SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center

Thanx to our readers

Published: 2006-07-15
Last Updated: 2006-07-15 21:40:51 UTC
by Jim Clausing (Version: 1)
Well, I'm back home and almost caught up on sleep after SANSFIRE (the largest gathering of handlers in one place in the history of the Internet Storm Center). The training at these conferences is always top notch, but meeting with other professionals who are going through the same sorts of things at work is also a treat for me, and getting to actually meet some of the other handlers in person after corresponding with them online for, in some cases, 5 years was a blast. There were a number of people who came up to me in DC (especially on Thursday, when all the handlers --except one who shall remain nameless-- wore our ISC shirts) to thank us for providing this service. We all appreciate the kind words, but we wouldn't be able to do what we do if it weren't for the rest of our readers out there submitting logs to DShield, writing in when they see something suspicious on their own machines or networks (and including packets and the malware), or just giving us a heads up that they've heard about a new vulnerability somewhere. We enjoy doing this, and we struggle through the slow days when there doesn't seem to be anything to write about to get to the "exciting" days when there is a massive malware outbreak. I think I speak for all of us here when I say that the thanks really go to you folks; we couldn't do it without you, so keep up the good work.

We now return you to our regularly scheduled Linux local privilege escalation exploits. :)

Jim Clausing
And *another* 0-day Linux kernel vulnerability

Published: 2006-07-15
Last Updated: 2006-07-15 15:56:03 UTC
by Bojan Zdrnja (Version: 2)
And as if we didn't have enough for this weekend, an exploit for another Linux kernel privilege escalation vulnerability has been posted.

The exploit seems to work on all 2.6.x kernels and is not related to the previous exploit we wrote about.

From the limited testing we've done so far, SELinux blocks this exploit successfully, so the exploit didn't work on the Red Hat Enterprise Linux 4 machines we tested it on.

Also, the published exploit depends on a.out support in the kernel (CONFIG_BINFMT_AOUT has to be set), but the underlying vulnerability can be exploited whether or not a.out is supported.

Update (JAC, 2006-07-15 15:50 UTC):
We've spent some more time working with this one, and I've had it work intermittently on both fully patched SuSE 9.3 and 10.0 (kernel and 2.6.13 respectively). I haven't had the time yet to figure out why it works sometimes and not others, but I'll try to keep looking into it this afternoon. One of the key things that jumps out from looking at the exploit code is that this appears to require that /proc be mounted suid. Several folks have said that if /proc is mounted nosuid, the exploit fails. I haven't yet tried it, and I'm not sure what else this might break, but it is a possible workaround.
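As an added example that is not part of the diary, here is a small POSIX shell check for the two conditions the entry mentions: whether the /proc mount carries nosuid (the workaround readers reported) and whether CONFIG_BINFMT_AOUT is enabled in the kernel config (which the published exploit needs). The mounts and config content below are constructed samples; the functions take a file path so they can be pointed at /proc/mounts and a kernel .config on a real host.

```shell
#!/bin/sh
# Added example, not from the ISC diary. Checks the /proc nosuid workaround
# and a.out support against files in /proc/mounts and kernel .config format.

# Constructed sample in /proc/mounts format where /proc lacks nosuid.
SAMPLE_MOUNTS_WEAK='rootfs / rootfs rw 0 0
proc /proc proc rw,nodev,noexec 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec 0 0'

# Constructed sample where /proc carries nosuid.
SAMPLE_MOUNTS_FIXED='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0'

# Constructed kernel config fragment with a.out support built as a module.
SAMPLE_CONFIG='CONFIG_BINFMT_ELF=y
CONFIG_BINFMT_AOUT=m
# CONFIG_BINFMT_MISC is not set'

# proc_nosuid MOUNTS_FILE: prints "yes" if the /proc line has the nosuid
# option, "no" if it lacks it, and "absent" if there is no /proc line at all.
proc_nosuid() {
    awk '$2 == "/proc" {
            found = 1
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "nosuid") { print "yes"; exit }
            print "no"; exit
         }
         END { if (!found) print "absent" }' "$1"
}

# aout_enabled CONFIG_FILE: prints "yes" if CONFIG_BINFMT_AOUT is built in (y)
# or as a module (m), otherwise "no".
aout_enabled() {
    if grep -q '^CONFIG_BINFMT_AOUT=[ym]$' "$1"; then echo yes; else echo no; fi
}

# Write the constructed samples to temp files and run the checks on them.
WEAK=$(mktemp); FIXED=$(mktemp); CONF=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS_WEAK" > "$WEAK"
printf '%s\n' "$SAMPLE_MOUNTS_FIXED" > "$FIXED"
printf '%s\n' "$SAMPLE_CONFIG" > "$CONF"
echo "weak  sample: /proc nosuid=$(proc_nosuid "$WEAK")"
echo "fixed sample: /proc nosuid=$(proc_nosuid "$FIXED")"
echo "config sample: a.out=$(aout_enabled "$CONF")"
# On a live host: proc_nosuid /proc/mounts ; aout_enabled /boot/config-"$(uname -r)"
```

The diary itself notes the nosuid remount is untested and may break other things, so verify it on a non-production box before rolling it out.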

0-day exploit for Microsoft PowerPoint

Published: 2006-07-15
Last Updated: 2006-07-15 00:03:53 UTC
by Bojan Zdrnja (Version: 3)
Our readers Juha-Matti and Gennaro informed us about a new, undocumented vulnerability in Microsoft PowerPoint. It looks like the same group of Chinese hackers has decided to give Office applications a thorough test. And the fact that they are releasing their material immediately after Microsoft releases its patches certainly doesn't help.

Symantec has a write-up of this; it doesn't look like it's widespread at all at the moment.

UPDATE 07/14/2006

Microsoft is working on this issue and they've posted some information on their blog.
Most of the major AV vendors have received samples of the infected PPT file and added detection for it so far. However, this doesn't mean that you can completely relax now: since we don't know which part of the infected PPT file they use for detection, it is quite possible that new exploits for this same vulnerability (once and if they are released) will not be detected properly (we've seen this before with other vulnerabilities in Microsoft Office products, Excel for example).

At this moment we are not sure exactly which versions of Microsoft PowerPoint are affected by this vulnerability. It looks like all versions from 2000 through 2003 are vulnerable.
We also can't confirm whether or not the PowerPoint Viewer utility is affected.

There is a CVE entry for this vulnerability,

Juha-Matti created a nice FAQ about this vulnerability (similarly to his previous Excel vulnerability FAQ). You can find it at

It is worth reminding you that, as with previous vulnerabilities in Microsoft Office applications, you do not have many options for protecting your networks. If you can, apply strict filtering of PPT files (or at least quarantine them, so they can be scanned and reviewed later). Users should be extra careful when opening PowerPoint files until Microsoft releases a patch (or some workaround becomes available).
While we can't confirm that this would stop the exploit from executing, it is a good idea to turn on memory-based security mechanisms (Data Execution Prevention).

If you went to Symantec's web site with the description of the Trojan being dropped, you probably saw the screenshot of the PowerPoint slide that is displayed once the file is opened in PowerPoint. One of our readers, Vince, sent us the translation of this:

"What is love? Sending her 999 roses knowing she doesn't love him.
What is waste? Sending her 999 roses know she loves him."

Interesting, isn't it? If this was displayed with all infected documents, it makes us wonder who was targeted with this. It is quite possible that the original exploit was written by some other author who then maybe sold it to the bad guys; this sounds to me like a typical "I'm in love, here's my worm/virus/exploit dedicated to her" thing, and we've seen such worms/viruses many times before.

UPDATE 2 07/14/2006

Three (!!!) PoCs for this vulnerability (or vulnerabilities) have just been publicly posted.
From what we can tell at the moment, they all just crash PowerPoint, but they show where the vulnerabilities are, so a full exploit can be written.
This is the first step toward remote exploitation, so we can unfortunately expect to see some malware using this very soon (and we thought it would be another quiet weekend).

Again, stress to users how important it is to be very careful when opening PowerPoint files (and, if possible, not to open them at all until the patch is out). Otherwise you'll have to rely on your desktop anti-virus product to catch the dropped component, and we all know how (un)reliable that can be.
