Threat Con Yellow: Protection recommendation regarding Internet Explorer exploits in the wild, (Fri, Sep 20th)

The Internet Storm Center is beginning to see increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505.  Accordingly, we're moving the InfoCon up to Yellow.

Per the advisory:
Microsoft is investigating public reports of a vulnerability in all supported versions of Internet Explorer. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9. Applying the Microsoft Fix it solution, CVE-2013-3893 Fix It Workaround, prevents the exploitation of this issue. This FixIt solution also includes EMET 4.0 guidance. Certainly consider use of EMET where you can.  Please note, the Fix It seems to only help 32-bit versions of browsers.
 
It appears that an exploit has been in the wild since August 29th, 2013 when it was first seen by one of the online security scanners.  There is some indication that a weaponized exploit may be in broader circulation now, so expect this to ramp up quickly.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Arrays in requests, PHP and DedeCMS, (Thu, Sep 19th)

We received an interesting submission about a strange-looking Apache web server log. While the log does not look malicious at first glance, after examining it carefully it certainly looks strange, as you can see below:

10.10.10.10 - - [05/Sep/2013:06:02:49 +0800] "GET /plus/download.php?open=1&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95&arrs1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120&arrs2%5B%5D=109 [snip] HTTP/1.1" 302 302 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

The log, as shown above, contains a request to the download.php PHP script with a series of parameters that all appear to be the same. After decoding %5B and %5D to [ and ], the request becomes a bit more obvious:

/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98

The request above contains repeating arrs1[] parameters. PHP treats these as members of an array, so this actually creates an array called arrs1 (and later arrs2, as shown in the original log) which contains various numbers. These numbers (99, 102, 103 …) look like ASCII codes, so the next step in decoding this is to push the original log through a Perl one-liner that replaces each numeric value with the corresponding character:

$ perl -pe 's/(&arrs(1|2)%5B%5D=)(\d+)/chr($3)/ge' < original.log

10.10.10.10 - - [05/Sep/2013:06:02:49 +0800] "GET /plus/download.php?open=1cfg_dbprefixmytag` (aid,expbody,normbody) VALUES(9013,@`'`,'{dede:php}file_put_contents(''90sec.php'',''<?php eval($_POST[guige]);?>'');{/dede:php}') # @`'` HTTP/1.1" 302 302 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

And this definitely looks malicious. After a bit of research, it turned out that this is an attack against a known vulnerability in the DedeCMS, a CMS written in PHP that appears to be popular in Asia. This CMS has a pretty nasty SQL injection vulnerability that can be exploited with the request shown above.

The vulnerability exists because the CMS uses the $GLOBALS superglobal, whose contents are then propagated into an SQL query. The resulting query, from the decoded attack above, is pretty obvious: the attacker creates a file called 90sec.php, which is a very simple PHP backdoor shell that allows the attacker to execute any command with a POST HTTP request that contains the command to be executed in the parameter called guige (visible in the decoded request above).
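As an added example (not part of the original diary), the following Python does the same decoding as the Perl one-liner but on the parsed query string, grouping repeated name[] parameters the way PHP does and flagging decoded content that contains the SQL/PHP markers seen in this attack. The sample log line is constructed from the request above, truncated at the same point; the function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the request line from the diary, cut at the same point
SAMPLE_LOG = ('10.10.10.10 - - [05/Sep/2013:06:02:49 +0800] "GET /plus/download.php?open=1'
              '&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95'
              '&arrs1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114'
              '&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120'
              '&arrs2%5B%5D=109 HTTP/1.1" 302 302 "-" '
              '"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"')

# Pulls the request target out of a combined/common log format line
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')

# Markers of the DedeCMS injection: the table prefix name, SQL, and the PHP tag
SUSPICIOUS = re.compile(
    r'(?i)\{dede:php\}|cfg_dbprefix|\bINSERT\b|\bVALUES\b|eval\(|\$_(POST|GET)')


def decode_array_params(log_line):
    """Return {array_name: decoded_string} for every PHP-style name[] parameter
    whose values are all printable ASCII codes, i.e. a string smuggled as numbers."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return {}
    query = urlsplit(m.group(1)).query
    decoded = {}
    # parse_qs groups repeated keys into lists, mirroring PHP's name[] arrays;
    # it also percent-decodes the key, so arrs1%5B%5D becomes arrs1[]
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if not key.endswith('[]'):
            continue
        if all(v.isdigit() and 32 <= int(v) < 127 for v in values):
            decoded[key[:-2]] = ''.join(chr(int(v)) for v in values)
    return decoded


def is_suspicious(log_line):
    """Flag a line when the decoded array contents carry SQL/PHP injection markers."""
    joined = ' '.join(decode_array_params(log_line).values())
    return bool(SUSPICIOUS.search(joined))


if __name__ == '__main__':
    print(decode_array_params(SAMPLE_LOG), is_suspicious(SAMPLE_LOG))
```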

While in this case this was simply a way to transfer an array over a GET request, similar requests can also be used for HTTP Parameter Pollution attacks, where a single parameter is added multiple times to a GET or POST request, resulting in potentially unexpected behavior.

Additionally, as you can see in the log at the top, the User Agent string has been set to WinHttp.WinHttpRequest, which indicates that this request was created by a script or an attack tool executed on a Windows machine.

Thanks to our reader for sending the logs, and for being alert about strange looking requests – something everyone should do.


@bojanz
Bojan
INFIGO IS


More Goodies in the Apple Security Update Basket!, (Wed, Sep 18th)

APPLE-SA-2013-09-18-3
An OS X update that fixes a situation where the hostname in a certificate is not checked against the actual hostname. This vulnerability means that anyone with a valid certificate can impersonate any host; there are lots of attack applications for this when combined with MITM or DNS hijack attacks.

APPLE-SA-2013-09-18-2
An absolute TON of updates for IOS, which should be no surprise in a new version.  The highlights include updates to the Root Certificates, fixes for code exploit issues from malicious PDF and Movie files, and a bypass for the password retry limit, allowing a malicious app to brute force the device unlock code.
Also some fun fixes for several cross site scripting issues within WebKit (which is the provider for browser functions in IOS).

Attack vectors for these include buffer overflows, misses on bounds checking and some fun kernel mode attacks!

As always, watch for the full details on Apple's Security Update Page, found here ==> http://support.apple.com/kb/HT1222

===============
Rob VandenBrink
Metafore


Apple DDOS? Nope, just the update coming down!, (Wed, Sep 18th)

The amount of press that Apple's IOS 7 update has gotten today has had an unintended consequence: everyone seems to be pulling it down the instant they see that it's available.

This is triggering IPS sensors and causing real DOS conditions due to the traffic involved, an unintended "apple-zooka".

Swa, one of our handlers, indicates that this can be easily resolved for a single broadcast domain by enabling the Apple Caching Service on a single OSX Server in the network.  Clients find it with Bonjour, and a single download services all clients. (thanks for the screenshot Swa)

I'm not sure how this interacts with the Service Discovery features in mDNS – if anyone has details on this we'd appreciate your insight in the comments field for this story!

Generally, just enabling this is enough, but advanced settings for the caching server can be found here ==> http://support.apple.com/kb/HT5590

 

===============
Rob VandenBrink
Metafore


Cisco DCNM Update Released, (Wed, Sep 18th)

We continue to see web applications deployed to manage datacenter functions.  And I'm sorry to say, we continue to see security issues in these applications – some of them so simple a quick run-through with Burp or ZAP would red-flag them.

In that theme, today Cisco posts updates to DCNM (Cisco Prime Data Center Network Manager).  The issues resolved are not so simple as I describe above (they are more complex than a simple scan to detect or exploit), but they do involve remote command execution and authentication bypass – two things most folks should have problems with in a Data Center Network Manager.

The advisory is here ==> http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130918-dcnm

As per usual, a valid service contract is required to obtain the update.  My clients do have Cisco contracts, but I'm not sure how thrilled I am that you need to pay maintenance to fix security issues so fundamental.

===============
Rob VandenBrink
Metafore


Apple IOS 7 – Brace for Impact!, (Wed, Sep 18th)

Apple IOS 7 is available today (just posted, in fact). While the major push for this is support for the new iPhone platforms, we can expect functional and security changes that will affect all IOS platforms, among them:

  • per app licensing
  • per app vpn settings
  • per app encryption keys
  • single signon (What could possibly go wrong with this?! )
  • and better MDM (Mobile Device Management) functions – expect upgrades for your corporate MDM platforms sometime real soon, and expect that management will want these applied ASAP!
  • More on these features here – http://www.apple.com/ios/business/

I'm sure several of these new features are worth a story all on their own – stay tuned!

We've all seen the flurry of app updates over the past few weeks, as everyone gets their app ready for the new OS. Before updating, you should check to see that all of your apps will support the new operating system. For instance, I still use Stanza as a reader app for my fiction library. Since it was officially moved to unsupported status by Amazon, I think it's smart for me to (finally) change readers before I upgrade.

This update comes at an interesting time for a couple of my clients. Since going to a BYOD model, they now have thousands of i-devices on their networks, unmanaged and for the most part owned by their users (or their visitors). In most organizations, at just under 1GB the bandwidth overhead of this update shouldn't be an issue, but one client in my list is in that "thousands of Apple devices" list and is also on my "bandwidth constrained" list. I can see this update affecting their business applications, both by stressing their already maxed out WAN and also by adding to their already over-capacity internet uplink. We're changing their QOS to de-prioritize "all things Apple" for today. Once we can characterize what this update looks like on the network, we'll make the ACL more specific to just deprioritize the update traffic. Now that the update is posted, I'll be firing up TCPDUMP and doing just that!

===============
Rob VandenBrink
Metafore
