More QuickTime Exploits

It seems the recent QuickTime vulnerabilities are receiving a lot of attention. Exploits are popping up fast, and there are now working exploit frameworks to attack both Windows and OSX. Since the exploit can be embedded in websites, it’s harder to avoid it. Even the practice of avoiding untrusted websites may not be 100% effective. Other things that may be tried include blocking the rstp:// protocol at the firewall if you have the capability, or better yet uninstall the QuickTime browser controls, or disable file associations for QuickTime files. Apple is still working on an patch for this issue.

Two New HP-UX vulnerabilities

The first is a potential remote execution of code on HP-UX systems that are running Apache. HP-UX B.11.11, B.11.23, B.11.31 running Apache v2.0.59.00.0 or earlier are known to be vulnerable. While the HP security bulletin is a vague, it does cite CVE-2007-5135 which details an off-by-one error in the SSL_get_shared_ciphers function of OpenSSL 0.9.7 – 0.9.7l, and 0.9.8 – 0.9.8f. HP’s original security bulletin is HPSBUX02292 SSRT071499 rev.1. Updates are available.

The second is an XSS issue in HP OpenView Network Node Manager. It appears to be remotely exploitable. Affected versions are HP OpenView Network Node Manager (OV NNM) 6.41, 7.01, 7.51 running on HP-UX B.11.00, B.11.11, and B.11.23, Solaris, Windows NT, Windows 2000, Windows XP, and Linux. The original HP security bulletin is HPSBMA02283 SSRT071319 rev.1. Updates are available for this as well.

Avaya Products Multiple Vulnerabilities

Avaya has released information on multiple vulnerabilities within their products. The first issue is an error in certain OpenSSL functions.  A certain function can be exploited to cause a buffer overlow and a weakness in the RSA implementation can be exploited to reveal the private keys. The following products are affected:

  • Avaya Communication Manager (CM 3.0)
  • Avaya EMMC (1.017, 1.021)
  • Avaya CCS/SES (3.1 and earlier)
  • Avaya AES (AES 3.1.4 and earlier)

The next set of issues lies in the PCRE libraries. When parsing certain regular expressions an integer overflow can occur and result in a denial of service or potentially compromise an application using the library.  Additionally, an error processing multiple unspecified character classes can be exploited to cause insufficient memory allocation.

The following versions are affected:

  • Avaya Communication Manager (CM 3.1, CM 4.x)
  • Avaya Intuity AUDIX LX (IALX 2.0)
  • Avaya Messaging Storage Server (MSS 3.x)
  • Avaya Message Networking (MN 3.1)
  • Avaya CCS/SES (3.1.1, 3.1.2, 4.0)
  • Avaya AES (AES 4.0.1)

Symantec Backup Exec DoS and Phishing Survey

Symantec Backup Exec for Windows Servers is vulnerable to denial of service. There are two different issues that could cause a denial of service, one being a NULL pointer reference that can cause the backup exec job engine service to crash with a specially crafted packet sent to TCP port 5633. Two integer overflows within the engine, triggered by a specially crafted packet to port 5633 can cause the service to enter an infinite loop consuming large amounts of CPU time. Backup Exec version 11d build 11.0.7170 and version 11d build 11.0.6.6235 are affected. Users should upgrade to versions Build 11.0.7170 and Build 11.0.6235 respectively.

We found a survey published today that some of you may be interested in. Cloudmark Inc., an anti-spam, anti-phishing outfit, released a survey about phishing sites, and the effects on the perception of the company being phished. It seems that some people (42% of the people surveyed) would have their trust in the brand “greatly reduced” after receiving a phishing email claiming to be from them. Now, of course the phishing email has absolutely nothing to do with the actual company, but it still seems to leave an impression. If the results of this survey can be trusted, it looks like some consumers need to be educated about phishing attacks and the relation to the brand.

IBM Lotus Notes Vulnerabilities

Today a vulnerability was disclosed that effects IBM Lotus Notes. The issue effects versions 5.x, 6.x, 7.x and 8.x. Specifically, the issue lies within the Lotus Notes viewer, a specially crafted Lotus Notes viewer file (.123 extension) could cause a buffer overflow within the viewer and lead to the execution of arbitrary code.

If you have Lotus Notes 7.x or 8.x, IBM has an update. If you are using version 6.x, or 5.x, there is currently no update. IBM is currently working on an update for 6.x, but will not release one for 5.x. However, a workaround for these versions is to disable the viewer. If the viewer is disabled, then the files will not be opened within Lotus Notes viewer.

New Releases of Firefox and SeaMonkey

The latest releases of Firefox (2.0.0.10) and SeaMonkey (1.1.7) address three recently discovered vulnerabilities. The first is a race condition in window.location that can allow Cross-site scripting via referer-spoofing. The second is a memory corruption issue which could lead to the execution of arbitrary code. The third is a jar URI scheme vulnerability that can also allow Cross-site scripting to occur.

You should update if you are using one of these products.

For for the original notifications travel over to Mozilla’s known vulnerabilities site

Quicktime 7.2/7.3 RTSP Exploits

Quicktime versions 7.2 and 7.3 are vulnerable to a stack based overflow. This vulnerability is caused by a boundary error when processing RTSP (Real Time Streaming Protocol) replies. This can be exploited by sending a specially crafted RTSP reply with a long “Content-Type” header. Exploitation requires that a user visits a malicious URL or open a malicious QTL file. Working exploit code is available to the public. There is no update available at this time, so users should beware suspicious links or Quicktime files (qtl).

Linksys XSS

Bit Defender Online Scanner is vulnerable to remote code execution. A vulnerable ActiveX control can be exploited to execute code on a users system. The vulnerability is reported in version 8.0. There is an updated version available.

Linksys WAG54GS has some cross site scripting issues. Two separate issues can result in either script code execution in a user’s browser, or result in administrative function being performed by others when a logged in administrator visits a malicious site. These vulnerabilities are present in 1.00.06

Perl and PHP Issues, Citrix XSS

Perl 5.8.8 contains a buffer overflow when processing certain regular expressions. The overflow can occur when switching between byte and Unicode characters. This affects currently installed versions of dev/lang. Users should apply their distributions’ updated version or rebuild the source with a patch applied.

PHP 5.2.4 is vulnerable to multiple issues. Successful exploitation could result in a denial of service condition, could allow an attacker to bypass security restrictions, or ultimately execute arbitrary code. PHP has released version 5.2.5 to address these issues.

Citrix NetScaler contains a XSS bug in the management interface. The vulnerability has been identified in version 8.0, build 47.8 and other versions may be affected. Users of this software should not remain logged in to the management interface while browsing other web sites.

Inside an Average PHP Scan

I have been talking about PHP scans for a while now. They are so common that we get them on our HoneyPoint deployments all the time, often several times per day, depending on our location.

These scans follow traditional scanner patterns in that they grind through a list of specific urls that are known to have issues looking for a 200 response from the server.

Here is a quick list of a recent scan against one of our HoneyPoints:

/+webvpn+/index.html: 1 Time(s)
/PMA/main.php: 1 Time(s)
/admin/database/main.php: 1 Time(s)
/admin/datenbank/main.php: 1 Time(s)
/admin/db/main.php: 1 Time(s)
/admin/main.php: 2 Time(s)
/admin/myadmin/main.php: 1 Time(s)
/admin/mysql-admin/main.php: 1 Time(s)
/admin/mysql/main.php: 1 Time(s)
/admin/mysqladmin/main.php: 1 Time(s)
/admin/pMA/main.php: 1 Time(s)
/admin/padmin/main.php: 1 Time(s)
/admin/php-my-admin/main.php: 1 Time(s)
/admin/phpMyAdmin-2.2.3/main.php: 1 Time(s)
/admin/phpMyAdmin-2.2.6/main.php: 1 Time(s)
/admin/phpMyAdmin-2.5.1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.5.4/main.php: 1 Time(s)
/admin/phpMyAdmin-2.5.6/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.0-pl1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.0/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.2-rc1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.3-rc1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.3/main.php: 1 Time(s)
/admin/phpMyAdmin/main.php: 1 Time(s)
/admin/phpmyadmin/main.php: 1 Time(s)
/admin/phpmyadmin2/main.php: 1 Time(s)
/admin/sqladmin/main.php: 1 Time(s)
/admin/sqlweb/main.php: 1 Time(s)
/admin/sysadmin/main.php: 1 Time(s)
/admin/web/main.php: 1 Time(s)
/admin/webadmin/main.php: 1 Time(s)
/admin/webdb/main.php: 1 Time(s)
/admin/websql/main.php: 1 Time(s)
/board/index.php: 4 Time(s)
/database/main.php: 1 Time(s)
/datenbank/main.php: 1 Time(s)
/db/main.php: 1 Time(s)
/favicon.ico: 1 Time(s)
/forum/index.php: 4 Time(s)
/forums/index.php: 4 Time(s)
/myadmin/main.php: 1 Time(s)
/mysql-admin/main.php: 1 Time(s)
/mysql/main.php: 1 Time(s)
/mysqladmin/main.php: 1 Time(s)
/padmin/main.php: 1 Time(s)
/php-my-admin/main.php: 1 Time(s)
/phpMyAdmin-2.2.3/main.php: 1 Time(s)
/phpMyAdmin-2.2.6/main.php: 1 Time(s)
/phpMyAdmin-2.5.1/main.php: 1 Time(s)
/phpMyAdmin-2.5.4/main.php: 1 Time(s)
/phpMyAdmin-2.5.6/main.php: 1 Time(s)
/phpMyAdmin-2.6.0-pl1/main.php: 1 Time(s)
/phpMyAdmin-2.6.0/main.php: 1 Time(s)
/phpMyAdmin-2.6.2-rc1/main.php: 1 Time(s)
/phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
/phpMyAdmin-2.6.3-rc1/main.php: 1 Time(s)
/phpMyAdmin-2.6.3/main.php: 1 Time(s)
/phpMyAdmin/main.php: 1 Time(s)
/phpbb/index.php: 4 Time(s)
/phpbb2/index.php: 4 Time(s)
/phpmyadmin/main.php: 1 Time(s)
/phpmyadmin2/main.php: 1 Time(s)
/robots.txt: 15 Time(s)
/sqlweb/main.php: 1 Time(s)
/web/main.php: 1 Time(s)
/webadmin/main.php: 1 Time(s)
/webdb/main.php: 1 Time(s)
/websql/main.php: 1 Time(s)
As you can see, the scanner requests some of the pages many times, usually with subtle differences in the method or url termination scheme. When we have faked the 200 responses for these pages, it simply catalogs the success and continues. Thus far, we have been unable to identify when/if the real human attacker returns to test and play with the finds, since there are just so many scans for these issues going on all the time. But, we continue to monitor and analyze, so hopefully soon we can identify a pattern of scans followed by verification and exploit.

Note that some/many of these scans will immediately exploit the vulnerability in PHP and use it to drop a bot-net client onto the machine. Of course, this immediately compromises the system and adds it to the scanning army. In those cases, the waiting for the return of the human attacker would not apply.

So, what does all of this mean? We wanted to give you some more insight into the wide scale PHP scans and what they look like. If you have not checked your own web site for these known vulnerabilities, it would likely be very wise to do so. It can be done quite easily by hand, using a simple Perl script or any of the publicly available web scanner tools.