WordPress Code Execution Vulnerability

Two new vulnerabilities have been identified in WordPress 2.5. The vulnerabilities could allow an attacker to conduct XSS attacks, bypass some security restrictions, and compromise the vulnerable system. The first vulnerability could allow an attacker to bypass the authentication mechanism by creating a cookie with certain settings.

The second vulnerability is caused by passing input to an unspecified parameter which is not properly sanitised by the server. This vulnerability can be exploited to execute arbitrary script code in a user’s browser session.

All users should update to the latest version of WordPress, version 2.5.1.

Perl 5.8.8 Vulnerability – Trillian 3.1 Long Nick

A double free vulnerability exists in Perl 5.8.8. Triggered by a crafted UTF-8 regular expression, this vulnerability could cause a denial of service on certain operating systems. This has not been fixed as of the time of this writing.

A curious vulnerability has been announced for Trillian 3.1, where a specially crafted nickname can cause a buffer overflow on Windows. Very few details are available at this time, and an exploit hasn’t been released, but I wouldn’t expect it to be long before we see a real PoC.

VoIPER – A VoIP Fuzzing Tool

VoIPER, a VoIP fuzzing framework, has been released. This tool includes a suite built on the Sulley fuzzing framework and a SIP torturer. The fuzzer currently incorporates tests for SIP INVITE, SIP ACK, SIP CANCEL, SIP request structure, and SDP over SIP. VoIPER, and tools like it, are likely to increase the likelihood that additional SIP vulnerabilities will be found. Proper architecture and configuration surrounding a SIP implementation is likely to reduce the potential for compromise in almost all scenarios.

Here We Grow Again! — MSI is Hiring!

MSI is seeking a technical leader with an understanding of Linux, networking and an interest in information security. The main focus of this position is project/engagement management, but the successful candidate will also need to be able to participate in security testing as a member of our team. They should have excellent written and verbal communication skills and not be afraid of dynamic environments. Public speaking, customer presentations and technical writing definitely go in the “plus” column.

The position is full time, located in Columbus, Ohio and has excellent benefits, a friendly and casual working environment and minimal travel. It also includes working with our team and being the best that the security industry has to offer.

If you would like more information about this position, please send your resume to bhuston**AT**microsolved.com.

High Profile XSS

A security issue in Barack Obama’s website has been exploited by a user to redirect visitors to Hillary Clinton’s website. Visitors to the community blogs section of his website were sent to Hillary Clinton’s home page via a Cross Site Scripting (XSS) vulnerability. This story highlights the importance of secure coding practices, as well as finding and remediating any XSS vulnerabilities that are found on your site. Had the intentions of the user posting the XSS been malicious, he could have infected all of the visitors with malware/spyware. Moral of the story: XSS is not a vulnerability that should be taken lightly.

Changing the World… Again!

In the last couple of years since we launched the HoneyPoint family of products, it has been an interesting experience. I have learned the joys and hardships of marketing a security software product. I have tried to make myself heard in an overcrowded and noisy marketplace. I would do it all over again, because HoneyPoint is the right idea and the right thing to do.

Now, MSI is again out to change the world. This week, we are launching a new release of HoneyPoint Security Server Console and officially releasing the long awaited HoneyPoint Trojan. Using these new tools, security teams can now create friendly Trojans that report information back to them whenever they are used. Security teams can gather when people access data that they should not and they can track data, documents and other pseudo-information around the world. That means that if you make jet engines, you can drop these Trojans on your file servers and anonymous FTP sites and then proceed to learn more about where they propagate!

But, that isn’t even the big news. The big deal is a new enhancement to HoneyPoint Security Server called HornetPoint. HornetPoints are the world’s first implementation of what we call “defensive fuzzing”. Like normal HoneyPoints, these pseudo-services listen on IP ports and wait for network contact. Just like HoneyPoints, they then capture the source and content of those transactions and report them to the central server. HoneyPoints, of course, are often deployed to create an enterprise honeypot.

But, unlike normal HoneyPoints, HornetPoints are not a passive defense. Instead of replying with normal and expected data, the HornetPoints fuzz the expected data and mutate it in random and unexpected ways. The result is that a high number of attacker tools, worms, scanners and bot-net tools crash when the mutated data is received. Thus, HornetPoints actively defend themselves and the network of their owners. Unlike more traditional defenses, HornetPoints don’t just guard against attacks – they break attackers and their tools!
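To make the “defensive fuzzing” idea above concrete, here is an added illustration in Python. It is not HoneyPoint or HornetPoint code; it is a hypothetical, minimal pseudo-service that does the two things the paragraph describes: it records the source and content of each contact (an in-memory list stands in for reports to a central console), and instead of the expected reply it sends a seeded, reproducible mutation of that reply. The listening port, the sample HTTP-style response and the mutation operators are all assumptions made for the example.

```python
"""Added illustration of a "defensive fuzzing" pseudo-service (hypothetical,
not HoneyPoint/HornetPoint code): log who connected and what they sent, then
answer with a mutated version of the response a real service would give."""
import random
import socketserver
from datetime import datetime, timezone

# Constructed sample: what a real (fake) web pseudo-service would normally answer.
EXPECTED_RESPONSE = b"HTTP/1.0 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"

# In-memory stand-in for the reports a real deployment sends to its central server.
CONTACT_LOG = []


def record_contact(source, payload, log=CONTACT_LOG):
    """Capture the source address and the raw bytes received; return the record."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "payload": payload,
    }
    log.append(entry)
    return entry


def mutate(data, seed=None, max_ops=4):
    """Return a mutated copy of `data` (bit flips, insertions, byte repeats,
    truncation).  A seed makes the mutation reproducible, which matters when
    you later want to know exactly what a crashed tool was fed."""
    rng = random.Random(seed)
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_ops)):
        op = rng.choice(("flip", "insert", "repeat", "truncate"))
        if op == "flip" and buf:
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)          # flip one bit
        elif op == "insert":
            i = rng.randrange(len(buf) + 1)
            buf[i:i] = bytes([rng.randrange(256)])   # inject a stray byte
        elif op == "repeat" and buf:
            i = rng.randrange(len(buf))
            buf[i:i] = buf[i:i + 1] * rng.randint(16, 64)  # long run of one byte
        elif op == "truncate" and len(buf) > 1:
            del buf[rng.randrange(1, len(buf)):]     # cut the reply short
    if bytes(buf) == data:                           # never answer with the clean reply
        buf[0] ^= 0x01
    return bytes(buf)


class DefensiveFuzzHandler(socketserver.BaseRequestHandler):
    """One connection: capture what arrived, reply with mutated data."""

    def handle(self):
        received = self.request.recv(4096)
        record_contact(self.client_address[0], received)
        self.request.sendall(mutate(EXPECTED_RESPONSE))


def serve(host="127.0.0.1", port=8080):
    """Listen on the assumed port and handle contacts until interrupted."""
    with socketserver.TCPServer((host, port), DefensiveFuzzHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Running the module starts the listener; every connection adds a record to `CONTACT_LOG` and receives a different mutated response. Keeping the mutation seeded is the design choice worth noting: a reply that crashes a scanner is only useful evidence if you can reconstruct the exact bytes that were sent.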

We are just starting to populate the web site with information on these new versions and enhancements to the HoneyPoint product line. Over the next several days, we will make the new versions available and get the updated marketing added to the web site. In the meantime, if you are interested in hearing more about these new capabilities and the evolution from security to Corporate Counter Intelligence, just give us a call.

A special thanks is due from the MSI staff to those who have supported us during this process. Thanks to all of the folks who have urged us to complete the enhancements and to those who have helped challenge us to again rise to a new level. Things are certainly changing and we are all very proud to be a part of the next evolution of information security! We promise, we will continue to work hard to bring the best bleeding-edge protection and insights to all of you. As always, thanks so much for believing in us and in choosing MSI as your security partner!

OpenOffice Overflow

Several OpenOffice vulnerabilities were disclosed over the weekend. In total, four advisories have been released detailing various types of overflows in the software. These could be exploited in various ways, all resulting in complete system compromise. Versions 2.3 and below are vulnerable, and OpenOffice has released version 2.4, which addresses these vulnerabilities.

April Virtual Event – Evangelizing Security to Upper Management

Abstract:

This presentation will explain several techniques that have successfully been used to help upper management understand the information security initiative in several organizations. Overall strategies and specific tactics for gaining upper management support will be identified. The audience can use these techniques to gain, maintain and ensure rapport with upper management, establish and reinforce the value of the security team and to demonstrate the value of including the security team in business operational decisions and planning.

This virtual event will be held Wednesday, April 30th 2008 at 4pm Eastern time. You can get access to a PDF of the slides and the phone number and passcode for the audio portion by sending an RSVP email to info@microsolved.com.

For those unable to attend, the slides and an MP3 of the audio portion will be made available following the presentation.

Intel Centrino Wireless Exploit

A popular attack framework has released an exploit that takes advantage of a vulnerability within older Intel Centrino wireless drivers. Specifically, the Intel 2200BG has this issue. The vulnerability is a buffer overflow in the w22n51.sys driver. It would be a very good idea to make sure you are running the latest wireless drivers if you’re using an Intel Centrino based laptop, as the exploit will infect every vulnerable machine within the vicinity at the kernel level.

Cisco Network Admission Control Appliance Vulnerability

The Cisco Network Admission Control Appliance (NAC) contains a vulnerability that allows the shared secret used by the Cisco Clean Access Server (CAS) and the Cisco Clean Access Manager (CAM) to be captured. This can then be leveraged to gain control over the CAS.

The following versions of NAC are known to be vulnerable:
 All 3.5.x versions
 All 3.6.x versions prior to 3.6.4.4
 All 4.0.x versions prior to 4.0.6
 All 4.1.x versions prior to 4.1.2

For full details see Cisco’s original advisory at: http://www.cisco.com/warp/public/707/cisco-sa-20080416-nac.shtml
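The version list above is the kind of thing that ends up in an inventory check, so here is an added example (not Cisco’s code) that encodes those four branches and flags NAC appliance versions that still need upgrading. It assumes plain dotted version strings as input and, because the summary above does not mention other branches (4.2 and later, for instance), it treats any branch not listed as not affected; confirm that against Cisco’s full advisory before relying on it.

```python
"""Added example (not Cisco's code): test a Cisco NAC appliance version string
against the affected ranges summarised in the post above."""
import re

# Branch (major, minor) -> first fixed version on that branch, or None when
# every release of the branch is affected.  Taken from the list in the post.
AFFECTED_BRANCHES = {
    (3, 5): None,          # all 3.5.x versions
    (3, 6): (3, 6, 4, 4),  # 3.6.x prior to 3.6.4.4
    (4, 0): (4, 0, 6),     # 4.0.x prior to 4.0.6
    (4, 1): (4, 1, 2),     # 4.1.x prior to 4.1.2
}


def parse_version(text):
    """'4.0.5' -> (4, 0, 5).  Rejects anything that is not dotted integers,
    so a garbled inventory field fails loudly instead of comparing as safe."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version_text):
    """True when the version falls inside one of the affected ranges."""
    version = parse_version(version_text)
    if len(version) < 2:
        raise ValueError("need at least major.minor")
    branch = version[:2]
    if branch not in AFFECTED_BRANCHES:
        # Assumption: branches the summary does not list are treated as not affected.
        return False
    first_fixed = AFFECTED_BRANCHES[branch]
    if first_fixed is None:
        return True
    # Tuple comparison orders versions component by component.
    return version < first_fixed


def triage(inventory):
    """Given [(hostname, version), ...], return the hostnames needing an upgrade."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("cas-east", "3.6.4.3"), ("cas-west", "4.0.6"), ("cam-lab", "4.1.1")]
    print(triage(sample))
```

The `None` entry for the 3.5 branch is deliberate: there is no fixed 3.5 release in the list, so any 3.5.x host is reported regardless of patch level.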