CERT Warns of SSH Attacks

Earlier this week US-CERT warned of attacks using stolen SSH keys. After access is gained to the machine, a rootkit (Phalanx2), is installed on the system. Once installed, the rootkit steals other keys from the system and sends them back to the attacker, allowing them to compromise other machines. The rootkit seems to create a directory, existance of the directory /etc/khubd.p2/ indicates a compromise. However, it should not be assumed because it’s not there that the machine is not compromised. It’s believed at least some of these machines were compromised by the Debian SSL Key bug from the summer.

US-CERT has provided some mitigation strategies to ensure that machines do not get compromised by this exploit. First, identify and examine systems where SSH keys are used as part of automated process. Any instance where keys are used without passphrases, a  passphrase should be used to reduce the risk of a compromise. Finally, ensure that internet facing systems are fully patched.

Bank Data Sold On Ebay

A few banks had a wake up surprise when they found that one of their servers had been sold on Ebay. The system was bought for about $150, and was acquired by an IT manager. Upon booting the machine he noticed that there were several cd ISOs on the disk array in the server. In each of these cd images were backups of customer credit card applications. The banks were notified by the buyer, but it is unknown where the machine was between the time it was at the bank and when it showed up on Ebay. I’m sure the banks are scrambling to implement encryption on their backups as we speak.

Trend Micro Auth Bypass

An issue has been discovered some Trend Micro products, which can be exploited by attackers to bypass authentication. Version affected are OfficeScan 7.0, 7.3, and 8.0; Worry-Free Business Security 5.0; and Trend Micro Client/Server/Messaging Suite versions 3.5, and 3.6. Currently there are fixes for OfficeScan 8.0, and Worry-Free Business Security 5.0. It’s expected that patches for other versions will follow shortly.

Web Application Scanning Tools

There have been several publicized releases of web scanning tools this week. Three specific ones come to mind, that enable assessors to automate a large part of the web application/site assessments. With this, there’s a lot of buzz on mailing lists about these tools, so expect an increase in threat to any web facing applications or sites. All of these tools are freely available for download.

Internet Explorer Security Zone Bypass

It’s possible to bypass the security zones within Internet Explorer. An issue has been identified in the way that security policies are applied when a URI is specified in the UNC form: \\MACHINE_NAME_OR_IP\PATH_TO_RESOURCE’. When a URI like this is accessed remotely, Internet Explorer does not apply the correct Security Zone Permissions. This issue affects Internet Explorer 5,6 and 7 under all versions of Windows.
Microsoft has released a work around for this issue. The work around can be found in Microsoft’s techbulletin for this issue. http://www.microsoft.com/technet/security/bulletin/ms08-048.mspx

SPAM Backscatter

We are getting many reports of mail servers under heavy load because of SPAM backscatter. This happens when a spammer uses a company’s email address to forge the “FROM” field in the email. When mail servers get these spam emails and reject them because they are sent to a user that doesn’t exist, the SPAM targeted mail server will send a bounce back message to the forged “FROM” field. Now as you might imagine, when a spammer sends out over a million emails it’s very likely that many of those will go to addresses that no longer exist, and innocent company in the “FROM” field gets blasted by thousands of bounce backs.

What can we do about this though? Unfortunately if you’re the one getting the backscatter, not a whole lot. However, you can help to prevent backscatter for others. We recommend that email servers be configured to REJECT bad email during the initial transaction instead of accepting it and creating a bounce back reply. Also consider not using “out of office” email replies. This also creates backscatter when the vacationed user receives spam. This could also land you on a spam blacklist, if whoever got the backscatter happened to report your mail server as a backscatter sender.

Ignuma Overview

I spent a few minutes this morning looking at the newest release of Ignuma. If you aren’t familiar with it, it is another penetration testing framework, mostly focused on Oracle servers, but has plenty of other capabilities and front ends a number of fuzzing and host discovery tools.

The tool is written in Python and has both command line and GUI interfaces, including a QT-based GUI and a more traditional “curses-based” GUI. The tool is pretty easy to get working and adapts itself pretty well to some easy scans, probes and fuzzing. In the hands of someone with skills in vuln dev, this could be a capable tool for finding some new vulnerabilities.

The tools is written to be extendable and the Python code is easy to read. It is not overly well documented, but enough so that a proficient programmer could add in new modules and extend the capabilities of it pretty easily.

The tool is still in heavy development and it looks like it could be interesting over the next few months as it matures. Keep you eyes on it if you are interested in such things. You can find the latest version of Ignuma here.

WebEx Meeting Manager Vulnerable ActiveX

An activex control installed by Cisco WebEx Meeting Manager is vulnerable to remote code execution or denial of service. The activex control, atucfobj.dll, is installed when a user connects to a WebEx meeting service. When users connect to an upgraded meeting service, the client side activex is automatically upgraded. Exploit code for this vulnerability has been publicly released.

As an aside, the interesting part of this vulnerability, according to a post from NANOG, is that even if you have cleaned the install of the client off your machine and have the latest version, if you connect to a meeting service that is NOT up to date, you could then become vulnerable again.

The full vulnerability details can be found at http://www.cisco.com/warp/public/707/cisco-sa-20080814-webex.shtml

Patched DNS Servers Still Not Safe!?!

OK, now we have some more bad news on the DNS front. There have been new developments along the exploit front that raise the bar for protecting DNS servers against the cache poisoning attacks that became all the focus a few weeks ago.

A new set of exploits have emerged that allow successful cache poisoning attacks against BIND servers, even with the source port randomization patches applied!

The new exploits make the attack around 60% likely to succeed in a 12 hour time period and the attack is roughly equivalent in scope to a typical brute force attack against passwords, sessions or other credentials. The same techniques are likely to get applied to other DNS servers in the coming days and could reopen the entire DNS system to further security issues and exploitation. While the only published exploits we have seen so far are against BIND, we feel it is likely that additional targets will follow in the future.

It should be noted that attackers need high speed access and adequate systems to perform the current exploit, but a distributed version of the attack that could be performed via a coordinated mechanism such as a bot-net could dramatically change that model.

BTW – according to the exploit code, the target testing system used fully randomized source ports, using roughly 64,000 ports, and the attack was still successful. That means that if your server only implemented smaller port windows (as a few did), then the attack will be even easier against those systems.

Please note that this is NOT a new exploit, but a faster, more powerful way to exploit the attack that DK discovered. You can read about Dan’s view of the issue here (**Spoiler** He is all about risk acceptance in business. Alex Hutton, do you care to weigh in on this one?)

This brings to mind the reminder that ATTACKERS HAVE THE FINAL SAY IN THE EVOLUTION OF ATTACKS and that when they change the paradigm of the attack vector, bad things can and do happen.

PS – DNS Doberman, the tool we released a couple of days ago, will detect the cache poisoning if/when it occurs! You can get more info about our tool here.