An exploit has been released into the wild for Tomcat Connector version jk2-2.0.2. The vulnerability exploited exists in the Host Header field of the apache jk2 module. At this point it’s known to work on Fedora Core versions 6,7, and 8. Other distros will likely also be affected by the exploit. If you are using the legacy 2.0.x tree of the Apache Tomcat Connector, upgrade to version 2.0.4, or use the newest version of mod_jk.
I thought this particular “hacker” article was pretty interesting. Thanks to Dr. Anton Chuvakin’s “Security Warrior” blog for pointing it out.
Once you look beyond the manifesto hype, you can really get a feel for what it represents. It represents a call to action to remind security professionals that the game has changed. The network and systems that it is composed of remain but a part of the security equation. The real target of the attackers that represent the REAL THREAT is the data that the network and systems hold.
Attackers have definitely moved up the stack. They do not care that most organizations are still focused on the network layer and more than a few are still trying to get the basics of that right. In fact, it simply empowers them more.
Today, attackers are focused on the application. That is true whether you look at holes like SQL injection and XSS or at the browser vulnerabilities that are at the root of a majority of malware and bot-net activity today. Today’s attackers have excellent tools for exploit development that have seriously changed the security landscape. More attackers understand the deeper nuances of computer science than ever before. Man security teams and professionals are lagging behind in knowledge, resources and capability.
One of the big reinforcers of this ideal to me was a presentation I gave a few weeks ago about application security. During the research for it, I found that according to several sources, a HUGE amount – roughly a third – of all reported security incidents last year involved SQL injection and XSS. Almost 2/3s of all reported incidents were web-application focused. Clearly, there is no denying that the attackers have moved up the security stack – the question is – have the defenders…
What are you, your security team and your security partners doing today to ensure that your data is protected tomorrow?
There appears to be two vulnerable ActiveX controls in Symantec Internet Security 2008. The following ActiveX controls are vulnerable:
Progid: SymAData.ActiveDataInfo.1
Clsid: 3451DEDE-631F-421c-8127-FD793AFC6CC8
File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll
Version: 2.7.0.1
Clsid: 3451DEDE-631F-421c-8127-FD793AFC6CC8
File: C:\PROGRA~1\COMMON~1\SYMANT~1\SUPPOR~1\SymAData.dll
Version 2.7.0.1
These ActiveX are marked safe for scripting by Symantec. According to Symantec, although they are marked safe for scripting, they will only run from the “symantec.com” domain. Successful exploitation would require the use of XSS or DNS poisoning techniques, but could allow for complete control over a users system simply by viewing a malicious page. Symantec has issued updates to fix these vulnerabilities.
There’s a SQL injection in a the Wordress Download plugin. Data passed to wp-download.php is not properly sanitized before being processed by SQL. This could result in a SQL injection attack that could lead to the disclosure of usernames and passwords. WordPress admin’s should update to version 1.2.1.
There’s a major vulnerability in and activex control installed by Macrovision InstallShield InstallScript One-Click Install (OCI). The control gets installed via webpages prompting to install software. A large user base is likely affected by this. Basically, when the activex control is initiated it loads several DLL’s that are not sanity checked. These DLL’s could execute arbitrary code when loaded. This vulnerability has been confirmed in version 12.0. The following are the properties associated with the activex:
File: %WINDIR%\Downloaded Program Files\setup.exe
CLSID: 53D40FAA-4E21-459f-AA87-E4D97FC3245A
Macromedia has released a hotfix for this issue, available along with the KB entry for this vulnerability, at http://knowledge.macrovision.com/selfservice/microsites/search.do?cmd=displayKC&externalId=Q113640
Multiple CA products containing the DSM ListCtrl ActiveX Control are vulnerable to buffer overflow. Exploit code has been posted to a public area for this issue. This could allow attackers to cause a denial of service or execute code in the context of the user running the browser. Some mitigating factors taken from the original advisory:
” Mitigating Factors: For BrightStor ARCserve Backup for Laptops &
Desktops, only the server installation is affected. Client
installations are not affected. For CA Desktop Management Suite,
Unicenter Desktop Management Bundle, Unicenter Asset Management,
Unicenter Software Delivery and Unicenter Remote Control, only the
Managers and DSM Explorers are affected. Scalability Servers and
Agents are not affected.”
CA has posted an update for the affected software.
VMWare has issued an update for VMWare ESX. This update fixes a vulnerability that could cause a denial of service. Users/Administrators should apply ESX 2.5.5 Upgrade Patch 6.
It appears that possibly a new tool to find vulnerabilities in tftp servers may be floating around. In the last several days 3 different TFTP programs have had 0Day exploits released. We’re not sure of the similarities in the exploits yet, but being across multiple products shows that there is some underlying issue. The currently affected TFTP servers are Quick TFTP, PacketTrap Networks TFTP Server, and TFTP Server for Windows. If you happen to use any of these, update as soon as possible. If you are using other TFTP server software, keep an eye out for updates.
I have spent just a little time playing with VoIP Hopper, which was updated in mid-February. Thus far, this seems like a pretty useful tool for doing penetration testing and enumeration of your VLAN segments and VoIP deployments.
The tool is very capable. It can easily help you scan your installations with CDP discovery and can be very useful in testing VLAN architectures for common security holes.
It is a command line tool written in C, but you should have no problem compiling it in your favorite Linux environment. It even works nicely on a default BackTrack install, so it playing with it should be easy on your lab schedule.
There has been a lot of attention paid to VoIP security over the last couple of years and this is certainly a nice quick and dirty tool for looking around your install. It also sheds a little light on the mistaken idea that some service providers like to pretend is the gospel – VLANs really won’t keep your VoIP secure. You can use this tool to prove them wrong if they just won’t listen to reason…
Play nice with it and make sure you only use it in the lab or on authorized networks…
The Cisco Systems Product Security Incident Response Team release a group of security advisories today. The majority of the vulnerabilities can result in Denial of Service for multiple products. Here’s the round up:
Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability
Devices running certain versions of Cisco IOS prior to 12.3 with VPDN enabled may be affected by the vulnerabilities. The vulnerabilities are a result of a memory leak and an inability to reuse virtual interfaces. See the original advisory for full details:
http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml
Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Certain Processors
Some Cisco Catalyst 6500 Series and Cisco 7600 Routers running particular branches of Cisco IOS based on 12.2 may be vulnerable to a denial of service vulnerability. To be vulnerable they must be configured to use OSPF and MPLS enabled VPNs. Products known to be vulnerable are based on the Supervisor Engine 32 (Sup32), Supervisor Engine 720 (Sup720) or Route Switch Processor 720 (RSP720). See the original advisory for full details: http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers
Devices running Cisco IOS software with Internet Protocol version 6 (IPv6) enabled may be subject to a denial of service attack. To be vulnerable the device must also have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. See the original advisory for full details: http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
All devices running Cisco IOS with the Data-link Switching (DLSw) feature enabled may be susceptible to a vulnerability that can result in a reload or memory leak when processing specially crafted UDP or IP Protocol 91 packets. See the original advisory for full details: http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
All devices running Cisco IOS and configured for MVPN are susceptible to a vulnerability that can allow an attacker to receive multicast traffic from other MVPN networks. See the original advisory for full details: http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
Vulnerabilities have been reported in Mozilla Firefox and Thunderbird. These vulnerabilities could be exploited by malicious people to ypass browser/mail client security restrictions, disclose information, and conduct cross-site scripting and phishing attacks. Version 2.0.0.13 fixes these issues for both Firefox and Thunderbird, so update as soon as possible.
An Excel exploit has been released into the wild. The exploit takes advantage of a vulnerability described in MS08-014. Microsoft has already released an update for this, so if it hasn’t been installed already. Now would be a really great time to do so.
I was reading my email this morning, and a particular spam had slipped through the filter. It was wanting me to look at some enticing Shakira video, and being the inquisitive person I am, I looked at the URL. I was surprised to find that the URL was google.com, and there was a redirection within the ad mechanism. As an example http://www.google.com/pagead/iclk?sa=l&ai=RZLTKo&num=30620&adurl=http://microsolved.com
This is something I had not noticed before, and so did a little research. It seems that this is how Google ads works, and within the last couple of weeks spammers and phishers have been abusing this pretty blatantly. Because this appears to be working “as designed”, I wouldn’t expect to see any changes to how this works in the near future.