Research, NIST Speaks

Posted on December 31, 2007 by Nathan Grandbois

Over the past week some researchers have published new methods and tools for embedded device hacking and ways to improve blind SQL injection. It will be interesting to see the scope of where embedded device hacking goes, as more devices are getting additional capabilities, that may be coming in exchange for security. Also, the NIST says the feds are keeping up on their own penetration testing and will release new guidelines in March required third party testing for federally controlled facilities.

A new version of Nipper has been released. This handy tool performs configuration auditing for various network devices and can make limited security recommendations. When was the last time you went through your firewall rules? This should be happening at some regular occurrence, however dull it may be.

Another worm, Nugache, has recently been covered in an article by Bruce Schneier, where he talks about some interesting stuff. No direct C&C server, encrypted packets all around, and the ability for any node to become the “leader”. Bot development is becoming more sophisticated, and funded. Expect to see some serious Trojans in the coming future.

MS07-065 PoC, Scam Warning

Posted on December 28, 2007 by Nathan Grandbois

A proof of concept has been released for one of the vulnerabilities announced in Decembers Microsoft Update. The vulnerability in Message Queuing Service (ms07-065) now has a working proof of concept exploit available to the public. If you have not updated, or do not have automatic updates enabled, please do so.

Also, with the recent death of a foreign former prime minister, be on the lookout for emails or website attempting to lure you there as most of these will likely been social engineering/scam attempts.

More Storm Worm

Posted on December 27, 2007 by Adam Hostetler

Not a lot happening today in vulnerability news. However, a new round of the storm worm has been circulating. This time the emails are coming with “Happy New Years” themes. This one is seems to be pointing to the domain “uhavepostcard.com”. So be wary of any ecards in your inbox.

0wned By a Picture Frame & Other Digital Errata

Posted on December 26, 2007 by Brent Huston

First it was Trojan firmware on network routers, firewalls and other network appliances. That was followed by attackers installing trojans and malware on USB keys and then dumping them back into those sale bins by the registers. Now, SANS is reporting that a number of digital picture frames sold by retailers were pre-infected with malware, just waiting to be mounted on a PC during the picture loading process.

As we have been predicting in the State of the Threat presentations for more than a year, the attackers have found new and insidious ways to turn the newest and seemingly most benign technologies into platforms of attack. Now that just about everything from refrigerators to washing machines and from toasters to picture frames have memory, CPU and connectivity – the vectors for malware introduction and propagation are becoming logarithmically more available. As computers, mesh networks and home automation continue to merge, we have to think differently about risk, threats and vulnerabilities.

Until we as security folks can get our head around overall strategies for securing the personal networks and tools we become more dependent upon each day, we have to rely on point tactics like wiping drives when we get them, reloading firmware on all devices – even new ones – from trusted vendor sources and doing the basics to secure home and business networks and systems. Hopefully, one day soon, we can build better, more proactive solutions like integrated hashing, malware identification and other mechanisms for alerting users to basic tampering with our devices. While we geeks are getting the wired world we always dreamed of, we are learning all too quickly that it comes with some unexpected risk…

Novell Identity Manager, Groove Office

Posted on December 26, 2007 by Adam Hostetler

Groove Virtual Office is reported to have a vulnerable ActiveX control. The vulnerability is a buffer overflow which could potentially allow code execution if an exploit were successful. This vulnerability applies to Groove Virtual Office 3.x, and does not affect the newest version included in Office 2007. At this time there’s no patch, so it is recommended to disable the ActiveX control.

A vulnerability has also been reported in Novell Identity Manager. This vulnerability could be exploited by a remote attacker to cause a Denial of Service condition. It’s reported that version 3.5.1 is affected, but may also affect other versions. Novell has issued a patch for this issue.

Flash and Web 2.0

Posted on December 24, 2007 by Adam Hostetler

A new book due to be released, details vulnerabilities within Web “2.0” content. We expect this to create a rise in general knowledge among these web applications. One specific area within the book details , as of yet, unpatched Adobe Flash XSS vulnerabilities. It is speculated that there are thousands of Flash apps out there that are potentially vulnerable to these issues. It’s also known that many Flash authoring tools generate code with these bugs. It’s recommended that end users disable Flash for the time being. Adobe is expected to release updates for these issues within the coming weeks.

Reminder – New Systems Should Be Patched Before Use

Posted on December 24, 2007 by Brent Huston

Please remind teens, kids and adults who might receive computers for the holidays this year to patch them before general use. They should ensure that software and network firewalls are in place before connecting them to ANY network.

They should also ensure that they have anti-malware software that is up to date for any and all operating systems (even Linux and OS X) and that they follow other general guidelines of safe computing.

Remember, fight the urge to save the safety speech for another time. If the system gets compromised while they are using it for a test drive – being safe later will likely not help them be protected against bots, identity theft and other illicit computing dangers. It only takes one moment of exposure to compromise the system on an irreparable scale.

Happy and safe holidays to everyone. Have a joyous, peaceful and wonderful holiday season!

Storm Worm Goes Active Again and Odd Port 56893/TCP Probes

Posted on December 23, 2007 by Brent Huston

Two fairly interesting items tonight:

1) SANS is getting reports that the Storm worm is active again. This time sending messages attempting to draw victims to the “merry christmasdude.com” <take out the space> domain. As of 10:30 PM Eastern tonight, the domain is being flooded with traffic, but appears to be functional. SANS is suggesting applying domain blocks to the domain, and it would probably be good to add mail and other content filtering rules as well, if you are still using the blacklist approach. Here is the whois for the domain:

Domain name: MERRYCHRISTMASDUDE.COM
Creation Date: 2007.11.27
Updated Date: 2007.12.17
Expiration Date: 2008.11.27
Status: DELEGATED
Registrant ID: P4DHBN0-RU
Registrant Name: John A Cortas
Registrant Organization: John A Cortas
Registrant Street1: Green st 322, fl.10
Registrant City: Toronto
Registrant Postal Code: 12345
Registrant Country: CA
Administrative, Technical Contact
Contact ID: P4DHBN0-RU
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008@yahoo.com
Registrar: ANO Regional Network Information Center dba RU-CENTER
Last updated on 2007.12.24 06:17:35 MSK/MSD

2) Also, on a secondary note, we are getting a rapid increase in probes to TCP 56893. This port has been a known port for an SSH trojan and botnet deployment in the past. This may be related to the Storm worm activity or may be another bot group gearing up for activity.

It looks like the holiday is likely to bring a high level of increase in bot activity and as always, attackers will be looking for new machines received as gifts that will suddenly appear online and may be missing a patch or two. Make sure you give some advice to new techies and computer owners this holiday – patch early, patch often and make sure you build layers of defense against today’s emerging threats!

Bricked HP Notebooks, IBM BoF, Cisco DoS

Posted on December 21, 2007 by Nathan Grandbois

IBM Lotus Domino Web Access is vulnerable to a buffer overflow. An ActiveX control (dwa7.dwa7.1) is responsible for this error. This can be exploited remotely and successful exploitation could result in the execution of arbitrary code. The vulnerability is reported in dwa7W.dll version 7.0.34.1. Users should set the kill bit for this ActiveX control until an update is made available.

More issues with HP notebooks. Another buffer overflow has been discovered in the HP Software Update that could result in the modification of system files resulting in a non bootable system. Every HP machine containing the HP Software Update is vulnerable. A working POC exploit has been released to the public. At this time there is no update available.

Finally, there is a Denial of Service in Cisco Firewall Services Module. This is a result of an error processing data with Layer 7 application inspections. The vulnerability is reported in FWSM System Software version 3.2(3). Cisco has made an update and workaround available at http://www.cisco.com/warp/public/707/cisco-sa-20071219-fwsm.shtml

Apple Security Update, Various Overflows

Posted on December 18, 2007 by Nathan Grandbois

Apple has released security update 2007-009. This update contains fixes for several critical vulnerabilities, plus fixes for other issues. Updates are available for 10.4.11 and 10.5.1. For a complete list of vulnerabilities fixed, please visit http://docs.info.apple.com/article.html?artnum=307179.

There is buffer overflow in HP-UX. The issue lies in a function call to sw_rpc_agent_init within swagentd that if given malformed arguments, could result in a buffer overflow. This could allow attackers to execute arbitrary code. Authentication is not required. Hewlett-Packard has released an update to address this vulnerability, available from HP document ID #SB2294r1.

Trend Micro ServerProtect contains an insecure method exposure in the StRpcSrv.dll. The bug exists in the SpntSvc.exe daemon running on TCP port 5168. An attack against this vector could result in full file system access that could be leveraged to execute arbitrary code. An update to this issue has been release, and more information can be found at http://www.trendmicro.com/ftp/documentation/readme/spnt_558_win_en_securitypatch4_readme.txt.

The perl package Net::DNS is vulnerable to a denial of service. By sending a malformed DNS reply to a server or application running Net::DNS, it is possible to cause the package to crash. This would in turn crash any application running the Net::DNS module. Net::DNS version 0.60 build 654 is vulnerable. This issue has been assigned CVE-2007-6341.

St. Bernard Open File Manager is vulnerable to a heap-based buffer overflow. This is due to a boundary error in ofmnt.exe, in which an attacker can send a malicious packet to the service and cause the overflow. This could result in the execution of code as a SYSTEM user. Version 9.6 build 602 available to customers addresses this issue. Other vendors using this software may have made updates available as well.

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Emerging Threats