Leopard Clawing WoW?

MacOS X Leopard has issues with the firewall. For starters, the firewall is deactivated upon installation. Next, the firewall has changed so that it now operates at the application level and performs signature checks. If Apple does not have a digital signature for an application, it will sign the application itself. If the binary changes at any time, it will be denied internet access. This is causing problems with applications that change their binaries, such as Skype and World of Warcraft. Users having issues with these applications have reported a reinstall fixing the issue. There’s much discussion about this on the WoW forums.

In other news, a new blind SQL injection tool has been released, http://sqlmap.sourceforge.net/. I haven’t personally used this tool but it looks promising. Also, the “cyber jihad” rumored to start on 11/11 is nothing more than a rumor. I remember the last time they tried this and it fizzled out to nothing, just like it likely will this time. At best they may be able to pull off some DoS attacks, but no extra precautions are required if you are regularly vigilant.

OpenBSD Ouchie, Apple QuickTime and Solaris 10 Vulns

In a pretty rare occurrence, a remote buffer overflow in OpenBSD has been identified. The vulnerability exists in “dhcpd”, the DHCP daemon, and allows denial of service and arbitrary code execution on 4.0 – 4.2. This issue was originally published in May, but new developments have been made in refining the exploits and in details about the issue. Patches are available, and should be installed as soon as possible.

Apple updated QuickTime to fix several identified issues, including some security problems. The updates are now available, and if you use the Apple update service, you should get them applied automatically. The big problem repaired in this release is a heap overflow that can be used to seize control of machines. We mention this update because QuickTime is one of those pesky applications that seem to turn up everywhere, in many organizations. It would likely be wise to check not only workstations, but also any servers that are used in training, multi-media or presentations. QuickTime seems to be a common tool for these mechanisms.

Lastly, Solaris 10 systems have proven to be vulnerable to a new buffer overflow in the monitoring package “srsexec”. This is installed in many Solaris systems, especially those leveraging the centralized console management and administrative console applications. Attackers with local access to the Solaris system can exploit this issue to execute arbitrary code as “root”, since the binary is suid by default. Patches are already available and should be applied as soon as practical.

Daylight Savings Time & Sonicwall VPN Problems

Daylight savings time caused us to fall back an hour this weekend. Unfortunately it looks like some gadgets and systems missed the memo. Be sure to check all of your systems, routers, firewalls, and other devices to make sure they’re all in sync.

Also, Sonicwall VPN has been found vulnerable to a few issues. The issues could allow an attacker to delete arbitrary files on a host computer, or possibly even compromise the system. Sonicwall has already released an update, so get the newest firmware to mitigate these problems.

A Couple of Interesting Developments

First, a couple of new tools are available specifically geared at cracking Oracle 11g password hashes. These are specifically aimed at attacking the newest features that 11g introduces to better protect the passwords. They also have some short cuts for those folks still making the old style DES passwords available (likely for backwards compatibility with older apps or uses). Essentially, these new mechanisms are slower than old hash attacks, but are still effective. In today’s world of computational power and bot-net distributed password cracking capability, it is pretty darn safe to assume that if the attacker can get the hash – they can get the password.

Another issue that is likely to be an annoyance for some folks is that a new remote Denial of Service attack has been identified in Ubuntu 6.06 DHCP server. While the attacker can’t really gain access to the system using it, they can replace the dead DHCP server with their own, which could include malicious entries and other annoyances. This DHCP server is popular in many cyber cafes I have visited – particularly outside of the US. Just another reminder that you have to pay attention to network connectivity. It might seem like ubiquitous wireless access is a boon, but without the capability to trust the network you use, you have little reason to trust the content you receive!  — Just a reminder!

Vulnerability Updates, Firefox 2.0.0.9, and a Mac Trojan

Similar to previously reported vulnerabilities, Symantec’s Mail Security Appliance is vulnerable to denial of service and a buffer overflow. This is due to insecurity in a third party tool. The exploit can be triggered when the appliance checks a specially crafted file. Administrators are recommended to update to version 5.0.0-36 or later.

Two ActiveX controls installed on client systems using SonicWALL SSL VPN contain vulnerabilities. The first, NeLaunchCtrl, contains boundary errors in a number of functions that could result in a buffer overflow by visiting a malicious site. The WebCacheCleaner control contains an insecure “FileDelete()” method that can be exploited to delete arbitrary files on a system. Firewall admins should update to firmware version 2.5 for SonicWALL SSL VPN 2000/4000, and version 2.1 for SonicWALL SSL-VPN 200.

Hewlett-Packard OpenView Radia Integration Server contains a vulnerability that could allow remote attackers to access arbitrary files on the system. The issue is within the HTTP server running on TCP port 3456 and can be exploited without authentication. Attackers could use this to access configuration or log files which could aid in furthering an attack.

In other news, Firefox update 2.0.0.9 has been released. This is not a security fix, but a stability release. Users should be running at least version 2.0.0.8.

A Mac-based Trojan, disguised as a video codec, is in the wild. Spam emails directing people to pornographic websites are hoping to lure users into downloading a required codec to watch videos. Once downloaded, no codec is actually installed; a Trojan is installed instead.

Slight Increases in SSH Probes

Our HoneyPoints have been picking up slight increases in the probes and brute force attacks against port 22 – SSH. We are seeing increases in wide scale SSH scans and attacks against common login/password combinations.

Now might be a good time for folks to take a look at their perimeter and make sure no one has poked an SSH exposure through. If you have some, they should be immediately audited for common account use. Treat any system with these issues as likely compromised and initiate an investigation.

Most of these compromised systems are used for further scanning and many have bot-net clients installed. Keep an extra eye on your logs for obvious forms of bot-net traffic, such as IRC connections, odd ports and outbound half-open TCP connections.
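One way to run the audit described above over sshd logs, as an added example that is not part of the original post: it flags sources that fail against several accounts and marks them as likely compromised when a login then succeeds. The log lines, addresses, thresholds and the common-account list are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed list of commonly guessed account names; extend it for your environment.
COMMON_ACCOUNTS = {"root", "admin", "test", "guest", "oracle", "postgres"}

# Constructed OpenSSH syslog lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
Nov  5 02:11:01 gw sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Nov  5 02:11:03 gw sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Nov  5 02:11:05 gw sshd[815]: Failed password for invalid user guest from 203.0.113.7 port 40131 ssh2
Nov  5 02:11:08 gw sshd[817]: Failed password for test from 203.0.113.7 port 40140 ssh2
Nov  5 02:11:12 gw sshd[819]: Accepted password for test from 203.0.113.7 port 40155 ssh2
Nov  5 03:40:10 gw sshd[850]: Failed password for root from 192.0.2.50 port 33001 ssh2
Nov  5 03:40:12 gw sshd[852]: Failed password for invalid user oracle from 192.0.2.50 port 33009 ssh2
Nov  5 03:40:15 gw sshd[854]: Failed password for invalid user admin from 192.0.2.50 port 33017 ssh2
Nov  5 09:30:44 gw sshd[901]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Nov  5 09:30:52 gw sshd[901]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+")

def analyze(log_text, min_failures=3):
    """Flag sources with repeated failures against more than one account;
    a later successful login from such a source is 'likely-compromised'."""
    failed = defaultdict(list)   # source address -> account names that failed
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        tried = failed[src]
        if outcome == "Failed":
            tried.append(user)
        elif len(tried) >= min_failures and len(set(tried)) > 1:
            findings[src] = {"status": "likely-compromised", "account": user}
    for src, tried in failed.items():
        if len(tried) >= min_failures and len(set(tried)) > 1:
            findings.setdefault(src, {"status": "scanning", "account": None})
            findings[src]["failures"] = len(tried)
            findings[src]["common_accounts"] = sorted(set(tried) & COMMON_ACCOUNTS)
    return findings
```

A single mistyped password followed by a success, as in the last two sample lines, is not flagged.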

InstallShield Issues and BorderManager Vulns

Macrovision InstallShield Update Service contains an insecure method vulnerability. InstallShield contains an ActiveX control that is marked safe for scripting. An attacker could leverage the update service to download and install malicious software. Because the control is marked safe for scripting, this could be exploited by a malicious web site or a downloaded application. The control should be disabled by setting the kill bit for its CLSID in the registry, so that Internet Explorer will not load it:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E9880553-B8A7-4960-A668-95C68BED571E}]

"Compatibility Flags"=dword:00000400

The updated versions of FlexNet and InstallShield products will not be marked safe for scripting.
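A check for the registry entry above, as an added example (not from the original post or from Macrovision): it parses exported .reg text and reports whether the control's CLSID has the 0x400 flag set. The sample export, the all-zero CLSID and the 0x20 value are constructed.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE loading a control
CLSID = "{E9880553-B8A7-4960-A668-95C68BED571E}"  # CLSID from the entry above
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed export: a placeholder CLSID has the kill bit, the target does not.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E9880553-B8A7-4960-A668-95C68BED571E}]
"Compatibility Flags"=dword:00000020
"""

VALUE_RE = re.compile(r'"Compatibility Flags"\s*=\s*dword:([0-9a-f]{8})$', re.I)

def kill_bit_set(reg_text, clsid=CLSID):
    """Return True only if the key for clsid carries Compatibility Flags with
    bit 0x400 set. Values under other keys, and value names written with
    typographic quotes instead of straight ones, do not count."""
    wanted = (BASE + "\\" + clsid).lower()
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key names are case-insensitive; "[-KEY]" (a deletion) never matches.
            in_key = line[1:-1].lower() == wanted
            continue
        m = VALUE_RE.match(line)
        if in_key and m:
            return bool(int(m.group(1), 16) & KILL_BIT)
    return False

if __name__ == "__main__":
    print("kill bit set for", CLSID, "->", kill_bit_set(SAMPLE_EXPORT))
```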

Additionally, Novell Border Manager Client is vulnerable to a remote heap-based buffer overflow. The vulnerability exists within the Client Trust Application and can be exploited by sending a specially crafted packet to the application. Successful exploitation could result in the execution of arbitrary code. The vulnerability is reported in Novell BorderManager 3.8.

WatchDog Content Moving to StateOfSecurity.com

If you are a regular WatchDog product user, then you may already know this, but on November 1, 2007 MSI will move all WatchDog content to this blog and begin to phase out the WatchDog client program.

This is being done to simplify the use and access to the information and to enable users to easily leverage our threat intelligence offerings via RSS and other popular mechanisms without using our locked-in client.

The same information that WatchDog has brought to you for years will continue, but hosted here instead of through the WatchDog client. It will also be stored in the emerging threats category – thus making it easy to subscribe or filter on.

We hope you continue to benefit from our work and insights, and please, let us know how you like the WatchDog content and if we can do something better or more helpful with the data.

Blast(s) From the Past

A few of my HoneyPoints delivered an interesting blast from the past to me this morning. Around 2pm Eastern yesterday, one of our IP ranges got hit by a scan with this signature on port 80:

GET /level/16/exec/-///pwd HTTP/1.0

The web connection was then followed by a series of connections on port 23, though the tool did not do anything more than banner grabbing on the telnet port.

While the scan was obviously an attempt to exploit the old Cisco HTTP vulnerability (circa 2001), I had not seen probes for those issues in quite some time. I also had not seen a tool that also connected on port 23 of the same host and did banner grabbing, which is why this stood out above the usual noise.
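Detection logic for the pattern described above, as an added example that is not part of the original post: it matches the /level/NN/exec/ request on port 80 and correlates it with a port 23 connection from the same source to the same host. The event tuples, addresses and the 60-second window are constructed assumptions.

```python
import re

# Request line of the probe: /level/<privilege level>/exec/<command path>.
CISCO_EXEC = re.compile(r"^GET /level/\d{1,2}/exec/\S* HTTP/1\.[01]$")

# Constructed honeypot events:
# (seconds, source, destination, destination port, first line received)
EVENTS = [
    (100, "192.0.2.44", "198.51.100.5", 80, "GET /level/16/exec/-///pwd HTTP/1.0"),
    (103, "192.0.2.44", "198.51.100.5", 23, ""),
    (110, "192.0.2.44", "198.51.100.6", 80, "GET /level/16/exec/-///pwd HTTP/1.0"),
    (500, "192.0.2.99", "198.51.100.5", 80, "GET /index.html HTTP/1.0"),
    (505, "192.0.2.99", "198.51.100.5", 23, ""),
    (900, "192.0.2.44", "198.51.100.6", 23, ""),
]

def correlate(events, window=60):
    """Return (hits, probe_only).

    hits: exec probes followed within `window` seconds by a telnet
    connection from the same source to the same destination.
    probe_only: (source, destination) pairs probed on port 80 with no
    telnet follow-up inside the window.
    """
    pending = {}   # (source, destination) -> time of the latest exec probe
    hits = []
    for ts, src, dst, dport, data in sorted(events):
        key = (src, dst)
        if dport == 80 and CISCO_EXEC.match(data):
            pending[key] = ts
        elif dport == 23 and key in pending and ts - pending[key] <= window:
            hits.append({"src": src, "dst": dst, "delay": ts - pending.pop(key)})
    return hits, sorted(pending)

if __name__ == "__main__":
    found, unpaired = correlate(EVENTS)
    print("probe + telnet:", found)
    print("probe only:", unpaired)
```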

This brought about a very interesting point that many of these old vulnerabilities are making comebacks. Scans for old web vulnerabilities like Unicode issues, Double Decode, Code Red and the ASN.1 worm continue to be among the most seen probes on the Internet. Other folks have talked about the idea that perhaps as more third world countries become more Internet connected, that technology may not be updated there as rapidly – which could cause the lifecycle of older vulnerabilities to either be reborn or at least, eke out a longer existence. Could ancient vulnerabilities like RDS and .HTR buffer overflows still be leveraged for Internet compromise? The possibility is high that some small percentage of systems is likely available as a vulnerable target.

Does this mean that vulnerabilities will have a lifecycle that approaches infinity? If there are still systems out there that are vulnerable, why would some attacker without general worries of discovery not just keep building a super-worm that continually crawls the net looking for every known web vulnerability to date? If incorporated and distributed through bot-net style approaches, this is likely pretty feasible – particularly if you can make the attack smart enough to adapt its vulnerability testing to the specifics of a target – much like a modern scanning tool.

How will some of these older vulnerabilities fare? It remains to be seen, but my bet is that blasts from the past are likely to keep on rolling in some diminutive way. Let’s just say that I think it will be a long time before we live in a Code Red free world.

VMWare Guest Security Problems

A few more problems seem to have been identified in VMWare and the potential isolation of the Guest systems. This article discusses how malicious code can be spread to Guest hosts via the scripting API of VMWare products.

This is especially dangerous given that many security researchers use VMWare and other virtualization mechanisms to study malware, attack code and other less-than-friendly mechanisms, but it has ramifications for everyone else too. VMWare claims, according to the author of the article, to stick to their design decision that allows the issues to exist. They believe that the good of the feature outweighs the risk of compromise. I am not so sure they are right.

VMWare and other solutions are quickly moving into the core of most organizations and their IT spectrum. They have long evolved from geek-centric tool to mainstream deployment. As such, a vulnerability of this magnitude should be treated as severe. Guest OS isolation has always been a deep value to be maintained if virtualization is to reach even higher market penetration. Organizations simply can not afford, in today’s regulatory environment, to not be able to depend on isolation in their virtual systems. Without it, they will be back to deploying multiple physical systems to manage compliance – and we have already seen that this is not the way we want to go.

While work-arounds for fixing this specific issue exist (read the article for details), I think all IT folks should make it very clear to VMWare and other virtualization vendors that we can not accept issues with host isolation, no matter the cost to features and shortcuts. The risk is simply too high. Please, if you are a user of VMWare, let them know your thoughts. Drop them, or us, a line.

Oh, and don’t forget to modify your config files to disable the feature that makes this vulnerability possible!