An exploit has been released that takes advantage of a vulnerability in OfficeScan 7.3. The vulnerability is within the ActiveX control. Exploitation of this vulnerability allows arbitrary code execution. Trend Micro has already patched this issue, and version 8 of OfficeScan is not vulnerable. So if you are vulnerable, apply the update or upgrade to verson 8.
We have kind of been breaking down the DNS cache poisoning exploit scenarios and have been dropping them into 3 different “piles”.
1) Massive poisoning attacks that would be used a denial of service style attack to attempt to “cut an organization off from the Internet” or at least key sites – the damage from this one could be low to medium and is obviously likely to be discovered fairly quickly, though tracking down the issue could be difficult for organizations without adequate technical support or on-site IT teams
2) Large scale attacks with malware intent – these would also be largely executed in an attempt to introduce malware into the organization, browser exploits, client-side exploits or forms of social engineering could be used to trick users into activating malware, likely these attempts would introduce bot-net agents into the organization giving attackers remote control of part or all of the environment
3) Surgical poisoning attacks – these attacks would be more focused and much more difficult to identify, in this case, the attackers would poison the cache of sites that they knew could be critical- this could be as obvious as the windows update sites or as focused as the banking sites or stock trade sites of executives, this attack platform is likely to be focused on specific effects and will likely be combined with social engineering to get insight into the specifics of the target
There certainly may be a myriad of additional scenarios or specific focus points for the attacks, but we wanted to give some examples so that folks can be aware of where attackers may go with their new toys and techniques.
Doing incident response and forensics on these attacks could be difficult depending on the levels of the cache time to live and logging that is done on the DNS systems. Now might be a good time to review both of these variables to make sure they will be adequate to examine any attack patterns should they be discovered now, or in the future from this or any other poisoning attack vector.
As we stated earlier, please do not rely on the idea that recursion is only available from internal systems as a defense. That might help protect you from the “click and drool” exploits, but WILL NOT PROTECT YOU from determined, capable attackers!
For those organizations who have decided not to patch their DNS servers because they feel protected by implemented controls that only allow recursion from internal systems, we just wanted to point out that there a number of ways that an attacker can cause a recursive query to be performed by an “internal” host.
Here is just a short list of things that an attacker could do to cause internal DNS recursion to occur:
Send an email with an embedded graphic from the site that they want to poison your cache for, which will cause your DNS to do a lookup for that domain if it is not already known by your DNS
Send an email to a mail server that does reverse lookups on the sender domain (would moving your reverse lookup rule down in the rule stack of email filters help minimize this possibility???)
Embed web content on pages that your users visit that would trigger a lookup
Trick users through social engineering into visiting a web site or the like
Use a bot-net (or other malware) controlled system in your environment to do the lookup themselves (they could also use this mechanism to perform “internal” cache poisoning attacks)
The key point here is that many organizations believe that the fact that they don’t allow recursion from external hosts makes them invulnerable to the exploits now circulating in the wild for the DNS issue at hand. While they may be resilient to the “click and drool” hacks, they are far more vulnerable than they believe to a knowledgeable, focused, resourced attacker who might be focused on their environment.
The bottom line solution, in case you are not aware, is to PATCH YOUR DNS SYSTEMS NOW IF THEY ARE NOT PATCHED ALREADY.
Please, do not wait, active and wide scale exploitation is very likely in the very near future, if it is not underway right now!
An exploit for the recent DNS issue has been released in a popular attack framework (Metasploit). This is going to make running the exploit trivial for any would be malicious user that has enough skill to download Metasploit. The exploit claims to only work against Bind 9, but I would be very surprised if it doesn’t work against all the other vulnerable DNS implementations. This issue isn’t just going to go away and hide in a corner somewhere. So, if you haven’t yet patched, DO IT NOW!!.
Unfortunately, the blackout period for the DNS issues has been broken. The exploit details have been made public and have been in the wild for a number of hours. While the security researchers involved have tried to remove the details and analysis, Google had already cached the site and the details are now widely known.
Please patch IMMEDIATELY if you have not already done so!
If you can not patch your existing DNS product, please switch to a patched public DNS (for Internet resolution) or deploy OPENDNS as soon as possible.
Here is a quick and dirty plan of action:
1. Catalog the DHCP Servers you use on the Internet and internally. Be sure you check all branch locations, firewalls and DHCP servers to ensure that you have a complete picture. If you find any Internet facing DNS with recursive enabled, disable it ASAP!
2. Verify that each of these DNS implementations are patched or not vulnerable. You can check vulnerability by using the “Check DNS” tool at Mr. Kaminski’s page, here.
3. Test the patch and get it implemented as quickly as possible.
4. Note that you may have to upgrade firmware and software for firewalls, packet filters and other security controls to enable them to understand the new DNS operations and keep them from interfering with the new way that DNS “acts”.
Please note that the exploit for this cache poisoning attack in now public and exploitation on a wide scale could already be underway. PATCH AS SOON AS POSSIBLE!
Symptoms to look for include:
Vulnerability: unpatched and non-random source ports for DNS query responses.
Exploit: check for a large number of non-existent subdomains in your DNS records (or subdomain requests in your logs) if you are an authoritative DNS for a domain, attackers will be poisoning the cache with subdomain records at least according to some researchers.
If you have questions or concerns, please contact MSI for more information or assistance.
Updates to our DNS paper and other details will be released soon, so check back with stateofsecurity.com for updates.
We are seeking a new member for our team of security analysts, engineers and consultants. This is a junior level, full time, salary position. We are seeking technicians with the following skills and interests. You do NOT need security experience, as we will teach the successful applicant our award-winning methodologies and approaches to information security.
What you bring:
Technical Skills:
Knowledge of Perl, PHP and/or Python or other programming language(s)
Knowledge of Windows and/or Linux/OS X/BSD
Understanding of basic IP networking, TCP protocols and network troubleshooting, etc.
Personal Skills:
Ability to work as a member of an elite team
Personal diligence, attention to detail and a dedication to learning and exploring infosec topics
Self reliance, initiative and the ability to pass a full background check
An already existing capability to work in the United States
Flexibility and great customer service skills
This position is located in Columbus, Ohio and physical presence is required. Some occasional business travel will be required, usually in 3-5 day increments.
What we bring:
A unique business casual atmosphere with the most dedicated, enthusiastic and technically capable team that you can find.
A full benefits package including health, life and disability insurance, 401(K) with match, performance-based bonuses, paid vacations and personal time and much more.
Ongoing training programs and involvement in the information security community.
How to apply:
To apply to join our team, please send your resume, a technical writing sample and salary requirements to “jobs [at] microsolved [dot] com”.
Be sure to include the writing sample and salary requirements as incomplete submissions will not be reviewed.
Please, no phone calls, headhunters or third parties.
We are only interested in talking directly to folks who want to join our team and are willing to make the personal commitment to be the best at what they do. If this does not describe you, then please, ignore this posting. 😉
Apple Mac OS X 10.5 and 10.4 ARDagent (Apple Remote Desktop) contains a vulnerability that allows local users to gain root privileges through an AppleScript command. This issue was first presented last month, but now there are indications that this vulnerability is being actively exploited to install malicious software on target systems. Because this vulnerability is so easy to exploit, and allows root access, there is a potential for a lot of bad things to land on the system, such as rootkits.
At this time there has been no patch provided by Apple. Users are cautioned to only run trusted AppleScripts, and only install trusted applications.
Oracle has released their set of critical patches for July 2008. These fix multiple issues across several product lines. Potential impact against unpatched systems include remote system access (as root), privilege escalation, Denial of Service issues and information leakage. If you are running any of the following products you should visit Oracle’s advisory and begin the patching process.
Affected products:
Original Advisory:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
As I referred to earlier, our team has been doing some research on popular content management systems and potential security vulnerabilities in them. We were doing this as a part of a review of the Syhunt Sandcat4PHP product that our partner has released.
As a part of that project, we have identified significant vulnerabilities in each of the popular content managers we reviewed. Several of the products were found to have various types of injection vulnerabilities (SQL/command/etc.), arbitrary file disclosure and access issues and tons of cross-site scripting (XSS) problems. We are now in the process of notifying each of the product teams about the vulnerabilities we identified.
How bad were things? One word, abysmal…
Here is an inside glimpse of the raw math of the scanning tool’s findings:
CMS           Injections & File Issues       XSS          “Risk Rating”
==================================================
Bitweaver             37                 7              42.25
Drupal               97                 2              98.50
Joomla                4                15              15.25
Mambo               45               207             200.25
WordPress              5               166             129.50
** The “risk rating” was based upon each injection and file issue being given a score of 1.0 and each XSS being given a score of .75, then adding them together. It should be noted that this was an arbitrarily chosen mechanism created to give a simple basis for comparison and is NOT reflective of any specific risk rating system or the like. Also, no general weighting or anything is included, so I use the term “risk” loosely…
I also dropped the data into InspireData, a quick and dirty visualization tool I like to play with. It produced these quick images (Note that you can download them for a clearer view):
This graph shows a plot of the “risk score” by the product tested.
This graph shows a matrix of the products plotted across an axis for Injections and File Leaks and an axis for XSS. Interestingly, the red lines show the mean values of the plot just for a quick reference.
As I said before, our team is in the process of contacting each of the CMS projects that we tested and will be disclosing the vulnerability information to them for their mitigation. Our team did some basic testing and analysis on the data that the Syhunt tool found and determined it to be pretty good at finding the issues. We found very few false positives, and the ones we did find were areas where other functions are involved in testing inputs beyond the initial layer of the source code.
The Syhunt tool did very well. It is a great tool for a 1.00 release and very much worth the cost. If you have PHP and javascript applications in your environment, I would suggest grabbing your team a copy. If you have applications that you would like tested by a third party, please feel free to contact us for a quote. Let us know if we can be of any assistance or if you have questions about what we did or the like.
Please note that we will NOT be making disclosures of the identified vulnerabilities at this time, so don’t ask. We will be working with the project teams to mitigate any vulnerabilities identified.
Note that all products were downloaded from public sources and are “open” projects. Versions were current as of the download date. We only scanned the source of core products, no plugins/add ons/expansions or modules outside of the core products were tested in this project. Your paranoia may vary and you should not take any of the results of these tests as advice or endorsement of any of these projects or products. Use the results at your own risk…… 😉
I just had a quick conversation with an IT technician who alluded to the idea that more than Zone Alarm may be broken by the new port randomization behaviors of “patched DNS”. These fundamental changes to the ports allocated for DNS traffic may confuse existing firewalls and other filtering devices that are unaware of the changes to DNS behaviors.
For example, if you have filtering devices that specific port ranges defined for egress or ingress of DNS traffic, especially if you are using a non-stateful device, this configuration may need to be changed to allow for the greater port range applied to the “patched DNS” setup. Systems that are also “DNS aware” might not expect the randomization of the ports that the patching is creating. As such, filtering devices, especially at the perimeter may well need to be reconfigured or upgraded as well to allow for continued operation of unimpeded DNS traffic.
There may be SEVERAL other nuances that become evident in some environments as the patch process for the DNS issue continues to evolve. Stay tuned to stateofsecurity.com and other security venues for information and guidance as it becomes available.