Bad News in Trends of 2007

Posted on December 11, 2007 by Brent Huston

The infosec community got some bad news today in the first release of trends for 2007. Overall, things are not going as well as we would like. Attacks continue to rise and successful compromises that end in data compromise are up.

Attackers seems to have fully embraced client-side attacks and bot-nets for performing illicit activity and laptop theft is also seen as rising. As expected, identity theft is rapidly becoming a huge criminal enterprise with an entire underground economy emerging to support it.

Reports came out today that showed that malware attacks have doubled in 2007 and that data theft rates have TRIPLED!

From our standpoint, this validates that existing traditional security controls based around the perimeter simply are NOT WORKING. We must establish defense in depth. We must embrace enclaving, encryption of sensitive data and portable systems and establish proactive security mechanisms that can raise the bar of compromise out of the reach of the common attacker. Until we begin to think differently about security, data protection and privacy – these trends remain likely to increase even further.

A Plethora of New Issues for Today

Posted on December 11, 2007 by Brent Huston

It’s been a busy morning for vulnerabilities so far. We are tracking new vulnerabilities in the following applications:

Squid Proxy – a DoS problem has been identified in the ICAP implementation that could allow attackers to spike the CPU of the server, a patch is available and should be applied on your next maintenance process

Samba – A buffer overflow in Samba version 3.0.27a allows remote execution of code if the “domain logons” option is enabled, patches are available on the Samba site for the problem.

WordPress – A SQL injection has been found in the charset implementation. Dumping the database is possible and when combined with other exploits already available can allow remote compromise of the WordPress Admin password. There is a workaround, but it is very specific to each WordPress deployment, so check the WordPress site carefully for info on this issue.

We are also tracking a few new tools of interest, that might increase some of the scan and probe traffic over the next few weeks while attackers play with their new toys. They are:

HttpRecon – a tool for advanced web server fingerprinting, likely to increase web server probes as the tool is examined and included into other tools

BurpSuite – a new revision of this tool for testing websites for things like SQL injection and XSS is now available, likely to cause scans for web application problems

EchoVNC – a firewall, proxy and network access control avoidance enabled version of the VNC server has been released, this is likely to be a useful tool for attackers and bot-masters as they compromise networks

Lastly, Microsoft is releasing a large load of patches today. Amongst them are 3 remotely exploitable “critical” patches. Look for exploits and such to follow very quickly if they are not already available. Wide scale exploit distribution and inclusion into bot-net clients is likely to follow in the next few days. As always, patches should be tested and applied as soon as possible.

VMWare ESX Update, XSS Testing for Webmail Systems

Posted on December 10, 2007 by Nathan Grandbois

A recent update of VMWare ESX server contains many fixes, but a few of them are critical to the security of the application. Now should be the time to look in to updating VMWare on you computers.

A new XSS testing tool has been released. XSS testing tools are nothing new, however this is the first dedicated solely to testing XSS in webmail applications. Written in perl, it tests XSS in mail messages sent to an account you specify. It’s called Excess, and can be found at http://www.scanit.be/excess.html

Also, striking similarities between the Quicktime bug found in 2002 and the recent RTSP bug have been noticed. CVE 2002-0252 and 2007-6166 are very much alike each other. Has Apple reintroduced the same bug from 2002?

Evolution, Maturity and Rethinking the Problems…

Posted on December 7, 2007 by Brent Huston

I have been following a number of attacker trends and I see a potential point of convergence just over the horizon.

Most especially, I think that an intersection is likely to occur between bot development/virtual machines/rootkits and man-in-the-browser. My guess is that a hybrid juggernaut of these technologies is likely to emerge as an eventual all-in-one attack platform.

The use of these technologies alone are already present in many attack platforms. There are already a ton of examples of bot/rootkit integration. We know that man-in-the-browser has already been combined with rootkit technologies to make it more insidious and more powerful. If we add things like installation of illicit virtual machines, evil hypervisors and other emerging threats to the mix, the outcome is a pretty interesting crime/cyber-war tool.

If all of these problems would come together and get united into a super tool, many organizations would quickly learn that their existing defenses and detection mechanisms are not up to the challenge. Rootkit detection, egress traffic analysis, honeypot deployments and a high level of awareness are just beginning to be adopted in many organizations whose infosec teams lack the budgets, maturity and technical skills needed to get beyond the reactive patch/scan/patch cycle.

Vendors are already picking up on these new hybrid threats, much like they did with worms – by offering their products wrapped with new marketing buzzwords and hype. We have heard everything from IPS to NAC and hardened browsers (that mysteriously resemble Lynx) to special network crypto widgets that provide mysterious checksums of web transactions with other users of the special widgets… I don’t think any of these thigs are going to really solve the problems that are coming, though some might be interesting as point solutions or defense in depth components. My guess is that more than a few of the currently hyped vendor solutions are likely to be practically useless in the near future.

The real problem is this – security team maturity needs to be quickly addressed. Attackers are nearing another evolutionary leap in their capabilities (just as worms were a leap, bots were a leap, etc…) and we are still having issues dealing with the current levels of threats. It is becoming increasingly clear that we need to have infosec folks start to think differently about the problems, learn more about their adversaries and embrace a new pragmatic approach to defending data, systems and networks.

Maybe we need less whiz bang technology and more Sun Tzu?

Buffer Overflow Ouchies for Skype and HP OpenView

Posted on December 7, 2007 by Brent Huston

Two traditional buffer overflow vulnerabilities have emerged today. The first is in the Skype product. It suffers from a heap overflow in the skype4com module. Attackers can exploit this by getting users to visit a malicious page, triggering the overflow. Obviously, Skype users should beware of any links, files or other items sent to them through the Skype network. User awareness of issues with trusting Skype content is the best solution, if your organization allows Skype at all.

Skype users should ensure that they are running the most current version, which is protected from this attack.

The second buffer overflow, this one in HP OpenView’s Network Node Manager, only impacts the following versions:

HP OpenView Network Node Manager (OV NNM) 6.41, 7.01, 7.51 running on HP-UX B.11.00, B.11.11, and B.11.23, Solaris, Windows NT, Windows 2000, Windows XP, and Linux

Attackers can leverage this issue to execute arbitrary code on the vulnerable system. Patches are available through the OpenView support site. Patches should be applied as soon as possible!

Vulnerable HSQLDB; ARCServe and BorderManager

Posted on December 6, 2007 by Nathan Grandbois

Two different applications implementing HSQLDB contain vulnerabilities. The first is in OpenOffice, where there is an unspecified error in the HSQLDB database that can be exploited to execute Java code through a malicious database document. OpenOffice versions prior to 2.3.1 are affected. Next, JBOSS is affected by remote command injection vulnerability. Due to certain flaws, an attacker can pass commands to the HSQLDB component on TCP port 1701 (for JBOSS 3.2.1) or TCP port 1476 (for JBOSS 3.0.8). Multiple attacks can be performed leveraging this vulnerability, such as command execution in the database and potentially the OS, Denial of Service, etc. This issue is reported to exist with JBOSS 3.2.1/3.0.8 on any Java 1.4.x-enabled platforms. Other versions may also be affected.

CA BrightStor ARCServe BackUp R11.5 is affected by a remote stack overflow vulnerability. The flaw exists in the CA BrightStor Message Engine. This is a result of errors in the handling of RPC requests to TCP port 6504. Successful exploitation of this vulnerability will result in remote code execution. CA has released an update for this issue, available at http://supportconnectw.ca.com/public/storage/infodocs/basb-secnotice.asp

Novell BorderManager 3.8 SP5 contains multiple vulnerabilities. An issue in the Novell Client Trust can be exploited to execute arbitrary code. An error in handling certain encoded HTTP traffic can be exploited to bypass security controls. Also, proxy authentication can be bypass when the traffic is sourced from another proxy. Novell has released Support Pack5 Interim Release 1, available at http://download.novell.com/Download?buildid=_E_defvCXnE~.

Cisco Vulns, OS X DoS, SWFIntruder

Posted on December 5, 2007 by Nathan Grandbois

A cross site scripting vulnerability has been found in CiscoWorks. The XSS is present in the initial login page. Attackers could use this to steal cookies or execute arbitrary html or script code on a remote user. CiscoWorks versions 2.6 and prior are vulnerable, and Cisco has released a patch for this issue.

The Cisco 7940 SIP Phone is vulnerable to an interesting denial of service. Sending malformed SIP INVITE messages to a 7940 phone can cause the device to reboot, or be put under the DoS condition. If INVITE packets are then sent at certain intervals, the DoS condition will persist. The phone will be in a seemingly working condition, where it continues to send REGISTER commands to the server, but will ring busy on incoming calls and return busy on any calls made by the user. There was no patch or update listed with the advisory.

Cisco Security Agent (CSA) for Windows and Cisco Security Manager are vulnerable to a remote buffer overflow attack. This can be exploited by sending a specially crafted TCP message to port 139 or 445 on a system running the CSA. This could result in a stop error (blue screen) or remote code execution. Cisco has released a free software update to address this vulnerability.

Two Denial of Service attacks for MacOS X have had their exploit code released. The first is in the vpnd which has been tested in Apple MACOS X 10.5.0. The second DoS in a local one in the kernel. This has been testing in Apple MACOS X 10.4 (xnu-792.22.5~1/RELEASE_I386), Apple MACOS X 10.5.1 (xnu-1228.0.2~1/RELEASE_I386) and Apple MACOS X 10.5.1 (xnu-1228.0.2~1/RELEASE_PPC).

WabiSabi Labs (the online exploit auction group), reportedly has a QuickTime vulnerability that could result in remote code execution that is different from the one we mention in “QuickTime 7.2/7.3 RTSP Exploits” (https://stateofsecurity.com/?p=162). We have no way to accurately verify this information though.

A new tool has been released yesterday. The tool, SWFIntruder, is “the first tool specifically developed for analyzing and testing security of Flash applications at runtime.” [1] This looks to be a powerful tool to test flash implementations for the presence of XSS of XSF issues in a semi automated manner. If you are responsible for testing web applications, this may be a tool you’ll want to have a look at.

1. https://www.owasp.org/index.php/Category:SWFIntruder

Cisco’s PCI Ultimatum Movie was a Big Hit!

Posted on December 5, 2007 by Brent Huston

The movie premiered in Columbus yesterday and seemed to be a great way to learn about PCI requirements.

It was hilarious to see people you know on the big screen.

Check it out when it comes to a city near you. You can check out the trailers and such at http://www.businessofsecurity.com.

We have put up a separate blog site to follow the movie as it tours and to give follow up info. You can check it out at http://pcimovie.blogspot.com!

Respond in comments and let us know what you thought of it!

Added Note: It is our CEO who gets killed in the opening scene, persistent isn’t he… 😉

Also, the movie premier followed our State of the Threat presentation yesterday morning, adding even more info to what has quickly become one of the leading edge security presentations around!

Multiple XSS Vulnerabilities and 27MHz Research

Posted on December 3, 2007 by Nathan Grandbois

Two cross site scripting vulnerabilities were announced today in F5 Firepass 4100 SSL VPN and Apache 2.2.3 and 2.0.46 and above. In the F5 device, input passed to my.activation.php3 and my.logon.php3 is not properly sanitized before returning to the user. In Apache, input via the HTTP method is not properly sanitized before being sent to the user when a “413 Request Entity Too Large” error page is displayed. Both issues can be exploited to execute script or HTML code in a user’s browser session.

A security research team has demonstrated the ability to intercept communications between 27 Mhz keyboards and a computer. The team was able to reverse engineer the packets and break the trivial encryption to sniff commands entered between the keyboard and the computer. Reportedly this can be performed up to 10 m away. Maybe it’s time to take a look at your company’s security policy and see what’s in it about wireless keyboards and reevaluate those decisions.

More QuickTime Exploits

Posted on November 30, 2007 by Adam Hostetler

It seems the recent QuickTime vulnerabilities are receiving a lot of attention. Exploits are popping up fast, and there are now working exploit frameworks to attack both Windows and OSX. Since the exploit can be embedded in websites, it’s harder to avoid it. Even the practice of avoiding untrusted websites may not be 100% effective. Other things that may be tried include blocking the rstp:// protocol at the firewall if you have the capability, or better yet uninstall the QuickTime browser controls, or disable file associations for QuickTime files. Apple is still working on an patch for this issue.

MSI :: State of Security

Insight from the Information Security Experts