Perl and PHP Issues, Citrix XSS

Posted on by
Reply

Perl 5.8.8 contains a buffer overflow when processing certain regular expressions. The overflow can occur when switching between byte and Unicode characters. This affects currently installed versions of dev/lang. Users should apply their distributions’ updated version or rebuild the source with a patch applied.

PHP 5.2.4 is vulnerable to multiple issues. Successful exploitation could result in a denial of service condition, could allow an attacker to bypass security restrictions, or ultimately execute arbitrary code. PHP has released version 5.2.5 to address these issues.

Citrix NetScaler contains a XSS bug in the management interface. The vulnerability has been identified in version 8.0, build 47.8 and other versions may be affected. Users of this software should not remain logged in to the management interface while browsing other web sites.

Inside an Average PHP Scan

Posted on by
Reply

I have been talking about PHP scans for a while now. They are so common that we get them on our HoneyPoint deployments all the time, often several times per day, depending on our location.

These scans follow traditional scanner patterns in that they grind through a list of specific urls that are known to have issues looking for a 200 response from the server.

Here is a quick list of a recent scan against one of our HoneyPoints:

/+webvpn+/index.html: 1 Time(s)
/PMA/main.php: 1 Time(s)
/admin/database/main.php: 1 Time(s)
/admin/datenbank/main.php: 1 Time(s)
/admin/db/main.php: 1 Time(s)
/admin/main.php: 2 Time(s)
/admin/myadmin/main.php: 1 Time(s)
/admin/mysql-admin/main.php: 1 Time(s)
/admin/mysql/main.php: 1 Time(s)
/admin/mysqladmin/main.php: 1 Time(s)
/admin/pMA/main.php: 1 Time(s)
/admin/padmin/main.php: 1 Time(s)
/admin/php-my-admin/main.php: 1 Time(s)
/admin/phpMyAdmin-2.2.3/main.php: 1 Time(s)
/admin/phpMyAdmin-2.2.6/main.php: 1 Time(s)
/admin/phpMyAdmin-2.5.1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.5.4/main.php: 1 Time(s)
/admin/phpMyAdmin-2.5.6/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.0-pl1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.0/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.2-rc1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.3-rc1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.3/main.php: 1 Time(s)
/admin/phpMyAdmin/main.php: 1 Time(s)
/admin/phpmyadmin/main.php: 1 Time(s)
/admin/phpmyadmin2/main.php: 1 Time(s)
/admin/sqladmin/main.php: 1 Time(s)
/admin/sqlweb/main.php: 1 Time(s)
/admin/sysadmin/main.php: 1 Time(s)
/admin/web/main.php: 1 Time(s)
/admin/webadmin/main.php: 1 Time(s)
/admin/webdb/main.php: 1 Time(s)
/admin/websql/main.php: 1 Time(s)
/board/index.php: 4 Time(s)
/database/main.php: 1 Time(s)
/datenbank/main.php: 1 Time(s)
/db/main.php: 1 Time(s)
/favicon.ico: 1 Time(s)
/forum/index.php: 4 Time(s)
/forums/index.php: 4 Time(s)
/myadmin/main.php: 1 Time(s)
/mysql-admin/main.php: 1 Time(s)
/mysql/main.php: 1 Time(s)
/mysqladmin/main.php: 1 Time(s)
/padmin/main.php: 1 Time(s)
/php-my-admin/main.php: 1 Time(s)
/phpMyAdmin-2.2.3/main.php: 1 Time(s)
/phpMyAdmin-2.2.6/main.php: 1 Time(s)
/phpMyAdmin-2.5.1/main.php: 1 Time(s)
/phpMyAdmin-2.5.4/main.php: 1 Time(s)
/phpMyAdmin-2.5.6/main.php: 1 Time(s)
/phpMyAdmin-2.6.0-pl1/main.php: 1 Time(s)
/phpMyAdmin-2.6.0/main.php: 1 Time(s)
/phpMyAdmin-2.6.2-rc1/main.php: 1 Time(s)
/phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
/phpMyAdmin-2.6.3-rc1/main.php: 1 Time(s)
/phpMyAdmin-2.6.3/main.php: 1 Time(s)
/phpMyAdmin/main.php: 1 Time(s)
/phpbb/index.php: 4 Time(s)
/phpbb2/index.php: 4 Time(s)
/phpmyadmin/main.php: 1 Time(s)
/phpmyadmin2/main.php: 1 Time(s)
/robots.txt: 15 Time(s)
/sqlweb/main.php: 1 Time(s)
/web/main.php: 1 Time(s)
/webadmin/main.php: 1 Time(s)
/webdb/main.php: 1 Time(s)
/websql/main.php: 1 Time(s)
As you can see, the scanner requests some of the pages many times, usually with subtle differences in the method or url termination scheme. When we have faked the 200 responses for these pages, it simply catalogs the success and continues. Thus far, we have been unable to identify when/if the real human attacker returns to test and play with the finds, since there are just so many scans for these issues going on all the time. But, we continue to monitor and analyze, so hopefully soon we can identify a pattern of scans followed by verification and exploit.

Note that some/many of these scans will immediately exploit the vulnerability in PHP and use it to drop a bot-net client onto the machine. Of course, this immediately compromises the system and adds it to the scanning army. In those cases, the waiting for the return of the human attacker would not apply.

So, what does all of this mean? We wanted to give you some more insight into the wide scale PHP scans and what they look like. If you have not checked your own web site for these known vulnerabilities, it would likely be very wise to do so. It can be done quite easily by hand, using a simple Perl script or any of the publicly available web scanner tools.

Denial of Service in Linux Kernel

Posted on by
Reply

Two denial of service vulnerabilities were reported in Linux kernels prior to 2.6.23.8 this weekend.

The first is caused by a design flaw in the “wait_task_stopped()” function. It is locally exploitable by manipulating the state of a child process. Kernel version 2.6.24-rc1 is also known to be vulnerable. See CVE-2007-5500 for more details.

The second involves a design flaw in the “write_queue_from” which creates a NULL-pointer issue. This vulnerability is remotely exploitable by sending the system a specially crafted ACK packet. See CVE-2007-5501 for more details.

The original advisory can be viewed at:
http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.23.8

Multiple Buffer Overflows in Samba

Posted on by
Reply

A new samba patch was released yesterday to address two buffer overflows. The first allows for the execution of arbitrary code when the WINS support option is enabled. An attacker would send specially crafted WINS requests to take advantage of this vulnerability. The second d can be exploited by sending a specially crafted GETDC mailslot request. For this second exploit to succeed samba must be configured as a Domain Controller. Samba versions 3.0.0-3.0.26a are know to be vulnerable to these issues.
The original advisory and patches are available at:
http://us1.samba.org/samba/history/security.html

Apple OS X Updates

Posted on by
Reply

Apple has released new security updates for Mac OS X. The updates address a variety of issues including vulnerabilities in the Adobe Flash Player, AppleRAID, BIND, FTP, the kernel and various sub-systems. Successful exploitation of these issues could lead to system access, privilege escalation, Denial of Service issues, etc.

All users are strongly encouraged to update to Mac OS X 10.4.11 or apply Security Update 2007-008.

Full details can be found in the original Apple advisory:
http://docs.info.apple.com/article.html?artnum=307041

Windows updates

Posted on by
Reply

Yesterday was patch Tuesday for Microsoft. This time around only two security fixes were released, one of them fixed a critical issue though. That would be MS07-061, which is known to be exploitable. The exploit allows command execution on the host, so this is a very important update. Make sure all desktop systems are patched immediately. The other updates fixes a potential DNS spoofing issue, described in MS07-062.

Avaya vulns

Posted on by
Reply

Avaya is getting hit again with multiple vulnerabilities. Over the past month, there have been several, so it’s pretty obvious that attackers are digging deep into Avaya’s systems. Fortunately these new vulns are limited to DoS and local information leakage. The DoS affects  Avaya CM 3.0, Intuity, MSS, Message Networking, CCS/SES, and AES. The info leakage issue affects Avaya CMS R12, R13(.1), R14, and Avaya IR 1.3 and 2.0, on Solaris 8, and 2.0 and 3.0 on Solaris 10. All of these issues have already been fixed by Avaya, get the latest versions if you haven’t already.

IE exploit, new attacker tools

Posted on by
Reply

An exploit has been released into the wild that takes advantage of an Internet Explorer bug described in MS-07-055. The exploit currently only works on Windows 2000 with IE 5.0, 5.5 and 6.0 SP1, but attackers are sure to be working on a version for XP which would cause a much larger issue. Vista is not affected by this vulnerability, so if you’re running on that platform, there’s no cause for alarm here.

Some new tools have also been released into the public. The Metasploit project is continuing to be developed, and causing headaches for system admins everywhere. A new version was released in beta, so look forward to new exploits being developed for that framework. Some new SIP attack tools were also released. SIPVicious is an attackers tool package that’s able to scan, war dial and crack SIP PBX’s. VOIP is still getting hit hard, and we don’t see any calming in the future.

Cisco Movie!!!

Posted on by
Reply

I also got to work with the folks at Cisco, Trend and RSA on a movie this week! I got to shoot a quick info session about Man in the Browser (MitB) attacks and then got to do a little play acting. The trailer should be available soon here.

If you want to see the whole thing come out to this event. I think you will dig it!

Hats off to Radigan, Flanagan and the others who hooked me up with this. It was very cool to be involved and I look forward to our big premier!  😉

Data Visualization Tools in Security

Posted on by
Reply

I have been playing with a few data visualization tools and doing some on the fly firewall log analysis. Mostly just basic plots and stuff so far.

These tools make analysis a pretty cool process. I can see where it would be useful with a very large data set.

I have been reading a new book about it, stay tuned for a review. In the meantime, there are a lot of data visualization tools out there, but I have been playing with the InspireData from Inspiration Software.  Check them out if you want to see what I am talking about.

Have you tried using visualization tools for log analysis? If so, leave me a comment about your experiences and the tools you use.