RealPlayer, ClamAV, Nugache

There is a buffer overflow in RealPlayer 11. Details are scarce at this time, but it is reported that the flaw can be triggered by opening a maliciously crafted file with a vulnerable version. Successful exploitation results in code execution in the context of the user running the application. The issue is reported in RealPlayer 11; other, untested versions may also be vulnerable. Until a fix is available, treat media files from untrusted sources the same way you would treat an unknown executable attachment.

ClamAV version 0.92 contains multiple vulnerabilities. The first is a race condition in file handling: an attacker who can pre-create a file with a name that a ClamAV function will later open for writing can redirect that write, allowing arbitrary files to be overwritten. The second is in the handling of Base64-UUEncoded files: a specially crafted file encoded this way passes through the scanner without being inspected. The consequences are obvious, and the likelihood of exploitation is real, given the success rate of socially engineered emails and links. Upgrade, and do not rely on a single scanner as your only control for mail-borne content.
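To make the race condition concrete, here is the general pattern behind it, as an added illustration written for this post (this is not ClamAV's code, and the directory, file names and contents are assumptions): a writer that opens a predictable path with O_CREAT but without O_EXCL follows a symlink the attacker planted there first, while a writer that uses O_CREAT|O_EXCL|O_NOFOLLOW, or lets mkstemp() choose the name, does not.

```c
/* Added example, not ClamAV's code: the temp-file race in its general form.
   Paths and contents below are constructed for the demonstration. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* O_EXCL alone still refuses a pre-existing path */
#endif

static int write_all(int fd, const char *data)
{
    size_t len = strlen(data);
    ssize_t n = write(fd, data, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* Vulnerable pattern: fixed, predictable name, O_CREAT without O_EXCL.
   If a symlink already sits at `path`, open() follows it and the write
   lands wherever the attacker pointed it. */
static int write_unsafe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    return fd < 0 ? -1 : write_all(fd, data);
}

/* Hardened pattern: O_EXCL fails if anything (file or symlink, even a
   dangling one) already exists at `path`; O_NOFOLLOW refuses to traverse
   a symlink as the final component. A planted name cannot be reused. */
static int write_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    return fd < 0 ? -1 : write_all(fd, data);
}

/* Preferred fix: mkstemp() picks an unpredictable name and creates it with
   O_EXCL in one step. The chosen path is returned through `out`. */
static int write_mkstemp(const char *dir, const char *data, char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/report.XXXXXX", dir) >= (int)outlen)
        return -1;
    int fd = mkstemp(out);
    return fd < 0 ? -1 : write_all(fd, data);
}

/* Reads up to buflen-1 bytes of `path` into buf, NUL-terminated. */
static int slurp(const char *path, char *buf, size_t buflen)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, buflen - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Simulates the race in a scratch directory. The attacker plants a symlink
   at the predictable name pointing at victim.txt, then each writer runs.
   Returns 1 if the unsafe writer clobbered the victim and both hardened
   writers left it alone, 0 if the behaviour differs, -1 on setup error. */
int run_race_demo(void)
{
    char dir[] = "/tmp/tmprace.XXXXXX";
    if (!mkdtemp(dir))
        return -1;

    char victim[PATH_MAX], planted[PATH_MAX], chosen[PATH_MAX], buf[64];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(planted, sizeof planted, "%s/predictable.tmp", dir);

    /* Constructed victim: nothing exists yet, so this is a plain create. */
    if (write_unsafe(victim, "original") != 0 || symlink(victim, planted) != 0)
        return -1;

    /* Vulnerable writer follows the planted link and overwrites the victim. */
    int unsafe_rc = write_unsafe(planted, "attacker-controlled");
    if (slurp(victim, buf, sizeof buf) != 0)
        return -1;
    int clobbered = (unsafe_rc == 0 && strcmp(buf, "attacker-controlled") == 0);

    /* Hardened writer refuses the planted name; victim is unchanged. */
    int safe_rc = write_safe(planted, "should-never-land");
    if (slurp(victim, buf, sizeof buf) != 0)
        return -1;
    int safe_refused = (safe_rc != 0 && strcmp(buf, "attacker-controlled") == 0);

    /* mkstemp() never goes near the predictable name at all. */
    int mk_rc = write_mkstemp(dir, "ok", chosen, sizeof chosen);
    int mk_separate = (mk_rc == 0 && strcmp(chosen, planted) != 0);

    unlink(planted); unlink(victim);
    if (mk_rc == 0) unlink(chosen);
    rmdir(dir);
    return (clobbered && safe_refused && mk_separate) ? 1 : 0;
}

int main(void)
{
    int r = run_race_demo();
    printf("%s\n", r == 1 ? "unsafe writer clobbered victim; hardened writers refused"
                          : "unexpected result");
    return r == 1 ? 0 : 1;
}
```

The point to take away is that the fix is not "pick a better file name"; any name an attacker can predict can be planted ahead of time. Either refuse to reuse an existing path (O_EXCL) or let the system pick a name you never have to predict (mkstemp), and when you audit a codebase for this class, grep for open()/fopen() calls on fixed paths under /tmp or other world-writable directories.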

More articles are emerging on the Nugache Trojan. In brief, Nugache is a very sophisticated piece of P2P-controlled malware: decentralized management, nodes that can join and leave the network at will, and encrypted traffic. This is a professional job. The authors of these articles suggest that the Storm and Nugache authors are either the same people or share similar tactics. Once a full write-up is available, we will post the details.

Research, NIST Speaks

Over the past week researchers have published new methods and tools for embedded device hacking, as well as ways to improve blind SQL injection. It will be interesting to see how far embedded device hacking goes, since more and more devices are gaining capabilities that may come at the expense of security. Also, NIST says federal agencies are keeping up with their own penetration testing, and that new guidelines due in March will require third-party testing of federally controlled facilities.

A new version of Nipper has been released. This handy tool audits the configurations of various network devices and can make limited security recommendations. When was the last time you went through your firewall rules? That review should happen on a regular schedule, however dull the task may be; stale rules and overly broad "any/any" entries tend to accumulate unnoticed between reviews.

Nugache, mentioned above, is also the subject of a recent article by Bruce Schneier, who makes some interesting points: no central C&C server, encrypted packets throughout, and the ability for any node to become the "leader". Bot development is becoming more sophisticated, and better funded. Expect to see some serious Trojans in the near future.