[SecurityRatty] tag: cve

Microsofts Patch Fix Critical Vulnerabilities In IE And Office

Wed, 13 Aug 2008 08:26:27 +0000

Microsoft has released six critical patches and five patches described as important, addressing a total of 26 vulnerabilities. All six critical updates address code injection risks involving Access, Excel, Microsoft Office and Internet Explorer. Full bulletin can be found here. Here’s the brief summary of critical flaws: CVE-2008-2254, CVE-2008-2255, CVE-2008-2256, CVE-2008-2257, CVE-2008-2259 and CVE-2008-2258: These patches fix [...]

The Bitrix open redirect vulnerability: a lesson in the absurd

Tue, 22 Jul 2008 19:00:00 +0000

I try to limit my heckling to McYouKnowWho, but I just stumbled across an issue I couldn't leave alone.
If you've been keeping up on recent articles I've published, you know open redirect vulnerabilities really bother me; thus Open redirect vulnerabilities: definition and prevention in (IN)SECURE Issue 17.
Sidebar: I recently spotted a great academic paper on the same issue by Shue, Kalafut, and Gupta at Indian University. Definitive, to say the least.
Back to the issue at hand. It should have occurred to me to check for this earlier; write it off to being busy. Allow me to spell it out simply.

1) On May 2nd, 2008, I published a open redirect vulnerability in Bitrix Site Manager 6.5, specifically CVE-2008-2052.

2) The vulnerability is a simple one to reproduce, easily exploited by phishers and malware propagators. The issue is still unresolved by the vendor, so here's an example, still available, from their site:
http://www.bitrixsoft.com/bitrix/redirect.php?event1=demo_out&event2=
sm_demo&event3=pdemo&goto=http://www.xssed.com/news/29/
The_dangers_of_Redirect_vulnerabilities/
Obviously, the fact that I can send you to XSSed.com's fine explanation of the issue, in the context of the vendor's site, is a no-no in Web App Sec 101. In May, the vendor responded, saying they'd fix it, but I've not received the promised communication that they have. Their own site certainly hasn't been mitigated, so we'll see.

3) One of the sites I found exhibiting this vulnerability while researching the issue via Googledork is http://en.securitylab.ru.

4) The same day, en.securitylab.ru posts their version of the CVE vulnerability advisory for the Bitrix vulnerability.

5) As a reference, en.securitylab.ru links to my original advisory USING THE EXACT SAME VULNERABLE REDIRECT SCRIPT!
http://en.securitylab.ru/bitrix/redirect.php?event3=352513&
goto=http://holisticinfosec.org/content/view/62/45/

To this day, neither the vendor's site, nor Security Lab's site have been mitigated.
A malicious attacker could send a "security advisory" in a phishing email, supposedly from Security Lab, and redirect the victim to another web site, likely also somewhere in Russia, and laden with malware.
This could be a candidate for Pwnie Award 2009. ;-)

Common, people...fix it!

del.icio.us | digg

VMware ESX Server Update For Tomcat and Java JRE

Tue, 17 Jun 2008 06:42:29 +0000

Here’s a quick bullet from Secunia on a VMWare ESX update.

From Secunia:

VMware has issued an update for VMware ESX Server. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service), bypass certain security restrictions, manipulate data, disclose sensitive/system information, or potentially compromise a vulnerable system.

The rating on this is “highly critical”. For the list CVE issues that it patches, read on.

Article Link

Verizon Business has a new report on data breaches

Thu, 12 Jun 2008 16:21:39 +0000

The Verizon Business data breach report is by far the most comprehensive and detailed report on data breaches I have seen. It is great to see the break down of what is the root cause of these expensive and significant computer security failures. While it is interesting to see counts of malware infected computers from Symantec and vulnerability counts from CVE, this report gets to the actual attacks that organizations need to prevent with their security programs.

Digging into the full report they say that 59% of the breaches involve hacking. Of those the breakdown is this:

Application/Service layer -39%
OS/Platform layer - 23%
Exploit known vulnerability -18%
Exploit unknown vulnerability - 5%
Use of back door -15%

“Attacks targeting applications, software, and services were by far the most common technique, representing 39 percent of all hacking activity leading to data compromise. This follows a trend in recent years of attacks moving up the stack. Far from passé, operating system, platform, and server-level attacks accounted for a sizable portion of breaches. Eighteen percent of hacks exploited a specific known vulnerability while 5 percent exploited unknown vulnerabilities for which a patch was not available at the time of the attack. Evidence of re-entry via backdoors, which enable prolonged access to and control of compromised systems, was found in 15 percent of hacking-related breaches. The attractiveness of this to criminals desiring large quantities of information is obvious.”

The largest single type of breach is hacking and within that the largest type is application/service layer attacks. So if we multiply 59% times 39% we get 23% of those 500, or 115, data breaches are due attackers hacking applications. That is a very significant number of the whole slice of the data breach pie. It is clear that securing applications is a significant part of protecting against data breaches.

Full Report

-Chris

Fake YouTube Site Serving Flash Exploits

Thu, 12 Jun 2008 03:12:58 +0000

Originally mentioned by the folks at Sunbelt, this fake YouTube site happens to be a bit more interesting than it seems at the first place :

"Clicking on that link then redirects to a different site, youtube-s, which serves exploits to attempt to infect your system. Then, if your browser hasn’t completely crashed at that point, you may ultimately get redirected to the real YouTube, displaying some idiotic video (hence, possibly even helping to continue the infection, by having users forward the spam above)"

Interesting mostly because it not just attempts to serve a online games password stealer through exploiting the ubiquitous MDAC exploit, but is also serving a flash exploit which when analyzed leads us to a web based C&C of new malware kit. And although I've been aware of its existence for a while now, it's the first time I see it in action.

Upon analyzing youtube-r.com (211.95.79.57) a couple of days ago, it's now returning a 403 forbidden message, however, copies of the malware have already been obtained and analyzed. In between attempting to infect with MDAC at youtube-s.com/load.php?id=912; the flash exploit loads from a9rhiwa.cn/update_files/1.swf, and while this is happening the end user is redirected to the real YouTube site. Some sample detection rates :

Scanners result : 7/32 (21.88%)
TR/Crypt.ULPM.Gen; Mal/EncPk-CO
File size: 8704 bytes
MD5...: cb8611db343067e1fb663ab6ee671114
SHA1..: 4497715e0a365863d6ca41ab12254bf591118ed7

Scanners result : 10/32 (31.25%)
SWF:CVE-2007-0071; Exploit:Win32/APSB08-11.gen!A
File size: 593 bytes
MD5...: 5b6b28d4de3df92f48fbe5e8bd565cda
SHA1..: 3123d357d2080d1ee09ee67203275d51332e3397

The password stealer than connects to the C&C, from where an unknown for the time being number of campaigns are coordinated. What's a useless virtual good such as passwords for MMORPGs for malware gangs aiming to steal Ebanking details through banking malware for instance, is a precious and valuable good for others operating on the other side of the world, where a virtual item is more expensive than access to a Ebanking account.

Flash Player + Windows = Threat of SQL Injection

Thu, 29 May 2008 11:59:09 +0000

Apparently Adobe Flash players that aren’t patched and up to date on Windows might be vulnerable to a new SQL injection–there are apparently 18 variants of the new exploit. SecureWorks has the details:

Attackers insert SCRIPT and IFRAME tags into the content of trusted, legitimate web sites via a known SQL injection attack. Those tags redirect the user to the attacker’s server which hosts the Flash exploit. Tens of thousands of web sites are vulnerable to the SQL injection attack, meaning the distribution potential is high.

The vulnerability is not “zero-day”; however, these are the first known public exploits targeting it. The SecureWorks Counter Threat Unit (CTU) has analyzed 18 variants of the exploit, and all attempt to leverage the integer overflow vulnerability originally discovered by Mark Dowd (CVE-2007-0071), which was patched by Adobe with release of version 9.0.124.0 of the Flash Player. While some have reported that the latest version is vulnerable, the CTU was unable to duplicate these results with samples taken from known exploit sites. The only confirmed vulnerable version is (pre-patch) 9.0.115.0.

Advisory: CiscoWorks Arbitrary Code Execution Vulnerability

Wed, 28 May 2008 21:56:52 +0000

Summary

Name: CiscoWorks Arbitrary Code Execution Vulnerability
Release Date: 28 May 2008
Reference: LSD003-2008
Discover: Dave Lewis
CVE Number: CVE-2008-2054
Vendor: Cisco Systems
Systems Affected: CiscoWorks Common Services (various versions): Cisco Unified Operations Manager (CUOM), Cisco Unified Service Monitor (CUSM), CiscoWorks QoS Policy Manager (QPM), CiscoWorks LAN Management Solution (LMS), Cisco Security Manager (CSM), Cisco TelePresence Readiness Assessment Manager (CTRAM)

Risk: High
Status: Published (Vendor Confirmed, Patch Available)

Description

CiscoWorks Common Services versions 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1, and 3.1.1 contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.

This vulnerability exists due to an unspecified error in CiscoWorks Common Services. An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code resulting in complete system compromise.

Impact: Arbitrary code execution with elevated privileges. Fire bad.

TimeLine

Discovered: 14 February 2008
Reported: 14 February 2008
Fixed: 22 April 2008
Patch Release: 28 May 2008
Published: 28 May 2008

Technical Details

The vulnerability exists due to an unspecified error in CiscoWorks Common Services when it processes attacker-supplied URLs. An unauthenticated, remote attacker could exploit this vulnerability through unspecified means to execute arbitrary code with elevated privileges.

Fix Information

This issue has now been resolved.

The patch may be obtained from:

http://www.cisco.com

Cisco Advisory
http://www.cisco.com/en/US/products/products_security_advisory09186a00809a1f14.shtml

I would like to thank Cisco for their professional response to this issue.

Liquidmatrix Security Digest
http://www.liquidmatrix.org/blog/

2255B Queen Street East
suite 156
Toronto, Ontario
Canada
M4E 1G3

Yet Another Massive SQL Injection Spotted in the Wild

Mon, 26 May 2008 06:58:01 +0000

Another SQL injection attack was spotted in the wild during the last couple of hours, and while it continues remaining active, surprisingly, the malicious domain is not in a fast-flux. As I've already pointed out, the upcoming SQL injection attacks for the next couple of months, will be primarily executed by copycats, where among the few differentiation factors left is increasing the survivability of the domain.

In the particular attack, the injected domain chliyi.com /reg.js loads an iFrame to chliyi.com /img/info.htm where a VBS script attempts to execute by exploiting MDAC ActiveX code execution (CVE-2006-0003), whose detection rate is 1/32 (3.13%) and is detected as Mal/Psyme-A. Approximately, 8,900 sites have been affected.

Are current vulnerability and compliance testing tools like answering the phone at 3am?

Mon, 19 May 2008 19:16:18 +0000

I was at a meeting for a potentially large customer engagement for vulnerability assessment and compliance testing last week. The requirements for this customer was not unusual. They wanted to test for conventional CVE type vulnerabilities. Additionally, they also wanted to test for configuration compliance. Hotfixes, patch level, AV, etc. This direction is where a lot of the traditional vulnerability management solutions have been heading. Whether adding a separate compliance module or audit and local check capability, most of the traditional vulnerability scanning solutions offer some coverage in this area. However, in speaking to this potential customer and in thinking about their needs, an inherent problem with this solution is that it is only as good as the devices that are available on the network when the scan takes place.

In traditional vulnerability scanning, when the scan takes place was not as much of an issue, usually you are scanning servers and other devices that are on the network 24/7. In fact doing the scans during off hours was usually preferred. Too many of the network based vulnerability scanners took up too much bandwidth and other resources to accomplish during the prime time hours of the day. In compliance scanning though, you need the status of laptops, desktops and other devices that may not be connected to the network 24/7. Therefore it is important to reach and test these devices when they are on the network. That is the rub. How do you really make sure the devices connecting to your network are compliant if you are only testing them at a point in time and that usually at an off hour?

This problem reminded me of the Clinton-Obama flap over who answers the phone at the White House at 3am. That is an important question for who is president, but for compliance answering the phone when someone is there to talk to is more important. I think this is where NAC provides an advantage. By utilizing NAC to detect devices coming on the network and than using a low impact compliance test as well as traditional vulnerability scanning, you get a picture of vulnerability posture and compliance status as of the last time they accessed the network. You can still do follow on tests at any time you desire, but at least when a device is logging on you are sure of a test.

Will NAC supplement vulnerability testing in this manner? I think so. Many customers we have spoken to about this like the idea of "scan on connect" and we have already enabled our own NAC product Safe Access and vulnerability management platform VAM to do this. What do you think?

A new blog on the block

Fri, 16 May 2008 19:36:19 +0000

This one is not all security related, but is the ScienceLogic Blog. One of my favorite persons in the IT field Dave Link is the CEO and founder of ScienceLogic. Several other friends from Interliant including Louis Dimiglio (sorry if I messed up the spelling Lou!), Richard Chart and Chris Cordray are also part of the team. They have done a great job of creating a network management product and in a hyper-competitive industry carving out a place for themselves. I am running into them more and more at shows, conferences and in the field. Now they have joined the blogging ranks and it looks like there will be several contributers. They are all smart folks and I am sure will have good things to say, so be sure to check out the blog!

In one article responding to a post I did about where is the interoperational in interop, Dave says that he and the ScienceLogic team had a very different experience at Interop this year. Due to their participation in the InteropNet and ILabs project, ScienceLogic was very involved in making sure the network at Interop was up and running and showing off the many different products and vendors working together. Certainly the work of the many people at Interop Labs and Interop Net show how heterogeneous equipment and technology can work together, but where those labs and network used to be the center of the show, I am not so sure that is the case any more. Many folks walk by the NOC at Interop, peak inside at the folks at the stations, smile and move on. How many actually take the tour compared to how many walk the floor or sit in on presentations. I think in Dave's view it is a case of when you are a hammer, everything looks like a nail.

More importantly though Dave challenges me to answer his questions of what StillSecure has done to promote interoperability with other vendors that we can promote. Great question and it deserves an answer. So at the risk of giving StillSecure a shameless plug, let me give you the three foundations that we have built our products on that allow us to excel at interoperability:

1. Using open standard software and hardware - All StillSecure products run on off the shelf x86 hardware or in VMware virtual machines. Additionally, our products all run on top of the StillSecure OS which is a hardened and stripped version of Linux, but still provides that standard command line programs and interoperability that the Linux OS allows. Additionally, we use standard and open databases such as MySQL and PostgresSQL that are SQL and ODBC compliant. Additionally, we have open data base schema's. Also, we use Java webservers and similar types of open standard software that makes it easier for us to work with other products and for our customers to feel comfortable with what is under the hood.

2. Support of industry frameworks and standards - Whether it be TCG/TNC or NAP in the NAC world or CVE and FDCC in vulnerability management, we support industry wide standards and frameworks which allow products to work with each other. SNMP traps, SMTP email alerts are all standard in StillSecure products.

3. Enterprise Integration Frameworks- StillSecure products all ship with our enterprise integration frameworks. These are a complete set of fully documented and functional APIs in XML and Java that allow for the bi-directional exchange of data with many 3rd party products. This is perhaps our greatest means of interoperabitility and integration.

Dave, I hope that answered the question for you. Now that we know about the blog, we will be reading. Good Luck!