Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

MS05-051 exploit info and rumors

Published: 2005-10-14
Last Updated: 2005-10-14 14:14:07 UTC
by Patrick Nolan (Version: 2)
0 comment(s)
Patch yesterday folks. So far we're aware that an MS05-051 exploit is in the hands of immunitysec Canvas customers - "October 11, 2005: MS05-051 (MS DTC) Trigger for the bug in MS DTC on Windows 2000"

Correction, "Immunity chief executive Justine Aitel said the proof-of-concept has been released to IDS (intrusion detection companies) and larger penetrating testing firms......"

In addition we're seeing reports of non-specific exploit warnings from managed security service providers to their customers. And some rumors.

McAfee Vulnerability Information says that they have protection against exploits of MS Vulnerability MS05-051, "Entercept's Generic Buffer Overflow Protection protects against code execution that may result from exploiting this vulnerability."

ISS says they have protection out for an exploit, it's announcement is here.

NFR says they have protection out for an exploit. their announcement is here.

Here's some pre-vuln announcement facts, see the DShield data on Port 3372 scanning, ymmv.

We'll post anything else that's specific and critical when we get it.
Keywords:
0 comment(s)

VERITAS NetBackup Vulnerability - remote

Published: 2005-10-12
Last Updated: 2005-10-12 22:21:40 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
Veritas has announced a vulnerability, Document ID: 279085, describing a remotely exploitable "format string overflow vulnerability in the Java authentication service, bpjava-msvc, running on NetBackup servers and clients" that is "known to affect the application server for the NetBackup Java GUI."

"The vulnerable daemon listens on port 13722 on both NetBackup servers and clients."

Affected products:

NetBackup 4.5, all versions, all platforms.
NetBackup 5.0, all versions, all platforms.
NetBackup 5.1, all versions, all platforms.
NetBackup 6.0, all versions, all platforms.

Their suggested workaround;
Block external network access on TCP port 13722

Symantec's version of the vulnerability announcement - VERITAS NetBackup: Java User-Interface, format string vulnerability
Keywords:
0 comment(s)

Belated "deja vu" - IR for rootkits that run in safe mode

Published: 2005-10-12
Last Updated: 2005-10-12 20:05:57 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
I was a little busy last August 1st and didn't notice that there was a new glitch in the Matrix, a haxdoor variant that's a real problem for first tier IR folks because "It also ......, drops rootkits that run in safe mode." So a number of weeks later when the second haxdoor variant that "drops rootkits that run in safe mode" was being analyzed by Handlers Tom Liston and Lorna Hutcheson, my jaw was dropping as I read Symantec's August 1st recommendations for "cleaning". To say the least, Symantec's documented recovery instructions are onerous, and first responders should at least read their instructions and compare them to an alternative mentioned below.

Since I then knew of only 2 haxdoor versions which create the SAFEMODE cleaning issue (flattening is still preferred here), and since this cleaning issue doesn't seem to have created any significant AV Vendor issues in the middle of this years malware fe$tival, I dropped a line to some AV acquaintences about IR response problems these two variants create.

To make a long story short, F-Secure took a look at the second "safe mode" variant and said  "Yes, this variant uses the similair registry keys/values. Haxdoor indeed does run in safemode. Symantec's recommendation about recovery console is probably the easiest way to delete haxdoor without any special tools. F-secure Blacklight also can identify and rename haxdoor's files. So I'd recommend users to try that first. It is far easier to use than recovery console."

And if your AV vendor does or does not address this issue, please drop me a line. Thanks!

Also, thanks very much Lorna, Tom and Jarkko!.

F-Secure BlackLight Beta

Symantec Backdoor.Haxdoor.E, "Discovered on: August 01, 2005"

Tom's analysis mentioning the second variant is in the Handler's Diary September 22nd 2005, see Follow the Bouncing Malware IX: eGOLDFINGER
Keywords:
0 comment(s)

24 BEA WebLogic Vulnerabilities and Security Issues

Published: 2005-10-12
Last Updated: 2005-10-12 20:05:03 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
See Secunia's BEA WebLogic 24 Vulnerabilities and Security Issues alert of the issues. Make sure you have plenty of free time, and it's nice to see that this was piled on top of MS Black Tuesday patches.
Keywords:
0 comment(s)

Autoruns updated October 6th

Published: 2005-10-12
Last Updated: 2005-10-12 18:58:52 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
Autoruns v8.22 was released on October 6th, "This Autorun update supports arbitrary length Registry and file system paths, adds a find capability to search through configured items, introduces a comparison feature to compare current autostarts with a previously saved version so that you can easily identify new additions, and knows about yet more autostart locations including the Winlogon boot verification Registry value and Shell open hijacks."

The previous registry value length problem was covered by Handler Daniel Wesemann, with many reader contributions, in Nasty Games of Hide and Seek in the Registry
Keywords:
0 comment(s)

MS05-044 Windows FTP Client File Transfer Location Tampering

Published: 2005-10-12
Last Updated: 2005-10-12 16:05:22 UTC
by Joshua Wright (Version: 2)
0 comment(s)

MS05-044 Vulnerability in the Windows FTP Client Could Allow File Transfer Location Tampering

KB: 905495
CVE: CAN-2005-2126

This bulletin and related patch resolves a newly discovered public vulnerability.  The flaw exists in the Windows FTP Client on Windows 2000SP4 (with IE 6 SP1), XP SP1 and Windows Server 2003 computers.  An attacker can exploit the flaw to tamper with the file transfer location on the client during an FTP file transfer session.  When a client has manually chosen to transfer a file via FTP on affected systems, the attacker can redirect the storage location to a location such as the Startup Folder.  In general, if you do not download files from un-trusted FTP (or any other servers) then you really won't have a problem.  Unfortunately, most end users are too trusting of links on the web and email and can be exploited in a few situation.

Per Microsoft, the vulnerability is mitigated in 3 ways.

1) "The attacker would have to successful persuade end users to visit an FTP server hosting files with specially-crafted file names" and would not have a way to forcing the files to be transferred.  This would require our end-users to interact with dialog boxes and click on links without concern.
2) If the file of the same name already exists in this alternate location, then an "Overwrite File" warning message will be presented.  If end users click through the dialog box, then it will go ahead and overwrite the file.
3)  If the Internet Explorer setting "Enable Folder View for FTP Sites" is changed from the default disabled state, then the attack will be successful.

http://www.microsoft.com/technet/security/Bulletin/MS05-044.mspx
Keywords:
0 comment(s)
Diary Archives