SANS ISC: InfoSec Handlers Diary Blog


phpBB 2.0.19 released

Published: 2005-12-30
Last Updated: 2005-12-31 11:04:37 UTC
by Swa Frantzen (Version: 2)
phpBB 2.0.19 has been released.

It looks like it's upgrade time for those of us running a phpBB forum. XSS and dictionary attacks against forum users seem to be on the menu.

Report of an upgrade I performed:

# download
# download the code from one of the mirrors you find
# through

# Since I try not to browse on the server it's a bit of a pain to get to the URLs
# of the mirrors, still it's quite possible.

$ wget ...

# I usually get the patch file as it details the changes between the two releases
# and the changed files only as I'd rather get clean copies than have patch
# bail out due to some reason. I do have a modified board so sometimes I
# need to code myself to get these upgrades back in place.

# unpack
# unpack the files you fetched away from the live forum.

# copy (backup) and make sure the copy does not get used
$ cp -r forum forum.cp
$ chmod 0 forum.cp

# change the files
# add new parameters to prevent brute forcing passwords of users
# remove quotes around a string that is assigned (not clear to me as to the rationale)
# perhaps others with deeper knowledge of PHP can explain the difference between:
  • $b = basename (...) ; $a = "$b" ;
  • $b = basename (...) ; $a = $b ;
# add sessions_keys to the list of the tables to be backed up

# removes the addition of a session key

# removal of the quotes, similar to admin/admin_board.php

# ditto

# added additional processing when deleting users
# phpbb_clean_username() call added
# added ".." in path to the avatar location

# again the removal of the quotes, similar to admin/admin_board.php

# allow version 5 of mysql
# add "./" in front of the filenames while building the menu

# change of the error message when in install and contrib directory are still
# present on a production system

# most likely the XSS fixes:
#   tests for url= inside [url] tags
#   replaced the char " with "&quote;" for the [quote] tag

# sql escaping of usernames

# most likely the other XSS fix:
#   add " as a special char in addition to those already being processed such as "&", "<" and ">"

# looks like the fix for those not having zlib

# change in stripping and length of usernames

# added strings for the new variables to prevent brute forcing user passwords

# ditto

# if you have other languages installed they will need the same modifications

# the prevention of the brute force attacks

# similar change to the one in include/functions_post.php
# interestingly there might be an issue in private messages with XSS on forums.

# support for the added variables for preventing the bruteforcing of the user passwords

# the move of the version info towards the top of the page

# if you have other templates (probably based on subSilver), make similar changes there as well!

# copy the install and contrib directories (forum goes offline)
$ cp -r .../{contrib,install} forum

# surf to install/update_to_latest.php
$ lynx http://.../forum/install/update_to_latest.php
# this step updates the database

# remove contrib and install
$ rm -rf forum/contrib forum/install

# test

My conclusions from the changes in the source code are:
  • XSS issues in uploaded html (also in private messages between members)
  • XSS issues in the [url] and [quote] tags
  • fixes with new variables to control brute forcing login attempts
Swa Frantzen
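
An added illustration (Python, not phpBB's own code) of why the 2.0.19 change to escape the double quote matters: with only &, < and > treated as special, a [url=...] target can end the href attribute early and add an attribute of its own. The helper names, the minimal [url] renderer and the sample post are assumptions for the demo; the new escaper uses the standard &quot; entity.

```python
import re
from html.parser import HTMLParser

def escape_old(s: str) -> str:
    """Escaping as the note describes it before the fix: only &, < and >."""
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def escape_new(s: str) -> str:
    """2.0.19 behaviour as the note describes it: the double quote as well."""
    return escape_old(s).replace('"', "&quot;")

URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.DOTALL)

def render_url_tag(bbcode: str, escape) -> str:
    """Turn [url=target]text[/url] into an <a> element, escaping both parts
    with the supplied function (the target lands inside an attribute)."""
    def repl(m):
        return '<a href="%s">%s</a>' % (escape(m.group(1)), escape(m.group(2)))
    return URL_TAG.sub(repl, bbcode)

class _FirstAnchor(HTMLParser):
    """Collects the attribute names of the first <a> tag a browser would see."""
    def __init__(self):
        super().__init__()
        self.found = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.found is None:
            self.found = [name for name, _ in attrs]

def anchor_attribute_names(html: str):
    """Attribute names of the first <a> in html, [] if there is none."""
    p = _FirstAnchor()
    p.feed(html)
    return p.found or []

# Constructed sample post: the target tries to end the href attribute early
# and smuggle a second (harmless, for the demo) attribute into the tag.
SAMPLE = '[url=http://example.com/" title="injected]click[/url]'
```

With escape_old the rendered tag carries two attributes (href and the injected title); with escape_new the whole target stays inside href.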

More WMF Signatures

Published: 2005-12-30
Last Updated: 2005-12-30 20:32:47 UTC
by Scott Fendley (Version: 2)
Frank Knobbe from sent us some new and improved rules for the WMF exploit. As you can tell by the various iterations we went through, a lot of work went into these rules.

First a couple notes about these rules:

In its simplest case, you may want to limit the rules to port 80 (or $HTTP_PORTS, which typically maps to ports used by web servers). But realize that this only works if you block access to other ports at your firewall. Otherwise, it's trivial to just run a web server on an odd port, and link to the image on the odd port.

Here is the rule developed by the Bleedingsnort team:
(to avoid copy/paste issues, see the Bleedingsnort CVS repository)

Update: (20:15 UTC) The folks at have updated this sig to rev:2.  We had some problems with the pcre in the earlier version of this story, so we've removed it from the story, see the link above to get the actual sig.  Also, it is very important to note that this sig will not detect the exploit on any http ports for which the http_inspect preprocessor is enabled with default settings.  The http_inspect preprocessor defaults to a flow_depth of 300.  Increasing flow_depth (or setting flow_depth to 0 which turns off truncation of the tcp stream by the preprocessor) is potentially a serious performance issue for the sensor on a busy network.

Musings and More WMF Information

Published: 2005-12-30
Last Updated: 2005-12-30 20:10:48 UTC
by Scott Fendley (Version: 1)

Websense released some more information about their investigation into some website exploitation that involves IFRAMEs and the WMF vulnerability. My fellow handler Lorna said recently, "IFrames are always suspect in my eyes." In light of this information, I have to agree with her. Take a look at the Websense Security Labs website for details of their investigation, including a nice movie file showing the exploitation at work.

As a side note,  I am quite thankful that most university and K-12 schools are still on holiday until next week.  This will hopefully give enough lead time for the mass media to report on this issue, and maybe, just maybe, Microsoft will have a better solution for the home users and our student populations.  *crossing his fingers that MS will release a preliminary update quickly*

One reader sent us the following summary, which pretty nicely outlines the issues with this vulnerability:

  1. Filename extension filtering will not work.
  2. Even if you un-register the DLL, some programs may re-register it by invoking it (shimgvw.dll) directly.
  3. You have to delete or rename the DLL to protect yourself. However, remember to undo this once there is a patch.
  4. While images embedded into documents may not immediately trigger the exploit, they may once saved into their own file.
The reader goes on to note that whatever mitigation is offered in Microsoft's advisory is not much more than a quick temporary band-aid. What we need is a patch and we need it quick.

Scott Fendley
Handler on Duty


Ethereal Security Issue

Published: 2005-12-30
Last Updated: 2005-12-30 19:25:06 UTC
by Scott Fendley (Version: 2)
While catching up on email from the past week, I noticed a security issue that has fallen by the wayside in the midst of all of the 0-day exploit discussion. On Tuesday, Ethereal released a security advisory which discusses problems with 3 of its dissectors. Of particular note is that the IRC dissector can go into an infinite loop. As you, our loyal readers, have probably already noted mentally, the IRC dissector is a fairly important one as we eavesdrop on botnets that primarily use IRC as their command and control channel.

It is possible that one could run arbitrary code through the vulnerability with the OSPF dissector, but more likely you will just have Ethereal crash or use up all available system resources.

The new version is available at .


There appears to be a typo in Ethereal's advisory in the resolution section. From the information provided I would recommend upgrading to 0.10.14, not 0.10.13 as the advisory states. Note the following line right under the assumed typo of upgrading to 0.10.13.

"If you are running a version prior to 0.10.14 and you cannot upgrade, you can disable the GTP, IRC, and OSPF protocol dissectors by selecting Analyze->Enabled Protocols... and disabling them in the list."

This, along with the summary line that states "Versions Affected: 0.8.20 up to and including 0.10.13", makes me think there is a typo in their advisory. So upgrade to 0.10.14 if you haven't already.

Scott Fendley
Handler on Duty


Microsoft Advisory

Published: 2005-12-30
Last Updated: 2005-12-30 07:59:43 UTC
by Scott Fendley (Version: 2)
Microsoft has issued a security advisory on the WMF vulnerability.

Details are available here

Update by Scott Fendley:
Microsoft has updated their security advisory tonight (December 30 UTC) with more information and frequently asked questions with answers.

Some notable things that I read in it:

** Windows Metafile (WMF) images can be embedded in other files such as Word documents. Am I vulnerable to an attack from this vector?

No. While we are investigating the public postings which seek to utilize specially crafted WMF files through IE, we are looking thoroughly at all instances of WMF handling as part of our investigation. While we're not aware of any attempts to embed specially crafted WMF files in, for example Microsoft Word documents, our advice is to accept files only from trusted source would apply to any such attempts.

** It has been reported that malicious files indexed by MSN Desktop Search could lead to exploitation of the vulnerability. Is this true?

We have received reports and are investigating them thoroughly as part of our ongoing investigation. We are not aware at this time of issues around the MSN Desktop Indexer, but we are continuing to investigate.

** Is this issue related to Microsoft Security Bulletin MS05-053 - Vulnerabilities in Graphics Rendering Engine Could Allow Code Execution (896424) which was released in November?

No, these are different and separate issues.

** Are there any third party Intrusion Detection Systems (IDS) that would help protect against attempts to exploit this vulnerability?

While we don't know of specific products or services that currently scan or detect for attempts to render specially crafted WMF files, we are working with our partners through industry programs like VIA to provide information as we have it. Customers should contact their IDS provider to determine if it offers protection from this vulnerability.

Scott Fendley
Handler on Duty


Back to Green

Published: 2005-12-30
Last Updated: 2005-12-30 07:57:23 UTC
by Scott Fendley (Version: 3)
As it has been 24 hours since we elevated the Infocon to yellow in response to the WMF 0-day exploit, we will be lowering the Infocon level to Green.

An advisory has been released by Microsoft, working snort signatures are available and as a result of raising the Infocon to yellow yesterday, awareness of the issue has been raised appropriately.

Moving to green signifies that no -new- significant threats are currently being tracked and is not intended to imply that the threat level today is any less than it was yesterday. See Infocon Levels for more information.  Administrators and others responsible for system security are encouraged to act appropriately if no action or incomplete actions have been taken at this time.


We just got this very nicely done set of snort rules from Chris Ries at Vigilantminds:

The HTTP check is a slight performance booster for this rule. The issue we had with it, though, is that in cases where we don't perform server-side stream reassembly for performance reasons, the sig would occasionally false-negative.

We broke this out into 4 rules:

# This Rule
alert tcp any $HTTP_PORTS -> any any (sid:1006182; flow:from_server,
established; content:"HTTP|2F|1|2E|"; nocase; depth: 0;
content:"200 OK"; nocase; within:8;
flowbits: set,HTTPSTREAM;flowbits:noalert; classtype:VM;)

# Identifies the HTTP stream for these rules
alert tcp any $HTTP_PORTS -> any any (sid:1006183;
flowbits: isset, HTTPSTREAM;
flowbits:isnotset, WMF; content:"HTTP|2F|1|2E|"; nocase; depth: 0;
content:"200 OK"; nocase; within:8; content:"|0D 0A 0D 0A|";


Lotus Notes Vulnerable to WMF 0-Day Exploit

Published: 2006-01-04
Last Updated: 2006-01-04 02:28:56 UTC
by Scott Fendley (Version: 3)

John Herron at discovered today that Lotus Notes versions 6.x and higher are vulnerable to the WMF 0-day exploit. In the advisory, located on the NIST website here, John reports that Lotus Notes remained vulnerable even after running the regsvr32 workaround in the Microsoft security advisory.

Update December 30, 2005

Our dedicated reader from Finland, Juha-Matti Laurio, has confirmed that IBM is aware of the vulnerability above. He had a couple of recommended workarounds for those using the Lotus Notes (Domino) system. I expect that IBM will be releasing an advisory directly with this information.

"1. Filter all common picture file extensions at the network perimeter.

The following file extensions are recommended:

BMP, DIB, EMF, GIF, ICO, JFIF, JPE, JPEG, JPG, PNG, RLE, TIF, TIFF and WMF, because Microsoft Windows handles picture files by the file header information, not by the file extension used.

2. Do not Open... or View... picture files from untrusted sources."

Thanks for that information Juha-Matti.

Update January 04, 2006

IBM has released an advisory that states the following:
"Lotus Notes allows users to optionally "View" or "Open" file attachments contained in email messages and documents. These attachments do not auto-launch or execute without user action."  Their recommendation is to follow the recommendations from Microsoft and apply the patch when available.

Scott Fendley
Handler on Duty
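
An added example (Python, not from IBM, Microsoft or the readers quoted above) for the point made both in the reader summary in "Musings and More WMF Information" (extension filtering will not work) and in Juha-Matti's workaround (Windows goes by the file header, not the extension): a gateway check that recognises WMF content by its header regardless of name, next to a plain extension filter, so the two can be compared. The function names and the sample attachments are constructed for the demo; the header layout is the documented WMF format.

```python
import struct

# Placeable (Aldus) WMF header key 0x9AC6CDD7, stored little-endian on disk.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
# The extension list from the Lotus Notes workaround quoted above.
PICTURE_EXTENSIONS = ("bmp", "dib", "emf", "gif", "ico", "jfif", "jpe", "jpeg",
                      "jpg", "png", "rle", "tif", "tiff", "wmf")

def is_wmf(data: bytes) -> bool:
    """True if the bytes start with a WMF header, whatever the file is called.

    A standard WMF begins with Type (1 = memory, 2 = disk), HeaderSize (always
    9 words) and Version (0x0100 or 0x0300); a placeable WMF begins with the
    4-byte key above, followed by the standard header at offset 22.
    """
    if data[:4] == PLACEABLE_KEY:
        return True
    if len(data) < 6:
        return False
    mtype, hdr_size, version = struct.unpack("<HHH", data[:6])
    return mtype in (1, 2) and hdr_size == 9 and version in (0x0100, 0x0300)

def blocked_by_extension(name: str) -> bool:
    """What a perimeter filter keyed on the file name alone would stop."""
    return name.rsplit(".", 1)[-1].lower() in PICTURE_EXTENSIONS

def wmf_by_header(attachments):
    """attachments: iterable of (name, bytes). Names whose content is WMF."""
    return [name for name, data in attachments if is_wmf(data)]

def missed_by_extension_filter(attachments):
    """WMF content that the extension filter on its own would let through."""
    return [name for name, data in attachments
            if is_wmf(data) and not blocked_by_extension(name)]

# Constructed samples (header bytes only, not real files or malware).
STANDARD_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
PLACEABLE_WMF = PLACEABLE_KEY + b"\x00" * 18 + STANDARD_WMF
SAMPLES = [
    ("diagram.wmf", STANDARD_WMF),                      # named honestly
    ("holiday.jpg", PLACEABLE_WMF),                     # WMF behind a .jpg name
    ("readme.txt", STANDARD_WMF),                       # WMF behind a .txt name
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 14),  # genuine JPEG magic
    ("notes.txt", b"hello world"),
]
```

Run over SAMPLES, the header check flags all three WMF files while the extension filter alone lets readme.txt through.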
