
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-07-19 InfoSec Handlers Diary Blog



Cisco MARS vulnerabilities

Published: 2006-07-19
Last Updated: 2006-07-19 23:26:29 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
Cisco released an advisory earlier today pointing out vulnerabilities in one of their security management products, the Cisco Security Monitoring, Analysis and Response System (CS-MARS):

  • The included Oracle database has default passwords
  • The included JBoss webserver allows remote code execution
  • A privilege escalation problem that allows administrators to gain root access to the machine
--
Swa Frantzen -- Section 66

TCP/1433 spike: Call for Packets.

Published: 2006-07-19
Last Updated: 2006-07-19 15:03:19 UTC
by Swa Frantzen (Version: 1)

One of our readers, Warner, noted today what initially appeared to be a localized attack on port 1433/tcp (the Microsoft SQL Server port).  After some further investigation we are seeing a bit of a spike in the DShield data as well, so the same activity is indeed showing up elsewhere.


The next step is to identify what they are scanning for. This will involve answering the SYN packets and seeing what happens. We already know there are many SYNs; we want to try to figure out what happens if the handshake completes.

Setting up something to answer can be done using netcat: "nc -l 1433 > capturefile" or "nc -L -p 1433 > capturefile" (depending on the version of netcat you're using). The scanner might need to see more of the protocol (e.g. a server response) before it sends anything interesting, so some experimentation might be needed.
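As an added example (not from the diary or from the handlers), a small Python listener that does what the netcat one-liner does but also timestamps each connection, records the peer, and labels the first bytes if they look like a TDS packet header; the TDS packet-type values are assumed from the public MS-TDS spec, and the sample packet is constructed:

```python
import socket
import struct
import time

# Assumed TDS packet-type values (public MS-TDS spec; not from the diary).
TDS_TYPES = {0x01: "sql_batch", 0x02: "pre_tds7_login", 0x03: "rpc",
             0x10: "tds7_login", 0x12: "prelogin"}
# Constructed sample: an 8-byte TDS header announcing a 47-byte PRELOGIN packet.
SAMPLE_PRELOGIN = bytes([0x12, 0x01, 0x00, 0x2F, 0x00, 0x00, 0x01, 0x00]) + b"\x00" * 39

def classify_first_bytes(data):
    """Summarise what the client sent right after the 3-way handshake completed."""
    summary = {"bytes": len(data), "hex": data[:16].hex(), "kind": "unknown"}
    if not data:
        summary["kind"] = "no_payload"  # connected, then sent nothing (SYN-only probe)
    elif len(data) >= 8:
        ptype, status, length = struct.unpack(">BBH", data[:4])  # type, status, BE length
        if ptype in TDS_TYPES and length >= 8:
            summary.update(kind=TDS_TYPES[ptype], tds_status=status, tds_length=length)
    return summary

def record(capture_path, peer, data):
    """Append one timestamped line per connection to the capture file; return it."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    line = f"{stamp} {peer[0]}:{peer[1]} {classify_first_bytes(data)}"
    with open(capture_path, "a") as fh:
        fh.write(line + "\n")
    return line

def serve(port=1433, capture_path="capturefile", timeout=5.0):
    """Complete the handshake, wait up to `timeout` s for first bytes, log, close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        conn.settimeout(timeout)
        try:
            data = conn.recv(4096)  # first segment after the 3-way handshake
        except OSError:             # timeout or reset: log an empty payload
            data = b""
        finally:
            conn.close()
        print(record(capture_path, peer, data))

if __name__ == "__main__":
    serve()
```

Connections that complete the handshake but never send anything are logged as "no_payload", which already tells you whether the scanner is just a SYN sweep or a client waiting for a server banner.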

Upload captures through the contact page please.

We'll update this story as it evolves.

Thanks to all handlers working on this: Scott, David, William, Robert, ...
--
Swa Frantzen -- Section 66


New Challenge: Hack Bill!

Published: 2006-07-19
Last Updated: 2006-07-19 12:31:37 UTC
by Ed Skoudis (Version: 1)
I'm really happy to announce that my buddy and fellow ISC handler Mike Poor wrote a new movie-themed security challenge.  These challenges are designed to test your incident handling and security skills, in a fun and playful way.  I've written 17 of them myself, and now, I've invited some of my friends to write them.

Mike's handiwork is based on the _Kill_Bill_ movie by Quentin Tarantino.  He calls it, appropriately enough, _Hack_Bill_.  Read the challenge here, and submit your answers by July 31 to win a fine prize (an autographed copy of Counter Hack Reloaded, signed by Mike and me).  This one tests some nifty UNIX skills... and even if you don't know all of the answers, enter anyway.  We'll give away prizes to the best technical and creative answers, as well as one drawn randomly from all entrants.

BTW, look carefully at those UNIX commands in the challenge.  Several people have written thinking that there are mistakes in these commands.  There are not.  Each one is carefully calibrated to test your knowledge.  :)

Oracle quarterly patches

Published: 2006-07-19
Last Updated: 2006-07-19 03:13:47 UTC
by Swa Frantzen (Version: 1)
Oracle released patches yesterday. All details are -traditionally- hidden behind Metalink login screens.

I counted 65 vulnerabilities (give or take a few) in the report; no workarounds for any of them have been released.

Since we're not supposed to look deeper than the surface, it's very hard to add any value to what Oracle released, so be sure to get more details if you have any of their software running and make sure it gets appropriately patched ASAP.

In the past I found it helpful to print out the tables of the vulnerabilities, highlight the software and versions we were using, and then go over those left with a DBA sitting next to me to determine what was to be patched, how and when. Unfortunately you might run into 3rd party vendors not approving of any upgrading/patching, creating a catch-22 situation.

If you run exposed (e.g. HTTP-facing) Oracle-based servers, this might be one of those moments to reconsider the architecture. Yes, it's not without pain, and the developers of the application will hate you for it.  But at least you get back some control over what patch goes on when, instead of being forced to rely on obscurity for months in a row.

The next scheduled batch of patches for Oracle is due on October 17th. So mark the days after it and make sure the DBAs are not on vacation at that time.

Disclaimer: I really do not like Oracle's handling of patches at all: I find 3 months way too long; 65 vulnerabilities to deal with in one go way too many; I hate not being able to see any details; I feel they could come up with some workarounds in those months preceding their release; and I wonder how many bad guys do have and use a Metalink login/password, while any self-respecting security professional cannot.

Thanks to fellow handler Koon Yaw Tan for noticing the release.

--
Swa Frantzen -- Section 66