Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-07-22 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

DHCP exploit publicly available (MS06-036)

Published: 2006-07-22
Last Updated: 2006-07-23 20:58:37 UTC
by Swa Frantzen (Version: 1)
0 comment(s)
As a "present" for blackhat an exploit against the DHCP client of Windows 2000 was released publicly. See MS06-036 for more details.

The exploit claims to add the user "bl4ck" with a very insecure password and might cause the service to terminate. The author left some suggestions for "improvement" in the source code, so expect potentially nastier versions to be used in real life.

If you still have not patched your Windows client systems, it is a very good time to do so now.

The nature of DHCP makes it so that any device on a LAN can answer any and all DHCP request. So be sure people understand there is no need to attack or compromise any server first. Detecting this is helped slightly by DHCP's use of broadcasts (the client doesn't have an IP address).

It is quite imaginable that this gets used not just over wired networks - where the defending staff could disable a port in a worst-case scenario - but also over wireless networks, hotspots, hotels etc. where no such option is available. Or it could be used in a multi-stage attack where this gets inside your network in other ways and then does its "magic" on the local LAN.

--
Swa Frantzen -- Section 66
Keywords:
0 comment(s)

A Lesson Learned from the Mailbox

Published: 2006-07-22
Last Updated: 2006-07-22 23:21:35 UTC
by Kevin Liston (Version: 1)
0 comment(s)
From today's mailbox, William writes:

I walked up to my home computer only to find it acting on its own. I now understand it was the RealVnc 4.1.1 attack. Anyways, the computer is on a dialup connection, so they were working slowly. I unpluged the modem at once, leaving them cut off. They were in the process of downloading a virus from what i suspect to be a personal httpd. the address is [REDACTED], its full of hacker goodies you might like to look at. Either way, i feel really silly now, and pledge to keep up on my upgrades.

There are a few lessons from this report:
* The obvious ones are keep up on your patches and don't run unecessary services
* "I don't have anything on my computer that hackers would want," which I hear a lot from my extended family, is universallyl incorrect-- they want your computer.
* Bots don't know if you're on dial-up.

Thanks for the report William!
Keywords:
0 comment(s)

Powerpoint Vulnerabilty and MalCode Review

Published: 2006-07-22
Last Updated: 2006-07-22 18:36:01 UTC
by Kevin Liston (Version: 1)
0 comment(s)
Recent vulnerabilities affecting PowerPoint:

MS06-010: Vulnerability in PowerPoint 2000 Could Allow Information Disclosure (889167)
CVE-2006-0004
CVSS base: 2.3

MS06-028: Vulnerability in Microsoft PowerPoint Could Allow Remote Code Execution (916768)
CVE-2006-0022
CVSS base: 5.6

Microsoft PowerPoint Unspecified Code Execution Vulnerability
CVE-2006-3590
CVSS base: 5.6
Vendor Announcements:
http://www.microsoft.com/technet/security/advisory/922970.mspx
http://blogs.technet.com/msrc/archive/2006/07/14/441893.aspx
Patch is currently un-available
Malcode exploiting this vulnerability has been identified, signatures are available.  
Aliases: Trojan.PPDropper.B, TROJ_MDROPPER.AS

Microsoft PowerPoint Memory Corruption Vulnerabilities
CVE-2006-3655
CVSS base: 5.6
Proof of concept code exists
Patch is currently un-available

CVE-2006-3656
CVSS base: 1.9
Proof of concept code exists
Patch is currently un-available

CVE-2006-3660
CVSS base: 5.6
Proof of concept code exists
Patch is currently un-available

These were reported on the Handler's Diary here: http://isc.sans.org/diary.php?storyid=1484
Keywords:
0 comment(s)

Microsoft July Security Bulletin Review

Published: 2006-07-22
Last Updated: 2006-07-22 18:30:36 UTC
by Kevin Liston (Version: 2)
0 comment(s)
A quick little, "where are we now" review.

Initial July Microsoft announcement:
http://www.microsoft.com/technet/security/bulletin/ms06-jul.mspx

MS06-033: Vulnerability in ASP.NET Could Allow Information Disclosure (917283)
CVE-2006-1300
CVSS base: 2.3

MS06-034: Vulnerability in Microsoft Internet Information Services using Active Server Pages Could Allow Remote Code Execution (917537)
CVE-2006-0026
CVSS base: 4.2
initial ISC announement: http://isc.sans.org/diary.php?storyid=1473
reported to have some patch issues:
http://isc.sans.org/diary.php?storyid=1481
http://support.microsoft.com/kb/917537
Microsoft updated the .cab file:
http://isc.sans.org/diary.php?storyid=1494
http://blogs.technet.com/msrc/archive/2006/07/18/442388.aspx
exploit code is available

MS06-035: Vulnerability in Server Service Could Allow Remote Code Execution (917159)
aka "Mailslot"
CVE-2006-1314
CVSS base: 7.0
CVE-2006-1315
CVSS base: 2.3
initial ISC announement: http://isc.sans.org/diary.php?storyid=1471
exploit code is available

MS06-036: Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)
CVE-2006-2372
CVSS base: 7.0 temporal: 5.8
initial ISC announement: http://isc.sans.org/diary.php?storyid=1472
exploit code is available: http://isc.sans.org/diary.php?storyid=1502

MS06-037: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (917285)
CVE-2006-1301
CVE-2006-1302
CVE-2006-1304
CVE-2006-1306
CVE-2006-1308
CVE-2006-1309
CVE-2006-2388
CVE-2006-3059
CVSS base: 5.6
initial ISC announement: http://isc.sans.org/diary.php?storyid=1474

MS06-038: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (917284)
CVE-2006-1316 ? Microsoft Office Parsing Vulnerability
CVSS base: 5.6
CVE-2006-1540 ? Microsoft Office Malformed String Parsing Vulnerability
CVSS base: 1.1
CVE-2006-2389 ? Microsoft Office Property Vulnerability
CVSS base: 6.5
initial ISC announement: http://isc.sans.org/diary.php?storyid=1475

MS06-039: Vulnerabilities in Microsoft Office Filters Could Allow Remote Code Execution (915384)
CVE-2006-0033
CVSS base: 3.7
CVE-2006-0007
CVSS base: 5.6
initial ISC announement: http://isc.sans.org/diary.php?storyid=1476

Keywords:
0 comment(s)
Diary Archives