October Patch Tuesday Preview (CVE-2013-3893 patch coming!)

Published: 2013-10-03
Last Updated: 2013-10-03 22:29:21 UTC
by Johannes Ullrich (Version: 1)

So far, we got pre-announcements from Microsoft and Adobe.

Microsoft promises 8 bulletins, split evenly between critical and important. The critical bulletins affect Windows, Internet Explorer and the .NET Framework, while the important bulletins affect Office and Silverlight.

So this sounds like an average, very client-heavy Patch Tuesday. On the server end, only SharePoint Server (again) and Office Server software are affected.

Important: The cumulative IE update will include a patch for CVE-2013-3893, the currently unpatched but actively exploited vulnerability in Internet Explorer. This bulletin should be applied as soon as possible once it is released.

For details, see http://technet.microsoft.com/en-us/security/bulletin/ms13-oct

Adobe pre-announced only one patch, for Acrobat and Reader. For details, see http://blogs.adobe.com/psirt/2013/10/prenotification-upcoming-security-updates-for-adobe-reader-and-acrobat-apsb13-25.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: adobe ie msft patch

CSAM: Web Honeypot Logs

Published: 2013-10-03
Last Updated: 2013-10-03 19:10:02 UTC
by Johannes Ullrich (Version: 1)

Today's logs come from a honeypot. The fun part about honeypots is that you don't have to worry about filtering out "normal" logs: every request is unsolicited. Usually I check the honeypot for anything new and interesting first, then look at my real web server to figure out whether I see similar attacks there. On the real web server, these attacks would otherwise drown in the noise.

SSL Connection to a web server not supporting SSL

Invalid method in request \x80w\x01\x03\x01

The first few bytes of the request are interpreted as the HTTP method. If the client uses SSL but the server "doesn't get it" (plain HTTP on that port, no SSL configured), then the server will just log the first few bytes of the SSL message as an invalid method. In this case, those bytes were \x80w\x01\x03\x01: the high bit set in the first byte marks an SSLv2-style record header, \x01 is the CLIENT-HELLO message type, and \x03\x01 is the highest protocol version the client offers, TLS 1.0.
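The following decoder, added here as an illustration and not part of the original diary, turns the bytes Apache logged after "Invalid method in request" back into what they are: an SSLv2-compatible ClientHello with a 119-byte record, offering TLS 1.0. It also recognises the modern TLS record-layer form (first byte 0x16, handshake content type), which the diary does not show but which newer clients produce on the same mistake. The sample error-log line is constructed; only the escaped bytes \x80w\x01\x03\x01 come from the diary, the timestamp and client address are assumed.

```python
import re

# Constructed Apache error-log line (not the diary's full log): the escaped bytes
# \x80w\x01\x03\x01 are the ones the diary quotes; timestamp and client IP are assumed.
SAMPLE_ERROR_LOG = r'[Thu Oct 03 12:00:00 2013] [error] [client 192.0.2.10] Invalid method in request \x80w\x01\x03\x01'

INVALID_METHOD_RE = re.compile(r'Invalid method in request (?P<raw>.+)$')

# Protocol versions as they appear in a hello (major byte, minor byte).
VERSION_NAMES = {0x0002: 'SSLv2', 0x0300: 'SSLv3', 0x0301: 'TLS 1.0',
                 0x0302: 'TLS 1.1', 0x0303: 'TLS 1.2'}


def unescape_apache(text: str) -> bytes:
    # Reverse Apache's log escaping: backslash-x followed by two hex digits for a
    # non-printable byte, a doubled backslash for a literal backslash.
    out = bytearray()
    i = 0
    while i < len(text):
        if text.startswith('\\x', i) and i + 4 <= len(text):
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        elif text.startswith('\\\\', i):
            out.append(0x5C)
            i += 2
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def decode_client_hello(raw: bytes):
    """Interpret the first bytes of a 'request' as the start of an SSL/TLS handshake.

    SSLv2-format records (also sent by older clients as a compatibility hello even
    when they offer TLS) have a 2-byte header with the high bit of byte 0 set: the
    low 15 bits are the record length, byte 2 is the message type (0x01 =
    CLIENT-HELLO) and bytes 3-4 the highest version the client supports.
    TLS records start with a content type (0x16 = handshake) and a 2-byte version.
    Returns None when the bytes fit neither layout.
    """
    if len(raw) >= 5 and raw[0] & 0x80:
        record_len = ((raw[0] & 0x7F) << 8) | raw[1]
        if raw[2] != 0x01:
            return None
        version = (raw[3] << 8) | raw[4]
        return {'format': 'sslv2', 'record_length': record_len,
                'message': 'CLIENT-HELLO',
                'version': VERSION_NAMES.get(version, '0x%04x' % version)}
    if len(raw) >= 3 and raw[0] == 0x16:
        version = (raw[1] << 8) | raw[2]
        record_len = ((raw[3] << 8) | raw[4]) if len(raw) >= 5 else None
        return {'format': 'tls-record', 'record_length': record_len,
                'message': 'handshake',
                'version': VERSION_NAMES.get(version, '0x%04x' % version)}
    return None


def triage_invalid_method(line: str):
    """Decode an 'Invalid method in request' error-log line; None if it is not one."""
    m = INVALID_METHOD_RE.search(line)
    if not m:
        return None
    return decode_client_hello(unescape_apache(m['raw']))


if __name__ == '__main__':
    print(triage_invalid_method(SAMPLE_ERROR_LOG))
```

These lines typically come from a client pointed at https://host:80/ (or a scanner probing every port with a TLS handshake); they are noise rather than an attack, but a burst of them from one address right before HTTP requests is a cheap scanner indicator.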

Odd URLs

File does not exist: /var/www/HNAP1

Frequently you will find attack scripts that "hunt" for a particular vulnerability, whether or not you even have the application installed. This is in part what is behind our 404 project. Above, the attacker looked for "HNAP1", which appears to be vulnerable in some routers (see http://www.cathaycenturies.com/blog/?p=643 for more details about this particular vulnerability).

Odd User Agents

Mozilla/3.0 (compatible; Indy Library)
Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij

The first one, "Indy Library", is a standard HTTP library used in many web attack tools. The second one is the old favorite Nmap (its scripting engine), and the last one is Havij, a script-kiddie SQL injection tool (I am not seeing it as much as I used to). In pretty much all cases it is easy to change the user agent, but most attackers don't bother to.

Sometimes the user agent string itself is the attack, like in this log entry:

"GET /rssfeed.xml HTTP/1.1" 200 5162 "-" "><script>alert('XSSUserAgent')</script>" "-"

The attacker may hope that the user agent is echoed back, unescaped, to an administrator as part of an admin interface or a log viewer, so the script runs in the administrator's browser.

Standard SQL Injection Strings

GET /diary.php?storyid=999999.9+union+all+select+0x31303235343830303536--
GET /diary.php?storyid=1480%27
GET /diary.php?storyid=1480+and+1%3D1

Many SQL injection attack tools use similar techniques. The examples above are from Havij. Typically the attacker will try to insert single quotes (%27) to provoke a syntax error, append a boolean condition such as "and 1=1" to see whether the page changes, or issue UNION requests with arbitrary marker values to be able to identify any data that may come back. For the UNION requests, you will see the attack starting with one column and working its way up as the attacker attempts to figure out how many columns your query returns.

Cross Site Scripting

Here is a typical XSS attempt:

GET /diary.html?storyid=\"><script>alert(13377331)</script> HTTP/1.0"

Not much obfuscation here. Just a pretty plain XSS attempt.
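The following script, added here as an illustration and not part of the original diary, does the triage the diary describes by hand: it parses combined-format access-log lines, fingerprints the scanner user agents (Indy Library, Nmap NSE, Havij), flags the HNAP1 hunt, and classifies the query strings as quote, boolean or UNION probes, counting the columns in a UNION and decoding Havij's hex marker. It goes slightly beyond the diary's examples in that it handles UNION probes with any number of columns. The log lines are constructed: the request and user-agent strings are the ones quoted in the diary, while the client addresses, timestamps, sizes, referer fields and the /HNAP1/ request path are assumed.

```python
import re
from urllib.parse import unquote_plus

# Constructed combined-format access-log lines (not the diary's own log). The request
# strings and user-agent strings are the ones quoted in the diary; client IPs,
# timestamps, sizes, the HNAP1 request path and the referer fields are assumed.
SAMPLE_ACCESS_LOG = r'''
192.0.2.1 - - [03/Oct/2013:10:01:02 +0000] "GET /HNAP1/ HTTP/1.1" 404 211 "-" "Mozilla/3.0 (compatible; Indy Library)"
192.0.2.2 - - [03/Oct/2013:10:02:02 +0000] "GET / HTTP/1.1" 200 5162 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
192.0.2.3 - - [03/Oct/2013:10:03:02 +0000] "GET /diary.php?storyid=999999.9+union+all+select+0x31303235343830303536-- HTTP/1.1" 200 1290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"
192.0.2.3 - - [03/Oct/2013:10:03:03 +0000] "GET /diary.php?storyid=1480%27 HTTP/1.1" 200 1290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"
192.0.2.3 - - [03/Oct/2013:10:03:04 +0000] "GET /diary.php?storyid=1480+and+1%3D1 HTTP/1.1" 200 1290 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"
192.0.2.4 - - [03/Oct/2013:10:04:02 +0000] "GET /rssfeed.xml HTTP/1.1" 200 5162 "-" "><script>alert('XSSUserAgent')</script>"
192.0.2.5 - - [03/Oct/2013:10:05:02 +0000] "GET /diary.html?storyid=\"><script>alert(13377331)</script> HTTP/1.0" 200 1290 "-" "Mozilla/5.0"
192.0.2.6 - - [03/Oct/2013:10:06:02 +0000] "GET /diary.php?storyid=1480 HTTP/1.1" 200 1290 "-" "Mozilla/5.0"
'''

# Apache combined log format; quoted fields may contain \" and \\ escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"')

# Tool fingerprints the diary calls out; plain substring match on the User-Agent.
SCANNER_UA = {'Indy Library': 'indy-library',
              'Nmap Scripting Engine': 'nmap-nse',
              'Havij': 'havij'}
XSS_RE = re.compile(r'<\s*script\b|javascript:|\bon\w+\s*=', re.I)
UNION_RE = re.compile(r'\bunion\s+(?:all\s+)?select\s+(.*?)(?:\s+from\b|--|#|$)', re.I | re.S)
BOOL_RE = re.compile(r'\b(?:and|or)\s+\S+\s*=\s*\S+', re.I)
HEX_LITERAL_RE = re.compile(r'0x([0-9a-f]+)', re.I)


def unescape(field: str) -> str:
    """Undo Apache's backslash escaping inside a quoted log field."""
    return re.sub(r'\\(.)', r'\1', field)


def classify(ip, path, query, ua):
    """Tag one request; `query` is already URL-decoded, as the backend would see it."""
    tags, union_columns, markers = [], None, []
    for needle, tag in SCANNER_UA.items():
        if needle in ua:
            tags.append('ua:' + tag)
    if XSS_RE.search(ua):
        tags.append('xss:user-agent')
    if path.upper().startswith('/HNAP1'):
        tags.append('probe:hnap1')
    if XSS_RE.search(query):
        tags.append('xss:query')
    m = UNION_RE.search(query)
    if m:
        tags.append('sqli:union')
        select_list = m.group(1)
        union_columns = select_list.count(',') + 1
        # Tools like Havij inject a hex literal and look for its decoded form in the page.
        for hexstr in HEX_LITERAL_RE.findall(select_list):
            if len(hexstr) % 2 == 0:
                markers.append(bytes.fromhex(hexstr).decode('ascii', 'replace'))
    if BOOL_RE.search(query):
        tags.append('sqli:boolean')
    if "'" in query and 'sqli:union' not in tags:
        tags.append('sqli:quote')
    return {'ip': ip, 'path': path, 'tags': tags,
            'union_columns': union_columns, 'markers': markers}


def triage(log_text: str):
    """Parse every log line and keep only the requests that earned at least one tag."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = unescape(m['req']).split(' ')
        target = parts[1] if len(parts) >= 2 else ''
        path, _, qs = target.partition('?')
        hit = classify(m['ip'], path, unquote_plus(qs), unescape(m['ua']))
        if hit['tags']:
            findings.append(hit)
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_ACCESS_LOG):
        print(finding)
```

Two details matter when you adapt this to a real server: decode the query (unquote_plus) before matching, because %27 and + are what the log shows but ' and a space are what the database sees; and treat the user agent as attacker input when you display the findings, since the XSSUserAgent line above is exactly the payload that a naive log viewer would execute.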

------ 
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

