Alerts

ISC StormCast for Thursday, March 13th 2014 http://isc.sans.edu/podcastdetail.html?id=3889, (Thu, Mar 13th)

Latest Alerts - Wed, 03/12/2014 - 17:17
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Identification and authentication are hard ... finding out intention is even harder, (Thu, Mar 13th)

Latest Alerts - Wed, 03/12/2014 - 16:09

While the drama about the lost airplane in Malaysia is still continuing, our hearts of course go out to the families of the missing. This ISC diary, though, is not about airplanes or terrorism; it is about the related discovery that at least two passengers on the plane were using fake passports. Equally startling was the comment by Interpol that this is "common". What is the point of maintaining, for example, a no-fly list, if those listed on it travel with stolen documents anyway, and if the security checkpoint apparently fails to notice that a 19-year-old doesn't look like a 40-year-old, and that Italians who don't speak at least rudimentary Italian are, well, somewhat rare?

If we translate this to the virtual world, it turns into an everyday problem. How do we know that Joe using Joe's password is actually Joe, and not Jane? I probably should call them "Bob" and "Alice" to make this worthy of a scientific paper :), but the problem still stands: identification and authentication are hard, and finding out intentions is even harder. If we borrow from the airport physical security playbook, then it is "behavior" that makes the difference. The security checkpoint guys are (supposedly) trained to look for "clues" like nervousness, and carry-on baggage that is leaking 1,2,3-trinitroxypropane. Inevitably, there are numerous software products that claim to identify the "unusual" as well. Joe connecting from Connecticut, even though he lives in Idaho? Alert! Joe using Chrome even though he used Firefox last time? Alert! Joe typing his password faster than usual? Alert!

But like in the physical world, this kind of profiling only works well if you have a pretty homogeneous and static "good guy" population, and a pretty well-defined adversary. The real world, unfortunately, tends to be more diverse and complex than that. Which is why login fraud detection, just like airport security, often drowns in false positives, and as a result gets de-tuned to the point where real fraud has stellar odds of just slipping by. This is a fundamental issue with many security measures. Statisticians call it the "base rate fallacy": if there are many, many more good guys than bad guys, finding the bad guys with a test that has a high error rate is pretty much moot.
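Worked through in code, as an added example that is not part of the diary: the arithmetic behind the base rate fallacy for a login fraud detector. The login volume, base rate and error rates are assumed sample values, not figures from the text.

```python
"""Base-rate arithmetic for a login fraud detector (constructed example)."""


def alert_precision(base_rate: float, sensitivity: float, false_positive_rate: float) -> float:
    """Fraction of alerts that are real fraud (Bayes' rule, a.k.a. positive predictive value).

    base_rate:           share of all logins that are fraudulent, P(fraud)
    sensitivity:         P(alert | fraud), the detector's true-positive rate
    false_positive_rate: P(alert | legitimate)
    """
    true_alerts = base_rate * sensitivity
    false_alerts = (1.0 - base_rate) * false_positive_rate
    total = true_alerts + false_alerts
    return true_alerts / total if total else 0.0


def expected_alert_counts(logins: int, base_rate: float, sensitivity: float,
                          false_positive_rate: float) -> dict:
    """Expected true alerts, false alerts and missed fraud for a given login volume."""
    fraud = logins * base_rate
    legit = logins - fraud
    return {
        "true_alerts": fraud * sensitivity,
        "false_alerts": legit * false_positive_rate,
        "missed_fraud": fraud * (1.0 - sensitivity),
    }


def precision_by_base_rate(sensitivity: float, false_positive_rate: float,
                           base_rates=(0.5, 0.1, 0.01, 0.001, 0.0001)) -> dict:
    """The same detector evaluated as the good-guy population grows relative to the bad guys."""
    return {b: alert_precision(b, sensitivity, false_positive_rate) for b in base_rates}


if __name__ == "__main__":
    # Assumed sample values: 1 in 10,000 logins is fraudulent; the detector
    # catches 99% of fraud and flags 1% of legitimate logins.
    BASE_RATE, SENS, FPR = 0.0001, 0.99, 0.01
    for b, p in precision_by_base_rate(SENS, FPR).items():
        print(f"base rate {b:<8} -> {p:6.1%} of alerts are real fraud")
    counts = expected_alert_counts(1_000_000, BASE_RATE, SENS, FPR)
    print("per 1,000,000 logins:", {k: round(v) for k, v in counts.items()})
    # "De-tuning" to cut the noise: a stricter threshold that flags only 0.1% of
    # legitimate logins but now catches half of the fraud. Precision improves,
    # but half of the real fraud walks straight through.
    detuned = expected_alert_counts(1_000_000, BASE_RATE, 0.5, 0.001)
    print("after de-tuning:      ", {k: round(v) for k, v in detuned.items()})
```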

Checking the passports against the Interpol list of stolen passports wouldn't hurt, though. Not doing this is akin to letting someone log in to an account that is suspended, or log in with a password that was valid two years ago.
 

 


Wordpress "Pingback" DDoS Attacks, (Wed, Mar 12th)

Latest Alerts - Wed, 03/12/2014 - 04:21

Sucuri detected an interesting "reflective" attack using the Wordpress Pingback feature to attack web sites [1]. Unlike other reflective attacks that use UDP services like NTP and DNS, this attack uses the Wordpress Pingback feature.

The intent of Pingback is to notify a site that you link to about the link, hoping that the site you are linking to will return the favor. Some systems automate this and maintain automated lists linking back to sites that covered their article. In order to implement pingback, Wordpress implements an XML-RPC API function. This function will then send a request to the site to which you would like to send a "pingback".

With Wordpress, the Pingback is sent as a POST request to /xmlrpc.php. The body of the request will look like:

<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
     <param><value><string>http://victim</string></value></param>
     <param><value><string>http://reflector</string></value></param>
  </params>
</methodCall>

For the attack seen by Sucuri, the "victim" URL included a random parameter like "victim.com?123456=123456" to prevent caching.

The result of this request is that your Wordpress install will send a request to the victim's site. I don't think the attack will provide a significant traffic amplification, but it does obfuscate the actual source of the attack.

By default, this feature is enabled in all Wordpress installs, and it is not easy to turn off. Sucuri recommends adding the following API filter to Wordpress:

// Drop pingback.ping from the XML-RPC method table; the rest of xmlrpc.php keeps working.
add_filter( 'xmlrpc_methods', function( $methods ) {
   unset( $methods['pingback.ping'] );
   return $methods;
} );

Removing xmlrpc.php is not recommended, as it will break a number of other features that use the API.
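Added example, not from the diary or Sucuri's report: detection logic a victim site could run over its access log, combining the N=N cache-busting query string described above with a WordPress requester. The "WordPress/<version>; <site URL>" User-Agent form is WordPress's default outgoing user agent, and the log lines are constructed; both are assumptions here.

```python
"""Spot WordPress pingback reflection traffic in a web server access log (victim side)."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (RFC 5737 addresses, .example hosts), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2014:04:21:01 +0000] "GET /?123456=123456 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://reflector-a.example"
203.0.113.10 - - [12/Mar/2014:04:21:01 +0000] "GET /?987654=987654 HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://reflector-a.example"
198.51.100.7 - - [12/Mar/2014:04:21:02 +0000] "GET /?31337=31337 HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://reflector-b.example"
198.51.100.7 - - [12/Mar/2014:04:21:02 +0000] "GET /?p=5 HTTP/1.0" 200 8210 "-" "WordPress/3.7.1; http://reflector-b.example"
192.0.2.55 - - [12/Mar/2014:04:21:03 +0000] "GET /?42=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"
this line is not in combined log format
"""


def is_cache_buster(target: str) -> bool:
    """True when the only query parameter is N=N with N numeric (e.g. ?123456=123456)."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return len(pairs) == 1 and pairs[0][0] == pairs[0][1] and pairs[0][0].isdigit()


def wordpress_reflector(user_agent: str):
    """Return the site URL from a WordPress user agent, or None for any other client.

    Assumption: WordPress sends "WordPress/<version>; <site URL>". That URL names the
    reflector (the abused blog), not the party that submitted the pingback.
    """
    if not user_agent.startswith("WordPress/"):
        return None
    _, _, site = user_agent.partition("; ")
    return site or None


def analyze(log_text: str) -> dict:
    """Classify each line and aggregate suspected pingback reflection hits per reflector."""
    reflectors = Counter()
    source_ips = Counter()
    summary = {"parsed": 0, "unparsed": 0, "pingback_hits": 0, "other_wordpress_hits": 0}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            summary["unparsed"] += 1
            continue
        summary["parsed"] += 1
        site = wordpress_reflector(m["ua"])
        if site is None:
            continue  # ordinary visitor; a cache-buster alone is not evidence
        if is_cache_buster(m["target"]):
            summary["pingback_hits"] += 1
            reflectors[site] += 1
            source_ips[m["ip"]] += 1
        else:
            summary["other_wordpress_hits"] += 1  # e.g. a legitimate pingback verification fetch
    summary["reflectors"] = reflectors
    summary["source_ips"] = source_ips
    return summary


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['pingback_hits']} suspected reflection hits from "
          f"{len(result['reflectors'])} WordPress reflectors "
          f"({result['unparsed']} unparsed lines)")
    for site, hits in result["reflectors"].most_common():
        print(f"  {hits:>5}  {site}")  # candidates for rate limiting and an abuse notice
```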

 

[1] http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

ISC StormCast for Wednesday, March 12th 2014 http://isc.sans.edu/podcastdetail.html?id=3887, (Wed, Mar 12th)

Latest Alerts - Tue, 03/11/2014 - 17:15

Introduction to Memory Analysis with Mandiant Redline, (Tue, Mar 11th)

Latest Alerts - Tue, 03/11/2014 - 10:46

In a previous diary I talked about memory acquisition with Dumpit [1]. In this diary I will talk about how to use Mandiant Redline to analyze the memory dump.

Mandiant Redline:

“Redline, Mandiant’s premier free tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile”.[2]

Installation:

1-Download Mandiant Redline from https://www.mandiant.com/resources/download/redline

2-Double click on Redline-1.11.msi

3-Follow the steps, then click Close

Redline Usage:

To analyze a memory image:

1-Select From a Saved Memory File under Analyze Data on the home screen

2-Click Browse under Location of Saved Memory Image (for this diary I will not use Indicators of Compromise)

3-Click Next then OK

Depending on the size of the image and the speed of your PC, Mandiant Redline will take time to process the memory image.

4-For this example I am going to choose “I am reviewing A Full Live Response or Memory Image”

Now our Image is ready for Review:

From the left hand side you can choose which type of data you would like to analyze; in this view it's "Processes".

Here you can find all the processes that were running on the system when the memory image was acquired. It shows the full details about each process, such as the Process ID, Path, Arguments, User name, SID, etc.

To view the ports that were open on the system when the image was acquired, click Ports under Processes on the Analysis Data window's Host tab.



[1] http://isc.sans.edu/diary/Acquiring+Memory+Images+with+Dumpit/17216

[2] https://www.mandiant.com/resources/download/redline


Microsoft Patch Tuesday March 2014, (Tue, Mar 11th)

Latest Alerts - Tue, 03/11/2014 - 09:23

Overview of the March 2014 Microsoft patches and their status.

MS14-012 Cumulative Security Update for Internet Explorer (Replaces MS14-010)
  Affected: Internet Explorer
  CVEs: CVE-2014-0297, CVE-2014-0298, CVE-2014-0299, CVE-2014-0302, CVE-2014-0303, CVE-2014-0304,
        CVE-2014-0305, CVE-2014-0306, CVE-2014-0307, CVE-2014-0308, CVE-2014-0309, CVE-2014-0311,
        CVE-2014-0312, CVE-2014-0313, CVE-2014-0314, CVE-2014-0321, CVE-2014-0322, CVE-2014-0324
  KB: 2925418
  Known Exploits: Yes!
  Microsoft rating(**): Severity: Critical, Exploitability: 1
  ISC rating(*): clients PATCH NOW!, servers Critical

MS14-013 Remote Code Execution Vulnerability in Microsoft Direct Show (Replaces MS13-056)
  Affected: Direct Show JPEG Library
  CVEs: CVE-2014-0301
  KB: 2929961
  Known Exploits: No.
  Microsoft rating(**): Severity: Critical, Exploitability: 1
  ISC rating(*): clients Critical, servers Important

MS14-014 Vulnerability in Silverlight Could Allow Security Feature Bypass (Replaces MS13-087)
  Affected: Silverlight
  CVEs: CVE-2014-0319
  KB: 2932677
  Known Exploits: No.
  Microsoft rating(**): Severity: Important, Exploitability: 1
  ISC rating(*): clients Important, servers Important

MS14-015 Privilege Escalation Vulnerability in Windows Kernel-Mode Driver (Replaces MS13-101)
  Affected: Windows Kernel-Mode Driver
  CVEs: CVE-2014-0300, CVE-2014-0323
  KB: 2930275
  Known Exploits: Yes. CVE-2014-0323 was public.
  Microsoft rating(**): Severity: Important, Exploitability: 1
  ISC rating(*): clients Important, servers Important

MS14-016 Security Bypass Vulnerability in Security Account Manager Remote (SAMR) (Replaces MS11-095, MS13-032)
  Affected: Security Account Manager Remote
  CVEs: CVE-2014-0317
  KB: 2930275
  Known Exploits: No.
  Microsoft rating(**): Severity: Important, Exploitability: 1
  ISC rating(*): clients Important, servers Important

We will update issues on this page for about a week or so as they evolve. We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY.

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. We presume simple best practices for servers, such as not using Outlook, MSIE, Word, etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all, because Microsoft assigns too many separate ratings to some of the patches.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Adobe Updates: Flash Player, (Tue, Mar 11th)

Latest Alerts - Tue, 03/11/2014 - 06:40

Adobe released a new version of Flash Player as part of today's Patch Tuesday. No details are available yet. We will update this diary once the details become available. Note that this will also affect browsers like Chrome that include an embedded version of Flash.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

ISC StormCast for Tuesday, March 11th 2014 http://isc.sans.edu/podcastdetail.html?id=3885, (Tue, Mar 11th)

Latest Alerts - Mon, 03/10/2014 - 18:06

Apple iOS 7.1, (Mon, Mar 10th)

Latest Alerts - Mon, 03/10/2014 - 11:33

Here is detailed information on today's Apple releases; both iOS and Apple TV were updated.

APPLE-SA-2014-03-10-1 iOS 7.1

iOS 7.1 is now available and addresses the following:

Backup
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A maliciously crafted backup can alter the filesystem
Description:  A symbolic link in a backup would be restored, allowing
subsequent operations during the restore to write to the rest of the
filesystem. This issue was addressed by checking for symbolic links
during the restore process.
CVE-ID
CVE-2013-5133 : evad3rs

Certificate Trust Policy
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Root certificates have been updated
Description:  Several certificates were added to or removed from the
list of system roots.

Configuration Profiles
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Profile expiration dates were not honored
Description:  Expiration dates of mobile configuration profiles were
not evaluated correctly. The issue was resolved through improved
handling of configuration profiles.
CVE-ID
CVE-2014-1267

CoreCapture
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application can cause an unexpected system
termination
Description:  A reachable assertion issue existed in CoreCapture's
handling of IOKit API calls. The issue was addressed through
additional validation of input from IOKit.
CVE-ID
CVE-2014-1271 : Filippo Bigarella

Crash Reporting
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to change permissions on arbitrary
files
Description:  CrashHouseKeeping followed symbolic links while
changing permissions on files. This issue was addressed by not
following symbolic links when changing permissions on files.
CVE-ID
CVE-2014-1272 : evad3rs

dyld
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Code signing requirements may be bypassed
Description:  Text relocation instructions in dynamic libraries may
be loaded by dyld without code signature validation. This issue was
addressed by ignoring text relocation instructions.
CVE-ID
CVE-2014-1273 : evad3rs

FaceTime
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
access FaceTime contacts from the lock screen
Description:  FaceTime contacts on a locked device could be exposed
by making a failed FaceTime call from the lock screen. This issue was
addressed through improved handling of FaceTime calls.
CVE-ID
CVE-2014-1274

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of JPEG2000
images in PDF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1275 : Felix Groebert of the Google Security Team

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description:  An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed through additional
validation of JPEG files.
CVE-ID
CVE-2013-6629 : Michal Zalewski

IOKit HID Event
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may monitor on user actions in other
apps
Description:  An interface in IOKit framework allowed malicious apps
to monitor on user actions in other apps. This issue was addressed
through improved access control policies in the framework.
CVE-ID
CVE-2014-1276 : Min Zheng, Hui Xue, and Dr. Tao (Lenx) Wei of FireEye

iTunes Store
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A man-in-the-middle attacker may entice a user into
downloading a malicious app via Enterprise App Download
Description:  An attacker with a privileged network position could
spoof network communications to entice a user into downloading a
malicious app. This issue was mitigated by using SSL and prompting
the user during URL redirects.
CVE-ID
CVE-2014-1277 : Stefan Esser

Kernel
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description:  An out of bounds memory access issue existed in the ARM
ptmx_get_ioctl function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1278 : evad3rs

Office Viewer
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Opening a maliciously crafted Microsoft Word document may
lead to an unexpected application termination or arbitrary code
execution
Description:  A double free issue existed in the handling of
Microsoft Word documents. This issue was addressed through improved
memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team

Photos Backend
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Deleted images may still appear in the Photos app underneath
transparent images
Description:  Deleting an image from the asset library did not delete
cached versions of the image. This issue was addressed through
improved cache management.
CVE-ID
CVE-2014-1281 : Walter Hoelblinger of Hoelblinger.com, Morgan Adams,
Tom Pennington

Profiles
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A configuration profile may be hidden from the user
Description:  A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI. The
issue was addressed through improved handling of profile names.
CVE-ID
CVE-2014-1282 : Assaf Hefetz, Yair Amit and Adi Sharabani of Skycure

Safari
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  User credentials may be disclosed to an unexpected site via
autofill
Description:  Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame. This
issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5227 : Niklas Malmgren of Klarna AB

Settings - Accounts
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
disable Find My iPhone without entering an iCloud password
Description:  A state management issue existed in the handling of the
Find My iPhone state. This issue was addressed through improved
handling of Find My iPhone state.
CVE-ID
CVE-2014-1284

Springboard
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
see the home screen of the device even if the device has not been
activated
Description:  An unexpected application termination during activation
could cause the phone to show the home screen. The issue was
addressed through improved error handling during activation.
CVE-ID
CVE-2014-1285 : Roboboi99

SpringBoard Lock Screen
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A remote attacker may be able to cause the lock screen to
become unresponsive
Description:  A state management issue existed in the lock screen.
This issue was addressed through improved state management.
CVE-ID
CVE-2014-1286 : Bogdan Alecu of M-sec.net

TelephonyUI Framework
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A webpage could trigger a FaceTime audio call without user
interaction
Description:  Safari did not consult the user before launching
facetime-audio:// URLs. This issue was addressed with the addition of
a confirmation prompt.
CVE-ID
CVE-2013-6835 : Guillaume Ross

USB Host
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
cause arbitrary code execution in kernel mode
Description:  A memory corruption issue existed in the handling of
USB messages. This issue was addressed through additional validation
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group

Video Driver
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description:  A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd

WebKit
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222


Sysinternals Process Explorer v16.02, Process Monitor v3.1, PSExec v2.1 and Sigcheck v2.03 update, (Mon, Mar 10th)

Latest Alerts - Mon, 03/10/2014 - 11:18

Microsoft Sysinternals has updated Process Explorer v16.02, Process Monitor v3.1, PsExec v2.1 and Sigcheck v2.03:

Process Explorer v16.02: This minor update adds a refresh button to the thread’s stack dialog and ensures that the Virus Total terms of agreement dialog box remains above the main Process Explorer window.

Process Monitor v.3.1: This release adds registry create file disposition (create vs open) and a new switch, /saveapplyfilter, which has Process Monitor apply the current filter to the output file as it saves it.

PSExec v2.1: This update to PsExec, a command-line utility that enables you to execute programs on remote systems without preinstalling an agent, encrypts all communication between local and remote systems, including the transmission of command information such as the user name and password under which the remote program executes.

Sigcheck v2.03: This version corrects a bug that caused the output of the –u switch to include signed files, and fixes several other minor bugs.

http://blogs.technet.com/b/sysinternals/archive/2014/03/07/updates-process-explorer-v16-02-process-monitor-v3-1-psexec-v2-1-sigcheck-v2-03.aspx

 

 


ISC StormCast for Monday, March 10th 2014 http://isc.sans.edu/podcastdetail.html?id=3883, (Mon, Mar 10th)

Latest Alerts - Sun, 03/09/2014 - 21:08

Microsoft March Patch Pre-Announcement, (Sat, Mar 8th)

Latest Alerts - Sat, 03/08/2014 - 05:23

Microsoft released its pre-announcement for the upcoming Patch Tuesday. The summary indicates a total of 5 bulletins: 2 are Critical with remote code execution and 3 are Important with a mix of security feature bypass and elevation of privilege. The announcement is available here [1].

Reminder

The last Patch Tuesday for both Windows XP (SP3) and Office 2003 is next month, April 8, 2014 [2][3][4]. This means that any new vulnerabilities discovered in Windows XP or Office 2003 after their "end of life" will no longer be addressed by new security updates from Microsoft. It is now time to upgrade to Windows 7 or 8. ISC has a poll going titled "The end of XP is looming, where are you at?" [5].

[1] http://technet.microsoft.com/en-us/security/bulletin/ms14-mar
[2] http://blogs.technet.com/b/kdean/archive/2014/01/12/windows-xp-end-of-life-amp-support-options.aspx
[3] http://blogs.technet.com/b/security/archive/2013/04/09/the-countdown-begins-support-for-windows-xp-ends-on-april-8-2014.aspx
[4] http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx
[5] https://isc.sans.edu/poll.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Wireshark Security Updates - 1.10.6 & 1.8.13 and http://www.wireshark.org/download.html, (Sat, Mar 8th)

Latest Alerts - Fri, 03/07/2014 - 17:59

----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Apple IOS Security Whitepaper http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf, (Fri, Mar 7th)

Latest Alerts - Fri, 03/07/2014 - 12:45

PHP 5.4.26 and 5.5.10 available. Several Security Fixes @ : http://www.php.net/downloads.php, (Fri, Mar 7th)

Latest Alerts - Fri, 03/07/2014 - 05:17

PHP 5.4.26 and 5.5.10 available. Several Security Fixes @ : http://www.php.net/downloads.php

 

--

Tom Webb


Linux Memory Dump with Rekall, (Fri, Mar 7th)

Latest Alerts - Thu, 03/06/2014 - 17:58

Memory dumping for incident response is nothing new, but ever since they locked down access to direct memory (/dev/mem) on Linux, I’ve had bad experiences dumping memory.  I usually end up crashing the server about 60 percent of the time while collecting data with Fmem.

 

A new version of the Linux memory dumping utility rekall (previously called Winpmem) has recently come out. I've been testing it on the latest versions of Ubuntu and Redhat EL 5 and have not run into any issues with collection.

 

If you are fortunate enough to have an environment where you have groups of servers with the same patch levels, you should run the following steps on a non-compromised server. Additionally, if the compromised system is a VM, you can clone it and perform these actions on the clone. Make sure you collect all other volatile data (MAC times, lsof, ps, etc.) before you dump memory, as this may still cause instability on the system and you do not want to lose this data.

 

Preparing for collection

Install Linux Kernel Headers

Ubuntu

>sudo apt-get install linux-headers-server zip

CentOS/Redhat

>yum install kernel-headers gcc

Download and Compile rekall

When you run the makefile, it will automatically create part of the profile for the server. This will need to be copied off the server for analysis.

>wget http://downloads.rekall.googlecode.com/git/Linux/linux_pmem_1.0RC1.tgz

>tar -zxvf linux_pmem_1.0RC1.tgz

>cd linux

>make

Note: For Redhat/CentOS systems you will need to adjust the Makefile KHEADER variable.

Copy the profile file that make produced (the zip named after the kernel version, such as 3.5.0-45-generic.zip below) to your Volatility analysis machine under your Volatility directory /plugins/overlays/linux/.

Load the Kernel Driver

>sudo insmod pmem.ko

>sudo lsmod |grep pmem

pmem                   12680  0

Collect Memory

Now that the driver is loaded, a new device, /dev/pmem, is accessible. We want to copy the memory to an external device or share.

#Items in {} need to be changed per incident to be useful for analysis

>dcfldd if=/dev/pmem bs=512 conv=noerror,sync of=/{USBDRIVE}/mount/{servername.date}.memory.dd hash=md5,sha256 hashlog=/{USBDRIVE}/{servername.date}.memory.dd-hash.log

Unload driver

>sudo rmmod pmem.ko
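The acquisition step above relies on three dcfldd behaviours (copying in 512-byte blocks, conv=noerror,sync to survive unreadable blocks without shifting offsets, and the md5/sha256 hash log written next to the image) and on checking that log once the image reaches the analysis workstation. The following Python model is an added example, not code from this diary or from the dcfldd or Rekall projects: it imitates those flags on an ordinary file standing in for /dev/pmem (the fake device, its 1000-byte contents and the image name are constructed) and then performs the verification that the collection procedure implies but does not spell out.

```python
# Added example (not from the ISC diary): a small model of
#   dcfldd if=<dev> bs=512 conv=noerror,sync hash=md5,sha256 hashlog=<log>
# followed by the integrity check run on the analysis workstation.
import hashlib
import os
import tempfile

BLOCK_SIZE = 512


def acquire(src_path, out_path, block_size=BLOCK_SIZE):
    """Copy src_path to out_path block by block and write "<out_path>-hash.log".

    noerror: a block that fails to read is counted and skipped instead of
             aborting the whole acquisition.
    sync:    every output block is exactly block_size bytes; short or failed
             reads are padded with NUL bytes so offsets in the image still
             line up with offsets in the source.
    Both digests are computed over the bytes actually written.
    Returns (bytes_written, read_errors).
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    written = errors = 0
    with open(src_path, "rb", buffering=0) as src, open(out_path, "wb") as out:
        while True:
            try:
                block = src.read(block_size)
                if not block:
                    break  # clean end of input
            except OSError:
                errors += 1          # noerror: keep going
                block = b""          # sync: this block becomes all zeros
                try:
                    src.seek(block_size, os.SEEK_CUR)
                except OSError:
                    break
            block = block.ljust(block_size, b"\x00")  # sync padding
            out.write(block)
            md5.update(block)
            sha256.update(block)
            written += len(block)
    with open(out_path + "-hash.log", "w") as log:
        log.write("md5 %s\n" % md5.hexdigest())
        log.write("sha256 %s\n" % sha256.hexdigest())
    return written, errors


def verify(image_path, log_path):
    """Recompute both digests over the copied image and compare with the log.

    Returns True only if every algorithm in the log matches, so a truncated
    or altered copy is rejected before any analysis starts.
    """
    expected = {}
    with open(log_path) as log:
        for line in log:
            algo, _, digest = line.strip().partition(" ")
            expected[algo] = digest
    hashes = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    with open(image_path, "rb") as img:
        for chunk in iter(lambda: img.read(1 << 16), b""):
            for h in hashes.values():
                h.update(chunk)
    return all(hashes[a].hexdigest() == expected.get(a) for a in hashes)


def run_demo():
    """Constructed demonstration: image a 1000-byte fake 'device' (not a real
    /dev/pmem), verify the copy, then damage the copy and verify again."""
    workdir = tempfile.mkdtemp(prefix="pmem-demo-")
    src = os.path.join(workdir, "fakedev")
    with open(src, "wb") as f:
        f.write(b"A" * 1000)  # constructed contents; not a multiple of 512
    image = os.path.join(workdir, "server.2014-03-06.memory.dd")  # constructed name
    written, errors = acquire(src, image)           # 1000 bytes -> two padded blocks
    intact = verify(image, image + "-hash.log")
    with open(image, "ab") as f:
        f.write(b"\x00")  # simulate a copy that was altered in transit
    tampered_ok = verify(image, image + "-hash.log")
    return {"written": written, "errors": errors,
            "intact": intact, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(run_demo())
```

Running the script reports that the two-block image was written with no read errors, passes verification, and fails it after a single appended byte; the real acquisition still uses dcfldd as shown above, the model only makes visible why the hash log travels with the image.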

Analysis using Rekall

Now that collection is completed, we need to be able to examine the memory dump. Copy the memory image to your analysis workstation.

Install Rekall

>sudo apt-get install python-pip python-dev

>sudo pip install rekall

Build Rekall Profile

We now need to create a profile that will work with Rekall. Convert the file that was copied from the server and name it something useful for future analysis.

>rekal.py convert_profile 3.5.0-45-generic.zip Ubuntu3.5.0-45-generic.zip

>rekal.py --profile ./Ubuntu3.5.0-45-generic.zip -f /media/mem.dd  pslist

To enter the interactive shell, run rekal.py without a plugin name on the command line:

>rekal.py --profile ./Ubuntu3.5.0-45-generic.zip -f /media/mem.dd

To list the available plugins, use the interactive shell:

>rekal.py info[tab][tab]

plugins.arp              plugins.check_idt        plugins.convert_profile  plugins.dwarfparser      plugins.info             plugins.lsof             plugins.null             plugins.psaux            plugins.vmscan

plugins.banner           plugins.check_modules    plugins.cpuinfo          plugins.fetch_pdb

…

To get more information about a specific plugin, append a ? to the plugin name at the interactive prompt:

mem 12:38:31>plugins.pslist?

Some of the more useful plugins are:

  • plugins.bash - searches for bash history

  • plugins.check_modules - lists loaded modules

  • plugins.dmesg - gathers the dmesg buffer

  • plugins.lsof

  • plugins.netstat

  • plugins.pslist

Optional (If you want to use Volatility for analysis)

I haven't spent much time on this, but Volatility will not be able to use the Rekall default profile. You also have to do the steps below to read the memory dump with Volatility. I'm guessing only a small change in the file is needed, but I have not dug any deeper at this time.

>sudo apt-get install dwarfdump

>wget  https://volatility.googlecode.com/files/volatility-2.3.1.tar.gz

>tar -zxvf volatility-2.3.1.tar.gz

>cd volatility-2.3.1/tools/linux

>make

>zip Ubuntu{Kernel ver}.zip ./module.dwarf  /boot/System.map-`uname -r`

For more information on Rekall

http://docs.rekall.googlecode.com/git/tutorial.html

For more info on Volatility Linux analysis

https://code.google.com/p/volatility/wiki/LinuxMemoryForensics

--

Tom Webb


ISC StormCast for Friday, March 7th 2014 http://isc.sans.edu/podcastdetail.html?id=3881, (Fri, Mar 7th)

Latest Alerts - Thu, 03/06/2014 - 17:09

Port 5000 traffic and snort signature, (Thu, Mar 6th)

Latest Alerts - Thu, 03/06/2014 - 07:59

ISC Reader James Lay has captured the mysterious port 5000 traffic and provided us with a copy of the packets and a Snort signature. Thanks James! You're awesome!

The traffic is scanning TCP port 5000.  After establishing a connection it sends "GET /webman/info.cgi?host='" 

This appears to be a scan for Synology DiskStation Manager installations that are vulnerable to a remote code execution exploit published in October 2013. There is currently a Metasploit module available for the vulnerability.

Thanks to James for the following snort signature.

alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"SERVER-WEBAPP Synology DiskStation Manager Reflected XSS attempt over UPnP"; flow:to_server,established; content:"/webman/info.cgi|3f|host="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, reference:url,www.scip.ch/en/?vuldb.10255; classtype:attempted-admin; sid:10000130; rev:1;)
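Before deploying a rule like this it is worth checking its content match against the captured request by hand. The helper below is an added example, neither James Lay's nor part of Snort: it decodes the rule's content string (Snort's |3f| hex notation stands for the '?' character) and applies it to a few constructed request lines. The sample requests, the request_uri() helper standing in for Snort's http_uri buffer, and the nocase flag are assumptions made for illustration, not anything taken from the diary.

```python
# Added example (not from the ISC diary or from Snort): decode the content:
# option of the signature above and test it against constructed request lines.

RULE_CONTENT = "/webman/info.cgi|3f|host="  # the content: option from the rule above

SAMPLE_REQUESTS = [  # constructed request lines, not the captured packets
    "GET /webman/info.cgi?host=' HTTP/1.1",   # the request the diary describes
    "GET /webman/index.cgi HTTP/1.1",         # benign-looking request on the same path prefix
    "GET /webman/info.cgi?HOST=' HTTP/1.1",   # same request with a different case
]


def decode_snort_content(content):
    """Turn a Snort content string into bytes.

    Text outside |...| is taken literally; text inside is hex bytes, so
    "/webman/info.cgi|3f|host=" becomes b"/webman/info.cgi?host=".
    """
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal segment
        else:
            out += bytes.fromhex(part)      # hex segment between the pipes
    return bytes(out)


def request_uri(request_line):
    """Crude stand-in (assumption) for Snort's http_uri buffer: the second
    space-separated token of the request line."""
    parts = request_line.split(" ")
    return parts[1].encode("latin-1") if len(parts) >= 2 else b""


def matches(request_line, content=RULE_CONTENT, nocase=False):
    """True if the decoded content occurs in the request URI.

    The signature above carries no nocase modifier, so the default here is a
    case-sensitive comparison, matching what the rule as written does.
    """
    needle = decode_snort_content(content)
    haystack = request_uri(request_line)
    if nocase:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


def scan(requests=SAMPLE_REQUESTS):
    """Return the request lines the rule's content match would fire on."""
    return [r for r in requests if matches(r)]


if __name__ == "__main__":
    for line in scan():
        print("match:", line)
```

With the samples above only the first request line matches; the third shows that the match is case-sensitive because the rule has no nocase modifier, which is a tuning decision to make consciously when the rule is deployed.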

Follow me on Twitter: @markbaggett

There are a couple of chances to sign up for the SANS Python programming course. The course starts from the very beginning, assuming you don't know anything about programming or Python. The course is self-paced learning and we cover the essentials before we start building tools you can use in your next security engagement. You will love it!! Join me for Python for Penetration Testers in Reston VA March 17-21 or at SANSFire in Baltimore June 23-27.

http://www.sans.org/event/northern-virginia-2014/course/python-for-pen-testers

http://www.sans.org/event/sansfire-2014/course/python-for-pen-testers