Commercial Grade Exploit Released for CVE-2011-0073 in Mozilla Firefox

White Phosphorus Exploit Pack version 1.12 for Immunity CANVAS now includes an exploit for CVE-2011-0073 in Mozilla Firefox versions 3.6.0 through to 3.6.16.

According to the vendor for White Phosphorus:

This module bypasses DEP and ASLR on anything from Windows XP through to Windows 7 to reliably provide a Mosdef node back to you.

(MOSDEF is Immunity CANVAS’ proprietary shell, like Meterpreter for Metasploit).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0073
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0073
http://blog.sharpesecurity.com/2011/04/29/mozilla-firefox-4-0-1-3-6-11-and-3-5-19-released/

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Upcoming Security Changes for Android Market

Hopefully, from a security perspective, Google will move their Android market to more of the walled garden similar to Apple’s App Store. The developer and application vetting that Apple does seems to be working reasonably well in practice. The first reference link below is a statement from Google announcing some upcoming changes they intend to make to the Android Market due to recent problems (DroidDream) with malicious content being posted. Google has already removed those applications (putting REMOVE_ASSET to good use). And interestingly we see a beneficial use of INSTALL_ASSET, where Google used that facility to … Continue Reading

Exploit Released for JBoss CVE-2010-0738 Vulnerability

An exploit is now publicly available for remote JBoss vulnerability CVE-2010-0738.

References:
https://access.redhat.com/kb/docs/DOC-30741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0738
http://www.exploit-db.com/exploits/16274/

Commercial Root Exploit Exists for Google Android 2.2

If you support Google Android in your organization, you might want to consider disallowing (e.g. through Good Technologies or by Exchange ActiveSync reporting) Android versions 2.2 and below until those units can be upgraded. Why? There is now commercially available (Immunity CANVAS) exploit code to gain root access to Android 2.2.

This attack against Android 2.2 is a two-step process. The first step takes advantage of an Android WebKit CSS rule deletion vulnerability, and the second step leverages that access to use a privilege escalation vulnerability to gain root access to the device.

Android 2.3 isn’t affected.

email: david @ sharpesecurity.com
website: … Continue Reading

IBM Lotus Notes and Domino Patches Released

IBM has released a series of patches for their Lotus Notes and Domino products. Please note that one of the Domino vulnerabilities (Lotus Domino diiop overflow) is remotely exploitable and a commercial-grade exploit exists.

References:
http://www-01.ibm.com/support/docview.wss?uid=swg21461514

IBM DB2 Administration Server Remote Vulnerability Fixed

IBM has released a fix for a buffer overflow vulnerability in their DB2 Administration Server (DAS) system.

The following versions are vulnerable:
DB2 9.1 prior to Fix Pack 10
DB2 9.5 prior to Fix Pack 6
DB2 9.7 prior to Fix Pack 3

UPDATE 11 Feb 2011 – Commercial exploit code now exists for this.

References:
[9.1] – https://www-304.ibm.com/support/docview.wss?uid=swg1IC69986
[9.5] – https://www-304.ibm.com/support/docview.wss?uid=swg1IC70538
[9.7] – https://www-304.ibm.com/support/docview.wss?uid=swg1IC70539

Two Things Not Patched in the January 2011 Microsoft Patch Bundle

Next week’s January 2011 Microsoft patches will NOT include a fix for two of the known, currently exploited vulnerabilities in Internet Explorer. One is CVE-2010-3971 and the other is described at http://www.microsoft.com/technet/security/advisory/2488013.mspx. So if your IPS vendor provides detection, you might want to consider getting the associated filters in place if possible.

References:
http://www.microsoft.com/technet/security/advisory/2488013.mspx
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3971

Exploit Released for Unpatched Vuln in TRACE MODE Data Center SCADA System

An exploit (Agora Pack version 1.22 for Immunity CANVAS) has been released for an as yet unpatched vulnerability in the TRACE MODE Data Center SCADA management system.

References:
http://www.tracemode.com/products/runtime/scada/DataCenter/
http://gleg.net/agora.shtml

Unpatched Vulnerability in IE6, 7, and 8

Microsoft has acknowledged that there is an unpatched security vulnerability affecting Internet Explorer versions 6, 7, and 8. The problem has to do with how IE processes CSS. Exploit code is publicly available. Until Microsoft makes a patch available, there is little else to do except press your IPS vendors for a filter and your antivirus vendors for detection.

References:
http://www.microsoft.com/technet/security/advisory/2488013.mspx
http://blogs.technet.com/b/msrc/archive/2010/12/22/microsoft-releases-security-advisory-2488013.aspx

Microsoft IIS FTP Server Vulnerability

A vulnerability in Microsoft’s IIS FTP server has been reported. IIS version 7.5 is vulnerable. It is unknown at this point if other IIS versions are affected. No patch is available yet. Exploit code is publicly available, but it results in a denial of service condition only at this point. Microsoft indicates that remote code execution is unlikely. The IIS FTP service is not installed by default.

References:
http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx
http://www.securityfocus.com/bid/45542

Novell iPrint Remotely Exploitable Vulnerabilities Announced

Multiple remotely exploitable vulnerabilities have been reported in Novell’s iPrint Client. As of this writing (09 Dec 2010), Novell hasn’t released any patches.

References:
http://www.novell.com/support/viewContent.do?externalId=7007342
http://www.novell.com/support/viewContent.do?externalId=7007343
http://www.novell.com/support/viewContent.do?externalId=7007344
http://www.novell.com/support/viewContent.do?externalId=7007345
http://www.novell.com/support/viewContent.do?externalId=7007346

Exim Remote Exploit Detected

A remotely exploitable vulnerability in Exim has been detected. This article will be updated as soon as a fix has been released.

UPDATED 10 Dec 2010 to add two reference links regarding the problem. No permanent fix is available right now.

UPDATE 13 Dec 2010 – The Exim development team is saying that only Exim versions 4.69 and below are affected. Exim 4.70 was released in November 2009, and the current latest available version is 4.72 (released June 2010).

References:
http://www.exim.org/
http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html
http://lists.exim.org/lurker/message/20101210.164935.385e04d0.en.html

Disabling Windows Autorun in Real World Enterprise Environments

According to this report from Avast, 1 out of 8 pieces of malware has a USB autorun attack component associated with it. In my own malware reverse engineering work, I frequently see malware with the ability to spread through USB removable drives, the root of local drives, and writeable roots of network shares. The obvious mitigation for this problem is to disable Windows autorun where you can.

If you have been hesitant to disable Windows autorun throughout your enterprise for any reason, please consider that you can do so by device type. To be clear, completely disabling … Continue Reading
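As an added example (not code from the original post), the following PowerShell reads and sets the NoDriveTypeAutoRun policy value, which is the Windows control that switches autorun off per drive type; the function names and the particular set of drive classes chosen at the end are my own.

```powershell
# Added example: per-device-type autorun control via the NoDriveTypeAutoRun
# policy bitmask. Each set bit disables autorun for that drive class; the bit
# values follow the Windows GetDriveType() drive classes.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DriveBits = [ordered]@{
    Unknown   = 0x01
    NoRootDir = 0x02
    Removable = 0x04   # USB sticks and other removable media
    Fixed     = 0x08   # roots of local hard disks
    Network   = 0x10   # roots of mapped / network shares
    CDROM     = 0x20
    RAMDisk   = 0x40
    Reserved  = 0x80   # drive types not otherwise classified
}

function Get-AutorunPolicy {
    # Returns the current mask, or $null when the policy value is absent.
    $v = Get-ItemProperty -Path $PolicyPath -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return [int]$v.NoDriveTypeAutoRun
}

function Show-AutorunPolicy {
    # Decodes the mask so an admin can see which drive classes are covered.
    $mask = Get-AutorunPolicy
    if ($null -eq $mask) { Write-Output 'NoDriveTypeAutoRun not set (OS default applies)'; return }
    foreach ($name in $DriveBits.Keys) {
        $state = if (($mask -band $DriveBits[$name]) -ne 0) { 'DISABLED' } else { 'allowed' }
        Write-Output ('{0,-10} autorun {1}' -f $name, $state)
    }
}

function Set-AutorunPolicy {
    # $DisableFor takes names from $DriveBits, or 'All' for the full 0xFF mask.
    param([Parameter(Mandatory)][string[]]$DisableFor)
    $mask = 0
    foreach ($n in $DisableFor) {
        if ($n -eq 'All') { $mask = 0xFF; break }
        if (-not $DriveBits.Contains($n)) { throw "Unknown drive class: $n" }
        $mask = $mask -bor $DriveBits[$n]
    }
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name NoDriveTypeAutoRun -Value $mask -Type DWord
}

# Example rollout (my choice, not the post's): cover the three drive classes
# the post says malware spreads through, leaving CD-ROM for a later phase.
Set-AutorunPolicy -DisableFor Removable, Fixed, Network
Show-AutorunPolicy
```

The value is read by Explorer at logon, so a change takes effect after users log off and on again; the same value under the HKCU Policies\Explorer key applies per user instead of machine-wide.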

Exploit for Oracle Sun Java Vulnerability CVE-2010-3552 Released

An exploit for Oracle Sun Java vulnerability CVE-2010-3552 has been released. The CVE-2010-3552 vulnerability affects Oracle Sun JDK and JRE 6 Update 21 and earlier for Windows, Solaris, and Linux.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3552
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

New Vulns Used by Stuxnet Patched in Microsoft’s Sept 2010 Patches

Original article from Sept 2010:
According to this article by Symantec, it looks like the top countries affected by Stuxnet (by infection count) were Iran and some of its closest neighbors geographically. To me, it looks like an intelligence service lost a couple of arrows out of its quiver here. Microsoft is closing one of the vulnerabilities used by Stuxnet in the September 2010 Microsoft monthly patches.

The smart money is on the U.S. or Israel, but I guess the public storyline will never tell us for sure. Nation-state intelligence services cannot wait for a time of war to … Continue Reading

Exploit Released for CA ARCserve Backup Vulnerability

Both Metasploit and the D2 Exploitation Pack for Immunity CANVAS now contain working exploits for CVE-2007-3216 in the following software titles:

Computer Associates ARCserve Backup for Laptops and Desktops 11.0
Computer Associates ARCserve Backup for Laptops and Desktops 11.1
Computer Associates ARCserve Backup for Laptops and Desktops 11.1 SP1
Computer Associates ARCserve Backup for Laptops and Desktops 11.1 SP2
Computer Associates ARCserve Backup for Laptops and Desktops 11.5
Computer Associates Desktop Management Suite 11.1
Computer Associates Desktop Management Suite 11.2
Computer Associates Protection Suites r2

List of Currently Exploited Sun Java Vulnerabilities

The following is a list of Sun Java runtime vulnerabilities that have reliable exploits and are commonly found in today’s crimeware packs. This list is current for all publicly available crimeware packs as of 07 April 2011.

For organizations that cannot simply update all Sun Java runtime instances to the latest fully patched version available, this list can be used as a starting point to ensure that you have appropriate blocks configured in your IPS systems. If any of these aren’t enabled by default from your IPS vendor, you should consider adding those to your block/notify list.

Sun Java Calendar … Continue Reading

Handling Adobe Shockwave Player Vulnerability CVE-2010-3653

Exploit code now exists for Adobe Shockwave player vulnerability CVE-2010-3653. Adobe hasn’t released an update for us to deploy, and other than disabling the Adobe Shockwave player itself, there is no other known workaround. So for now we will have to use any IPS signatures we get to protect ourselves until Adobe releases a patched version of the Shockwave player.

References:
http://www.adobe.com/support/security/advisories/apsa10-04.html
http://threatpost.com/en_us/blogs/attack-code-published-adobe-shockwave-zero-day-102110
http://www.exploit-db.com/exploits/15296/

Lenovo’s www.lenovoservicetraining.com Training Site Spreading Malware

Lenovo’s www.lenovoservicetraining.com service and support training site was detected spreading malware recently. Hopefully none of your desktop support people were affected by this. The site appears to be clean now. See the link below for details.

References:
http://www.h-online.com/security/news/item/Trojan-trouble-at-Lenovo-1110581.html

Recent VBmania Mass Mailer Malware Deleted the Windows Automatic Updates Service

It looks like the recent VBmania (“Here You Have” and “Just for You”) mass mailer malware deleted the Automatic Updates service from infected machines. Microsoft Automatic Updates, WSUS, and SCCM-integrated WSUS need the Automatic Updates service working to successfully install monthly Microsoft patches and other updates. It looks like reinstalling the Automatic Updates service fixes the damage on affected machines. Your antivirus tool won’t restore this broken configuration for you. You will need to do that as a follow-up activity after the initial infections have been removed. A quick way to tell if a machine lost its Automatic Updates … Continue Reading

Back to School Special on Fake AV

Emails were found circulating yesterday masquerading as school parking permit receipts. Below is an example:

Parking Permit and/or Benefit Card Order Receipt – 396521
Parking Permit and/or Benefit Card Receipt for Date: Wed, 25 Aug 2010 16:43:59 +0200
Grossmont-Cuyamaca Community College District
Your Credit Card has been charged $40.00. “GROSSMONT-CUYA PARKING” will appear on your credit card statement. A summary of the contents of your order are shown below. Please note that each item will be mailed individually.
————————————————————————
Order # Description Amount
————————————————————————
0GU843621 Student Fall Permit … Continue Reading

Dell Confirms Malware in Some PowerEdge Motherboard Firmware

Dell confirms malware is present in the firmware in some PowerEdge motherboards. No further details are available at this time beyond what is in the link below. If someone has a copy of the problematic firmware image and can send that to me, I will reverse the malware and post the results here. My contact information is below.

References:
http://en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

New USB Threat – Link Files

According to this article, there appears to be a newly discovered threat affecting Windows 7 from USB devices NOT related to autorun or autoplay. This one has to do with viewing .LNK files through the Windows GUI. The major AV companies already have samples and are releasing definitions for the known variants. For example, Symantec detects the malware as W32.Temphid and released that detection on 13 July 2010.

References:
http://anti-virus.by/en/tempo.shtml
http://en.securitylab.ru/viruses/395815.php

Preparing for Apple Mac Malware

This SANS ISC article (http://isc.sans.org/diary.html?storyid=8890) got me thinking again about the reality of Mac malware. What are people using for AV scanning of Mac executables at their web and mail gateways? As Macs increasingly make their way into the enterprise and Apple continues to improve its market share, I assume that eventually we will need to supplement host-based AV scanning on the Macs with gateway-based AV defensive layers – just like we did to protect our Windows endpoints. What should we block at the web and email gateway … Continue Reading

Impact of SSDT Argument Substitution Attacks (KHOBE)

A report was released recently describing “SSDT Argument Substitution Attacks” against certain Windows endpoint security products. The original report can be found at: http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php

In a nutshell, this problem seems to fall under Law #1 of the 10 Immutable Laws of Security (http://technet.microsoft.com/en-us/library/cc722487.aspx): “If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.”

Of the security product vendors that have issued responses to this report so far, I believe this law is a recurring theme in their replies. If a KHOBE attack has gotten … Continue Reading

Exploit Code Published for MS10-020 (KB980232)

Exploit code for MS10-020 (KB980232) has been published here. Please read http://sharpesecurity.blogspot.com/2010/04/problems-with-microsoft-april-2010.html for all known issues with patching MS10-020, paying special attention to the information about MS10-020 and Cisco WAAS-related issues if you use that technology in your environment.

You Really, Really Should Upgrade Adobe Reader

I am analyzing a Windows RAM dump now where a machine running a version of Adobe Reader that is long off vendor support – version 6.x – got compromised by navigating to a website serving up malicious PDF content from an installation of the YES Exploit Kit. Many of the commonly available commercial exploit toolkits include robust and reliable working exploits for unpatched Adobe Reader util.printf, Collab.collectEmailInfo, and Collab.getIcon vulnerabilities. Soon I will translate a number of the top exploit kits’ exploit lists to English and publish those here to back up my point. For now … Continue Reading
