Public exploit code?
Yesterday Microsoft posted this update to their blog on the MSRC. Microsoft says that there is currently no public exploit code available. The code mentioned that causes a denial of service attack was the code posted on Milw0rm I believe. The only working code released was from Immunity CANVAS and Core Impact if you are a paying customer. Core Impact does mention that the exploit is in early release and may contain bugs or limited functionality (not 100% reliable).

Gimmiv.A – Is it a worm or a trojan?
Don’t let the thought cross your mind that you can perhaps delay patching your systems because public exploit code is not working/available! You still need to patch as there is malware that is currently out in the wild (Gimmiv.A) being used in “targeted” attacks. Whether or not this is a trojan or a worm is up for debate. Microsoft says this is not a worm but a trojan. However, other researchers are saying that this is worm because of the way it attacks other hosts on a network via RPC. I guess you could call it a “network-aware” trojan as ThreatExpert mentions. Either way, malware authors are most likely developing more powerful payloads as I write this.

As a final reminder we all know based on past history with RPC vulnerabilities…reliable public exploit code will be out before you know it! Make sure you take your patching seriously…

UPDATE: If you follow HD Moore on Twitter you will see that he has just released MS08-067 PoC code for Metasploit.

If you haven’t patched your DNS yet…do it now! Check here for more information and here to check your DNS servers to see if they are vulnerable. If your ISP’s DNS is still vulnerable…change your DNS servers to use OpenDNS!

“Let’s try again to convince Bob that WWW.VICTIM.COM is 6.6.6.0.

This time though, instead of getting Bob to look up WWW.VICTIM.COM and then beating Alice in the race, or getting Bob to look up WWW.EVIL.COM and slipping strychnine into his ham sandwich, we’re going to be clever (sneaky).

Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But Mallory has another trick up her sleeve. Because her response didn’t just say CXOPQ.VICTIM.COM was 6.6.6.0. It also contained Additional RRs pointing WWW.VICTIM.COM to 6.6.6.0. Those records are in-bailiwick: Bob is in fact interested in VICTIM.COM for this query. Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2. Mallory can conduct this attack in less than 10 seconds on a fast Internet link.”

Meanwhile, Dan Kaminsky posted the following on his blog:

“Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have.”

This might imply that Matasano has the goods…I hope everyone is patched out there! Things are about to get interesting!

EDIT: Thomas over at Matasano has issued a public apology about the post in question.

Oh yeah..Dan has a cool “DNS Checker” on his web site where you can test your own DNS servers to see if they are vulnerable.

Several weeks ago I was looking for an online schedule of events at one of the local community centers where I live so I did what anyone would do and typed in the URL of the city’s web site into my browser, but without typing “www” first. The actual URL starts with “www” but many times just by typing the URL without “www” will take you to the web site. So to my surprise instead of getting the main index page of the city’s web site I get a web form prompting for login credentials to what looked like an HVAC system attached to the Internet! The header of the page had some information about a system version so I did what any other security guy would do and launched a Google search to find out more details about this system. Yep, it was an HVAC system alright. So I thought no big deal right….out of curiosity I hit the ‘enter’ key thinking that there was no way that there was an anonymous login on this baby…low and behold, it logged me in! I was able to view the HVAC system configuration and potentially manage the HVAC for not only the community center but the city hall and other facilities. Looked like I could have caused some mischievous outages like changing the temperatures and even shutting down the HVAC system. At this point many scenarios entered my head, including why someone would put an HVAC system that should be on the company “Intranet” on the “Internet” with an anonymous administrator level account…nahh…I’m a pen tester so this isn’t shocking to me at all!

Being the ethical person that I am I emailed the city that manages this domain letting them know of the issue…today a received an email that said they were looking into the issue and it should be resolved shortly. So here are the questions. What would you have done (put your non-evil hat on please…yes, methodically messing with the temperature in the mayors office would be a blast…)? Do you just forget that you stumbled upon this vulnerability or do you believe in more of a full disclosure policy to the people running the web site? In talking to some others…attempting to contact the site owners is the best option (which I agree with) yet some others may take a different approach. Some “grey-hat” hackers might even resort to causing havoc with the HVAC system just to prove a point, then disclose the vulnerability the right way. Thoughts from the community?

I won’t go into all the details since every other security blogger on earth is covering it….however, as a reminder this issue is pretty serious if you had generated any keys on affected Debian or Ubuntu systems. The best summary I have found of the issue with links to all the “toys” that have come out to attack this vulnerability are on HD Moore’s web site. Here is a summary from HD:

“All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected. In the case of SSL keys, all generated certificates will be need to recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerabile system. Any tools that relied on OpenSSL’s PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system.“

Ugly vulnerability is right for an OS that changes you….

For those of you using phpBB2 (which last I checked was still one of the most popular open source forum software out there), you had better start to think about upgrading to the latest version, phpBB3 “Olympus”.

I have always had a love/hate relationship with phpBB…it has been the most popular target for attackers in the last couple years in terms of forum hacking so as a webmaster you really needed to keep up with phpBB security patches. There were some rather serious vulnerabilities discovered multiple times over the years so I am not sad to see the 2.0 branch bite the dust. It almost reminds me of how WordPress is being targeted because of it’s recent surge in popularity right now. Anyway, it is good to see the phpBB development team taking secure coding much more seriously with the new version 3.0.

Breaking News!

90% of all Windows machines are vulnerable to Adobe Flash vulnerabilities…(not really breaking news by any means for security professionals, right?). But for the average home user I certainly hope it is. You see articles all the time talking about the latest client-side vulnerabilities and usually they are just talking about one specific vulnerability. What about all the other client-side software that users fail to either patch or keep up-to-date. Shall I give you examples besides Adobe Flash? How’s this for starters?

Internet Explorer, Firefox, Opera, Skype, Windows Media Player, Quicktime, Adobe Reader, Java, Microsoft Office…the list goes on and on.

The scary thing is that the “average” user really has no clue on why this software should be updated and patched- even when they are prompted by the application to “Update me now!”. Most users will just click “cancel” and go about their business…and if their business includes checking their email, lets not hope there is a malicious PDF waiting for them in their inbox…or a link taking them to the latest Excel exploit. This is currently the most popular attack vector right now and until either applications get smarter about how they update themselves, programmers learn secure coding practices, and users become security aware, these types of attacks will “keep on coming”. Oh, and don’t forget about 0day vulnerabilities like the ones discovered in the pwn to own contest at CanSecWest.

Microsoft says that “there are a number of factors that make exploitation of this issue difficult and unlikely in real-world conditions”. However, researchers over at Immunity Inc. (these are the guys that make CANVAS, an automated pen testing product) demonstrated how this vulnerability could be exploited via this flash demo. Immunity only has released the exploit to it’s customers of the CANVAS product and admits that the exploit is not 100% reliable…yet. Now that everyone knows that an exploit is “possible”, it’s only a matter of time before someone releases working, reliable exploit code in the wild. Patch now!

Once again SANS has released it’s “Top 20″ security risks for 2007. This is always a good report and I recommend all security professionals read it. This year they give highlight to two increasing attack vectors, users who are easily misled (aka: Social Engineering) and custom built web applications.

Either of these should be of no surprise. I know I have seen a major increase over the last year in “spear phishing” types of targeted attacks in my organization as well as your typical PayPal and Ebay phishes. Until users become more security aware I am not sure how this will decrease. All an attacker needs to do is get a user to click a link or visit a web site and it’s pretty much game over!

Custom built web applications is not a huge surprise either. Most of the time internal developers are not using secure coding practices and usually have no idea their applications are even vulnerable to simple things like SQL injections. Again, it all starts with education and making users and developers more security aware.

Two scenarios they mention highlight this risk. From the executive overview:

“Scenario 1: The Chief Information Security Officer of a medium sized, but sensitive, federal agency learned that his computer was sending data to computers in China. He had been the victim of a new type of spear phishing attack highlighted in this year’s Top 20. Once they got inside, the attackers had freedom of action to use his personal computer as a tunnel into his agencys systems.”

and

“Scenario 3. A hospitals Web site was compromised because a Web developer made a programming error. Sensitive patient records were taken. When the criminals proved they had the data, the hospital had to choose between paying extortion or allowing their patients health records to be spread all over the Internet.”

You can read the entire 2007 SANS Top 20 article here.

Attacks exploiting RealPlayer zero-day in progress

Security Focus BID here.

Patch located here.

If you haven’t already..as a reminder stop using IE and use Firefox or another non-ActiveX browser. You may also want to disable ActiveX even if you don’t use IE on your Windows PC to mitigate the potential risk of future exploits.

According to the Adobe Security Advisory, your machine is vulnerable if you have:

* Adobe Reader 8.1 and earlier OR Adobe Acrobat 8.1 and earlier
* Windows XP
* Internet Explorer 7

Javacool Software has a nice little tool that implements the workaround mentioned in the Adobe security advisory here.

Cross-site scripting the top security risk – Network World

- Windows XP: Make sure you are on XP Service Pack 2. SP2 is not vulnerable. Or, disable HTTP1.1 functionality.

- Windows 2000 IE SP1: Disable HTTP1.1 functionality or better yet, upgrade to XP w/SP2.

Hopefully Microsoft releases a patch for the patch soon!

SecuriTeam – MS06-042 Related Internet Explorer ‘Crash’ is Exploitable

“Despite SecureWorks being quoted saying the Mac is threatened by the exploit demonstrated at Black Hat, they have provided no evidence that in fact it is,” Apple Director of Mac PR, Lynn Fox, told Macworld. “To the contrary, the SecureWorks demonstration used a third party USB 802.11 device–not the 802.11 hardware in the Mac–a device which uses a different chip and different software drivers than those on the Mac. Further, SecureWorks has not shared or demonstrated any code in relation to the Black Hat-demonstrated exploit that is relevant to the hardware and software that we ship.”

So much for credibility huh?

Macworld: News: MacBook Wi-Fi hack didn’t use Apple drivers

- Lookout for laptops coming back into your internal network. Telecommuters that VPN in from home then come back to the corporate network could be vulnerable if not patched.

- Outgoing traffic to 18067/TCP bniu.househot.com, ypgw.walloan.com.

- Outgoing traffic to port 445/TCP (scans could be internal and external) looking for computers to infect.

- Anti-virus vendors may not be up-to-date with definitions so patching is your best defense right now.

Network Security | IT Security | Vulnerability Assessment | Intrusion Prevention

Slashdot | Microsoft Bracing for Worm Attack

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System

Note: Even though this article says Windows SP2 can block this…patching should still occur regardless!

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System

Hack a MacBook in 60 seconds?

Yep, it’s true…imagine what could happen if this type of exploit got out in the wild? FSecure also notes that the patch for Centrino laptops is only a mere 129mb!

Hack a Mac in 60 seconds