Latest Alerts

Syndicate content SANS Internet Storm Center, InfoCON: green
Updated: 34 min 33 sec ago

Beware of Phishing and Spam Super Bowl Fans!, (Sat, Jan 31st)

Fri, 01/30/2015 - 20:43

Beware of Super Bowl spam that may come to your email inbox this weekend. The big game is Sunday and the spam and phishing emails are pouring in complete with helpful links - back-ended by malware and/or credential harvesting of course.

Its worth a reminder friends and family if they see any emails about the Super Bowl that appears to be too good to be true to simply delete it. Be safe!


[1] http://www.google.com/safebrowsing/diagnostic?site=http://www.yoursuperbowlspace.com/torn/pigmentations/containments/papal/seen/bons.htm

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Friday, January 30th 2015 http://isc.sans.edu/podcastdetail.html?id=4335, (Fri, Jan 30th)

Thu, 01/29/2015 - 20:05
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Blindly confirming XXE, (Thu, Jan 29th)

Thu, 01/29/2015 - 10:43

Almost exactly a year ago I posted a diary called Is XXE the new SQLi? you can read it at https://isc.sans.edu/diary/Is+XXE+the+new+SQLi/17375. In last year, the things have not changed a lot regarding XXE vulnerabilities. They still seem to be popping up here and there, depending on how XML documents are consumed by server side applications.

Recently I had an interesting engagement where the server side web application consumed an XML document submitted by a user (through a web browser, in a POST HTTP request). Of course, whenever you see XML being used, you should always test for existence of XXE vulnerabilities since their impact can be quite serious check the original diary and can lead from Denial of Service attacks to disclosure of arbitrary files.

In this specific case, however, the problem was that while the application processed the submitted XML document, it never outputted anything from the document: the application would only echo back if processing was successful or not.

So the question that came in mind was on how to confirm if the target application was vulnerable to XXE or not? Sure, I could try to launch a DoS attack to see if it works or not, but since I was dealing with a semi-production system, this was not an option.

Almost like blind SQL injection

This case is very similar to blind SQL injection vulnerabilities: we can modify the input and while we cannot see the output directly, we can deduce what happened on the server side. Let">DocumentLayer
Document InternalID=1
DocumentPointerTest/DocumentPointer
/Document
/DocumentLayer

Of course, in the real test the XML document was much more complex and had some logic for the backend application ">DocumentPointer">!DOCTYPE DocumentLayer [
!ELEMENT DocumentLayer ANY
!ENTITY xxe Test ]
DocumentLayer
Document InternalID=1
DocumentPointer/DocumentPointer
/Document
/DocumentLayer

Simple! If this works, it means that we blindly confirmed that the XML processor on the server side used our reference to the xxe entity. Cool.
The next step is to see if we can use external entities. However, again, since we cannot see the results of the XXE injection, its not all that simple. To make things more complex, the backend server is behind a firewall that does not let this machine connect directly to anything on the Internet. This stops us from using a SYSTEM external entity with a URL supplied.

So is there any other way to confirm that external entities are supported? Probably yes there is one protocol that is almost always allowed, in one sense or another: DNS. In this particular case, this means that we can craft external entity which will resolve to a domain name that we control by checking DNS requests we can see if the entity was resolved correctly or not. In this case it does not matter if the backend server cannot access the Internet or not ">!DOCTYPE DocumentLayer [
!ELEMENT DocumentLayer ANY
!ENTITY xxe SYSTEM http://thisdomaindoesnotexist.infigo.hr/test.txt ]
DocumentLayer
Document InternalID=1
DocumentPointer/DocumentPointer
/Document
/DocumentLayer

While this document will not be processed correctly (remember, the DocumentPointer element must contain the text string Test), the reference will be resolved by the XML processor and by observing the DNS traffic on DNS servers for our domain we will see a request for the submitted domain which will allow us to confirm that XXEs are resolved by the target application.

So, to wrap things up we blindly confirmed the XXE vulnerability in the target application. While in this case our exploitation options are unfortunately limited only to DoS, it is worth noting that the vulnerability exists, and that its only a matter of time when it can be abused further, unless patched.

--
Bojan
@bojanz
INFIGO IS

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Thursday, January 29th 2015 http://isc.sans.edu/podcastdetail.html?id=4333, (Thu, Jan 29th)

Wed, 01/28/2015 - 19:34
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Adobe Flash Update Available for CVE-2015-0311 & -0312, (Wed, Jan 28th)

Wed, 01/28/2015 - 12:23

Adobe has released an update to the Flash vulnerability CVE-2015-0311 discussed earlier this week here on the ISC. The update released from Adobe addresses Flash vulnerabilities documented in CVE-2015-0311 CVE-2015-0312, which now has exploits being seen in the wild. Given that we are seeing exploits in the wild, the criticality of this exploit should be re-evaluated for prioritization and implementation. ">tony d0t carothers --gmail

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

GHOST glibc gethostbyname() Vulnerability: https://www.youtube.com/watch?v=218JiCBpUTM, (Wed, Jan 28th)

Wed, 01/28/2015 - 08:01
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, January 28th 2015 http://isc.sans.edu/podcastdetail.html?id=4331, (Wed, Jan 28th)

Wed, 01/28/2015 - 07:43
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

VMware Security Advisories - 1 New, 1 Updated, (Wed, Jan 28th)

Tue, 01/27/2015 - 16:48

VMware has released an new and updated security advisory today. The two security advisories, listed below, address numerous vulnerabilities in the VMware platform. For information regarding the impacted versions, affected components, and related CVE">">Updated Advisory: ">">">tony d0t carothers --gmail

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

New Critical GLibc Vulnerability CVE-2015-0235 (aka GHOST), (Tue, Jan 27th)

Tue, 01/27/2015 - 15:56

Qualys discovered a criticalbuffer overflow in the gethostbyname() and gethostbyname2() functions in glibc. According to the announcement by Qualys, they were able to create an in-house exploit that will execute arbitrary code via the Exim">glibcbefore version 2.18 (released August ) is vulnerable. You can quickly check your glibc version by using ldd --version">These glibc">What should you do: Apply this update as soon as you see patched offered by your Linux/Unix distribution. Some Windows software (and of course OS X) uses glibcas well and may be vulnerable. Use thegetaddrinfo() function, not">[1]">You shouldn">Highly critical Ghost">GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems - Michael Mimoso, Threatpost

LinuxGhostRemoteCode">---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Apple Security Updates 27 JAN 2015 for OS X, Safari, iOS, and Apple TV - http://support.apple.com/en-us/HT1222, (Tue, Jan 27th)

Tue, 01/27/2015 - 14:48
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, January 27th 2015 http://isc.sans.edu/podcastdetail.html?id=4329, (Tue, Jan 27th)

Mon, 01/26/2015 - 18:34
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Adobe updates Security Advisory for Adobe Flash Player, Infocon returns to green, (Mon, Jan 26th)

Mon, 01/26/2015 - 09:14

On Saturday, 24 JAN 2015, Adobe updated their Security Advisory for Adobe Flash Player specific to CVE-2015-0311. From the update:

Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.

To that end we">GREEN. Please ensure you apply updates as soon as possible and stay tuned here as additional related information">|">@holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Adobe updates Security Advisory for Adobe Flash Player, Infocon returns to green, (Mon, Jan 26th)

Mon, 01/26/2015 - 09:14

On Saturday, 24 JAN 2015, Adobe updated their Security Advisory for Adobe Flash Player specific to CVE-2015-0311. From the update:

Users who have enabled auto-update for the Flash Player desktop runtime will be receiving version 16.0.0.296 beginning on January 24. This version includes a fix for CVE-2015-0311. Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11. For more information on updating Flash Player please refer to this post.

To that end we">GREEN. Please ensure you apply updates as soon as possible and stay tuned here as additional related information">|">@holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Monday, January 26th 2015 http://isc.sans.edu/podcastdetail.html?id=4327, (Mon, Jan 26th)

Sun, 01/25/2015 - 20:31
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

"Stealth" Update for Flash from Adobe, (Sat, Jan 24th)

Sat, 01/24/2015 - 18:58

[Update] Adobe now updated its advisory and confirmed that version 16.0.0.296 fixes the o-day vulnerability (CVE-2015-0311). [2][3]

Adobe apparently just released Flash version 16.0.0.296. There is nothing on Adobes website if this is a patch. As a matter of fact, Adobe still lists 16.0.0.287 as the most recent version [1]. You can download 16.0.0.296 if you manually check for updates using Flash.

This article will be updates as we learn more. I have NO IDEA if this new version fixes the current vulnerability, but given that this is a surprise weekend release, chances are that it was released in response to the vulnerability. Apply this update at your own risk.

Thanks to Christopher for noticing!

[1]http://www.adobe.com/software/flash/about/

[2]http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

[3]http://blogs.adobe.com/psirt/?p=1160

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Flash 0-Day: Deciphering CVEs and Understanding Patches, (Fri, Jan 23rd)

Sat, 01/24/2015 - 18:30

(updated with Jan 24thupdate)

The last two weeks, we so far had two different Adobe advisories (one regularly scheduled, and one out of band), and three new vulnerabilities. I would like to help our readers deciphering some of the CVEs and patches that you may have seen.

CVE Fixed in Flash Version">yes APSA15-01

So in short: There is still one unpatchedFlash vulnerability. System running Windows 8 or below with Firefox or Internet Explorer are vulnerable. You are not vulnerable if you are running Windows 8.1 and the vulnerability is not exposed via Chrome. EMET appears to help, so may other tools like Malwarebytes Anti-Exploit.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Infocon change to yellow for Adobe Flash issues, (Fri, Jan 23rd)

Fri, 01/23/2015 - 10:05

We have decided to change the Infocon 1to yellow in order to bring attention to the multiple recentAdobe Flash Player vulnerabilities2 that are being actively exploited. There have been 3 patchedvulnerabilities thathave an update and applying themis highly recommended. 1 of the vulnerabilities has not yet been patched, and is expected to be released as an OOB (Outof Band) next week by Adobe 3.

Our reasoning is that the Adobe Flash Player is very widely installed, the vulnerability affects multiple platforms, remote code execution gives the attacker complete control of the system, the patch is not yet available, it affects both organizational IT systems as well as home or soho users, a crimeware kit is actively exploiting the vulnerabilities, people might mistakenly believe that the patch from yesterday fixes all of the issues, and last but not least mitigation through the use of EMET or other tools/means is not normally feasible for home users or quick deployment in enterprise environments without testing. In short, the high impact of these vulnerabilities being exploited warrants raising the Infoconfrom now until Monday.

1-https://isc.sans.edu/infocon.html

2-https://isc.sans.edu/forums/diary/Flash+0Day+Deciphering+CVEs+and+Understanding+Patches/19223/

3-">Adrien de Beaupr">My SANS teaching schedule

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

PHP 5.6.5 is available, (Fri, Jan 23rd)

Fri, 01/23/2015 - 06:18
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

How Vulnerabilities Happen: Input Validation Problems, (Fri, Jan 23rd)

Fri, 01/23/2015 - 05:29

We would like to thank Richard Ackroyd of RandomStormfor reporting a critical input validation error in our site to us. As we have done before, here is how it happened so hopefully you can learn from it as well.

Lets start with a bit of background. Our site deals a lot with IPv4 addresses. Most of the time, we store IPv4 addresses as a string. I know this isnt the most efficient way, but well, that decision goes back to the beginning. To make sorting and indexing simpler, we pad IPv4 addresses with zeros, and you may have seen this on the site. 192.0.2.1 becomes 192.000.002.001.

Originally, I used a simple trick to validate IP addresses. I just converted the IP address to its long integer format, and then back to a string. This guarantees that you end up with a valid IP address. Later, we started using more of the standard FILTER functions in php to make some input validation easier, and modified the IPv4 validation function to use it. At the same time, to make the code a bit simpler,we also added an unpad function to fix up the IP address by removing extra 0s first.

Here is a quick view at the vulnerable code:

if ( is_ipv4($sIPAddress) { ... use $sIPAddress ...} else { ... display error ...}function is_ipv4($sValue) { if ( filter_var($sValue,FILTER_VALIDATE_IP,FILTER_FLAG_IPV4) ) { }}function unpadip($sIP) { $aIP=explode(. if ( sizeof($aIP) return sprintf(%d.%d.%d.%d}

So why is this wrong? The big problem is that I am modifying the value (unpad) before validating it, and then use the unmodified value, not the one I modified. At first, that doesnt look too bad in this case. But turns out that the unpad function does more then just remove extra 0s. Any other non-numeric character is removed. E.g. try:

printf(%d,123 this is an exploit

and you will get 123 back. That is part of the point of %d. The end result was that we validated a value that was cleansed by unpad, but then used the dirty value which still included the exploit code.

Our solution for now is twofold:

- add a bit more input validation to the unpad function, just in case we use it unsafely in other parts of the code
- remove the unpad from the is_ipv4 validation function.

The ultimate solution would be to change how we store IPv4 addresses and store them as long integer, which is much more efficient, but will take some time as we got a lot of code that needs to read/write from those tables. For IPv6 we use two 64 bit numbers (BIGINT in mysql) which works very well as it splits network and interface part.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Friday, January 23rd 2015 http://isc.sans.edu/podcastdetail.html?id=4325, (Fri, Jan 23rd)

Thu, 01/22/2015 - 19:03
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts