
SANS ISC InfoSec Handlers Diary Blog



Security Mailing Lists for Academia

Published: 2005-09-13
Last Updated: 2005-09-13 23:35:06 UTC
by Scott Fendley (Version: 1)
For most of us involved in security in academia, this story is old news.  But I am going to write it up anyway for those new to the sometimes hectic world of security on a college or university campus.

There are two major mailing lists that are the primary resources for security discussions in this microcosm: Unisog and Educause Security.

First is the Unisog mailing list.  Unisog stands for UNIversity Security Operations Group, and this group was created out of excellent discussions occurring after hours or in the hallways at a SANS conference (correct me, Unisogers, if it was another conference).  It has been around for a number of years, has some very knowledgeable people involved, and is usually more technical in nature.  For more information on this mailing list, please see the Unisog mailing list information located at lists.sans.org.

Second is the Educause Security Discussion Group.  Educause was formed in the late 1990s by two professional associations with a mission to advance academia by promoting the intelligent use of IT.  A few years back, Educause formed an IT security discussion group to promote awareness, security solutions, effective practices and general discussion for those in higher education.  In general, I see policy and administrative level discussion on this list.  This is a great resource to see what your peer institutions are doing, so you do not have to re-invent the wheel on the higher-level details.  For more information on this mailing list, please see the Educause Security Discussion Group information.

In general, both of these mailing lists are excellent resources.  There is no reason that those of us who work in the university community have to "re-invent the wheel" on any of our projects, whether they are technical or administrative in nature.

----
Scott Fendley
Handler on Duty
University of Arkansas

Snort Denial of Service Vulnerability

Published: 2005-09-13
Last Updated: 2005-09-13 23:33:59 UTC
by Scott Fendley (Version: 2)

Earlier Monday, Snort.org announced a vulnerability in the 2.x series of the open source IDS software.  The vulnerability was found in the PrintTcpOptions() function and could allow an attacker to use a malformed, crafted TCP/IP packet to cause a DoS in Snort.  These vulnerabilities involve NULL pointer dereferences, which should mean that only a Denial of Service is possible.  Additionally, proof of concept code has been released concerning this vulnerability.

JustinF noted earlier today that the original advisory that I grabbed from the snort.org site may not be completely accurate. You _do not_ have to be running snort with the -v flag set, as there are other execution paths that lead to the PrintTcpOptions() function.  Notably, PrintIPPacket() can be used to call the vulnerable function.  This requires a few conditions to be met, such as the packet not being a fragment[1] and its protocol being TCP.  (For those looking at the code from cvs, it takes a couple of levels of following the code to see this connection.)

Justin noted that running with "-A fast", logging in ASCII mode, and the frag3 and stream4 preprocessors also have some potential to reach PrintTcpOptions(), in addition to the initially reported -v flag.  Some of these appear to be pretty difficult to exploit, or are not typically used in a production environment.  However, they are noted in case someone is using them in a production environment.

Additionally, Justin noted that there were a number of changes to the code involving the TCP options, including that of SACK. Many of these changes were made to prevent other NULL pointer dereferences from being possible, per Marty Roesch's post located at SecurityFocus.
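To make the defect class concrete for those who will be reading the CVS diffs, here is an added illustration in C.  It is not Snort's code and not a reconstruction of the actual bug; the option kinds, struct layout, function names and sample option bytes are all my own construction.  It decodes TCP options the way a sniffer's decoder would, and shows why the printing side must check both the option's data pointer and its declared length before reading through it: a zero-payload option legitimately decodes to a NULL payload pointer, and a printer that assumes every SACK or MSS option carries payload is exactly the NULL dereference that turns a crafted packet into a crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Snort's code: a minimal TCP option decoder and
 * printer showing the defect class (printer trusts a data pointer that the
 * decoder left NULL) beside a hardened printer that validates before reading. */

#define TCPOPT_EOL   0
#define TCPOPT_NOP   1
#define TCPOPT_MSS   2
#define TCPOPT_SACK  5
#define MAX_TCP_OPTS 40   /* a TCP header carries at most 40 option bytes */

typedef struct {
    uint8_t kind;
    uint8_t len;          /* total length incl. kind and len bytes; 1 for EOL/NOP */
    const uint8_t *data;  /* payload pointer, NULL when the option has no payload */
} tcp_opt_t;

/* Walk the option bytes. Returns the number of options decoded, or -1 when the
 * options are malformed (length byte < 2, or an option running past the end). */
int decode_tcp_options(const uint8_t *buf, size_t buflen, tcp_opt_t *out, int max)
{
    size_t i = 0;
    int n = 0;
    while (i < buflen && n < max) {
        uint8_t kind = buf[i];
        if (kind == TCPOPT_EOL)
            break;
        if (kind == TCPOPT_NOP) {
            out[n++] = (tcp_opt_t){ kind, 1, NULL };
            i++;
            continue;
        }
        if (i + 1 >= buflen)               /* kind present, length byte missing */
            return -1;
        uint8_t len = buf[i + 1];
        if (len < 2 || i + len > buflen)   /* bogus length or runs off the end */
            return -1;
        /* len == 2 means no payload at all, so data stays NULL. A SACK or MSS
         * option in this shape is malformed but still decodes; the printer
         * must not assume data != NULL just because of the option kind. */
        out[n++] = (tcp_opt_t){ kind, len, len > 2 ? &buf[i + 2] : NULL };
        i += len;
    }
    return n;
}

/* The defect class: reads through opt->data with no check at all. Shown only
 * for contrast; nothing in this example calls it. */
unsigned mss_unsafe(const tcp_opt_t *opt)
{
    return (unsigned)((opt->data[0] << 8) | opt->data[1]);
}

/* Hardened printer: validates pointer and declared length before touching
 * payload bytes. Renders a summary into out; returns the number of options
 * rendered, or -1 when it refuses a malformed option or runs out of space. */
int print_tcp_options(const tcp_opt_t *opts, int n, char *out, size_t outlen)
{
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        const tcp_opt_t *o = &opts[i];
        int w;
        if (o->kind == TCPOPT_MSS) {
            if (o->data == NULL || o->len != 4)      /* MSS: exactly 2 payload bytes */
                return -1;
            w = snprintf(out + used, outlen - used, "MSS:%u ",
                         (unsigned)((o->data[0] << 8) | o->data[1]));
        } else if (o->kind == TCPOPT_SACK) {
            /* SACK payload is one or more 8-byte (left, right) edge pairs */
            if (o->data == NULL || o->len < 10 || (o->len - 2) % 8 != 0)
                return -1;
            w = snprintf(out + used, outlen - used, "SACK:%u-blocks ",
                         (unsigned)((o->len - 2) / 8));
        } else if (o->kind == TCPOPT_NOP) {
            w = snprintf(out + used, outlen - used, "NOP ");
        } else {
            w = snprintf(out + used, outlen - used, "Opt%u(%u) ",
                         (unsigned)o->kind, (unsigned)o->len);
        }
        if (w < 0 || (size_t)w >= outlen - used)
            return -1;
        used += (size_t)w;
    }
    return n;
}

static char g_summary[128];

/* Decode then print; -1 means the options were rejected somewhere along the way. */
int check_options(const uint8_t *buf, size_t buflen)
{
    tcp_opt_t opts[MAX_TCP_OPTS];
    int n = decode_tcp_options(buf, buflen, opts, MAX_TCP_OPTS);
    g_summary[0] = '\0';
    if (n < 0)
        return -1;
    return print_tcp_options(opts, n, g_summary, sizeof g_summary);
}

const char *last_summary(void) { return g_summary; }

int main(void)
{
    /* Constructed sample bytes: MSS 1460, NOP, NOP, EOL */
    const uint8_t good[] = { 2, 4, 0x05, 0xb4, 1, 1, 0 };
    /* Constructed malformed sample: a SACK option claiming length 2 (no payload) */
    const uint8_t bad[] = { 5, 2 };
    printf("good: %d -> %s\n", check_options(good, sizeof good), last_summary());
    printf("bad:  %d (rejected)\n", check_options(bad, sizeof bad));
    return 0;
}
```

The point of the split between decoder and printer is that the decoder is doing its job correctly when it hands back a NULL payload pointer for a two-byte option; the hardening belongs in every consumer of that struct, which is why a fix to one print path (the -v case) does not close the other paths Justin listed.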

Thanks to all of the people that have offered their input to the above.

Fix and Workaround Details:
A fix for this vulnerability was checked into the Snort 2.4 CVS tree on August 23rd, 2005 and is available for download here. This fix will also be included in the upcoming 2.4.1 release.

References:
Snort News
VulnFact Advisory
FRSIRT Bulletin
SecurityFocus

------------
Scott Fendley, Handler on Duty




Microsoft Releases Updates

Published: 2005-09-13
Last Updated: 2005-09-13 19:51:42 UTC
by Scott Fendley (Version: 1)
As you all probably know, today is the normal Black Tuesday of the month.  With no Microsoft security patches being released, I guess we cannot really call it Black Tuesday.  Perhaps Grey Tuesday, or Gray Tuesday depending on your choice of spelling, would be more correct.

Microsoft did release a couple of updates today nonetheless.

First, the monthly "Malicious Software Removal Tool" was updated to handle new variations of some new and old pieces of malware.  For more technical details, please go to Microsoft KB Article 890830 for information and a link to the manual download location.

Second, Microsoft released an update for Windows 2000 SP4 Update Rollup 1.  That would make this "Microsoft Windows 2000 Service Pack 4, Update Rollup 1 version 2."  Now that is a mouthful!  For those that don't remember, Update Rollup 1 was originally released in June 2005.  This version appears to fix some known problems with the original version that were discovered after the update went out for testing.  For more information please see Microsoft KB Article 891861.

I have not found any other updated patches or anything else noteworthy on the Microsoft front today.  If I missed something else, please let me or the other handlers know.

----
Scott Fendley, Handler on Duty

WebCalendar Exploitation

Published: 2005-09-13
Last Updated: 2005-09-13 01:55:25 UTC
by Kevin Hong (Version: 1)

We have had reports submitted that web servers running WebCalendar 0.9.x or WebCalendar 1.x are being exploited. Currently some defacers/crackers have started using a WebCalendar PHP remote file inclusion vulnerability. They use it when defacing web sites, uploading Trojans and so on. I have seen some defacer groups use this kind of method and then upload a Trojan which steals bank IDs/passwords from users' systems.


Official WebCalendar releases can be obtained from the SourceForge development server. The latest version is 1.0.1; please update to the latest version.

Secunia Vulnerability description - WebCalendar "includedir" Arbitrary File Inclusion Vulnerability
SecurityFocus Vulnerability description - WebCalendar Send_Reminders.PHP Remote File Include Vulnerability

Kevin Hong
Handler On Duty
