
SANS ISC InfoSec Handlers Diary Blog



Critical Ruby on Rails security vulnerability

Published: 2006-08-10
Last Updated: 2006-08-10 21:35:34 UTC
by Bojan Zdrnja (Version: 2)
A new version of Ruby on Rails (a very popular framework for developing database-backed web applications) has been released which patches a critical security vulnerability.

The details about the vulnerability have not been disclosed yet, but the authors urge everyone to patch as soon as possible: "This is a MANDATORY upgrade for anyone not running on a very recent edge".

Unfortunately, they didn't specify what this "very recent edge" exactly is, so you can't say if you are vulnerable or not. We can confirm, though, that all older versions (0.13, 0.14, 1.0 and 1.1.x) are vulnerable.

The new version (1.1.5) is supposed to be completely compatible with 1.1.4, however we would recommend that you check the original post about this available at http://weblog.rubyonrails.com/.

The new version can be downloaded from http://rubyforge.org/frs/?group_id=307.

Thanks to Christian for sending us a note about this.

UPDATE

Vulnerability details have been published: it is possible to execute Ruby code through the URL due to a bug in the routing code of Rails.

If you already upgraded to 1.1.5, we have to disappoint you: the 1.1.5 upgrade doesn't completely fix this vulnerability, so version 1.1.6 was released, which is supposed to patch it completely.

There is a good article on how to install this (and what to do if it breaks applications using third party engines) at http://weblog.rubyonrails.com/2006/8/10/rails-1-1-6-backports-and-full-disclosure, so we recommend that you visit this page and read it before installing the patch.


MS06-040 exploit(s) publicly available

Published: 2006-08-10
Last Updated: 2006-08-10 10:32:57 UTC
by Bojan Zdrnja (Version: 1)
As almost everyone predicted, it didn't take long for an exploit for MS06-040 (the vulnerability in the Server service) to become publicly available.

The current exploit seems to be working on all Windows 2000 systems and Windows XP SP0 and SP1. The good thing is that it doesn't work against Windows XP SP2 or Windows 2003 SP1.
The current version doesn't work against Windows 2003 SP0 or NT4 SP6 either, but this doesn't mean that they are safe.

This is probably a good opportunity to remind you of the host-based firewall in SP2, which should, by default, protect the machine from this exploit. Of course, since the firewall effectively blocks remote administration, it's pretty common for organizations to turn it off via GPOs. If you need to do this, try to limit access to the machine instead of turning the firewall off completely (or opening it to your whole network); it's much better to allow traffic only from your administration servers.

In any case, as the exploit is public, it's just a matter of time before script kiddies start using it (if they haven't already). We can expect that this exploit will soon be added to the attack arsenal of bots such as Sdbot and similar. In other words: patch!

eEye Releases Free Scanner for MS06-040

Published: 2006-08-11
Last Updated: 2006-08-11 02:07:24 UTC
by Lorna Hutcheson (Version: 2)
We received a heads up tonight from Marc Maiffret (thanks Marc!!) that eEye had released a free vulnerability scanner that searches for the MS06-040 vulnerability.  According to Marc:

"we have released a free vulnerability assessment tool for the critical, and potentially wormable, MS06-040 vulnerability. This free tool can be used by IT administrators to scan their networks for any potentially vulnerable machines. This tool does not require administrator access to machines so it will give IT administrators a real-world perspective on where their network stands against this attack regardless of what they think they have or have not patched yet."


Another email about the scanner went out to a public mailing list and provided an email address in case you find bugs in it:

"Look forward to your feedback and please feel free to email skunkworks@eeye.com if you find any bugs in it etc..."

No one around the ISC has had a chance to test it yet, but many of us have downloaded it for tomorrow. Here is the tool and the link for it!

Retina MS06-040 NetApi32 Scanner
http://www.eeye.com/html/resources/downloads/audits/NetApi.html

Happy Scanning!

UPDATE

While testing the 16 IP address version (and as confirmed by one of our readers) we noticed a small bug in this tool. When selecting which IP addresses to scan, the user can pick between a single IP address, an IP range and CIDR notation.
If the IP range option is used, the user simply enters the first and last IP address (no more than 16 IP addresses can be scanned at a time). However, for some reason the tool doesn't scan the last 2 IP addresses of the range. You can, of course, include those 2 IP addresses in the following scan, but we wanted to warn you if you are already using it. We've contacted eEye and believe they will release a new version soon (the currently available version is 1.0.0.5).

Other than that we just wanted to add that, in order to download the tool, you have to either submit your e-mail address (for the 16 IP scanner) or fully register on eEye's site (this is required for the 256 IP scanner).


Snort Sigs for MS06-042 and ICMP tunnel mentioned in Diary

Published: 2006-08-10
Last Updated: 2006-08-10 00:10:23 UTC
by Mike Poor (Version: 1)
Frank Knobbe sent in these signatures today via Bleedingsnort.com.

Note that on the signatures below I have added the "\" continuation character to get better formatting on the Storm Center page.

Signature for the ICMP Banking Trojan:

# By Joe Stewart,  Based on valuable work by Tom Fisher
alert icmp any any -> any any (msg:"BLEEDING-EDGE TROJAN ICMP Banking Trojan \
sending encrypted stolen data"; dsize:>64; content:"|08|"; itype:8; icode:0; depth:1; \
byte_test:4,>,64,1,little; byte_test:4,<,1500,1,little; content:"|0000|"; distance:4; within:1495; \
classtype:trojan-activity; reference:url,www.websensesecuritylabs.com/alerts/alert.php?AlertID=570; \
sid:2003073; rev:1;)
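To make the rule's conditions concrete, here is an added Python re-implementation of its checks run over constructed sample payloads; it is not part of the original diary or the Bleeding Edge rule set. It assumes the ICMP data after the echo header as the "payload" and uses a simplified reading of distance/within (a search window starting after the skipped bytes).

```python
import struct

# Constructed ICMP echo-request payloads (bytes after the ICMP echo header)
# are used as test input below; they are not real captures.
ICMP_ECHO_REQUEST = 8


def matches_icmp_banking_trojan(itype, icode, payload):
    """Apply the rule's options in order and return True on a match.

    Assumptions (not Snort's exact engine): 'payload' is the ICMP data
    after type/code/checksum/id/seq, and 'within' bounds a search window
    measured from the point that 'distance' moved to.
    """
    # itype:8; icode:0 -> echo request only
    if itype != ICMP_ECHO_REQUEST or icode != 0:
        return False
    # dsize:>64 -> payload must be longer than 64 bytes
    if len(payload) <= 64:
        return False
    # content:"|08|"; depth:1 -> the first byte must be 0x08
    if payload[:1] != b"\x08":
        return False
    doe = 1  # detection offset end: just past the matched 0x08 byte
    # byte_test:4,>,64,1,little and byte_test:4,<,1500,1,little
    # -> 4-byte little-endian value at absolute offset 1 must be in (64, 1500)
    (length_field,) = struct.unpack_from("<I", payload, 1)
    if not 64 < length_field < 1500:
        return False
    # content:"|0000|"; distance:4; within:1495
    # -> skip 4 bytes after the last match, then "\x00\x00" must appear
    #    somewhere in the next 1495 bytes
    start = doe + 4
    window = payload[start:start + 1495]
    return b"\x00\x00" in window


def build_sample(length_field=200, first_byte=b"\x08", size=120):
    """Constructed payload: marker byte, LE length, filler, a NUL pair, padding."""
    body = first_byte + struct.pack("<I", length_field)
    body += b"A" * 40 + b"\x00\x00"
    return body + b"B" * (size - len(body))
```

Note that the little-endian length field itself contains a NUL pair at offsets 2-3, but the distance:4 step moves the second content search past it, so a payload with no NUL pair after offset 5 does not match.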

The link to the signatures for ICMP tunnel


For the signatures for MS06-042, please refer to the link on bleedingsnort.com: signatures for MS06-042

Mike Poor
Intelguardians.com
