
SANS ISC InfoSec Handlers Diary Blog



New Adobe Vulnerability Exploited in Targeted Attacks

Published: 2009-10-08
Last Updated: 2009-10-08 20:09:19 UTC
by Johannes Ullrich (Version: 1)
10 comment(s)

Adobe's PSIRT (Product Security Incident Response Team) published a new blog post today [1]. The post reveals that a critical vulnerability, CVE-2009-3459, is now being exploited in the wild in targeted attacks. The vulnerability affects Adobe 9.1.3 on Windows, Unix and OS X. However, the exploits have been limited to Windows so far.

An update scheduled to be released on Oct 13th should fix the problem. Until then, Windows users are advised to enable DEP. Anti-malware vendors have been informed by Adobe.

This vulnerability does not require JavaScript. If you disabled JavaScript in the past, it will not protect you in this case. Another workaround I found helpful: you can "clean" PDF documents by first converting them into another format (like PostScript) and then back into PDF. However, this is not 100% certain to remove the exploit, and you may infect the machine that does the conversion, as it will likely still use the vulnerable libraries to convert the document. But the likelihood of this happening is quite low.

[1] http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: adobe vulnerability
Nessus.org is coming back up, very slow right now. Thank you for writing in.

Cyber Security Awareness Month - Day 8 - Port 25 - SMTP

Published: 2009-10-08
Last Updated: 2009-10-08 16:13:51 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

My personal favorite port is port 53, but well, it was already taken. So I am going to cover port 25, my least favorite port :)

Port 25 is used by mail servers to receive e-mail. E-mail in itself is of course a mixed blessing. Spam levels in the 90% range make it a less and less useful business tool. There is a lot of history involved here, and SMTP wasn't the first "e-mail" protocol. Before SMTP became popular, protocols like UUCP (Unix-to-Unix CoPy) were used to exchange e-mail. SMTP in some ways extends these older protocols and inherited some of their properties.

For a full description of SMTP, start with RFC821 (http://www.faqs.org/rfcs/rfc821.html). But RFC821 is just the start. Later RFCs expand on it substantially and you will need to understand them to fully appreciate how today's e-mail servers work. Let me try to assemble a quick SMTP primer here.

First of all, the mail client connects to the mail server, and the mail server identifies itself with a line like:

220 mailserver.example.com ESMTP Postfix

The number at the beginning is the important part; the rest is mostly ignored. "220" means the service is ready to receive your spam. Next the client has to identify itself. There are two ways this may happen. The old way (RFC821) is to send a "HELO" message like:

HELO mailclient.example.com

However, modern clients will typically use "EHLO" instead of "HELO". EHLO is defined in RFC 1869. Sending an "EHLO" will signal to the server that your client understands the extensions defined in RFC 1869.

The server's response to a HELO or EHLO will be a "250" code (if there wasn't an error):

250 zimbra.den.giac.net

For an EHLO, additional '250' lines will be returned listing the capabilities of the server. At this point we have an established connection and are able to send our first e-mail. The e-mail itself consists of 3 parts:

- an envelope. This is typically not part of the e-mail itself, but indicates the From and To addresses to the mail server. The From and To addresses in the envelope can differ from the From and To addresses used in the header of the message.

- a header. The header typically includes Subject/From/To and other fields.

- a body. Delimited from the header by an empty line you will find the body of the message.

But well, you probably knew all of that. Let's talk about a few more interesting features:

STARTTLS: This scheme, if both sides support it, can be used to negotiate an SSL connection on the fly. RFC 2487 will tell you more about it. But here are the details: the connection starts as outlined above, but after the initial EHLO/250 exchange the client sends a STARTTLS command. This leads to an SSL connection being established. The SSL certificate may be used for authentication purposes as well as encryption in this case.

Message Submission: RFC 2476 outlines a new method to submit messages which is widely implemented. The basic idea is to distinguish between message forwarding and injecting new messages ("message submission"). RFC 2476 suggests the use of TCP port 587 to submit messages.

Non-Delivery Receipts: This is a sore point in many mail server configurations. There are two ways to indicate that a message is not deliverable. As the server receives the envelope, it can check the "To" address and reply with an error message before accepting the e-mail. This is preferred, as it cuts down on network traffic and on non-delivery receipts being sent to the wrong people later. However, it requires that the mail server knows all the users that are deliverable. For a simple relay server, this can be hard to figure out at times.
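To make the primer above concrete, here is an added example (not from the diary) that scripts the exchange end to end with a toy in-memory server: the 220 greeting, the multi-line EHLO reply (where "250-" continues and "250 " ends the reply, per RFC 1869), checking the advertised STARTTLS capability, recording the envelope from MAIL FROM/RCPT TO, and rejecting an unknown recipient at envelope time with a 550 instead of bouncing later. The host names, mailbox list and capability list are constructed sample data.

```python
import re

# Constructed sample data for the toy server (not a real host).
LOCAL_USERS = {"alice@example.com"}
EHLO_CAPS = ["mailserver.example.com", "STARTTLS", "SIZE 10240000"]

def parse_reply(text):
    """Return (code, lines) for an SMTP reply; handles RFC 1869 multi-line
    replies where '250-' continues and '250 ' ends the reply."""
    code, lines = None, []
    for raw in text.split("\r\n"):
        m = re.match(r"(\d{3})([ -])(.*)", raw)
        if not m:
            raise ValueError("malformed reply line: %r" % raw)
        code, lines = int(m.group(1)), lines + [m.group(3)]
        if m.group(2) == " ":
            break  # a space after the code marks the final line
    return code, lines

def toy_server(command, env):
    """Answer one client command, recording the envelope in `env`."""
    verb, _, arg = command.partition(" ")
    if verb == "EHLO":
        return "\r\n".join("250-" + c for c in EHLO_CAPS[:-1]) + "\r\n250 " + EHLO_CAPS[-1]
    if verb == "MAIL":
        env["from"] = arg.partition(":")[2].strip("<>")
        return "250 Ok"
    if verb == "RCPT":
        rcpt = arg.partition(":")[2].strip("<>")
        if rcpt not in LOCAL_USERS:
            return "550 No such user here"  # rejected at envelope time: no NDR later
        env.setdefault("to", []).append(rcpt)
        return "250 Ok"
    return "500 Command not recognized"

def run_session(mail_from, rcpts):
    """Drive the exchange as a client would and summarise what happened."""
    env, rejected = {}, []
    code, _ = parse_reply("220 mailserver.example.com ESMTP Postfix")
    if code != 220:
        raise RuntimeError("service not ready")
    code, caps = parse_reply(toy_server("EHLO mailclient.example.com", env))
    if code != 250:
        raise RuntimeError("EHLO rejected")
    parse_reply(toy_server("MAIL FROM:<%s>" % mail_from, env))
    for r in rcpts:
        code, _ = parse_reply(toy_server("RCPT TO:<%s>" % r, env))
        if code >= 500:
            rejected.append(r)  # client learns of the failure before sending DATA
    return {"starttls": "STARTTLS" in caps, "envelope": env, "rejected": rejected}
```

Note that only the envelope is tracked here; the header From/To inside the message body is independent of it, which is why the two can disagree.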

There is lots more to tell you about SMTP, port 25 and why I don't like e-mail. But maybe that will be a later diary.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: email port 25 smtp spam

Firefox Plugin Collections

Published: 2009-10-08
Last Updated: 2009-10-08 14:18:17 UTC
by Johannes Ullrich (Version: 1)
10 comment(s)

Our reader Mark sent us a link to his Firefox "Security Suite": https://addons.mozilla.org/en-US/firefox/collection/securitysuite

Mozilla started offering the ability to set up these collections to make it easier to share sets of plugins like that. Our handler Swa got inspired by Mark's submission and set up his own: https://addons.mozilla.org/en-US/firefox/collection/isc

I think this is a great idea. And I am wondering what plugins our readers would recommend for a suite like this. I can see three different suites:

- Home user security suite
- Security professional suite
- Pentesting suite.

Let me know which tools you would add to any one of them, and I will publish the top 5 plugins in each category (and maybe even set up the corresponding suites).

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: firefox plugin