Threat Level: green Handler on Duty: Adrien de Beaupre

SANS ISC Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

ISC StormCast for Wednesday, November 26th 2014

Less is, umm, less?

Published: 2014-11-25
Last Updated: 2014-11-25 21:31:04 UTC
by Adrien de Beaupre (Version: 1)
2 comment(s)

Following vulnerabilities discovered in tools many Linux and Information Security enthusiasts use such as the 'strings' command and the bash shell, a new series of issues have been discovered in the 'less' command. Less is used to paginate output, and can be used to view the text contents of a file one page at a time. It can also receive data from a pipe. Examples: 'less myfile.txt' and 'xxd mybinfile | less'. One of the most attractive features of less is that you can move forwards and backwards through the output. It would not be unusual to use less to view files downloaded from the Internet for example. The problem is that less on some versions of Linux run a lesspipe script that invokes other utilities to actually view the contents of the files. Many of these should not be used to view files from an untrusted source. So local arbitrary code execution is possible if less is run on a malformed file. Back to using more?


Adrien de Beaupré Inc.




2 comment(s)

Security update for Adobe Flash player

Published: 2014-11-25
Last Updated: 2014-11-25 21:17:49 UTC
by Adrien de Beaupre (Version: 1)
1 comment(s)

Adobe has released an out of band security update for the Adobe Flash player. This is an additional update for CVE-2014-8439. Everyone either update or double check that Flash either is not installed or cannot be invoked via Internet web sites.

Adrien de Beaupré Inc.


1 comment(s)

Guest diary: Detecting Suspicious Devices On-The-Fly

Published: 2014-11-25
Last Updated: 2014-11-25 20:27:26 UTC
by Adrien de Beaupre (Version: 1)
7 comment(s)

If you apply classic hardening rules (keep the patch level, use an AV, enable the firewall and use them with due diligence), modern operating systems are more and more difficult to compromise today. Extra tools like EMET could also raise the bar. On the other side, networks are more and more populated with unknown/personal devices  or devices which provide multiple facilities like storage (NAS), printers (MFP), VoIP, IP camera, ...

Being easily compromised, they became a very good target to pivot into the network. They run out-of-the-box, just plug the network/power cables and they are ready to go! A classic vulnerability management process will detect such devices but you still have the risk to miss them if you run a monthly scan! To catch new devices on the fly and to have an immediate idea of their attack surface (example: is there a backdoor present), I'm using the following toolbox: Arpwatch, Nmap and OSSEC as the conductor.

Arpwatch is a tool for monitoring ARP traffic on a LAN. It can detect new MAC addresses or pairing changes (IP/MAC). Nmap is the most known port scanner and OSSEC is a log management tool with many features like a built-in HIDS.

A first good news is that Arpwatch log entries are processed by default in OSSEC. It has a great feature called "Active-Response" which allows to trigger actions (read: execute scripts) in specific conditions. In our case,  I just created an active-response configuration to trigger a Nmap scan of any new device reported by Arpwatch:

conifguration snippet

The above configuration specifies that will be executed with the argument 'srcip' (reported by Arpwatch) on the agent '001' when the rule 7201 or 7202 will match (when a new host or a MAC address change is detected). The script is based on the existing active-response scripts and spawns a Nmap scan:

nmap -sC -O -oG - -oN ${PWD}/../logs/${IP}.log ${IP} | grep Ports: >>${PWD}/../logs/gnmap.log

This command will output interesting information in grepable format to the gnmap.log file: the open ports (if any) of the detected IP like in the example below. One line per host will be generated:

Host: (  Ports: 22/open/tcp//ssh///, 80/open/tcp///,3306/open/tcp/// ...

OSSEC is a wonderful tool and can decode this by default. Just configure the gnmap.log as a new events source:

And new alerts will be generated:

2014 Oct 27 17:54:23 (shiva)>/var/ossec/logs/gnmap.log
Rule: 581 (level 8) -> 'Host information added.'
Host: (, open ports: 22(tcp) 80(tcp) 3306(tcp)

By using this technique, you will immediately detect new hosts connected to the network (or if an IP address is paired with a new MAC address) and you'll get the list of the services running on it as well as the detected operating system (if the fingerprinting is successful). Happy hunting!

Xavier Mertens

7 comment(s)
ISC StormCast for Tuesday, November 25th 2014

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Less is, umm, less?
published 20 hours ago by Adrien de Beaupre (2 comments)

Guest diary: Detecting Suspicious Devices On-The-Fly
published 21 hours ago by Adrien de Beaupre (7 comments)

Someone is using this? PoS: Compressor
published 2 days ago by Richard (10 comments)

Craigslist Outage
published 2 days ago by tony (1 comment)

More Trouble For Hikvision DVRs
published 2 days ago by Dr. J. (0 comments)

Google Web "Firing Range" Available
published 5 days ago by Rob VandenBrink (0 comments)

Critical WordPress XSS Update
published 5 days ago by Dr. J. (0 comments)

"Big Data" Needs a Trip to the Security Chiropracter!
published 6 days ago by Rob VandenBrink (1 comment)

Security update for Adobe Flash player
published 4 decades ago by Adrien de Beaupre (1 comment)

View All Diaries →

Latest Discussions

CTF365 strange email
created 1 day ago by Alex (1 reply)

created 2 days ago by Anonymous (0 replies)

Marketing automation software vulnerabilities
created 1 week ago by Anonymous (0 replies)

Odd program from Google Chrome?
created 1 week ago by xParticle (2 replies)

How to handle with flood of spamy comments for a wordpress-based site?
created 2 weeks ago by height (0 replies)

View All Forums →

Latest News

View All News →