Vol. 13, Num. 27
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 6/25/2013 - 7/2/2013
TOP VULNERABILITY THIS WEEK: Phone maker Motorola was caught in a major
privacy scandal this week, as an independent security researcher showed
that certain of its phones were sending sensitive user data such as
account credentials to Motorola servers silently in the background,
without user interaction - sometimes without encryption.
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Major privacy breach discovered on Motorola phones
Description: An independent security researcher published proof this
week that Motorola phones with the Blur service installed are sending a
myriad of credentials and private information silently to Motorola
servers, as well as communicating via a modified version of the Jabber
protocol in a format reminiscent of botnet command-and-control. The
disclosure - which featured packet captures, screen shots, and a full
analysis of all of the data being sent - includes reproduction
instructions for anyone concerned about their Motorola phone behaving
in a similar manner. Impacted phone owners appear to have little
recourse at this time, as the service responsible for this information
disclosure cannot be removed without rooting the phone and installing a
stock version of Android.
Reference:
http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html
Snort SID: N/A
ClamAV: N/A
Title: Metasploit module emerges for new Java sandbox bypass
Description: A Metasploit module targeting a recently patched Java
sandbox bypass was released last week. The issue - which allows for
arbitrary execution of static methods with user-supplied arguments - is
likely to be exploited heavily in the field, as it is both trivial to
implement and useful for bypassing recently implemented Java protections
that are intended to contain the scope of attacks. System administrators
are urged to patch immediately.
Reference:
http://metasploit.com/modules/exploit/multi/browser/java_jre17_provider_skeleton
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf
Snort SID: 27076, 27077
ClamAV: Java.Exploit.CVE_2013_2460
Title: Android_OBAD shows sophisticated new stealth techniques
Description:
Reference:
http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/
Snort SID: 27065, 27066
ClamAV: Andr.Trojan.OBad
Title: New “Nailed” exploit kit surfaces in the wild
Description: The latest in a series of exploit kits to emerge over the
last 6 months as that model becomes more popular for attackers on the
Internet, this particular kit is noteworthy not because of its
sophistication or ability to evade defenses - but instead because of how
simplistic it is, with Metasploit developers calling it just a
re-implementation of that tool’s browser autopwn functionality. As the
barrier to entry in creating kits like this continues to drop, defenders
are continuing to see an increase in their numbers generally and
diversity in particular.
Reference:
http://www.basemont.com/june_2013_exploit_kit_2
Snort SID: 27078 - 27084
ClamAV: N/A
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
SMS to Meterpreter: fuzzing USB modems:
http://www.youtube.com/watch?v=0en-xfxSUpk&feature=youtu.be
Reversing and auditing Android’s proprietary bits:
http://www.slideshare.net/joshjdrake/reversing-and-auditing-androids-proprietary-bits
Investigation of a new undocumented instruction trick:
http://blogs.technet.com/b/mmpc/archive/2013/06/24/investigation-of-a-new-undocumented-instruction-trick.aspx
Hijacking a Facebook account with SMS:
http://blog.fin1te.net/post/53949849983/hijacking-a-facebook-account-with-sms
Writing exploits for exotic bug classes: unserialize():
http://www.alertlogic.com/writing-exploits-for-exotic-bug-classes/
Can Apple read your iMessages?
http://blog.cryptographyengineering.com/2013/06/can-apple-read-your-imessages.html
Carberp remote code execution: Carpwned:
http://www.xylibox.com/2013/06/carberp-remote-code-execution-carpwned.html
ICS-CERT: Industrial incidents increasing in 2013:
https://ics-cert.us-cert.gov/sites/default/files/ICS-CERT_Monitor_April-June2013.pdf
Next generation mobile rootkits:
https://www.hackinparis.com/sites/hackinparis.com/files/Slidesthomasroth.pdf
The Java autorun worm, Java.Cogyeka:
http://www.symantec.com/connect/blogs/java-autorun-worm-javacogyeka-1-3
Indicators of compromise in memory forensics:
http://www.sans.org/reading_room/whitepapers/forensics/indicators-compromise-memory-forensics_34162
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2013-2460
Title: Java Applet ProviderSkeleton Insecure Invoke Method
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK
7, allows remote attackers to affect confidentiality, integrity, and
availability via unknown vectors related to Serviceability. NOTE: the
previous information is from the June 2013 CPU. Oracle has not commented
on claims from another vendor that this issue allows remote attackers
to bypass the Java sandbox via vectors related to “insufficient access
checks” in the tracing component.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-3576
Title: HP System Management Homepage JustGetSNMPQueue Command Injection
Vendor: HP
Description: ginkgosnmp.inc in HP System Management Homepage (SMH)
allows remote authenticated users to execute arbitrary commands via
shell metacharacters in the PATH_INFO to smhutil/snmpchp.php.en.
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
ID: CVE-2013-2551
Title: Microsoft Internet Explorer COALineDashStyleArray Integer
Overflow (MS13-009)
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
6 through 10 allows remote attackers to execute arbitrary code via a
crafted web site that triggers access to a deleted object, as
demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013,
aka “Internet Explorer Use After Free Vulnerability,” a different
vulnerability than CVE-2013-1308 and CVE-2013-1309.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2012-1533
Title: Java Web Start Double Quote Injection Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update
35 and earlier, allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors related to Deployment.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-1311
Title: Microsoft Internet Explorer textNode Use-After-Free
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
8 allows remote attackers to execute arbitrary code via a crafted web
site that triggers access to a deleted object, aka “Internet Explorer
Use After Free Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-1559
Title: Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Oracle WebCenter Content
component in Oracle Fusion Middleware 10.1.3.5.1 and 11.1.1.6.0 allows
remote authenticated users to affect availability via unknown vectors
related to Content Server.
CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
MOST PREVALENT MALWARE FILES 6/25/2013 - 7/2/2013 COMPILED BY SOURCEFIRE
SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal:
https://www.virustotal.com/file/aa0bbaecb678868e1e7f57c7ca9d61b608b3d788be490790eb1d148beadf4615/analysis/
Typical Filename: avz00001.dta
Claimed Product: -
Claimed Publisher: -
SHA 256: B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal:
https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/
Typical Filename: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Product: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Publisher: 573b6cc513e1b7cd9e35b491eacc38f3
SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal:
https://www.virustotal.com/file/0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/
Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal:
https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename: File_0_2.ok
Claimed Product: -
Claimed Publisher: -
SHA 256: A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03
MD5: e010f298c086c2e1d7265fd18aea2dfbaa9dcd35
VirusTotal:
https://www.virustotal.com/file/A6B140EC734C258C5EBF19C0BC0B414B5655ADC00108A038B5BE6A8F83D0BD03/analysis/
Typical Filename: lpkjnn.sys
Claimed Product: -
Claimed Publisher: -
OVERVIEW
CAPABILITIES
PLATFORM APPS
Use Cases
Segments
Resources
Research
Enterprise TruRisk Platform
Free Services