Vol. 13, Num. 38
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 9/10/2013 - 9/17/2013
NOTABLE RECENT SECURITY ISSUES
execution vulnerability was disclosed on Tuesday this week, with
Microsoft acknowledging targeted exploitation already occurring in the
wild. The exploit seen so far relies on a Microsoft Office library that
is loaded without ASLR to defeat address-space randomization; Microsoft
has already published a “Fix-It” mitigation, although no out-of-cycle
patch was forthcoming at the time of writing. Note that the Office
library is only the current exploit's ASLR bypass, not a precondition of
the flaw, which is in Internet Explorer itself: the mitigation belongs
on every affected IE install, not only those with Office present.
Title: Internet Explorer 0-day flaw emerges, being used in targeted attacks
Description: Microsoft on Tuesday publicly announced that a new remote
code execution vulnerability affecting all current versions of Internet
Explorer was being used in targeted attacks in the wild. Tracked as
CVE-2013-3893, the vulnerability is a use-after-free: Internet Explorer
touches an object in memory after it has been deleted, as do most modern
IE bugs. Microsoft has provided a “Fix-It” workaround and notes that
EMET mitigates the vulnerability if enabled. At the time of writing, it
was unclear whether Microsoft would issue an out-of-band patch for the
issue or wait for its next standard patch cycle to ship a full fix.
Reference:
http://technet.microsoft.com/en-us/security/advisory/2887505
http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx
Snort SID: 27943, 27944
ClamAV: BC.Exploit.CVE_2013_3893
Title: Popular Django web framework trivially DoS-able via oversized passwords
Description: The Python-based Django web development framework, used
by major sites such as Instagram, Mozilla, and Pinterest, released
patched versions this week that limit the size of passwords (4096
bytes) accepted by its authentication system, after a security
researcher publicly disclosed that oversized passwords could lead to a
denial of service: the cost of PBKDF2 password hashing grows with the
length of the submitted password, so a single login attempt carrying a
multi-megabyte password ties up a worker for seconds or minutes. Though
no proof-of-concept exploit code is available, the attack requires
nothing beyond a large POST to the login form, so administrators should
assume it will be exploited in the wild and apply the available patches
immediately. The cap is enforced in Django's own authentication forms;
custom login views that hand user input to the password hashers
directly should enforce the same limit.
Reference:
https://www.djangoproject.com/weblog/2013/sep/15/security/
http://permalink.gmane.org/gmane.comp.python.django.devel/39831
Snort SID: 27940
ClamAV: N/A
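The length-dependent cost described above, shown as an added example rather than Django's own code: a single-block PBKDF2-HMAC-SHA256 that rebuilds the HMAC on every iteration (the pattern that makes long passwords expensive) beside the same derivation with the key schedule computed once, plus the 4096-byte form-layer cap the patched releases apply. The salt and passwords are constructed for the demo; nothing here depends on Django.

```python
"""
Why an oversized password is a denial of service against a PBKDF2
password hasher, and the two defences. Added example written for this
note, not Django's code: pbkdf2_naive models a hasher that rebuilds the
HMAC on every iteration, pbkdf2_fixed is the same function with the key
schedule computed once, and MAX_PASSWORD_BYTES is the 4096-byte cap the
patched Django releases enforce at the form layer.
"""
import hashlib
import hmac
import struct
import time

MAX_PASSWORD_BYTES = 4096
SALT = b"constructed-salt"  # constructed for the demo, not a real salt


def pbkdf2_naive(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, first output block, with a fresh hmac.new() per
    iteration. HMAC must first hash any key longer than the 64-byte SHA-256
    block size, so every iteration re-hashes the whole password: the work
    is proportional to len(password) * iterations."""
    u = salt + struct.pack(">I", 1)
    t = 0
    for _ in range(iterations):
        u = hmac.new(password, u, hashlib.sha256).digest()
        t ^= int.from_bytes(u, "big")
    return t.to_bytes(hashlib.sha256().digest_size, "big")


def pbkdf2_fixed(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Same derivation, but the key is pre-digested once (RFC 2104 defines
    HMAC with a long key as HMAC with the key's hash, so the output is
    identical) and the inner/outer pads are reused via copy(). Each
    iteration is then two fixed-size compressions, whatever the password
    length."""
    if len(password) > hashlib.sha256().block_size:
        password = hashlib.sha256(password).digest()
    keyed = hmac.new(password, None, hashlib.sha256)
    u = salt + struct.pack(">I", 1)
    t = 0
    for _ in range(iterations):
        h = keyed.copy()
        h.update(u)
        u = h.digest()
        t ^= int.from_bytes(u, "big")
    return t.to_bytes(hashlib.sha256().digest_size, "big")


def reference(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Standard-library PBKDF2, used to confirm both variants are correct."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def password_length_ok(password: bytes) -> bool:
    """The form-layer defence: refuse the request before any hashing runs."""
    return len(password) <= MAX_PASSWORD_BYTES


def time_hash(fn, password: bytes, iterations: int) -> float:
    """Wall-clock seconds for one hash; returned rather than printed."""
    start = time.perf_counter()
    fn(password, SALT, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    for size in (8, MAX_PASSWORD_BYTES, 256 * 1024):
        pw = b"A" * size
        naive = time_hash(pbkdf2_naive, pw, 1000)
        fixed = time_hash(pbkdf2_fixed, pw, 1000)
        print(f"{size:>7}-byte password: naive {naive:.3f}s, fixed {fixed:.3f}s,"
              f" accepted by form cap: {password_length_ok(pw)}")
```

Running the script shows the naive variant's time scaling with the password size while the fixed variant stays flat. Both defences are worth having: pre-digesting the key removes the length term from the hasher, and the length cap stops a request from consuming bandwidth and memory before it ever reaches the hasher.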
Title: WordPress < 3.6.1 PHP object injection vulnerability disclosed
Description: A PHP object injection vulnerability in WordPress, which
can lead to remote code execution, was announced last week by an
independent security researcher in Belgium, who detailed a way to
bypass the CMS's built-in check for serialized data by exploiting
MySQL's behaviour, under the 3-byte “utf8” character set, of silently
truncating an input string at the first 4-byte UTF-8 character. An
attacker appends such a character to a serialized object: the trailing
character makes the string fail the serialized check on the way in,
MySQL drops it on storage, and on the way out the now well-formed
serialized string is passed to unserialize(). The vulnerability, which
is highly dependent on the characteristics of the PHP code being called
(it needs a loaded class whose __wakeup() or __destruct() does something
useful to the attacker), is not exploitable in the core WordPress
system, but the researcher notes that it is present in popular plugins.
Administrators should ensure that their WordPress core is at the most
current patch level.
Reference:
http://vagosec.org/2013/09/wordpress-php-object-injection/
Snort SID: N/A
ClamAV: N/A
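The bypass described above, simulated as an added example that is not WordPress code: is_serialized() is an approximate Python port of the shape check WordPress 3.6 performed (strict) and of the non-strict variant 3.6.1 applies before deciding to double-serialize, and mysql_utf8_store models a utf8 (3-byte) column in non-strict SQL mode, which cuts the value at the first 4-byte UTF-8 character. The payload is constructed; no database or PHP runtime is involved.

```python
"""
Simulation of the WordPress < 3.6.1 object-injection check bypass.
Added example, not WordPress code. is_serialized() approximates the
check in wp-includes/functions.php (strict = 3.6 behaviour; strict=False
= the looser check 3.6.1 uses on the storage path); mysql_utf8_store()
models a 3-byte `utf8` column in non-strict mode. Nothing here talks to
a real database.
"""
import re


def is_serialized(data: str, strict: bool = True) -> bool:
    """Strict mode: the string must end in ';' or '}'. Non-strict mode
    only requires that such a terminator appear past the type prefix,
    so trailing garbage no longer hides a serialized payload."""
    data = data.strip()
    if data == "N;":
        return True
    if len(data) < 4 or data[1] != ":":
        return False
    if strict:
        if data[-1] not in ";}":
            return False
    else:
        semicolon, brace = data.find(";"), data.find("}")
        if semicolon == -1 and brace == -1:
            return False
        if semicolon != -1 and semicolon < 3:
            return False
        if brace != -1 and brace < 4:
            return False
    token = data[0]
    if token == "s":
        if strict:
            if data[-2] != '"':
                return False
        elif '"' not in data:
            return False
        return re.match(r"^s:[0-9]+:", data, re.S) is not None
    if token in "aO":
        return re.match(rf"^{token}:[0-9]+:", data, re.S) is not None
    if token in "bid":
        end = "$" if strict else ""
        return re.match(rf"^{token}:[0-9.E-]+;{end}", data) is not None
    return False


def php_serialize_str(s: str) -> str:
    """PHP serialize() of a string: byte length, not character count."""
    return 's:%d:"%s";' % (len(s.encode("utf-8")), s)


def maybe_serialize(data: str, strict: bool) -> str:
    """WordPress double-serializes strings that already look serialized,
    so that reading them back yields the string rather than an object."""
    return php_serialize_str(data) if is_serialized(data, strict) else data


def mysql_utf8_store(value: str) -> str:
    """Model of a `utf8` (3-byte) column in non-strict SQL mode: the first
    character outside the BMP ends the stored value."""
    for i, ch in enumerate(value):
        if ord(ch) > 0xFFFF:
            return value[:i]
    return value


def instantiates_object(stored: str) -> bool:
    """What maybe_unserialize() does on read: unserialize anything passing
    the strict check. An 'O:' payload then runs __wakeup()/__destruct()
    on whatever class it names."""
    return is_serialized(stored, strict=True) and stored.startswith("O:")


def round_trip(user_input: str, patched: bool) -> str:
    """Write path (update_user_meta -> maybe_serialize) plus column storage.
    patched=False: 3.6 strict check; patched=True: 3.6.1 non-strict check."""
    return mysql_utf8_store(maybe_serialize(user_input, strict=not patched))


def attack_succeeds(payload: str, patched: bool) -> bool:
    return instantiates_object(round_trip(payload, patched))


# Constructed payload: a serialized object followed by U+1D306, a 4-byte
# UTF-8 character that the utf8 column will discard.
PAYLOAD = 'O:8:"stdClass":0:{}' + "\U0001D306"

if __name__ == "__main__":
    for patched in (False, True):
        stored = round_trip(PAYLOAD, patched)
        print(f"patched={patched}: stored={stored!r} "
              f"object_injection={instantiates_object(stored)}")
```

On the unpatched path the trailing character defeats the check, is dropped by the column, and the stored value is a clean serialized object; on the patched path the non-strict check catches the payload and double-serializes it, so what comes back is an inert (and, after truncation, malformed) string. Independently of the WordPress fix, a utf8mb4 column or strict SQL mode removes the truncation step itself: MySQL then stores the character or raises an "Incorrect string value" error instead of silently cutting the input.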
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
DarkLeech says hello:
http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/darkleech-says-hello.html
Rogue iframe injected web sites lead to mobile malware:
http://ddanchev.blogspot.com/2013/09/rogue-iframe-injected-web-sites-lead-to.html
Internet Explorer version detection & ROP generation:
https://zdresearch.com/internet-explorer-version-detect-rop-genration/
Non-alphanumeric PHP backdoors:
http://blog.sucuri.net/2013/09/ask-sucuri-non-alphanumeric-backdoors.html
Stealthy Dopant-level hardware trojans:
http://people.umass.edu/gbecker/BeckerChes13.pdf
WordPress < 3.6.1 PHP object injection:
http://vagosec.org/2013/09/wordpress-php-object-injection/
How did I get a root shell on my NAS?
http://blog.pentbox.net/index.php?controller=post&action=view&id_post=4
Technical analysis of CVE-2013-3147:
http://www.fireeye.com/blog/technical/2013/09/technical-analysis-of-cve-2013-3147.html
Microsoft SharePoint 2013 (Cloud) - persistent exception handling vulnerability MS13-067:
http://www.exploit-db.com/exploits/28238/
Content and popularity analysis of Tor hidden services:
http://arxiv.org/pdf/1308.6768v1.pdf
You can type, but you can’t hide: a stealthy GPU-based keylogger:
http://www.cs.columbia.edu/~mikepo/papers/gpukeylogger.eurosec13.pdf
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2013-4983
Title: Sophos Web Protection Appliance sblistpack Arbitrary Command Execution
Vendor: Sophos
Description: The get_referers function in /opt/ws/bin/sblistpack in
Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows remote
attackers to execute arbitrary commands via shell metacharacters in the
domain parameter to end-user/index.php.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-4811
Title: HP ProCurve Manager SNAC UpdateDomainControllerServlet File Upload
Vendor: HP
Description: UpdateDomainControllerServlet in the SNAC registration
server in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and
Identity Driven Manager (IDM) 4.0 does not properly validate the adCert
argument, which allows remote attackers to upload .jsp files and
consequently execute arbitrary code via unspecified vectors, aka
ZDI-CAN-1743.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-2367
Title: HP SiteScope Remote Code Execution
Vendor: HP
Description: Multiple unspecified vulnerabilities in HP SiteScope 11.20
and 11.21, when SOAP is used, allow remote attackers to execute
arbitrary code via unknown vectors, aka ZDI-CAN-1678.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-3184
Title: Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free (MS13-059)
Vendor: Microsoft
Description: Microsoft Internet Explorer 7 through 10 allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption) via a crafted web site, aka “Internet Explorer Memory
Corruption Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: Not Available
Title: Joomla! Unauthorised Uploads
Vendor: Joomla!
Description: Inadequate filtering leads to the ability to bypass file
type upload restrictions.
Affects Joomla! version 2.5.13 and earlier 2.5.x versions; and version
3.1.4 and earlier 3.x versions
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-2251
Title: Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Vendor: Apache
Description: Apache Struts 2.0.0 through 2.3.15 allows remote attackers
to execute arbitrary OGNL expressions via a parameter with a crafted (1)
action: , (2) redirect:, or (3) redirectAction: prefix.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
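Two of the items on this list are reachable through a plain HTTP request and leave a recognizable trace in web-server logs: the Struts 2 action:/redirect:/redirectAction: prefixes carrying an OGNL expression (CVE-2013-2251) and shell metacharacters in the Sophos Web Appliance domain parameter to end-user/index.php (CVE-2013-4983). The triage script below is an added example, not vendor code; its rules are derived from the descriptions above rather than from any particular exploit, and the log lines are constructed for illustration.

```python
"""
Access-log triage for CVE-2013-2251 (Struts 2 OGNL prefixes) and
CVE-2013-4983 (Sophos Web Appliance `domain` parameter). Added example,
not vendor code; rules follow the vulnerability descriptions, and the
sample log is constructed.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Combined-log-format prefix; only the request target and client are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

STRUTS_PREFIXES = ("action:", "redirect:", "redirectAction:")
OGNL_MARKERS = ("${", "%{")          # OGNL expression delimiters
SHELL_META = set(";|&`$\n")           # metacharacters a shell would interpret


def query_chunks(target: str) -> list:
    """Split the query on '&' and percent-decode each chunk whole, so an
    OGNL expression living in a parameter *name* (which itself contains
    '=') is not cut in half by a key/value parser."""
    query = urlsplit(target).query
    return [unquote_plus(chunk) for chunk in query.split("&") if chunk]


def struts_ognl_prefix(target: str) -> bool:
    """CVE-2013-2251: a parameter starting with one of the DefaultActionMapper
    prefixes and carrying an OGNL expression marker."""
    return any(chunk.startswith(STRUTS_PREFIXES)
               and any(m in chunk for m in OGNL_MARKERS)
               for chunk in query_chunks(target))


def sophos_domain_metachar(target: str) -> bool:
    """CVE-2013-4983: shell metacharacters in `domain` sent to end-user/index.php."""
    if not urlsplit(target).path.endswith("/end-user/index.php"):
        return False
    for chunk in query_chunks(target):
        name, _, value = chunk.partition("=")
        if name == "domain" and SHELL_META.intersection(value):
            return True
    return False


RULES = {
    "CVE-2013-2251 struts-ognl-prefix": struts_ognl_prefix,
    "CVE-2013-4983 sophos-domain-metachar": sophos_domain_metachar,
}


def triage(lines) -> list:
    """Return (rule, client_ip, request_target) for every matching line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, rule in RULES.items():
            if rule(m["target"]):
                hits.append((name, m["ip"], m["target"]))
    return hits


# Constructed sample: two Struts probes, one Sophos injection attempt, and
# two benign requests that share the same parameter names.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2013:10:01:02 +0000] "GET /struts2-showcase/index.action?redirect:%24%7B1%2B1%7D HTTP/1.1" 302 0
10.0.0.5 - - [17/Sep/2013:10:01:07 +0000] "GET /index.action?action:%25%7B%23a%3D%27x%27%7D HTTP/1.1" 200 512
192.0.2.9 - - [17/Sep/2013:10:02:00 +0000] "GET /end-user/index.php?c=blocked&domain=example.com%3Bid HTTP/1.1" 200 1024
192.0.2.9 - - [17/Sep/2013:10:02:30 +0000] "GET /end-user/index.php?c=blocked&domain=example.com HTTP/1.1" 200 1024
198.51.100.7 - - [17/Sep/2013:10:03:00 +0000] "GET /index.action?redirect=/home HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    for rule, ip, target in triage(SAMPLE_LOG):
        print(f"{rule:<40} {ip:<14} {target}")
```

This only sees what the access log records: GET query strings, not POST bodies, and nothing behind a TLS-terminating proxy that does not forward the full request. Treat a hit as a reason to check the host's patch level and hunt for follow-on activity (child processes of the web server, new files in the web root), not as proof of compromise, and treat the absence of hits as no evidence at all; the fix for both items is the vendor patch.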
MOST PREVALENT MALWARE FILES 9/10/2013 - 9/17/2013
SHA 256: CB6873925C7ABF41B494B722D6FA350938800B9BD877A251DE7767E391200F65
MD5: 2c2c06dedc3a3b089d6e8813b2d49b04
VirusTotal: https://www.virustotal.com/file/CB6873925C7ABF41B494B722D6FA350938800B9BD877A251DE7767E391200F65/analysis/
Typical Filename: NirCmd
Claimed Product: NirCmd
Claimed Publisher: NirCmd
SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal: https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B/analysis/
Typical Filename: m3SrchMn
Claimed Product: m3SrchMn
Claimed Publisher: m3SrchMn
SHA 256: D14B66BD4C4C8F66A6EDF2820FD4162D09B326BEAF6A42014596571E81A1A503
MD5: 68b7f7a26b76805432e3d50009d2ab1f
VirusTotal: https://www.virustotal.com/file/D14B66BD4C4C8F66A6EDF2820FD4162D09B326BEAF6A42014596571E81A1A503/analysis/
Typical Filename: harfst.exe
Claimed Product: harfst.exe
Claimed Publisher: harfst.exe
SHA 256: 055788EB475E7AC5EA2E03383D3F95BCC88D62F06E4456A5F5DD6B9E78506AB5
MD5: 12336775941d49ce6a4d6f391cb5e02f
VirusTotal: https://www.virustotal.com/file/055788EB475E7AC5EA2E03383D3F95BCC88D62F06E4456A5F5DD6B9E78506AB5/analysis/
Typical Filename: WebCakeDesktop.exe
Claimed Product: WebCakeDesktop.exe
Claimed Publisher: WebCakeDesktop.exe
SHA 256: E83A61AE6CFED6861AFDFA73CA41B0000BFCFD4FF710B8C0067805024286CD07
MD5: 8bc3498a39fb2d290a8975fd5419eb55
VirusTotal: https://www.virustotal.com/file/E83A61AE6CFED6861AFDFA73CA41B0000BFCFD4FF710B8C0067805024286CD07/analysis/
Typical Filename: 8bc3498a39fb2d290a8975fd5419eb55
Claimed Product: 8bc3498a39fb2d290a8975fd5419eb55
Claimed Publisher: 8bc3498a39fb2d290a8975fd5419eb55