@RISK: The Consensus Security Vulnerability Alert
Week 37 2013



This is a weekly newsletter that provides in-depth analysis of
the latest vulnerabilities with straightforward remediation advice. Qualys
supplies a large part of the newly-discovered vulnerability content used in
this newsletter.

CONTENTS
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES /3/2013 - 9/10/2013


TOP VULNERABILITY THIS WEEK: A Metasploit module emerged this week for
a vulnerability silently patched by Microsoft in their July bulletin
set. While the vulnerability is restricted to Internet Explorer 8, the
publication of a simple exploit ensures that it will be used in the wild
immediately.


NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Microsoft releases huge pile of patches
Description: Microsoft's monthly patch release this week contained a
whopping 47 CVEs, spread across 13 total bulletins. Only a single one
of the vulnerabilities was listed as having been previously disclosed,
with no note on in-the-wild exploitation on any of the bugs. The
patches, which run the gamut from privilege escalation to remote code
execution, are certain to present fertile ground for attackers going
forward, with exploits likely to emerge for at least some of the bugs
in the near future.
Reference:
http://technet.microsoft.com/en-us/security/bulletin/ms13-sep
http://vrt-blog.snort.org/2013/09/microsoft-update-tuesday-september-2013.html
Snort SID: 27818-27846, 27850-27860
ClamAV: HTML.Exploit.CVE_2013_3205, DOC.Exploit.CVE_2013_3852,
HTML.Exploit.CVE_2013_3204, HTML.Exploit.CVE_2013_3205,
BC.Exploit.CVE_2013_3206, XML.Exploit.CVE_2013_3137,
Xls.Exploit.CVE_2013_3158-1, HTML.Exploit.CVE_2013_3209,
Html.Exploit.CVE_2013_3845, Xls.Exploit.CVE_2013_1315,
Win.Exploit.CVE_2013_0810

Title: Silently patched Internet Explorer 8 exploit now has Metasploit
module
Description: After being discovered by security researcher Orange Tsai
earlier this year, and discussed at Hitcon 2013, a bug in Internet
Explorer version 8 is gaining new life this week, with a fully
functional Metasploit module for the attack being made public. Though
the issue was silently patched in Microsoft bulletin MS13-055 this July,
the widespread availability of a working attack makes it considerably
more likely that exploitation will occur in the wild in the near future.
Reference:
https://github.com/rapid7/metasploit-framework/commit/c3db41334bc510cf03cb99abdcfc6e4c8a11d8d6
https://speakerd.s3.amazonaws.com/presentations/0df98910d26c0130e8927e81ab71b214/for-share.pdf
Snort SID: 26666, 27908, 27909
ClamAV:

Title: Dropbox presents ASLR bypass for other programs when installed
Description: An independent security researcher this week made public a
surprising consequence of running the popular Dropbox file-sharing
software: doing so, at least on 32-bit systems, presents an ASLR-free
zone for exploiting other high-risk applications, such as web browsers
or file sharing clients. Specifically, Dropbox injects itself in DLL
form into open windows, and as such can be used by exploits targeting
the injected processes for code execution techniques that are typically
mitigated by ASLR. Mitigation includes using EMET to force ASLR on all
processes system-wide.
Reference:
http://codeinsecurity.wordpress.com/2013/09/09/installing-dropbox-prepare-to-lose-aslr/
Snort SID: N/A
ClamAV: N/A
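The Dropbox item above turns on one PE header bit: a DLL only participates in ASLR if its linker set IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in the optional header's DllCharacteristics field, and a module without that bit lands at its preferred base in every process it is injected into. The following Python is an added example, not code from the newsletter, Sourcefire or the cited blog post; it reads that field directly from the PE headers so an administrator can audit the modules loaded into a browser (or any other process) for ASLR and DEP opt-in before deciding whether EMET's mandatory ASLR is needed. The build_test_image helper is an assumption of this example: it fabricates minimal, non-loadable PE header blobs so the checker runs offline without a real DLL.

```python
import struct
import sys

# Flag bits from the PE/COFF specification (IMAGE_OPTIONAL_HEADER.DllCharacteristics)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated at load (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP compatible
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field from a PE image's optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # 4-byte signature, then 20-byte COFF file header, then the optional header
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+
    return struct.unpack_from("<H", data, opt + 70)[0]


def aslr_report(data: bytes) -> dict:
    """Summarise the two mitigation opt-in bits a defender cares about."""
    flags = dll_characteristics(data)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def audit_files(paths) -> list:
    """Read each file and return (path, report) pairs; unreadable/non-PE files are skipped."""
    results = []
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results.append((path, aslr_report(fh.read())))
        except (OSError, ValueError):
            continue
    return results


def build_test_image(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed test data: a minimal PE header with the given DllCharacteristics.

    This is a hypothetical helper for the example; the blob is not a loadable image,
    it only has enough structure for dll_characteristics() to parse.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine=i386, no sections, no symbols, optional header size, characteristics
    opt_size = 112 if pe32plus else 96
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python aslr_audit.py C:\path\to\module1.dll C:\path\to\module2.dll
        for path, rep in audit_files(sys.argv[1:]):
            print("%-50s ASLR=%-5s DEP=%s" % (path, rep["aslr"], rep["dep"]))
    else:
        # Demo on constructed images: one fully opted in, one with DEP but no ASLR
        for label, chars in (("opted-in", 0x0140), ("no-ASLR", 0x0100)):
            print(label, aslr_report(build_test_image(chars)))
```

A module that reports ASLR=False here behaves like the Dropbox DLL described above: it will be at a predictable address in every process it is loaded into, which is exactly the condition EMET's mandatory ASLR setting is meant to remove. Listing the modules actually loaded into a running process is a separate step (Process Explorer, or tasklist /m on Windows) that this example does not cover.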


USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

How to crack Cobalt Strike and backdoor it:
http://blog.strategiccyber.com/2013/09/05/how-to-crack-cobalt-strike-and-backdoor-it/

Polishing Chrome for fun and profit:
https://labs.mwrinfosecurity.com/system/assets/538/original/mwri_polishing-chrome-slides-nsc_2013-09-06.pdf

Obad.a now being distributed via mobile botnets:
http://www.securelist.com/en/blog/8131/Obad_a_Trojan_now_being_distributed_via_mobile_botnets

Fun with VMware Utilities: vmware_mount exploit (CVE-2013-1662):
https://community.rapid7.com/community/metasploit/blog/2013/09/04/cve-2013-1662-vmware-mount-exploit

Large botnet cause of recent Tor network overload:
http://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/

Users get routed: traffic correlation on Tor by realistic adversaries:
http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf

Cross-site web socket hijacking:
http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html

Scammers pop up in Android's calendar app:
http://www.webroot.com/blog/2013/09/09/scammers-pop-androids-calendar-app/

MIPS Linux routers use dummy get_cycles() implementation, weakening randomness:
https://lists.openwrt.org/pipermail/openwrt-devel/2013-September/021318.html

Allowing low-privileged users to create directories in "C:\":
http://labs.portcullis.co.uk/blog/allowing-low-privileged-users-to-create-directories-in-c/


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: CVE-2013-2367
Title: HP SiteScope Remote Code Execution
Vendor: HP
Description: Multiple unspecified vulnerabilities in HP SiteScope 11.20
and 11.21, when SOAP is used, allow remote attackers to execute
arbitrary code via unknown vectors, aka ZDI-CAN-1678.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-3184
Title: Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free (MS13-059)
Vendor: Microsoft
Description: Microsoft Internet Explorer 7 through 10 allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption) via a crafted web site, aka "Internet Explorer Memory
Corruption Vulnerability."
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2370
Title: HP LoadRunner Remote Code Execution
Vendor: HP
Description: Unspecified vulnerability in HP LoadRunner before 11.52
allows remote attackers to execute arbitrary code via unknown vectors,
aka ZDI-CAN-1671.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

ID: Not Available
Title: Joomla! Unauthorised Uploads
Vendor: Joomla!
Description: Inadequate filtering leads to the ability to bypass file
type upload restrictions.
Affects: Joomla! version 2.5.13 and earlier 2.5.x versions; and version
3.1.4 and earlier 3.x versions
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2251
Title: Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Vendor: Apache
Description: Apache Struts 2.0.0 through 2.3.15 allows remote attackers
to execute arbitrary OGNL expressions via a parameter with a crafted (1)
action:, (2) redirect:, or (3) redirectAction: prefix.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
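Because CVE-2013-2251 is triggered by the name of a request parameter rather than its value, it is one of the easier Struts issues to hunt for in existing web server logs. The Python below is an added example, not code from the newsletter or from the Qualys or Apache teams: it walks access log lines in the common combined format, decodes each query parameter name once, and reports any request whose parameter name begins with one of the three prefixes named in the description. The log lines are constructed sample data for the example, not captured traffic, and the benign values in them are placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The three DefaultActionMapper prefixes the advisory lists as OGNL-evaluated
DANGEROUS_PREFIXES = ("action:", "redirect:", "redirectAction:")

# Constructed sample access log (combined format); not real traffic.
# Line 2 carries the prefix raw, line 3 carries it percent-encoded, line 4 has
# the word only inside a parameter *value* and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2013:10:01:02 +0000] "GET /app/index.action?name=bob HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Sep/2013:10:01:03 +0000] "GET /app/index.action?redirect:%2Fsomewhere HTTP/1.1" 302 0 "-" "curl/7.30"
10.0.0.9 - - [10/Sep/2013:10:01:04 +0000] "POST /app/login.action?redirectAction%3Afoo=1 HTTP/1.1" 200 12 "-" "curl/7.30"
10.0.0.7 - - [10/Sep/2013:10:01:05 +0000] "GET /app/list.action?sort=redirect:asc HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+"'
)


def param_has_dangerous_prefix(name: str) -> bool:
    """True if a parameter name starts with an OGNL-evaluated prefix.

    The name is checked both as decoded by parse_qsl and after one more
    unquote() so a double-encoded colon (%253A) is still caught.
    """
    for candidate in (name, unquote(name)):
        if candidate.startswith(DANGEROUS_PREFIXES):
            return True
    return False


def find_prefix_hits(log_text: str) -> list:
    """Return one dict per log line whose query string carries a dangerous parameter name."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        # keep_blank_values so "redirect:/x" with no '=' still yields a name
        for name, _value in parse_qsl(query, keep_blank_values=True):
            if param_has_dangerous_prefix(name):
                hits.append({
                    "line": lineno,
                    "ip": m.group("ip"),
                    "method": m.group("method"),
                    "param": unquote(name),
                })
                break  # one hit per request is enough for triage
    return hits


if __name__ == "__main__":
    for hit in find_prefix_hits(SAMPLE_LOG):
        print("line %(line)d  %(ip)s  %(method)s  param=%(param)s" % hit)
```

Only GET-style query strings are visible in an access log; a prefix smuggled in a POST body will not appear here, so this check is a log-review aid, not a substitute for moving off the 2.0.0 through 2.3.15 range the description names. The fourth sample line shows the main false-positive trap: the prefix has to lead the parameter name, so "sort=redirect:asc" is ordinary data and is correctly ignored.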


MOST PREVALENT MALWARE FILES /3/2013 - 9/10/2013 COMPILED BY SOURCEFIRE

SHA 256: CB6873925C7ABF41B494B722D6FA350938800B9BD877A251DE7767E391200F65
MD5: 2c2c06dedc3a3b089d6e8813b2d49b04
VirusTotal:
https://www.virustotal.com/file/CB6873925C7ABF41B494B722D6FA350938800B9BD877A251DE7767E391200F65/analysis/

Typical Filename: NirCmd
Claimed Product: NirCmd
Claimed Publisher: NirCmd

SHA 256: CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B
MD5: 7961a56c11ba303f20f6a59a506693ff
VirusTotal:
https://www.virustotal.com/file/CB85D393C4E0DB5A1514C21F9C51BA4C12D82B7FABD9724616758AE528A5B16B/analysis/

Typical Filename: m3SrchMn
Claimed Product: m3SrchMn
Claimed Publisher: m3SrchMn

SHA 256: D14B66BD4C4C8F66A6EDF2820FD4162D09B326BEAF6A42014596571E81A1A503
MD5: 68b7f7a26b76805432e3d50009d2ab1f
VirusTotal:
https://www.virustotal.com/file/D14B66BD4C4C8F66A6EDF2820FD4162D09B326BEAF6A42014596571E81A1A503/analysis/

Typical Filename: fcjdnu.exe
Claimed Product: fcjdnu.exe
Claimed Publisher: fcjdnu.exe

SHA 256: E83A61AE6CFED6861AFDFA73CA41B0000BFCFD4FF710B8C0067805024286CD07
MD5: 8bc3498a39fb2d290a8975fd5419eb55
VirusTotal:
https://www.virustotal.com/file/E83A61AE6CFED6861AFDFA73CA41B0000BFCFD4FF710B8C0067805024286CD07/analysis/

Typical Filename: 8bc3498a39fb2d290a8975fd5419eb55
Claimed Product: 8bc3498a39fb2d290a8975fd5419eb55
Claimed Publisher: 8bc3498a39fb2d290a8975fd5419eb55

SHA 256: 6DDD0C3C4CC0A59E91964177139E979EF2D47C6C4645AADAC6A7A99A0DB16D12
MD5: e6daf677556826186b78b03d035be182
VirusTotal:
https://www.virustotal.com/file/6DDD0C3C4CC0A59E91964177139E979EF2D47C6C4645AADAC6A7A99A0DB16D12/analysis/

Typical Filename: e6daf677556826186b78b03d035be182
Claimed Product: e6daf677556826186b78b03d035be182
Claimed Publisher: e6daf677556826186b78b03d035be182
