@RISK Newsletter for June 27, 2013
The consensus security vulnerability alert.
Vol. 13, Num. 26
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newletter Archive.
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 6/18/2013 - 6/25/2013
TOP VULNERABILITY THIS WEEK: A massive dump of malware source code hit
the Internet this week, with well-known banker trojan Carberp having it
source disclosed for the first time ever. The disclosure is likely to
spawn a series of derivative pieces of malware, even as it allows
security researchers to improve detection for existing strains.
NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Carberp, other malware sources leaked
Description: For the first time ever, the notorious banker trojan
Carberp has had its source code publicly leaked, after it had been on
sale in underground forums for as much as $50,000. The dissemination of
the source code means that many more variants are likely to begin
appearing soon, as the barrier to entry for creating derivatives of the
trojan has been substantially lowered. Defensive companies are currently
poring through the source, looking for improved ways to detect existing
variants of Carberp and other included malware families.
Reference:
http://touchmymalware.blogspot.ru/2013/06/carberp-source-code-now-leaked.html
http://www.kernelmode.info/forum/viewtopic.php?p=19792#p19792
http://www.xylibox.com/2013/06/carberp-archive.html
Snort SID: 18098 18099 19368 19369 19370 19041
ClamAV: Win.Trojan.Carberp-*
Title: Microsoft launches bug bounty program, paying up to $100,000 per
exploit
Description: In a major policy shift, Microsoft announced its first ever
bug bounty program, in which it will pay researchers who discover
vulnerabilities in Microsoft software. The program is multi-tiered, with
additional cash being given for functional exploits, and $50,000 being
available for those who can present mitigations for the bugs they
discover.
Reference:
http://blogs.technet.com/b/srd/archive/2013/06/17/new-bounty-program-details.aspx
http://www.wired.com/threatlevel/2013/06/microsoft-bug-bounty-program/
Snort SID: N/A
ClamAV: N/A
Title: Fake BlackBerry Messenger app on Google Play market downloaded
100,000 times
Description: Playing on a public announcement of an official BlackBerry
Messenger app to be released June 27, a rogue app appeared this week on
the Google Play store, claiming to be this new application and declaring
a creator name of “RIM” (despite Resarch in Motion’s recent name change
to BlackBerry). While the app was quickly pulled by Google, and damage
appears at this point in time to have been limited to nonexistent, it
highlights how rapidly problems can spread through mobile ecosystems,
even in the context of official markets.
Reference:
http://androidcommunity.com/blackberry-messenger-app-fake-tricks-thousands-before-being-pulled-20130624/
Snort SID: N/A
ClamAV: N/A
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Malicious ads infect 65 web sites, drop ZeroAccess:
https://threatpost.com/malicious-ads-infect-65-websites-drop-zeroaccess-trojan/
GitHub hacking for fun and…sensitive data search!
http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html
Post-PC attack site: only interested in smartphones/tablets:
http://www.f-secure.com/weblog/archives/00002569.html
New boutique iframe crypting service spotted in the wild:
http://blog.webroot.com/2013/06/18/new-boutique-iframe-crypting-service-spotted-in-the-wild/
Metasploit: man in the middle through PPTP tunnel:
http://www.shelliscoming.com/2013/06/metasploit-man-in-middle-through-pptp.html
Malware monetization scheme through parked domains:
http://ddanchev.blogspot.jp/2013/06/bogus-shocking-video-content-at-scribd.html
Remoting Android applications for fun and profit:
http://kaiyou.fr/files/2013/06/main.pdf
Cracking IPMI passwords remotely:
http://fish2.com/ipmi/remote-pw-cracking.html
Cracking iPhone hotspot passwords in 50 seconds:
http://thehackernews.com/2013/06/cracking-iphone-hotspot-passwords-in-50.html
Adobe XFA exploits for all:
http://immunityproducts.blogspot.com/2013/06/adobe-xfa-exploits-for-all-first-part.html
Metasploit forensics: recovering deleted files (NTFS):
http://www.shelliscoming.com/2013/05/metasploit-forensics-recovery-deleted.html
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2013-3576
Title: HP System Management Homepage JustGetSNMPQueue Command Injection
Vendor: HP
Description: ginkgosnmp.inc in HP System Management Homepage (SMH)
allows remote authenticated users to execute arbitrary commands via
shell metacharacters in the PATH_INFO to smhutil/snmpchp.php.en.
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
ID: CVE-2013-2551
Title: Microsoft Internet Explorer COALineDashStyleArray Integer
Overflow (MS13-009)
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
6 through 10 allows remote attackers to execute arbitrary code via a
crafted web site that triggers access to a deleted object, as
demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013,
aka “Internet Explorer Use After Free Vulnerability,” a different
vulnerability than CVE-2013-1308 and CVE-2013-1309.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2012-1533
Title: Java Web Start Double Quote Injection Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update
35 and earlier, allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors related to Deployment.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-1311
Title: Microsoft Internet Explorer textNode Use-After-Free
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
8 allows remote attackers to execute arbitrary code via a crafted web
site that triggers access to a deleted object, aka “Internet Explorer
Use After Free Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-1559
Title: Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code
Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Oracle WebCenter Content
component in Oracle Fusion Middleware 10.1.3.5.1 and 11.1.1.6.0 allows
remote authenticated users to affect availability via unknown vectors
related to Content Server.
CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)
ID: CVE-2013-2423
Title: Java Applet Reflection Type Confusion Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 Update 17 and earlier, and OpenJDK
7, allows remote attackers to affect integrity via unknown vectors
related to HotSpot. NOTE: the previous information is from the April
2013 CPU. Oracle has not commented on claims from the original
researcher that this vulnerability allows remote attackers to bypass
permission checks by the MethodHandles method and modify arbitrary
public final fields using reflection and type confusion, as demonstrated
using integer and double fields to disable the security manager.
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
MOST PREVALENT MALWARE FILES 6/18/2013 - 6/25/2013 COMPILED BY SOURCEFIRE
SHA 256: B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal:
https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/
Typical Filename: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Product: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Publisher: 573b6cc513e1b7cd9e35b491eacc38f3
SHA 256: 9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F
MD5: 3ff52cee72b936c56b4fbb9f970ece74
VirusTotal:
https://www.virustotal.com/file/9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F/analysis/
Typical Filename: wintdiyx.exe
Claimed Product: wintdiyx.exe
Claimed Publisher: wintdiyx.exe
SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal:
https://www.virustotal.com/file/0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/
Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe
SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal:
https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/
Typical Filename: lmlkl.sys
Claimed Product: lmlkl.sys
Claimed Publisher: lmlkl.sys
SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal:
https://www.virustotal.com/file/DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/
Typical Filename: File_0_2.ok
Claimed Product: File_0_2.ok
Claimed Publisher: File_0_2.ok