Search

See Resources

@RISK Newsletter for October 03, 2013 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 13, Num. 40

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES 9/24/2013 - 10/1/2013


TOP VULNERABILITY THIS WEEK: A serious, long-term intrusion into several

large data brokers was unveiled this week by independent security
reporter Brian Krebs, who identified these breaches as the source of
data for identity theft service SSNDOB. The compromises, which are still
being investigated, are likely to have led to the disclosure of personal
information on millions of Americans.


NOTABLE RECENT SECURITY ISSUES SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Identity theft service discovered breaking into several data
brokers
Description: Independent security reporter Brian Krebs last week broke
the news last week that the notorious underground identity theft service
SSNDOB had gained access to several major personal and business data
aggregation services, including Lexis/Nexis and Dun & Bradstreet. The
intrusions, which were ongoing for at least several months, used malware
that exfiltrated data via an encrypted channel to attacker-controlled
systems. Investigations by the impacted firms are ongoing, but the scope
of the damage is expected to be extremely widespread.
Reference:
https://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/
Snort SID: 28085
ClamAV:

Title: Rapid7, University of Michigan release unprecedented scan data
Description: A collaboration between the creators of Metasploit and the
University of Michigan last week is providing security researchers with
massive data sets collected through responsible, detailed scanning of
large sections of the Internet. The project, which aims to expose poor
security practices and help clear up issues such as the 10,000 root
shells available via Telnet found during the scans, is so far receiving
positive reviews from other researchers, and is likely to grow in scope
as others use the data provided by the project.
Reference:
http://threatpost.com/new-project-sonar-crowdsources-embedded-device-vulnerability-analysis/102457
https://community.rapid7.com/community/infosec/sonar/blog/2013/09/26/welcome-to-project-sonar
Snort SID: N/A
ClamAV: N/A

Title: Linksys WRT110 router remote command execution
Description: A trivially exploitable remote command execution
vulnerability, initially disclosed in July, had a Metasploit module
released last week, dramatically increasing the likelihood of widespread
exploitation in the wild. The bug, which likely applies to other related
firmware sets, can be exploited via the web without authentication. No
patches are available at this time.
Reference:
http://seclists.org/bugtraq/2013/Jul/78
http://www.exploit-db.com/exploits/28484/
Snort SID: 28052
ClamAV: N/A


USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Resources for getting started with iOS hacking:
http://winocm.com/research/2013/09/20/resources-for-getting-started/

CVE-2013-3122: from null to control - persistence pays off with crashes:
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/CVE-2013-3112-From-NULL-to-Control-Persistence-pays-off-with/ba-p/6217089#.Ukmb_sbktB1

http://privacy-pc.com/articles/from-russia-with-love-exe-the-russian-underground-hacking-culture.html

Large-scale detection of DOM-based XSS:
http://ben-stock.de/wp-content/uploads/domxss.pdf

Delivering an executable without an executable:
http://vrt-blog.snort.org/2013/09/delivering-executable-without-executable.html

CVE-2013-0640: Adobe Reader XFA oneOfChild uninitialized memory vulnerability:
http://labs.portcullis.co.uk/blog/cve-2013-0640-adobe-reader-xfa-oneofchild-un-initialized-memory-vulnerability-part-1/

Blind SQLi -> SQLi -> Command execution -> Meterpreter - based on a true story:
http://breenmachine.blogspot.com/2013/02/blind-sqli-sqli-command-execution.html

Mailbox.app JavaScript execution:
http://miki.it/blog/2013/9/24/mailboxapp-javascript-execution/

OSX/Leverage.a analysis:
http://www.alienvault.com/open-threat-exchange/blog/osx-leverage.a-analysis

Analysis of the FBI Tor malware:
http://oweng.myweb.port.ac.uk/fbi-tor-malware-analysis/


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM

This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.

ID: CVE-2013-3576
Title: HP System Management Homepage “ginkgosnmp.inc” Command Injection
Vulnerability
Vendor: HP
Description: ginkgosnmp.inc in HP System Management Homepage (SMH)
allows remote authenticated users to execute arbitrary commands via
shell metacharacters in the PATH_INFO to smhutil/snmpchp.php.en.
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

ID: CVE-2013-3205
Title: Microsoft Internet Explorer CCaret Use-After-Free (MS13-069)
Vendor: Microsoft
Description: Microsoft Internet Explorer 6 through 8 allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption) via a crafted web site, aka “Internet Explorer Memory
Corruption Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-0810
Title: Microsoft Windows Theme File Handling Arbitrary Code Execution
(MS13-071)
Vendor: Microsoft
Description: Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2,
Windows Vista SP2, and Windows Server 2008 SP2 allow remote attackers
to execute arbitrary code via a crafted screensaver in a theme file, aka
“Windows Theme File Remote Code Execution Vulnerability.”
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: Not Available
Title: Joomla! Unauthorised Uploads
Vendor: Joomla!
Description: Inadequate filtering leads to the ability to bypass file
type upload restrictions.
Affects Joomla! version 2.5.13 and earlier 2.5.x versions; and version
3.1.4 and earlier 3.x versions
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-2251
Title: Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
Vendor: Apache
Description: Apache Struts 2.0.0 through 2.3.15 allows remote attackers
to execute arbitrary OGNL expressions via a parameter with a crafted (1)
action: , (2) redirect:, or (3) redirectAction: prefix.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


MOST PREVALENT MALWARE FILES 9/24/2013 - 10/1/2013 COMPILED BY SOURCEFIRE

SHA 256: 055788EB475E7AC5EA2E03383D3F95BCC88D62F06E4456A5F5DD6B9E78506AB5
MD5: 12336775941D49CE6A4D6F391CB5E02F
VirusTotal:
https://www.virustotal.com/en/file/ 055788EB475E7AC5EA2E03383D3F95BCC88D62F06E4456A5F5DD6B9E78506AB5/analysis/

Typical Filename: WebCakeDesktop.exe
Claimed Product: WebCake Desktop
Claimed Publisher: Web Cake

SHA 256: 6090C85CF5750E141F2BD6D2334EC0EB79188E2DE05DE06235726E73C0B0D792
MD5: 2ebbe2521176388c7bc5365e197bf801
VirusTotal:
https://www.virustotal.com/en/file/ 6090C85CF5750E141F2BD6D2334EC0EB79188E2DE05DE06235726E73C0B0D792/analysis/

Typical Filename: -
Claimed Product: Application Manager
Claimed Publisher: MediaTechSoft Inc.

SHA 256: DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C
MD5: 25aa9bb549ecc7bb6100f8d179452508
VirusTotal:
https://www.virustotal.com/en/file/ DF83A0D6940600E4C4954F4874FCD4DD73E781E6690C3BF56F51C95285484A3C/analysis/

Typical Filename: -
Claimed Product: -
Claimed Publisher: -

SHA 256: AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615
MD5: 3291e1603715c47a23b60a8bf2ca73db
VirusTotal:
https://www.virustotal.com/en/file/ AA0BBAECB678868E1E7F57C7CA9D61B608B3D788BE490790EB1D148BEADF4615/analysis/

Typical Filename: 01.tmp
Claimed Product: -
Claimed Publisher: -

SHA 256: F09AFC177AFBC8E2D36A57D105D3F79A70EC2E36701C9759E19D54A009279F11
MD5: 3b7a992ae53ebb41dd1e566e4172e9c0
VirusTotal:
https://www.virustotal.com/en/file/ F09AFC177AFBC8E2D36A57D105D3F79A70EC2E36701C9759E19D54A009279F11/analysis/

Typical Filename: -
Claimed Product: -
Claimed Publisher: -


Email or call us at +1 800 745 4355 or try our Global Contacts
Subscription Packages
Qualys Solutions
Qualys Community
Company
Free Trial & Tools
Popular Topics