End-of-Shift report
Timeframe: Wednesday 25-09-2013 18:00 − Thursday 26-09-2013 18:00
Handler: Robert Waldner
Co-Handler: n/a
[papers] - Linux Classic Return-to-libc & Return-to-libc Chaining Tutorial
I decided to get a bit more into Linux exploitation, so I thought it would be nice if I document this, as a good friend once said: "you think you understand something until you try to teach it".
http://www.exploit-db.com/download_pdf/28553
[papers] - Understanding C Integer Boundaries (Overflows & Underflow)
This is my first try at writing papers. This paper is my understanding of the subject. I understand it might not be complete; I am open to suggestions and modifications. I hope this project helps others as it helped me.
http://www.exploit-db.com/download_pdf/28550
Blue Coat ProxySG / Security Gateway OS (SGOS) Two Denial of Service Vulnerabilities
Two vulnerabilities have been reported in Blue Coat ProxySG and Blue Coat Security Gateway OS (SGOS), which can be exploited by malicious people to cause a DoS (Denial of Service).
https://secunia.com/advisories/54999
Research shows IT blocking applications based on popularity not risk
Tactic leads to less popular, but still risky cloud-based apps freely accessing networks
http://www.csoonline.com/article/740363/research-shows-it-blocking-applications-based-on-popularity-not-risk?source=rss_application_security
Popular iOS e-mail app acquired by Dropbox has serious bug, researcher warns (Updated)
Code-execution vulnerability could open users to a series of serious attacks.
http://feeds.arstechnica.com/~r/arstechnica/security/~3/hFtmTj9wjFg/story01.htm
Security Issue in Ruby on Rails Could Expose Cookies
Versions 2.0 to 4.0 of the popular open source web framework Ruby on Rails are vulnerable to a web security issue involving cookies that could make it much easier for someone to log in to an app as another user.
http://threatpost.com/security-issue-in-ruby-on-rails-could-expose-cookies/102413
Analysis: The Icefog APT: Frequently Asked Questions
Here are answers to the most frequently asked questions related to Icefog, an APT operation targeting entities in Japan and South Korea.
http://www.securelist.com/en/analysis/204792307/The_Icefog_APT_Frequently_Asked_Questions
Cisco IOS Multiple Flaws Let Remote Users Deny Service
Multiple vulnerabilities were reported in Cisco IOS. A remote user can cause denial of service conditions.
http://www.securitytracker.com/id/1029087
Security Bulletin: Tivoli Endpoint Manager Security Compliance Analytics (SCA) is affected by multiple Java vulnerabilities
Security Compliance Analytics version 1.3 and prior is affected by multiple Java vulnerabilities. CVE(s):
CVE-2013-2463
CVE-2013-2465
CVE-2013-2471
Affected product(s) and affected version(s): Tivoli Endpoint Manager SCA 1.3 and earlier.
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_tivoli_endpoint_manager_security_compliance_analytics_sca_is_affected_by_multiple_java_vulnerabilities?lang=en_us
Java Security Vulnerabilities addressed in IBM Tivoli Netcool OMNIbus
Multiple vulnerabilities related to the Java JRE shipped by Tivoli Netcool/OMNIbus have been resolved. CVE(s): CVE-2012-0502, CVE-2012-0503, CVE-2012-0506, CVE-2012-0507, CVE-2011-3563, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501, CVE-2012-0505, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725, CVE-2012-1541, CVE-2012-1543, CVE-2012-3213, CVE-2012-4301, CVE-2012-4305, CVE-2013-0351, CVE-2013-0409,
https://www-304.ibm.com/connections/blogs/PSIRT/entry/java_security_vulnerabilitys_addressed_in_ibm_tivoli_netcool_omnibus?lang=en_us
Security Bulletin: GSKit Security Vulnerabilities addressed in IBM Tivoli Netcool OMNIbus
Several vulnerabilities related to the GSKit libraries used by Tivoli Netcool/OMNIbus have been resolved. CVE(s): CVE-2012-2190, CVE-2012-2191, CVE-2012-2333, CVE-2012-2203, CVE-2012-2131, CVE-2012-2110, CVE-2012-0884, CVE-2012-0050, CVE-2011-4108, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2011-3210, CVE-2011-0014, CVE-2010-3864, CVE-2013-0169, CVE-2013-0166, and CVE-2012-2686. Affected product(s) and affected version(s): Tivoli Netcool/OMNIbus 7.2.1 Tivoli
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_gskit_security_vulnerabilities_addressed_in_ibm_tivoli_netcool_omnibus?lang=en_us
Blue Coat ProxySG HTTP Request Processing Memory Leak Lets Remote Users Deny Service
A vulnerability was reported in Blue Coat ProxySG. A remote user can cause denial of service conditions.
A remote server can return specially crafted data to trigger a memory leak and cause the target device to drop or bypass traffic. HTML with a large number of recursively embedded HREF tags can trigger this flaw.
http://www.securitytracker.com/id/1029088
Nodejs js-yaml load() Code Execution
Topic: Nodejs js-yaml load() Code Execution
Risk: High
http://cxsecurity.com/issue/WLB-2013090177
InstantCMS 1.10.2 Multiple vulnerabilities
Topic: InstantCMS 1.10.2 Multiple vulnerabilities
Risk: Low
Text: Hello 3APA3A! These are Login Enumeration, Cross-Site Scripting and Content Spoofing vulnerabilities in InstantCMS. ...
http://cxsecurity.com/issue/WLB-2013090179
Boffins: Internet transit a vulnerability
Mirror, mirror on the port, is this something I can rort? If you think of an Internet exchange, you probably think of infrastructure that's well-protected, well-managed, and hard to compromise. The reality, however, might be different. According to research by Stanford University's Daniel Kharitonov, working with TraceVector's Oscar Ibatullin, there are enough vulnerabilities in routers and the like that the Internet exchange makes a target that's both attractive and exploitable.…
http://go.theregister.com/feed/www.theregister.co.uk/2013/09/26/boffins_internet_transit_a_vulnerability/
First Europol and Interpol cybercrime conference: leave the hunt to the private sector?
Leaving cybercrime investigations to private companies has some advantages, say company representatives. Law enforcement, however, wants to develop exactly the capabilities the private firms have, and to present its action plans to equally well-trained judges.
http://www.heise.de/newsticker/meldung/1-Cybercrime-Konferenz-von-Europol-und-Interpol-Die-Jagd-den-Privaten-ueberlassen-1966902.html
XEN - Information leak on AVX and/or LWP capable CPUs
When a guest increases the set of extended state components for a vCPU that are saved/restored via XSAVE/XRSTOR (to date this can only be the upper halves of the YMM registers, or AMD's LWP state) after already having touched other extended registers restored via XRSTOR (e.g. floating point or XMM ones) during its current scheduled CPU quantum, the hypervisor would make those registers accessible without discarding the values an earlier scheduled vCPU may have left in them.
http://lists.xenproject.org/archives/html/xen-announce/2013-09/msg00005.html
VLC 2.1 "Rincewind" is a major new version of our popular media player
Rincewind fixes around a thousand bugs, in more than 7000 commits from 140 volunteers.
http://www.videolan.org/vlc/releases/2.1.0.html
Google Hangouts sends messages to the wrong people
Google's chat tool Hangouts could currently lead to unintentionally embarrassing situations.
http://futurezone.at/produkte/google-hangouts-schickt-nachrichten-an-falsche-personen/28.430.509
IBM Rational ClearQuest JSON Hijacking and Cross-Site Request Forgery Vulnerabilities
https://secunia.com/advisories/55010
Microsoft releases the event and packet analyzer Message Analyzer
Message Analyzer, until now available only as a beta, is now available for download as version 1.0.
http://www.heise.de/newsticker/meldung/Microsoft-veroeffentlicht-Ereignis-und-Paketanalysator-Message-Analyzer-1967419.html
How do you monitor DNS?, (Thu, Sep 26th)
Personally, my "DNS Monitoring System" is a bunch of croned shell scripts and nagios, in desperate need of an overhaul. While working on a nice (maybe soon published) script to do this, I was wondering: What is everybody else using? The script is supposed to detect DNS outages and unauthorized changes to my domains. Here are some of the parameters I am monitoring now:
- changes to the zone's serial number
- changes to the NS records (using the TLD's name servers, not mine)
- changes
http://isc.sans.edu/diary.html?storyid=16661&rss
Blog: Icefog OpenIOC Release
OpenIOC rules for the IceFog campaign
http://www.securelist.com/en/blog/208214070/Icefog_OpenIOC_Release
Spear Phishing Poses Threat to Industrial Control Systems
While the energy industry may fear the appearance of another Stuxnet on the systems they use to keep oil and gas flowing and the electric grid powered, an equally devastating attack could come from a much more mundane source: phishing. Rather than worry about exotic cyber weapons like Stuxnet and its big brother, Flame, companies that have SCADA systems ... should make sure that their anti-phishing programs are in order, say security experts.
http://www.cio.com/article/740402/Spear_Phishing_Poses_Threat_to_Industrial_Control_Systems?taxonomyId=3089
Barracuda CudaTel Communication Server Cross-Site Scripting and SQL Injection Vulnerabilities
Vulnerability Lab has reported multiple vulnerabilities in Barracuda CudaTel Communication Server, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks.
https://secunia.com/advisories/54258
Emerson ROC800 Multiple Vulnerabilities
This advisory provides mitigation details for multiple vulnerabilities affecting Emerson Process Management's ROC800 remote terminal unit (RTU) products (ROC800, ROC800L, and DL8000).
http://ics-cert.us-cert.gov/advisories/ICSA-13-259-01