Daily summary - Tuesday 18-02-2014

End-of-Shift report

Timeframe: Monday 17-02-2014 18:00 - Tuesday 18-02-2014 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner

Wait a minute... that's not a real JPG!

When attackers compromise a website and want to harvest credit cards, they need to either find where the data is stored or capture the data in transit. This blog post shows how identifying files with false file signatures can uncover malicious activity on a server. I recently discovered credit card data hidden behind a .jpg extension that led me to the work of an attacker capturing credit cards from customers using an online checkout page.

http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/3m5-LV3n59k/wait-a-minute-thats-not-a-real-jpg.html
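The check the post describes, as an added example that is not code from the SpiderLabs article: compare each file's extension with its leading bytes (magic number) and flag files that claim to be images but are not. The magic table, the sample "files" and the text heuristic are constructed for this example.

```python
# Added example (not from the SpiderLabs post): flag files whose extension
# promises an image but whose leading bytes (magic number) say otherwise.
import os

# Magic numbers for the extensions this check understands. Assumption: these
# are the only image types present in the scanned web root.
MAGIC = {
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".gif":  [b"GIF87a", b"GIF89a"],
}

def classify(name, head):
    """Return 'ok', 'mismatch' or 'unknown' for a filename and its first bytes."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        return "unknown"
    return "ok" if any(head.startswith(m) for m in MAGIC[ext]) else "mismatch"

def looks_like_text(head):
    """Crude heuristic: a 'JPG' made entirely of printable ASCII deserves a look."""
    return bool(head) and all(32 <= b < 127 or b in b"\r\n\t" for b in head)

def scan(files):
    """files: dict of name -> leading bytes. Returns [(name, verdict, hint)]."""
    findings = []
    for name, head in files.items():
        if classify(name, head) == "mismatch":
            hint = "printable text" if looks_like_text(head) else "non-image binary"
            findings.append((name, "mismatch", hint))
    return findings

def scan_dir(root, nbytes=16):
    """Walk a directory and run scan() over the first nbytes of every file."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            with open(path, "rb") as fh:
                files[path] = fh.read(nbytes)
    return scan(files)

# Constructed sample "files" (only their leading bytes matter here).
SAMPLE_FILES = {
    "images/logo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "images/banner.png": b"\x89PNG\r\n\x1a\n\x00\x00",
    "images/cache/ad.jpg": b"order=1001;pan=4111111111111111;exp=12/16\n",  # test PAN
    "images/cache/th.jpg": b"MZ\x90\x00\x03\x00\x00\x00",  # PE header, not an image
}
```

Running `scan(SAMPLE_FILES)` reports the two cache files as mismatches; `scan_dir("/var/www")` applies the same check to a real tree. A hit is a lead to investigate, not proof of compromise, since legitimately misnamed files also trigger it.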


[2014-02-18] Critical vulnerabilities in Symantec Endpoint Protection

Attackers are able to completely compromise the Symantec Endpoint Protection Manager server, as they can gain access at the system and database level because of critical XXE and SQL injection vulnerabilities. Furthermore, attackers can manage all endpoints and possibly deploy attacker-controlled code on clients.

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt


Scanning for Symantec Endpoint Manager, (Mon, Feb 17th)

Last week, we mentioned a new vulnerability in Symantec Endpoint Protection Management. According to Symantec's advisory, this product listens on ports 9090 and 8443/TCP. Both ports are scanned regularly for various vulnerabilities, in particular 8443, as it is frequently used by web servers as an alternative to 443. However, on February 7th, we detected a notable increase in scans for both ports.

http://isc.sans.edu/diary.html?storyid=17657&rss


GE Proficy Vulnerabilities

OVERVIEW
Researchers amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI) have identified two vulnerabilities in the General Electric (GE) Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) - CIMPLICITY application. GE has released security advisories, GEIP13-05 and GEIP13-06, to inform customers about these vulnerabilities. These vulnerabilities could be exploited remotely.

http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01


PHP Backdoors: Hidden With Clever Use of Extract Function

When a site gets compromised, one thing we know for sure is that attackers love to leave malware that allows them access back to the site; this type of malware is called a backdoor.

http://feedproxy.google.com/~r/sucuri/blog/~3/kPCRBZwe1mQ/php-backdoors-hidden-with-clever-use-of-extract-function.html


A journey to CVE-2014-0497 exploit

Last week we published a blog post about a CVE-2013-5330 exploit. We've also recently seen a new, similar attack targeting a patched Adobe Flash Player vulnerability (CVE-2014-0497). The vulnerability related to this malware was addressed with a patch released by Adobe on February 4, 2014. Flash Player versions 12.0.0.43 and earlier are vulnerable. We analyzed how these attacks work and found the following details.

http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-0497-exploit.aspx


WordPress two-factor login plugin bug, er, bypasses 2-factor login

Cross-site vulnerability exposes bloggers
The maker of a popular plugin that provides two-factor authentication for WordPress bloggers is preparing an update after finding a vulnerability in its system. It advises that anyone using two-factor plugins from any vendor needs to check their security strength.

http://go.theregister.com/feed/www.theregister.co.uk/2014/02/18/wordpress_2fa_bug_can_bypass_authentication/


VU#656302: Belkin Wemo Home Automation devices contain multiple vulnerabilities

Vulnerability Note VU#656302
Belkin Wemo Home Automation devices contain multiple vulnerabilities
Original Release date: 18 Feb 2014 | Last revised: 18 Feb 2014

Overview
Belkin Wemo Home Automation devices contain multiple vulnerabilities.

Description
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2013-6952
Belkin Wemo Home Automation firmware contains a hard-coded cryptographic key and password. An attacker may be able to extract the key and password to sign a malicious firmware

http://www.kb.cert.org/vuls/id/656302


SSA-892342 (Last Update 2014-02-18): Denial-of-Service Vulnerability in RuggedCom ROS-based Devices

Summary: A potential vulnerability might allow attackers to perform a Denial-of-Service attack over the network without authentication on RuggedCom products running ROS. RuggedCom and Siemens address this issue with a firmware update.

AFFECTED PRODUCTS
All RuggedCom ROS-based devices with:
- All ROS versions before 3.11
- ROS 3.11 (for RS950G): all versions
- ROS 3.12: all versions < ROS v3.12.4
- ROS 4.0 (for RSG2488)

https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-892342.pdf


Exploit Released for Vulnerability Targeted By Linksys Router Worm

Technical details about a vulnerability in Linksys routers that's being exploited by a new worm were released on Sunday, along with a proof-of-concept exploit and a larger-than-expected list of potentially vulnerable device models.

http://www.cio.com/article/748352/Exploit_Released_for_Vulnerability_Targeted_By_Linksys_Router_Worm?taxonomyId=3089