End-of-Shift report
Timeframe: Tuesday 02-09-2014 18:00 − Wednesday 03-09-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a
Bugtraq: Defense in depth -- the Microsoft way (part 18): Microsoft Office 2010 registers command lines with unquoted pathnames
Microsoft Office 2010 registers the following command lines with unquoted
pathnames containing spaces for various supported file types:
http://www.securityfocus.com/archive/1/533317
Quick Analysis of a DDoS Attack Using SSDP
Last week, one of our many clients came under an interesting attack. Enough that it was flagged for human intervention. The interesting aspect of the case was that it was a multi-faceted DDoS attack. The first issue we noticed was a Layer 7, HTTP Flood Attack, Distributed Denial of Service (DDoS) attack ...
http://blog.sucuri.net/2014/09/quick-analysis-of-a-ddos-attack-using-ssdp.html
New international cybercrime unit, J-CAT, launches pilot program
A new European cybercrime organization, the Joint Cybercrime Action Taskforce (J-CAT), announced the launch of its six-month pilot program yesterday.
The group will investigate global cybercrime threats and targets, according to a release. The Federal Bureau of Investigation (FBI) and the U.K.'s National Crime Agency (NCA) have partnered up to create the unit. Other countries, including Canada and Australia, have signed on to the initiative.
http://www.scmagazine.com/new-international-cybercrime-unit-j-cat-launches-pilot-program/article/369320/
ShadowServer Scans Confirm Scale of Netis Threat
Our friends at the ShadowServer Foundation are now scanning for the Netcore/Netis router backdoor which we found in August. Their findings are in line with what we published then: that the vast majority of those affected are in China, with more than a million scanned IP addresses currently affected by this threat.
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/CSrl4YNzdgE/
Firefox 32 released, time to update
Firefox 32 released, time to update - now with support for Public Certificate Pinning. Release notes here:
https://www.mozilla.org/en-US/firefox/32.0/releasenotes/
https://isc.sans.edu/diary.html?storyid=18609&rss
IBM Security Bulletin: Missing access restriction on service types in IBM Business Process Manager (BPM) and WebSphere Lombardi Edition (CVE-2014-4758)
When invoking a service using the callService URL, there is no access restriction based on the service type and services that were meant for internal use only are available for authenticated users.
CVE(s): CVE-2014-4758
Affected product(s) and affected version(s):
IBM Business Process Manager Standard V7.5.x, 8.0.x, 8.5.x
IBM Business Process Manager Express V7.5.x, 8.0.x, 8.5.x
IBM Business Process Manager Advanced V7.5.x, 8.0.x, 8.5.x
IBM WebSphere Lombardi Edition V7.2.x
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_missing_access_restriction_on_service_types_in_ibm_business_process_manager_bpm_and_websphere_lombardi_edition_cve_2014_4758?lang=en_us
Mozilla Firefox for Android file: Protocol Lets Remote Users Obtain Potentially Sensitive Information in Certain Cases
A vulnerability was reported in Mozilla Firefox for Android. A remote user can obtain potentially sensitive information from the target user's system in certain cases.
A remote user can create a specially crafted 'file:' URL that, when loaded by the target user, will access a local file in the Firefox profile directory and copy the data to the SD card without user intervention. A local application can then access the data.
http://www.securitytracker.com/id/1030792
LogAnalyzer 3.6.5 Cross Site Scripting
It was found that an XSS injection is possible on a syslog server running LogAnalyzer version 3.6.5.
By changing the hostname of any entity logging to a syslog server with LogAnalyzer to <script>alert("xss")</script> and then sending an arbitrary syslog message, client-side script injection and execution is possible.
http://cxsecurity.com/issue/WLB-2014090008
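The LogAnalyzer issue above is a classic case of an untrusted log field (the syslog hostname) reaching an HTML page unescaped. The following is an added example, not LogAnalyzer's code: it parses a simplified RFC 3164 line layout (an assumption of this example), flags hostnames that violate RFC 1123 hostname grammar as a detection signal, and HTML-escapes every field before rendering; the sample syslog lines are constructed.

```python
import html
import re

# Assumed simplified RFC 3164 layout: "<PRI>TIMESTAMP HOSTNAME MSG".
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 63 chars per label.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Constructed sample input: one benign line, one carrying the markup
# payload from the advisory in the hostname field.
SAMPLE_LINES = [
    '<13>Sep  3 10:15:01 webserver01 sshd[221]: session opened',
    '<13>Sep  3 10:15:02 <script>alert("xss")</script> app: hello',
]

def parse_syslog(line):
    """Split a syslog line into its fields, or return None if malformed."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def hostname_is_valid(host):
    """True only if the hostname field obeys RFC 1123 hostname grammar."""
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None

def flag_invalid_hosts(lines):
    """Detection: return the hostnames that could never be real DNS names."""
    bad = []
    for line in lines:
        fields = parse_syslog(line)
        if fields and not hostname_is_valid(fields["host"]):
            bad.append(fields["host"])
    return bad

def render_row(fields):
    """Mitigation: build an HTML table row with every field escaped."""
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (
        html.escape(fields["ts"]),
        html.escape(fields["host"]),
        html.escape(fields["msg"]),
    )
```

Escaping at render time is the actual fix; the grammar check is a cheap alert for log lines whose hostname field carries markup or other junk.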
Exploit PHP's mail() to get remote code execution
While searching around the web for new nifty tricks I stumbled across this post about how to get remote code execution exploiting PHP's mail() function. First, I must say that this is only going to happen under some really rare circumstances. Nevertheless, it's really something to think about and keep an eye out for. I will explain an example scenario which I think could be a real life scenario later in this article.
http://securitysucks.info/exploit-phps-mail-to-get-remote-code-execution/
Tests compare Mac OS X anti-malware products
Every day, independent test lab AV-TEST.org captures more than 400,000 new malware samples for Windows and 5,000 new samples for Android. For the Mac they identify less than 100 per month. But there is malware out there for the Mac and it does hit users in the real world, if less often and less intensely than on the PC. ... That's why AV-TEST just completed a test of 18 products in this space.
http://www.zdnet.com/tests-compare-mac-os-x-anti-malware-products-7000033178/
Xen Project Maintenance Releases Available (Versions 4.4.1, 4.3.3, 4.2.5)
Vulnerabilities fixed:
Xen 4.4.1
CVE-2014-2599 CVE-2014-3125 CVE-2014-3124 CVE-2014-2915 CVE-2014-2986 CVE-2014-3714 CVE-2014-3715 CVE-2014-3716 CVE-2014-3717 CVE-2014-3967 CVE-2014-3968 CVE-2014-3969 CVE-2014-4021 CVE-2014-4022 CVE-2014-5147 CVE-2014-5148
Xen 4.2.5 + 4.3.3
CVE-2014-2599 CVE-2014-3124 CVE-2014-3967 CVE-2014-3968 CVE-2014-4021
Apart from those there are many further bug fixes and improvements.
http://lists.xen.org/archives/html/xen-announce/2014-09/msg00000.html
ZDI-14-301: SAP Crystal Reports Datasource Stack Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Crystal Reports. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
http://www.zerodayinitiative.com/advisories/ZDI-14-301/