(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Multiple HP Products CVE-2016-8529 Unspecified Remote Code Execution Vulnerability
IBM UrbanCode Deploy CVE-2016-0320 Security Bypass Vulnerability
IBM InfoSphere BigInsights CVE-2016-2924 Unspecified Cross Site Scripting Vulnerability
Trend Micro Control Manager Multiple Information Disclosure Vulnerabilities

Nipsey Hussle and YG pose backstage at Nokia Theatre LA Live on January 13, 2012. (credit: Joe Scarnici / Getty Images)

A certain model of Low Power FM radio transmitter with known vulnerabilities has been targeted in a new wave of radio-station hacks this week. Armed with an exploit that was known all the way back in April 2016, hackers have commandeered terrestrial radio stations—and in apparent unity, the hackers all decided to broadcast the YG and Nipsey Hussle song "Fuck Donald Trump."

News of the song's unexpected playback on radio stations began emerging shortly after Trump's inauguration on January 20, and the hack has continued to affect LPFM stations—a type of smaller-radius radio station that began to roll out after the FCC approved the designation in 2000. Over a dozen stations experienced confirmed hacks in recent weeks, with more unconfirmed reports trickling in across the nation. Thus far, the stations' commonality isn't the states of operation or music formats; it's the transmitter.

Specifically, hackers have targeted products in the Barix Exstreamer line, which can decode many audio file formats and send them along for LPFM transmission. If that sounds familiar, that's because Ars Technica reported on this kind of hack last year. As Barix told its products' owners in 2016, Exstreamer devices openly connected to the Internet are incredibly vulnerable to having their remote login passwords discovered and systems compromised. The company recommends using full, 24-character passwords and placing any live Internet connections behind firewalls or VPNs.


SageCRM SQL Injection and Arbitrary File Upload Vulnerabilities
OpenSSL CVE-2017-3732 Information Disclosure Vulnerability

(credit: Alex Eylar)

OAKLAND, Calif.—In September, KrebsOnSecurity—arguably the Internet's most intrepid source of security news—was on the receiving end of some of the biggest distributed denial-of-service attacks ever recorded. The site soon went dark after Akamai said it would no longer provide the site with free protection, and no other DDoS mitigation services came forward to volunteer their services. A Google-operated service called Project Shield ultimately brought KrebsOnSecurity back online and has been protecting the site ever since.

At the Enigma security conference on Wednesday, a Google security engineer described some of the behind-the-scenes events that occurred shortly after Krebs asked the service for help, and in the months since they said yes. While there was never significant hesitancy to bring him in, the engineers did what engineers always do—weighed the risks against the benefits.

"What happens if this botnet actually takes down google.com and we lose all of our revenue?" Google Security Reliability Engineer Damian Menscher recalls people asking. "But we considered [that] if the botnet can take us down, we're probably already at risk anyway. There's nothing stopping them from attacking us at any time. So we really had nothing to lose here."


Jenkins CVE-2017-2613 Cross Site Request Forgery Vulnerability

The tweet originally announcing this issue stated that Windows 2012 and 2016 are vulnerable. I tested it with a fully patched Windows 10 and got an immediate blue screen of death (see below for screenshot).

A Proof of Concept (PoC) exploit causing a blue screen of death on recent Windows versions was released on GitHub earlier today. The exploit implements an SMBv3 server, and clients connecting to it will be affected. An attacker would have to trick the client into connecting to this server. It isn't clear if this is exploitable beyond a denial of service. To be vulnerable, a client needs to support SMBv3, which was introduced in Windows 8 for clients and Windows 2012 on servers.

Right now, I do not see a Microsoft statement regarding this exploit and the vulnerability triggered by it. Of course, it is best practice to block port 445 inbound AND outbound on your firewall, limiting the impact somewhat.

A traffic capture I collected between two virtual machines (Windows 10 victim) can be found here: https://isc.sans.edu/diaryimages/smbexploit.pcap. The exploit can be seen in packet 27 and 28. The long string of Cs does trigger the buffer overflow.

After the (normal) Tree Connect Request message, the server responds with a crafted Tree Connect Response message. The message itself is actually kind of ok, but the length of the message is excessive (1580 Bytes) and includes a long trailer.

The tree connect response message consists of:

  1. NetBIOS header. This just includes the message type (0) and the total length (1580 in this case).
  2. SMB2 header: The usual 64 bytes. The Command indicates that this is a tree connect message and the response flag is set.
  3. The Tree Connect Response message. This message has a fixed length of 8 bytes in addition to the fixed header.

This is where the message should end. But apparently, since the total message size according to the NetBIOS header is larger, Windows keeps on decoding in the crafted header (all Cs in the exploit) which then triggers the buffer overflow.

Based on this understanding of the exploit (please let me know if I didn't get it right or missed something), I wrote a simple Snort signature that looks for Tree Connect messages that exceed 1000 bytes in size. Use this at your own risk. It is in a "works for me" state:

# byte_test reads the 3-byte NetBIOS length at payload offset 1 (big-endian) and fires when it exceeds 1000;
# the first content match anchors the SMB2 magic plus StructureSize 64 at offset 4, the second the Tree Connect command (0x0003) at offset 16.
# The sid below is a placeholder; assign one from your local range.
alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"SMB Excessive Large Tree Connect Response"; byte_test:3,>,1000,1; content:"|fe 53 4d 42 40 00|"; offset:4; depth:6; content:"|03 00|"; offset:16; depth:2; sid:1000001; rev:1;)
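The same detection idea, worked through as a standalone parser rather than a Snort rule (this is an added example, not code from the diary or from the PoC): it walks the NetBIOS session header and the 64-byte SMB2 header, and flags a Tree Connect Response whose NetBIOS-declared length is excessive. Field offsets (Command at header offset 12, Flags at offset 16, the 16-byte Tree Connect Response body) are taken from MS-SMB2; the sample messages are constructed in the block, with zero padding standing in for the trailer described above, since only the declared length matters to the check. Unlike the Snort rule, it also requires the response flag to be set so that oversized requests are not reported.

```python
import struct

# Assumed layout (MS-SMB2): 4-byte NetBIOS session header (1-byte type, 3-byte
# big-endian length), then a 64-byte SMB2 header: ProtocolId(4) StructureSize(2)
# CreditCharge(2) Status(4) Command(2) Credit(2) Flags(4) NextCommand(4)
# MessageId(8) Reserved(4) TreeId(4) SessionId(8) Signature(16).
SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_TREE_CONNECT = 0x0003
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001      # set on responses
MAX_TREE_CONNECT_RESPONSE = 1000             # same threshold as the Snort rule above


def parse_netbios_smb2(data: bytes):
    """Return (netbios_length, command, flags), or None if this is not SMB2 over NetBIOS."""
    if len(data) < 4 + SMB2_HEADER_LEN:
        return None
    if data[0] != 0x00:                       # NetBIOS type 0 = session message
        return None
    nb_length = int.from_bytes(data[1:4], "big")
    smb2 = data[4:4 + SMB2_HEADER_LEN]
    if smb2[:4] != SMB2_MAGIC:
        return None
    (structure_size,) = struct.unpack_from("<H", smb2, 4)
    if structure_size != SMB2_HEADER_LEN:
        return None
    (command,) = struct.unpack_from("<H", smb2, 12)
    (flags,) = struct.unpack_from("<I", smb2, 16)
    return nb_length, command, flags


def is_oversized_tree_connect_response(data: bytes,
                                       threshold: int = MAX_TREE_CONNECT_RESPONSE) -> bool:
    """True for a Tree Connect *response* whose NetBIOS length exceeds the threshold."""
    parsed = parse_netbios_smb2(data)
    if parsed is None:
        return False
    nb_length, command, flags = parsed
    return bool(command == SMB2_TREE_CONNECT
                and flags & SMB2_FLAGS_SERVER_TO_REDIR
                and nb_length > threshold)


def scan_messages(messages):
    """Return [(index, declared_length)] for every message the check flags."""
    hits = []
    for i, msg in enumerate(messages):
        if is_oversized_tree_connect_response(msg):
            hits.append((i, parse_netbios_smb2(msg)[0]))
    return hits


def build_tree_connect_message(trailer_len: int, is_response: bool = True) -> bytes:
    """Constructed test vector: NetBIOS header + SMB2 header + Tree Connect Response
    body, followed by trailer_len bytes of zero padding (stands in for the trailer)."""
    flags = SMB2_FLAGS_SERVER_TO_REDIR if is_response else 0
    header = struct.pack("<4sHHIHHIIQIIQ16s",
                         SMB2_MAGIC, SMB2_HEADER_LEN, 0, 0,      # magic, size, charge, status
                         SMB2_TREE_CONNECT, 1, flags, 0,         # command, credit, flags, next
                         3, 0, 1, 0, b"\x00" * 16)               # msgid, reserved, tree, session, sig
    # Tree Connect Response body per MS-SMB2: StructureSize=16, ShareType=DISK(1),
    # Reserved, ShareFlags, Capabilities, MaximalAccess.
    body = struct.pack("<HBBIII", 16, 1, 0, 0, 0, 0)
    payload = header + body + b"\x00" * trailer_len
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    samples = [
        build_tree_connect_message(0),                  # ordinary 80-byte response
        build_tree_connect_message(1500),               # 1580 bytes, like the capture
        build_tree_connect_message(1500, is_response=False),
    ]
    print(scan_messages(samples))
```

Run as a script it reports only the second sample; the oversized request in the third is deliberately ignored, which is the one place this check is stricter than the Snort rule.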

The exploit can be found here: https://github.com/lgandx

Blue Screen of death after successful exploit:

Johannes B. Ullrich, Ph.D.

IBM Security Key Lifecycle Manager CVE-2016-6116 Information Disclosure Vulnerability
Jenkins CVE-2017-2609 Information Disclosure Vulnerability
Linux Kernel 'fs/pipe.c' Local Denial of Service Vulnerability
IBM Security Key Lifecycle Manager CVE-2016-6095 Brute Force Authentication Bypass Vulnerability
Jenkins CVE-2017-2605 Information Disclosure Vulnerability
IBM Security Key Lifecycle Manager CVE-2016-6099 Information Disclosure Vulnerability
Jenkins CVE-2017-2601 HTML Injection Vulnerability
Jenkins CVE-2017-2612 Security Bypass Vulnerability
Jenkins CVE-2017-2611 Multiple Security Bypass Vulnerabilities
Jenkins CVE-2017-2604 Privilege Escalation Vulnerability
Jenkins CVE-2017-2599 Security Bypass Vulnerability
Jenkins CVE-2017-2598 Information Disclosure Vulnerability

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Linux Kernel CVE-2016-4565 Local Security Bypass Vulnerability
Linux Kernel KVM 'kvm_pit_load_count()' Function Divide By Zero Denial of Service Vulnerability
Linux Kernel 'net/x25/x25_facilities.c' Local Information Disclosure Vulnerability
Cisco Prime Service Catalog CVE-2017-3810 Open Redirection Vulnerability
[FOXMOLE SA 2016-07-05] ZoneMinder - Multiple Issues
Cisco Industrial Ethernet 2000 Series Switches CVE-2017-3812 Denial of Service Vulnerability
EMC Isilon InsightIQ CVE-2017-2765 Authentication Bypass Vulnerability
Cisco Firepower Device Manager CVE-2017-3822 Remote Security Bypass Vulnerability
Multiple Cisco Products CVE-2017-3806 Local Command Injection Vulnerability
WordPress 'class-wp-rest-posts-controller.php' Privilege Escalation Vulnerability
Cisco Firepower System Software CVE-2017-3814 Remote Security Bypass Vulnerability
Cisco Firepower Management Center CVE-2017-3809 Security Bypass Vulnerability
Ghostscript 9.20 Filename Command Execution
Internet Storm Center Infocon Status