A vulnerability in fully patched versions of Internet Explorer allows attackers to steal login credentials and inject malicious content into users' browsing sessions. Microsoft officials said they're working on a fix for the bug, which works successfully on IE 11 running on both Windows 7 and 8.1.

The vulnerability is known as a universal cross-site scripting (XSS) bug. It allows attackers to bypass the same origin policy, a crucially important principle in Web application models that prevents one site from accessing or modifying browser cookies or other content set by any other site. A proof-of-concept exploit published in the past few days shows how websites can violate this rule when people use supported versions of Internet Explorer running the latest patches to visit maliciously crafted pages.

To demonstrate the attack, the demo injects the words "Hacked by Deusen" into the website of the Daily Mail. But it could also have stolen HTML-based data that the news site, or any other website, stores on visitors' computers. That means it would be trivial for attackers to use it to steal the authentication cookies many websites use to grant access to user accounts once a visitor has entered a user name and password. Once in possession of the cookie, an attacker could access the same restricted areas normally available only to the victim, including those with credit card data, browsing histories, and other confidential data. Phishers could also exploit the bug to trick people into divulging passwords for sensitive sites.


(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
WebKit CVE-2014-1298 Unspecified Memory Corruption Vulnerability
WebKit CVE-2013-2871 Use After Free Remote Code Execution Vulnerability
WebKit Use-After-Free Multiple Memory Corruption Vulnerabilities

Millions of Android fans downloaded 'adware' game app – infosec biz
The Register
Card-game players are being warned about an Android app in Google's Play Store that reportedly slaps adverts all over your handheld. The accused app recreates Durak, a traditional Russian game, and is rather imaginatively called Durak Card Game.


This is a guest diary written by Mr. William Glodek, Chief, Network Security Branch, U.S. Army Research Laboratory.

As a network analysis practitioner, I analyze multiple gigabytes of pcap data across multiple files on a daily basis. I have encountered many challenges where the standard tools (tcpdump, tcpflow, Wireshark/tshark) were either not flexible enough or couldn't be prototyped quickly enough to do specialized analyses in a timely manner. Either the analysis couldn't be done without recompiling the tool itself, or the plugin system was difficult to work with via command line tools.

Dshell, a Python-based network forensic analysis framework developed by the U.S. Army Research Laboratory, can help make that job a little easier [1]. The framework handles stream reassembly of both IPv4 and IPv6 network traffic and also includes geolocation and IP-to-ASN mapping data for each connection. The framework also enables development of network analysis plug-ins that are designed to aid in the understanding of network traffic and present results to the user in a concise, useful manner, by allowing users to parse and present data of interest from multiple levels of the network stack: from tweaking an existing decoder to extract slightly different information from existing protocols, to writing a new parser for a completely novel protocol. Here are two scenarios where Dshell has decreased the time required to identify and respond to network forensic challenges.

  1. Malware authors will frequently embed a domain name in a piece of malware for improved command and control or resiliency to security countermeasures such as IP blocking. When the attackers have completed their objective for the day, they minimize the network activity of the malware by updating the DNS record for the hostile domain to point to a non-Internet routable IP address (ex. ...). The reservedips decoder finds exactly those answers:

    Dshell> decode -d reservedips *.pcap

    The reservedips module will find all of the DNS request/response pairs for domains that resolve to a non-routable IP address, and display them on a single line. By having each result displayed on a single line, I can utilize other command line utilities like awk or grep to further filter the results. Dshell can also present the output in CSV format, which may be imported into many Security Information and Event Management (SIEM) tools or other analytic platforms.

  2. A drive-by-download attack is successful and a malicious executable is downloaded [2]. I need to find the network flow of the download of the malicious executable and extract the executable from the network traffic.

    Using the web module, I can inspect all the web traffic contained in the sample file. In the example, a request for xzz1.exe with a successful server response is likely the malicious file.

    I can then extract the executable from the network traffic by using the rip-http module. The rip-http module will reassemble the IP/TCP/HTTP stream, identify the filename being requested, strip the HTTP headers, and write the data to disk with the appropriate filename.

    (screenshot: rip-http extracting the xzz1.exe stream from the capture)

    There are additional modules within the Dshell framework to solve other challenges faced with network forensics. The ability to rapidly develop and share analytical modules is a core strength of Dshell. If you are interested in using or contributing to Dshell, please visit the project at https://github.com/USArmyResearchLab/Dshell.
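Both scenarios above, as an added worked example written for this page (it is not code from the Dshell project): a minimal DNS A-record parser with the non-routable-address check that is the idea behind reservedips, and an HTTP body extractor that does the header stripping and filename handling rip-http performs. The DNS response and the HTTP request/response bytes are constructed inline; the hostname evil.example.net is a made-up sample value and xzz1.exe is the filename from the diary. Chunked or compressed HTTP bodies are deliberately out of scope and are rejected only by omission, which is why the code checks Content-Length and nothing else.

```python
import ipaddress
import posixpath
import struct
from urllib.parse import urlsplit

# --- Scenario 1: DNS answers pointing at non-routable addresses (reservedips) ---

def read_name(pkt, off):
    """Parse a DNS name at pkt[off:], following RFC 1035 compression pointers.
    Returns (dotted_name, offset just past the name at its original position)."""
    labels, end, jumped = [], off, False
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                       # 2-byte pointer to an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:                                 # root label terminates the name
            return ".".join(labels), (end if jumped else off)
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln

def dns_a_answers(pkt):
    """Return [(name, ipv4)] for every A record in one DNS response message
    (pkt is the DNS payload only, without IP/UDP headers)."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):                             # skip the question section
        _, off = read_name(pkt, off)
        off += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:               # A record
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
    return answers

def is_non_routable(ip):
    """True for addresses no Internet host should answer on: loopback, RFC 1918,
    link-local, 0.0.0.0/8, multicast, 240/4 and the documentation/test ranges."""
    a = ipaddress.ip_address(ip)
    return (a.is_private or a.is_loopback or a.is_link_local or a.is_multicast
            or a.is_reserved or a.is_unspecified or not a.is_global)

def reserved_answers(responses):
    """One (name, ip) pair per A record that resolves to a non-routable address,
    which is the signal the reservedips decoder surfaces."""
    return [(n, ip) for r in responses for n, ip in dns_a_answers(r) if is_non_routable(ip)]

def build_response(qname, ip, txid=0x1234):
    """Constructed sample DNS response (not captured traffic): one question, one
    A answer whose name is a compression pointer back to the question (0xC00C)."""
    qn = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = qn + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer

# --- Scenario 2: strip HTTP headers and keep the requested filename (rip-http) ---

def rip_http(request, response):
    """Given the raw request and response bytes of one reassembled TCP flow,
    return (filename, body) for a 200 response, else None. Only Content-Length
    bodies are handled; chunked or gzip-encoded responses need decoding first."""
    target = request.split(b"\r\n", 1)[0].split(b" ")[1].decode("latin-1")
    # basename() keeps a hostile URL or server from steering the write outside
    # the output directory, e.g. GET /../../etc/cron.d/x
    filename = posixpath.basename(urlsplit(target).path) or "index.html"
    head, sep, body = response.partition(b"\r\n\r\n")
    status = head.split(b"\r\n")[0].split(b" ")
    if not sep or len(status) < 2 or not status[0].startswith(b"HTTP/1.") or status[1] != b"200":
        return None
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(b":") for line in head.split(b"\r\n")[1:])}
    length = int(headers.get(b"content-length", len(body)))
    return filename, body[:length]

# Constructed sample flow: the request for xzz1.exe from the diary and a fake
# 200 response carrying a PE-looking payload (not a real executable).
SAMPLE_REQUEST = b"GET /files/xzz1.exe HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_BODY = b"MZ\x90\x00" + b"\x00" * 12
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                   b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY) + SAMPLE_BODY)

if __name__ == "__main__":
    responses = [build_response("evil.example.net", "127.0.0.1"),
                 build_response("cdn.example.com", "8.8.8.8")]
    for name, ip in reserved_answers(responses):
        print(f"{name},{ip}")                       # one CSV-style line, grep/awk friendly
    name, body = rip_http(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print(f"{name}: {len(body)} bytes, magic {body[:2]!r}")
```

Run it directly and it prints evil.example.net,127.0.0.1 for the first scenario and xzz1.exe: 16 bytes for the second; the cdn.example.com answer is dropped because 8.8.8.8 is routable. In a real decoder the DNS bytes come from the reassembled UDP payload and the request/response pair from the TCP stream; the filtering and filename logic is what carries over unchanged.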

    [1] Dshell https://github.com/USArmyResearchLab/Dshell
    [2] http://malware-traffic-analysis.net/2015/01/03/index.html

MITKRB5-SA-2015-001 Vulnerabilities in kadmind, libgssrpc, gss_process_context_token

Security researchers have once again found Google Play offering malicious apps that have been downloaded by millions of Android users. According to a blog post published Tuesday by antivirus provider Avast, the apps include the Durak card game app and at least two other titles. Combined, those apps have been installed as many as 15 million times. Researcher Filip Chytry wrote:

When you install Durak, it seems to be a completely normal and well working gaming app. This was the same for the other apps, which included an IQ test and a history app. This impression remains until you reboot your device and wait for a couple of days. After a week, you might start to feel there is something wrong with your device. Some of the apps wait up to 30 days until they show their true colors. After 30 days, I guess not many people would know which app is causing abnormal behavior on their phone, right?

Each time you unlock your device an ad is presented to you, warning you about a problem, e.g. that your device is infected, out of date or full of porn. This, of course, is a complete lie. You are then asked to take action, however, if you approve you get re-directed to harmful threats on fake pages, like dubious app stores and apps that attempt to send premium SMS behind your back or to apps that simply collect too much of your data for comfort while offering you no additional value.

It's not the first time Google's official Android app bazaar has been found to host malicious apps. In the past, it has offered titles laced with surreptitious remote access trojans, Bitcoin miners, and rogue advertising networks. Three years ago, Google introduced a cloud-based scanner that scours Play for malicious apps, but attackers have been known to bypass it.

Google officials regularly remove apps from Play when they are found to be malicious. At the time this post was being prepared, all three flagged by Avast remained available for download.


CVE-2015-1437 XSS In ASUS Router.

Last year with OpenSSL, and this year with the GHOST glibc vulnerability, the question came up about what piece of software is using what specific library. This is a particularly challenging inventory problem. Most software does not document all of its dependencies well. Libraries can be statically compiled into a binary, or they can be loaded dynamically. In addition, updating a library on disk may not always be sufficient if a particular piece of software uses a copy of the library that is already loaded in memory.

To solve the first problem, there is ldd. ldd will tell you what libraries will be loaded by a particular piece of software. For example:

$ ldd /bin/bash
linux-vdso.so.1 => (0x00007fff9677e000)
libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007fa397b43000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fa39793f000)
libc.so.6 => /lib64/libc.so.6 (0x00007fa3975aa000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa397d72000)

The first line (linux-vdso) doesn't point to an actual library, but to the Virtual Dynamic Shared Object, which represents kernel routines mapped into every process. Whenever you see an arrow (=>), it shows the file the dynamic loader resolved that library name to; that file is frequently a symlink to the versioned library actually being used. Another option that works quite well for shared libraries is readelf, e.g. readelf -d /bin/bash will list

To list libraries currently loaded, and programs that are using them, you can use lsof.

One trick with lsof is that it may abbreviate command names to make the output look better. To fix this, use the +c 0 option:

# lsof +c 0 | grep libc-
init 1 root mem REG 253,0 1726296 131285 /lib64/libc-2.5.so
udevd 836 root mem REG 253,0 131078 /lib64/libc-2.5.so (path inode=131285)
anvil 987 postfix mem REG 253,0 1726296 131285 /lib64/libc-2.5.so

The first column is the command name and the second the PID, so together they tell you what to restart. The number in front of the library path (131285) is the inode of the file the process has mapped. As you may note above, udevd maps inode 131078 while lsof reports "(path inode=131285)", meaning the file now at that path has a different inode: the library was replaced on disk after udevd started, and udevd is still running the old code. Processes showing that mismatch are the ones that need restarting.
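The inode comparison described above, as an added shell example written for this page (not an ISC tool and not part of lsof): it reads /proc/PID/maps directly, so it also works on minimal hosts without lsof. needs_restart encodes the rule (a mapping marked "(deleted)", or a mapped inode that differs from the inode now on disk, means the process is running old code) and stale_mappings applies it across every process. It assumes a Linux /proc and GNU coreutils stat -c %i; the inode values in the usage note are the ones from the lsof output above.

```shell
#!/bin/sh
# Added example: find processes that still map an old copy of a shared library
# after the file on disk was replaced (e.g. a glibc update for GHOST).
# Assumes Linux /proc and GNU coreutils "stat -c %i".

# needs_restart MAPPED_INODE DISK_INODE PATH
# Exit 0 when the mapping is stale: the library file was deleted, no longer
# exists, or the process maps an inode other than the one now on disk.
needs_restart() {
    case "$3" in
        *"(deleted)") return 0 ;;
    esac
    [ -n "$2" ] || return 0            # nothing on disk at that path any more
    [ "$1" != "$2" ]
}

# stale_report PID COMM MAPPED_INODE PATH -> prints one line if a restart is needed
stale_report() {
    disk=$(stat -c %i "${4% (deleted)}" 2>/dev/null) || disk=""
    if needs_restart "$3" "$disk" "$4"; then
        printf '%s\t%s\t%s\t(mapped inode %s, on disk %s)\n' \
            "$1" "$2" "$4" "$3" "${disk:-none}"
    fi
}

# stale_mappings PATTERN -> checks every process for mappings whose path matches PATTERN
stale_mappings() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || continue   # process may have exited
        # maps fields: address perms offset dev inode path [(deleted)]; one check per path
        grep -- "$1" "$maps" 2>/dev/null | awk '{print $5, $6, $7}' | sort -u |
        while read -r inode path rest; do
            [ -n "$path" ] && [ "$inode" != "0" ] || continue  # skip anonymous mappings
            stale_report "$pid" "$comm" "$inode" "${path}${rest:+ $rest}"
        done
    done
}

case "${1:-}" in
    --scan) stale_mappings "${2:-libc}" ;;
esac
```

Run as sh stale.sh --scan libc- to reproduce the lsof check without lsof; with the values from the listing above, needs_restart 131078 131285 /lib64/libc-2.5.so succeeds (udevd is stale) while needs_restart 131285 131285 /lib64/libc-2.5.so fails (init and anvil map the current file). Note that a process which dlopen()ed and then closed a library leaves no mapping behind, so an empty report is evidence about mapped code only, not proof that nothing ever used the old copy.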

It is always best to reboot a system to not have to worry about remnant bad code staying in memory.

In addition, if your system uses RPMs, you can find dependencies using rpm (e.g. rpm -q --requires <package>). But this information is not always complete: it lists what the package declares, not what a binary actually links.

Johannes B. Ullrich, Ph.D.

[SECURITY] [DSA 3152-1] unzip security update
articleFR CMS 3.0.5 - Arbitrary File Upload
articleFR CMS 3.0.5 - SQL injection vulnerability
CVE-2014-5360 Landesk Management Suite XSS (Cross-Site Scripting) Security Vulnerability
[SECURITY] [DSA 3151-1] python-django security update
[CVE-2014-9331] ManageEngine Desktop Central CSRF vulnerability to add an Admin user advisory
[security bulletin] HPSBMU03232 rev.3 - HP SiteScope, Remote Elevation of Privilege
[security bulletin] HPSBGN03237 rev.1 - HP Insight Remote Support v7 Clients running SSLv3, Remote Disclosure of Information
[security bulletin] HPSBGN03247 rev.1 - HP IceWall SSO Dfw using glibc, Remote Execution of Arbitrary Code

Posted by InfoSec News on Feb 03


By Jaikumar Vijayan

Google will offer up-front grants of up to $3,133.70 to selected
vulnerability researchers who will receive rewards regardless of whether
they find a bug.

Buoyed by the success of its existing bug-bounty program, Google has
launched an initiative to reward researchers interested in finding
Django 'django.views.static.serve()' Function Denial of Service Vulnerability

Posted by InfoSec News on Feb 03

Forwarded from: Vic Vandal <vvandal (at) well.com>

h4x0rs, InfoSec geeks, script kidz, posers, and friends,

CarolinaCon is back for its 11th year, which is also billed as "the last
CarolinaCon as we know it". For about the price of your average movie
admission with popcorn and a drink ($20), YOU are invited to join us for yet
another intimate and informative weekend of hacking-related education.

This year's event will...

Posted by InfoSec News on Feb 03


By Rex Santus

BMW has mended a security flaw in its ConnectedDrive car connectivity
system that affected 2.2 million cars, including Rolls-Royce and Mini
cars, the company announced on Friday.

It concerned software in the car that would have allowed hackers to open
car doors. It highlights an oft-voiced concern around connected home
products — sometimes called...

Posted by InfoSec News on Feb 03


By John E Dunn
Jan 30, 2015

The ‘Mastermind’ hacker who stole 20 million user credentials from Russian
dating website Topface has got an extraordinary response from his victim –
an undisclosed payment for “finding” the vulnerability that led to the
calamitous breach.

It’s an extraordinary turn of events...

Posted by InfoSec News on Feb 03


By Aliya Sternstein
February 2, 2015

The Obama administration will spend about $20 million on a new White House
cyber unit to oversee dot-gov network security, including, for the first
time, making sure agencies notify victims of breaches according to a
specific timetable.

The "E-gov Cyber" division, housed within...