Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Linux Kernel 'fs/udf/inode.c' Local Denial of Service Vulnerability
 
OpenStack Neutron Security Bypass Vulnerability
 
Linux Kernel 'tcp_set_keepalive()' Function Denial of Service Vulnerability
 
Doom on a printer's menu screen! Personally, we can't wait until someone makes Descent playable on a toaster.

On Friday, a hacker presenting at the 44CON Information Security Conference in London picked at the vulnerability of Web-accessible devices and demonstrated how to run unsigned code on a Canon printer via its default Web interface. After describing the device's encryption as "doomed," Context Information Security consultant Michael Jordon made his point by installing and running the first-person shooting classic Doom on a stock Canon Pixma MG6450.

Sure enough, the printer's tiny menu screen can render a choppy and discolored but playable version of id Software's 1993 hit, the result of Jordon discovering that Pixma printers' Web interfaces didn't require any authentication to access. "You could print out hundreds of test pages and use up all the ink and paper, so what?" Jordon wrote at Context's blog report about the discovery, but after a little more sniffing, he found that the devices could also easily be redirected to accept any code as legitimate firmware.

A vulnerable Pixma printer's Web interface allows users to change the Web proxy settings and the DNS server. From there, an enterprising hacker can crack the device's encryption in eight steps, the final of which includes unsigned, plain-text firmware files. The hacking possibilities go far beyond enabling choppy, early '90s gaming: "We can therefore create our own custom firmware and update anyone’s printer with a Trojan image which spies on the documents being printed or is used as a gateway into their network," Jordon wrote.


 
A greenhouse gas monitoring program developed by scientists at the National Institute of Standards and Technology (NIST) and several collaborating institutions has been named a Project to Watch by a United Nations organization that ...
 
The U.S. Department of Commerce's National Institute of Standards and Technology (NIST) has awarded more than $2.2 million in Phase I and Phase II Small Business Innovation Research (SBIR) awards to 15 companies. The recipients conduct ...
 

2nd Update

All the packet captures we received so far show the same behavior. The scans are sequential, so it is fair to assume that this is an internet wide scan. We have yet to find a vulnerable system, and I don't think that vulnerable configurations are very common but please let me know if you know of widely used systems that allow for these SNMP commands. This could also just be a troll checking "what is happening if I send this". 

1st Update

Thanks to James for sending us some packets. Unlike what was suggested earlier, this doesn't look like a DoS against Google, but more like a DoS against vulnerable gateways. The SNMP command is actually a "set" command using the default read-write community string "private". If successful, it should:

- set the default TTL to 1 (ipDefaultTTL.0, OID 1.3.6.1.2.1.4.2.0), which would make it impossible for the gateway to connect to other systems that are not on the same link-layer network, since the first router on the path would discard the packet.

- turn off IP forwarding (ipForwarding.0, OID 1.3.6.1.2.1.4.1.0, value 2 = notForwarding), so the device stops routing between its interfaces.

Still playing with this, and so far, I haven't managed to "turn off" any of my test systems. If you want to play, here are some of the details:

The SNMP payload of the packets reported by James:

Simple Network Management Protocol
    version: version-1 (0)
    community: private
    data: set-request (3)
        set-request
            request-id: 1821915375
            error-status: noError (0)
            error-index: 0
            variable-bindings: 2 items
                1.3.6.1.2.1.4.2.0:
                    Object Name: 1.3.6.1.2.1.4.2.0 (iso.3.6.1.2.1.4.2.0)
                    Value (Integer32): 1
                1.3.6.1.2.1.4.1.0:
                    Object Name: 1.3.6.1.2.1.4.1.0 (iso.3.6.1.2.1.4.1.0)
                    Value (Integer32): 2

 

The snmp set command I am using to re-create the traffic:

snmpset  -v 1 -c private [target ip] .1.3.6.1.2.1.4.2.0 int 1 .1.3.6.1.2.1.4.1.0 int 2

Any insight is welcome. Still working on this and there may be more to it than I see now (or less...)
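The set-request above, decoded and checked the way a sensor would do it. This is an added example, not code from the diary: a minimal BER decoder for SNMPv1 (stdlib only) plus a check for the exact payload James captured. The packet bytes are constructed here by hand from the Wireshark dissection above (same request-id, community and varbinds); the function and constant names are this example's own.

```python
"""
Decode an SNMPv1 message and flag the "router DoS" set-request from the
diary: community "private", ipDefaultTTL.0 set to 1 and ipForwarding.0
set to 2 (notForwarding). Added example; not from the ISC diary.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed test packet: BER encoding of the PDU shown in the diary's
# Wireshark dissection (request-id 1821915375, community "private").
SAMPLE_SET_REQUEST = bytes.fromhex(
    "303a"                              # SEQUENCE, 58 bytes
    "020100"                            # version: 0 (SNMPv1)
    "040770726976617465"                # community: "private"
    "a32c"                              # SetRequest-PDU, 44 bytes
    "02046c9838ef"                      # request-id: 1821915375
    "020100"                            # error-status: noError
    "020100"                            # error-index: 0
    "301e"                              # variable-bindings, 2 items
    "300d06082b06010201040200020101"    # 1.3.6.1.2.1.4.2.0 (ipDefaultTTL.0) = 1
    "300d06082b06010201040100020102"    # 1.3.6.1.2.1.4.1.0 (ipForwarding.0) = 2
)

PDU_NAMES = {0xA0: "get-request", 0xA1: "get-next-request",
             0xA2: "get-response", 0xA3: "set-request", 0xA4: "trap"}

IP_FORWARDING = "1.3.6.1.2.1.4.1.0"    # RFC 1213 ip group, value 2 = notForwarding
IP_DEFAULT_TTL = "1.3.6.1.2.1.4.2.0"


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low bits give length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Iterate the TLVs packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        yield tag, v


def _decode_int(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)


def _decode_oid(value: bytes) -> str:
    arcs = [value[0] // 40, value[0] % 40]   # first byte packs the first two arcs
    acc = 0
    for b in value[1:]:                       # base-128, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


@dataclass
class SnmpMessage:
    version: int
    community: str
    pdu_type: str
    request_id: int
    varbinds: dict


def parse_snmp(packet: bytes) -> SnmpMessage:
    """Parse an SNMPv1 get/get-next/set/response message (traps not handled)."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, ver), (_, com), (pdu_tag, pdu) = list(_children(body))
    if pdu_tag == 0xA4:
        raise ValueError("trap PDUs have a different layout; not handled here")
    fields = list(_children(pdu))              # request-id, error-status, error-index, varbinds
    varbinds = {}
    for _, vb in _children(fields[3][1]):
        (_, oid), (val_tag, val) = list(_children(vb))
        varbinds[_decode_oid(oid)] = _decode_int(val) if val_tag == 0x02 else val
    return SnmpMessage(_decode_int(ver), com.decode("latin-1"),
                       PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
                       _decode_int(fields[0][1]), varbinds)


def is_router_dos_set(msg: SnmpMessage) -> bool:
    """True for a set-request carrying the TTL=1 / forwarding-off pair from the diary."""
    return (msg.pdu_type == "set-request"
            and msg.varbinds.get(IP_DEFAULT_TTL) == 1
            and msg.varbinds.get(IP_FORWARDING) == 2)


if __name__ == "__main__":
    m = parse_snmp(SAMPLE_SET_REQUEST)
    print(m)
    print("router DoS pattern:", is_router_dos_set(m))
```

Matching on the varbind pair rather than only on the community string is the point: a scanner could just as well try "public" or a vendor default, and an agent that accepts a write to ipForwarding.0 at all is the actual problem, so the check keys on what is being set, not on who claims to set it.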

 

--- end of update ---

We are receiving some reports about SNMP scans that claim to originate from 8.8.8.8 (Google's public recursive DNS server). This is likely part of an attempt to launch a DDoS against Google by using SNMP as an amplifier/reflector.

Please let us know if you see any of these packets. The source IP should be 8.8.8.8 and the target port should be 161 UDP. For example in tcpdump:

tcpdump -s0 -w /tmp/googlensmp dst port 161 and src host 8.8.8.8

Thanks to James for sending us a snort alert triggered by this:

Sep 15 11:07:07 node snort[25421]: [1:2018568:1] ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1) [Classification: Attempted Denial of Service] [Priority: 2] {UDP} 8.8.8.8:47074 -> x.x.251.62:161

So far, it does not look like service to Google's DNS server is degraded.

---
Johannes B. Ullrich, Ph.D.

 

Myths and truths about employing women in Infosec
CSO Online
I'm sure you've read the statistics about how women make up only 11 percent of the information security workforce, and how 56 percent of women who start a career in tech leave it at the mid-point. And I'm sure you've seen all sorts of proposed ...

 

For a few weeks now, I keep receiving a few "Delta Ticket" e-mails a day with zipped executables as attachments. The e-mails are done about as bad as it gets:

  • The "From" address uses a random domain
  • The e-mail does not use the typical "Delta" formatting/branding.
  • The attachment is a straight executable, just zipped.
  • Antivirus is ok on a new sample received right now (8/55 according to VirusTotal) and excellent (>30/55) on older samples. [1]
  • The e-mail (flight information) is very specific and does not appear to be customized to the recipient.
  • Delta doesn't send tickets as attachments like this.

Fake Delta Ticket e-mail

So they could do a lot better. The sad part is that they apparently have no need to do better.

The "From" name, which is what most people are looking at, reads "Delta Air Lines". Some major/popular AV tools still don't detect it well at all, and well, users like to click on stuff I guess.

The initial piece of malware appears to be a generic downloader. In my system, it installed what looked like a fake Adobe update. Still running it to see what is exactly going on, but not expecting too much.

 

[1] https://www.virustotal.com/en/file/4cf652e71bbbe37eecda58169471df27db15ca1e5a8f14006128a4883b095409/analysis/1410799974/
 

 

 

---
Johannes B. Ullrich, Ph.D.

 
Briefcase 4.0 iOS - Code Execution & File Include Vulnerability
 

Infosec professionals see security investment as 'gigantic waste of money'
SC Magazine UK
A new survey conducted by Lieberman Software at BlackHat USA reveals a general lack of confidence among IT security professionals when it comes to the threat of advanced, state-sponsored attacks and the susceptibility of today's networks. The survey ...

 
LinuxSecurity.com: Several security issues were fixed in curl.
 
LinuxSecurity.com: Updated qemu-kvm-rhev packages that fix two security issues are now available for Red Hat Enterprise Linux OpenStack Platform 4 and 5 for Red Hat Enterprise Linux 6. [More...]
 
MantisBT Null Byte Poisoning LDAP Authentication Bypass Vulnerability
 
SolarWinds Storage Manager 'AuthenticationFilter' Class Remote Code Execution Vulnerability
 
Passwords^14 Norway - CFP
 
Open-Xchange Security Advisory 2014-09-15
 
Multiple Vulnerabilities with Aztech Modem Routers
 
Re: HttpFileServer 2.3.x Remote Command Execution
 
OpenOffice CVE-2014-3575 Information Disclosure Vulnerability
 
cURL/libcURL CVE-2014-3620 Cookies Handling Remote Security Bypass Vulnerability
 
cURL/libcURL CVE-2014-3613 Remote Security Bypass Vulnerability
 
Jasig Multiple CAS Clients CVE-2014-4172 Security Bypass Vulnerability
 

Infosec geniuses hack a Canon PRINTER and install DOOM
Register
Security researchers have demonstrated a hack that allowed them to get into the web interface of a Canon Pixma printer before modifying its firmware to run the classic 90s computer game Doom. The proof-of-concept demo by security researchers at Context ...

 