(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A screen showing the status of a Metasploit attack exploiting a vulnerable Android handset.

Recently-released attack code exploiting a critical Android vulnerability gives attackers a point-and-click interface for hacking a majority of smartphones and tablets that run the Google operating system, its creators said.

The attack was published last week as a module to the open-source Metasploit exploit framework used by security professionals and hackers alike. The code exploits a critical bug in Android's WebView programming interface that was disclosed 14 months ago. The security hole typically gives attackers remote access to a phone's camera and file system and in some cases also exposes other resources, such as geographic location data, and contents of SD cards and address books. Google patched the vulnerability in November with the release of Android 4.2, but according to the company's figures, the fix is installed on well under half of the handsets it tracks.

"This vulnerability is kind of a huge deal," Tod Beardsley, a researcher for Metasploit maintainer Rapid7, wrote in a recent blog post. "I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild. Don't believe me that this thing is that old? Just take a look at the module's references if you don't believe me."



A senior executive from Visa Inc. dismissed concerns over the manner in which the Europay MasterCard Visa (EMV) chip card standard is being implemented in the U.S. and insisted the move will yield significant security benefits for retailers, consumers and banks.
Apple was appointed the world's highest-valued brand today by Brand Finance, which said the Cupertino, Calif. company's brand is worth nearly $105 billion.
BMC Software wants to bring some social networking magic to the formal world of the IT help desk.

Security researchers have taken the unusual step of recommending that people stop using Belkin's WeMo home automation products after uncovering a variety of vulnerabilities that attackers can exploit to take control of home networks, thermostats, or other connected devices.

WeMo products allow people to use smartphones and computers to remotely control light switches, Web cams, motion sensors, and other home appliances. Now the items are exposing the password and cryptographic signing key used to ensure that firmware updates are valid, according to an advisory published Tuesday by researchers from security firm IOActive. Attackers can use the credentials to bypass WeMo security checks and sign malicious firmware that masquerades as an official release from Belkin.

WeMo devices also fail to validate Secure Sockets Layer (SSL) certificates when connecting to Belkin servers, even when the devices are running firmware that's fully up-to-date. What's more, firmware update notices are delivered through handsets or computers paired with the WeMo products and use a non-encrypted channel. IOActive Principal Research Scientist Mike Davis said he was able to combine exploits for those weaknesses into an attack that spoofed the RSS feed Belkin uses to push firmware updates to WeMo products. The counterfeit feeds, in turn, surreptitiously infected the devices with malware.




Using a vulnerable Linksys E1200 router in a lab, I was finally able to capture the complete (?) sequence of exploits used by the Linksys Worm "TheMoon". 

The quick summary of what I found so far:

  • The complete sequence uses three exploits, all exploiting the same vulnerable script "tmUnblock.cgi"
  • Initially, the worm binary is uploaded to the vulnerable router
  • Next, the binary is renamed to "/tmp/Gerty" and made executable
  • The third request starts "Gerty" and passes the infecting IP as parameters. Gerty will send a request to this IP, likely to confirm that it was launched.

I did not see any configuration changes in the router (password, DNS...)

As we wrote earlier, the initial "HNAP1" request is just used to fingerprint the router to figure out if it is vulnerable.

The worm sends a number of DNS queries:

  • one A query for (this doesn't really make sense, and is likely a bug. This is the network range that is then scanned)
  • A queries for ruhmanadin.dyndns.org which in my case resolved to I did not see any connections to this IP. I suspect that this is an IP address used to report successful exploitation.

The "Gerty" binary checks in with the host the infection comes from. The ports are sent as parameters. In my case, the complete command was:

cd /tmp/;./Gerty -L -u xxxxxx

As a result, the connection went to port 9841 at About 1.4MBytes are sent, most of it binary.  But there are a few readable strings like a timestamp, the SSID of the router and the string "Lunar Industries LTD".

For a full pcap of the activity, see https://isc.sans.edu/diaryimages/moon.pcap . I tried to anonymize the pcap as much as possible, but some of the IPs were left intact. If you find anything else, please let me know. Note that the pcap includes a capture of the binary file as well (look for the http traffic on port 700). To protect others, I redirected all outbound port 80/8080 traffic to a sinkhole which may cause some artifacts.
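As an added illustration (not part of the diary or the pcap), the following Python script applies the indicators described above to router access logs: the HNAP1 fingerprint probe, the run of requests to tmUnblock.cgi, and the Gerty launch command. The log format and all IP addresses in it are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of router httpd access-log lines (common log format),
# modelled on the sequence seen in the lab: one HNAP1 fingerprint probe
# followed by three requests to tmUnblock.cgi from the same source.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Feb/2014:10:01:02 +0000] "GET /HNAP1/ HTTP/1.1" 200 512
198.51.100.7 - - [13/Feb/2014:10:01:03 +0000] "POST /tmUnblock.cgi HTTP/1.1" 200 88
198.51.100.7 - - [13/Feb/2014:10:01:04 +0000] "POST /tmUnblock.cgi HTTP/1.1" 200 88
198.51.100.7 - - [13/Feb/2014:10:01:05 +0000] "POST /tmUnblock.cgi HTTP/1.1" 200 88
192.0.2.10 - - [13/Feb/2014:10:02:00 +0000] "GET /HNAP1/ HTTP/1.1" 200 512
192.0.2.11 - - [13/Feb/2014:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Launch string observed in the diary: "cd /tmp/;./Gerty -L -u ..."
GERTY_RE = re.compile(r'cd /tmp/;\s*\./Gerty\b')


def classify_sources(log_text):
    """Map each source IP to a verdict based on the worm's request pattern."""
    hnap = defaultdict(int)       # HNAP1 fingerprint probes per source
    tmunblock = defaultdict(int)  # tmUnblock.cgi requests per source
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, path = m.group("ip"), m.group("path").split("?")[0]
        if path.startswith("/HNAP1"):
            hnap[ip] += 1
        elif path.endswith("/tmUnblock.cgi"):
            tmunblock[ip] += 1
    verdicts = {}
    for ip in set(hnap) | set(tmunblock):
        if tmunblock[ip] >= 3:
            verdicts[ip] = "infection_sequence"  # upload, rename, launch
        elif tmunblock[ip] > 0:
            verdicts[ip] = "exploit_attempt"
        else:
            verdicts[ip] = "fingerprint_only"
    return verdicts


def flags_gerty_launch(payload):
    """True if a captured request body or shell line launches /tmp/Gerty."""
    return GERTY_RE.search(payload) is not None


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(ip, verdict)
```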


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Intel has added up to 15 cores in its latest Xeon E7 v2 family of server processors, but is stressing in-memory computing improvements with the latest chips.
Nearly half of all Americans are looking forward to the time when they can live in a city where all the cars are driverless.
Apple today has been awarded a patent for a sport motion and health monitoring system that can be attached to headphones, including ear buds, and used to monitor vital signs and even perspiration levels.
Nearly seven in 10 U.S. voters would pay a higher tax on their mobile phone bills if the money went toward wiring schools with faster broadband networks, according to a new survey.
Mozilla Firefox/SeaMonkey CVE-2014-1488 Remote Code Execution Vulnerability
Microsoft will demonstrate on Tuesday how Lync and Skype users will be able to communicate via video conferencing, the next stage of the integration between its enterprise unified communications server and its consumer IM and IP telephony network.
Microsoft last week said that it had sold 200 million licenses of Windows 8 since the operating system launched more than 15 months ago. But how many copies are actually being used?
Companies such as Comcast and Time Warner don't think the United States is ready for -- or even needs -- gigabit Internet, but Google Fiber and a host of independent initiatives suggest that they are faster and cheaper.
LinuxSecurity.com: Multiple vulnerabilities in Xpdf could result in execution of arbitrary code.
LinuxSecurity.com: Multiple vulnerabilities have been found and corrected in the Linux kernel: The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before 3.13.2, when CONFIG_X86_X32 is enabled, allows local users [More...]
LinuxSecurity.com: Updated ffmpeg packages fix security vulnerabilities: This update provides ffmpeg version 0.5.13 and 0.10.11, which fixes several unspecified security vulnerabilities and other bugs which were corrected upstream. [More...]
LinuxSecurity.com: Updated varnish packages fix security vulnerabilities: Varnish before 3.0.5 allows remote attackers to cause a denial of service (child-process crash and temporary caching outage) via a GET request with trailing whitespace characters and no URI (CVE-2013-4484). [More...]
LinuxSecurity.com: Updated libgadu packages fix security vulnerability: A malicious server or man-in-the-middle could send a large value for Content-Length and cause an integer overflow which could lead to a buffer overflow in Gadu-Gadu HTTP parsing (CVE-2013-6487). [More...]
LinuxSecurity.com: A vulnerability has been discovered and corrected in puppet: Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files [More...]

Why vulnerability scans give infosec officers nightmares
Computer Business Review, by Duncan MacRae, 18 February 2014
Ron Gula, Tenable Network Security CEO, says organisations are turning to continuous monitoring to close the gaps left by traditional vulnerability ...

SAP NetWeaver Multiple Security Vulnerabilities
The two most talked about smartphones ahead of this year's Mobile World Congress sit at opposite sides of the spectrum; the low-end Android-based Nokia X and Samsung Electronics' new flagship model, the Galaxy S5.
Microsoft is about to make a fresh run at its CRM rival Salesforce.com with new capabilities for marketing automation, customer support and social media monitoring.
AT&T and IBM will start jointly offering services designed to help municipalities, utility companies and other organizations use "Internet of things" technologies to better manage their infrastructure.
While clinging to the 11-year-old OS after Microsoft issues its last security patch in April is defensible, the security risks are going to keep mounting.
The smartphone giant's troubles are deeper than its big drop in quarterly profits.
D-Link DAP-2253 Router Cross Site Scripting and Cross Site Request Forgery Vulnerabilities
SAP Customer Relationship Management XML External Entity Injection Vulnerability
Vtiger 'return_url' Parameter Multiple Cross Site Scripting Vulnerabilities
Leaders of the tech sector laud the Obama administration's rollout of voluntary cybersecurity guidelines, but broader private-sector adoption could remain a challenge.
WordPress Download Manager Plugin 'file[title]' Parameter Cross Site Scripting Vulnerability
Linux Kernel 'security_context_to_sid_core()' Function Local Denial of Service Vulnerability
Linux Kernel '/fs/cifs/file.c' Local Memory Corruption Vulnerability
SAP NetWeaver Solution Manager Unspecified Security Bypass Vulnerability
Match.com and eHarmony also among those now saying, 'We didn't know our mobile apps did that.'
ZTE plans to unveil a range of "high-performance smartphones" in Barcelona next week, including the Grand Memo II LTE with a 6-inch screen.
A newly discovered variant of the notorious Zeus banking trojan is disguising a crucial configuration code in a digital photo, a technique known as steganography.
Minimize costs? Create a conference schedule with fewest early-morning sessions? In this excerpt from the book Data Smart, find out how to use Excel's free Solver add-in to do some data science optimization in a spreadsheet.
SEC Consult SA-20140218-0 :: Multiple critical vulnerabilities in Symantec Endpoint Protection
Re: [Full-disclosure] CVE-2013-1643 - Unauthorised Access To Other Users Email Messages in Symantec PGP Universal Web Messenger

Posted by InfoSec News on Feb 18


The Wall Street Journal
February 18, 2014

Computer-security researchers have discovered on a website documents that could allow hackers easily to obtain electronic medical records and payment information from health-care providers.

MaraDNS Remote Denial of Service Vulnerability
Oracle Fusion Middleware CVE-2012-3153 Remote Security Vulnerability
Oracle Fusion Middleware CVE-2012-3152 Remote Security Vulnerability
Cisco Content Security Management Appliance CVE-2013-3396 Cross Site Scripting Vulnerability
Xpdf 'FoFiType1::parse' Buffer Overflow Vulnerability
Internet Storm Center Infocon Status