Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Zynga is cutting about 5 percent of its workforce, and is "sunsetting" 13 of its older games, the company's founder and CEO Mark Pincus said Tuesday in a note to employees.
 

Attacks against Aussie Govt infosec infrastructure surge
SC Magazine Australia
The Australian Government's Cyber Security Operations Centre (CSOC) has dealt with a 52 percent increase in cyber security incidents in the first nine months of 2012. CSOC responded to 470 security incidents in the first nine months of 2012, Defence ...

 

 
Asustek Computer on Tuesday introduced the VivoTab Smart, a tablet computer with a 10.1-inch screen that will be available with Windows 8 starting at $499.
 
Facebook, under extreme pressure to cheer up its disappointed investors, posted revenue growth of more than 30 percent in its third quarter on Tuesday, and beat Wall Street expectations, but also recorded a loss.
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-3990 Use After Free Memory Corruption Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-4186 Remote Buffer Overflow Vulnerability
 
Mozilla Firefox/Thunderbird/Seamonkey CVE-2012-4180 Buffer Overflow Vulnerability
 
U.S. government agencies have long used open-source software. Now, some agencies are embracing the collaborative development model of open-source software development and are releasing code back to the wider community.
 
The arrival of Windows 8 makes "mobile device battles" Gartner's top technology trend for next year.
 
Apple today unveiled the iPad Mini, a smaller tablet starting at $329 that features a 7.9-in. 1024-x-768-pixel display and can run all existing iPad software without modification.
 
The new 7.9-in. iPad mini will be a huge hit with business users as well as consumers, several industry analysts predicted Tuesday.
 
SAP is working on a number of potential next-generation BI (business intelligence) technologies meant to exploit the company's HANA in-memory database, including a new version of the popular Explorer visualization tool, according to an internal document posted on the company's website.
 
Although China has been getting unwelcome attention in political circles, Cisco CEO John Chambers was far more sanguine about China at the Gartner Symposium/ITxpo.
 
Apple announced it will be including hybrid drive technology in its new iMac and Mac Mini desktops, which will offer flash-like performance with up to 3TB of hard drive capacity.
 
ViewVC 'svn_ra.py' Information Disclosure Vulnerability
 
ViewVC CVE-2012-4533 HTML Injection Vulnerability
 
Wondering how Apple's iPad Mini stacks up against popular 7-inch tablets from Google and Amazon? Here's a tech spec comparison.
 
cups-pk-helper 'cupsGetFile()' and 'cupsPutFile()' Local Security Vulnerabilities
 
Tinyproxy Header Multiple Denial of Service Vulnerabilities
 
Advanced Micro Devices on Tuesday introduced 8-core FX series chips for desktops with prices under $200 in units of 1,000, giving gamers the ability to build faster PCs at lower prices.
 
Microsoft will not sell Windows 8 as a physical boxed product in China and instead will only distribute the OS through downloads and pre-installs on devices, in a move that could help the company drive consumers away from pirated copies of its products.
 
Research In Motion continues to struggle as it works to finish the BlackBerry 10 operating system, but the audience at the London edition of the BlackBerry 10 Jam World Tour developer event still thinks the company can play an important role in the enterprise.
 
Marten Pieters, MD & CEO, Vodafone Essar, says IT has helped the company serve more customers, conquer rural India, and make Vodafone India's second largest mobile service provider.
 
Security expert Adam Gowdiak took just 30 minutes to develop a patch for a critical Java vulnerability for which Oracle does not intend to provide a fix until February.


 
Buffer overflows and array out of bounds errors make Shockwave Player vulnerable to code injection; Adobe suggests users upgrade their installations as soon as possible before someone exploits the vulnerabilities


 
Let me preface this by saying that the history part of this ended up being way more complicated than we have space to cover in this story, so I'll try to keep it brief.



Back in the day, I remember the PC DOS Tech Ref manual (yes, I was there in 1981 to read this one, and yes, I still have my copy). One of the many useful things in that manual was the by-now-very-familiar ASCII table, listing characters 0-127 (00-7F in hex), which IBM had extended with a further 128 characters for an even 0-255 (00-FF in hex); that extended set is what we now call code page 437, the IBM PC's original character set. I spent a lot of time using that table, as it was handy for transcoding hex and binary data streams to characters (remember, this was before we had sniffers on PC DOS platforms).



At the time, the main competition for ASCII was EBCDIC, the character encoding used by IBM's System/36, System/38 and mainframe architectures. IBM AIX and all the other Unix vendors (this was pre-Linux) used 8-bit ASCII along with everyone else. But at least we had decent packet sniffers on the mainframe, S/3x and Unix platforms!



Enter the rest of the world, which needed to read and write in characters beyond the limited A-Z ASCII character set. Work on Unicode started back in 1987 (yes, really, it was that long ago!), Unicode 1.0 was published in 1991, and the standard has seen regular updates since. The current version is 6.2 (released just last month, in September 2012), which defines over 110,000 characters across 100 scripts and also covers rendering, collation and bidirectional ordering (to handle right-to-left scripts). All of a sudden simple text got a lot less simple!



How does this relate to security? Because many of today's defence technologies still live in that 1981, 8-bit ASCII world.
Consider a directory traversal attack. Say you have a website at http://somesite.domain.com/somepage

A directory traversal attack walks up the directory structure to read files outside the web root. For instance, http://somesite.domain.com/../../../etc/passwd tries to read the passwd file from the Unix or Linux system that might host that site. (In practice a browser normalizes a plain leading ../ away before the request is even sent, which is one reason attackers reach for the encoded variants below, or feed the traversal sequence to a script parameter that the application turns into a filesystem path.)



So, how do we protect against that? The web server should refuse that pesky ../../.. string, or any variant that looks like it. But even in straight-up ASCII, the . and / characters can be URL-encoded as their hexadecimal values, 2E and 2F. So now we need to protect against %2E%2F, and every other variation on that (%2E%2E%2F, ..%2F, and so on).



Simple so far, but now consider Unicode. IIS accepts a non-standard %u encoding of 16-bit code units, so . and / can also arrive as %u002E and %u002F, and we need to protect against those too. Then factor in the different ways Unicode can be serialized: the / character, which we know as %2F or %u002F, can also be written as the overlong UTF-8 sequence %C0%AF (this one was missed by IIS 4.0 and 5.0, and was the basis of the MS00-078 "Unicode" folder traversal bug). Or it can be deliberately mis-coded: IIS's lenient decoder also accepted malformed sequences such as %c0%9v, and those were used in the wild. And Unicode includes lookalikes, for example the fullwidth solidus U+FF0F, which an application that normalizes its input (NFKC) will happily fold into a plain /. So we now have more than a few different representations for the . and / characters!



Oh, and remember that on a Windows machine the subdirectory delimiter is backwards, using the \ character (hex 5C)? That means we need to take everything above and double the number of checks!



Now add every other web attack method (directory traversal is just one of the simplest), and you can see how character encoding can complicate matters tremendously in defending web (and other) applications!



One character encoding attack that we all expect to become more common is the use of Unicode in spear-phishing attacks. We covered this a while back in a diary: http://isc.sans.edu/diary/non-latin+TLD+to+be+issued/8755

Consider your Google searches: it's now easy to redirect you to a site whose domain name looks like the real one, but where the o characters are actually a different character entirely from another script (a Cyrillic о, U+043E, for example). It's unlikely that most people would spot an attack like this, and most of our technical controls are not prepared for non-Latin domain names either.
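As an added illustration of the homograph problem above (this is example code, not part of this diary or the one linked), here is a small Python check that converts a domain to the IDNA (punycode) form a browser actually sends to DNS and flags labels that mix scripts. The sample domains are constructed for the example; the second one replaces both Latin o characters with CYRILLIC SMALL LETTER O (U+043E).

```python
import unicodedata

# Constructed sample domains (assumptions for illustration, not from the diary).
# The second one replaces both ASCII 'o' characters with CYRILLIC SMALL LETTER O (U+043E),
# which renders identically to a Latin 'o' in most fonts.
SAMPLE_DOMAINS = [
    "google.com",
    "g\u043e\u043egle.com",
]


def label_scripts(label):
    """Return the set of scripts (LATIN, CYRILLIC, GREEK, ...) used by the letters of one DNS label.

    The first word of a character's Unicode name is its script for every alphabet that matters
    in homograph attacks; digits and hyphens are skipped.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(domain):
    """True if any label mixes more than one script (e.g. Latin g/l/e with Cyrillic o)."""
    return any(len(label_scripts(label)) > 1 for label in domain.split("."))


def to_wire_form(domain):
    """The IDNA/punycode form a browser sends to DNS; non-ASCII labels become xn--...."""
    return domain.encode("idna").decode("ascii")


def from_wire_form(ascii_domain):
    """Reverse of to_wire_form: what a browser would display for an xn-- name."""
    return ascii_domain.encode("ascii").decode("idna")


def is_homograph_suspect(domain):
    """Flag a name that needs punycode on the wire but looks like plain Latin text to the eye."""
    wire = to_wire_form(domain)
    return any(label.startswith("xn--") for label in wire.split(".")) and is_mixed_script(domain)


if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d!r:28} wire={to_wire_form(d):24} suspect={is_homograph_suspect(d)}")
```

The mixed-script test is the cheap check; a lookalike domain written entirely in Cyrillic (no mixing at all) passes it, and catching that needs the confusables data from Unicode TR39, which is what browsers use when deciding whether to display a name in Unicode or as raw xn-- punycode.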


What got me started on this, you ask? We received a note from one of our readers (thanks again Larry): he had captured a cross-site scripting attack against his web application (an unsuccessful attack, thankfully). The neat thing for me was the character encoding used to obfuscate the attacking script. The attack as captured is shown (partially) here:



GET

%20i++)%20%7B%20%20%20%20%20%2

0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20

%20%20%20%20%20%20%20if%20(parts[i].substr(0,%201)%20==%20'q')%20%7B%2

0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20

%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20return%20unescape(part

%20%20%20%20%20%20%20%20%2

0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20

%20%20%20%20%7D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%

20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%20%20%20%20%20%20%20%20%2

0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%20%20%20

%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%

%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2

0%20%20%20%20%20%20%7D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20

%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%

20goog

le.load('search',%20'1',%20%7B%20language:%20'en',%20style:%20google.l

%20%20%20%20%20%20%20%20%20%20%20%20%20%2

0%20%20%20%20%20%20%20%20%20%20google.setOnLoadCallback(function()%20%

7B%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2

0%20var%20customSearchControl%20=%20new%20google.search.CustomSearchCo

%20%20%20%20%20%20%20%20%20

%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20customSearchC

%

20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2

%20%20%20%20%20%20%20%20%

20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20customSearc

%20%20%20%20%20%20%20%20%20%20%20%20%20%2

%20%20%20%20%20%20%20%20%2

0%20%20%20%20%20%20%20%20%20%20%20%3C/script%3E%20%20%20%20%20%20%20%2

0%20%20%2 0%20%20%20%20%20%20%20%20%20%3Clink%20rel= HTTP/1.1





This looks complicated, but it's essentially an obfuscation attack based on simple URL percent-encoding of plain ASCII, where each character is replaced by a % followed by its two hex digits:

%20 is ASCII 32 (decimal), which is a space character.

%7D is }

%7B is {

%3C is <

%3E is >


After you undo all the encoding and pretty it up, the fragment reads (the capture was partial, so the decoded script is too):

i++) {

if (parts[i].substr(0, 1) == 'q') {

}}}

}

google.load('search', '1', {

language: 'en',

style: google.loader.themes.GREENSKY

google.setOnLoadCallback(function () {

</script>
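To make the decoding step concrete, here is an added Python example (not code from the diary or from the reader's IPS) that re-joins a few consecutive lines copied from the capture above, percent-decodes them once with the standard library, and shows which simple signatures match the raw bytes versus the decoded text. The signature list is an assumption chosen for illustration.

```python
import re
from urllib.parse import unquote

# A few consecutive lines reproduced from the captured request shown above. The capture
# wrapped in the middle of %XX sequences, so the lines must be re-joined before decoding,
# and it was partial, so the decoded text is a fragment rather than a complete script.
CAPTURED_LINES = [
    "%20i++)%20%7B%20%20%20%20%20%2",
    "0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20",
    "%20%20%20%20%20%20%20if%20(parts[i].substr(0,%201)%20==%20'q')%20%7B%2",
    "0%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20",
    "%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%",
    "20goog",
    "le.load('search',%20'1',%20%7B%20language:%20'en',%20style:%20google.l",
    "%20%20%20%20%20%20%20%20%2",
    "0%20%20%20%20%20%20%20%20%20%20%20%3C/script%3E%20%20%20%20%20%20%20%2",
]

# Strings a simple signature engine might look for (assumed list). Only one of them is
# visible in the raw bytes; the other two only appear once the %XX sequences are decoded.
SIGNATURES = ["</script>", "{", "substr("]


def rejoin(lines):
    """Undo the line wrapping of the capture so that split %XX sequences are whole again."""
    return "".join(lines)


def decode_request_fragment(lines):
    """One round of percent-decoding, which is what the browser or server does with the URL."""
    return unquote(rejoin(lines))


def tidy(text):
    """Collapse the runs of encoded spaces so the script reads like the pretty-printed version."""
    return re.sub(r"\s+", " ", text).strip()


def match_signatures(text, signatures=SIGNATURES):
    """Return the signatures found in `text`, in the order they are listed."""
    return [s for s in signatures if s in text]


if __name__ == "__main__":
    raw = rejoin(CAPTURED_LINES)
    decoded = decode_request_fragment(CAPTURED_LINES)
    print("raw bytes match:     ", match_signatures(raw))
    print("after decoding match:", match_signatures(decoded))
    print(tidy(decoded))
```

Note that unquote leaves sequences it cannot decode (such as the dangling %2 at the end of the last captured line) in place rather than raising, which is the behaviour you want when the input is attacker-controlled and possibly truncated.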



This looks fairly straightforward, but that weird string in the middle, '004498978135172075721:ll4byhgudkg', had me stumped. Bojan Zdrnja (another Handler here at the ISC) clued me in: it's a Google Custom Search Engine identifier, in other words a stored search configuration on Google. So what this attack script does, once successful, is pull the real attack down from a site indexed by Google and called indirectly, courtesy of that stored search. The real attack might often be a command and control channel back to a botnet or other controller host, but it could be just about anything really.



Anyway, back to character encoding: note that the majority of this attack was encoded / obfuscated with plain percent-encoded ASCII; it's not Unicode or anything complex at all. The IPS in front of the website had no trouble dealing with it; the request was blocked and sent to our reader as an alert, and he passed it on to us.



But remember what I mentioned about many of our defences still living in the 1980s world of 8-bit ASCII? While the attack *looks* complicated to the human eye, it's 10-years-ago complicated, i.e. it looks complex, but if you've got any defences at all, attacks of this nature are likely to be blocked handily. Throwing in Unicode, especially from one of the less-used tables, and doctoring it up with some mis-coded characters might have made this simple XSS attack more likely to slip past a signature-based IPS.



The proper method for an IPS (or Web Application Firewall, WAF) to deal with this is to have it decode and normalize the request exactly the way the target host will, and only then match against its signatures, rather than running the signature database against the raw bytes (the same principle applies to network-level evasions such as packet fragmentation and overlapping TCP segments). If you have multiple hosts with different decoders behind it, the IPS/WAF may need to decode the request several ways to get it right for each target. The tough part is that the IPS or WAF has to decode *everything* before it knows which traffic is good and which is an attack, which is why IPSs these days usually have lots of CPU and memory!
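As an added example (not code from this diary or from any IPS/WAF product) of the decode-then-match approach in the paragraph above, and of the traversal encodings listed earlier (%2E%2F, %u002F, %C0%AF, backslashes, double encoding, fullwidth lookalikes), here is a small Python canonicalizer run over constructed probe URLs, alongside the raw-bytes signature check it replaces. The probe list, the decoder's tolerance for overlong UTF-8 and %u sequences, and the fail-closed treatment of sequences it cannot decode are all assumptions chosen to mimic an old IIS-style target; a WAF in front of Apache would need a different decoding profile, which is exactly the per-target point made above.

```python
import re
import unicodedata

# Constructed probe requests (assumptions for illustration, not from the diary). Each one
# carries the same ../../etc/passwd traversal in a different encoding discussed above.
PROBES = {
    "plain":      "/scripts/../../etc/passwd",
    "percent":    "/scripts/..%2F..%2Fetc%2Fpasswd",
    "double":     "/scripts/..%252F..%252Fetc/passwd",      # %25 -> '%', then %2F -> '/'
    "u_encoding": "/scripts/..%u002F..%u002Fetc/passwd",    # IIS-style %uXXXX code units
    "overlong":   "/scripts/..%c0%af..%c0%afetc/passwd",    # overlong UTF-8 for '/' (MS00-078)
    "backslash":  "/scripts/..%5C..%5Cetc/passwd",          # Windows path separator
    "fullwidth":  "/scripts/..\uff0f..\uff0fetc/passwd",    # U+FF0F FULLWIDTH SOLIDUS, NFKC -> '/'
    "query":      "/somepage?file=..%2F..%2Fetc%2Fpasswd",  # traversal via a script parameter
    "malformed":  "/scripts/..%c0%9v..%c0%9vetc/passwd",    # not valid hex; old IIS still ate it
    "benign":     "/scripts/search?q=a..b",
}

RAW_SIGNATURE = "../"   # what a signature engine matching on raw bytes would look for

_U_ENC = re.compile(r"%[uU]([0-9a-fA-F]{4})")
_X_ENC = re.compile(r"%([0-9a-fA-F]{2})")


def lenient_utf8(data):
    """Decode UTF-8 but, like the old IIS decoder, accept overlong forms such as C0 AF for '/'.
    Bytes that are not part of a valid 2- or 3-byte sequence are kept as Latin-1."""
    out, i = [], 0
    while i < len(data):
        lead = data[i]
        tail = data[i + 1:i + 3]
        if 0xC0 <= lead <= 0xDF and len(tail) >= 1 and 0x80 <= tail[0] <= 0xBF:
            out.append(chr(((lead & 0x1F) << 6) | (tail[0] & 0x3F)))
            i += 2
        elif 0xE0 <= lead <= 0xEF and len(tail) == 2 and all(0x80 <= b <= 0xBF for b in tail):
            out.append(chr(((lead & 0x0F) << 12) | ((tail[0] & 0x3F) << 6) | (tail[1] & 0x3F)))
            i += 3
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out)


def decode_once(text):
    """One decoding round: %uXXXX -> code point, %XX -> byte (then lenient UTF-8).
    Returns (decoded, malformed); malformed is True if a '%' was not followed by valid hex."""
    out, pending, malformed, i = [], bytearray(), False, 0

    def flush():
        if pending:
            out.append(lenient_utf8(bytes(pending)))
            pending.clear()

    while i < len(text):
        if text[i] == "%":
            m = _U_ENC.match(text, i)
            if m:
                flush()
                out.append(chr(int(m.group(1), 16)))
                i = m.end()
                continue
            m = _X_ENC.match(text, i)
            if m:
                pending.append(int(m.group(1), 16))
                i = m.end()
                continue
            malformed = True          # fall through and keep the literal '%'
        if ord(text[i]) < 0x80:
            pending.append(ord(text[i]))
        else:
            flush()
            out.append(text[i])
        i += 1
    flush()
    return "".join(out), malformed


def canonicalize(path, max_rounds=3):
    """Decode until stable (catches double encoding), fold lookalikes with NFKC, unify separators."""
    malformed = False
    for _ in range(max_rounds):
        decoded, bad = decode_once(path)
        malformed = malformed or bad
        if decoded == path:
            break
        path = decoded
    path = unicodedata.normalize("NFKC", path).replace("\\", "/")
    return path, malformed


def classify(path):
    """Decide on the canonical form: a '..' path or parameter segment is traversal; anything we
    could not decode is reported rather than passed, since the target may decode it differently."""
    canon, malformed = canonicalize(path)
    if ".." in re.split(r"[/?&=]", canon):
        return "traversal"
    return "malformed-encoding" if malformed else "clean"


def naive_match(path):
    """The 8-bit-ASCII-era check: look for the signature in the raw request."""
    return RAW_SIGNATURE in path


if __name__ == "__main__":
    for name, probe in PROBES.items():
        print(f"{name:11} raw-signature={naive_match(probe)!s:5} canonical={classify(probe)}")
```

The raw signature only fires on the plain probe; every encoded variant sails past it and is caught only after canonicalization. Two design points matter in practice: the canonical form is checked segment by segment (so a benign "a..b" in a query string is not flagged), and a request the decoder cannot make sense of is reported instead of being waved through, because the one thing you know about a malformed sequence is that the target's decoder may treat it differently than yours.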



We covered a lot of ground in today's story; I hope the example made things clearer by showing a real attack you might see on your network today. If you have any comments, or perhaps a neat attack you've seen lately that uses character encoding, please use our comment form!
So when you're thinking about attack and defence on the net: until you've had a chance to look at the character encoding, don't believe everything you read!

===============

Rob VandenBrink

Metafore (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Some employees are failing to enable security capabilities on their smartphones and tablets, putting corporate email and other sensitive data at risk.

 
Oracle January 2007 Security Update Multiple Vulnerabilities
 
Oracle October Security Update Multiple Vulnerabilities
 
A workers' rights group has slammed what it called the 'iPad mini manufacturer' for maintaining poor working conditions at a factory in China.
 
Dell on Tuesday said its XPS 10 tablet with Windows RT will start at $499, matching the price of the Microsoft Surface tablet that became available last week.
 
Sharp said Tuesday that mobile devices using its new IGZO display technology, which can triple battery life while offering higher touch sensitivity, are about to surge.
 
Intel researchers envision a future of driverless smart cars that can be updated at any time with the latest technology and apps.
 
Apple will webcast its event today, where most expect the company to unveil a smaller iPad.
 
As PC sales decline and smartphone and tablet sales climb, the world of computing is poised for a dramatic shift. While mobile users do, in fact, 'compute' with their devices, application data and functionality actually reside in the cloud. To accommodate this, columnist Bernard Golden says, the cloud will have to grow in ways that few can currently comprehend.
 
The Lumia 510 is Nokia's new entry-level Windows Phone, priced at about $199 excluding taxes and subsidies and due to be released in November.
 
One of the seven patents at the heart of Apple's $1.05 billion lawsuit against Samsung Electronics has been tentatively rejected by the U.S. Patent and Trademark Office.
 
FirePass SSL VPN 'refreshURL' Parameter URI Redirection Vulnerability
 
Cerulean Studios Trillian Multiple Remote Buffer Overflow Vulnerabilities
 
Users installing the Windows and Mac OS X desktop clients for Google's free sync tool should ensure that their computers are well protected; it opens a backdoor to their Google accounts


 
XSS Vulnerabilities in ClipBucket
 
XSS Vulnerabilities in CMSMini
 
ManageEngine Security Manager Plus Advanced Search SQL Injection Vulnerability
 
XSS Vulnerabilities in TaskFreak
 
All the questions that you pose to vendors in a request for proposal can be the basis for the eventual contract. (Insider; registration required)
 
Privacy advocates and consumer rights groups are keeping a wary eye on a new copyright enforcement mechanism set to be rolled out by major Internet Service Providers.
 
Django 'HttpRequest.get_host()' Information Disclosure Vulnerability
 
Asustek is shipping its upcoming Vivo Tab RT tablet starting at $599, which will cost more than Windows RT tablets from Microsoft and Dell, which have an entry price of $499.
 
As Microsoft launches Windows 8, and with it an attempt to stabilize a precipitous decline in its share of operating systems for 'personal devices', 2013 is going to be a tough, very tough year, research firm Forrester said today.
 
Mobile payment systems could get a boost from a 2015 deadline that credit card companies are imposing on retailers to upgrade their point-of-sale terminals.
 
Over 17,600 users in U.S. Immigration & Customs Enforcement (ICE) are being moved from their BlackBerry devices to Apple's iPhone, after it was found that technology from Research In Motion cannot meet the mobile technology needs of the agency, according to contract documents.
 
A developer has discovered that the popular modified Android firmware saved swipe gestures used to unlock smartphones. A small patch fixes this security vulnerability


 
JW Player 'logo.link' Parameter Cross Site Scripting Vulnerability
 
Real Networks RealPlayer Write Access Violation Arbitrary Code Execution Vulnerability
 