(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
WordPress Image Gallery Plugin HTML Injection Vulnerability


Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.

Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.

SANS Dean of Research Johannes Ullrich said in Monday's post that exploits are almost certainly the cause behind an outage that hit Deutsche Telekom customers over the weekend. In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until they are rebooted and receive an emergency patch. Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland. They went on to identify D1000 routers supplied by Eircom as also being susceptible and cited this post as support. The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.


Red Hat JBoss BRMS and BPM Suite CVE-2016-8608 Incomplete Fix HTML Injection Vulnerability
Drools CVE-2016-7041 Directory Traversal Vulnerability
WordPress Dukapress Plugin 'dukapress/download.php' SQL Injection Vulnerability
Guidance Software EnCase Multiple Security Vulnerabilities
Core FTP Client Buffer Overflow Vulnerability
IBM BigFix Remote Control CVE-2016-2927 Information Disclosure Vulnerability
IBM BigFix Remote Control CVE-2016-2929 Information Disclosure Vulnerability
metapixel 'rwgif.c' Heap Buffer Overflow Vulnerability
WebKit CVE-2016-9642 Memory Corruption Vulnerability
WebKit CVE-2016-9643 Denial of Service Vulnerability


Black Friday was a dark day for San Francisco's Municipal Transportation Agency, as an apparent crypto-ransomware infection spread across the Muni system's networks, taking down ticketing for Muni's train stations and systems used to manage the city's buses. The operator of the ransomware demanded $73,000 in exchange for restoration of Muni's data, according to a report from the San Francisco Examiner.

The malware's effects were visible on screens in station agents' booths at multiple Muni train stations, which displayed the message, "You Hacked, ALL Data Encrypted." The ransom message gave an e-mail address ([email protected]) that has been tied to ransomware attacks with variants of malware known as Mamba and HDDCryptor, a class of crypto-ransomware first identified from different samples in September by Morphus Labs and Trend Micro.

A mash-up of some basic malware code with open source and freeware Windows software, HDDCryptor goes after the entire network of its victims—encrypting entire local and networked drives. The malware uses an open source disk encryption tool called DiskCryptor and identifies physical and network shares to encrypt using Windows' "GetLogicalDrives" volume management function. It also uses code from the free network password recovery software Netpass.exe. HDDCryptor then overwrites the Master Boot Record of the infected machine—in some cases forcing a reboot of the system—to display its message.


Multiple IBM Products CVE-2016-0284 XML External Entity Denial of Service Vulnerability
IBM iNotes CVE-2016-0282 Cross Site Scripting Vulnerability
IBM BigFix Remote Control CVE-2016-2928 Information Disclosure Vulnerability
Multiple IBM Products CVE-2016-0273 Cross Site Scripting Vulnerability
Multiple IBM Products CVE-2016-0285 HTML Injection Vulnerability
Cybozu Kintone App CVE-2016-7816 SSL Certificate Validation Security Bypass Vulnerability
Siemens SICAM PAS Products CVE-2016-8566 Local Security Bypass Vulnerability

(This article is a work in progress. Please let us know if you have any more details to share.)

UPDATE (0830 PST/1630 GMT) - Russ

German Telekom is now offering a firmware update for the affected routers. Details (in German) are here: https://www.telekom.de/hilfe/geraete-zubehoer/router/speedport-w-921v/firmware-zum-speedport-w-921v. Affected users are advised to power off their router and power it on again after 30 seconds. During bootup the router should retrieve the new firmware from the Telekom servers.

Help URL for affected Deutsche Telekom customers: https://www.telekom.de/hilfe/hilfe-bei-stoerungen/anschluss-ausfall

Among the hosts seen in port 7547 scans that also have port 443 open, the only SSL certificates returned are Zyxel certificates:
depth=0 C = CN, ST = TAIWAN, L = XINZHU, O = ZyXEL, OU = DSL Unit, CN = ZyXEL, emailAddress = [email protected]
It appears that Zyxel makes the vulnerable routers, but that they are likely sold under different brands or distributed by ISPs under their own brand.

Be sure to read comments below as well. In particular, Austria is experiencing a strong increase in TR-069 traffic within the last 24 hours. According to Shodan, there are approximately 53,000 devices reachable on Port 7547 in Austria. Most of the traffic we currently see originates from other end-user DSL modems, a lot of it especially from Brazil.


Quick Action: If you suspect that you have a vulnerable router, reboot it and check whether port 7547 is listening after the reboot (if infected, the router will no longer listen). If you can, block port 7547, and update your firmware if an update is available. A reboot will clean the router until it is infected again. But given that the host name used no longer resolves, new infections should stop until the host name is changed again.

Update: Somewhat expected, but with the old host name l.ocalhost.host being taken down, the bot now uses timeserver.host and ntp.timerserver.host . Both resolve to for now (Thanks Franceso). See the addition below for a list of hostnames observed in our honeypots.
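One way to check resolver logs for lookups of the host names mentioned above. This is an added example, not code from the diary; the dnsmasq-style log format, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Host names copied as written in the diary text above.
BOT_HOSTS = {"l.ocalhost.host", "timeserver.host", "ntp.timerserver.host"}

# dnsmasq-style query line, e.g. "query[A] name from client".
# The log format is an assumption of this example.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

def normalize(name):
    """Lower-case and drop the trailing root dot so FQDN forms compare equal."""
    return name.strip().lower().rstrip(".")

def matches_bot_host(name):
    """True if name is a listed host or a label-aligned subdomain of one."""
    name = normalize(name)
    return any(name == h or name.endswith("." + h) for h in BOT_HOSTS)

def find_lookups(lines):
    """Return {client: sorted list of listed host names that client queried}."""
    hits = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if m and matches_bot_host(m.group("name")):
            hits[m.group("client")].add(normalize(m.group("name")))
    return {client: sorted(names) for client, names in hits.items()}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Nov 28 09:12:01 dnsmasq[412]: query[A] l.ocalhost.host from 192.168.1.1",
    "Nov 28 09:12:07 dnsmasq[412]: query[A] www.example.com from 192.168.1.23",
    "Nov 28 09:40:15 dnsmasq[412]: query[A] TimeServer.Host. from 192.168.1.1",
    "Nov 28 09:41:02 dnsmasq[412]: query[AAAA] ntp.timerserver.host from 192.168.1.1",
    # Similar-looking name that must not match (not label-aligned).
    "Nov 28 09:41:30 dnsmasq[412]: query[A] nottimeserver.host from 192.168.1.40",
    "Nov 28 09:41:31 dnsmasq[412]: forwarded www.example.com to 192.0.2.53",
]

if __name__ == "__main__":
    for client, names in find_lookups(SAMPLE_LOG).items():
        print(f"{client} looked up: {', '.join(names)}")
```

A client that shows up here is a candidate for the reboot and port 7547 check described under Quick Action.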

For the last couple of days, attacks against port 7547 have increased substantially. These scans appear to exploit a vulnerability in popular DSL routers. This issue may already have caused severe issues for German ISP Deutsche Telekom and may affect others as well (given that the US is just waking up from a long weekend). For Deutsche Telekom, Speedport routers appeared to be the main issue.

According to Shodan,

A Metasploit module implementing an exploit for the vulnerability can be found here:

It currently resolves for me to, but others also observed 5.188.232.[1,2,3,4]. Right now, the host name appears to no longer resolve for me on Comcast, but it still resolves on other ISPs that have the data still cached.

The file 1 is a MIPS executable. Based on strings, the file includes the SOAP request above, as well as a request to retrieve a file 2 which is an MSB MIPS variant of 1. There also appears to be a file 3

1: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
2: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
3: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
4: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
5: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
6: ELF 32-bit MSB executable, SPARC version 1 (SYSV), statically linked, stripped
7: ELF 32-bit MSB

Johannes B. Ullrich, Ph.D.


Linux Kernel SCSI arcmsr Driver CVE-2016-7425 Local Heap Buffer Overflow Vulnerability
Linux Kernel CVE-2016-7042 Local Denial of Service Vulnerability
Linux Kernel CVE-2016-6130 Local Information Disclosure Vulnerability
LibTIFF 'NeXTDecode()' Function Out of Bounds Write Memory Corruption Vulnerability
SEC Consult SA-20161128-0 :: DoS & heap-based buffer overflow in Guidance Software EnCase Forensic
Linux Kernel CVE-2016-8666 Stack Overflow Denial of Service Vulnerability
ICU CVE-2016-6293 Out of Bounds Read Denial of Service Vulnerability
Core FTP LE v2.2 Remote SSH/SFTP Buffer Overflow
[SECURITY] [DSA 3725-1] icu security update
International Components for Unicode CVE-2016-7415 Stack Buffer Overflow Vulnerability
ImageMagick CVE-2016-7906 Use After Free Denial of Service Vulnerability
ImageMagick 'coders/tiff.c' Memory Corruption Vulnerability
CVE 2016-6803: Apache OpenOffice Unquoted Search Path Vulnerability
WorldCIST'2017 - Submission deadline: November 30
Linux Kernel 'ip_tunnel.c' Local Integer Overflow Vulnerability
Internet Storm Center Infocon Status