Xen CVE-2015-4105 Local Denial of Service Vulnerability
 
Xen CVE-2015-4106 Local Security Bypass Vulnerability
 
QEMU CVE-2016-5403 Denial of Service Vulnerability
 
Xen CVE-2015-2756 Denial of Service Vulnerability
 
Oracle MySQL CVE-2016-3521 Remote Security Vulnerability
 
Oracle MySQL CVE-2016-3615 Remote Security Vulnerability
 
Oracle MySQL CVE-2016-3477 Local Security Vulnerability
 
Oracle MySQL CVE-2016-5440 Remote Security Vulnerability
 
[SECURITY] [DSA 3635-1] libdbd-mysql-perl security update
 
CVE-2016-5672: Intel Crosswalk SSL Prompt Issue
 
[SYSS-2016-038] CHERRY B.UNLIMITED AES - Keystroke Injection Vulnerability
 
[SYSS-2016-032] CHERRY B.UNLIMITED AES - Insufficient Protection of Code (Firmware) and Data (Cryptographic Key)
 
OpenSSL 'crypto/asn1/a_d2i_fp.c' Local Denial of Service Vulnerability
 

This page redirected some would-be donors to a fake website controlled by hackers, Reuters reports. (credit: Democratic Congressional Campaign Committee)

Yet another cyber-attack has targeted a Democratic Party organization—or more specifically, the party's donors. Reuters reports that the FBI is investigating a breach of the systems of the Democratic Congressional Campaign Committee. While the details of the alleged intrusion were not revealed, visitors to the DCCC's site were apparently redirected to a malicious lookalike website mimicking the DCCC contribution page.

Visitors to the DCCC page who clicked a link to donate were directed to a look-alike domain name registered in June instead of the site of a donation processing contractor. The IP address of the fake site "resembled one used by Russian government-linked hackers suspected in the breach of the DNC," Reuters' Joseph Menn, Dustin Volz, and Mark Hosenball reported. Data collected included donor's contact information, e-mail addresses, and possibly credit card information.

It is not clear whether the attackers were after financial information for credit card fraud, or if they were collecting personal data for use in directed attacks against donors. But the attack's timing—or at least the registration of the domain used in the attack—matches up with the recent discovery of a Democratic National Committee breach. The DCCC shares office space with the DNC in Washington.

Read on Ars Technica | Comments

 
[SYSS-2016-059] Microsoft Wireless Desktop 2000 - Insufficient Verification of Data Authenticity (CWE-345)
 

About a year ago I received RTF samples that I could not analyze with RTFScan or rtfobj (FYI: Philippe Lagadec has improved rtfobj.py significantly since then). So I started to write my own RTF analysis tool (rtfdump), but I was not satisfied enough with the way I presented the analysis result to warrant a release of my tool. Last week, I started analyzing new samples and updating my tool. I released it, and show how I analyze sample 07884483f95ae891845caf0d50ce507f in this diary entry.


This sample is an heavily obfuscated RTF file. RTF files are essentially sets of nested strings that start with { and end with }. Like this (strongly simplified):

{\rtf {data {more data}}}.

Malicious RTF files contain a payload. Objects in RTF files are embedded in hexadecimal, like this (strongly simplified):
{\rtf {data
{\*\objdata
01050000
02000000
08000000
46696C656E616D6500000000000000...
}}}

Malicious RTF files obfuscate the hexadecimal data in many ways, one of them is to put extra control strings inside the hexadecimal data, like this:
{\rtf {data
{\*\objdata
01050000
02000000
08000000
46696C656E61{\obj}6D6500000000000000...
}}}

The sample I analyzed takes this to the extreme. After each hexadecimal digit, extra control strings and whitespace are inserted:


(I removed a lot of whitespace to be able to put several hexadecimal digits on the screen).
The hexadecimal digits (highlighted in red) are 01050" />

And a bit further, we even find a URL:

Taking a closer look, I don" />

And of course also dump it to a file (option -d), so that we scan analyze it with the

t YARA search doesn" />

If you have interesting tools or techniques to analyze RTF files, please post a comment.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
[SYSS-2016-047] Perixx PERIDUO-710W - Keystroke Injection Vulnerability
 
[SYSS-2016-046] Perixx PERIDUO-710W - Missing Protection against Replay Attacks
 
[SYSS-2016-044] Logitech K520 - Insufficient Protection against Replay Attacks
 
[S21SEC-047] Fotoware Fotoweb 8.0 Cross Site Scripting
 
libarchive 'archive_read_support_format_zip.c' Heap Buffer Overflow Vulnerability
 
Vicon Network Cameras - Authentication Bypass
 
Internet Storm Center Infocon Status