Windows 0-day
A new vulnerability has been identified and POC code has been published for this Windows 0-day affecting the help functionality.
Windows use what is called as HCP protocol when the helpctr.exe executable is invoked to open the help files and connect using the HCP URI. HCP is similar to the HTTP protocol and uses a similar prefix hcp://
The vulnerability is due to not validating URLs while using the HCP protocol, this allows passing arbitrary scripts to the operating system. In order to exploit this vulnerability, one has to invoke the help file to connect to a specially crafter URL. Such specially crafted URL could be sent in an email enticing the user to click on it. Once exploited, the adversary could assume the rights of the logged in user. So, if the user is logged on with administrative privileges, the adversary could take over the entire system.
Microsoft issued an advisory and recommends removing or unregistering the HCP protocol through a registry setting.
The full disclosure and the POC is here and the Microsoft advisory is here
If you recall, this is not the first time vulnerabilities have come up in the "help" function. Here are the last two announcemets.
Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution
Mass script injection attacks
Several sites were the victims of a mass script injection attacks. The common point was that all were running ISS/ASP.net, the general behavior which is observed on the affected sites include insertion of a particular script (ex: "http://ww.robint.us/u.js").
Another round of injection attacks was reported yesterday, affecting about 1000 sites. This time the script points to "2677.in/yahoo.js".
More information available here, here, and here
Wordpress script injection attacks
Thousands of WordPress blogs and other PHP-based sites were the victims of injection attacks, they were injected with a malicious script aimed at infecting visitor's machines with rogue security products.
More information, available here
AT&T iPad owners email leak
Gawker reported that they were given data on 114,000 iPad user accounts by intruders who hacked an AT&T server.
As per the technical details released by Gawker, it involved spoofing the user-agent in the header to make AT&T's servers respond to a request for harvesting the data.
Analysis
What's common on all these attacks?
It is input validation.
Input validation is the source of various attack techniques such as buffer overflows, cross-site scripting, SQL injection, and manipulation (query string, form field, cookie, header, etc). Input validation refers to how the application filters, scrubs, or rejects input. Proper validation should be done for variety of inputs such as type, length, format, and range.
Detection and prevention methods include
- Network IPS, which can look at the script inserts and alert
- Host IPS and file integrity monitoring tools
- Web application firewalls that can block the inline scripts.
- Log monitoring - Proper log monitoring can identify script and file injection attacks
- URLSCAN - This Microsoft tool is an ISAPI filter that intercepts every request the web server receives from the Internet and scans each request for anything unusual such as scripts.
- URLRewrite - Another tool, it has similar functionality as the URLSCAN. The major difference is that with URLREWRITE allows you define regular expressions, so it is much more flexible and powerful.
One interesting aspect that you may have noticed is the India connection in the mass injection attacks, specifically the domain 2677.in has an India TLD. Let's try to get more information on this.
lab:$ whois 2677.in
Domain ID:D4266272-AFIN
Domain Name:2677.IN
Created On:10-Jun-2010 10:33:51 UTC
Last Updated On:10-Jun-2010 10:33:52 UTC
Expiration Date:10-Jun-2011 10:33:51 UTC
Sponsoring Registrar:Transecute Solutions Pvt. Ltd. (R120-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:TS_11029084
Registrant Name:liu xiaowei
Registrant Organization:liu xiaowei
Registrant Street1:huang he lu 28 Hao
Registrant Street2:
Registrant Street3:
Registrant City:zhou zhou
Registrant State/Province:henan
Registrant Postal Code:450001
Registrant Country:CN
This has an India TLD but registered in China. Let's look at where is it hosted
lab:$ host 2677.in
2677.in has address 95.211.130.71
lab:$whois 95.211.130.71
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
So, as you can see, it was registered in China, has an India domain but hosted in Netherlands. This shows the international reach of cyber criminals making it difficult for organizations and law enforcement to act against them.
No comments:
Post a Comment