07-02-2009 2:00
Rentventory Multiple Remote SQL Injection Vulnerabilities
Advisories ::
milw0rm
Related posts:
08-31-2010 15:14
An independent group of security researchers has announced that they will be releasing zero-day vulnerabilities, web application vulnerabilities, and proof-of-concept exploits for patched vulnerabilities throughout the month of September. Many high-profile vendors such as Adobe, Apple, Microsoft, and Mozilla are among those whose products will apparently have vulnerabilities revealed in the month.
According to Trend Micro researcher Rajiv Motwani, the vulnerabilities that will be announced will be a collection of old and new ones, with Microsoft being a major target. The new vulnerabilities can be considered zero-day flaws, and will leave users vulnerable until a vendor patch is offered and applied. However, this process may take some time; until then, users should use any suggested workarounds.
It is also believed that detailed information for recently released advisories will also be published. The chances are that the released information may include proof-of-concept code, making exploits more likely. Exploit packs on malicious and compromised websites will probably include these new exploits as well.
Any new information released during this time period will likely be exploited quickly, putting more users at risk. High-profile applications like Internet Explorer (one of the programs that the researchers have indicated they will release a vulnerability for) can have exploit code released within hours of the proof-of-concept code being announced. Portions of the many exploits already in the wild can be re-used in any new exploits, further hastening the process.
Enterprise users should note that server applications will be part of the applications that will have vulnerabilities exposed in September. These applications may take longer to patch, and in addition the potential for damage if one server is affected is greater than if one end-user system was affected.
Vendors will certainly rush out patches to fix any announced vulnerabilities, but hopefully the accelerated development will not cause complications. There have been cases in the past when vendors released patches that did not fix the vulnerabilities completely, resulting in re-issued patches.
For users, protecting themselves will prove to be difficult. No centralized update notification mechanism exists for third-party software, which means that ordinary users may not be aware that certain applications need to be updated. Many applications now integrate some form of auto-update, but this will still impose an unneeded burden on users who just want their computer to work.
Users should be on guard for any popular applications that have vulnerabilities revealed in September, as exploits for these are likely to spread even faster than usual. Applying patches and/or workarounds for vulnerable software that are released in September is highly recommended.
While patching of computers remains essential, Trend Micro also offers several free tools that can help prevent computer compromise – you can download them here.
Post from: TrendLabs | Malware Blog - by Trend Micro
New Zero-Day Vulnerabilities Imminent
trendmicro
08-31-2010 11:20
PHP injection attacks have become increasingly popular lately. If you look at your web server logs I'm pretty sure that you will find dozens of requests for PHP injection, usually by bots that are simply trying some well known (and less known) vulnerabilities.
One of our readers, Blake, managed to capture some interesting attempts to exploit various PHP injection vulnerabilities on his web site, thanks to his installation of mod_security. Contrary to popular PHP injection attempts, where the attacker tries to exploit a variable to get the PHP interpreter to retrieve a remote PHP script, Blake noticed that the attacker tried to exploit a vulnerability in a PHP script through a POST request. The attacker submitted a malicious PHP script (with other data) hoping that the PHP interpreter would execute it; this vulnerability also exists, although it is not that common. Here is what the attack looked like in the log files:
POST http://www.hostname.somewhere en-US) AppleWebKit/133.7 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4
Host: www.hostname.somewhere boundary=---------------------------phpsploit
Content-Length: 46266
The POST request contained, besides data needed by the main script, an (of course) obfuscated PHP script that the attacker tried to execute. The deobfuscation part is shown in the picture below where I beautified it a bit and cut the long eval string.
Now, the interesting part is that the script uses the User-Agent field as the deobfuscation key. If you carefully check the User-Agent shown above you will see that, while it looks legitimate, it in fact isn't: the combination of versions is not legitimate.
But that's not all: the injected PHP script contains multiple eval() calls, each of which uses a different deobfuscation key. This allows the attacker to test only parts of the script and never reveal its true side unless the attack works. The part that I was able to deobfuscate is shown below, and it just tries to connect to a well known (public and legitimate) IRC server. Very clever, especially if we know that PHP will nicely eat any garbage that it can't parse, so the attacker doesn't have to worry about only one eval() call working.
This attack demonstrated how important it is to use all available protection layers: not only were Blake's scripts not vulnerable, but he also ran mod_security, which successfully blocked this attack, and he was checking his logs, something that a lot of administrators underestimate.
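As an added defensive example (not code from the ISC diary or from Blake's setup), the following Python checks one captured POST for the two tells described above: an AppleWebKit/Safari version mismatch in the User-Agent, and PHP code carried inside a multipart form field. The host, header and body values are constructed samples, not the original request.

```python
import re

# Constructed sample, modelled on the request in the post (hypothetical UA prefix and body).
SAMPLE_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/133.7 "
             "(KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4")
BOUNDARY = "---------------------------phpsploit"
SAMPLE_HEADERS = {"User-Agent": SAMPLE_UA,
                  "Content-Type": f"multipart/form-data; boundary={BOUNDARY}"}
SAMPLE_BODY = (f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"title\"\r\n\r\n"
               "hello\r\n"
               f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"data\"\r\n\r\n"
               "<?php eval(base64_decode('PLACEHOLDER')); ?>\r\n"   # inert marker, not a payload
               f"--{BOUNDARY}--\r\n")

WEBKIT_RE = re.compile(r"AppleWebKit/([\d.]+)")
SAFARI_RE = re.compile(r"Safari/([\d.]+)")
PHP_MARKERS = re.compile(r"<\?php|\beval\s*\(|base64_decode\s*\(", re.IGNORECASE)

def user_agent_inconsistent(ua):
    """Genuine Chrome/Safari UAs repeat the same build in the AppleWebKit/ and
    Safari/ tokens; a mismatch such as 133.7 vs 533.4 marks a fabricated UA."""
    webkit, safari = WEBKIT_RE.search(ua), SAFARI_RE.search(ua)
    return bool(webkit and safari and webkit.group(1) != safari.group(1))

def multipart_parts(body, boundary):
    """Split a multipart/form-data body into (part headers, content) tuples."""
    parts = []
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.strip() == "--":          # closing delimiter
            break
        head, _, content = chunk.lstrip("\r\n").partition("\r\n\r\n")
        parts.append((head, content.strip("\r\n")))
    return parts

def analyze_post(headers, body):
    """Return a list of findings for one captured POST (empty list = nothing odd)."""
    findings = []
    if user_agent_inconsistent(headers.get("User-Agent", "")):
        findings.append("user-agent: AppleWebKit/Safari version mismatch")
    match = re.search(r'boundary="?([^";]+)', headers.get("Content-Type", ""))
    if not match:
        return findings
    for head, content in multipart_parts(body, match.group(1)):
        name = re.search(r'name="([^"]*)"', head)
        if PHP_MARKERS.search(content):
            findings.append(f"field {name.group(1) if name else '?'}: PHP code in form data")
    return findings
```

Run over the headers and body of each blocked POST from the mod_security audit log; a request that trips both checks is worth a closer look even when the target script is not vulnerable.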
What do your logs look like? If you find similar attacks or something else that looks interesting, let us know through our contact form available here.
--
Bojan
INFIGO IS
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
ISC
08-24-2010 17:05
Three years after the United Nations' website was defaced by activist hackers using a SQL injection attack, the site still contains multiple instances of these vulnerabilities. Read the full article. [Dark Reading]
Threat Post