October 15th, 2009
MS09-050 addresses the much talked about SMB2 Negotiation vulnerability. A crafted SMB packet could crash the Windows Vista/2008 systems with blue screen.
The OpenVAS plugin for checking MS09-050 hotfix is now available in the svn. This doesn’t require any credentials. The patched system responds differently to a particular SMB negotiation request (a crafted PID’s low_id field) from an un-patched system. The response is verified to confirm if the patch is installed. This has been tested on Windows Vista and 2008.
Posted in Uncategorized | No Comments »
July 15th, 2009
OpenVAS plugins for Microsoft Security Bulletins - July 2009 are now available in the SVN repository. The plugins can be also synced via openvas-nvt-sync method.
There were 6 bulletins in total, including the much in-news Video ActiveX control (MS09-032)
Posted in Uncategorized | No Comments »
April 17th, 2009
The news…
Passing the 10000th Network Vulnerability Test (NVT) is a perfect occasion to report about the progress of the OpenVAS project[1].
In October 2008 the systematic development of new NVTs started with a base of around 5800 Tests. With the release of OpenVAS 2.0 in December 2008, the development was boosted and has now reached an average of 10 code updates per day. The public OpenVAS NVT Feed Service delivers 3-10 new vulnerability tests every day.
The significantly grown and globally distributed developer team will gather at the second OpenVAS developers conference[2] July 9-12 2009 in Germany. During the conference features and a roadmap for OpenVAS 3.0 will be scheduled.
The OpenVAS project is backed by a number of companies, which also supplement the project with professional services[3]. These companies include Greenbone Networks, SecPod, Intevation and SecuritySpace.
“Reaching the professional enterprise market is a good indicator that OpenVAS gained maturity very fast” says Tim Brown, founder of the OpenVAS project.
While OpenVAS 3.0 will likely appear in 2009, users of OpenVAS 1.0 should prepare to migrate as support for 1.0 will end during 2009.
Regards,
Michael Wiegand
[1] http://www.openvas.org
[2] http://www.openvas.org/openvas-devcon2.html
[3] http://www.openvas.org/professional-services.html
Posted in Uncategorized | No Comments »
April 17th, 2009
OpenVAS plugins for Microsoft Bulletins - April 2009 are now available in OpenVAS. Update your OpenVAS plugins by running openvas-nvt-sync or download from the SVN directly.
Posted in Uncategorized | No Comments »
April 1st, 2009
Conficker worm variants A, B and C are dependent on vulnerability in Microsoft server service. Microsoft had released an advisory MS08-067 back in October 2008 to address the above vulnerability. As was expected at that time, number of attacks are spreading, major one being Conficker worm.
We have plugins for OpenVAS,
900055 - secpod_ms08-067_900055.nasl
900056 - secpod_ms08-067_900056.nasl
to detect patch condition of MS08-067. The plugin 900055 requires SMB credentials and verifies if the required hotfix is installed through Windows Registry and verifying the updated file versions. The plugin 900056 is a Proof of Concept exploit that tries to crash the server service (safe_checks has to be disabled). This can work on anonymous login credentials if the target system allows anonymous login (Windows 2000 by default allows anonymous login). The plugin checks the RPC response status of an un-patched system.
If your system is found to be vulnerable, make sure to run the AV scanners to see if you are infected by Conficker worm. All major AV vendors have signature. Manual procedure to verify if you are infected is and also to clean is available at,
http://download.nai.com/products/mcafee-avert/documents/combating_w32_conficker_worm.pdf
Posted in Uncategorized | No Comments »
December 30th, 2008
Introduction
In the arena of computer security and exploitation world, we come across with many security tools. Some of them are quite useful and some of them you just have to plug it in and plug it out in few days. However, currently the antivirus company, F-Secure has developed an application called Exploit Shield which is mainly prioritized on giving dynamic protection to Zero-Day vulnerabilities. I won’t go that much of deep analysis for its internal mechanism but I will be discussing an overview of this tool, how this works etc. in the next phase.
Overview
F-Secure Exploit Shield is a tool developed completely in C and C++ (using GFx libraries), designed to protect the machines responsively and proactively. And the scheme/type of detection and defence method can be set by the end user. If user wants to keep track of the attack logs only or if the user wants to protect the machine immediately once it detects any malicious activities which can be customized through this tool. This tool is currently developed for Windows box and its in Beta state as lots of new features has to be added and lots of bugs are to be fixed yet! This product can be downloaded from their
labs page in free. It comes with a straight forward installer and gets installed in less than one minute. It takes less resource from your CPU and hooks itself into the system once you install the application in your win box.
Tech Overview
Once the application gets installed into the system it makes itself hooked into the system APIs. Then it starts monitoring the user’s activities and alerts/blocks any unknown client side vulnerabilities which may affect the system. It checks for some generic shellcode patterns, malicious IE/Firefox objects which affects the system security. It also monitors the user’s browsing activities and if any malicious code is found in the current web page then either it blocks the attack by showing an alert in the victim’s web browser (IE/Firefox) or it will log the attack details in a log file which can be verified by the user later and take proper actions against it. As it hooks into the system APIs so it slightly slows down the rendering speed of pages as it works as a MITM (Man-in-the-middle) communication between the user and the browser, but the page rendering speed is quite insignificant and can be ignored as security matters at the end of the day! Once it blocks any attacks then it shows the alert in the browser itself immediately having the exploit type and its details. This tool is basically aimed at blocking most of the browser vulnerabilities. And as per the current Microsoft Security Advisory (961051), which is declared as a critical vulnerability, this tool does the job very well against blocking those vulnerabilities.
Pros
- Real time monitoring of user browsing activities and immediate action on the detected attack.
- Installer and Application is very user-friendly and self-explanatory.
- Updates the attack detection modules automatically from the F-Secure server so that the end-user doesn’t have to care about updating it manually as some application does.
- Catches most of the known IE and Firefox vulnerabilities in real-time.
- Feature to detect malicious ActiveX controls and applying the hot patches immediately so that the user doesn’t have to follow the manual processes to set the registry kill bit values to block that exact activex object execution in Internet Explorer.
Cons
- While uninstalling, the application reboots Windows immediately without any alerts where as it should let
the user reboot the system at later time or immediately.
Conclusion
As we know the tool is still in Beta state, so still there are lots of new features and modifications required which will be added in the next releases. But this tool should be a must have for everyone who is really concerned about security as its very light weight to use and very user friendly also.
Sujit Ghosal
sghosal@secpod.com
Security Research Analyst
Posted in SecDigest | No Comments »
October 31st, 2008
We had earlier released SecPod plugin for Nessus for MS08-067, vulnerability. The plugin required SMB credentials for it to work.
We have now made available the exploit code for the much talked about vulnerability in here. This has been tested with Nessus and OpenVAS and works well on Microsoft Windows 2000, XP and 2003. This doesn’t require any credentials to be supplied. Since this crashes the server service on the target system (Windows 2000 system restarts), you’ll have to restart the server service. Exercise caution!
Posted in Uncategorized | No Comments »
October 24th, 2008
The advisory released by Microsoft yesterday, MS08-067, calls for immediate update. The vulnerability is actively being exploited. We have the SecPod plugin for Nessus and OpenVAS available here, scan your system quickly and run the missing update.
Posted in Uncategorized | No Comments »
September 10th, 2008
Microsoft Bulletins - Sept08
There are 4 security bulletins released addressing 8 security vulnerabilities and all are Critical.
1. MS08-052 - GDI+ Remote Code Execution Vulnerability
2. MS08-053 - Windows Media Encoder 9 Remote Code Execution Vulnerability
3. MS08-054 - Windows Media Player Remote Code Execution Vulnerability
4. MS08-055 - Microsoft Office Remote Code Execution Vulnerability
More details can be found here. Also we have released SecPod Plugins for Nessus.
One critical vulnerability, MS08-052 requires considerable effort to deploy the patches. When we did a search for gdiplus.dll (vulnerable file), in one of the system, it returned 23 different locations where it exists and all are of different sizes and file versions. This indicates that each applications have been embedded with different version of GDI+ library.
First step towards applying the patch would be manually downloading the patches from Microsoft Bulletin and applying each of them listed against category of applications. Windows Automatic Update will not help here. Secondly, list out all the applications that are using GDI+ (search for gdiplus.dll) and try and see if you can overwrite those files with the latest versions (This may not work for all applications, as each is bundled with different versions and size). Apply thought while using these applications. Hopefully each vendor will update their software seperately and soon.
Posted in Uncategorized | No Comments »
August 25th, 2008
Antivirus XP 2008
Be careful with what you click! This Trojan makes you believe that there are viruses/worms in your computer, makes you download a file named XPantivirus2008_v880421.exe (v880421 is a variable component in the file) and installs another executable named xpa.exe which is a worm. This will create entries in multiple locations including ProgramFiles, Windows Registry and also adds an entry in the System Startup so that it can reappear after reboot.
This was actually reported to us by an infected user who also reported that many users in Australia are affected. The worm is described in more detail here.
Action:
1. Do not open any link that claims to clean the Virus/Worms existing on your computer
2. If you are already infected, AVG Free has cleanup means and others are adding as well, so run your AV scanner.
3. We have Snort signature written for this.
Posted in SecDigest | No Comments »