Threat Level: green Handler on Duty: Kevin Liston

SANS ISC: MS05-036 Color Management Exploit Code in Wild; mod_jrun exploit scanning from Europe; Insecure by Design - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
MS05-036 Color Management Exploit Code in Wild; mod_jrun exploit scanning from Europe; Insecure by Design

MS05-036 Color Management Exploit Code in Wild



We've received reports that the Color Management Module ICC Profile Buffer Overflow Vulnerability has exploit code available and is being used out in the wild. The vulnerability information from Microsoft is available over at . The mitigate this vulnerability, apply the appropriate patch. It appears that this version of the exploit code will only crash the browser, but it wouldn't be difficult to put in code for execution. put out an advisory on the code being in the wild this morning.

mod_jrun exploit scanning from Europe



A reader sent in an email with the observation of a large increase in mod_jrun exploits being thrown at webservers. Has anyone else seen similar behavior or problems and, if so, an IP list of sources and the specific attacks being used?

Insecure by Design



*Disclaimer* - This won't be as interesting as Tom's FTBM. Sorry. I'm not that creative. I can do haiku, that's about it.

Let's say at a fictional organization, they offer wireless for their clients, employees, guests, and so on. In a town that has free wireless almost everywhere, it's almost a political necessity to offer wireless, despite the security issues. At first, the required all wireless users to authenticate through a VPN server and then have full and complete access to the internet. Some complained and they developed an economy solution that uses a username and password to authenticate via a webserver and then you get limited access to the internet. Not secure, no... but a compromise, if not for one thing.

The password the users have to use and type in is the master password for a multiple logon environment. This password controls all others and allows you to change them, including the password that controls, say, direct deposit for employees. Say you want to make some money. Here's how you do it.

Remember airpwn? Allegedly the only interesting thing out of this year's DefCon? It shows you that if you are on the same subnet as someone, you can always respond to their requests faster than a remote server. So, when someone walks up, sits down, and fires up their web browser, your evil hacker machine sends a request with a "fake" webpage back to the user. Sure, you might have the real webserver using SSL, but would an end-user really check to make sure their session is encrypted? Would you? If you answered yes, you are either working for a 3-letter security agency or aren't being honest with yourself.

They send you their credentials, you have them tunnel through you out to the Internet. Everyone is happy, no one suspects a thing. Then you wait til a day or two before the end of the month for payday. You start changing direct deposit information. Money comes in, you get out of town. Sure, that's crude and you'd get caught, but I'm not an expert in laundering money.

The point is, if you are going to offer wireless, it will be insecure if you don't tunnel it through a VPN and even then could have problems. The second point is, if you are going to choke down that risk, please don't make the users authenticate with credentials that means something and give them access to anything important. The information is easy enough to steal and there are plenty of 14 year olds out there with laptops wanting to try.

-----------

John Bambenek

bambenek -at- gmail -dot- com

(insert obligatory 'ph' joke here)
John

248 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!