University of Saskatchewan

Campus Safety

IT Alerts

Apache Dangling Pointer Vulnerability

March 6th, 2010

Apache mod_isapi Dangling Pointer Vulnerability - Security Advisory - SOS-10-002

Release Date.                  5-Mar-2010
Last Update.                   -
Vendor Notification Date.      9-Feb-2010
Product.                       Apache HTTP Server
Platform.                      Microsoft Windows
Affected versions.             2.2.14 verified and
                               possibly others.
Severity Rating.               High
Impact.                        System access
Attack Vector.                 Remote
Solution Status.               Upgrade to 2.2.15 (as advised by
                               Apache)
CVE reference.                 CVE-2010-0425

Details.
The Apache HTTP Server, commonly referred to as Apache, is a popular open-source web server. mod_isapi is a core module of the Apache package that implements the Internet Server extension API (ISAPI). The extension allows Apache to serve Internet Server extensions (ISAPI .dll modules) on Microsoft Windows based hosts.

By sending a specially crafted request followed by a reset packet, it is possible to trigger a vulnerability in Apache mod_isapi that unloads the target ISAPI module from memory. However, pointers to the module's functions remain in memory and are called when published ISAPI functions are referenced. This results in a dangling pointer vulnerability.

Successful exploitation results in the execution of arbitrary code with SYSTEM privileges.
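The lifetime problem the advisory describes, as an added example that is not part of the advisory or of Apache's code: a reference-counted module record whose published entry point is cleared on unload, so a request aborted mid-way (the reset packet case) can only schedule the unload and never drives a call through a stale pointer. The module name, handler signature and the load/unload stand-ins are invented for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical extension entry point (stand-in for an ISAPI export). */
typedef int (*handler_fn)(const char *request);

static int demo_handler(const char *request) { return (int)strlen(request); }

/* Loaded-module record: the handle a server keeps per extension. */
typedef struct {
    char name[32];
    handler_fn entry;   /* published entry point; NULL once unloaded */
    int refs;           /* requests currently executing inside the module */
    int unload_pending; /* an unload was requested while refs > 0 */
} module_t;

/* Stand-in for LoadLibrary + GetProcAddress. */
static void module_load(module_t *m, const char *name) {
    memset(m, 0, sizeof *m);
    strncpy(m->name, name, sizeof m->name - 1);
    m->entry = demo_handler;
}

/* Unload only when no request is inside the module; otherwise defer until the
   last in-flight request releases its reference. Either way the published
   pointer is cleared, never left dangling. */
static void module_unload(module_t *m) {
    if (m->refs > 0) { m->unload_pending = 1; return; }
    m->entry = NULL;            /* stand-in for FreeLibrary */
    m->unload_pending = 0;
}

/* Acquire before calling into the module; fails if it is gone or going. */
static int module_acquire(module_t *m) {
    if (m->entry == NULL || m->unload_pending) return 0;
    m->refs++;
    return 1;
}

static void module_release(module_t *m) {
    if (--m->refs == 0 && m->unload_pending) module_unload(m);
}

/* Dispatch a request: returns the handler result, or -1 if the module is not
   available. A connection reset arriving mid-request (simulated by
   reset_midway) can at most schedule the unload; the code stays mapped until
   the call has returned. */
static int dispatch(module_t *m, const char *request, int reset_midway) {
    if (!module_acquire(m)) return -1;
    if (reset_midway) module_unload(m);   /* deferred: refs > 0 */
    int rc = m->entry(request);           /* still valid: we hold a reference */
    module_release(m);                    /* performs the deferred unload */
    return rc;
}

int main(void) {
    module_t m;
    module_load(&m, "demo_extension.dll");          /* constructed name */
    printf("normal request: %d\n", dispatch(&m, "GET /", 0));
    printf("reset mid-request: %d\n", dispatch(&m, "GET /x", 1));
    printf("after unload: %d\n", dispatch(&m, "GET /", 0));
    return 0;
}
```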

Proof of Concept.
Proof of concept code is available for this vulnerability. The payload will write a text file (sos.txt) to the Apache working directory demonstrating that code execution is possible. The code can be downloaded from the following link:

http://www.senseofsecurity.com.au/advisories/SOS-10-002-pwn-isapi.cpp

Furthermore, a video demonstrating the exploitation of this vulnerability using a bind shell has been created. It can be viewed at the following link:

http://www.senseofsecurity.com.au/movies/SOS-10-002-apache-isapi.mp4

Solution.
Upgrade to the latest version of Apache HTTP Server (currently 2.2.15).

Discovered by.
Brett Gervasoni from Sense of Security Labs.

Reminder: Do Not Click Links in Email You Do Not Trust

October 6th, 2009

Please remember not to follow webpage links embedded in your emails. If the site linked in the email is one you know and trust, type the address into your address bar instead of clicking the link (it is possible that the link only looks familiar but actually leads to a virus).

Even if an email comes from a friend, do not trust it outright. Please watch this news excerpt from MSNBC for information on a recent scam using stolen accounts from friends and family: www.msnbc.com

Rental Scam Warning - U of S Housing

September 17th, 2009

Campus Safety has been made aware of an online scam whereby individuals with listings on the U of S Housing Registry have received interest in their properties from international sources with intent to defraud the property owner.

Fraudsters will contact the renter stating that they are interested and that they will be sending a money order in the mail for the property. The money order will be for funds far exceeding the asking rent. Often the sender will claim some sort of money difficulties and ask to have a portion of the money order returned via Western Union (see example below).

The money order received by the renter is either entirely fraudulent or issued by a bank that is unable to process requests instantly. Once the money is deposited, it may take several weeks for the money order to be processed by the originating bank, by which time the funds are most likely gone and the renter is out the money.

The scam artist insists on Western Union because the money is transferred instantly.

If you receive interest in a rental property that seems suspicious, please contact Campus Safety immediately. Do not send any money to the sender under any circumstances. Please view the example below for more details:

EXAMPLE:

I instructed [name] to send you the deposit($750) since i m still in oversea for business and balance($1500) was meant for [name] Ticket and Traveling Expenses.[name] made a mistake sending you all my money.It is very unfortunate i don't have much on me now,i have just paid for my bills,accommodation and mortgages ..So can't get [name] flight bookings done, reason i have given her most money with me ''money order'' (Cash able in Canada only)for the things she will be needing as soon as she comes over there,she will be paying you on the first day of every month in cash or paying you the whole rent depending on how you want it.You will need to send $1450 Canadian Dollars to [name] through western union to get her Ticket and $30 to $50 dollars for the western union charges.Western Union is prefer,it is fast,reliable and convenience.Have you send money via western union before?

Email Warning - Webmail Upgrade Team

September 2nd, 2009

Please be aware of the following fraudulent email going around the university:


Dear University Webmail Email Owner,

This message is from the university webmail messaging center to all
university webmail e-mail owners. We are currently upgrading our
data base and e-mail center. We are deleting all unused
university webmail e-mail accounts to create more space for new ones.

To prevent your account from closing you will have to
update it below so that we will know its an existing
account.

CONFIRM YOUR E-MAIL BELOW:


Name:.................

Email Username :.....

EMAIL Password : .................

Territory : ...........

Warning!!! E-mail owner who fails to update his or her e-mail
within Seven days of receiving this warning will risk losing
his or her e-mail account permanently.


Thanks,

University Webmail Upgrade Team

UNIVERSITY WEBMAIL BETA.


-------------------

Do NOT follow the link inside the email; it will take you to a fraudulent site where you will be coerced into giving up your login credentials or where you will become infected with a virus. Do not respond to the email. Delete the email immediately.

Conficker - How to Test Before It Hits

March 31st, 2009

For those concerned about the upcoming virus Conficker, expected to strike April 1st, please check out this Increased Visibility post with instructions on how to check your systems remotely for Conficker.

Campus Safety has performed a scan of the U of S main campus with negative results; however, systems behind firewalls may still be infected without our being able to identify them remotely.

If your system is updated regularly with security patches, runs a firewall, and you use up-to-date antivirus software, you should not be at risk from the Conficker virus. High-risk activities such as downloading pirated materials or using peer-to-peer software may increase your chances of infection.

Canadians Advised to Watch Credit Card Statements

January 22nd, 2009

Canadians who have travelled to the US or who may have made credit card purchases at US businesses are advised to keep a close watch on their credit card statements as Heartland Payment Systems recently announced that they found signs of an intrusion into their computer systems.

Read more at www.breach2008.com

New Virus Seizes 8 Million Computers

January 20th, 2009

(From DailyTech):

New worm is very sophisticated and spreading fast

Last week the international community was hit by one of the worst viral internet attacks to take over the corporate world in recent years.  The worm -- which goes by the names Downadup, Conficker, or Kido -- had infected 8 million computers, almost all on corporate networks, by Friday.  Describes Mikko Hypponen, chief research officer at anti-virus firm F-Secure, "On Tuesday there were 2.5 million, on Wednesday 3.5 million and today [Friday], eight million.  It's getting worse, not better."

Read MORE

Critical Internet Explorer Security Flaw Identified

Updated December 17th, 2008

*A patch is now available from Microsoft. Please install it immediately if you wish to continue to use IE.

Vulnerability in Internet Explorer Could Allow Remote Code Execution - (961051)

Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer. Our investigation so far has shown that these attacks are only against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable.

There is NO PATCH available for this at this time. Campus Safety recommends that you implement the security settings identified by Microsoft or you switch to a different browser such as Firefox.

Read more on Sophos' blog here.

Emergency Microsoft Security Patch

October 23rd, 2008

Microsoft said late Wednesday that it plans to break out of its monthly patch cycle to issue a security update today for a critical vulnerability in all supported versions of Windows.

Redmond rarely releases security patches outside of Patch Tuesday, the second Tuesday of each month. The software giant isn't providing many details yet, but the few times it has departed from its Patch Tuesday cycle it has always done so to stop the bleeding on a serious security hole that criminals were using to break into Windows PCs on a large scale......

....Microsoft does not release these so-called "out-of-band" updates lightly. I would highly recommend applying this patch as soon as possible, either by visiting Windows Update or enabling Automatic Updates. A quick scan with Windows Update on my Vista system offered the patch, which installed without incident (requires a reboot).

Read more at The Washington Post

Virus Warning

September 24th, 2008

Please be aware that the following email contains a virus. DO NOT open the attached .zip file. Delete the email immediately:

Dear Sirs,
We have prepared a contract and added the paragraphs that you wanted to seein it.
Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.

If necessary, we can send it by fax.
Looking forward to your decision.

Email Scam Warning - Confirm U of S Webmail

September 4th, 2008

Please note, the following email is a fraud. The University of Saskatchewan will never request your password. Do not EVER provide this information to anyone. If you receive this or similar emails, delete them immediately!

Current Scam:

Dear University of Saskatchewan Subscriber,

We are currently performing maintenance for our Digital Webmail University of Saskatchewan Webmail. We intend upgrading our Digital Webmail Security Server for better online services.

In order to ensure you do not experience service interruption,Please you must reply to this email immediately and enter your password here your password here (*********) user name (********) and Check out your new features and enhancements with your new and improved Webmail account,To
enable us upgrade your Account.

Failure to do this will immediately render your email address deactivated from our database

You can also confirm your email account by logging into your University of Saskatchewan account at https://webmail.usask.ca/horde/imp/

for better online services please reply to this mail.

Thank you for using usask.ca webmail ! THE UNIVERSITY OF SASKATCHEWAN IT TEAM


Copyright 2008 University of Saskatchewan

Securing Your Virtual Goods: MMORPG Security

September 2nd, 2008
From: ars technica

Massively multiplayer online games (MMOGs), particularly of the role-playing variety (MMORPGs), have been growing for years, and while a great deal of that growth since 2004 is solely attributable to WoW, games like Runescape, EVE Online, and Second Life have established their own solid game bases north of 250,000 subscribers, while plenty of other games (Lord of the Rings Online, Conan, Pirates of the Burning Sea) have seen respectable if not overwhelming results of their own....

... on the security side, however, are less clear, as McAfee details in a new report on online gaming, authored by Dr. Igor Muttik. While the large-scale MMOs appear to have done a good job when it comes to securing user information (and let's not get started on the fact that Blizzard can be trusted with your credit card data, but the bank can't be), the existing client/server structure of many MMOs is not secure. This is particularly true in MMOs that allow certain scripted activities to occur client-side without limiting the speed with which such actions can be repeated...(more)

Gmail Vulnerability - Fix: Enable SSL Encryption

August 22nd, 2008
From: Hungry-Hackers

A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers’ conference in Las Vegas.

Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, and not only authentication. Users who did not turn it on now have a serious reason to do so, as Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks.

When you log in to Gmail the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually hit the sign out button. When you hit sign out this cookie is cleared.

Even though Gmail forces the authentication over SSL (Secure Socket Layer) when you log in, you are not secure, because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SSL connections are slower.

The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks.

Perry mentioned that he notified Google about this situation over a year ago and even though eventually it made this option available, he is not happy with the lack of information. “Google did not explain why using this new feature was so important” he said. He continued and explained the implications of not informing the users, “This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they’re secure but they’re really not.”

If you are logging in to your Gmail account from different locations and you would like to benefit from this option only when you are using unsecured networks, you can force it by manually typing https://mail.google.com before you log in. This will access the SSL version of Gmail and it will be persistent over your entire session and not only during authentication.

Open SSH Blacklist Script

August 22nd, 2008
From: Red Hat

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers. 

Find a script to check your Red Hat system for this vulnerability: HERE

Greeting Card Virus Warning

August 12th, 2008

If you receive an email indicating you have received a greeting card, be very wary of the links you follow. The email below contains a link to a virus; should you receive a copy, do not click the link:

Good day.

You have received an eCard

To pick up your eCard, choose from any of the following options:

Click on the following link (or copy & paste it into your web browser):

http://(link removed).exe

Your card will be aviailable for pick-up beginning for the next 30 days.

Please be sure to view your eCard before the days are up!

We hope you enjoy you eCard.

Thank You!

UPS Virus - Attachment Warning

August 12th, 2008

Please be aware of a virus that has been making the rounds throughout campus. It comes as an email stating that there has been some problem with a package shipped through UPS and that you should view the attached file.

DO NOT open the attachment; delete the email immediately. If you do have packages shipping through UPS, close all open browser and email windows, open a new browser and log directly into the UPS website to verify their shipping status. DO NOT follow any links in the email or open any attached files.

Multiple DNS Implementations Vulnerable to Cache Poisoning

July 25th, 2008

The Domain Name System (DNS) is responsible for translating host names to IP addresses (and vice versa) and is critical for the normal operation of internet-connected systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. DNS cache poisoning is not a new concept; in fact, there are published articles that describe a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning.

See more: CERT.ORG

Samba Vulnerability

May 29th, 2008

Secunia Research has discovered a vulnerability in Samba, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "receive_smb_raw()" function in lib/util_sock.c when parsing SMB packets. This can be exploited to cause a heap-based buffer overflow via an overly large SMB packet received in a client context.

Successful exploitation allows execution of arbitrary code by tricking a user into connecting to a malicious server (e.g. by clicking an "smb://" link) or by sending specially crafted packets to an "nmbd" server configured as a local or domain master browser.
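The class of defect described above, as an added example that is not Samba's `receive_smb_raw()` code: an SMB message reader that extracts the 17-bit payload length from the NetBIOS session header and validates it against the receive buffer before reading any payload, which is the boundary check whose absence lets an overly large advertised length overrun a fixed heap buffer. The buffer size, the sample packets and the fake socket standing in for a real read are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Receive buffer capacity as a caller would allocate it (constructed size). */
#define SMB_BUF_SIZE 128

/* NetBIOS session header (RFC 1002): 1 type byte, 1 flags byte whose low bit is
   length bit 16, then 2 big-endian length bytes -> a 17-bit payload length. */
static size_t smb_len(const uint8_t hdr[4]) {
    return ((size_t)(hdr[1] & 0x01) << 16) | ((size_t)hdr[2] << 8) | hdr[3];
}

/* Fake socket: hands out bytes from a constructed packet in memory. */
typedef struct { const uint8_t *data; size_t len, pos; } fake_sock_t;

static int read_exact(fake_sock_t *s, uint8_t *out, size_t n) {
    if (s->len - s->pos < n) return -1;   /* peer closed before n bytes */
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return 0;
}

enum { SMB_OK = 0, SMB_ERR_IO = -1, SMB_ERR_TOO_LARGE = -2 };

/* Read one SMB message (header + payload) into buf of capacity buflen.
   The unpatched pattern trusts the advertised length and reads that many bytes
   into a fixed buffer; here the length is checked against the remaining
   capacity before a single payload byte is read. */
static int receive_smb_checked(fake_sock_t *s, uint8_t *buf, size_t buflen,
                               size_t *out_len) {
    uint8_t hdr[4];
    if (buflen < 4 || read_exact(s, hdr, 4) != 0) return SMB_ERR_IO;
    size_t len = smb_len(hdr);
    if (len > buflen - 4) return SMB_ERR_TOO_LARGE;  /* the boundary check */
    memcpy(buf, hdr, 4);
    if (read_exact(s, buf + 4, len) != 0) return SMB_ERR_IO;
    *out_len = 4 + len;
    return SMB_OK;
}

/* Constructed packets: a 4-byte payload, and a header advertising
   0x1FFFF (131071) bytes, far more than any fixed receive buffer holds. */
static const uint8_t pkt_ok[]   = { 0x00, 0x00, 0x00, 0x04, 0xFF, 'S', 'M', 'B' };
static const uint8_t pkt_huge[] = { 0x00, 0x01, 0xFF, 0xFF, 0xFF, 'S', 'M', 'B' };

/* Run the reader over a packet with a stack buffer of SMB_BUF_SIZE bytes. */
static int try_receive(const uint8_t *pkt, size_t pktlen, size_t *got) {
    uint8_t buf[SMB_BUF_SIZE];
    fake_sock_t s = { pkt, pktlen, 0 };
    return receive_smb_checked(&s, buf, sizeof buf, got);
}
```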

Update to version 3.0.30 or apply patches.

www.samba.org

Email Password Fraud

May 5th, 2008

Please note the following email scam. This is not an official U of S email. Do not respond to this or any similar email you receive:

Dear usask.ca Subscriber,  

We are currently carrying-out a mentainance process to your usask.ca account, to complete this process you must reply to this email immediately, and enter your User Name here (**********) And Password here(**********) if you are the rightful owner of this account.  

This process we help us to fight against spam mails. Failure to summit your password, will render your email address in-active from our database.   You can also confirm your email address by logging into your usask.ca account at: https://webmail.usask.ca/  

NOTE: You will be send a password reset messenge in next seven (7) working days after undergoing this process for security reasons.  

Thank you for using usask.ca!

THE usask.ca TEAM

Disturbing Email Spam

April 23rd, 2008

Users should be aware of the following email and ones like it which appear to be personalized and of a disturbing nature. These emails are an attempt to frustrate or worry you so that you will follow the included link and be taken to a site that may attempt to install a virus onto your system. Please do not follow the included link and delete the email immediately.

Example:

From: angeliney@yahoo.com
Sent: April-23-08 9:49 AM
To: xxxxxxxxxxx@usask.ca
Subject: She has already gone to hospital! ! !

Hello, xxxxxxxxxxxxx.

Listen to me carefully, i don't know what your name is, but i'll find you and i'll cripple you, because this is you who tempted her!!! She has already gone to hospital, you're next, this is evidence:

<LINK REMOVED>

--

angeliney

Usask Webmail Support - Update

March 19th, 2008

Please DO NOT respond to any emails indicating they are from the Usask Webmail Support Team which request your username and password. No legitimate IT resource on campus will request your username and password for any reason. Here is an example of the most recent version of this email:

Verify Your USASK Webmail Account
Dear USASK Webmail User,

This message is from USASK Webmail messaging center to all USASK Webmail users.
We are currently upgrading our data base and e-mail center.
We are deleting all unused USASK Webmail. You are required to verify and update your email by confirming your webmail identity. This will prevent your webmail from been closed during this exercise. In order to confirm you webmail identity, you are to provide the following data;

CONFIRM YOUR WEBMAIL IDENTITY BELOW

First Name:...................
Last Name:...................
Webmail Username : ...............
Webmail Password : ................

Warning!!! USASK Webmail user that refuses to verify and subsequently update his or her Webmail within Seven days of receiving this warning will lose his or her Webmail permanently.

Thank you for using USASK!
Warning Code:VX2G99AAJ

Kind Regards,
USASK Management

If you have responded to this email and provided your password, please go to mits.usask.ca and change your password immediately. If you no longer have access to your account, contact the ITS Help Desk at 966-4817 (1-800-966-4817 long distance).

Past and Future Threats Abound

February 5th, 2008
Computer Power User
February 2008 • Vol.8 Issue 2
Page 11 in print issue

Sigh. If only all those smart little hackers out there could only use their power for good. According to security firm F-Secure, its database of malware signatures totaled about 500,000 at 2007’s end, double what it started with at year’s beginning. Wait, there’s more bad news. F-Secure says it detects 10 to 40 new variants of online banking-related Trojans a day, and we can look forward to the cyber thugs responsible for the Storm worm leasing access to other criminals in 2008. Meanwhile, Web-sense Security Labs’ researchers predict loads of scams, attacks, and other malicious activities will stem from the 2008 Olympics. That’s the competitive spirit.