Posts Tagged ‘attackers’

Bots Searching for Keys & Config Files [Sans StormCast]

Wednesday, July 19th, 2017

If you don’t know our “404” project[1], I would definitely recommend having a look at it. The idea is to track the HTTP 404 errors returned by your web servers. I like to compare the value of 404 errors found in web server log files to “dropped” events in firewall logs: they can be very valuable for detecting ongoing attacks or attackers performing reconnaissance. Reviewing 404 errors is one task on my daily hunting to-do list, but it quickly becomes unmanageable if you have a lot of websites or popular ones. The idea is therefore to focus on “rare” events that would usually pass below the radar. Here is a Splunk query that I’m using in a daily report:

index=web sourcetype=access_combined status=404
| rex field=uri "(?<new_uri>^\/{1}[a-zA-Z0-9_\-\~]+\.\w+$)"
| cluster showcount=true t=0.6 field=new_uri
| table _time, cluster_count, cluster_label, new_uri | sort cluster_count

What does it do?

  • It searches for 404 errors in all the indexed Apache logs (sourcetype access_combined).
  • It extracts the interesting URIs. I’m only interested in files directly under the document root, e.g. “GET /<name><dot><extension>”; the regex is anchored at both ends, so deeper paths and URIs with a query string do not match.
  • It groups similar events into “clusters” (cluster with a 0.6 similarity threshold) and counts them, so that after sorting by cluster_count the rare ones (a count of 1) are at the top of the report.

Here is an example of output (top-20):

"_time","cluster_count","cluster_label","new_uri"
"2017-07-18T13:42:15.000+0200",1,9,"/xml.log"
"2017-07-18T13:18:51.000+0200",1,11,"/rules.abe"
"2017-07-18T11:51:57.000+0200",1,17,"/tmp2017.do"
"2017-07-18T11:51:56.000+0200",1,18,"/tmp2017.action"
"2017-07-18T09:16:52.000+0200",1,23,"/db_z.php"
"2017-07-18T07:28:29.000+0200",1,25,"/readme.txt"
"2017-07-18T03:44:07.000+0200",1,27,"/sloth_webmaster.php"
"2017-07-18T02:52:33.000+0200",1,28,"/sitemap.xml"
"2017-07-18T00:10:57.000+0200",1,29,"/license.php"
"2017-07-18T00:00:32.000+0200",1,30,"/How_I_Met_Your_Pointer.pdf"
"2017-07-17T22:57:41.000+0200",1,31,"/browserconfig.xml"
"2017-07-17T20:02:01.000+0200",1,76,"/rootshellbe.zip"
"2017-07-17T20:01:00.000+0200",1,82,"/htdocs.zip"
"2017-07-17T20:00:54.000+0200",1,83,"/a.zip"
"2017-07-17T20:00:51.000+0200",1,84,"/wwwroot1.zip"
"2017-07-17T20:00:50.000+0200",1,85,"/wwwroot1.rar"
"2017-07-17T19:59:34.000+0200",1,98,"/rootshell.zip"
"2017-07-17T19:59:27.000+0200",1,103,"/blogrootshellbe.rar"
"2017-07-17T19:59:18.000+0200",1,104,"/rootshellbe.rar"

Many of the probed files are simply backup files, as I already mentioned in a previous diary[2]; nothing has changed there. But yesterday I found a bot searching for even more interesting files: configuration files from popular tools and the website’s private keys. File transfer tools are used by many webmasters to deploy files on web servers, and a careless upload could leave such juicy data amongst the HTML files. Here is a short list of what I detected:

/filezilla.xml
/ws_ftp.ini
/winscp.ini
/backup.sql
/<sitename>.key
/key.pem
/myserver.key
/privatekey.key
/server.key
/journal.mdb
/ftp.txt
/rules.abe

Each file was requested with several different combinations of lower/upper-case characters, so a case-sensitive match on the file name would miss some of the probes. Note the presence of ‘rules.abe’, the file webmasters can publish at the root of a site to define ABE (Application Boundaries Enforcer) rules for NoScript users[3]. Such a file can contain references to otherwise hidden applications, which is interesting information for an attacker.
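The same hunt, done outside Splunk, as an added example (this is not code from the diary or the 404 project): it parses Apache combined-format lines, keeps only 404s for a single file under the document root (the same pattern as the rex in the query above, with any query string stripped first), counts the probed names case-insensitively so that rare ones and upper/lower-case variants are not missed, and flags the configuration, key and backup file names from the list above. The log lines are constructed for the example; the sensitive-name and extension sets are an assumption seeded from the diary’s list, not a complete catalogue.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format (access_combined in Splunk terms).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same idea as the diary's rex: a single "/<name>.<ext>" directly under the root.
ROOT_FILE_RE = re.compile(r'^/[a-zA-Z0-9_\-~]+\.\w+$')

# Assumed watch-list, seeded from the file names in the diary; extend as needed.
SENSITIVE_NAMES = {
    "filezilla.xml", "ws_ftp.ini", "winscp.ini", "backup.sql", "key.pem",
    "myserver.key", "privatekey.key", "server.key", "journal.mdb", "ftp.txt", "rules.abe",
}
SENSITIVE_EXTS = {"key", "pem", "sql", "ini", "zip", "rar", "mdb", "abe"}

# Constructed sample log: one bot (203.0.113.7) probing files in mixed case,
# some benign favicon noise, one deeper path and one successful request.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jul/2017:13:42:15 +0200] "GET /xml.log HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jul/2017:13:42:16 +0200] "GET /FileZilla.XML HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jul/2017:13:42:17 +0200] "GET /Server.KEY HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Jul/2017:13:42:18 +0200] "GET /wwwroot1.zip?x=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jul/2017:13:50:01 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.10 - - [18/Jul/2017:13:51:01 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.11 - - [18/Jul/2017:13:52:01 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.12 - - [18/Jul/2017:13:53:01 +0200] "GET /wp-content/plugins/x/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.13 - - [18/Jul/2017:13:54:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_combined(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def root_file_404s(records):
    """Keep 404s whose path (query string removed) is a single file under the root."""
    hits = []
    for rec in records:
        if rec["status"] != 404:
            continue
        path = urlsplit(rec["uri"]).path
        if ROOT_FILE_RE.match(path):
            hits.append({"ip": rec["ip"], "time": rec["time"], "path": path})
    return hits


def rare_paths(hits, max_count=1):
    """Case-folded counts of probed paths; return the ones seen at most max_count times."""
    counts = Counter(h["path"].lower() for h in hits)
    return sorted(p for p, n in counts.items() if n <= max_count)


def is_sensitive(path):
    """Case-insensitive match against the watch-list names and extensions."""
    name = path.lower().lstrip("/")
    ext = name.rsplit(".", 1)[-1]
    return name in SENSITIVE_NAMES or ext in SENSITIVE_EXTS


def suspicious_sources(hits):
    """Number of sensitive-file probes per source IP, for the daily report."""
    return Counter(h["ip"] for h in hits if is_sensitive(h["path"]))


if __name__ == "__main__":
    hits = root_file_404s(parse_combined(SAMPLE_LOG))
    print("rare root-level 404s:", rare_paths(hits))
    print("sensitive probes per source:", dict(suspicious_sources(hits)))
```

On the sample, the three favicon.ico misses are grouped away as common noise, the mixed-case FileZilla.XML and Server.KEY are recognised as the watch-listed names, and the single bot source ends up with three sensitive probes, which is the kind of line worth pivoting on in the full logs.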

So, keep an eye on your 404 errors and happy hunting!

[1] https://isc.sans.edu/404project/
[2] https://isc.sans.edu/forums/diary/Backup+Files+Are+Good+but+Can+Be+Evil/21935
[3] https://noscript.net/abe/web-authors.html

Xavier Mertens (@xme)
ISC Handler – Freelance Security Consultant
PGP Key

Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!

Wednesday, July 19th, 2017

A highly critical vulnerability has been discovered in Cisco Systems’ WebEx browser extension for Chrome and Firefox, for the second time this year, which could allow attackers to remotely execute malicious code on a victim’s computer.

Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences, that helps users connect and collaborate with colleagues around the world. The extension has roughly 20 million active users.

Discovered by Tavis Ormandy of Google Project Zero and Cris Neckar of Divergent Security, the remote code execution flaw (CVE-2017-6753) is due to a design defect in the WebEx browser extension. To exploit the vulnerability, all an attacker needs to do is trick the victim into visiting a web page containing specially crafted malicious code with a browser that has the affected extension installed. Successful exploitation could result in the attacker executing arbitrary code with the privileges of the affected browser and gaining control of the affected system.

“I see several problems with the way sanitization works, and have produced a remote code execution exploit to demonstrate them,” Ormandy said. “This extension has over 20M [million] active Chrome users alone, FireFox and other browsers are likely to be affected as well.”

Cisco has already patched the vulnerability and released the “Cisco WebEx Extension 1.0.12” update for Chrome and Firefox that addresses this issue; the company notes that “there are no workarounds that address this vulnerability.”

“This vulnerability affects the browser extensions for Cisco WebEx Meetings Server, Cisco WebEx Centers (Meeting Center, Event Center, Training Center, and Support Center), and Cisco WebEx Meetings when they are running on Microsoft Windows,” Cisco confirmed in an advisory released today.

Download Cisco WebEx Extension 1.0.12

In general, users are always recommended to run all software as a non-privileged user in an effort to diminish the effects of a successful attack.

Fortunately, Apple’s Safari, Microsoft’s Internet Explorer and Microsoft’s Edge are not affected by this vulnerability. Cisco WebEx Productivity Tools, the Cisco WebEx browser extensions for Mac or Linux, and Cisco WebEx on Microsoft Edge or Internet Explorer are not affected, the company confirmed.


Source: Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!

Multiple Cisco Wireless Gateways Vulnerable to Remote Attacks

Monday, July 21st, 2014

Multiple Cisco Wireless Residential Gateway products have a security vulnerability in their embedded web server that could allow a remote attacker to hijack the devices.

Cisco announced that a number of its Wireless Residential Gateway products are vulnerable to a remote-code execution attack, which is exploited by sending a specially crafted HTTP request to the web server running on the affected device.

According to Cisco, the flaw is due to incorrect input validation of HTTP requests, which could allow an attacker to trigger a buffer overflow and run arbitrary code on the device. The bug is about as serious as they come, giving remote, unauthenticated attackers control of the affected devices.

“Successful exploitation of the vulnerability may cause the embedded web server to crash and allow the attacker to inject arbitrary commands and execute arbitrary code with elevated privileges,” the Cisco advisory says, adding that “There are currently no known workarounds available for this vulnerability.”

The Cisco products affected by the vulnerability are as follows:

  • Cisco DPC3212 VoIP Cable Modem
  • Cisco DPC3825 8×4 DOCSIS 3.0 Wireless Residential Gateway
  • Cisco EPC3212 VoIP Cable Modem
  • Cisco EPC3825 8×4 DOCSIS 3.0 Wireless Residential Gateway
  • Cisco Model DPC3010 DOCSIS 3.0 8×4 Cable Modem
  • Cisco Model DPC3925 8×4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA
  • Cisco Model DPQ3925 8×4 DOCSIS 3.0 Wireless Residential Gateway with EDVA
  • Cisco Model EPC3010 DOCSIS 3.0 Cable Modem
  • Cisco Model EPC3925 8×4 DOCSIS 3.0 with Wireless Residential Gateway with EDVA

Cisco said the security bug exists whether the home or small-office devices are configured in Gateway mode or in Router mode.

Cisco uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. This vulnerability received the most critical rating possible, a CVSS base score of 10.0. The vulnerability was reported to Cisco by Chris Watts of Tech Analysis.

Cisco has released free software updates that address the vulnerability and distributed them to its service provider customers, who in turn pass them on to the affected home and small-office customers. Customers are advised to contact their service provider to confirm that the software deployed on their device includes the fix.

via Multiple Cisco Wireless Gateways Vulnerable to Remote Attacks.