By Jake Edge
May 15, 2013
Windows malware is not something that Linux users and administrators
typically need to be concerned about. Though our systems can't be infected
by such code, we certainly don't want them used as a vector for its
transmission, yet that is just what is happening with the Linux/Cdorked.A
malware. Originally linked to Apache web servers, the malware has now been
found in lighttpd and Nginx web servers as well. While a fair amount is
known about how Cdorked works, how it is getting installed onto Linux
systems is still an open question.
The scope of the problem has widened a few times. When the malware was
first reported in late April, it seemed that only cPanel-based servers were
affected. By early May, it was clear that "it cannot be attributed solely to
installations of cPanel because only a fraction of the infected servers are
using this management software", according to a report from ESET, an
anti-virus company. That report was also the one that pointed out that more
than just Apache web servers were affected.
Essentially, infected systems have a malicious version of the web server
binary installed; that is the only difference that shows up on the disk of
affected systems. All of the configuration information for the malware is
pushed into a shared memory segment via HTTP requests from the attacker
that the trojanized server does not log. Typically, the compromised web
server is configured to answer some subset of incoming HTTP requests with a
redirect to a site of the attacker's choice, likely one that serves up
malware.
The subset of requests is fairly carefully chosen. Cdorked avoids redirecting
any request that looks like it might be accessing an administrative page,
presumably to avoid doing anything suspicious in front of anyone likely to
be technically sophisticated. It also sets a cookie when it does the
redirection, so that the same visitor is not redirected again.
The redirections are mainly done to sites that host the Blackhole exploit
kit, which tries to use a wide variety of browser holes and plugin
exploits to infect a victim's system. Typical configurations noted by
ESET redirect Windows Firefox and Internet Explorer users to the Blackhole
sites, while sending iPhone and iPad users to a pornographic site,
presumably trying to monetize requests that would not be affected by the
Blackhole exploits.
There are some other interesting restrictions on who gets redirected.
Roughly half of the IPv4 address space has been blacklisted (or whitelisted
depending on how you look at it) and will not get redirected. There is no
obvious pattern to the IP address ranges. Similarly, there are
restrictions based on the language configured for the browser, so browsers
set to Japanese, Finnish, Russian, Ukrainian, Belarusian, and Kazakh are
immune as well.
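The selection rules above can be checked from the outside: request the same URL several times, varying only the things Cdorked is said to key on, and see whether an honest-looking answer and an off-site redirect come back for what should be the same page. The Python probe below is an added example, not code from the article or from ESET. The user-agent strings, the Accept-Language values and the "admin-looking" path are assumptions chosen to exercise the rules described in the text, not values recovered from the malware; and because of the cookie and the IP blacklist, a clean result from one machine proves nothing, while a positive result is a strong signal.

```python
"""Remote check for selective redirection of the kind described above.

Added example, not code from the article or from ESET.  Header values and
the admin-looking path are assumptions; a negative result is not proof.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Result = Tuple[int, Optional[str]]             # (HTTP status, Location header)
Fetcher = Callable[[str, Dict[str, str]], Result]

# Assumed header values: any Windows desktop-browser UA and one exempt language.
WIN_IE_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
IPAD_UA = "Mozilla/5.0 (iPad; CPU OS 6_1 like Mac OS X) AppleWebKit/536.26"


def probe_variants(base_url: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """(name, url, headers) for requests an honest server would answer alike."""
    page = "/index.html"
    return [
        ("win-ie-en", base_url + page,
         {"User-Agent": WIN_IE_UA, "Accept-Language": "en-US"}),
        ("win-ie-ja", base_url + page,                 # language on the exempt list
         {"User-Agent": WIN_IE_UA, "Accept-Language": "ja"}),
        ("win-ie-admin", base_url + "/admin" + page,   # admin-looking path (assumed form)
         {"User-Agent": WIN_IE_UA, "Accept-Language": "en-US"}),
        ("ipad-en", base_url + page,
         {"User-Agent": IPAD_UA, "Accept-Language": "en-US"}),
    ]


def is_offsite(location: Optional[str], base_url: str) -> bool:
    """A Location pointing at another host is what we are looking for."""
    if not location:
        return False
    target = urlsplit(location).hostname
    return target is not None and target != urlsplit(base_url).hostname


def selective_redirect(base_url: str, results: Dict[str, Result]) -> List[str]:
    """Names of variants redirected off-site, reported only when some other
    variant was served the page itself: a site that redirects everyone is
    just a redirect, not selection."""
    redirected = [n for n, (st, loc) in results.items()
                  if 300 <= st < 400 and is_offsite(loc, base_url)]
    served = [n for n, (st, _) in results.items() if st == 200]
    return redirected if redirected and served else []


def urllib_fetch(url: str, headers: Dict[str, str]) -> Result:
    """Fetch without following redirects so the server's first answer is visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None                       # makes urllib raise HTTPError on 3xx
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:       # 3xx/4xx/5xx all land here
        return e.code, e.headers.get("Location")


def probe(base_url: str, fetch: Fetcher = urllib_fetch) -> List[str]:
    results = {name: fetch(url, hdrs) for name, url, hdrs in probe_variants(base_url)}
    return selective_redirect(base_url, results)


if __name__ == "__main__":
    import sys
    flagged = probe(sys.argv[1])              # e.g. python3 probe.py http://host.example
    print("selectively redirected variants:", flagged or "none")
```

Run it from a network location and browser profile you have not used against the site before; a second run from the same client may be silently exempted by the cookie, and a redirect to the same host (an http-to-https bounce, say) is deliberately ignored.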
ESET has discovered a sophisticated set of commands that can be issued to
the trojanized web server binaries. That includes a command to open a
connection to a specified address with a shell attached, which would give
the attacker full access as the UID that is running the web server, as
described in an earlier ESET blog post. As might be expected, the other
commands (all of which are sent via obfuscated URLs to the infected host)
manipulate the IP blacklist, language list, URL to redirect to, and so on.
The fact that the attackers have created trojanized binaries for three
separate web servers (at least so far), the extensive "command and control"
mechanism, and the stealthy nature of the attack, all add up to a fairly
sophisticated set of attackers. ESET has also found evidence
of subverted nameservers at the shared hosting sites that are (presumably
unknowingly) serving the Blackhole kits.
The most puzzling aspect, perhaps, is how the initial infection of the web
servers is happening. "One thing is clear, this malware does not propagate
by itself and it does not exploit a vulnerability in a specific software",
according to ESET. It will be interesting to see what the initial access
vector actually was; ESET's statement leaves open possibilities other than
a software vulnerability, such as stolen credentials. Hopefully that will
be determined soon. In the meantime, there is a tool for detecting
compromised systems that looks for the shared memory segments, and checking
the integrity of the web server binary against the distribution's package
is another possibility. On the worrisome side, whatever entry point was
used can presumably be used again. This one seems worth keeping an eye on.
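The two host-side checks mentioned above, looking for the shared memory segment and verifying the binary, are simple enough to script. The Python below is an added example, not ESET's tool and not code from the article. It assumes the web server runs as one of the users in WEB_USERS, that a SHA-256 of the clean binary was recorded earlier (or can be taken from the distribution package), and that the size-and-permission heuristic in suspicious_segments is ours rather than a published Cdorked signature. On a real host the underlying commands are `ipcs -m`, `rpm -V httpd` and `debsums -c`; the sample `ipcs` output in the block is constructed, not captured from an infected machine.

```python
"""Host-side checks for a trojanized web server: odd SysV shared memory
segments and a binary that no longer matches its recorded hash.

Added example, not the ESET tool and not code from the article.  WEB_USERS
and SUSPECT_BYTES are assumptions, not published indicators.
"""
import hashlib
import subprocess
from dataclasses import dataclass
from typing import Iterable, List

WEB_USERS = {"apache", "httpd", "www-data", "nginx", "lighttpd", "nobody"}
SUSPECT_BYTES = 1 << 20   # 1 MiB; an ordinary server rarely needs a SysV segment this big


@dataclass
class Segment:
    key: str
    shmid: int
    owner: str
    perms: str
    nbytes: int
    nattch: int


def parse_ipcs_m(text: str) -> List[Segment]:
    """Parse the Linux `ipcs -m` table: key shmid owner perms bytes nattch [status]."""
    segs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("0x"):
            continue                          # banner, header or blank line
        key, shmid, owner, perms, nbytes, nattch = parts[:6]
        segs.append(Segment(key, int(shmid), owner, perms, int(nbytes), int(nattch)))
    return segs


def suspicious_segments(segs: Iterable[Segment]) -> List[Segment]:
    """Segments owned by the web-server user that are large or world-writable."""
    flagged = []
    for s in segs:
        world_writable = int(s.perms[-1], 8) & 0o2 != 0     # "others" permission digit
        if s.owner in WEB_USERS and (s.nbytes >= SUSPECT_BYTES or world_writable):
            flagged.append(s)
    return flagged


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def binary_matches(path: str, expected_sha256: str) -> bool:
    """Compare the installed binary with the hash recorded from a clean install."""
    return sha256_file(path) == expected_sha256.lower()


# Constructed sample of `ipcs -m` output; not captured from a real infected host.
SAMPLE_IPCS = """\
------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 65536      www-data   666        6291456    2
0x0052e2c1 98304      postgres   600        56         6
0x00000000 131072     www-data   600        4096       1
"""

if __name__ == "__main__":
    out = subprocess.run(["ipcs", "-m"], capture_output=True, text=True, check=False).stdout
    for s in suspicious_segments(parse_ipcs_m(out)):
        print(f"suspect shm id={s.shmid} owner={s.owner} perms={s.perms} bytes={s.nbytes}")
```

A hash check only helps if the reference hash did not come from the possibly compromised host itself; take it from the package file on a trusted mirror, or let the package manager's own verification (`rpm -V`, `debsums`) do the comparison. Also remember that a process-attached segment shows up with a non-zero nattch only while the server is running.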
Comments (2 posted)
Brief items
If I'm really honest with myself, though, my interest in the preservation
of 0day was also because there was something fun about an insecure
internet at the time, particularly since that insecurity predominately
tended to be leveraged by a class of people that I generally liked against
a class of people that I generally disliked.
[...]
Somewhere between then and now, however, there was an inflection point.
It's hard to say exactly when it happened, but these days, the insecurity
of the internet is now more predominantly leveraged by people that I
dislike against people that I like. More often than not, that's by
governments against people.
— Moxie Marlinspike (Thanks to Paul Wise.)
As we respond to the threat of terrorism, we must remember that there are other threats as well. A society without transparency and accountability is the very definition of a police state. And while a police state might have a low crime rate -- especially if you don't define police corruption and other abuses of power as crime -- and an even lower terrorism rate, it's not a society that most of us would willingly choose to live in.
We already give law enforcement enormous power to intrude into our lives. We do this because we know they need this power to catch criminals, and we're all safer thereby. But because we recognize that a powerful police force is itself a danger to society, we must temper this power with transparency and accountability.
— Bruce Schneier
Comments (none posted)
The Hack.lu security conference has opened its call for papers. The
conference will be held October 22-24 at the Parc Hotel Alvisse in
Luxembourg. Papers must be submitted by July 15 and can be on various
topics: computer security, privacy, new vulnerabilities, legal and social
aspects of technology, forensics, and so on. Accepted speakers get
accommodation and travel assistance. "The purpose of the hack.lu convention
is to give an open and free playground where people can discuss the
implication of new technologies in society. hack.lu is a balanced mix
convention where technical and non-technical people can meet each other and
share freely all kind of information."
Comments (none posted)
Commit b0a873ebb, merged for the 2.6.37 kernel, included an out-of-bounds
reference bug that went undetected until Tommi Rantala discovered it with
the Trinity fuzzing tool this April. It wasn't seen as a security bug by the
kernel developers until an exploit was posted; the problem is now known as
CVE-2013-2094. Mainline kernels 2.6.37 through 3.9 are vulnerable, and Red
Hat also backported the bug into the 2.6.32-based kernel found in RHEL6, so
that kernel is affected despite its older version number. Expect
distributor updates shortly.
Comments (38 posted)
New vulnerabilities
firefox: multiple vulnerabilities
Package(s): firefox
CVE #(s): CVE-2013-1669, CVE-2013-1671
Created: May 15, 2013
Updated: June 10, 2013
Description: From the Ubuntu advisory:
Multiple memory safety issues were discovered in Firefox. If the user were
tricked into opening a specially crafted page, an attacker could possibly
exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking Firefox.
(CVE-2013-1669)
It was discovered that the file input element could expose the full local
path under certain conditions. An attacker could potentially exploit this
to steal sensitive information. (CVE-2013-1671)
Comments (none posted)
firefox: multiple vulnerabilities
Package(s): firefox, thunderbird, seamonkey
CVE #(s): CVE-2013-0801, CVE-2013-1670, CVE-2013-1674, CVE-2013-1675,
CVE-2013-1676, CVE-2013-1677, CVE-2013-1678, CVE-2013-1679, CVE-2013-1680,
CVE-2013-1681
Created: May 15, 2013
Updated: June 3, 2013
Description: From the Red Hat advisory:
Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox. (CVE-2013-0801, CVE-2013-1674, CVE-2013-1675, CVE-2013-1676,
CVE-2013-1677, CVE-2013-1678, CVE-2013-1679, CVE-2013-1680, CVE-2013-1681)
A flaw was found in the way Firefox handled Content Level Constructors. A
malicious site could use this flaw to perform cross-site scripting (XSS)
attacks. (CVE-2013-1670)
Comments (none posted)
gpsd: code execution
Package(s): gpsd
CVE #(s): CVE-2013-2038
Created: May 10, 2013
Updated: May 29, 2013
Description: From the Ubuntu advisory:
It was discovered that gpsd incorrectly handled certain malformed GPS data.
An attacker could use this issue to cause gpsd to crash, resulting in a
denial of service, or possibly execute arbitrary code.
Comments (none posted)
httpd: command execution
Package(s): httpd
CVE #(s): CVE-2013-1862
Created: May 14, 2013
Updated: July 15, 2013
Description: From the Red Hat advisory:
It was found that mod_rewrite did not filter terminal escape sequences from
its log file. If mod_rewrite was configured with the RewriteLog directive,
a remote attacker could use specially-crafted HTTP requests to inject
terminal escape sequences into the mod_rewrite log file. If a victim viewed
the log file with a terminal emulator, it could result in arbitrary command
execution with the privileges of that user.
Comments (none posted)
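The mod_rewrite advisory above describes a general hazard: any log that records attacker-supplied strings verbatim can carry terminal escape sequences to whoever reads it. The fixed httpd escapes those bytes itself, but logs written before the fix, or by other programs, still need to be made safe before they reach a terminal. The Python filter below is an added example, not code from httpd or from the advisory; the sample log line it carries is constructed for the demonstration.

```python
"""Render control characters in a log visibly before it reaches a terminal.

Added example, not from httpd or the advisory; SAMPLE_LOG is constructed.
"""
import re
from typing import List

# C0 controls (0x00-0x1f), DEL (0x7f) and C1 controls (0x80-0x9f).  C1 matters
# because U+009B on its own is a valid CSI on many terminals, and a log that
# decodes cleanly as UTF-8 can still contain it (encoded as C2 9B).
_CTRL = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")


def sanitize_log_line(line: str) -> str:
    """Replace every control character with a visible \\xNN escape."""
    return _CTRL.sub(lambda m: "\\x%02x" % ord(m.group()), line)


def sanitize_log(raw: bytes) -> List[str]:
    """Decode a log file leniently and sanitize each line for display."""
    # A stray lone 0x9b byte is not valid UTF-8 and becomes U+FFFD, which is harmless;
    # a properly encoded U+009B survives decoding and is caught by the regex.
    text = raw.decode("utf-8", errors="replace")
    return [sanitize_log_line(line) for line in text.split("\n")]


# Constructed log line: a request path carrying an OSC title-setting sequence
# (ESC ] ... BEL) followed by a clear-screen (ESC [ 2 J), logged verbatim.
SAMPLE_LOG = (b"203.0.113.9 - - [14/May/2013:10:00:00 +0000] rewrite "
              b"'/\x1b]0;pwned\x07\x1b[2J' -> '/index.html'\n")

if __name__ == "__main__":
    import sys
    data = sys.stdin.buffer.read() if len(sys.argv) < 2 else open(sys.argv[1], "rb").read()
    for line in sanitize_log(data):
        print(line)
```

At the viewer end, `cat -v` and plain `less` (without `-r` or `-R`) render control characters in caret notation and are safe to use on an untrusted log; `less -R` passes ANSI colour sequences through and so passes the attacker's as well, and `tail -f` or `cat` pass everything.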
java: multiple unspecified vulnerabilities
Package(s): java-1.7.0-ibm
CVE #(s): CVE-2013-2416, CVE-2013-2434, CVE-2013-2438
Created: May 15, 2013
Updated: May 15, 2013
Description: From the CVE entries:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows remote attackers to affect integrity via unknown vectors related to Deployment. (CVE-2013-2416)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier and JavaFX 2.2.7 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. (CVE-2013-2434)
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 17 and earlier allows remote attackers to affect integrity via unknown vectors related to JavaFX. (CVE-2013-2438)
Comments (none posted)
kdelibs: username and password disclosure
Package(s): kdelibs4
CVE #(s): CVE-2013-2074
Created: May 13, 2013
Updated: May 29, 2013
Description: From the Mageia advisory:
Notification error messages from the http kioslave exposed the username
and password in their content.
Comments (none posted)
kernel: multiple vulnerabilities
Package(s): linux-2.6
CVE #(s): CVE-2013-1928, CVE-2013-2015, CVE-2013-3229, CVE-2013-3235
Created: May 15, 2013
Updated: July 12, 2013
Description: From the CVE entries:
The do_video_set_spu_palette function in fs/compat_ioctl.c in the Linux kernel before 3.6.5 on unspecified architectures lacks a certain error check, which might allow local users to obtain sensitive information from kernel stack memory via a crafted VIDEO_SET_SPU_PALETTE ioctl call on a /dev/dvb device. (CVE-2013-1928)
The ext4_orphan_del function in fs/ext4/namei.c in the Linux kernel before 3.7.3 does not properly handle orphan-list entries for non-journal filesystems, which allows physically proximate attackers to cause a denial of service (system hang) via a crafted filesystem on removable media, as demonstrated by the e2fsprogs tests/f_orphan_extents_inode/image.gz test. (CVE-2013-2015)
The iucv_sock_recvmsg function in net/iucv/af_iucv.c in the Linux kernel before 3.9-rc7 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3229)
net/tipc/socket.c in the Linux kernel before 3.9-rc7 does not initialize a certain data structure and a certain length variable, which allows local users to obtain sensitive information from kernel stack memory via a crafted recvmsg or recvfrom system call. (CVE-2013-3235)
Comments (none posted)
libtiff: two vulnerabilities
Package(s): libtiff
CVE #(s): CVE-2013-1960, CVE-2013-1961
Created: May 9, 2013
Updated: August 6, 2013
Description: From the Mageia advisory:
A heap-based buffer overflow flaw was found in the way tiff2pdf, from
libtiff, writes TIFF image content into a PDF document, in the
tp_process_jpeg_strip() function. A remote attacker could provide a
specially crafted TIFF image file that, when processed by tiff2pdf, would
cause tiff2pdf to crash or, potentially, execute arbitrary code with the
privileges of the user running the tiff2pdf binary (CVE-2013-1960).
A stack-based buffer overflow was found in the way tiff2pdf writes TIFF
image content into a PDF document when malformed image-length and
resolution values are used in the TIFF file. A remote attacker could
provide a specially crafted TIFF image file that, when processed by
tiff2pdf, would cause tiff2pdf to crash (CVE-2013-1961).
Comments (none posted)
openstack-keystone: password disclosure
Package(s): openstack-keystone
CVE #(s): CVE-2013-2006
Created: May 10, 2013
Updated: May 22, 2013
Description: From the Red Hat advisory:
In environments using LDAP (Lightweight Directory Access Protocol), if
debug-level logging was enabled (for example, by enabling it in
"/etc/keystone/keystone.conf"), the LDAP server password was logged in
plain text to a world-readable log file. Debug-level logging is not enabled
by default.
Comments (none posted)
owncloud: multiple vulnerabilities
Comments (none posted)
php-geshi: multiple vulnerabilities
Package(s): php-geshi
CVE #(s): CVE-2012-3521, CVE-2012-3522
Created: May 14, 2013
Updated: June 7, 2013
Description: From the Fedora advisory:
Update to 1.0.8.11:
- Fix for CVE-2012-3521: Remote directory traversal and information
disclosure (local file inclusion) in the contrib module.
- Fix for CVE-2012-3522: Non-persistent XSS in langwiz contrib script.
Comments (none posted)
php-sabredav-Sabre_DAV: local file exposure
Package(s): php-sabredav-Sabre_DAV
CVE #(s): CVE-2013-1939
Created: May 13, 2013
Updated: May 15, 2013
Description: From the Red Hat bugzilla:
A local file exposure flaw was found in the way the HTML browser plug-in of SabreDAV, a WebDAV framework for the PHP language, processed certain file system paths for icon and image files on certain platforms. A remote attacker could provide a specially-crafted icon / image file location that, when processed by an application using the SabreDAV framework, would allow them to (remotely) obtain an arbitrary system file accessible with the privileges of that SabreDAV application.
Comments (none posted)
python-httplib2: SSL certificate verification failure
Package(s): python-httplib2
CVE #(s): CVE-2013-2037
Created: May 13, 2013
Updated: September 9, 2013
Description: From the bugzilla entry:
httplib2 only validates SSL certificates on the first request to a
connection, and doesn't report validation failures on subsequent requests.
Comments (none posted)
xen: denial of service
Package(s): xen
CVE #(s): CVE-2013-1918, CVE-2013-1952
Created: May 13, 2013
Updated: July 19, 2013
Description: From the Debian advisory:
CVE-2013-1918: (XSA 45) Several long latency operations are not preemptible
Some page table manipulation operations for PV guests were not made
preemptible, allowing a malicious or buggy PV guest kernel to mount a
denial of service attack affecting the whole system.
CVE-2013-1952: (XSA 49) VT-d interrupt remapping source validation flaw for bridges
Due to missing source validation on interrupt remapping table
entries for MSI interrupts set up by bridge devices, a malicious
domain with access to such a device can mount a denial of service
attack affecting the whole system.
Comments (none posted)
Page editor: Jake Edge