Monday, April 6, 2009

Oracle Weblogic IIS remote buffer overflow



I think this new Weblogic exploit found on milw0rm is particularly nasty as Weblogic is a java web-app framework used as the backend for some very large enterprises. Both for internal and external facing web applications, many which house millions of financial records and transactions. These types of exploits scare me in that they have the potential to lead to a huge financial data compromise...

Also brings to mind some interesting attack vectors for finding targets, my girlfriend works in sales for an IT services/recruiting firm just last week she was asking me what a Weblogic administrator was and how she was trying to find some consultants to fill a new project. I immediately thought of this new vulnerability and that an attacker, instead of traditional banner scanning for Weblogic they can simply pull up Monster.com and find the next fortune 1000 company to 0wn.

http://jobsearch.monster.com/Search.aspx?brd=1&q=weblogic

Scary stuff... anyways, pop in this signature I wrote this morning for Emerging Threats into your IDS/IPS and let me know if they are knocking on your door yet...

**** Updated sig to match vulnerability not exploit code...

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; uricontent:".jsp?"; nocase; uricontent:"JSESSIONID="; nocase; isdataat:5132,relative; reference:cve,2008-5457; reference:url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html; reference:url,doc.emergingthreats.net/2009216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle; sid:2009216; rev:4;)

Friday, April 3, 2009

Dude, Where's my Conficker?

With all the hoopla about Conficker, many of our customers are blowing up our inbox's wondering why they are not seeing Conficker related alerts on their Sentinel IPS?

Well congratulations to those customers, you have proper firewall rules in place, therefore Conficker cannot open up attacks to the MS08-067 vulnerability in Windows filesharing.

For those of you who are unsure, you have two easy possible solutions to barracade your front door from the thousands of daily Conficker attempts.

Firewall TCP port 445 inbound, or simply turn off Network Print/Filesharing on your Windows servers.

Also if you want to quickly sweep your internal network or DMZ for Conficker infections the latest version of Nmap can do the job in a snap! Just download the latest version and give this command a whirl:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [mylanaddress]

That's it!