Showing posts with label Sentinel IPS. Show all posts

Monday, April 6, 2009

Oracle Weblogic IIS remote buffer overflow



I think this new Weblogic exploit found on milw0rm is particularly nasty, as Weblogic is a Java web-app framework used as the backend for some very large enterprises, both for internal and external-facing web applications, many of which house millions of financial records and transactions. These types of exploits scare me in that they have the potential to lead to a huge financial data compromise...

It also brings to mind some interesting attack vectors for finding targets. My girlfriend works in sales for an IT services/recruiting firm, and just last week she was asking me what a Weblogic administrator was, as she was trying to find consultants to fill a new project. I immediately thought of this new vulnerability: instead of traditional banner scanning for Weblogic, an attacker can simply pull up Monster.com and find the next Fortune 1000 company to 0wn.

http://jobsearch.monster.com/Search.aspx?brd=1&q=weblogic

Scary stuff... anyway, pop this signature I wrote this morning for Emerging Threats into your IDS/IPS and let me know if they are knocking on your door yet...

**** Updated sig to match vulnerability not exploit code...

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT Oracle WebLogic IIS connector JSESSIONID Remote Overflow Exploit"; flow:to_server,established; uricontent:".jsp?"; nocase; uricontent:"JSESSIONID="; nocase; isdataat:5132,relative; reference:cve,2008-5457; reference:url,infosec20.blogspot.com/2009/04/oracle-weblogic-iis-remote-buffer.html; reference:url,doc.emergingthreats.net/2009216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_Oracle; sid:2009216; rev:4;)
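To see what the rule above actually keys on, here is an added example (my own Python, not code from the original post or from Emerging Threats) that reproduces its matching logic over a few constructed HTTP requests: both uricontent patterns must appear in the request URI (case-insensitive, as nocase), and then, as isdataat:5132,relative requires, at least 5132 bytes must follow the end of the JSESSIONID= match. The host name, paths and session values are made up for the example.

```python
from typing import Optional

# Threshold copied from the rule's isdataat:5132,relative option.
MIN_TRAILING_BYTES = 5132

# The two uricontent patterns, lower-cased because both carry nocase.
PATTERN_JSP = b".jsp?"
PATTERN_SESSION = b"jsessionid="


def request_uri(raw: bytes) -> Optional[bytes]:
    """Return the request-target from the request line of a raw HTTP request.

    Only the first line is inspected; this stands in for the URI buffer that
    Snort's uricontent matches against (headers such as Cookie are not part of it).
    """
    request_line, _, _ = raw.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 3:
        return None
    return parts[1]


def trailing_bytes_after_session_id(uri: bytes) -> Optional[int]:
    """Bytes of URI remaining after the end of the JSESSIONID= match.

    Returns None when either uricontent pattern is absent, which is the
    point where the rule would stop evaluating.
    """
    lowered = uri.lower()
    if PATTERN_JSP not in lowered:
        return None
    idx = lowered.find(PATTERN_SESSION)
    if idx == -1:
        return None
    return len(uri) - (idx + len(PATTERN_SESSION))


def matches_rule(raw: bytes) -> bool:
    """True when the request would fire sid:2009216 under the logic above."""
    uri = request_uri(raw)
    if uri is None:
        return False
    trailing = trailing_bytes_after_session_id(uri)
    return trailing is not None and trailing >= MIN_TRAILING_BYTES


def build_request(session_value: bytes, in_cookie: bool = False) -> bytes:
    """Constructed sample request (not captured traffic) against a made-up host."""
    if in_cookie:
        # Session id carried only in the Cookie header; the URI has no JSESSIONID=.
        return (b"GET /app/index.jsp?page=1 HTTP/1.1\r\n"
                b"Host: weblogic.example.test\r\n"
                b"Cookie: JSESSIONID=" + session_value + b"\r\n\r\n")
    return (b"GET /app/index.jsp?JSESSIONID=" + session_value + b" HTTP/1.1\r\n"
            b"Host: weblogic.example.test\r\n\r\n")


# Constructed samples: a normal session id, an overlong one in the URI,
# and the same overlong value moved into the Cookie header.
BENIGN = build_request(b"1A2B3C4D5E6F")
OVERLONG = build_request(b"A" * 6000)
OVERLONG_IN_COOKIE = build_request(b"A" * 6000, in_cookie=True)

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("overlong", OVERLONG),
                      ("overlong-in-cookie", OVERLONG_IN_COOKIE)):
        print(f"{name:20s} match={matches_rule(req)}")
```

The third sample is the caveat worth knowing: because both patterns are uricontent, a JSESSIONID of the same size sent in a Cookie header rather than in the URI does not fire this rule, so if you care about that path you need a separate rule against the header buffer. The exact byte count Snort requires can differ by one from this approximation, so do not treat 5132 as a hard boundary when testing.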

Monday, March 16, 2009

Network Security Appliance testing and QA with Virtualization

While working on our newest Intrusion Prevention appliance Sentinel IPS 4.0, we are always working to streamline and automate all testing. Unfortunately an inline bridged network device can be a challenge...

Here are some of the strategies that have worked in the past and some of the issues we are currently struggling with:

The old fashioned way (QA environment round 1):

What the team was using before I joined: 4 separate physical machines configured like this:

QA Attacker/Tester (loaded with stateful attack scripts) --> Router (192.168.x.x <-> 10.10.x.x) <--> Sentinel IPS (inline bridged appliance) <--> Switch <--> QA Target Host/s

This works, but in my mind it is too much equipment and software to maintain; not only that, but power consumption is at microwave-oven levels. Adding a new attacker or target platform requires loading or reloading another piece of hardware.

QA environment round 2:

Hello VMware! I believe it was VMware Workstation for Windows 5.x or so which added a wonderful new network feature called "teaming", in which you could create virtual labs by daisy-chaining VMs and virtual interfaces together, allowing VMware to handle all of the routing.

Here is how it worked (QA Team1):
Attacker VM (Gentoo) <-bridged interface0-> Sentinel IPS VM <-Nat interface1-> Target VM1 (Windows Server 2000) Target VM2 (CentOS 5.x)

So you simply assign all of the VMs to a single team, and one interface each to your network appliance, so it will bridge the traffic from your Attacker/Tester VM to the internal target VMs. With one command you can start and stop the entire team or add and modify the attacker and target OSes. Adding BackTrack LiveCD as one of the attackers is easy: simply install its VM and add it into the team using the bridged interface.

Now, to avoid confusion, there are two bridges in action. One bridges the attacker and the network appliance (Sentinel IPS in my case) to your normal physical LAN. This is chosen automatically by VMware, but if you are on a laptop which may switch between wireless and wired networks you will want to manually create a bridged interface for your wireless card. They make it dead simple to switch your team interfaces around when you're not on wireless.

The second bridge is the network appliance itself! If it is an inline bridge device like our IPS, then it will bridge the already-bridged interface to the private NAT network which VMware created automatically. The auto NAT network is usually some derivative of 192.168.1xx.x, which likely won't clobber your normal LAN.

Ok... so that seems like the perfect setup, and it has worked rock solid for us, requiring only one Windows machine with VMware, one actual real network interface and 2+ gigs of RAM. Pretty easy to come by these days.

Why do we want a new setup? Well, I had to splurge on a MacBook Pro last year and VMware Fusion does not support teaming.... Seems like small potatoes, but it kills me that I can't put my 4 gigs of RAM to good use. Yes, my drive is encrypted :)

*** Update: maybe time to try Convirt 1.0 on my Mac

Wednesday, December 17, 2008

Internet Explorer XML 0-day and MS-SQL vulnerabilities

Two new critical MS vulnerabilities were released in early December; the IE flaw (an invalid pointer reference in the data-binding code, triggered via crafted XML) is particularly nasty. This is a client-side bug which can be triggered by clicking a malicious link from anywhere, including emails...

This bug is rated "Extremely Critical"; the easiest workaround is to use Firefox for browsing until patched.

http://www.microsoft.com/technet/security/advisory/961051.mspx
http://secunia.com/advisories/33089/

The MS-SQL bug has potential, but currently it only allows privilege escalation and no remote code execution.

http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt

Sentinel IPS has signatures to protect against both.

Exploit code release for the IE XML vuln:
http://www.milw0rm.com/exploits/7410
http://www.milw0rm.com/exploits/7477
http://www.milw0rm.com/exploits/7403

As always patch, patch, patch!

Thursday, June 26, 2008

ASPROX SQL Injection Attacks cont.

ASPROX continues to ravage the web, please contact us for the information packet we put together with defense suggestions.

New ASPROX malware domains: app52.com, appid37.com, apps84.com, asp27.com, asp72.com, script46.com, ssl39.com, st212.com, cid26.com, dl251.com, getbwd.com, asp707.com, aspssl63.com, aspx49.com, batch29.com, bin963.com, bios47.com, hlpgetw.com, lang34.com, update34.com, westpacsecuresite.com