Archive for May, 2016


Squid proxy server

 
Tsinghua University postgraduate student Jianjun Chen has reported a critical cache poisoning vulnerability in the Squid proxy server, a transparent cache widely deployed by internet service providers.

 
The vulnerability allows attackers to compromise connections using a maliciously-crafted packet. A patch has been produced for daily versions but not yet distributed for regular builds, according to researchers.
Chen says the attack can be executed against versions 3.5.12 and below using malicious Flash advertisements.

 
“The attack enables cache poisoning of ANY unencrypted HTTP website,”.

 

Cache Poisoning issue in HTTP Request handling

 

Incorrect input validation of HTTP Request messages lets clients use an absolute-URI on port 80 to bypass the protection previously added to Squid for CVE-2009-0801 and other related attack vectors. This can lead to cache poisoning of the Squid and browser caches, bypass of same-origin and sandbox protections in browsers.

 

“The scenario requires an attacker who can send HTTP requests that pass through a shared transparent cache controlled by the attacker” before hitting a victim site. It’s not hard to stage the attack as “… attackers can readily obtain the necessary vantage point using techniques such as web ads.”

 
“For successful exploitation, an attacker must be able to send requests to some website (like attack.com) through the proxy server. Under this scenario, the attacker first establishes a TCP connection with the attack.com web server. As far as Squid works in transparent proxy mode, these requests are intercepted and transmitted further. At the next stage, the attacker initiates the following HTTP request:

 

GET http://victim.com/ HTTP/1.1 Host: attack.com
The cache module uses the host address from the request string (victim.com) to create the key; however, the verification module uses the Host header (attack.com) to check the communication between the host and the IP address. This is what makes the attack possible.

 

 

Protection

 

The vulnerability was already fixed but there is still no CVE for the issue or patched version of Squid available. The bug fix is included only in the daily builds for 4 and 3.5 versions.

 

C51 Security researchers recommend enabling the host_verify_strict option which is disabled by default, and considering the Suricata intrusion detection system rules to detect exploitation attempts.

 

 

https://drive.google.com/file/d/0ByM36MBckzBaQUFES0VYRlZydUE/view

Share

imagetragick_logo-100659291-primary.idge

 

 

Researchers have discovered several vulnerabilities in the popular image processing suite ImageMagick, including a serious remote code execution flaw that has been exploited in the wild.

 
ImageMagick is a free and open-source software package that allows users to display, convert and edit image files. The ImageMagick library is used by many image-processing plugins, which means that the software is present in a large number of web applications.

 

The vulnerability resides in ImageMagick, a widely used image-processing library that’s supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.

 

While analyzing a flaw found by a researcher who uses the online moniker “Stewie,” Nikolay Ermishkin from the Mail.Ru security team discovered a remote code execution vulnerability (CVE-2016-3714) related to insuficient filtering of shell characters.

 
The vulnerability, dubbed “ImageTragick,” can be exploited by uploading a specially crafted file to a website that processes images using ImageMagick.

 

An attacker can create an exploit file and assign it an image extension, such as .png, in order to bypass the targeted site’s file type checks. ImageMagick determines the file type based on so-called “magic bytes,” the first few bytes of a file that are specific to each file type. Once it detects that it’s not an actual .png, ImageMagick converts the file and the malicious code is executed in the process, allowing the attacker to gain access to the targeted server.

 

An exploit for this vulnerability is publicly available and experts say it has already been leveraged in the wild.

 
ImageMagick developers attempted to patch the vulnerability with the release of versions 6.9.3-9 and 7.0.1-0 on April 30, but researchers say the fix is incomplete. Another patch will be included in ImageMagick 7.0.1-1 and 6.9.3-10, which are expected to become available by this weekend.

 
In the meantime, users have been advised to disable vulnerable coders by modifying their policy files. Another mitigation involves verifying that magic bytes correspond to image file types before sending the file to ImageMagick for processing.

 

Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in ‘/etc/ImageMagick’.
Other vulnerabilities found in ImageMagick can be exploited to move, read or delete files (CVE-2016-3716, CVE-2016-3717 and CVE-2016-3715), and for server-side request forgery, or SSRF, attacks (CVE-2016-3718).

Share

Map Real Time Cyber Attacks

Author: Satish Arthar
May 4, 2016

It seems nearly every day we’re reading about Internet attacks aimed at knocking sites offline and breaking into networks, but it’s often difficult to visualize this type of activity. In this post, we’ll take a look at multiple ways of tracking online attacks and attackers around the globe and in real-time.

 

A couple of notes about these graphics. Much of the data that powers these live maps is drawn from a mix of actual targets and “honeypots,” decoy systems that security firms deploy to gather data about the sources, methods and frequency of online attacks. Also, the organizations referenced in some of these maps as “attackers” typically are compromised systems within those organizations that are being used to relay attacks launched from someplace else.

 
The main method is by getting reports back from Intrusion Detection Systems. So each attack that hits an IDS is reported back you have the source of the attack – which may not be the instigator – just the ip registered as attacking you. and of course the target is known to the IDS as the IDS IS the target.The IDS could be software or hardware based.

 

FireEye Cyber Threat Map,¬†While the FireEye Cyber Threat Map doesn’t technically operate in real time, it does generate a very interesting picture of how surreptitiously installed malware communicates with the server systems that are remotely controlling the malicious software.

 

 

Screenshot

 

 

My favorite – and perhaps the easiest way to lose track of half your workday (and bandwidth) comes from the folks at Norse Corp. Their map – IPViking – includes a wealth of data about each attack, such as the attacking organization name and Internet address, the target’s city and service being attacked, as well as the most popular target countries and origin countries.

 

 

Screenshot from 2016-05-04 14:45:27

 

 
Another live service with oodles of information about each attack comes from Arbor Networks’ Digital Attack map. Arbor says the map is powered by data fed from 270+ ISP customers worldwide who have agreed to share anonymous network traffic and attack statistics.

 

 

Screenshot from 2016-05-04 14:13:50

 

 

Kaspersky’s Cyberthreat Real-time Map is a lot of fun to play with, and probably looks the most like an interactive video game. Beneath the 3-D eye candy and kaleidoscopic map is anonymized data from Kaspersky’s various scanning services. As such, this fairly interactive map lets you customize its layout by filtering certain types of malicious threats, such as email malware, Web site attacks, vulnerability scans, etc.

 

 

Screenshot from 2016-05-04 21:12:33

 

 

The Cyberfeed, from Anubis Networks, takes the visitor on an automated tour of the world, using something akin to Google Earth and map data based on infections from the top known malware families. It’s a neat idea, but more of a malware infection map than an attack map, and not terribly interactive either. In this respect, it’s a lot like the threat map from Finnish security firm F-Secure, the Global Botnet Threat Activity Map from Trend Micro, and Team Cymru’s Internet Malicious Activity Map.

 

 

The Honeynet Project’s Honey Map is not super sexy but it does include a fair amount of useful information about real-time threats on honeypot systems, including links to malware analysis from Virustotal for each threat or attack.

 

 

Additionally, the guys at OpenDNS Labs have a decent attack tracker that includes some nifty data and graphics.

 

Speaking of attacks, some of you may have noticed that this site was unreachable for several hours over the last few days. That’s because it has been under fairly constant assault by the same criminals who attacked Sony and Microsoft’s gaming networks on Christmas Day. We are moving a few things around to prevent further such disruptions, so you may notice that some of the site’s features are a tad flaky or slow for a few days.

 

We made ths post becoz, we Cyber51 decided to build one of our own. When we started more focused on user experience and information accessibility. We were able to create a close to real time cyber attack monitoring system that is engaging, interactive, and insightful. Soon it may suprise you all with nice some functions.

 

Share