Thursday, September 10, 2009

MS Windows 2000 SP4 and XP Owners beware, "No patch for you" for MS09-048

| Brett D. Arion |


Microsoft this week started what will be one of the most debated issues it has faced in some time, especially given that organizations that pay maintenance on their software expect patches for that software for as long as Microsoft supports it. When Microsoft released MS09-048 to address certain DoS/remote code execution issues in the TCP/IP stack, it did not include patches for Windows 2000 SP4 or Windows XP, citing this in the FAQ for the update:

"If Microsoft Windows 2000 Service Pack 4 is listed as an affected product, why is Microsoft not issuing an update for it?

The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows 2000 Service Pack 4 to eliminate the vulnerability. To do so would require rearchitecting a very significant amount of the Microsoft Windows 2000 Service Pack 4 operating system, not just the affected component. The product of such a rearchitecture effort would be sufficiently incompatible with Microsoft Windows 2000 Service Pack 4 that there would be no assurance that applications designed to run on Microsoft Windows 2000 Service Pack 4 would continue to operate on the updated system. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. Microsoft recommends that customers running Microsoft Windows 2000 Service Pack 4 use a firewall to block access to the affected ports and limit the attack surface from untrusted networks.

If Windows XP is listed as an affected product, why is Microsoft not issuing an update for it?
By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. Windows XP Service Pack 2 and later operating systems include a stateful host firewall that provides protection for computers against incoming traffic from the Internet or from neighboring network devices on a private network. The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. This makes the severity rating Low for Windows XP. Windows XP is not affected by CVE-2009-1925. Customers running Windows XP are at reduced risk, and Microsoft recommends they use the firewall included with the operating system, or a network firewall, to block access to the affected ports and limit the attack surface from untrusted networks.

Does this update completely remove the vulnerabilities, TCP/IP Zero Window Size Vulnerability - CVE-2008-4609 and TCP/IP Orphaned Connections Vulnerability - CVE-2009-1926?
Since the denial of service vulnerabilities, CVE-2008-4609 and CVE-2009-1926, affect the TCP/IP protocol itself, the updates for Windows Server 2003 and Windows Server 2008 do not completely remove the vulnerabilities; the updates merely provide more resilience to sustain operations during a flooding attack. Also, these denial of service vulnerabilities can be further mitigated through the use of NAT and reverse proxy servers, further lowering the severity of this issue on client workstations."

That they are not patching the vulnerability for these still-supported products is one thing, but the following statement is just comical:

"The impact of a denial of service attack is that a system would become unresponsive due to memory consumption. However, a successful attack requires a sustained flood of specially crafted TCP packets, and the system will recover once the flood ceases. Microsoft recommends that customers running Microsoft Windows 2000 Service Pack 4 use a firewall to block access to the affected ports and limit the attack surface from untrusted networks."

Is this not the case for any denial of service attack? Systems always recover once the flood ceases. Is it not best practice anyway to have a firewall limiting the attack surface from untrusted networks? It is also hard to believe that this can be "Critical" for newer operating systems but only "Low" or "Important" for older ones. Is this not backwards? (Microsoft's own explanation, quoted above, is that the rating reflects default exposure rather than the flaw itself: XP SP2 and later ship with a stateful host firewall and no listening service, so the vulnerable code path is not reachable from the network in the default configuration.)

OK, so they are not patching the issue; maybe we should consider upgrading our servers to Windows 2003 or Windows 2008. Wait: they say the updates do not fully fix the issues on those products either:

"Since the denial of service vulnerabilities, CVE-2008-4609 and CVE-2009-1926, affect the TCP/IP protocol itself, the updates for Windows Server 2003 and Windows Server 2008 do not completely remove the vulnerabilities; the updates merely provide more resilience to sustain operations during a flooding attack."

So an issue from 2008 is covered here, but it is not really fixed, just made more resilient.
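To make the zero-window mechanism behind CVE-2008-4609 concrete, and to show what a network-side check looks like when a firewall rather than a patch is all you have, here is an added Python example (not code from this post or from Microsoft). It parses raw IPv4/TCP headers, counts the connections each source keeps parked at a zero receive window after the handshake, and flags sources over a threshold. The packets are constructed inline; the server address `192.0.2.10`, the threshold of 3, and all function names are assumptions.

```python
"""Heuristic detector for the TCP zero-window flood pattern (CVE-2008-4609).

Added example, not code from the original post or from Microsoft. It parses
raw IPv4/TCP headers, tracks per-source connections that keep advertising a
zero receive window after the handshake, and reports sources above a
threshold. The traffic below is constructed here; the threshold, the server
address and the helper names are assumptions.
"""
import struct
from collections import defaultdict

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags, window):
    """Minimal IPv4 + TCP header (no options, checksums left zero) for samples."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip_src, ip_dst)
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return (src_ip, dst_ip, sport, dport, flags, window), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return src, dst, sport, dport, off_flags & 0x01FF, window


def zero_window_offenders(packets, server_ip, threshold=3):
    """Map source IP -> count of its connections parked at window 0.

    A connection is 'parked' after the client sends a segment without
    SYN/RST/FIN that carries ACK and advertises window 0; it is released
    when the client advertises a non-zero window or tears the connection
    down. Only sources with at least `threshold` parked connections are
    returned, so a single client that briefly stalls is not flagged.
    """
    parked = defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None or parsed[1] != server_ip:
            continue
        src, _dst, sport, dport, flags, window = parsed
        conn = (src, sport, dport)
        if flags & (TCP_RST | TCP_FIN):
            parked[src].discard(conn)
        elif flags & TCP_SYN:
            continue                      # handshake, not yet established
        elif flags & TCP_ACK and window == 0:
            parked[src].add(conn)         # stuck in persist: server must hold data
        elif flags & TCP_ACK:
            parked[src].discard(conn)     # window reopened
    return {src: len(c) for src, c in parked.items() if len(c) >= threshold}


SERVER = "192.0.2.10"   # assumed server address for the constructed sample


def sample_packets():
    """Constructed traffic: one source parks four connections at window 0;
    a second source stalls once and then reopens its window."""
    pkts = []
    for sport in range(40000, 40004):
        pkts.append(build_ipv4_tcp("198.51.100.7", SERVER, sport, 80, TCP_SYN, 65535))
        pkts.append(build_ipv4_tcp("198.51.100.7", SERVER, sport, 80, TCP_ACK, 0))
    pkts.append(build_ipv4_tcp("203.0.113.5", SERVER, 50000, 80, TCP_SYN, 65535))
    pkts.append(build_ipv4_tcp("203.0.113.5", SERVER, 50000, 80, TCP_ACK, 0))
    pkts.append(build_ipv4_tcp("203.0.113.5", SERVER, 50000, 80, TCP_ACK | TCP_PSH, 8192))
    return pkts


if __name__ == "__main__":
    print(zero_window_offenders(sample_packets(), SERVER))   # {'198.51.100.7': 4}
```

The per-source threshold is what separates a slow client (one stalled window is normal TCP flow control) from an attacker holding many connections open so the server must keep their send buffers in memory, which is exactly the memory-consumption effect Microsoft's FAQ describes. Feeding real traffic means replacing `sample_packets()` with frames from a capture, stripped of their link-layer header.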

For some reason, I have a sneaking suspicion that this is the first of many to come until these Operating Systems go into the Extended Support phase. Maybe Customers should ask for some of their maintenance costs to be refunded as no patch is being created according to support contracts. It will be interesting to see if any breach of contract issues, or other litigation in the event of a breach or exploit of these vulnerabilities occurs.


Disclaimer: The opinions expressed in this article are those of the author and do not represent the views of Hackers Center or its affiliates.


Avert Labs Releases A New Version of McAfee FileInsight

| Brett D. Arion |


Today Avert released version 2.1 of McAfee FileInsight. You can download a free copy from the Avert Tools site. FileInsight is a handy integrated tool environment for web site and file analysis: it offers hex editing, syntax highlighting, several built-in decoders, a built-in calculator, a disassembler, JavaScript scripting support, a Python-based plugin system and more.

Let's go through some stages of an example malware attack to highlight some of its analysis features. But don't try this stunt at home unless you know what you're doing; a safe, isolated lab environment is absolutely mandatory for any such research work.

The screen above shows the initial malicious web site, which fingerprints the visitor's browser and redirects to one or more matching exploits. One of them is an exploit for the Microsoft DirectShow Video ActiveX Control Vulnerability (MS09-032), stopped as "Exploit-MSDirectShow.b" by McAfee VirusScan and as "BehavesLike.Exploit.CodeExec.EBEO" by McAfee Gateway Anti-Malware.

Getting to the actual shellcode takes several JavaScript unpacking steps: the JavaScript code is spread over several script files and custom-encoded. In the screen above, we paste that malicious code into FileInsight's Scripting window and let it deobfuscate there.

Once we're down to the shellcode level, we can look at the shellcode directly in the built-in disassembler. The Disassembler window also features recursive traversal, so branch labels are generated automatically.

The shellcode uses a CALL-to-POP sequence to determine the actual memory location of its obfuscated payload, sets up a loop to decode that payload, and then executes it. The decoded payload downloads a XOR-obfuscated executable that turns out to be a UPX-packed backdoor (stopped by Artemis and by McAfee Gateway Anti-Malware as "LooksLike.Win32.Suspicious.C").
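The last step of that chain, peeling the XOR layer off the downloaded executable and recognizing the UPX packing underneath, is the kind of task a FileInsight Python plugin is written for. The following is an added example in plain Python, not FileInsight's own plugin code and not taken from the post. It brute-forces a single-byte XOR key by scoring each candidate decoding for PE markers, then checks for UPX section names. The sample blob is constructed (a stub carrying only the markers the checks look for); the scoring heuristic, the key `0x5A`, and the function names are assumptions.

```python
"""Recover a single-byte-XOR-obfuscated download and check whether it is UPX-packed.

Added example, not part of the original post and not FileInsight's own code.
The sample blob is constructed (a stub carrying only the PE markers the checks
look for); the scoring heuristic, the key and the function names are assumptions.
"""

DOS_STUB = b"This program cannot be run in DOS mode"
PE_MARKERS = (b"MZ", b"PE\x00\x00", DOS_STUB)
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def xor_bytes(data, key):
    """Same operation the shellcode's decode loop performs, one byte at a time."""
    return bytes(b ^ key for b in data)


def score_candidate(plain):
    """Count PE markers exposed by a candidate decoding; require MZ at offset 0."""
    if not plain.startswith(b"MZ"):
        return 0
    return sum(1 for marker in PE_MARKERS if marker in plain)


def recover_xor_key(blob):
    """Try all 256 single-byte keys; return (key, decoded) with the best score, or None."""
    best = None
    for key in range(256):
        plain = xor_bytes(blob, key)
        score = score_candidate(plain)
        if score and (best is None or score > best[0]):
            best = (score, key, plain)
    return None if best is None else (best[1], best[2])


def is_upx_packed(pe):
    """UPX leaves its section names (and usually the 'UPX!' tag) in the packed file."""
    return any(marker in pe for marker in UPX_MARKERS)


def build_sample_blob(key=0x5A):
    """Constructed stand-in for the downloaded executable, XORed with `key`.

    Layout: DOS header with e_lfanew = 0x80, DOS stub text, PE signature at
    0x80 with the i386 machine type, then UPX section names and the UPX! tag.
    """
    fake_pe = (
        b"MZ" + b"\x00" * 58 + b"\x80\x00\x00\x00"
        + b"\x0e\x1f" + DOS_STUB + b".\r\n$"
        + b"\x00" * (0x80 - 64 - 2 - len(DOS_STUB) - 4)
        + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 22
        + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 36 + b"UPX!" + b"\x00" * 12
    )
    return xor_bytes(fake_pe, key)


if __name__ == "__main__":
    key, pe = recover_xor_key(build_sample_blob())
    print(hex(key), pe[:2], is_upx_packed(pe))   # 0x5a b'MZ' True
```

Requiring "MZ" at offset 0 is what makes the search unambiguous for a single-byte key: only one key can map the first byte to 0x4D, and the extra markers guard against a blob that merely happens to begin with those two bytes. The same routine covers the shellcode's own decode loop, since that is a byte-wise XOR as well; a multi-byte or rolling key would need the search widened accordingly.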

Advanced users may also want to look into FileInsight's Python-based plugin system, but be warned: writing plugins with the overwhelming simplicity of the Python language has a certain addiction potential! ;-)

FileInsight is available here.


Wednesday, September 2, 2009

Absolute Poker Scandal

| Armando Romeo |

In the summer of 2007, a disturbing trend emerged on the poker site Absolute Poker: four accounts were consistently winning large amounts of money in high-stakes games while playing a clearly losing style of poker. Players complained, and when nothing was done to address their concerns, they started their own investigation. This led to the uncovering of the superuser account scandal at Absolute Poker.

From Megaloser to Megawinner Overnight

Four accounts that had been significant losers in 2006 returned to play in 2007. This time they posted huge wins despite playing what should have been losing poker. The accounts were "potripper", "Steamroller", "Doubledrag" and "Graycat". They would play very short sessions, post huge wins, and then leave, and they never played at the same time.

Players analyzed hands and win rates and saw that the win rates were well above what even the best players on the site should be able to accomplish. On September 13, 2007, potripper won a $1,000 buy-in event on Absolute Poker, and Marco "CrazyMarco" Johnson insisted that cheating was going on. What convinced him was that when he moved all-in with a nine-high bluff, potripper called holding ten-high.

After his loss, CrazyMarco contacted Absolute Poker requesting a hand history. What they sent him by mistake was a copy of every hand, including the hole cards of all players. Analysis of the data showed that potripper won every showdown in the tournament, folded when he was behind and raised when he wasn't, and saw nearly every flop in the event unless an opponent held at least pocket queens.

User363

The file CrazyMarco received was analyzed further, and the IP addresses and e-mails of the players and observers in the tournament were traced. It was noticed that during potripper's tournament run, user363 joined potripper's table and stayed there for the entire run. That account was then traced back to the offices of Absolute Poker in Costa Rica.

Absolute Poker First Denies and Then Recants

At first, Absolute Poker denied that there was any wrongdoing going on at the site. On October 12, 2007, they stated, "We have determined with reasonable certainty that it is impossible for any player to see the hole cards as was alleged. There is no part of the technology that allows for a 'superuser' account."

Allegations of a cover-up flew and as the company's name was continually smeared around the world, Absolute Poker finally came forward and admitted there was a problem. The following is part of a statement admitting the security breach:

"Based upon our preliminary findings, it appears that the integrity of our poker system was compromised by a high-ranking trusted consultant employed by AP whose position gave him extraordinary access to certain security systems. As has been speculated in several online forums, this consultant devised a sophisticated scheme to manipulate internal systems to access third-party computers and accounts to view hole cards of other customers during play without their knowledge."

Kahnawake Investigation

The Kahnawake Gaming Commission ran an investigation and released its findings on January 11, 2008. It confirmed that the potripper account, as well as several others, had indeed used a superuser account to gain access to opponents' hole cards. It required Absolute Poker to refund players any money lost to those accounts and fined the company $500,000. In addition, the commission would continue to monitor the site for two years.

As we know, this was just the beginning as another scandal would unfold with Absolute Poker's sister site UltimateBet.com. Since the findings of the Kahnawake Gaming Commission, Absolute Poker and UltimateBet have joined the Cereus Network to ensure better security and gaming integrity.

The parties responsible for the cheating have never been brought to justice, and it is suspected that they never will be. As a result, Absolute Poker has taken a black eye in public perception. The site still has a loyal following and has tried to move forward since the scandal, but the nagging thought will always be in the back of people's minds: will there be a SonofPotripper in the future?
