September 2006 - Posts

SANS - PDF Vulnerabilities

http://isc.sans.org/diary.php?storyid=1718&rss

Handler's Diary September 19th 2006

PDF vulnerabilities

Published: 2006-09-19,
Last Updated: 2006-09-20 00:01:15 UTC by Donald Smith (Version: 1)

Several new Adobe PDF vulnerabilities were recently announced.
The author claims these are basic vulnerabilities in the PDF API or architecture. The author tested his PoCs against Acrobat Reader and Adobe Professional.

The details are available here:
http://michaeldaw.org/
http://www.eweek.com/article2/0,1895,2016606,00.asp

Here is a quick risk assessment.

How widely deployed is the application?
Adobe reader is widely used and deployed. (9)

Are vendor patches available?
No patches currently available (10)

Is mitigation available and if so how complete is the mitigation?
No mitigation is currently available. (10)

Is user participation required?

Yes. The user first has to download or click the link to a PDF. (5)
So some user interaction takes place.
I have not tested the PoCs, but several people have, and their results do not match. Depending on who tested it, you may have to click Allow.
See this discussion on who tested the PoCs and their results:
http://www.networksecurityarchive.org/html/FullDisclosure/2006-09/msg00252.html

Is the vulnerability cross platform?

Yes. Any exploits will still have to run system-dependent malware on the end host, but there are plenty of malware binaries that could be used. (8)

Are proofs of concept or exploit code available?
The PoCs for two of the vulnerabilities are publicly available. (10)

Overall risk score: 8.7 on a scale of 0 – 10, with 10 being the highest.
This is based on the numbers I assigned.
Your risk might be slightly higher or lower depending on the numbers you would assign and any mitigating factors. In most risk assessments I do, I include the value of the system that is vulnerable. In this case that is difficult to do, so I have left it out.

Posted by Anonymous | with no comments

An answer to a question, and a bit more

Question: If I were doing a check upon logon to see if McAfee and ePO are installed and running, would this be a good thing to check?

Answer:

What to Check for:

ePO

Check if key exists and return the values:

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\Installed Path

Returned Value example:
C:\Program Files\Network Associates\Common Framework

Check if file(s) exist:
FrameworkService.exe

Check if service exists:

McAfeeFramework

Check if Process is running:

FrameworkService.exe

VirusScan

Check if key exists and return the values:

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\szInstallDir

Returned Value example:
C:\Program Files\Network Associates\VirusScan\

Check if file(s) exist:

Mcshield.exe
scan32.exe

Check if service exists:

McShield
McTaskManager

Check if Process is running:

McShield.exe


WMIC examples of how to check for this (you could create a VBScript or SMS Installer script to do the checks):

Let's cut to the chase and see if the processes are running:

Click Start, then Run, and type cmd.exe

Then type:

wmic process where (Name='FrameWorkService.exe') get name,processid
wmic process where (Name='McShield.exe') get name,processid

But maybe we want to check more than one machine:

Click Start, then Run, and type cmd.exe

Type cd \ and hit Enter

Type notepad.exe

Paste a line-by-line list of computers

For example:

Redrider1
redriderDC2
redridersms5
smsjackleg
smellyserver3

Then hit Alt+F
Then hit the A key
Save the document to the system drive as computers.txt (usually C:\computers.txt)
Exit Notepad

Now type in your cmd.exe window:

for /F %i in (computers.txt) do wmic /node:%i process where (Name='FrameWorkService.exe') get name,processid
for /F %i in (computers.txt) do wmic /node:%i process where (Name='McShield.exe') get name,processid

(Typed at the prompt, the loop variable is %i; if you put the same line in a .bat or .cmd file it must be written %%i.)

How cool, but you say that you don't want to just see it, you want to document it.
OK, let's put all this in a document:

for /F %i in (computers.txt) do wmic /node:%i process where (Name='FrameWorkService.exe') get name,processid /FORMAT:CSV >> Results.csv

Now open C:\Results.csv with Excel. Two things to know about that file: each host appends its own Node,Name,ProcessId header line, so filter those out, and a host that does not answer produces an error on the console rather than a row in the file, so any machine missing from Results.csv still needs a look.

That's pretty cool too, because we now have a document we can open with Excel. We love Excel. Unfortunately, our boss wants a pretty document. So let's give her/him one.

for /F %i in (computers.txt) do wmic /node:%i process where (Name='FrameWorkService.exe') get name,processid /FORMAT:htable >> Results.htm

Now open C:\Results.htm with Internet Explorer:

It seems like the longer the command line the better the Results(.htm)  ;)
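The same checks as a script, added here as an example (it is not from the post and not from McAfee or ePO): it reads C:\computers.txt, applies every check listed above (registry value, file, service, process) to each host over WMI, and writes C:\Results.csv. The function names and CSV column names are my own; the registry paths, file, service and process names are the ones listed in the answer above, and the script assumes admin rights and WMI (DCOM) access to each host.

```powershell
# Added example, not the blog's own script: performs the ePO and VirusScan checks
# listed above on every host named in C:\computers.txt (file name taken from the
# post) and writes one row per host to C:\Results.csv. Assumes admin rights and
# WMI (DCOM) access to each host: the registry is read via WMI's StdRegProv and
# files are checked over the C$ admin share, so nothing extra is installed.
$HKLM = [uint32]2147483650   # StdRegProv hDefKey constant for HKEY_LOCAL_MACHINE

function Get-RemoteRegString {
    param([string]$Computer, [string]$SubKey, [string]$ValueName)
    $reg = [wmiclass]"\\$Computer\root\default:StdRegProv"
    $r = $reg.GetStringValue($HKLM, $SubKey, $ValueName)
    if ($r.ReturnValue -eq 0) { return $r.sValue }   # non-zero: key or value missing
    return $null
}

function Test-RemoteFile {
    param([string]$Computer, [string]$LocalPath)
    # C:\dir\file.exe -> \\host\C$\dir\file.exe
    $unc = $LocalPath -replace '^([A-Za-z]):', ('\\' + $Computer + '\$1$$')
    return Test-Path -LiteralPath $unc
}

function Get-HostStatus {
    param([string]$Computer)
    $epoDir = Get-RemoteRegString $Computer 'SOFTWARE\Network Associates\ePolicy Orchestrator\Agent' 'Installed Path'
    $vseDir = Get-RemoteRegString $Computer 'SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion' 'szInstallDir'
    $svc = @{}   # service name -> State (Running, Stopped, ...); absent key = service not installed
    Get-WmiObject Win32_Service -ComputerName $Computer -Filter "Name='McAfeeFramework' OR Name='McShield' OR Name='McTaskManager'" |
        ForEach-Object { $svc[$_.Name] = $_.State }
    $procs = @(Get-WmiObject Win32_Process -ComputerName $Computer -Filter "Name='FrameworkService.exe' OR Name='McShield.exe'" | Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        Node                    = $Computer
        EpoInstalledPath        = $epoDir
        FrameworkServiceExe     = [bool]$epoDir -and (Test-RemoteFile $Computer (Join-Path $epoDir 'FrameworkService.exe'))
        McAfeeFrameworkService  = $svc['McAfeeFramework']
        FrameworkServiceRunning = $procs -contains 'FrameworkService.exe'   # -contains is case-insensitive
        VseInstallDir           = $vseDir
        McShieldExe             = [bool]$vseDir -and (Test-RemoteFile $Computer (Join-Path $vseDir 'Mcshield.exe'))
        McShieldService         = $svc['McShield']
        McTaskManagerService    = $svc['McTaskManager']
        McShieldRunning         = $procs -contains 'McShield.exe'
    }
}

$results = foreach ($h in (Get-Content 'C:\computers.txt' | Where-Object { $_.Trim() })) {
    try { Get-HostStatus $h.Trim() } catch { Write-Warning "${h}: $($_.Exception.Message)" }   # unreachable host: warn, keep going
}
$results | Export-Csv -NoTypeInformation -Path 'C:\Results.csv'
$results | Format-Table Node, McAfeeFrameworkService, FrameworkServiceRunning, McShieldService, McShieldRunning -AutoSize
```

Unlike the wmic loop, an unreachable host shows up as a warning rather than silently dropping out of the CSV, and a host where the key exists but the service is stopped is visible in the McShieldService column.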

 

Posted by Anonymous | 2 comment(s)

Did you notice?

Probably not.

My blog is missing something.

It's last month's Microsoft Security Updates.

I hate my blog. Somewhere along the way I lost what I wanted my blog to be.

I forgot rule #3:

3) Most importantly, I will have fun with my blog.

I got to the point that I was just propagating news, and I really wanted to share some content.

Going forward, I will not forget about rule #3. If I do, and my blog gets boring again, please let me know.

Posted by Anonymous | with no comments