Irregular Expressions

May 7, 2010  8:29 AM

Microsoft May Release Notice

Dan O'Connor

There are two bulletins for this month, one for Office and the other for Windows, both rated critical. The Windows update does require a restart according to the release, and the Office one may require one.

The Windows vulnerability being patched appears to go from Windows 2000 to Windows 7 (including Windows Server).

Here is the link to the MS posting.

May 6, 2010  9:30 AM

Root DNS Server update

Dan O'Connor

In case you missed it, the root DNS servers were updated with DNSSEC early this week. It seems the updates went well; I have not heard of any issues.

Here is some more information on DNSSEC from Wikipedia.

For those of you running older DNS servers, you will need to update; I have heard of problems with old DNS servers and the large replies they get from DNSSEC-enabled servers.

April 30, 2010  8:36 PM

Automating system tasks with Perl – Part 1

Dan O'Connor

Bash and sh scripts are great for automating system tasks on the local host.

For remote hosts I prefer to use Perl: you can use Perl to log in via ssh or telnet (great for routers), and you can also do simple tasks on web sites.

For connecting to remote systems I use Net::SSH::Expect.

Here is a simple connection, from the documentation.

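        use Net::SSH::Expect;

        # Create the connection object. The host value is blank on this page;
        # set it to the server you are connecting to.
        my $ssh = Net::SSH::Expect->new (
            host => "",
            password=> 'pass87word',
            user => 'bnegrao',
            raw_pty => 1
        );

        # Log in and check that the login output contains the expected greeting.
        my $login_output = $ssh->login();
        if ($login_output !~ /Welcome/) {
            die "Login has failed. Login output was $login_output";
        }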

This will create a connection object called $ssh, then verify that you get a welcome prompt.

Interactive operations can be done with the ‘send’ and ‘waitfor’ subs; here is another example.

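        $ssh->send("passwd");            # start the interactive command
        $ssh->waitfor('password:\s*\z', 1) or die "prompt 'password' not found after 1 second";
        $ssh->send("current_password");  # placeholder value
        $ssh->waitfor(':\s*\z', 1) or die "prompt 'New password:' not found";
        $ssh->send("new_password");      # placeholder value
        $ssh->waitfor(':\s*\z', 1) or die "prompt 'Confirm new password:' not found";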

Part 2 will get more complicated.

April 30, 2010  10:46 AM

XSS in sharepoint

Dan O'Connor

There is a privilege escalation vulnerability in MS SharePoint. There is a mitigation for IE 8 users: you can enable an XSS filter (see the links). There is also a workaround: if you ACL the help.aspx file, you won't be able to view the help for the site, but it is supposed to stop the attack.

Here are the suggested actions from MS.

Customers can mitigate the impact to systems running Microsoft Windows SharePoint Services 3.0 or Microsoft Office SharePoint Server 2007 by applying the following workarounds.

Workaround refers to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Restrict Access to SharePoint Help.aspx

An administrator can apply an access control list to SharePoint Help.aspx to ensure that they can no longer be loaded. This effectively prevents exploitation of the vulnerability using this attack vector.

To restrict access to the vulnerable Help.aspx:

Run the following commands from a command prompt:

cacls "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N

cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N

Impact of workaround. This workaround will disable all help functionality from the SharePoint server.

How to undo the workaround.

Run the following commands from a command prompt:

takeown /f "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx"

takeown /f "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx"

cacls "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /R everyone

cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /R everyone

April 27, 2010  11:21 PM

A little more of buffer overflows

Dan O'Connor

Without getting very technical, there are a few things worth noting when referring to overflows.

There are some programming languages in which buffer overflows are more difficult than in others. An application written in a low-level language like C, which gives the developer very fine control over the system memory, is more likely to have an overflow than something written in Perl or Java.

Also, buffer overflows are extremely easy to avoid in an application: checking the bounds on your variables when they are accepted will make sure what you are getting is going to fit into the buffer. This means moving a developer past the point of “this works” to “this is correct”. That is not to say that they are bad developers, but that the bar needs to be moved up.

April 27, 2010  11:11 PM

Snort updated

Dan O'Connor

Snort was updated on the 26th.

Here is the list of new additions and improvements from the update.

2010-04-22 - Snort 2.8.6

[*] New Additions
   * HTTP Inspect now splits requests into 5 components -
     Method, URI, Header (non-cookie), Cookies, Body.
     Content and PCRE rule options can now search one or more of these buffers.

     HTTP server-specific configurations to normalize the HTTP header and/or
     cookies have been added.

     Support gzip decompression across multiple packets.

   * Added a Sensitive Data preprocessor, which performs detection of
     Personally Identifiable Information (PII).  A new rule option is available
     to define new PII.  See README.sensitive_data and the Snort Manual
     for configuration details.

   * Added a new pattern matcher and related configurations.  The new pattern
     matcher is optimized to use less memory and perform at AC speed.

[*] Improvements
   * Addressed problem to resolve output obfuscation affecting packets
     when Snort is inline.

   * Preprocessors with memcap settings can now be configured in a "disabled"
     state.  This allows you to configure that memcap globally, but only enable
     the preprocessor in targeted configurations.

April 25, 2010  11:08 PM

MS10-025 And Buffer Overflows

Dan O'Connor

The MS10-025 update has been retracted; MS states that it “does not address the underlying issue”.

MS10-025 is a Windows Server 2000 SP4 Windows Media Services stack-based buffer overflow. Stack and heap overflows are the same concept; stack vs. heap refers to where the overflow occurred.

A heap overflow takes place in a dynamically allocated section of memory; for those of you who can understand C, it would be a variable created with the “malloc” function. Heap memory is allocated at run time (dynamic).

char *buff = malloc(10);

Stack overflows take place in statically sized variables (size set at compile time). Again, if you can read C (and even if you cannot) this will look familiar.

char buff[10];

Either one is exploited by the same technique: sending more data than the buffer can hold.

Here is the technical write-up at US-CERT.
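The bounds check recommended in the April 27 post ("A little more of buffer overflows"), applied to the stack and heap buffers shown in this post. This is an added example, not code from the original posts; the function names copy_checked, store_on_stack and store_on_heap and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 10  /* same size as the buffers in the post */

/* Copy src into dst only if it fits, including the terminating NUL.
 * Returns 0 on success, -1 if the input is too long (nothing is written). */
static int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    len = strlen(src);
    if (len >= dst_size)          /* the copy needs len + 1 bytes */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Stack case: char buff[10]; the size is fixed at compile time. */
int store_on_stack(const char *input)
{
    char buff[BUF_SIZE];
    return copy_checked(buff, sizeof buff, input);
}

/* Heap case: char *buff = malloc(10); allocated at run time. */
int store_on_heap(const char *input)
{
    char *buff = malloc(BUF_SIZE);
    int rc;
    if (buff == NULL)
        return -1;
    /* sizeof buff is the pointer size here, so pass the allocation size. */
    rc = copy_checked(buff, BUF_SIZE, input);
    free(buff);
    return rc;
}

int main(void)
{
    const char *fits = "123456789";       /* constructed: 9 chars + NUL = 10 bytes */
    const char *too_long = "1234567890";  /* constructed: 10 chars + NUL = 11 bytes */
    printf("stack: fits=%d too_long=%d\n", store_on_stack(fits), store_on_stack(too_long));
    printf("heap:  fits=%d too_long=%d\n", store_on_heap(fits), store_on_heap(too_long));
    return 0;
}
```

The ten-character input is rejected even though the buffer is ten bytes, because the string terminator needs the eleventh byte.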

April 25, 2010  10:14 PM

3rd Suricata Beta

Dan O'Connor

There is a 3rd Suricata Beta available, head on over to .

Be warned that there are still a few items that need to be fixed.

Here is the list from the download section.

Known issues & missing features

We have made significant progress towards reaching our first full (non-beta) release of Suricata. Your feedback is always important to us and we appreciate your time and effort. As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete. With this in mind, please notice the list we have included of known items we are working on.

- Using the http_cookie keyword seems to cause a match on all packets.
- Currently we don't support the dce option for byte_test and byte_jump.
- Stream reassembly is currently only performed for app-layer code.
- Inconsistent time stamps in http log file due to handling & updating of the http state.
- DCE/RPC over udp is not currently supported.
- dce_stub_data does not respect relative modifiers.
- Engine does not work properly on big endian platforms.
- Time based stats are not calculated correctly.

I don’t see anything that would affect the install procedures; it seems like the dependencies have not changed from what I have found.

April 19, 2010  2:12 PM

Business Continuity With Volcanos

Dan O'Connor

I am thinking that most airlines and other companies that rely on air traffic for day-to-day business did not put too much time into planning for a volcanic ash cloud grounding flights for an extended period of time.

I have been seeing reports of this costing airlines 200 million dollars a day, if you need to get freight to NA or from NA to Europe what do you do? Wait? Send it by ship?

This is one of those situations that will happen once in a lifetime and something that no one really plans for.

Makes you think of what could happen to your business that was ruled out as “never” happening or never even thought of.

April 19, 2010  9:36 AM

ClamAV EOL of V 0.94

Dan O'Connor

ClamAV is going to be releasing signature files that are going to be too large for version 0.94 to handle; if that is what you are running, you need to update.
