Posts

Fake VirusTotal serves Drive-by Download Malware (May 24, 2011)

The SonicWALL UTM Research team received reports of a fake VirusTotal website serving malware through a drive-by download. When the page is visited, an embedded Java applet downloads the malware, as seen below:

Fake VirusTotal Website: http://ne{REMOVED}otal.tk/

screenshot

The applet does not carry a trusted signature, so the Java runtime prompts for the user’s permission to run it. If the user accepts, the applet downloads the malware and executes it. The downloaded malware uses the following icon:

    screenshot

This malware is also known as the n0ise bot; its primary purpose is to recruit the infected machine into the author’s botnet, which is used for flooding attacks. Supported attacks include the following:

  • UDP Flood
  • ICMP Flood
  • SYN Flood
  • HTTP Flood

Other features of this malware include anti-analysis checks for the following tools and environments:

  • Anti Cain
  • Anti Debugger
  • Anti Emulator
  • Anti Filemon
  • Anti Netstat
  • Anti Networkmon
  • Anti ParallelsDesktop
  • Anti Processmon
  • Anti Regmon
  • Anti TCPView
  • Anti VirtualBox
  • Anti VirtualPC
  • Anti VMWare
  • Anti Wireshark

Command and Control Server:

Server Name: http://rea{REMOVE}trol.de/bot/gate.php

The malware reports system information to the command and control server, including:

  • Bot Version
  • PC Name
  • Windows Version
  • IP Address

Backdoor Functionality:

  • Update Bot
  • Remove Bot
  • CheckInstall
  • Self Destruct
  • Disable Procedures
  • Get Server Command

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

GAV: Arcdoor.AG (Worm)
GAV: Downloader.AJ (Exploit)

Drive-by download leads to Backdoor Trojan (May 11, 2011)

The SonicWALL UTM Research team discovered instances of malicious Java applets being used to perform drive-by downloads of malware. Once the applet runs, the malware is downloaded and executed without any further user interaction. The downloaded malware reports system information back to a remote server and also opens a backdoor on the victim’s machine. When a user visits a malicious domain hosting the applet, it runs as seen below:

screenshot

The applet does not carry a trusted signature, so the Java runtime prompts for the user’s permission to run it. If the user accepts, the applet silently downloads a file and executes it. The downloaded executable performs the following activities:

  • It drops the following copies of itself:
    • %appdata%\DocumentWriter.exe [Detected as GAV: VB.SGQ (Trojan)]
    • %temp%\privzate.exe [Detected as GAV: VB.SGQ (Trojan)]
    • %temp%\6858.jpg [Detected as GAV: VB.SGQ (Trojan)]
    • %temp%\51156.jpg [Detected as GAV: VB.SGQ (Trojan)]

  • It creates the following registry entry so that it runs every time the user logs on:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: "%appdata%\DocumentWriter.exe"
  • It determines the machine’s public IP address with the following HTTP request to api.ipinfodb.com:
    • GET /v2/ip_query_country.php?key=1d1bb511aed00402daada8d8706f74b477e3172d0ca020deab3b43c16441a73d&timezone=off

  • It creates a backdoor listening on TCP port 1232
  • It sends information back to a remote server, including version, infection date, IP address, OS information and screenshots

screenshot

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

GAV: ClsDLod.A (Trojan)
GAV: ClsDLod.A_2 (Trojan)
GAV: VB.SGQ (Trojan)

FakeXvid.A – Increase in drive-by infections (May 20, 2011)

The SonicWALL UTM Research team has seen a sudden increase in drive-by infections. Such an infection takes place simply by visiting a website that exploits a known vulnerability in the browser or one of its plug-ins. Some of these websites are hosted on legitimate servers that have been compromised.

The Trojan is being actively spammed via e-mails containing malicious links:

The link in the email directs the user to a malicious website pretending to host a video that requires the XVID codec:

screenshot

The web page contains an iframe that causes a malicious PDF file to be loaded:

The PDF file uses a heap spray together with a known PDF reader exploit to run malicious code. That code decrypts and runs a script, which in turn downloads and runs setup.exe [Detected as GAV: Kryptik.NTI_3 (Trojan)]:

The web page also initiates the download of XvidSetup.exe [Detected as GAV: FakeXvid.A (Trojan)]:

The Trojan performs the following DNS queries:

  • smtp.mail.ru

The Trojan creates the following files on the filesystem:

  • C:\Documents and Settings\{USER}\Local Settings\Temp\setup.exe [Detected as GAV: Kryptik.NTI_3 (Trojan)]
  • C:\Documents and Settings\{USER}\Local Settings\Temporary Internet Files\Content.IE5\SL2VSXQV\37dbbd[2].pdf [Detected as GAV: Pdfka.OSQ (Trojan)]

The Trojan creates the following key in the Windows registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value AutoStart: "C:\DOCUME~1\{USER}\LOCALS~1\Temp\setup.exe"

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: FakeXvid.A (Trojan)
  • GAV: Kryptik.NTI_3 (Trojan)
  • GAV: Pdfka.OSQ (Trojan)

Postfix SASL AUTH Reuse Memory Corruption (May 20, 2011)

Postfix is a mail server for Unix-like platforms, commonly used as a replacement for Sendmail. The SMTP protocol defines a set of commands used to deliver email messages between connected systems; the base protocol was originally specified in RFC 821 (now RFC 5321) and the AUTH extension in RFC 4954. SMTP commands are composed of ASCII text terminated by the CRLF sequence. Each SMTP session begins with the server sending a 220 ready reply to the client. The client then identifies itself with a HELO (or EHLO) command, to which the server responds with a 250 OK. In configurations where a client must authenticate to the SMTP server, the client sends the AUTH command, naming the authentication mechanism to use (an optional initial response may follow the mechanism name). An SMTP session is terminated by the client sending a QUIT command. The format of the AUTH command is as follows:

 AUTH <SP> <mechanism> <CRLF>

Where AUTH is the first word on a new line, <SP> is one space character (0x20) and <CRLF> is the end-of-line character sequence.
Simple Authentication and Security Layer (SASL) is a framework providing authentication and data security services in connection-oriented protocols via replaceable mechanisms. Postfix can use several SASL implementations, such as Cyrus SASL and Dovecot. Some of the supported authentication mechanisms are:

  ANONYMOUS  CRAM-MD5  PLAIN  GSSAPI  DIGEST-MD5  LOGIN  SRP 

When SASL authentication is enabled, Postfix creates one Cyrus SASL server handle per SMTP session and keeps using it until the SMTP connection is closed. The Cyrus SASL library, however, does not expect a server handle to be reused after a client authentication fails: the server should create a new handle for every client authentication attempt. Within the same SMTP session, Postfix only creates a new SASL handle when the client and server switch from a plaintext session to an encrypted one.

A memory corruption vulnerability exists in the Postfix SMTP server when it uses the Cyrus SASL library. The vulnerability is due to the Postfix server failing to create a new SASL handle after a client authentication failure with certain authentication mechanisms.
Each Cyrus SASL authentication mechanism comprises session data structures that hold its data, pointers to the functions implementing the mechanism, and the authentication state.
When an authentication exchange that has already been initialized is aborted by the client and a new authentication request is subsequently sent, Postfix fails to create a new SASL handle for the new request. It therefore reuses the session context structures that were allocated for the previous authentication attempt, even if the new request names a different mechanism, which can corrupt heap memory.
A remote attacker could exploit this vulnerability, without needing valid credentials, by sending an AUTH command for one SASL mechanism, aborting it, and then sending another AUTH command. Successful exploitation results in memory corruption; execution of arbitrary code within the context of the smtpd process may also be possible.

This vulnerability has been assigned the identifier CVE-2011-1720 by MITRE. SonicWALL has released an IPS signature that addresses this issue:

  • 6619 – Postfix SASL AUTH Handle Reuse Memory Corruption
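
The trigger sequence described above, as an added example that is not part of the original post: a Python checker that walks an SMTP command/reply transcript and reports every AUTH issued after an earlier AUTH on the same connection was aborted or rejected, with no STARTTLS in between. It is neither Postfix code nor the SonicWALL signature; the transcripts are constructed, and the host names and credential strings in them are invented.

```python
"""Flag SMTP sessions that follow the CVE-2011-1720 trigger sequence.

Added example: neither Postfix code nor the SonicWALL signature. It walks a
captured SMTP transcript and reports each AUTH issued after an earlier AUTH on
the same connection was aborted ("*", RFC 4954) or rejected, with no STARTTLS
in between (the one point where Postfix allocates a fresh SASL handle).
"""
import re

AUTH_RE = re.compile(r"^AUTH[ \t]+([A-Za-z0-9_-]+)")


def find_sasl_handle_reuse(transcript):
    """transcript: list of (direction, line) pairs, direction "C" for client
    or "S" for server. Returns [(line_index, failed_mech, new_mech)] for every
    AUTH that would land on a handle left over from a failed attempt."""
    findings = []
    in_auth = None      # mechanism of the AUTH exchange currently open
    failed_auth = None  # mechanism of the last AUTH that was aborted/rejected
    for idx, (who, raw) in enumerate(transcript):
        line = raw.rstrip("\r\n")
        if who == "C":
            m = AUTH_RE.match(line)
            if m:
                mech = m.group(1).upper()
                if failed_auth is not None:
                    findings.append((idx, failed_auth, mech))
                in_auth = mech
            elif in_auth and line == "*":
                # RFC 4954 cancel: the server answers 501 and should discard
                # the SASL handle, which is what Postfix failed to do.
                failed_auth, in_auth = in_auth, None
            elif line.upper() == "STARTTLS":
                # Postfix creates a new SASL handle after TLS negotiation, so
                # earlier failures on this connection no longer matter.
                failed_auth, in_auth = None, None
        elif in_auth:
            code = line[:3]
            if code == "235":                  # authentication succeeded
                failed_auth, in_auth = None, None
            elif code[:1] in ("4", "5"):       # attempt rejected or failed
                failed_auth, in_auth = in_auth, None
    return findings


# Constructed transcripts (not captured traffic); hosts and credentials invented.
ABORT_THEN_AUTH = [
    ("S", "220 mx.example.test ESMTP Postfix"),
    ("C", "EHLO client.example.test"),
    ("S", "250-mx.example.test"),
    ("S", "250 AUTH PLAIN LOGIN CRAM-MD5"),
    ("C", "AUTH CRAM-MD5"),
    ("S", "334 PDEyMzQ1QG14LmV4YW1wbGUudGVzdD4="),
    ("C", "*"),
    ("S", "501 5.7.0 Authentication aborted"),
    ("C", "AUTH PLAIN"),                        # lands on the aborted handle
    ("S", "334 "),
    ("C", "AHVzZXIAcGFzcw=="),
    ("S", "235 2.7.0 Authentication successful"),
]

ABORT_THEN_STARTTLS = [
    ("S", "220 mx.example.test ESMTP Postfix"),
    ("C", "EHLO client.example.test"),
    ("S", "250-STARTTLS"),
    ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),
    ("C", "*"),
    ("S", "501 5.7.0 Authentication aborted"),
    ("C", "STARTTLS"),                          # new SASL handle from here on
    ("S", "220 2.0.0 Ready to start TLS"),
    ("C", "EHLO client.example.test"),
    ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "AUTH PLAIN AHVzZXIAcGFzcw=="),
    ("S", "235 2.7.0 Authentication successful"),
]

WRONG_PASSWORD_THEN_RETRY = [
    ("S", "220 mx.example.test ESMTP Postfix"),
    ("C", "EHLO client.example.test"),
    ("S", "250 AUTH PLAIN LOGIN"),
    ("C", "AUTH PLAIN AHVzZXIAd3Jvbmc="),
    ("S", "535 5.7.8 Error: authentication failed"),
    ("C", "AUTH PLAIN AHVzZXIAcGFzcw=="),        # retry on the failed handle
    ("S", "235 2.7.0 Authentication successful"),
]

if __name__ == "__main__":
    for name in ("ABORT_THEN_AUTH", "ABORT_THEN_STARTTLS", "WRONG_PASSWORD_THEN_RETRY"):
        print(name, find_sasl_handle_reuse(globals()[name]))
```

The checker never decodes the SASL exchange itself; it only tracks where the server’s handle would have been carried over, which is the condition the vulnerability depends on. Feed it direction-tagged lines from a capture or a mail proxy log, one connection at a time.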

Microsoft Security Bulletins Coverage (May 10, 2011)

SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of May, 2011. A list of issues reported, along with SonicWALL coverage information follows:

MS11-035 Vulnerability in WINS Could Allow Remote Code Execution (2524426)

  • CVE-2011-1248 WINS Service Failed Response Vulnerability
    IPS: 4573 Generic Server Application Shellcode Exploit 10

MS11-036 Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2545814)

  • CVE-2011-1269 Presentation Memory Corruption RCE Vulnerability
    IPS: 6576 Malicious PowerPoint Document 2b
  • CVE-2011-1270 Presentation Buffer Overrun RCE Vulnerability
    IPS: 6577 Malicious PowerPoint Document 3b

MS Excel catLabel Pointer Manipulation (May 06, 2011)

Microsoft Excel is a commercial spreadsheet application written and distributed by Microsoft for Microsoft Windows and Mac OS X. It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications. The common extension used for Microsoft Excel documents is .xls or .xlw.

The file format used for storing Microsoft Excel documents is known as the Binary Interchange File Format (BIFF). Each version of Microsoft Excel uses a different, though similar, format. Detailed file format information can be found on the OpenOffice.org website or in Microsoft’s official [MS-XLS] specification. The compatibility chart is presented below:

  Application version      File version   Start of File Identifier
  Excel 2.1                BIFF2          \x09\x00
  Excel 3.0                BIFF3          \x09\x02
  Excel 4.0                BIFF4          \x09\x04
  Excel 5.0                BIFF5          \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1
  Excel 7.0 (Excel 95)     BIFF7          \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1
  Excel 8.0 (Excel 97)     BIFF8          \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1
  Excel 9.0 (Excel 2000)   BIFF8          \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1
  Excel 10.0 (Excel 2002)  BIFF8X         \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1
  Excel 11.0 (Excel 2003)  BIFF8X         \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1

Note that files earlier than BIFF5 consist of a bare BIFF stream. From BIFF5 on, the data inside all Office document files is stored in a series of streams within an OLE (Object Linking and Embedding) compound file, the location of which is described by several sector allocation tables. An allocation table contains values that chain together the sectors making up each stream. These streams contain meta-data about the document, such as the author name and subject, and, in the case of Excel documents, the individual sheet names; the Excel-specific data lives in the Workbook stream (Book in BIFF5/7) and is organized as a series of records. The common structure of an Excel record is a 2-byte identifier, followed by a 2-byte data size, and the number of data octets specified in the size field:

  Offset   Size     Contents
  0x0000   2 bytes  Identifier (Type)
  0x0002   2 bytes  Size of the following data, N
  0x0004   N bytes  Record Data

The CatSerRange record specifies the properties of a category axis, date axis, or series axis. The CatSerRange record has the two-byte identifier 4128 (0x1020) and its 8 bytes of Record Data have the following structure:

  Offset   Size     Contents
  0x0000   2 bytes  catCross – A signed int specifying where the value axis crosses this axis.
  0x0002   2 bytes  catLabel – A signed int specifying the interval between the axis labels on this axis.
                    Must be in the range [1, 31999].
  0x0004   2 bytes  catMark – A signed int specifying the interval between tick marks.
  0x0006   2 bytes  Flags, of which three bits are used:
                    bit 0: fBetween – Whether the value axis crosses this axis between major tick marks.
                    bit 1: fMaxCross – Whether the value axis crosses this axis at the maximum category rather than at catCross.
                    bit 2: fReverse – Whether the axis is displayed in reverse order.

A pointer manipulation vulnerability exists in Microsoft Excel when parsing a CatSerRange record. An attacker must entice the target user to open a malicious Excel document in order to exploit this vulnerability. By exploiting this vulnerability, an attacker can inject and execute arbitrary code with the privileges of the currently logged-in user.
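
The record layout above, as an added example that is not part of the original post: a Python walker over a raw BIFF record stream that decodes CatSerRange and flags any catLabel outside the range [1, 31999] the format requires, which is the kind of check a content signature for this record performs. It is not Microsoft’s or SonicWALL’s code; it assumes the Workbook stream has already been extracted from the OLE container (for a real .xls file the olefile module can do that), and the two streams it runs on are constructed by hand.

```python
"""Walk a BIFF record stream and range-check CatSerRange.catLabel.

Added example, not Microsoft's or SonicWALL's code. It assumes the caller has
already pulled the Workbook stream out of the OLE container; the streams at
the bottom are built by hand so the script runs offline.
"""
import struct

BOF, EOF, CATSERRANGE = 0x0809, 0x000A, 0x1020
CATLABEL_MIN, CATLABEL_MAX = 1, 31999


def iter_records(stream):
    """Yield (offset, record_type, body) for each record in a BIFF stream.

    A header or body running past the end of the stream raises ValueError
    instead of being skipped, so a truncated file is reported, not ignored.
    """
    off, end = 0, len(stream)
    while off < end:
        if end - off < 4:
            raise ValueError("truncated record header at offset %d" % off)
        rtype, size = struct.unpack_from("<HH", stream, off)
        body = stream[off + 4:off + 4 + size]
        if len(body) != size:
            raise ValueError("record 0x%04X at offset %d claims %d data bytes, %d present"
                             % (rtype, off, size, len(body)))
        yield off, rtype, body
        off += 4 + size


def stream_is_well_formed(stream):
    """True if every record header and body fits inside the stream."""
    try:
        for _ in iter_records(stream):
            pass
        return True
    except ValueError:
        return False


def parse_catserrange(body):
    """Decode the 8-byte CatSerRange body into its named fields."""
    if len(body) != 8:
        raise ValueError("CatSerRange body must be 8 bytes, got %d" % len(body))
    cat_cross, cat_label, cat_mark, flags = struct.unpack("<hhhH", body)
    return {
        "catCross": cat_cross,
        "catLabel": cat_label,
        "catMark": cat_mark,
        "fBetween": bool(flags & 0x0001),
        "fMaxCross": bool(flags & 0x0002),
        "fReverse": bool(flags & 0x0004),
    }


def find_bad_catlabel(stream):
    """Return [(offset, catLabel)] for every CatSerRange record whose catLabel
    falls outside [1, 31999]."""
    bad = []
    for off, rtype, body in iter_records(stream):
        if rtype != CATSERRANGE:
            continue
        label = parse_catserrange(body)["catLabel"]
        if not CATLABEL_MIN <= label <= CATLABEL_MAX:
            bad.append((off, label))
    return bad


def record(rtype, body):
    """Encode one BIFF record: 2-byte type, 2-byte size, body."""
    return struct.pack("<HH", rtype, len(body)) + body


# Constructed streams: a BIFF8 BOF (16-byte body), one CatSerRange, an EOF.
# The hostile stream carries catLabel = -1, below the permitted minimum.
CLEAN_STREAM = (record(BOF, bytes(16))
                + record(CATSERRANGE, struct.pack("<hhhH", 1, 1, 1, 0x0001))
                + record(EOF, b""))
HOSTILE_STREAM = (record(BOF, bytes(16))
                  + record(CATSERRANGE, struct.pack("<hhhH", 1, -1, 1, 0x0001))
                  + record(EOF, b""))

if __name__ == "__main__":
    for name, stream in (("clean", CLEAN_STREAM), ("hostile", HOSTILE_STREAM)):
        print(name, stream_is_well_formed(stream), find_bad_catlabel(stream))
```

Note that BIFF8 records longer than 8224 bytes are split across CONTINUE records; the walker above yields those as separate records and does not reassemble them, which is fine for CatSerRange but matters for large string or picture records.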

The SonicWALL UTM Research team has investigated this issue and released the following IPS signatures for the known exploits:

  • 6555 MS Excel catLabel Pointer Manipulation PoC 1
  • 6556 MS Excel catLabel Pointer Manipulation PoC 2

This vulnerability has been assigned CVE-2011-0978 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0978).

Rogue AV targeting Mac users – MACDefender (May 4, 2011)

The SonicWALL UTM Research team found reports of a new rogue AV application called MACDefender targeting Apple Mac OS X users.

As seen in the past, rogue AV criminals take advantage of news stories that interest a large user base by poisoning Google search results. When an unsuspecting user clicks on one of these results, they are led to a fake AV download, as happened with the Valentine’s Day, Wikileaks and Holiday Shopping Deals campaigns.

This is the first instance in which we have seen SEO poisoning used to target Windows and Mac OS X users alike. Search terms like “Osama bin laden”, or even simple terms like “piranhas”, on Google web or image search returned poisoned results; clicking on one of them executes malicious JavaScript that leads to the download of fake AV malware. For Mac OS X Safari users the downloaded payload is called BestMacAntivirus2011.mpkg.zip, as opposed to BestAntivirus2011.zip for Windows users.

The following screenshots show the MACDefender infection if the user runs the file (with Safari’s default “Open ‘safe’ files after downloading” option enabled, the archive is unpacked and the installer package opened automatically):

screenshot

screenshot

screenshot

screenshot

If the user attempts to clean the “infections”, the application prompts the user to buy the software and enter a serial number; valid serial numbers were easy to find inside the payload itself, as seen below:

screenshot

screenshot

Besides displaying fake infection alerts, it also opens pornographic websites in the browser, chosen at random from a predetermined list.

screenshot

SonicWALL Gateway AntiVirus provides protection against this Rogue AV malware via the following signatures:

  • GAV: MacDefender.A (Trojan)

SCADA Systems and Stuxnet (Feb 25, 2011)

Supervisory control and data acquisition (SCADA) generally refers to industrial control systems: computer systems that monitor and control industrial, infrastructure or facility-based processes. Industrial processes include manufacturing, production, power generation, fabrication and refining, and may run in continuous, batch, repetitive or discrete modes. Infrastructure processes may be public or private, and include water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense siren systems and large communication systems. Facility processes occur in both public and private facilities, including buildings, airports, ships and space stations, where they monitor and control HVAC, access and energy consumption.

SCADA systems have evolved through three generations: monolithic, distributed and networked. In the first, “monolithic”, generation, computing was done by mainframe computers; networks did not exist when SCADA was developed. In the second, “distributed”, generation, processing was spread across multiple stations connected through a LAN, which shared information in real time over proprietary protocols. The current, “networked”, generation uses an open system architecture rather than a vendor-controlled proprietary environment: it relies on open standards and protocols and distributes functionality across a WAN rather than a LAN.

For current-generation SCADA systems, the SonicWALL UTM Research team has studied the public protocols and created the following application signatures to monitor and control SCADA traffic:

  • 773 Modbus — Outbound TCP
  • 774 Modbus — Inbound TCP
  • 6017 ICCP — COTP Connection Request
  • 6018 ICCP — Unauthorized Association Request
  • 6019 ICCP — Unauthorized MMS Write Request Attempt
  • 6029 ICCP — Invalid OSI-SSEL
  • 6034 ICCP — Invalid OSI PSEL
  • 6035 DNP3 — Disable Unsolicited Responses
  • 6036 DNP3 — Unsolicited Response Storm
  • 6037 DNP3 — Cold Restart From Client
  • 6038 DNP3 — Stop Application
  • 6039 DNP3 — Warm Restart
  • 6040 DNP3 — Broadcast Request from Client

From our statistics, SCADA traffic matching these signatures was observed in the following countries (number of networks and signature hits):

  Country                      Networks       Hits
  UNITED STATES                    2182   15539047
  INDIA                             486      20317
  CANADA                            391     389251
  TAIWAN, PROVINCE OF CHINA         304    6479034
  ITALY                             266     150232
  UNITED KINGDOM                    224      42618
  SPAIN                             181       6823
  BRAZIL                            137      22696
  TURKEY                            123     480351
  GERMANY                           103    2499369

As the description of the third generation indicates, open system architectures are increasingly used in place of vendor-controlled proprietary environments. Because of the use of standard protocols, and the fact that many networked SCADA systems are reachable from the Internet, these systems are potentially vulnerable to remote attack. The security issues researchers are most concerned about are:

  • the lack of concern about security and authentication in the design, deployment and operation of existing SCADA networks
  • the belief that SCADA systems have the benefit of security through obscurity through the use of specialized protocols and proprietary interfaces
  • the belief that SCADA networks are secure because they are physically secured
  • the belief that SCADA networks are secure because they are disconnected from the Internet

To address these concerns, the SonicWALL research team has devoted consistent effort to protecting customers from attacks that exploit SCADA-related vulnerabilities. For example, the following IPS signatures were developed specifically for SCADA vulnerabilities; in addition, more than 100 generic shellcode IPS/GAV signatures cover other SCADA attacks.

  • 6027 Modbus TCP Illegal Packet Size
  • 5056 CitectSCADA Buffer Overflow Attempt
  • 5951 RealFlex SCADA SCPC_INITIALIZE BO Attempt
  • 5952 RealFlex SCADA SCPC_INITIALIZE_RF BO Attempt
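
What the Modbus signatures above look for, as an added example that is not part of the original post: a Python Modbus/TCP frame splitter and validator that flags an illegal length field (the condition behind the “Modbus TCP Illegal Packet Size” signature) and labels each ADU as a read or a write (the distinction behind the inbound/outbound Modbus application signatures). It is not SonicWALL’s signature logic; the framing limits come from the Modbus messaging specification, and the frames at the bottom are constructed.

```python
"""Modbus/TCP ADU sanity checks and read/write classification.

Added example, not SonicWALL signature logic. Framing limits follow the Modbus
Messaging on TCP/IP specification: a 7-byte MBAP header (transaction id,
protocol id, length, unit id) precedes a PDU of at most 253 bytes, so a legal
ADU is at most 260 bytes and the length field (bytes after it, unit id
included) lies in [2, 254]. The frames at the bottom are constructed.
"""
import struct

MBAP_LEN = 7
MAX_PDU = 253
MAX_ADU = MBAP_LEN + MAX_PDU                 # 260 bytes
READ_FUNCS = {1, 2, 3, 4, 20, 24}            # coils, inputs, registers, file record, FIFO
WRITE_FUNCS = {5, 6, 15, 16, 21, 22, 23}     # single/multiple writes, mask write, read/write


def split_adus(stream):
    """Split one TCP payload into ADUs using the MBAP length field, since a
    segment may carry several requests. Raises ValueError if the tail is
    truncated so the caller can resynchronise instead of misparsing."""
    adus, off = [], 0
    while off + 6 <= len(stream):
        length = struct.unpack_from(">H", stream, off + 4)[0]
        end = off + 6 + length
        if end > len(stream):
            raise ValueError("truncated ADU at offset %d" % off)
        adus.append(stream[off:end])
        off = end
    if off != len(stream):
        raise ValueError("%d trailing bytes after the last ADU" % (len(stream) - off))
    return adus


def validate_adu(adu):
    """Return a list of violations for one ADU; an empty list means well-formed."""
    if len(adu) < MBAP_LEN + 1:
        return ["frame shorter than MBAP header plus function code"]
    _tid, pid, length, _unit = struct.unpack_from(">HHHB", adu, 0)
    problems = []
    if pid != 0:
        problems.append("protocol id %d is not Modbus (0)" % pid)
    if not 2 <= length <= MAX_PDU + 1:
        problems.append("illegal length field %d" % length)
    if length != len(adu) - 6:
        problems.append("length field %d disagrees with %d bytes on the wire"
                        % (length, len(adu) - 6))
    if len(adu) > MAX_ADU:
        problems.append("ADU of %d bytes exceeds %d" % (len(adu), MAX_ADU))
    return problems


def classify(adu):
    """Label an ADU by its function code: read, write, exception or other."""
    fc = adu[7]
    if fc & 0x80:
        return "exception"
    if fc in READ_FUNCS:
        return "read"
    if fc in WRITE_FUNCS:
        return "write"
    return "other"


def audit(stream):
    """Split a payload and run both checks; returns [(index, class, problems)]."""
    return [(i, classify(adu), validate_adu(adu))
            for i, adu in enumerate(split_adus(stream))]


def _hx(text):
    return bytes.fromhex(text.replace(" ", ""))


# Constructed frames: Read Holding Registers (FC 3, 10 registers from 0),
# Write Single Register (FC 6, value 0x1234 to register 1), and a Write
# Multiple Registers frame whose length field claims 300 bytes.
READ_REQ = _hx("0001 0000 0006 01 03 0000 000A")
WRITE_REQ = _hx("0002 0000 0006 01 06 0001 1234")
OVERSIZED = _hx("0003 0000 012C 01 10 0000 0001 02 0000")

if __name__ == "__main__":
    print(audit(READ_REQ + WRITE_REQ))
    print(validate_adu(OVERSIZED))
```

Direction matters for the classification: a write request arriving from outside the control network is the case the inbound signature is meant to surface, so pair classify() with the flow direction from the capture rather than treating every write as suspicious.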

Stuxnet, the best-known attack on SCADA systems, is a Windows worm discovered in July 2010 that targets industrial software and equipment. The worm initially spreads indiscriminately, but includes a highly specialized payload designed to target only SCADA systems configured to control and monitor specific industrial processes. Different variants of Stuxnet targeted five Iranian organizations, with the probable target widely suspected to be Iran’s uranium enrichment infrastructure. It is reported that the Iranian nuclear program, which uses embargoed Siemens equipment procured clandestinely, was damaged by Stuxnet.

The SonicWALL research team tracked the Stuxnet worm from the time it was first discovered; the first GAV signatures detecting Stuxnet were created on July 13th, 2010. The signatures are listed below. Some of them may have been retired since the corresponding variants have been removed from the affected websites.

  • 5423 Stuxnet
  • 4228 Stuxnet.A_5
  • 3917 Stuxnet.A_4
  • 1601 Stuxnet.A_3
  • 41726 Stuxnet.B
  • 42142 Stuxnet.B_2
  • 41962 Stuxnet.D
  • 41730 Stuxnet.A_2
  • 41728 Stuxnet.A

Across current deployments, the countries with the most networks on which Stuxnet was detected are:

  Country           Networks
  UNITED STATES          206
  INDIA                   11
  BRAZIL                  10
  CANADA                   8
  UNITED KINGDOM           3
  FRANCE                   2
  GERMANY                  2
  ICELAND                  2
  PHILIPPINES              2

Spam from your Facebook account (Apr 29, 2011)

The SonicWALL UTM Research team received reports of a new spam campaign, spreading in the wild, that pretends to come from the Facebook abuse department. It carries a new variant of the Oficla Trojan, which SonicWALL blocks as GAV: Oficla.MME (Trojan). The Trojan also downloads further components: a mass mailer, an information stealer and a FakeAV.

Sample e-mails from the campaign use the following subjects and attachment name:

Subject:

  • Spam from your Facebook account
  • Spam from your account
  • Your password has been changed

Attachment: Attached_SecurityCode{Random Numbers}.zip

screenshot

If the user extracts and executes the malicious executable inside the zip attachment, it performs the following activities:

  • Starts a new SVCHOST.EXE process and injects its code into it
  • Deletes the original executable file

It downloads the following additional malware:

  • Application Data\gog.exe – [detected as GAV: FakeAV.MME (Trojan)]
  • %windir%\system32\aspimgr.exe – [detected as GAV: Mailer.G (Trojan)]
  • %temp%\Qojmytwjb.exe – [detected as GAV: Mailer.G_2 (Trojan)]
  • %temp%\grabbers – [detected as GAV: Grabber.A (Trojan)]

Dropped files:

  • %windir%\s32.txt
  • %windir%\ws386.ini
  • %temp%\_check32.bat
  • Application Data\install

Registry entries added (replacing the Winlogon Shell value makes gog.exe start in place of Explorer at every logon):

  • Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Value: Shell
    Data: "C:\Documents and Settings\research\Application Data\gog.exe"
  • Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
    Value: ImagePath
    Data: %windir%\System32\aspimgr.exe

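The persistence entries in this post and in the two drive-by posts above (the HKCU Run entry for %appdata%\DocumentWriter.exe, the HKLM Run entry for setup.exe in the Temp directory, and the Winlogon Shell value pointing at gog.exe), as an added example that is not part of the original posts: a Python hunter over a `reg export` dump that flags Run/RunOnce values launching from a profile or temp directory and any Winlogon Shell value other than explorer.exe. It is not SonicWALL code; the dump is constructed, and the value names in it (DocumentWriter, AutoStart) are invented because the posts give only the data.

```python
"""Hunt a 'reg export' dump for the persistence entries seen in these posts.

Added example, not SonicWALL code. Parses the .reg text format (key in
brackets, "name"="value" lines, backslashes doubled inside strings) and flags
Run/RunOnce entries that launch from a user-writable directory and a Winlogon
Shell value other than explorer.exe. The dump below is constructed and its
value names are invented.
"""
import re

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Directories a legitimate Run entry rarely points into (XP-era and newer names).
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp", "\\appdata\\",
                 "\\temp\\", "%appdata%", "%temp%", "docume~1", "locals~1")


def _unescape(s):
    return s.replace("\\\\", "\\").replace('\\"', '"')


def _string_value(raw):
    """Return the text of a REG_SZ literal, or None for hex:/dword: data."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    return None


def find_persistence(reg_text):
    """Return [(key, value_name, data, reason)] for each suspicious entry."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line) if key else None
        if not m:
            continue
        name, data = _unescape(m.group(1)), _string_value(m.group(2))
        if data is None:
            continue
        klow, dlow = key.lower(), data.lower()
        if klow.endswith("\\currentversion\\run") or klow.endswith("\\currentversion\\runonce"):
            if any(d in dlow for d in USER_WRITABLE):
                findings.append((key, name, data,
                                 "Run entry launches from a user-writable directory"))
        elif klow.endswith("\\windows nt\\currentversion\\winlogon") and name.lower() == "shell":
            if dlow.strip('"') != "explorer.exe":
                findings.append((key, name, data, "Winlogon Shell replaced"))
    return findings


# Constructed dump: three entries modelled on the posts, plus two benign ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DocumentWriter"="C:\\Documents and Settings\\research\\Application Data\\DocumentWriter.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\research\\Application Data\\gog.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoStart"="C:\\DOCUME~1\\research\\LOCALS~1\\Temp\\setup.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
'''

if __name__ == "__main__":
    for key, name, data, reason in find_persistence(SAMPLE_REG):
        print("%-40s %-16s %s" % (reason, name, data))
```

`reg export` writes UTF-16 with a byte-order mark, so decode the file as utf-16 before passing its text in. The directory heuristics are just that: a legitimate per-user installer can also live under Application Data, so treat hits as leads to check against the file’s hash and signature, not as verdicts.
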
Network Activity:

HTTP GET Requests:

  • http://campaign{REMOVED}ions.ru/connect/load.php
  • http://campaign{REMOVED}hools.ru/connect/load.php
  • http://campf{REMOVED}om.ru/connect/load.php
  • http://camp{REMOVED}a.ru/connect/load.php

HTTP POST Requests:
The information-stealing component sends the data it collects from the system to this URL:

  • http://campaign{REMOVED}ations.ru/connect/grabbers.php

DNS Requests:

  • cl6{REMOVED}tart.ru
  • hy{REMOVED}ys.ru
  • ml6{REMOVED}art.ru
  • 94.244.80.60

Mass Mailer

Checks for Internet connectivity by connecting to the following sites:

  • www.yahoo.com
  • www.web.de

Checks connectivity to SMTP servers by querying MX records, as shown below:

screenshot

Collects e-mail addresses, but skips any address containing the following strings:

  • abuse
  • accoun
  • admin
  • anyone
  • apache.org
  • arachnoid
  • -bugs
  • ca.com
  • caube
  • cauce
  • cauce.org
  • certific
  • -certs
  • ci.el-paso.tx.us
  • cloudmark.com
  • digsigtrust
  • e-trust
  • example
  • fraud
  • gold-certs
  • google
  • ht.ht
  • icrosof
  • linux
  • listserv
  • mailwasher
  • majordomo
  • messagelabs
  • mydomai
  • nobody
  • nodomai
  • noone
  • nothing
  • paulgraham.com
  • phishing
  • postmaster
  • privacy
  • rating
  • rx.t-online
  • samples
  • secur
  • service
  • somebody
  • someone
  • submit
  • support
  • symantec
  • thawte
  • the.bat
  • valicert
  • verisign
  • verisign.com
  • webmaster
  • webroot.com

Information Stealer

Steals credentials from the following applications:

    Poker Games:

  • Full Tilt Poker
  • Pacificpoker
  • PartyPoker
  • Titan Poker

    FTP Clients:

  • BitKinex
  • Bullet Proof FTP
  • BulletProof FTP Client 2009
  • BulletProof FTP Client 2010
  • ClassicFTP
  • CoffeeCup FTP
  • CuteFTP 6 Home
  • CuteFTP 6 Professional
  • CuteFTP 7 Home
  • CuteFTP 7 Professional
  • CuteFTP 8 Home
  • CuteFTP 8 Professional
  • CuteFTP Lite
  • CuteFTP Pro
  • CuteFTP
  • Dev Zero G
  • DirectFTP
  • ExpanDrive
  • FAR Manager FTP
  • FTP Commander
  • FTP Explorer
  • FTPClient
  • FTPRush
  • FileZilla
  • FlashFXP
  • Fling
  • Frigate3 FTP
  • NetDrive
  • SmartFTP
  • Sota
  • TurboFTP
  • WS_FTP
  • WebDrive

    Web Browsers:

  • Flock
  • Google Chrome
  • IE
  • Mozilla
  • Opera
  • Safari
  • Seamonkey
  • Thunderbird

    IM Clients:

  • AIM
  • ICQ
  • MSN
  • Messenger-2
  • Miranda
  • Trillian
  • Yahoo
  • Vypress

    Mail Clients:

  • Eudora
  • Forte
  • Mail Commander
  • Mail.Ru
  • POP Peeper
  • PocoMail
  • Windows Mail

    Others:

  • Myspace
  • Pandion
  • Sipphone

FakeAV

After the FakeAV component is installed, it shows a fake Microsoft Security Essentials alert, as seen below:

    screenshot

After the user clicks the “Scan Online” button, it shows the following message and prompts to reboot the system:

    screenshot

After the reboot, the following FakeAV screens appear. The user is then asked to pay for the software to completely clean the system.

    screenshot

    screenshot

    screenshot

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: FakeAV.MME (Trojan)
  • GAV: Grabber.A (Trojan)
  • GAV: Mailer.G (Trojan)
  • GAV: Mailer.G_2 (Trojan)
  • GAV: Oficla.MME (Trojan)

CA Total Defense SQL Injection Vulnerability (Apr 29, 2011)

CA Total Defense combines CA Anti-Virus, CA Anti-Spyware, CA Gateway Security and CA Host-Based Intrusion Prevention System to provide multi-layered protection. CA Total Defense contains a component called Unified Network Control (UNC), which is responsible for validating network access. Remote management of the UNC is provided by the Unified Network Control Web Service (UNCWS), which accepts both HTTP POST and SOAP XML requests.

An SQL injection vulnerability exists in the CA Total Defense UNCWS. Specifically, the vulnerability is due to a lack of sanitization of the modifiedData parameter in UNCWS requests. An attacker could exploit this vulnerability by sending a crafted HTTP POST or SOAP XML request to the target system. Successful exploitation would allow disclosure or manipulation of sensitive information; arbitrary code execution on the target system is also possible, given the availability of the “exec” SQL function.

The vulnerability has been assigned CVE-2011-1653.

SonicWALL has released an IPS signature to detect and block known exploits targeting this vulnerability. The following signature was released to address this issue:

  • 6523 – CA Total Defense Suite SQL Injection
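
The injection pattern described above, as an added example that is not part of the original post and not CA’s code: a hypothetical handler that concatenates a modifiedData parameter into an UPDATE, beside its parameterized replacement, run against an in-memory SQLite table so it executes offline. SQLite executes the stacked statements but has no “exec”, so the code-execution step the advisory mentions is not modelled; the schema, the handler and the payload are all constructed.

```python
"""Stacked-query injection through a request parameter, and the fix.

Added example; neither CA's code nor the UNCWS request format. A hypothetical
handler concatenates the modifiedData parameter into an UPDATE, so one
request can append further statements to the query. SQLite stands in for the
product's database: it runs the stacked statements but has no "exec", so
the code-execution step is not modelled here.
"""
import sqlite3


def new_db():
    """In-memory stand-in for a policy table (constructed schema and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE policy (id INTEGER PRIMARY KEY, name TEXT, enabled INTEGER)")
    conn.executemany("INSERT INTO policy (name, enabled) VALUES (?, ?)",
                     [("default", 1), ("guest", 0)])
    conn.commit()
    return conn


def update_policy_vulnerable(conn, policy_id, modified_data):
    """Builds the statement by string concatenation. executescript() mirrors a
    driver that accepts several ';'-separated statements in one call, which
    is what makes the appended UPDATE run."""
    sql = "UPDATE policy SET name = '%s' WHERE id = %d" % (modified_data, int(policy_id))
    conn.executescript(sql)
    return sql


def update_policy_fixed(conn, policy_id, modified_data):
    """Same operation with a bound parameter: the data is never parsed as SQL."""
    conn.execute("UPDATE policy SET name = ? WHERE id = ?", (modified_data, int(policy_id)))
    conn.commit()


def policies(conn):
    return list(conn.execute("SELECT name, enabled FROM policy ORDER BY id"))


# Constructed payload: closes the string literal, finishes the UPDATE, appends a
# second statement that enables the guest policy, and comments out the rest.
PAYLOAD = "x' WHERE id = 1; UPDATE policy SET enabled = 1 WHERE name = 'guest'; --"

if __name__ == "__main__":
    vuln = new_db()
    print(update_policy_vulnerable(vuln, 1, PAYLOAD))
    print("vulnerable:", policies(vuln))
    fixed = new_db()
    update_policy_fixed(fixed, 1, PAYLOAD)
    print("fixed:     ", policies(fixed))
```

The parameterized version stores the whole payload as the literal policy name, which is exactly the outcome wanted: the data never reaches the SQL parser. On a server that exposes stored-procedure execution, the same stacking is what turns an information-disclosure bug into code execution.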