Archive for November 2006

Why buy a NAS?

The XP hardening settings that were pushed out to my test group have found their first potentially major casualty. The NAS server from Buffalo Tech is not accessible when the client is set to LM compatibility level 4 (use NTLMv2, refuse LM). Sniffing the network connection shows that the TeraStation is using a SAMBA server from 4/3/2003. A quick Google search finds that this device does not support Lanman and everybody’s “fix” is to lower the security level of Windows and allow Lanman.
While I question the wisdom of a bunch of ad hoc, non-backed up, consumer level NAS servers, this may still be a problem for me. I don’t see Buffalo releasing firmware with a newer version of SAMBA any time soon.
The setting that I am trying to enforce on my computers is the default in Vista.
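As an added example (not part of the original post), here is a small audit script for the setting the post is enforcing. It reads the LmCompatibilityLevel value out of .reg exports of the Lsa key (the kind regedit or reg export produces) and flags hosts that are below the level you are pushing. The host names and registry exports in the block are constructed for the example; LEVEL_NAMES are Microsoft's names for the six levels of the "LAN Manager authentication level" policy.

```python
"""Audit LmCompatibilityLevel across hosts from .reg exports of
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa.  The exports below are
constructed sample data for this example (a real regedit export is UTF-16
with a BOM; open it with encoding="utf-16" before passing the text in)."""
import re
from typing import Optional

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Microsoft's names for the policy "Network security: LAN Manager authentication level".
LEVEL_NAMES = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only. Refuse LM",
    5: "Send NTLMv2 response only. Refuse LM & NTLM",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_dwords(reg_text: str) -> dict:
    """Return {(key_path_lower, value_name_lower): int} for every dword in a .reg export.
    Other value types (hex(7), strings, ...) are skipped; we only need the dword."""
    values = {}
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip().lstrip("\ufeff")
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _DWORD_RE.match(line)
        if m and current_key is not None:
            values[(current_key.lower(), m.group(1).lower())] = int(m.group(2), 16)
    return values


def lm_compatibility_level(reg_text: str) -> Optional[int]:
    """LmCompatibilityLevel from the export, or None when the value is absent
    (absent means the OS default applies, i.e. the policy was never set)."""
    return parse_reg_dwords(reg_text).get((LSA_KEY.lower(), "lmcompatibilitylevel"))


def audit(exports: dict, minimum: int = 4) -> list:
    """Hosts whose level is missing or below `minimum`, as (host, level) pairs."""
    findings = []
    for host, text in exports.items():
        level = lm_compatibility_level(text)
        if level is None or level < minimum:
            findings.append((host, level))
    return findings


# Constructed sample exports: one compliant host, one at level 2, one never configured.
SAMPLE_EXPORTS = {
    "ws01": r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000004
"NoLMHash"=dword:00000001
""",
    "ws02": r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000002
""",
    "ws03": r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
""",
}

if __name__ == "__main__":
    for host, level in audit(SAMPLE_EXPORTS, minimum=4):
        name = LEVEL_NAMES.get(level, "not configured")
        print(f"{host}: level {level} ({name}) is below the required minimum")
```

Run it against real exports by reading each host's file with encoding="utf-16" and putting the text into the dictionary; a host that shows up in the findings is one where the pushed setting did not take, which is worth knowing before deciding whether a NAS that only speaks Lanman is the only thing standing in the way.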

The ballad of Symantec licensing

License files. A necessary evil, or just evil? I nearly went insane while trying to obtain a license file from Symantec yesterday. Half the day was shot waiting on hold. Today I attempted to apply the license file. No dice.
The knowledge base wasn’t helpful. It suggested I use a later version of the product. I’d like to do that, but Symantec likes to trickle out access to major releases. As a result, I don’t have access to the latest major release. The KB further implies that my license file is incomplete because I did not add all available serial numbers to the licensing website before creating the license. Since I only have the one serial number, I don’t think that is the case.
To avoid hour long hold times, I should call in early tomorrow. Unfortunately I have a morning meeting, so that isn’t going to happen.

So this is how I have fun now

While Googling for more information on exploits of the SYM06-010 vulnerability, I got side tracked looking at the Information Security Office website at Carnegie Mellon University. They’ve put together an EXE that checks for all vulnerable versions of Symantec Antivirus version 10 and applies the appropriate patches.
Most companies have only deployed one specific build of each major version of SAV so they don’t need to go to so much trouble. I for example had been running 10.0.2.2000 when this came out. So it was a simple matter to upgrade to apply the patch. I thought it would be interesting to look at the language they used to create this EXE and apply the patch to a more heterogeneous SAV environment.
Looking at their executable, I quickly found that the EXE could not be opened with WinZip or Unrar.
Upon further investigation I found that the EXE unpacked itself to a temp directory \7zSA9.tmp. In that directory I found another exe and a folder containing all of the MSP patches needed for this vulnerability. This new EXE also could not be opened with WinZip or Unrar. A closer examination with ‘strings’ (I used the former Sysinternals program now available through Technet) revealed this file was packed with UPX. I used UPX to decompress, but did not make further progress.
Moving back up a step, I found that the version tab indicated that this file was created with AutoIT version 3. AutoIT is a basic scripting language. AutoIT has a utility for converting EXEs back to script format, but I found that a password was required. Strings did not find anything that worked as a password.
Further investigation led to a suggestion that a breakpoint could be set with a debugger pointing to the location of the password in the stack. I must have skipped reading that chapter in my forensics class. It was about this time that I decided it’s pretty late and I’m going to call it a night. I’m not very good at this. :)
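The first two steps above (is it a 7-Zip self-extractor? is the inner file UPX-packed? is it a compiled AutoIt script?) can be answered from file structure without running anything. The following is an added example, not code from the post or from Carnegie Mellon, that walks the PE section table and looks for the well-known markers: UPX names its sections UPX0/UPX1, a 7-Zip SFX carries the 7z archive signature after the stub, and compiled AutoIt v3 scripts contain the "AU3!" marker. All three are heuristics (a packer author can rename sections), and the sample executables in the block are constructed byte strings shaped like a PE, not real binaries.

```python
"""Identify common wrappers on a Windows executable from its structure alone:
PE sanity, UPX-named sections, an embedded 7-Zip archive (SFX stub + payload)
and the AutoIt v3 script marker.  Heuristic only: all of these markers can be
altered by whoever packed the file.  Sample inputs are constructed below."""
import struct
from typing import Optional

MZ = b"MZ"
PE_SIG = b"PE\0\0"
SEVENZIP_SIG = b"7z\xbc\xaf\x27\x1c"   # 7-Zip archive header signature
AUTOIT_MARKER = b"AU3!"                 # marker present in compiled AutoIt v3 scripts


def pe_section_names(data: bytes) -> Optional[list]:
    """Section names of a PE image, or None if `data` is not a PE image."""
    if len(data) < 0x40 or data[:2] != MZ:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                     # COFF file header follows "PE\0\0"
    if data[e_lfanew:coff] != PE_SIG or len(data) < coff + 20:
        return None
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size            # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break                           # truncated section table; stop cleanly
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def classify(data: bytes) -> dict:
    """Which wrappers the file appears to carry.  Keys: pe, upx, sevenzip, autoit."""
    names = pe_section_names(data)
    return {
        "pe": names is not None,
        "upx": names is not None and any(n.startswith("UPX") for n in names),
        "sevenzip": SEVENZIP_SIG in data,   # archive appended after the SFX stub
        "autoit": AUTOIT_MARKER in data,
        "sections": names or [],
    }


def build_sample_pe(section_names, overlay: bytes = b"") -> bytes:
    """Construct a minimal, non-executable PE-shaped byte string for testing:
    DOS header, PE signature, COFF header with no optional header, section table."""
    e_lfanew = 0x40
    dos = bytearray(MZ + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(
        n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names
    )
    return bytes(dos) + PE_SIG + coff + sections + overlay


# Constructed samples mirroring the post: an SFX with a 7z payload, a UPX-packed
# inner file, and a compiled AutoIt script.
SAMPLE_SFX = build_sample_pe([".text", ".rdata"], overlay=b"\0" * 16 + SEVENZIP_SIG + b"...")
SAMPLE_UPX = build_sample_pe(["UPX0", "UPX1", ".rsrc"])
SAMPLE_AU3 = build_sample_pe([".text", ".data"], overlay=b"\0" * 8 + AUTOIT_MARKER + b"EA06")

if __name__ == "__main__":
    for label, blob in (("outer", SAMPLE_SFX), ("inner", SAMPLE_UPX), ("au3", SAMPLE_AU3)):
        print(label, classify(blob))
```

To use it on the real files, read the bytes with open(path, "rb").read() and pass them to classify(); a "sevenzip" hit explains why WinZip would not open the outer file (it is an archive glued to a stub, not a zip), and "autoit" together with a clean section table tells you the inner program is a compiled script rather than a conventional compiled binary.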

ISC Reports Exploit of SAV/SCS vulnerability

The SANS Internet Storm Center is reporting exploitation attempts against unpatched versions of Symantec Antivirus 10 and Symantec Client Security 3.
The vulnerability first announced in May (with patches trickling out over the next month) allows remote code execution on a computer via Symantec’s remote management port. To reiterate, this vulnerability is exposed remotely only in managed versions of these products.
DShield is showing a remarkable uptick in scans against this service port currently.
To mitigate against this attack, personal firewalls should be blocking access to this port when the computer is on the Internet. When on the corporate network, the Symantec Antivirus management ports should only be accessible by the Symantec parent server.
Of course the best bet is to be patched. The list of vulnerable and patched versions is available in the Symantec writeup.

Waiting on hold for symantec

This post is mainly an as-it-happens record of a call to try to get a license file for one of my Symantec products. It’s not necessarily going to be funny, interesting or informative. Sort of like the rest of my posts.
Right now I’m waiting on hold for Symantec. It took 20 minutes to get through to someone in customer support. I can’t get a license out of their darn licensing website. The customer support guy couldn’t do anything but read irrelevant knowledge base articles to me. (“How to download from fileconnect”, “How to register at the licensing site”). Hello, are you listening to me?
So this guy decided pulling it would be too much work to actually solve my problem, so he is transferring me to the “licensing specialist.” Any bets on whether this will actually be a licensing specialist or if he has merely dumped me back into the 20 minute customer support queue in hopes that he won’t get my call the second time around.
- 30 minutes in – I’m reminded of the advice in “Internet Help Desk” by Three Dead Trolls in a Baggy, “always put them on hold, it takes the fight out of them”.
- 33 minutes in- I’m installing JAVA Runtime Environment 1.4.2-12 so maybe my McAfee for Sharepoint will work.
- 43 minutes in – wow, this is the most eclectic mix of music.
- 53 minutes in – shouldn’t have drunk so much Pepsi
- around 65 minutes in – lost the connection.
- Tried to call the number I was given for customer service and it is not valid.
New call to support since it’s the only number I have. Vent a bit about my Symantec experience so far today. Guy goes to check on something.
- 10 minutes in on second call – guy says I don’t need to talk to licensing and the hold time there is one hour right now (would have been nice if the guy on the first call had set that expectation).
I’m being transferred to customer service again. Oh, and apparently the number I have for that is correct, not sure why I got a busy signal then.
- 34 minutes into the second call – the customer service drone could not help me and is transferring me back to licensing. His oh so helpful suggestion is that I call back in the morning when the hold times are less. Quote of the call: “You’re from Virginia, where is that?”
- around 90 minutes into the second call – I got licensing, and we stepped through the website. We found that it had actually imported the newer certificate even though it didn’t display on the website. There was an advanced search that I hadn’t tried that turned it up. Once I did that there was an option to register the serial number. That’s kind of odd because that is what I thought I was doing when I imported the serial number into the website.
They’ve made a complicated mess of licensing that is causing a lot of problems. I’d say of the people I talked to today, two cared about solving the problem and reducing frustration. The rest of them couldn’t be bothered.

Word URL autolaunch

Michael Daw is at it again. In September SANS reported on his report of a vulnerability in Adobe Reader and Adobe Professional whereby an external webpage could be opened without further user interaction if a user opens a malicious PDF document.
Now, SANS is reporting on a similar vulnerability he accessed through IFRAMEs in Microsoft Word.
Michael’s website is not accessible right now. I remember checking out the sample pdf files on his site back in September.

Thanksgiving

Psalm 100
A psalm. For giving thanks.
1 Shout for joy to the LORD, all the earth.
2 Worship the LORD with gladness;
come before him with joyful songs.
3 Know that the LORD is God.
It is he who made us, and we are his;
we are his people, the sheep of his pasture.
4 Enter his gates with thanksgiving
and his courts with praise;
give thanks to him and praise his name.
5 For the LORD is good and his love endures forever;
his faithfulness continues through all generations.

Requests for Gambling Websites Surge in October

The shuttering of BetOnSports in the U.S. and the signing of the “Unlawful Internet Gambling Enforcement Act” have served as advertisement for the on-line gambling industry. According to ScanSafe’s Global Threat Report for October, they saw a 40% increase in U.S. based requests for gambling related pages.

Form Spy Spam Run

This evening at work someone is attempting to spam us with email containing an emule.exe attachment. It’s getting detected as FormSpy by MessageLabs.
According to the McAfee blog, previous versions of FormSpy have “hooked mouse and keyboard events in the Mozilla Firefox web browser. It can then forward information such as credit card numbers, passwords and URLs typed in the browser to a malicious website.”

IM Manager Day

Today Symantec IM Manager (formerly IMLogic IMManager) took far more of my time than I really planned. Last night I got approval to block AIM 6 users until IM Manager supports that version. The method provided by support was to redirect or block a specific host name. The problem, which I discovered later, is that the host name is also used for AIM Triton. So redirecting that host name broke AIM Triton, which had been working for months. I really don’t see a way to block AIM 6 without taking out Triton as well. It would be easier to deal with this if I was sure Triton 1.3 and 1.5 were successfully being filtered by IM Manager before. If they were bypassing the IM Manager protection for the past few months, I don’t feel bad about blocking them now.
So that was my morning. After a series of afternoon meetings, I found that I’d received the IM Manager renewal license certificate in the mail. Unfortunately, Symantec has changed how you download license files and I haven’t figured out how to do that yet. I also notice that the serial number gives me access to the 8.0.x version of the product rather than the newer 8.1. What’s the deal with that?
fixing title, doh!