Your daily source of Pwnage, Policy and Politics.

ISD Episode 19


Vulnerabilities of Interest:

  1. PostgreSQL Conversion Encoding Remote Denial of Service Vulnerability – PostgreSQL is prone to a remote denial-of-service vulnerability. Exploiting this issue may allow attackers to terminate connections to the PostgreSQL server, denying service to legitimate users. An example query is available:

     test=# CREATE DEFAULT CONVERSION test1 FOR 'LATIN1' TO 'KOI8' FROM ascii_to_mic;
     CREATE CONVERSION
     test=# CREATE DEFAULT CONVERSION test2 FOR 'KOI8' TO 'LATIN1' FROM mic_to_ascii;
     CREATE CONVERSION
     test=# set client_encoding to 'LATIN1';

  2. Adobe Flash Player APSB09-19 Multiple Unspecified Remote Vulnerabilities – Adobe has released advance notification that on December 8, 2009, the vendor will be releasing an advisory addressing multiple vulnerabilities affecting Flash Player and AIR. The highest severity rating of these issues is ‘Critical’. The following products are affected: Adobe Flash Player 10.0.32.18 (shoe edit: current version today) and prior and Adobe AIR 1.5.2 (shoe edit: current version today) and prior.
  3. udev (shoe edit for Nate: userspace device management, aka USB, PCI…) Path Encoding Local Denial of Service Vulnerability – The ‘udev’ Linux application is prone to a local denial-of-service vulnerability. Exploiting this issue allows local attackers to crash the application. Attackers may also be able to execute code with elevated privileges, but this has not been confirmed. This issue affects udev as shipped with Ubuntu Linux releases; other versions may also be vulnerable. Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
  4. DAZ Studio Scripting Support Remote Command Execution Vulnerability – DAZ Studio is prone to a remote command-execution vulnerability because the software fails to properly handle specially crafted files. An attacker could exploit this issue by enticing a victim to open a malicious document. Successful exploits would allow the attacker to execute arbitrary code in the context of the currently logged-in user. An attacker must entice an unsuspecting victim into opening a malicious file. Proof of concept is available.
  5. Adobe Illustrator Encapsulated Postscript File Remote Buffer Overflow Vulnerability – Adobe Illustrator is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue by enticing an unsuspecting victim to open a malicious Encapsulated PostScript file. Successfully exploiting this issue will allow attackers to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely result in a denial-of-service condition. This issue affects Illustrator CS4 14.0.0 and CS3 13.0.0; other versions may also be affected. Adobe reports that they are investigating this issue. Exploit code is available.
  6. UBB.threads Multiple File Include Vulnerabilities – UBB.threads is prone to multiple file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. Exploiting these issues may allow an attacker to compromise the application and the computer; other attacks are also possible. UBB.threads 7.5.4.2 is vulnerable; other versions may also be affected. An attacker can exploit these issues via a browser. Example URIs are available:

     http://www.example.com/path/ubb/libs/smarty/Smarty_Compiler.class.php?_plugins_params=[RFI]
     http://www.example.com/path/ubb/libs/html.inc.php?[USER_LANGUAGE]=[RFI]
     http://www.example.com/path/ubb/ubbthreads.php?file=../../../../../../../../etc/passwd%00

  7. Mozilla Firefox Multiple Remote Memory Corruption Vulnerabilities – Mozilla Firefox is prone to multiple remote memory-corruption vulnerabilities. Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition. Proofs of concept are available on the Mozilla Bugzilla website: https://bugzilla.mozilla.org/attachment.cgi?id=384979
  8. acpid Local Denial of Service Vulnerability – The ‘acpid’ daemon is prone to a local denial-of-service vulnerability. Successful exploits will allow attackers to make the daemon unresponsive, resulting in denial-of-service conditions. The issue affects versions prior to acpid 1.0.10. Attackers can use standard tools to exploit this issue.
  9. IPsec-Tools Prior to 0.7.2 Multiple Remote Denial Of Service Vulnerabilities – IPsec-Tools is affected by multiple remote denial-of-service vulnerabilities because the software fails to properly handle certain network packets. A successful attack allows a remote attacker to cause the application to crash or to consume excessive memory, denying further service to legitimate users. Versions prior to IPsec-Tools 0.7.2 are vulnerable. Exploit code is available:
  10. UPDATE: Microsoft Internet Explorer ‘Style’ Object Remote Code Execution Vulnerability – Proof of concept and exploit code are now available. A working commercial exploit is available through VUPEN Security – Exploit and PoCs Service. This exploit is not otherwise publicly available or known to be circulating in the wild. A Metasploit framework exploit module (‘37085.rb’) is available.
  11. OpenSSL ‘ChangeCipherSpec’ DTLS Packet Denial of Service Vulnerability – OpenSSL is prone to a denial-of-service vulnerability caused by a NULL-pointer dereference condition. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Versions prior to OpenSSL 0.9.8i are vulnerable. Exploit code is available.
News Items of Interest:

News item 1: http://blogs.technet.com/msrc/archive/2009/12/03/december-2009-bulletin-release-advance-notification.aspx
News item 2: http://www.nessus.org/nessus/
News item 3: http://blogs.technet.com/mmpc/archive/2009/11/27/do-and-don-ts-for-p-w0rd.aspx

Statistics about user names and passwords:

  • Longest user name: 15 chars
  • Longest password: 29 chars
  • Average user name length: 6 chars
  • Average password length: 8 chars

Here is a top 10 list with the most common user names used in automated attacks:

User names Count
Administrator 136971
Administrateur 107670
admin 8043
andrew 5570
dave 4569
steve 4569
tsinternetuser 4566
tsinternetusers 4566
paul 4276
adam 3287

And a similar list for passwords:

Passwords Count
password 1188
123456 1137
#!comment: 248
changeme 172
F**kyou (edited) 170
abc123 155
peter 154
Michael 152
andrew 151
matthew 151

News item 4: http://www.itworldcanada.com/news/northrop-grumman-launches-cybersecurity-group/139499

News item 5: http://news.cnet.com/8301-31114_3-10408603-258.html?part=rss&subj=news&tag=2547-1_3-0-20

News item 6: http://news.yahoo.com/s/zd/20091203/tc_zd/246549

Tech Segment:

Tracking services such as LoJack for Laptops and GadgetTrak allow you to install a program on your notebook, and if it’s stolen, these services can help track down and try to recover your computer — or at least disable it so the thief cannot access the contents of the hard drive. The problem with these services is that they usually require a monthly or annual subscription fee, ranging anywhere from $20 to $60 a year.

So what is the SMB, or for that matter the cheap home user, to do? It might surprise you to know that there are a few free, open-source options for tracking a stolen notebook. Aside from the price tag, one reason you might want to use an open-source tracker over a commercial product is that you can examine the code to ensure it isn’t doing anything shady with your private data, and compile it yourself.

Two free, open-source notebook tracking services are still standing: Prey and Pombo. Pombo works only with Linux, so that leaves us with Prey, which supports Windows, OS X and Linux. Prey looks good and works equally well. It is supported by a steady development team with an active community. The only downside is that it provides no mechanism for physically deleting files from the stolen machine, and the tracking software can be removed quite easily.

So how does it work? Prey can be deployed in two modes: Prey + Control Panel and Prey Standalone. When would you use which mode? You would use Prey + Control Panel when you want to manage your computer’s state and Prey’s configuration through a web page, which also keeps track of all reports sent by Prey from your device. This is the method we recommend for most users, since you don’t have to worry about the URL.

In standalone mode, the report goes directly to your inbox, but it’s up to you to generate the URL that activates Prey. In this case you don’t need to sign up for Prey, but you’ll have to set up the different modules by hand if you want to tune things. This is actually the way Prey worked before version 0.3 was released.

Of course, Prey needs an active Internet connection to send the information. If the computer isn’t connected, Prey will attempt to connect to the nearest open Wi-Fi access point available.

On Linux/Mac, Prey can (and should) be run as root so that it doesn’t depend on an active user session to run, but only on a successful boot.
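The standalone flow described above, modelled as an added example in POSIX shell (this is not Prey’s own code): an owner-controlled activation URL decides whether the machine is missing, and if so a report is mailed through the host’s configured mail transport, with the script meant to be run by root from cron after boot. The URL, the mailbox and the rule that an HTTP 200 means “activated” are assumptions made for this example.

```shell
#!/bin/sh
# Model of a Prey-style standalone tracker (added example, not Prey's code).
# Assumed for this example: the owner creates the activation page when the
# machine goes missing, so an HTTP 200 from the URL means "report now" and
# anything else (404, or 000 when offline) means "stay quiet".
ACTIVATION_URL="${ACTIVATION_URL:-http://example.invalid/prey/missing}"   # placeholder
REPORT_TO="${REPORT_TO:-owner@example.invalid}"                           # placeholder

# Pure policy decision on an HTTP status code, kept separate so it can be
# tested without network access. Returns 0 (true) when the machine is flagged.
activated_for_status() {
  case "$1" in
    200) return 0 ;;
    *)   return 1 ;;
  esac
}

# Fetch only the status code of the activation URL; curl prints 000 when it
# cannot connect, and an empty result (curl missing) is mapped to 000 too.
fetch_status() {
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null || true)
  echo "${code:-000}"
}

# Assemble the report body: hostname, UTC timestamp, logged-in sessions and
# local network addresses (the kind of data a tracker mails to the owner).
build_report() {
  printf 'host: %s\nwhen: %s\nsessions:\n%s\naddresses:\n%s\n' \
    "$(hostname 2>/dev/null || uname -n)" \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    "$(who 2>/dev/null || echo unavailable)" \
    "$(ip -o addr 2>/dev/null || ifconfig 2>/dev/null || echo unavailable)"
}

# One check cycle: mail the report only when the owner has activated the URL.
# Delivery relies on the host's configured mail transport (e.g. the SMTP
# account set up during installation), so a firewall that blocks outbound
# HTTP or SMTP silently disables tracking.
run_once() {
  if activated_for_status "$(fetch_status "$ACTIVATION_URL")"; then
    build_report | mail -s "tracker report from $(hostname 2>/dev/null || uname -n)" "$REPORT_TO"
  fi
}

# Install as a root cron entry so it runs after every boot without a user
# session, e.g.:  @reboot /usr/local/sbin/tracker.sh --run
if [ "${1:-}" = "--run" ]; then
  run_once
fi
```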

Installation

For Windows, Mac and Ubuntu Linux users: simply download the package/installer and run it. Once all files are in place you’ll need to configure Prey, where you’ll be able to choose between the two operation modes. If you want to use Prey along with the control panel (recommended), you’ll have to register and add your device to obtain your API and Device keys. Prey needs them both, so make sure you add them correctly.

If you want to use Prey in standalone mode, you’ll have to set up your mail server (SMTP) settings, such as your Gmail account data (in this particular case make sure you put the complete username with the “@gmail.com”!). Sometimes email sending doesn’t work at once, so please try using a different target mailbox just in case; in fact that’s how the problem generally gets fixed.

If you have any firewall or antivirus software installed, you will want to ensure that it does not block Prey from sending the report and that the Scheduled Tasks service remains active. If you block Prey, you block the ability to track the machine, even if you mark it as stolen or lost.

Attacker: Easily defeated
Defender: Cheap and does equally well as more expensive products. Geolocation capabilities are in the works!

Upcoming Episodes: Chris Nickerson of Tiger Team Fame will be a guest next week.