Your daily source of Pwnage, Policy and Politics.

ISD Episode 31

The Community SANS Atlanta 2010 Spring schedule has been posted. There are 5 classes currently being offered, leading off with Scott Moulton’s SEC606.

SEC-606: Drive and Data Recovery Forensics    2/9/10 to 2/13/10
SEC-502: Perimeter Protection In-Depth    2/22/10 to 2/27/10
AUD-507: Auditing Networks, Perimeters, and Systems    3/15/10 to 3/20/10
MGT-512: SANS Security Leadership Essentials For Managers with Knowledge Compression    4/15/10 to 4/21/10
SEC-566: 20 Critical Security Controls – In Depth    5/17/10 to 5/21/10

Register online, by emailing sales@sans.org, or by calling (301) 654-SANS (7267).

The DC404 meeting is this Saturday, December 19th @ 2PM at the Vortex Midtown. Nick Owen will be presenting on “WiKiD Two-factor Auth and Securing Network Access with Open Source Solutions”. For more information and directions, go to dc404.kaos.to or simply Google DC404.

Vulnerabilities of Interest:

  1. Mozilla Firefox and SeaMonkey are affected by a spoofing vulnerability. An attacker could exploit this issue to place a legitimate-looking but invalid URL in the location bar and inject HTML and JavaScript into the body of the webpage. To exploit this issue, an attacker must entice an unsuspecting user to view a maliciously crafted web document.
  2. Xpdf is prone to multiple integer-overflow vulnerabilities. Exploiting these issues may allow remote attackers to execute arbitrary code in the context of an affected application or cause denial-of-service conditions. A commercial proof of concept is available through VUPEN Security – Exploit and PoCs Service. A separate proof of concept is publicly available and known to be circulating in the wild.
  3. Winamp is prone to multiple integer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied input. Attackers may leverage these issues to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions. These issues affect versions *prior to* Winamp 5.57. A commercial proof of concept is available through VUPEN Security – Exploit and PoCs Service.
  4. Zen Cart is prone to a security vulnerability that may allow attackers to obtain sensitive information or delete the application’s database. An attacker can exploit this issue via a browser to view files in the context of the webserver process and to delete the application’s database. Successful exploits may lead to further attacks.
  5. WHMCS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Attackers can use a browser to exploit this issue. The following is an example URL: http://www.example.com/weblink_cat_list.php?bcat_id=-1+UNION+SELECT+1,GROUP_concat(id,0x3a,username,0x3a,password),3,4+from+user
  6. WP-Forum WordPress plugin is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Versions prior to WP-Forum 2.4 are vulnerable. Attackers can use a browser to exploit these issues. The following URL strings are available:

    http://www.example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0

    http://www.example.com/blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=1&t=.0

    http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=0

    http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=2.0&delete_topic&topic=3%20and%201=1

    http://www.example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=0

    http://www.example.com/blog/?page_id=3&wpforumaction=viewtopic&t=1.0&sticky&id=1%20and%201=1

    http://www.example.com/blog/?page_id=3&wpforumaction=viewforum&f=1.0&delete_topic&topic=5%20or%201=1

    Exploit code is available in the wild.

  7. OSSIM is prone to multiple vulnerabilities that attackers can leverage to execute arbitrary commands because the application fails to adequately sanitize user-supplied input. Successful attacks can compromise the affected application and possibly the computer. These issues affect OSSIM 2.1.5; other versions may be affected as well. The following URL strings are available:

    http://www.example.com/ossim/sem/wcl.php?uniqueid=1;ls%20%3E%20/tmp/listing

    http://www.example.com/ossim/sem/storage_graphs.php?uniqueid=;ls%20%3E%20/tmp/listing;

    http://www.example.com/ossim/sem/storage_graphs2.php?uniqueid=;ls%20%3E%20/tmp/listing;

    http://www.example.com/ossim/sem/storage_graphs3.php?uniqueid=;ls%20%3E%20/tmp/listing;

    http://www.example.com/ossim/sem/storage_graphs4.php?uniqueid=;ls%20%3E%20/tmp/listing;

  8. Quick Heal AntiVirus is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges, resulting in a complete compromise of the affected computer. Quick Heal AntiVirus 2010 is vulnerable; other versions may also be affected.  An attacker can use readily available command-line utilities to exploit this issue.
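Items 5 through 7 above all arrive as query-string parameters: a UNION SELECT in bcat_id, the 1=0/1=1 tautology pairs in the WP-Forum id and topic parameters, and shell metacharacters in the OSSIM uniqueid parameter. As an added example that is not part of the original show notes, the following Python script scans Apache-style access-log lines for those same patterns so the probing can be spotted in web logs; the log lines, client addresses and timestamps are constructed, and only the request paths mirror the advisories.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache-style access-log lines (hypothetical clients); the request
# paths mirror the advisories above, and the last line is benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Dec/2009:14:02:11 -0500] "GET /weblink_cat_list.php?bcat_id=-1+UNION+SELECT+1,GROUP_concat(id,0x3a,username,0x3a,password),3,4+from+user HTTP/1.1" 200 512
10.0.0.6 - - [18/Dec/2009:14:03:40 -0500] "GET /blog/?page_id=3&wpforumaction=editpost&id=1%20and%201=0&t=.0 HTTP/1.1" 200 3301
10.0.0.7 - - [18/Dec/2009:14:05:02 -0500] "GET /ossim/sem/wcl.php?uniqueid=1;ls%20%3E%20/tmp/listing HTTP/1.1" 200 77
10.0.0.8 - - [18/Dec/2009:14:06:15 -0500] "GET /blog/?page_id=3&wpforumaction=viewtopic&t=1.0 HTTP/1.1" 200 4410
"""

REQUEST_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)')

# (rule name, regex run against the percent-decoded value of each query parameter)
RULES = [
    ("sqli-union", re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"\b(and|or)\s+1\s*=\s*[01]\b", re.I)),
    ("cmd-injection", re.compile(r"[;|`]\s*\w+|\$\(|[<>]\s*/")),
]

def query_params(url):
    """Yield (name, value) pairs, decoded; split only on '&' so a ';' in a
    value (the OSSIM case) stays inside that value."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        yield unquote_plus(key), unquote_plus(value)

def scan_url(url):
    """Return [(param, rule)] for every rule a decoded parameter matches."""
    hits = []
    for param, value in query_params(url):
        for name, rx in RULES:
            if rx.search(value):
                hits.append((param, name))
    return hits

def scan_log(text):
    """Return [(client, path, param, rule)] for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line
        for param, rule in scan_url(m["url"]):
            findings.append((m["client"], urlsplit(m["url"]).path, param, rule))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("client=%s path=%s param=%s rule=%s" % f)
```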

News Items of Interest:

News item 1: http://www.neowin.net/news/main/09/12/16/us-and-russia-hold-secret-talks-on-fighting-cyber-crime?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+neowin-main+(Neowin.net+Main+News)
An update to our earlier news item on the U.S. joining the UN talks on cybersecurity: the U.S. has apparently also been in secret talks with Russia. This may be directly related to the Albert Gonzalez attacks involving Russian citizens.

News item 2: http://www.csoonline.com/article/511269/Hackers_Take_Twitter_Offline_Again?source=rss_news
Twitter went offline for a while Friday after hackers calling themselves the Iranian Cyber Army apparently managed to change DNS records, redirecting traffic to another Web page. Whether Iranian hackers are responsible for the attack wasn’t immediately clear. However, Twitter and other Internet sites have been used by Iranian opposition groups and protestors to share details of anti-government protests in that country.

Twitter blamed the outage on changes made to the company’s DNS (Domain Name System) records, which match the company’s domain name with the IP addresses of its servers.

“Twitter’s DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon,” Twitter said on its Twitter Status page.

News item 3: http://government.zdnet.com/?p=6507
According to Doug Hanchard at ZDNet, regulators such as the CRTC, Ofcom and the FCC should be concerned with the opening up of wireless phone operating systems. The article goes on to argue that regulators should have a set of standards and verification tools to verify the software code on a phone, and that it must be LOCKED DOWN prior to release. Because a wireless phone has access to both communications platforms – the public switched telephone network (PSTN) and the internet – the danger is significant, and no software application should be released without vetting its ability to withstand attacks to and from the user’s device. There is a genuine threat to the national security of every country’s phone network. There should be penalties for software applications that create vulnerabilities impacting the telephone network.

News item 4:  http://www.theregister.co.uk/2009/11/11/hooksafe_rootkit_protection/
Researchers at North Carolina State University and a researcher from Microsoft released a hypervisor-based system called “HookSafe.” http://www.sigsac.org/ccs/CCS2009/techprogram.shtml (Session 17). HookSafe relocates kernel hooks in a guest OS to a page-aligned memory space. HookSafe successfully prevented nine “real-world” rootkits targeting an Ubuntu 8.04 guest with only a 6% reduction in performance benchmarks. In the test, HookSafe achieves this protection by relocating 5,881 kernel hooks across 41 physical pages, some of them in the dynamic kernel heap. Their paper: http://discovery.csc.ncsu.edu/pubs/ccs09-HookSafe.pdf

Notes: By leveraging hardware-based virtualization support to intercept and validate write attempts to hardware registers, HookSafe has hardware register protection capabilities, which in turn defeat attempts to overwrite HookSafe’s protected memory. The paper assumes that the system is trusted at boot, that a trustworthy hypervisor can subsequently be securely loaded, and that the runtime integrity of the hypervisor is maintained. So while HookSafe can potentially resolve and protect the kernel hooks that it relocates, it doesn’t address VMBRs (Virtual Machine Based Rootkits) or SMBRs (System Management Mode Based Rootkits). Check out the Press and Resources sections over at http://invisiblethingslab.com for more information on VMBRs and SMBRs. BlackHat paper from ’08 on SMM Rootkits: http://www.eecs.ucf.edu/~czou/research/SMM-Rootkits-Securecom08.pdf. For information on VMBRs, you might want to check out SubVirt (remember the “Blue Pill” discussions?).

News item 5: http://blog.seattlepi.com/microsoft/archives/188706.asp
Anti-COFEE tool DECAF revealed as spoof.  Two developers said they created a tool, called DECAF, that compromises Microsoft’s COFEE computer-forensics tool by killing its processes, disabling a computer’s connection ports and even conjuring up fake MAC addresses.

It’s fake.

The developers posted an explanatory video, highlighted DECAF’s supposed features, promised pie-in-the-sky updates (such as the ability to send DECAF a text message to trigger “Lockdown Mode”) and appealed to expert developers for help in making better forensics tools.

All works represented here are compiled from various sources (email, IRC, forums, and original author/websites). If the original work is copyrighted it is presented under the fair use of a copyrighted work, Copyright Act of 1976, 17 U.S.C. § 107, for purposes of criticism, comment, news reporting, teaching, and research. No use is directly intended as an infringement of copyright. Attribution is always given to the original source, if known. To have any copyrighted material removed, please contact isdpodcast[at]isdpodcast[dot]com.