Resources

  • Efficient Padding Oracle Attacks on Cryptographic Hardware – hal.inria.fr
    Stealing RSA private keys from hardware using oracle attacks in a few hours.
  • JSLR – thespanner.co.uk
    Cross-Site Scripting (XSS) has been around for ages – with first incidents being reported in the late nineties. Despite the attack technique not being the most complex of all, XSS is not only still around in 2011 but has gained incidence and gravity. In many real life attacks XSS was used as an entry-door for other exploits, such as the successful source code compromise against the Apache Foundation and several attacks against code management systems and Intranet systems.
  • Escaping Restricted Linux Shells – pen-testing.sans.org
    The purpose of this article is to create a better resource for penetration testers to assist them when confronted with a restricted shell. In no way will this be an exhaustive account of all techniques, but instead, I’m going to cite several of the most applicable and effective techniques in this handy reference document.

Tools

  • CERT Failure Observation Engine 1.0 Released – cert.org
    These strategies are similar to those used in other dumb fuzzers such as zzuf and fuzz. Because these mutators work at a binary level, they work best against binary file formats. Copy, an additional “strategy,” doesn’t actually fuzz the seed file, but can be useful for testing a new config or triaging known crashing test cases.
  • IDA Toolbag – thunkers.net
    As promised, now that our SummerCon talk is over, we’re releasing the IDA Toolbag version 1.0. You can fetch it here.
  • Vivisect Release – visi.kenshoto.com
    So, I’ve finally created some shared resources for vdb/vivisect! The vdb/vivisect wiki (and shortly, a bug/ticket system!) Check out the /releases directory for the latest vdb releases! The new vivisect release dir is /releases/vivisect with the same user/pass as before.
  • TheRook/subbrute – github.com
    subbrute – A python subdomain bruteforce tool for pentesters.

Techniques

  • Tips for Pen Testers on Exploiting the PHP Remote Execution Vulnerability – pen-testing.sans.org
    As you probably know by now, a remote execution vulnerability in PHP (CVE-2012-1823) was published a couple of weeks ago (http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/). This vulnerability only affects those servers where PHP is configured as a CGI script. Although it is not the default configuration in the majority of the systems, there are some well known services such as Facebook that use PHP as a CGI.
  • IPMI: Hacking servers that are turned “off” – isc.sans.edu
    One of the challenge in managing large server farms remotely is how to deal with crashed / hanging servers once the operating system no longer responds. The classic answer is usually a mix of serial consoles, maybe KVM over IP devices and remote power switches.

Vendor/Software Patches

  • Critical Security Fixes for Adobe Flash Player – krebsonsecurity.com
    Adobe has released a critical update to its Flash Player software that fixes at least seven security vulnerabilities in the program. The new version also extends the background updater to Mac OS X users browsing the Web with Mozilla Firefox.

Vulnerabilities

  • Flame
    • Microsoft certification authority signing certificates added to the Untrusted Certificate Store
      – blogs.technet.com
      Today, we released Security Advisory 2718704, notifying customers that unauthorized digital certificates have been found that chain up to a Microsoft sub-certification authority issued under the Microsoft Root Authority. With this blog post, we’d like to dig into more technical aspects of this situation, potential risks to your enterprise, and actions you can take to protect yourself against any potential attacks that would leverage unauthorized certificates signed by Microsoft.
    • Microsoft releases Security Advisory 2718704
      – blogs.technet.com
      We recently became aware of a complex piece of targeted malware known as “Flame” and immediately began examining the issue. As many reports assert, Flame has been used in highly sophisticated and targeted attacks and, as a result, the vast majority of customers are not at risk. Additionally, most antivirus products will detect and remove this malware.
    • Flame: Before and After KB271870 – blog.didierstevens.com
      You probably know Microsoft issued security advisory KB2718704 to revoke Microsoft certificates present in the certificate chain of a signed Flame component.
    • Microsoft Update and The Nightmare Scenario – f-secure.com
      About 900 million Windows computers get their updates from Microsoft Update. In addition to the DNS root servers, this update system has always been considered one of the weak points of the net. Antivirus people have nightmares about a variant of malware spoofing the update mechanism and replicating via it.
    • Flame malware collision attack explained – Security Research & Defense – Site Home – TechNet Blogs
      – blogs.technet.com
      When we first examined the Flame malware, we saw a file that had a valid digital signature that chained up to a Microsoft Root authority. As we reviewed this certificate, we noticed several irregularities.
    • Crypto breakthrough shows Flame was designed by world-class scientists – arstechnica.com
      The Flame espionage malware that infected computers in Iran achieved mathematic breakthroughs that could only have been accomplished by world-class cryptographers, two of the world’s foremost cryptography experts said.
  • Passwords Leaked
    • 6.46 million LinkedIn passwords leaked online – zdnet.com
      More than 6.4 million LinkedIn passwords have leaked to the Web after an apparent hack. Though some login details are encrypted, all users are advised to change their passwords.
    • LinkedIn vs. password cracking – erratasec.blogspot.com
      I’m running through the LinkedIn password hashes right now, so I thought I’d do a live blog of the steps I’m doing. As I do each step, I’ll update this blog live. When you reach the end, chances are good I’ll be updating it again in a few hours.

    • Confirmed: LinkedIn 6mil password dump is real – erratasec.blogspot.com
      Today’s news is that 6 million LinkedIn password hashes were dumped to the Internet. I can confirm this hack is real: the password I use for LinkedIn is in that list.
    • Analysis of Passwords Dumped from LinkedIn – cyberarms.wordpress.com
      I love taking a look at dumped passwords and analyzing them with Pipal by DigiNinja. Pipal is a great analytical program that takes a password dump and looks for patterns, including password lengths and complexities.
    • eHarmony member passwords compromised – news.cnet.com
      Dating site eHarmony confirmed today that passwords used by its members were compromised following reports of references to the site among allegedly stolen passwords that were posted to a hacker site.

Other News