Week 24 in Review – 2012


Event Related

  • Recon 2012 Review – Exploit the Magic School Bus to Success – infosecalways.com
    Hands down, Day 1 of Recon, the Magic Bus by Travis Goodspeed and Sergey Bratus, took the show. Great informational and entertaining presentation! I encourage anyone to check out the hardware Travis has developed and his papers if you are into understanding key security issues with the Bus.

Resources

  • F5 BIG-IP
    • F5 BIG-IP Remote Root Authentication Bypass Vulnerability – packetstorm.foofus.com
      Quick script written by Dave Kennedy (ReL1K) for F5 authentication root bypass: http://www.secmaniac.com
    • F5 BIG-IP SSH Private Key Exposure – packetstorm.foofus.com
      This file is part of the Metasploit Framework and may be subject to redistribution and commercial restrictions. Please see the Metasploit web site for more information on licensing and terms of use.

    • F5 BIG-IP remote root authentication bypass Vulnerability – trustmatta.com
      Vulnerable BIG-IP installations allow unauthenticated users to bypass authentication and login as the ‘root’ user on the device.

    • Scanning for Vulnerable F5 BigIPs with Metasploit – community.rapid7.com
      F5 has published a patch for this issue, but you can bet that many users will be unaware of the issue, and even those that are aware may not want to take down their load balancer to apply it (applying the fix does not result in any downtime, as stated in the comments below). The private key is likely still on a large number of production appliances and any attacker with access to a virtual or physical appliance can extract the key.

    • BIG-IP network appliances remote access vulnerability – h-online.com
      Networking equipment specialist F5 Networks is warning users about a security vulnerability in its network appliances – including its flagship BIG-IP family of products – that could allow a remote attacker to gain root access via SSH on some devices.

  • CVE-2012-2122 checker – pastie.org
    This is a script of CVE-2012-2122 checker created by Joshua J. Drake.
  • Metadata: The Hidden Treasure – resources.infosecinstitute.com
    In this article we are going to learn about the information hidden in the documents, files present in the public domain which could be sensitive from security perspective and also how to deal with it.

  • Directory Traversal Pentest Sheet – vulnerability-lab.com
    A lot of people asked us regarding our directory traversal pentest sheet for a fuzzer or own scripts. To have some good results you can use the following list with automatic scripts, software or for manually pentesting. This list goes out to all friends, nerds, pentester & exploiters. Please continue the List and we will update it soon.

  • backtrack-scripts – code.google.com
    Custom bash scripts used to automate various pentesting tasks.

  • SSH Tricks And More! Presented By Kyle Young [GR-ISSA] (4-20-12) – zitstif.no-ip.org
    What was covered in this presentation: SSH basics, offensive uses of SSH, defensive uses of SSH, automating SSH through scripting languages, a brief history of SSH, setting up a poor man’s VPN, using SSH with IPv6, attacks on SSH and more!
  • IPv6 Sets Stage For New Security Issues, Part II – blog.fortinet.com
    What kind of threats can we expect to see targeting IPv6 down the road? Thus far, the comprehensive launch of the new Internet protocol is just days old, and no one has a crystal ball. However, there are a few security issues that we can expect to tackle in the not too distant future, according to Patrick Bedwell, Fortinet vice president of products.

  • IObit Protected Folder Authentication Bypass – resources.infosecinstitute.com
    From time to time I come across various security tools and utilities and sometimes I enjoy analysing them in order to evaluate their effectiveness, especially if they are not given for free. In order to be clear, I am not saying that a free security tool shouldn’t be secure, especially if it claims to be.

  • Teaching the Security Mindset – schneier.com
    In 2008 I wrote about the security mindset and how difficult it is to teach. Two professors teaching a cyberwarfare class gave an exam where they expected their students to cheat.

Tools

  • mwielgoszewski / jython-burp-api – github.com
    Burpy is an ISC Licensed library, written in Jython, Java and Python. Burpy exposes a Jython interface to the popular Burp Suite web security testing tool, as an alternative to Buby for those testers who prefer Python over Ruby.
  • Oyedata Tool – mcafee.com
    Oyedata by McAfee Foundstone is an intuitive GUI based tool to analyze and perform black-box security testing on OData implementations.

  • Released RemoteDLL v2 – Simple Tool to Inject or Remove DLL from Remote Process – nagareshwar.securityxploded.com
    Finally I am happy to write this post on the mega version of RemoteDLL.

  • Introducing Metasploitable 2 – community.rapid7.com
    I am happy to announce the release of Metasploitable 2, an even better punching bag for security tools like Metasploit, and a great way to practice exploiting vulnerabilities that you might find in a production environment.

  • Checking out BackTrack Linux 5r2-PenTesting Edition Lab – blog.rootcon.org
    What’s a BackTrack Linux 5r2-PenTesting Edition Lab? What’s with the edition thingy? Isn’t BackTrack 5 a pentesting distro already? Why make a pentesting edition?
  • escanner Escalation Pentesting Tool – theprojectxblog.net
    escanner is a small tool that helps you thread-scan file(s)/directories recursively for possible vulnerability to insecure file permissions that could result in local privilege escalation due to some misconfiguration by the operating system, software vendors or users.

  • Stiltwalker – dc949.org
    Stiltwalker is a proof of concept tool that defeats Google’s reCAPTCHA with an insanely high accuracy (99%). We have released all of our research, code, tools and examples used in the reCAPTCHA domination. You can get the slides here (or here to get the mp3s as well) and the video is at the bottom of the page.

Techniques

  • Getting Started with GNU Radio and RTL-SDR (on Backtrack) – blog.opensecurityresearch.com
    In this blog post I’ll aim to get you at least partially familiar with Software Defined Radio, the Realtek RTL2832U chipset, and provide Backtrack 5 R2 setup and usage instructions so that you can easily get off to a good start.

  • Using Nmap to Screenshot Web Services – blog.spiderlabs.com
    I’ll walk you through installing the pre-requisites, then we’ll take this for a test drive by running a penetration testing scenario. For this exercise, I’ll assume that you’re using BackTrack 5.

  • Parsing Nessus CSV Reports with PowerShell – darkoperator.com
    Recently on the Pauldotcom Podcast, Paul was mentioning how he uses awk, cut and other bash tools to process a Nessus CSV report file and format the host output so he could use it in another tool. I saw his command and thought I would do it in PowerShell for kicks, since PowerShell turns each row into an object I can manipulate.

  • Reverse engineer an obfuscated .Net application – travisaltman.com
    Some of the concepts I’ll be covering will be new to some people and may be hard to understand, but others who are familiar with this field will find the concepts simple. Hopefully, no matter what your comfort level or experience, you’ll get something out of this.

Vendor/Software Patches

  • Microsoft
    • Microsoft Patches 26 Flaws, Warns of Zero-Day Attack – krebsonsecurity.com
      Microsoft today released updates to plug at least 26 separate security holes in its Windows operating systems and related software. At the same time, Microsoft has issued a stopgap fix for a newly-discovered flaw that attackers are actively exploiting.

    • Microsoft Security Bulletin MS12-036 – Critical: Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939) – technet.microsoft.com
      This security update resolves a privately reported vulnerability in the Remote Desktop Protocol. The vulnerability could allow remote code execution if an attacker sends a sequence of specially crafted RDP packets to an affected system. By default, the Remote Desktop Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk.

    • Assessing risk for the June 2012 security updates – blogs.technet.com
      Today we released seven security bulletins. Three have a maximum severity rating of Critical and the other four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

    • Microsoft Patch Tuesday – June 2012 – symantec.com
      Hello, welcome to this month’s blog on the Microsoft patch release. This is a larger month—the vendor is releasing seven bulletins covering a total of 27 vulnerabilities.

  • Apple, Oracle Ship Java Security Updates – krebsonsecurity.com
    There must have been some rare planetary alignment yesterday, because the oddest thing happened: Apple and Oracle both shipped software updates for the same Java security flaws on the very same day.

  • SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware – kb.cert.org
    Intel claims that this vulnerability is a software implementation issue, as their processors are functioning as per their documented specifications. However, software that does not take the unsafe SYSRET behavior specific to Intel processors into account may be vulnerable.

Vulnerabilities

  • MySQL
    • Simple authentication bypass for MySQL root revealed – Update – h-online.com
      Exploits for a recently revealed MySQL authentication bypass flaw are now in the wild, partly because the flaw is remarkably simple to exploit in order to gain root access to the database.

    • Trivial Password Flaw Leaves MySQL Databases Exposed – threatpost.com
      There is a trivially exploitable vulnerability in MySQL that enables an attacker to gain root access to the database server. The bug, which recently was patched, stems from an error in the way that MySQL and MariaDB handle passwords, giving an attacker a chance of getting root access by supplying any password to an affected server.

    • CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL – community.rapid7.com
      On Saturday afternoon Sergei Golubchik posted to the oss-sec mailing list about a recently patched security flaw (CVE-2012-2122) in the MySQL and MariaDB database servers. This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -128 to 127 (signed character).

    • Security Vulnerability in MySQL – blog.sucuri.net
      A serious security vulnerability discovered in MySQL was disclosed this weekend. It basically allows anyone to bypass authentication and log in directly into the database. We tried on a few 64-bit Ubuntu systems and were able to replicate the issue (it seems that only 64-bit platforms are affected).

    • Massive MYSQL Authentication Bypass Exploit – secmaniac.com
      There has been a new MYSQL authentication bypass exploit released on seclist here: http://seclists.org/oss-sec/2012/q2/493. It is absolutely trivial to gain root access to a MySQL database at this point. Thanks to jduck for the tweet bringing this to our attention.

    • Security vulnerability in MySQL/MariaDB sql/password.c – seclists.org
      We have recently found a serious security bug in MariaDB and MySQL. So, here, we’d like to let you know what the issue and its impact are. At the end you can find a patch, in case you need to patch an older unsupported MySQL version.

  • Last.fm tell users to change passwords IMMEDIATELY – theregister.co.uk
    Last.fm users are the latest internet community to get the “change your password” message as the music streaming site investigates a “leak of some user passwords”.

  • LinkedIn Passwords Cracked with Pipal Stats – Work in Progress – christophertruncer.com
    I’ve spent the past couple days attempting to crack the hashes from the LinkedIn dump. I’ve used a combination of dictionary and bruteforce methods to discover the plaintext password.

  • Discovery of new “zero-day” exploit links developers of Stuxnet, Flame – arstechnica.com
    Security researchers say they’ve found a conclusive link between the Flame espionage malware and Stuxnet, the powerful cyberweapon that US and Israeli officials recently confirmed they designed to sabotage Iran’s nuclear program.

  • 256-bit AES encryption broken in SandForce SSD controllers – techreport.com
    When SandForce announced the SF-2000 SSD controller family, it touted the controller’s ability to encrypt data with a 256-bit AES algorithm. The previous generation of SandForce controllers did 128-bit AES encryption, but the new chip added a second hardware engine with AES-256 support.

June 18th, 2012 | Security Tools, Security Vulnerabilities | 0 Comments (last modified 2017-03-12T17:39:48-07:00)
