Week 34 in Review – 2012

Event Related

  • BsidesLA Slides/Code – atenlabs.com
    So I whipped up a talk recently to give at BSidesLA about how to stack tools voltron-style together and get some pretty gnarly successes. Here are some light talking points to give you an idea of what the subject matter was, but I should let the slides do most of the talking for me (though they may be slightly vague without the video, which isn’t up at the time of this writing).

Resources

  • JBOSS Exploitation – resources.infosecinstitute.com
    JBoss Application Server is an open-source Java EE-based application server. JBoss is widely used and is deployed by many organizations on their web servers. Various vulnerabilities and bugs have been found in JBoss, but today we will have a look at one of the most critical bugs in the JBoss application that can be widely exploited.
  • Automated Static Malware Analysis with Pythonect – blog.ikotler.org
    About 5 months ago I released the first version of Pythonect – a new, experimental, general-purpose high-level dataflow programming language based on Python, written in Python.
    It aims to combine the intuitive feel of shell scripting (and all of its perks like implicit parallelism) with the flexibility and agility of Python.
  • I accidentally the whole private key. – nzinfosec.com
    RuggedCom’s gear has a fairly well concealed immutable private RSA key packed up in its firmware. Accidentally showed it on screen at BSidesLA last Friday.
  • All Your Password Hints Are Belong to Us – blog.spiderlabs.com
    This past weekend I ended up coming into the SpiderLabs office and “nerded out” with my good friend Ryan Reynolds to follow-up on the research we released at DEFCON and BlackHat this year. As some of you may already know, our research was focused on corruption of LM and NTLM password hashes when they were extracted from the Windows registry (specifically, the SAM) by many tools.
  • CTF: Capture the Flag – 6dev.net
    Walkthroughs and Debriefings by Sofian Brabez
  • Help Review Code for the Cryptography and Code Breaking Book – inventwithpython.com
    The programs all implement classic cryptographic ciphers (Caesar cipher, simple substitution, etc.) as well as programs that can crack them. I’m posting it for public review so people can make any suggestions for edits.

Techniques

  • Mainframe
    • Y’all encountered a Mainframe and didn’t even know it! – mainframed767.tumblr.com
      So it’s very likely you’ve encountered a Mainframe in your security scans, pentests or whatever and didn’t even know it. Over the last few weeks I’ve been using some googlefu to find mainframes that are internet accessible. No surprises, but it’s mostly university mainframes (plus some government and some corporations).
    • Mainframe Screen Grabbin’ – mainframed767.tumblr.com
      I decided to release the script I wrote to grab mainframe logon screens. I made it a little prettier and added a 1-host-only mode. Eventually I’d like to add a TOR proxy to it, but it works well enough for now. You can get it at my github: https://github.com/mainframed/MFScreen
  • Hiding Your Shells – securepla.net
    I’ve been working on a couple of little of side projects and finally had a couple hours to sit down and test some things out. I’m always looking for better ways to hide my reverse shells (and of course meterpreter) and evade anti-virus. Through some of the conferences I recently attended, here are a couple of new techniques.
  • Bypassing CAPTCHAs by Impersonating CAPTCHA Providers – blog.opensecurityresearch.com
    CAPTCHA service providers validate millions of CAPTCHAs each day and protect thousands of websites against the bots. A secure CAPTCHA generation and validation ecosystem forms the basis of the mutual trust model between the CAPTCHA provider and the consumer. A variety of damage can occur if any component of this ecosystem is compromised.
  • NFTF: Bypassing Group Policy Denied Command Prompt – blog.owobble.co.uk
    This is an old trick, but I ended up doing it the other day just for kicks; it will only work on 32-bit systems at the moment (edit.exe is a 16-bit editor and won’t run on a 64-bit OS).
  • Plaintext Caching With IOS Document Interaction APIs – blog.gdssecurity.com
    The iOS Document Interaction APIs provide applications with the ability to have another application installed on the device handle a file. The most common scenario of this behavior is the Mail application. The Mail application receives emails which may contain document files like PDFs as attachments.
  • Using Nmap to find Local Admin – pentestgeek.com
    While conducting penetration tests I almost always obtain user credentials; sometimes in cleartext, and other times just the hash. If you’re like me, you’ve often wondered where you have local Administrative privileges with these credentials. If you haven’t checked out Joseph Pierini’s blog post here, I highly suggest you check it out before continuing.

Tools

  • Findbugs v2.0.1 The Java Code Analyzer available – sourceforge.net
    Findbugs looks for bugs in Java Programs. It is based on the concept of bug patterns.
  • New tool PyInjector Released – Python Shellcode Injection – trustedsec.com
    A while back Bernardo Damele showed a cool method for utilizing an executable to deliver alphanumeric shellcode straight into memory. This was an awesome attack vector and allowed AV and other security mechanisms such as HIPS to be circumvented extremely easily.
  • kautilya – code.google.com
    Kautilya is a toolkit which provides various payloads for the Teensy device which may help in breaking into a computer. The toolkit is written in Ruby.
  • ASEF: The Android Security Evaluation Framework – code.google.com
    ASEF (Android Security Evaluation Framework): an open source project to perform security analysis of Android apps by various security measures.
  • Microsoft’s Free Security Tools – Threat Modeling – blogs.technet.com
    This article in our series focused on Microsoft’s free security tools is on the Security Development Lifecycle (SDL) Threat Modeling Tool.
  • Update: Artillery 0.6 – svn.secmaniac.com
    Artillery is a combination of a honeypot, monitoring tool, and alerting system. It is an open-source Python driven tool for making it difficult for attackers to hit your network. Attackers utilize predefined patterns in most cases for attacking systems and servers. Artillery takes advantage of that by making vulnerabilities and exposures look like they are existent when they are really not there. When the attacker goes after a given port, Artillery sends random data back to the attacker then bans them permanently.
  • No source? No problem… – blog.mdsec.co.uk
    When performing any kind of product assessment, it is always preferable to have the source code. However, in the real world we all know that this isn’t always possible and as a security consultant we have to be prepared to use both static and dynamic analysis to reverse engineer what a product is doing.

Vendor/Software Patches

  • Adobe Flash Player
    • New Adobe Flash Player Update Fixes 6 Flaws – krebsonsecurity.com
      For the second time in a week, Adobe has shipped a critical security update for its Flash Player software. This patch, part of a planned release, closes at least six security holes in the widely-used browser plugin, and comes just one week after the company rushed out a fix for a flaw that attackers were already exploiting in the wild.
    • Security updates available for Adobe Flash Player – adobe.com
      Adobe has released security updates for Adobe Flash Player 11.3.300.271 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.11 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.10 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
    • Adobe Flash Player Exploit CVE-2012-1535 Now Available for Metasploit – community.rapid7.com
      Recently, a new Adobe Flash vulnerability (CVE-2012-1535) was being exploited in the wild as a zero-day in limited targeted attacks, in the form of a Word document. The Metasploit team managed to get our hands on the malware sample, and began our voodoo ritual in order to make this exploit available in the Metasploit Framework.
  • Microsoft Security Advisory (2743314) – technet.microsoft.com
    Microsoft is aware that detailed exploit code has been published for known weaknesses in the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). The MS-CHAP v2 protocol is widely used as an authentication method in Point-to-Point Tunneling Protocol (PPTP)-based VPNs. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
  • Inject-Shellcode Update – exploit-monday.com
    I just released an updated version of Inject-Shellcode. Significant portions of the code have been cleaned up and its parameters were simplified. While I hate to change the original interface, there were several redundancies in the original parameters that didn’t make any sense. Here is the changelog for this release.
  • Registry Decoder 1.4 Released and Updated Registry Decoder Live – dfsforensics.blogspot.com
    We are writing to announce updates to both Registry Decoder and Registry Decoder Live.
  • Windows Kernel Intel x64 SYSRET Vulnerability + Code Signing Bypass Bonus – repret.wordpress.com
    I’ve just tested the exploit on Windows 2008 R2 SP1 x64, exploit works like a charm without any modification.
  • Bypassing EMET 3.5’s ROP Mitigations – repret.wordpress.com
    I have managed to bypass EMET 3.5, which was recently released after the Microsoft BlueHat Prize, and wrote a fully-functioning exploit for CVE-2011-1260 (I chose this CVE randomly!) with all of EMET’s ROP mitigations enabled.

Other News

  • Did Bush’s Broadband Deregulation Upend His Own NSA Wiretapping? – wired.com
    As Congress prepares to reauthorize the controversial FISA Amendments Act of 2008 — which effectively legalized the notorious warrantless wiretap program launched by President Bush — much about the law remains shrouded in secrecy: The National Security Agency has refused to give legislators even a rough estimate of how many Americans’ communications have been swept up in the digital dragnet.
2017-03-12T17:39:45-07:00 August 27th, 2012 | Security Conferences, Security Tools, Security Vulnerabilities