Week 35 in Review – 2012

Event Related

  • OWASP DC’s Videos – vimeo.com
    Here are all of the videos that OWASP DC has uploaded to Vimeo. Appearances are videos that OWASP DC has been credited in by others.
  • Stripe CTF 2 – Web Challenges – abiusx.com
    I participated in the Stripe CTF Web Attacks and thus far it was the most well designed CTF I have ever encountered (and I have participated in a couple dozen). This is the second Stripe CTF, the first was exploitation based and this one was web based.
  • Exploits 2: Exploitation in the Windows Environment – opensecuritytraining.info
    Must have a basic understanding of the C programming language, as this class will show how C code can be exploited. Must have taken Intro x86 and Exploits 1. Some knowledge of the PE header format from Life of Binaries would be useful as well.
  • WordPress Security – Cutting Through The BS – blog.sucuri.net
    I recently spoke at WordCamp Chicago 2012 and did so on WordPress Security. In this post I’ll share my presentation but also provide context such that it allows the reader to better digest the presentations content.

Resources

  • Just released – Fireeye Advanced Threat Report – 1H 2012 – blog.fireeye.com
    The third issue of the FireEye Advanced Threat Report was released today. We are excited to share this report which contains the latest advanced threat information and new insights into the continued evolution of the cyber threat landscape.
  • Mobile Attack Surface – 1raindrop.typepad.com
    Jim Bird and Jim Manico are working on a new addition to the OWASP Cheat Sheets family, they have a draft cheat sheet on Attack Surface in process. The Attack Surface helps you see where your system can be attacked, from the Cheat Sheet.
  • Teensy USB HID for Penetration Testers – Part 5 – Advanced Windows Payloads of Kautilya – labofapenetrationtester.blogspot.com
    This is the fifth post in the series of Teensy USB HID for Penetration Testers. Sorry for the gap between this and the last post (almost three months). I was not sitting idle though, I released Nishang in between and a new and shiny version of Kautilya is out 🙂
  • The Exploit Magazine 02/2012 – theexploitmag.com
    I would like to invite you to read the brand new, second issue of the Exploit Magazine. As the previous one, this one is totally for free and the issue is available on the webpage for free users. This month’s key figure is our long-time collaborator, top contributor and most zealous supporter – Dan Dieterle.

Techniques

  • Free Shells with Plink and Pageant – room362.com
    Watching Egypt’s talk at DEFCON 20 he mentioned the ability to jump on a system when pageant (PuTTY’s ssh-agent equivalent) is running. So I wanted to figure out the best way to get this going. Here is what I came up with.
  • Cracking Story – How I Cracked Over 122 Million SHA1 and MD5 Hashed Passwords – blog.thireus.com
    It was several months ago, when I (m3g9tr0n) saw a tweet from KoreLogic about a torrent file containing various password hash lists for a total of 146 million passwords. This very big amount of password hashes at first discouraged me, as I only own a classic computer configuration with an AMD Phenom II 4 cores at 3,2 MHz in addition to an ATI/AMD 5770 graphics card. But at least, I really wanted to give them a try because the field of password cracking fascinates me.
  • How I cracked my neighbor’s WiFi password without breaking a sweat – arstechnica.com
    Last week’s feature explaining why passwords are under assault like never before touched a nerve with many Ars readers, and with good reason. After all, passwords are the keys that secure Web-based bank accounts, sensitive e-mail services, and virtually every other facet of our online life. Lose control of the wrong password and it may only be a matter of time until the rest of our digital assets fall, too.
  • Bypassing Microsoft Windows ASLR with a little help by MS-Help – greyhathacker.net
    Exploiting vulnerabilities on Windows 7 is not as easy as it used to be on Windows XP. Writing an exploit to bypass ASLR and DEP on Windows 7 was still relatively easy if Java 6 was installed as it shipped with the non-ASLR msvcr71.dll library. Now that Java 7 has been out for a while hopefully everyone should be using this version as msvcr71.dll does not exist with Java 7.
  • Old School On-target NBNS Spoofing – room362.com

Tools

  • The Social-Engineer Toolkit (SET) v3.7 “Street Cred” has been released. – trustedsec.com
    The Social-Engineer Toolkit 3.7.1 has been released which adds the Java zero day natively to the SET Java applet attack. New video released below! This one was a bit funny, we actually coded the applet to pop up so it looks legit. When they hit cancel, it still executes.
  • rdp-sec-check v0.8 the RDP Service Security Scanner released – labs.portcullis.co.uk
    rdp-sec-check is a tool to remotely check if certain security features of an RDP service (AKA Terminal Services) have been enabled. It does not require authentication, only network connectivity to TCP port 3389.
  • Deviare API Hook Overview – nektra.com
    Deviare API is a professional API hook engine that was designed to create end user products. Intercepting applications is a complex task which can take place in many different scenarios. We continually test all these scenarios to avoid unpleasant crashes that might cause the end user to uninstall your product. Most popular hook engines do not address these issues. Although they work in many situations, a truly professional hook engine must work in all situations.

Vendor/Software Patches

  • Java 7
    • Java 7 Applet RCE 0day Gondvv CVE-2012-4681 Metasploit Demo – eromang.zataz.com
      Vulnerability found exploited in the wild and discovered by Michael Schierl
      First details of the vulnerability on 2012-08-26
      Source code of the vulnerability provided by jduck on 2012-08-26
      Metasploit PoC provided on 2012-08-27
    • Java 7 0-Day vulnerability information and mitigation. – deependresearch.org
      The purpose of this post is not to provide the vulnerability analysis or samples, but to offer additional information that may help prevent infections on some targeted networks. We all know what kind of damage Java vulnerabilities can cause if used in drive by exploits or in exploit packs.
    • Let’s start the week with a new Java 0-day in Metasploit – community.rapid7.com
      On late Sunday night, the Metasploit Exploit team was looking for kicks, and heard the word on the street that someone was passing around a reliable Java 0-day exploit. Big thanks to Joshua J. Drake (jduck), we got our hands on that PoC, and then once again, started our voodoo ritual. Within a couple of hours, we have a working exploit. Download Metasploit here, and apply the latest update to pick up the exploit.
    • Attackers Pounce on Zero-Day Java Exploit – krebsonsecurity.com
      News of the vulnerability (CVE-2012-4681) surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6.
    • New Java 0day – erratasec.blogspot.com
      In usual 0day style, a Java vuln is available that works on both Windows and Linux as a Metasploit module. I wanted to see for myself. The Windows 7 client didn’t have Java enabled by default so I had to turn it on.
    • New Java Zero-Day Vulnerability (CVE-2012-4681) – symantec.com
      Yesterday, FireEye documented a Java zero-day vulnerability (CVE-2012-4681) in the wild that is thought to have been used initially in targeted attacks. Symantec is aware that attackers have been using this zero-day vulnerability for at least five days, since August 22.
    • Are you vulnerable to the latest Java 0-day exploit? (Updated) – research.zscaler.com
      You may be aware that a 0-day vulnerability in the latest version of Java is presently being exploited on the Web. This vulnerability affects all versions of Java 1.7 (aka Java 7). Oracle has not yet released a fix and if they stick to their quarterly patch cycle, one isn’t likely to emerge until October.
    • Java 0day analysis (CVE-2012-4681) – immunityproducts.blogspot.com
      A couple of days ago, a Java 0day was found running like crazy in the wild. While a lot of defense bunnies were asking “WWMAD” (What will my Antivirus do?), we decided to dive into Java for the details of the vulnerability and as we expected, the unpatched vulnerabilities used in the Gondvv exploit were more than one (When we said, “dive deep into Java”, we actually meant open our new Infiltrate 2013 Master Class slide deck which will include a full day of Java auditing).
    • Researchers find critical vulnerability in Java 7 patch hours after release – computerworld.com
      Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.
    • Critical bug in newest Java gives attackers complete control of PCs – arstechnica.com
      Researchers said they’ve uncovered a flaw in the Java 7 update released by Oracle on Thursday that allows attackers to take complete control of end-user computers.
    • Here we go again: Critical flaw found in just-patched Java – theregister.co.uk
      Security Explorations, the Polish security startup that discovered the Java SE 7 vulnerabilities that have been the targets of recent web-based exploits, has spotted a new flaw that affects the patched version of Java released this Thursday.
  • EIP-2012-0001: When wrapping it up goes wrong… – blog.exodusintel.com
    The issue was discovered in EMC NetWorker in a remotely accessible SunRPC service running as SYSTEM on Windows-based installations. The affected process is the nsrd.exe executable whose description states it is responsible for “save and recover operations, gathering statistics, and maintaining the NetWorker resource database.”
  • The Shylock “LNK” Awakening – symantec.com
    A new development observed in the sophisticated financial banking Trojan.Shylock highlights the ongoing evolution of this threat. Shylock, a threat first observed by Trusteer in September 2011, was named after a character in the Shakespeare play the ‘Merchant of Venice’ due to quotes from the play being found in the original binary code.
  • ALuigi 0216 Story – aluigi.org
    This vulnerability (and accompanying exploit) was detailed in our Exodus Intelligence feed and distributed to our customers in June.
  • A technical analysis on CVE-2012-1535 Adobe Flash Player vulnerability: Part 2 – blogs.technet.com
    To avoid being vulnerable, you need to update Adobe Flash Player to the latest release from here. Recent versions of Adobe Flash Player offer a Background Updater feature, which you should enable. To protect users from immediate, zero-day vulnerabilities, Adobe provides security updates automatically, in the background, to users who have enabled the background update feature. For more information on Background Updater and to determine whether it is enabled on your machine, you can read this article.
  • Skipfish-2.08b Update – code.google.com
    Skipfish is a fully automated, active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Vulnerabilities

  • UPEK Fingerprint Readers: a Huge Security Hole – blog.crackpassword.com
    Most laptops today ship with a fingerprint reader. Most likely, you have a laptop with one. Until very recently, most major manufacturers such as Acer, ASUS, Dell, Gateway, Lenovo, MSI, NEC, Samsung, SONY, Toshiba, and many others were using fingerprint readers manufactured by a single company: UPEK.
  • Content hosting for the modern web – googleonlinesecurity.blogspot.com
    Our applications host a variety of web content on behalf of our users, and over the years we learned that even something as simple as serving a profile image can be surprisingly fraught with pitfalls. Today, we wanted to share some of our findings about content hosting, along with the approaches we developed to mitigate the risks.
  • Top-Level Universal XSS – superevr.com
    A flaw in Internet Explorer could expose users to JavaScript exploits and Universal XSS by abusing the way the browser classifies websites into specific security zones.

Other News

  • Impressions as a customer/employee/professional about infosec consultancies? – reddit.com
    Specifically, I’m looking for your impressions on how they do with pentesting or application assessment work, though if you have experience with other consulting work from companies like this (Forensics? Architecture?) I’m sure someone would be interested.
  • Inside Huawei, the Chinese tech giant that’s rattling nerves in DC – news.cnet.com
    A congressional committee wants to know whether this telecommunications powerhouse is a national security threat. Why? CNET went to China to find out.
  • Videos Show Hackers Refining Hotel Lock Trick That Opens Millions Of Rooms – forbes.com
    When lock maker Onity first responded last month to news that a hacker’s exploit could open millions of its keycard locks installed on hotel room doors around the world, it downplayed the attack on its hardware as “unreliable, and complex to implement.” It seems the hacker community took that statement as a challenge.
  • Air Force Openly Seeking Cyber-Weapons – threatpost.com
    The Air Force Life Cycle Management Center (AFLCMC) posted a broad agency announcement [PDF] recently, calling on contractors to submit concept papers detailing technological demonstrations of ‘cyberspace warfare operations’ (CWO) capabilities.
  • Research and tools not certs – trustedsignal.blogspot.com
    People ask me about certifications and whether or not they will be beneficial, either in terms of knowledge gained or for career advancement.
  • Governments and banks still using weak MD5-signed SSL certificates – news.netcraft.com
    Netcraft’s August 2012 SSL Survey shows there are 1,300 websites still using SSL certificates that have been signed using the cryptographically weak MD5 digest algorithm. This algorithm is demonstrably vulnerable to several types of attack, including collision attacks.
September 3rd, 2012 | Security Conferences, Security Tools, Security Vulnerabilities