Events Related:
- Save the date: 23 & 24 Sept 2011 – brucon.org
For those who like to plan ahead, keep Friday and Saturday 23 & 24 September 2011 free.
- BSidesOttawa Schedule Confirmed! – andrewhay.ca
BSides Ottawa is fast approaching and today we can share the schedule of superb talks that cover a broad spectrum of Information Security subjects.
- WACCI Digital Forensics (Part 2) – sans.org
The day began with a light breakfast followed by a few conference announcements. There were to be no keynote speeches that day, so next up were the breakout sessions.
Resources:
- CIS Apple iPhone Benchmark v.1.2.0 – cisecurity.org
This document, Security Configuration Benchmark for Apple iOS 4.1.0, provides prescriptive guidance for establishing a secure configuration posture for the Apple iOS version 4.1.0.
- Free Online Course & Downloads – benchmarkdevelopment.mitre.org
The PowerPoint briefing slides below are used in MITRE’s E-Learning Benchmark Development Course.
- Verizon PCI Report is Out – chuvakin.blogspot.com
Organizations struggled most with requirements 10 (track and monitor access), 11 (regularly test systems and processes), and 3 (protect stored cardholder data).
- Cross-site scripting explained (video) – itsecuritylab.eu
Actually it’s a live scenario of persistent XSS exploitation, so it may be quite interesting for you to watch as well.
- DEF CON 18 Talks – Video is Live! – djtechnocrat.blogspot.com
DEF CON 18 talks with the speaker video and slides have been processed and posted.
- The Open Checklist Interactive Language (OCIL) – scap.nist.gov
The Open Checklist Interactive Language (OCIL) defines a framework for expressing a set of questions to be presented to a user and corresponding procedures to interpret responses to these questions.
- Security Checklists – disa.mil
STIGs and checklists.
Tools:
- Download and execute Script Shellcode on Windows 7 – grey-corner.blogspot.com
I have just released a new version of my Download and Execute Script shellcode which now works on Windows 7.
- Social-Engineering Ninja V0.2 Download – grey0.wordpress.com
Now you can download Social-Engineering Ninja.
- pywebfuzz v0.6.0 – neohaxor.org
There are a few improvements to the file reads happening to retrieve data in the fuzzdb.py module.
- UPDATE: Andiparos v1.0.6! – pentestit.com
Andiparos is a fork of the famous Paros Proxy. It is an open source web application security assessment tool that gives penetration testers the ability to spider websites, analyze content, intercept and modify requests, etc.
- Padbusterdotnet: A Microsoft .NET Framework Padding Attack Tool! – pentestit.com
Padbusterdotnet is a tool that concentrates on exploiting padding attacks on the .NET Ajax Framework.
- NSDECODER – Automated Website Malware Detection Tool – darknet.org.uk
Also, NSDECODER will analyze which vulnerability has been exploited and the original source address of the malware.
- USBsploit 0.3b – Generate Reverse TCP Backdoors & Malicious .LNK Files – darknet.org.uk
PoC to generate Reverse TCP backdoors (x86, x64, all ports), running Autorun or LNK USB infections, but also dumping all USB files remotely on multiple targets at the same time.
- UPDATE: Samurai Web Testing Framework 0.9! – pentestit.com
The Samurai Web Testing Framework is a live Linux environment that has been pre-configured to function as a web pen-testing environment.
- PinDr0p: Voice-routing Call Fingerprint System – marcoramilli.blogspot.com
The PinDr0p analysis can’t produce an IP address or geographical location for a given caller, but once it has a few calls via a given route, it can subsequently recognise further calls via the same route with a high degree of accuracy: 97.5 per cent following three calls and almost 100 per cent after five.
- Exploit Next Generation® SQL Fingerprint™ – code.google.com/p/esf/
The Exploit Next Generation® SQL Fingerprint™ uses well-known techniques based on several public tools that are capable of identifying the Microsoft SQL Server version.
Techniques:
- Java DNS Rebinding + Java Same IP Policy = The Internet Mayhem – mindedsecurity.com
Consider the following points: Java DNS Rebinding: an attacker can point a controlled host to any IP on the web. Java applet same IP Host access: an attacker can read the response of any host which points to the same IP the applet originates from.
- Adobe Shockwave player rcsL – exploit-db.com
There is a 4-byte value in the undocumented rcsL chunk in our sample Director movie and it may be possible to find similar rcsL chunks in other Director samples.
- Upstream Attacks from Distributed Devices – digitalbond.com
Control4 doesn’t necessarily fall into the category of a device that has upstream connectivity, but there are some parallels in the device design that I think are going to present some security challenges for those that do need to communicate back to the local utility company.
- Cracking 14 Character Complex Passwords in 5 Seconds – cyberarms.wordpress.com
One article in March of this year stated that the technique using SSD drives could crack passwords at a rate of 300 billion passwords a second, and could decode complex passwords in under 5.3 seconds.
- Decoding Javascript Hex Encoding – securityonion.blogspot.com
So how does it work? “xxd -r -p” converts from hex to ASCII, but it’s expecting the hex digits to be space delimited.
- [0Day] Moxa MDM Tool 2.1 Buffer Overflow – reversemode.com
The 0day I’m releasing today took exactly 2 minutes to find. Any decent code review or blackbox pentest would have uncovered it, so I assume it didn’t happen before releasing the product.
- In Memory Fuzzing – corelan.be
In memory fuzzing is a technique that allows the analyst to bypass parsers; network-related limitations such as max connections, built-in IDS or flooding protection; and encrypted or unknown (poorly documented) protocols, in order to fuzz the actual underlying assembly routines that are potentially vulnerable.
- How to Add XSSF to Metasploit Framework? – pentestit.com
It contains some interesting payloads (if we may call them that!) – .pdfs that exploit different vulnerabilities to launch cmd.exe on unpatched systems, JAVA vulns and clones of GMail and Facebook.
- Integrating Hydra with Nessus Video – tenablesecurity.com
When installing Hydra on Ubuntu-based systems, here are a few tips to get all of the modules working properly.
- PDF RCE et al. (CVE-2010-3625, CVE-2010-0191, CVE-2010-0045) – xs-sniper.com
Naturally, when a string that looks like a URI is encountered, one of the first things that’s attempted is to point the URI value to a file:// location and observe whether the local file is opened.
- Analysis of multiple exploits – zscaler.com
The JavaScript code is heavily obfuscated. It cannot be de-obfuscated by a simple copy-paste of the code into Malzilla; some of the decoding has to be done by hand.
- Checking for user-agent header SQL injection vulns – holisticinfosec.blogspot.com
As I analyze various web applications in the name of fun or fortune, I am sometimes treated to those little reminders that result in a “doh!”.
- PenTestIT Post Of The Day: Automated detection of CSRF-worthy HTML forms through 4-pass reverse-Diff analysis! – pentestit.com
In general, the majority of vulnerability detection techniques depend on fairly simple injections of strings and subsequent blind pattern matching of the body of the induced HTTP response.
- Peach + someawesome.xml + xml.XmlAnalyzer == Free Pits? – l1pht.com
Fuzzing is a lazy man’s game. We’re like toothless hill people, sitting on the porch of our minds in a rocking chair, a shotgun loaded with crackable data resting soundly on our filthy little laps. Waiting.
- Malicious USB Devices: Is that an attack vector in your pocket or are you just happy to see me? – irongeek.com
Programmable HID USB Keyboard Dongle Devices along with detection and mitigation techniques involving GPO (Windows) and UDEV (Linux) settings.
- Java Applet Same IP Host Access – mindedsecurity.com
By taking advantage of this design issue, if an attacker can control at least one host on a virtual server pool (uploading an applet), it will be possible for the attacker to use an applet against a legitimate user and read all information from the other domains on the same IP.
Vulnerabilities:
- New Shockwave Zero-Day Loose
A security researcher has released an exploit for an unpatched security vulnerability in Adobe’s Shockwave Player, warning that the flaw could be targeted to launch drive-by malware download attacks.
- Security Advisory for Adobe Shockwave Player (APSA10-04) – adobe.com
- Attack Code Published for Adobe Shockwave Zero Day – threatpost.com
- Oracle 10 & 11g exp.exe 0day Stack Overflow – net-ninja.net
- Adobe Shockwave player rcsL chunk memory corruption 0day – abysssec.com
- MS10-070 ASP.NET Auto-Decryptor File Download PoC exploit – hexale.blogspot.com
On average, this exploit should allow you to do the same as the previous one but faster (which is important/desirable in this scenario).
- Linux Kernel Flaw Coughs Up Root Rights – threatpost.com
According to VSR Security, the research outfit that discovered the security hole, Linux installations are only vulnerable if the CONFIG_RDS kernel configuration option is set, and if there are no restrictions on unprivileged users loading packet family modules, as is the case on most stock distributions.
Other News:
- Have you checked the Java? – technet.com
What I discovered was that some of our exploit “malware” families were telling a scary story – an unprecedented wave of Java exploitation.
- Top Ten Most Dangerous Places to Leave Your Social Security Number – mcafee.com
Cases of identity theft are skyrocketing, and 32% of all ID theft victims had their social security number compromised, according to Javelin’s 2010 Identity Fraud Survey Report.
- Metasploit: One Year After The Rapid7 Acquisition – darkreading.com
Pen testers weigh in on whether the deal was a success or a sellout.
- Microsoft: ‘Unprecedented Wave of Java Exploitation’ – krebsonsecurity.com
Java exploits have usurped Adobe-related exploits as attackers’ preferred method for breaking into Windows PCs.
- Apple unbundles Flash Player from Mac OS X; Java next – zdnet.com
The decision to remove Flash Player and Java from the Mac operating system is most likely driven by security considerations.
- PSA: FaceTime beta endangers your Apple ID password and security questions – engadget.com
Turns out there’s a gaping security hole in the FaceTime beta, which allows anyone with access to your computer to change your password without knowing it to begin with.