Events Related
- CanSecWest
Event debriefing
- CanSecWest, a decade later and still growing – privasectech.com
- CanSecWest 2011 day 1 – the-interweb.com
- CanSecWest 2011 day 2 – the-interweb.com
- CanSecWest 2011 day 3 – the-interweb.com
- Highlights of CanSecWest Day 1 – blogs.mcafee.com
- Highlights of CanSecWest Day 2 – blogs.mcafee.com
- Understanding and Exploiting Flash Vulnerabilities – blog.fortinet.com
- CanSecWest Presentations – research.phreedom.org
- CodeGate 2011 YUT Quals – ppp.cylab.cmu.edu
The problems consisted of web vulnerabilities, forensics, cryptography, binary reversing, and some problems related to security topics that had been in the news.
- Pwn2Own 2011
What went down and various news bits
- Researcher chains three exploits to take down IE8 at Pwn2Own – computerworld.com
- Google’s Chrome untouched at Pwn2Own hackmatch – computerworld.com
- Safari, IE hacked first at Pwn2Own – computerworld.com
- iPhone, BlackBerry tumble to Pwn2Own hackers – computerworld.com
- Pwn2Own 2011: no one goes after Chrome – h-online.com
- Pwn2Own Day 2: iPhone and BlackBerry hacked – h-online.com
- Hacker kills his own Pwn2Own bug for Android phones – theregister.co.uk
- IE8, Safari, iPhone, BlackBerry exploited in Pwn2Own contest – news.cnet.com
- Pwn2Own Winner Stephen Fewer – threatpost.com
- Apple Safari and Internet Explorer 8 Go Down at Pwn2Own, iPhone Up Next – threatpost.com
- iPhone, BlackBerry Fall on Second Day of Pwn2Own – threatpost.com
- Why Pwn2Own Is What’s Right With Security – threatpost.com
- Safari, MacBook first to fall at Pwn2Own 2011 – zdnet.com
- BlackBerry falls to webkit browser attack – zdnet.com
- Charlie Miller wins Pwn2Own again with iPhone 4 exploit – zdnet.com
- Pwn2Own considered (somewhat) harmful – lcamtuf.blogspot.com
Resources
- RootedCon 2011 “WCE Internals” presentation available at slideshare – hexale.blogspot.com
Check out my presentation on “WCE Internals” (based on WCEv1.1) available at slideshare.
- 11th WhiteHat Website Security Statistic Report – whitehatsec.com
WhiteHat Security’s 11th Website Security Statistics Report presents a statistical picture gleaned from over five years of vulnerability assessment results taken from over 3,000 websites across 400 organizations under WhiteHat Sentinel management.
- PenTest Execution Standard
The point behind all of this is a simple goal of raising the bar of penetration testing and how it’s performed.
- Penetration Testing Execution Standard wiki – pentest-standard.org
- PTES – Penetration Testing Execution Standard – zonbi.org
- Android Market Security Tool – globalthreatcenter.com
The “Android Market Security Tool” performs a number of tasks on the handset to remove all remnants of the infections before deleting itself.
- Browser Exploitation for Fun & Profit Revolutions – blog.taddong.com
Each episode content somehow builds on the topics and knowledge covered on the previous episodes, trying to minimize the overlap, except for the most important messages and goals I wanted to address with this initiative.
- Stack Based Buffer Overflow Tutorial
This tutorial, in three parts, will cover the process of writing a simple stack based buffer overflow exploit based on a known vulnerability in the Vulnserver application.
- Part 1 Introduction – resources.infosecinstitute.com
- Part 2 Exploiting the Stack overflow – resources.infosecinstitute.com
- Part 3 Adding shellcode – resources.infosecinstitute.com
Tools
- WCE v1.1 is out! – hexale.blogspot.com
Windows Credentials Editor (WCE) allows to list logon sessions and add, change, list and delete associated credentials.
- Metasploit Framework 3.6.0 Released! – blog.metasploit.com
In coordination with Metasploit Express and Metasploit Pro, version 3.6 of the Metasploit Framework is now available.
- Agnitio v1.2 – darknet.org.uk
Agnitio is a tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way.
- AntiSamy 1.4.4 released! – i8jesus.com
The biggest move of this release is to officially change the default parser/serializer from the DOM engine to the SAX engine.
- BeEF v0.4.2.3-alpha! – code.google.com
BeEF, the Browser Exploitation Framework is a professional security tool provided for lawful research and testing purposes.
- iAnalizer: An Integrity Analyzer for SAP! – onapsis.com
Though this tool was talked about last year at the BlackHat security conference, it is only now that the tool is being released for download.
- Analyzing PDF exploits for finding payloads used – research.zscaler.com
In this blog, we will examine yet another in the wild PDF exploit which has hidden its malicious code under different objects.
- This Is Not the Android Market Security Tool You Are Looking For – intrepidusgroup.com
We have been actively following and analyzing the spate of Android malware in the Android Market place.
Techniques
- Dumpstrings.1sc – blog.didierstevens.com
I wrote another script for my 010 Editor.
- Can You Hack Your Own Site – net.tutsplus.com
We’ve been asked by our client to incorporate into an existing site, a book review system.
- Flash ExternalInterface.call() JavaScript Injection – soroush.secproject.com
According to the Adobe website, ExternalInterface.call() can accept a JavaScript function name as the first argument and a string which would be sent to that JavaScript function.
- SMBRelay by Oracle – dsecrg.blogspot.com
Our next target is Oracle. Oracle is one of the most widespread RDBMS and many Enterprises use it as backend.
- Hacking GDB – acsu.buffalo.edu
To see how a function in GDB is implemented, seek calls to the following functions in GDB source tree.
- At least, I got DoS – blogs.recurity-labs.com
Due to Wireshark having more than 1,000 different packet dissectors in this directory, I chose a pretty dumb approach to find interesting code parts.
- Hacking crappy password resets (part 1) – skullsecurity.org
For this first part, I’m going to take a closer look at some very common code that I’ve seen in on a major “snippit” site and contained in at least 5-6 different applications.
- How Android/Fake10086 selectively blocks SMS – blog.fortinet.com
In brief, Android/Fake10086.A!tr looks like a handy hotel reservation application, but in the background it communicates with a remote web server and blocks some incoming SMS messages.
- BFF 2.0 ImageMagick Fuzz Run Tutorial – youtube.com
A walk-through of the Basic Fuzzing Framework’s default ImageMagick fuzz run.
Vendor/Software Patches
- Apple issues mammoth security update for Safari browser – nakedsecurity.sophos.com
Apple has released Safari 5.0.4 – the latest version of Apple’s browser software for Windows and Mac users – patching an eye-watering 62 security vulnerabilities in the process.
- March 2011 Microsoft Black Tuesday Summary – isc.sans.edu
Here are the March 2011 Black Tuesday patches. Enjoy!
- VMWare Security Advisories 2011 – vmware.com
VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm.
Vulnerabilities
- Oracle padding attacks – isc.sans.edu
We can see a valid request (HTTP status code 200) and then a series of 500 requests, as well as a single 403 request.
Other News
- Anonymous makes a laughing stock of HBGary – h-online.com
Trying to explain Anonymous is a hopeless undertaking – as a first approximation you can view them as a group of anonymous internet activists.
- Hackers spear-phish, infiltrate French Ministry of Finances – arstechnica.com
The break-in was reported in Paris Match, and has since been confirmed by Minister of Budget François Baroin.
- With hacking, music can take control of your car – itworld.com
By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse.
- Making Sport of browser security, hackers topple IE, Safari once again – theregister.co.uk
Contestants in a high-stakes hacking contest had no trouble toppling the Apple Safari and Microsoft Internet Explorer browsers.
- Green Skimmers Skimming Green – krebsonsecurity.com
To combat an increase in ATM fraud from skimmer devices, cash machine makers have been outfitting ATMs with a variety of anti-skimming technologies.
- Router-rooting malware pwns Linux-based network devices – megapanzer.com
Security researchers have discovered a rare strain of router-rooting malware that targets network devices running either Linux or Unix.
- Hackers versus Apple: An interview with Charlie Miller and Dino Dai Zovi – h-online.com
Heise’s new Mac & i magazine recently interviewed Charlie Miller and Dino Dai Zovi, co-authors of “The Mac Hacker’s Handbook” about Apple security and how to compromise it.