Week 21 in Review – 2012

Event Related

• HITB2012 Amsterdam Day 1
• HITB2012AMS Day 1 – One Flew Over The Cuckoos Nest – corelan.be
  Claudio Guarnieri, senior researcher at iSight Partner, and part of the Shadowserver Foundation and the HoneyPot project. He works with malware on a daily basis, maintains malwr.com and is the main developer of the Cuckoo Sandbox, which is also the main topic of his talk.
• HITB2012AMS Day 1 – WinRT The Metro-politan Museum of Security – corelan.be
  Sébastien Renaud and Kévin Szkudlpaski start their talk by introducing themselves. They both work as Security Researcher at Quarkslab, focusing on reverse engineering, dissecting network protocols and file formats. They will talk about the Windows Runtime, the foundation for the Metro platform in Windows 8.
• HITB2012AMS Day 1 Intro and Keynote – corelan.be
  After spending a couple of hours on the train, picking up my HITB badge, meeting with some of the organizers and having a great evening hanging out with Steven Seeley, Roberto Suggi Liverani, Nicolas Grégoire, Andy Ellis, Didier Stevens, and some other folks, conference time has arrived.
• HITB Amsterdam Wrap-Up Day #1 – blog.rootshell.be
  The opening keynote was presented by Andy Elis, CEO of Akamai. The keynote title was “Staying ahead of the Security poverty line“. He started with a fact: To measure the quality of your security, just count the number of phone calls you receive outside the business hours!
• HITB2012AMS Day 1 Window Shopping | Corelan Team – corelan.be
  In the last talk of Day 1, Roberto Suggi Liverani and Scott Bell (not present during the presentation), security consultants at Security-Assessment.com, will share the results of some intensive browser bug hunting research, and will drop 5 0days.
• HITB2012 Amsterdam Day 2
• HITB2012AMS Day 2 Attacking XML Processing – corelan.be
  Dressed in a classy Corelan Team T-Shirt, Nicolas Grégoire kicks off his presentation by introducing himself. Nicolas has been asked by a customer to audit some XML-DSig applications 18 months ago and found a number of bugs. This triggered him to do more research on this topic.
• HITB2012AMS Day 2 Taint Analysis – corelan.be
  Nikita explains they have been working on reversing binaries and auditing source code for a long time. Alex currently works on the BitBlaze work, and moved to the US to be able to work on security research in a better way. The presentation is based on work done by Alex and Nikita a while ago, before Alex moved from Ukrain to the US.
• HITB2012AMS Day 2 PostScript Danger Ahead – corelan.be
  Multifunctional Printers (MFPs) care large abuse potential. People send confidential data to these devices. They are part of the internal network, a trusted resource, often have LDAP integration with Active Directory, and usually doesn’t have patch/vulnerability management. In some case, some of these devices are even directly accessible from the internet.
• HITB Amsterdam Wrap-Up Day #2 – blog.rootshell.be
  Do I still need to present him? He came to talk about ”Trust, security and society” which is the topic of his new book. Bruce has always a new book to promote!
• HITB2012AMS Day 2 Ghost in the Allocator – corelan.be
  Steven explains that he wanted to do a talk on the heap manager because it’s often used in mature apps, and knowledge is not widespread (yet). People like Halvar, Ben, Nico, Brett, Chris (and many others) made it cool 🙂
  There’s a couple of heap exploits available (CVE 2012-0003, 2010-3972, 2008-0356, 2005-1009). What they all have in common is that they are quite complex.

Resources

• SQL Injection
• SpiderLabs/SQLol – github.com
  A configurable SQL injection test-bed. Contribute to SQLol development by creating an account on GitHub.
• Advanced SQL Injection with SQLol: The Configurable SQLi Testbed – youtube.com
  a video on Youtube
• From LOW to PWNED
• From LOW to PWNED
  [10] Honorable Mention: FCKeditor – carnal0wnage.attackresearch.com
  FCKeditor is bundled with seems-like everything (ColdFusion, Drupal plugins, WordPress plugins, other random CMSs) and has probably been responsible for countless hacks via file upload issues.

• From LOW to PWNED [11] Honorable Mention: Open NFS – carnal0wnage.attackresearch.com
  Open NFS mounts/shares are awesome. talk about sometimes finding “The Goods”. More than once an organization has been backing up everyone’s home directories to an NFS share with bad permissions. so checking to see whats shared and what you can access is important.
• RSA Secure ID
• A closer look into the RSA SecureID software token – sensepost.com
  Widespread use of smart phones by employees to perform work related activities has introduced the idea of using these devices as an authentication token. As an example of such attempts, RSA SecureID software tokens are available for iPhone, Nokia and the Windows platforms.
• RSA SecureID software token update – sensepost.com
  There has been a healthy reaction to our initial post on our research into the RSA SecureID Software Token. A number of readers had questions about certain aspects of the research, and I thought I’d clear up a number of concerns that people have.
• Our thoughts on the RSA SecurID software token research – blogs.rsa.com
  In the security business, scrutiny by customers, peers and researchers is a fundamental industry principle. RSA embraces this principle — our Public Key Encryption algorithm, for example, has withstood more than 30 years of scrutiny and remains a foundational underpinning for secure e-commerce.
• The Common Vulnerability Reporting Framework (CVRF) v1.1 – icasi.org
  The Common Vulnerability Reporting Framework (CVRF) Version 1.1 was released in May 2012. CVRF is an XML-based language that enables different stakeholders across different organizations to share critical security-related information in a single format, speeding up information exchange and digestion. Enhancements in CVRF 1.1 offer users a more comprehensive and flexible format, while reducing duplication and the possibility of errors.
• Teensy USB HID for Penetration Testers – Part 4 – Kautilya – labofapenetrationtester.blogspot.com
  In third part of this series, we discussed how to write sketches using Arduino and Teensyduino. In this part, let’s have a look at Kautilya. Kautilya is a toolkit written by me which helps in easing usage of Teensy in a penetration test.
• FireEye Malware Intelligence Lab:Even Hackers Don’t Like to Work Weekends: Email Attack Trends from Q1 2012 – blog.fireeye.com
  In our second half (2H) of 2011 Advanced Threat Report, we provided compelling evidence that illustrated a possible correlation between an increase in email-based attacks and national holidays.
• Reading between the lines: Harvesting Credit Cards from ISO8583-1987 Traffic – blog.spiderlabs.com
  Having investigated cardholder data security breaches for a few years now, I have noticed changes in attacker behavior when choosing entities to target.

Tools

• Nmap 6 Release Notes – nmap.org
  The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 6.00 from http://nmap.org/. It is the product of almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009. Nmap 6 includes a more powerful Nmap Scripting Engine, 289 new scripts, better web scanning, full IPv6 support, the Nping packet prober, faster scans, and much more! We recommend that all current users upgrade.
• Mandiant Introduces Reverse-Proxy Open Source Tool – mandiant.com
  Today, Mandiant™ is making available a highly efficient reverse HTTP(S) proxy called simply ‘RProxy™’. We are releasing RProxy as an open sources tool to encourage the general community to participate in its evolution. You can download the tool here.
• TheRook/CSRF-Request-Builder GitHub – github.com
  This is a tool for testing CSRF against web services. Such as RESTful JSON or even SOAP web services.
• Truecrack – code.google.com
  TrueCrack is a brute-force password cracker for TrueCrypt (Copyrigth) volume files. It works on Linux and it is optimized with Nvidia Cuda technology.
• Skipfish version 2.07b – code.google.com
  Skipfish is a fully automated, active web application security reconnaissance tool.
• Medusa 2.1.1 Release – foofus.net
  Medusa 2.1.1 is now available for public download.
• Hooray! An Open-Source Password Analyzer Tool! – MSI :: State of SecurityMSI :: State of Security – stateofsecurity.com
  I’m one of the resident “Password Hawks” in our office. Our techs consistently tell people to create stronger passwords because it is still one of the most common ways a hacker is able to infiltrate a network.

Techniques

• Accessing the native Windows API in PowerShell via internal .NET methods and reflection – exploit-monday.com
  It is possible to invoke native Windows API function calls via internal .NET native method wrappers in PowerShell without requiring P/Invoke or C# compilation. How is this useful for an attacker? You can call any Windows API function (exported or non-exported) entirely in memory. For those familiar with Metasploit internals, think of this as an analogue to railgun.
• Analyzing Binaries with Hopper’s Decompiler – abad1dea.tumblr.com
  This is aimed at beginners in static analysis. The binary we examine is non-malicious and non-obfuscated, and is not run through the highest optimization settings of the compiler. We will start at line one and proceed linearly, just to get a feel for how to read decompiled code.
• wordpress version finder – 0xa.li
  I was thinking about wordpress version enumeration and while the meta generator tag is very explicit but it’s not always showing since some (most?) public/custom themes don’t show that meta tag.
• Automating SQLMap with data from wapiti – volatile-minds.blogspot.com
  Wapiti is really fast at finding possible sql injection points in a web application or website. SQLMap is great at figuring out how to exploit these possible injection points.

Vendor/Software Patches

• Pastemon.pl Upgrade – blog.rootshell.be
  What’s new with this version? First some bug fixes! (yes, I’m writing buggy code!) But there are also new features/options.
• THC-HYDRA version 7.3 – pentestit.com
  THC-HYDRA is a very fast network logon cracker which support many different services. This tool is a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system. THC-HYDRA was tested to compile cleanly on Linux, Windows, Cygwin, Solaris, FreeBSD and OSX.
• Symantec End Point Protection 11.x & Symantec Network Access Control 11.x LCE POC – exploit-db.com
  Symantec End Point Protection 11.x & Symantec Network Access Control 11.x Local Code Execution POC
• A technical analysis of Adobe Flash Player CVE-2012-0779 Vulnerability – blogs.technet.com
  Recently, we’ve seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability. The vulnerability related to this malware was addressed with a recent patch released by Adobe on May 4th. On the Windows platform, Flash Player 11.2.202.233 and earlier is vulnerable. If you’re using vulnerable version, you need to update your Flash Player now to be protected against these attacks.
• SUDOERS Commented Includes used for Evil – room362.com
  Too bad that nmap’s interactive mode was taken out, but there are a great number of other such methods, most notably VI’s shell mode.
• Post Exploitation withPhantomJS – room362.com
  If you have never heard of PhantomJS ( http://phantomjs.org/ ) before, it’s a “Full Web Stack with No Browser Required”, basically it a GUI-less browser. One of the magical “example” files that it has is called “rasterize.js”
• PowerSploit – A PowerShell Post-Exploitation Framework – exploit-monday.com
  After recently reviewing my code for Powersyringe, I realized it was total crap. Although it worked and got the job done in most cases, it was ugly. Also, upon discovering how to achieve true memory-residence when working with Win32 functions, I decided it was time to dismember Powersyringe. Behold… PowerSploit.
• Lab of a Penetration Tester: Fun with Sticky Keys, Utilman and Powershell – blogspot.com
  Recently, carnal0wnage and mubix blogged about sticky keys. I have implemented this in Kautilya and found this usefult during many internal penetration tests.

Vulnerabilities

• WhatsApp Considered Insecure – mathyvanhoef.com
  For my internship I created a methodology to test the security of mobile applications. After I finished it I decided to take a look at WhatsApp and test the methodology I created. Several new vulnerabilities were found, including a very severe one that even affected people not using WhatsApp. But before going into detail let’s first investigate the security history of WhatsApp.
• GPP Password Retrieval with PowerShell – obscuresecurity.blogspot.com
  Last week, I read a great post entitled “Exploiting Windows 2008 Group Policy Preferences” that I wish I saw sooner. The article included a nice Python script to accomplish the task of decrypting passwords that were set using the GPP feature in Windows 2008 domains.

Other News

• Smartphone hijacking vulnerability affects AT&T, 47 other carriers – arstechnica.com
  Computer scientists have identified a vulnerability in the network of AT&T and at least 47 other cellular carriers that allows attackers to surreptitiously hijack the Internet connections of smartphone users and inject malicious content into the traffic passing between them and trusted websites.
• Anonymous hacks Bureau of Justice, leaks 1.7GB of data – zdnet.com
  Anonymous has apparently hacked the United States Bureau of Justice Statistics and posted 1.7GB of data belonging to the agency on The Pirate Bay. This is a Monday Mail Mayhem release.
• Major Airline Reveals Passenger Information – blog.tinfoilsecurity.com
  Something we talk about a lot at Tinfoil is the existence of two mindsets when engineering software: building and breaking. Thinking about security requires a different mindset than building working software.
• FBI quietly forms secretive Net-surveillance unit – news.cnet.com
  CNET has learned that the FBI has formed a Domestic Communications Assistance Center, which is tasked with developing new electronic surveillance technologies, including intercepting Internet, wireless, and VoIP communications.