Week 1 in Review – 2013

Event Related

• 29C3
• 29C3: When USB memory sticks lie – h-online.com

  USB memory sticks are thought to be among the less exciting hardware components – simple storage media that have many uses and function the same way in almost any hardware environment.

• 29C3: Budget mobile turns into GSM base station – h-online.com

  Belgian hacker Sylvain Munaut presented a proof of concept at the 29th Chaos Communication Congress (29C3) in Hamburg on Saturday.

Resources

• A prototype model for web application fingerprinting: w3 scrape – resources.infosecinstitute.com

  Web application fingerprinting is one of the most important aspects of the information gathering phase of ethical hacking. This allows us to narrow down the criteria instead of playing around with a large pool of possibilities. Fingerprinting simply means identification of objects using a certain methodology.

• bAdmin Project – The “bad admin” project – whitehatsec.com

  WhiteHat provides this informational database as a public service to all members of the Web Security Community.

• 10 Skills Needed to be a Successful Pentester – blog.securiteam.com

  Mastery of an operating system. I can’t stress how important it is. So many people want to become hackers or systems security experts, without actually knowing the systems they’re supposed to be hacking or securing.

• Password Analysis of Journal News LoHud Subscriber Database Dump – cyberarms.wordpress.com

  As usual, I like to take sanitized lists (user account information stripped) of public password dumps and analyze them for password strength and patterns.

• Root Certificate Authority research – 0xdabbad00.com

  asteriskpound on reddit has pointed out a flaw in how I determine the root certifcate, and how I calculate the length of the certificate. The flaw is that I thought that the last certificate in the “certificate chain” from openssl’s output would always be the root of the chain, but actually this “chain” can be very broken (as is the case with me thinking www.olivenoel.com had 21 certificates in it’s chain).

Tools

• Be Off the Beaten XPath, Go Blind – blog.spiderlabs.com

  XPath (XML Path Language) is a language used to query XML documents in order to extract data. XML files are commonly used to store information on the server and particularly configuration settings.

• Jingle BOFs, Jingle ROPs, Sploiting all the things with Mona v2!! – corelan.be

  Ho Ho Ho friends, It has been a while since we posted something on the Corelan Team blog, I guess we all have been busy doing … stuff and things, here and

• Padding oracle attacks: in depth – skullsecurity.org

  This post is about padding oracle vulnerabilities and the tool for attacking them – “Poracle” I’m officially releasing right now. You can grab the Poracle tool on Github!

• Username Anarchy – morningstarsecurity.com

  This is useful for user account/password brute force guessing and username enumeration when usernames are based on the users’ names. By attempting a few weak passwords across a large set of user accounts, user account lockout thresholds can be avoided.

• Pentest Geek WordPress Pingback Portscanner Metasploit Module – pentestgeek.com

  The latest version of WordPress, version 3.5 was recently released on December 11, 2012. This latest version of WordPress comes pre-packaged with the XML-RPC interface enabled by default.

Techniques

• Assessing iOS Applications – setting up a test environment and grabbing low hanging fruit – blog.spiderlabs.com

  This guide should serve as an introduction for those wishing to get into iOS application security testing.

• Getting Terminal Access to a Cisco Linksys E-1000 – blog.spiderlabs.com

  Over the past couple weeks, I’ve been spending a lot of time hacking on various embedded devices to figure out how they work and perhaps identify a couple vulnerabilities in the process.

• Look Back on 2012s Famous Password Hash Leaks – Wordlist, Analysis and New Cracking Techniques – blog.thireus.com

  Nowadays, different hacking communities around the World publish their leaks on various online paste Web Services like Pastebin, Paste2.org, and others. The most usual target’s vulnerability is SQL Injection.

• Running Code From A Non-Elevated Account At Any Time – scriptjunkie.us

  You may have found yourself in a situation where you have access to a system through a limited user account, or could not or did not want to bypass UAC (AlwaysOn setting for example) and you needed to continue running code even when the account logged off and/or the system rebooted (and even if you don’t have the account’s password).

• Reversing a Malicious Word Document – resources.infosecinstitute.com

  In this post, I am going to explain in detail how to go about reversing an exploit with which one can easily insert his/her own payload, providing an exploit sample is available. I have taken exploit sample CVE 2010-3333 in order to complete this exercise.

• Dissecting a CVE-2012-4792 Payload – blog.spiderlabs.com

  A little while ago I was fortunate enough to get ahold of a sample that was dropped on a system after it was infected via the exploit outlined in CVE-2012-4792.

• Realtime iOS Filesystem Monitoring – Installing and Using filemon.ios – securityaegis.com

  For the longest time a big struggle with doing mobile application assessments on iOS has been monitoring applications as they drop files to the file system.

Vendor/Software Patches

• ColdFusion servers
• Serious security threat for #ColdFusion servers, not covered by hotfixes – carehart.org/blog

  Hey folks, there’s a fairly serious security threat out in the wild, and you may want to check if your server’s been hit. (It may be old news to some, but for now it’s hitting people in the past week or so.)

• Part 2: Serious security threat for #ColdFusion servers, not covered by hotfixes – Charlie Arehart’s Blog – carehart.org

  Since I posted my entry earlier today about a Serious security threat for #ColdFusion servers, not covered by hotfixes, I have had many questions and discussions which lead me to share more info.

• Security Advisory for ColdFusion – adobe.com

  There are reports that these vulnerabilities are being exploited in the wild against ColdFusion customers. Note that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled or have no password set.

• Happy New Year Analysis of CVE-2012-4792 – blog.exodusintel.com

  A new year has arrived and, although a little late, the time has come for me to unpack the present that Santa gave to the Council on Foreign Relations this Christmas. Quite a few blogs have already been written in this issue that has gotten CVE-2012-4792, including one by Microsoft, but that didnt stop me from doing my own analysis.

Vulnerabilities

• SQL injection vulnerability hits all Ruby on Rails versions – h-online.com

  An SQL Injection vulnerability has been found in Ruby on Rails that affects all versions of the web framework. The problem was originally discovered by a researcher who used it to bypass Ruby on Rails user authentication

• EMET 3.5: The Value of Looking Through an Attacker’s Eyes – isc.sans.edu

  So it’s probably worth talking about the recent IE 8.0 0-day. While the use-after-free exploit specifically targets IE 6 through IE 8 web browsers, its worth of mentioning because of its widespread use in targeted attacks seen in the US, China, and Taiwan.

• New year and new CA compromised – isc.sans.edu

  In december 24 2012, google detected a non-authorized certificate for the google.com domain. After investigations, it was confirmed that Turktrust Inc incorrectly created two subsidiary certificate authorities: *.EGO.GOV.TR and e-islam.kktcmerkezbankasi.org.

• what’s the deal with the cisco phone eavesdropping hack? – terminal23.net

  A few weeks ago a new physical attack against Cisco phones was announced

  [YouTube clip]. A few days ago, this was detailed further in a 29C3 presentation by Ang Cui and Michael Costello [YouTube clip].
• iOS Hubris Security Aegis – securityaegis.com

  This is absurd people. I have seen a few articles recently praising iOS6 for its security. It’s become a bit of broken record lately.