Week 37 In Review – 2013

Resources

• Video Tutorial: Introduction to XML External Entity Injection – community.rapid7.com
  This video introduces XML injection to achieve XML external entity injection (XXE) and XML based cross site scripting (XSS).
• Errata Security’s blog
  • We scanned the Internet for port 22 – blog.erratasec.com
    Errata Security scanned the entire Internet for port 22 — the port reserved for “SSH”, the protocol used by sysadmins to remotely log into machines. Unlike their normal scans of port 80 or 443, this generated a lot more “abuse” complaints, so Robert Graham thought He’d explain the scan.
  • Masscan: the entire Internet in 3 minutes – blog.erratasec.com
    Robert thought he’d write up some notes about his “masscan” port mapper. Masscan is the fastest port scanner, more than 10 times faster than any other port scanner.
• 44CON Presentation – Additional Resources – shadow-file.blogspot.com
  Zach included a single slide with a link to this post. Here you’ll find links to additional resources that he may have referenced in his talk.

Tools

• BurpCSJ extension release – blog.malerisch.net
  Roberto Suggi Liverani released a new Burp Pro extension which integrates Crawljax, Selenium and JUnit. Download link is available here.
• Introducing SpearPhisher – A Simple Phishing Email Generation Tool – trustedsec.com
  SpearPhisher is a simple point and click Windows GUI tool designed for (mostly) non-technical people who would like to supplement the education and awareness aspect of their information security program. Not only is it useful to non-technical folks, penetration testers may find it handy for sending quick and easy ad-hoc phishing emails.
• OWASP ZAP 2.2.0 is out  – code.google.com
  The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

Techniques

• Stealing passwords every time they change – carnal0wnage.attackresearch.com
  Rob Fuller created an installer and “evil pass filter” that basically installed itself as a password filter and any time any passwords changed it would store the change to a log file locally to the victim (in clear text) as well as issue an HTTP basic auth POST to a server he own with the username and password.The full code can be found in his blog post.
• Changing proxychains’ “hardcoded” DNS server – carnal0wnage.attackresearch.com
  If you’ve ever used proxychains to push things through Meterpreter, one of the most annoying things is its “hardcoded” DNS setting for 4.2.2.2, if the org that you are going after doesn’t allow this out of their network, or if you are trying to resolve an internal asset, you’re SOL. There isn’t much magic here other than knowing that this file exists, but /bin/proxyresolv is a bash script that calls “dig” using TCP and the DNS server specified so it goes through the proxychains. Here is what it looks like.
• The Windows Flaw That Cracks Amazon Web Services  – slashdot.org
  Some code tinkering allows you to copy data from Amazon Web Services (or another hosting provider) without the data’s owner realizing what’s going on. Here are the possible steps for making that happen.
• Automated SQL Injection Detection  – arneswinnen.net
  SQL Injection is still a common web application vulnerability these days, despite the fact that it’s already around for ages. However, because of limited adoption of best security practices by web application developers and, more importantly, the default use of parameterized queries in popular DB frameworks such as LINQ, SQL Injection is slowly becoming less prevalent in the wild.
• How did I get a root shell in my NAS, 0day inside  – blog.pentbox.net
  One day, Alberto Ortega realized that his firmware version was outdated so he decided to update it to the latest version. One thing led to another, and he end up with a root shell in the device, here is how.
• Cloning an Infrared Disarming Remote of a Consumer Grade Home Security System  – volvent.blogspot.com.au
  This blog post looks at a cheap home security system purchased from E-Bay and ways of defeating it by cloning the remote that disarms it. This post can also serve as a taster for Silvio’s Ruxcon talk in October.
• 64bit Pointer Truncation in Meterpreter – buffered.io
  The purpose of this post is to document the process and resolution of a bug that OJ Reeves have helped resolve since joining. He also aim to lift the lid on Meterpreter a little and help expose how some bits of it work. Hope you enjoy.

Vendor/Software Patches

• Adobe, Microsoft Push Critical Security Fixes  – krebsonsecurity.com
  Adobe and Microsoft each separately released a raft of updates to fix critical security holes in their software. Adobe pushed patches to plug holes in Adobe Acrobat/Reader and its Flash and Shockwave media players. Microsoft released 14 13 patch bundles to fix at least 47 security vulnerabilities in Windows, Office, Internet Explorer and Sharepoint.
  • Adobe September 2013 Black Tuesday Overview – isc.sans.edu
• Lovely tokens and the September 2013 security updates – blogs.technet.com
  This week microsoft released 13 bulletins–four Critical and nine Important–which addressed 47 unique CVEs in Microsoft Windows, Office, Internet Explorer and SharePoint. In the second Tuesday of the month comes a round of “lovely tokens” to help protect their customers.
  • Microsoft Security Advisory (2755801) – technet.microsoft.com
  • Microsoft Security Bulletin Summary for September 2013 – technet.microsoft.com
  • Microsoft September 2013 Black Tuesday Overview – isc.sans.edu

Vulnerabilities

• Installing Dropbox? Prepare to lose ASLR. – codeinsecurity.wordpress.com
  Graham Sutherland showed that the Dropbox extension DLL doesn’t have the ASLR flag set. How much of an impact does it have on the security of system?
  • interesting conversation around it – www.reddit.com
• WordPress < 3.6.1 PHP Object Injection – vagosec.org
  Vagosec shown here that WordPress contains a PHP Object Injection vulnerability. He exploited it and then discussed briefly about the fix by WordPress.

Other News

• The Geeks on The Frontlines – rollingstone.com
  Inside a darkened conference room in the Miami Beach Holiday Inn, America’s most badass hackers are going to war – working their laptops between swigs of Bawls energy drink as Bassnectar booms in the background. After decades of seeming like a sci-fi fantasy, the cyberwar is on!
• Wi-Fi isn’t radio!? – blog.kismetwireless.net
  The 9th Circuit Court of Appeals has ruled that Google can be prosecuted for the capturing of wireless data by Street view cars. The most controversial aspect of the ruling is the declaration that Wi-Fi isn’t radio.
  • Google must stand trial for Wi-Fi data grab, appeals court rules – arstechnica.com
  • The full text of the rule in pdf – uscourts.gov
• E-ZPasses Get Read All Over New York (Not Just At Toll Booths) – forbes.com
  A man in New Jersey became obsessed with the loss of privacy for vehicles on American roads. (He’s not the only one.) The man, who goes by the Internet handle “Puking Monkey,” did an analysis of the many ways his car could be tracked and stumbled upon something rather interesting: his E-ZPass, which he obtained for the purpose of paying tolls, was being used to track his car in unexpected places, far away from any toll booths.