Week 8 In Review – 2014

Events Related

  • Course Review: Offensive Security AWE (Advanced Windows Exploitation) – www.ethicalhacker.net
    In terms of training, Offensive Security is best known for their Pentesting with BackTrack/Kali (PWK) and Cracking the Perimeter (CTP) courses. The course was delivered by its creators, Matteo Memelli and Devon Kearns. Matteo handled all of the speaking responsibilities, and Devon apparently participated solely to increase the intimidation factor.

Resources

  • Responder 2.0 – Owning Windows Networks part 3 – blog.spiderlabs.co
    Responder is a powerful and easy-to-use tool for penetration testers looking to highlight and exploit weaknesses in a number of popular default network configurations. In this post Spiderlabs will review the latest Responder changes, take a closer look at some new features and discuss some popular usage options and configurations.
  • Secure your rsync shares, please. – blog.steve.org.uk
    Recently Steve started doing an internet-wide scan for rsync servers, thinking it might be fun to write a toy search engine/indexer.
  • Verizon 2014 PCI compliance report – verizonenterprise.com
    The Verizon 2014 PCI compliance report is now available. Download the report from the link.
  • Secure Coding Guide – developer.apple.com
  • How To Check If Your Oracle Reports Server Has Been Compromised? – blog.netinfiltration.com
    To start off with, they have been working on a Metasploit module; it is now functioning and will probably be live soon. And by “we” Dana Taylor means herself setting up and helping with the server and someone smarter than her doing the coding.
  • Resolving some trigger GUIDs – trustedsignal.blogspot.com
    How would you use this data in a breach hunt? davehull would begin by stack-ranking the data from many similar systems and looking for outliers that he would mark for follow up investigation.

Tools

  • creds.py – github.com
    Harvest FTP/POP/IMAP/HTTP/IRC credentials along with interesting data from each of the protocols.
  • LANs.py – github.com
    Automatically find the most active WLAN users then spy on one of them and/or inject arbitrary HTML/JS into pages they visit. Technically: multithreaded asynchronous packet parsing/injecting ARP/DNS poisoner.
  • The Credentials Listener – blog.didierstevens.com
    A Lua script for Wireshark that extracts credentials (HTTP and FTP in this release).
  • HQLmap – github.com
    HQLmap is an automatic tool for exploiting HQL injections. The tool is written in Python and is released under the MIT License.
  • WordPress Build Review Tool – labs.portcullis.co.uk
    WordPress-build-review is a tool to check the basic security settings in a WordPress installation. Download the tool from the link inside and uncompress it.

Techniques

  • Bluetooth Recon With BlueZ – blog.lacklustre.net
    Bluetooth devices are all around us and a surprising number of them are left discoverable. In this post Mike Ryan describes techniques for finding discoverable Bluetooth devices and listing the services running on them.
  • Wait a minute… that’s not a real JPG! – blog.spiderlabs.com
    This blog post shows how identifying files with false file signatures can uncover malicious activity on a server. Richard Wells recently discovered credit card data hidden behind a .jpg extension that led him to the work of an attacker capturing credit cards from customers using an online checkout page.
  • From CSV import to cmd.exe – via SQL injection – secforce.com
    This blog post explains the process that Secforce followed in a recent penetration test to gain command execution from a CSV import feature. One of the most challenging issues was that they had to escape commas during the SQL injection attack, as they would otherwise break the CSV structure.
  • JBOSS JMXInvokerServlet Update – breenmachine.blogspot.com
    A few months ago Stephen Breen posted some exploit code that abuses unauthenticated access to the JBOSS JMXInvokerServlet. There were a few problems with his previous method.
  • Pre RSA Conference Demo – Win 8.1 attack machine vs 2012r2 DC w/ Win 8.1 client – passing-the-hash.blogspot.com
    This is the way NTLM works. All authentication operations work on the password hash. Internally the NTLM security provider only saves the username / hash for use during Single Sign On. If it needed more, it would have saved more. Just ask the Digest SSP, which saves the username / plaintext password.
  • Using Burp Intruder to Test CSRF Protected Applications – blog.nvisium.com
    Web applications often implement some form of Cross-site Request Forgery (CSRF) protection, such as a viewstate parameter that is passed through requests, or a per-session nonce. This post will highlight a method for handling these CSRF prevention tokens using Burp Intruder’s Recursive Grep payload.
  • You know how to send my signal — Setting up RFCat from scratch – leetupload.com
    RFCat is a firmware/Python-client combination written by “atlas”. Here the admin of this blog maps out how he “made” his un-flashed CC1111EMK into a fully functional RFCat dongle.

Vendor/Software patches

  • Adobe, Microsoft Push Fixes For 0-Day Threats – krebsonsecurity.com
    For the second time this month, Adobe has issued an emergency software update to fix a critical security flaw in its Flash Player software that attackers are already exploiting. Separately, Microsoft released a stopgap fix to address a critical bug in Internet Explorer versions 9 and 10 that is actively being exploited in the wild.

    • Security updates available for Adobe Flash Player – helpx.adobe.com
      Adobe has released security updates for Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.336 and earlier versions for Linux.
    • Microsoft Security Advisory (2934088) – technet.microsoft.com
      Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 10. Only Internet Explorer 9 and Internet Explorer 10 are affected by this vulnerability.

Vulnerabilities

  • IOActive Lights Up Vulnerabilities for Over Half a Million Belkin WeMo Users – www.ioactive.com
    IOActive, Inc., the leading global provider of specialist information security services, announced that it has uncovered multiple vulnerabilities in Belkin WeMo Home Automation devices that could affect over half a million users. Mike Davis, IOActive’s principal research scientist, uncovered multiple vulnerabilities in the WeMo product set.
  • Time to Harden Your Hardware? – krebsonsecurity.com
    This past week has seen alerts about an unusual number of vulnerabilities and attacks against some important and ubiquitous hardware devices, from consumer-grade Internet routers, data storage and home automation products to enterprise-class security solutions.
  • CVE-2013-5880: Oracle Demantra authentication bypass vulnerability – labs.portcullis.co.uk
    The purpose of this post is to present a technical report of the CVE-2013-5880 vulnerability. This bug was found on a bug hunt weekend.

  • Apple security flaw could allow hackers to beat encryption – news.yahoo.com
    A major flaw in Apple Inc software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said on Friday, and experts said Mac computers were even more exposed.

    • Apple’s SSL/TLS bug – news.ycombinator.com
      Apple pushed a rather spooky security update for iOS that suggested that something was horribly wrong with SSL/TLS in iOS but gave no details. The answer is at the top of the Hacker News thread.
    • Apple’s SSL/TLS bug – www.imperialviolet.org
      Here’s the Apple bug (Quoted from Apple’s published source code).
    • Apple SSL Vulnerability Affects OSX too – threatpost.com
      The certificate-validation vulnerability that Apple patched in iOS yesterday also affected Mac OS X up to 10.9.1, the current version. Several security researchers analyzed the patch and looked at the code in question in OS X and found that the same error exists there as in iOS.
    • Here is a snapshot of Apple Product Security’s email reply regarding this – i.imgur.com

Other News

  • 300,000 usernames and passwords posted to Pastebin – threatpost.com
    More than 300,000 credentials (usernames and passwords) were posted on the clipboard website Pastebin.com in 2013 alone, according to a recent analysis by a Swiss security firm.
  • NTP ATTACKS: Welcome to The Hockey Stick Era – arbornetworks.com
    Although Network Time Protocol (NTP) reflection/amplification attacks have been observed in the wild for many years, they have received an uptick in popularity due to recent high-profile attacks, first in late December 2013 on gaming networks, and again last week in Europe.
  • Hackers Circulate Thousands of FTP Credentials, New York Times Among Those Hit – www.cio.com
    Hackers are circulating credentials for thousands of FTP sites and appear to have compromised file transfer servers at The New York Times and other organizations, according to a security expert.