Resources
- Verizon Data Breach Investigations Report – verizonenterprise.com
The 2014 Data Breach Investigations Report (DBIR) casts new light on threats — taking 10 years of forensic data and finding that 92% of these can be categorized into nine basic attack patterns. This approach also helps identify primary threats to your industry, which you can analyze to reinforce your defenses.
- Stolen Passwords Used In Most Data Breaches – darkreading.com
Findings from the new and much-anticipated 2014 Verizon Data Breach Investigations Report (DBIR) show that two out of three breaches involved attackers using stolen or misused credentials.
- DBIR: Point-of-Sale Breaches Trending Downward – threatpost.com
The DBIR points out that point-of-sale intrusions were a declining threat among the 1,367 breach investigations conducted by Verizon and data submitted by 50 global law enforcement and private organizations. While retailers and small enterprises were still a prime target for cybercrime, point-of-sale attacks accounted for 14 percent of the breaches in the report, down from a high of more than 30 percent in 2011 and 2012.
- Kansa: Get-Started – trustedsignal.blogspot.com
Last week davehull posted an introduction to Kansa, the modular PowerShell live response tool he's been working on in preparation for his presentation at the SANS DFIR Summit. That post was a high-level overview; this one will dive in.
Tools
- DIBF Tool Suite – isecpartners.github.io
Introducing iSEC Partners' Windows driver testing suite. The source, binaries and example output are available here under the GPLv2 license. Currently three tools are included.
- Kautilya 0.4.5 – Reboot Persistence, DNS TXT exfiltration and more – labofapenetrationtester.com
This update of Kautilya introduces reboot persistence for HTTP Backdoor, DNS TXT Backdoor and Keylogger. The payloads for Windows have been rearranged into five categories, making the menu clearer.
- oclHashcat v1.20 – hashcat.net
Latest version of oclHashcat is available now. Download it from here.
Techniques
- Hacking the Java Debug Wire Protocol – or – “How I met your Java debugger” – blog.ioactive.com
In this post, Christophe Alladoum will explain the Java Debug Wire Protocol (JDWP) and why it is interesting from a pentester's point of view. This post provides techniques and exploitation code that should not be used against vulnerable environments without prior authorization.
- Symantec Endpoint Protection Manager – CVE-2013-1612 – Remote Buffer Overflow – PoC – funoverip.net
The PoC code simply overwrites EIP using a SEH-based technique. Unfortunately, due to memory protection mechanisms, FoIP wasn't able to create a stable exploit with this technique, since all modules are compiled with the /SafeSEH flag and the workarounds he knew of proved useless.
Vendor/Software patches
- Struts2 zero day in the wild – www3.hp.com
Several months ago the Struts2 team announced security vulnerability S2-020, which allowed ClassLoader manipulation resulting in Remote Code Execution on certain application servers like Tomcat 8. The fix for this vulnerability was to disallow the use of the following regex in the action parameters.
- Announcements – struts.apache.org
The Apache Struts group is pleased to announce that Struts 2.3.16.2 is available as a "General Availability" release.
Vulnerabilities
- OpenSSL code beyond repair, claims creator of “LibreSSL” fork – arstechnica.com
OpenBSD developers removed half of the OpenSSL source tree in a week. OpenBSD founder Theo de Raadt has created a fork of OpenSSL, the widely used open source cryptographic software library that contained the notorious Heartbleed security vulnerability.
- ssl-heartbleed.nse mod – blog.didierstevens.com
This modification is not necessary. You can force a script to run on all open ports, regardless of the result of the portrule function, by prefixing the script name with a +.
- Privilege Escalation Vulnerability in Cisco ASA's SSL VPN – blog.spiderlabs.com
Trustwave SpiderLabs security researcher Jonathan Claudius has discovered a privilege escalation vulnerability in Cisco ASA's SSL VPN service. This vulnerability allows any user with an established VPN session to gain full administrative access to the ASA device.
- Microsoft discloses zero day in all versions of Internet Explorer – www.zdnet.com
Late Saturday Microsoft revealed a vulnerability in all versions of Internet Explorer that is being used in "limited, targeted attacks." They are investigating the vulnerability and exploit and have not yet determined what action they will take in response or when.
- New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks – fireeye.com
FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11.
- Zero-Day Internet Explorer Vulnerability Let Loose in the Wild – symantec.com
Symantec is aware of reports of a zero-day vulnerability, Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2014-1776), that affects all versions of Internet Explorer. Symantec Security Response encourages users to temporarily switch to a different Web browser until a patch is made available by the vendor.