Category Archives: Vulnerabilities

Exploit status for MS08-067

Filed under Vulnerabilities

I won’t go into detail about the new Microsoft vulnerability…you all know it’s pretty serious, and there are a ton of blogs and websites talking about the dirty details. Hopefully you have all read about it and are getting the word out about patching. However, there are some updates on the status of the currently available exploits for the vulnerability that I found interesting.

Public exploit code?
Yesterday Microsoft posted this update to their blog on the MSRC. Microsoft says that there is currently no public exploit code available. The code they mention that causes a denial of service was the code posted on Milw0rm, I believe. The only working code released so far comes from Immunity CANVAS and Core Impact, if you are a paying customer. Core Impact does mention that the exploit is an early release and may contain bugs or limited functionality (not 100% reliable).

Gimmiv.A – Is it a worm or a trojan?
Don’t let the thought cross your mind that you can perhaps delay patching your systems because public exploit code is not working/available! You still need to patch, as there is malware currently out in the wild (Gimmiv.A) being used in “targeted” attacks. Whether this is a trojan or a worm is up for debate. Microsoft says this is not a worm but a trojan. However, other researchers are saying that this is a worm because of the way it attacks other hosts on a network via RPC. I guess you could call it a “network-aware” trojan, as ThreatExpert mentions. Either way, malware authors are most likely developing more powerful payloads as I write this.

As a final reminder, we all know from past history with RPC vulnerabilities…reliable public exploit code will be out before you know it! Make sure you take your patching seriously…

UPDATE: If you follow HD Moore on Twitter you will see that he has just released MS08-067 PoC code for Metasploit.

Exploit in the wild for the Kaminsky DNS vulnerability

Filed under Vulnerabilities

Looks like the exploit code has been released by HD Moore as a Metasploit module. Hope everyone took the DNS patching requests seriously since we all know Metasploit is really easy to use (yes, especially for script kiddies!).

If you haven’t patched your DNS yet…do it now! Check here for more information and here to check your DNS servers to see if they are vulnerable. If your ISP’s DNS is still vulnerable…change your DNS servers to use OpenDNS!

Has the DNS vulnerability been revealed?

Filed under Vulnerabilities

Perhaps someone has figured it out, or just decided to announce it, but the big DNS vulnerability that Dan Kaminsky told the world about may have been revealed. Apparently a reverse engineer named Halvar Flake was pretty close to figuring out how the vulnerability works. Then someone at Matasano apparently posted the details and then pulled them. Something is going on in the blogosphere…you can find details about the vulnerability on Slashdot and other blogs discussing the post that was on Matasano and then removed:

Via McGrew Security:

“Let’s try again to convince Bob that WWW.VICTIM.COM is 6.6.6.0.

This time though, instead of getting Bob to look up WWW.VICTIM.COM and then beating Alice in the race, or getting Bob to look up WWW.EVIL.COM and slipping strychnine into his ham sandwich, we’re going to be clever (sneaky).

Get Bob to look up AAAAA.VICTIM.COM. Race Alice. Alice’s answer is NXDOMAIN, because there’s no such name as AAAAA.VICTIM.COM. Mallory has an answer. We’ll come back to it. Alice has an advantage in the race, and so she likely beats Mallory. NXDOMAIN for AAAAA.VICTIM.COM.

Alice’s advantage is not insurmountable. Mallory repeats with AAAAB.VICTIM.COM. Then AAAAC.VICTIM.COM. And so on. Sometime, perhaps around CXOPQ.VICTIM.COM, Mallory wins! Bob believes CXOPQ.VICTIM.COM is 6.6.6.0!

Poisoning CXOPQ.VICTIM.COM is not super valuable to Mallory. But Mallory has another trick up her sleeve. Because her response didn’t just say CXOPQ.VICTIM.COM was 6.6.6.0. It also contained Additional RRs pointing WWW.VICTIM.COM to 6.6.6.0. Those records are in-bailiwick: Bob is in fact interested in VICTIM.COM for this query. Mallory has combined attack #1 with attack #2, defeating fix #1 and fix #2. Mallory can conduct this attack in less than 10 seconds on a fast Internet link.”

Meanwhile, Dan Kaminsky posted the following on his blog:

“Patch. Today. Now. Yes, stay late. Yes, forward to OpenDNS if you have to. (They’re ready for your traffic.) Thank you to the many of you who already have.”

This might imply that Matasano has the goods…I hope everyone is patched out there! Things are about to get interesting!

EDIT: Thomas over at Matasano has issued a public apology about the post in question.
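The quoted post hinges on the Additional RRs being in-bailiwick, so a resolver that only filters by bailiwick will still cache them once a forged reply matches the outstanding query. The following added example (my own constructed model, not code from Matasano, Kaminsky or this blog) shows the resolver-side acceptance checks: transaction id, destination port, and bailiwick, plus how much larger the guess space becomes once source ports are randomized, which is what the patches everyone was asked to apply do.

```python
from dataclasses import dataclass, field

@dataclass
class RR:
    name: str
    rtype: str
    data: str

@dataclass
class Response:
    txid: int                     # 16-bit id copied from the query
    dst_port: int                 # UDP port the reply is addressed to
    qname: str
    answer: list
    additional: list = field(default_factory=list)

def in_bailiwick(name: str, zone: str) -> bool:
    """True when name is the zone itself or lies under it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def accept(pending: dict, resp: Response, zone: str):
    """Resolver-side acceptance (constructed model). Returns the RRs that
    enter the cache, or None if the reply does not match the open query."""
    if resp.txid != pending["txid"] or resp.dst_port != pending["port"]:
        return None                       # blind reply guessed wrong
    if resp.qname.lower() != pending["qname"].lower():
        return None
    cached = list(resp.answer)
    cached += [rr for rr in resp.additional if in_bailiwick(rr.name, zone)]
    return cached

def guess_space(port_randomized: bool) -> int:
    """How many (txid, port) combinations a blind reply must guess: 2^16 ids,
    times the ephemeral port range once the resolver randomizes source ports."""
    return 2 ** 16 * ((65535 - 1024) if port_randomized else 1)

# Constructed scenario from the quoted post: a random name under VICTIM.COM is
# queried; the reply carries an in-bailiwick Additional RR for WWW.VICTIM.COM
# and an out-of-bailiwick one that a bailiwick-checking resolver must drop.
PENDING_FIXED_PORT = {"qname": "CXOPQ.VICTIM.COM", "txid": 0x4A1B, "port": 53}
FORGED = Response(txid=0x4A1B, dst_port=53, qname="CXOPQ.VICTIM.COM",
                  answer=[RR("CXOPQ.VICTIM.COM", "A", "6.6.6.0")],
                  additional=[RR("WWW.VICTIM.COM", "A", "6.6.6.0"),
                              RR("WWW.OTHER.COM", "A", "6.6.6.0")])

if __name__ == "__main__":
    print(accept(PENDING_FIXED_PORT, FORGED, "VICTIM.COM"))
    print(accept(dict(PENDING_FIXED_PORT, port=40123), FORGED, "VICTIM.COM"))
```

With a fixed source port the matching reply is cached, WWW.VICTIM.COM included; once the resolver picks a random port per query the same reply is dropped unless the port was guessed too.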

The big DNS issue

Filed under Vulnerabilities

I won’t ramble on about the DNS vulnerability discovered by Dan Kaminsky this week…plenty of other blogs and news sites are covering it. Yes…it’s important, groundbreaking and all that jazz. However, if you want the real scoop, especially if you need to convince your employer that this needs to be addressed quickly…then I point you to Rich Mogull’s web site securosis.com (specifically this post), and listen to the podcast over at the Network Security Podcast, which has a good interview with Dan Kaminsky.

Oh yeah…Dan has a cool “DNS Checker” on his web site where you can test your own DNS servers to see if they are vulnerable.

Stumbling upon Security Issues

Filed under Vulnerabilities

Seriously…I don’t go looking for web site security issues or vulnerabilities but sometimes you do “stumble” upon them. :-P

Several weeks ago I was looking for an online schedule of events at one of the local community centers where I live, so I did what anyone would do and typed the URL of the city’s web site into my browser, but without typing “www” first. The actual URL starts with “www”, but many times just typing the URL without “www” will take you to the web site. So to my surprise, instead of getting the main index page of the city’s web site, I got a web form prompting for login credentials to what looked like an HVAC system attached to the Internet! The header of the page had some information about a system version, so I did what any other security guy would do and launched a Google search to find out more details about this system. Yep, it was an HVAC system alright. So I thought no big deal, right….out of curiosity I hit the ‘enter’ key, thinking that there was no way there was an anonymous login on this baby…lo and behold, it logged me in! I was able to view the HVAC system configuration and potentially manage the HVAC for not only the community center but the city hall and other facilities. It looked like I could have caused some mischievous outages like changing the temperatures and even shutting down the HVAC system. At this point many scenarios entered my head, including why someone would put an HVAC system that should be on the company “Intranet” on the “Internet” with an anonymous administrator-level account…nahh…I’m a pen tester, so this isn’t shocking to me at all!

Being the ethical person that I am, I emailed the city that manages this domain letting them know of the issue…today I received an email that said they were looking into the issue and it should be resolved shortly. So here are the questions. What would you have done (put your non-evil hat on please…yes, methodically messing with the temperature in the mayor’s office would be a blast…)? Do you just forget that you stumbled upon this vulnerability, or do you believe in more of a full disclosure policy to the people running the web site? In talking to some others…attempting to contact the site owners is the best option (which I agree with), yet some others may take a different approach. Some “grey-hat” hackers might even resort to causing havoc with the HVAC system just to prove a point, then disclose the vulnerability the right way. Thoughts from the community?

Debian and Ubuntu OpenSSL Vulnerability

Filed under Vulnerabilities

I won’t go into all the details since every other security blogger on earth is covering it….however, as a reminder this issue is pretty serious if you had generated any keys on affected Debian or Ubuntu systems. The best summary I have found of the issue with links to all the “toys” that have come out to attack this vulnerability are on HD Moore’s web site. Here is a summary from HD:

“All SSL and SSH keys generated on Debian-based systems (Ubuntu, Kubuntu, etc) between September 2006 and May 13th, 2008 may be affected. In the case of SSL keys, all generated certificates will need to be recreated and sent off to the Certificate Authority to sign. Any Certificate Authority keys generated on a Debian-based system will need to be regenerated and revoked. All system administrators that allow users to access their servers with SSH and public key authentication need to audit those keys to see if any of them were created on a vulnerable system. Any tools that relied on OpenSSL’s PRNG to secure the data they transferred may be vulnerable to an offline attack. Any SSH server that uses a host key generated by a flawed system is subject to traffic decryption and a man-in-the-middle attack would be invisible to the users. This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system.”

Ugly vulnerability is right for an OS that changes you….
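HD’s advice to audit SSH keys comes down to fingerprinting every key in authorized_keys and checking it against a list of fingerprints of the enumerable weak keys. The following added example (my own code, not HD Moore’s or Debian’s tooling) does that: it parses authorized_keys lines, computes the SHA256 fingerprint `ssh-keygen -l` would print, and flags any hit. The key blobs and the blacklist are constructed placeholders; a real audit would load the fingerprint list shipped by the distribution.

```python
import base64
import hashlib

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public-key blobs."""
    return len(data).to_bytes(4, "big") + data

def parse_pubkey_line(line: str):
    """Return (keytype, blob, comment) for one authorized_keys / id_*.pub line;
    skips blanks and comments and tolerates a leading options field."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, tok in enumerate(fields[:-1]):
        if tok.startswith(("ssh-", "ecdsa-")):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                return None
            return tok, blob, " ".join(fields[i + 2:])
    return None

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint, the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text: str, blacklist: set) -> list:
    """Return (comment, fingerprint) for every key whose fingerprint is blacklisted."""
    hits = []
    for line in text.splitlines():
        parsed = parse_pubkey_line(line)
        if parsed:
            keytype, blob, comment = parsed
            fp = fingerprint(blob)
            if fp in blacklist:
                hits.append((comment or keytype, fp))
    return hits

# Constructed sample blobs in RSA wire layout (type, e, n) with made-up numbers;
# they are not real keys, just enough to exercise parsing and fingerprinting.
WEAK_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc3\x7a\x11")
GOOD_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xe9\x42\x5d")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# deploy keys (constructed sample)",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " backup@etch-box",
    'command="/usr/bin/rsync" ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " ops@laptop",
])
# Constructed stand-in for the distribution's weak-key fingerprint list.
WEAK_FINGERPRINTS = {fingerprint(WEAK_BLOB)}
```

Running `audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, WEAK_FINGERPRINTS)` reports only the backup@etch-box key; the same loop works over real files once the blacklist holds genuine weak-key fingerprints.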

phpBB2 Retirement Plan Announced

Filed under Vulnerabilities

For those of you using phpBB2 (which, last I checked, was still one of the most popular open source forum packages out there), you had better start thinking about upgrading to the latest version, phpBB3 “Olympus”.

I have always had a love/hate relationship with phpBB…it has been the most popular target for attackers in the last couple of years in terms of forum hacking, so as a webmaster you really needed to keep up with phpBB security patches. Some rather serious vulnerabilities were discovered multiple times over the years, so I am not sad to see the 2.0 branch bite the dust. It almost reminds me of how WordPress is being targeted because of its recent surge in popularity. Anyway, it is good to see the phpBB development team taking secure coding much more seriously with the new version 3.0.

Flash, Adobe Reader and Java…Oh My!

Filed under Vulnerabilities

Breaking News!

90% of all Windows machines are vulnerable to Adobe Flash vulnerabilities…(not really breaking news by any means for security professionals, right?). But for the average home user I certainly hope it is. You see articles all the time talking about the latest client-side vulnerabilities, and usually they are just talking about one specific vulnerability. What about all the other client-side software that users fail to either patch or keep up to date? Shall I give you examples besides Adobe Flash? How’s this for starters?

Internet Explorer, Firefox, Opera, Skype, Windows Media Player, Quicktime, Adobe Reader, Java, Microsoft Office…the list goes on and on.

The scary thing is that the “average” user really has no clue as to why this software should be updated and patched, even when they are prompted by the application to “Update me now!”. Most users will just click “cancel” and go about their business…and if their business includes checking their email, let’s hope there isn’t a malicious PDF waiting for them in their inbox…or a link taking them to the latest Excel exploit. This is the most popular attack vector right now, and until applications get smarter about how they update themselves, programmers learn secure coding practices, and users become security aware, these types of attacks will “keep on coming”. Oh, and don’t forget about 0day vulnerabilities like the ones discovered in the Pwn2Own contest at CanSecWest.

New Windows TCP/IP Vulnerability (MS08-001)

Filed under Vulnerabilities

Lots of talk on the net recently about the first “critical” vulnerability (MS08-001) released by Microsoft this year. If exploited, this vulnerability can allow an attacker to run arbitrary code on a remote system bypassing personal firewalls and in the case of Vista, the kernel protection mechanisms. Note that one caveat to this is that the attacker has to be on the same subnet as the victim machines.

Microsoft says that “there are a number of factors that make exploitation of this issue difficult and unlikely in real-world conditions”. However, researchers over at Immunity Inc. (these are the guys that make CANVAS, an automated pen testing product) demonstrated how this vulnerability could be exploited via this flash demo. Immunity has only released the exploit to customers of the CANVAS product and admits that the exploit is not 100% reliable…yet. Now that everyone knows that an exploit is “possible”, it’s only a matter of time before someone releases working, reliable exploit code in the wild. Patch now!

SANS Top 20 for 2007 Released

Filed under Vulnerabilities

Once again SANS has released its “Top 20” security risks for 2007. This is always a good report and I recommend all security professionals read it. This year they highlight two growing attack vectors: users who are easily misled (aka social engineering) and custom-built web applications.

Neither of these should come as a surprise. I know I have seen a major increase over the last year in “spear phishing” types of targeted attacks in my organization, as well as your typical PayPal and eBay phishes. Until users become more security aware I am not sure how this will decrease. All an attacker needs to do is get a user to click a link or visit a web site and it’s pretty much game over!

Custom-built web applications are not a huge surprise either. Most of the time internal developers are not using secure coding practices and usually have no idea their applications are even vulnerable to simple things like SQL injection. Again, it all starts with education and making users and developers more security aware.

Two scenarios they mention highlight this risk. From the executive overview:

“Scenario 1: The Chief Information Security Officer of a medium sized, but sensitive, federal agency learned that his computer was sending data to computers in China. He had been the victim of a new type of spear phishing attack highlighted in this year’s Top 20. Once they got inside, the attackers had freedom of action to use his personal computer as a tunnel into his agency’s systems.”

and

“Scenario 3. A hospital’s Web site was compromised because a Web developer made a programming error. Sensitive patient records were taken. When the criminals proved they had the data, the hospital had to choose between paying extortion or allowing their patients’ health records to be spread all over the Internet.”

You can read the entire 2007 SANS Top 20 article here.
