Top Exploits of the Week #1

Quicktime 0day

I thought I’d try something different (excuse me if its been done before, oh well). Every week I will be making a list of the top 5 exploits of the week, details about them, etc.

So lets get the ball rolling:

#1 Internet Explorer 7 XML Buffer Overflow Exploit (Vista Target) — This remote beauty executes remote code on a vulnerable (probably still unpatched) Internet Explorer 7 machine running Windows Vista. Coded by muts.

#2 Internet Explorer 7 XML Buffer Overflow Exploit (XP SP3 Target) — Exploits the same bug as above but executes code on a Windows XP SP3 target. Coded by Guido Landi.

#3 XOOPS 2.3.1 Multiple LFI Exploits — XOOPS suffers from a few local file inclusion bugs, and DSecRG has some code for you.

#4 Linux Kernel ATMSVC DoS Exploit — Send a kernel into an infinite loop by locally running this exploit on a vulnerable machine. Code by Jon Oberheide.

#5 phpMyAdmin 3.1.0 XSRF Exploit — Cross site scripting attacks are more dangerous than most developers think. Here is exploit code, just don’t have phpMyAdmin open in another tab! Provided by Michael Brooks.

See you all next week with more. Bug on :)

Share

SSH Gets Attacked

SSH

Yeah, brute force attacks on SSH is old news. But now, there is something new and interesting about them! Attackers (How did they get so smart!?) are now using ‘advanced’ techniques to make these attacks even more effective:

“Instead of using the same compromised machine to try multiple password combination, the newer attack relies on coordination among multiple botnet clients. Also, instead of throwing this resource at random Secure Shell (SSH) remote admin servers, the assault is targeted at specific servers.”

OH NO! We all must go and protect our servers now!

Or do any or all of these good practices that decent administrators have known about for years…

1) USE STRONG PASSWORDS! (You can bet attackers will have ‘johndoe’ in their wordlist, but not ’00J0hNND0eEe00$’)
2) Firewall all logins via SSH except for authorized IP addresses
3) Run SSH Server on another port besides 22

Some helpful tips for the helpless. Ho, ho, ho unwise system admins.

Share

Gotcha CAPTCHA!

reCAPTCHA

Well your favorite website’s, favorite way to see if your human or not has a problem — their ‘protection’ has been ‘broken’. Who knew that asking a user to read and type the contents of a distorted image of text would be so easy for a computer/code to do as well? CAPTCHA’s have never even looked secure to anyone with a open security mind, and those swimming in the unconscious thoughts that some day this ‘protection’ would see its core cracked… well today is your lucky day.

But never fear! There is hope (really..?)! The Carnegie-Mellon University team behind CAPTCHA’s big brother, reCAPTCHA, is for some reason continuing research towards the “effort to mix basic  security and useful work”. While the reCAPTCHA service seems like a step in the right direction, I have my doubts. Actually, I think it won’t be too long until the next article at YOURFAVORITETECHNEWSSITE is about this new ‘improvement’ being ‘broken’. Oh internet, have mercy on the little people, and send your spam bots to wreck havoc on another interNET.

Share

Kaspersky’s SAFE Internet

Kaspersky

Recently Kaspersky, the company who makes your favorite, or not-so-favorite anti-malicious software, called upon government and banking institutions to be more secure. But is it really up to these agencies to make draw the perfect picture of security, or should the end users stop making such bad decisions, both on and offline?

If these ‘safety nets’ are deployed, it won’t going to make the best out of security situation, but it will help. On the other side of the packet, using outdated software or insecure browsers (cough!*IE*cough!) that do little or nothing to protect the web surfers, directly and indirectly, should also be of major concern. Wouldn’t it be something if, when accessing one of these websites running INSECUREBROWSER, it suggested you use MORESECUREBROWSER, FOR SECURITY REASONS IF NOTHING ELSE? Woah, wouldn’t that be a different color light bulb. Especially if it was something like, say, Internet Explorer VS Firefox (Yes, I am saying that Firefox’s security is better than Internet Explorer. I believe both core and rendering engines are better, too).

Now, if they try to regulate the internet with security laws and cyber architecture boundaries, its just going to be one big mess. If you’d like one reason it wouldn’t work, just think about how outlawish the internet already is, and has been, since its inception. Then take a break and elaborate on it. I’m sure you’ll find more than one reason we can’t import some crazy set of regulations and actually believe they are going to work and/or solve our problems.

Here is some more fuel for thought: How about separating the internet for low and high bandwidth data flow. Interconnected, but bridged. Not a good idea? Well why not? As long as we are on the same network, there will be fighting over who owns what (more than just headers and footers). But as long as we put the big with the small, there is going to be controversy. There are going to be debates. This last part may have been a little off topic, but I feel like it needed to be said. Security isn’t made, its planned and implemented before regulation begins.

Share

Engineering Elections

Engineering Elections

Did you vote in the last election? If not, you should have. If so, did it really count? I mean, literally, besides the aspect of consideration, did your ballot reach the total counter?

Many people who are part of a democracy and have this magical ‘right to vote’ (There is no amendment or part of the US constitution that directly states that Americans have the right to vote; only that you cannot be discriminated against via race or sex, and you must be at least 18 years of age. Look it up and you’ll see that it is only indirectly implied) probably question where their votes really go each and every time they leave the polls.

Furthermore, the most important question should be this: If election fraud is part of our elections, and we all know at least some part of it is, how can we prevent it? The simple answer is, we can’t. Electronic voting machines are a joke. Really, the security on these machines are inferior to the most common lock and key at the dollar store. Security on these ‘secure’ election devices is comparable a Windows 98 (SE!) box running ZoneAlarm (pro!).

Wouldn’t it be nice and convenient to be able to vote via the Internet, without ever having to leave your home? Sure it would be. Safe though? Not in this century. If you have Netflix or any other movie service, you should add this to your queue: Hacking Democracy. Watch it, learn it, believe it. Do not hesitate at all to think its real. ITS BEEN PROVEN! Not a believer? Just wait around our next big election — we’ll see who wins.

Share

Websites Beware

Websites Beware

For years now, Zone-H.org has been, primarily, a website that mirrors website defacements. And also over the years, nearly every company, government, or otherwise popular/high-profile server has experienced being hacked. In case your not familiar with how it works, I will tell you about the process.

Basically, an attacker defaces the target website in some way and they submit it to Zone-H. Zone-H verifies the defacement and publishes a mirror. They accept any web accessible site, high-profile or not. Blogs, personal websites, mom and pop websites, even free websites haven’t been spared from attackers. But what has made this act so popular, and really into a popularity contest, is Zone-H’s rigorous mirror system, recording stats and names they use to deface, feeding the crave for attention or otherwise.

If you look where they classify and detail ‘special defacements‘, you can see a lot of the attackers’ bread and butter. LG’s Pakistan website, US/Chinese/Malaysian government websites, even on occasion NASA or military websites are hacked and defaced. Some attackers leave politically motivated messages, other just for fun, such as this one by ‘netb00m’:

“LGE pakistan was way to easy to get into.
Its almost like you guys beg to get hack.
Anyway, cant you guys make phones more like palm?
I mean you guy do make good stuff, but palm is alot nicer. =)”

As long as Zone-H mirrors these defacements, the attacks will never end. There is simply too much motivation, too many chances to look ‘cool’. However true that is, sometimes these guys get in trouble. I wish the best for them, but they could help themselves by growing up a little. It may have been ‘cool’ back in the day to the deface websites, but now, its just another risk to take to prove yourself to people who seem to carry themselves on their sleeves.

Share

Opera’s Latest Hitman

Opera Logo

Opera the web browser is apparently now great at one thing: following the standards.

Yesterday, Opera 10 Alpha was released and flaunted its 100/100 score on the Acid3 test, passing with all the colors of the rainbow this time. But honestly, Opera, like several other ‘alternative’ browsers (and if your a hardcore fan/follower, excuse me), is just trying to catch up with the old dogs.

Firefox in particular has had many of Opera’s ‘new’ features and ‘improvements’ for quite a while. Security issues in Opera, often simple and totally trivial bugs, have been found and released. Not saying more than other browsers; both Firefox and Internet Explorer have them doubled to say the least, but I just never could bring myself to trust this unique web browser.

Auto-update has just been put in place, and I feel, as a security researcher, that it is an extremely valuable mitigation tool when new exploits spring up. Thank God the development team FINALLY put this sub-standard feature in place. Presto 2.2 has taken things to the next level with most of these improvements, more details of which you can find for windows, mac, and ‘linux/unix‘.

Has security been incorporated into Opera recently more than ever? Maybe. Has Opera been built with security from the ground up? Certainly not. Pay attention to your favorite XYZ exploit/advisory feed for inevitable updates.

Share

Fooling biometric face recognition

CNet has a nice article about a Vietnamese company called BKIS that was able to login to the reporter’s laptop by simply recording him in a video chat and then using the blurry printout to authenticate with the face-recognition software.

I like to make fun of biometric authentication, mainly because it was overhyped in the 90′s as the authentication that will make remembering passwords obsolete. But it’s not useless technology – you just have to know how to use it.

Using a biometric system (this, or another) in a public place with a guard watching is good enough to make it difficult to hack. I imagine even a minimum-wage rentacop will notice when someone looking like Tom Cruise comes up to the biometric system with someone’s eyeballs in his hand. They should even notice if I come with a printout of someone else’s face. The same is true for passwods: a 50-character long password can be practically as strong as a 4 digit PIN if the proper lock out procedures are in place. Likewise, if I can try billions of password combinations per second then the difference between guessing a 8 character password and a 10 character password is just a few hours.

Share

Cloud Computing Security Blog

As cloud computing seems to be the latest hot topic, getting about the same, if not more heat than virtualization, I thought that it would be a good idea to post about a blog that I found a few days ago.

It has some really decent points, and good advice for anyone wondering about security in the cloud, take a look, and please post more links in the comments section if you have any of your own, and I will add them to the post, you’ll also get the credit for posting the link :-)
Here’s the link:

http://cloudsecurity.org/

Share

Purolator knoweth not privacy

My wife happened to go and pick up the book parcel today.  My wife knows about security and privacy.  (Not only does she have to listen to me at the dinner table, but she does her own research.)  One of the things I found out from her, was that it’s legal, in Canada, to ask for and look at a driver’s licence as ID, but it’s illegal, in Canada, for retailers to write down and keep that information.

So when the Purolator staff asked for her driver’s licence, she gave it to them, but made a point to ask them not to write it down.  The Purolator staff member then took the licence and input the details into their computer system.  When my wife complained, the Purolator staff member’s response was insulting and sarcastic.

So, Purolator, is that corporate policy?

Or maybe your need a little more staff training?
(Oh, and Purolator also uses those boxes to collect a digitized sample of your signature.)

Share

Who’s your SMTP daddy?

In a hotel in Beijing, using their wifi in the lobby. Everything goes fine until Noam tells me my email headers are weird.

Return-Path: aviram@hsia.com.cn
[...]
Received: (qmail 9613 invoked from network); 19 Nov 2008 13:26:43 -0000
Received: from mail.hsia.com.cn (HELO hsia.com.cn) (61.152.154.60)
by 0 with SMTP; 19 Nov 2008 13:26:43 -0000
Received: from FBH.hsia.com.cn ([123.124.225.63])
by hsia.com.cn (8.13.1/8.13.1) with ESMTP id mAJDTJlY005475;
Wed, 19 Nov 2008 21:29:20 +0800
Received: from beat.local (unknown [172.31.8.65])
by FBH.hsia.com.cn (Postfix) with ESMTP id 8AFEB520B0;
Wed, 19 Nov 2008 21:13:54 +0800 (CST)

Clearly I’m sending through another SMTP server, who goes as far as mangling my ‘Return-Path’ address header.

Only I’m not. My SMTP server is set (as always) to the corporate SMTP who is accessible through the VPN, in an encrypted connection that should not allow anyone to change fields. Just in case, I check it again. Yup, the SMTP server is there. So what’s up?
A quick investigation shows the following: The hotel’s network blocks my VPN (as some of them do) but happily resolves any unresolvable host name (such as my SMTP server’s hostname). This is resolved to a catch-all server that proxies everything. Transparently. (well, almost)

Lesson learned. Changed the hostname to the IP, and will soon switch to SSL based SMTP who will authenticate the server. In the meanwhile – be careful from helpful Beijing wifi providers who are only too happy to forward your mail on! (with some changes, of course).

Share

My name is Elvis Presley and here is my RFID passport

The group using name The Hacker’s Choice has managed to clone a biometric passport with name Elvis Presley. Right – The King who died 31 years ago :-)
Demonstration video and some technical information here.

Share

Finding the name behind the gmail address

Ever wondered what name is behind some obscure gmail address? Maybe your preferred gmail address was taken and you’re wondering who took it?
Here’s a cute vulnerability in the gmail system that comes from the strong tie-ins between gmail, the google calendar and all the other services.

How to do it:

- Go to the ‘share this calendar’ tab

- Enter the email address in the ‘person’ box

- Click ‘add person’ and ‘save’

- When you return to this screen you will see the first and last name along with the gmail address

Screenshots:

I always wondered who was behind admin@gmail.com

Tell google you want to share your calendar and put their gmail email address

Oh, I guess they figured people like me would be interested…

admin@gmail.com is a smart ass

If you are getting personalized emails from spammers to your gmail account, here’s an idea on how they got your name.

Share

Your life on an RSS feed

Social networks mean different things to different people. Some people want the world to know what they are doing NOW. So they blog, update their facebook status, use twitter to tell friends and stalkers what they’re thinking and dopplr to make sure everybody knows where they’re going.

Other people think social networks are a danger to privacy. A friend of mine wrote back in response to a linkedin invitation:

i regret to inform you that i don’t do social networking in any form.

This is a man that was there when the Internet started (and in fact laid some of its corner stones), and yet he refuses to take part in the most important revolution on the Internet in the last 10 years?

I used to think there was a third way to look at it. Use social networking in moderation: write what you want people to know, like where you work or what zip code you’re in and do that only because you have a use for it and not because you’re invited (ok, the last part is horseshit. I join things early so that I can reserve aviram as a username to the service. This strategy earned me aviram at gmail.com). For me, privacy was not an issue as long as you know what kind of information you put there. But now, it seems, things are getting out of hand.

I got an email from one of my linkedin connections with a link to a video sharing site called vidjar.com. This link was to videos tagged with his first name – not too uncommon, and you can probably imagine there were a few videos there with that tag.

But his problem was that on the sidebar, was the sentence:

[his full name] is now connected to Aviram Jenik

A deeper investigation showed that the sidebar included a widget that had an RSS feed into linkedin. This RSS feed somehow recorded the fact that he and I had connected. I’m not an expert in linkedin’s new API platform, so I’m not sure how that works – but I can understand how he was not happy to see that everybody on vidjar could see that he and I were connected via linkedin. This is information that only people directly connected to him or me should be able to see, and only when logged into linkedin. Here, it was viewable to the world – we verified it by looking at the flattened google cache.

An API issue? Maybe. But it definitely demonstrates the old saying that information you give, is no longer yours.

Share

Photos and laptop crypto

The lead article/editorial in Bruce Schneier’s latest CryptoGram (http://www.schneier.com/crypto-gram.html) points out the foolishness in warning people to beware of terrorists taking pictures.  Millions of people take billions of pictures every year for legitimate or innocent reasons, and the major terrorist attacks have not involved terrorists walking around taking photographs of the targets.  It doesn’t make sense to try and protect yourself by raising an alarm about an activity that is probably (*extremely* probably) not a threat.

Rather ironically, the second piece talks about the fact that your laptop may be searched when you fly to another country, and the advisability of laptop encryption.  Leaving aside privacy and legality concerns, Schneier is for encryption.

Now, I don’t fly as much as some, but more than many.  Since I’m a security researcher, I’ve got all kinds of materials on my laptop that would probably raise all kinds of flags.  I’ve got files with “virus,” “malware,” “botnet,” and all kinds of other scary terms in the filenames.  (I’ve got a rather extensive virus zoo in one directory.)  Nobody at immigration has ever turned a hair at these filenames, since nobody at immigration has ever asked to look at my laptop.  (Even the security screeners don’t ask me to turn it on as much as they used to, although they do swab it more.)

I’m not arguing that people shouldn’t encrypt materials on their laptops: it’s probably a good idea for all kinds of reasons.  However, unless I’m very fortunate in my travels (and, from my perspective, I tend to have a lot more than my fair share of travel horror stories), the risk of having immigration scan your laptop is not one of them.

Share

What is your blackberry doing without telling you?

I recently added a contact to my BlackBerry PIN network. The contact was informed of this via an email, and then went on to reply (accept) to this email based invitation.

The response sent from his blackberry was not visible in his “sent” folder, nor was it visible in my “inbox” as apparently BlackBerry has the ability to secretly delete emails as soon as they are processed – thus making it do things a bit “under the radar”.

It’s not yet clear to me how difficult it is to do this manually – adding of a contact to your BlackBerry PIN list – but here are some clues on the email mechanism. Apparently, you need to include in the subject and in the beginning of the message body (subject works in most cases – html appears to behave differently) the following string:

< $RemoveOnDelivery,SuppressSaveInSentItems>

You can combine the above in the subject line with confirm, which will cause BlackBerry to send back a delivery confirmation, combined with the deletion and suppression of saving the item:

< $confirm, RemoveOnDelivery,SuppressSaveInSentItems>

Share