Full Disclosure

The need for Full, Partial, Responsible and Zero disclosure. Issues with reporting vulnerabilities to vendors.

Microsoft Black Tuesday Summary July 2010

I decided that it would be a good idea to publish summaries of MS’s patch updates on here each month, let me know your thoughts. I know that you can get these from MS directly, but I just figured that if you read SecuriTeam anyway, then here’s some more useful information for you.

My personal opinion on this one is that if there’s one patch you really should apply ASAP, then it should be MS10-042.
So without further ado.

MS10-042 (Critical – Remote Code Execution)

Vulnerability in Help and SupportCenter Could Allow Remote Code Execution (2229593)

This security update resolves a publicly disclosed vulnerability in the Windows Help and Support Center feature that is delivered with supported editions of Windows XP and Windows Server 2003. This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser or clicks a specially crafted link in an e-mail message. The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must click a link listed within an e-mail message.

MS10-043 (Critical – Remote Code Execution)

Vulnerability in Canonical Display Driver Could Allow Remote Code Execution (2032276)

This security update resolves a publicly disclosed vulnerability in the Canonical Display Driver (cdd.dll). Although it is possible that the vulnerability could allow code execution, successful code execution is unlikely due to memory randomization. In most scenarios, it is much more likely that an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart.
MS10-044 (Critical – Remote Code Execution)

Vulnerabilities in Microsoft Office Access ActiveX Controls Could Allow Remote Code Execution (982335)

This security update resolves two privately reported vulnerabilities in Microsoft Office Access ActiveX Controls. The vulnerabilities could allow remote code execution if a user opened a specially crafted Office file or viewed a Web page that instantiated Access ActiveX controls. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS10-045 (Important – Remote Code Execution)

Vulnerability in Microsoft Office Outlook Could Allow Remote Code Execution (978212)

This security update resolves a privately reported vulnerability. The vulnerability could allow remote code execution if a user opened an attachment in a specially crafted e-mail message using an affected version of Microsoft Office Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Have fun patching all, and please remember to test these patches in a non-production environment before applying directly to production environments guys and girls.

Pirate Bay Hacked!

So The Piratebay has been hacked, and the hacker who did it has made off with the details of 4 million users on the site.

The details in question are usernames, e-mail addresses and internet addresses, this was all accomplished via a SQL injection attack.

The hacker in question here is of Argentinian origin, and goes by the handle of Russo, he mentions that he considered selling the data, but then decided to just go public to show that the Piratebay’s security wasn’t up to scratch.

This brings up a very interesting point though, as he could probably get a fair amount of money for these details if he was to sell them to say, oh I don’t know, the RIAA or the MPAA for example?

Even with all the problems that the Piratebay have had over the last few months, it still remains one of the largest bittorrent trackers on the Internet, and having the details of 4 million users is a really nice bounty to walk away with.

The cynic in me is half expecting most of these users to wind up with nice little letters from either the RIAA or the MPAA or both in the next few months, but I guess we’ll just wait and see.

The Piratebay was down for a while yesterday, with the following message posted on the site. “Upgrading some stuff, database is in use for backups, soon back again.. Btw, it’s nice weather outside I think.”

Yeah, upgrading some stuff, that’s a good one actually. Maybe Zone-h should change their defacement archieve title to something along the lines of “Upgrade Archieve”

On a side note though, it is interesting when hackers tend to go after sites that are helping to distribute copyright material. This also begs the question of, could he have been sponsored to do this, say under NDA, with a large sum of money from some 4 letter acronym? I’ll leave you with that thought, but if I was running a bittorrent tracker at the moment, I’d be a bit concerned…

Where To Sell Software Vulnerabilities/Exploits?

So the last post that I wrote, and Aviram’s follow on post really got me thinking, unless you know where to sell software vulnerabilities or exploits, finding places isn’t really that easy at all. I knew about ZDI and VPC, but that was it really, and it took me ages to remember VPC.

So I spent some time Googling, and well that didn’t help me much to me honest. So I’ve decided to compile a list on here, with a subject that’s easy enough to search for.

So what I’m asking all our readers is that if you know of anywhere that buys software vulnerabilities legitimately, please let me know by leaving a comment and I’ll update the list here accordingly.

So without any further ado, here’s the definitive list of where you can sell those exploits and vulnerabilities that you worked so hard on discovering and writing.

Beyond Security

Zero Day Initiative (Tippingpoint)

Vulnerability Contributor Program (iDefense)

Global Vulnerability Partnership

Why Is Free Vuln Disclosure so Damn Difficult?

Xyberpix described how difficult it is to disclose vulnerabilities to ZDI and iDefense. But even after you sold it, the process is just beginning. Sure, the researcher gets paid and he is free to resume his work, but the work us, the vulnerability coordinator, just begins.

We recently received 2 disclosures to our SecuriTeam Secure Disclosure program for Sonicwall and google vulnerabilities. We received sponsors for both vulnerabilities which means there is a commercial organization out there that was willing to pay the researcher for their efforts. That part ended well for the researchers.

Now both organizations want the vendors to patch up. Sounds easy, right? We are giving Sonicwall and google free information about security holes in their products, and want nothing in return except for them to fix it.

Well, it’s damn difficult.

Google is always difficult when it comes to security. When I reported an information disclosure vulnerability in google calendar they ignored me, then sent their PR person to say “it’s a feature”, then silently fixed it claiming it was never there. Dealing with google on security issues is like talking to a girl that speaks a foreign language. But more on that later – lets start with Sonicwall.

Wouldn’t you be expect security vendors to be more aware of security problems in their products? Well, for the last few weeks we’ve tried to bang every door, calling in personal favors to tell Sonicwall (for free, let me remind you) about a security hole in their product.
Why bang every door? Because they won’t talk to us since “we’re not Sonicwall customers”. We can’t open a support ticket and they won’t give “us” support. security@sonicwall? yeah, right. Even good friends couldn’t help. The system will not accept a report from non-customers.

I guess our only course of action is to pay Sonicwall money to let them know about their vulnerabilities. I wonder if that’s Sonicwall’s long term strategy for profit? BTW, if you work for Sonicwall and can help, please contact me – but keep in mind paying Sonicwall for telling them about their own security issues is not a part of our plan.

Back to google. The story there is simple and boring. It’s not a bug, it’s a feature. In fact, every browser has this problem, errm I mean feature. In fact, it’s been proven you can execute javascript on the chrome user’s browser so we’ll leave this open as well. If the stupid web app developers can’t solve this we certainly aren’t going to help them.
But why am I boring you with the broad strokes, go read the discussion:
http://code.google.com/p/chromium/issues/detail?id=46795. Nothing we haven’t seen with previous google security bug handling, just ask this guy.

Yes, it is 2010, and we are still talking about Vulnerability Disclosure to vendors. I guess next we’ll be arguing if heap overflows are exploitable.

Update: We were contacted by Sonicwall and the bug will be looked at. Hopefully security@sonicwall will start accepting submissions from non-customers.

Why Is Paid Responsible Disclosure So Damn Difficult?

So I’ve been sitting on an Apple vulnerability for over a month now, and I’m really starting to realise that maybe just sending the details to the Full-Disclosure mailing list and Exploit-DB.com is the right way to go about disclosing vulnerabilities and exploits.

I initially contacted ZDI to see if they would be at all interested in buying the exploit off of me, as I spent a lot of time researching and finding this one, and I’d like to get something for my efforts. I am a firm believer in the No More Free Bugs movement, I understand and appreciate what ZDI are doing, but the fact that it took them just under a month to get back to me, is really not good enough to be very honest. If they don’t have the researchers, then advertise worldwide, instead of just US only. I know I for one, would be happy validating bugs all day, and this is the the type of work that can be remotely.
Yesterday I also submitted the same information to iDefense Labs Vulnerability Contributor Program (VCP), who claim to get back to me within 48 hours, so we’ll see how that goes. I will update this post as and I when I know more.

I also took the off chance of mailing Apple directly, and asking if they offer any rewards for vulnerabilities that have been found, and if so what they would be. I don’t have high hopes on Apple offering anything, but to be honest, I would prefer to  disclose this one directly to Apple. They however  have paid staff to do this work on a full time basis on all their products, so why aren’t they doing it properly, and I feel that anyone else finding bugs for them, should be compensated appropriately. However, I e-mailed them yesterday and recieved an automated response, so we see how long it takes them to respond to me as well.

This may end up being a rather long post, but let’s see. I’m also expecting to see quite a few interesting comments on this post as well, so come on people.

UPDATE 30/06/2010:

Received a response from iDefense last night,and a request for more info. So just over 24 hour response time, which is brilliant, I’m really impressed so far.

Recieved a response from Apple, and if I would like any reward (aside from credit for the find), then I was informed that I should go through ZDI or iDefense.

Backtrack – The Future, The Funding, The Roadmap

Great news, Backtrack now has funding to move ahead with scheduled releases, and a roadmap moving forward up to Backtrack 5. You can view the roadmap here. It seems that the worlds leader in penetration testing training, namely Offensive Security is going to be funding the BackTrack Linux distribution’s development going forward. No need to worry though, BackTrack is still going to remain an Open Source distro.

Other news on this front is that the Exploit Database now has new EDB Research and Development teams that are actively working on vulnerability discovery and development, so watch this space for more news and good things to come. It’s also very worthwhile checking out the Exploit Database Blog.

Hack In The Box Security Conference Comes to Europe

The first ever HITB Security conference will be help in Amsterdam on the 1st and 2nd July, so apologies for only posting this now, but there’s still time to register.

The full conference agenda can be found here.

Some of the talks listed are:

– Breaking Virtualization by Switching to Virtual 8086 Mode

– Attacking SAP Users Using sapsploit

– Fireshark – A tool to Link the Malicious Web

– Having Fun with Apple’s IOKit

So all in all, it looks like it’s going to be an interesting couple of days.

Leave a comment if you’re going, it’d be good to hook up.

DNS and DNScat

So the other day I was conducting a penetration test, and compromising the host in question was easy enough, but I wanted something that would make a bit more of an impact in the report, rather than the standard, used Metasploit with X exploit and a reverse shell. So I spent some time looking through my little bag of tricks and came across DNScat. Now I’ve been wanting to use this tool for a while now, as it just seems like it’d make a nice high impact paragraph to have in a report, with a bit of a different swing on it.

For those of you who haven’t heard of DNScat before, here’s the blurb taken directly from the web site, which can be found here.

“DNScat (pronounced “D-N-S cat”) is a “swiss-army knife” tool to tunnel traffic through DNS servers. It provides a bi-directional communication through DNS servers, and in conjunction with PPP, can be used to set up a virtual private network (VPN).
DNScat, like a swiss army knife can be used for a variety of purposes, including:
– penetration testing of networks behind firewalls
– sending messages though firewalled networks
– setting up a VPN though firewalled networks
– learning how to detect covert channels through DNS servers
– and more… ”

So lo and behold, I finally got a chance to play with DNScat, and the look on the security managers face when he read the report was priceless, he words were something along the lines of. “We made sure to secure everything we could think of, but DNS, really?”

For those of you that do professional penetration testing, if you haven’t used DNScat yet, take the time to have a look at it, and learn how to use, it’s a decent tool and a lot of fun!