February 08, 2010

Wardriving Arizona

August 5 2009 – RSS Feeds

Here are a few RSS feeds to keep things semi-fresh.


SANS Institute Security Awareness Tip of the Day:


Packet Storm Security Headlines: Packet Storm Headlines


Packet Storm Security Exploits: Packet Storm Last 10 Exploits
Uiga Business Portal suffers from cross site scripting and remote SQL injection vulnerabilities.
This is a denial of service (kernel panic) proof of concept exploit for the UCODE_GET_VERSION ioctl NULL pointer dereference vulnerability on Solaris / OpenSolaris.
Exponent CMS version 0.96.3 suffers from a remote SQL injection vulnerability. This really old version has been known vulnerable to various issues since 2005.
Mongoose version 2.8 seems to suffer from yet another source disclosure vulnerability.
Belkatalog CMS suffers from a remote SQL injection vulnerability.
Zen Tracking versions 2.2 and below suffer from a remote SQL injection vulnerability that allows for authentication bypass.
Baal Systems version 3.8 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
DA Mailing List version 2 suffers from remote SQL injection and database disclosure vulnerabilities.
VideoDB version 3.0.3 suffers from a cross site scripting vulnerability.
WSN Guest Database appears to suffer from a database disclosure vulnerability.


Packet Storm Security Advisories: Packet Storm Last 10 Advisories
Wippien suffers from a flawed key negotiation vulnerability.
Mandriva Linux Security Advisory 2010-033 – A vulnerability has been discovered and corrected in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15, which allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that contains only a header. This update provides a fix for this vulnerability.
Secunia Research has discovered some vulnerabilities in libmikmod, which can be exploited by malicious people to potentially compromise a user’s system. Successful exploitation may allow arbitrary code execution in the context of the process using the libmikmod library when opening a specially crafted module file. Version 3.1.12 is affected.
HP Security Bulletin – A potential security vulnerability has been identified with HP System Management Homepage (SMH) for Linux and Windows. This vulnerability could be exploited remotely to allow cross site scripting (XSS) and unauthorized access.
Ubuntu Security Notice 894-1 – Various kernel related vulnerabilities have been addressed. It was discovered that FUSE did not correctly check certain requests. It was discovered that KVM did not correctly decode certain guest instructions. It was discovered that the OHCI firewire driver did not correctly handle certain ioctls. It was discovered that print-fatal-signals reporting could show arbitrary kernel memory contents.
Debian Linux Security Advisory 1992-1 – Several vulnerabilities have been discovered in chrony, a pair of programs which are used to maintain the accuracy of the system clock on a computer. These issues are similar to the NTP security flaw CVE-2009-3563.
Mandriva Linux Security Advisory 2010-032 – It was brought to our attention by Ludwig Nussel at SUSE that the MD5 collision certificate should not be included. This update removes the offending certificate. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The Mozilla NSS library has consequently been rebuilt to pick up these changes and is also being provided.
Debian Linux Security Advisory 1991-1 – Two denial of service vulnerabilities have been discovered in squid and squid3, a web proxy.
Debian Linux Security Advisory 1990-2 – The trac-git package released in DSA-1990-1 had a wrong dependency that could not be satisfied in Debian stable. This update corrects this problem.
Hellcode Research has discovered a heap overflow vulnerability in AOL 9.5. Opening a malformed vCard file (.vcf) with AOL 9.5 causes waol.exe to crash. Successful exploitation may allow execution of arbitrary code.


Packet Storm Security Tools: Packet Storm Last 10 Tools
dradis is a tool for sharing information during security testing. While plenty of tools exist to help in the different stages of the test, not so many exist to share interesting information captured. When a team of testers is working on the same set of targets, having a common repository of information is essential to avoid duplication of efforts.
netsniff-ng is a high-performance Linux network sniffer for packet inspection. Basically, it is similar to tcpdump, but it doesn’t need syscalls for fetching packets. Instead, it uses a memory-mapped area within kernel space to access packets without copying them to user space (’zero-copy’ mechanism). Therefore, netsniff-ng is libpcap-independent. netsniff-ng can be used for protocol analysis and reverse engineering, network debugging, throughput measurement, or creating network statistics of incoming packets on central network nodes like routers or firewalls.
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, NNTP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon’s code.
tinc is a Virtual Private Network (VPN) daemon that uses tunneling and encryption to create a secure private network between multiple hosts on the Internet. This tunneling allows VPN sites to share information with each other over the Internet without exposing any information.
Pound is a reverse HTTP proxy, load balancer, and SSL wrapper. It proxies client HTTPS requests to HTTP backend servers, distributes the requests among several servers while keeping sessions, supports HTTP/1.1 requests even if the backend server(s) are HTTP/1.0, and sanitizes requests.
Nikto is an Open Source web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers.
Squipy is a proxy server that allows you to capture and modify HTTP traffic.
zzuf is a transparent application input fuzzer. It works by intercepting file operations and changing random bits in the program’s input. zzuf’s behavior is deterministic, making it easy to reproduce bugs.
Scannedonly is a samba VFS module that ensures that only files that have been scanned for viruses are visible and accessible to the end user. Scannedonly was developed because of scalability problems with samba-vscan. Scannedonly comes in two parts: a Samba VFS module and (one or more) daemons. The daemon scans files and marks them when they are known to be clean. The samba module simply filters out files that aren’t marked clean.
iScanner is a free open source tool written in Ruby that lets you detect and remove malicious code from webpages.


SecurityFocus News: SecurityFocus is the most comprehensive and trusted source of security information on the Internet. We are a vendor-neutral site that provides objective, timely and comprehensive security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.
Twitter attacker had proper credentials
PhotoDNA scans images for child abuse
Conficker data highlights infected networks
Popular apps need better patching, says report
Google offers bounty on browser bugs
Cyberattacks from U.S. "greatest concern"
Microsoft patches as fraudsters target IE flaw
Attack on IE 0-day refined by researchers
Most consumers reuse banking passwords
CIA, PayPal under bizarre SSL assault


SecurityFocus Vulnerabilities:
Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
Sun Java SE November 2009 Multiple Security Vulnerabilities
Oracle 11gR2 Remote Command Execution Vulnerability
Linux Kernel ‘drivers/scsi/gdth.c’ Local Privilege Escalation Vulnerability
[security bulletin] HPSBUX02503 SSRT100019 rev.1 – HP-UX Running Java, Remote Increase in Privilege, Denial of Service and Other
RE: Samba Remote Zero-Day Exploit
[ MDVSA-2010:034 ] kernel
[security bulletin] HPSBMA02487 SSRT100024 rev.1 – HP Operations Agent Running on Solaris 10, Remote Unauthorized Access


Darknet – The Darkside: Ethical Hacking, Penetration Testing & Computer Security


Hack a Day: Fresh hacks every day
“Everyone needs a hobby,” they tell us. For the blogger mysteriously identified only as “R,” that hobby would be an almost fanatical nostalgia for the Commodore 64 computer. At first we thought this was a fan community site, but apparently it’s all the work of a single person. [R] has tweaked, extended, repackaged and resurfaced this 1980’s [...]
Meet GuruPlug, an all-in-one server that is now available for pre-order. This is the next generation of the popular SheevaPlug that features some added goodies. The base model sells for the same $99 and appears to have the same specs as the original but for $30 more, the GuruPlug Server PLUS moves to 2 Gigabit [...]
[Oliver] has been doing some work to use his TI ez430 Chronos wristwatch for some home automation. He’s working with a RF controllable lightbulb adapter which operates in the 433 MHz band. A dirt-cheap breadboard-friendly transmitter is available from Seeed Studios and he uses this in conjunction with a computer and an Arduino. Before the [...]
[Nick] tipped us off about a guide to unlock extra features on Panasonic televisions. The hack works on the G10 models of plasma TVs and uses the service menu to gain access to the EEPROM memory. With a few quick steps you can change some data with a built in hex editor, unlocking several new [...]
Just when you think you’ve heard all you can about the N900 PUSH competition, we have some more news for you. The original PUSH competition was only for UK members, but now Nokia has introduced the ‘Mod in the USA‘ N900 PUSH competition. Similar to the original, anyone (within region) can submit a cool mod, hack, [...]
[Rahul Sapre] sent us a guide to porting EFSL to any microcontroller (PDF). The Embedded Filesystems Library adds FAT support to C compiled microcontrollers. It is targeted at the AVR line of chips but can be adapted to any architecture that works with a C compiler. [Rahul's] guide will take you through the process of [...]
Bot gives head to passersby This free range robot was spotted at this year’s Kinetica Art Fair. You can place your hand above it and it will stop and pour you a beer. That’s if you consider 7/8 of a glass of head ‘a beer’. Photo booth adds fun – consumes floor space Face it, photo booths are [...]
Let’s face it, walking around in the rain sucks. [Matth3w] is trying to add a little whimsy to an unpleasant experience by adding an LED matrix to his umbrella. The array contains 80 LEDs that are individually addressable. This is a multiplexed array that relies on a MIC2981 source driver for the eight rows (or [...]
[Mario the Magician] wrote in to let us know that he makes Hackaday a priority every morning with his coffee. Well, so do we. He also included a link to his homepage when submitting this revelation. The juicy details that are as much of a fix as the caffeine in the coffee are missing from [...]
The folks over at Engadget have posted some pictures of the ExoPC’s insides. With the recent return of the tablet craze (remember XP Tablet Edition?) we’re seeing tablets everywhere. This one has some promise on the hardware side, sporting a 1.6GHz processor and 2GB of RAM. Unfortunately we’ve heard using solely a tablet interface with [...]


WindowSecurity.com: WindowSecurity.com provides Windows security news, articles, tutorials, software listings and reviews for information security professionals.
Taking a look beyond the sensationalized headlines about IE browser security whilst asking whether switching will really keep you safe from attack.
Authenex ASAS was selected the winner in the Authentication & Smart Cards category of the WindowSecurity.com Readers’ Choice Awards. Aladdin eToken and Smart Enterprise Guardian were runner-up and second runner-up respectively.
What is involved in the Advanced Security settings in IE and how best to configure each one.
How Windows creates and stores password hashes and how those hashes are cracked.
How securing a network in this new user environment differs from the old model and why it may be beneficial to change some longstanding policies and training methods to adapt to the natives.
This article reviews the capabilities and features of GFI WebMonitor 2009, an integrated Web security, monitoring and Internet access control product from GFI Software.
Admin Report Kit for Windows Server (ARK) was selected the winner in the Network Auditing Software category of the WindowSecurity.com Readers’ Choice Awards. GFI LANguard and Altiris SecurityExpressions were runner-up and second runner-up respectively.
Taking a look at the anatomy of a null session attack, how it works and how to prevent it from happening to you.

10/23/2008 – Out of band update MS08-067

Microsoft announced an out-of-band update that is being released today. It addresses a remotely exploitable, and likely wormable, vulnerability in the Server service; 2000/XP/2003 are rated critical. This looks like the worst vulnerability in a while: patch, patch, patch.

http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx

01/17/2008 – Too busy to blog

I am alive and well, but haven’t had the extra time or energy to blog anything as of late.
Maybe I’ll pick things back up in 2008... or maybe it’s time for things to change here a little.

04/19/2007 – Microsoft DNS server RPC Vulnerability and Rinbot Exploitation

If you are running Microsoft DNS services this may be of interest to you.

http://www.microsoft.com/technet/security/advisory/935964.mspx

Rinbot has been seen exploiting this vulnerability, so even if your DNS servers are not internet-facing it may be a good time to implement the registry workaround from the advisory above, which disables remote management of the DNS service over RPC.

I know a lot of smaller IT shops run DNS on their domain controllers, and if that gets compromised then it’s game over.

04/05/2007 – Windows .ANI Cursor Woes

Since late March I’ve been following news on the Windows animated cursor vulnerability.

Basically, the code Windows uses to parse those annoying .ani animated cursors can be exploited by a maliciously crafted .ani file.

I’ve seen a lot of people misunderstand the scope of the problem, claiming they don’t use custom cursors.
The truth of the matter is that if you use Internet Explorer to browse the web, or any variant of Outlook to view e-mail (even in the preview pane), a cursor carrying the exploit can be embedded in the HTML and you are vulnerable; no custom cursors need to be installed.
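The checker below is an added example, not code from this post or from any tool in the feeds above. It serves two passages at once: the .ani problem described here, and the zzuf entry in the tools feed (deterministic bit-flip fuzzing). Beyond what the post says, it assumes the publicly documented shape of the bug: an animated cursor's anih header is a fixed 36-byte structure, and the 2007 exploit files carried a second anih chunk with a much larger declared length that overflowed the stack buffer the loader copied it into. The "naive" checker reproduces that trusting pattern; the hardened one bounds every read by the real data length. The sample cursors are constructed in the code, not real files, and the 0.004 flip ratio mirrors zzuf's default.

```python
"""Added example: content-based check for RIFF animated cursors (.ani) beside the
naive parsing pattern, plus a zzuf-style deterministic bit-flip loop showing that
the hardened checker survives malformed input while the naive one does not.
The anih size rule follows the public description of the 2007 flaw; samples are
constructed here, not real files."""
import random
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine DWORDs, the fixed buffer the loader fills


def riff_chunk(fourcc, payload):
    """Build one RIFF chunk: fourcc, little-endian length, payload, pad to even size."""
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")


def build_ani(chunks):
    """Wrap chunks in a RIFF/ACON container, which is what Windows treats as an animated cursor."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data, offset, end):
    """Yield (fourcc, payload_offset, declared_length) for top-level chunks.
    Never reads past `end`; stops after a chunk whose declared length overruns it."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        (length,) = struct.unpack_from("<I", data, offset + 4)
        payload = offset + 8
        yield fourcc, payload, length
        if length > end - payload:
            return
        offset = payload + length + (length & 1)  # RIFF chunks are word aligned


def check_ani(data):
    """Hardened checker: returns a list of findings (empty means nothing suspicious).
    Decides on content, not file extension: the RIFF header is what the loader trusts."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    (riff_len,) = struct.unpack_from("<I", data, 4)
    end = min(len(data), 8 + riff_len)  # never trust a declared size over the real one
    findings, anih_seen = [], 0
    for fourcc, payload, length in iter_chunks(data, 12, end):
        if length > end - payload:
            findings.append(f"chunk {fourcc!r} declares {length} bytes, past end of data")
        if fourcc == b"anih":
            anih_seen += 1
            if length != ANIH_SIZE:
                findings.append(f"anih chunk #{anih_seen} has size {length}, expected {ANIH_SIZE}")
    if anih_seen > 1:
        findings.append(f"{anih_seen} anih chunks; a well-formed cursor has exactly one")
    return findings


def naive_check_ani(data):
    """The vulnerable pattern: unpacks however many bytes the anih chunk claims to have."""
    if data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON container"]
    offset = 12
    while offset + 8 <= len(data):
        fourcc = data[offset:offset + 4]
        (length,) = struct.unpack_from("<I", data, offset + 4)
        if fourcc == b"anih":
            struct.unpack("<9I", data[offset + 8:offset + 8 + length])  # struct.error if length != 36
        offset += 8 + length + (length & 1)
    return []


def zzuf_style_mutate(data, seed, ratio=0.004):
    """Flip about ratio*bits bits chosen by a PRNG seeded with `seed`; as with zzuf, the same
    seed and ratio always give the same mutant, so a crash is reproducible from its seed."""
    rng = random.Random(seed)
    buf = bytearray(data)
    for _ in range(max(1, int(len(buf) * 8 * ratio))):
        bit = rng.randrange(len(buf) * 8)
        buf[bit >> 3] ^= 1 << (bit & 7)
    return bytes(buf)


def fuzz(checker, data, seeds, ratio=0.004):
    """Return the seeds whose mutant made `checker` raise: a scanner that crashes on
    malformed input is itself a denial-of-service target."""
    crashing = []
    for seed in seeds:
        try:
            checker(zzuf_style_mutate(data, seed, ratio))
        except Exception:
            crashing.append(seed)
    return crashing


# Constructed samples. ANIHEADER fields: cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags.
GOOD_ANIH = riff_chunk(b"anih", struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 32, 1, 1, 1))
BENIGN = build_ani([GOOD_ANIH, riff_chunk(b"LIST", b"fram" + riff_chunk(b"icon", b"\0" * 16))])
# second anih with a 200-byte body: the shape of the 2007 exploit files, payload replaced by filler
EVIL = build_ani([GOOD_ANIH, riff_chunk(b"anih", b"A" * 200)])

if __name__ == "__main__":
    print("benign:", check_ani(BENIGN))
    print("evil:", check_ani(EVIL))
    print("truncated evil:", check_ani(EVIL[:100]))
    print("naive checker crashes on seeds:", fuzz(naive_check_ani, BENIGN, range(500))[:5])
    print("hardened checker crashes on seeds:", fuzz(check_ani, BENIGN, range(500)))
```

Run it directly to see the findings. Two design points matter for a scanner sitting in front of a mail gateway or web proxy: it keys on the RIFF/ACON header rather than the file extension, since the loader does the same, and it clamps the declared RIFF and chunk lengths to the bytes actually present before using them, which is exactly the check the naive version skips and the fuzz loop exercises.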

To make things worse, the exploit has made it into the Metasploit Framework, so anybody can point, click and exploit the vulnerability.

Admirably, Microsoft released an early patch on Tuesday, April 3rd that resolves the issue.
(They almost never release patches outside the second Tuesday of the month.)

If you haven’t installed it yet, I recommend you do so now. I’ve seen 9 or 10 in-the-wild instances of the exploit being embedded within web content directed towards some of my userbase at work over the last couple of days, and things are only going to get worse.

02/12/2007 – Vulnerability in Solaris Telnet

SANS is reporting a remote root vulnerability in the Solaris implementation of telnet. Linkage can be found here. If you’ve got telnet on Solaris facing the internet, fix it NOW!

08/17/2006 – Hardcore IDS

If you have the time, or are looking to rapidly deploy an open-source Snort-based IDS, a friend of mine has a nice IDS solution out there.

Hardcore IDS was created to make installing an Open Source IDS as simple as possible while providing a complete and secure IDS solution.

Hardcore IDS builds a secured GNU/Linux operating system using Fedora Core 4 with Snort 2.6 and Aanval series 2 as an optional front-end to monitor your network for attacks and vulnerabilities.
Support for other GNU/Linux distributions is planned.
You can set up Hardcore IDS on one host or many. There are three install types to choose from, depending on how you roll out your IDS: Sensor, Console, and Console+Sensor.

Included in the setup of Hardcore IDS are the Snort and Bleeding Edge Snort rules.
slipnet.org

08/10/2006 – MS06-040

If you have not done so it is time to install MS06-040.

The proof-of-concept exploit has been added to the Metasploit Framework, and it is speculated that a new Blaster- or Sasser-like worm using this exploit will be released very soon.

07/24/2006 – Patch McMuffin with Cheese

PoC code for MS06-034, MS06-035, and MS06-036 has been spotted on the net. If you have not already applied the July updates, now would be a good time to do so.

06/29/2006 – Uh oh…….VM Rootkits

There has been a lot of buzz regarding virtual machine based rootkits. They have the potential to render conventional methods of detecting malware and rootkits useless.

Interesting read, I would highly recommend it.