Friday, October 31, 2008

Paul Craig shows the kiosk nightmare at HITB Conf 2008

Paul Craig brought excitement to HITB Conf 2008 Day 1 by demonstrating how a kiosk can be hacked easily within a few minutes. Presentation material can be obtained from HITB. I would like to share with you the tool used to hack the kiosk. Paul shared lots of techniques and methods to compromise internet kiosk terminals.

Tool:
ikat - http://ikat.ha.cked.net/

Kiosk developers, you had better come up with better solutions to mitigate the risks of kiosk usage before kiosks become a favourite target for newbies. :)

MS08-067 Checks

This tool can be used to anonymously check whether a target machine or a list of target machines is affected by MS08-067 (Vulnerability in Server Service Could Allow Remote Code Execution).

Usage

$ python ms08-067_check.py -h
Usage: ms08-067_check.py [-d] {-t |-l }

Options:
--version show program's version number and exit
-h, --help show this help message and exit
-d show description and exit
-t TARGET target IP or hostname
-l LIST text file with list of targets
-s be silent

Example

$ python ms08-067_check.py -t 192.168.123.30
192.168.123.30: VULNERABLE

Requirement

This tool can be downloaded from ms08-067_check.py

MD5: 67E72C148E5B3E606E4FEAAEF9436563
SHA1: 5F0EF8BDBA8B58F2E2FF9F0C1B2176823A2FB92B

Friday, October 24, 2008

MS08-067 POC published

Finally I found the PoC (Proof-of-Concept) for the Microsoft patch MS08-067 published on the milw0rm website. I had been looking for the PoC since early morning, when posting another topic regarding Microsoft patch MS08-067.

I downloaded the PoC as a sample for my own research purposes. The original thread can be found at http://www.milw0rm.com/exploits/6824

**********************************************************
In vstudio command prompt:

mk.bat

next:

attach debugger to services.exe (2k) or the relevant svchost (xp/2k3/...)

net use \\IPADDRESS\IPC$ /user:user creds
die \\IPADDRESS \pipe\srvsvc

In some cases, /user:"" "", will suffice (i.e., anonymous connection)

You should get EIP -> 00 78 00 78, a stack overflow (like a guard page
violation), access violation, etc. However, in some cases, you will get
nothing.

This is because it depends on the state of the stack prior to the "overflow".
You need a slash on the stack prior to the input buffer.

So play around a bit, you'll get it working reliably...

poc:
http://milw0rm.com/sploits/2008-ms08-067.zip

# milw0rm.com [2008-10-23]
*********************************************************

Thursday, October 23, 2008

Security providers busy with the MS08-067 emergency release

Microsoft released the emergency out-of-cycle MS08-067 patch to the public on 23-Oct-08, which kept several security providers such as Symantec, McAfee, Sophos and Trend Micro busy updating their advisory pages regarding this patch. Some of them may also be adding detection signatures or coverage for this vulnerability to their security products.

Basically this critical vulnerability is exploited over an SMB/RPC session. It allows remote code execution if an affected system receives a specially crafted RPC request. A system with the firewall enabled in its default configuration is protected from this attack over the network (and a patched system is protected regardless); however, according to the Microsoft Security Vulnerability Research and Defense blog, this does not cover the following conditions, which expose the RPC endpoint:
- Firewall is disabled
- Firewall is enabled, but file and printer sharing is enabled

You can read more details at:
  1. http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx
  2. http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
  3. http://www.symantec.com/security_response/threatconlearn.jsp
  4. http://www.trendmicro.com/vinfo/zh-cn/secadvisories/default6.asp?VName=(MS08-067)+Vulnerability+in+Server+Service+Could+Allow+Remote+Code+Execution+(958644)
  5. http://www.sophos.com/security/blog/2008/10/1878.html?_log_from=rss
  6. http://www.frsirt.com/english/advisories/2008/2902
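As an added example (not code from the original post, from the milw0rm PoC quoted above, or from Microsoft), here is a simplified C model of the bug class behind MS08-067: a path canonicaliser that resolves ".." by rewinding to the previous backslash with no lower bound on the scan. The unguarded variant illustrates the PoC author's remark that the outcome depends on "a slash on the stack prior to the input buffer": with nothing above the buffer start to stop it, the scan runs into whatever memory precedes the buffer and the rest of the path is written there. The guarded variant shows the one-line bound check that closes the hole. The arena standing in for the stack, the buffer layout and all function names are assumptions made for this demonstration; the real Server service code works on wide-character strings and differs in detail.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example: a simplified model of the path-canonicalisation bug class
 * behind MS08-067. This is NOT the netapi32 code; names and layout are
 * assumptions made for the demonstration.
 *
 * canon_model() rewrites an absolute path such as "\a\b\..\c" into "\a\c".
 * Resolving ".." means rewinding the write cursor to the previous '\'.
 * With guard == 0 the rewind has no lower bound, so an input like "\..\x"
 * scans below out[0] until it happens to hit a '\' in whatever memory
 * precedes the buffer (on a real stack: the caller's frame), and the rest
 * of the path is then written there. With guard == 1 the rewind refuses to
 * step below out[0].
 *
 * Returns the lowest offset (relative to out) the cursor reached: 0 means
 * everything stayed inside the buffer, a negative value means bytes landed
 * before it. -1 means the input was rejected, -2 means the output would
 * overflow the top of the buffer.
 */
long canon_model(const char *in, char *out, size_t outlen, int guard)
{
    char *p = out;          /* write cursor */
    long min_off = 0;       /* lowest (p - out) observed */
    const char *s = in;

    if (*s != '\\')         /* only absolute paths are modelled */
        return -1;
    s++;

    for (;;) {
        const char *end = strchr(s, '\\');
        size_t len = end ? (size_t)(end - s) : strlen(s);

        if (len == 2 && s[0] == '.' && s[1] == '.') {
            /* ".." -> drop the previous component by rewinding to the previous '\' */
            do {
                if (guard && p == out)
                    return -1;      /* fixed: never scan below the buffer */
                p--;                /* unguarded: may walk into memory before out[0] */
            } while (*p != '\\');
        } else if (len == 1 && s[0] == '.') {
            /* "." -> nothing to do */
        } else if (len > 0) {
            if (p + 1 + len >= out + outlen)   /* keep room for the final NUL */
                return -2;
            *p++ = '\\';
            memcpy(p, s, len);
            p += len;
        }
        if (p - out < min_off)
            min_off = p - out;
        if (!end)
            break;
        s = end + 1;
    }
    *p = '\0';
    return min_off;
}

#define ARENA_SIZE 64
#define OUT_OFF    32

/*
 * Place `out` in the middle of an arena so the bytes below it are memory we
 * own and can inspect (constructed stand-in for the stack). Everything below
 * out[0] is 'A', with one '\' planted slash_back bytes before out[0]: the
 * "slash on the stack prior to the input buffer". arena[0] is also '\' so
 * the unguarded scan can never leave the arena in this demo.
 */
long run_model(const char *in, int guard, int slash_back)
{
    char arena[ARENA_SIZE];
    if (slash_back < 1 || slash_back > OUT_OFF)
        return -1;
    memset(arena, 'A', sizeof arena);
    arena[0] = '\\';
    arena[OUT_OFF - slash_back] = '\\';
    return canon_model(in, arena + OUT_OFF, ARENA_SIZE - OUT_OFF, guard);
}

/* Canonicalise with the guard on and compare against the expected string. */
int canon_guarded_equals(const char *in, const char *expected)
{
    char out[64];
    if (canon_model(in, out, sizeof out, 1) < 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    printf("\\a\\b\\..\\c guarded   -> lowest offset %ld\n", run_model("\\a\\b\\..\\c", 1, 8));
    printf("\\..\\x     unguarded -> lowest offset %ld\n", run_model("\\..\\x", 0, 8));
    printf("\\..\\x     guarded   -> %ld (rejected)\n", run_model("\\..\\x", 1, 8));
    return 0;
}
```

Moving the planted slash (the slash_back argument) moves where the unguarded variant writes, which is exactly why the PoC note says the crash depends on the state of the stack before the call; the guard makes the result independent of that state.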

Tuesday, October 21, 2008

Chrome file-type checking XSS vulnerability

###########################################################
# Google Chrome 0.2.149.30,
# file type check vulnerability
# when browsing through ftp.
###########################################################
# For example, when browsing:
# ftp://ftp.example.net/picture.jpg
# or it could be .txt, .pdf, etc...
# Google Chrome does not check the file type.
#
# When browsing only ftp://ftp.example.net/
# you will see the picture.jpg file, like any other
# image file.
###########################################################

Example content of the picture.jpg file:
/Begin:
<html>
<body>
<script>alert('backdoored');</script>
</body>
</html>

End\

Reference:http://packetstormsecurity.org/0810-exploits/googlechrome-check.txt

Wednesday, October 15, 2008

XSS Me .... start exploiting websites.

Just sharing regarding XSS attacks: if you want to learn what XSS is and how it works, you may refer to the wiki. I am not going to explain it in detail since the wiki does. However, one resource I want to share for reading about XSS is Http://ha.ckers.org/xss.html, where RSnake tested the XSS exploits in different browsers.

Other tools I would like to share are XSS Me, SQL Inject Me and Access Me, which can be obtained from Security Compass. These tools are only available as Firefox add-ons. Use them at your own risk, since these penetration tools are used to exploit and access other people's web applications.

Good reading while taking snacks!

Wow.... the McAfee Security Journal has finally been released, after waiting for it for quite a long time since Sage Issue 5. I have got used to reading their 'yearly' journal over the last two years. For this release, they cover a few topics that fit current security concerns.

Topics:
1. The Origins of Social Engineering
2. The Psychology of Social Engineering: Why Does It Work?
3. Social Engineering 2.0 - What’s Next?
4. Beijing Olympics: Prime Target for Social Engineering Malware
5. Vulnerabilities in the Equities Markets
6. The Future of Social Networking Sites
7. The changing face of vulnerabilities
8. Typosquatting - Unintended Adventures in Browsing
9. Whatever happened to Adware and Spyware
10. Statistics

Among the topics, Vulnerabilities in the Equities Markets, The Changing Face of Vulnerabilities and Whatever Happened to Adware and Spyware catch my interest most. Personally I would like to get to know current and future threat trends. This e-book would be another good read while taking snacks.

The material can be downloaded from http://www.mcafee.com/us/research/mcafee_security_journal/index.html

Reference from: McAfee Avert Blog

Monday, October 13, 2008

Rogue antivirus in trend?

Well, recently I just keep hearing people and websites discussing rogue antivirus. Today I got a pop-up regarding this new threat when browsing the internet using my *nix system. I was laughing when it was able to 'scan' my *nix machine (e.g. c:\windows\....) and claimed my *nix system was infected.
Here I want to salute them; it is impressive how professionally they created their fake website and push their 'legitimate' software onto end users' machines. Many people, especially those new to the security area or the internet, can easily believe that their systems are infected by the malware shown on screen.

http://computer-scan.com/2009/1/_freescan.php?id=880606

Their website http://computer-scan.com looks similar to any security product's site.

Searching whois, this is the information I was able to get.
WHOIS information for: computer-scan.com:

***********************************************************************************
[whois.PublicDomainRegistry.com]
Domain Name: COMPUTER-SCAN.COM

Registrant:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

Creation Date: 03-Oct-2008
Expiration Date: 03-Oct-2009

Domain servers in listed order:
philsdomains.mars.orderbox-dns.com
philsdomains.earth.orderbox-dns.com
philsdomains.venus.orderbox-dns.com
philsdomains.mercury.orderbox-dns.com


Administrative Contact:
PrivacyProtect.org
Domain Admin (contact@privacyprotect.org)
P.O. Box 97
Note - All Postal Mails Rejected, visit Privacyprotect.org
Moergestel
null,5066 ZH
NL
Tel. +45.36946676

***********************************************************************************
On top of that, 'PrivacyProtect.org' is registered in Zurich and, according to http://www.hostip.info/index.html, located in Oklahoma City, OK, UNITED STATES, once you get the domain's IP address 209.62.85.54 from http://centralops.net/co/

It is not hard to believe that this kind of threat will become another trend for malware authors to commercialize their 'antivirus' or security products. :D