by timb@machine.org.uk (Tim Brown) at January 11, 2010 07:36 PM
by timb@machine.org.uk (Tim Brown) at December 10, 2009 02:02 AM
C G
If you're happy with your ekey, blog your praise
C
If you're happy with your ekey, blog your praise
F C
If you're happy with your ekey, then your blog will surely show it.
G C
If you're happy with your ekey, blog your praise
MS09-050 addresses the much talked about SMB2 Negotiation vulnerability. A crafted SMB packet could crash Windows Vista/2008 systems with a blue screen.
The OpenVAS plugin for checking the MS09-050 hotfix is now available in the svn. It doesn’t require any credentials. A patched system responds differently to a particular SMB negotiation request (a crafted PID’s low_id field) than an un-patched system does, and the response is checked to confirm whether the patch is installed. This has been tested on Windows Vista and 2008.
by timb@machine.org.uk (Tim Brown) at September 23, 2009 04:09 AM
maulkin@cheshire:/usr/share/doc/ekeyd$ cat /proc/sys/kernel/random/entropy_avail
4096
Thanks to my eKey.
by timb@machine.org.uk (Tim Brown) at July 18, 2009 02:35 AM
OpenVAS plugins for the Microsoft Security Bulletins of July 2009 are now available in the SVN repository. The plugins can also be synced via the openvas-nvt-sync method.
There were 6 bulletins in total, including the much-discussed Video ActiveX control bulletin (MS09-032).
The news…
Passing the 10000th Network Vulnerability Test (NVT) is a perfect occasion to report about the progress of the OpenVAS project[1].
In October 2008 the systematic development of new NVTs started with a base of around 5800 Tests. With the release of OpenVAS 2.0 in December 2008, the development was boosted and has now reached an average of 10 code updates per day. The public OpenVAS NVT Feed Service delivers 3-10 new vulnerability tests every day.
The significantly grown and globally distributed developer team will gather at the second OpenVAS developers conference[2], July 9-12 2009 in Germany. During the conference, features and a roadmap for OpenVAS 3.0 will be planned.
The OpenVAS project is backed by a number of companies, which also supplement the project with professional services[3]. These companies include Greenbone Networks, SecPod, Intevation and SecuritySpace.
“Reaching the professional enterprise market is a good indicator that OpenVAS gained maturity very fast” says Tim Brown, founder of the OpenVAS project.
While OpenVAS 3.0 will likely appear in 2009, users of OpenVAS 1.0 should prepare to migrate as support for 1.0 will end during 2009.
Regards,
Michael Wiegand
[1] http://www.openvas.org
[2] http://www.openvas.org/openvas-devcon2.html
[3] http://www.openvas.org/professional-services.html
OpenVAS plugins for the Microsoft Bulletins of April 2009 are now available in OpenVAS. Update your OpenVAS plugins by running openvas-nvt-sync or download them from the SVN directly.
When you try to install Net::SSLeay as a dependency of IO::Socket::SSL using Strawberry Perl and you get something like this:
Running install for module 'Net::SSLeay'
Running make for F/FL/FLORA/Net-SSLeay-1.35.tar.gz
Has already been unwrapped into directory C:\strawberry\cpan\build\Net-SSLeay-1.35-zncySb
'C:\strawberry\perl\bin\perl.exe Makefile.PL' returned status 512, won't make
Running make test
Make had some problems, won't test
Running make install
Make had some problems, won't install
or this:
dmake.EXE Error code 129, while making SSLeay.o
or error code 512.
You should download the OpenSSL library from Shining Light Productions (Win32 OpenSSL) and NOT from the gnuwin32 sourceforge page. After that, you just need to copy the files from C:\OpenSSL\lib\MinGW to C:\OpenSSL\lib. The installation will then succeed. At least it did for me ;)
Conficker worm variants A, B and C depend on a vulnerability in the Microsoft Server service. Microsoft released advisory MS08-067 back in October 2008 to address this vulnerability. As was expected at the time, a number of attacks exploiting it are spreading, the major one being the Conficker worm.
We have plugins for OpenVAS,
900055 - secpod_ms08-067_900055.nasl
900056 - secpod_ms08-067_900056.nasl
to detect the patch status of MS08-067. Plugin 900055 requires SMB credentials and verifies that the required hotfix is installed by checking the Windows Registry and the updated file versions. Plugin 900056 is a Proof of Concept exploit that tries to crash the Server service (safe_checks has to be disabled). It can work with anonymous login credentials if the target system allows anonymous login (Windows 2000 allows anonymous login by default). The plugin checks the RPC response status of an un-patched system.
If your system is found to be vulnerable, make sure to run AV scanners to see if you are infected by the Conficker worm. All major AV vendors have signatures. A manual procedure to verify whether you are infected, and to clean the infection, is available at:
http://download.nai.com/products/mcafee-avert/documents/combating_w32_conficker_worm.pdf
by timb@machine.org.uk (Tim Brown) at March 27, 2009 04:54 PM

by timb@machine.org.uk (Tim Brown) at March 17, 2009 12:06 AM
Debian released version 5.0 (aka lenny). You can read the announcement here. The first upgrade to lenny on a testing server went well. No problems at all. A few notes regarding the packages I use: mod-security is not in the default repositories due to a late fix. Also, they have only the client for OpenVAS available in the repositories. Hope they will fix it in later revisions...
Anyway, you can read more about the mod-security legal saga in Lenny here. An unofficial apt repository for mod-security can be reached here.
Sujit Ghosal
sghosal@secpod.com
Security Research Analyst
We had earlier released a SecPod plugin for Nessus for the MS08-067 vulnerability. That plugin required SMB credentials in order to work.
We have now made the exploit code for this much talked about vulnerability available here. It has been tested with Nessus and OpenVAS and works well on Microsoft Windows 2000, XP and 2003. It doesn’t require any credentials to be supplied. Since it crashes the Server service on the target system (a Windows 2000 system restarts), you’ll have to restart the Server service afterwards. Exercise caution!
Microsoft Bulletins - Sept08
Four security bulletins were released, addressing 8 security vulnerabilities; all are rated Critical.
1. MS08-052 - GDI+ Remote Code Execution Vulnerability
2. MS08-053 - Windows Media Encoder 9 Remote Code Execution Vulnerability
3. MS08-054 - Windows Media Player Remote Code Execution Vulnerability
4. MS08-055 - Microsoft Office Remote Code Execution Vulnerability
More details can be found here. Also we have released SecPod Plugins for Nessus.
One critical vulnerability, MS08-052, requires considerable effort to patch. When we searched for gdiplus.dll (the vulnerable file) on one system, it turned up in 23 different locations, all with different sizes and file versions. This indicates that each application has been bundled with its own version of the GDI+ library.
The first step towards applying the patch is to manually download the patches from the Microsoft Bulletin and apply each of them as listed against its category of applications. Windows Automatic Update will not help here. Secondly, list all the applications that use GDI+ (search for gdiplus.dll) and see whether you can overwrite those files with the latest versions (this may not work for all applications, as each is bundled with a different version and size). Use care when running these applications. Hopefully each vendor will update their software separately and soon.
Antivirus XP 2008
Be careful with what you click! This Trojan makes you believe that there are viruses/worms on your computer, makes you download a file named XPantivirus2008_v880421.exe (v880421 is a variable component of the file name) and installs another executable named xpa.exe, which is a worm. It creates entries in multiple locations including Program Files and the Windows Registry, and also adds an entry to the System Startup so that it can reappear after a reboot.
This was actually reported to us by an infected user who also reported that many users in Australia are affected. The worm is described in more detail here.
Action:
1. Do not open any link that claims to clean viruses/worms existing on your computer.
2. If you are already infected, AVG Free has cleanup support and others are adding it as well, so run your AV scanner.
3. We have a Snort signature written for this.
SQL injection attacks are techniques used by attackers to inject malicious SQL queries into web applications in order to steal information from the backing database.
SQL injection attacks are on the rise, and these days attackers are targeting social networking sites, online shopping cart pages and other such web-based applications. Attackers use search engines to find vulnerable pages. For example, the search query ‘.*mysql_query\(.*\$_(GET|POST).* ‘ in Google Code Search will yield vulnerable pages that construct SQL queries directly from user-supplied form inputs.
Web application developers should follow best practices. Do’s: always filter and escape user input; always run with minimum privileges. Don’ts: do not trust user input; do not dynamically generate SQL queries from it.
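To make the Do’s and Don’ts above concrete, here is an added example (not code from the original post or from any of the projects mentioned) showing the same user lookup written three ways against an in-memory SQLite database with constructed sample rows: the dynamic string-building anti-pattern, a parameterized query, and input filtering in front of the parameterized query. It also shows the minimum-privilege point with SQLite’s query_only pragma standing in for a read-only database account; the table, column and sample names are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration; not data from any real site.
SAMPLE_USERS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
    (3, "carol", "pa55w0rd"),
]

# Expected shape of a user name: the "filter" half of "filter and escape".
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The anti-pattern the post warns against: the SQL text is assembled from
    user input, so the input can change the structure of the query itself."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: a placeholder passes the input as data, never as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def lookup_filtered(conn, name):
    """Defence in depth: reject input that does not match the expected shape,
    and still use a parameterized query for whatever passes the filter."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("user name contains unexpected characters")
    return lookup_parameterized(conn, name)


def make_query_only(conn):
    """Minimum privilege, SQLite style: a query-only connection cannot modify
    data even if an injection gets through. A real deployment would instead
    give the web application a dedicated low-privilege database account."""
    conn.execute("PRAGMA query_only = 1")
    return conn


def can_write(conn):
    """Return True if the connection is allowed to modify the users table."""
    try:
        conn.execute("UPDATE users SET password = 'changed' WHERE id = 1")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = make_db()
    tainted = "' OR '1'='1"  # classic input that rewrites the WHERE clause
    print("vulnerable:", lookup_vulnerable(db, tainted))        # every row leaks
    print("parameterized:", lookup_parameterized(db, tainted))  # no such user
    try:
        lookup_filtered(db, tainted)
    except ValueError as exc:
        print("filtered:", exc)
    print("writable before:", can_write(db), "after:", can_write(make_query_only(db)))
```

The vulnerable function returns all three rows for the tainted input because the quote characters close the literal and append a tautology; the parameterized function returns nothing because the whole string is compared as a name. Filtering first gives a clear error before the database is touched, and the query-only connection shows why the application’s database account should never have more rights than the page needs.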
Any message that appears to have come from a friend in the network is trusted by default. Because of this, social networking sites are easy targets for worm writers looking to spread an attack. Behavioral analysis is also possible given the enormous amount of content available, so a targeted attack based on an individual’s interests becomes feasible.
The recently identified MySpace/FaceBook worm is one example of such an attack: it transforms the victim’s machine into a zombie computer that can be used in a botnet. The worm creates spam messages and sends them to users in the friends network through the infected user’s account. The messages include: Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments.
Upon clicking these links, a message appears saying the latest Flash player is required, and it downloads codecsetup.exe, which is the worm.
Kaspersky coverage is here.