OpenVAS

gsa 1.0.2 released

2010-08-17T22:00:00+00:00

The OpenVAS developers are happy to announce the release of gsa 1.0.2. This is the second maintenance release for the 1.0 series of GSA (Greenbone Security Assistant), an OMP web client for the Open Vulnerability Assessment System (OpenVAS).

It fixes an issue which caused users using Microsoft Internet Explorer to be unable to access individual NVT families from the "Edit Network Vulnerability Test Families" page.

Many thanks to everyone who has contributed to this release: Matthew Mundell and Michael Wiegand.

Main changes since 1.0.1:
* An issue which caused NVT family to be improperly submitted when using Microsoft Internet Explorer to edit NVT families has been fixed.

The source tarball for this release is available for download from the OpenVAS website at http://www.openvas.org/. Binary packages for major GNU/Linux distributions by third parties are expected in the following weeks.

openvas-manager 1.0.2 released

2010-08-17T21:57:00+00:00

The OpenVAS developers are happy to announce the release of openvas-manager 1.0.2. This is the second maintenance release for the 1.0 series of the openvas-manager module for the Open Vulnerability Assessment System (OpenVAS).

It fixes a bug which could cause changes in derived scan configs to affect predefined scan configs under certain circumstances.

Many thanks to everyone who has contributed to this release:
Matthew Mundell and Michael Wiegand.

Main changes since 1.0.1:
* A bug which could cause changes in derived scan configs to affect predefined
scan configs under certain circumstances has been fixed.

The source tarball for this release is available for download from the OpenVAS website at http://www.openvas.org/. Binary packages for major GNU/Linux distributions by third parties are expected in the following weeks.

XSS Vulnerability in ZeusCart Shopping Cart [0day]

2010-08-05T11:05:54+00:00

Folks,
SecPod Research Team member (Sooraj K.S) found an XSS flaw in ZeusCart Ecommerce Shopping Cart, which can be used to gain sensitive information and launch further attacks. The flaw lies in the search parameter while ZeusCart web app processes the user-supplied input and renders the content back to the client’s browser. The flaw can be exploited to inject arbitrary HTML codes and steal cookies and so on.

Currently, all the latest versions of ZeusCart Ecommerce Shopping Cart are affected by this vulnerability.

More information on this flaw can be found here.

openvas-libraries 3.1.2 released

2010-08-04T23:26:00+00:00

The OpenVAS developers are happy to announce the release of openvas-libraries
3.1.2. This release fixes a build issue that was discovered after the release
of openvas-libraries 3.1.1.

Many thanks to everyone who has contributed to this release:
Michael Wiegand.

Main changes compared to 3.1.1:
* A bug in the WMI interface stub which caused the build to fail when
configured without WMI has been fixed.

The source tarball for this release is available for download from the OpenVAS
website at http://www.openvas.org/. Binary packages for major GNU/Linux
distributions by third parties are expected in the following weeks.

Command line client 1.0.0 released

2010-08-04T23:25:00+00:00

OpenVAS CLI 1.0: Full command line client for OpenVAS Manager 1.0 now available

The OpenVAS CLI package contains the command line tool "omp" which allows to send any
command of the OpenVAS Management Protocol (OMP) in original form and some of
the commands as short cuts. This allows to create batch processes for remote
control of OpenVAS.

OpenVAS CLI is Free Software (Open Source), licensed
under GNU General Public License Version 2 or any later version.

The OpenVAS development team offers support for any efforts to create binary
packages for the various Linux distributions in order have this new tool
readily available for users as soon as possible. Please use our openvas-distro
mailing list for this purpose.

Web-Client GSA 1.0.0 released

2010-08-04T23:25:00+00:00

Greenbone Security Assistant (GSA) 1.0: Full web-client for OpenVAS Manager 1.0 now available

GSA 1.0 represents almost 2 years of intensive work. The mission of GSA is to be
a web client to the OpenVAS Manager 1.0 via the OpenVAS Management Protocol (OMP).

GSA offers a complete implementation of OMP in order to access all features
to organize and manage OpenVAS vulnerability scans. Additionally, GSA
optionally acts as a client for the upcoming openvas-administrator using the
OpenVAS Administration Protocol (OAP) which allows e.g. management of scan users.

Central features of Greenbone Security Assistant are:

* Full OMP 1.0 client. The XML-based OMP responses are transformed into
web pages via XSLT.

* No additional web-server required. The GSA daemon (gsad) uses microhttpd
to implement a HTTP service on its own.

* Plain HTML. Neither cookies, JavaScript nor other dynamic elements are used.
GSA works stateless and uses HTTP Basic Auth.

Greenbone Security Assistant is Free Software (Open Source), licensed
under GNU General Public License Version 2 or any later version.

The OpenVAS development team offers support for any efforts to create binary
packages for the various Linux distributions in order have this new server
readily available for users as soon as possible. Please use our openvas-distro
mailing list for this purpose.

gsa-desktop 0.1.0 released

2010-07-29T14:20:00+00:00

Those of you watching the SVN commits and the OpenVAS website closely will
already have noticed it: Our newest OpenVAS module just had it's first
release.

The newest member of the OpenVAS family is called gsa-desktop and is a Qt
based OMP client with the ultimate goal of providing an alternative to the
Gtk based OpenVAS-Client while offering the full potential of OMP.

We invite you to try out gsa-desktop and are looking forward to your feedback.

Please keep in mind that gsa-desktop is still in an early stage and does not
yet cover all the functionality provided by OMP. Please read the INSTALL and
README files provided and feel free to ask on the OpenVAS mailing lists if
you have questions.

OpenVAS Manager 1.0 released

2010-07-29T13:44:00+00:00

Substantial Technology Adance: Vulnerability Management with OpenVAS Manager 1.0

OpenVAS Manager 1.0 represents almost 2 years of intensive work. The mission of
OpenVAS Manager is to offer powerful and comfortable vulnerability management on
top of the actual vulnerability scanner, OpenVAS Scanner 3.1.

The OpenVAS Manager is a layer between the OpenVAS Scanner and various client
applications. The upcoming clients cover web, desktop and command line
technology and will replace the classic OpenVAS Client.

Central features of OpenVAS Manager are:

* New XML-based protocol OMP (OpenVAS Management Protocol) which client tools
use to control scans, results, etc.

* SQL database where configurations, scan results etc. are stored. Thus, clients
do not need to keep local storage anymore.

* Full control of scan processes. This includes multiple concurrent scans as
well as stopping, pausing, resuming and not at least the scheduling of scans.

* Management of scan notes, false positives and result escalators (notification
on finished scans).

OpenVAS Manager is Free Software (Open Source), licensed under GNU General
Public License Version 2 or any later version.

The first compatible client application to be released will be the web client
GSA (Greenbone Security Assistant), approximately next week.
Beta- and alpha versions of various clients are already available for download.

The OpenVAS development team offers support for any efforts to create binary
packages for the various Linux distributions in order have this new server
readily available for users as soon as possible. Please use our openvas-distro
mailing list for this purpose.

OpenVAS libraries and scanner 3.1.0 release

2010-07-29T13:42:00+00:00

OpenVAS libraries

The OpenVAS developers are happy to announce the release of openvas-libraries
3.1.0. This release adds a number of new features, for example support for
NTLMSSP, for LDAP authentication, for preference file uploads to memory, for
logging messages to syslog and for scanning virtual web hosts.

Many thanks to everyone who has contributed to this release:
Tim Brown, Geoff Galitz, Stephan Kleine, Goran Licina, Michael Meyer, Matthew
Mundell, Raimund Renkert, Preeti Subramanian, Jan-Oliver Wagner, Michael
Wiegand and Felix Wolfsteller.

Main changes compared to 3.0.5:
* Code cleanup: Code from openvas-administrator and openvas-manager which
could be more appropriately placed in openvas-libraries has been moved here.
* Initial support for LDAP authentication has been added.
* IPv6 support has been improved.
* Support for building parts of openvas-libraries on Windows has been added.
* Support for reading preference file uploads from memory instead of from disk
has been added.
* Support for NTLMSSP has been added.
* Authentication mechanism extended to support LDAP and ADS.
* An issue which caused SSH logins with RSA keys on remote systems to fail
under certain circumstances has been fixed.
* Support for logging to syslog has been added.
* Support for scanning virtual web hosts has been added.

The source tarball for this release is available for download from the OpenVAS
website at http://www.openvas.org/. Binary packages for major GNU/Linux
distributions by third parties are expected in the following weeks.

OpenVAS scanner

The OpenVAS developers are happy to announce the release of openvas-scanner
3.1.0. This release adds a number of new features, for example support for
soft pausing of scans, for retrieving the version of an installed NVT
collection, for automatically installing generated client certificates, for
storing uploaded preference files in memory, for dropping privileges for NASL
and NES NVTs and for scanning virtual web hosts. It also contains updated
feed synchronization scripts and removes legacy support for passwords stored
in plaintext (see OpenVAS change request #31,
http://www.openvas.org/openvas-cr-31.html).

Many thanks to everyone who has contributed to this release:
Geoff Galitz, Michael Meyer, Matthew Mundell, Jan-Oliver Wagner, Michael
Wiegand and Felix Wolfsteller.

Main changes compared to 3.0.2:
* Support for storing scanner passwords in plaintext has been removed.
* Support for dropping privileges in NASL and NES NVTs had been added.
* Support for scanning virtual web hosts has been added.
* The handling of NVTs with an invalid timestamp has been improved.
* A bug in the openvas-nvt-sync script which prevented synchronization via
http under certain circumstances has been fixed.
* Support for retrieving the version of the NVT collection has been added to
the openvas-nvt-sync and greenbone-nvt-sync scripts.
* Support for soft pausing of scans has been added.
* Support for automatically installing generated certificate file has been
added to the openvas-mkcert-client script.
* The obsolete C based NVT "ssl_cipher" has been removed from the
openvas-scanner module. It has been replaced by the NASL
implementation "secpod_ssl_ciphers.nasl".
* Support for storing an uploaded preference file in memory instead of on disk
has been added.

The source tarball for this release is available for download from the OpenVAS
website at http://www.openvas.org/. Binary packages for major GNU/Linux
distributions by third parties are expected in the following weeks.

Dumping Samba hashes

2010-07-04T21:16:01+00:00

So the other day, I was pondering whether it might be possible to use the passwords Samba stores as a crib to crack Unix level passwords. On my home NAS, Samba uses a plain text smbpasswd file like so:...

New OpenVAS 3.1 Release Candidates(rc2) released

2010-06-30T21:38:00+00:00

The OpenVAS developers are happy to announce the release of the second set of release candidates for the upcoming 3.1.0 release of both openvas-scanner and openvas-libraries.

Changes compared to the 3.0.x version include NTLMSSP support, improved IPv6 support, support for uploading preference file into memory and for soft pausing of scans. The latest set of release candidates adds support for LDAP and ADS authentication, scanning virtual web hosts, syslog logging and privilege dropping among other improvements and fixes. For more information please check the CHANGES file provided with each module.

Source tarballs for the two modules are available at
http://wald.intevation.org/frs/download.php/749/openvas-libraries-3.1.0.rc2.tar.gz
and
http://wald.intevation.org/frs/download.php/750/openvas-scanner-3.1.0.rc2.tar.gz

Binary packages for the major GNU/Linux distributions by third parties are expected in the following weeks.

Many thanks to everybody who has made this release possible.

Defcon 18 CTF qualifiers: who is the h4x13st h4x0r of them all

2010-05-24T23:13:06+00:00

Finally, the 3rd challenge that I solved was to correctly order a series of well known faces from coding, hacking and cryptography. The faces were presented via a Java client which downloads pairs of images in turn and presents them to the user. The user then selects one as more important than the other and the client submits this back to the server. If the selection was correct then a new pair is returned whilst if incorrect the server returns a flag which indicates this and the client terminates....

Defcon 18 CTF qualifiers: all about the boobs

2010-05-24T20:30:14+00:00

The second challenge that I solved was f200, ostensibly a forensic challenge but as we will see in the next few paragraphs, more a case of knowing the right tools for the job. This challenge got delivered as a .tar.lzma file which is Ark from the KDE project is eaily able to open. Inside were a large number of varying sized (but small) .png files. .png files don't normally carry metadata but I ran strings across them to check as I wasn't too sure what to expect....

Defcon 18 CTF qualifiers: a non-exhaustive write up

2010-05-24T19:45:18+00:00

I say non-exhaustive, it doesn't cover all of the CTF qualifiers, or even everything the team I played with achieved. It does however document some of the challenges I played and my successes and failures. Over the course of the 55 hours in which the game was in play, I must have looked at all of the challenges, either from the start or to help my friends when they got stuck....

Building latest (stable) OpenVAS

2010-05-23T09:15:00+00:00

In case you're tired of building latest versions of OpenVAS when each new (stable) release comes out, there is nice script on OpenVAS trunk which can help you in building OpenVAS (once you satisfy dependencies).

It is located in trunk/tools directory on Subversion, but if you don't like to use Subversion just to grab this script, you can look up build-openvas-3-x.sh script on the web or download latest version of build-openvas-3-x.sh directly.

How to proceed with the build? Very simple! Just say something like this:

SUDOCMD="sudo" sh build-openvas-3-x.sh

Script will automatically download latest version, build it and install it to /opt/openvas-current-date (for example: /opt/openvas-2010-05-23).

There is also other options which you can pass as environment variable to the script, but you can look it up in the script source (there is some examples in the comment section). For the sake of completeness, here are few examples:

SUDOCMD="sudo" sh build-openvas-3-x.sh
OVNOCLI="yes" sh build-openvas-3-x.sh
OPENVASPATH="/opt/openvas-3" sh build-openvas-3-x.sh
OVSKIPLATEST="yes" sh build-openvas-3-x.sh
OVSKIPRM="yes" sh build-openvas-3-x.sh
OVSKIPBUILD="yes" sh build-openvas-3-x.sh
OVSKIPRM="yes" OVSKIPBUILD="yes" sh build-openvas-3-x.sh

Have a pleasant scanning with the OpenVAS! :)

OpenVAS LiveCD/Virtual machine - version 1.0

2010-05-21T10:10:00+00:00

Trying out OpenVAS can be as easy as starting a VM image or a Live-CD.

Two versions are available: OpenVAS Server providing just the scan engine framework to be used via a browser or OpenVAS Management Protocol (OMP) clients. And OpenVAS Desktop which adds a desktop to the server including the OMP clients and immediately offers a graphical user interface to OpenVAS after booting.

Please note that both, OpenVAS Server and OpenVAS Desktop, are for demonstration and are not recommended for regular production uses, particularly for more than a few hosts depending on local system resources. The OpenVAS scanner is resource intensive and may take a long time to start on slower systems, especially when run as a VM on laptops.
Login credentials are dynamically generated on firstboot of the appliance and are specified at the console.

Tested with: VirtualBox 3.x, VMWare Workstation 6.5 and XenServer 5.5.0.

For more information go to: http://openvas.org/vm.html

0x3e3e7f56 ^ 0x585f163a = "fail"

2010-01-11T19:36:18+00:00

On a job recently, I was asked to look at a Sarian GSM router, specifically the configuration files for the device. This was interesting as it had a number of obfuscated strings which were clearly credentials but for which I didn't know the plain text values. A quick Google allowed me to pull up a document from Juniper on how to configure their devices to establish an IPsec tunnel with one. You'll document had an example configuration file for the Sarian which gave the default credentials in both plain and obfuscated form. Returning to the configuration I had been given, it was clear that my device had different credentials which left me with a bit of a problem. Having noticed that the obfuscated and plain text strings were of the same length, which is indicative of a stream cipher, I decided to check whether the algorithm used by Sarian was xor based or whether it was in fact using a more secure stream cipher. The below perl code shows how I did this:...

SSHatter 1.0 is coming...

2009-12-10T02:02:25+00:00

Well, it's taken a while (lots of other interesting stuff to keep me busy) but I'm pleased to announce that SSHatter 1.0 is almost ready for release. I tagged a private 0.9 release last night and assuming no major bugs are identified I'd expect that 1.0 will be released over the weekend. So what can you look forward to in SSHatter 1.0? Well, I've taken a long hard look at what other tools exist (notably keimpx by one of my colleagues which aims to take the pain out of large Windows networks). The upshot is that SSHatter 1.0 as been rebuilt for exploitation. Take a look at the session below which should give you some idea of what to expect:...

If you're happy with your ekey

2009-11-12T10:19:00+00:00

C                                       G
If you're happy with your ekey, blog your praise

                                      C
If you're happy with your ekey, blog your praise

       F                              C
If you're happy with your ekey, then your blog will surely show it.

       G                              C
If you're happy with your ekey, blog your praise

Remote OpenVAS check for MS09-050

2009-10-15T12:07:20+00:00

MS09-050 addresses the much talked about SMB2 Negotiation vulnerability. A crafted SMB packet could crash the Windows Vista/2008 systems with blue screen.

The OpenVAS plugin for checking MS09-050 hotfix is now available in the svn. This doesn’t require any credentials. The patched system responds differently to a particular SMB negotiation request (a crafted PID’s low_id field) from an un-patched system. The response is verified to confirm if the patch is installed. This has been tested on Windows Vista and 2008.

Notes from a HAR (2009)

2009-09-23T04:09:42+00:00

Last month myself and a number of my team had the distinct pleasure of attending HAR 2009. Since a lot of good folk missed it, here are some notes I made on my personal highlights of the conference....

(1`) K@*V s>uZ >.1H#g -@(w< p[Zo 6;`D Qb`-j_ ys '@aa i@RJ %gu G~i8 H".hz.S SlZd

2009-09-01T12:49:00+00:00

maulkin@cheshire:/usr/share/doc/ekeyd$ cat /proc/sys/kernel/random/entropy_avail 
4096

Thanks to my eKey.

The lifecyle of a NASL #1

2009-07-18T02:35:41+00:00

One of the things that keeps me interested in OpenVAS, apart from the beer is writing new NASLs. I write them for several reasons, either to check for a vulnerability myself or a colleague has found, for interesting vulnerabilities others have reported or in many cases to check for issues where an advisory isn't appropriate but where a trivial issue may exist for which the manual check might be forgotten....

Microsoft Bulletins Plugins – Jul09

2009-07-15T18:25:54+00:00

OpenVAS plugins for Microsoft Security Bulletins – July 2009 are now available in the SVN repository. The plugins can be also synced via openvas-nvt-sync method.

There were 6 bulletins in total, including the much in-news Video ActiveX control (MS09-032)

I'm going to 4096R!

2009-05-11T16:36:00+00:00

B345BDD3 → A40F862E

OpenVAS Crosses 10000 NVT’s (plugins)

2009-04-17T04:56:42+00:00

The news…

Passing the 10000th Network Vulnerability Test (NVT) is a perfect occasion to report about the progress of the OpenVAS project[1].

In October 2008 the systematic development of new NVTs started with a base of around 5800 Tests. With the release of OpenVAS 2.0 in December 2008, the development was boosted and has now reached an average of 10 code updates per day. The public OpenVAS NVT Feed Service delivers 3-10 new vulnerability tests every day.

The significantly grown and globally distributed developer team will gather at the second OpenVAS developers conference[2] July 9-12 2009 in Germany. During the conference features and a roadmap for OpenVAS 3.0 will be scheduled.

The OpenVAS project is backed by a number of companies, which also supplement the project with professional services[3]. These companies include Greenbone Networks, SecPod, Intevation and SecuritySpace.
“Reaching the professional enterprise market is a good indicator that OpenVAS gained maturity very fast” says Tim Brown, founder of the OpenVAS project.

While OpenVAS 3.0 will likely appear in 2009, users of OpenVAS 1.0 should prepare to migrate as support for 1.0 will end during 2009.

Regards,

Michael Wiegand

[1] http://www.openvas.org
[2] http://www.openvas.org/openvas-devcon2.html
[3] http://www.openvas.org/professional-services.html

Microsoft Bulletins Plugins – Apr09

2009-04-17T04:53:00+00:00

OpenVAS plugins for Microsoft Bulletins – April 2009 are now available in OpenVAS. Update your OpenVAS plugins by running openvas-nvt-sync or download from the SVN directly.

MS08-067 (Conficker worm) detection – OpenVAS plugin

2009-04-01T04:14:17+00:00

Conficker worm variants A, B and C are dependent on vulnerability in Microsoft server service. Microsoft had released an advisory MS08-067 back in October 2008 to address the above vulnerability. As was expected at that time, number of attacks are spreading, major one being Conficker worm.

We have plugins for OpenVAS,
900055 – secpod_ms08-067_900055.nasl
900056 – secpod_ms08-067_900056.nasl

to detect patch condition of MS08-067. The plugin 900055 requires SMB credentials and verifies if the required hotfix is installed through Windows Registry and verifying the updated file versions. The plugin 900056 is a Proof of Concept exploit that tries to crash the server service (safe_checks has to be disabled). This can work on anonymous login credentials if the target system allows anonymous login (Windows 2000 by default allows anonymous login). The plugin checks the RPC response status of an un-patched system.

If your system is found to be vulnerable, make sure to run the AV scanners to see if you are infected by Conficker worm. All major AV vendors have signature. Manual procedure to verify if you are infected is and also to clean is available at,

http://download.nai.com/products/mcafee-avert/documents/combating_w32_conficker_worm.pdf

Analysing PinSentry

2009-03-27T16:54:10+00:00

Since Ahead Of The Times took their PinSentry apart, I thought it was about time to share my analysis thus far of the numbers it generates:...

It's that time of year again...

2009-03-20T20:47:00+00:00

Yay! Debian is in the Google Summer of Code!
We've had a suggestion today for a GUI that makes Debian packages. Here's my mock up:

If you have any better ideas, please submit them at http://wiki.debian.org/SummerOfCode2009.

Shellcode for setuid(0) + execve("/bin/sh") on x86_64 GNU/Linux

2009-03-17T00:06:53+00:00

There are many people that know more about the black arts of low-level exploitation than me. Fact. Shell code isn't that novel and that with only 30 or 40 bytes to play with chances are high that someone else will have done it first. Fact. However, in the spirit of learning, I proudly present my first working(?) shellcode. It's a small chunk of AT&T style assembly for the x86_64 architecture running GNU/Linux which calls first setuid(0) and secondly execve("/bin/sh") for use in local exploits. I've attempted to document each and every line of code, so maybe it will be of some use to others that are yet to embark on this journey....

Exploit Shield

2008-12-30T06:37:51+00:00

Introduction

In the arena of computer security and exploitation world, we come across with many security tools. Some of them are quite useful and some of them you just have to plug it in and plug it out in few days. However, currently the antivirus company, F-Secure has developed an application called Exploit Shield which is mainly prioritized on giving dynamic protection to Zero-Day vulnerabilities. I won’t go that much of deep analysis for its internal mechanism but I will be discussing an overview of this tool, how this works etc. in the next phase.

Overview

F-Secure Exploit Shield is a tool developed completely in C and C++ (using GFx libraries), designed to protect the machines responsively and proactively. And the scheme/type of detection and defence method can be set by the end user. If user wants to keep track of the attack logs only or if the user wants to protect the machine immediately once it detects any malicious activities which can be customized through this tool. This tool is currently developed for Windows box and its in Beta state as lots of new features has to be added and lots of bugs are to be fixed yet! This product can be downloaded from their labs page in free. It comes with a straight forward installer and gets installed in less than one minute. It takes less resource from your CPU and hooks itself into the system once you install the application in your win box.

Tech Overview

Once the application gets installed into the system it makes itself hooked into the system APIs. Then it starts monitoring the user’s activities and alerts/blocks any unknown client side vulnerabilities which may affect the system. It checks for some generic shellcode patterns, malicious IE/Firefox objects which affects the system security. It also monitors the user’s browsing activities and if any malicious code is found in the current web page then either it blocks the attack by showing an alert in the victim’s web browser (IE/Firefox) or it will log the attack details in a log file which can be verified by the user later and take proper actions against it. As it hooks into the system APIs so it slightly slows down the rendering speed of pages as it works as a MITM (Man-in-the-middle) communication between the user and the browser, but the page rendering speed is quite insignificant and can be ignored as security matters at the end of the day! Once it blocks any attacks then it shows the alert in the browser itself immediately having the exploit type and its details. This tool is basically aimed at blocking most of the browser vulnerabilities. And as per the current Microsoft Security Advisory (961051), which is declared as a critical vulnerability, this tool does the job very well against blocking those vulnerabilities.

Pros

Real time monitoring of user browsing activities and immediate action on the detected attack.
Installer and Application is very user-friendly and self-explanatory.
Updates the attack detection modules automatically from the F-Secure server so that the end-user doesn’t have to care about updating it manually as some application does.
Catches most of the known IE and Firefox vulnerabilities in real-time.
Feature to detect malicious ActiveX controls and applying the hot patches immediately so that the user doesn’t have to follow the manual processes to set the registry kill bit values to block that exact activex object execution in Internet Explorer.

Cons

While uninstalling, the application reboots Windows immediately without any alerts where as it should let
the user reboot the system at later time or immediately.

Conclusion

As we know the tool is still in Beta state, so still there are lots of new features and modifications required which will be added in the next releases. But this tool should be a must have for everyone who is really concerned about security as its very light weight to use and very user friendly also.

Sujit Ghosal
sghosal@secpod.com
Security Research Analyst

SecDigest – MS08-067 Exploit

2008-10-31T13:37:52+00:00

We had earlier released SecPod plugin for Nessus for MS08-067, vulnerability. The plugin required SMB credentials for it to work.

We have now made available the exploit code for the much talked about vulnerability in here. This has been tested with Nessus and OpenVAS and works well on Microsoft Windows 2000, XP and 2003. This doesn’t require any credentials to be supplied. Since this crashes the server service on the target system (Windows 2000 system restarts), you’ll have to restart the server service. Exercise caution!

SecDigest – MS08-067

2008-10-24T07:56:07+00:00

The advisory released by Microsoft yesterday, MS08-067, calls for immediate update. The vulnerability is actively being exploited. We have the SecPod plugin for Nessus and OpenVAS available here, scan your system quickly and run the missing update.

SecDigest – 09-10-2008

2008-09-10T15:40:54+00:00

Microsoft Bulletins – Sept08

There are 4 security bulletins released addressing 8 security vulnerabilities and all are Critical.

1. MS08-052 – GDI+ Remote Code Execution Vulnerability

2. MS08-053 – Windows Media Encoder 9 Remote Code Execution Vulnerability

3. MS08-054 – Windows Media Player Remote Code Execution Vulnerability

4. MS08-055 – Microsoft Office Remote Code Execution Vulnerability

More details can be found here. Also we have released SecPod Plugins for Nessus.

One critical vulnerability, MS08-052 requires considerable effort to deploy the patches. When we did a search for gdiplus.dll (vulnerable file), in one of the system, it returned 23 different locations where it exists and all are of different sizes and file versions. This indicates that each applications have been embedded with different version of GDI+ library.

First step towards applying the patch would be manually downloading the patches from Microsoft Bulletin and applying each of them listed against category of applications. Windows Automatic Update will not help here. Secondly, list out all the applications that are using GDI+ (search for gdiplus.dll) and try and see if you can overwrite those files with the latest versions (This may not work for all applications, as each is bundled with different versions and size). Apply thought while using these applications. Hopefully each vendor will update their software seperately and soon.

SecDigest – 08-25-2008

2008-08-25T13:51:26+00:00

Antivirus XP 2008
Be careful with what you click! This Trojan makes you believe that there are viruses/worms in your computer, makes you download a file named XPantivirus2008_v880421.exe (v880421 is a variable component in the file) and installs another executable named xpa.exe which is a worm. This will create entries in multiple locations including ProgramFiles, Windows Registry and also adds an entry in the System Startup so that it can reappear after reboot.

This was actually reported to us by an infected user who also reported that many users in Australia are affected. The worm is described in more detail here.

Action:
1. Do not open any link that claims to clean the Virus/Worms existing on your computer
2. If you are already infected, AVG Free has cleanup means and others are adding as well, so run your AV scanner.
3. We have Snort signature written for this.

SQL Injection Attacks, on the rise!

2008-08-21T13:34:51+00:00

SQL injection attacks are the techniques used by hackers to inject malicious SQL queries into the Web Applications to steal information from the stored database.

SQL injection attacks are on the rise and these days attackers are targeting Social Networking Sites, Online Shopping Cart web pages and other such web based applications. Search Engines are used to search vulnerable pages by attackers. An example search query ‘.*mysql_query\(.*\$_(GET|POST).* ‘ in
Google Code search will yield vulnerable pages which are constructing SQL queries from the user supplied inputs in the Forms.

Web application developers should go with best practices like, Do’s: Alway Filter and Escape user inputs, always go with minimum privileges. Don’t’s: Do not trust user inputs, do not dynamically generate sql queries.

Attacks targeting social networking sites

2008-08-20T10:40:28+00:00

Any message that appears to have come from a friend in the network is trusted by default. By this nature, social networking sites are the easy targets for worm writers to spread the attack. Also, behavioral analysis is possible by looking at enormous amount of content available. An attack that is targeted is thus possible, based on individual’s interest.

The recently identified MySpace, FaceBook worm is one example of such an attack, which transforms victim’s machine into a zombie computer that can be used in the botnet. This worm creates spam messages and sends them to users in the friends network through infected user’s account. The messages include Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments.

Upon clicking these links, a message appears saying latest Flash player is required and it downloads codecsetup.exe which is a worm.

KasperSky coverage is here