
Security News #0x31- Security Claus comes to town

You know, you take a few days off, and the whole security world seems to come to an end. Vulnerabilities in Internet Explorer, Java, PostgreSQL, Rails, NVidia, Nagios, Cisco phones, and even the venerable WRT54GL all make the list. My student remarked: “It’s like Security Claus came to visit…”

  • CVE-2012-4792, the most recent Internet Explorer vulnerability, did not get patched as part of the regular Patch Tuesday rollout in January. The good news is that it was patched later, in MS13-008.
  • An older Microsoft Internet Explorer vulnerability, CVE-2011-1996, patched in MS11-081, has gotten its own Metasploit module, named Microsoft Internet Explorer Option Element Use-After-Free. The module targets IE 8 on Windows XP, Vista, and 7, while the vulnerability affects IE 6 and 7 as well. Eric Romang has some of the story on his blog.
  • There is another vulnerability in Java, this one affecting Java 7 up to and including Update 10; it does not affect Java 6. The story was first broken by @Kafeine, and AlienVault Labs quickly followed up with some preliminary details. It has been labelled CVE-2013-0422 and appears to be the result of a number of related problems that together allow arbitrary code execution. A module was quickly added to Metasploit, called Java Applet JMX Remote Code Execution, and Eric Romang has a demo of the module in action. How did this problem end up in Java? Ars Technica reports claims that this new problem is possible because the patch released for an earlier Java vulnerability was incomplete. The US Computer Emergency Readiness Team (US-CERT) does not recommend uninstalling Java, but it does recommend disabling it in the browser; the folks at Sun have detailed instructions. I just ended up uninstalling it; we’ll see if I need it later. Am I being paranoid? Maybe, but it appears that the latest Java patch (Java 7 Update 11) does not even completely fix the problem. Oh yeah: Brian Krebs is reporting that new Java exploits are being circulated for the low, low price of $5,000, while Threatpost reports that researchers have been able to bypass the patch and continue to exploit the latest release. Who is paranoid again?
  • We mentioned a SQL injection problem in Ruby on Rails in our last news update; the CVE numbers for that problem have since been changed to CVE-2012-6496 and CVE-2012-6497. Those vulnerabilities affected Rails up to 3.2.9. Now there is a new problem (CVE-2013-0156) that affects those recently patched installs as well, causing trouble up to and including 3.2.10. This one is more severe, as it affects all installations and can result in code execution on the server. The problem is in how Rails parses XML parameters; the folks at Insinuator have a description, and you may also want to read Ars Technica’s take. Ronin has some of the technical details. Metasploit has a pair of modules, one to scan for the problem and one to exploit it. To assist the good guys, SpiderLabs has ModSecurity rules to help with mitigation.
  • Back around Christmas, Peter Winter-Smith released a PoC attack against NVidia graphics cards. That PoC was subsequently pulled from Pastebin, but SecurityWeek provides a description of the attack. NVidia released an updated driver that addresses this issue.
  • There is also a vulnerability in Nagios 3.4.3: the file history.cgi is vulnerable to a stack-based buffer overflow. Exploit code appeared on Pastebin and soon after in Metasploit, where it is called Nagios3 history.cgi Host Command Execution. Some have labeled this vulnerability CVE-2012-6096, though the Mitre database still lists that number as reserved. You can see a demo of the Metasploit module on Eric Romang’s site.
  • The Register reports that Foxit PDF Reader up to version 5.4.4.1128 is also vulnerable to an unpatched buffer overflow that allows malicious code execution.
  • PostgreSQL allows authenticated users both to write and execute files; the folks at Metasploit have built a module that takes advantage of these features.
  • The Register reports that hackers can now directly attack certain kinds of Cisco Phones, giving them the ability to eavesdrop on conversations.
  • The folks at DefenseCode say that they have a functioning remote root-level 0-day in the venerable Linksys WRT54GL home wireless router. Ouch. Naked Security has some perspective on the issue and some details, and the actual PoC appeared yesterday on Exploit-DB.
  • Tim Tomes has a nice piece on PaulDotCom on how to use features of MySQL to enumerate a file system. Be sure to read to the end!
  • The Debian wiki was attacked and potentially compromised, and all account passwords have been reset.
  • While we are talking about hacked web sites, the folks at Novainfosec have news about a pair of apparent attacks, one against the Goddard Space Flight Center, and the second against a subdomain of DHS.
  • Kaspersky Labs announced the detection of a sophisticated collection of attacks they called Red October aimed primarily at governments in the former Soviet Union.
  • If you are just learning about security and have never cracked a password hash before, then you might want to take a look at what the folks at Texas Tech have put together to demonstrate John the Ripper.
  • At a more advanced level, the folks at Open Security Research have a nice introduction to the basics of DLL injection; it is well worth a read.
  • The Metasploit blog talks about a new free service, called HackaServer, that provides targets on which you can develop your skills. I mean “skillz”.
  • UIC gives an elementary lesson on how to deobfuscate a malicious Java applet.
  • Sherif Eldeeb has an improved way to develop Meterpreter executables.
  • One of the first topics in our capstone course in security is the basics of setting up a DNS server. The 304 Geeks show a nice way to use DNS cache snooping to guess what kinds of AV might be deployed on a network.
  • The folks at Open Security Research have a fantastic piece on how to de-obfuscate URLs. Great reading!
  • Did you know that there is a website that does online code disassembly? Me neither.
  • One of the big advantages to learning cyber security here in Baltimore is that the job market here is red hot!
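The Rails item above says only that the problem is in how XML parameters are parsed. The following is an added example written for this post, not Rails or ActiveSupport code: a miniature model of typed XML parameter coercion that assumes the shape of ActiveSupport's XmlMini `PARSING` table (a `type` attribute mapped to a conversion lambda) and assumes that the published workaround removed the `yaml` and `symbol` entries from that table. The request body, the `WEAK_PARSING` and `HARDENED_PARSING` tables and the helper names are all constructed here.

```ruby
# Added example, not Rails or ActiveSupport code: a miniature model of typed
# XML parameter coercion. It assumes the shape of ActiveSupport's XmlMini
# PARSING table (type attribute -> conversion lambda) and that the published
# workaround deleted the "yaml" and "symbol" entries from it.
require "rexml/document"
require "yaml"

# Weak table: the request body chooses the conversion. "yaml" hands sender-
# supplied text to the YAML loader and "symbol" interns it; both decisions
# are made by whoever sent the request, not by the application.
WEAK_PARSING = {
  "integer" => ->(v) { v.to_i },
  "boolean" => ->(v) { %w[true 1].include?(v.strip) },
  "string"  => ->(v) { v },
  "symbol"  => ->(v) { v.to_sym },       # assumed legacy entry
  "yaml"    => ->(v) { YAML.load(v) },   # assumed legacy entry
}.freeze

# Hardened table: the two risky entries are gone; an unknown type attribute
# is ignored and the value stays a plain String.
HARDENED_PARSING = WEAK_PARSING.reject { |k, _| %w[symbol yaml].include?(k) }.freeze

# Recursively convert an element: leaves become coerced values, branches Hashes.
def node_to_value(node, table)
  children = node.elements.to_a
  if children.empty?
    text = node.text.to_s
    conv = table[node.attributes["type"]]
    conv ? conv.call(text) : text
  else
    children.each_with_object({}) { |c, h| h[c.name] = node_to_value(c, table) }
  end
end

# Parse an XML request body into a params Hash using the given coercion table.
def params_from_xml(xml, table)
  node_to_value(REXML::Document.new(xml).root, table)
end

# Constructed sample request body: the sender has tagged two fields with the
# types that only the weak table honours.
SAMPLE_XML = <<~XML
  <user>
    <name>alice</name>
    <age type="integer">30</age>
    <role type="symbol">admin</role>
    <prefs type="yaml">{theme: dark}</prefs>
  </user>
XML

if $PROGRAM_NAME == __FILE__
  p params_from_xml(SAMPLE_XML, WEAK_PARSING)
  # => {"name"=>"alice", "age"=>30, "role"=>:admin, "prefs"=>{"theme"=>"dark"}}
  p params_from_xml(SAMPLE_XML, HARDENED_PARSING)
  # => {"name"=>"alice", "age"=>30, "role"=>"admin", "prefs"=>"{theme: dark}"}
end
```

The point of the two runs is that with the weak table the sender, not the application, decides which Ruby types get built from the request, whereas with the hardened table an unexpected `type` attribute is simply ignored. A web application firewall rule of the kind SpiderLabs published can block the same `type="yaml"` and `type="symbol"` attributes at the edge while the gem is being upgraded.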
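For the URL de-obfuscation item above, here is an added example that is not code from Open Security Research: a small Ruby normaliser for the tricks an analyst meets most often, namely percent and double encoding, a decoy `user@` prefix in front of the real host, and hosts written as one decimal or hex number or as octal/hex dotted quads. Every sample URL, the `192.168.1.1` address and the function names are constructed for the example.

```ruby
# Added example, not code from Open Security Research: normalise the common
# URL obfuscation tricks (percent/double encoding, a decoy "user@" prefix,
# hosts written as a decimal, hex or octal number) so an analyst sees the
# real destination. All sample URLs below are constructed.
require "uri"
require "ipaddr"
require "socket"

# Decode %XX escapes repeatedly, since double encoding is a classic trick;
# the round cap stops a pathological input from looping forever.
def percent_decode(str, rounds = 3)
  current = str.b
  rounds.times do
    decoded = current.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
    break if decoded == current
    current = decoded
  end
  current.force_encoding(Encoding::UTF_8)
end

# One dotted-quad part in hex (0x7f), octal (0177) or decimal (127); nil otherwise.
def octet(part)
  case part
  when /\A0x[0-9a-f]+\z/ then part.hex
  when /\A0[0-7]+\z/     then part.oct
  when /\A\d+\z/         then part.to_i
  end
end

# Rewrite numeric host spellings as ordinary dotted-decimal IPv4; return
# other hosts unchanged (lower-cased).
def normalize_host(host)
  return nil if host.nil?
  h = host.downcase
  # whole address as one integer, e.g. 3232235777 or 0xc0a80101
  if h.match?(/\A(0x[0-9a-f]+|\d+)\z/)
    n = h.start_with?("0x") ? h.hex : h.to_i
    return IPAddr.new(n & 0xffffffff, Socket::AF_INET).to_s
  end
  # four parts, each possibly octal or hex, e.g. 0300.0250.01.01
  parts = h.split(".")
  if parts.size == 4 && parts.all? { |p| octet(p) }
    return parts.map { |p| octet(p) & 0xff }.join(".")
  end
  h
end

# Describe what the obfuscation was hiding, for the analyst's notes.
def warnings_for(uri, host)
  w = []
  w << "userinfo '#{uri.userinfo}' is a decoy; the real host is #{host}" if uri.userinfo
  w << "host '#{uri.host}' is a numeric spelling of #{host}" if uri.host && uri.host.downcase != host
  w
end

# Decode, parse and normalise one URL; returns a Hash an analyst can log.
def deobfuscate_url(raw)
  uri  = URI.parse(percent_decode(raw.strip))
  host = normalize_host(uri.host)
  {
    scheme:   uri.scheme,
    userinfo: uri.userinfo,
    host:     host,
    port:     uri.port,
    path:     uri.path.to_s.empty? ? "/" : uri.path,
    query:    uri.query,
    warnings: warnings_for(uri, host),
  }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a bank-looking decoy in front of a hex-encoded host,
  # a percent-encoded path and a double-encoded query value.
  p deobfuscate_url("http://www.bank.example@0xc0a80101/%6Cogin?next=%252Fadmin")
end
```

Decoding happens before parsing so that an encoded `@` or `.` in the authority cannot hide the host from the parser, and the numeric rewrite works on the parsed host rather than on the raw string so that digits in the path or query are left alone.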