Security News #0x47

Exploits

• Metasploit has another Java exploit; they call it "Java Applet ProviderSkeleton Insecure Invoke Method" and it works on Java 7 Update 21. It is based on CVE 2013-2460. I tested in on a Windows 8 system (with Windows Defender turned off) using 32 bit Java, and it worked like a charm. The only catch is that the Windows target does need to accept and run the application.
  
• While I am writing about Metasploit, you may recall that this past May, Tavis Ormandy announced a privilege escalation exploit against Windows systems. Some PoC exploit code was released in June, but gosh darn it, I just could not make it work. Well the Metasploit folks apparently have been hard at work, and now have an exploit module they call "Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation". The underlying vulnerability is CVE 2013-3660, and there is no patch as yet. I tried the Metasploit module on a pair of test systems- a Win 7 (32 bit) and a Win 7 SP 1 (64 bit). When run on the 64 bit target, Metasploit replied that "Running against WOW64 is not supported". The situation with the 32 bit version was different, and lo, it gives a root shell. Interestingly though, it took more than one attempt- see the screenshot.
  

  If you take a look at the pull request log for this module, you will see some folks getting a blue screen some 3-10 minutes after exploitation. Well, the same happened here, and my target went down hard after just a few minutes.

• The WPAD vulnerability in Microsoft systems is, quite frankly, a larger problem than most folks realize. Essentially, it gives an attacker a number or potential vectors to convince a system to send all of their web traffic through a proxy under the control of the attacker. Last year I pointed folks to Netresec, who have a nice explanation of the attack via Metasploit and Burp. Well, the folks at TrustedSec have a blog post showing how to use a tool from SpiderLabs called Responder to exploit this issue.
• Last week we mentioned that the source code for the Carberp trojan was released. Well, now that it has been made public, folks are discovering it has all sorts of vulnerabilities. There is a new Metasploit module to exploit these backdoors.

Security Tools

• Russ McFee has a longer discussion of the recently released EMET 4.0, including showing how it can defend against some common attack scenarios.

Learning More

• Chris John Riley shows how to find the Windows digital product key, when it is stored in the BIOS on a system with Windows pre-installed.
• Sophos has a nice piece on a technique to confuse users to try to get them to run downloaded files. They use a combination of a pop-under, and a Captcha to try to get the user to press a key that will automatically run the downloaded file.
• Jason Kratzer of the Corelan Team has an extensive tutorial on how to exploit integer overflows.

For Students

• Are you interested in reverse engineering? You might be interested in this walkthrough of a reverse engineering / debugging session. The problem starts when the intrepid blogger noted that their cursor would occasionally flicker, and ends in the assembly language code for the NVIDIA display driver.
• You will continually hear your professors tell you not to roll your own crypto solutions. Have you ever wondered why? Craig Gidney wrote a nice piece showing how he broke a toy hash function
• When learning about exploits, you often need old version of applications. Where can you get them? You can try oldapps.com or oldversion.com. Personally, I have been using oldapps.com for some years now.

Industry News

• The folks at Bluebox labs have discovered a way to modify an Android application without changing its cryptographic signature; this would enable an attacker to create a Trojan. Ars Technica has some perspective.
• The Cryptocat tool was meant to allow for encrypted chat sessions. Unfortunately, they used poor cryptography, and now DecryptoCat will decrypt stored chats from October 2011 through June 2013. You may want to check out the reaction from the folks at Cryptocat. And if you think that good crypto is easy, don’t forget to read the results of their February security audit.
• Ubisoft is reporting an attack on their web site that exposed their account database. The Register has some of the details. As many as 58 million accounts may have been compromised.
• Ars Technica reports on the continuing attacks on Apache servers. Though researchers have a good idea of the malware that the infected servers are sending to their clients, the underlying process by which the servers themselves are becoming infected remains unknown- and this has folks worried.
• Ben Lincoln has a piece on the incredible amounts of data that Motorola appears to be collecting from users of the Motorola X2 phone.
• While on the subject of phones, apparently Skype can be used to bypass the Android Lockscreen.
• I did mention that the worrying part about the release of phone data to the government was not the release, but that the companies already had that data. Here is a story that says that AT&T will begin selling this data.
• We start with Java, so we end with Java. Although Oracle has stopped issuing patches for the older Java 6, the folks at Red Hat will continue to provide security fixes for OpenJDK 6.