
Security News #0x42

Exploits
  • The folks at Metasploit have chained a pair of Firefox vulnerabilities (CVE-2013-0758, CVE-2013-0757), affecting Firefox ≤ 17.0.1, into a module that gains remote code execution. The module requires Flash to be present on the target, but only as a vector to launch the scripts, not as the bug being exploited. Eric Romang has a demo.
  • Chris Truncer has developed a tool called Veil which generates meterpreter payloads (currently) able to bypass many anti-virus solutions.
  • It looks like ModSecurity (< 2.7.4) is vulnerable to a remote denial of service attack. This is reported as CVE-2013-2765, but MITRE lists that number only as reserved.
  • The Linux PERF privilege escalation exploit (CVE-2013-2094) continues to make the news; the folks at grsecurity tweeted that they have "The definitive exploit for the perf events vuln". I tried it out on a couple of VMs I had lying around. I had no luck on the Ubuntu 10.04, which is expected, as it had an older kernel (it runs 2.6.32). I did expect success with my Mint 11 box, which came with a 32-bit version of 2.6.38, but alas it failed.
    seldon@nexon ~/Desktop/enlightenment $ uname -a
    Linux nexon.cosc.tu 2.6.38-8-generic #42-Ubuntu SMP Mon Apr 11
    03:31:50 UTC 2011 i686 i686 i386 GNU/Linux
    seldon@nexon ~/Desktop/enlightenment $ ./run_nonnull_exploits.sh 
    Compiling exp_abacus.c...OK.
    Compiling exp_cheddarbay.c...OK.
    Compiling exp_ingom0wnar.c...OK.
    Compiling exp_moosecox.c...OK.
    Compiling exp_paokara.c...OK.
    Compiling exp_powerglove.c...OK.
    Compiling exp_sieve.c...OK.
    Compiling exp_therebel.c...OK.
    Compiling exp_vmware.c...OK.
    Compiling exp_wunderbar.c...OK.
    Choose your exploit:
     [0] Abacus: Linux 2.6.37 -> 3.8.8 PERF_EVENTS local root
     [1] Ingo m0wnar: Linux 2.6.31 perf_counter local root (Ingo backdoor method)
     [2] Sieve: Linux 2.6.18+ move_pages() infoleak
     [3] Exit
    > 0
     ------------------------------------------------------------------------------
     The person lives most beautifully who does not reflect upon existence.
     --Nietzsche
     ------------------------------------------------------------------------------
    exploit: exp_abacus.c:465: prepare: Assertion `!mlock(&num_incs1, 0x1000)' failed.
    Aborted
    

    Mind you, I could not get the x86 version of the exploit to work on Mint 11 either. There the process just hung and soaked up most of the CPU.

    The reddit page for the link has some useful discussion as well.

  • There is a vulnerability, CVE-2013-2730, in Adobe Reader (≤ 9.5.4, ≤ 10.1.6, ≤ 11.0.2) that may allow remote code execution. There is a Metasploit module for the vulnerability, but so far it is only a sandbox escape: all it does is "achieve Medium Integrity Level privileges from a Low Integrity AcroRd32.exe process".
  • The folks at SpiderLabs have a nice piece on exploiting Linksys E1000, E1200, and E3200 routers.
  • Henry Hoggard shows how to compromise a Virgin Superhub using CSRF.
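
One thing worth adding to the CVE-2013-2094 item above is a quick way to decide whether a kernel even falls in the window the exploit menu quotes (2.6.37 through 3.8.8) before spending time on it. This is an added example, not part of the original post and not from grsecurity's exploit pack; the function names (vernum, perf_in_range, classify) are made up for this example, and the only fact it encodes is the version range printed by the Abacus menu entry. Keep in mind that distribution kernels backport fixes without bumping the version string, so an in-range result is a reason to test, not proof that the box is vulnerable.

```bash
#!/bin/sh
# Added example, not from the original post or from the grsecurity exploit
# pack: test a kernel release string against the range quoted by the
# "Abacus" menu entry (Linux 2.6.37 -> 3.8.8). Function names are made up
# for this example. Distribution kernels backport fixes without changing
# the version string, so "in range" means "worth testing", not "vulnerable".

# vernum RELEASE: map "2.6.38-8-generic" to the integer 2006038
# (major*1000000 + minor*1000 + patch); anything after the third
# number ("-8-generic", "-rc1") is ignored.
vernum() {
    printf '%s\n' "$1" | awk -F'[.-]' '{
        printf "%d\n", ($1 + 0) * 1000000 + ($2 + 0) * 1000 + ($3 + 0)
    }'
}

# perf_in_range RELEASE: succeed (exit 0) when RELEASE is within
# 2.6.37 .. 3.8.8 inclusive, the kernels the Abacus exploit claims to cover.
perf_in_range() {
    v=$(vernum "$1")
    [ "$v" -ge "$(vernum 2.6.37)" ] && [ "$v" -le "$(vernum 3.8.8)" ]
}

# classify RELEASE: print a one-line verdict for RELEASE.
classify() {
    if perf_in_range "$1"; then
        echo "$1: in range 2.6.37..3.8.8, CVE-2013-2094 worth testing (backports may apply)"
    else
        echo "$1: outside the range the Abacus exploit targets"
    fi
}

# Run against the kernel this script is executing on.
classify "$(uname -r)"
```

Run it as-is to classify the current kernel, or call `classify 2.6.32-38-generic` with any `uname -r` string copied from another box; the 2.6.32 kernel from the Ubuntu 10.04 VM above lands outside the range, and the Mint 11 2.6.38 kernel lands inside it.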
Security Tools
  • Are you interested in learning more about the differences between Kali and Backtrack?
  • I found a tool called DNSQuerySniffer that simply records the DNS queries picked up on the wire. I can see how this might be quite useful in class, both as a debugging tool as well as a reconnaissance tool.
For Students
  • Are you preparing for a job interview? (Probably not, as most of my students have told me they already have jobs, but …). Daniel Miessler has a set of interview questions for candidates for infosec jobs. Yours is likely to be quite different, but you really should know the answers to all of these questions!
Learning more!
Industry News
  • A 17 year old found a bug in PayPal and submitted the result for their bug bounty program. When PayPal disqualified him for being 17, he published the result publicly on the FullDisclosure mailing list.
  • Ars Technica reports on ongoing attacks on Ruby on Rails servers. Remember that over the winter Ruby on Rails was hit hard (CVE-2013-0333, CVE-2013-0156, CVE-2012-6497, CVE-2012-6496); it seems that attackers are now going after any unpatched and vulnerable servers. Jeff Jarmoc has some of the technical details.
  • Servers at Drupal.org have been compromised. Ars Technica reports that nearly 1 million accounts had their passwords reset.