Security News #0x43
- Last week we were still discussing the latest Linux privilege escalation exploit; this week we have a Windows privilege escalation exploit from Tavis Ormandy. You can grab the exploit’s source code from exploit-db or from the original post to Full Disclosure. The original bug was disclosed back in May.
I tried messing with this for a while, but with no luck. I could not get it to compile on Win 8 (x86) with Visual Studio Express 2012. I did get it to compile on Win 8 (x64) and on Win 7 (x64) using Visual Studio Express 2010, but even after dozens of attempts on each, all I got were crashes, no shells. When some free time appears (hah!) I'll take a second look.
- We also have an exploit for CVE-2013-1311, a use-after-free vulnerability in Internet Explorer 8. The exploit is available from exploit-db in the form of a Metasploit module, but I cannot find it in the Metasploit module & exploit database; presumably it is still in development. The underlying flaw was patched by Microsoft in May as MS13-037.
- We discussed Veil last week a bit. Veil is a tool to generate meterpreter payloads that are likely to bypass anti-virus. The folks at CyberArms tried out the tool, and had no trouble bypassing current anti-virus signatures.
- Metasploit has a new module to exploit Apache Struts, affecting versions up through 2.3.14.2. They list it as exploiting CVE-2013-2115 and CVE-2013-1966, but the MITRE database lists both numbers as reserved but not yet assigned.
- Kingcope announced an exploit for the Plesk Control Panel on Apache servers, up through version 9.5.4. The reddit thread has some interesting discussion; many folks were unable to get the exploit to work. Ars Technica has a nice write-up, including a response from the folks at Plesk.
- Here is another piece on interviewing for that cyber security job, this one from Douglas Brush, who gives some advice on landing a first job in digital forensics. Most of his advice, though, applies to a broad variety of security-related positions.
- Have you ever needed to interact with a shell on a system without using something as bulky as meterpreter? In the olden days we would use netcat as a convenient way to serve up a remote shell, but then the -e flag (only compiled in when GAPING_SECURITY_HOLE is defined) was disabled by default. Drat. Well, Tim Tomes has a nice post showing a couple of alternatives, including a trick from Ed Skoudis that I had not seen before, which uses a FIFO (named pipe) to wire a shell's input and output through an ordinary netcat connection. Well worth reading!
Unless you have been living under a rock, you have heard about the stories of US government surveillance that were broken by Glenn Greenwald at the Guardian.
I just have two comments. One general thread in the national (and international) discussion right now is that folks are outraged that the government is reading the data that companies like Verizon are gathering. Yet no one is asking why these companies are capturing the data, and what the companies themselves are doing with it. One can debate (and even be outraged by) the scope of the data collected by the government, but always remember that the companies already had this data and are using it for their own purposes.
The other comment goes out to those of you with active clearances. Brian Baskin writes that "A classified document released in the public does not negate its classification. Remember that when casually sharing NSA/Verizon docs." Similar advice has been given by Christopher Soghoian of the ACLU, who points out that if your clearance prevents you from reading the Wikileaks documents, you may want to avoid reading the original Verizon/NSA order as well.