Security News #0x45
- FreeBSD 9.0 is vulnerable to a local privilege escalation attack. The folks at Packet Storm have not one, but two different exploits for the problem. The problem is in how FreeBSD manages virtual memory. This is listed both by Packet Storm and the original FreeBSD security notice as CVE-2013-2171, but the entry is still marked as reserved at MITRE.
- Some new features have been added to Veil, the anti-virus evasion tool. These include updating it to a modular framework, and adding some additional encryption techniques.
- Egor Homakov released a PoC attack that uses Flash to turn on the microphone and camera on a victim's system. The Reddit thread has some additional discussion, and Google Chrome has already pushed a fix.
- The latest version (4.0) of EMET (the Enhanced Mitigation Experience Toolkit) has now been released. If you don't know what this is, take a look at Brian Krebs' blog post on the subject. In short, it is a Windows security tool you can install that has a proven track record of stopping many of the recent 0-day attacks on Microsoft systems.
- There is a neat post-exploitation Metasploit module. It sets up a PPTP tunnel on the Windows victim, so the attacker can sniff traffic and perform MITM attacks. I learned about it by reading a nice blog post of Borja Merino.
- The discussion on the Spotify blog of how hijackers were able to gain access to accounts by creating specially crafted user names is well worth reading, and is a hugely important example of the canonicalization problem.
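To make the canonicalization problem concrete, here is an added example (not code from the Spotify post) of a username registry that deduplicates on a canonical form. It contrasts a naive lowercase-only canonicalizer with one that applies NFKC normalization plus full case folding until the result stops changing, and it includes an idempotence check, since a canonicalizer whose second application yields a different string than its first is exactly the kind of bug that lets a crafted name map onto someone else's account. The sample names, the registry class and the order-sensitive variant are all constructed for illustration.

```python
import unicodedata


def naive_canonical(name: str) -> str:
    """Lowercase only: misses compatibility characters that NFKC folds to ASCII."""
    return name.lower()


def order_sensitive_canonical(name: str) -> str:
    """Constructed 'wrong order' canonicalizer: casefold first, then NFKC, one pass.
    Compatibility letters survive casefold and only become ASCII in the NFKC step,
    so the result may still contain uppercase; a second pass would change it again."""
    return unicodedata.normalize("NFKC", name.casefold())


def canonical_username(name: str) -> str:
    """NFKC normalize, then full case fold, repeated until a fixed point is reached."""
    prev, cur = None, name
    while cur != prev:
        prev = cur
        cur = unicodedata.normalize("NFKC", cur).casefold()
    return cur


def is_idempotent(fn, name: str) -> bool:
    """A safe canonicalizer must satisfy fn(fn(x)) == fn(x)."""
    once = fn(name)
    return fn(once) == once


class AccountRegistry:
    """Hypothetical registry keyed on the canonical username."""

    def __init__(self) -> None:
        self._accounts: dict[str, str] = {}  # canonical -> display name

    def register(self, display_name: str) -> bool:
        key = canonical_username(display_name)
        if key in self._accounts:
            return False  # would collide with an existing account
        self._accounts[key] = display_name
        return True

    def lookup(self, name: str):
        return self._accounts.get(canonical_username(name))


if __name__ == "__main__":
    # Constructed sample: modifier-letter capitals that NFKC maps to plain ASCII.
    crafted = "\u1d2e\u1d35\u1d33\u1d2e\u1d35\u1d3f\u1d30"  # looks like BIGBIRD
    print("naive:", naive_canonical(crafted))
    print("proper:", canonical_username(crafted))
    print("one-pass idempotent?", is_idempotent(order_sensitive_canonical, crafted))
    reg = AccountRegistry()
    print("register bigbird:", reg.register("bigbird"))
    print("register crafted:", reg.register(crafted))
```

The two things to carry away are that the canonical form, not the display name, is the uniqueness key, and that the canonicalizer is checked for idempotence on every name it sees, so a name that would canonicalize differently on a second pass is rejected rather than stored.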
- If you are a student and want to try your hand at hacking a web application, you may want to take a look at an exploit found by Chako in version 0.24 of the Simple File Manager. In the exploit description on exploit-db, he shows how to bypass the security restrictions and log into the admin panel. You can grab a copy of the vulnerable version of the application directly from exploit-db. Take a look at the source code (e.g. line 177 of fm.php) to get a feel for how the application works.
- Jordan at Texas Tech has a great blog post on how to extract stored passwords from browsers. I tried out the provided code on a Chrome browser, and boy did it ever work. One interesting thing to keep in mind about this attack is that many systems that use Active Directory for logins also provide web forms; in my history I found some interesting login/password combinations, ones I would not have expected.
- The folks at Sucuri have a nice blog piece on how malware authors are attacking Apache sites by using the auto_prepend_file PHP directive to add and evaluate code on the web server before a page is sent to the client.
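Since auto_prepend_file can be set in php.ini, in a per-directory .user.ini, or via php_value in an .htaccess file, a quick check on a web host is to scan all of those for the directive and flag any value that points outside the directories your application legitimately uses. The scanner below is an added example (not Sucuri's code); the three configuration snippets, the file names and the allowed-prefix list are constructed for illustration, and commented-out lines are skipped so they do not raise false alarms.

```python
import re
from typing import Dict, Iterable, List, NamedTuple


class Finding(NamedTuple):
    source: str      # config file the directive was found in
    line_no: int
    value: str       # path the directive points at
    allowed: bool    # True if it lies under a known application directory


# ini syntax:  auto_prepend_file = "/path/file.php"   (quotes optional)
INI_RE = re.compile(r'^\s*auto_prepend_file\s*=\s*"?([^"\s;]*)"?', re.IGNORECASE)
# Apache syntax:  php_value auto_prepend_file /path/file.php
HTACCESS_RE = re.compile(
    r'^\s*php_(?:value|admin_value)\s+auto_prepend_file\s+"?([^"\s]*)"?', re.IGNORECASE
)
COMMENT_PREFIXES = (";", "#")

# Assumed location of the legitimate application; adjust for the host being checked.
DEFAULT_ALLOWED_PREFIXES = ("/var/www/app/",)


def find_prepend_directives(
    text: str, source: str, allowed_prefixes: Iterable[str] = DEFAULT_ALLOWED_PREFIXES
) -> List[Finding]:
    """Return every active auto_prepend_file directive in one config file's text."""
    allowed_prefixes = tuple(allowed_prefixes)
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(COMMENT_PREFIXES):
            continue  # blank or commented out
        match = INI_RE.match(line) or HTACCESS_RE.match(line)
        if not match:
            continue
        value = match.group(1)
        if not value:
            continue  # an explicit empty value disables the directive
        findings.append(Finding(source, line_no, value, value.startswith(allowed_prefixes)))
    return findings


def scan_configs(
    configs: Dict[str, str], allowed_prefixes: Iterable[str] = DEFAULT_ALLOWED_PREFIXES
) -> List[Finding]:
    """Scan a mapping of {file name: file contents}."""
    findings: List[Finding] = []
    for source, text in configs.items():
        findings.extend(find_prepend_directives(text, source, allowed_prefixes))
    return findings


def suspicious(configs: Dict[str, str]) -> List[Finding]:
    """Only the findings whose target lies outside the allowed directories."""
    return [f for f in scan_configs(configs) if not f.allowed]


# Constructed sample configs: one disabled, one legitimate, one pointing into /tmp.
SAMPLE_CONFIGS = {
    "/etc/php.ini": ";auto_prepend_file = /old/path.php\nauto_prepend_file =\nmemory_limit = 128M\n",
    "/var/www/app/.user.ini": 'auto_prepend_file = "/var/www/app/bootstrap.php"\n',
    "/var/www/app/.htaccess": "# rewrite rules omitted\nphp_value auto_prepend_file /tmp/.cache/x.php\n",
}

if __name__ == "__main__":
    for f in scan_configs(SAMPLE_CONFIGS):
        status = "ok" if f.allowed else "SUSPICIOUS"
        print(f"{status}: {f.source}:{f.line_no} -> {f.value}")
```

On a live host the same functions can be fed the contents of php.ini, every .user.ini and .htaccess under the document root, and any files pulled in by include directives; a prepend target under /tmp, /dev/shm or a hidden directory is the pattern worth alerting on.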
- Stalks discusses one of the Defcon qual challenges.
- Did you know that Cobalt Strike can use DNS as a beacon channel?
- LinkedIn may have been attacked last week, as DNS entries to their site were changed for a short period of time. Threatpost has some of the details.