Security News #0x48
- I had a chance to play with the BeEF framework for browser exploitation, and I can say that it is definitely worth a look. It is not installed on Kali by default, so you will need a bit of apt-get install to get it. Just remember that it is apt-get install beef-xss; if you install beef, you get something different, flexible, and less polite (check the man page!). Cyberarms has a nice introduction to the BeEF framework that I followed. I tested it on Windows 7 SP1 with IE 9 (unpatched), and my experiences were similar. When testing, you definitely want to try some of the exploits marked in red, as they will work, while a number of the green ones did not work for me.
- Last month, a vulnerability was announced in Adobe Reader and Acrobat before 9.5.5, 10.1.7, and 11.0.03, CVE-2013-2729. Well, Exploit-db has an exploit, at least for Adobe Reader 10.1.4.38.
- You may recall last week’s vulnerability in Android phones that allows attackers to modify signed binaries without invalidating the signature; this could potentially allow signed trojans. Well, a PoC is now available.
- The folks at Unintended Results have a nice piece summarizing different ways to finish compromising a system once you have the ability to execute a single root command on that system.
- If you want a practice space for advanced attack and defense, you might want to try CTF365; they are running a capture the flag competition for teams of 4-10.
- Students quickly learn that SQL injection is bad, but there are so many (bad) ways to try to prevent it that often folks get confused. The Stack Overflow answer on how to prevent SQL injection in PHP is a great place to start.
- I had the chance to read one of the coolest pieces I have seen in a while, from Justin Kettner. Most security-conscious folks are aware of PATH name attacks, and the fun things that can be done with them. If you want to run a particular program, say netstat, and I have an executable with that name at the beginning of your PATH, my code will run before the program you are expecting to see. Well, Justin shows how something similar can be done with shared function calls in Linux. In his example, he creates a new shared object (.so) to modify the behavior of the puts function call, so that other programs that use the function have their behavior modified. He then goes on to add a logging "feature" to look at SSL function calls. Most cool!
- Are you interested in learning more about how to use GPG to protect your privacy? You might want to check out the Alan Eliasen’s GPG tutorial.
- Back in March, a vulnerability was found in Java 7 U15 and Java 6 U41, CVE-2013-0809. As yet, I do not know of any public exploits for this particular Java flaw; however, Axtaxt discusses the flaw in some detail. He shows precisely where in the source code the problem occurs, and then shows how to crash the program via a buffer overflow. It looks like the overflow flattens not only EIP but ECX as well, so turning this approach into an exploit should be quite possible.
- Although Dropbox has the option for two-factor authentication, it seems possible that it can be bypassed. The trick is that the attacker creates a typosquatted Dropbox account, where the attack account has additional periods "." in the email address; then they can use account recovery features to get at the target.
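The defensive lesson from that item is that a service should notice when two registered addresses differ only by dots before it lets an email-based recovery flow act on either of them. The following is an added example (mine, not Dropbox's code or anything from the post) of that check; the registered account list is constructed, and the choice to ignore dots for every domain, rather than only for providers known to treat them as insignificant, is an assumption made because the goal is to flag look-alikes for review, not to decide who owns a mailbox.

```python
"""Flag registered accounts that collide once dots in the local part are
ignored, so account recovery can demand stronger verification (added example)."""
from collections import defaultdict

# Constructed sample of a service's registered addresses. The second entry is
# the kind of look-alike the post describes: same letters, one extra period.
REGISTERED = [
    "victim@example.com",
    "vic.tim@example.com",
    "Bob@Example.com",
    "bob@example.com",
    "carol@example.net",
]


def fold_dots(address):
    """Collision key: lower-case the address and drop dots from the local part.

    Assumption: dots are folded for every domain. That over-approximates (RFC
    5321 leaves local-part interpretation to the receiving domain), which is
    acceptable for a review flag but would be wrong as an identity rule.
    """
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local.replace(".", "") + "@" + domain


def dot_variant_groups(addresses):
    """Return {collision_key: [addresses]} for keys shared by two or more accounts."""
    groups = defaultdict(list)
    for addr in addresses:
        groups[fold_dots(addr)].append(addr)
    return {key: members for key, members in groups.items() if len(members) > 1}


def recovery_needs_review(requested, registered):
    """True when the account named in a recovery request has a dot-variant
    sibling among the registered accounts. Such a request should not be
    resolved on the strength of email access alone."""
    return fold_dots(requested) in dot_variant_groups(registered)


if __name__ == "__main__":
    for key, members in dot_variant_groups(REGISTERED).items():
        print(f"{key} -> {members}")
    print("review needed:", recovery_needs_review("vic.tim@example.com", REGISTERED))
```

Run against the constructed list, the check groups victim@example.com with vic.tim@example.com (and the two case variants of bob), so a recovery request for either look-alike is routed to manual review instead of being answered by email.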
- Have you ever wondered what kind of data Facebook has collected about you? You might want to take a look at what Daylan Pearce has to say.
- Ars Technica reports that 24,000 accounts at Club Nintendo were compromised.
- It is now possible to manipulate the Emergency Alert System, thanks to SSH keys hard-coded into the firmware. This may have caused the (fake) Zombie Apocalypse warning in Montana earlier this year.
- The facepalm of the week goes to the government agency that destroyed their own network after malware was detected.