Security News #0x4B
- We recently noted that Apache Struts up to 2.3.15 is vulnerable to a remote code execution attack (CVE-2013-2251). Well, the folks at Rapid7 now have a Metasploit module to exploit it (and a spiffy new web interface).
- Rob Heaton shows how the Rails default settings include an application's security token in version control, and that an attacker with this knowledge can execute code remotely on the application's server.
- Kuronosec reports on MS13-056, DirectShow Arbitrary Memory Overwrite Vulnerability. This is an issue with how Windows parses .gif files; they even provide a PoC to demonstrate the technique.
- Did you know that there are simple programs out there that can identify TrueCrypt, Bitlocker, or other encrypted files? Here is TCHunt looking for a TrueCrypt volume on a test system:
    c:\Users\seldon\Desktop>TCHunt.exe
    [ASCII-art TCHunt banner] v1.6
    Allowed options for TCHunt:
      -d [ --dir ] arg      The directory to search (recursive).
      -h [ --help ]         Print this message and exit.
      -v [ --verbose ]      Print verbose output.

    c:\Users\seldon\Desktop>TCHunt.exe -d c:\Users
    Suspect_File: c:\Users\seldon\Desktop\TrueCryptVol
Total elapsed time: about two seconds!
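Tools of this kind do not "decrypt" anything; they triage files on cheap statistical hints. As an added example (my own code, not TCHunt's and not from the original post), here is a small Python scan in the same spirit; the heuristics, thresholds, magic-byte list and the constructed sample files are my assumptions, not TCHunt's documented behaviour.

```python
# Added example: TCHunt-style triage for files that look like encrypted containers.
# Assumed heuristics (not TCHunt's own): a candidate is sector-aligned (size % 512 == 0),
# at least 19 KiB, carries no recognisable magic bytes, and its leading bytes are
# close to uniformly distributed under a chi-square test.
import os
import tempfile
from pathlib import Path

KNOWN_MAGIC = (b"\x89PNG", b"PK\x03\x04", b"%PDF", b"\x7fELF", b"MZ", b"\xff\xd8\xff", b"GIF8")
MIN_SIZE = 19 * 1024      # assumed minimum container size
SAMPLE = 64 * 1024        # bytes examined per file
CHI_LIMIT = 400.0         # uniform data scores ~255 (255 degrees of freedom, sd ~23)

def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    expected = len(data) / 256
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)

def looks_encrypted(path: Path) -> bool:
    """True when the file passes every heuristic above; False otherwise."""
    size = path.stat().st_size
    if size < MIN_SIZE or size % 512 != 0:
        return False
    with path.open("rb") as f:
        head = f.read(SAMPLE)
    if head.startswith(KNOWN_MAGIC):   # plaintext formats with a header are excluded
        return False
    # Text and structured binaries score in the thousands; ciphertext stays near 255.
    return chi_square(head) < CHI_LIMIT

def scan(root: Path) -> list:
    """Recursively list files under root that look like encrypted containers."""
    return sorted(str(p) for p in root.rglob("*") if p.is_file() and looks_encrypted(p))

def demo() -> list:
    """Constructed sample directory: a random 'volume', a text file, and a PNG-headed file."""
    root = Path(tempfile.mkdtemp())
    (root / "vol.dat").write_bytes(os.urandom(64 * 1024))                   # aligned, random, no magic
    (root / "notes.txt").write_bytes(b"The quick brown fox\n" * 4096)       # 80 KiB, aligned, low entropy
    (root / "img.png").write_bytes(b"\x89PNG" + os.urandom(20 * 1024 - 4))  # random body, but has magic
    return [Path(p).name for p in scan(root)]

if __name__ == "__main__":
    print(demo())   # only vol.dat should be reported
```

The same statistic that flags a container also flags compressed archives without a known header, which is why real tools pair it with size and header checks rather than relying on entropy alone.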
- Raphael Mudge has a great piece on situational awareness in Meterpreter. He shows you how to find out about the process, token, system architecture, and desktop from within a Meterpreter shell.
- It may not be in style, but there is a lot of value in knowing the various command line options on a Windows system. Do you know the Windows equivalents of grep? Take a look at this piece from TunnelsUp.
- The folks at Addepar describe how they found a bug (CVE-2013-3300) in Lift. The piece shows a couple of nice things: how paying close attention to the errors can find larger flaws, and how important it is for programmers to think hard about error messages, who should get them, and what they should contain.
- Last week Forbes reported on research to show how to hack into cars, including taking control of speed, brakes, and steering in a moving car.
- Speaking of cars, The Guardian reports on an injunction from the High Court of London against a British security researcher, Flavio Garcia, who apparently was able to crack the security of devices that allow the starting of various brands of luxury cars. He is being prevented from revealing his techniques as he had planned at the next USENIX conference.
- Forbes also has an article on how "smart homes", where everything from thermostats to lights are hooked up to a controller, can also be attacked remotely.
- And since we are talking about hacking practically everything that is not hermetically sealed, Fox News reports on research of Todd Humphreys from the University of Texas; his group was able to spoof GPS signals, and send a multi-million dollar yacht off course.
- TechCrunch reports on an attack at Stanford; they have asked everyone there to reset their passwords. Interestingly, the article is written by Billy Gallagher, the co-student body president at Stanford.
- You know that the security industry is going to be around for a while yet when the MITRE folks have to increase the number of digits in CVE identifiers. Will we look back on the "good old days" when fewer than 10,000 vulnerabilities were found each year?
- Financial Review reports that systems manufactured by Lenovo have been banned from secret and top secret networks in many countries.