Security News #0x4C
- Metasploit has a module to exploit CVE-2013-0008, a privilege escalation vulnerability in multiple versions of Windows (Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, RT) that allows local users to move from low to medium privileges. This vulnerability was patched in MS13-005.
- Many of my students have practiced their offensive skills on Metasploitable 2. If you want to jump to the end and see a number of ways to get into the system, you may want to take a look at HD Moore's exploitability guide.
- Talking about offensive skills, some of my students have asked for different approaches to going from an administrator account to the SYSTEM account on a Windows system. The folks at TechNet explained how this could be done back in 2008. One common use would be to gain access to the Windows password hashes; Bernardo Damele discussed a couple of different techniques for doing that back in 2011.
- If you are a student who wants to learn more about SQL injection, you may want to take a look at the recent blog post from Troy Hunt. He talks about simple attacks, and then a few techniques for blind injections, including boolean attacks and timing attacks.
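For students working through that material, here is an added example (not from the original post or from Troy Hunt's article) showing the root cause of every injection variety it covers, simple or blind: a query assembled by string concatenation lets user input become part of the SQL grammar, while a parameterized query keeps it as data. The in-memory SQLite table, the user rows and the function names are constructed for this demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "hunter2")],  # constructed sample rows
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The input is pasted into the statement text, so quotes and keywords in it
    # are parsed as SQL. A password of  x' OR '1'='1  turns the WHERE clause into
    # (name='alice' AND password='x') OR '1'='1', which is true for every row.
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Placeholders: the driver passes the values separately from the statement,
    # so the same input is compared literally against the password column and
    # cannot change the query's structure (this also removes the boolean and
    # timing oracles that blind injection relies on).
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"
    print("vulnerable login accepts tautology:", login_vulnerable(db, "alice", tautology))
    print("parameterized login accepts tautology:", login_parameterized(db, "alice", tautology))
```

The fix is structural rather than a filter: escaping quotes would still leave numeric fields, LIKE patterns and ORDER BY clauses exposed, whereas a bound parameter can never be interpreted as SQL regardless of its content.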
- Do you need to disassemble Android applications? You may want to try out ApkAnalyser. I haven't had a chance to try it (I don't do much with mobile stuff), but given the fact that it is open source, it seems worth a look-see.
- If you want to learn more about how to use Mimikatz (and who doesn’t?), check out the use case spelled out by Carnal0wnage, or the case described earlier by Rob Fuller.
- Registration for the 2013 Maryland Cyber Challenge is open.
- The folks at Exploit Monday have a nice piece on how to write shellcode for a Windows RT ARM system.
- Naked Security reports on the research of Karsten Nohl, who has claimed that some phones can be rooted with a text message. The problem seems to be with the cryptography on some older SIM cards. You may wish to look at the corresponding Threatpost take.
- Threatpost reports on DoS vulnerabilities in recent versions of the BIND server, up to 9.7.7, 9.8.5, and 9.9.3-P1.
- Symantec has recently patched critical flaws in their Web Gateway appliances that allowed for remote code execution. Ouch.
- Violet Blue in ZDNet reports on Mactans, the work of three researchers from Georgia Tech: Billy Lau, Yeongjin Jang and Chengyu Song. At Black Hat they demonstrated their faux USB charger for iPhones; if an iPhone is plugged into the charger, it installs malware that silently takes control of the phone.
- The BREACH attack is an attack on HTTPS-protected web pages that uses the data compression techniques in web servers against them. If a piece of text occurs in a web page more than once, compression will remove that redundancy to save space, and the response gets smaller. By sending requests containing carefully chosen guess strings that the page reflects back, one can tell from the size of the compressed response whether the encrypted page contains those strings, even without being able to decrypt the page.
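The mechanism above, as an added example that is not part of the original post or of the BREACH paper: a constructed HTML page carries a per-session token once and reflects a user-supplied string once, and the DEFLATE output is shorter when the reflected string repeats part of the token. The second half shows the mitigation several web frameworks later adopted, XOR-masking the token with a fresh random mask in every response so the literal token never appears in the body. The token value, page template, mask and function names are all assumptions made for this demonstration.

```python
import os
import zlib

# Constructed per-session secret embedded in the page (an anti-CSRF token).
TOKEN = b"7f3a9c1e4b2d"


def page_body(reflected: bytes, token_field: bytes = TOKEN) -> bytes:
    """Constructed HTML response: the token appears once in a hidden field and a
    user-supplied string (a search term, say) is reflected once in the same body."""
    return (b"<html><body><form method='post'>"
            b"<input type='hidden' name='csrf_token' value='" + token_field + b"'>"
            b"<p>Results for: " + reflected + b"</p></form></body></html>")


def compressed_len(body: bytes) -> int:
    """Size after DEFLATE, which is what a gzip-enabled server puts on the wire.
    TLS hides the content of the response, not its length."""
    return len(zlib.compress(body, 9))


def leaks_by_length(correct_guess: bytes, wrong_guess: bytes) -> bool:
    """Defender's check on a page template: if reflecting a string that matches
    the token yields a smaller compressed body than reflecting one that does not,
    the page is a compression oracle for that token."""
    return compressed_len(page_body(correct_guess)) < compressed_len(page_body(wrong_guess))


def mask_token(secret: bytes, mask: bytes) -> bytes:
    """Mitigation: emit hex(mask || (secret XOR mask)) with a fresh random mask per
    response. The literal token is never in the body, so a reflected guess cannot
    create redundancy with it; the server recovers the token with unmask_token."""
    if len(mask) != len(secret):
        raise ValueError("mask must be as long as the secret")
    return (mask + bytes(a ^ b for a, b in zip(secret, mask))).hex().encode()


def unmask_token(field: bytes) -> bytes:
    blob = bytes.fromhex(field.decode())
    half = len(blob) // 2
    return bytes(a ^ b for a, b in zip(blob[half:], blob[:half]))


def masked_page_body(reflected: bytes, mask: bytes) -> bytes:
    """Same page template, but carrying the masked token instead of the raw one."""
    return page_body(reflected, token_field=mask_token(TOKEN, mask))


if __name__ == "__main__":
    right, wrong = b"value='7f3a9c1e", b"value='qwertyui"
    print("plain page is a compression oracle:", leaks_by_length(right, wrong))
    mask = os.urandom(len(TOKEN))
    body = masked_page_body(b"hello", mask)
    print("raw token present in masked page:", TOKEN in body)
```

Masking does not change what compression does; it removes the stable secret that compression would otherwise match against. The other common mitigations (not compressing responses that carry secrets, or separating secrets from reflected input into different responses) work on the same principle, and the check in leaks_by_length is the quickest way to confirm that a given template no longer exhibits the size difference.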
- Some days, you just have to shrug your shoulders. The LIXIL Satis Toilet is a "smart" toilet that can be controlled by an Android application, and it turns out it uses a hard-coded PIN. Which one? Something hard to guess? Nope: "0000". In fact, "An attacker could simply download the “My Satis” application and use it to cause the toilet to repeatedly flush … [and] could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user." From the Full Disclosure mailing list.