Security News #0x4E
Congratulations to my student, Rohan Vazarkar, whose talk Minecraft through a Metasploit Module was accepted for the upcoming B-Sides DC conference. If only I could score some tickets! Apparently all 300 were sold out within a few hours.
- It has been what, a few weeks since our last Java vulnerability? Packetstorm has exploit code for a new Java attack. Their advisory references CVE-2013-2465, which affects Oracle Java 7 Update 21 and earlier and Java 6 Update 45 and earlier. However, they also say that the exploit works on Java 7 Update 25. There seems to be a Metasploit module in development (though I could not find it on Rapid7's exploit database yet). That module apparently only works on Java 7 Update 21.
- We recently mentioned a hack of Rob Heaton caused by an accidentally exposed secret token that appears by default in version control for many Rails applications. Well, it looks like the Metasploit folks are working on a module to exploit the problem. That said, the module does not yet appear on Rapid7's exploit database, though it is mentioned in Metasploit's weekly update.
- There is a vulnerability in the Media Manager component affecting Joomla 2.5.x up to 2.5.13 and 3.x up to 3.1.4. As you might expect, there is an (upcoming) Metasploit module.
- Suppose that you have credentials for a system. How can you get a shell? Chris Truncer counts the ways.
- Altamira ran a CTF last weekend; Robert Weiss has a nice recap.
- Speaking of competitions, back before my vacation was the MITRE STEM CTF Cyber Challenge. Some 66 teams from across the country participated in the capture-the-flag competition, which ran for 24 hours straight. We had three different teams participate in the competition:
- Team: SomethingClever; Finish: 4th. Students: David Bitner, Emily Jay, Matthew Mickel, Rohan Vazarkar
- Team: TUCrew; Finish: 26th. Students: John Feehly, James Grove, Justin Mavunkal, Matthew Spreisterbach
- Team: The Infinite Improbability Drives; Finish: 33rd. Students: Ryan Backhof, Matthew Carr, Be Lawrence
Well done to you all!
- Here is a wonderful description of an attack on the Transcend WiFi SD card. Students: if you want to learn more about how to go about hacking an embedded device, this is a great place to start!
- Some folks have figured out how to get ModSecurity on Nginx.
- Did you know that there is a simple way to download a file from the Internet directly from the command line in Windows? Suppose that you want to download the syllabus from my Spring 2013 course; then from a command prompt just run

D:\Mike\Desktop>bitsadmin /transfer n http://pages.towson.edu/moleary/docs/Classes/Cosc481-S13/Syllabus.pdf d:\syllabus.pdf

DISPLAY: 'n' TYPE: DOWNLOAD STATE: TRANSFERRED
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 50208 / 50208 (100%)
Transfer complete.

and the file will be dropped on the D: drive with the name syllabus.pdf. I had never seen this trick before; thanks to @brutelogic.
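The same trick is a staple of malware droppers and post-exploitation tooling (MITRE ATT&CK catalogues it as T1197, BITS Jobs), and Microsoft has deprecated bitsadmin.exe in favour of the PowerShell BITS cmdlets. The script below is an added example, not code from the original post or from @brutelogic: it performs the download with Start-BitsTransfer and then runs the two checks a defender would want, listing every user's queued BITS jobs and pulling the BITS-Client "job started" events, whose message text names the remote URL. The $Url and $Dest parameters are placeholders, and the script assumes the Microsoft-Windows-Bits-Client/Operational log is enabled (its default) and that event ID 59 is the job-start record.

```powershell
# Added example (not from the original post): PowerShell counterpart of
# "bitsadmin /transfer n <url> <file>", followed by the checks a defender
# would run, since attackers use BITS for exactly this kind of download.
# Assumptions: $Url/$Dest are placeholders; the BITS-Client operational
# log is enabled and event 59 (job started) carries the URL in its message.

param(
    [string]$Url  = 'http://pages.towson.edu/moleary/docs/Classes/Cosc481-S13/Syllabus.pdf',
    [string]$Dest = (Join-Path $env:TEMP 'syllabus.pdf')
)

Import-Module BitsTransfer

# 1. Same effect as the bitsadmin one-liner: a synchronous download job
#    with display name 'n'. The cmdlet blocks until the transfer finishes.
Start-BitsTransfer -Source $Url -Destination $Dest -DisplayName 'n'
Get-Item -Path $Dest | Select-Object FullName, Length

# 2. Enumerate BITS jobs for every account (this part needs an elevated
#    prompt). Jobs survive reboots, and a job created but never resumed
#    sits in the queue as SUSPENDED, so look beyond your own session.
Get-BitsTransfer -AllUsers |
    Select-Object DisplayName, JobState, OwnerAccount, TransferType,
        @{ Name = 'Remote'
           Expression = { ($_.FileList | Select-Object -ExpandProperty RemoteName) -join '; ' } }

# 3. The audit trail: event 59 is written when a job starts and its text
#    names the URL, so an unexpected download remains visible here even
#    after the job completes and the file is moved or deleted.
$filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ Name = 'Url'
           Expression = { [regex]::Match($_.Message, 'https?://[^\s'']+').Value } }
```

Run it from an elevated PowerShell prompt as `.\bits-check.ps1`, optionally with `-Url` and `-Dest` overrides; the download step works unprivileged, but `Get-BitsTransfer -AllUsers` requires administrator rights. Step 3 is the one worth wiring into a log search: a BITS job whose URL is not one your software is expected to fetch from is a strong signal, regardless of whether bitsadmin.exe or the cmdlets created it.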
- We all know that the Linux command prompt can be customized, but most of us never bother to mess with it much; then, if you actually do want to change it, it is back to Google to dig out the syntax. Well, someone has put together a Web GUI to let you build your own prompt. Why? Does everything in the world require a reason?
- Need a default router password?
- This week represents the 10-year anniversary of the Blaster worm. Ahhh, the fun! Robert Graham has a nice retrospective (including a link to disassembled Blaster source code).
- The Register describes a recent attack against a home security system.
- Ars Technica reports on a network attack aimed at the Philips Hue lighting system.
- Graham Cluley reports on the hack of the New York Post by the Syrian Electronic Army, while Brian Krebs discusses the attack on the Washington Post.
- Hacking washing machines? Limpkin takes it to a new level.
- Joomla recently patched an important vulnerability, but Threatpost reports that a number of sites, including several European financial institutions, were attacked. You may also want to check out Brian Krebs' take.
- There is a significant problem with how Android generates random numbers; this flaw appears to have been used to steal 55 BTC. Bitcoin wallet apps that drew their ECDSA signing nonces from the flawed SecureRandom could repeat a nonce across two signatures, and two signatures with the same nonce reveal the signing key.