Security News #0x59
- Tavis Ormandy has found another wild attack. Upon connecting a BlackBerry to a Windows system, apparently it starts up an nginx web server running WebDAV, which then serves up direct access to the Windows %APPDATA% directory. Authentication? Pshaw! His blog post goes on to show how this problem can be exploited; he goes so far as to drop an arbitrary file in the Startup directory. He lists this as CVE-2013-3694, but it is still listed as only "reserved" by our good friends at MITRE.
- We all know the value of a good Google dork. Well, you can try the same kind of search on GitHub. Face palm time.
- Over on wootsec, Bernardo Rodrigues shows how to unpack the firmware image from a Cisco DPC3925, which is a DOCSIS 3.0 cable modem. Nice work.
- Jake Williams (@MalwareJake) pointed out that every instance of svchost.exe should be running at least one service. He recommended using tasklist; you can do so simply with

```
C:\Users\mike>tasklist /svc /fo table /fi "IMAGENAME eq svchost.exe"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    916 DcomLaunch, PlugPlay, Power
svchost.exe                    384 RpcEptMapper, RpcSs
svchost.exe                   1104 AudioSrv, Dhcp, eventlog, HomeGroupProvider, lmhosts, wscsvc
svchost.exe                   1140 AudioEndpointBuilder, hidserv, IPBusEnum, Netman, PcaSvc, TrkWks, UxSms, Wlansvc
svchost.exe                   1172 EventSystem, fdPHost, FontCache, netprofm, nsi, WdiServiceHost
svchost.exe                   1200 Appinfo, BITS, Browser, EapHost, gpsvc, iphlpsvc, LanmanServer, MMCSS, ProfSvc, Schedule, SENS, ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe                   1596 CryptSvc, Dnscache, LanmanWorkstation, NlaSvc
svchost.exe                   1992 BFE, DPS, MpsSvc
svchost.exe                   2128 FDResPub, SSDPSRV, upnphost, wcncsvc
svchost.exe                   3228 PolicyAgent
svchost.exe                   1232 p2pimsvc, p2psvc, PNRPsvc
```

The /svc flag lists the services hosted by each process, the /fo flag sets the output to table form, and the /fi flag is a filter; here it returns only svchost.exe. If you end up with an instance that has no corresponding service, then you want to investigate.
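The same check, scripted: an added example (not from Jake's post or the original article) that parses the CSV form of the query above, `tasklist /svc /fo csv /fi "IMAGENAME eq svchost.exe"`, and reports any svchost.exe instance whose Services column is empty. It assumes English-language tasklist output, where a process hosting no service shows "N/A" in that column; the sample output below is constructed, and its last row is a made-up orphan instance.

```python
"""Flag svchost.exe instances that host no service, from tasklist /svc output."""
import csv
import io
import subprocess
import sys

# Constructed sample of `tasklist /svc /fo csv /fi "IMAGENAME eq svchost.exe"`.
# The PID 4711 row is invented: an svchost.exe with no service behind it.
SAMPLE_CSV = '''"Image Name","PID","Services"
"svchost.exe","916","DcomLaunch,PlugPlay,Power"
"svchost.exe","384","RpcEptMapper,RpcSs"
"svchost.exe","1992","BFE,DPS,MpsSvc"
"svchost.exe","3228","PolicyAgent"
"svchost.exe","4711","N/A"
'''


def parse_tasklist_csv(text):
    """Return {pid: (image_name, [service, ...])} from tasklist /svc /fo csv text.

    Assumption: English tasklist prints "N/A" for a process hosting no
    service; that is normalised to an empty list. Non-CSV lines such as
    "INFO: No tasks are running ..." have no numeric PID and are skipped.
    """
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        pid = (row.get("PID") or "").strip()
        if not pid.isdigit():
            continue
        services = (row.get("Services") or "").strip()
        names = [] if services == "N/A" else [
            s.strip() for s in services.split(",") if s.strip()]
        rows[int(pid)] = (row["Image Name"].strip(), names)
    return rows


def svchost_without_services(text):
    """Sorted PIDs of svchost.exe instances that host no service at all."""
    return sorted(pid for pid, (image, svcs) in parse_tasklist_csv(text).items()
                  if image.lower() == "svchost.exe" and not svcs)


def live_tasklist():
    """Run the real query on a Windows host and return its CSV output."""
    cmd = ["tasklist", "/svc", "/fo", "csv", "/fi", "IMAGENAME eq svchost.exe"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    text = live_tasklist() if sys.platform == "win32" else SAMPLE_CSV
    for pid in svchost_without_services(text):
        print(f"svchost.exe PID {pid} hosts no service: investigate")
```

On a Windows host the script queries the live process list; elsewhere it runs against the constructed sample so the logic can be exercised offline.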
- So, you want to learn about offense? Check out Raphael Mudge’s sequence of videos on Red Team Operations.
- khr0x40sh has a nice piece on his blog where he develops some techniques to use meterpreter as a botnet. He starts by looking at how to run a single command across all of the meterpreter sessions under the attacker’s control, and continues by discussing scripts that run automatically when a session connects back.
- The folks behind Veil have added some additional detection evasion techniques.
- I have been a big fan of OpenSuSE for some time now. Well, they now have a hysterical video entitled "What Does the Chameleon Say?". Well worth a listen.
- I also had a chance to read a piece from James Mickens, an academic researcher who focuses on low-level systems programming. His writing is absolutely fabulous:

  This is not the world of the systems hacker. When you debug a distributed system or an OS kernel, you do it Texas-style. You gather some mean, stoic people, people who have seen things die, and you get some primitive tools, like a compass and a rucksack and a stick that’s pointed on one end, and you walk into the wilderness and you look for trouble, possibly while using chewing tobacco. As a systems hacker, you must be prepared to do savage things, unspeakable things, to kill runaway threads with your bare hands, to write directly to network ports using telnet and an old copy of an RFC that you found in the Vatican. When you debug systems code, there are no high-level debates about font choices and the best kind of turquoise, because this is the Old Testament, an angry and monochromatic world, and it doesn’t matter whether your Arial is Bold or Condensed when people are covered in boils and pestilence and Egyptian pharaoh oppression. HCI people discover bugs by receiving a concerned email from their therapist. Systems people discover bugs by waking up and discovering that their first-born children are missing and "ETIMEDOUT" has been written in blood on the wall.