
Security News #0x59

  • Tavis Ormandy has found another wild attack. Upon connecting a BlackBerry to a Windows system, apparently it starts up an nginx web server, running WebDAV, which then serves up direct access to the Windows %APPDATA% directory. Authentication? Pshaw! His blog post goes on to show how this problem can be exploited; he goes so far as to drop an arbitrary file in the Startup directory. He lists this as CVE-2013-3694, but it is still listed as only "reserved" by our good friends at MITRE.
  • We all know the value of a good Google dork. Well, you can try the same with GitHub. Face palm time.
Learning More
  • Over on wootsec, Bernardo Rodrigues shows how to unpack the firmware image from a Cisco DPC3925, which is a DOCSIS 3.0 cable modem. Nice work.
  • Jake Williams (@MalwareJake) pointed out that every instance of svchost.exe should be running at least 1 service. He recommended using tasklist; you can do so simply with:
    C:\Users\mike>tasklist /svc /fo table /fi "IMAGENAME eq svchost.exe"
    Image Name                     PID Services
    ========================= ======== ============================================
    svchost.exe                    916 DcomLaunch, PlugPlay, Power
    svchost.exe                    384 RpcEptMapper, RpcSs
    svchost.exe                   1104 AudioSrv, Dhcp, eventlog,
                                       HomeGroupProvider, lmhosts, wscsvc
    svchost.exe                   1140 AudioEndpointBuilder, hidserv, IPBusEnum,
                                       Netman, PcaSvc, TrkWks, UxSms, Wlansvc
    svchost.exe                   1172 EventSystem, fdPHost, FontCache, netprofm,
                                       nsi, WdiServiceHost
    svchost.exe                   1200 Appinfo, BITS, Browser, EapHost, gpsvc,
                                       iphlpsvc, LanmanServer, MMCSS, ProfSvc,
                                       Schedule, SENS, ShellHWDetection, Themes,
                                       Winmgmt, wuauserv
    svchost.exe                   1596 CryptSvc, Dnscache, LanmanWorkstation,
    svchost.exe                   1992 BFE, DPS, MpsSvc
    svchost.exe                   2128 FDResPub, SSDPSRV, upnphost, wcncsvc
    svchost.exe                   3228 PolicyAgent
    svchost.exe                   1232 p2pimsvc, p2psvc, PNRPsvc

    Here the /svc flag lists the services hosted in each process, the /fo flag sets the output to table form, and the /fi flag is a filter; here it returns only svchost.exe. If you end up with an svchost.exe that has no corresponding service, then you want to investigate.

  • So, you want to learn about offense? Check out Raphael Mudge’s sequence of videos on Red Team Operations.
  • khr0x40sh has a nice piece on his blog where he develops some techniques to use meterpreter as a botnet. He starts by looking at how to run a single command across all of the different meterpreter sessions under the attacker’s control, and continues by discussing scripts that are executed on back connections.
  • The folks behind Veil have added some additional detection evasion techniques.
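
The svchost.exe check from the tasklist item above can be automated when you have saved `tasklist /svc /fo table` output from many hosts. This is an added example, not code from the original post or from Jake Williams; the function names and the sample input (including the PID 4444 row) are constructed for illustration, and it assumes tasklist's usual behaviour of printing `N/A` in the Services column for a process that hosts no service.

```python
import re

# Constructed sample in the layout of `tasklist /svc /fo table`. The row for
# PID 4444 is made up: it is an svchost.exe that hosts no service ("N/A").
SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    916 DcomLaunch, PlugPlay, Power
svchost.exe                   1104 AudioSrv, Dhcp, eventlog,
                                   HomeGroupProvider, lmhosts, wscsvc
svchost.exe                   4444 N/A
svchost.exe                   3228 PolicyAgent
"""

# A process row starts in column 0: image name, PID, then the service list.
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def split_services(field):
    """Split a comma-separated Services field, dropping blanks and 'N/A'."""
    names = (s.strip() for s in field.split(","))
    return [s for s in names if s and s != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}, folding wrapped service lines."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue  # blank line, header, or ruler
        m = ROW.match(line)
        if m:
            last_pid = int(m.group("pid"))
            procs[last_pid] = (m.group("image"),
                               split_services(m.group("services")))
        elif line[0].isspace() and last_pid is not None:
            # Indented line: the previous row's service list wrapped.
            procs[last_pid][1].extend(split_services(line))
    return procs


def svchost_without_services(procs):
    """PIDs of svchost.exe instances that host no service at all."""
    return sorted(pid for pid, (image, services) in procs.items()
                  if image.lower() == "svchost.exe" and not services)


if __name__ == "__main__":
    for pid in svchost_without_services(parse_tasklist_svc(SAMPLE)):
        print(f"investigate svchost.exe PID {pid}: no hosted services")
```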
Industry News
General Silliness
  • I have been a big fan of OpenSuSE for some time now. Well, they now have a hysterical video entitled "What Does the Chameleon Say?". Well worth a listen.
  • I also had a chance to read a piece from James Mickens, an academic researcher who focuses on low-level systems programming. His writing is absolutely fabulous:

    This is not the world of the systems hacker. When you debug a distributed system or an OS kernel, you do it Texas-style. You gather some mean, stoic people, people who have seen things die, and you get some primitive tools, like a compass and a rucksack and a stick that’s pointed on one end, and you walk into the wilderness and you look for trouble, possibly while using chewing tobacco. As a systems hacker, you must be prepared to do savage things, unspeakable things, to kill runaway threads with your bare hands, to write directly to network ports using telnet and an old copy of an RFC that you found in the Vatican. When you debug systems code, there are no high-level debates about font choices and the best kind of turquoise, because this is the Old Testament, an angry and monochromatic world, and it doesn’t matter whether your Arial is Bold or Condensed when people are covered in boils and pestilence and Egyptian pharaoh oppression. HCI people discover bugs by receiving a concerned email from their therapist. Systems people discover bugs by waking up and discovering that their first-born children are missing and "ETIMEDOUT" has been written in blood on the wall.
