Security News #0x65: New Ubuntu Privilege Escalation
- There is a new Linux root privilege escalation exploit available. The folks at Canonical have labelled it CVE-2014-0038, but I have not seen that designation make its way to the official MITRE database yet, though that will likely change soon enough. Exploit-db already has two different exploits, one by saleo and one by rebel. A discussion at YCombinator suggests that this is a problem with the X32 ABI, a feature that is not enabled in most kernels. In fact, it seems likely that this issue will be primarily limited to Ubuntu 13.04 and Ubuntu 13.10 64-bit systems and their derivatives. Some folks on reddit have been discussing how it might impact other Ubuntu-derived systems, like Mint. For additional context, you might want to try a few other threads on YCombinator. There are some details on the bug itself on HackerOne.
- There is a new, updated version of ntpasswd, a tool that allows for offline password changes to Windows systems (now up through Windows 8.1 and Server 2012). Head off and grab your copy!
- The folks at Open Security Research provide a nice example of how to attack Apache Struts via CVE-2013-2251. Meanwhile, Metasploit has released a new module, Apache Struts 2 Developer Mode OGNL Execution, to exploit CVE-2012-0394; it has been tested against Struts 2.3.16, Tomcat 7 and Ubuntu 10.04.
- There is a new SQL Injection attack against Joomla 3.2.1 reported on exploit-db.
- If you want some practice exercises to develop skills in XSS and SQL injection, you might want to visit PentesterLab.
- Do you want to learn how to analyze captured packets on a Linux system? You might want to look at a recent article by Sahil Chelaramani, who describes how to use the libpcap library on Linux systems.
- I saw a piece on a tool called XSS-SHELL over on SecurityLearn. I haven't tried it out, and like all things XSS, it takes more than a few minutes to set up a test environment. Still, if you are a student who wants to learn more about XSS, it might be worth an hour or two of your time.
- Students: are you wondering what the Red Team might be thinking of doing at the various CCDC events this spring? Well, Matt Weeks, who runs the Red Team for the southwest region, has released a nice tool to install Linux on a live Windows system. He has a short demonstration video that shows it running and the system rebooting to Linux; what made me laugh out loud was the care and attention paid to the desktop image on the resulting Linux system.
- Peter Gramantik from the Sucuri Blog describes a new technique for iframe injections using .png metadata. This is not the first time recently that images have been found to be a malware source; you also might want to see what has been done with EXIF data.
- Malware Jake has a story about the value of out-of-band communication during an incident. I don't want to give away the punch line (it involves Twitter and the SEA), but you do want to check it out…
- Brian Krebs has some more information about the Target attack, and is now reporting that the attackers got in through an HVAC company. Rich Mogull on Twitter remarked that it was a small exhaust port, right below the main port. I'll just bet it was no bigger than two meters.
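On the first item above: since the reports tie the privilege escalation to the X32 ABI, the first thing an administrator wants to know is whether the running kernel was built with it. The script below is an added example, not from the newsletter or from any of the linked posts; it assumes the kernel Kconfig symbol CONFIG_X86_X32 (the option that enables the X32 ABI) and that the distribution ships its kernel config as /boot/config-$(uname -r), and it builds two constructed sample configs so it can be run offline.

```shell
#!/bin/sh
# Added example (not from the newsletter): report whether a kernel config
# enables the X32 ABI, the feature the CVE-2014-0038 reports point at.
# Assumption: the Kconfig symbol is CONFIG_X86_X32, and distribution
# kernels ship their config as /boot/config-$(uname -r).

# x32_status <config-file>
# Prints "enabled", "disabled" or "unknown" and returns 0, 1 or 2.
x32_status() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo "unknown"; return 2
    fi
    if grep -q '^CONFIG_X86_X32=y' "$cfg"; then
        echo "enabled"; return 0
    elif grep -q '^# CONFIG_X86_X32 is not set' "$cfg"; then
        echo "disabled"; return 1
    fi
    # Symbol absent entirely: older or non-x86 kernel, or a trimmed config.
    echo "unknown"; return 2
}

# Constructed sample configs so the script runs without a real /boot.
tmpdir=$(mktemp -d)
printf 'CONFIG_X86_64=y\nCONFIG_X86_X32=y\n' > "$tmpdir/config-x32"
printf 'CONFIG_X86_64=y\n# CONFIG_X86_X32 is not set\n' > "$tmpdir/config-nox32"
printf 'CONFIG_ARM=y\n' > "$tmpdir/config-arm"

x32_status "$tmpdir/config-x32"     # enabled
x32_status "$tmpdir/config-nox32"   # disabled
x32_status "$tmpdir/config-arm"     # unknown

# The check an administrator actually cares about: the running kernel.
x32_status "/boot/config-$(uname -r)" || true
```

Only an "enabled" result means the kernel exposes the ABI the reports discuss; "unknown" means the config was not found and the answer has to come from the distribution's kernel package instead.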