Security News #0x6E: The “Yeah, I’m Late” (part 1) Edition
Sorry for being so late with this (and the next one!). I got a bit behind at MACCDC, then farther behind working with the team to get ready for Nationals, and then HeartBleed hit. Right now, I have a huge backlogged queue of things to look over. I will try to knock these out a bit at a time, but it’ll be a while yet. Today I’ll post the material I have that pre-dates HeartBleed...
- If you are a student and interested in learning how to build a PHP backdoor, then you want to take a look at Matthew Bryant’s blog post where he shows how to do that. I like the fact that he explains in some detail the purpose of each component in his script. It is not an invisible, undetectable super-script, but it is a great place to start for someone who wants to learn.
- ASUS RT-AC68U routers appear to be vulnerable to both a remote code execution vulnerability and a cross-site scripting bug. I tried out the remote code execution attack on a vulnerable system using one of the vulnerable firmware versions. Boom! I had no problem grabbing the contents of /etc/passwd directly from the router. It did require access to the router from the internal network and it did require administrator access, but it is clear that the problem is real. Worse, it does not appear that updated firmware has been publicly released, as attempts to use the router’s interface to upgrade the firmware receive the notification "The router’s current firmware is the latest version." Ouch.
- So you want to learn more about the getsystem command in Metasploit? Ask Mudge. After you read his post though, remember there are a few privilege escalation exploits that getsystem does not try automatically. These include MS10-092 (schelevator) and MS13-053 (EPATHOBJ). And if you have never tried MS13-005 (HWND_BROADCAST), you should. Unlike the first two, it won’t get you SYSTEM in one shot. However, often your shell won’t allow you to upload files to the target; this exploit can get you those permissions. Just be sure you try it on a practice system and watch what happens on the target before you fire it off. Just sayin’.
- Last time we talked a bit about CVE-2014-1761, a vulnerability in MS Word caused by malformed .rtf files. Well, the folks at McAfee have a nice blog post that provides some of the technical details behind the attack.
- The folks at disconnected.io have a nice piece on hacking an individual target. An unnamed person asked a colleague to try to hack his home network for the promise of (good) beer. The post describes the various attack methods: what worked, what didn’t, and how social engineering provided a key point of entry. Well worth reading!
- There is a great piece on the Red Team point of view in the South East CCDC regional over at www.samcapella.com. It was a really interesting read, not only for how the author attacked his target team, but also because it gave me a new appreciation for the differences in structure and organization between the regional events, as our mid-Atlantic CCDC regional is set up very differently.
- I saw this on Twitter from @climagic and I could not help but share.
socat -d -d TCP-L:22,reuseaddr,fork SYSTEM:"nc \$SOCAT_PEERADDR 22" # Confuse people SSHing to your host with a redirect back to theirs.
- A five-year old was able to bypass the authentication mechanisms on the new Microsoft XBox One. Seriously.
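The socat one-liner from @climagic above works because socat accepts the inbound connection, exports the connecting host's address as $SOCAT_PEERADDR, and then spawns nc to connect back to port 22 at that same address, splicing the two streams together; whoever SSHes to your box ends up negotiating with their own sshd (and if they are not running one, the connect-back fails and the session just drops). The following is an added example, not code from the tweet, from socat, or from the original post: a small Python re-implementation of the same reflector so the mechanics can be run and tested on loopback without socat, nc, or root. The ports, the loopback address, the constructed banner text, and the stand-in "sshd" that sends a banner and echoes are all assumptions made for the demo; call demo() to run one connection through it.

```python
"""Reflect an inbound TCP connection straight back to the host that made it.
Added Python re-implementation of the socat one-liner above (not socat's or the
tweet author's code) so it runs on loopback without socat, nc, or root. Mapping:
TCP-L:22,reuseaddr,fork -> SO_REUSEADDR listener plus a thread per connection;
$SOCAT_PEERADDR -> getpeername(); "nc $SOCAT_PEERADDR 22" -> connect back to that
address on target_port (a parameter here instead of 22).
"""
import socket
import threading

def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _listen(host, port, handler):
    """SO_REUSEADDR listener (port 0 = ephemeral) that runs handler(conn) on a
    new thread per connection, like socat's fork. Returns (socket, bound_port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                     # listener was closed
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def _stop(srv):
    """Close a listener; shutdown first so a thread blocked in accept() wakes."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:                             # some OSes reject this on listeners
        pass
    srv.close()

def start_reflector(target_port, listen_port=0, host="127.0.0.1"):
    """Every client that connects is proxied back to itself on target_port."""
    def reflect(client):
        peer_addr = client.getpeername()[0]     # socat's $SOCAT_PEERADDR
        back = socket.create_connection((peer_addr, target_port), timeout=5)
        t = threading.Thread(target=_pump, args=(back, client), daemon=True)
        t.start()
        _pump(client, back)                     # client -> its own host
        t.join()                                # ... and its own host -> client
        client.close()
        back.close()
    return _listen(host, listen_port, reflect)

def start_banner_server(banner, host="127.0.0.1"):
    """Constructed stand-in for the connecting host's own sshd: send a banner,
    then echo whatever arrives until the peer closes."""
    def session(conn):
        with conn:
            conn.sendall(banner)
            _pump(conn, conn)
    return _listen(host, 0, session)

def _recv_line(sock):
    """Read up to a newline (or EOF); TCP gives no message boundaries."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf

def demo(banner=b"SSH-2.0-OpenSSH_on_the_CLIENT\r\n"):
    """Run both listeners on loopback and connect once through the reflector.
    Returns (banner_seen, echo_seen): the client is greeted by the constructed
    'sshd' at its own address, then gets its own bytes echoed back."""
    target, target_port = start_banner_server(banner)
    reflector, listen_port = start_reflector(target_port)
    try:
        with socket.create_connection(("127.0.0.1", listen_port), timeout=5) as c:
            banner_seen = _recv_line(c)
            c.sendall(b"hello from the confused client\n")
            echo_seen = _recv_line(c)
        return banner_seen, echo_seen
    finally:
        _stop(reflector)
        _stop(target)
```

On a real network the banner the victim sees is whatever their own sshd sends, so the host-key check either passes silently (they have their own key cached) or warns about a mismatch, which is where the confusion comes from. Binding to port 22 for real needs root or a capability, and the reflector itself never sees a password: everything is spliced through unread, which is also why this is a prank rather than a credential harvester.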