Security News #0x83

March 7, 2015

Security News #0x82

February 25, 2015

Security News #0x81

February 17, 2015

Security News #0x80

February 10, 2015
  • ET Pwn Phone? (Thanks to Ryan for the idea!) This is a Metasploit module that exploits the futex_requeue bug, CVE-2014-3153, in Android devices from before June 2014.
  • It is possible to crash the Google email application with a single email. What makes this denial of service particularly problematic is that the target then needs to find a way to delete the malicious email without using the Google mail application.
  • Internet Explorer 10 and 11 are vulnerable to a universal cross-site scripting attack. As yet it is unpatched; there isn’t even a CVE number. Of course, Metasploit has a module, and a technical description is available.
  • An attacker who has gained a foothold on a network often needs to obtain network credentials before moving laterally. One interesting approach is simply to ask the user: this is a new Metasploit module that phishes credentials by popping up a dialog box on a compromised system.
  • Linux is not immune to this type of attack. Here is a Metasploit module that steals the passwords users type to unlock the screensaver or to authorize an action through PolicyKit.
  • Are you interested in learning more about how a Linux system boots?
  • Recent Samsung televisions allow for voice control. The catch is that the voice recognition is not done on the television, but rather at a remote site. Now imagine that every word you speak in your living room is sent to a third party. Maybe I don’t need a TV with voice recognition.
  • LD_PRELOAD is a way of modifying what a program does on Linux without modifying the program itself: the dynamic loader loads the listed library first, so its definitions of library functions take precedence over the ones the program would otherwise resolve from libc. One malicious use of LD_PRELOAD is to hide malware and rootkits by hooking functions such as readdir or fopen. haxelion has one of the best write-ups on the topic I have seen, especially on the question of detection.
  • Nat McHugh has provided a step-by-step method to generate MD5 collisions using Amazon AWS and HashClash at a cost of roughly 65 cents per collision.
  • Stephen Brennan has a nice tutorial on how to write your own shell. Well worth a read.
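To make the detection side of the LD_PRELOAD item concrete, here is an added example (it is not code from haxelion’s write-up or from the original post). It checks the three places a preloaded library shows up on a Linux host: /etc/ld.so.preload, the LD_PRELOAD variable in a process’s environment (/proc/<pid>/environ, NUL-separated), and the libraries mapped into the process according to /proc/<pid>/maps. The sample maps, environ and ld.so.preload contents, the library names, and the list of directories treated as suspicious are all constructed for the example; the logic runs on that sample data anywhere and can optionally be pointed at a live pid.

```python
"""Look for LD_PRELOAD-style injection on a Linux host (added example)."""
import os
import re

# Assumption for this example: shared libraries do not normally live here.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")

# Constructed sample data standing in for /proc/<pid>/maps, /proc/<pid>/environ
# and /etc/ld.so.preload; the library names are invented.
SAMPLE_MAPS = """\
55d1c0a00000-55d1c0a22000 r--p 00000000 08:01 131      /usr/bin/bash
7f3a1c000000-7f3a1c1b0000 r--p 00000000 08:01 262      /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c403000 r-xp 00000000 08:01 999      /tmp/.x/libhide.so
7f3a1c600000-7f3a1c601000 rw-p 00000000 00:00 0
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0        [stack]
"""
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhide.so\0HOME=/root\0"
SAMPLE_LD_SO_PRELOAD = "# dropped by an installer\n/usr/lib/libhide2.so\n"


def parse_environ(data: bytes) -> dict:
    """/proc/<pid>/environ is a sequence of NUL-terminated KEY=VALUE entries."""
    env = {}
    for entry in data.split(b"\0"):
        if b"=" in entry:
            key, value = entry.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_entries(value: str) -> list:
    """ld.so accepts colon- or whitespace-separated entries in LD_PRELOAD."""
    return [p for p in re.split(r"[:\s]+", value) if p]


def parse_ld_so_preload(text: str) -> list:
    """One library per line; '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def mapped_files(maps_text: str) -> set:
    """Paths of file-backed mappings; anonymous and [stack]-style entries are skipped."""
    files = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/"):
            files.add(parts[5])
    return files


def analyze(maps_text: str, environ_bytes: bytes, ld_so_preload_text: str) -> list:
    """Return (source, path, state) findings for one process."""
    findings = []
    mapped = mapped_files(maps_text)
    env = parse_environ(environ_bytes)
    for lib in preload_entries(env.get("LD_PRELOAD", "")):
        findings.append(("LD_PRELOAD", lib, "mapped" if lib in mapped else "not mapped"))
    for lib in parse_ld_so_preload(ld_so_preload_text):
        findings.append(("ld.so.preload", lib, "mapped" if lib in mapped else "not mapped"))
    for path in sorted(mapped):
        # A .so loaded from a world-writable or home directory deserves a look
        # even when no preload mechanism is visible (the hook may have cleaned up).
        if path.startswith(SUSPICIOUS_DIRS) and ".so" in os.path.basename(path):
            findings.append(("suspicious-location", path, "mapped"))
    return findings


def scan_pid(pid: int) -> list:
    """Apply analyze() to a live process via /proc (Linux only)."""
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    with open(f"/proc/{pid}/environ", "rb") as f:
        environ_bytes = f.read()
    try:
        with open("/etc/ld.so.preload") as f:
            preload_text = f.read()
    except FileNotFoundError:
        preload_text = ""
    return analyze(maps_text, environ_bytes, preload_text)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MAPS, SAMPLE_ENVIRON, SAMPLE_LD_SO_PRELOAD):
        print("sample:", *finding)
    if os.path.isdir("/proc/self"):
        for finding in scan_pid(os.getpid()):
            print("live:", *finding)
```

The catch, and the reason detection is the hard part, is that the scanner itself goes through libc: a preload rootkit already loaded into the scanning process can hook open, read and readdir to hide /etc/ld.so.preload and its own mapping. Run the check with a cleared environment (env -i), from a statically linked tool or a rescue medium, and compare against an out-of-band view of the same host before trusting a clean result.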

Security News #0x7F

February 3, 2015
  • I have been asked how to make your computer "100%" secure. Last year, someone posted an excellent video with recommendations. I can’t quite endorse the method; if you watch to the end the attacker is still able to get in, but it did require some significant effort. Call it "99+%" security and I am happy. My students should know though, that this technique is not permitted during Exercise 1.
  • There is a proof of concept for a privilege escalation attack on Windows 8.1 that exploits a race condition during login. The underlying issue is CVE-2015-0004 and was patched in MS15-003.
  • There is a new Metasploit module to bypass Protected Mode in Internet Explorer on Windows 7 SP1 (32-bit). The underlying problem is CVE-2015-0016, which was patched in MS15-004.
  • Did you know you can crack the WEP key of a wireless network without being in signal range of the AP and without sending any packets to the AP? (I didn’t!). Take a look at this piece at the Penetration Testing Lab that describes the Hirte attack. [The key is finding a client that has connected to the AP in the past!]
  • If you want to learn the technical details behind CVE-2014-9322, a privilege escalation vulnerability in recent (before 3.17.5) Linux kernels, take a look at this blog post from Rafal Wojtczuk at Bromium Labs.
  • Samsung phones are vulnerable to an attack named currupdate. [As an aside, is anyone else tired of naming vulnerabilities? It’s like folks are trying to sell products!] The underlying issues are designated CVE-2015-0863 and CVE-2015-0864, though they have not yet made it to the MITRE database.
  • Many DDoS attacks rely on amplification: the attacker sends a packet of size s, with the source address spoofed to that of the victim, to an intermediate host, which replies to the victim with a response of size a*s. The number a is the amplification factor of the attack, and if a is large then a small number of attackers can flood the bandwidth of a victim. Last year a DDoS attack against the city of Columbia (MO) used MSSQL servers as the amplifiers and achieved a factor of as much as 440. Take a look at Default Deny for the technical details.
  • Here is a neat trick to tunnel Meterpreter over SSH.

Security News #0x7E

January 28, 2015
  • A vulnerability in glibc that affects the gethostbyname family of functions was announced by Qualys. As seems to be all the rage, it was given a nickname, in this case “ghost”. I prefer the easier to remember CVE-2015-0235, though it should be noted that this is marked as reserved rather than assigned in the various databases. Ars Technica has a broad overview of the vulnerability. Because this affects a commonly used library, there are many applications that could potentially be vulnerable; for a list, check out the Sucuri blog. After some reading though, my conclusion is that the best technical analysis is available at lcamtuf’s blog; it should be required reading.
  • I read a wonderful blog post where they build and run a functioning C program without a main() function. In fact, the entire program (which prints “Hello World!” to the screen) consists of a single variable declaration. Intrigued? Check it out..
  • It turns out that Firefox and Chrome can be persuaded, with a bit of JavaScript, to give up the local IP address of the system. This can be useful if, for example, an attacker wants to perform reconnaissance of a target’s internal network. Take a look at the code’s GitHub page; the lifars blog has a demo and defensive techniques.
  • Do you want root on a Nexus 5 with Android 4.4.4? Packetstorm has proof of concept code.

Security News #0x7D

January 6, 2015

With my class starting in just a few weeks, I am going to try to catch up on all of the cyber security news that has started to fill my inbox to bursting.

  • Did you know that John Troony has a page full of PHP webshells available for analysis? Just don’t trust them; remember the story about the C99/C99.PHP shells.
  • Raphael Mudge has developed and released a virtual machine named Morning Catch configured to be used as a sample system for phishing attacks. Similar in spirit to Metasploitable, students can use the system as a target in phishing and other types of attacks.
  • If you spend a lot of time working in VirtualBox, you might want to know about a Metasploit module that attacks VirtualBox up to 4.3.6 running on Windows 7 SP1 (x64). The underlying problem is in 3D acceleration for the virtual machines; it is designated CVE-2014-0983.
  • Firefox 15-22 is exploitable via a Metasploit module. There are two underlying problems, CVE-2013-1710 and CVE-2013-1670.
  • Various NTP server implementations are vulnerable to DoS amplification. In an amplification attack, the attacker sends x bytes of traffic to a server that responds by sending n times x bytes of traffic to a different system. In one of the vulnerabilities the amplification factor n is 46, so an attacker can flood the target with 46 times the traffic they themselves can send out.
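The amplification factor described in the MSSQL item (#0x7F) and the NTP item above is easy to measure from the reflector’s side of the exchange, which is also where an operator would notice their server being abused. The following is an added example, not code from the original post or from any of the linked write-ups: it reads a constructed, netflow-style log of a server’s UDP traffic (the line format and the server address 198.51.100.10 are both assumptions for this example), totals bytes in and out per peer, and flags peers that receive far more than they send. Because the attacker spoofs the source address, the peer that shows up in such a log is the victim, not the attacker.

```python
"""Spot reflection/amplification abuse in a server's own traffic log (added example)."""
from collections import defaultdict
from dataclasses import dataclass

SERVER_IP = "198.51.100.10"  # assumed address of the server we operate

# Constructed sample, one flow per line:
#   <proto> <src_ip>:<src_port> <dst_ip>:<dst_port> <bytes> <packets>
# 203.0.113.7 "asks" NTP (123) twice with 50-byte queries and gets 2300 bytes back
# each time; 192.0.2.45 sends one 64-byte DNS query and gets 3200 bytes back;
# 192.0.2.46 receives a response with no matching request in the log at all.
SAMPLE_LOG = """\
udp 203.0.113.7:40001 198.51.100.10:123 50 1
udp 198.51.100.10:123 203.0.113.7:40001 2300 5
udp 203.0.113.7:40002 198.51.100.10:123 50 1
udp 198.51.100.10:123 203.0.113.7:40002 2300 5
udp 192.0.2.44:5353 198.51.100.10:53 60 1
udp 198.51.100.10:53 192.0.2.44:5353 120 1
udp 192.0.2.45:5353 198.51.100.10:53 64 1
udp 198.51.100.10:53 192.0.2.45:5353 3200 3
udp 198.51.100.10:53 192.0.2.46:5353 1200 1
"""


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    packets: int


def parse_flows(text: str) -> list:
    """Parse the constructed log format above into Flow records."""
    flows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        proto, src, dst, nbytes, packets = parts
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(proto, sip, int(sport), dip, int(dport), int(nbytes), int(packets)))
    return flows


def amplification_by_peer(flows: list, server_ip: str = SERVER_IP) -> dict:
    """Return {peer_ip: (bytes_in, bytes_out, factor)} over the server's UDP peers.

    factor = bytes the server sent to the peer / bytes the peer sent to the server,
    i.e. the a in a*s from the post. A peer that never sent anything but still
    received responses gets an infinite factor rather than a ZeroDivisionError.
    """
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue  # amplification needs spoofable, connectionless traffic
        if f.dst == server_ip:
            bytes_in[f.src] += f.nbytes
        elif f.src == server_ip:
            bytes_out[f.dst] += f.nbytes
    stats = {}
    for peer in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[peer], bytes_out[peer]
        stats[peer] = (i, o, o / i if i else float("inf"))
    return stats


def suspected_victims(stats: dict, min_factor: float = 10.0, min_bytes_out: int = 1000) -> list:
    """Peers with a large factor and enough response volume to matter, sorted."""
    return sorted(peer for peer, (_i, o, a) in stats.items()
                  if a >= min_factor and o >= min_bytes_out)


if __name__ == "__main__":
    stats = amplification_by_peer(parse_flows(SAMPLE_LOG))
    for peer in suspected_victims(stats):
        i, o, a = stats[peer]
        print(f"{peer}: {i} bytes in, {o} bytes out, factor {a:.1f} (likely spoofed victim)")
```

Thresholds are where judgement comes in: a normal DNS answer is a few times the size of its query, so a factor of 2 (192.0.2.44 in the sample) is ordinary, while 46 or 50 is not. Once a server shows up this way, the fix is on the server, not at the victim: turn off the query type being abused, stop answering recursive queries from the open Internet, or rate-limit responses per destination.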
Learning More
  • One new topic in the upcoming book (and not in these notes) is the DNS amplification attack. If you want to know whether your DNS server might be contributing to DNS amplification attacks, check out the Open Resolver Project.
  • Brad Antoniewicz has developed an ActiveX control and tutorial for Internet Explorer to help students learn the basics of browser exploitation. Most cool.
For Students
Hacking the World
  • The Nest thermostat is vulnerable to attack, at least by folks close enough to gain physical access to the device.