Hi,
I finally landed my hands on my own domain. So, henceforth all my blogging will be here.
R7-0038: Check Point Endpoint Security Server Information Disclosure
February 7, 2011

-- Vulnerability Details:
The Check Point Endpoint Security Server and Integrity Server products inadvertently expose a number of private directories through the web interface. These directories include the SSL private keys, sensitive configuration files (often containing passwords), and application binaries. Examples of exposed files include:
https://server/conf/ssl/apache/integrity-smartcenter.cert
https://server/conf/ssl/apache/integrity-smartcenter.key
https://server/conf/ssl/apache/integrity.cert
https://server/conf/ssl/apache/integrity.key
https://server/conf/ssl/apache/smartcenter.cert
https://server/conf/ssl/integrity-keystore.jks
https://server/conf/ssl/isskeys.jks
https://server/conf/ssl/openssl.pem
https://server/conf/integrity.xml
https://server/conf/jaas/users.xml
https://server/bin/DBSeed.xml
These files are also exposed via the Tomcat server:
http://server:8080/conf/ssl/apache/integrity-smartcenter.cert

-- Vendor Response:
Check Point has issued a hotfix for Endpoint Security Server versions R71, R72 and R73 and Integrity Server version 7.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk57881
This patch blocks remote access to the Tomcat instance (8080) and restricts access to private directories via POST and GET requests. This patch does not prevent a remote attacker from determining the size of a sensitive file by using HEAD requests.

-- Disclosure Timeline:
2010-11-08 - Vulnerability reported to Check Point
2010-11-09 - Acknowledgement from Check Point
2010-11-29 - Advisory and hotfix released by Check Point
2011-01-19 - Remote check published for Rapid7 NeXpose
2011-02-07 - Detailed advisory released by Rapid7

-- Credit:
This vulnerability was discovered by HD Moore
Didier Stevens came up with this excellent task manager written in Excel VBA. It is a very helpful tool when working on infected systems where the malware has disabled the Task Manager or Process Explorer, or prevents them from launching.
Great work, Didier.
http://blog.didierstevens.com/2011/02/03/taskmanager-xls/#comments
If a forged certificate is accepted when accessing the Flash Player’s Settings Manager, which is available exclusively online, attackers can potentially manipulate the player’s website privacy settings. This allows a web page to access a computer’s web cams and microphones and remotely turn the computer into a covert listening device or surveillance camera.
At the "Meta Rhein Main Chaos Days 111b" (German language link), Fraunhofer SIT employee Alexander Klink presented a scenario in which he used a man-in-the-middle attack (MiTM) to intercept the communication with Adobe’s Settings Manager. The Settings Manager itself is a simple Flash applet, and the Adobe pages load it into the browser as an SWF file via HTTPS – a fixed link to it is encoded into the browser.
However, the MiTM attack allows attackers to inject a specially crafted applet which, to put it simply, manipulates the Flash cookies (Local Shared Objects, LSOs) on the victim’s computer in such a way that the computer’s web cam and microphone become accessible to arbitrary domains – by default, no domain has access to these components. This, in turn, allows images and audio to be transmitted to the attacker’s server via RTMP streaming.
While attackers need their potential victims to co-operate and accept a forged certificate in order to hack the SSL connection, an error when accessing one of Adobe’s Macromedia pages is unlikely to cause much suspicion.
A solution to the problem is to add the option “AVHardwareDisable = 1” to the mms.cfg file. mms.cfg is a Flash configuration file, and it cannot be overwritten using the Flash Player Settings Manager. For Flash 8 or later, the file resides in the locations below:
If you are using a Flash version older than 8, you seriously need to upgrade.
Edit the mms.cfg file and add the directive as shown below:
Setting “AVHardwareDisable = 1” ensures that the Flash Player does not have access to the system’s audio and video hardware.
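An added example, not code from the original post or from Adobe: a small Python check that parses mms.cfg text, reports whether AVHardwareDisable is actually in effect (a later duplicate line overrides an earlier one), and rewrites the content to enforce the setting. The file contents used are constructed; the platform-specific path to mms.cfg is not assumed.

```python
DIRECTIVE = "AVHardwareDisable"

def parse_mms_cfg(text: str) -> dict:
    """Parse mms.cfg 'Key=Value' lines (spaces around '=' tolerated) into a dict.
    A later duplicate key overrides an earlier one, as a last-wins parser would."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def av_hardware_disabled(text: str) -> bool:
    """True only when AVHardwareDisable is explicitly set to 1."""
    return parse_mms_cfg(text).get(DIRECTIVE) == "1"

def harden_mms_cfg(text: str) -> str:
    """Return the config text with AVHardwareDisable=1 enforced.
    Every existing AVHardwareDisable line (including a duplicate further down
    that could re-enable access) is collapsed into one line set to 1."""
    out, seen = [], False
    for raw in text.splitlines():
        key = raw.partition("=")[0].strip()
        if key == DIRECTIVE:
            if not seen:
                out.append(f"{DIRECTIVE}=1")
                seen = True
            continue
        out.append(raw)
    if not seen:
        out.append(f"{DIRECTIVE}=1")
    return "\n".join(out) + "\n"

# Constructed sample (not a real file): the weak state, camera/microphone access left on
WEAK_CFG = "AutoUpdateDisable=0\nAVHardwareDisable = 0\n"

if __name__ == "__main__":
    print("weak config disables A/V hardware:", av_hardware_disabled(WEAK_CFG))
    fixed = harden_mms_cfg(WEAK_CFG)
    print(fixed, "hardened config disables A/V hardware:", av_hardware_disabled(fixed))
```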
What an unexpected Christmas present, provided by a group identifying itself as the “Security Watchmen”, to Carders.cc, a criminal forum specialized in trading stolen credit cards, but also to some well-known security scene actors such as Exploit-DB.com, BackTrack-Linux.org, Ettercap, Inj3ct0r.com and Free-Hack.com.
The ezine “Owned and Exposed”, which security experts have begun to fear, has released its second edition. The previous edition of this online magazine, dating from May 2010, had already targeted Carders.cc and revealed technical and organizational details of this group of pirates.
Contents of this second edition:
When editing the first edition of their magazine, the authors wanted to deal a fatal blow to Carders.cc in order to stop its criminal activities. Unfortunately, the attack of May 2010 was not sufficient to stop the forum, which came back online a short time after being “rm’ed”. Seven months later, Carders.cc is again a prime target.
All the depths of the server hosting the Carders.cc forum are exposed in the magazine, and all administrative accounts are revealed. A copy of the forum database is currently available on the Internet. The “Security Watchmen” hope that this time the message gets through, and that we will see the definitive end of the criminal forum Carders.cc. Otherwise, it is clear that the forum will again be a target in the third edition of the “Owned and Exposed” magazine.
Inj3ct0r, for those who do not know the site, is a copy of Milw0rm, offering a database of 0-days and exploits. The “Security Watchmen” motivation for attacking Inj3ct0r is based primarily on the fact that Inj3ct0r is considered a “lameass wannabe milw0rm kid” that publishes only XSS attacks (which the “Security Watchmen” consider low-level attacks), but also that behind this facade of an exploit database the Inj3ct0r team actually runs a business based on stolen credit cards.
Again, all the depths of the server hosting Inj3ct0r are exposed in the magazine, and all administrative accounts are revealed. A copy of the website database is currently available on the Internet.
Ettercap is a software suite for performing MITM (Man in the Middle) attacks. It has existed since 2001 and is used by computer security experts. The “Security Watchmen” motivation for attacking Ettercap is based primarily on their view that the Ettercap software suite is detrimental to the security community and that the team maintaining the software considers itself security experts.
What is disturbing about this hack is, firstly, that, as the “Security Watchmen” suggest, the Ettercap source code has been compromised for about 5 years, and secondly, the fact that the Ettercap website is hosted at SourceForge. We could assume that all projects hosted at SourceForge are potentially compromised!
Again, the depths of the server hosting the Ettercap project are outlined in the magazine, and all administrative accounts are revealed. The list of processes running on the SourceForge server hosting the Ettercap project reveals that bots have the upper hand on this server.
Exploit-DB is a 0-day and exploit database, and BackTrack Linux is an operating system containing computer security software widely used by security experts. The “Security Watchmen” motivation for attacking Exploit-DB and BackTrack Linux is based primarily on their belief that such projects give computer criminals new ways to commit crimes.
Again, the depths of the servers hosting Exploit-DB and BackTrack Linux are exposed in the magazine, and all administrative accounts are revealed. We should get some clarification from the BackTrack Linux team on whether the distribution was compromised or not.
These attacks on sites well known to the computer security community will surely create a sense of paranoia until the third edition of the electronic magazine “Owned and Exposed”.
Thanks to Abbysec, a zero-day exploit for IE that is going on in the wild, with not much talk about it, has been brought to light. Abbysec has made a video that clearly shows the exploit working on a fully patched Windows 7 machine as of 12/20/2010. It bypasses DEP and ASLR without any 3rd-party extensions. I have linked the video below:
All credit for the video belongs to Abbysec.
Riding on the growing popularity of ransomware like rogue antivirus, new kinds of ransomware are popping up in the wild: MBR ransomware, or Master Boot Record ransomware. See the post below from Kaspersky Labs.
One day after a new version of the GpCode ransomware popped up, researchers have discovered another piece of malware that overwrites the master boot record on infected machines and demands a payment of $100 to reverse the damage.
The new MBR-infecting ransomware is known as Seflad and it has a couple of interesting traits. First, after infection, it tells victims that their hard drives have been encrypted and that any attempt to recover their files will result in data loss. However, the hard drive isn’t actually encrypted, according to an analysis of Seflad [1] by Kaspersky Lab malware analyst Denis Maslennikov. Instead, the malware simply replaces the infected PC’s MBR with a malicious one.
Second, it appears to be possible to restore the original master boot record without actually paying the ransom to the attackers. After infection, Seflad reboots the victim’s machine and then displays an image that asks the victim to enter a password, which the user obviously doesn’t have. Entering an incorrect password three times will cause the PC to reboot a second time and display the same message again. Maslennikov’s analysis showed that using the password "aaaaaaciip" without the quotation marks will deactivate the malware and restore the original MBR.
"If the victim browses the malware author’s website, he is asked to pay $100 using ‘Paysafecard’ or ‘Ukash’. If you are infected by this malware do not visit the website. Use the password ‘aaaaaaciip’ (without quotes) to restore the original MBR. If the password doesn’t work, you can cure your MBR with Kaspersky Rescue Disk 10 [2]," Maslennikov said.
The tack taken by Seflad is a potentially scary and damaging one, going after the master boot record of an infected machine. The MBR is the first section of a hard disk to be loaded and is used to load the operating system; overwriting or damaging the MBR can be extremely difficult to reverse. MBR-infecting malware has been around for a long time and can cause serious problems for victims, but it hasn’t been very widespread in recent years.
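An added example, not code from the Kaspersky analysis or from the post above: a Python snippet that splits a 512-byte MBR into its boot code, partition table and boot signature, and compares a disk's current MBR against a trusted backup so that a replaced boot sector like the one described can be identified and restored from the backup rather than paid for. Both sample MBRs are constructed here; the tampered one only mimics the boot-code swap, not Seflad itself.

```python
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap code occupies bytes 0-445
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"    # boot signature at bytes 510-511

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # entry layout: boot flag, CHS start (3), type, CHS end (3), LBA start, sector count
        boot_flag, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"bootable": boot_flag == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": mbr[510:512] == SIGNATURE}

def compare_mbr(backup: bytes, current: bytes) -> list:
    """Return the names of the MBR regions that differ from a trusted backup."""
    changed = []
    if parse_mbr(backup)["boot_code"] != parse_mbr(current)["boot_code"]:
        changed.append("boot_code")
    if backup[PART_TABLE_OFF:510] != current[PART_TABLE_OFF:510]:
        changed.append("partition_table")
    if backup[510:] != current[510:]:
        changed.append("signature")
    return changed

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * (3 * PART_ENTRY_LEN)
    return code + table + SIGNATURE

# Constructed data, not captured from a real disk: a clean MBR and one whose boot code
# was swapped for a lock-screen stub (JMP $ plus a text string), partition table untouched
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")          # CLI; XOR AX,AX; MOV SS,AX
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"ENTER PASSWORD")

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR)["partitions"])
    print("changed regions:", compare_mbr(CLEAN_MBR, TAMPERED_MBR))
```

On a live system, feed compare_mbr() the first 512 bytes read from the raw disk device together with a backup taken while the machine was known clean.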
Agnitio is a tool to help developers and InfoSec professionals conduct security code reviews in a consistent and repeatable way. It aims to replace the ad-hoc nature of manual security code review documentation and to create an audit trail and reporting.
Two main goals drive the development of Agnitio:
1. Help further adoption of Secure Code Development
2. Bring repeatability and integrity to security code reviews
Agnitio forces a reviewer to follow a checklist for each code review. It also forces the reviewer to think about the real risk associated with a finding, in the context of the application being reviewed, rather than blanket labeling findings “high”.
BT4 R2 is out. One of the long-awaited features is the rebuild of Metasploit with SQL support out of the box, along with the new kernel 2.6.35.8, which has a better 802.11 stack.
VUPEN Security has discovered a critical vulnerability in Google Chrome. The vulnerability is caused by a memory corruption error when processing focus events, which could be exploited by remote attackers to potentially execute arbitrary code by tricking a user into visiting a specially crafted web page. Google Chrome versions prior to 6.0.472.53 are affected.