
Hi,

I finally got my hands on my own domain. So, henceforth, all my blogging will be here.

R7-0038: Check Point Endpoint Security Server Information Disclosure
February 7, 2011

-- Vulnerability Details:

The Check Point Endpoint Security Server and Integrity Server products
inadvertently expose a number of private directories through the web
interface. These directories include the SSL private keys, sensitive
configuration files (often containing passwords), and application binaries.

Examples of exposed files include:

https://server/conf/ssl/apache/integrity-smartcenter.cert
https://server/conf/ssl/apache/integrity-smartcenter.key
https://server/conf/ssl/apache/integrity.cert
https://server/conf/ssl/apache/integrity.key
https://server/conf/ssl/apache/smartcenter.cert
https://server/conf/ssl/integrity-keystore.jks
https://server/conf/ssl/isskeys.jks
https://server/conf/ssl/openssl.pem
https://server/conf/integrity.xml
https://server/conf/jaas/users.xml

https://server/bin/DBSeed.xml

These files are also exposed via the Tomcat server:

http://server:8080/conf/ssl/apache/integrity-smartcenter.cert



-- Vendor Response:
Check Point has issued a hotfix for Endpoint Security Server versions
R71, R72 and R73 and Integrity Server version 7.

 https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk57881

This patch blocks remote access to the Tomcat instance (8080) and
restricts access to private directories via POST and GET requests. This
patch does not prevent a remote attacker from determining the size of a
sensitive file by using HEAD requests.


-- Disclosure Timeline:
2010-11-08 - Vulnerability reported to Check Point
2010-11-09 - Acknowledgement from Check Point
2010-11-29 - Advisory and hotfix released by Check Point
2011-01-19 - Remote check published for Rapid7 NeXpose
2011-02-07 - Detailed advisory released by Rapid7


-- Credit:
This vulnerability was discovered by HD Moore
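As an added example (not part of the Rapid7 advisory), a small Python detector that runs over Apache-style access log lines and flags requests to the /conf/ and /bin/ paths the advisory lists, reporting successful HEAD requests separately as the size leak the hotfix still leaves. The log lines are constructed and the function names are this example's own.

```python
"""Added example (not from the Rapid7 advisory): flag access-log entries that
touch the Endpoint Security directories the advisory lists as exposed. HEAD is
reported separately because the hotfix restricts GET/POST but still lets HEAD
reveal a sensitive file's size. Log lines below are constructed."""
import re
from typing import Dict, List

SENSITIVE_PREFIXES = ("/conf/", "/bin/")   # directory prefixes named in the advisory

# Apache "combined" format: client ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify(line: str) -> Dict[str, str]:
    """Return a finding for one log line, or {} if it is not of interest.

    exposed   : non-HEAD request to a sensitive path answered 2xx (content served)
    size_leak : HEAD request to a sensitive path answered 2xx (only the size leaks)
    blocked   : request to a sensitive path refused with 4xx (someone is probing)
    """
    m = LOG_RE.match(line)
    if not m:
        return {}
    path = m.group("path").split("?", 1)[0]        # ignore any query string
    if not path.startswith(SENSITIVE_PREFIXES):
        return {}
    status, method = int(m.group("status")), m.group("method")
    if 200 <= status < 300:
        severity = "size_leak" if method == "HEAD" else "exposed"
    elif 400 <= status < 500:
        severity = "blocked"
    else:
        return {}
    return {"client": m.group("client"), "method": method, "path": path,
            "status": str(status), "severity": severity}

def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Classify every line and keep the non-empty findings."""
    return [f for line in lines if (f := classify(line))]

SAMPLE_LOG = [   # constructed, not from any real server
    '203.0.113.5 - - [10/Feb/2011:10:01:02 +0000] "GET /conf/ssl/apache/integrity.key HTTP/1.1" 200 1704 "-" "curl/7.19"',
    '203.0.113.5 - - [10/Feb/2011:10:01:03 +0000] "HEAD /conf/jaas/users.xml HTTP/1.1" 200 - "-" "curl/7.19"',
    '203.0.113.5 - - [10/Feb/2011:10:01:04 +0000] "GET /bin/DBSeed.xml HTTP/1.1" 403 211 "-" "curl/7.19"',
    '198.51.100.7 - - [10/Feb/2011:10:02:00 +0000] "GET /login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```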

TaskManager.xls

Didier Stevens came up with this excellent task manager written in Excel VBA. It is a very helpful tool when working on infected systems where the malware has disabled Task Manager or Process Explorer, or prevents them from launching.

Great work, Didier.

http://blog.didierstevens.com/2011/02/03/taskmanager-xls/#comments

If a forged certificate is accepted when accessing the Flash Player’s Settings Manager, which is available exclusively online, attackers can potentially manipulate the player’s website privacy settings. This allows a web page to access a computer’s web cams and microphones and remotely turn the computer into a covert listening device or surveillance camera.

At the "Meta Rhein Main Chaos Days 111b" (German language link), Fraunhofer SIT employee Alexander Klink presented (PDF) a scenario in which he used a man-in-the-middle attack (MiTM) to intercept the communication with Adobe’s Settings Manager. The Settings Manager itself is a simple Flash applet, and the Adobe pages load it into the browser as an SWF file via HTTPS – a fixed link to it is encoded into the browser.

However, the MiTM attack allows attackers to inject a specially crafted applet which, to put it simply, manipulates the Flash cookies (Local Shared Objects, LSOs) on the victim’s computer in such a way that the computer’s web cam and microphone become accessible to arbitrary domains – by default, no domain has access to these components. This, in turn, allows images and audio to be transmitted to the attacker’s server via RTMP streaming.

While attackers need their potential victims to co-operate and accept a forged certificate in order to hack the SSL connection, an error when accessing one of Adobe’s Macromedia pages is unlikely to cause much suspicion.

A solution to the problem is to add the option “AVHardwareDisable = 1” to the mms.cfg file. mms.cfg is a Flash configuration file, and it cannot be overwritten using the Flash Player Settings Manager. For Flash 8 or later the file resides in the following locations:

  • Windows NT, 2K – C:\WINNT\System32\Macromed\Flash
  • Windows XP, Vista – C:\WINDOWS\System32\Macromed\Flash
  • Windows 95, 98, or ME – C:\Windows\System\Macromed\Flash
  • Macintosh – \Application Support\Macromedia

If you are using a Flash version older than 8, you seriously need to upgrade.

Edit the mms.cfg file and add the directive “AVHardwareDisable = 1” on a line of its own.

Setting “AVHardwareDisable = 1” ensures that the Flash player does not have access to the system’s audio and video hardware.
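One way to roll this setting out consistently, as an added example that is not from the original article: a Python routine that enforces the directive in an mms.cfg idempotently (rewriting any existing value, dropping duplicates, keeping other lines) and a check that reports whether the file is hardened. Helper names and the sample config are this example's own.

```python
"""Added example, not from the original article: enforce AVHardwareDisable = 1
in a Flash Player mms.cfg, which the Settings Manager cannot override.
Helper names are this example's own; the sample config below is constructed."""
import os
import re

DIRECTIVE = "AVHardwareDisable"

def set_directive(text: str, key: str = DIRECTIVE, value: str = "1") -> str:
    """Return mms.cfg content with `key = value` present exactly once.

    Existing lines for the key (any spacing or case, any old value) are
    rewritten in place, duplicates are dropped, and every other line is kept.
    If the key is absent it is appended on its own line.
    """
    key_re = re.compile(r"^\s*" + re.escape(key) + r"\s*=", re.IGNORECASE)
    out, seen = [], False
    for line in text.splitlines():
        if key_re.match(line):
            if not seen:
                out.append(f"{key} = {value}")
                seen = True
            continue                   # drop a second setting of the same key
        out.append(line)
    if not seen:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"

def is_av_hardware_disabled(text: str) -> bool:
    """True only if AVHardwareDisable is set and every occurrence is 1."""
    pat = re.compile(r"^\s*AVHardwareDisable\s*=\s*(\S+)", re.IGNORECASE)
    values = [m.group(1) for m in map(pat.match, text.splitlines()) if m]
    return bool(values) and all(v == "1" for v in values)

def harden_file(path: str) -> bool:
    """Rewrite the mms.cfg at `path` (created if missing); True if it changed."""
    old = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as f:
            old = f.read()
    new = set_directive(old)
    if new != old:
        with open(path, "w", encoding="utf-8") as f:
            f.write(new)
    return new != old

SAMPLE_CFG = "# constructed sample\nAutoUpdateDisable=0\nAVHardwareDisable=0\n"

if __name__ == "__main__":
    # Windows XP/Vista location from the article; adjust for the other paths listed.
    # harden_file(r"C:\WINDOWS\System32\Macromed\Flash\mms.cfg")
    print(set_directive(SAMPLE_CFG))
```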


An unexpected Christmas present, delivered by a group identifying itself as the “Security Watchmen”, to Carders.cc, a criminal forum specialised in trading stolen credit cards, and also to some well-known security scene actors such as Exploit-DB.com, BackTrack-Linux.org, Ettercap, Inj3ct0r.com and Free-Hack.com.

The ezine “Owned and Exposed”, which security experts are beginning to fear, has released its second edition. The previous edition of this online magazine, dating from May 2010, had already targeted Carders.cc and revealed technical and organisational details of this group.

Contents of this second edition:

  • Carders.cc “Owned and Exposed”

With the first edition of their magazine, the authors wanted to deal a fatal blow to Carders.cc in order to stop its criminal activities. Unfortunately, the attack of May 2010 was not enough to stop the forum, which came back online shortly after being “rm’ed”. Seven months later, Carders.cc is again a prime target.

The server hosting the Carders.cc forum is exposed in depth in the magazine, and all administrative accounts are revealed. A copy of the forum database is currently available on the Internet. The “Security Watchmen” hope that this time the message gets through and that we will see the definitive end of the criminal forum Carders.cc. Otherwise, it is clear that the forum will again be a target in the third edition of “Owned and Exposed”.

  • Inj3ct0r “Owned and Exposed”

Inj3ct0r, for those who do not know the site, is a copy of Milw0rm, offering a database of 0days and exploits. The “Security Watchmen” motivation for attacking Inj3ct0r is based primarily on their view that Inj3ct0r is a “lameass wannabe milw0rm kid” that publishes only XSS attacks (which the “Security Watchmen” consider low-level), but also on the claim that, behind this facade of an exploit database, the Inj3ct0r team actually runs a business based on stolen credit cards.

Again, the server hosting Inj3ct0r is exposed in depth in the magazine, and all administrative accounts are revealed. A copy of the website database is currently available on the Internet.

  • Ettercap “Owned and Exposed”

Ettercap is a tool for performing MITM (Man in the Middle) attacks. It has existed since 2001 and is used by computer security experts. The “Security Watchmen” motivation for attacking Ettercap is based primarily on their claim that the Ettercap software suite is detrimental to the security community and that the team maintaining it considers themselves security experts.

What is disturbing about this hack is, firstly, that the Ettercap source code has, as the “Security Watchmen” suggest, been compromised for about 5 years, and secondly that the Ettercap website is hosted at SourceForge. We could assume that all projects hosted at SourceForge are potentially compromised!

Again, the server hosting the Ettercap project is outlined in depth in the magazine, and all administrative accounts are revealed. The list of processes running on the SourceForge server hosting the Ettercap project reveals that bots have the upper hand on this server.

  • Exploit-DB and BackTrack Linux “Owned and Exposed”

Exploit-DB is a database of 0days and exploits; BackTrack Linux is an operating system bundling computer security software widely used by security experts. The “Security Watchmen” motivation for attacking Exploit-DB and BackTrack Linux is based primarily on their belief that such projects give computer criminals new ways to commit crimes.

Again, the servers hosting Exploit-DB and BackTrack Linux are exposed in depth in the magazine, and all administrative accounts are revealed. We should get some clarification from the BackTrack Linux team on whether the distribution itself was compromised.

These attacks on sites well known to the computer security community will surely create a sense of paranoia until the third edition of the electronic magazine “Owned and Exposed”.

IE zero day exploit

Thanks to Abbysec, attention has been drawn to a zero day exploit for IE that is going on in the wild, with not much talk about it. Abbysec has made a video that clearly shows the exploit working on a fully patched Win 7 machine, as of 12/20/2010. It bypasses DEP and ASLR without any 3rd party extensions. I have linked the video below:


All credits for the video belong to Abbysec


Riding on the growing popularity of ransomware like rogue antivirus, new kinds of ransomware are popping up in the wild: MBR (Master Boot Record) ransomware. See the post below from Kaspersky Lab.

One day after a new version of the GpCode ransomware popped up, researchers have discovered another piece of malware that overwrites the master boot record on infected machines and demands a payment of $100 to reverse the damage.

The new MBR-infecting ransomware is known as Seflad and it has a couple of interesting traits. First, after infection, it tells victims that their hard drives have been encrypted and that any attempt to recover their files will result in data loss. However, the hard drive isn’t actually encrypted, according to an analysis of Seflad [1] by Kaspersky Lab malware analyst Denis Maslennikov. Instead, the malware simply replaces the infected PC’s MBR with a malicious one.

Second, it appears to be possible to restore the original master boot record without actually paying the ransom to the attackers. After infection, Seflad reboots the victim’s machine and then displays an image that asks the victim to enter a password, which the user obviously doesn’t have. Entering an incorrect password three times will cause the PC to reboot a second time and display the same message again. Maslennikov’s analysis showed that using the password "aaaaaaciip" without the quotation marks will deactivate the malware and restore the original MBR.


"If the victim browses the malware author’s website, he is asked to pay $100 using ‘Paysafecard’ or ‘Ukash’. If you are infected by this malware do not visit the website. Use the password ‘aaaaaaciip’ (without quotes) to restore the original MBR. If the password doesn’t work, you can cure your MBR with Kaspersky Rescue Disk 10 [2]," Maslennikov said.

The tack taken by Seflad is a potentially scary and damaging one, going after the master boot record of an infected machine. The MBR is the first section of a hard disk to be loaded and is used to load the operating system, and overwriting or damaging the MBR can be extremely difficult to reverse. MBR-infecting malware has been around for a long time and can cause serious problems for victims, but it hasn’t been very widespread in recent years.
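As an added example, not from the Kaspersky/Threatpost post above: a Python routine that parses a 512-byte MBR sector, verifies the boot signature, decodes the partition table and compares the boot-code region against a trusted baseline hash, which is how a responder tells an overwritten MBR like Seflad's from a clean one and knows to restore it from backup. The sample sectors are constructed and the helper names are this example's own.

```python
"""Added example, not from the Kaspersky/Threatpost post: parse a 512-byte MBR,
verify its boot signature, decode the partition table and compare the boot-code
region against a trusted baseline hash, so an overwritten MBR like Seflad's can
be told from a clean one and restored from backup. Sample sectors are constructed."""
import hashlib
import struct
from typing import Dict, List

BOOT_CODE_LEN = 446           # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"       # bytes 510..511

def parse_mbr(sector: bytes) -> Dict:
    """Return the boot-code hash and the non-empty partition entries."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts: List[Dict] = []
    for i in range(4):
        e = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", e[8:16])
        if e[4] != 0:                                   # type 0 = unused entry
            parts.append({"index": i, "bootable": e[0] == 0x80, "type": e[4],
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def check_against_baseline(sector: bytes, baseline_sha256: str) -> str:
    """'ok' if the boot code matches the trusted baseline, else 'boot code modified'."""
    matches = parse_mbr(sector)["boot_code_sha256"] == baseline_sha256
    return "ok" if matches else "boot code modified"

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: the given boot code plus one bootable type-0x07 partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return code + entry + b"\x00" * 48 + SIGNATURE

CLEAN = make_sample_mbr(b"\xeb\x63\x90" + b"clean bootstrap (constructed)")
# A replaced MBR typically keeps the partition table and swaps only the boot code.
TAMPERED = make_sample_mbr(b"\xeb\x63\x90" + b"Enter password: (constructed)")
BASELINE = parse_mbr(CLEAN)["boot_code_sha256"]      # record this from a known-good disk

if __name__ == "__main__":
    print(parse_mbr(CLEAN)["partitions"])
    print(check_against_baseline(CLEAN, BASELINE), "/", check_against_baseline(TAMPERED, BASELINE))
```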