Wednesday, April 25, 2007

Compromising Windows Vista Security using Vboot Kit

Vbootkit is a bootkit that loads from the Windows Vista boot sectors. It was developed by Nitin Kumar and Vipin Kumar, security consultants at NV Labs. It is a Windows Vista bootkit that hijacks Vista's boot process right from the beginning of the boot sequence, before the operating system itself is running. Vbootkit was tested on Windows Vista RC1 (build 5600) and Windows Vista RC2 (build 5744).
The Vbootkit white paper and presentation slides are available here:
http://www.nvlabs.in/?q=node/27
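A bootkit that loads from the boot sector has to change what is on disk, so the practitioner's first check is whether the first sector still matches a known-good copy. The script below is an added example, not code from NV Labs or from this post: it parses a 512-byte MBR (boot code, four partition entries, the 0x55AA signature) and compares a hash of the boot code against a baseline taken from a clean machine. The disk image it checks is constructed inline; the hypothetical helper names are my own.

```python
"""Added example (not from the NV Labs paper or the blog): verify that a disk's
first sector still matches a known-good hash and parse its partition table.
The MBR below is constructed here for the demo."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 boot code, 4 x 16-byte partition entries, 0x55AA
PART_TABLE_OFF = 446
SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Construct a plausible MBR: a few real x86 boot-code bytes, NOPs, one bootable NTFS partition."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 16 * 3
    return boot_code + table + SIGNATURE


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty partition entries; raise if the sector is not a valid MBR."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR (bad length or missing 0x55AA signature)")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _cs, ptype, _ce, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may legitimately change."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> bool:
    """True when the sector is well-formed and its boot code matches the recorded baseline."""
    parse_mbr(mbr)
    return boot_code_hash(mbr) == baseline_hash


def tamper(mbr: bytes, offset: int = 0) -> bytes:
    """Flip one byte, standing in for a bootkit patching the boot code."""
    b = bytearray(mbr)
    b[offset] ^= 0xFF
    return bytes(b)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = boot_code_hash(good)          # record this on a known-clean system
    print(parse_mbr(good))
    print("clean:", check_mbr(good, baseline), "patched:", check_mbr(tamper(good), baseline))
```

On a real FreeBSD box the sector comes from `open("/dev/ad0", "rb").read(512)` (device name is an assumption). This only verifies what is on disk: a bootkit started from other boot media that patches the loader in memory leaves this sector untouched, so the check is necessary, not sufficient.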

Tuesday, April 24, 2007

U.S. Army team wants second chance at Hack In The Box (HITB) Kuala Lumpur???

A team of U.S. Army hackers will attend the Hack In The Box (HITB) Security Conference 2007 in Kuala Lumpur later this year, seeking redemption after falling short at a hacker competition in Dubai earlier this month.
http://www.networkworld.com/news/2007/042407-us-army-team-wants-second.html

I want to see them this year in KL.....

Saturday, April 21, 2007

Port 443

The SANS Internet Storm Center reports a significant increase in port 443 scans and asks anyone who sees attacks against HTTPS servers to let them know. If you see something like that, I think you can send your web server logs, IDS logs and firewall logs to them to confirm whether it is an attack or not.
http://isc.sans.org/diary.html?storyid=2673
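Before sending logs anywhere it helps to know whether your own firewall actually saw a sweep. The following is an added example, not from the ISC diary: it reads firewall log lines, keeps only TCP traffic to port 443, and flags any source that touched at least N distinct hosts within a sliding window, which separates a scanner from a client that simply reconnects to one server. The log lines are constructed here in a generic key=value format (an assumption; adapt the regex to pf, ipfw or iptables output).

```python
"""Added example: find port-443 sweeps in firewall logs. Log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")

# Constructed sample: one source sweeping 443 across hosts, one client reconnecting
# to a single server, one later hit from the sweeper outside the window, one port-80 line.
SAMPLE_LOG = """\
2007-04-21T10:00:01 src=203.0.113.5 dst=198.51.100.7 dport=443 proto=tcp
2007-04-21T10:00:01 src=203.0.113.5 dst=198.51.100.8 dport=443 proto=tcp
2007-04-21T10:00:02 src=203.0.113.5 dst=198.51.100.9 dport=443 proto=tcp
2007-04-21T10:00:02 src=203.0.113.5 dst=198.51.100.10 dport=443 proto=tcp
2007-04-21T10:00:03 src=203.0.113.5 dst=198.51.100.11 dport=443 proto=tcp
2007-04-21T10:05:00 src=192.0.2.44 dst=198.51.100.7 dport=443 proto=tcp
2007-04-21T10:05:01 src=192.0.2.44 dst=198.51.100.7 dport=443 proto=tcp
2007-04-21T10:05:02 src=192.0.2.44 dst=198.51.100.7 dport=443 proto=tcp
2007-04-21T11:00:00 src=203.0.113.5 dst=198.51.100.12 dport=443 proto=tcp
2007-04-21T10:00:05 src=203.0.113.99 dst=198.51.100.7 dport=80 proto=tcp
"""


def parse_lines(text):
    """Yield (timestamp, src, dst, dport, proto); lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
               m["src"], m["dst"], int(m["dport"]), m["proto"])


def find_sweeps(text, port=443, min_targets=4, window_s=300):
    """Return {src: most distinct targets seen in any window_s-second window}
    for sources that hit `port` on at least min_targets distinct hosts."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, proto in parse_lines(text):
        if dport == port and proto == "tcp":
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if (t - t0).total_seconds() <= window_s}
            best = max(best, len(targets))
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG))
```

The per-source loop is quadratic in the number of events, which is fine for a day of firewall logs; lower `min_targets` for a small network and raise `window_s` for slow scanners.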

Last year I had the same problem at my client's site. One of my team reported to my Security Consultant that she had detected a series of Attack Response alerts from our Snort IDS. These alerts involved port 443 (https). So we analyzed the alerts and checked the source IP, because the 443 service came from that source IP. After analyzing the alerts, we confirmed that there were no SSL/https related services available on the source IP. It looked like a normal website. There was no https service available on that IP. If there were an https service, it should have been encrypted. We wanted to analyze the details and make a decision about that alert, but we did not have more resources. Maybe the attacker had compromised that IP earlier, installed a backdoor/trojan/malware and used it to communicate over port 443? Or maybe a misconfiguration? See this link:
http://blog.hazrulnz.net/121/finally-2.html

From my experience, this question is not easy to answer if you only have Snort alerts. Looking at the alerts alone, there is nothing more we can do; you cannot give the right answer to this question.

That's why I like to use Sguil. Sguil is an open source suite for performing NSM (Network Security Monitoring). It keeps session data and full-content packet captures alongside the alerts, so an analyst can pull up the actual port 443 traffic behind an alert instead of guessing from the signature name. NSM equips security staff to deal with the inevitable consequences of too few resources and too many responsibilities. NSM collects the data needed to generate better assessment, detection, and response processes, resulting in decreased impact from unauthorized activities.
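The question the Snort alert could not answer above is whether the port 443 traffic was really TLS. With full-content data that is a few bytes of work. The code below is an added example, not Sguil code and not from the original post: it classifies the first bytes one side sent on a connection as a TLS handshake, an SSLv2-compatible ClientHello, plaintext HTTP, other plaintext, or unknown binary, and then lists the port 443 streams that are not TLS. The sample streams, hosts and payloads are constructed here.

```python
"""Added example: is the traffic on port 443 actually TLS? Sample streams are constructed."""

HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"HTTP/")


def classify_stream_start(payload: bytes) -> str:
    """Classify the first bytes one side sent on a TCP connection."""
    # TLS record: content type 0x16 (handshake), version 3.x, 2-byte length, handshake type.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03):
        kind = {1: "ClientHello", 2: "ServerHello"}.get(payload[5], f"handshake type {payload[5]}")
        return f"tls {kind}"
    # SSLv2-compatible ClientHello (still common in 2007): 2-byte length with the
    # high bit set, message type 0x01, then the highest version offered (3.x).
    if len(payload) >= 5 and payload[0] & 0x80 and payload[2] == 0x01 and payload[3] == 0x03:
        return "tls SSLv2-compatible ClientHello"
    if payload.startswith(HTTP_STARTS):
        return "plaintext http"
    if payload and all(32 <= b < 127 or b in (9, 10, 13) for b in payload[:64]):
        return "plaintext other"
    return "unknown binary"


def non_tls_on_443(streams):
    """streams: iterable of (src, dst, dport, first_bytes).
    Return (src, dst, verdict) for the port-443 streams that are not TLS."""
    out = []
    for src, dst, dport, first in streams:
        verdict = classify_stream_start(first)
        if dport == 443 and not verdict.startswith("tls"):
            out.append((src, dst, verdict))
    return out


# Constructed sample payloads.
CLIENT_HELLO = (bytes.fromhex("160301002d")              # record header, 45-byte handshake
                + bytes.fromhex("01000029")              # ClientHello, 41-byte body
                + bytes.fromhex("0301") + b"\x00" * 32   # version, client random
                + b"\x00"                                # no session id
                + b"\x00\x02\x00\x2f"                    # one cipher suite
                + b"\x01\x00")                           # null compression only
SAMPLE_STREAMS = [
    ("10.0.0.5", "192.0.2.10", 443, CLIENT_HELLO),
    ("10.0.0.6", "192.0.2.11", 443, b"id=1234;os=winxp;cmd=?\n"),      # beacon-like plaintext
    ("10.0.0.7", "192.0.2.12", 443, b"GET /x.php HTTP/1.1\r\nHost: h\r\n\r\n"),
    ("10.0.0.8", "192.0.2.13", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for hit in non_tls_on_443(SAMPLE_STREAMS):
        print(hit)
```

Run over the first segment of each stream pulled from the packet capture, this turns "Attack Response on 443" into "plaintext HTTP on 443 from host X", which is a statement you can act on. The check only looks at the stream's first bytes, so a channel that starts with a real handshake and goes wrong later still needs a closer look.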

Tuesday, April 03, 2007

Exploiting Microsoft ANI Vulnerability in 10 minutes

Trirat Puttaraksa posted about the Microsoft ANI vulnerability and how to exploit it in 10 minutes. He wrote the exploit after going through the existing research: "Exploiting the ANI vulnerability on Vista", "Windows Animated Cursor Stack Overflow Vulnerability" and "Analysis of ANI 'anih' Header Stack Overflow Vulnerability".
http://sf-freedom.blogspot.com/2007/04/ani-again-exploiting-microsoft-ani.html
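The defender's side of the same bug is a format check. An ANI file is a RIFF container with form type ACON, and its `anih` chunk carries the 36-byte ANIHEADER structure; the vulnerable code copied the chunk using its declared length, so an `anih` chunk that declares any other size is the thing to flag. The script below is an added example, not from Trirat's post or the analyses it cites: it walks the RIFF chunks (descending into LIST chunks), reports `anih` chunks whose size is not 36, and reports chunk sizes that overrun their container. Both files it checks are constructed inline; the oversized one carries filler bytes, not an exploit.

```python
"""Added example: flag ANI files whose 'anih' chunk is not 36 bytes. Test files are constructed."""
import struct

ANIH_SIZE = 36   # sizeof(ANIHEADER): nine DWORDs


def _chunks(buf, pos, end):
    """Yield (fourcc, size, data_offset, overrun) for the RIFF chunks in buf[pos:end]."""
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        data = pos + 8
        if data + size > end:             # declared size runs past its container
            yield fourcc, size, data, True
            return
        yield fourcc, size, data, False
        pos = data + size + (size & 1)    # RIFF chunks are padded to even length


def check_ani(buf):
    """Return a list of findings; an empty list means nothing suspicious."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"ACON":
        return ["not a RIFF/ACON (ANI) file"]
    riff_size = struct.unpack_from("<I", buf, 4)[0]
    findings = []
    todo = [(12, min(len(buf), 8 + riff_size))]
    while todo:
        pos, end = todo.pop()
        for fourcc, size, data, overrun in _chunks(buf, pos, end):
            if overrun:
                findings.append(f"{fourcc!r} chunk at {data - 8} declares {size} bytes, past end of container")
            elif fourcc == b"anih" and size != ANIH_SIZE:
                findings.append(f"anih chunk at {data - 8} declares {size} bytes, expected {ANIH_SIZE}")
            elif fourcc == b"LIST":
                todo.append((data + 4, data + size))   # skip the list type, walk the children
    return findings


# Constructed test files.
def _chunk(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def _ani(body):
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"ACON" + body


# cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, jifRate, flags
ANIH = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)
FRAMES = _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\x00" * 8))
GOOD_ANI = _ani(_chunk(b"anih", ANIH) + FRAMES)
# A valid first anih followed by a second, oversized one (filler only).
BAD_ANI = _ani(_chunk(b"anih", ANIH) + _chunk(b"anih", b"A" * 200) + FRAMES)

if __name__ == "__main__":
    print("good:", check_ani(GOOD_ANI))
    print("bad: ", check_ani(BAD_ANI))
    print("cut: ", check_ani(GOOD_ANI[:20]))
```

Because the walker honours the container boundaries rather than trusting each chunk's own size, a truncated file produces a finding instead of an out-of-range read, which is the same discipline the patched loader needed.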

Sunday, April 01, 2007

Sguil Problem

Today I had a problem with my Sguil machine. When I ran the Sguil script, I got this error: "Table `event` is marked as crashed and should be repaired".

I checked the error message with dmesg to find out the problem:

After that, I tried to restart the sguild script, but I got the same error. Then I remembered a TaoSecurity post about a MySQL problem. I searched the TaoSecurity blog and found this link:
http://taosecurity.blogspot.com/2007/03/recovering-from-corrupted-mysql.html

I ran the mysqlcheck command like this (-r repairs the tables, -p prompts for the MySQL password):
izhar/root #mysqlcheck -r sguildb -p
Enter password

After running mysqlcheck, I tried to start the sguild script again, but it still did not work. I rebooted my FreeBSD 6.1 box into single-user (maintenance) mode and ran fsck to check the file system for consistency and repair it interactively:
#fsck

After running fsck, I rebooted my Sguil machine and tried to run Sguil again. Everything worked without any errors, so my Sguil machine was back in service.

Conclusion: shut down your Sguil machine properly. Hehehe, yesterday I forgot to shut it down and closed my VMware Sguil immediately without shutting it down.