Information about a vulnerability in the TLS protocol was published in the beginning of November 2009. Attackers can take advantage of that vulnerability to inject arbitrary prefixes into a network connection protected by TLS. This can result in severe vulnerabilities, depending on the application layer protocol used over TLS.
RedTeam Pentesting used the External linkPython module External linkTLS Lite to develop proof of concept code that exploits this vulnerability. It is published here to raise awareness for the vulnerability and its potential impact. Furthermore, it shall give interested persons the opportunity to analyse applications employing TLS for further vulnerabilities.
For information details, here.
For POC Exploit, please click here.
Friday, December 25, 2009
Thursday, December 24, 2009
Microsoft IIS File Parsing Extension Vulnerability
A vulnerability has been identified in Microsoft Internet Information Services (IIS) where the server in incorrectly handling files with multiple extensions separated by the ";" character such as "malicious.asp;.jpg" as an ASP file. This could allow attackers to upload malicious executables on a vulnerable web server, bypassing file extension protections and restrictions. This vulnerability does not work with ASP.Net.
Finding Date: April 2008
Report Date: Dec. 2009
Found by: Soroush Dalili (Irsdl {4t] yahoo [d0t} com)
Website: Soroush.SecProject.com
Weblog: Soroush.SecProject.com/blog/
Thanks From: Mr. Ali Abbas Nejad, Mormoroth, Aria‐Security Team, and other ethical hackers.
Vulnerability/Risk Description:
IIS can execute any extension as an Active Server Page or any other executable extension. For instance “malicious.asp;.jpg” is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server.
Impact Description:
Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semi‐colon after an executable extension such as “.asp”, “.cer”, “.asa”, and so on.Many web applications are vulnerable against file uploading attacks because of this weakness of IIS. In a measurement which was performed in summer 2008 on some of the famous web applications, 70 percent of the secure file uploaders were bypassed by using this vulnerability.
Method of Finding:
Simple fuzzer by using ASP language itself.
More Details:
In case of having the “malicious.asp;.jpg”, web applications consider it as a JPEG file and IIS consider it as an ASP file and pass it to “asp.dll”. This bug does not work with ASP.Net as the .Net technology cannot recognize “malicious.aspx;.jpg” as a .Net file and shows a “page not found” error.
Besides using semi‐colon, “:” can be used to make an empty file with any arbitrary extension. For example by uploading “test.asp:.jpg”, an empty ASP file ‐ “test.asp” ‐ would be created on the server on an NTFS partition. This is only because of “NTFS Alternate Data Streams” and it is completely different from the semi‐colon vulnerability.
More details about this vulnerability here.
Finding Date: April 2008
Report Date: Dec. 2009
Found by: Soroush Dalili (Irsdl {4t] yahoo [d0t} com)
Website: Soroush.SecProject.com
Weblog: Soroush.SecProject.com/blog/
Thanks From: Mr. Ali Abbas Nejad, Mormoroth, Aria‐Security Team, and other ethical hackers.
Vulnerability/Risk Description:
IIS can execute any extension as an Active Server Page or any other executable extension. For instance “malicious.asp;.jpg” is executed as an ASP file on the server. Many file uploaders protect the system by checking only the last section of the filename as its extension. And by using this vulnerability, an attacker can bypass this protection and upload a dangerous executable file on the server.
Impact Description:
Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semi‐colon after an executable extension such as “.asp”, “.cer”, “.asa”, and so on.Many web applications are vulnerable against file uploading attacks because of this weakness of IIS. In a measurement which was performed in summer 2008 on some of the famous web applications, 70 percent of the secure file uploaders were bypassed by using this vulnerability.
Method of Finding:
Simple fuzzer by using ASP language itself.
More Details:
In case of having the “malicious.asp;.jpg”, web applications consider it as a JPEG file and IIS consider it as an ASP file and pass it to “asp.dll”. This bug does not work with ASP.Net as the .Net technology cannot recognize “malicious.aspx;.jpg” as a .Net file and shows a “page not found” error.
Besides using semi‐colon, “:” can be used to make an empty file with any arbitrary extension. For example by uploading “test.asp:.jpg”, an empty ASP file ‐ “test.asp” ‐ would be created on the server on an NTFS partition. This is only because of “NTFS Alternate Data Streams” and it is completely different from the semi‐colon vulnerability.
More details about this vulnerability here.
DDoS attack scrooges Amazon and others
Service to Amazon, Wal-Mart and several other shopping sites was briefly blocked on Wednesday evening when their DNS provider was hit by a distributed denial of service (DDoS) attack.
Neustar, which provides DNS services to high profile website addresses under the UltraDNS brand, said the flood of malicious traffic, just two days before Christmas, was directed at the company's facilities in San Jose and Palo Alto, and that the effects were mostly limited to California users.
The websites were only down for about an hour — but needless to say at a very inopportune time for some. Neustar said that it first detected the trouble around 4:45 p.m. Pacific Time (12:45 AM Thursday, GMT).
Folks attempting last-minute shopping at Amazon, Wal-Mart, the Gap, and the travel site Expedia were ankled by outages and slow web browsing as a result of the DDoS attack. Other websites impacted include Salesforce.com and Linden Labs (maker of the game Second Life). In a message posted on Twitter, Jeff Barr of Amazon Web Services wrote that the retailer's outages were mostly in the US West Coast, and took down S3 and EC2 — as well as Amazon.com in "many places."
"We analyzed the patterns and were able to put mitigation measures in place within minutes of identifying the attack," NeuStar said in an emailed statement. "We had everything under control in well under an hour. The attack was limited to Northern California internet users. All along the way we were proactively communicating to our customers to let them know exactly what was happening and the steps we were taking."
This isn't the first time UltraDNS and its clients have been downed by DDoS attacks. In April, a larger DDoS attack took Amazon, SalesForce, Oracle and Juniper offline for several hours. Although more limited, Wednesday's malicious torrent of web traffic will insure that someone gets coal in their stocking. ®
This article is taken from http://www.theregister.co.uk/2009/12/24/ddos_attack_ultradns_december_09/
Neustar, which provides DNS services to high profile website addresses under the UltraDNS brand, said the flood of malicious traffic, just two days before Christmas, was directed at the company's facilities in San Jose and Palo Alto, and that the effects were mostly limited to California users.
The websites were only down for about an hour — but needless to say at a very inopportune time for some. Neustar said that it first detected the trouble around 4:45 p.m. Pacific Time (12:45 AM Thursday, GMT).
Folks attempting last-minute shopping at Amazon, Wal-Mart, the Gap, and the travel site Expedia were ankled by outages and slow web browsing as a result of the DDoS attack. Other websites impacted include Salesforce.com and Linden Labs (maker of the game Second Life). In a message posted on Twitter, Jeff Barr of Amazon Web Services wrote that the retailer's outages were mostly in the US West Coast, and took down S3 and EC2 — as well as Amazon.com in "many places."
"We analyzed the patterns and were able to put mitigation measures in place within minutes of identifying the attack," NeuStar said in an emailed statement. "We had everything under control in well under an hour. The attack was limited to Northern California internet users. All along the way we were proactively communicating to our customers to let them know exactly what was happening and the steps we were taking."
This isn't the first time UltraDNS and its clients have been downed by DDoS attacks. In April, a larger DDoS attack took Amazon, SalesForce, Oracle and Juniper offline for several hours. Although more limited, Wednesday's malicious torrent of web traffic will insure that someone gets coal in their stocking. ®
This article is taken from http://www.theregister.co.uk/2009/12/24/ddos_attack_ultradns_december_09/
Sunday, December 20, 2009
Twitter investigates DNS hijack
Twitter, the popular micro-blogging network, welcomed visitors on Thursday night with a page claiming that the site had been hacked by a defacers with links to Iran.
In reality, the company's domain name had been hijacked by the vandals and visitors redirected to an unrelated site hosting the page. Passive domain-name service (DNS) records showed the DNS poisoning, as Twitter's record pointed first to two domains registered in Moldova and then to a domain registered to an undisclosed person in Pompano Beach, Florida, according to information posted by the SANS Internet Storm Center.
Twitter acknowledged the issue late last night, following earlier media reports.
"Twitter’s DNS records were temporarily compromised but have now been fixed," the site administrators' wrote at 11:28 p.m. PT. "We are looking into the underlying cause and will update with more information soon."
The popularity of the social networking service has made it a target of hackers and a focus of security researchers this year. In August, a botnet targeted both Twitter and Facebook with a distributed denial-of-service attack. The micro-blogging service has also had to contend with the spreading of worms, the exploitation of a security vulnerability, and the use of its network as a command-and-control channel.
Thursday's defacement claimed to be done by the "Iranian Cyber Army," but another message -- translated from Farsi by Google's automated translation engine -- reportedly claimed the attack was motivated by the U.S. and Twitter's interference in "my country," suggesting the attacker was an individual.
From: SecurityFocus
In reality, the company's domain name had been hijacked by the vandals and visitors redirected to an unrelated site hosting the page. Passive domain-name service (DNS) records showed the DNS poisoning, as Twitter's record pointed first to two domains registered in Moldova and then to a domain registered to an undisclosed person in Pompano Beach, Florida, according to information posted by the SANS Internet Storm Center.
Twitter acknowledged the issue late last night, following earlier media reports.
"Twitter’s DNS records were temporarily compromised but have now been fixed," the site administrators' wrote at 11:28 p.m. PT. "We are looking into the underlying cause and will update with more information soon."
The popularity of the social networking service has made it a target of hackers and a focus of security researchers this year. In August, a botnet targeted both Twitter and Facebook with a distributed denial-of-service attack. The micro-blogging service has also had to contend with the spreading of worms, the exploitation of a security vulnerability, and the use of its network as a command-and-control channel.
Thursday's defacement claimed to be done by the "Iranian Cyber Army," but another message -- translated from Farsi by Google's automated translation engine -- reportedly claimed the attack was motivated by the U.S. and Twitter's interference in "my country," suggesting the attacker was an individual.
From: SecurityFocus
Friday, December 04, 2009
Using msfpayload and msfencode from Metasploit 3.3 to bypass anti-virus
This subject has been covered before, but why not once more? Metasploit 3.3 adds some new options, and better Windows support. As stated in the title, this video will cover using msfpayload and msfencode from Metasploit 3.3 to bypass anti-virus. I will also talk a little about using CWSandbox and VirusTotal to examine malware.
If you find this video useful, consider going to the Metasploit Unleashed page and donating to the Hackers For Charity Kenya food for work program, or come to the IndySec charity event.
By the way, I've put out two versions of this video, one an SWF and the other a streaming video. Please let me know which you prefer.
To see this video, please refer to this link:
http://www.irongeek.com/i.php?page=videos%2Fmsfpayload-msfencoder-metasploit-3-3
If you find this video useful, consider going to the Metasploit Unleashed page and donating to the Hackers For Charity Kenya food for work program, or come to the IndySec charity event.
By the way, I've put out two versions of this video, one an SWF and the other a streaming video. Please let me know which you prefer.
To see this video, please refer to this link:
http://www.irongeek.com/i.php?page=videos%2Fmsfpayload-msfencoder-metasploit-3-3
GreenSQL- Free database firewall protects PostgreSQL and MySQL
GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built in support for MySQL & PostgreSQL . The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license.
You can download it here
GreenSQL works as a reverse proxy for MySQL connections. This means, that instead of connecting TO THE MySQL server, your applications will connect to THE GreenSQL server. GreenSQL will analyze SQL queries and then, if they're safe, will forward them to the back-end MySQL server.
The following picture describes the whole process:
As you can see, GreenSQL calls the real database server to execute SQL commands and the web application connects to the GreenSQL server as if it were a real database server.
GreenSQL can be installed together with the database server on the same computer or it can use a distinct server. By default GreenSQL listens on local port 127.0.0.1:3305 redirecting SQL requests to 127.0.0.1:3306 (the default MySQL setting). These settings can be altered using the GreenSQL Console.
For more details, please refer to GreenSQL website:
http://www.greensql.net/about
You can download it here
GreenSQL works as a reverse proxy for MySQL connections. This means, that instead of connecting TO THE MySQL server, your applications will connect to THE GreenSQL server. GreenSQL will analyze SQL queries and then, if they're safe, will forward them to the back-end MySQL server.
The following picture describes the whole process:
As you can see, GreenSQL calls the real database server to execute SQL commands and the web application connects to the GreenSQL server as if it were a real database server.
GreenSQL can be installed together with the database server on the same computer or it can use a distinct server. By default GreenSQL listens on local port 127.0.0.1:3305 redirecting SQL requests to 127.0.0.1:3306 (the default MySQL setting). These settings can be altered using the GreenSQL Console.
For more details, please refer to GreenSQL website:
http://www.greensql.net/about
FreeBSD 8.0/7.1 local root issue
There is a new local root bug in FreeBSD.This bug discovered & exploited by Nikolaos Rangos also known as KingcopeThere is an unbelievable simple local r00t bug in recent FreeBSD versions.
The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like
LD_PRELOAD
to be set when executing setugid binaries like "ping" or "su".
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
Please read this advisory for more details:
http://securityreason.com/securityalert/6799
The bug resides in the Run-Time Link-Editor (rtld).
Normally rtld does not allow dangerous environment variables like
LD_PRELOAD
to be set when executing setugid binaries like "ping" or "su".
With a rather simple technique rtld can be tricked into
accepting LD variables even on setugid binaries.
Please read this advisory for more details:
http://securityreason.com/securityalert/6799
Tuesday, December 01, 2009
FreeBSD 8.0-RELEASE
The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 8.0-RELEASE. This release starts off the new 8-STABLE branch which improves on the functionality of FreeBSD 7.X and introduces many new features. Some of the highlights:
-Xen Dom-U, VirtualBox guest and host, hierarchical jails.
-NFSv3 GSSAPI support, experimental NFSv4 client and server.
-802.11s D3.03 wireless mesh networking and Virtual Access Point support.
-ZFS is no longer in experimental status.
-Ground-up rewrite of USB, including USB target support.
-Continued SMP scalability improvements in many areas, especially VFS.
-Revised network link layer subsystem.
-Experimental MIPS architecture support.
Please read here for more details:
http://www.freebsd.org/releases/8.0R/announce.html
-Xen Dom-U, VirtualBox guest and host, hierarchical jails.
-NFSv3 GSSAPI support, experimental NFSv4 client and server.
-802.11s D3.03 wireless mesh networking and Virtual Access Point support.
-ZFS is no longer in experimental status.
-Ground-up rewrite of USB, including USB target support.
-Continued SMP scalability improvements in many areas, especially VFS.
-Revised network link layer subsystem.
-Experimental MIPS architecture support.
Please read here for more details:
http://www.freebsd.org/releases/8.0R/announce.html
Subscribe to:
Posts (Atom)
Posts
