21 April 2007

Writing Exploits With Perl ---> Book

Found this while browsing today, seems like a really worthwhile read. I'm going to skip through it this w/end. http://www.securitydb.org/Warpboy/Learning_Perl_-_Writing_Exploits.rar


20 April 2007

InfoSec Europe Next Week

w00t!!


ABN Amro Phishing attack bypasses Two Factor Authentication

This is actually pretty troubling; now to see what other attacks on two-factor auth come out. Via Out-Law.com:

A two-factor authentication system operated by Dutch bank ABN Amro has been compromised and money stolen from the online accounts of customers who fell for a phishing scam.

Two-factor authentication for online banking usually involves passwords and tokens which provide synchronised, constantly changing numbers to use as additional evidence of identity. The security industry has promoted the tokens as a preventative measure against hacking for users of remote corporate or banking systems. However, experts have warned that they are still vulnerable to phishing attacks, where fraudulent emails lure recipients to bogus websites that are set up to gather security details.

Four customers who used two-factor authentication have been compensated by ABN Amro for undisclosed amounts taken from their bank accounts. "We are taking this incident very seriously and, in addition to informing our clients, are also implementing all of the technical measures that are at our disposal to stop criminals in their tracks," said Johan van Hall of ABN Amro Netherlands. "Safe usage of home and office computers is an essential requirement for secure online banking, and we plan to remind our clients even more frequently and urgently than before of that fact."

Hackers sent the customers emails falsely claiming to be from ABN Amro. If recipients opened an attachment, software was installed on their machines without their knowledge. When customers visited their banking site, the software redirected them to a hacker-controlled mock site that requested their security details. As soon as the hackers received these details they were able to log into a customer's account at the real ABN Amro site, before the expiry of the fob-generated number. They could then transfer the customer's money.

Security experts have warned that such 'man in the middle' attacks cannot be prevented by security tokens. At the E-Crime Congress in London last month, several experts spoke out about the limitations of the systems. "Even when all the banks have it [hackers] will still attack them," said Mikko Hypponen, chief research officer of security firm F-Secure, at the Congress. "We see them using 'man in the middle' already."

"There are a whole bunch of things that can go wrong with two-factor authentication," Ross Anderson, a professor of security engineering at Cambridge University, told the same conference. "Banks are resisting because their technical staff know that it will be expensive to introduce and will not be effective. Some banks will introduce it, it will be quickly broken and then quickly forgotten."
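The reason the fob code did not help the ABN Amro customers is that a time-synchronised code proves possession of the token, not which transfer it authorises, so a code typed into the mock site is just as valid at the real site for a few more seconds. The simulation below (an added example, not code from Out-Law.com, ABN Amro or any token vendor; the seed, the timestamp, the account labels and the transaction-signing scheme are constructed assumptions) shows a relayed time code being accepted for a different transfer, and then the same relay failing once the code is computed over the amount and destination the customer actually intended, which is what transaction-signing tokens do.

```python
"""Why a time-based token code alone does not stop a relay through a
look-alike site, and how binding the code to the transaction changes that.
Added example; the seed and account labels below are constructed."""
import hashlib
import hmac
import struct

# Constructed demo seed shared between the bank and one customer's token.
TOKEN_SEED = b"constructed-demo-seed-not-a-real-secret"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, extra: bytes = b"", digits: int = 6) -> str:
    """HMAC-based one-time code with RFC 4226 style truncation.

    `extra` is empty for a plain token code; a transaction-signing token mixes
    the transfer details in, so the code is only valid for that transfer."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + extra, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_code(seed: bytes, now: int) -> str:
    """Plain time-synchronised code: depends only on the seed and the 30 s window."""
    return hotp(seed, now // STEP_SECONDS)


def transaction_code(seed: bytes, now: int, amount: int, dest: str) -> str:
    """Code bound to the transfer it authorises (amount and destination)."""
    details = f"{amount}|{dest}".encode()
    return hotp(seed, now // STEP_SECONDS, extra=details)


def bank_accepts_time_code(code: str, amount: int, dest: str, now: int) -> bool:
    """Bank side with a plain token: the amount and destination play no part
    in the check, only the code and the clock do."""
    return hmac.compare_digest(code, time_code(TOKEN_SEED, now))


def bank_accepts_transaction_code(code: str, amount: int, dest: str, now: int) -> bool:
    """Bank side with transaction signing: the code must match these details."""
    return hmac.compare_digest(code, transaction_code(TOKEN_SEED, now, amount, dest))


def relay_plain_token(now: int) -> bool:
    """The customer types a time code into the mock site; the intermediary
    forwards it to the real site five seconds later, inside the same window,
    attached to a transfer the customer never asked for."""
    code_typed_by_customer = time_code(TOKEN_SEED, now)
    return bank_accepts_time_code(code_typed_by_customer, 5000, "ACCT-UNKNOWN", now + 5)


def relay_transaction_token(now: int) -> bool:
    """Same relay, but the customer's token signed the transfer they intended
    (a 100 unit payment to their electricity supplier), so the relayed code
    does not match the substituted transfer."""
    intended_amount, intended_dest = 100, "ACCT-ELECTRICITY"
    code = transaction_code(TOKEN_SEED, now, intended_amount, intended_dest)
    return bank_accepts_transaction_code(code, 5000, "ACCT-UNKNOWN", now + 5)


if __name__ == "__main__":
    NOW = 1177000020  # constructed timestamp (April 2007), start of a 30 s window
    print("plain time code relayed for a different transfer accepted:",
          relay_plain_token(NOW))
    print("transaction-bound code relayed for a different transfer accepted:",
          relay_transaction_token(NOW))
```

The design point for a bank is the second check: whatever the customer approves on the token has to cover the transfer details the server will act on, otherwise the token only ever proves that somebody, somewhere, was holding it within the last half minute.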


Apple Security Update 2007-004

From Apple.com. Installed this and it works perfectly; it takes a couple of reboots on Intel Macs, though. I think it may have freaked Mail.app out a bit, as I can't seem to see the sender ID anymore, oh well. It may not be this update though, I may have changed some setting ;-)

This document describes Security Update 2007-004, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website. For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key." Where possible, CVE IDs are used to reference the vulnerabilities for further information. To learn about other Security Updates, see "Apple Security Updates."

Security Update 2007-004

* AFP Client
CVE-ID: CVE-2007-0729
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may obtain system privileges
Description: Under certain circumstances, AFP Client may execute commands without properly cleaning the environment. This may allow a local user to create files or execute commands with system privileges. This update addresses the issue by cleaning the environment prior to executing commands.

* AirPort
CVE-ID: CVE-2007-0725
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may be able to execute arbitrary code with elevated privileges
Description: A buffer overflow vulnerability exists in the AirPortDriver module which processes control commands for AirPort. By sending malformed control commands, a local user could trigger the overflow which may lead to arbitrary code execution with elevated privileges. This issue affects eMac, iBook, iMac, PowerBook G3, PowerBook G4, and Power Mac G4 systems equipped with an original AirPort card. This issue does not affect systems with the AirPort Extreme card. This update addresses the issue by performing proper bounds checking.

* CarbonCore
CVE-ID: CVE-2007-0732
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may be able to execute arbitrary code with elevated privileges
Description: The CoreServices daemon could allow a local user to obtain a send right to its Mach task port, which may lead to arbitrary code execution with elevated privileges. This update addresses the issue through improved checks in the CoreServices interprocess communication. This issue does not affect systems prior to Mac OS X v10.4.

* diskdev_cmds
CVE-ID: CVE-2007-0734
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Opening a maliciously-crafted UFS disk image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption vulnerability exists in fsck. It is possible to cause fsck to be run automatically on a disk image when it is opened. By enticing a user to open a maliciously-crafted disk image, or to run fsck on any maliciously-crafted UFS filesystem, an attacker could trigger the issue which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of UFS filesystems.

* fetchmail
CVE-ID: CVE-2006-5867
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: fetchmail may send passwords in plain text, even when configured to use TLS
Description: fetchmail is updated to version 6.3.6 to fix a vulnerability that could allow authentication credentials to be sent in plain text, despite being configured to use TLS. This issue is described on the fetchmail web site at http://fetchmail.berlios.de/fetchmail-SA-2006-02.txt

* ftpd
CVE-ID: CVE-2006-6652
Available for: Mac OS X v10.3.9, Mac OS X v10.4.9
Impact: FTP operations by authenticated FTP users may lead to arbitrary code execution
Description: lukemftpd has been updated to version tnftpd 20061217 to address a buffer overflow vulnerability in the handling of commands with globbing characters that could lead to arbitrary code execution. This issue does not affect Mac OS X Server v10.3.9 or Mac OS X Server v10.4.9. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.

* GNU Tar
CVE-ID: CVE-2006-0300
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Listing or extracting a maliciously-crafted tar archive may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow vulnerability exists in the handling of PAX extended headers in GNU tar archives. By enticing a local user to list or extract a maliciously-crafted tar archive, an attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This issue has been addressed by performing additional validation of tar files. This issue does not affect systems prior to Mac OS X 10.4.

* Help Viewer
CVE-ID: CVE-2007-0646
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Opening a help file with a maliciously-crafted name may lead to an unexpected application termination or arbitrary code execution
Description: A format string vulnerability exists in the Help Viewer application. By enticing a user to download and open a help file with a maliciously-crafted name, an attacker can trigger the vulnerability which may lead to an unexpected application termination or arbitrary code execution. This has been described on the Month of Apple Bugs web site (MOAB-30-01-2007). This update addresses the issue by eliminating any format string processing of file names.

* HID Family
CVE-ID: CVE-2007-0724
Available for: Mac OS X v10.4 through Mac OS X v10.4.9, Mac OS X Server v10.4 through Mac OS X Server v10.4.9
Impact: Console keyboard events are exposed to other users on the local system
Description: Insufficient controls in the IOKit HID interface allow any logged in user to capture console keystrokes, including passwords and other sensitive information. This update addresses the issue by limiting HID device events to processes belonging to the current console user. Credit to Andrew Garber of University of Victoria, Alex Harper, and Michael Evans for reporting this issue. This fix was originally distributed via the Mac OS X v10.4.9 update. However, due to a packaging issue it may not have been delivered to all systems. This update redistributes this fix in order to reach all affected systems.

* Installer
CVE-ID: CVE-2007-0465
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Opening an installer package with a maliciously-crafted name may lead to an unexpected application termination or arbitrary code execution
Description: A format string vulnerability exists in the Installer application. By enticing a user to download and install an installer package with a maliciously-crafted file name, an attacker can trigger the vulnerability which may lead to an unexpected application termination or arbitrary code execution. This issue has been described on the Month of Apple Bugs web site (MOAB-26-01-2007). This update addresses the issue by eliminating any format string processing of file names. This issue does not affect systems prior to Mac OS X v10.4.

* Kerberos
CVE-ID: CVE-2006-6143
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Running the Kerberos administration daemon may lead to an unexpected application termination or arbitrary code execution with system privileges
Description: An uninitialized function pointer vulnerability exists in the MIT Kerberos administration daemon (kadmind), which may lead to an unexpected application termination or arbitrary code execution with system privileges. Further information on the issue and the patch applied is available via the MIT Kerberos website at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-002-rpc.txt. This issue does not affect systems prior to Mac OS X v10.4. Credit to the MIT Kerberos Team and an anonymous researcher working with iDefense for reporting this issue.

* Kerberos
CVE-ID: CVE-2007-0957
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Running the Kerberos administration daemon or the KDC may lead to an unexpected application termination or arbitrary code execution with system privileges
Description: A stack buffer overflow vulnerability exists in the MIT Kerberos administration daemon (kadmind), as well as the KDC, which may lead to an unexpected application termination or arbitrary code execution with system privileges. Further information on the issue and the patch applied is available via the MIT Kerberos website at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt. Credit to the MIT Kerberos Team for reporting this issue.

* Kerberos
CVE-ID: CVE-2007-1216
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Running the Kerberos administration daemon may lead to an unexpected application termination or arbitrary code execution with system privileges
Description: A double-free vulnerability exists in the GSS-API library used by the MIT Kerberos administration daemon (kadmind), which may lead to an unexpected application termination or arbitrary code execution with system privileges. Further information on the issue and the patch applied is available via the MIT Kerberos website at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt. Credit to the MIT Kerberos Team for reporting this issue.

* Libinfo
CVE-ID: CVE-2007-0735
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Visiting malicious websites may lead to an unexpected application termination or arbitrary code execution
Description: In some cases, Libinfo does not correctly report errors to applications that use it. By enticing a user to visit a maliciously-crafted web page, an attacker can cause a previously deallocated object to be accessed, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing appropriate error reporting in Libinfo. Credit to Landon Fuller of Three Rings Design for reporting this issue.

* Libinfo
CVE-ID: CVE-2007-0736
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Remote attackers may be able to cause a denial of service or arbitrary code execution if the portmap service is enabled
Description: An integer overflow vulnerability exists in the RPC library. By sending maliciously-crafted requests to the portmap service, a remote attacker can trigger the overflow which may lead to a denial of service or arbitrary code execution as the 'daemon' user. This update addresses the issue by performing additional validation of portmap requests. Credit to the Mu Security Research Team for reporting this issue.

* Login Window
CVE-ID: CVE-2007-0737
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may obtain system privileges
Description: Login Window does not sufficiently check its environment variables. This could allow a local user to execute arbitrary code with system privileges. This update addresses the issue through improved validation of Login Window environment variables.

* Login Window
CVE-ID: CVE-2007-0738
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: The screen saver authentication dialog may be bypassed
Description: Under certain conditions, the user's preference to "require a password to wake the computer from sleep" is ignored, and a password is not required to wake from sleep. This update addresses the issue through improved handling of this preference.

* Login Window
CVE-ID: CVE-2007-0739
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: The loginwindow authentication dialog may be bypassed
Description: Under certain conditions, the software update window may appear beneath the Login Window. This could allow a person with physical access to the system to log in without authentication. This update addresses the issue by only running scheduled tasks after the user login. This issue does not affect systems prior to Mac OS X v10.4.

* network_cmds
CVE-ID: CVE-2007-0741
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Remote attackers may be able to cause a denial of service or arbitrary code execution if Internet Sharing is enabled
Description: A buffer overflow vulnerability exists in the handling of RTSP packets in natd. By sending malformed RTSP packets, a remote attacker may be able to trigger the overflow which may lead to arbitrary code execution. This issue only affects users who have Internet Sharing enabled. This update addresses the issue by performing additional validation of RTSP packets.

* SMB
CVE-ID: CVE-2007-0744
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may obtain system privileges
Description: Under certain circumstances, SMB may execute commands without properly cleaning the environment. This may allow a local user to create files or execute commands with system privileges. This update addresses the issue by cleaning the environment prior to executing commands.

* System Configuration
CVE-ID: CVE-2007-0022
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Local admin users may execute arbitrary code with system privileges without authentication
Description: Admin users have the ability to alter system preferences through the writeconfig utility. When the writeconfig utility launches the launchctl utility, it does not clean the environment inherited from the user. This could allow arbitrary code execution with system privileges without authentication. This issue has been described on the Month of Apple Bugs web site (MOAB-21-01-2007). This update addresses the issue by cleaning the environment before calling the launchctl utility.

* URLMount
CVE-ID: CVE-2007-0743
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may obtain other users' authentication credentials
Description: The username and password used to mount remote filesystems through connections to SMB servers are passed to the mount_smb command as command line arguments, which may expose them to other local users. This update addresses the issue by securely passing the authentication credentials to the mount_smb command. Credit to Daniel Ball of Pittsburgh Technical Institute, Geoff Franks of Hauptman Woodward Medical Research Institute, and Jamie Cox of Sophos Plc for reporting this issue.

* VideoConference
CVE-ID: CVE-2007-0746
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: Remote attackers may be able to cause an unexpected application termination or arbitrary code execution if iChat is running.
Description: A heap buffer overflow vulnerability exists in the VideoConference framework. By sending a maliciously-crafted SIP packet when initializing an audio/video conference, an attacker can trigger the overflow which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of SIP packets.

* WebDAV
CVE-ID: CVE-2007-0747
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9
Impact: A local user may obtain system privileges
Description: When mounting a WebDAV filesystem, the load_webdav program may be launched without properly cleaning the environment. This may allow a local user to create files or execute commands with system privileges. This update addresses the issue by cleaning the environment prior to executing commands.

* WebFoundation
CVE-ID: CVE-2007-0742
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact: Cookies set by subdomains may be accessible to the parent domain
Description: An implementation issue allows cookies set by subdomains to be accessible to the parent domain, which may lead to the disclosure of sensitive information. This update addresses the issue by performing additional validation of the domain to which a cookie is being sent. This issue does not affect systems running Mac OS X v10.4. Credit to Bradley Schwoerer of University of Wisconsin-Madison for reporting this issue.
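Two patterns recur through this update: five items (AFP Client, Login Window, SMB, System Configuration's writeconfig/launchctl, WebDAV) are fixed by "cleaning the environment" before a privileged helper runs a command, and URLMount is fixed by no longer handing the username and password to mount_smb on its command line, where any local user can read them from a process listing. The example below, which is an added illustration and not Apple's code (the allowlist, the trusted PATH and the probe children are assumptions chosen so it runs anywhere with Python), shows both fixes as a caller would implement them: an allowlisted environment for the child, and a secret delivered over stdin rather than argv.

```python
"""Two defensive patterns behind several fixes in Security Update 2007-004:
spawn privileged helpers with a cleaned, allowlisted environment, and hand
secrets to a child over a pipe instead of on its command line.
Added example; the names and values below are illustrative assumptions."""
import subprocess
import sys

# Only variables the helper genuinely needs survive; everything else from the
# caller (dynamic-loader hooks, custom search paths, locale tricks) is dropped.
ENV_ALLOWLIST = ("LANG", "TZ")
TRUSTED_PATH = "/usr/bin:/bin:/usr/sbin:/sbin"


def build_clean_env(inherited: dict) -> dict:
    """Allowlist-based environment for a child that runs with privileges.
    The caller's PATH is never trusted, even if it is on the allowlist."""
    env = {k: v for k, v in inherited.items() if k in ENV_ALLOWLIST}
    env["PATH"] = TRUSTED_PATH
    return env


def child_env_keys(inherited: dict) -> list:
    """Run a child with the cleaned environment and return the variable names
    it actually sees. The child is a tiny Python one-liner so the demo needs
    no setuid binary; a real helper would be the privileged tool itself."""
    probe = "import os, sys; sys.stdout.write(','.join(sorted(os.environ)))"
    proc = subprocess.run([sys.executable, "-c", probe], env=build_clean_env(inherited),
                          capture_output=True, text=True, check=True)
    return proc.stdout.split(",") if proc.stdout else []


def run_with_secret_on_stdin(secret: str) -> tuple:
    """Spawn a helper that reads its credential from stdin rather than argv.
    Returns the argv used (what a process listing would show) and the number
    of characters the child read, so the caller can confirm the secret never
    appeared on the command line."""
    helper = "import sys; pw = sys.stdin.read(); sys.stdout.write(str(len(pw)))"
    argv = [sys.executable, "-c", helper]
    proc = subprocess.run(argv, input=secret, env=build_clean_env({}),
                          capture_output=True, text=True, check=True)
    return argv, int(proc.stdout)


if __name__ == "__main__":
    # Constructed caller environment containing a variable a privileged child
    # must not inherit.
    caller_env = {"PATH": "/tmp/untrusted:/usr/bin", "LANG": "en_GB.UTF-8",
                  "DEMO_UNTRUSTED_HOOK": "/tmp/constructed.dylib"}
    print("child saw only:", child_env_keys(caller_env))
    argv, n = run_with_secret_on_stdin("constructed-password")
    print("argv:", argv)
    print("child read", n, "characters from stdin; none of them are in argv")
```

The allowlist is deliberately short: the safe default for a privileged helper is to start from nothing and add back only what the child demonstrably needs, rather than to start from the caller's environment and try to enumerate every dangerous variable.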


Van Eck Method For Laptops and Flat Panels -- Walls Mean Nothing now

Okay, now the Van Eck method for seeing through walls has been around for a while now, for CRTs at least, but now this is kinda scary.... Via Newscientist.com:

Have you considered that someone could be reading what's on your monitor from a few rooms away? It's unlikely, but possible, as work by Cambridge University computer security researcher Markus Kuhn shows. A radio antenna and radio receiver - equipment totalling less than £1000 - is all you need. Kuhn managed to grab the image to the left through two intermediate offices and three plasterboard walls.

Back in 1985, Wim Van Eck proved it was possible to tune into the radio emissions produced by electromagnetic coils in a CRT display and then reconstruct the image. The practice became known as Van Eck Phreaking, and NATO spent a fortune making its systems invulnerable to it. It was a major part of Neal Stephenson's novel Cryptonomicon.

CRTs are now well on the way to being history. But Kuhn has shown that eavesdropping is possible on flat panel displays too. It works slightly differently. With a flat panel display the aim is to tune into the radio emissions produced by the cables sending a signal to the monitor. The on-screen image is fed through the cable one pixel at a time. Because they come through in order you just have to stack them up. And Kuhn has worked out how to decode the colour of each pixel from its particular wave form.

If everything is just right, you can pick up signals from some distance. "I was able to eavesdrop certain laptops through three walls," says Kuhn. "At the CEBIT conference, in 2006, I was able to see the Powerpoint presentation from a stand 25 metres away." Here's the image he managed to get:

Kuhn also mentioned that one laptop was vulnerable because it had metal hinges that carried the signal of the display cable. I asked if you could alter a device to make it easier to spy on. "There are a lot of innocuous modifications you can make to maximise the chance of getting a good signal," he told me. For example, adding small pieces of wire or cable to a display could make a big difference. As for defending against this kind of attack, Kuhn says using well-shielded cables, certain combinations of colours and making everything a little fuzzy all work.


Okay, now this is just bad...

Via Out-Law.com:

The private details of 100,000 internet users have been stolen from broadband provider Bulldog. The security breach happened when the company was owned by Cable & Wireless. The data was stolen from Cable & Wireless in December 2005 by a third party which the company believes it can identify. Bulldog's customer base has since been sold to broadband provider Pipex, but C&W is investigating the breach.

James Brown, managing director of Bulldog Internet, told the Guardian newspaper: "Our understanding is that, following an external enquiry by Cable & Wireless, it has become apparent that at some point in December 2005 Cable & Wireless had some of their customer contact details illegally obtained by a third party. This resulted in a small number of their customers receiving unsolicited calls."

C&W said that it was preparing legal action against a third party which it said could be the source of the leak. It is not yet clear exactly what customer data was taken. Several customers have reported receiving telephone calls that alerted them to the security breach. It is not known whether or not credit card or bank details were among those taken. C&W said that there was no evidence that that was the case.

Large scale data thefts are becoming increasingly common as identity theft becomes a more lucrative crime. With individuals carrying out more and more of their economic activity online, impersonating those people can bring ever greater rewards. The US has been the location of the most serious data breaches. One recent US breach had implications for UK citizens, though. The owners of High Street discount clothes chain TK Maxx suffered one of the biggest ever breaches when the credit card details of 45 million customers were stolen by a hacker. In a regulatory filing last month the shop's parent company, TJX Companies, said that data had been stolen in the UK.

"We believe that information was stolen in the computer intrusion from … a portion of our computer systems in Watford, U.K. that processes and stores information related to payment card transactions at T.K. Maxx in the United Kingdom and Ireland," said the filing.

-----------------------------------------------------

Glad I never signed up to Bulldog ;-)

04 April 2007

Going To Be A SANS Stay Sharp Instructor!

After passing my GCIH exams with 96% for both of them, I got a mail from Stephen Northcutt at SANS inviting me to be a SANS Stay Sharp and SANS Mentor Instructor. This happened when I passed my GSEC exams as well, but that kinda fell by the wayside for various reasons. This time, however, I am going to go for it. For those of you that don't know what the SANS Stay Sharp programs are, they are basically short courses that range from about 3 hours to 3 days depending on the course. You can get more info from the SANS Stay Sharp site here. So around the 20th of this month I am going to sign up for the "Defeating Rogue Access Points" course, and so long as I pass that one with a score of over 85%, I'll then be qualified to teach it. So you can expect some spam coming from me once I get through the exams about various training sessions that I'll be setting up in the Reading area, and maybe even London; we'll see how the demand goes. I'm planning on getting trained up on as many of the Stay Sharp courses as possible, as it would be great to be able to offer some SANS courses in the UK. I know that SANS awareness is growing gradually in the UK, but it's just not as quickly as I'd like it to. So I'm going to do my best to make it grow a lot quicker. Later all, and apply that darn ANI patch.

Widgets listed on Apple's Dashboard Downloads

I'm actually quite shocked on this one, not so much about the SANS widget, but the fact that Apple actually put up the Milw0rm exploit feed widget is amazing! Here are the links to both of them, so please grab them from there and save my bandwidth.

http://www.apple.com/downloads/dashboard/networking_security/sansinternetstormcenterwidget.html
http://www.apple.com/downloads/dashboard/networking_security/milw0rmexploitfeed.html

02 April 2007

Month Of MySpace Bugs is a Go

Well, it seems that the Month Of MySpace Bugs is going ahead, and with a European mirror configured as well, just in case of a U.S.-based shutdown. Great thinking guys! Here's the link to the site. http://momby.livejournal.com/

And the first advisory:

Advisory MOMBY-00000001: MySpace Official URL Spoofing
Press Embargo until April 1, 2007

Rankings:
Noobs: *****
LOLs: **
0wnz: *

Myspace allows registered users to create arbitrary pathnames under the http://www.myspace.com/ domain. This can be used in the furtherance of a confidence scheme.

Example: http://www.myspace.com/PasswordReset

Details: Upon creating a new account, users are presented with an option to pick a MySpace Name/URL, as shown on this screenshot. Combined with the allowed CSS editing that allows users to essentially create custom layouts which may appear exactly as the targeted (or invented) MySpace service (such as a password resetting web application), and the "remember my password" functionality of some browsers which respect only domain names + form input names, this technique can help create a very convincing illusion of MySpace officialdom. As an example, the personal profile for "Mondo Armando" is now registered as the above example URL, which can now be used to trick victims into setting a password to a value known by, well, me. The downside (from the attacker's perspective) is that there are technically finite variations. However, a URL such as "http://www.myspace.com/PasswordActivate" and "PASSW0RDRESET" may work just as well, so it'll be a while before all the "good" target URLs are taken.

Credit: Originally noticed by mybeNi websecurity at http://mybeni.rootzilla.de/mybeNi
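The advisory's own closing remark, that "PasswordActivate" or "PASSW0RDRESET" would do as well as "PasswordReset", is the useful part for anyone running a site that lets users choose a path under a trusted domain: a plain blocklist of exact names is beaten by the next variant. The check below is an added example, not MySpace's code or policy; the reserved terms, the look-alike character map and the length limits are assumptions. It normalises a requested name (case-fold, map digit-for-letter substitutions, drop separators) before looking for official-sounding terms as substrings, so the variants the advisory lists fall to the same rule.

```python
"""Reserved-name check for user-chosen vanity paths under a trusted domain.
Added defensive example; the reserved list and normalisation rules are
illustrative assumptions, not any site's actual policy."""
import re

# Terms that make a path look like an official service. Matched as substrings
# after normalisation, so "PasswordActivate" is caught as well as "PasswordReset".
RESERVED_TERMS = ("password", "reset", "login", "signin", "account", "security",
                  "support", "admin", "official", "verify", "myspace")

# Digit/symbol look-alikes commonly substituted to dodge a plain string match.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                             "7": "t", "8": "b", "@": "a", "$": "s"})


def normalise(slug: str) -> str:
    """Case-fold, map look-alike characters, and drop separators so that
    'PASSW0RD-Re5et' and 'passwordreset' compare equal."""
    folded = slug.casefold().translate(CONFUSABLES)
    return re.sub(r"[^a-z0-9]", "", folded)


def reserved_term_in(slug: str):
    """Return the first reserved term found in the normalised slug, or None
    (handy for telling the user why a name was refused)."""
    norm = normalise(slug)
    for term in RESERVED_TERMS:
        if term in norm:
            return term
    return None


def is_slug_allowed(slug: str) -> bool:
    """Policy decision: ordinary profile names pass, official-sounding ones do not."""
    if not 3 <= len(slug) <= 40:
        return False
    return reserved_term_in(slug) is None


if __name__ == "__main__":
    # Constructed requests: the advisory's examples plus an ordinary profile name.
    for requested in ("PasswordReset", "PASSW0RDRESET", "PasswordActivate", "MondoArmando"):
        verdict = "allowed" if is_slug_allowed(requested) else f"refused ({reserved_term_in(requested)})"
        print(f"{requested:20} -> {verdict}")
```

Substring matching on a short reserved list is deliberately blunt: it will refuse some harmless names containing "admin" or "reset", which is the right trade-off for a path that renders under the site's own domain, since the cost of a false refusal is one more attempt by the user and the cost of a miss is a convincing phishing page.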