31 March 2007
Milw0rm and SANS Internet Storm Center Widgets
Just finished these two off as well. I've submitted them to Apple too, so I'm really hoping that they get approved and listed.
I'm hoping that I'll know tomorrow, as it seemed to take a day for the Reg one to get listed. I'll post links on here if they do, though.
Here's the info on them and the links to my site at this point:
Milw0rm Widget
This widget gets its feed from Milw0rm.com, and lists the last 30 exploits that have been added.
SANS Internet Storm Center Widget
This widget updates your Dashboard with the feed from the SANS Internet Storm Center. It displays the last 30 entries published.
They can be downloaded from my site here.
First Dashboard Widget!
I just finished making my first Dashboard widget for OS X, so I'm pretty chuffed that it turned out okay.
I just submitted it to Apple, so hopefully it gets put up on their widgets section. The widget that I created grabs the daily news feed from The Register; it's something that I've been looking for and never managed to find. Okay, so I didn't look too hard for one, but hey. I'm hoping to get a couple more done this weekend with more of a security/exploit focus to them. I'll be updating my blog as I get them done, though I don't want to give out too many details, as I really don't want someone else beating me to it.
You can grab the Reg widget from my downloads page here.
UPDATE: It's officially listed on Apple's widget site now. http://www.apple.com/downloads/dashboard/news/theregisterwidget.html
Technorati Tags: Apple, Dashboard Widgets
23 March 2007
Local Privilege Escalation Vulnerability found in X-Kryptor
From the UNIRAS website:
ID: 0107
Ref: 0107
Date: 01 February 2007 09:00:00
Title: Local User Privilege Escalation Vulnerability in X-Kryptor Secure Client
Abstract: X-Kryptor is a range of multi-role, dynamic-VPN products. The X-Kryptor Secure Client is a software-based VPN client that is used to connect home-base or mobile workers to a secure Local Area Network (LAN). A vulnerability has been discovered by NCC Group plc that, if exploited, could potentially allow a malicious person to take full control of the local system and to execute arbitrary code. Barron McCann is aware of this issue and has produced patches to address it. Please see 'Solution' for further details.
Vendors affected: Barron McCann
Operating Systems affected: Windows
Applications affected: X-Kryptor Driver BMS1446HRR, Xgntr Version BMS1351, Install Release BMS1472
Document link: Local User Privilege Escalation Vulnerability in X-Kryptor Secure Client
CPNI Vulnerability Advisory 0107-XKryptor-February 2007
Local User Privilege Escalation Vulnerability in X-Kryptor Secure Client
Version Information
-------------------
Advisory Reference VAN 0107-XKryptor
Release Date 1 February 2007
Last Revision 25 January 2007
Version Number 1.0
Acknowledgement
---------------
This issue was reported by NCC Group plc (http://www.nccgroup.com).
What is affected?
-----------------
The vulnerability was verified against the following product version running on Microsoft Windows:
- X-Kryptor Driver BMS1446HRR
- Xgntr Version BMS1351
- Install Release BMS1472
Other versions may also be affected.
Impact
------
If exploited, this vulnerability can potentially allow a malicious user to take control of the local system.
Severity
--------
Medium
Summary
-------
X-Kryptor is a range of multi-role, dynamic-VPN products. The X-Kryptor Secure Client is a software-based VPN client that is used to connect home-base or mobile workers to a secure Local Area Network (LAN).
A vulnerability has been discovered by NCC Group plc that, if exploited, could potentially allow a malicious person to take full control of the local system and to execute arbitrary code.
Barron McCann is aware of this issue and has produced patches to address it. Please see
'Solution' for further details.
Details
-------
CVE ID: CVE-2007-0436
Under certain circumstances it is possible for users, when using the X-Kryptor Secure Client
on Microsoft Windows, to escalate privileges on the machine to the local SYSTEM account.
Solution
--------
Barron McCann has produced a fix for this issue; please contact them for further details.
Vendor Information
------------------
Based in Letchworth, Hertfordshire, Barron McCann Technology is a leading supplier of high
assurance security products including the X-Kryptor, a range of VPN products that secure
sensitive government communications across the United Kingdom and Europe.
For further details regarding Barron McCann, please visit http://www.bemac.com/.
Credits
-------
The CPNI Vulnerability Management Team would like to thank NCC Group plc for reporting these issues. Please visit http://www.nccgroup.com for further details about NCC Group plc.
The CPNI Vulnerability Management Team would also like to thank Barron McCann for their
co-operation and assistance in the handling of this vulnerability.
Contact Information
-------------------
The CPNI Vulnerability Management Team can be contacted as follows:
Email vulteam@cpni.gov.uk
Please quote the advisory reference in the subject line
Telephone +44 (0)870 487 0748 Ext 4511
Monday - Friday 08:30 - 17:00
Fax +44 (0)870 487 0749
Post Vulnerability Management Team
CPNI
PO Box 60628
London
SW1P 1HA
We encourage those who wish to communicate via email to make use of our PGP key. This is
available from http://www.cpni.gov.uk/key.aspx.
Please note that UK government protectively marked material should not be sent to the email
address above.
If you wish to be added to our email distribution list please email your request to
info-sec@cpni.gov.uk.
What is CPNI?
--------------
For further information regarding the Centre for the Protection of National Infrastructure, please visit http://www.cpni.gov.uk.
Reference to any specific commercial product, process, or service by trade name, trademark,
manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or
favouring by CPNI. The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.
Neither shall CPNI accept responsibility for any errors or omissions contained within
this advisory. In particular, they shall not be liable for any loss or damage whatsoever,
arising from or in connection with the usage of information contained within this notice.
© 2007 Crown Copyright
<End of CPNI Vulnerability Advisory>
Technorati Tags: Vulnerabilities, Security
3 Held For Questioning Over 7th Of July Bombing In London
Via BBC's website:
Anti-terrorism police are to begin questioning three men arrested over the 7 July suicide bombings in London.
Two suspects, aged 23 and 30, were detained at Manchester Airport as they prepared to fly to Pakistan while a third, 26, was detained in Leeds.
The arrests, which are the first major ones since the attacks, followed a lengthy police operation.
Fifty-two people died in 2005 after four bombers detonated devices on three London Underground trains and a bus.
Police have been searching five houses in the Beeston area of Leeds, and two premises in east London. The three men will be interviewed at Paddington Green police station in the capital.
Under new anti-terror laws, police can hold them for a maximum of 28 days.
'Low-key' approach of police
The men were held on suspicion of the commission, preparation, or instigation of acts of terrorism.
Mohammad Sidique Khan, 30, Shehzad Tanweer, 22, and Germaine Lindsay, 19, detonated bombs on three Tube trains and Hasib Hussain, 18, attacked a bus.
Home Secretary John Reid said: "I think the best thing here is not to get ahead of ourselves, not to get into speculation or heighten all of this.
"It is a normal part of a very serious and continually ongoing operation and the police will keep everybody informed as is appropriate."
The arrests at Manchester Airport were made shortly before 1300 GMT on Friday, while the other in Leeds was made just after 1600 GMT.
The addresses of the Leeds searches are in Cardinal Road, Colwyn Road, Firth Mount, Tempest Road, and Rowland Place.
Tanweer and Hussain had both been living in Beeston when the attacks were carried out and Khan grew up in Beeston. Tanweer lived in Colwyn Road with his parents.
The east London searches involve a flat, understood to be in Bromley-by-Bow, and a business, understood to be in Whitechapel.
Scotland Yard said the arrests were part of a pre-planned, intelligence-led operation and also involved the West Yorkshire Police Counter Terrorism Unit.
Ch Supt Mark Milsom, of West Yorkshire Police, said it had not been a high profile operation and unarmed officers were carrying out the searches.
He said the searches may take "some time" but they were not expecting to find firearms or bomb-making equipment.
A Scotland Yard spokesman said: "We need to know who else, apart from the bombers, knew what they were planning. Did anyone encourage them? Did anyone help them with money, or accommodation?"
BBC correspondent Danny Shaw said that, before Thursday's arrests, the police investigation into the 7 July bombings had been "going on with very little publicity".
The investigation had included a search of a landfill site - "the size of 18 Olympic swimming pools" - at Skelton Grange in Leeds, he said.
Police had "quietly but assiduously" gone through the entire site looking for evidence, our correspondent added.
Web Application Auditing Over Lunch
Johannes Ullrich over at the SANS Institute has a really good quick howto on web application security. It's a worthwhile read for anyone new to web application security, and it provides a good high-level walkthrough of some of the steps that you should take when auditing web applications.
Take a look: Web Application Auditing Over Lunch
For a more in-depth view of web application security audits, have a look at the OWASP Testing Guide. It's a long document, but it covers everything that you're going to need to check.
Mourn - Non-Stop Violence from the album "7" by Apoptygma Berzerk
Technorati Tags: Web Application, Security
BackTrack 2.0 and Parallels
I know that BackTrack 2.0 was released about a week ago now, but I'm only getting around to writing about it now as I only got my MacBook Pro a couple of days ago, and I didn't have a chance to download it or try it out. For those of you who are unfamiliar with BackTrack, it is probably the ultimate penetration tester's bootable Linux distro. BackTrack is what came out of a merger between two of the most famous security-related bootable Linux distros, namely Whax and the Auditor Security Collection.
From a pen-tester's point of view, it really does have everything that you could want in a live Linux distro, and more.
Here are some of the new features in version 2.0:
* Updated kernel - running 2.6.20, with several patches.
* Broadcom-based wireless card support
* Most wireless drivers are built to support raw packet injection
* Metasploit2 and Metasploit3 framework integration
* Alignment to open standards and frameworks like ISSAF and OSSTMM
* Redesigned menu structure to assist the novice as well as the pro
* Japanese input support - reading and writing in Hiragana / Katakana / Kanji.
You can download it from http://www.remote-exploit.org/backtrack.html
Now I also mentioned Parallels in the subject of this one, which is something that I have been dying to play with since before I got my MacBook Pro, and well, all I can say is that I am shocked at the speed of it. I installed BackTrack 2.0 on a virtual disk within Parallels, allocated 256MB of RAM to it, and to say that it's damn quick would be an understatement. This blows away my dedicated Linux PC at work!
Maybe later on today I'll install XP within Parallels and see how that goes, but at this point, I am really impressed. I now have the perfect setup: OS X as my main OS, and then BackTrack for anything that I can't run within OS X. From a penetration testing point of view, this really is perfect. I'm kinda regretting ordering an Alienware laptop for work now, but hey, I kinda need it to run Core Impact and WebInspect, so I'm sure it'll be worthwhile, when I get it of course. Alienware's build time seems to take forever!
Anyway, if anyone reading this hasn't tried BackTrack 2.0 or Parallels yet, do yourself a favour and go and try it out.
Love Never Dies [part 1] from the album "7" by Apoptygma Berzerk
22 March 2007
MacBook Pro 17" Core 2 Duo 2.33 GHz
Well, it finally arrived yesterday, and since I got it I've been installing all the tools and programs that I need and want onto it.
In regard to my aging G4 PowerBook 1.33 GHz, this little baby flies!
Everything that I have done on it so far has been so much quicker; it's pretty scary to be honest, and it also makes me realize that even though I had my doubts about Apple's whole switch to Intel chips, it was definitely worthwhile.
I must say though that now that I have a 17" screen I don't think that I could ever go back to a 15" again, also if anyone's curious the glossy display is so much better than the matte displays that I've seen. Everything is really clear and crisp.
I read a lot of reviews about the glossy screen and they have all been really bad, and then I saw one at work, and decided that glossy was the way to go almost instantaneously. I must say that I was still a bit concerned about the glare and reflection that kept getting mentioned in the various forums that I read, but well, I've had no problems with it all.
The one thing that really amazed me is the speed at which Fink compiles things on the MacBook Pro, it really is quick, to say the least. Also I had to pull down the SVN version of KisMac as the current stable build doesn't support the new Airport Extreme cards in the MacBook Pro's, but the SVN version works perfectly!
I'll post more updates as and when I have them, take it easy all.
Brain Bypass from the album "What The Fuck Is Wrong With You People?" by Combichrist
Technorati Tags: Apple
21 March 2007
Yet another reason that I really like Frank Zappa
This has got to be one of his best interview clips ever, I'd hate to be the interviewer in this one ;-)
http://www.youtube.com/watch?v=RFjZOeL10MA&NR
20 March 2007
Flu and the SCNA exam != Pass
Well, my body has decided recently that having a dose of flu would be a great thing to do to me, just to make the SCNA exam more of a challenge, and well, I didn't make it. You need 62% to pass the exam and I got a grand total of 49%. I know the stuff, but while I was sitting there all I could think about was going home and crawling into bed. I guess I'll give it a couple of weeks or so and then try again; now that it's beaten me, I really want to get this one under my belt.
Also to add insult to injury, while I was out failing the exam, the UPS man dropped by to deliver my MacBook Pro, typical! I gave them a call though and they will re-deliver it tomorrow, so at least now I know that I'll be getting it tomorrow.
Now I feel a nap coming on, and then some quality time spent in front of the TV, maybe watching cartoons for the rest of the day.
17 March 2007
GCIH Certified - 96% on 2nd Exam As Well
So, I couldn't do it, I just couldn't leave the two remaining GCIH books alone and get on with the SCNA studying that I've gotta do before Tuesday. Oh well, right now though I am damn excited to have passed both the GCIH exams!
I must say though that I found the second exam a hell of a lot tougher than the first one, but also a hell of a lot more interesting. Well, both the books for the second exam were actually a lot more interesting than the three for the first exam, all in all though, SANS courseware has once again exceeded my expectations.
Well, tomorrow and Monday I'm going to be getting into serious study mode for the SCNA exam, and then hopefully on Tuesday I'll pass that one as well. I won't ever be doing 3 exams in the space of 5 days again though, I didn't realise how insane it was actually going to be.
Now to decide if I'm going to go for the gold certification on GCIH or not, hmmmmm...
15 March 2007
Studying For The SCNA exam *bleh*
OK, so I'm sitting here studying for the Sun Certified Network Administrator (SCNA) for Solaris 10 exam, and well, to be honest it's boring as hell, and I'm forcing myself to study for it. I've been working with Solaris for over 10 years, and this covers things like the TCP/IP model, Subnetting, DHCP, DNS, NTP, and well, I know these things, damnit! I used to be a SysAdmin in a previous life, so I was expected to know these things, and now I'm worried about passing the exam on Tuesday, as I can't remember the last time I actually configured a DHCP server!
Yeah, I've hacked a DHCP/NTP/DNS server, I know how the damn TCP/IP model works, but for some reason I'm still stressed about this exam.
It really doesn't help either that I have the last two books of courseware for the GIAC Certified Incident Handler (GCIH) sitting on my desk, and all I want to do is pick them up, read them, and do the exam. I'm hoping to do that one next Friday, but then my MacBook Pro is supposed to be getting here next Weds, so we'll have to see how that goes.
Oh well, enough of my ranting for now, better get back to some studying. Bleh!
I'll leave you with a funny one though:
Solaris 10/11 Telnetd vulnerability
telnet -l -froot
bwahahahahah!!!!!!!
GCIH Exam 1 = Pass 96%
Well, I sat this one this morning and passed it with quite a decent score, so I'm quite happy to say the least.
I'm just hoping that I can get the same score or better for the next one, which I'm hoping to sit next Friday, so we see how it goes.
Now to carry on studying for the Solaris 10 SCNA exam which I'm sitting on Tuesday.
Still no MacBook Pro, but I got an update from Apple saying that it should be delivered next Weds.
12 March 2007
GCIH, SCNA and going dark for a while
Well, things have been rather interesting lately to say the least, I'll be sitting the SCNA exam next Tuesday, so I am going to be spending most of this week and next Monday studying for that one. At present though I'm studying for the first GCIH exam, which if all goes as well as I'm hoping I'll be sitting tomorrow night, so wish me luck.
I've also recently invested in a nice shiny new 17" MacBook Pro, and yesterday the auction for my PowerBook finished, so I spent last night formatting it and packaging it up. I sent it off to its new home this morning. The only catch is that Apple told me that I will probably only be getting my new MacBook Pro around the 24th-26th of this month, so that's going to leave me without a laptop for a couple of weeks. It's going to be damn weird, but I'm so excited about getting my new MBP!
If any of the ISW guys are reading this post, please don't send me any encrypted mails, as I won't be able to read them until I get my new MBP, as I'll be using webmail to check my mail until then.
Well, take it easy all.
23 February 2007
Solaris 10 Network Admin Course
Well, this week was pretty interesting to say the least, I was on the Solaris 10 network admin course at Sun's UK headquarters, and I've gotta say that this has been the best course that I've been on at Sun so far.
You can find more details about the course here http://uk.sun.com/training/catalog/courses/SA-300-S10.xml.
The first two days of the course were pure networking, which was great, although I seriously detest working out subnets. There were also sections that I knew, and feel very confident about for the exam, namely Bind, DHCPd and XNTPd, the sections on IPv6 and IPFilter were really worthwhile though. The great part about the course though was for a change the instructor seriously had security in mind, even to the point of showing the class how to exploit the Solaris telnetd vulnerability. Okay, so it's not the most complex exploit, but it was still mind blowing to be shown that on a course at Sun. :-) Okay so the lecturer was contracted to teach the course and not a Sun employee, but it was still great. There were also constant references to security throughout the course, which makes a great change from the other courses that I've been on at Sun in the past.
Before I went on the course I was planning on sitting the SCNA exam next Friday. To be honest though, after spending a week on the course, I think that a couple of weeks will be a better bet, I really want to make sure that I get through the exam first time.
I'll let you know how the exam goes when I go and sit it, I'm hoping to book it sometime this weekend.
Well, till next time, and remember:
telnet -l -froot Solaris10host
ciao
If You Want Peace... Prepare For War from the album "Are You Dead Yet?" by Children Of Bodom
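The `telnet -l -froot` one-liner above works because the daemon hands the client-supplied login name to the login program's argument list, where a value that begins with `-f` is read as login's own pre-authentication flag. The Python sketch below is an added example, not code from this post or from Solaris: it models that argv construction and its option parsing offline with the standard `getopt` module, using an assumed login path and an assumed option string, and shows the name validation a daemon should apply before an untrusted value reaches a privileged helper's argument vector.

```python
"""Model of the telnetd -> login argument-injection defect, entirely offline.

Nothing privileged is executed: the helper's option grammar is simulated with
getopt so the effect of an attacker-chosen login name can be inspected safely.
"""
import getopt
import re

# Assumed values for illustration only; the real login binary is never run here.
LOGIN_PATH = "/bin/login"
LOGIN_OPTSTRING = "ph:f:"   # assumed subset: -p, -h <host>, -f <user> (pre-authenticated)


def build_login_argv_vulnerable(host, user):
    """The flawed pattern: the client-controlled login name is appended as a
    positional argument with no check, so a name such as '-froot' lands in
    the option parser of the helper instead of being treated as a name."""
    return [LOGIN_PATH, "-p", "-h", host, user]


# Conservative login-name grammar: must start with a letter, never with '-'.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def build_login_argv_hardened(host, user):
    """Same argv, but the untrusted name is validated first. Rejecting anything
    that does not match the grammar removes the leading '-' injection class."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError(f"rejected login name {user!r}")
    return [LOGIN_PATH, "-p", "-h", host, user]


def parse_as_login_would(argv):
    """Simulate a getopt-style parser inside the helper.
    Returns (options as a dict, remaining positional arguments)."""
    opts, positional = getopt.getopt(argv[1:], LOGIN_OPTSTRING)
    return dict(opts), positional


def preauth_user(argv):
    """The user the helper would treat as already authenticated (-f), or None."""
    opts, _ = parse_as_login_would(argv)
    return opts.get("-f")


def is_option_injection(user):
    """Detection helper for a connection log or audit hook: a client-supplied
    login name that starts with '-' is an injection attempt, not a user."""
    return user.startswith("-")


if __name__ == "__main__":
    # Constructed sample: one honest name and one injected value.
    for name in ("alice", "-froot"):
        argv = build_login_argv_vulnerable("client.example", name)
        print(name, "->", argv, "pre-auth user:", preauth_user(argv))
        try:
            print("hardened:", build_login_argv_hardened("client.example", name))
        except ValueError as exc:
            print("hardened:", exc)
```

The demonstration rests on the parser alone: with the vulnerable builder the injected name never appears as a positional argument, it is consumed as `-f root`, while the hardened builder refuses it before any argv exists. The same validation rule applies to any daemon that forwards client input into an argument vector, not only telnetd.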
31 January 2007
Interview with Fyodor
I caught up with Fyodor yesterday in regard to the recent goings on with godaddy.com and his seclists.org domain, the full interview can be found on the Securiteam site here:
http://blogs.securiteam.com/index.php/archives/806
19 January 2007
SCSA Certified Now!
Passed the second exam today, and well, aside from the fact that halfway through the exam I thought of walking out, as I thought I'd failed, I actually passed it with a better score than the previous one!
So, that's another 4 letters behind my name now, so long as it keeps me up to date, and if it helps to get me a decent increase all the better.
Oh well, time to be off now, gotta carry on celebrating!
At least this means that I don't have to spend any more nights studying for a while, and now I can spend more time with my guitar.
Woman from the album "Bloody Kisses" by Type O Negative
21 December 2006
Microsoft Windows XP/2003/Vista memory corruption 0day
3APA3A just posted the following e-mail to the FD list, so if anyone is looking for details on the Vista 0-day mentioned earlier. Here's the mail that was sent:
Dear full-disclosure@lists.grok.org.uk,
Since it's already wide spread on the public forums and exploit is
published on multiple sites and there is no way to stop it, I think
it's time to alert lists about this.
On one of the Russian forums:
http://www.kuban.ru/forum_new/forum2/files/19124.html
message was published by NULL about vulnerability in Windows on
processing MessageBox() with MB_SERVICE_NOTIFICATION flag and
message/caption beginning with \??\. Vulnerability seems to be memory
corruption in kernel and causes system crash or hang after a few
attempts. It seems to happen because message is logged to event log
and may point to some problem with event logs processing.
Vulnerability details and code may be found here:
http://www.security.nnov.ru/Gnews944.html
There is potential remote exploitation vector if some service uses
user-supplied input for MessageBox() function. Messenger service is
not vulnerable in this way, because it prepends user-supplied input
with additional string.
I contacted Microsoft on this issue on December, 16.
Month Of Apple Bugs, Beginning January 1st 2007
As you all know I am a huge fan of Apple's OS X operating system, but I am also heavily involved in information security as well. I personally think that something like this is one of the best things that can happen to Apple's operating system, I also think that the timing is perfect as well, as this will put some strain on Apple to get these fixed in a timely manner.
On the 9th of January Steve Jobs will be giving his keynote at Macworld, so I am guessing this means that most of Apple's techies will be working to find any bugs in any of the new kit that will obviously be getting announced.
Having the Month Of Apple Bugs at this time will hopefully show us all just how seriously Apple takes the security of its operating system.
The really great thing with this is though that any bugs found by LMH and KF will hopefully help to make OS X even more secure once they have been patched, and if Apple plays this hand right, it could also show MS how things are supposed to be done in the security world.
I don't know whether this second part will happen, but it's a nice thought at least. I guess we'll just have to wait and see what happens.
Either way, I think that January is going to be a damn good month!
Does Microsoft really take security seriously?
I've been wondering about the above question for a while now, and I really can't wait to sit face to face with an MS security person next month and ask them that exact question. It seems of late all of their effort has been going into releasing Vista, and well, even that isn't exactly secure, is it? There are already a couple of 0-days floating around the net for Vista. Now I'm sure that no company in their right mind would have rolled Vista out into their production networks yet (well, aside from MS anyway), but this is still a major threat.
The folks over at SANS have updated the list of MS vulnerabilities that have still not been patched, and these are known to be getting exploited. The oldest one of these goes back to the 19th July this year; that's over 6 months old! This really makes me wonder what the hell they are playing at. MS has a lot more money than any security researchers/hackers do, and if the vulnerabilities can be found, they can be patched. So I would really like to know why these are taking so damn long. In total SANS have 9 vulnerabilities listed; I seem to think that there may be a couple more on top of that as well!
The list of vulnerabilities can be found here.
So what are everyone else's views on this situation?