
JBoss attack proves Microsoft’s Zero-Day findings

A worm targeting unpatched or improperly configured JBoss installations adds some proof to Microsoft’s research findings released earlier this month, which point to the fact that unknown vulnerabilities aren’t as big a threat as they are made out to be.

According to Red Hat, a worm targeting problems addressed over a year ago is spreading online; the flaws it abuses allow an attacker to run arbitrary code on compromised systems. The worm was broken down by a freelance security researcher, who happened to come across it when his honeypot server was attacked.

“I explored the contents of the malicious payload left, and it contained Perl Scripts to automatically connect the compromised host to an IRC Server and be part of a BOTNET,” wrote the researcher, who uses the name @guerilla7 on Twitter.

"[The Perl Scripts] install and run a remote access tool using DynDNS (Flu.pl), and two Windows batch scripts: one for exploring JBoss services (wstools.bat), and a script to discover all UDP-based members running on a certain mcast address (JGroups), called "JGroups Cluster Discovery Script for Win32" (probe.bat)."

The authentication bypass vulnerabilities in JBoss were patched in April 2010, and they were covered along with other issues by Christian Papathanasiou, during Trustwave’s BlackHat EU talk the same year. It’s worth reading up on the security concerns, if your organization is one of the tens of thousands of enterprises using it in JSP deployments. [BlackHat EU 2010 Slides]

Likewise, guidance on dealing with password configuration protection related issues can be seen here.

“This problem is exacerbated by many organizations deploying systems that they don’t keep up to date. Many businesses outsource Web application development and once the application is deployed, service contracts may lapse or IT staff may not be paying much attention to them. Many organizations treat these deployments as black boxes, and don’t touch them out of fear that they'll break something,” commented Marcus Carey, security researcher at Rapid7.


“There are three exploit modules in Metasploit, an open source security tool, that exploit this vulnerability. There is also a scanner available in Metasploit to allow organizations to scan for it...yet many organizations are not doing so and are seriously dropping the ball. The use of this new malware associated with JBoss is something we have not seen before; however, the actual vulnerability it is exploiting should have been snuffed out years ago. This is far more a business failure than a software security failure at this point.”

As mentioned, the JBoss attack is a textbook example of what Microsoft reported earlier this month. In their annual Security Intelligence Report, Microsoft said that security flaws where patches are available greatly outnumber zero-day attacks.

According to the research, exploits for flaws with a patch available for over a year accounted for 3.2% of compromises, compared to 2.4% for flaws with a patch available for less than a year. Much-talked-about zero-day attacks were responsible for just 0.12% of activity.

“The numbers don't lie; organizations are much more likely to be hit with something they didn't patch instead of a zero-day. This latest news story, as well as the Microsoft report both scream the need to get back to the basics in security. This means better training users and system administrators to prioritize known threats,” added Carey.

Additional Red Hat information on JBoss can be viewed here and here.

Duqu Malware Detection Tool

The free Duqu Detector Toolkit comes from the CrySyS Lab at the Budapest University of Technology and Economics, which was the first group to discover Duqu, as well as to discover a dropper file (installer) for Duqu that offered additional clues into how the malware would have infected computers and spread. Notably, the installer recovered by CrySyS was a malicious Word document (.doc) file, although security researchers said the malware may have been spread through other means as well.

CrySyS said its toolkit, which includes four command-line-executable components, intentionally includes "very simple, easy-to-analyze program source code. To check that there is no backdoor or malicious code inside." That way, potential users can easily validate the source code before using it in highly specialized environments.

To date, Microsoft has detailed a workaround for the zero-day vulnerability that researchers unearthed in the Duqu source code, which involves a font parsing flaw in the TrueType engine in 32-bit versions of Windows. That vulnerability would have helped the malware to spread and infect its target without being detected. But Microsoft has yet to issue a patch that fixes the flaw exploited by Duqu.


Wordpress 3.2.1 persistent xss exploit

Here is the WordPress 3.2.1 core (post-template.php) improper-sanitizing (persistent XSS) vulnerability by silentph33r, aka Darshit Ashara. This is an author-level vulnerability.

Recently a WordPress vulnerability was reported in TimThumb, and now a new vulnerability has been discovered in the core modules.

Author : Darshit Ashara
Contact : john_pwnr@yahoo.com
Love to : A Gondela, Y Jaygadkar, A Dhaka, Rahul Sasi,
Team Indishell and Garage4hackers.

=======================================================
Improperly sanitized code in the WordPress core module (post-template.php)
causes cross-site scripting,
and it will pop an alert on the index page and the post page.


Below are the temporary patches for fixing.
Vendor notified about this vulnerability.



/* This will patch XSS in Index Page */
Vulnerable Code Part 1
function the_title($before = '', $after = '', $echo = true) {
    $title = get_the_title();

    if ( strlen($title) == 0 )
        return;

    $title = $before . $title . $after;

    /* The advisory's patch wraps the output in htmlentities(). Applied after the
       concatenation above, it also encodes any markup the theme passed in
       $before/$after, so strictly only $title should be escaped. */
    if ( $echo )
        echo htmlentities($title); /* Line No 52 Patch */
    else
        return htmlentities($title); /* Line No 54 Patch */
}
Vulnerable Code Part 2
function the_title_attribute( $args = '' ) {
    $title = get_the_title();

    if ( strlen($title) == 0 )
        return;

    $defaults = array('before' => '', 'after' =>  '', 'echo' => true);
    $r = wp_parse_args($args, $defaults);
    extract( $r, EXTR_SKIP );

    $title = $before . $title . $after;
    $title = esc_attr(strip_tags($title));

    /* esc_attr() above already encodes & < > " ' for attribute context; running the
       result through htmlentities() again re-encodes the '&' of every entity
       (double encoding), so the patch is redundant in this function. */
    if ( $echo )
        echo htmlentities($title); /* Line No 87 Patch here By adding htmlentities */
    else
        return htmlentities($title); /* Line No 89 Patch */
}
Patch for this wordpress vulnerability

Vulnerable Code Part 3
function get_the_title( $id = 0 ) {
    $post = &get_post($id);

    $title = isset($post->post_title) ? $post->post_title : '';
    $id = isset($post->ID) ? $post->ID : (int) $id;

    if ( !is_admin() ) {
        if ( !empty($post->post_password) ) {
            $protected_title_format = apply_filters('protected_title_format', __('Protected: %s'));
            $title = sprintf($protected_title_format, $title);
        } else if ( isset($post->post_status) && 'private' == $post->post_status ) {
            $private_title_format = apply_filters('private_title_format', __('Private: %s'));
            $title = sprintf($private_title_format, $title);
        }
    }
    /* Escaping here as well as in the_title()/the_title_attribute() above means
       the same value is encoded twice; one escape at the output point is enough. */
    return htmlentities(apply_filters( 'the_title', $title, $id )); /* Line No 119 Patch */
}
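As an added example (not code from WordPress or from the advisory), the following stand-alone PHP script feeds a constructed post title through a the_title()-style function with and without output escaping, for both the HTML-body and the attribute context; get_the_title_stub(), the render_title_* functions and expect() are names of my own.

```php
<?php
// Added example, not WordPress or the advisory's code: shows why the title must
// be escaped at the output point, escaped once, and for the right context.
// get_the_title_stub() stands in for WordPress's get_the_title().

// Constructed sample title, the kind of value an Author-role user can save.
$sample_title = 'Q3 "Report" <script>alert(1)</script> & more';

function get_the_title_stub($title) {
    return $title; // the stored title comes back unchanged, as in get_the_title()
}

// Mirrors the_title() in 3.2.1: theme markup in $before/$after wraps a raw title.
function render_title_unescaped($title, $before = '<h2>', $after = '</h2>') {
    return $before . get_the_title_stub($title) . $after;
}

// Hardened form: escape only $title, so the theme's $before/$after markup survives.
// ENT_QUOTES also encodes single quotes, which the default flags skipped before PHP 5.4.
function render_title_escaped($title, $before = '<h2>', $after = '</h2>') {
    $safe = htmlentities(get_the_title_stub($title), ENT_QUOTES, 'UTF-8');
    return $before . $safe . $after;
}

// Attribute context, mirroring the_title_attribute(): strip tags, then encode once.
function render_title_attribute($title) {
    $safe = htmlentities(strip_tags(get_the_title_stub($title)), ENT_QUOTES, 'UTF-8');
    return '<a title="' . $safe . '" href="#">permalink</a>';
}

// Minimal pass/fail reporter so the script needs no test framework.
function expect($cond, $label) {
    echo ($cond ? 'ok   ' : 'FAIL ') . $label . "\n";
    return $cond;
}

$unescaped = render_title_unescaped($sample_title);
$escaped   = render_title_escaped($sample_title);
$attribute = render_title_attribute($sample_title);

echo $unescaped, "\n", $escaped, "\n", $attribute, "\n";

expect(strpos($unescaped, '<script>') !== false, 'unpatched output carries raw <script>');
expect(strpos($escaped, '<script>') === false, 'escaped output carries no raw <script>');
expect(strpos($escaped, '<h2>') === 0, 'theme markup in $before is preserved');
expect(strpos($attribute, '"Report"') === false, 'quotes in the title cannot close the attribute');
expect(strpos($attribute, '&amp;#') === false, 'attribute value is encoded exactly once');
```

Run it with `php` on the command line; the three rendered lines show the raw, escaped and attribute forms of the same title, followed by the five checks.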


Skype Zeroday HTML/Javascript code injection

Noptri Public Security has released a working Skype zero-day vulnerability with a POC for Skype. Skype users need to be aware of this vulnerability.

Vendor:
=======
Skype - http://www.skype.com/


Affected Product:
=================
Skype in version <= 5.5.0.113


Affected Platforms:
===================
Windows (XP, Vista, 7)

Problem Description:
====================
Skype suffers from a persistent code injection vulnerability due to a lack
of input validation and output sanitization of following profile entries:
    
    [+] home
    [+] office
    [+] mobile

POC of Skype 0day vulnerability 

The following HTML codes can be used to trigger the described vulnerability:

--- SNIP ---

    [+] Home Phone Number:
    <b>INJECTION HERE</b>

    [+] Office Phone Number:
    <center><i>INJECTION HERE</i></center>
    
    [+] Mobile Phone Number:
    <a href="#">INJECTION HERE</a>

--- SNIP ---
By using this code, an attacker could, for example, inject HTML/JavaScript code. It has not been verified, though, whether it is possible to hijack cookies or to attack the underlying operating system. An attacker could try using external .js files.

Tim Thumb Wordpress Exploit

Recently the TimThumb WordPress 0-day exploit was released by MaxE. TimThumb caches even remote files locally, without doing any proper sanitization. The file "timthumb.php" does, however, check whether the target file is actually an image. This file is also quite often renamed to something else and is used in many themes.

TimThumbCraft – Image Crafting Tool

The easiest way to trick TimThumb into believing a remotely stored image (that also contains evil PHP code) is an actual image is to either craft it yourself or use an external tool. Here is a small tool for the job, which also has a few encoding features, payload types and, of course, options for custom images.
Feature List:

List known vulnerable themes
Choose between 2 images or select your own
Enter your own code or use the Reverse PHP Shell
Encode your PHP Payload, this applies only if “code” is chosen
Base64 and Hexadecimal encoding is currently supported
Hexadecimal output of the created file. (Can be used in paste’s, etc.)
MD5 calculation of filename, that the target server will most likely use



References:
Proof of Concept: http://www.exploit-db.com/exploits/17602/
TimThumbCraft: Download it here
Demo Video (LQ): http://www.youtube.com/watch?v=udyEOzHK08E
Demo Video (HQ): https://rapidshare.com/files/2016620847/timthumb.avi
Original Info: http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
Vulnerable Themes: http://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html
source: http://www.exploit-db.com/wordpress-timthumb-exploitation/






Adobe confirms critical Flash zero-day bug

For the second time in the last four weeks, Adobe has told users that hackers are exploiting an unpatched bug in Flash Player, again by embedding malicious code inside a Microsoft Office document.

In a security advisory issued Monday, Adobe said that attackers are exploiting the vulnerability by embedding Flash attack files within a Microsoft Word document sent as an email attachment.


Adobe did not spell out a patch timeline for the newest Flash zero-day.
Four weeks ago, Adobe issued a similar warning about a different flaw that hackers manipulated via attack code tucked inside Excel spreadsheet attachments.
Later, RSA Security confirmed that the March vulnerability had been used by cybercriminals to gain a foothold on its corporate network, then steal information related to the company's SecurID two-factor authentication products.
Adobe patched last month's Flash bug on March 21.
Mila Parkour, the independent security researcher who reported the newest Flash flaw to Adobe, said attackers have inserted a malicious Flash Player file into a Word document named "Disentangling Industrial Policy and Competition Policy," which is then sent to targeted recipients as an attachment.
The email message's subject heading is "Disentangling Industrial Policy and Competition Policy in China," Parkour said in an April 6 entry on her Contagio Malware Dump blog.
One message that Parkour cited claimed the attached Word document was a copy of the American Bar Association's Antitrust Source newsletter, hinting that the target recipients may have been the legal departments at corporations or government agencies.
People seeing the email and attachment could be expected to fall for the ruse, since the most recent issue of Antitrust Source does contain an article by the same name. The legitimate article is available on the newsletter's Web site ( download PDF document).
Parkour has reported numerous vulnerabilities to Adobe, including one last September in the company's popular PDF viewer, Adobe Reader.
The Flash vulnerability also exists in Adobe Reader and Acrobat, both of which include code that renders Flash content inserted into PDF files.
"At this time, Adobe is not aware of any attacks via PDF targeting Adobe Reader and Acrobat," Adobe said in the advisory.



Last month, Microsoft urged Excel users to install and run the Enhanced Mitigation Experience Toolkit (EMET) to block those attacks, and said that Excel 2010 was not susceptible to the exploit because of its "Protected View" sandbox.
While those same recommendations may apply today for Word, Microsoft was not immediately able to confirm that to Computerworld.
Currently, only one anti-virus firm, Commtouch, has issued a signature that tags the rogue Word document as a threat, according to VirusTotal, a free service that analyzes suspicious files.
Flash vulnerabilities are an attractive target to hackers, said Andrew Storms, director of security operations at nCircle Security. When asked if the rash of Flash flaws meant it was time for companies to consider ditching the browser plug-in, Storms answered, "That's going to be incredibly hard due to the pervasiveness of its use in valid business systems."

IE9 exploit puts Windows 7 SP1 at risk

A new exploit for IE9 bypasses all security measures in even the latest fully patched version of Windows 7, according to the French security company Vupen.
The exploit uses an unpatched zero-day vulnerability in Internet Explorer 9 and bypasses all the extra security measures of Windows 7. The latest version of Microsoft's operating system, fully up-to-date with Service Pack 1 (SP1), is vulnerable. The security hole was reported by the French security company Vupen, which previously discovered an IE8 vulnerability in December of last year. (MS11)


Vupen classifies the exploit for IE9 as reliable, which means it's an effective way for cyber attackers to run malicious code of their choosing on Windows 7 PCs. The exploit manages to break through Windows' additional security layers, such as ASLR, DEP and the sandbox (Protected Mode) in IE9.
"The exploit uses two distinct vulnerabilities. The first one allows execution of arbitrary code within the IE9 sandbox. The second one allows the bypass of the sandbox to achieve full code execution," Vupen's CEO Chaouki Bekrar told Dutch IDG news site Webwereld.
The risk of this exploit so far is limited: exploit code has not been spotted in the wild. The vulnerabilities were discovered by researchers from Vupen, who made their own exploit. "We confirmed the exploitability of the vulnerability and we created a code execution exploit which works with Internet Explorer 9 on Windows 7 and Windows 7 SP1," Bekrar said.
Bekrar stressed that the vulnerabilities have not been publicly disclosed. "Access to our code and to the in-depth analysis of the vulnerability is restricted to our government customers who use the information to protect their critical infrastructures," he said.
IE9 is not much in use by governments or even companies. However, the vulnerability is not limited to the latest version of Microsoft's browser. The security hole is also present in IE8, 7 and 6, for which Vupen has not made a working exploit.
"The flaw affects Internet Explorer 9, 8, 7, and 6, and results from a use-after-free error within the 'mshtml.dll' library when processing a specific combination of HTML and JavaScript code." Vupen advises all IE users to disable JavaScript or use another Web browser which is not affected by the vulnerability.
Vupen's exploit code is only effective on IE9, which can run on Windows 7 and predecessor Windows Vista. IE9 has recently been released and is not yet being distributed through Windows Update. Microsoft will start that rollout in the coming weeks. An exact date for the wider distribution and installation of the latest Windows browser has not been disclosed.
IE9 currently has a market share of 3.6 percent amongst Windows 7 users, according to figures from market researcher NetApplications. Windows 7 itself has a global market share of nearly 25 percent. Windows XP still has a larger installed base.
Measured across all PC users IE9 has a market share of only 1.04 percent, reports NetApplications. Competitor StatCounter doesn't even show IE9 as a separate browser in its market share overview, but puts it in the category "other."

MHTML EXPLOIT LATEST MICROSOFT BUG :P

Latest microsoft MHTML exploit is in fashion for hackers ;)

Microsoft is investigating new public reports of vulnerability in all supported editions of Microsoft Windows. The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities.
MHTML, or Mime HTML, is a standard that allows web objects such as images to be combined with HTML into a single file. The vulnerability lies in how MHTML interprets Multipurpose Internet Mail Extensions (Mime) for content blocks in a document.

On a Blog post Friday afternoon Google Security Team members said “We’ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site.”

Microsoft and Google are now working on a server-side fix to reduce the risk of the MHTML vulnerability; meanwhile, you can check whether your machine is vulnerable by using the test scenario previously posted by Microsoft.

As a workaround user can also disable ActiveX, but this would affect web applications including banking and e-commerce sites that use ActiveX to provide online services.
May be sad news for normal users, but :D you know what I mean to say: enjoy the exploit, guys, it's not patched yet :P

PWN2OWN OVERVIEW & RESULTS

The Zero Day Initiative team is having the annual Pwn2Own contest March 9th, 10th, and 11th of 2011 in Vancouver. The contest always seems to be an interesting spectacle – seeing how fast certain systems are compromised, learning how companies respond to the vulnerability disclosures, and seeing patches come out up to the very last minute. The targets this year will be 4 popular web browsers and 4 mobile devices.

Browsers

This year the web browser targets will be the latest release candidate (at the time of the contest) of the following products:
  • Microsoft Internet Explorer
  • Apple Safari
  • Mozilla Firefox
  • Google Chrome
Each browser will be installed on a 64-bit system running the latest version of either OS X or Windows 7.
A successful hack of IE, Safari, or Firefox will net the competitor a $15,000 USD cash prize, the laptop itself, and 20,000 ZDI reward points which immediately qualifies them for Silver standing. Benefits of ZDI Silver standing include a one-time $5,000 USD cash payment, 15% monetary bonus on all ZDI submissions in 2011, 25% reward point bonus on all ZDI submissions in 2011 and paid travel and registration to attend the DEFCON Conference in Las Vegas.
As for Chrome, the contest will be a two-part one. On day 1, Google will offer $20,000 USD and the CR-48 if a contestant can pop the browser and escape the sandbox using vulnerabilities purely present in Google-written code. If competitors are unsuccessful, on day 2 and 3 the ZDI will offer $10,000 USD for a sandbox escape in non-Google code and Google will offer $10,000 USD for the Chrome bug. Either way, plugins other than the built-in PDF support are out of scope.

Mobile Devices

The following are the target mobile devices for the contest:
  • Dell Venue Pro running Windows 7
  • iPhone 4 running iOS
  • Blackberry Torch 9800 running Blackberry 6 OS
  • Nexus S running Android
As mentioned previously, we’ve upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000 USD. While HP TippingPoint is funding $105,000 of that, we’ve partnered with Google who has generously offered up $20,000 to the researcher who can best their Chrome browser.
Interestingly, an RF enclosure box will be used for the mobile targets as there seems to be the possibility that


The Results of Pwn2Own 2011

Browsers

“Safari goes down first at #pwn2own”
“Stephen Fewer @stephenfewer just successfully compromised Internet Explorer (complete with a Protected Mode bypass) at Pwn2Own.”
The vulnerability used to exploit IE8 is not present in IE9, which ships on Monday.
Chrome and Firefox, the other browsers in the contest, went unchallenged.

MOBILE PHONES

The Apple iPhone 4 and RIM’s BlackBerry Torch 9800 were both successfully compromised on day 2 of the contest.
Android and Windows Phone 7 based devices survived the challenge.
It was a vulnerability in WebKit that allowed the BlackBerry to be compromised. Google has responded by patching the bug in its WebKit-based Google Chrome.

REPORTS


Ars Technica has good write-ups on Day 1 and Day 2 of Pwn2Own 2011. In those write-ups you’ll find a lot more details of the winners and some of the compromises.
