Proof of concept taken from above URL:

GET /prot%c0%afected/protected.zip HTTP/1.1
Translate: f
Connection: close
Host: servername

Adobe version 8-9.1 have been smacked with more JavaScript command execution bugs. A lot of vendors are starting to recommend disabling JavaScript, something I suggested back in 2007 when I released the Adobe JavaScript DB backdoor. Here are links to the 5 Adobe exploits released on Milw0rm thus far (2009):

You can disable Adobe Javascript as follows:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Products that have TFTP services enabled and that run CiscoWorks
Common Services versions 3.0.x, 3.1.x, and 3.2.x are vulnerable.
Only CiscoWorks Common Services systems running on Microsoft Windows
operating systems are affected.

CiscoWorks TFTP Directory Traversal Vulnerability. According to Cisco the following software types and versions are vulnerable:

• Cisco Unified Service Monitor versions 1.0, 1.1, 2.0, and 2.1
• CiscoWorks QoS Policy Manager versions 4.0 and 4.1
• CiscoWorks LAN Management Solution versions 2.5, 2.6, and 3.0
• Cisco Security Manager versions 3.0, 3.1, and 3.2
• Cisco TelePresence Readiness Assessment Manager version 1.0
• CiscoWorks Voice Manager versions 3.0 and 3.1
• CiscoWorks Heath and Utilization Monitor versions 1.0 and 1.1
• Cisco Unified Operations Manager versions 1.0, 1.1, 2.0 and 2.1
• Cisco Unified Provisioning Manager versions 1.0, 1.1, 1.2 and 1.3

Workarounds
To mitigate this vulnerability, administrators can disable TFTP services by completing the following steps:
Step 1. Choose “Start > Settings > Control Panel > Administrative Tools > Services to access the Services window.
Step 2. Right-click “CWCS tftp service” and select “Properties”.
Step 3. Set the “Startup Type” to “Disabled”.
Step 4. Click the “Stop” button to stop the TFTP service.

Still waiting for details on a proof of concept for this.

Inferno released an advisory in Bugtraq stating that he discovered a method of exploiting the following Google items (to name a few):
1. Steal your emails.
2. Steal your contacts.
3. Steal your documents.
4. Steal your code.
5. Steal your sites.
6. Steal your website analytics.
7. Backdoor your iGoogle Homepage with malicious gadgets.

With Twitter’s recent Cross Site Scripting worm and now Google’s universal vulnerability I think its time to re-think your client-side security controls if you haven’t already.

If you haven’t already looked at something like noscript for protection against these attacks, I’d highly recommend it. It may not provide you with complete peace of mind but at least you know you have an extra layer of security against pesky and basic XSS attacks!

In laymans terms this is how Public Key Cryptography works compliments of Wikipedia:

In an asymmetric key system, Bob and Alice have separate padlocks. First, Alice asks Bob to send his open padlock to her through regular mail, keeping his key to himself. When Alice receives it she uses it to lock a box containing her message, and sends the locked box to Bob. Bob can then unlock the box with his key and read the message from Alice. To reply, Bob must similarly get Alice’s open padlock to lock the box before sending it back to her.

But a history source, Hellmoyan recounts that there may be archives and antiques that demonstrate that the shared secret exchange that is key to the Diffie-Hellman Key Exchange had been discovered much earlier on:

In 1669, Lord Branston of Sinai Park in Stafford had an affair with a chambermaid, named May, whilst his wife, Lady Branston was away in Scotland. Upon her appending return, the clever Branston devised a strategy to get messages to his mistress and to keep him out of a pickle.

As he shared a romantic embrace with his May, Lord Branston shared a secret with his chambermaid, a white creamy sauce dressing from the Northern provinces of France, which he called May’s special sauce, which later became Mayo, after a late night session of “May oh May oh May!”

When Lady Branston returned, she was none the wiser as her and the Lord had their feast that was dinner of the key exchange, or should I say sauce exchange. You see the Lord was served May’s special sauce as a garnish that he loved so much. But when he left it, his chambermaid knew that was the signal to meet with her Lord in secret.

Lord Branston and May were never caught and details of their relationship only surfaced a long time after Lord Branston’s death. Several antiques including gifts to chambermaid May, crockery and inscriptions have been found to support this case.

The United Kingdom’s Centre for the Protection of National Infrastructure has just released the document “Security Assessment of the Transmission Control Protocol (TCP)”.

I find the document title a little ambiguous, as a security assessment generally refers to active research where from my brief overview, is in fact more of a whitepaper giving an excellent overview of existing and well-known TCP/IP vulnerabilities (i.e. SYN flooding, Weak sequence numbers, port scanning techniques and more). It must be one of the best TCP/IP security overview whitepapers I’ve seen. Worth a read. Very nice work.

FreeBSD Telnet 0-Day

Kingcope Kingcope released a zero-day telnetd vulnerability, affecting FreeBSD 7.x. Telnetd allows environment variables to get passed to a remote session. FreeBSD made some recent changes which allowed Kingcope to set malicious environment variables using dynamic linker files (LD_PRELOAD). Interesting seeing Telnet in the news again after the 2007, Solaris 10 Telnet exploit (telnet -froot host). FreeBSD have made a fix available.

RainbowCrack 1.3 Released

RainbowCrack is a general propose implementation of Philippe Oechslin’s faster time-memory trade-off technique. In short, the RainbowCrack software is a hash cracker that use time-memory tradeoff algorithm.

RainbowCrack 1.3 has been formally released. It has some nice features including multicore processor support, improved hash algorithm and overlapped computation and harddisk read.

Nokia N95 DoS

jplopezy released a proof of concept exploit that supposedly crashes the Nokia N95. The vulnerability uses JavaScript’s setAttributeNode function, which is part of JavaScript’s XML DOM suite of functions. The PoC looks like this:

script
r=document.getElementById('c');
a=r.setAttributeNode();
/script


$250,000 reward for Microsoft Worm Writer

A bounty has been set by Microsoft for information leading to the arrest of the Conficker worm author.

Conficker, also known as Downadup and Kido, has surprised many security experts with its success in propagating across the Internet. First discovered in November 2008, the worm has infected at least 11.4 million computer systems, according to a census of compromised Internet addresses carried out by SRI International.

The guys at Backtrack have released Backtrack 4 BETA. Cool changes include Kernel 2.6.28.1 with better hardware support, Pico e12, e16 support, better wireless injection support, RFID support and a bunch of new tools.

Fasttrack security tool gets spotlight

David Kennedy’s Fasttrack tool got high reviews after Shmoocon. It provides CLI and a cool web frontend. You can automate Metasploit, brute force weak sa passwords on MS SQL serve IP ranges, find SQL injection vulnerabilities with an INJECTME placeholder and more more. The tool is only available in Backtrack. A nice demo here.

SQL Map 0.6.4 released

Bernardo Damele releases Sqlmap version 0.6.4. New features include a better string comparison engine and some major bug fixes.

Monster gets hacked

Monster got hacked and had millions of hob seeker data stolen. Would hate to be the infosec manager. I don’t think data has been released about how the hack occured, however, contact and account details were lost, including user IDs, passwords, email addresses, names, phone numbers, and basic demographic data.

Next-Gen WordPress Vulnerability Scanner released

BlogSecurity releases next-gen WordPress scanner. The tool is still BETA but has some cool new features like an XML driven test engine allowing anyone to contribute tests. We hope to split this project off to other open source apps. as resources permit.

DNS DDoS Saga Continues

For those who haven’t heard, a few weeks ago reports started coming in of odd (.) DNS queries. It has since been found to be a distributed denial of service vulnerability targetting the Internet ROOT nameserver. The attack was actually working and the ROOT nameservers began to slow… SANS have released  a tool to test your DNS server and include some config advice to fix it.

There are rumours that this attack may have been part of some mass DNS poisoning attack inspired by Dan Kaminsky’s DNS vulnerability research released last year.

Laramies Corner’s gives some nice links to web services pentesting

Christian Martorella over at Laramies Corner has put together some nice links for web services testing. Definately a page to keep bookmarked for quick reference.

Automated Web Vulnerability Scanner Comparison

anantasec posted a scanner comparison to the web security mailing list. I found it quite an interesting read. Its really useful if anyone is planning on forking out for one of these tools. A copy of the report is here.

http://flickr.com/photos/mousyboywithglasses/ photo author

GOLD COAST, Austrailia— Many mourned upon hearing that famous super hacker, Bruce Blubber, 21, had died before giving his his long awaited talk, “He’s just not that into you”.

Close friends made the effort to poke his Facebook profile with messages of love and condoleances to his friends and family. One friend, Kevin, repeatedly superpoked him. When asked why, he said, holding back tears, “He’s worth it!”.  Another close friend, which wishes to remain anonymous, defaced over a thousand web sites with the message, “Free Mitnick”. In a private interview, the  hacker told us it was for his friend who he had gotten close to during many long IM sessions.

Although IWAS-P thought of cancelling the conference, a replacement talk has been prepared, titled, “Advanced Injection Techniques”. Many have commented, saying it just wont be the same without Blubber.

http://flickr.com/photos/mousyboywithglasses/ photo author

What is pwntry?

pwntry is an extremely technical and complex form of poetry. Those endowed with such abilities write  with an unequalled eloquence rarely if ever seen in human literature. Some believe it to be the next stage of our monkey -> human  -> super hero evolution.

This term although used loosely elsewhere has never before been explored as it has.

1. A mash-up of pwning and poetry

There once was a geek that liked to hack,
He got so high that he went on the attack;
Pwning every system in sight,
Until he got caught in the night;
And ended up with the sack.

2. Pwning but with a hint of irony often becomes pwntry or viral in motion

Hacker safe falls off a cliff or organisation releases  security standard only to become a victim of their own lack of compliance.

3. Pwntry changing lives

Hacking Elevators is an example of how pwntry can create mass hesteria and change lives. In the case of the elevator it could save you 10 minutes every day by skipping all requested stops… I know exactly where to use this!

Hacking buildings for serious gaming…

4. L33t speak evolved

“4 z eg, 2day i h4>< da guv 1N and pwN d33r l1nux syst3ms & set the background of every user to a painting of Monet’s Garden.”
Note: Referencing art work in l33t speak is certainly a new development!

5. Pwntry in web defacements

Web defacements are often where we see pwntry at its best. These pwntric messages often use all available sensory perception, see Michael Daw’s pwned slideshow

See also “pwntry in motion” and “pwntric justice”.

1. We believe for anonymity in security through ambiguity and obscurity. Confuse them and they will come.
2. Yo XSS, what will we do today? The same thing we do everyday, try to “hack the planet”!
3. Hacking has no roots in kung-fu. Regardless of what anyone tells you, hackers are not master ninjas.
4. DO NOT use the title penetration tester loosely
5. Sarcasm in infosec is career limiting
6. Satire is the most advanced form of communication having been founded by Egyptian monkeys
7. Join the house of flying hackers social network and look up Debbie. Refer to point 3.
8. Beware of the Council of Internet Supervillans
9. Web application security is the only security! 999% of all reported vulnerabilities affect web applications (i.e. SQL Injection in the widely used Webgoat v1.000001 BETA)
10. How to mitigate additional attacks: (1) Find hacker, (2) Baseball bat.
11. Know how to use the term “pwned”. For example, I got pwned in the back “orfaces”.

The implications of those remarks are alledgedly quite bad. Those comments are an open invitation to hackers, online criminals and organised crime to redouble their efforts to steal this data according to a security expert.

A well-organized crime gang has stolen credentials for more than a half-million financial accounts in less than three years using a sophisticated trojan that remains undetectable to the vast majority of its victims, a report published Friday warns. (See The Register

A super, invisible trojan is the makings of a Hollywood movie but this is nothing new. It should make one question the last time their PCs were re-installed, better-yet, browsers in virtual machines!