"s3cur1ty" via m1k3 in Google Reader

Sold 1 copy on Amazon.de - Sunday, May 27th at 5am

2012-05-27T12:01:52Z

"Metasploit: Das Handbuch zum Penetration-Testing-Framework" by Michael Messner (Perfect Paperback) has sold 1 book on Amazon.de on Sunday, May 27, 2012 at 5am Pacific Time.
It has jumped to a new Amazon SalesRank of 5,470 from a previous SalesRank of 12,615.

Avira erklärt Ausfall der Verhaltenserkennung

2012-05-27T10:55:00Z

In einer Stellungnahme erklärt Avira, weshalb die Verhaltenserkennung seiner Produkte Mitte Mai zahlreiche Rechner lahmlegte. Das Modul soll in Kürze wieder eingeschaltet werden.

[remote] - Symantec Web Gateway 5.0.2 Remote LFI Root Exploit

2012-05-26T07:28:20Z

Symantec Web Gateway 5.0.2 Remote LFI Root Exploit

Microsoft: Mehr Datenschutz für die Cloud

2012-05-26T15:48:00Z

Seit Dezember versucht Microsoft, die Bedenken potenzieller europäischer Cloud-Kunden beim Datenschutz zu zerstreuen. Nun kündigt Microsoft einen weiteren Schritt für den Cloud-Dienst CRM Online an.

New tool: Hyperion - A runtime encrypter for 32-bit PE files

2012-05-26T12:49:39Z

Posted by Levent Kayan on May 26

Hi there,

We just published Hyperion-1.0.zip source code at nullsecurity. The
presentation / slides are also available.

[ FILE ]

Hyperion-1.0.zip

[ DESCR ]

Hyperion is a runtime encrypter for 32-bit portable executables. It is
a reference implementation and bases on the paper "Hyperion:
Implementation of a PE-Crypter".

[ SITE ]

Tool @ http://www.nullsecurity.net/binary.html
Slides @ http://nullsecurity.net/papers.html...

Sold 1 copy on Amazon.de - Friday, May 25th at 12pm

2012-05-25T19:05:53Z

"Metasploit: Das Handbuch zum Penetration-Testing-Framework" by Michael Messner (Perfect Paperback) has sold 1 book on Amazon.de on Friday, May 25, 2012 at 12pm Pacific Time.
It has jumped to a new Amazon SalesRank of 15,613 from a previous SalesRank of 53,718.

Polizei warnt per Facebook vor Trojaner

2012-05-26T08:31:00Z

Per Facebook warnt die Polizei Hannover vor der neuesten Variante des Ukash/Paysafe-Trojaners. Gegen die bislang unbekannten Täter werde bereits in rund 35 Verfahren ermittelt.

An Insider's Look at the Social-Engineer.Org SE CtF at DEFCON

2012-05-25T12:11:00Z

By Chris Hadnagy I want you to picture this scene: It is a warm day in sunny Maryland, my phone rings. I answer it. Me – “Chris speaking…” Voice – “Hello Sir, this is Special Agent Smith (name changed) from the FBI, I would like to speak to you about this social engineering contest…” Me – “Nice Dave, not falling for it. Good try sucker!” Voice – “Sir, I already mentioned my name is Special Agent Smith, not Dave. It is important that we… Me – “Blah, Blah Blah.. right Dave. You are always trying to get me....

Erstes Project-Glass-Video aufgetaucht

2012-05-25T13:00:00Z

Ein Google-Mitarbeiter hat ein erstes Videos veröffentlicht, das mit der Augmented-Reality-Brille Project Glass aufgenommen wurde

Russischer "Superhacker" erhält Haftstrafe

2012-05-25T13:20:00Z

Soll mehr als 30 Millionen Rechner attackiert haben

SMS-Dienstleister soll wegen Android-Malware zahlen

2012-05-25T16:35:00Z

Mit gefälschten Apps haben Betrüger Android-Nutzern durch Premium-SMS das Geld aus der Tasche gezogen. Jetzt muss der in Großbritannien registrierte Betreiber der Rufnummern den entstandenen Schaden erstatten und eine Strafe zahlen.

SMS-Dienstleister zahlt Strafe wegen Android-Malware

2012-05-25T16:35:00Z

Mit rund 30 gefälschten Apps haben Betrüger Android-Nutzern durch Premium-SMS das Geld aus der Tasche gezogen. Jetzt muss der Betreiber der genutzten Rufnummern den entstandenen Schaden erstatten und eine Strafe zahlen.

HITB2012AMS Day 2 – Ghost in the Allocator

2012-05-25T14:59:50Z

Ghost in the Allocator – Abusing the Windows 7 / 8 Low Fragmentation Heap After introducing himself, Steven Seeley, Senior Penetration Tester and Security Researcher at Stratsec starts his presentation by sharing the talk agenda: Why target the heap manager Heap terms Some Windows 7 theory WIndows 7 exploitation Changes introduced in Windows 8 Heap Windows [...]

Jailbreak für iOS 5.1.1 veröffentlicht

2012-05-25T13:20:00Z

Mit Version 2.0 des Programms Absinthe können Nutzer einen ungebundenen Jailbreak von iOS 5.1.1 durchführen – auch auf dem iPhone 4S und dem neuen iPad.

HITB2012AMS Day 2 – Attacking XML Processing

2012-05-25T13:30:16Z

Attacking XML Processing Dressed in a classy Corelan Team T-Shirt, Nicolas Grégoire kicks off his presentation by introducing himself. Nicolas has been asked by a customer to audit some XML-DSig applications 18 months ago and found a number of bugs. This triggered him to do more research on this topic. This technology is present in [...]

From LOW to PWNED [11] Honorable Mention: Open NFS

2012-05-25T12:00:00Z

Post [11] Honorable Mention: Open NFS

Open NFS mounts/shares are awesome. talk about sometimes finding "The Goods". More than once an organization has been backing up everyone's home directories to an NFS share with bad permissions. so checking to see whats shared and what you can access is important.

Low? currently an "info" with Nessus 5

Anyway, you probably want to know about finding it. You have a few options.

standard portscanning (of course)

1. scan for port 111/2049
2. do showmount -e / showmount -a
3. metasploit module

example:
root@attacker]# showmount -e 192.168.0.1
Export list for 192.168.0.1:
/export/home/ (everyone)
/export/mnt/ (everyone)
/export/share/ (everyone)

3. look to see what's exported and who is mounting ("everyone" FTW)

To mount an NFS share use the following after first creating a directory on your local machine:

[root@attacker~]#mount -t nfs 192.168.0.1:/export/home /tmp/badperms

change directories to /tmp/badperms and you should see the contents of /export/home on 192.168.0.1

to abuse NFS you can check out the rest from http://www.vulnerabilityassessment.co.uk/nfs.htm it talks about tricking NFS to become users. I'm going to put it here in case it goes missing later:

"You ask now, how do you circumvent file permissions and the use of the sticky bit, this is done with a little prior planning and slight of hand to confuse the remote machine.

If we have a /export/home/dave directory that we have gone into, we will see a number of files belonging to dave, some or all of which you may be able to read. The one thing the system will give you is the owners UID on the remote system after issuing an ls -al command i.e.

-rwxr----- 517 wheel 898 daves_secret_doc

The permissions at the moment do not let you do anything with the file as you are not the owner (yet) and not a member of the group wheel.

Move away from the mount point and unmount the share
umount /local_dir

create a user called dave
useradd dave
passwd dave

Edit /etc/passwd and change the UID to 517

Remount the share as local root

Go into daves directory
cd dave

issue the command
su dave

As you are local root you can do this and as you have an account called dave you will not need a password

Now the quirky stuff - As the UID for your local account dave matches the username and UID of the remote, the remote system now thinks your his dave, hey presto you can now do whatever you want with daves_secret_doc."

NfSpy is supposed to assist with the above: https://github.com/bonsaiviking/NfSpy

nmap scripts to do additional info gathering

nfs-ls
nfs-showmount
nfs-statfs

Valsmith and hdmoore gave their tactical exploitation talk at defcon 15 and talked about NFS (file services section of the slides) video white paper they also gave it at blackhat in a much longer format, unfortunately the video is broken into multiple 14 minute parts, so go Google for it (lazy)

Fun Reading:
Swiss Cyber Storm II Case: NFS Hacking: http://www.csnc.ch/misc/files/publications/2009_scsII_axel_neumann_NFS.pdf

HITB2012AMS Day 2 – Taint Analysis

2012-05-25T10:32:48Z

Automatically Searching for Vulnerabilities: How to use Taint Analysis to find Security Flaws (by Alex Bazhanyuk (not present) and Nikita Tarakanov, Reverse Engineers, CISS) Nikita explains they have been working on reversing binaries and auditing source code for a long time. Alex currently works on the BitBlaze work, and moved to the US to [...]

HITB2012AMS Day 2 – PostScript – Danger Ahead

2012-05-25T09:30:20Z

Good morning everyone, welcome back at Hack In The Box 2012 Amsterdam ! Before looking at the first talk that I attended today, I would like to mention that you can find copies of the talks and materials on the hitb.org website. Files are made available right after a talk or lab finishes, you [...]

Vier Jahre Haft für Botnetz-Betreiber

2012-05-25T08:30:00Z

Ein 27 Jahre alter Russe, der das Bredolab-Botnetz betrieben hat, wurde von einem armenischen Gericht verurteilt.

SUDOERS Commented Includes used for Evil

2012-05-25T05:33:00Z

I found a number of things interesting when reading the following post:

http://www.offensive-security.com/vulndev/freepbx-exploit-phone-home/

Too bad that nmap's interactive mode was taken out, but there are a great number of other such methods, most notably VI's shell mode.

But when I started looking into appending or inserting lines into /etc/sudoers for CCDC, I happened upon an interesting function of that file. Near the end of the file there are two lines:

# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d

Both look commented out, but in actuality, exactly as-is the #includedir line is interpreted and acted upon. So any file that you put in the /etc/sudoers.d directory counts as an extension of the /etc/sudoers file. Make a small edit to the default README file with a bunch of added # commented out lines copied directly from the sudo man page, with a

nobody ALL = NOPASSWD: ALL

or www-data plus a webshell makes for easy re-exploitation

Just an evil way to stay hidden on a 'nix box…

Update:

nmap --script <(echo "os.execute('/bin/sh')")

'nuf said… (thanks @bonsaiviking )