security.crudtastic.com

Security Nerd Stuff

Today Microsoft are pleased to announce the availability of the Enhanced Mitigation Experience Toolkit (EMET) version 2.0. The tool is available to download free of charge.

For those who may be unfamiliar with the tool, EMET provides users with the ability to deploy security mitigation technologies to arbitrary applications.  This helps prevent vulnerabilities in those applications (especially line of business and 3rd party apps) from successfully being exploited.  By deploying these mitigation technologies on legacy products, the tool can also help customers manage risk while they are in the process of transitioning over to modern, more secure products.  In addition, it makes it easy for customers to test mitigations against any software and provide feedback on their experience to the vendor.

Read the full story on the TECHNET BLOG

In case you’ve missed the news lately .. there have been a few little issues with the way Microsoft handles some DLLs. A quick look on exploit-db will show a tonne of new DLL hijacking exploits. HD from Metasploit has released version 2 of his DLLHijackAudit Kit, which will basically check all the file associations on your machine for DLL hijack vulnerabilities; if it finds that a DLL is vulnerable, it will then create a POC and save it for you.

Due to an overwhelming amount of interest in the initial DLLHijackAuditKit released on Monday, I rewrote the tool to use native JScript, automatically kill spawned processes, reduce the memory usage by ProcMon, and automatically validate every result from the CSV log. The result is DLLHijackAuditKit v2. This kit greatly speeds up the identification process for vulnerable applications. An extremely simple HOWTO:

1. Download the DLLHijackAuditKit v2 and extract it into a local directory on the system you would like to test.

2. Browse to this directory and launch 01_StartAudit.bat as an Administrator. The Administrator bit is important, as it will allow the script to kill background services that are spawned by the handlers and prevent UAC popups.

3. After the audit script completes (15-30 minutes), switch to the Process Monitor window, and access File->Save from the menu. Save the resulting log in CSV format to the local directory with the name “Logfile.CSV”.

4. Launch 02_Analyze.bat as an Administrator. This will scan through the CSV log, build test cases for each potential vulnerability, try them, and automatically create a proof-of-concept within the Exploits directory should they succeed.

5. Identify the affected vendor for each generated proof-of-concept and ask them nicely to fix their application. Send them the calc.exe-launching PoC if necessary.

Thanks again to everyone who provided feedback (positive or negative) on the original tool, especially Rob Fuller, who let me forkbomb his system in the process of testing the new kit.

Full posting on the Metasploit blog

This post describes the process for identifying and exploiting applications vulnerable to the DLL hijack vulnerability disclosed last week. For background information on this vulnerability, as well as remediation information, please see my post on the Rapid7 Blog.

This vulnerability is triggered when a vulnerable file type is opened from within a directory controlled by the attacker. This directory can be a USB drive, an extracted archive, or a remote network share. In most cases, the user will have to browse to the directory and then open the target file type for this exploit to work. The file opened by the user can be completely harmless; the flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory.

In practice, this flaw can be exploited by sending the target user a link to a network share containing a file they perceive as safe. iTunes, which was affected by this flaw until last week, is associated with a number of media file types, and each of these would result in a specific DLL being loaded from the same directory as the opened file. The user would be presented with a link in the form of \\server\movies\ and a number of media files would be present in this directory. If the user tries to open any of these files, iTunes would search the remote directory for one or more DLLs and then load these DLLs into the process. If the attacker supplied a malicious DLL containing malware or shellcode, it’s game over for the user.

Read the rest of H D Moore’s post on the Metasploit blog
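As an added example that is not part of the kit or of either post above, the script below applies the audit condition both posts describe (a DLL looked for, and not found, in the directory that holds the opened document) to a Process Monitor CSV export, which is what step 4 of the HOWTO does by hand. It assumes ProcMon’s default export columns and takes the directory of the opened file as working_dir; the log lines are constructed, and the process and DLL names are placeholders.

```python
import csv
import io
import ntpath

# Constructed sample in Process Monitor's default CSV export layout; this is
# not a real capture, and the process and DLL names are placeholders.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","vulnerable_app.exe","4120","CreateFile","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Desired Access: Read"
"10:01:02.2","vulnerable_app.exe","4120","CreateFile","\\\\server\\movies\\helper.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.3","vulnerable_app.exe","4120","CreateFile","C:\\Windows\\System32\\helper.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:03.0","safe_app.exe","5210","CreateFile","C:\\Program Files\\Safe\\plugin.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:03.1","vulnerable_app.exe","4120","QueryOpen","\\\\server\\movies\\notes.txt","NAME NOT FOUND",""
'''


def _same_dir(a, b):
    """Case-insensitive comparison of two Windows directory paths."""
    return ntpath.normcase(a).rstrip("\\") == ntpath.normcase(b).rstrip("\\")


def find_hijackable_loads(csv_text, working_dir):
    """Return {process name: sorted DLL names} for each DLL that a process
    tried to open in working_dir and did not find.

    A CreateFile that fails with NAME NOT FOUND inside the directory of the
    opened document means the loader's search path reached that directory,
    so a DLL of that name placed there would be loaded: the condition the
    posts describe. Misses in other directories (System32, the application's
    own folder) are ignored because the document's directory is the only one
    an outside party could populate.
    """
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "NAME NOT FOUND":
            continue
        directory, name = ntpath.split(row["Path"])
        if not name.lower().endswith(".dll"):
            continue
        if not _same_dir(directory, working_dir):
            continue
        hits.setdefault(row["Process Name"], set()).add(name.lower())
    return {proc: sorted(names) for proc, names in hits.items()}


if __name__ == "__main__":
    for proc, dlls in find_hijackable_loads(SAMPLE_CSV, r"\\server\movies").items():
        print(f"{proc}: {', '.join(dlls)}")
```

Point it at the Logfile.CSV saved in step 3, with working_dir set to the directory the audit opened its test files from, to get the same per-application list the kit builds its test cases from.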

IT security and data protection firm Sophos has today released a free tool to protect against a Windows zero-day vulnerability that is being actively exploited to infect computers.

The Sophos Windows Shortcut Exploit Protection Tool protects against a high profile vulnerability that allows malicious hackers to exploit a bug in the way that all versions of Windows handle .LNK shortcut files. If Windows just displays the icon of an exploited shortcut file, malicious code can be executed – without requiring any interaction by the user.

But Sophos’s free tool, available for download from www.sophos.com/shortcut, intercepts shortcut files that contain the exploit, warning of the executable code that was attempting to run. That means it will stop malicious threats which use the vulnerability if they are on non-local disks, such as a USB stick.

Read the full article HERE

Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows’ handling of shortcut files.

Malware targeting the security weakness in the handling of .lnk shortcut files has been spotted in the wild by Belarus-based security firm VirusBlokAda. The malware uses rootkit-style functionality to mask its presence on infected systems. These rootkit drivers come digitally signed by legitimate software developer Realtek Semiconductor, a further mark of the sophistication of the attack.

In an advisory, VirusBlokAda says it has seen numerous incidents of the Trojan spy payloads dropped by the malware since adding detection for the malign code last month.

Even fully patched Windows 7 systems are vulnerable to attack in cases where a user views files on an infected USB drive using Windows Explorer, security blogger Brian Krebs reports. Instead of using Windows Autoplay to spread, the malware takes advantage of security weaknesses involving shortcut files. Malicious shortcuts on the USB are reportedly capable of auto-executing if users open an infected storage device in Windows Explorer. Normally users would have to click on the link for anything to happen.

Independent researcher Frank Boldewin has uncovered evidence that the malware is targeting SCADA control systems, used to control industrial machinery in power plants and factories, and specifically Siemens WinCC SCADA systems.

“Looks like this malware was made for espionage,” Boldewin writes.

Firms faced with a spate of Windows autorun worms have responded by disabling autorun, but this advice may no longer be enough with the appearance of a new attack vector, Finnish security firm F-Secure warns. “Our initial analysis of the samples appears to indicate that the shortcuts somehow take advantage of the way in which Windows handles Control Panel shortcut files,” it adds.

Original Source – http://www.theregister.co.uk/2010/07/16/windows_shortcut_trojan/

Link to Microsoft Security Advisory – http://www.microsoft.com/technet/security/advisory/2286198.mspx

Link to Security-Focus bid – http://www.securityfocus.com/bid/41732

Link to exploit-db code – http://www.exploit-db.com/exploits/14403/

So, I guess this isn’t really a security-related post … but someone will find it useful I hope! Earlier today I wanted to upgrade my little notebook to the latest version of Windows 7 .. but of course most netbooks don’t have a DVD drive, so you need to boot it off a USB stick.

You will need the following to create this bootable USB stick:

  • USB stick (4GB will do just fine)
  • Vista or Windows 7 installation
  • Windows 7 media (can be used with Vista as well)

So first of all we need to format the USB stick .. Insert the usual rubbish about it wiping everything on the drive and to back it all up etc etc (LAME). You do this as follows:

  1. Plug in your USB Flash Drive
  2. Open a command prompt as administrator (Right click on Start > All Programs > Accessories > Command Prompt and select “Run as administrator”)
  3. Find the drive number of your USB Drive by typing the following into the Command Prompt window:
    diskpart
    list disk

    The number of your USB drive will be listed. You’ll need this for the next step.  I’ll assume that the USB flash drive is disk 1.
  4. Format the drive by typing the next instructions into the same window. Replace the number “1” with the number of your disk below.
    select disk 1
    clean
    create partition primary
    select partition 1
    active
    format fs=NTFS
    assign
    exit
  5. When that is done you’ll have a formatted USB flash drive ready to be made bootable.

OK .. next we need to make the drive bootable .. this is pretty easy!

    1. go to your Windows 7 install directory (on the DVD).
    2. Change directory to the DVD’s boot directory where bootsect lives:
      d:
      cd d:\boot
    3. Use bootsect to set the USB as a bootable NTFS drive prepared for a Vista/7 image. I’m assuming that the computer has assigned your USB flash drive the letter G:
      bootsect /nt60 g:
    4. We’re done for this part

The final step (apart from actually running the install) is to copy the contents of the Windows 7 DVD to the USB stick. You can use Windows Explorer for this .. too easy huh?

Shove that USB stick into a netbook, power it up, make it boot from the USB stick and watch the magic of Windows 7 begin!!

That’s the basics .. if you have trouble with that you should see if there’s some video tutorials on youtube or something. Good luck team!

This is more for me than anyone else .. but i’m sure someone will find this useful.

I’ve just had the requirement to create a collection in Microsoft SCCM that excludes a pre-existing collection. Although it is a fairly straightforward task, trying to get the correct SQL query to do it was a pain (lack of support in the office). So after a bit of googling and a bit of testing I created the following SQL query that did the job.

First the set up:

  1. Check the properties of the existing collection that you want to EXCLUDE. There should be a collection ID that looks something like SMS000ES (where SMS is the site code and 000ES is the ID)
  2. Create a new collection and choose to “Edit Query Statement”
  3. Select the Criteria tab in the “Edit Query Statement” window and choose “Show Query Language”
  4. Paste the following into the Query Statement window
    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
    SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
    SMS_R_SYSTEM.Client from SMS_R_System where
    SMS_R_System.OperatingSystemNameandVersion = "Microsoft Windows NT Workstation 5.1"
    and SMS_R_System.Client = 1 and SMS_R_System.ClientType = 1 and SMS_R_System.ResourceId
    not in (select ResourceID from SMS_CM_RES_COLL_CP20001E)

!!Remember to change the collection ID on the last line (CP20001E in the SMS_CM_RES_COLL_CP20001E class name) to the value you got in step 1

Refresh the newly created collection to ensure the machines you wanted to exclude have in fact been excluded.

That’s basically it; you can also do a similar thing with Active Directory OUs.

Hope that helps someone else as well.