security.crudtastic.com

Security Nerd Stuff

The last two days have been pretty busy. I have been analyzing the latest Adobe vulnerability. It all began when HD alerted me to a post on Mila Parkour’s “contagio malware dump” blog. After giving the blog post a once over, it was pretty clear that he had discovered a live sample of a previously unpublished and currently unpatched vulnerability. The clearest indicator was the screen shot of the Adobe Reader “About” dialog with dropped files showing. Great image! This most definitely piqued my interest.

Read the rest of jduck’s post on the Metasploit blog

I’ll be honest .. after doing the Offensive-Security Pentesting with Backtrack course, sitting the SANS SEC-560 course lost a bit of its lustre for me. Nothing against the course .. it was awesome .. and I love all the SANS stuff!! The OffSec course though was pretty tough and I had only just completed it a few months before the SANS training, and to be honest, the OffSec course went a lot deeper.

I originally thought I’d give myself a break from doing SANS stuff for a while .. then I woke up yesterday .. and with 30 days left to sit the GPEN exam I booked it! Funnily enough, straight after that I looked at signing up for 2 other SANS courses ahahhahaah.

So now I have the task of getting ready to sit an exam in 15 days after not looking at the books in over 2 months (I’m so bad). This is very reminiscent of my GSEC study (do a search for my post) .. and I managed to nail that ok.

Anyway .. I’m whining about my GPEN when Chris is about to head off and tackle his GSE .. Good luck nerdlinger!!

My old chum Chris called me on the weekend to tell me about this .. the call was full of a lot of street-talk and keepin’ it real .. you know, cause that’s how the kids roll these days (like wearing a kilt)!


Symantec’s attempts to link up with Snoop Dogg to launch a cybercrime rap contest have descended into farce after it emerged that vulnerabilities with a dedicated site can be easily rickrolled.

Read all about the awesomeness that is Snoop Dogg and Security HERE

WORD TO YOUR MOTHER!


Today Microsoft are pleased to announce the availability of the Enhanced Mitigation Experience Toolkit (EMET) version 2.0.  Users can click here to download the tool free of charge. 

For those who may be unfamiliar with the tool, EMET provides users with the ability to deploy security mitigation technologies to arbitrary applications.  This helps prevent vulnerabilities in those applications (especially line of business and 3rd party apps) from successfully being exploited.  By deploying these mitigation technologies on legacy products, the tool can also help customers manage risk while they are in the process of transitioning over to modern, more secure products.  In addition, it makes it easy for customers to test mitigations against any software and provide feedback on their experience to the vendor.

Read the full story on the TECHNET BLOG

In case you’ve missed the news lately .. there’s been a few little issues with the way Microsoft handles some DLLs. A quick look on exploit-db will show a tonne of new DLL hijacking exploits. HD from Metasploit has released version 2 of his DLLHijackAudit Kit, which checks all the file associations on your machine for DLL hijack vulnerabilities; if it finds a vulnerable DLL load, it creates a PoC and saves it for you.

Due to an overwhelming amount of interest in the initial DLLHijackAuditKit released on Monday, I rewrote the tool to use native JScript, automatically kill spawned processes, reduce the memory usage by ProcMon, and automatically validate every result from the CSV log. The result is DLLHijackAuditKit v2. This kit greatly speeds up the identification process for vulnerable applications. An extremely simple HOWTO:

1. Download the DLLHijackAuditKit v2 and extract it into a local directory on the system you would like to test.

2. Browse to this directory and launch 01_StartAudit.bat as an Administrator. The Administrator bit is important, as it will allow the script to kill background services that are spawned by the handlers and prevent UAC popups.

3. After the audit script completes (15-30 minutes), switch to the Process Monitor window, and access File->Save from the menu. Save the resulting log in CSV format to the local directory with the name “Logfile.CSV”.

4. Launch 02_Analyze.bat as an Administrator. This will scan through the CSV log, build test cases for each potential vulnerability, try them, and automatically create a proof-of-concept within the Exploits directory should they succeed.

5. Identify the affected vendor for each generated proof-of-concept and ask them nicely to fix their application. Send them the calc.exe-launching PoC if necessary.

Thanks again to everyone who provided feedback (positive or negative) on the original tool, especially Rob Fuller, who let me forkbomb his system in the process of testing the new kit.


Full posting on the Metasploit blog
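Steps 3 and 4 of the HOWTO above come down to reading the Process Monitor CSV log and picking out DLL probes that landed outside the application's own install location. The script below is an added example of that triage step written for this post; it is not HD Moore's kit and does not generate proof-of-concept files. It assumes ProcMon's CSV export column layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail), treats `C:\Windows` and the Program Files roots as trusted, and runs over a constructed sample log embedded in the file.

```python
import csv
import io
from collections import defaultdict

# Roots a standard user cannot write to on a default install. A DLL probe
# anywhere else (a network share, removable media, Downloads, an extracted
# archive) is a place where a planted file would be picked up. If the audited
# application lives outside Program Files, add its directory here.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample, not a real capture. The column layout is assumed to match
# ProcMon's CSV export: Time of Day, Process Name, PID, Operation, Path, Result, Detail.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000 AM","MediaApp.exe","4120","CreateFile","C:\Program Files\MediaApp\codec.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:02.2000000 AM","MediaApp.exe","4120","CreateFile","\\server\movies\extras.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3000000 AM","MediaApp.exe","4120","CreateFile","C:\Windows\System32\extras.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:03.0000000 AM","Viewer.exe","5008","CreateFile","C:\Users\alice\Downloads\extracted\helper.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.1000000 AM","Viewer.exe","5008","CreateFile","C:\Program Files\Viewer\helper.dll","SUCCESS","Desired Access: Read Attributes"
"10:01:04.0000000 AM","svchost.exe","900","RegQueryValue","HKLM\Software\Example\Key","SUCCESS","Type: REG_SZ"
"10:01:05.0000000 AM","Editor.exe","6200","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x7ff800000000"
"10:01:06.0000000 AM","Editor.exe","6200","Load Image","C:\Users\alice\Downloads\extracted\plugin.dll","SUCCESS","Image Base: 0x7ff900000000"
'''


def is_trusted(path):
    """True if the path sits under a root a standard user cannot write to."""
    return path.lower().startswith(TRUSTED_ROOTS)


def dll_probes(csv_text):
    """Yield (process, pid, path, result) for every DLL file access outside the trusted roots."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in ("CreateFile", "Load Image"):
            continue
        path = row["Path"]
        if not path.lower().endswith(".dll") or is_trusted(path):
            continue
        yield row["Process Name"], int(row["PID"]), path, row["Result"]


def triage(csv_text):
    """Group suspicious DLL probes by process name.

    Returns {process: {"missing": [...], "loaded": [...]}} where
      missing = NAME NOT FOUND on an untrusted path: the process searched that
                directory for a DLL it does not ship, so a copy planted there
                would be loaded instead (hijack candidate, what step 4 tests);
      loaded  = SUCCESS on an untrusted path: a DLL really was opened from there.
    """
    findings = defaultdict(lambda: {"missing": [], "loaded": []})
    for proc, _pid, path, result in dll_probes(csv_text):
        if result == "NAME NOT FOUND":
            findings[proc]["missing"].append(path)
        elif result == "SUCCESS":
            findings[proc]["loaded"].append(path)
    return dict(findings)


def report(findings):
    """Render the triage result as one line per finding, for a quick read."""
    lines = []
    for proc, f in sorted(findings.items()):
        for path in f["missing"]:
            lines.append(f"{proc}: probed for missing DLL in untrusted dir: {path}")
        for path in f["loaded"]:
            lines.append(f"{proc}: loaded DLL from untrusted dir: {path}")
    return lines


if __name__ == "__main__":
    # For a real run: triage(open("Logfile.CSV", encoding="utf-8-sig").read())
    print("\n".join(report(triage(SAMPLE_CSV))))
```

The "missing" bucket is the one the audit kit acts on: every entry there is a directory the application will search for a DLL that is not present on the system, which is exactly the condition the proof-of-concept generation in step 4 verifies. The "loaded" bucket is worth a look too, since an application that already pulls a DLL from a user-writable location needs no missing file to be abused.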

The Pentagon has opened the kimono on what it described as the “most significant breach of US military computers ever,” in which a flash drive in 2008 was used to infect large numbers of computers, including those used by the Central Command overseeing combat zones in Iraq and Afghanistan.

When the device was plugged into a military laptop located on an undisclosed base in the Middle East, malicious code soon linked highly sensitive machines to networks controlled by an unnamed foreign intelligence agency, Deputy Defense Secretary William J. Lynn III wrote in the first official account of the episode.


Read the full story on theregister.co.uk

This post describes the process for identifying and exploiting applications vulnerable to the DLL hijack vulnerability disclosed last week. For background information on this vulnerability, as well as remediation information, please see my post on the Rapid7 Blog.

This vulnerability is triggered when a vulnerable file type is opened from within a directory controlled by the attacker. This directory can be a USB drive, an extracted archive, or a remote network share. In most cases, the user will have to browse to the directory and then open the target file type for this exploit to work. The file opened by the user can be completely harmless, the flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory.

In practice, this flaw can be exploited by sending the target user a link to a network share containing a file they perceive as safe. iTunes, which was affected by this flaw until last week, is associated with a number of media file types, and each of these would result in a specific DLL being loaded from the same directory as the opened file. The user would be presented with a link in the form of \\server\movies\ and a number of media files would be present in this directory. If the user tries to open any of these files, iTunes would search the remote directory for one or more DLLs and then load these DLLs into the process. If the attacker supplied a malicious DLL containing malware or shellcode, it’s game over for the user.


Read the rest of H D Moore’s post on the Metasploit blog
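The reason the handler ends up loading a DLL from the share is the order in which the Windows loader searches directories for an unqualified DLL name. The block below is an added model of that search order written for this post, not Windows code and not anything from the Metasploit post; it ignores KnownDLLs, manifests and the newer AddDllDirectory/LOAD_LIBRARY_SEARCH_* flags, and uses a constructed scenario (a media player under Program Files opening a file on `\\server\movies`) to show which cases resolve to the share and how removing the current directory from the search (the effect of `SetDllDirectory("")`) turns the hijack into a plain failed load.

```python
# Model of the Windows DLL search order for an unqualified LoadLibrary("name.dll")
# call. Added illustration only: KnownDLLs, manifests and AddDllDirectory /
# LOAD_LIBRARY_SEARCH_* flags are not modelled.

SYSTEM_DIRS = ["C:\\Windows\\System32", "C:\\Windows\\System", "C:\\Windows"]


def search_order(app_dir, cwd, path_dirs, safe_dll_search_mode=True, cwd_removed=False):
    """Directories the loader consults, in order.

    safe_dll_search_mode: the SafeDllSearchMode setting (on by default since XP SP2).
      On:  application dir, system dirs, current directory, PATH entries.
      Off: application dir, current directory, system dirs, PATH entries.
    cwd_removed: the effect of the process having called SetDllDirectory(""),
      which drops the current directory from the search entirely.
    """
    cwd_slot = [] if cwd_removed else [cwd]
    if safe_dll_search_mode:
        return [app_dir] + SYSTEM_DIRS + cwd_slot + path_dirs
    return [app_dir] + cwd_slot + SYSTEM_DIRS + path_dirs


def resolve(dll_name, order, present):
    """Return the directory the DLL would be loaded from, or None if not found.

    `present` is the set of files that exist (full paths, compared case-insensitively).
    """
    existing = {p.lower() for p in present}
    for directory in order:
        if f"{directory}\\{dll_name}".lower() in existing:
            return directory
    return None


def demo():
    r"""Constructed scenario: a media player installed under Program Files opens a
    file on \\server\movies, so that share becomes the process's current directory."""
    app_dir = "C:\\Program Files\\MediaApp"
    share = "\\\\server\\movies"
    present = {
        app_dir + "\\codec.dll",              # ships with the application
        "C:\\Windows\\System32\\helper.dll",  # present on this OS
        share + "\\codec.dll",                # planted on the share (constructed)
        share + "\\helper.dll",               # planted
        share + "\\extras.dll",               # planted; the app probes for it but the OS lacks it
    }
    default = search_order(app_dir, share, ["C:\\Tools"])
    legacy = search_order(app_dir, share, ["C:\\Tools"], safe_dll_search_mode=False)
    hardened = search_order(app_dir, share, ["C:\\Tools"], cwd_removed=True)
    return {
        "shipped_dll_default": resolve("codec.dll", default, present),     # app dir wins
        "system_dll_default": resolve("helper.dll", default, present),     # System32 wins
        "missing_dll_default": resolve("extras.dll", default, present),    # share: hijacked
        "system_dll_legacy": resolve("helper.dll", legacy, present),       # share: hijacked
        "missing_dll_hardened": resolve("extras.dll", hardened, present),  # None: load fails safely
    }


if __name__ == "__main__":
    for case, loaded_from in demo().items():
        print(f"{case}: {loaded_from}")
```

Two things fall out of the model. With SafeDllSearchMode on, only a DLL that is neither shipped with the application nor present in the system directories can be served from the share, which is why the audit kit keys on NAME NOT FOUND results; with it off, even a DLL that exists in System32 can be shadowed by the current directory. Removing the current directory from the search in the application is what closes the gap for the "missing DLL" case.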