Archive for Exploit

New SQL Attack Making The Rounds

A new SQL Injection attack is making the rounds. There is a great analysis of the attack over on Shadowserver Foundation.

From Shadowserver:

As predicted, the attacks against ASP and ASP.NET pages via SQL injection have continued. This time the domain name “winzipices.cn” is in the spotlight. It has managed to find itself in the source of over 4,000 pages according to Google. ISC also has a short diary today mentioning this attack here. It turns out this is also something we have been taking a look at now for a few days. With that being said, we would like to share some information that can help protect end users and organizations.

It would appear that our attackers in this instance are taking advantage of the same issues we have discussed in some of our recent postings. However, we do know that the malware and malicious file trail here are different than the last few attacks.

For the full analysis read on.

Article Link

Nasty JavaScript Code Can Zap iPhone/iPod Touch

From the Reg:

Security researchers have discovered you can crash an iPhone through the medium of a cleverly crafted webpage.

The exploit, dubbed a “memory exhaustion remote denial of service vulnerability” by the SecurityFocus website, affects Apple’s Mobile Safari web browser, a key component of both the iPhone and the iPod Touch.

Code up a webpage a certain way - all it takes is 19 lines of JavaScript - and if you can persuade an iPhone user to view it, the site will trigger the handset’s version of Mac OS X to experience a kernel panic and reboot.

Biting tongue.

Article Link

Yahoo! Music Jukebox ActiveX Buffer Overflows

Well, it’s not too often that I see a 5/5 rated security vulnerability on Secunia. So, I figured I would pass this one along.

From Secunia:

Description:
Some vulnerabilities have been discovered in Yahoo! Music Jukebox, which can be exploited by malicious people to compromise a user’s system.

1) A boundary error in the YMP DataGrid ActiveX control (datagrid.dll) when handling arguments passed to the “AddImage()” and “AddButton()” methods can be exploited to cause a stack-based buffer overflow via an overly long argument.

2) A boundary error in the Yahoo! Mediagrid ActiveX control (mediagridax.dll) when handling arguments passed to the “AddBitmap()” method can be exploited to cause a stack-based buffer overflow via an overly long argument.

Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website.

NOTE: Working exploit code is publicly available.

The vulnerabilities are confirmed in Yahoo! Music Jukebox version 2.2.2.056. Other versions may also be affected.

Article Link

The exploits are in the wild:

http://milw0rm.com/exploits/5043
http://milw0rm.com/exploits/5051
http://milw0rm.com/exploits/5052

Attack Proves Critical Windows Bug ‘Highly Exploitable’

Aitel to Microsoft…Ya know what? Uh, uh.

From Computer World:

Security researchers yesterday said they’d discredited Microsoft’s claim that the year’s first critical Windows vulnerability would be “difficult and unlikely” to be exploited by attackers.

On Tuesday, Immunity Inc. updated a working exploit for the TCP/IP flaw spelled out Jan. 8 in Microsoft’s MS08-001 security bulletin, and posted a Flash demonstration of the attack on its Web site. The exploit, which was released to customers of its CANVAS penetration testing software — but is not available to the public — was a revised version of code first issued two weeks ago.

“This demonstrates conclusively that the MS08-001 IGMPv3 vulnerability is highly exploitable,” said Dave Aitel, Immunity’s chief technology officer, in a message to his Dailydave security mailing list.

Read on.

Article Link

More On SQL Hacks And Javascript

OK, so now that I have my home machine I can dig into the anatomy of the uc8010[dot]com hack’s javascript.

First off, after a site has been infected, a web user who surfs to a hosted page will have a javascript file, typically named “0.js”, executed on an unprotected system, as well as a cookie set. This then calls an iframe and another javascript file that (in the instance I tested) was called “w.js”. It is this file which has an “eval” function that launches the exploit.

This second file (w.js) would launch another iframe that would call a counter from cnzz[dot]com as well as calling a third javascript file called “007.js”.

Smart ass.

This last javascript file would create another iframe that would call a page from mywordmyspace[dot]cn. This would in turn return a script file that called another counter from a site called 51yes[dot]com.

The first counter, I presume, announces to the hacker that a successful breach occurred, and the second indicates that a payload was delivered.

This is by no means an exhaustive test. I’ve only started teasing it apart.

SquirrelMail 1.4.12 Package Compromise

A commonly deployed ass ugly webmail software application, SquirrelMail, is in the news this morning. Apparently the version 1.4.12 package was compromised. This came to light when it was noticed that the MD5 checksums were not matching up. This was the result of a compromised release maintainer’s account according to the notice published on the SquirrelMail site.

From SquirrelMail:

Further investigations show that the modifications to the code should have little to no impact at this time. Modifications seemed to be based around a PHP global variable which we cannot track down. The changes made will most likely generate an error, rather than a compromise of a system in the event the code does get executed.

Original packages, stored on secure media, have been restored to the Sourceforge download servers, and additional signatures for the packages are now available on the SquirrelMail download page at http://www.squirrelmail.org/download.php

While we believe the changes made should have little impact, we strongly recommend everybody that has downloaded the 1.4.12 package after the 8th December, to redownload the package.

So. If you are using version 1.4.12 get on yer bike. You have some patching to do.

Article Link

HP Laptops One Click Hack

This morning while choking down the morning coffee I noticed that HP notebooks have a fly in the ointment. It turns out that software that ships on the laptops has an ActiveX control that can enable a remote attack.

From milw0rm:

Multiple Hewlett-Packard notebook series are prone to a remote code execution attack. The manufacturer’s preinstalled software contains a critical flaw within the software built to support one-touch button quick feature access.

Overview:
/////////

Software called “HP Info Center” has shipped with almost every HP laptop model for a few years. It is designed to support users with quick system information and hardware configuration using a single button touch. One of its ActiveX controls deployed by default by the vendor has three insecure methods that allow a malicious person to target HP notebook machines for remote code execution and remote registry manipulation based attacks.

Impact:
///////

Remote code execution
Remote system registry read/write access
Remote shell command execution

For the full advisory read on.

Article Link

Apple QuickTime Exploit In The Wild

There is a working exploit for Apple QuickTime on the loose.

From Secunia:

Description:
h07 has discovered a vulnerability in Apple QuickTime, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused due to a boundary error when processing RTSP replies and can be exploited to cause a stack-based buffer overflow via a specially crafted RTSP reply containing an overly long “Content-Type” header.

Successful exploitation allows execution of arbitrary code and requires that the user is e.g. tricked into opening a malicious QTL file or visiting a malicious web site.

The vulnerability is confirmed in version 7.3. Other versions may also be affected.

NOTE: A working exploit is publicly available.

Advisory Link

Exploit Link

Security Loophole Found In Windows

Here is an exceptionally interesting article (via slashdot) on a security hole that was discovered by a team from the University of Haifa. The hole deals with a loophole specifically in the Windows 2000 operating system’s random number generator.

From Eurekalert:

A group of researchers headed by Dr. Benny Pinkas from the Department of Computer Science at the University of Haifa succeeded in finding a security vulnerability in Microsoft’s “Windows 2000” operating system. The significance of the loophole: emails, passwords, credit card numbers, if they were typed into the computer, and actually all correspondence that emanated from a computer using “Windows 2000” is susceptible to tracking. “This is not a theoretical discovery. Anyone who exploits this security loophole can definitely access this information on other computers,” remarked Dr. Pinkas.

Various security vulnerabilities in different computer operating systems have been discovered over the years. Previous security breaches have enabled hackers to follow correspondence from a computer from the time of the breach onwards. This newly discovered loophole, exposed by a team of researchers which included, along with Dr. Pinkas, Hebrew University graduate students Zvi Gutterman and Leo Dorrendorf, enables hackers to access information that was sent from the computer prior to the security breach and even information that is no longer stored on the computer.

The researchers found the security loophole in the random number generator of Windows. This is a program which is, among other things, a critical building block for file and email encryption, and for the SSL encryption protocol which is used by all Internet browsers.

Read on.

Article Link
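The property the researchers describe, that a captured generator state exposes output produced before the breach, comes down to whether the state update can be run backwards. The following is an added example, not the article's or the researchers' code and not a model of the Windows 2000 algorithm: a toy generator with an invertible (LCG) update, whose past outputs are fully recoverable from the current state, next to a variant whose update goes through SHA-256 and so cannot be stepped backwards without inverting the hash. The constants A, C and M are constructed for the toy.

```python
import hashlib

# Toy generator parameters (constructed for this example). A is odd, so the
# update s -> A*s + C mod 2^32 is a bijection and has a modular inverse.
M = 2**32
A = 1664525
C = 1013904223
A_INV = pow(A, -1, M)

def lcg_step(state):
    """Forward update of the toy generator."""
    return (A * state + C) % M

def lcg_back(state):
    """Inverse update: the previous state is computable from the current one."""
    return ((state - C) * A_INV) % M

def lcg_outputs(seed, n):
    """Emit n outputs; this toy leaks its state directly as the output."""
    out, s = [], seed
    for _ in range(n):
        s = lcg_step(s)
        out.append(s)
    return out

def recover_past(current_state, n):
    """Attacker model from the article: holding the state at the time of the
    breach, reconstruct the n outputs that preceded it, oldest first."""
    recovered, s = [], current_state
    for _ in range(n):
        s = lcg_back(s)
        recovered.append(s)
    return recovered[::-1]

def hashed_step(state):
    """One-way update: going from state_t back to state_{t-1} means inverting
    SHA-256, so a captured state says nothing about earlier outputs."""
    return hashlib.sha256(b"state" + state).digest()

def hashed_outputs(seed, n):
    """Forward-secure variant; outputs are derived from, not equal to, the state."""
    out, s = [], seed
    for _ in range(n):
        s = hashed_step(s)
        out.append(hashlib.sha256(b"output" + s).digest())
    return out
```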

Computers Commit Suicide To Avoid Being Hacked

From the London News:

IT engineers have developed a new method of self-destruction to secure computer networks against hacking. The approach works by giving all the devices on a network - or “nodes” - the ability to destroy themselves, taking any nearby malevolent device with them.

Self-sacrifice provides a check against malicious nodes attacking legitimate ones.

“Our suicide mechanism is similar in that it enables simple devices to protect a network by removing malicious devices - but at the cost of its own participation,” said Tyler Moore, a security engineer at the University of Cambridge in the UK.

The technique, called “suicide revocation,” lets a single node decide quickly whether another node’s behaviour is malevolent and shut it down. But there’s a drastic cost involved in this procedure: the single node must deactivate itself too. It simply broadcasts an encrypted message declaring itself and the malevolent node dead.

I can’t even begin to fathom the rationale that was put in place here. OK, so the systems off themselves to avoid being hacked. Well, then this would make for one hell of a denial of service scenario.

“Suicide attacks are found widely in nature, from bees to helper T-cells in the immune system,” says Ross Anderson, a colleague of Moore’s.

Yeah, but in those cases the adversary didn’t see it as a leverage opportunity.

Article Link
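To make the trade-off in the quoted description concrete, here is an added toy model of suicide revocation (not Moore and Anderson's code, and not the protocol from their paper): a node broadcasts an authenticated note naming itself and the accused, every node that verifies the note drops both from its membership view, and a node that has already left can no longer accuse anyone. The model assumes a shared view of node keys and uses HMAC in place of the signatures a real deployment would need; the node names and keys are constructed.

```python
import hmac
import hashlib

class Network:
    """Membership view shared by all nodes (toy; one object stands for the
    whole network so the effect of a note can be inspected directly)."""

    def __init__(self, keys):
        self.keys = dict(keys)        # node id -> that node's authentication key
        self.alive = set(self.keys)   # nodes currently trusted by the network

    def suicide_note(self, accuser, accused):
        """The message an accuser broadcasts: 'I and the accused are both dead'."""
        body = f"SUICIDE|{accuser}|{accused}".encode()
        tag = hmac.new(self.keys[accuser], body, hashlib.sha256).hexdigest()
        return body, tag

    def process(self, body, tag):
        """How a receiving node handles a note. Returns True if it took effect."""
        try:
            kind, accuser, accused = body.decode().split("|")
        except ValueError:
            return False
        # A note only carries authority while its author is still a live member:
        # a node spends its own membership exactly once.
        if kind != "SUICIDE" or accuser not in self.alive or accused not in self.keys:
            return False
        expected = hmac.new(self.keys[accuser], body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False              # forged or tampered note is ignored
        self.alive.discard(accused)
        self.alive.discard(accuser)   # the cost: the accuser leaves with the accused
        return True
```

Running it with a malicious node as the accuser shows the denial-of-service cost the post raises: each abusive note removes one legitimate node, but also consumes the attacker-controlled node that sent it.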
