Thursday, July 29, 2010

Major Oil Company Data Leaked By Service Provider at Black Hat USA 2010 Conference

At the recent Black Hat USA 2010 security conference, a well-known Washington DC area security service provider accidentally leaked a sensitive penetration test report for a major US-based oil company. The report contained enough sensitive information to gain Windows domain administrator access rights, as well as the username and password of everyone in the target company's domain. According to the detailed, 39-page report, these access rights included the ability to access servers containing SCADA system information. The report was not encrypted or password-protected in any way; anyone with access to the leaked document and a copy of Microsoft Word could read it in full.

The file was inadvertently distributed on USB keys provided to some attendees.

I guess the lesson here is that, as a service provider, you must take absolutely every precaution to safeguard customer data.

As a purchaser of pentest services, you should make sure that you contractually require your pentest vendor to take any necessary precautions to safeguard whatever reports and data they might retain. If you need boilerplate terms and services contract language, please contact me via email or as @sharpesecurity on Twitter. If there is enough demand, I may post the sample contract language online for download.

Essentially, the process used was fairly standard for an insider-threat-type pentest:
1). gain access to an internal Windows client
2). stop the client's AV
3). identify candidate local admin accounts on that client to compromise
4). use fgdump to extract the password hashes for those accounts
5). use rcrack to convert those hashes to cleartext passwords
6). identify which of those accounts are used on all Windows client builds
7). NET VIEW to get a list of usernames and machines in the target domain
8). NET GROUP "domain admins" /domain to get a list of candidate domain admins
9). use the results of steps 7 and 8 to pivot to the client machines of a domain admin; the steps below show how
10). attack a domain admin's client machine using the Metasploit Framework's incognito token impersonation utility to obtain that domain admin's privilege level
11). access the domain admin's client machine with local admin privileges over the admin$ pipe to upload the Metasploit Meterpreter, using one of the shared local admin accounts taken in steps 3-5. The psexec module in Metasploit was used to conduct the attack; this allowed a binary to be uploaded inside of a process and reside in memory for the duration of the attack, giving full control over the client machine.
12). use the Metasploit incognito commands to list the available tokens to impersonate, impersonate the target domain admin user, and create a new account in the "domain admins" group to demonstrate the successful compromise of the target Windows domain
13). dump every username and password hash on the domain controller using fgdump.exe for later offline cracking using rcrack
14). this should be enough to access any machine or data in the domain



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

Tuesday, July 27, 2010

Google Chrome 5.0.375.125 Released

Google Chrome 5.0.375.125 has been released for Windows, Mac, and Linux. The update includes fixes for five vulnerabilities, three of which are classified as critical.

References:
http://googlechromereleases.blogspot.com/



Monday, July 26, 2010

Firefox 3.6.8 Released

Mozilla has released Firefox 3.6.8. This version contains security fixes, according to the release notes (linked below).


References:
http://www.mozilla.com/en-US/firefox/3.6.8/releasenotes/




Wednesday, July 21, 2010

Dell Confirms Malware in Some PowerEdge Motherboard Firmware

Dell confirms malware is present in the firmware in some PowerEdge motherboards. No further details are available at this time beyond what is in the link below. If someone has a copy of the problematic firmware image and can send that to me, I will reverse the malware and post the results here. My contact information is below.


References:
http://en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx



Possible End to Adobe Reader Upgrade Hamster Wheel

Adobe has announced that the next major version of its Adobe Reader product will contain "Adobe Reader Protected Mode", i.e. sandboxing.

From Adobe's description of the new feature:

"The initial release of Adobe Reader Protected Mode will be the first phase in the implementation of the sandboxing technology. This first release will sandbox all “write” calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. This will mitigate the risk of exploits seeking to install malware on the user’s computer or otherwise change the computer’s file system or registry. In future releases of Adobe Reader, we plan to extend the sandbox to include read-only activities to protect against attackers seeking to read sensitive information on the user’s computer."


References:
http://blogs.adobe.com/asset/2010/07/introducing-adobe-reader-protected-mode.html
http://krebsonsecurity.com/2010/07/adobe-sandbox-will-stave-off-reader-attacks/




Firefox 3.6.7 and 3.5.11 Released

Mozilla has released Firefox 3.6.7 and 3.5.11. These versions contain security fixes and other changes as outlined in the links below.


References:
http://www.mozilla.com/en-US/firefox/3.6.7/releasenotes/
http://www.mozilla.com/en-US/firefox/3.5.11/releasenotes/




Tuesday, July 20, 2010

CFCE Forensics Cert Open to People Outside of Law Enforcement?

From http://www.iacis.com/news/view/33:

"The IACIS Membership recently voted to open certification programs to non-members or those who do not qualify for membership. Therefore, the Certified Forensic Computer Examiner (CFCE) Certification will be available to applicants of the computer/digital forensics community who qualify. A comprehensive background check will be required, and we will provide more details as they become available. Please check back often as the program is unveiled".




Monday, July 19, 2010

Microsoft Office 2003 and 2007 SKU Uninstall Strings

For the software packagers out there who need this type of list, the following command lines are provided as a reference and can be used to silently uninstall updates from the various Office 2003 and 2007 SKUs. Please test these on a test machine before using them in any production environment.

%windir%\System32\msiexec.exe /package /uninstall {8F1CF36F-7BC8-42CF-8A5A-8B803DE8423A} /QN /L*V %temp%\KB980373_Uninstall.log

%windir%\System32\msiexec.exe /package /uninstall {48113C06-9BA2-4D54-A731-D1D2C5B3144A} /QN /L*V %temp%\KB980376_Uninstall.log

Office 2003 Product Codes (see KB832672 for related info):

Office 2003 Standard
{90120409-6000-11D3-8CFE-0150048383C9}

Office 2003 Professional Edition
{90E30409-6000-11D3-8CFE-0150048383C9}

Office 2003 Enterprise
{90110409-6000-11D3-8CFE-0150048383C9}

Office 2003 Small Business Edition
{90CA0409-6000-11D3-8CFE-0150048383C9}

Office 2007 Product Codes (see KB928516 for related info):

Office 2007 Standard
{90120000-0012-0000-0000-0000000FF1CE}

Office 2007 Enterprise
{90120000-0030-0000-0000-0000000FF1CE}

Office 2007 Professional
{90120000-0014-0000-0000-0000000FF1CE}

Office 2007 Professional Plus
{90120000-0011-0000-0000-0000000FF1CE}

For example, the following two command lines are specific to Office 2003 and Office 2007 Standard and would remove patch MS10-045:

%windir%\System32\msiexec.exe /package {90120409-6000-11D3-8CFE-0150048383C9} /uninstall {8F1CF36F-7BC8-42CF-8A5A-8B803DE8423A} /QN /L*V %temp%\KB980373_Uninstall.log

%windir%\System32\msiexec.exe /package {90120000-0012-0000-0000-0000000FF1CE} /uninstall {48113C06-9BA2-4D54-A731-D1D2C5B3144A} /QN /L*V %temp%\KB980376_Uninstall.log
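As an added example (not part of the original post and not Microsoft tooling), the following PowerShell script assembles the MS10-045 uninstall command line for whichever of the Office product codes listed above is actually installed, checked via the Windows Installer Uninstall registry key, and prints each command before optionally running it. The product codes and patch GUIDs are the ones from the post; the function names and the `-Run` switch are my own.

```powershell
# Added example: build msiexec patch-uninstall command lines for installed Office SKUs.
# Product codes and patch GUIDs are copied from the post above.
$ProductCodes = @{
    'Office 2003 Standard'               = '{90120409-6000-11D3-8CFE-0150048383C9}'
    'Office 2003 Professional Edition'   = '{90E30409-6000-11D3-8CFE-0150048383C9}'
    'Office 2003 Enterprise'             = '{90110409-6000-11D3-8CFE-0150048383C9}'
    'Office 2003 Small Business Edition' = '{90CA0409-6000-11D3-8CFE-0150048383C9}'
    'Office 2007 Standard'               = '{90120000-0012-0000-0000-0000000FF1CE}'
    'Office 2007 Enterprise'             = '{90120000-0030-0000-0000-0000000FF1CE}'
    'Office 2007 Professional'           = '{90120000-0014-0000-0000-0000000FF1CE}'
    'Office 2007 Professional Plus'      = '{90120000-0011-0000-0000-0000000FF1CE}'
}
# MS10-045 patch package codes from the post: KB980373 (Office 2003), KB980376 (Office 2007).
$Patches = @{
    '2003' = @{ KB = 'KB980373'; Guid = '{8F1CF36F-7BC8-42CF-8A5A-8B803DE8423A}' }
    '2007' = @{ KB = 'KB980376'; Guid = '{48113C06-9BA2-4D54-A731-D1D2C5B3144A}' }
}

function Test-ProductInstalled([string]$ProductCode) {
    # Windows Installer registers every installed MSI product under the Uninstall key by product code;
    # the Wow6432Node path covers 32-bit Office on 64-bit Windows.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($r in $roots) { if (Test-Path (Join-Path $r $ProductCode)) { return $true } }
    return $false
}

function Get-OfficePatchUninstallCommands([switch]$Run) {
    foreach ($sku in $ProductCodes.Keys) {
        $code = $ProductCodes[$sku]
        if (-not (Test-ProductInstalled $code)) { continue }   # skip SKUs not present on this box
        $year    = if ($sku -like 'Office 2003*') { '2003' } else { '2007' }
        $patch   = $Patches[$year]
        $log     = Join-Path $env:TEMP ("{0}_Uninstall.log" -f $patch.KB)
        $msiArgs = "/package $code /uninstall $($patch.Guid) /QN /L*V `"$log`""
        Write-Output "$sku -> msiexec.exe $msiArgs"
        if ($Run) {
            # Silent uninstall; 0 means success, 3010 means success but a reboot is required.
            $p = Start-Process -FilePath "$env:windir\System32\msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru
            Write-Output "  exit code: $($p.ExitCode)"
        }
    }
}

# Dry run by default: prints the command lines only. Pass -Run to actually uninstall the patch.
Get-OfficePatchUninstallCommands
```

Run it from an elevated PowerShell prompt; the verbose log path per patch matches the ones in the command lines above.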



If you need any assistance with this or any other software packaging/repackaging project, please don't hesitate to contact us:
email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

HP OpenView Network Node Manager Vulnerability

Exploit code has been made publicly available for a vulnerability (CVE-2010-1964) in HP OpenView Network Node Manager. HP has stated that this vulnerability could potentially be remotely exploited.


References:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439
http://www.zerodayinitiative.com/advisories/ZDI-10-108/
http://www.exploit-db.com/exploits/14256/
http://cve.mitre.org/cgi-bin/cvename.cgi?





Windows XP SP2 32-Bit, Windows 2000 Off Support

As a reminder, starting after 13 July 2010 (unless you have purchased Microsoft Custom Support) you will no longer receive patches for the following Microsoft products:

- Windows XP Service Pack 2 (32 bit only. XP 64-bit remains under support through April 2014)
- Windows 2000 Server and Professional
- Microsoft Office 2007 Service Pack 1




Vulnerability in IBM SolidDB

IBM has released a fix for IBM solidDB to address a remotely exploitable buffer overflow vulnerability. This vulnerability can be exploited by an unauthenticated remote attacker to execute arbitrary code and potentially gain administrative access. The relevant Fix Pack is available from the second References section link below.

From IBM's bulletin:
"This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM solidDB. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the solid.exe process which listens by default on TCP port 1315. The code responsible for parsing the first handshake packet does not properly validate the length of the username field. By crafting an overly long value in the request an attacker can exploit this to execute arbitrary code under the context of the SYSTEM user."


References:
http://www.zerodayinitiative.com/advisories/ZDI-10-125/
http://www-01.ibm.com/support/docview.wss?uid=swg21439148&myns=swgimgmt&mynp=OCSSPK3V&mync=R



PHP Unserialize() Vulnerability

A vulnerability in the PHP unserialize() function was announced at the SyScan 2010 security conference. Proof-of-concept exploit code has been published publicly. PHP developers have committed a fix to their source code repository (see link below), but have not released an official fix as of this writing.

Affected versions:
PHP 5.2 <= 5.2.13
PHP 5.3 <= 5.3.2


References:
http://nibbles.tuxfamily.org/?p=1837
http://svn.php.net/viewvc?view=revision&revision=300843
http://php-security.org/2010/06/25/mops-2010-061-php-splobjectstorage-deserialization-use-after-freevulnerability/



New Security Update in Apple iTunes 9.2.1 Released

Apple has released iTunes version 9.2.1. This release contains one security patch.

From http://support.apple.com/kb/HT4263 :
"Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in the handling of "itpc:" URLs. Accessing a maliciously crafted "itpc:" URL may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking."



Thursday, July 15, 2010

New USB Threat - Link Files

According to this article, there appears to be a newly discovered threat affecting Windows 7 from USB devices NOT related to autorun or autoplay. This one has to do with viewing .LNK files through the Windows GUI.

The major AV companies already have samples and are releasing definitions for the known variants. For example, Symantec detects the malware as W32.Temphid and released that detection on 13 July 2010.


References:
http://anti-virus.by/en/tempo.shtml
http://en.securitylab.ru/viruses/395815.php



Wednesday, July 14, 2010

Gregory Evans - Ligatt allowed to speak at HTCIA conference

As an HTCIA member, I think I am slightly ashamed of this.

"Gregory Evans Why Cybercrime Pays from an Ex-Computer Hacker's Perspective "

UPDATE 29 July 2010 - HTCIA reports that LIGATT's Gregory Evans has been removed from the speaker's list. HTCIA (eventually) did the right thing. I am happy again.

References:
http://twitter.com/HTCIA
http://www.htciaconference.org/speakers.shtml




Tuesday, July 13, 2010

Oracle July 2010 Quarterly Patches Released

Oracle has released their July 2010 quarterly patches. Oracle indicates that, for some of the products affected, several of these vulnerabilities may be remotely exploitable without authentication.


References:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html



July 2010 Microsoft Monthly Patches Released

Microsoft has released the July 2010 monthly patches. This set includes a fix (MS10-042) for the vulnerability that Tavis Ormandy released a few weeks ago that caused a bit of a media storm and controversy about disclosure. Public exploit code exists for that vulnerability.


References:
https://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx




Microsoft Exchange Server 2007 OWA CSRF Exploit Code Released

Exploit code has been published for a CSRF vulnerability in Microsoft Exchange Server 2007 Outlook Web Access. Early reports indicate that Microsoft has fixed the underlying bug in Service Pack 3 for Exchange Server 2007. Whether or not Exchange 2003 is affected is unknown at this time.

References:
http://www.securityfocus.com/bid/41462/
http://www.exploit-db.com/exploits/14285/
http://sites.google.com/site/tentacoloviola/pwning-corporate-webmails




Sunday, July 11, 2010

Default Writable SNMP Community Names Vuln in Cisco Industrial Ethernet 3000 Series Switches

Cisco Industrial Ethernet 3000 (IE 3000) Series switches running IOS versions 12.2(52)SE or 12.2(52)SE1 have a vulnerability in which the SNMP "public" and "private" community names are hard-coded for both read and write access.

Vendor workaround and upgrade information is at the link below.


References:
http://www.cisco.com/warp/public/707/cisco-sa-20100707-snmp.shtml




Wednesday, July 7, 2010

Google Chrome 5.0.375.99 Released

Google Chrome 5.0.375.99 has been released for Windows, Mac, and Linux. The update includes fixes for nine vulnerabilities, four of which are classified as critical.

References:
http://googlechromereleases.blogspot.com/2010/07/stable-channel-update.html

