Monday, January 10, 2011

Zero Day Vulnerabilities in Windows

Apologies for writing after so long.

What brings me to write here is the two critical vulnerabilities seen early this year in Microsoft Windows. Almost all supported Windows versions are affected by at least one of them. The worry is that both issues are zero-days: no patch is available from the vendor yet, only workarounds. Follow the references below for those.

The first issue is in the Windows Graphics Rendering Engine (GRE): a stack-based buffer overflow in the CreateSizedDIBSECTION() function in the shimgvw.dll module (CVE-2010-3970). An attacker could exploit it by luring a user into viewing a specially crafted thumbnail image, for example by getting the user to browse a folder or network/WebDAV share containing the image in Windows Explorer's thumbnail view.
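The NVD entry for CVE-2010-3970 linked below describes the trigger as a thumbnail bitmap whose BITMAPINFOHEADER carries a negative biClrUsed value (the declared number of colour-table entries). The Python below is an illustration added for this post, not code from shimgvw.dll or from Microsoft: it shows the bug class, a signed entry count checked only against an upper bound so that a negative value passes and the derived copy length wraps to something far larger than a fixed stack colour table, next to the bound check a parser should do before sizing any buffer. The header layout is the public 40-byte BITMAPINFOHEADER; the sample headers are constructed inline.

```python
import struct

# Public BITMAPINFOHEADER layout: 11 little-endian fields, 40 bytes.
BIH_FMT = "<IiiHHIIiiII"
BIH_SIZE = struct.calcsize(BIH_FMT)          # 40
BI_CLRUSED_OFFSET = 32                       # biClrUsed is the 10th field
RGBQUAD_SIZE = 4                             # one colour-table entry
MAX_PALETTE_ENTRIES = 256                    # 8 bpp is the largest indexed format


def make_header(bit_count: int, clr_used: int, width: int = 16, height: int = 16) -> bytes:
    """Build a constructed 40-byte BITMAPINFOHEADER for testing.

    clr_used is masked to 32 bits so a negative Python int becomes the same
    bit pattern an attacker would place in the file (-1 -> 0xFFFFFFFF).
    """
    return struct.pack(BIH_FMT, BIH_SIZE, width, height, 1, bit_count,
                       0, 0, 2835, 2835, clr_used & 0xFFFFFFFF, 0)


def unsafe_palette_bytes(header: bytes) -> int:
    """The vulnerable pattern (illustration only, not the shimgvw.dll code).

    biClrUsed is read as a *signed* 32-bit int and only the upper bound is
    checked, so a negative count passes.  The byte length computed from it
    wraps once it reaches a 32-bit memcpy/rep-movs length, overrunning a
    colour table that was sized for at most 256 entries on the stack.
    """
    clr_used = struct.unpack_from("<i", header, BI_CLRUSED_OFFSET)[0]
    if clr_used > MAX_PALETTE_ENTRIES:
        raise ValueError("too many colour-table entries")
    return (clr_used * RGBQUAD_SIZE) & 0xFFFFFFFF   # what a 32-bit size would see


def safe_palette_bytes(header: bytes) -> int:
    """Bound the colour-table size from the header before sizing any buffer."""
    if len(header) < BIH_SIZE:
        raise ValueError("truncated BITMAPINFOHEADER")
    (bi_size, _w, _h, planes, bit_count, _comp, _img, _x, _y,
     clr_used, _important) = struct.unpack(BIH_FMT, header[:BIH_SIZE])
    if bi_size < BIH_SIZE or planes != 1:
        raise ValueError("bad biSize/biPlanes")
    if bit_count not in (1, 4, 8, 16, 24, 32):
        raise ValueError("unsupported biBitCount")
    # Only indexed formats carry a colour table; 0 means "all 2**bpp entries".
    # Conservatively reject any declared table for >8 bpp images.
    max_entries = (1 << bit_count) if bit_count <= 8 else 0
    if clr_used > max_entries:                   # unsigned read: catches 0xFFFFFFFF too
        raise ValueError(f"biClrUsed {clr_used} exceeds {max_entries}")
    entries = clr_used or max_entries
    return entries * RGBQUAD_SIZE


def header_is_safe(header: bytes) -> bool:
    """True if the header passes the bounded parse above."""
    try:
        safe_palette_bytes(header)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    evil = make_header(8, -1)                    # negative biClrUsed, as in the CVE description
    print("unsafe length:", hex(unsafe_palette_bytes(evil)))   # no error raised
    print("safe parse accepts it:", header_is_safe(evil))
```

The unsafe path accepts the crafted header and hands a wrapped 32-bit length to the copy; the safe path reads the field as the unsigned DWORD it is and rejects anything above the table size the pixel depth allows.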

The second issue is in Internet Explorer 8 (IE8), which ships on almost every current Windows version. It is a use-after-free in mshtml.dll when processing circular references between JScript objects and Document Object Model (DOM) objects, found with Michal Zalewski's (lcamtuf's) cross_fuzz tool referenced below. Attackers can exploit it by luring users to a crafted web page.

Successful exploitation of either vulnerability lets the attacker run arbitrary code with the privileges of the logged-on user, i.e. take control of the affected system.

For more info, see the following links:

http://www.microsoft.com/technet/security/advisory/2490606.mspx
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AWin32%2FCVE-2010-3970&ThreatID=-2147325626
http://tools.cisco.com/security/center/viewAlert.x?alertId=22180
http://www.vupen.com/english/advisories/2011/0018
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3970
http://community.websense.com/blogs/securitylabs/archive/tags/CVE-2010-3970/default.aspx
http://www.securityfocus.com/bid/45662
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2011-0001
http://www.vupen.com/english/advisories/2011/0026
http://lcamtuf.coredump.cx/cross_fuzz/msie_crash.txt
http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html
http://isc.sans.edu/diary.html?date=2011-01-05
http://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2011-0002
http://www.theregister.co.uk/2011/01/03/ie_0day_leaked/

Wednesday, September 1, 2010

Microsoft released workaround for DLL vulnerability

Microsoft has released an advisory explaining DLL preloading attacks, together with a workaround that lets customers disable the loading of libraries from remote network or WebDAV shares. The workaround tool can be configured to disallow insecure loading on a per-application or system-wide basis.

When an application loads a .dll by name rather than by a hard-coded full path, Windows searches a predefined set of directories for it, and that set includes the current working directory. An attacker can social-engineer a victim into opening a file from a USB drive or a network/WebDAV share on which a malicious .dll with the expected name has been planted; the vulnerable application then loads the attacker's library and executes arbitrary code with the victim's privileges.

To test for this vulnerability you can use the latest Metasploit, whose WebDAV DLL hijacker module serves a share and dynamically generates a .dll with whatever name the vulnerable application requests, plus any Windows application that loads a .dll by name. The victim still has to be lured into opening a file from that share; see the Metasploit blog posts referenced below.

Workarounds suggested:

Disable loading of libraries from WebDAV and remote network shares (via the tool below).
Disable the WebClient service, which is what makes WebDAV shares reachable as file paths.
Block TCP ports 139 and 445 at the perimeter firewall. Note that this stops SMB shares only; WebDAV runs over HTTP(S), which is why disabling WebClient is listed separately.
Microsoft has issued a tool that lets administrators alter the library loading behaviour on a system-wide basis or for specific applications. The tool is available at:
http://support.microsoft.com/kb/2264107
Developers should follow the best practices against DLL preloading attacks described here: http://msdn.microsoft.com/en-us/library/ff919712%28VS.85%29.aspx
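To make the search-order explanation and the workaround concrete, here is a small model of the DLL search order and of the CWDIllegalInDllSearch registry setting that the KB2264107 tool configures. This is an illustration added for this post, not Windows code: the directory names and the "VulnApp"/"helper.dll"/"\\evil\share" scenario are made up, the fixed Windows locations are placeholders, and the meaning of the three setting values follows KB2264107 as linked above. KnownDLLs and already-loaded modules, which Windows consults before any directory, are left out.

```python
# Model of the Windows DLL search order (SafeDllSearchMode on, the default since
# XP SP2) and of the CWDIllegalInDllSearch workaround from KB2264107.
# Illustration only; directory names are invented placeholders.

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDOWS = r"C:\Windows"

# Values of the CWDIllegalInDllSearch registry entry (global under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, or per application
# under Image File Execution Options\<app.exe>), as documented in KB2264107.
CWD_DEFAULT = 0x0          # current working directory searched as usual
CWD_BLOCK_WEBDAV = 0x1     # skip CWD when it is a WebDAV folder
CWD_BLOCK_REMOTE = 0x2     # skip CWD when it is any remote folder (UNC or WebDAV)
CWD_NEVER = 0xFFFFFFFF     # remove CWD from the search order entirely


def cwd_is_searched(cwd_kind: str, setting: int) -> bool:
    """cwd_kind is 'local', 'unc' or 'webdav'."""
    if setting == CWD_NEVER:
        return False
    if setting == CWD_BLOCK_REMOTE:
        return cwd_kind == "local"
    if setting == CWD_BLOCK_WEBDAV:
        return cwd_kind != "webdav"
    return True


def resolve_dll(name, app_dir, cwd, cwd_kind, path_dirs, dirs_containing,
                setting=CWD_DEFAULT):
    """Return the path LoadLibrary(name) would pick, or None if not found.

    dirs_containing is the set of directories that actually hold a file
    called `name`.  The order is: application directory, System32, the
    16-bit System directory, the Windows directory, the current working
    directory (unless the setting removes it), then each PATH directory.
    """
    order = [app_dir, SYSTEM32, SYSTEM16, WINDOWS]
    if cwd_is_searched(cwd_kind, setting):
        order.append(cwd)
    order.extend(path_dirs)
    for directory in order:
        if directory in dirs_containing:
            return directory + "\\" + name
    return None


def hijack_scenario(setting=CWD_DEFAULT):
    """Victim opens a document from \\evil\share (a WebDAV share), so that
    becomes the CWD.  The app asks for helper.dll, which is not shipped next
    to the app or in System32; the attacker planted a copy on the share and
    a legitimate copy sits in a PATH directory."""
    return resolve_dll(
        name="helper.dll",
        app_dir=r"C:\Program Files\VulnApp",
        cwd=r"\\evil\share", cwd_kind="webdav",
        path_dirs=[r"C:\Tools"],
        dirs_containing={r"\\evil\share", r"C:\Tools"},
        setting=setting,
    )


if __name__ == "__main__":
    for label, value in (("default", CWD_DEFAULT), ("block WebDAV", CWD_BLOCK_WEBDAV),
                         ("block remote", CWD_BLOCK_REMOTE), ("never", CWD_NEVER)):
        print(f"{label:13s} -> {hijack_scenario(value)}")
```

With the default setting the share wins because it is searched before PATH; any of the three hardened values pushes the lookup past the share to the legitimate copy. The model also shows why the fix is only a mitigation: a DLL that does exist in the application directory or System32 is never reachable from the share, while one that exists nowhere but PATH or CWD is, which is exactly the set of library names the Metasploit audit kit hunts for.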

To read more, follow:
http://www.cert-in.org.in/vulnerability/civn-2010-193.htm
http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html
http://blog.metasploit.com/2010/08/better-faster-stronger.html
http://news.cnet.com/8301-27080_3-20014625-245.html
http://support.microsoft.com/kb/2264107
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
http://www.microsoft.com/technet/security/advisory/2269637.mspx
http://msdn.microsoft.com/en-us/library/ms682586(v=VS.85).aspx
http://isc.sans.edu/diary.html?storyid=9445

$3cur3 y0ur $y$t3m !!!

nj0y !!!

Monday, August 23, 2010

PT with Browser

Yes, penetration testing has become much easier nowadays. For many web-application tests you don't need heavy, bulky, expensive vulnerability assessment tools; all you need is a browser (Firefox) and its add-ons (plug-ins), which are available for free. Here I describe free Mozilla add-ons that can help you perform vulnerability assessment and penetration testing effectively.

These add-ons are listed below:
1. SQL Inject Me: submits SQL injection test strings into the form fields of the current page and looks for error responses. SQL injection vulnerabilities can cause a lot of damage to a web application.
2. HackBar: a simple security audit / penetration test toolbar for manipulating URLs, POST data and encodings.
3. Backend Software Information: detects the backend software of the current website (Drupal 5.x, 6.x, WordPress 2.x, Django, phpBB, MediaWiki, MoinMoin, Joomla, Reddit, ...).
4. Firebug: integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug and monitor CSS, HTML and JavaScript live in any web page.
5. FxIF: view EXIF data in image properties.
6. Fireforce: launches brute-force attacks on GET or POST forms.
7. Widerbug: web development with CSS and JavaScript.
8. Lazarus: auto-saves all forms as you type, so lost input can be recovered.
9. ShowIP: shows the IP address(es) of the current page in the status bar.
10. Multiproxy Switch: lets you switch between multiple proxy configurations; easy to manage and configure.
11. FoxyProxy Standard: an advanced proxy management tool that completely replaces Firefox's limited proxying capabilities.
12. PassiveRecon: lets information security professionals perform "packetless" discovery of target resources using publicly available information.
13. Live HTTP Headers: view the HTTP headers of a page, and while browsing.
14. Add N Edit Cookies: a cookie editor that lets you add and edit session and saved cookies.
15. Greasemonkey: lets you customize the way a web page displays using small bits of JavaScript.
16. XSS Me: submits cross-site scripting test strings into the form fields of the current page. Cross-site scripting (XSS) is a common flaw in today's web applications.
17. Whiteacid's XSS assistant: a helper for crafting and testing cross-site scripting payloads; very powerful.
18. SQL Injection: an upgrade of the old Form Free add-on. It transforms checkboxes, radio buttons and select elements into text inputs and enables disabled elements in all forms on a page, which makes it easier to test for and identify SQL injection vulnerabilities.
19. FireCAT 1.5 "Plus" Edition: the Firefox Catalog of Auditing exTensions, a catalogue of security-oriented Firefox add-ons.
20. iMacros for Firefox: automates Firefox. Records and replays repetitive work such as visiting the same sites every day, filling out forms or logging in; whatever you do with Firefox, iMacros can automate it.
21. Xmarks Sync: a bookmarking add-on that keeps your bookmarks, passwords and open tabs backed up and synchronized across computers and browsers.
22. Read It Later: saves pages to read later with one click and makes the reading list available from any computer or phone, even offline.

To read more, follow:

Have safe browsing, safe hacking and successful penetration testing.

nj0y !!!


Adobe Patches

This month Adobe released patches for a number of severe vulnerabilities in its products, most of which we use every day. It is therefore requested that you update all Adobe products to avoid system compromise and the severe problems it causes, and if possible use the Adobe Updater (Adobe Update Manager) so the updates are applied automatically.

Affected Adobe Products

Adobe Flash Player 10.1.53.64 and earlier
Adobe AIR 2.0.2.12610 and earlier
Adobe ColdFusion 9.0.1 and previous versions
Flash Media Server 3.5.3 and earlier versions
Flash Media Server 3.0.5 and earlier versions

Details are given below:
Adobe

CERT-In

#@V3 $@F3 8R0W$!N9 !!!

nj0y !!!

Wednesday, August 11, 2010

Hello Friends,

Today is Microsoft patch day: Microsoft has released 15 security bulletins covering 34 vulnerabilities.
They affect the Windows Kernel, Windows Movie Maker, SChannel, Microsoft XML Core Services, the Microsoft MPEG Layer-3 codecs, the Cinepak codec, SMB Server, Internet Explorer, Microsoft Office Word, Microsoft Office Excel, TCP/IP, Microsoft .NET and Silverlight. Install the patches as described in the Microsoft Security Bulletins; most of them are rated Critical and need to be applied as early as possible.

Critical: Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
Critical: Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)
Critical: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)
Critical: Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)
Critical: Cumulative Security Update for Internet Explorer (2183461)
Critical: Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)
Critical: Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)
Critical: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)
Critical: Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)
Important: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)
Important: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)
Important: Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)
Important: Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)
Important: Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
Important: Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799)

Apply the patches for all vulnerabilities applicable to you and nj0y $@f3 8r0w$!n9 . . .

nj0y !!!

Monday, July 19, 2010

Windows Shortcut(.lnk) Vulnerability

Windows Shell, a component of Microsoft Windows, is vulnerable to remote code execution via a shortcut file. A shortcut is a link to a file or program, represented by an icon; double-clicking the shortcut opens the file or program. Shortcuts are often used to keep frequently used files in a single, easily accessed location such as a folder or the desktop, and are implemented as files with the .lnk extension. This .lnk exploit works on Windows XP, Vista and Windows 7.

An attacker could exploit this vulnerability by introducing a removable drive or by setting up a remote network share for the targeted users. When a user opens the removable drive or browses the share, Windows Shell attempts to load the icon of the shortcut file and the malicious binary may be invoked; merely displaying the folder is enough, the user does not have to double-click the shortcut.

A remote attacker who successfully exploits this vulnerability may execute arbitrary code on the system with the privileges of the currently logged-in user. This is especially dangerous if you run your system with administrative privileges.

Some antivirus vendors have pushed detection of malicious shortcut files to their products.

Until Microsoft comes up with a fix, it is suggested to apply the workarounds given in the Microsoft advisory referenced below.

To read more, follow:

CERT-In
http://www.cert-in.org.in/vulnerability/civn-2010-169.htm

Microsoft
http://www.microsoft.com/technet/security/advisory/2286198.mspx

Trendmicro
http://blog.trendmicro.com/usb-worm-exploits-windows-shortcut-vulnerability/

ISC
http://isc.incidents.org/diary.html?storyid=9181

nj0y !!!

#@v3 $@f3 br0w$!n9 !!!

Friday, July 16, 2010

Fake Spam page: "Ten Things Girls Should Never Say to Guys"

Today I found another interesting post on my wall which caught my attention. It is again one of the fake/spam Facebook pages I have written about in past months. This page claims around 313K fans to lure users. It does the same thing: it automatically posts on your wall and suggests to others that you like the page, which you never did; the application page does it for you. Along with all these weird activities, it serves you adware and spyware. If you want to know more, scroll down.

Have a look at this page. It is a fake spam page using the teaser "Ten Things Girls Should Never Say to Guys" to entice naive users into a series of clicks. It is not as dangerous as the earlier ones, which installed backdoors and trojans, but it does install adware, which could also be spyware.

For my analysis, this time I decided not to click the "Like" button but wherever else they told me to click. I did, and landed on this page:
This page asks me to prove I'm human and not a bot, but it doesn't really make sense: which button works is random, only one of the two functions. If the BLUE one is active and you click RED first, you'll find it works anyway; if the RED one is active and you click BLUE followed by RED, it makes no sense either.
In both cases it takes you to another page that looks like an age confirmation page (shown at the right), which I believe is a fake confirmation used to trick naive users. See the next page and you'll understand why they ask you to confirm.

Here comes the real story: this page tells you to download two sophisticated adware programs, possibly spyware, named:

"Create a cartoon image of yourself for your Facebook profile"
and
"Get free Smileys for AIM and other IM programs".
If you click these links, you land on two different application download pages, which look like this:

These two applications appear to do what they claim, and upon clicking, the pages serve you two nice-looking applications. I suspected that apart from their usual business they were doing something unusual, so I uploaded the binaries to VirusTotal for verification, and the results were eye-opening: the binaries I had just downloaded are not plain applications, they are adware and possibly spyware.
The VirusTotal analysis is shown below:
Once this adware/spyware is installed on your system, it can collect various types of personal information, such as your surfing habits and the sites you have visited, and could also allow a remote attacker to access your computer. All of this happens without your consent, because you already allowed it to run on your system.

Along with these activities, you will find something on your wall which looks like this:
It is posted on your wall to show that you like this page and to suggest that others like it too, which is very weird since you never actually did.

After all this effort I still could not find out what the ten things are that girls should never say to guys. Isn't that funny?

So, friends: if you use Facebook, don't blindly like pages or grant them access to your profile without thinking about what they do. Whenever a page tells you to like it first and only then shows you the content, that alone is enough to sense something fishy. Please beware of such pages.

I posted about similar things earlier in my blog; please refer to those posts to learn more about these fake pages. Do let me know if you observe anything unusual (on the Internet, obviously).

H@v3 $@f3 Br0w$!n9 !!!

nj0y !!!

Reporting Cyber Crime

Govt. of India took great initiative by facilitating citizens with "National Cyber Crime Reporting Portal" ( https://cybercrime...