BASE – 3 Persistent Cross Site Scripting Vulnerabilities

Posted by Jabra on May 30

BASE, a well known Snort Frontend has 3 Persistent Cross Site Scripting
Vulnerabilities.

For those who don’t know, Cross-Site Scripting allows the attacker to inject
Javascript to modify the functionality of the webpages. Since this
vulnerability exists in BASE, this allows an attacker to…

URL: http://seclists.org/fulldisclosure/2009/May/0278.html

CIS releases security configuration standards for iPhone

The nonprofit Center for Internet Security (CIS) this week released free guidelines that can help organizations develop custom policies related to use of the increasingly popular mobile device, said Blake Frantz, CTO of the CIS. The benchmarks inform users about the security configuration settings available to them on the iPhone. For example, the standards explain how to make adjustments to protect data and deter potential attacks, such as disabling Bluetooth or JavaScript, or creating a strong password policy.

Frantz told SCMagazineUS.com on Friday that feedback from the CIS’ 150 members showed that there was a need for iPhone security standards. “It’s going to have your organization’s confidential information on it,” he said. “We want to equip organizations with some best practices that that information remains confidential.”

The guidance arrive at a time when businesses are facing increased pressure to manage their employees’ smartphones. A recent Osterman Research study, sponsored by Zenprise, provider of mobile management solutions, reported that the percentage of North American workers issued mobile devices by their employers will double from 23 percent last year to 46 percent in 2011. Other studies have said the number of iPhones in use in the enterprise will triple between now and 2011.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31541

Malicious Web Site / Malicious Code: Mass Injection Compromises More than Twenty-Thousand Web Sites

Websense Security Labsâ„¢ Threatseekerâ„¢ Network has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites.

This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.

Screeenshot of injected code in an injected site:

The exploit site is laden with various attacks. After successful exploitation, a malicious file is run on the exploited computer. The executed malware file has a very low AV detection rate.

Websense® Messaging and Websense Web Security customers are protected against this attack.

URL: http://securitylabs.websense.com/content/Alerts/3405.aspx

Re: FFSpy, a firefox malware PoC

Posted by FUDder Guy on May 25

> From: saphex <saphex_at_gmail.com>
> Date: Wed, 20 May 2009 01:42:16 +0100
>
> I think this is interesting, myf00.net/?p=18
>

So, how does someone manage to edit the overlay file?

Are they going to use some javascript from a malicious website to edit
the…

URL: http://seclists.org/fulldisclosure/2009/May/0203.html

D-Link¡¦s CAPTCHA ¡V A Big Question on Security

As per the security report, it took nearly a week for the researchers at SourceSec to detect a flaw in the implementation of CAPTCHA (completely automated public Turing test to tell humans and computers apart) by D-Link in its routers, which was originally meant to stop the malware that changes DNS from attaining its goal automatically.

SouceSec stated that the flaw in implementation allowed a malware/attacker to obtain Wi-Fi Protected Access (WPA) passphrase that too by means of merely user-level access, and without a properly solved CAPTCHA. This is apparently because the authentication system based on CAPTCHA was improperly integrated into some of the pages.

Further, a combination of simple JavaScript code using anti-DNS (Domain Name System) may be implemented without having the need for attacker to install the malware on router. Rather, the assault can be launched by visiting a site. In other words, a D-Link user’s visit to a site with its router may simply result in downloading of malware on his/her system, all due to this malicious flaw.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31427

Analyzing malicious PDF documents, (Sun, May 24th)

As we announced in a recent ISC diary, Adobe is changing its patching model and strategy, but it seems still JavaScript will be enabled by default in Adobe Acrobat and Reader. As a consequence, I foreshadow more PDF vulnerabilities, exploits and attacks in the near future (let’s hope I’m wrong).
On the one hand, I’ve been actively using PDF exploits in recent penetration tests, emulating the real-world attacks we have seen in the wild and described in several ISC diaries during the last 2-3 years (you can get most of them using the following search in Google: pdf site:isc.sans.org). Both, the open-source Metasploit Framework, and commercial pen-testing tools, like Core Impact, include these capabilties.
On the other hand, we need to be able to disect these malicious files when we are the target . The Hakin9 magazine has made available this week (for free) a great introductory article on the internal formatting of PDF files and how to analyze malicious PDF documents, those exploiting a vulnerability in the embedded JavaScript interpreter (very common), by Didier Stevens (a well known PDF expert we’ve mentioned regarding previous PDF vulnerabilities):
Anatomy of Malicious PDF Documents. Didier Stevens. Hakin9 magazine.
In order to get a copy of the article, in PDF format (What a coincidence! Is it malicious or not? ), you just need to provide an e-mail address. Do not forget to download the RTF document with the code listing (link on the right hand side).
This article is a must read and great starting point for incident handlers interested on increasing their skills to analyze malicious PDF documents.If you want to start practicing today, before being a target, generate a malicious PDF document in Metasploit and analyze it. For more advanced inspection, I encourage you to use some specific PDF analysis tools.

]]> http://sechero.com/analyzing-malicious-pdf-documents-sun-may-24th/feed/ 0 http://sechero.com/patching-and-apple-java-issue-fri-may-22nd/ http://sechero.com/patching-and-apple-java-issue-fri-may-22nd/#comments Fri, 22 May 2009 14:06:08 +0000 invalid string

Patching and Apple – Java issue, (Fri, May 22nd)

At the other end of the spectrum is Apple. There is a java issue (CVE-2008-5353)which was reported to Sun and fixed by Sun back in December. For some reason the fix for this was not included in the recent security updates all Mac users would have received recently. Why not?
Actually thats what we asked, but the response was a tad disappointing and not at all enlightening. In the mean time Mac users are vulnerable to a simple driveby exploit. The POC code was posted on Milw0rm a couple of days ago. You can read more on the issue hereand here. The page on the first link has a link which will execute the /usr/bin/say command using a java applet it demonstrates the issue nicely.
It won’t be long before it is being used in live exploits. Apple, please fix it, soon. In the mean time people disable java.
Mark H

URL: http://isc.sans.org/diary.php?storyid=6442&rss

Google Accelerates Chrome 2 For Windows

Google’s Chrome browser got faster Thursday with the release of Chrome 2.0.172.28. No, that’s not an IP address. While Microsoft prefers to hide incremental update designations in Internet Explorer to confound hackers, Google wants everyone to know that its engineers are upgrading everything as fast as they can.

At the same time, Google recognizes that some of its users may be confounded by its impenetrable version designations. “We’re referring to this as Chrome 2, but that’s mainly a metric to help us keep track of changes internally,” concedes Google software engineer Darin Fisher in a blog post. “We don’t give too much weight to version numbers and will continue to roll out useful updates as often as possible.”

The new Chrome 2 is mainly about speed. It runs JavaScript-heavy Web pages about 30% faster than the last stable version of Chrome, according to Google.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31406

Angered by Apple delay, hacker posts Mac Java attack code

In an effort to draw attention to a long-standing security problem in Apple’s Mac OS X operating system, a security researcher has posted attack code that exploits the flaw.

The software, which could be used by hackers to run an unauthorized system on a Mac, was posted Tuesday by Landon Fuller, a security researcher in San Francisco. It exploits a nasty bug in the Java software that ships with Mac OS X. This bug was fixed by Java’s creator, Sun Microsystems, on Dec. 3, but Apple has still not included the fix in its software updates.

“Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated,” Fuller wrote in a blog posting describing the issue. “Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept.”

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31384

Vuln: Sun Java System Communications Express ‘search.xml’ Cross Site Scripting Vulnerability

Sun Java System Communications Express ‘search.xml’ Cross Site Scripting Vulnerability

URL: http://www.securityfocus.com/bid/34154

Breakfast: Java, Serial, and an Apple , (Wed, May 20th)

According to Julien Tinnes in the CR0 Blog, it appears that Apple’s recent security update failed to fix a Java flaw that was reported to Sun back in August 2008 and patched by Sun way back in December 2008. The upshot: according to the blog (and I’ve yet to be able to independently confirm it) any browser on OSX that uses the Apple-supplied version of Java is vulnerable to remote exploitation against a class of flaws known as Java deserialization vulnerabilities.

Deserialization is the process of retrieving stored data that an application previously persisted. Deserialization attacks take advantage of the fact that the deserialization process trusts that the data being pulled from storage is correctly formatted– i.e. it contains only the types of data expected.

It’s all rather complicated, but suffice to say, both Firefox and Safari appear to be exploitable, so until we hear something definitive from Apple on the subject, we would recommend running with Java disabled in your browser on OSX.

Speaking of hearing something definitive from AAPL, I’ll be happy to print whatever they send us in an update to this diary.

Tom Liston – InGuardians, Inc.

ISC – Handler On Duty

URL: http://isc.sans.org/diary.php?storyid=6418&rss

Web Toolz, (Wed, May 20th)

Ok, a couple of web app testing tools have been recently updated/released:

My buddies Kevin Johnson, Justin Searle, and the rest of the SamuraiWTF dev team have released version 0.6 of the SamuraiWTF live web testing framework CD. From the announcement:

The SamuraiWTF project team is proud to announce the immediate release of

SamuraiWTF 0.6. This release is available at samurai.inguardians.com. />

If there are any questions, please either send them to samurai@inguardians.com />

or join the developers mailing list on sourceforge.net.

httpsScanner, a Java program that scans a web server to test the strength of its SSL connections has been released in version 1.1. You can get a copy here.

URL: http://isc.sans.org/diary.php?storyid=6415&rss

Researcher publishes Java proof-of-concept to urge Apple action

Calling Apple’s patching process “opaque,” a security researcher has decided that publishing a proof-of-concept exploit is the best way to force the computing giant to fix a months-old flaw.

URL: http://feedproxy.google.com/~r/SCMagazineHome/~3/shT93FcubG4/

Gumblar Exploit is the Most Prevalent Web Threat

Malware analysts from security vendor Sophos warn that the number of pages infected with the Gumblar malcious script has recently sky-rocketed, putting the exploit at the top of the list of Web threats. The impact of the previous record setter Mal/Iframe-F now dwarfs in comparison.

According to Sophos, Troj/JSRedir-R, otherwise known as the Gumblar exploit, after the rogue domain it points to, amounts to a whopping 42% of all infections on the Web today. Mal/Iframe-F occupies the second place, its number of infections being six times lower and accounting for only 7%.

“Typically, JSRedir-R is found on legitimate websites, hidden behind obfuscated JavaScript, loading malicious content from third-party sites without the user’s knowledge. In the below case, the obfuscated script tries to download dangerous code from a site called gumblar.cn,” Graham Cluley, Sophos’ senior technology consultant, explains.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31333

CVE-2009-1598 (chrome)

Google Chrome executes DOM calls in response to a javascript: URI in the target attribute of a submit element within a form contained in an inline PDF file, which might allow remote attackers to bypass intended Adobe Acrobat JavaScript restrictions on accessing the document object, as demonstrated by a web site that permits PDF uploads by untrusted users, and therefore has a shared document.domain between the web site and this javascript: URI. NOTE: the researcher reports that Adobe’s positi…

URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1598