2010.01.30

Java Signed Applets

Been pretty busy these past few weeks, and finding the time to post stuff up is getting difficult. But I do bring something fun to watch.

If you administer users, you should have a look at this video:
Java Signed Applet

If you want a little more information on how to test this exploit in a controlled environment, head over to pauldotcom.
The screencast is a little more “complete” than mine. I just wanted to prove a point.

Hope you enjoy it.

2010.01.19

Windows wide open?

With the recent attacks on Google, Adobe and Yahoo (just to name a few) thanks to the Aurora exploit, Internet Explorer is something to be avoided at the moment. Unless you’re running version 5.01, I would suggest switching to Firefox for the time being. As far as I know, Microsoft has not released a patch for this one. Let’s hope they do.

As far as I can tell, and with a little info from exploit-db, remote code execution is only functional under Windows XP running Internet Explorer 6. That doesn’t mean newer versions of Internet Explorer are not affected… we just don’t know about it yet. IE 7/8 will crash under Windows XP, and DEP under Vista/7 should stop the crash in time.

So it’s a good idea to listen to Microsoft and enable DEP and everything else under the sun to protect your system(s)… especially now that there’s another exploit that basically guarantees privilege escalation.

The Ring-Zero exploit is the latest one, and let me tell you: I’ve tested this privilege escalation exploit on Windows XP SP2/SP3, Windows Server 2008 Enterprise and Windows 7. Dookie from exploit-db tested it on Windows Server 2003…
We all got a System shell… Not scared yet? You should be. You can read more about it in the link I provided just above.

Does this mean Windows is wide open at the moment? Should we close down the Internet and our corporate networks? Well, even if that would be a great solution, it’s impossible. There is one way to protect oneself (or at least help reduce the risk/damage): DON’T RELY ON JUST A FIREWALL! Let your network administrators install Snort. Let them monitor inbound as well as outbound traffic. Don’t close your eyes and say “there’s no reason to get hacked… we’re a small company” (of course this is more for any managers reading this). I’d like to meet the guy that said Linux is less secure now…

So good luck this week, and let’s hope Microsoft comes up with something soon. I need to scare the pants off my boss tomorrow. Need to work on a nice scenario to really convince him…

Again, good luck… All of you

2010.01.16

Happy new year

Happy new year! (I know I’m late…)

Been a busy new year for me, which is basically a continuation of how 2009 finished. Either being sick or extremely busy at work and family life. Personal projects and other testing took a back seat unfortunately.
Since I don’t have much of anything to write up, here’s part of SANS’ newsletter. One article, in my opinion, is worth reading. Skoudis’ comment is on the money. It’s too bad that the powers that be (management) probably never read this stuff…

–Zero-Day IE Flaw Used in Attacks on Google, Adobe and Others
(January 14, 2010)

Attackers exploited a zero-day vulnerability in Internet Explorer (IE) to launch attacks on Adobe, Google and about 30 other US companies. The flaw reportedly affects all versions of IE. Microsoft became aware of the vulnerability on January 13 and plans to issue an advisory on January 14. The memory corruption vulnerability allows attackers to inject malware onto users’ computers. So far, the flaw has been exploited only in targeted attacks. While there have been reports that the attackers also used maliciously crafted PDF files to launch their attacks against the companies, now it is believed that only the IE flaw was used in the attacks.

http://www.wired.com/threatlevel/2010/01/hack-of-adob
http://www.theregister.co.uk/2010/01/14/cyber_assault_followup/
http://www.computerworld.com/s/article/9144844/Hackers_used_IE_zero_day_not_PDF_in_China_Google_attacks?source=rss_security
Microsoft advisory: http://www.microsoft.com/technet/security/advisory/979267.mspx
Storm Center: http://isc.sans.org/diary.html?storyid=7993

[Editor's Note (Skoudis): The news this week about Google, China, and advanced persistent threats illuminates an important change in security. The threatscape has been shifting from cyber crime to more insidious attacks over the past couple of years, but in a way that didn't garner a lot of attention. Until now. I think it's a good thing to see folks finally waking up to this issue, rather than pretending it doesn't exist.
(Honan): This vulnerability when exploited uses the same user levels as the logged on user; maybe it is time to convince your management and users that they do not need local administrator access.]
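As an added example (not part of the original posts or of the SANS newsletter), here is a small PowerShell audit script for the two things recommended above: the system-wide DEP policy from the previous post, and who actually holds local administrator rights, as Honan suggests. It assumes PowerShell 5.1 on Windows 10 / Server 2016 or later (Get-LocalGroupMember does not exist on older systems) and an elevated prompt; the function names are mine.

```powershell
# Added example, not from the original post. Audits two host settings
# discussed above: the boot-time DEP policy and local Administrators membership.
# Assumes PowerShell 5.1 on Windows 10 / Server 2016 or later; run elevated
# so group membership can be enumerated.

function Get-DepPolicy {
    # Win32_OperatingSystem reports the boot-time DEP policy as an integer:
    # 0 AlwaysOff, 1 AlwaysOn, 2 OptIn (client default, Windows binaries only),
    # 3 OptOut (everything except an explicit exclusion list).
    $code  = [int](Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        Code        = $code
        Policy      = $names[$code]
        # OptIn leaves third-party software such as browsers uncovered, which is
        # exactly the case the post is worried about; AlwaysOn or OptOut is what you want.
        Recommended = ($code -eq 1 -or $code -eq 3)
    }
}

function Get-LocalAdminMembers {
    # Resolve the built-in Administrators group by its well-known SID so the
    # check also works on localized installs where the group name differs.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-CurrentUserIsAdmin {
    # True if the current token carries the Administrators role, i.e. this
    # shell is elevated. That is the privilege level an exploit running
    # as the logged-on user would inherit.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# --- report ---
$dep = Get-DepPolicy
"DEP policy: $($dep.Policy) (code $($dep.Code))"
if (-not $dep.Recommended) {
    "  -> weaker than recommended; consider: bcdedit /set {current} nx OptOut  (reboot required)"
}

"Current user running with admin rights: $(Test-CurrentUserIsAdmin)"

"Members of the local Administrators group:"
Get-LocalAdminMembers | Format-Table -AutoSize
```

Save it as a .ps1 and run it from an elevated prompt. OptIn is the default on client Windows, so expect the script to flag most workstations; the interesting output is usually the group listing, which tends to show day-to-day user accounts that have no business being there.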

On another note, Kioptrix will be taping its first podcast this evening. Must warn you, it’s in French… It’s going to be available for download soon. Bear in mind, this is our first crack at this.

As always, visit us at kioptrix.com and check out our media section and VM download section. A few things are in the works that we hope people will enjoy. Also, pretty soon I’ll be moving this blog to its new home permanently.

Have a good one.
LF