Re: [Full-disclosure] IOS rootkits (fwd)
In this email I summarise the discussion thread. One thing we did not do in these threads is to thank Core Security and Sebastian Muniz for the work, and releasing it to help make the world safer.

Gadi.

Date: Sun, 25 May 2008 05:27:36 -0500 (CDT)
From: Gadi Evron
To: Joel Jaeggli
Subject: Re: IOS rootkits

On Sun, 18 May 2008, Joel Jaeggli wrote:
> Dragos Ruiu wrote:
> > First of all about prevention, I'm not at all sure about this being covered by existing router security planning / BCP. I don't believe most operators reflash their routers periodically, nor check existing images (particularly because the tools for this integrity verification don't even exist). If I'm wrong about this I would love to be corrected with pointers to the tools.
>
> I have 6 years worth of rancid logs for every time the reported number of blocks in use on my flash changes, I imagine others do as well. That's hardly the silver bullet however.

Cisco considerably updated its rootkits page (which was 3 lines, yes, just 3 lines, last week; you might think it was a previously unknown threat).

  Last Updated 2008 May 22 1600 UTC (GMT)
  For Public Release 2008 May 16 0400 UTC (GMT)

Some update! The new page gives a lot of information on best practices, MD5 verifications, etc. Very good as a security best practices page but still not much of an anti-rootkit page. Well worth taking a look:
http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml

Again, very good page even if it in no way addresses the threat.

Last week my opinions were well-formed after a few years of thinking on the subject. I decided to re-examine my take as I may have just stagnated on the issue and the landscape changed. I reached the same conclusions.

Still no decent response on why they never spoke to their clients on Trojan horses on IOS, rootkits on IOS... or practically, what tools they provide to deal with them or what their plans are to help us protect ourselves and our infrastructure. One could guess they have none.

As someone recently mentioned to me, after the Michael Lynn talk they started admitting to remote code execution vulnerabilities being more than just DoS in their announcements. Maybe that is a trend and we will get more information from them in the future, now that rootkits as a threat to IOS are a public issue.

Cisco's "threats don't exist until our clients already know of them" strategy is running out of steam, and will soon outlive its usefulness. Cisco is acting pretty much like Microsoft did 10 years ago; they shouldn't be surprised if security research treats them the same way as it treated Microsoft. I know what their treatment made _me_ do psychologically: it made me not want to reach out to them. It seems like the Michael Lynn way is the only way to go with their current attitude--full disclosure.

As to the risk itself, it is my personal belief IOS rootkits are currently a threat as a targeted attack. Therefore, although of serious concern, it is not yet something I fear on the Internet scale. Pure FUD, Cisco provided us with no real data: I do however dread the day XR gains some popularity, then it is as bad as Windows XP exploitability-wise.

2003, year of the worm. 2013, year of the Cisco worms?

Gadi.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
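The flash-inventory change tracking Joel describes, together with the MD5 image verification Cisco's updated page recommends, as an added illustration in Python. This is not code from the thread, from rancid or from Cisco; the listing layout, file names, sizes and byte counts are constructed samples, and the regexes that parse them are an assumption about one platform's output format.

```python
import hashlib
import re

# Constructed sample snapshots in a simplified "show flash:" style. The layout
# is an assumption (real output differs by platform); adjust the regexes to fit.
BASELINE_LISTING = """\
1     23587052 c2800nm-adventerprisek9-mz.124-15.T1.bin
2         1038 vlan.dat
31674368 bytes used, 32325632 bytes available
"""
CURRENT_LISTING = """\
1     23587052 c2800nm-adventerprisek9-mz.124-15.T1.bin
2         1038 vlan.dat
3         4096 unexpected.bin
31678464 bytes used, 32321536 bytes available
"""

FILE_RE = re.compile(r"^\s*\d+\s+(\d+)\s+(\S+)\s*$")   # index, size, name
USED_RE = re.compile(r"^(\d+) bytes used")

def parse_listing(text):
    """Return ({filename: size}, bytes_used) from one listing snapshot."""
    files, used = {}, None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
            continue
        m = USED_RE.match(line)
        if m:
            used = int(m.group(1))
    return files, used

def diff_flash(baseline, current):
    """Flag files that appeared, vanished or changed size, plus any change in
    bytes used: the signal a periodic rancid collection can alert on."""
    b_files, b_used = parse_listing(baseline)
    c_files, c_used = parse_listing(current)
    common = set(b_files) & set(c_files)
    return {
        "added": sorted(set(c_files) - set(b_files)),
        "removed": sorted(set(b_files) - set(c_files)),
        "resized": sorted(f for f in common if b_files[f] != c_files[f]),
        "used_changed": b_used != c_used,
    }

def verify_image(image_bytes, expected_md5):
    """Compare the MD5 of an image copied off the box with the published hash."""
    return hashlib.md5(image_bytes).hexdigest() == expected_md5.strip().lower()
```

A change in bytes used with no change in the file list, or a file that grew without a planned upgrade, is the case worth paging on; the MD5 check only tells you the main image matches the vendor's hash, not that nothing else is on the flash.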
Re: [Full-disclosure] Need some help with management
Yup, CCEs and default configurations/passwords are definitely quite common. The folks over at gnucitizen have been hitting on this for some time with their work on the bt home hub...

Elazar

On Fri, 23 May 2008 12:16:45 -0400 Paul Schmehl [EMAIL PROTECTED] wrote:
> --On Friday, May 23, 2008 11:56:15 -0400 Elazar Broad [EMAIL PROTECTED] wrote:
> > It's not even funny how often this happens. I have a friend who does some consulting work for small businesses, and the number of times that he has come across medical practices that run their billing and record keeping software on the same fully-loaded XP box that their receptionist(s) use to download random crap...
>
> Typical scenario - professor runs Windows XP with Skype and Google Toolbar and a host of other helpful desktop applications - oh, but that's his server too - running IIS and mysql - default installs, mind you - replete with cross-site scripting and sql injection problems - and all his research with no backups - and then gets irate because his computer gets blocked at the switch port for policy violations. I could go on, but you get the idea. Why do they do it? Because they can - at least until we catch them.
>
> How many mysql installs do you think there are worldwide, listening on the default port, with [EMAIL PROTECTED], [EMAIL PROTECTED], @localhost and @FQHN all in the default state with no password?
>
> --
> Paul Schmehl
> As if it wasn't already obvious, my opinions are my own and not those of my employer.
[Full-disclosure] Pangolin v1.3.0.624 is out
Hi, all:

I'm glad to tell you that Pangolin, the wonderful SQL injection tool, has been updated to version 1.3.0.624. In this version, I've added some new functions and fixed some bugs:

1. Added Oracle Remote Data Reader function
2. Multi-language supported
3. Fixed corrupted characters problem
4. Support MSSQL 2005 now (you know, how to restore stored procedures in MSSQL 2005)
5. Fixed proxy issue where a localhost proxy could not be used
6. Anything else...

You can download it from here: http://www.nosec.org/web/pangolin

Please feel free to contact us with any questions you may have, thanks ;)

===

Pangolin is a GUI tool running on Windows to perform as much pen-testing as possible through SQL injection. This version now supports the following databases and operations:

* MSSQL : Server information, Data, CMD execute, Regedit, Write file, Download file, Read file, File Browser...
* MYSQL : Server information, Data, Read file, Write file...
* ORACLE : Server information, Data, Accounts cracking...
* PGSQL : Server information, Data, Read file...
* DB2 : Server information, Data, ...
* INFORMIX : Server information, Data, ...
* SQLITE : Server information, Data, ...
* ACCESS : Server information, Data, ...
* SYBASE : Server information, Data, ...
etc.

And supports:
* HTTPS support
* Pre-Login
* Proxy
* Specify any HTTP headers (User-agent, Cookie, Referer and so on)
* Bypass firewall setting
* Auto-analyzing keyword
* Detailed check options
* Injection-points management
etc.

What's different from the others?
* Ease of use : What I try to do is make the pen-tester care more about the result, not the process. All you should do is click the buttons.
* Amazing speed : so many people told you things about brute-force SQL injection; is it really necessary? Forget char-by-char, we can go row-by-row (of course, not every injection-point can do this).
* The exact check method : do you really think automated tools like AWVS, APPSCAN can find all injection-points?

So, whatever, just check it out, and then enjoy your feeling ;)
Re: [Full-disclosure] IOS rootkits (fwd)
On Sun, May 25, 2008 at 11:37 AM, Gadi Evron [EMAIL PROTECTED] wrote:
> One thing we did not do in these threads is to thank Core Security and Sebastian Muniz for the work, and releasing it to help make the world safer.
>
> Gadi.

No, I don't think the world is safer; in fact the presentation release onto the internet has been gagged because it's too dangerous to release it yet.

I do not thank Core Security. I think the whole thing has been handled badly by EUSecWest and CORE Security; they rushed out the announcement of the presentation, without giving the government, the security industry and CISCO enough time to evaluate what was going to be presented.

The presentation was rushed through to meet a ticket sales deadline agenda, with no thought for security or a polite time frame for all involved to evaluate, prepare and coordinate. Announcing the presentation slot with only 2 weeks or so before the presentation is to be given is unacceptable behaviour.

If you want to know why Cisco didn't have anything up on their site or why the information they provide isn't what you're wanting, it's because Cisco has had hardly any time to prepare it. Cisco and the government had to accommodate a ticket sales deadline time frame, not the desired time frame before the conference that they would have hoped for.

This is why the presentation isn't being released online yet; Cisco, the security industry and the government need more time.

If anyone has any contracts with CORE Security I suggest you drop them at the earliest opportunity.

All the best,

n3td3v
[Full-disclosure] OpenSSL-Bug still allows MITM, Browser(s) set up badly - Re: Identify weak Debian OpenSSL clients in SSH DH key exchange
Alex,

you recently wrote that you tested the CA certificates - but you didn't test the certificates which have been *signed* by the CAs. They are a serious problem.

The attack described in your recent post can easily be avoided by exchanging vulnerable certificates, BUT: if somebody grabbed an old (vulnerable) certificate quickly, he or she could generate the private key which fits it and then abuse the cert for a man-in-the-middle attack.

I think all servers which had a vulnerable certificate, even for a short time, are still not secure - at least as long as the old certificates are still valid, which depends on the validity date saved in the certificate, only.

No, CRLs don't work. Firefox for example does not check for CRLs (default setting), making certificate revocation senseless. I assume other browsers don't check CRLs either.

And what about the German tax software ELSTER? German CCC member Fefe describes this here (English and German):
http://blog.fefe.de/?ts=b6c9ec7e

His post is dated 23rd of May. He says somebody already got the old cert of a248.e.akamai.net.

My comment with screenshots of Firefox' settings pages and an error message here (German):
http://blog.datenritter.de/archives/208-gefaehrliche-Angriffsmoeglichkeit-durch-das-OpenSSL-Debakel.html

I think the only option is to change domain names. :-(

IMHO Felix is totally right in his criticism of PKI. When you download a browser you get a bunch of CA certificates but no reason to trust even a few of them.

n.

> Everybody keeps talking about changing your keys and updating OpenSSL, but this is not the only issue with the Debian/OpenSSL debacle.
>
> Consider that someone has sniffed your SSH traffic (say at a security conference?). If either a compromised server or client were involved, you have got a problem as the Diffie-Hellman key exchange at the start of the SSH session can now be broken. This means that all the data (passwords, SSH tunnel anyone?) can now be considered compromised if you are reasonably paranoid.
>
> (...)
>
> You can find the script at http://www.cynops.de/download/check_weak_dh_ssh.pl.bz2