[Full-disclosure] Windows 7 Firewire Attacks - and Defense Techniques

2009-08-13 Thread Security Research Publications
Hello,

In the course of the Windows 7 RTM release, the Security Research Lab would 
like to share some results on firewire/DMA based hacks and Windows 7, which is 
susceptible to such attacks.

While the attack vector itself is already known from previous Windows versions, 
we also describe the impact of Firewire-based Windows authentication bypassing 
on Microsoft's full-disk encryption solution BitLocker, the Encrypted File 
System (EFS) and Windows domains. A comprehensive section on countermeasures on 
different layers concludes this whitepaper, which can be downloaded from:

http://www.securityresearch.at/publications/windows7_firewire_physical_attacks.pdf

Moreover, we have developed a software solution to protect against 
Firewire-based physical security attacks on Windows systems which is discussed 
in a separate whitepaper:

http://www.securityresearch.at/publications/windows_firewire_blocker.pdf

The software can be downloaded here - use at your own risk:

http://www.securityresearch.at/publications/firewireblocker.zip 

Kind regards,
Benjamin

--
Dipl.-Ing. Mag. Mag. Benjamin Böck
IS Services & Audit
Security Research Sicherheitsforschung GmbH
Office: Sommerpalais Harrach / Favoritenstr. 16 / 1040 Wien
M: bbo...@securityresearch.at
T: +43 699 1929
F: +43 1 505 
http://www.securityresearch.at

Identification pursuant to § 14 UGB:
Company name: Security Research Sicherheitsforschung GmbH
Registered office: Favoritenstraße 16 / 1040 Wien
Commercial register number: FN271386 y
Commercial register court: Handelsgericht Wien

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] [Professional IT Security Providers - Exposed] Redspin, Inc. (C+)

2009-08-13 Thread Gichuki John Chuksjonia
Just read this.

What happened to your blog, http://secreview.blogspot.com?



On 8/11/09, secreview  wrote:
> We received 22 requests from different people to perform a review of
> Redspin! Their website can be found at http://www.redspin.com. We
> haven’t done a review of anyone in quite a while, the last review that
> we did was for Pivot Point Security who got an A (we still recommend
> them). We apologize for this long delay but we have been very busy
> traveling (yes we still have jobs doing consulting work sometimes).
>
> As you can see from the comments that we received in other posts we
> have a lot of catch up work to do, but to be honest we are not sure
> that we will be able to do it. This review might be our final and last
> review depending on how much more travel we have. (We have lives, some
> of us have families, and we can’t keep doing this for free even though
> we feel that this is a great service).
>
> We did a lot of research on Redspin and we managed to get a copy of two
> reports that they did for two different customers. We won’t share those
> reports with you because that would be unethical, don’t ask.
>
> Redspin claims that it is a “pure penetration testing firm”. What they
> mean by “pure penetration testing” is that they do not resell third
> party software or hardware. They also say that “don't find problems on
> your network so that [they] can make more money; [their] penetration
> testing services reveal vulnerabilities, [that] will help you become
> more secure.”
>
> We verified their claim with our own research. Redspin will not try to
> sell you software or hardware… but they might try to sell you software
> as a service. (see their www.jetmetric.com website).
>
> Redspin takes it a step further and is brutally honest about their
> methodology for delivering penetration-testing services. They openly
> admit that their services rely on automated vulnerability scanners
> (Nessus) and are enhanced by manual testing. In fact, Redspin says that
> automated scanners “can miss about 40% of the security risk so they
> alone do not adequately assess risk. Furthermore, about half of the
> findings from a vulnerability scan are false positives”.
>
> Any security company that relies on automated scanners can weed out
> false positives, but doing that doesn’t really increase the depth and
> accuracy of testing. A false positive, also known as an error of the
> first kind, or a Type I Error, is the rejection of a null hypothesis
> when it is in fact true. In more simple terms, this is the error of
> observing a difference when in fact there isn’t one. Identifying false
> positives is fairly easily done, as it only requires inspecting the
> results produced by a scanner.
>
> But what about False Negatives? A False Negative, also called a Type II
> Error, or an error of the second kind, is the error of failing to
> reject a null hypothesis when it is in fact not true. More simply, a
> False Negative is the error of failing to observe a difference when in
> truth there is one. So, if an automated vulnerability scanner tests a
> vulnerable service (a known vulnerability) but the scanner doesn’t
> detect the vulnerability then the vulnerability is excluded from the
> report. If this is the case then Redspin’s methodology will break down
> because there will be no result in the report for Redspin to manually
> test. That vulnerability will fly under the Redspin radar but might not
> be missed by a hacker. So how many vulnerabilities does Redspin miss?
> It’s a question worth asking.
>
> Redspin does say that “vulnerability scanning is not suitable on its
> own as a complete or billable service offering, it does provides some
> value in the early reconnaissance phase of a more comprehensive
> External Network Security Assessment”. They have a typo in that
> sentence, but other than that, they are right. Vulnerability scanning
> does have a position in the industry and is a huge time saver,
> especially when testing large numbers of systems. Just don’t rely on
> one vulnerability scanner like Redspin does, use two or more like the
> OSSTMM proposes.
>
> Redspin says “manual analysis is at the heart of all of [their]
> assessments which not only gives you confidence that you have a
> complete view of your security risk, but provides tailored reporting
> and recommendations enabling simple work-arounds and cost-effective
> mitigation strategies for most security issues.” Based on our research
> Redspin’s “manual analysis” isn’t what we expected it to be. It is not
> based on vulnerability research and is strictly based on the inspection
> and verification of scanner output.
>
> What we can say is that their “manual analysis” doesn’t produce the
> highest quality reports that we’ve ever seen, but it does produce
> reports that are higher than average quality. The Redspin reports have
> very few, if any, False Positives but will contain more False Negatives
> than a report that is centered on sol

[Full-disclosure] [IMF 2009] Call for Participation

2009-08-13 Thread Oliver Goebel
Dear all,

please find enclosed the call for participation for IMF 2009.

See the program at:
http://www.imf-conference.org/imf2009/program.html

The conference will be held from Tuesday (Sept. 15th) through Wednesday
(Sept. 16th).

On Thursday (Sept. 17th) selected topics will be addressed in greater
detail in three workshops.

Please excuse possible cross postings.




CALL FOR PARTICIPATION

   IMF 2009

  5th International Conference
   on IT Security Incident Management & IT Forensics

  September 15th - 17th, 2009
  Stuttgart, Germany

  Early Registration Closes on September 1st!



Information and communication technology is more and more becoming an
integral and in most cases even a vital part of life.  The worldwide
economy, public administration, health care, education and even personal
life depend on working IT.  Constriction of the availability of its
service, loss of confidentiality or alteration of data processed, or
loss of integrity of the IT infrastructure usually lead to serious or
disastrous consequences.  Hence security plays an increasingly important
role for operators and users of IT systems and infrastructures.

The establishment of static security measures like policies, standards,
and guidelines slowly but steadily is getting more common amongst IT
operators.  Nevertheless in the vast majority of cases operators do not
have the capability to detect and respond to security incidents or do a
forensic analysis of its traces that can be used in a lawsuit.
Jurisdiction in most countries is starting to change and applies
regulations on legal duty to maintain safety on operators of IT.  Hence
incident response and forensic capabilities become indispensable to
avoid successful assertion of claims for damages caused by compromised
or misused systems.

IMF's intent is to gather experts from throughout the world in order to
present and discuss recent technical and methodical advances in the
fields of IT security incident response and management and IT forensics.
The conference provides a platform for collaboration and exchange of
ideas between industry, academia, law-enforcement and other government
bodies.

CONFERENCE PROGRAM
==================
Please find the conference program at:

   http://www.imf-conference.org/imf2009/program.html


REGISTRATION
============
Please find an overview of the conference fees as well as the
registration form at:

   http://www.imf-conference.org/imf2009/registration.html

Early registration discounts will be available until

  September 1st, 2009


PROGRAM COMMITTEE
=================
Susan Brenner           University of Dayton, USA
Jack Cole               US Army Research Laboratory, USA
Andrew Cormack          JANET, UK
Ralf Doerrie            Germany
Ralf Ehlert             Universitaet Magdeburg, Germany
Felix Freiling          Universitaet Mannheim, Germany
Sandra Frings           Fraunhofer IAO, Germany
Oliver Goebel           Universitaet Stuttgart, Germany
Detlef Guenther         Corporate Internal Audit, Volkswagen AG, Germany
Vijay K. Gurbani        Bell Labs, USA
Bernhard M. Haemmerli   ACRIS GmbH, Switzerland
Jim Lyle                NIST, USA
Robert Martin           MITRE Corp., USA
Holger Morgenstern      gutachten.info, Germany
Henning Pagnia          Berufsakademie Mannheim, Germany
Dirk Schadt             SPOT, Germany
Albert Schaenzle        Landeskriminalamt Baden Wuerttemberg, Germany
Mark Schiller           Statton Security Ltd, UK
Andreas Schuster        Deutsche Telekom, Germany
Marco Thorbruegge       ENISA, EU
Stephen D. Wolthusen    Royal Holloway, Univ. of London, UK
Steven W. Wood          Alste Technologies GmbH, Germany


CONFERENCE CHAIR
================
Dirk Schadt
SPOT Consulting
mailto: chair-2009 @ imf-conference.org


PROGRAM CHAIR
=============
Oliver Goebel
RUS-CERT
Universitaet Stuttgart
mailto: pc-chair-2009 @ imf-conference.org


ORGANIZING COMMITTEE
====================
Jack Cole
Ralf Ehlert
Sandra Frings
Oliver Goebel
Detlef Guenther
Holger Morgenstern
Dirk Schadt


STEERING COMMITTEE
==================
Sandra Frings
Oliver Goebel
Detlef Guenther
Jens Nedon
Dirk Schadt


UNDER THE AUSPICES OF
=====================
German Informatics Society (GI e.V.)
Wissenschaftszentrum Ahrstr. 45, 53175 Bonn, Germany
Tel.: +49 228 302 145, Fax: +49 228 302 167
Special Interest Group SIDAR
http://www.gi-ev.de/allgemeines/index-english.html


IN CO-OPERATION WITH
====================
Institute of Electrical and Electronics Engineers, Inc. (IEEE)
IEEE Computer Society
SPOT Consulting
Fraunhofer Institut fuer Arbeitswirtschaft und Organisation (IAO)
European Network and Information Security Agency (ENISA)
gutachten.info
Universitaet

[Full-disclosure] Drupal Print Module Multiple Vulnerabilities

2009-08-13 Thread Justin Klein Keane

Vulnerability Report

Date of Original Vendor Contact:  May 27, 2009
Author: Justin C. Klein Keane 
Details of this vulnerability are also posted at the public URL
http://lampsecurity.org/drupal-print-module-vulnerabilities

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL that provides extensibility through various
third party modules.  The Printer, e-mail and PDF versions (hereafter
referred to as Print) module (http://drupal.org/project/print) allows
for the generation of printer friendly versions of nodes, PDF version of
nodes, and the sending of nodes to e-mail recipients.  The Print module
contains numerous cross site scripting (XSS) vulnerabilities:

The Print module contains an XSS vulnerability because it does not
properly sanitize the output of the footers in printer friendly views.
This allows users with 'administer print' permissions to inject
arbitrary HTML in the footer field that is rendered whenever the printer
friendly version of any node is displayed.

The Print module also contains an XSS vulnerability due to the fact that
'Stylesheet URL' input is not properly sanitized when displayed.  This
allows malicious users the ability to inject external stylesheet
locations into the link tag displayed on printer friendly versions of
nodes.  This vulnerability, combined with Internet Explorer support for
"expression" in CSS, allows for XSS attacks.

The Print module also contains an XSS vulnerability due to the fact that
the 'site name' is not properly sanitized when displaying the e-mail
confirmation in the "Thank you for spreading the word about [site_name]"
area.  The Print module also contains an XSS vulnerability due to the
fact that it does not properly sanitize the 'Thank You Message:' input.

The Print module also contains an XSS vulnerability due to the fact that
it does not properly sanitize node titles for display in the breadcrumbs
on printer friendly versions of nodes.

The Print module also contains an XSS vulnerability due to the fact that
it does not properly sanitize the 'font family' setting when displaying
PDF versions of nodes.

Systems affected:
-----------------
Drupal 6.12 with Print 6.x-1.7 and TCPDF 4.6.012 was tested and shown to
be vulnerable to footer XSS injection.  Drupal 6.12 with Print 6.x-1.7
and IE 6 was tested and shown to be vulnerable to link XSS injection.
Additional testing indicated that the 5.x branch of the Print module is
also vulnerable.  Versions of Drupal more recent than those tested are
likely affected as well.

Impact:
-------
XSS vulnerabilities may expose site administrative accounts to
compromise which could lead to web server process compromise.

Mitigating factors:
-------------------
Print must be installed and enabled.  Attacker must have 'administer
print' permissions in order to carry out the proof of concept exploit
detailed below.  Site administration permissions are required to carry
out the site name injection described in the proof of concept below.
Internet Explorer is vulnerable to the malicious style sheet inclusion
proof of concept detailed below, other browsers may not be affected
depending on their support for the 'expression' statement in cascading
style sheets (CSS).  Note that the proof of concept provided utilizes
known attack vectors, other vectors may exist.

Proof of concept:
-----------------
1.  Install Drupal 6.12.
2.  Install Print and enable all Print functionality through Administer
-> Modules.  Install TCPDF per the Print module INSTALL.txt
3.  In Administer -> Site configuration set the site name to
"alert('site name');"
4.  Create a new content node with the title "alert('node
title');"
5.  Click "Save configuration"
6.  Create malicious stylesheet at arbitrary URL (for this PoC the
stylesheet is at http://192.168.0.2/style.css).  Include the following:
BODY {
width:expression(alert("stylesheet xss"));
}
7.  Click on Administer -> Site Configuration -> Printer, e-mail and PDF
versions
8.  Select the 'Settings' link
9.  Fill in "http://192.168.0.2/style.css' a='" for the "Stylesheet URL"
10.  Expand the "Footer options" input area
11.  Check the "User-specified" radio button
12.  Fill in "alert('footer xss');" for the
"User-specified:" text input
13.  Click the "Save configuration" button
14. Navigate to the homepage
15. View the node created in step 3 above and click the
"Printer-friendly version" link
16. Observe three JavaScript alerts in IE, other browsers may only
display the node title and footer XSS alerts.
17. Return to the node view and click the "Send to friend" link.  Fill
in arbitrary values and click the "Send e-mail" button
18. Observe the site name JavaScript alert
19. Modify the PDF settings from Administer -> Site configuration ->
Printer, e-mail and PDF versions.
20. Fill in "dejavusans' alert('font family');" in the
"Font F

[Full-disclosure] Linux NULL pointer dereference due to incorrect proto_ops initializations

2009-08-13 Thread Tavis Ormandy
Linux NULL pointer dereference due to incorrect proto_ops initializations
-------------------------------------------------------------------------

In the Linux kernel, each socket has an associated struct of operations
called proto_ops which contain pointers to functions implementing various
features, such as accept, bind, shutdown, and so on.

If an operation on a particular socket is unimplemented, they are expected
to point the associated function pointer to predefined stubs, for example if
the "accept" operation is undefined it would point to sock_no_accept(). However,
we have found that this is not always the case and some of these pointers are
left uninitialized.

This is not always a security issue, as the kernel validates the pointers at
the call site, such as this example from sock_splice_read:

static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
                                struct pipe_inode_info *pipe, size_t len,
                                unsigned int flags)
{
        struct socket *sock = file->private_data;

        if (unlikely(!sock->ops->splice_read))
                return -EINVAL;

        return sock->ops->splice_read(sock, ppos, pipe, len, flags);
}

But we have found an example where this is not the case; the sock_sendpage()
routine does not validate the function pointer is valid before dereferencing
it, and therefore relies on the correct initialization of the proto_ops
structure.

We have identified several examples where the initialization is incomplete:

- The SOCKOPS_WRAP macro defined in include/linux/net.h, which appears correct
  at first glance, was actually affected. This includes PF_APPLETALK, PF_IPX,
  PF_IRDA, PF_X25 and PF_AX25 families.

- Initializations were missing in other protocols, including PF_BLUETOOTH,
  PF_IUCV, PF_INET6 (with IPPROTO_SCTP), PF_PPPOX and PF_ISDN.


Affected Software
-----------------

All Linux 2.4/2.6 versions since May 2001 are believed to be affected:

- Linux 2.4, from 2.4.4 up to and including 2.4.37.4
- Linux 2.6, from 2.6.0 up to and including 2.6.30.4


Consequences
------------

This issue is easily exploitable for local privilege escalation. In order to
exploit this, an attacker would create a mapping at address zero containing
code to be executed with privileges of the kernel, and then trigger a
vulnerable operation using a sequence like this:

/* ... */
int fdin = mkstemp(template);
int fdout = socket(PF_PPPOX, SOCK_DGRAM, 0);

unlink(template);

ftruncate(fdin, PAGE_SIZE);

sendfile(fdout, fdin, NULL, PAGE_SIZE);
/* ... */

Please note, sendfile() is just one of many ways to cause a sendpage
operation on a socket.

Successful exploitation will lead to complete attacker control of the system.

----------
Mitigation
----------

Recent kernels with mmap_min_addr support may prevent exploitation if
the sysctl vm.mmap_min_addr is set above zero. However, administrators
should be aware that LSM based mandatory access control systems, such
as SELinux, may alter this functionality.

It should also be noted that all kernels up to 2.6.30.2 are vulnerable to
published attacks against mmap_min_addr.

--------
Solution
--------

Linus committed a patch correcting this issue on 13th August 2009.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

------
Credit
------

This bug was discovered by Tavis Ormandy and Julien Tinnes of the Google
Security Team.


-- 
-
tav...@sdf.lonestar.org | finger me for my gpg key.
---
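The missing-initializer defect the advisory describes, as an added user-space C model that is not part of the advisory or of the kernel: a hypothetical ops table whose sendpage slot is left out of its initializer (and is therefore NULL), an audit helper that flags that state, and a checked dispatch in the style of the sock_splice_read() snippet quoted above. All type and function names are stand-ins, and the -EINVAL fallback is an assumption for the demo, not the kernel's actual fix.

```c
/* Added example, not from the advisory or the kernel. Models the proto_ops
 * defect: a slot omitted from a designated initializer is NULL, an unchecked
 * call through it is the sock_sendpage() bug, and checked_sendpage() shows the
 * sock_splice_read()-style validation. All names are hypothetical stand-ins. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct demo_page { const char *data; size_t len; };

/* Hypothetical subset of struct proto_ops: only the slots used here. */
struct demo_ops {
    int  (*bind)(int sock, const char *addr);
    long (*sendpage)(int sock, struct demo_page *pg);
    long (*splice_read)(int sock, struct demo_page *pg);
};

static int  demo_bind(int sock, const char *addr) { (void)sock; (void)addr; return 0; }
static long demo_sendpage(int sock, struct demo_page *pg) { (void)sock; return (long)pg->len; }

/* Complete table: every slot is assigned. */
static const struct demo_ops complete_ops = {
    .bind = demo_bind, .sendpage = demo_sendpage, .splice_read = demo_sendpage,
};

/* Incomplete table: sendpage is never assigned, so C zero-initializes it to
 * NULL. This is the state the advisory describes for the affected families. */
static const struct demo_ops incomplete_ops = {
    .bind = demo_bind,
};

/* Audit helper: 1 if an unchecked dispatch through this table would call
 * address zero. Reviewing every ops table this way finds missing slots. */
int ops_has_null_sendpage(const struct demo_ops *o)
{
    return o->sendpage == NULL;
}

/* Checked dispatch: validate the slot at the call site instead of relying on
 * complete initialization. Returning -EINVAL is an assumption for this demo;
 * the kernel's fix falls back to a default sendpage implementation instead. */
long checked_sendpage(const struct demo_ops *o, int sock, struct demo_page *pg)
{
    if (o->sendpage == NULL)
        return -EINVAL;
    return o->sendpage(sock, pg);
}

int main(void)
{
    struct demo_page pg = { "constructed payload", 19 };  /* constructed input */
    printf("complete table:   %ld bytes\n", checked_sendpage(&complete_ops, 3, &pg));
    printf("incomplete table: %ld (-EINVAL is %d)\n",
           checked_sendpage(&incomplete_ops, 3, &pg), -EINVAL);
    printf("incomplete table has NULL sendpage: %d\n",
           ops_has_null_sendpage(&incomplete_ops));
    return 0;
}
```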



[Full-disclosure] BART disclosure by Jacob Appelbaum

2009-08-13 Thread auto793094
I have a question about the recent BART disclosure by Jacob Appelbaum,
or supposedly by Jacob Appelbaum.

Which technical details about BART magstripes are correct?

Thanks.
