[Full-disclosure] Windows 7 Firewire Attacks - and Defense Techniques
Hello,

In the course of the Windows 7 RTM release, the Security Research Lab would like to share some results on firewire/DMA based hacks and Windows 7, which is susceptible to such attacks. While the attack vector itself is already known from previous Windows versions, we also describe the impact of Firewire-based Windows authentication bypassing on Microsoft's full-disk encryption solution BitLocker, the Encrypted File System (EFS) and Windows domains. A comprehensive section on countermeasures on different layers concludes this whitepaper, which can be downloaded from:

http://www.securityresearch.at/publications/windows7_firewire_physical_attacks.pdf

Moreover, we have developed a software solution to protect against Firewire-based physical security attacks on Windows systems which is discussed in a separate whitepaper:

http://www.securityresearch.at/publications/windows_firewire_blocker.pdf

The software can be downloaded here - use at your own risk:

http://www.securityresearch.at/publications/firewireblocker.zip

Kind regards,
Benjamin

--
Dipl.-Ing. Mag. Mag. Benjamin Böck
IS Services & Audit
Security Research Sicherheitsforschung GmbH
Office: Sommerpalais Harrach / Favoritenstr. 16 / 1040 Wien
M: bbo...@securityresearch.at
T: +43 699 1929
F: +43 1 505
http://www.securityresearch.at

Identification pursuant to § 14 UGB:
Company name: Security Research Sicherheitsforschung GmbH
Registered office: Favoritenstraße 16 / 1040 Wien
Commercial register number: FN271386 y
Commercial register court: Handelsgericht Wien

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] [Professional IT Security Providers - Exposed] Redspin, Inc. (C+)
Just read this. What happened to your blog, http://secreview.blogspot.com?

On 8/11/09, secreview wrote:
> We received 22 requests from different people to perform a review of Redspin! Their website can be found at http://www.redspin.com. We haven’t done a review of anyone in quite a while, the last review that we did was for Pivot Point Security who got an A (we still recommend them). We apologize for this long delay but we have been very busy traveling (yes we still have jobs doing consulting work sometimes).
>
> As you can see from the comments that we received in other posts we have a lot of catch up work to do, but to be honest we are not sure that we will be able to do it. This review might be our final and last review depending on how much more travel we have. (We have lives, some of us have families, and we can’t keep doing this for free even though we feel that this is a great service).
>
> We did a lot of research on Redspin and we managed to get a copy of two reports that they did for two different customers. We won’t share those reports with you because that would be unethical, don’t ask.
>
> Redspin claims that it is a “pure penetration testing firm”. What they mean by “pure penetration testing” is that they do not resell third party software or hardware. They also say that “don't find problems on your network so that [they] can make more money; [their] penetration testing services reveal vulnerabilities, [that] will help you become more secure.”
>
> We verified their claim with our own research. Redspin will not try to sell you software or hardware… but they might try to sell you software as a service. (see their www.jetmetric.com website).
>
> Redspin takes it a step further and is brutally honest about their methodology for delivering penetration-testing services. They openly admit that their services rely on automated vulnerability scanners (Nessus) and are enhanced by manual testing. In fact, Redspin says that automated scanners “can miss about 40% of the security risk so they alone do not adequately assess risk. Furthermore, about half of the findings from a vulnerability scan are false positives”.
>
> Any security company that relies on automated scanners can weed out false positives, but doing that doesn’t really increase the depth and accuracy of testing. A false positive, also known as an error of the first kind, or a Type I Error, is the rejection of a null hypothesis when it is in fact true. In more simple terms, this is the error of observing a difference when in fact there isn’t one. Identifying false positives is fairly easily done, as it only requires inspecting the results produced by a scanner.
>
> But what about False Negatives? A False Negative, also called a Type II Error, or an error of the second kind, is the error of failing to reject a null hypothesis when it is in fact not true. More simply, a False Negative is the error of failing to observe a difference when in truth there is one. So, if an automated vulnerability scanner tests a vulnerable service (a known vulnerability) but the scanner doesn’t detect the vulnerability then the vulnerability is excluded from the report. If this is the case then Redspin’s methodology will break down because there will be no result in the report for Redspin to manually test. That vulnerability will fly under the Redspin radar but might not be missed by a hacker. So how many vulnerabilities does Redspin miss? It’s a question worth asking.
>
> Redspin does say that “vulnerability scanning is not suitable on its own as a complete or billable service offering, it does provides some value in the early reconnaissance phase of a more comprehensive External Network Security Assessment”. They have a typo in that sentence, but other than that, they are right. Vulnerability scanning does have a position in the industry and is a huge time saver, especially when testing large numbers of systems. Just don’t rely on one vulnerability scanner like Redspin does, use two or more like the OSSTMM proposes.
>
> Redspin says “manual analysis is at the heart of all of [their] assessments which not only gives you confidence that you have a complete view of your security risk, but provides tailored reporting and recommendations enabling simple work-arounds and cost-effective mitigation strategies for most security issues.” Based on our research Redspin’s “manual analysis” isn’t what we expected it to be. It is not based on vulnerability research and is strictly based on the inspection and verification of scanner output.
>
> What we can say is that their “manual analysis” doesn’t produce the highest quality reports that we’ve ever seen, but it does produce reports that are higher than average quality. The Redspin reports have very few, if any, False Positives but will contain more False Negatives than a report that is centered on sol
[Full-disclosure] [IMF 2009] Call for Participation
Dear all,

please find enclosed the call for participation for IMF 2009. See the program at: http://www.imf-conference.org/imf2009/program.html

The conference will be held from Tuesday (Sept. 15th) through Wednesday (Sept. 16th). On Thursday (Sept. 17th) selected topics will be addressed in greater detail in three workshops.

Please excuse possible cross postings.

CALL FOR PARTICIPATION

IMF 2009
5th International Conference on IT Security Incident Management & IT Forensics
September 15th - 17th, 2009
Stuttgart, Germany

Early Registration Closes on September 1st!

Information and communication technology is more and more becoming an integral and in most cases even a vital part of life. The worldwide economy, public administration, health care, education and even personal life depend on working IT. Constriction of the availability of its service, loss of confidentiality or alteration of data processed, or loss of integrity of the IT infrastructure usually lead to serious or disastrous consequences. Hence security plays an increasingly important role for operators and users of IT systems and infrastructures.

The establishment of static security measures like policies, standards, and guidelines slowly but steadily is getting more common amongst IT operators. Nevertheless in the vast majority of cases operators do not have the capability to detect and respond to security incidents or do a forensic analysis of its traces that can be used in a lawsuit. Jurisdiction in most countries is starting to change and applies regulations on legal duty to maintain safety on operators of IT. Hence incident response and forensic capabilities become indispensable to avoid successful assertion of claims for damages caused by compromised or misused systems.

IMF's intent is to gather experts from throughout the world in order to present and discuss recent technical and methodical advances in the fields of IT security incident response and management and IT forensics. The conference provides a platform for collaboration and exchange of ideas between industry, academia, law-enforcement and other government bodies.

CONFERENCE PROGRAM

Please find the conference program at: http://www.imf-conference.org/imf2009/program.html

REGISTRATION

Please find an overview of the conference fees as well as the registration form at: http://www.imf-conference.org/imf2009/registration.html

Early registration discounts will be available until September 1st, 2009.

PROGRAM COMMITTEE

Susan Brenner, University of Dayton, USA
Jack Cole, US Army Research Laboratory, USA
Andrew Cormack, JANET, UK
Ralf Doerrie, Germany
Ralf Ehlert, Universitaet Magdeburg, Germany
Felix Freiling, Universitaet Mannheim, Germany
Sandra Frings, Fraunhofer IAO, Germany
Oliver Goebel, Universitaet Stuttgart, Germany
Detlef Guenther, Corporate Internal Audit, Volkswagen AG, Germany
Vijay K. Gurbani, Bell Labs, USA
Bernhard M. Haemmerli, ACRIS GmbH, Switzerland
Jim Lyle, NIST, USA
Robert Martin, MITRE Corp., USA
Holger Morgenstern, gutachten.info, Germany
Henning Pagnia, Berufsakademie Mannheim, Germany
Dirk Schadt, SPOT, Germany
Albert Schaenzle, Landeskriminalamt Baden Wuerttemberg, Germany
Mark Schiller, Statton Security Ltd, UK
Andreas Schuster, Deutsche Telekom, Germany
Marco Thorbruegge, ENISA, EU
Stephen D. Wolthusen, Royal Holloway, Univ. of London, UK
Steven W. Wood, Alste Technologies GmbH, Germany

CONFERENCE CHAIR

Dirk Schadt, SPOT Consulting
mailto: chair-2009 @ imf-conference.org

PROGRAM CHAIR

Oliver Goebel, RUS-CERT, Universitaet Stuttgart
mailto: pc-chair-2009 @ imf-conference.org

ORGANIZING COMMITTEE

Jack Cole
Ralf Ehlert
Sandra Frings
Oliver Goebel
Detlef Guenther
Holger Morgenstern
Dirk Schadt

STEERING COMMITTEE

Sandra Frings
Oliver Goebel
Detlef Guenther
Jens Nedon
Dirk Schadt

UNDER THE AUSPICES OF

German Informatics Society (GI e.V.)
Wissenschaftszentrum
Ahrstr. 45, 53175 Bonn, Germany
Tel.: +49 228 302 145, Fax: +49 228 302 167
Special Interest Group SIDAR
http://www.gi-ev.de/allgemeines/index-english.html

IN CO-OPERATION WITH

Institute of Electrical and Electronics Engineers, Inc. (IEEE)
IEEE Computer Society
SPOT Consulting
Fraunhofer Institut fuer Arbeitswirtschaft und Organisation (IAO)
European Network and Information Security Agency (ENISA)
gutachten.info
Universitaet
[Full-disclosure] Drupal Print Module Multiple Vulnerabilities
Vulnerability Report

Date of Original Vendor Contact: May 27, 2009
Author: Justin C. Klein Keane

Details of this vulnerability are also posted at the public URL http://lampsecurity.org/drupal-print-module-vulnerabilities

Description of Vulnerability:
-----------------------------

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL that provides extensibility through various third party modules. The Printer, e-mail and PDF versions (hereafter referred to as Print) module (http://drupal.org/project/print) allows for the generation of printer friendly versions of nodes, PDF version of nodes, and the sending of nodes to e-mail recipients.

The Print module contains numerous cross site scripting (XSS) vulnerabilities:

The Print module contains a XSS vulnerability because it does not properly sanitize the output of the footers in printer friendly views. This allows users with 'administer print' permissions to inject arbitrary HTML in the footer field that is rendered whenever the printer friendly version of any node is displayed.

The Print module also contains a XSS vulnerability due to the fact that 'Stylesheet URL' input is not properly sanitized when displayed. This allows malicious users the ability to inject external stylesheet locations into the link tag displayed on printer friendly versions of nodes. This vulnerability, combined with Internet Explorer support for "expression" in CSS allows for XSS attacks.

The print module also contains a XSS vulnerability due to the fact that the 'site name' is not properly sanitized when displaying e-mail confirmation in the "Thank you for spreading the word about [site_name]" area.

The print module also contains a XSS vulnerability due to the fact that it does not properly sanitize the 'Thank You Message:' input.

The print module also contains a XSS vulnerability due to the fact that it does not properly sanitize node titles for display in the breadcrumbs on printer friendly versions of nodes.

The print module also contains a XSS vulnerability due to the fact that it does not properly sanitize the 'font family' setting when displaying PDF versions of nodes.

Systems affected:
-----------------

Drupal 6.12 with Print 6.x-1.7 and TCPDF 4.6.012 was tested and shown to be vulnerable to footer XSS injection. Drupal 6.12 with Print 6.x-1.7 and IE 6 was tested and shown to be vulnerable to link XSS injection. Additional testing indicated that the 5.x branch of the Print module is also vulnerable. Versions of Drupal more recent than those tested are likely affected as well.

Impact:
-------

XSS vulnerabilities may expose site administrative accounts to compromise which could lead to web server process compromise.

Mitigating factors:
-------------------

Print must be installed and enabled. Attacker must have 'administer print' permissions in order to carry out the proof of concept exploit detailed below. Site administration permissions are required to carry out the site name injection described in the proof of concept below. Internet Explorer is vulnerable to the malicious style sheet inclusion proof of concept detailed below, other browsers may not be affected depending on their support for the 'expression' statement in cascading style sheets (CSS). Note that the proof of concept provided utilizes known attack vectors, other vectors may exist.

Proof of concept:
-----------------

1. Install Drupal 6.12.
2. Install Print and enable all Print functionality through Administer -> Modules. Install TCPDF per the Print module INSTALL.txt
3. In Administer -> Site configuration set the site name to "alert('site name');"
4. Create a new content node with the title "alert('node title');"
5. Click "Save configuration"
6. Create malicious stylesheet at arbitrary URL (for this PoC the stylesheet is at http://192.168.0.2/style.css). Include the following: BODY { width:expression(alert("stylesheet xss")); }
7. Click on Administer -> Site Configuration -> Printer, e-mail and PDF versions
8. Select the 'Settings' link
9. Fill in "http://192.168.0.2/style.css' a='" for the "Stylesheet URL"
10. Expand the "Footer options" input area
11. Check the "User-specified" radio button
12. Fill in "alert('footer xss');" for the "User-specified:" text input
13. Click the "Save configuration" button
14. Navigate to the homepage
15. View the node created in step 3 above and click the "Printer-friendly version" link
16. Observe three JavaScript alerts in IE, other browsers may only display the node title and footer XSS alerts.
17. Return to the node view and click the "Send to friend" link. Fill in arbitrary values and click the "Send e-mail" button
18. Observe the site name JavaScript alert
19. Modify the PDF settings from Administer -> Site configuration -> Printer, e-mail and PDF versions.
20. Fill in "dejavusans' alert('font family');" in the "Font F
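The common root cause in the advisory is output that is interpolated without encoding for its context. The following is an added example in plain PHP, not the Print module's code and not Drupal's API; the function names are hypothetical and the inputs are constructed in the shape of the proof of concept above.

```php
<?php
// Added example: context-appropriate output encoding for three of the sinks
// the advisory lists (stylesheet URL inside a <link> href, node title / site
// name as text, the user-specified footer). Plain PHP, no Drupal API assumed.

// Plain-text values (node title in the breadcrumb, site name in the e-mail
// confirmation): escape so the value can never open a tag or an attribute.
function print_safe_text($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stylesheet URL: accept http(s) only, then escape so a quote in the value
// cannot terminate the href attribute (the "...css' a='" shape in the PoC).
// Which hosts may serve a stylesheet at all is governed by who holds the
// 'administer print' permission; escaping only stops the attribute breakout.
function print_safe_stylesheet_link($url) {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return '';
    }
    return '<link rel="stylesheet" type="text/css" href="' . print_safe_text($url) . '" />';
}

// Footer: the vulnerable shape interpolates the admin-supplied value raw, the
// hardened shape treats it as text. If limited markup is required, use an
// allowlist filter such as Drupal's filter_xss() rather than strip_tags(),
// which leaves event-handler attributes on the tags it allows.
function print_footer_unsafe($footer) {
    return '<div class="print-footer">' . $footer . '</div>';
}
function print_footer_safe($footer) {
    return '<div class="print-footer">' . print_safe_text($footer) . '</div>';
}

// Constructed inputs modelled on the proof of concept.
$title  = "<script>alert('node title');</script>";
$css    = "http://192.168.0.2/style.css' a='";
$footer = "<script>alert('footer xss');</script>";

echo print_safe_text($title), "\n";
echo print_safe_stylesheet_link($css), "\n";
echo print_footer_unsafe($footer), "\n";   // the script tag reaches the browser
echo print_footer_safe($footer), "\n";     // rendered inertly as text
```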
[Full-disclosure] Linux NULL pointer dereference due to incorrect proto_ops initializations
Linux NULL pointer dereference due to incorrect proto_ops initializations

In the Linux kernel, each socket has an associated struct of operations called proto_ops which contain pointers to functions implementing various features, such as accept, bind, shutdown, and so on. If an operation on a particular socket is unimplemented, they are expected to point the associated function pointer to predefined stubs, for example if the "accept" operation is undefined it would point to sock_no_accept().

However, we have found that this is not always the case and some of these pointers are left uninitialized. This is not always a security issue, as the kernel validates the pointers at the call site, such as this example from sock_splice_read:

    static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
                                    struct pipe_inode_info *pipe, size_t len,
                                    unsigned int flags)
    {
        struct socket *sock = file->private_data;

        if (unlikely(!sock->ops->splice_read))
            return -EINVAL;

        return sock->ops->splice_read(sock, ppos, pipe, len, flags);
    }

But we have found an example where this is not the case; the sock_sendpage() routine does not validate the function pointer is valid before dereferencing it, and therefore relies on the correct initialization of the proto_ops structure.

We have identified several examples where the initialization is incomplete:

- The SOCKOPS_WRAP macro defined in include/linux/net.h, which appears correct at first glance, was actually affected. This includes PF_APPLETALK, PF_IPX, PF_IRDA, PF_X25 and PF_AX25 families.
- Initializations were missing in other protocols, including PF_BLUETOOTH, PF_IUCV, PF_INET6 (with IPPROTO_SCTP), PF_PPPOX and PF_ISDN.

Affected Software
-----------------

All Linux 2.4/2.6 versions since May 2001 are believed to be affected:

- Linux 2.4, from 2.4.4 up to and including 2.4.37.4
- Linux 2.6, from 2.6.0 up to and including 2.6.30.4

Consequences
------------

This issue is easily exploitable for local privilege escalation. In order to exploit this, an attacker would create a mapping at address zero containing code to be executed with privileges of the kernel, and then trigger a vulnerable operation using a sequence like this:

    /* ... */
    int fdin = mkstemp(template);
    int fdout = socket(PF_PPPOX, SOCK_DGRAM, 0);
    unlink(template);
    ftruncate(fdin, PAGE_SIZE);
    sendfile(fdout, fdin, NULL, PAGE_SIZE);
    /* ... */

Please note, sendfile() is just one of many ways to cause a sendpage operation on a socket.

Successful exploitation will lead to complete attacker control of the system.

Mitigation
----------

Recent kernels with mmap_min_addr support may prevent exploitation if the sysctl vm.mmap_min_addr is set above zero. However, administrators should be aware that LSM based mandatory access control systems, such as SELinux, may alter this functionality.

It should also be noted that all kernels up to 2.6.30.2 are vulnerable to published attacks against mmap_min_addr.

Solution
--------

Linus committed a patch correcting this issue on 13th August 2009.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

Credit
------

This bug was discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team.

--
tav...@sdf.lonestar.org | finger me for my gpg key.
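The advisory contrasts a call site that validates the ops pointer (sock_splice_read) with one that does not (sock_sendpage). The following is an added userland model of that contrast, not kernel code: the struct, stub and family names are constructed, and the audit helper shows the completeness check a reviewer of an ops table would want.

```c
#include <errno.h>
#include <stdio.h>

/* Added userland model of the pattern described above (not kernel code): an
 * ops table of function pointers, the stub a family should install for an
 * unsupported op, a caller that dereferences blindly and one that checks. */
typedef long (*op_fn)(const char *buf, size_t len);

struct model_ops {
    const char *family;   /* constructed family name, for reporting */
    op_fn sendpage;
    op_fn splice_read;
};

/* Stand-in for the sock_no_*() stubs: what an unimplemented op should hold. */
static long model_no_op(const char *buf, size_t len)
{
    (void)buf; (void)len;
    return -EOPNOTSUPP;
}
static long model_do_sendpage(const char *buf, size_t len)
{
    (void)buf;
    return (long)len;   /* pretend the whole buffer was queued */
}

/* Vulnerable shape: trusts that initialization was complete; a NULL entry means control transfers to address zero. */
static long sendpage_unchecked(const struct model_ops *ops, const char *buf, size_t len)
{
    return ops->sendpage(buf, len);
}

/* Hardened shape: the call-site validation sock_splice_read() performs. */
static long sendpage_checked(const struct model_ops *ops, const char *buf, size_t len)
{
    if (!ops->sendpage)
        return -EINVAL;
    return ops->sendpage(buf, len);
}

/* Audit helper: number of entries left unset (zero means every op points at
 * a real implementation or at the stub). */
static int ops_missing(const struct model_ops *ops)
{
    return (ops->sendpage == NULL) + (ops->splice_read == NULL);
}

/* Constructed tables: one complete, one with sendpage left unset. */
static const struct model_ops complete_ops   = { "model_complete",   model_do_sendpage, model_no_op };
static const struct model_ops incomplete_ops = { "model_incomplete", NULL,              model_no_op };

int main(void)
{
    const struct model_ops *tables[2] = { &complete_ops, &incomplete_ops };
    for (int i = 0; i < 2; i++)   /* only the checked caller is safe on both */
        printf("%s: %d unset op(s), checked sendpage -> %ld\n", tables[i]->family,
               ops_missing(tables[i]), sendpage_checked(tables[i], "abc", 3));
    printf("unchecked sendpage on complete table -> %ld\n",
           sendpage_unchecked(&complete_ops, "abc", 3));
    return 0;
}
```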
[Full-disclosure] BART disclosure by Jacob Appelbaum
I have a question about the recent BART disclosure by Jacob Appelbaum or supposedly by Jacob Appelbaum. Which technical details about BART magstripes are correct?

Thanks.