Re: [Full-disclosure] [SECURITY] [DSA 2200-1] nss security update
On 2011-08-31 20:37, Packet Storm wrote: Is this supposed to be DSA-2201-1 and not DSA-2200-1? DSA-2200-1 already exists as an Iceweasel advisory.. You would really expect DSA-2299 to be followed by DSA-2300, but apparently there was an overflow. ;) ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] China - the land of open proxies
I'd be interested to know if you find more than 1% active in that list. My timeout was 45 seconds, so you might do much better if you're patient. But the live ones are usually pretty fast. I forgot to post list yesterday after testing. |NiX| Checked 135440 proxies in 0 days 4 hours 11 minutes 57 seconds. Threads used: 125 Working proxies: 429 429 working out of 135k is not that bad from an old list. Here's the list: http://pastebin.com/sEuxdV8f You may want to recheck it since it's about 15 hours old. The Taiwanese proxies aren't blocked like the ones on the mainland. They are the best. I don't think it's a botnet, though. I think it's just stupid programming. But, I don't have any hard evidence one way or the other. Neither do I but it's likely a botnet or bad progamming. I mean just like the port 27977 proxies, there were a ton of them and afterwards it proved to be botnet. BTW, I am a great fan of your work. I would appreciate a Pro TIP or two on how you do it if you have the time. What kind of tips you're looking for? How do I do it? Im hard worker and usually if I do something, I do it as good as I can or I don't do it all. That's my motto. Thanks, Hinky On Thu, 2011-09-01 at 22:39 +0300, n...@myproxylists.com wrote: In July, hundreds of Chinese proxies on port 8909 started showing up every day on public proxy lists. In August the daily numbers were in the thousands. Here is the list I collected during that period. There are 135K proxies in this file (text, tab delimited, ~8 megs). http://www.mrhinkydink.com/utmods/135k.txt You may want to right-click and save as. This is offered as data you may be able to use for forensic purposes or router block lists. Most of these proxies are currently offline. When they are online, they're very good proxies. I believe this is similar to the PPLiveVA issue with TCP port 9415 that I noted back in April. http://mrhinkydink.blogspot.com/2011/04/insecure-defaults-in-ppliveav-client.html New port 9415 proxies stopped showing up on proxy lists when 8909 began to take over, which leads me to believe this is the hot new media client (either Youku or QQ) in Chinese-speaking countries. Thanks for the list, I will post working proxies out of that list as soon as NiX Proxy Checker has finished. It can beat 600k proxy in 24 hours so this list has been checked in ~5.5 hours. I believe those proxies are new botnet proxies, just like port the U.S port 27977 ones were. PS. HTTP Proxy: 113.254.87.30:8909 RDNS: 113.254.87.30 |NiX| AnonyLevel: 1 Country: HONG KONG [HK] State/Region: - City: HONG KONG SSL CONNECT: No Delay: 3.18 seconds Nice post mrhinkydink ;) --Mr. Hinky Dink walk like a mannequin roll like a tyre act on reaction dodge the Big Spud Fryer http://mrhinkydink.blogspot.com ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] China - the land of open proxies
not asked, but ~suggested: This is offered as data you may be able to use for forensic purposes or router block lists. It's stupid to block blindly. So for example, every proxy is being tested before it's being added to the blacklist, at least when it comes to NiX API. This way if someone doubt it, the API will return when the proxy worked last and what type the proxy was and from which country/city. On Fri, Sep 2, 2011 at 12:42 AM, Thor (Hammer of God) t...@hammerofgod.com wrote: No agenda. Heâs providing a proxy list based on his continual research in the area.  He didnât ask you to block anything. T Common stock, we work around the clock; we shove the poles in the holes. From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of rancor Sent: Thursday, September 01, 2011 9:09 AM To: d...@mrhinkydink.com Cc: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] China - the land of open proxies 2011/9/1 Mr. Hinky Dink d...@mrhinkydink.com In July, hundreds of Chinese proxies on port 8909 started showing up every day on public proxy lists.  In August the daily numbers were in the thousands. Here is the list I collected during that period.  There are 135K proxies in this file (text, tab delimited, ~8 megs). http://www.mrhinkydink.com/utmods/135k.txt You may want to right-click and save as.  This is offered as data you may be able to use for forensic purposes or router block lists.  Most of these proxies are currently offline.  When they are online, they're very good proxies. You maybe just want us to block this IP since the most are offline and we will not be able to verify it's existens... What is your agenda? ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- Ferenc Kovács @Tyr43l - http://tyrael.hu ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-11-278: Novell Cloud Manager Insufficient Framework User Validation Vulnerability
ZDI-11-278: Novell Cloud Manager Insufficient Framework User Validation Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-278 September 2, 2011 -- CVE ID: CVE-2011-2654 -- CVSS: 9.3, (AV:N/AC:M/Au:N/C:C/I:C/A:C) -- Affected Vendors: Novell -- Affected Products: Novell eDirectory -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Cloud Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within how the application implements an RPC method. Due to incompletely initializing an object, the application will store a partially initialized session. This partially initialized session will allow one to make privileged RPC calls to the server. This can lead to code execution under the context of the service. -- Vendor Response: Novell has issued an update to correct this vulnerability. More details can be found at: http://download.novell.com/Download?buildid=NSONlV5PqMo~ -- Disclosure Timeline: 2011-04-04 - Vulnerability reported to vendor 2011-09-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * 1c239c43f521145fa8385d64a9c32243 -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-11-279: (0day) Witness Systems eQuality Unify Remote Code Execution Vulnerability
ZDI-11-279: (0day) Witness Systems eQuality Unify Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-279 September 2, 2011 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Nortel Witness Systems -- Affected Products: Nortel Contact Recording and Quality Monitoring Witness Systems eQuality -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Witness Systems eQuality Suite. This application is bundled with Nortel Contact Recording and Quality Monitoring Suite. Authentication is not required to exploit this vulnerability. The flaw exists within the Unify2.exe component which listens by default on TCP port 6821. When handling a packet type the process trusts a remaining packet length value provided by the user and blindly copies user supplied data into a fixed-length buffer on the stack. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user. -- Vendor Response: Nortel states: Due to the small number of installations using this software the risk of potential exploitation has been determined to be very low and therefore this issue will not be addressed. Avaya recommends implementing firewall rules that restrict access to trusted hosts to mitigate the risk. Witness Systems: No response was ever given. -- Disclosure Timeline: 2011-03-01 - Vulnerability reported to vendor 2011-09-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * AbdulAziz Hariri of ThirdEyeTesters -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. On Fri, Sep 2, 2011 at 7:35 PM, CYBSEC Labs cybsecl...@cybsec.com wrote: ** Advisory Name: Windows Script Host DLL Hijacking Internal Cybsec Advisory Id: 2011-0901-Windows Script Host DLL Hijacking Vulnerability Class: Remote Command Execution Vulnerability Release Date: September 2, 2011 Affected Applications: Windows Script Host v5.6; other versions may also be affected Affected Platforms: Any running Windows Script Host v5.6 Local / Remote: Remote / Local Severity: High – CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) Researcher: Juan Manuel Garcia Vendor Status: Acknowedged Reference to Vulnerability Disclosure Policy : http://www.cybsec.com/vulnerability_policy.pdf Vulnerability Description: DLL Hijacking takes advantage of the way an application dynamically loads dll libraries without specifying a fully qualified path. This is usually done invoking the LoadLibrary and LoadLibraryEx functions to dynamically load DLLs. In order to exploit this vulnerability a user must open a file with an extension associated to the vulnerable application. A malicious dll, named exactly as a dll the apllications loads using the vulnerable function, must be placed in the same directory as the opened file. The application will then load the malicious dll instead of the original, thus executing the malicious code. The following application loads external libraries following an insufficiently qualified path. Application: wscript.exe Extensions: js, jse, vbe, vbs, wsf, wsh Library: wshesn.dll Exploit: Option 1 - Using the “msfpayload” Metasploit module as shown below: msfpayload windows/exec CMD=calc.exe D exploit.dll Option 2 - Using the “webdav_dll_hijacker” Metasploit module. Impact: A successful exploit of this vulnerability leads to arbitrary code execution. Vendor Response: 2011/08/09 – Vulnerability was identified. 2011/08/19 – Cybsec sent detailed information on the issue and a Proof of Concept. 2011/08/19 – Vendor stated: “As a matter of policy, we cannot comment on ongoing investigations”. 2011/08/19 – Vendor was informed that the security advisory would be published after 15 days. 2011/09/02 – Vulnerability was released. Contact Information: For more information regarding the vulnerability feel free to contact the researcher at jmgarcia at cybsec dot com About CYBSEC S.A. Security Systems Since 1996, CYBSEC is engaged exclusively in rendering professional services specialized in Information Security. Their area of services covers Latin America, Spain and over 250 customers are a proof of their professional life. To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other software and/or hardware provider companies. Our services are strictly focused on Information Security, protecting our clients from emerging security threats, maintaining their IT deployments available, safe, and reliable. Beyond professional services, CYBSEC is continuously researching new defense and attack techniques and contributing with the security community with high quality information exchange. For more information, please visit www.cybsec.com (c) 2011 - CYBSEC S.A. Security Systems ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.” ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
LOL. Warning, if you get the user to execute code, then it is possible to get the user to execute code!! All you have to do is get files on their system, and then get them to execute those files! Note that once you get the user to execute the code, it will actually run in the context of that user!! This is remote code execution vulnerability! Welcome to today's Infosec! t From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Mario Vilas Sent: Friday, September 02, 2011 1:06 PM To: full-disclosure@lists.grok.org.uk Subject: Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. On Fri, Sep 2, 2011 at 7:35 PM, CYBSEC Labs cybsecl...@cybsec.commailto:cybsecl...@cybsec.com wrote: Advisory Name: Windows Script Host DLL Hijacking Internal Cybsec Advisory Id: 2011-0901-Windows Script Host DLL Hijacking Vulnerability Class: Remote Command Execution Vulnerability Release Date: September 2, 2011 Affected Applications: Windows Script Host v5.6; other versions may also be affected Affected Platforms: Any running Windows Script Host v5.6 Local / Remote: Remote / Local Severity: High - CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) Researcher: Juan Manuel Garcia Vendor Status: Acknowedged Reference to Vulnerability Disclosure Policy : http://www.cybsec.com/vulnerability_policy.pdf Vulnerability Description: DLL Hijacking takes advantage of the way an application dynamically loads dll libraries without specifying a fully qualified path. This is usually done invoking the LoadLibrary and LoadLibraryEx functions to dynamically load DLLs. In order to exploit this vulnerability a user must open a file with an extension associated to the vulnerable application. A malicious dll, named exactly as a dll the apllications loads using the vulnerable function, must be placed in the same directory as the opened file. The application will then load the malicious dll instead of the original, thus executing the malicious code. The following application loads external libraries following an insufficiently qualified path. Application: wscript.exe Extensions: js, jse, vbe, vbs, wsf, wsh Library: wshesn.dll Exploit: Option 1 - Using the msfpayload Metasploit module as shown below: msfpayload windows/exec CMD=calc.exe D exploit.dll Option 2 - Using the webdav_dll_hijacker Metasploit module. Impact: A successful exploit of this vulnerability leads to arbitrary code execution. Vendor Response: 2011/08/09 - Vulnerability was identified. 2011/08/19 - Cybsec sent detailed information on the issue and a Proof of Concept. 2011/08/19 - Vendor stated: As a matter of policy, we cannot comment on ongoing investigations. 2011/08/19 - Vendor was informed that the security advisory would be published after 15 days. 2011/09/02 - Vulnerability was released. Contact Information: For more information regarding the vulnerability feel free to contact the researcher at jmgarcia at cybsec dot com About CYBSEC S.A. Security Systems Since 1996, CYBSEC is engaged exclusively in rendering professional services specialized in Information Security. Their area of services covers Latin America, Spain and over 250 customers are a proof of their professional life. To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other software and/or hardware provider companies. Our services are strictly focused on Information Security, protecting our clients from emerging security threats, maintaining their IT deployments available, safe, and reliable. Beyond professional services, CYBSEC is continuously researching new defense and attack techniques and contributing with the security community with high quality information exchange. For more information, please visit www.cybsec.comhttp://www.cybsec.com (c) 2011 - CYBSEC S.A. Security Systems ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Reverse Proxy
Well your options are limited. You can look for some type of information disclosure, find other hosts the target owns and then scan their subnets for http servers, etc. And of course if the situation permits it, pwn the proxy and check their logs. Assuming you have permission naturally :P On Tue, Aug 30, 2011 at 1:58 PM, char...@funkymunkey.com wrote: Hi, I am wondering how someone would find out the IP address of a web server if it were behind a reverse proxy, but still on a public IP? Say for instance, the website was using CloudFlare, the A record points to CloudFlare but the website is hosted elsewhere on a public IP. Charlie --- This message was sent from the FunkyMunkey mail server (mail.funkymunkey.co.uk) If you have any queries/complaints regarding mail sent from this server please direct them to ad...@funkymunkey.com Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
You don't get the worst part: unsuccessful exploitation also leads to code execution. Scary stuff. On 09/02/2011 05:05 PM, Mario Vilas wrote: Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. On Fri, Sep 2, 2011 at 7:35 PM, CYBSEC Labs cybsecl...@cybsec.com wrote: ** Advisory Name: Windows Script Host DLL Hijacking Internal Cybsec Advisory Id: 2011-0901-Windows Script Host DLL Hijacking Vulnerability Class: Remote Command Execution Vulnerability Release Date: September 2, 2011 Affected Applications: Windows Script Host v5.6; other versions may also be affected Affected Platforms: Any running Windows Script Host v5.6 Local / Remote: Remote / Local Severity: High – CVSS: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) Researcher: Juan Manuel Garcia Vendor Status: Acknowedged Reference to Vulnerability Disclosure Policy : http://www.cybsec.com/vulnerability_policy.pdf Vulnerability Description: DLL Hijacking takes advantage of the way an application dynamically loads dll libraries without specifying a fully qualified path. This is usually done invoking the LoadLibrary and LoadLibraryEx functions to dynamically load DLLs. In order to exploit this vulnerability a user must open a file with an extension associated to the vulnerable application. A malicious dll, named exactly as a dll the apllications loads using the vulnerable function, must be placed in the same directory as the opened file. The application will then load the malicious dll instead of the original, thus executing the malicious code. The following application loads external libraries following an insufficiently qualified path. Application: wscript.exe Extensions: js, jse, vbe, vbs, wsf, wsh Library: wshesn.dll Exploit: Option 1 - Using the “msfpayload” Metasploit module as shown below: msfpayload windows/exec CMD=calc.exe D exploit.dll Option 2 - Using the “webdav_dll_hijacker” Metasploit module. Impact: A successful exploit of this vulnerability leads to arbitrary code execution. Vendor Response: 2011/08/09 – Vulnerability was identified. 2011/08/19 – Cybsec sent detailed information on the issue and a Proof of Concept. 2011/08/19 – Vendor stated: “As a matter of policy, we cannot comment on ongoing investigations”. 2011/08/19 – Vendor was informed that the security advisory would be published after 15 days. 2011/09/02 – Vulnerability was released. Contact Information: For more information regarding the vulnerability feel free to contact the researcher at jmgarcia at cybsec dot com About CYBSEC S.A. Security Systems Since 1996, CYBSEC is engaged exclusively in rendering professional services specialized in Information Security. Their area of services covers Latin America, Spain and over 250 customers are a proof of their professional life. To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is associated with other software and/or hardware provider companies. Our services are strictly focused on Information Security, protecting our clients from emerging security threats, maintaining their IT deployments available, safe, and reliable. Beyond professional services, CYBSEC is continuously researching new defense and attack techniques and contributing with the security community with high quality information exchange. For more information, please visit www.cybsec.com (c) 2011 - CYBSEC S.A. Security Systems ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
List, On 09/02/2011 06:45 PM, root wrote: You don't get the worst part: unsuccessful exploitation also leads to code execution. Scary stuff. On 09/02/2011 05:05 PM, Mario Vilas wrote: Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. I think that they're talking about that executing a trusted vbs could lead to the execution of malicious code. :S regards, -- Nahuel Grisolia - C|EH Information Security Consultant Bonsai Information Security Project Leader http://www.bonsai-sec.com/ (+54-11) 4777-3107 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
but if you execute a trusted vbs, you would successfully exploit anything wouldnt you ? id would be like running a dll using rundll32.exe my.dll , cept a vbs :s to me makes no sense, never has, and i know what loadlibrary does, i looked at the implications of theyre advisories, i remember when we were swarmed by about 100 dlls wich were not 'unloaded' rproperly... lol... ok anyhow, this makes no sense, executing a trusted vbs is 'script' many viruses have been named .vbs and run vb script...right? so why would we need news on this... xd On 3 September 2011 07:53, Nahuel Grisolia nah...@bonsai-sec.com wrote: List, On 09/02/2011 06:45 PM, root wrote: You don't get the worst part: unsuccessful exploitation also leads to code execution. Scary stuff. On 09/02/2011 05:05 PM, Mario Vilas wrote: Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. I think that they're talking about that executing a trusted vbs could lead to the execution of malicious code. :S regards, -- Nahuel Grisolia - C|EH Information Security Consultant Bonsai Information Security Project Leader http://www.bonsai-sec.com/ (+54-11) 4777-3107 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
What you say? my trolling hampered by facts? unpossible! On 09/02/2011 06:53 PM, Nahuel Grisolia wrote: List, On 09/02/2011 06:45 PM, root wrote: You don't get the worst part: unsuccessful exploitation also leads to code execution. Scary stuff. On 09/02/2011 05:05 PM, Mario Vilas wrote: Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. I think that they're talking about that executing a trusted vbs could lead to the execution of malicious code. :S regards, ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
On Fri, 02 Sep 2011 20:55:35 -, Thor (Hammer of God) said: LOL. Warning, if you get the user to execute code, then it is possible to get the user to execute code!! All you have to do is get files on their system, and then get them to execute those files! Note that once you get the user to execute the code, it will actually run in the context of that user!! This is remote code execution vulnerability! Welcome to today's Infosec! The sad part is that this is the future of infosec as well. Microsoft got the security religion a few years back, and even I have to admit their current stuff isn't that bad at all. The various Linux distros are (slowly) getting their acts together, and maybe even Apple and Adobe will see the light sometime reasonably soon. Yes, there will still be software failures - but once the effort of finding a new 0-day reaches a certain point, the economics change And once that happens, social engineering will become an even bigger part of both the attack and defense sides of infosec. For the black hats, the cost/ benefit of looking for effective 0-day holes will continue to drop, while the cost/benefit of phishing a user will remain steady - so that's a push towards more social engineering. Why go to the effort of spending 3 months finding a browser bug that allows you to push malware to the victim's machine, when you can just spend 45 minutes creating a Your machine is infected - click here to fix it pop-up that will catch 80% of the people? Meanwhile, as the software gets more hardened and patching is more automated, the white hats will find a bigger percent of their time is spent defending their systems from attacks triggered by their own users. Because the failure rate of people's brains is already about 4.7*10**9 times as high as the software failure rate, and the ratio is only getting worse - software is improving, people aren't. Prediction 1: 10 years from now, organized crime will be hiring cognitive psychologists to help design more effective phish the way they currently hire programmers to write better spambots. Prediction 2: It ain't gonna get better till the average IQ starts going up faster than the software improves. pgp0MojC9aHat.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
If it's a trusted .vbs then how would you drop a .dll in the same directory? If you have write permissions it's easier to just modify the .vbs. You might as well claim the added value is to backdoor a .vbs file subrepticiously so it doesn't show when inspecting the source code. But it doesn't add that much, really, since a new and misterious .dll file would also draw the attention, so it's probably easier to hide malicious intent into the source code by obfuscating it. On Fri, Sep 2, 2011 at 11:53 PM, Nahuel Grisolia nah...@bonsai-sec.comwrote: List, On 09/02/2011 06:45 PM, root wrote: You don't get the worst part: unsuccessful exploitation also leads to code execution. Scary stuff. On 09/02/2011 05:05 PM, Mario Vilas wrote: Are you guys seriously reporting that double clicking on a malicious .vbs file could lead to remote code execution? :P Either I'm missing something (and I'd welcome a rebuttal here!) or you might as well add .exe to that list. All those extensions are already executable. I think that they're talking about that executing a trusted vbs could lead to the execution of malicious code. :S regards, -- Nahuel Grisolia - C|EH Information Security Consultant Bonsai Information Security Project Leader http://www.bonsai-sec.com/ (+54-11) 4777-3107 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.” ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
I disagree. If this so called vulnerability had any added value in terms of social engineering, it would actually make sense to report it. Social engineering isn't bad, I really don't care how leet it is. My claim is simpler: this advisory makes no sense at all, because it replaces an easy way of exploitation for a hard way of exploitation, so its added value is actually *negative* for the attacker. Most likely whoever found this is new in the infosec world and never stopped to consider this details - he/she just blindly repeated what the dll injection crowd was doing and posted whatever results were found, without understanding really well what was going on. And THAT is the state of infosec today. People who report stuff for the sake of reporting, without really understanding how things work or why. On Fri, Sep 2, 2011 at 11:46 PM, valdis.kletni...@vt.edu wrote: On Fri, 02 Sep 2011 20:55:35 -, Thor (Hammer of God) said: LOL. Warning, if you get the user to execute code, then it is possible to get the user to execute code!! All you have to do is get files on their system, and then get them to execute those files! Note that once you get the user to execute the code, it will actually run in the context of that user!! This is remote code execution vulnerability! Welcome to today's Infosec! The sad part is that this is the future of infosec as well. Microsoft got the security religion a few years back, and even I have to admit their current stuff isn't that bad at all. The various Linux distros are (slowly) getting their acts together, and maybe even Apple and Adobe will see the light sometime reasonably soon. Yes, there will still be software failures - but once the effort of finding a new 0-day reaches a certain point, the economics change And once that happens, social engineering will become an even bigger part of both the attack and defense sides of infosec. For the black hats, the cost/ benefit of looking for effective 0-day holes will continue to drop, while the cost/benefit of phishing a user will remain steady - so that's a push towards more social engineering. Why go to the effort of spending 3 months finding a browser bug that allows you to push malware to the victim's machine, when you can just spend 45 minutes creating a Your machine is infected - click here to fix it pop-up that will catch 80% of the people? Meanwhile, as the software gets more hardened and patching is more automated, the white hats will find a bigger percent of their time is spent defending their systems from attacks triggered by their own users. Because the failure rate of people's brains is already about 4.7*10**9 times as high as the software failure rate, and the ratio is only getting worse - software is improving, people aren't. Prediction 1: 10 years from now, organized crime will be hiring cognitive psychologists to help design more effective phish the way they currently hire programmers to write better spambots. Prediction 2: It ain't gonna get better till the average IQ starts going up faster than the software improves. -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.” ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
hi, hope you are well, Prediction 3: Until spammers learn PROP use of english, things wont change, the spam will still ahve speeling errors. thats about the only thing saving some of us i think... thats my own observation, and seems to go back to when i was phreaking 'engineering' via telephone, using att pbx cards, to act like a security engineer at att to get more cards, wich, lasted many years... the people who could NOT phish, and relied on the few who could, were all europeans, wich yes now this has changed. originally, and in general, the better use of language wich is what prevails with most social engineering in any format and will always continue to, however, the use of english is also nowdays becoming easier to learn, people are becoming smarter from each failure, wich is why computers failure rate dissolves. Social engineering was the basis of many hackers/black or white, in some form, many years ago... there is not much documented on it but hey, im just yer avergae Eric jones. Anyhow, have a good day sir, interesting topically, in 2011.. cheers, xd On 3 September 2011 07:46, valdis.kletni...@vt.edu wrote: On Fri, 02 Sep 2011 20:55:35 -, Thor (Hammer of God) said: LOL. Warning, if you get the user to execute code, then it is possible to get the user to execute code!! All you have to do is get files on their system, and then get them to execute those files! Note that once you get the user to execute the code, it will actually run in the context of that user!! This is remote code execution vulnerability! Welcome to today's Infosec! The sad part is that this is the future of infosec as well. Microsoft got the security religion a few years back, and even I have to admit their current stuff isn't that bad at all. The various Linux distros are (slowly) getting their acts together, and maybe even Apple and Adobe will see the light sometime reasonably soon. Yes, there will still be software failures - but once the effort of finding a new 0-day reaches a certain point, the economics change And once that happens, social engineering will become an even bigger part of both the attack and defense sides of infosec. For the black hats, the cost/ benefit of looking for effective 0-day holes will continue to drop, while the cost/benefit of phishing a user will remain steady - so that's a push towards more social engineering. Why go to the effort of spending 3 months finding a browser bug that allows you to push malware to the victim's machine, when you can just spend 45 minutes creating a Your machine is infected - click here to fix it pop-up that will catch 80% of the people? Meanwhile, as the software gets more hardened and patching is more automated, the white hats will find a bigger percent of their time is spent defending their systems from attacks triggered by their own users. Because the failure rate of people's brains is already about 4.7*10**9 times as high as the software failure rate, and the ratio is only getting worse - software is improving, people aren't. Prediction 1: 10 years from now, organized crime will be hiring cognitive psychologists to help design more effective phish the way they currently hire programmers to write better spambots. Prediction 2: It ain't gonna get better till the average IQ starts going up faster than the software improves. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cybsec Advisory 2011 0901 Windows Script Host DLL Hijacking
I must agree, considering i have yet to see it used in even botnet circles, who would surely have used a decent local exploit if it was 'decent'... I know this dll hijacking, has gone unpassed to the community in general because of its useless ness. I agree completely, i never have seen this actively exploited, nor part of a decent framework where it can be used in a remote or local session Basically, it is something to wich i read the PDF on, and thought here is the most useless 'exploit' as it was being called , i have ever, laid eyes on , my opinion still has yet to be changed by any factor, there could be many factors, ie: exploitation even in the wild reported, or just someone saying hey dont forget blah.c! , but this aint happened, nor will... hey wanna read msdn and look and see how a lib is loaded would make more sense. I still dont see anything 'good' in this whole fiasco of the dll hijacking. no active code/poc. etc etc etc as i said, many factors id reconsider my stance on... anyhow, enjoyable topic. xd On 3 September 2011 11:03, Mario Vilas mvi...@gmail.com wrote: I disagree. If this so called vulnerability had any added value in terms of social engineering, it would actually make sense to report it. Social engineering isn't bad, I really don't care how leet it is. My claim is simpler: this advisory makes no sense at all, because it replaces an easy way of exploitation for a hard way of exploitation, so its added value is actually *negative* for the attacker. Most likely whoever found this is new in the infosec world and never stopped to consider this details - he/she just blindly repeated what the dll injection crowd was doing and posted whatever results were found, without understanding really well what was going on. And THAT is the state of infosec today. People who report stuff for the sake of reporting, without really understanding how things work or why. On Fri, Sep 2, 2011 at 11:46 PM, valdis.kletni...@vt.edu wrote: On Fri, 02 Sep 2011 20:55:35 -, Thor (Hammer of God) said: LOL. Warning, if you get the user to execute code, then it is possible to get the user to execute code!! All you have to do is get files on their system, and then get them to execute those files! Note that once you get the user to execute the code, it will actually run in the context of that user!! This is remote code execution vulnerability! Welcome to today's Infosec! The sad part is that this is the future of infosec as well. Microsoft got the security religion a few years back, and even I have to admit their current stuff isn't that bad at all. The various Linux distros are (slowly) getting their acts together, and maybe even Apple and Adobe will see the light sometime reasonably soon. Yes, there will still be software failures - but once the effort of finding a new 0-day reaches a certain point, the economics change And once that happens, social engineering will become an even bigger part of both the attack and defense sides of infosec. For the black hats, the cost/ benefit of looking for effective 0-day holes will continue to drop, while the cost/benefit of phishing a user will remain steady - so that's a push towards more social engineering. Why go to the effort of spending 3 months finding a browser bug that allows you to push malware to the victim's machine, when you can just spend 45 minutes creating a Your machine is infected - click here to fix it pop-up that will catch 80% of the people? Meanwhile, as the software gets more hardened and patching is more automated, the white hats will find a bigger percent of their time is spent defending their systems from attacks triggered by their own users. Because the failure rate of people's brains is already about 4.7*10**9 times as high as the software failure rate, and the ratio is only getting worse - software is improving, people aren't. Prediction 1: 10 years from now, organized crime will be hiring cognitive psychologists to help design more effective phish the way they currently hire programmers to write better spambots. Prediction 2: It ain't gonna get better till the average IQ starts going up faster than the software improves. -- “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.” ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/