[SECURITY] [DSA 2798-2] curl security update

At the SANS Hackfest Penetration Testing summit I had the pleasure of reminiscing with Jedi Master Ed Skoudis about assembly language on our old Commodore 64s. Then Ed made one of his typical profound statements. He said, "In the end, it is all peeks and pokes." On the Commodore 64 the PEEK command was used to read a value from memory. The POKE command was used to write a value to memory. Ultimately that is all we need to be able to control any process on any computer.

Doing a PEEK in live memory is easy with winpmem. I've already shown you how you can use Python and winpmem to read live memory. If you missed the article, click here to take a peek (pun intended). Today I'm going to show you how to poke. Not a Facebook poke; a Commodore 64 poke, which is, of course, much, much cooler. You see, winpmem can also write to anywhere in memory that you choose.

Winpmem has two different device drivers. One is used for read-only access to memory. The read-only driver is installed by default when you use the "-L" option, and it is the driver of choice for capturing forensic images. The other driver gives read and write access to memory. To install the write driver you run "winpmem_write_1.4.exe" and specify both the "-L" and the "-W" options.

Winpmem will indicate that write mode is enabled and gives you a friendly warning by saying, "Hope you know what your doing." Well, ignorance has never stopped me. But it is wise to save whatever you are working on before experimenting with this. You are using a device driver (running in kernel memory) and you can write anywhere you want in memory. That includes KERNEL memory space. You can very easily render your machine unusable, blue screen your box, or worse.

In yesterday's diary I showed you how you could read memory by calling two Python functions. Writing to memory also only requires two functions. First you call win32file.SetFilePointer() to set the address you want to update. Then you call win32file.WriteFile() to write the data. To make the process even simpler I'll add a writemem() function to the memsearch.py script I wrote yesterday. I add the following lines to yesterday's script (email me if you want a copy of the script, or grab a copy from yesterday's diary):

import win32file
def writemem(fd, location, data):
    # fd: the open winpmem write-device handle. 0 is FILE_BEGIN, so location
    # is an absolute physical-memory offset; data must be a byte string.
    win32file.SetFilePointer(fd, location, 0)
    win32file.WriteFile(fd, data)

Then I start the script and a Python interactive shell by running "python -i memsearch.py". Then I can use the memsrch() function to search for interesting data to update. In this case I am searching for the string "Command Prompt - python" in hopes of updating the title bar of my command prompt. It finds the string at several addresses in memory. Then I can call writemem() and update the string. When you provide a string to write to memory, keep in mind that strings in memory may be in ASCII, UTF-16LE or UTF-16BE format. In this example I wrote "P0wned Shell" in UTF-16LE format to the memory address 40345926. But it didn't update my command prompt title bar. Darn. Windows has several memory locations that contain that string. So I use readmem() to check the memory address to see if it changed. I can see that it did! The memory address contains the updated string.

One of the other addresses that I didn't change must contain our command prompt's title bar. memsrch() returns a list of all the addresses that contain the search string. So I could do something like this to change all of the instances of that string between two given addresses.

# every hit between the two physical addresses gets the UTF-16LE replacement
for addr in memsrch(fd, "Command Prompt - python", 0x100000, 0x3fef0000, 1000):
    writemem(fd, addr, "p0wned shell".encode("utf-16le"))

But, as I said, be careful. I've spent as much time rebooting my machine as I have actually writing code. A better approach is to import Volatility into your script so you can parse memory intelligently and update memory data structures rather than just guessing.

In their excellent paper titled "Anti-Forensics resilient memory acquisition", Johannes Stuttgen and Michael Cohen discuss how making small changes to magic values in memory data structures can defeat tools like Volatility. If you have a chance, give the paper a read. It is here.

If that sounds interesting to you and you want to know more about Python programming, check out SEC573 Python for Penetration Testers. I am teaching it in Reston, VA on March 17th! Click HERE for more information.

Follow me on twitter?  @MarkBaggett

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Qualcomm wants to make tablets and smartphones more perceptive by giving the devices a "silicon brain," company CEO Paul Jacobs said Wednesday.
After 12 years in IT, this month's Resume Makeover candidate has accumulated a wealth of experience, but his highlights and successes were hidden in a dense six-page resume. But our resume writer and career consultant cleared a new path to success.
Supercomputing power is being concentrated in a smaller number of machines, according to the latest Top500 list of high-performance computers. Keepers of the list are uncertain how to parse that trend.
SSL/TLS RC4 CVE-2013-2566 Information Disclosure Weakness
Linux Kernel IP Virtual Server Multiple Stack Buffer Overflow Vulnerabilities
SAP NetWeaver 'SHSTI_UPLOAD_XML()' Function XML External Entity Injection Vulnerability
SAProuter NI Route Message Handling Heap Buffer Overflow Vulnerability
SAP NetWeaver SAP Portal URI Redirection Weakness
SAP NetWeaver Logviewer Security Bypass Vulnerability
Micron is challenging conventional computer architectures conceived decades ago with Automata, a highly parallel processor that can change its behavior to process the task at hand.
NASA engineers have suspended the Mars rover Curiosity's work for a few days while they try to fix an electrical short circuit.
Crucial last week joined the ranks of leading vendors to announce it will be shipping DDR4 memory by the end of the year, but Intel and AMD aren't expected to begin supporting the new memory boards with their processors until late next year.
Microsoft today said it will ship the first service pack for Office 2013 sometime early next year -- most likely in late February -- if it sticks to its usual release cadence.
The International Space Station hit a major milestone today, marking 15 years in space.
Diagram showing how Tomdep receives commands and spreads to new machines.

Researchers have identified new self-replicating malware that infects computers running the Apache Tomcat Web server with a backdoor that can be used to attack other machines.

Java.Tomdep, as the backdoor worm has been dubbed, is Java Servlet-based code that gives Apache Tomcat platforms malicious capabilities. It causes infected machines to maintain Internet relay chat (IRC) communications with attacker servers located in Taiwan and Luxembourg. The control servers send commands and receive progress reports to and from the infected machines. Affected platforms include Linux, Mac OS X, Solaris, and most supported versions of Windows.

In a blog post published Wednesday, Takashi Katsuki, a researcher at security firm Symantec, said Java.Tomdep appears to be designed to harness the huge amounts of bandwidth and computing power available to Web servers for use in denial-of-service attacks against other machines. Unlike Darkleech and other malware targeting Web servers, there's no indication that it's used to attack end users visiting websites. Katsuki explained:

Joining Fedora and Ubuntu, the new version of the community driven OpenSUSE can now be run on AArch64 processors, further preparing the market for servers running on the new 64-bit ARM architecture.
Dell's new Venue 8 Pro Windows 8.1 tablet offers users a fine display, good features and impressive audio -- at a reasonable price.
Open DC Hub 'MyInfo' Message Remote Stack Buffer Overflow Vulnerability
cTorrent and dTorrent Torrent File Buffer Overflow Vulnerability
More than a year after the FTC heralded a major crackdown on fraudsters posing as Microsoft technical support personnel, consumers continue to receive calls from scammers.
[ MDVSA-2013:270 ] nss
[ MDVSA-2013:269 ] firefox
The National Institute of Standards and Technology (NIST) is requesting comments on its updated draft publication on information technology and cybersecurity role-based training for federal organizations.
Epson and Evena today unveiled their Eyes-On Glasses System, which enables nurses to see a patient's vasculature system to help locate hard-to-find veins beneath the skin.
LinuxSecurity.com: Multiple vulnerabilities have been found in OpenVPN, allowing remote attackers to read encrypted traffic.
LinuxSecurity.com: A vulnerability in Open DC Hub could result in execution of arbitrary code.
LinuxSecurity.com: A stack-based buffer overflow in CTorrent might allow a remote attacker to execute arbitrary code or cause a Denial of Service condition.
Google Chrome CVE-2013-6631 Use After Free Remote Code Execution Vulnerability
Hackers reportedly stole 42 million customer records including email addresses and clear-text passwords from Cupid Media, a network of dating websites.
Popular source code repository service GitHub has recently been hit by a brute-force password-guessing attack that successfully compromised some accounts.
Qualcomm has introduced a mobile chip that will play back 4K video on smartphones and tablets in addition to supporting the latest 802.11ac Wi-Fi.
Kaseya 'SystemTab/UploadImage.asp' Arbitrary File Upload Vulnerability
Mozilla Netscape Portable Runtime CVE-2013-5607 Integer Overflow Vulnerability
Google's futuristic Glass headgear is currently available only to developers and early adopters, the so-called Glass Explorers, with commercial release expected sometime next year. But Google Glass is already raising questions about its use behind the wheel of an automobile. Is using the head-mounted device for navigation or other purposes inherently riskier than using, say, a smartphone while driving? Or is it actually safer?
Three prominent U.S. senators have in a federal court filing questioned the claim of the National Security Agency that its bulk collection of phone records is required for intelligence purposes.
Wikimedia Foundation has asked editing services firm Wiki-PR to cease and desist editing the Wikipedia site for allegedly authoring articles for money and passing them off as written by unbiased sources.
Much has been made about the "Internet of things," but behind every device is a customer, and companies that fail to recognize this do so at their own peril, according to Salesforce.com CEO Marc Benioff.
Apple repeatedly bows to censorship demands in places like China.

Huge chunks of Internet traffic belonging to financial institutions, government agencies, and network service providers have repeatedly been diverted to distant locations under unexplained circumstances that are stoking suspicions the traffic may be surreptitiously monitored or modified before being passed along to its final destination.

Researchers from network intelligence firm Renesys made that sobering assessment in a blog post published Tuesday. Since February, they have observed 38 distinct events in which large blocks of traffic have been improperly redirected to routers at Belarusian or Icelandic service providers. The hacks, which exploit implicit trust placed in the border gateway protocol used to exchange data between large service providers, affected "major financial institutions, governments, and network service providers" in the US, South Korea, Germany, the Czech Republic, Lithuania, Libya, and Iran.

The ease of altering or deleting authorized BGP routes, or of creating new ones, has long been considered a potential Achilles Heel for the Internet. Indeed, in 2008, YouTube became unreachable for virtually all Internet users after a Pakistani ISP altered a route in a ham-fisted attempt to block the service in just that country. Later that year, researchers at the Defcon hacker conference showed how BGP routes could be manipulated to redirect huge swaths of Internet traffic. By diverting it to unauthorized routers under control of hackers, they were then free to monitor or tamper with any data that was unencrypted before sending it to its intended recipient with little sign of what had just taken place.

Having spent a few weeks with the new iPad Air, columnist Michael deAgonia is ready to declare that it's a stunning improvement on what was already a rightfully successful tablet.
Yahoo is taking a "mobile first" approach to its product strategy, to the point where mobility could reinvent the company, according to CEO Marissa Mayer.
NetApp is upgrading its lineup of dedicated storage systems, rolling out a faster all-flash array and improved platforms for branch offices and large enterprises.
Anyone looking for clues Tuesday from Microsoft's annual shareholders meeting about who will next lead the technology firm came away disappointed.
Google gave developers at its Hackathon in San Francisco on Tuesday a look at its upcoming Glass Development Kit and launched five new Glassware apps.

GitHub is experiencing an increase in user account hijackings that's being fueled by a rash of automated login attempts from as many as 40,000 unique Internet addresses.

The site for software development projects has already reset passwords for compromised accounts and banned frequently used weak passcodes, officials said in an advisory published Tuesday night. Out of an abundance of caution, site officials have also reset some accounts that were protected with stronger passwords. Accounts that were reset despite having stronger passwords showed login attempts from the same IP addresses involved in successful breaches of other GitHub accounts.

"While we aggressively rate-limit login attempts and passwords are stored properly, this incident has involved the use of nearly 40K unique IP addresses," Tuesday night's advisory stated. "These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this. In addition, you will no longer be able to login to GitHub.com with commonly used weak passwords."

Appologics AirBeam v1.9.2 iOS - Multiple Web Vulnerabilities

A hack on niche online dating service Cupid Media earlier this year has exposed names, e-mail addresses, and—most notably—plaintext passwords for 42 million accounts, according to a published report.

The cache of personal information was found on the same servers that housed tens of millions of records stolen in separate hacks on sites including Adobe, PR Newswire, and the National White Collar Crime Center, KrebsonSecurity journalist Brian Krebs reported Tuesday night. An official with Southport, Australia-based Cupid Media told Krebs that user credentials appeared to be connected to "suspicious activity" that was detected in January. Officials believed they had notified all affected users, but they are in the process of double-checking that all affected accounts have had their passwords reset in light of Krebs' discovery.

The compromise of 42 million passwords makes the episode one of the bigger passcode breaches on record. Adding to the magnitude is the revelation the data was in plaintext, instead of a cryptographically hashed format that requires an investment of time, skill, and computing power to crack. As Krebs noted:

Mybb Ajaxfs Plugin Sql Injection vulnerability
Paypal Bug Bounty #14 - Persistent Payment Mail Encoding Vulnerability
[ MDVSA-2013:268 ] torque

Posted by InfoSec News on Nov 20


Business Insider
NOV. 19, 2013

The next generation hackers may be taking to sound waves, and the Navy is
understandably spooked.

Speaking at last week's Defense One conference, retired Capt. Mark
Hagerott cited recent reports about sonic computer viruses as one way that
hackers could "jump the air gap" and target...

Posted by InfoSec News on Nov 20


By Michael Lee
ZDNet News
November 20, 2013

Brisbane's traffic management systems have been found vulnerable to attack
under an audit conducted by the Queensland Audit Office (QAO).

Over a three week period, QAO performed penetration tests (PDF) of the
systems used to manage traffic infrastructure in Brisbane and found that
it was able to...

Posted by InfoSec News on Nov 20


By Brian Krebs
Krebs on Security
November 20, 2013

An intrusion at online dating service Cupid Media earlier this year
exposed more than 42 million consumer records, including names, email
addresses, unencrypted passwords and birthdays, according to information
obtained by KrebsOnSecurity.

The data stolen from Southport, Australia-based niche dating service Cupid...

Posted by InfoSec News on Nov 20


By Antone Gonsalves
CSO Online
November 18, 2013

The sketchy details in an FBI warning that hacktivists breached computer
systems of multiple government agencies and stole sensitive information
have fueled speculation on how the compromises occurred.

In a memo obtained by Reuters, the Federal Bureau of Investigation said

Posted by InfoSec News on Nov 20


November 19, 2013

Not only is healthcare.gov at risk, it may already have been compromised,
a security expert testified before the Senate.

"Hackers are definitely after it," said David Kennedy, CEO of information
security firm TrustedSEC before a House Science, Space, and Technology
committee hearing on security concerns...