Posts Tagged ‘Security’

Microsoft updates ASP.NET Flaw CVE-2010-333 with fix

September 29th, 2010 No comments

As mentioned earlier, the ASP.NET Session Security flaw has been keeping all .NET developers and Microsoft on the ball about possible exploits with their applications. Microsoft have updated their security advisory CVE-2010-333 with more information about the severity of the flaw – it’s taking Exchange and SharePoint down with it too.

See Microsoft Security Bulletin MS10-070 for affected products and download the update fix for your setup :)

For ease of downloading, some configurations for you:


ASP.NET Session Cookie Crypto Attack Exploiting

September 20th, 2010 No comments

If the Linux CVE-2010-3081: 64bit Linux Kernel Root Exploit didn’t get you, then this little birdy might. It seems the implementation of the AES encryption algorithm which protects the integrity of the Session Cookies in ASP.NET has a weakness which could enable an attacker to hijack sessions – Which bank? The idea behind the use of AES is to ensure that the encrypted data hasn’t been tampered with (and is hence decryptable), but unfortunately the flawed implementation of AES and the way it handles errors give out some much-needed clues for an attacker to pursue.

From TheThreatPost article:

In this case, ASP.NET’s implementation of AES has a bug in the way that it deals with errors when the encrypted data in a cookie has been modified. If the ciphertext has been changed, the vulnerable application will generate an error, which will give an attacker some information about the way that the application’s decryption process works. More errors means more data. And looking at enough of those errors can give the attacker enough data to make the number of bytes that he needs to guess to find the encryption key small enough that it’s actually possible.

There is a Microsoft Security Advisory (2416728) which gives some workarounds until a proper fix is made available. What’s really concerning is this little tidbit from Thai Duong about using their tool, the Padding Oracle Exploit Tool or POET:

“It’s worth noting that the attack is 100 [per cent] reliable, [that is], one can be sure that once they run the attack, they can exploit the target. It’s just a matter of time. If the attacker is lucky, then he can own any ASP.NET website in seconds. The average time for the attack to complete is 30 minutes. The longest time it ever takes is less than 50 minutes.”

What’s really interesting is seeing the video of the exploit in action on dotnetnuke (don’t close your eyes). ScottGu has blogged about this exploit, going into far more detail than I can, but if you’re keen there’s a nice document on using the Padding Oracle exploit that includes discussions of the JSF view state, cracking CAPTCHA schemes, as well as some juicy details on CBC-R.


CVE-2010-3081: 64bit Linux Kernel Root Exploit

September 20th, 2010 1 comment

Well, it’s been a heavy week on the security front. First up is a Linux root exploit for 64-bit machines.

A vulnerability in the 32-bit compatibility layer for 64-bit systems was reported. It is caused by insecure allocation of user space memory when translating system call inputs to 64-bit. A stack pointer underflow can occur when using the “compat_alloc_user_space” method with an arbitrary length input.

What does that mean? Essentially, the compat_alloc_user_space function was missing some sanity checks: one on the length, and one to ensure that the pointer to the block of memory is valid, i.e. within the user space of the process. The fix has already been committed, but if you are running any x64 version of Linux, make sure you update your kernel – especially now that the exploit code is publicly available!
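The two missing checks, as a user-space model added here for illustration (not kernel code and not the committed fix): the model_* names, the MODEL_USER_TOP boundary and the sample addresses are assumptions. It shows how an unchecked subtraction from the stack pointer wraps out of user space, and how a length bound plus a range check reject the same requests.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model value, not taken from any real kernel build. */
#define MODEL_USER_TOP 0xffffe000ULL /* hypothetical top of 32-bit user space */

/* Stand-in for the kernel range check: [addr, addr+len) must be user memory. */
static int model_range_ok(uint64_t addr, uint64_t len)
{
    return len <= MODEL_USER_TOP && addr <= MODEL_USER_TOP - len;
}

/* Missing checks: carve len bytes below the user stack pointer, unconditionally. */
static uint64_t model_alloc_unchecked(uint64_t user_sp, uint64_t len)
{
    return user_sp - len; /* wraps past zero when len > user_sp */
}

/* With checks: bound the length first, then validate the resulting range.
 * A return value of 0 plays the role of NULL for the caller. */
static uint64_t model_alloc_checked(uint64_t user_sp, uint64_t len)
{
    uint64_t ptr;

    if (len > (UINT32_MAX >> 1)) /* over half the 32-bit space: refuse */
        return 0;
    ptr = user_sp - len;
    if (!model_range_ok(ptr, len)) /* underflowed or outside user space */
        return 0;
    return ptr;
}

int main(void)
{
    /* Constructed (stack pointer, requested length) pairs. */
    const uint64_t cases[][2] = {
        { 0xffffd000ULL, 0x100 },         /* ordinary request */
        { 0xffffd000ULL, 0xfffff000ULL }, /* oversized length */
        { 0x1000, 0x3000 },               /* small length, low stack pointer */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("sp=%#llx len=%#llx unchecked=%#llx checked=%#llx\n",
               (unsigned long long)cases[i][0], (unsigned long long)cases[i][1],
               (unsigned long long)model_alloc_unchecked(cases[i][0], cases[i][1]),
               (unsigned long long)model_alloc_checked(cases[i][0], cases[i][1]));
    return 0;
}
```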

Read up on the exploit by Jeff Arnold from Ksplice and use this very useful CVE-2010-3081 high-profile exploit detection tool to determine if your boxens are already compromised.

Of particular note from his article is the breadth of exploitable distributions – see the references below for vendor specific information:

This vulnerability was introduced into the Linux kernel in April 2008, and so essentially every distribution is affected, including RHEL, CentOS, Debian, Ubuntu, Parallels Virtuozzo Containers, OpenVZ, CloudLinux, and SuSE, among others. A few vendors have released kernels that fix the vulnerability if you reboot, but other vendors, including Red Hat, are still working on releasing an updated kernel.

After downloading and running the tool under a non-sudo account, you should cheerfully get the following output.

thushan@dingo:~/tmp$ ./diagnose-2010-3081
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(see http://www.ksplice.com/uptrack/cve-2010-3081)

$$$ Kernel release: 2.6.32-23-server
!!! Not a RHEL kernel, will skip LSM method
$$$ Backdoor in LSM (1/3): not available.
$$$ Backdoor in timer_list_fops (2/3): checking...not present.
$$$ Backdoor in IDT (3/3): checking...not present.

Your system is free from the backdoors that would be left in memory by the published exploit for CVE-2010-3081.
thushan@dingo:~/tmp$

If not, it’s time to put those security drills into action!

References


Boffins get 1,000,000 Linux Kernels running as virtual machines!

August 4th, 2009 No comments

That’s right, that wasn’t a typo. Some crazy boffins at Sandia National Laboratories in Livermore have run more than a million Linux kernels as virtual machines, out of which 20,000 can be run simultaneously! Why on earth would they attempt such feats?

Perhaps this XKCD may jog your memory:

XKCD: Networking

Yep, just about:

The technique will allow them to effectively observe behaviour found in malicious botnets, or networks of infected machines that can operate on the scale of a million nodes.

Insane!


Apple Security: I’m in yo keeboards hax0ring yo porn sitez.

August 2nd, 2009 No comments

I’ll let you decide if this is LOL worthy.

APPLE KEYBOARDS ARE vulnerable to a hack that puts keyloggers and malware directly into the keyboard. This could be a serious problem, and now that the presentation and code is out there, the bad guys will surely be exploiting it.

The vulnerability was discovered by K. Chen, and he gave a talk on it at Blackhat this year. The concept is simple, a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working ram. For the intelligent, this is more than enough space to have a field day.

Nothing is encrypted, decrypted, and the process is simple. You then resume HIDFirmwareUpdaterTool, and in a few seconds, your keyboard is compromised. Formatting the OS won’t do you any good, the code is in keyboard flash. There are no batteries to pull, no nothing, the keyboard is simply compromised.

Then from the proof of concept document:

The application checks a number of properties of the keyboard and checks the validity of the firmware image file kbd 0x0069 0x0220.irrxfw in the bundle. The firmware validity checking routine is called CRC32: and is the 75 byte routine starting at 0x00003005. Despite the name, this routine does not do CRC32 at all and in fact, it simply just adds up the bytes of the firmware image file and the application verifies that the sum is 0x252ed7.

EPIC FAIL. While the rest of the world has been working hard on securing the fabrics of their kernel, Apple have concentrated on painting the Leopard with new stripes. Before you fall into a trap thinking this isn’t as big as they make it out to be – because you need physical (and root) access to update firmware (and the user would have to approve) – think of malware or a Safari related exploit. How many security-conscious Mac users are there, do you think? Wasn’t the original deal “move to Mac and forget all your troubles”?

Surely Apple can’t be the only keyboard at fault, I’m sure my Razer Tarantula (with a few modifications) can fall into the same trap – at least you’d hope so, for Apple’s sake (or not!).
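To see why the sum-of-bytes routine quoted above is no integrity check, here is an added example (not from the proof of concept document) that runs a byte sum and a real CRC-32 over two constructed nine-byte stand-ins for an image that differ only in byte order; the function and array names are illustrative. Even a genuine CRC only catches accidental corruption, so authenticating firmware still needs a cryptographic signature.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for a firmware image: same bytes, first two swapped. */
static const uint8_t image_ref[] = "123456789";
static const uint8_t image_mod[] = "213456789";
#define IMAGE_LEN 9 /* ignore the trailing NUL */

/* The check the quoted document describes: add up every byte of the image. */
static uint32_t byte_sum(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    while (n--)
        s += *p++;
    return s;
}

/* A real CRC-32 (reflected polynomial 0xEDB88320), one bit at a time. */
static uint32_t crc32_bitwise(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xffffffffu;
    while (n--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xedb88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Returns 1 when the byte-sum check cannot tell img apart from ref. */
static int sum_check_accepts(const uint8_t *ref, const uint8_t *img, size_t n)
{
    return byte_sum(ref, n) == byte_sum(img, n);
}

int main(void)
{
    printf("byte sum: ref=%#x mod=%#x accepted=%d\n",
           (unsigned)byte_sum(image_ref, IMAGE_LEN),
           (unsigned)byte_sum(image_mod, IMAGE_LEN),
           sum_check_accepts(image_ref, image_mod, IMAGE_LEN));
    printf("crc32:    ref=%#x mod=%#x\n",
           (unsigned)crc32_bitwise(image_ref, IMAGE_LEN),
           (unsigned)crc32_bitwise(image_mod, IMAGE_LEN));
    return 0;
}
```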

Anyway, woo WINdows 7 to Technet/MSDN guys this week!


[XKCD] Security, in The Real World.

February 2nd, 2009 4 comments

…and you know it.


MSY Hacked! Firefox blocks!

July 15th, 2008 No comments

MSY (.com.au – don’t go there yet!), one of the most competitive IT hardware stores in Australia, recently got hacked and the site has the Net-Worm.JS.Aspxor.a worm embedded in it. I only realised after I went to the site and Firefox blocked the page. You can read all about the hack and the effects on the Whirlpool Thread or Google Safe Browsing diagnostic page.

Firefox Security

It’s always nice when someone’s got your back. Who knows, MSY might actually end up making a proper website now instead of the messy FrontPage site that was.
