hack-fu by Matt Hillman
Last week I attended DEFCON 16 in Las Vegas. I went last year as well, so I knew to expect the huge throngs of people, the strange mix of young, old and crazy-haired, and all the usual antics that happen when you gather around 7 thousand hackers in one place.
There’s a lot to do at DEFCON besides attending presentations, but this year I was there for business, not just pleasure, so I went on a presentation-attending marathon. I must admit that this year there were fewer “wow” moments as far as the talks were concerned, but there were still some decent talks and, of course, lots of opportunities to catch up with friends and acquaintances from around the world.
Here’s a list and some comments of the talks I attended:
Read the rest of this entry »
The administrative web interfaces for many wireless access points (APs) provide users with ‘Neighbourhood Wireless Scan’ functionality. This functionality scans for all accessible APs and displays the details of any APs which are identified. However, examination of these administrative interfaces revealed that a large number of them do not properly sanitise the parameters that are passed to them from any accessible APs.
An attacker could set up a fake AP with a malicious payload in the Service Set Identifier (SSID). The malicious SSID would be displayed in the ‘Neighbour’s Access Points Table’ page of the administrative interface and would be executed when an administrator scanned for APs. Read the rest of this entry »
A number of administrative applications are available which allow users to manage a network DHCP server via a web interface. This allows administrators to set up configuration options and view active DHCP leases.
It was found that a large number of these administrative web applications did not properly sanitise parameters that were passed to them from the DHCP server, and therefore ultimately from anyone able to talk to that server. In particular, a specially crafted DHCPREQUEST message containing malicious JavaScript or HTML code in the DHCP Options Hostname field could be sent to the DHCP server; the malicious code would then be displayed in the DHCP active leases page of the vulnerable administrative application and would be executed when an administrator visited the page. Read the rest of this entry »
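Both of the issues above (SSIDs in the ‘Neighbour’s Access Points Table’ and hostnames in the DHCP leases page) come down to the same mistake: a string that arrived off the network is written into an admin page as HTML. The following is an added illustration, not code from any of the affected products, of how such a page should treat those values: hostnames have a grammar (RFC 1123) and can be validated on input, while an SSID is an opaque string of up to 32 bytes and must instead be escaped on output. The sample SSIDs and leases are constructed.

```python
import html
import re

# Constructed sample values of the kind an AP neighbourhood scan or a DHCP
# lease table receives straight off the network; two of them carry markup.
SAMPLE_SSIDS = ["HomeNet", "<script>alert(1)</script>", "Cafe \u2615"]
SAMPLE_LEASES = [("192.0.2.10", "laptop-01"),
                 ("192.0.2.11", "<img src=x onerror=alert(1)>")]

# RFC 1123 host label: letters, digits and interior hyphens, at most 63 chars.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def valid_hostname(name: str) -> bool:
    """The DHCP Options hostname field has a defined grammar, so it can be
    validated on input and anything else dropped (and logged) before it is
    ever stored for the leases page."""
    return bool(HOSTNAME_RE.match(name))

def render_cell(value: str) -> str:
    """Escape a network-sourced string for a table cell. An SSID is an opaque
    string of up to 32 bytes with no grammar to validate against, so the only
    safe option is to escape it at the point it is written into HTML."""
    return html.escape(value, quote=True)

def render_ap_table(ssids):
    """Build the neighbouring-AP table rows with every SSID escaped."""
    rows = "".join(f"<tr><td>{render_cell(s)}</td></tr>" for s in ssids)
    return f"<table>{rows}</table>"

def render_lease_table(leases):
    """Build the active-leases rows: reject malformed hostnames, escape the rest."""
    rows = []
    for ip, host in leases:
        shown = host if valid_hostname(host) else "(invalid hostname)"
        rows.append(f"<tr><td>{render_cell(ip)}</td><td>{render_cell(shown)}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"

if __name__ == "__main__":
    print(render_ap_table(SAMPLE_SSIDS))
    print(render_lease_table(SAMPLE_LEASES))
```

Escaping on output is the control that matters for both cases; the hostname check is a bonus that also gives you a log line whenever a client sends a name that could not possibly be legitimate.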
hack-fu by: rux0r
In the last article (middleware and me (part-1)) we looked at the concept of Middleware security and why it is often a neglected area. In this article we are moving on to look in detail at the security features that can be employed to protect this type of software. For the purposes of these discussions we are going to be focussing on the IBM Websphere MQ product, hopefully in the future I will be able to contrast these discussions against the security controls employed by a number of other messaging technologies.
Read the rest of this entry »
hack-fu by: bob
So… this is an amalgamation of several ideas and bits of work I’ve found floating around that I put together. The result is a handy pentesting/pwnage technique. The following blog that kicked this idea off discusses a modified Metasploit exploit module called smb_server.pm by Kurt Grutzmacher: NTLMv1, Metasploit and You. Around the same time I’d been playing with some ettercap filters, based on the below work at Irongeek: Fun with Ettercap Filters. These two sparked something and gave me a use for those huge LMHALFCHALLENGE rainbow tables I’d downloaded. Read the rest of this entry »

In addition to the changes released on the 4th of April, yesterday we released a Windows one-click installer for dradis.
The summary of the features of the v1.2 release:
- in the client:
  - export to XML module is now part of the standard module set.
  - a new implementation of the command line parser: now it is possible to use single and double quotes to pass multi-word arguments to the different commands.
  - fixed the window.rb:159 bug.
- in the server:
  - a slightly less annoying implementation of the web interface auto refresh functionality.
  - the services added through the web interface can have a name now.
  - simple prevention against embedded XSS.
You can also download the platform-independent ruby source in the download section of the site.

hack-fu by: rux0r
This post is the first in a series on the subject of enterprise messaging and in particular on IBM’s flavour of it. The objective of these posts will be to remove some of the confusion about its purpose, the technologies and the methods of securing it. Hopefully this will help both security testers and other interested parties to feel confident about this important area of IT security.
Read the rest of this entry »
Windows Vista includes the “Windows Sidebar”. This new feature allows users to display ‘gadgets’ on the sidebar and on the Windows desktop. Gadgets are small applications containing HTML, XML and JavaScript.
The National Rail Live Departure Board Sidebar gadget provides users with the ability to view real time train departure boards for all main railway stations in the UK. The gadget allows users to choose a “Start Station” and a “Destination Station” in order to provide them with the most up to date live departure information for their chosen trip. The gadget requests this information from a web server, which responds to the gadget with live departure board information for the user’s chosen rail journey.
An attacker capable of intercepting the web server response to the gadget request could modify that response so that a script was injected and then run on the user’s system. The injected script would run under the privileges of the currently logged in user, so an attacker successfully exploiting this vulnerability could execute arbitrary commands on the target system in the context of that user. Read the rest of this entry »

I have just arrived from Black Hat Europe 2008 in Amsterdam (this one, not this one). It has been a cool experience, not exactly what I expected but really interesting.
Briefings were held during the 27th and 28th of March, and the presentations are available for download. If you want to see what the chef recommends just keep reading…
Read the rest of this entry »
Elastic Path is a popular Java e-commerce platform for building online stores and shopping carts. Elastic Path consists of both a shopping front end where customers can browse and choose the products and a managing backend for administration purposes.
Users of the administrative interface can be granted different levels of access. Research revealed that users with upload/download privileges could abuse them to gain access to arbitrary files in the remote system (read the security advisory - mirror #1, mirror #2).
update: a link to the patch is available on the Elastic Path Developer site (thanks to d-dub).
update: this vulnerability has been assigned the following CVE number: CVE-2008-1606.
Read the rest of this entry »