
May 25, 2008
(ISC)2 Blog Launched
Tags:
infosec
(ISC)2 launched a new blog recently. The goal is to provide a voice to its certified members, who have significant knowledge and valuable insights to share that can benefit the information security industry, the people in it and the public at large.

May 19, 2008
Debian PRNG Security Vulnerability
Tags:
0day,
infosec,
opensource
PRNG = Pseudo-Random Number Generator, or in this case a predictable one.
This is a critical vulnerability and an exploit/PoC has been released.
Note: this vulnerability applies to any Debian-based Linux distribution, including Ubuntu.
All OpenSSH and X.509 keys generated on vulnerable systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied. Characteristics of potentially vulnerable keys: the key was generated on a Debian-based system since 2006-09-17 using 'openssl', 'ssh-keygen' or 'openvpn --keygen'.
From SANS, there are basically two scenarios:

- The public key is publicly available (e.g. a TLS/SSL web server's certificate): no brute force needed, the attacker picks the matching private key out of the precomputed set and walks in with it;
- The public key is not available (e.g. the keys authorized on an SSH server): brute force over some 260K candidate keys is needed (~20 min).
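A practical follow-up to the advice above, added here as an example and not part of the original post or of Debian's own ssh-vulnkey tool: a small checker that computes the OpenSSH fingerprint of every key in an authorized_keys file and compares it with a blacklist. The approach only works because the broken PRNG left little more than the process ID (at most 32,767 values) as entropy per key type, size and architecture, so every key a vulnerable system could ever produce can be precomputed and its fingerprint listed. The key blobs and the blacklist in the script are constructed for the demonstration; a real check loads the distribution's blacklist files (Debian shipped them in the openssh-blacklist package).

```python
"""Scan an authorized_keys file for OpenSSH public keys whose fingerprint is on
a blacklist of keys known to come from the broken Debian PRNG.

Added example, not code from the original post, Debian or OpenSSH.  The keys
and the blacklist below are constructed so the script runs offline; a real
check uses the distribution's blacklist files instead of these values.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH mpint for a non-negative integer: minimal big-endian bytes, with a
    leading 0x00 when the top bit is set so the value is not read as negative."""
    if n == 0:
        return ssh_string(b"")
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return ssh_string(body)


def rsa_pubkey_blob(e: int, n: int) -> bytes:
    """The blob that an 'ssh-rsa AAAA...' line base64-encodes: type, e, n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint (the form used in 2008): colon-separated MD5 hex."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_authorized_keys_line(line: str):
    """Return (keytype, blob, comment) for a plain 'type base64 comment' line, else None.
    Blank lines, comments and malformed base64 are skipped; lines that begin with
    options such as from="..." are not handled by this simplified parser."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-sha2-")):
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    comment = parts[2] if len(parts) == 3 else ""
    return parts[0], blob, comment


def find_blacklisted(authorized_keys: str, blacklist: set) -> list:
    """Comments (or key types, when there is no comment) of keys whose MD5 fingerprint is blacklisted."""
    hits = []
    for line in authorized_keys.splitlines():
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        keytype, blob, comment = parsed
        if md5_fingerprint(blob) in blacklist:
            hits.append(comment or keytype)
    return hits


# --- constructed demo data --------------------------------------------------
# Fake 2048-bit "moduli" derived from a label: not real RSA keys, only
# correctly framed ssh-rsa blobs, which is all the fingerprinting needs.
def _fake_modulus(label: str) -> int:
    return int.from_bytes(hashlib.sha256(label.encode()).digest() * 8, "big") | (1 << 2047)


WEAK_BLOB = rsa_pubkey_blob(65537, _fake_modulus("debian-pid-4242"))  # stands in for a blacklisted key
GOOD_BLOB = rsa_pubkey_blob(65537, _fake_modulus("properly-seeded"))


def _line(blob: bytes, comment: str) -> str:
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the demo",
    _line(WEAK_BLOB, "alice@debian-laptop"),
    _line(GOOD_BLOB, "bob@workstation"),
    "ssh-rsa not-valid-base64!! broken@entry",
])

# In practice this set is loaded from the distribution's blacklist files.
BLACKLIST = {md5_fingerprint(WEAK_BLOB)}

if __name__ == "__main__":
    for hit in find_blacklisted(AUTHORIZED_KEYS, BLACKLIST):
        print("blacklisted key:", hit)
```

Run as a script it reports the one constructed weak key; point find_blacklisted at the contents of a real authorized_keys file and a real blacklist set to use it for a host. A key that passes is only "not on the list", which is why the advisory's rule stands: anything generated on an affected system in the window gets replaced, not grandfathered.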
References:
- http://isc.sans.org/diary.html?storyid=4420
- http://isc.sans.org/diary.html?storyid=4421
- http://www.milw0rm.com/exploits/5622
- http://metasploit.com/users/hdm/tools/debian-openssl/
Apr 1, 2008
Translator in GTalk
Tags:
GTalk
Today I got introduced to two good friends: en2zh and zh2en. They are both very good translators that can translate English to Chinese and vice versa.
Actually they are bots. A (ro)bot is a piece of software that acts as a chat contact and provides some fun or useful functionality.
Just add en2zh@bot.talk.google.com and zh2en@bot.talk.google.com as friends in Google Talk and send one a message to translate from English to Chinese or vice versa. You can also make more friends (bots); there are 23 of them. See GoogleTalk for more information.
Mar 31, 2008
When FireFox 2.0 Meets with JavaScript
Just came across a Firefox extension called FFsniFF. It is billed as a proof of concept: a password sniffer that hides itself from the Firefox Extension Manager. See the reference links below for more information.
The question here is not whether it is a password sniffer or not; it is how to get rid of it once it is installed, given that it is hidden from the FF Extension Manager. A chicken-and-egg problem.
In the end I had no choice but to do it manually. Here is how I removed/disabled it:
- Close Firefox and locate your Firefox user profile folder, e.g. %APPDATA%\Mozilla\Firefox\Profiles\[random string].default\
- Go into the subfolder "extensions\{66cdf40a-d0f2-46d0-abf4-eccba8205aef}\chrome". You should see a file called "ffsniff.jar".
- Use an unpacker (e.g. 7-Zip) to unpack "ffsniff.jar" (a .jar is just a ZIP archive).
- Once unpacked, go into the "content\ffsniff\" folder and look for a file called "ffsniffOverlay.js".
- Edit the file with Notepad. Go to the bottom (line 119) and comment out the line "hide_me();" by putting two slashes "//" (without the quotes) in front of it.
- Save and close the file and pack everything back into "ffsniff.jar".
- Start Firefox and go to the Extension Manager; you should now see an extension called "FFsniFF 0.2".
- Now you can disable it.
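The Extension Manager only shows what an extension lets it show, but the extensions folder on disk cannot hide. As an added example (not code from the original post or from FFsniFF), the script below lists every extension directory in a profile with the id, name and version from its install.rdf, and flags the em:hidden property, one Firefox 2-era way for an extension to keep itself out of the Extension Manager list. FFsniFF 0.2 hid itself through its overlay script, as described above, so this inventory tells you what is installed without replacing the look at the overlay. The profile and manifests it writes are constructed for the demonstration; only the FFsniFF directory GUID is taken from the steps above.

```python
"""Inventory Firefox 2 extensions straight from a profile's extensions/ folder.

Added example, not code from the original post or from FFsniFF.  The demo
profile and the install.rdf manifests are constructed; the FFsniFF directory
name is the GUID given in the post, its manifest contents are made up.
"""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"


def parse_install_rdf(xml_text: str) -> dict:
    """Extract id, name, version and the em:hidden flag from an install.rdf manifest."""
    root = ET.fromstring(xml_text)
    for desc in root.iter(f"{RDF}Description"):
        # the top-level manifest node; both the unprefixed and the RDF:about spelling occur
        about = desc.get("about") or desc.get(f"{RDF}about")
        if about == "urn:mozilla:install-manifest":
            break
    else:
        raise ValueError("no urn:mozilla:install-manifest Description in install.rdf")

    def prop(name: str):
        # RDF/XML allows a property either as a child element or as an attribute
        child = desc.find(f"{EM}{name}")
        if child is not None and child.text:
            return child.text.strip()
        return desc.get(f"{EM}{name}")

    return {
        "id": prop("id"),
        "name": prop("name"),
        "version": prop("version"),
        "hidden": (prop("hidden") or "false").strip().lower() == "true",
    }


def inventory_extensions(extensions_dir: str) -> list:
    """One record per subdirectory of extensions/ that carries an install.rdf."""
    records = []
    for entry in sorted(os.listdir(extensions_dir)):
        manifest = os.path.join(extensions_dir, entry, "install.rdf")
        if not os.path.isfile(manifest):
            continue
        with open(manifest, encoding="utf-8") as fh:
            record = parse_install_rdf(fh.read())
        record["dir"] = entry
        records.append(record)
    return records


def hidden_extensions(records: list) -> list:
    """Those records whose manifest asks the Extension Manager not to list them."""
    return [r for r in records if r["hidden"]]


# --- constructed demo profile -----------------------------------------------
MANIFEST_TEMPLATE = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{id}</em:id>
    <em:name>{name}</em:name>
    <em:version>{version}</em:version>{hidden}
    <em:targetApplication>
      <Description>
        <em:id>{{ec8030f7-c20a-464f-9b0e-13a3a9e97384}}</em:id>
        <em:minVersion>2.0</em:minVersion>
        <em:maxVersion>2.0.0.*</em:maxVersion>
      </Description>
    </em:targetApplication>
  </Description>
</RDF>
"""


def render_manifest(ext_id: str, name: str, version: str, hidden: bool) -> str:
    flag = "\n    <em:hidden>true</em:hidden>" if hidden else ""
    return MANIFEST_TEMPLATE.format(id=ext_id, name=name, version=version, hidden=flag)


def build_demo_profile() -> list:
    """Write a throwaway profile with one hidden and one normal extension, inventory it, clean up."""
    root = tempfile.mkdtemp(prefix="ffprofile-")
    try:
        ext_dir = os.path.join(root, "extensions")
        demo = [
            ("{66cdf40a-d0f2-46d0-abf4-eccba8205aef}", "FFsniFF", "0.2", True),
            ("helper@example.invalid", "Harmless Helper", "1.0", False),
        ]
        for ext_id, name, version, hidden in demo:
            os.makedirs(os.path.join(ext_dir, ext_id))
            with open(os.path.join(ext_dir, ext_id, "install.rdf"), "w", encoding="utf-8") as fh:
                fh.write(render_manifest(ext_id, name, version, hidden))
        return inventory_extensions(ext_dir)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rec in build_demo_profile():
        state = "HIDDEN " if rec["hidden"] else "visible"
        print(f"{state} {rec['name']} {rec['version']} ({rec['dir']})")
```

For a real profile, call inventory_extensions on the profile's extensions folder and compare the result with what the Extension Manager shows; any directory present on disk but absent from the UI is the one to look at.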
References:
- Disable FFsniFF Manually - J.Track at http://jtrack.blogspot.com/2008/03/disable-ffsniff-manually.html
- FFsniFF Homepage at http://azurit.gigahosting.cz/ffsniff/ (mirror: http://azurit.elbiahosting.sk/ffsniff/)
- Vulnerability Summary CVE-2006-6585 at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6585
- SecurityFocus at http://www.securityfocus.com/archive/1/archive/1/454058/100/0/threaded
Mar 11, 2008
Image File Execution Options
Tags:
debugger
This is an old and interesting trick. See the reference below.
The "Image File Execution Options" (IFEO) registry key tells Windows to start a given debugger whenever an executable of a given name is launched. To set it up:
- Start regedit.exe
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- Create a subkey named after your executable file, e.g. test.exe
- Under that subkey create a new string value called "Debugger" and set it to the full path of your debugger. From then on Windows launches the debugger, with the original command line appended, instead of the executable itself.
Starting to smell something? Can we use this to replace a well-known executable with something malicious? For example, create a subkey for an antivirus executable and point its "Debugger" at a piece of malware: the malware starts, the antivirus never does.
Yes, you can. In fact it is a very common trick used by malware to disable well-known antivirus applications. The main reason the trick works is that Windows never verifies that the "debugger" is truly a debugger; it launches whatever the value names.
Mark Russinovich and Bryce Cogswell use this technique to implement the "Replace Task Manager" feature of their Process Explorer utility. Get Process Explorer, enable the option in the "Options" menu, and check HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe: the Debugger value points to procexp.exe.
What if I have two executables pointing at each other as debugger, like calc.exe and notepad.exe? What will happen then? Try it yourself with this sample registry script (in a .reg file, backslashes inside quoted values are written doubled):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="c:\\windows\\notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="c:\\windows\\system32\\calc.exe"
References:
- Junfeng Zhang's Windows Programming Notes at http://blogs.msdn.com/junfeng/archive/2004/04/28/121871.aspx
- greggm's weblog at http://blogs.msdn.com/greggm/archive/2005/02/21/377663.aspx
- Image File Execution Options: Good, Evil, Fun at http://mygreenpaste.blogspot.com/2005/07/image-file-execution-options-good-evil.html
- Abusing "Image File Execution Options" at http://isc.sans.org/diary.html?storyid=4039
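Since the same key is what malware abuses, the thing a defender wants is a way to audit it. As an added example (not code from the original post, Microsoft or Sysinternals), the script below parses a .reg export of the IFEO key and reports every image whose Debugger is not on an allow-list of known debuggers, plus any images whose Debugger entries point at one another, which is exactly the calc.exe/notepad.exe pair from the sample script above. The allow-list, the taskmgr.exe path and the avscanner.exe entry are constructed for the demonstration; only the calc.exe and notepad.exe entries come from the post.

```python
r"""Audit Image File Execution Options (IFEO) Debugger entries from a .reg export.

Added example, not code from the original post or from Microsoft/Sysinternals.
Produce the input on the machine under review with
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
and pass the file's text to audit_ifeo().  KNOWN_DEBUGGERS and the sample
below are constructed for the demo.
"""
import re
from collections import OrderedDict

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Example allow-list only; extend it with whatever debuggers your environment legitimately uses.
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe", "procexp.exe"}


def parse_reg_export(text: str) -> OrderedDict:
    """Parse 'Windows Registry Editor Version 5.00' text into {key path: {value name: string}}.
    Only quoted REG_SZ values are decoded (all a Debugger entry uses).  Doubled
    backslashes and escaped quotes, as a real export writes them, are unescaped."""
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = re.match(r'^"([^"]+)"="(.*)"$', line)
        if match and current is not None:
            name, value = match.groups()
            keys[current][name] = value.replace("\\\\", "\\").replace('\\"', '"')
    return keys


def ifeo_debuggers(keys) -> dict:
    """Map image name (lower-case) -> Debugger command for every IFEO subkey that sets one."""
    prefix = IFEO_KEY.lower() + "\\"
    found = {}
    for key, values in keys.items():
        if key.lower().startswith(prefix) and "Debugger" in values:
            found[key[len(prefix):].lower()] = values["Debugger"]
    return found


def debugger_image_name(command: str) -> str:
    """Basename of the executable in a Debugger command line, e.g. '"C:\\x\\windbg.exe" -g' -> 'windbg.exe'."""
    command = command.strip()
    if not command:
        return ""
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_debugger_cycles(debuggers: dict) -> list:
    """Follow image -> debugger -> that debugger's own IFEO entry ... and return each cycle once."""
    cycles, seen = [], set()
    for start in debuggers:
        path, node = [], start
        while node in debuggers and node not in path:
            path.append(node)
            node = debugger_image_name(debuggers[node])
        if node in path:  # the chain led back onto itself
            cycle = path[path.index(node):]
            if frozenset(cycle) not in seen:
                seen.add(frozenset(cycle))
                cycles.append(cycle)
    return cycles


def audit_ifeo(reg_text: str, allowed=KNOWN_DEBUGGERS) -> list:
    """Findings as {'image', 'debugger', 'reasons'} for every suspicious Debugger entry."""
    debuggers = ifeo_debuggers(parse_reg_export(reg_text))
    in_cycle = {img for cycle in find_debugger_cycles(debuggers) for img in cycle}
    findings = []
    for image, command in debuggers.items():
        reasons = []
        if debugger_image_name(command) not in allowed:
            reasons.append("debugger not on allow-list")
        if image in in_cycle:
            reasons.append("debugger entries form a cycle")
        if reasons:
            findings.append({"image": image, "debugger": command, "reasons": reasons})
    return findings


# Constructed sample: calc.exe/notepad.exe are the post's script; taskmgr.exe is what
# Process Explorer's "Replace Task Manager" writes (path made up); avscanner.exe is a
# stand-in for the antivirus-hijack trick described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="c:\\windows\\notepad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="c:\\windows\\system32\\calc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Program Files\\Sysinternals\\procexp.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscanner.exe]
"Debugger"="C:\\Users\\Public\\update.exe"
"""

if __name__ == "__main__":
    for f in audit_ifeo(SAMPLE_REG):
        print(f"{f['image']}: Debugger={f['debugger']} ({'; '.join(f['reasons'])})")
```

On the sample, taskmgr.exe is reported clean because procexp.exe is on the allow-list, while calc.exe and notepad.exe are flagged both for naming a non-debugger and for pointing at each other, and avscanner.exe for the unknown Debugger. The script answers what the registry says, not what Windows does at launch time; for that, try the pair as the post suggests.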