Monday, July 6, 2009

New MS 0-day ActiveX (MSVidCtl dll exploit)



This was just announced this morning and was found in the wild on several Chinese forums. Apparently this has been rampant for almost a month undetected.

This is a client side (browser) exploit, so visiting a malicious site will result in infection.

There is one known hotfix, and that is to set a "kill bit" in the registry for the vulnerable ActiveX control so that Internet Explorer refuses to load it.

* Create a registry key called:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]

* Then, create a DWORD value named "Compatibility Flags" and give it a value of 400 (entered as hexadecimal, i.e. 0x00000400; typing 400 as a decimal value does not set the kill bit).
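As an added example (not part of the original post), the following Python builds the .reg text that applies the kill bit described above and audits a regedit-style export for whether the bit is really set. The two exports it checks are constructed samples: one where the value was entered as decimal 400 (which is 0x190 and does not contain the kill bit), one where it was entered correctly. On a live Windows host the same check could be made with the winreg module; the small parser here lets the logic run offline.

```python
"""Audit a registry export for the MSVidCtl ActiveX kill bit.

Added example, not part of the original post. It builds the .reg text that
sets the kill bit for the CLSID given in the post and checks a regedit-style
export (constructed samples below) for whether the kill bit is actually
present. On a live Windows host the same check could be made with the
winreg module; the parser here lets the logic run offline.
"""
import re
from typing import Dict

CLSID = "{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}"
ACTIVEX_COMPAT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                  r"\ActiveX Compatibility")
KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE loading the control


def kill_bit_reg_file(clsid: str = CLSID) -> str:
    """Return .reg file text that sets the kill bit for one CLSID."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{ACTIVEX_COMPAT}\\{clsid}]\r\n"
        f'"Compatibility Flags"=dword:{KILL_BIT:08x}\r\n'
    )


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Parse the subset of .reg syntax used here: [key] headers and dword values.

    Returns {key_path_lowercased: {value_name_lowercased: int}}; registry
    names are case-insensitive, so everything is folded to lower case.
    """
    keys: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = int(m.group(2), 16)
    return keys


def kill_bit_set(reg: Dict[str, Dict[str, int]], clsid: str = CLSID) -> bool:
    """True if the export shows the kill bit set for clsid."""
    key = f"{ACTIVEX_COMPAT}\\{clsid}".lower()
    flags = reg.get(key, {}).get("compatibility flags", 0)
    return bool(flags & KILL_BIT)


# Constructed sample exports (not real hosts).
# A host where the value was typed as decimal 400 (0x190): the kill bit is NOT set.
SAMPLE_DECIMAL_MISTAKE = f"""Windows Registry Editor Version 5.00

[{ACTIVEX_COMPAT}\\{CLSID}]
"Compatibility Flags"=dword:00000190
"""

# A host where the value is the correct 0x400, written with different case.
SAMPLE_CORRECT = f"""Windows Registry Editor Version 5.00

[{ACTIVEX_COMPAT.upper()}\\{CLSID.lower()}]
"compatibility flags"=dword:00000400
"""

if __name__ == "__main__":
    print(kill_bit_reg_file())
    for name, sample in [("decimal mistake", SAMPLE_DECIMAL_MISTAKE),
                         ("correct", SAMPLE_CORRECT)]:
        state = "kill bit set" if kill_bit_set(parse_reg_export(sample)) else "NOT set"
        print(f"{name}: {state}")
```

The decimal/hex confusion is the point of the second sample: regedit's DWORD dialog defaults to hexadecimal, but a value pasted into a script or GPO as decimal 400 silently leaves the control loadable.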

Here are the current Snort IDS/IPS signatures for this exploit:


# Request-side rule: uricontent inspects the client's request URI, so the header runs from $HOME_NET to the web server rather than the reverse, and flow:to_server then matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MSVidCtl 0-day"; flow:to_server,established; uricontent:"/aa/go.jpg"; nocase; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=6733; sid:3000305; rev:2;)


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit";
flow:to_client,established; content:"|00 03 00 00 11 20 34|";
content:"|ff ff ff ff 0c 0c 0c 0c 00|"; within:70;
classtype:trojan-activity; sid:2009493; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Vulnerable Microsoft DirectShow ActiveX Load";
flow:to_client,established; content:"clsid"; nocase;
content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase;
reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799;
classtype:web-application-attack; sid:2009xxx; rev:0;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Microsoft DirectShow ActiveX Exploit Attempt";
flow:to_client,established; content:"clsid"; nocase;
content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; content:"omybro";
nocase; content:"logo.gif"; nocase;
reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799;
classtype:web-application-attack; sid:2009xxx; rev:0;)
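To see what the three Emerging Threats signatures above actually key on, here is an added example (not from the original post, and not Snort itself): a minimal Python evaluator for the content, nocase and within modifiers the rules use, run over constructed HTTP response bodies. It shows that the "ActiveX Load" rule fires on any page that embeds the control by CLSID, whether malicious or not, while the "Exploit Attempt" rule additionally needs the omybro and logo.gif strings, and it shows how within:70 bounds the distance between the two byte patterns in the first rule.

```python
"""Run the content matches from the quoted Snort signatures over sample HTTP bodies.

Added example, not from the original post and not Snort itself: a minimal
evaluator for the 'content', 'nocase' and 'within' modifiers used by the
rules above, so their logic can be checked offline against constructed
response bodies. Snort's real matcher has many more options; only the
semantics these rules need are implemented.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    # within:N -> this match must finish within N bytes of the previous match's end
    within: Optional[int] = None


@dataclass
class Rule:
    msg: str
    contents: List[Content]


def hexbytes(s: str) -> bytes:
    """Convert Snort's |00 03 ...| notation to bytes."""
    return bytes.fromhex(s.strip("|"))


# The three Emerging Threats rules quoted above, reduced to their content matches.
RULES = [
    Rule("ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit",
         [Content(hexbytes("|00 03 00 00 11 20 34|")),
          Content(hexbytes("|ff ff ff ff 0c 0c 0c 0c 00|"), within=70)]),
    Rule("ET CURRENT_EVENTS Vulnerable Microsoft DirectShow ActiveX Load",
         [Content(b"clsid", nocase=True),
          Content(b"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF", nocase=True)]),
    Rule("ET CURRENT_EVENTS Microsoft DirectShow ActiveX Exploit Attempt",
         [Content(b"clsid", nocase=True),
          Content(b"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF", nocase=True),
          Content(b"omybro", nocase=True),
          Content(b"logo.gif", nocase=True)]),
]


def rule_matches(rule: Rule, payload: bytes) -> bool:
    prev_end = 0
    for c in rule.contents:
        hay = payload.lower() if c.nocase else payload
        needle = c.pattern.lower() if c.nocase else c.pattern
        if c.within is None:
            # Non-relative content: searched anywhere in the payload.
            pos = hay.find(needle)
        else:
            # Relative content: must start after the previous match and end
            # no later than prev_end + within (find's end bound enforces that).
            pos = hay.find(needle, prev_end, prev_end + c.within)
        if pos < 0:
            return False
        prev_end = pos + len(needle)
    return True


def scan(payload: bytes) -> List[str]:
    """Return the msg of every rule that fires on this payload."""
    return [r.msg for r in RULES if rule_matches(r, payload)]


# Constructed sample response bodies (not captured traffic).
BENIGN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hello</body></html>"
LOADS_CONTROL = (b"HTTP/1.1 200 OK\r\n\r\n<html><body>"
                 b'<object classid="CLSID:0955ac62-bf2e-4cba-a2b9-a63f772d46cf"></object>'
                 b"</body></html>")
MATCHES_ALL_STRINGS = LOADS_CONTROL + b'<img src="omybro/logo.gif">'
# The two byte patterns of the first rule with 50 bytes of filler between them
# (inside within:70) and with 70 bytes of filler (outside it).
NEAR_BYTES = (hexbytes("|00 03 00 00 11 20 34|") + b"A" * 50
              + hexbytes("|ff ff ff ff 0c 0c 0c 0c 00|"))
FAR_BYTES = (hexbytes("|00 03 00 00 11 20 34|") + b"A" * 70
             + hexbytes("|ff ff ff ff 0c 0c 0c 0c 00|"))

if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("loads control", LOADS_CONTROL),
                       ("all strings", MATCHES_ALL_STRINGS),
                       ("bytes near", NEAR_BYTES), ("bytes far", FAR_BYTES)]:
        print(f"{name:14s} -> {scan(body)}")
```

Because the "ActiveX Load" signature keys only on the CLSID, expect it to alert on legitimate intranet pages that embed MSVidCtl; that is why it is classed as a web-application-attack rather than a confirmed exploit, and why the kill bit on the endpoint is the fix rather than the IDS rule.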

Tuesday, June 30, 2009

Kevin Mitnick's website hacked




Just blogged about infamous hacker Kevin Mitnick on Fireblog today and actually got him to make a statement for my article.

Check the article

And the original story

Moral of the story, not even hackers are safe from hackers :)

Wednesday, June 10, 2009

Exclusive interview with StrongWebMail's $10,000 hacker

If you haven't been living under a rock, you will have heard that the webmail security company "StrongWebmail" issued a $10,000 hacking challenge to prove the security of their product. If any hacker could get into the CEO's email account and read the task list off his Exchange calendar, they would win $10,000. To make it even more exciting/ridiculous, he posted his username and password: CEO/Mustang85

The product works by requiring, any time an unauthorized person needs to access an account or change its password, a second factor over the phone system: a voice call or a text message. Well, Lance and co. weren't challenged by any of that and relied on a simple XSS attack and some trickery to prove the prize was theirs.

Lance being an old friend of mine agreed to do an exclusive interview yesterday on FireBlog.com with all of the technical details and controversy.

Tuesday, June 9, 2009

LxLab's CEO commits suicide after software hack

Very sad to find out today that the CEO and developer of the software leading to the massive hosting provider hack I blogged about yesterday was found hanging in his home this morning.
http://www.theregister.co.uk/2009/06/09/lxlabs_funder_death/

It is sad that someone was driven to suicide by such an event, but it shows the pride and personal dedication this man had in his software.

Monday, June 8, 2009

VPS Hosting Vulnerability Leads to huge compromise

An article on The Register today reports that the VPS hosting company LxLabs' full customer base was hacked due to a vulnerability in their HyperVM VPS management application.
http://www.theregister.co.uk/2009/06/08/webhost_attack/

The main reason this was possible is that HyperVM requires giving customers (i.e. the public) access to the hypervisor OS itself, through the HyperVM web application.

FireHost recognizes these risks and made the decision from the beginning not to give customers any access to the hypervisor; in fact, it runs on a completely out-of-band private network!

Any remote commands to the hypervisor go over a private VPN to an API that is limited to basic operations such as stop, start, reload and rename VM. It is tightly controlled and secured, unlike HyperVM, which ran directly on top of the hypervisor.

Virtualization security is going to continue to be a hot topic and Firehost Inc. leads the way by providing true advanced security while sharing knowledge and best practices on our blog and security center.

Thursday, June 4, 2009

Wireless Keyboard Sniffing

A new free, open-source utility for sniffing keystrokes on wireless keyboards! If you have heard my talks on RFID before, you will remember that, regardless of how weak the signal is, the guy with the big antenna always wins!

The tool is called Keykeriki and is available here:

http://www.remote-exploit.org/Keykeriki.html


Keyboard Sniffer Keykeriki from Max Moser on Vimeo.

Wednesday, May 20, 2009

Wireless inSecurity (WPA Owned)

It has been no mystery for a while that it is possible to break the WPA and WPA2 Pre-Shared Key (PSK), which is the default WPA security mode on most consumer-grade access points. Because there is no direct weakness in the encryption protocol as there was with WEP, attacks have relied on brute-force hash matching, a process that can take a long time.

Wordlists sped this process up considerably, making it possible to break WPA against dictionary PSKs in weeks or months as opposed to years. Why is this process so slow? WPA derives the key in multiple steps, including salting the PSK hash with the SSID: the password "dogthebountyhunter" is hashed with SHA1 (iterated thousands of times through PBKDF2) using the SSID, say "DOG", as the salt. This makes the hash unique to each network name, so a hash computed for one SSID is useless against another, which is what makes breaking it take longer.

Then, two years ago, a group called "The Church of WiFi" released a set of rainbow tables (precomputed password hashes) for WPA. The only issue is that they only covered the top 10 SSID names (default, linksys, NETGEAR, Belkin54g, etc.) as listed on http://Wigle.net/

So PCI DSS and an entire industry have for years been championing WPA with strong, non-dictionary passwords for wireless safety, and it was generally considered secure, until now...

The biggest reason WPA and most encryption are hard to break is that they use computationally expensive algorithms, which simply take a long time to guess against. A standard modern processor, say an Intel Core2Duo at 2.5GHz, can brute-force WPA using the methods above at around 600-700 PSK/s, so if there are 500 million possible hashes to try it is going to take a while (think a lifetime).
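The salting and the cost described in the two paragraphs above can be seen directly in code. The following is an added example (not from the original post, and not Pyrit or any other tool mentioned here): it derives the WPA/WPA2 Pairwise Master Key as 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, the SSID as salt), shows that one passphrase produces a different key under every SSID, builds a per-SSID precomputed table to show why the Church of WiFi tables only help for the SSIDs they cover, and measures how many derivations a single core of your CPU manages per second for comparison with the 600-700 PSK/s figure. The passphrase/SSID pairs are constructed samples, except "password"/"IEEE", which is the published 802.11i test vector.

```python
"""WPA/WPA2-PSK key derivation: the SSID as salt, and why tables are per-SSID.

Added example, not part of the original post. It derives the 256-bit
Pairwise Master Key the way 802.11i specifies (PBKDF2-HMAC-SHA1, 4096
iterations, SSID as salt), shows that one passphrase gives a different key
under every SSID, and measures how many derivations this CPU manages per
second. The passphrase/SSID pairs below are constructed samples; the
"password"/"IEEE" pair is the published 802.11i test vector.
"""
import hashlib
import time
from typing import Dict, Iterable, Optional

ITERATIONS = 4096  # fixed by the standard; this is the deliberate slowness
PMK_LEN = 32       # 256-bit PMK


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def psk_by_ssid(passphrase: str, ssids: Iterable[str]) -> Dict[str, str]:
    """Same passphrase, several SSIDs: every derived key differs."""
    return {ssid: wpa_psk(passphrase, ssid).hex() for ssid in ssids}


def build_table(passphrases: Iterable[str], ssid: str) -> Dict[bytes, str]:
    """Precompute PMKs for one SSID.

    A WPA 'rainbow table' is a set of these, one per SSID, which is why a
    table built for 'linksys' says nothing about a network called 'DOG'.
    """
    return {wpa_psk(p, ssid): p for p in passphrases}


def table_lookup(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """Return the passphrase behind a PMK if the table covers it, else None."""
    return table.get(pmk)


def derivations_per_second(seconds: float = 0.5) -> float:
    """Rough single-core throughput, to compare with the 600-700 PSK/s quoted."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa_psk(f"candidate{n}", "DOG")  # constructed candidate passphrases
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    for ssid, key in psk_by_ssid("dogthebountyhunter", ["DOG", "linksys", "default"]).items():
        print(f"{ssid:8s} {key}")
    linksys_table = build_table(["dogthebountyhunter", "letmein"], "linksys")
    print("lookup under linksys:", table_lookup(linksys_table, wpa_psk("dogthebountyhunter", "linksys")))
    print("lookup under DOG:    ", table_lookup(linksys_table, wpa_psk("dogthebountyhunter", "DOG")))
    print(f"{derivations_per_second():.0f} PSK/s on one core of this machine")
```

The throughput number is the whole story of the GPU angle in the next paragraph: 4096 HMAC-SHA1 rounds per guess is what keeps a CPU in the hundreds of PSK/s, and a long, non-dictionary passphrase is still the only thing that keeps the candidate count out of reach once those rounds run in parallel on a graphics card.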

Now graphics card developers, namely Nvidia and ATI, have been making supercomputers on a chip for a decade, with simple, fast and highly parallel processors to make Counter-Strike run as smoothly as possible :) Recently something amazing happened: Nvidia released CUDA, an API and programming library, so the average Joe could write scripts and applications harnessing the power of their GPU for any type of computation, including cryptography. The end result? WPA is broken:


Pyrit Source



Another movie