Gareth linked to David Maynor’s blog where he documents the results of some simple fuzzing against the new Win32 port of Safari. Of course fanboys everywhere are going to be on this one like, erm.. like a thing that is very onto another thing.. but.. I digress..
2 things are interesting in all this for me though..
1. Why Apple chose now to do the Win32 Safari release.
2. Why anyone in security uses Safari anyway.

Most people postulate that the Win32 Safari release is tied to the release of the iPhone. Since 3rd-party developers can’t build for the iPhone yet, it would seem that web apps running in iPhone Safari are the way to go for now.. and if you are pushing the browser, you need better adoption for it.. It’s a reasonable enough theory, and I can’t imagine it’s because Apple actually wants to launch a serious attack against IE/Mozilla on non-Apple desktops.
R J Hillhouse (who has a fascinating background) found that when she double-clicked a graph on a slide deck belonging to the Office of National Intelligence (available from the DIA website), the linked spreadsheet popped up..
This effectively revealed “the dollar amounts in tens of millions spent by the US Intelligence Community on contractors”.
Ages ago lcamtuf highlighted information leakage through MS Office files, and it seems these days lots of folks are making lots of money selling black-box “I will prevent data leakage in your organization” type kit.. I haven’t looked in depth at too many of them, but I have to wonder how many of them would have caught the embedded spreadsheet at all..
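The check those products would need is not hard to write. The following is an added example, not code from the original post or from any of the products mentioned: it opens an OOXML package (.pptx/.docx/.xlsx are zip files) and lists the embedded-object parts, which is exactly where a linked workbook behind a chart ends up. The sample deck is constructed in memory so the script runs offline; legacy binary .ppt/.xls files are a different container and are reported as unhandled rather than silently passed.

```python
import io
import zipfile

# Parts in which OOXML packages store embedded objects (workbooks behind
# charts, OLE .bin blobs and so on), per container type.
EMBED_DIRS = ("ppt/embeddings/", "word/embeddings/", "xl/embeddings/")


def build_sample_deck() -> bytes:
    """Constructed sample: a minimal .pptx-style package with one embedded
    workbook behind a chart, built in memory so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("ppt/presentation.xml", "<presentation/>")
        z.writestr("ppt/slides/slide1.xml", "<sld/>")
        z.writestr("ppt/charts/chart1.xml", "<chart/>")
        # the spreadsheet that backs the chart: the part a viewer never shows
        z.writestr("ppt/embeddings/Microsoft_Excel_Worksheet1.xlsx", b"PK...fake")
        z.writestr("ppt/media/image1.png", b"\x89PNG fake")
    return buf.getvalue()


def find_embedded_objects(package: bytes) -> list:
    """Return (part name, uncompressed size) for every embedded object inside an
    OOXML package. Raises ValueError for non-OOXML input such as the legacy
    binary .ppt/.xls formats, which need an OLE parser instead."""
    try:
        z = zipfile.ZipFile(io.BytesIO(package))
    except zipfile.BadZipFile:
        raise ValueError("not an OOXML (zip) package; legacy binary Office "
                         "files are not handled here") from None
    with z:
        return [(info.filename, info.file_size)
                for info in z.infolist()
                if info.filename.startswith(EMBED_DIRS)]


def leaks_embedded_data(package: bytes) -> bool:
    """True when the package carries any embedded object, i.e. when publishing
    the file as-is may ship data the visible slides never display."""
    return bool(find_embedded_objects(package))


if __name__ == "__main__":
    deck = build_sample_deck()
    for name, size in find_embedded_objects(deck):
        print(f"embedded object: {name} ({size} bytes)")
    print("leaks embedded data:", leaks_embedded_data(deck))
```

Run it against a real deck by reading the file into `find_embedded_objects`; anything it lists should be converted to a flat image, or the figures re-entered by hand, before the document leaves the building.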
After a six-hour delay due to technical problems *before* my journey even started, I’m finally on the plane and waiting for take-off. Tag on an additional five-hour delay due to a missed connection in New York and this quickly becomes a very, very long trip. Perhaps my longest ever. Ah well, the price we pay for living at the end of the world, I guess.
VMware has just released beta 4 of its Fusion product for OSX.
The initial beta was hard to justify and a little flaky, which allowed Parallels to take an early lead. We still have people in the office who swear by Parallels.. But.. in my book VMware has just been such a lifesaver since we first started making heavy use of it (about 6 years ago) that I figured it was worth sticking it out..
06 June 2007
By craig
Scheduled tasks and services are often run as accounts with excessive privileges (HP Insight, backups etc.) instead of limited service accounts. By exploring the tasks under c:\windows\tasks, or the services via Manage Computer, you can quickly see possible options to escalate your rights. By replacing the actual exe that the service or task runs with an exe of your own, you can spawn a netcat shell. I use a batch-file-to-exe converter and use the batch file to call nc.exe with the correct parameters. *You cannot alter the service or task itself in any way, else you lose the stored credentials. Attached are some screenshots that should illustrate this.
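The defender’s side of this is an audit of which service binaries a low-privileged user can overwrite, and which account each such service runs as. The following is an added example, not code from the original post: it walks the service keys in the registry, pulls the executable out of each ImagePath (quoted or unquoted), and parses `icacls` output to flag binaries that Everyone, Users or Authenticated Users can modify. The service path and icacls output in the sample are constructed; `winreg` and `icacls` are the real Windows interfaces, so the enumeration only runs on a Windows host.

```python
import os
import re
import subprocess
import sys

# icacls right tokens that let a principal alter a file's contents or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO"}
# Principals every interactive user belongs to (constructed list; extend it
# with your own domain groups, e.g. "domain\\domain users").
LOW_PRIV_PRINCIPALS = {"everyone", "builtin\\users",
                       "nt authority\\authenticated users",
                       "nt authority\\interactive"}

# Constructed icacls output for a made-up service binary (not a real finding).
SAMPLE_PATH = "C:\\Program Files\\HP\\insight.exe"
SAMPLE_ICACLS = (
    "C:\\Program Files\\HP\\insight.exe NT AUTHORITY\\SYSTEM:(I)(F)\n"
    "                                BUILTIN\\Administrators:(I)(F)\n"
    "                                BUILTIN\\Users:(I)(M)\n"
    "                                Everyone:(I)(RX)\n"
    "\nSuccessfully processed 1 files; Failed processing 0 files\n"
)


def binary_from_image_path(image_path: str) -> str:
    """Extract the executable from a service ImagePath or task command line.
    Handles quoted paths and unquoted paths that contain spaces."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", p, re.IGNORECASE)
    return m.group(1) if m else p.split()[0]


def weak_acl_entries(icacls_output: str, path: str) -> list:
    """Parse `icacls <path>` output and return (principal, rights) pairs that
    grant write-class access to a low-privileged principal."""
    weak = []
    for line in icacls_output.splitlines():
        if line.startswith(path):          # first line is prefixed with the path
            line = line[len(path):]
        principal, sep, rights = line.strip().partition(":")
        tokens = re.findall(r"\(([^)]*)\)", rights)
        if not sep or not tokens or "DENY" in tokens:
            continue
        flags = {f for t in tokens for f in t.split(",")}
        if principal.lower() in LOW_PRIV_PRINCIPALS and flags & WRITE_RIGHTS:
            weak.append((principal, rights))
    return weak


def iter_services_windows():
    """Yield (service, run-as account, binary path) from the registry.
    Windows only: the winreg module does not exist elsewhere."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                return
            i += 1
            try:
                with winreg.OpenKey(root, name) as k:
                    image = winreg.QueryValueEx(k, "ImagePath")[0]
                    try:
                        account = winreg.QueryValueEx(k, "ObjectName")[0]
                    except FileNotFoundError:
                        account = "(kernel driver)"
            except OSError:
                continue
            yield name, account, binary_from_image_path(os.path.expandvars(image))


def audit_binary(path: str) -> list:
    out = subprocess.run(["icacls", path], capture_output=True, text=True).stdout
    return weak_acl_entries(out, path)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being audited")
    for svc, account, exe in iter_services_windows():
        if os.path.isfile(exe):
            for principal, rights in audit_binary(exe):
                print(f"{svc} runs as {account}: {exe} modifiable by {principal} {rights}")
```

A hit where the account is LocalSystem or a domain account is the configuration the post describes; the fix is to tighten the ACL on the binary (and its directory) and move the service to a dedicated low-privilege account. Scheduled tasks can be fed through the same `audit_binary` once their command lines are extracted.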
Check out http://hongkong.langhamplacehotels.com/accom/technology.htm in Hong Kong. They provide Cisco IP phones in the rooms, but with a difference. According to an article I read in TIME the hotel will collect your most frequently dialled numbers and load them onto the touchscreen phone when you return for your next visit. Not only that, they also program the phone to show stock quotes or news and weather from your home town, AND if you forward them snapshots of your loved ones they’ll pre-load those onto the phone’s interface also.
Jeremiah from WhiteHatSec has just written a quick piece on how to find your websites. Now footprinting is obviously dear to our hearts, with 3 Blackhat talks on it (or applications of it) (“Automation – Deus ex Machina or Rube Goldberg Machine?“, “Putting The Tea Back Into CyberTerrorism“, “The Role of Non Obvious Relationships in the Foot Printing Process“), a commercial tool almost dedicated to it, and a full-blown chapter on it in Open Source Penetration Testing by charl and gareth. Footprinting is a genuinely important part of a company’s security assessment, because it doesn’t matter if they have multi-layer firewalls and WAFs protecting the web app on www.company.com when an old, barely used SQL-injectable form on their community.company.com site lets you grab SA on their SQL server anyway..
(Now that the shameless self-promotion is over..) I wanted to touch on an interesting aspect of webserver discovery that is often skipped, and that’s the issue of multiple websites running as name-based virtual hosts on the same web server. There was a time (not so long ago) when all of the popular scanning tools failed to take into account that scanning 209.61.188.39 was not the same as scanning www.sensepost.com (or hackrack.sensepost.com, which happens to be on the same IP address).
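To make the point concrete, here is an added example (not code from the original post or from any scanner it mentions) that stands up a tiny server with two name-based virtual hosts on one loopback address and then fetches / from that address with different Host headers. The hostnames and page bodies are constructed placeholders; the interesting part is that the bare IP and the second hostname return different content, which is what an IP-only scan silently misses.

```python
import http.client
import socketserver
import threading
from http.server import BaseHTTPRequestHandler

# Constructed stand-in for one web server carrying two name-based virtual hosts
# on a single IP address; the hostnames and bodies are placeholders.
SITES = {
    "www.example.test": "corporate site: hardened, behind the WAF",
    "community.example.test": "community site: old forum software",
}
DEFAULT_SITE = "www.example.test"   # served for a bare IP or an unknown Host


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # name-based virtual hosting: the Host header alone selects the site
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = SITES.get(host, SITES[DEFAULT_SITE]).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # silence request logging in the demo
        pass


class QuietServer(socketserver.TCPServer):
    allow_reuse_address = True


def start_server():
    srv = QuietServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_vhosts(ip: str, port: int, hostnames) -> dict:
    """Request / from the same IP once per candidate Host header. Each entry is
    (status, body); a response that differs from the bare-IP one reveals a
    site that scanning the address alone would never touch."""
    results = {}
    for name in hostnames:
        conn = http.client.HTTPConnection(ip, port, timeout=5)
        conn.request("GET", "/", headers={"Host": name})
        resp = conn.getresponse()
        results[name] = (resp.status, resp.read().decode())
        conn.close()
    return results


def hidden_vhosts(results: dict, ip: str) -> list:
    """Hostnames whose response differs from the one served for the bare IP."""
    baseline = results[ip]
    return sorted(n for n, r in results.items() if n != ip and r != baseline)


if __name__ == "__main__":
    srv = start_server()
    ip, port = srv.server_address
    names = [ip, "www.example.test", "community.example.test", "nothere.example.test"]
    res = probe_vhosts(ip, port, names)
    for n in names:
        print(f"Host: {n:28} -> {res[n][1]}")
    print("sites missed by scanning only the IP:", hidden_vhosts(res, ip))
    srv.shutdown()
```

The candidate hostnames are the footprinting output (DNS, certificates, search results); the probe just confirms which of them the server actually distinguishes, so the assessment scope covers every site on the address rather than whichever one the default vhost happens to be.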
Ars Technica is reporting on the lawsuit filed in 2006 by Martin Bragg, who accused Linden Lab of wrongfully seizing his virtual land.
-snip-
Linden Lab filed two motions to dismiss the suit, arguing that Bragg came into possession of his land wrongfully, but the Pennsylvania judge denied those motions.
-snip-
A few things about this are super interesting..
1. Linden Lab (creators of Second Life) literally sells online assets for real-world money..
2. Martin Bragg (from accounts read) found that by simply adjusting his HTTP GET parameters he was able to bid on not-yet-opened auctions.(1)
3. Bragg apparently invested thousands, planning to buy low and sell high.

We have just started to consider the attack possibilities and where this is going, but again, I suspect fun times are ahead (2)..
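The bug class in point 2 is a handler that trusts the listing page to do its access control. The following is an added example, not code from the original post and not a description of how Linden Lab’s auction system was actually built: a constructed auction table, a listing that only shows open auctions, and two bid handlers parsing the same query string, one that accepts whatever auction id arrives and one that re-checks the auction state against the server’s own clock and table.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class Auction:
    parcel: str
    opens_at: int        # constructed timestamps (seconds), not real auction data
    closes_at: int
    bids: list = field(default_factory=list)


def make_auctions() -> dict:
    """Constructed auction table: one auction open at t=150, one not yet open."""
    return {
        "1001": Auction("parcel A", opens_at=100, closes_at=200),
        "1002": Auction("parcel B", opens_at=500, closes_at=600),
    }


def visible_auctions(auctions: dict, now: int) -> list:
    """What the listing page links to: only auctions that are currently open."""
    return [aid for aid, a in auctions.items() if a.opens_at <= now < a.closes_at]


def bid_vulnerable(auctions: dict, query: str, now: int, user: str) -> str:
    """Bid handler that leans on the listing page for access control: since the
    UI only links to open auctions, it never re-checks the auction state, so
    any auction id typed into the query string is accepted."""
    p = parse_qs(query)
    a = auctions[p["auction"][0]]
    a.bids.append((user, int(p["amount"][0])))
    return "accepted"


def bid_hardened(auctions: dict, query: str, now: int, user: str) -> str:
    """Same handler with the state check done server-side, from the server's
    own clock and auction table, never from anything the client sent."""
    p = parse_qs(query)
    a = auctions.get(p.get("auction", [""])[0])
    if a is None:
        return "rejected: unknown auction"
    if not (a.opens_at <= now < a.closes_at):
        return "rejected: auction not open"
    try:
        amount = int(p.get("amount", [""])[0])
    except ValueError:
        return "rejected: bad amount"
    if amount <= 0:
        return "rejected: bad amount"
    a.bids.append((user, amount))
    return "accepted"


if __name__ == "__main__":
    now = 150
    auctions = make_auctions()
    print("listing shows:", visible_auctions(auctions, now))
    # the auction id is simply changed to one the listing never offered
    print("vulnerable:", bid_vulnerable(auctions, "auction=1002&amount=50", now, "bidder"))
    auctions = make_auctions()
    print("hardened:  ", bid_hardened(auctions, "auction=1002&amount=50", now, "bidder"))
```

The general rule the hardened handler follows is that every state transition is validated against server-held data on the request that performs it, whatever the client was or was not shown earlier.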
[Yahoo Pipes] looks like an awesome way for even non-programmers to create web mashups trivially. Aside from the fact that its interface is super cool, it brings an interesting dimension to next-gen web attacks. (Google Video on Pipes by the Pipes developers).
pdp has already covered Pipes in his OWASP talk, where he used it to rewrite a Jikto equivalent in almost 0 lines of code, along with a TinyURL filesystem. pdp also mentions Dapper, which I have not checked out till now, but it looks like fun waiting to happen too..
All in all, the services look leet, and look like a cool way to get “unification” going for browser attacks*. Check them out; the possibilities for evil’ness should start running through your head from click 1.
Aaron Adams over at Symantec did a quick check on the version of Samba running on currently up-to-date OSX machines and found that the Macs were still running 3.0.10. He did a quick mod on the existing Metasploit module and has reliable code execution going..
If you are running OSX, you probably want to make sure your Samba isn’t exposed while you grab the latest source and build..
/mh