“There is no delight in owning anything unshared.”


Cyberattacks May 2013 – Malware on PRU 13 General Elections (Ubah!!)

As Malaysians get excited about voting day, which is held at least once every five years, a new malware sample has been discovered: FinFisher (also called FinSpy). FinSpy is a commercially sold spyware package.


A Canada-based interdisciplinary laboratory discovered a sample of FinFisher (a.k.a. FinSpy) surveillance software embedded in a Microsoft Word document crafted specifically around Malaysia's 2013 general elections.

The crafted malware has the capability to:

  • hijack the camera and microphone;
  • infiltrate the computer to grab screenshots;
  • record chat conversations;
  • log keystrokes.

Internet-based sources revealed that this attack targets Microsoft Word 2003. The document runs a VB macro, which creates a fake Firefox 14.0 binary named "WINWORD.exe". The victim's computer then communicates with the FinFisher command-and-control servers listed below:

168[.]144[.]97[.]39
117[.]121[.]241[.]86

Advisories:

  • Block the IPs 168.144.97.39 and 117.121.241.86 at the perimeter.
  • Be wary before clicking links or opening files received from known or unknown sources.

For macro hardening, refer to the Office 2003 documentation on Macro Security Levels: Office 2003 Macro Security Level

Full details by F-Secure: F-Secure Analysis
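The two C2 addresses above are the only indicators the advisory gives, so the practical detection is matching them against proxy or firewall logs. The script below is an added example (not part of the original post or of F-Secure's analysis): it refangs the published indicators, parses constructed log lines in an assumed "timestamp host process dst_ip:port" format, and raises a high-severity alert on a C2 hit plus a medium-severity heuristic alert when a process calling itself WINWORD.exe talks to a non-internal address, which is the masquerade described in the text. The internal ranges are assumed to be RFC 1918.

```python
import ipaddress
import re

# Added detection example (not from the original post). The C2 indicators are the
# two addresses published above, kept in their defanged form; the log lines and
# the log format are constructed for this example.
FINFISHER_C2_DEFANGED = ["168[.]144[.]97[.]39", "117[.]121[.]241[.]86"]

# Assumed internal ranges (RFC 1918); adjust to the environment.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(indicator):
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 back into a usable address."""
    return indicator.replace("[.]", ".")


C2_ADDRESSES = {ipaddress.ip_address(refang(i)) for i in FINFISHER_C2_DEFANGED}

# Constructed sample log: "<timestamp> <host> <process> <dst_ip>:<dst_port>" per line.
SAMPLE_LOG = """\
2013-05-03T09:12:01 WS-017 firefox.exe 203.0.113.10:443
2013-05-03T09:12:44 WS-017 WINWORD.exe 168.144.97.39:80
2013-05-03T09:13:02 WS-022 outlook.exe 10.0.0.5:25
2013-05-03T09:13:09 WS-017 WINWORD.exe 117.121.241.86:443
2013-05-03T09:15:30 WS-031 WINWORD.exe 203.0.113.7:443
2013-05-03T09:16:12 WS-031 WINWORD.exe 192.168.1.20:445
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, host, proc, ip, port = match.groups()
    try:
        dst = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return {"ts": ts, "host": host, "proc": proc, "dst": dst, "port": int(port)}


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(event):
    """Return a severity for the event, or None if nothing is suspicious.

    high:   destination is a published FinFisher C2 address.
    medium: a process calling itself WINWORD.exe is talking to a non-internal
            address; the dropper described above masquerades under that name,
            and a word processor has little reason to reach the Internet itself.
    """
    if event["dst"] in C2_ADDRESSES:
        return "high"
    if event["proc"].lower() == "winword.exe" and not is_internal(event["dst"]):
        return "medium"
    return None


def scan(log_text):
    """Return (severity, host, process, destination) for every alerting line."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        severity = classify(event)
        if severity:
            alerts.append((severity, event["host"], event["proc"], str(event["dst"])))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The medium-severity rule is a heuristic and will need tuning (an intranet SharePoint on a public address, for instance, would trip it); the point is that an IP blocklist alone stops matching the moment the operator rotates infrastructure, whereas the process-name anomaly survives that.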

Cyberattacks January 2013 [Part II] – Zero-Day Java Exploit Debuts in Crimeware

A new Java zero-day exploits a vulnerability (CVE-2013-0422) in fully patched versions of Java 7.

This zero-day vulnerability affects the latest version, Java 7 Update 10. The exploit is already included in most of the crimeware kits, including:

  • Blackhole
  • Nuclear Pack
  • Cool Exploit Kit
  • Redkit

while Metasploit is expected to release a module soon. The zero-day will be exploited through various attack vectors.


Advisories:

  • Disable Java if it is not required.
  • If a critical application or website requires Java, use a separate web browser to access it:
  • Disable the Java plug-in in the web browser used for normal web surfing.
  • Enable the Java plug-in only in a second web browser used for the websites that require Java.
  • For example: use Firefox (Java plug-in DISABLED) for normal web surfing and Internet Explorer (Java plug-in ENABLED) for websites that require Java.
  • Always be wary of clicking links received from known or unknown sources. An attacker has to convince the user to trigger this vulnerability, typically by getting them to click a malicious URL sent through email, instant message, social network, and so on.

You may also refer to the in-depth coverage provided by KrebsOnSecurity:

In-depth KrebsonSecurity on Java Zero Days Exploits

LAB Testing with DVWA – Part I [SQL Injection Exploitation]

To exploit SQL injection vulnerabilities, understanding how the query is built is essential, so that the injected parameter leaves the query syntactically valid and true. In the DVWA SQL Injection tutorial, a text field asks for a user ID. Entering the number 1 and clicking the Submit button returns the first name and surname of the user with ID=1.


The query executed in the database is:

[SELECT First_Name,Last_Name FROM users WHERE ID='1';]

To find the first names and surnames of all the users, try changing the ID number in the URL, [127.0.0.1/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#], to other values (1, 2, 3, 4, ...), or enter them in the User ID field.


The next test is to identify which database is running on the back end, in order to construct the queries accordingly and extract information.


The idea is to make the database respond with an error message that contains the database type and version. A single quote ['] forces the database to treat everything following the quote as a string, causing a syntax error. Injecting id=' into the vulnerable parameter makes the database generate an error message, which is shown in the browser. However, that error does not reveal the version number, so we proceed to find the version explicitly:


A UNION statement is used for the identification: [' union select 1,@@version#]

The back end is running MySQL version 5.5.27.

Besides this, we can also perform hostname discovery with the @@hostname variable:


Hostname discovery via SQL injection: [' union select null,@@hostname #]

The scenario above shows how SQL injection can be used to discover information about, and abuse, a server with such vulnerabilities. Beyond a simple statement and version or host discovery, never forget the in-depth damage that can be done. Enjoy the tutorial and sample, and always be ethical. 🙂
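The probes above, run against an in-memory stand-in for the DVWA users table, as an added example that is not DVWA's code or the tutorial's: the MySQL back end is replaced by SQLite so it runs offline, which means @@version becomes sqlite_version(), the # comment becomes --, and @@hostname has no equivalent; the table rows are constructed. The vulnerable function reproduces the quoted-id query shape shown above, and the UNION payloads keep the same two-column shape the tutorial's payloads use.

```python
import sqlite3

# Added example (not DVWA's code): a minimal in-memory stand-in for the DVWA
# "users" table so the payloads from the tutorial can be run offline.
# Rows are constructed for illustration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    # Same shape as the query the tutorial shows: the id is pasted inside single
    # quotes with no escaping, so a quote in the input ends the string early.
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, user_id):
    # Hardened form: a bound parameter is sent as data, never parsed as SQL.
    return conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()


def probe(conn, payload):
    """Error-based probe: return the engine's error text, or None if the query parsed.

    A lone quote leaves the string unterminated; the error text is what the
    tutorial reads off the browser page to confirm the parameter is injectable.
    """
    try:
        lookup_vulnerable(conn, payload)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def union_extract(conn, expression):
    """UNION-based extraction.

    The appended SELECT must return the same number of columns as the original
    (two here), which is why the tutorial's payloads carry a filler column:
      MySQL   ' union select 1,@@version#
      SQLite  ' UNION SELECT 1, sqlite_version() --
    (SQLite has no @@version/@@hostname and uses -- rather than # for comments.)
    """
    payload = f"' UNION SELECT 1, {expression} -- "
    return [row[1] for row in lookup_vulnerable(conn, payload)]


def engine_version(conn):
    """Reference value: what a legitimate query for the version returns."""
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("id=1        :", lookup_vulnerable(db, 1))
    print("id='        :", probe(db, "'"))
    print("version     :", union_extract(db, "sqlite_version()"))
    print("schema      :", union_extract(db, "sql FROM sqlite_master WHERE type = 'table'"))
    print("safe lookup :", lookup_safe(db, "' UNION SELECT 1, sqlite_version() -- "))
```

The schema call goes one step past the tutorial: once the column count is known, the same UNION slot can read any table the database user can see (sqlite_master here, information_schema on MySQL), which is the "in-depth damage" the closing paragraph warns about. The parameterized lookup receives the identical payload and simply returns no rows.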

LAB Testing with DVWA – [SQL Injection Statements]

SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability arises when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed and is therefore unexpectedly executed as part of the query.

  • Incorrectly filtered escape characters

User input is not filtered for escape characters and is then passed into an SQL statement, allowing the end user of the application to manipulate the statements performed on the database. The following line of code illustrates this vulnerability:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

This SQL code is designed to pull up the records of the specified username from the users table. However, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the "userName" variable to any of:

' or '1'='1
' or '1'='1' -- '
' or '1'='1' ({ '
' or '1'='1' /*

renders statements such as:

SELECT * FROM users WHERE name = '' OR '1'='1';
SELECT * FROM users WHERE name = '' OR '1'='1' -- ';

Because '1'='1' is always true, the WHERE clause matches every row and returns all users; the trailing comment markers (-- and /*) discard the rest of the original statement, including its closing quote.

The following value of "userName" would cause the deletion of the "users" table as well as the selection of all data from the "userinfo" table, when used with an API that allows multiple statements:

a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

This input renders the final SQL statement as follows:

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

Most SQL server implementations allow multiple statements to be executed in one call in this way, but some SQL APIs, such as PHP's mysql_query() function, do not allow this for security reasons. This prevents attackers from injecting entirely separate queries, but does not stop them from modifying the existing query.

  • Incorrect type handling

This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This can happen when a numeric field is used in an SQL statement but the programmer makes no check that the user-supplied input is actually numeric. For example:

statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"

It is clear from this statement that the author intended a_variable to be a number correlating to the "id" field. However, if it is in fact a string, the end user can manipulate the statement as they choose, bypassing the need for escape characters because the value is not enclosed in quotes. For example, setting a_variable to

1;DROP TABLE users

will drop (delete) the “users” table from the database, since the SQL would be rendered as follows:

SELECT * FROM userinfo WHERE id=1;DROP TABLE users;
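Both forms above, the quoted "userName" concatenation and the unquoted numeric "id", run against a small in-memory database as an added example (not code from the original post or from DVWA; the tables follow the names in the text, the rows are constructed, and SQLite stands in for MySQL). It also shows the mysql_query() point concretely: Python's sqlite3 execute() accepts one statement per call and refuses the stacked payload, while executescript() is a batch API and actually drops the table.

```python
import sqlite3

# Added example (not from the original post or DVWA): an in-memory stand-in
# for the two statements discussed above. Table names follow the text
# ("users", "userinfo"); the rows are constructed for illustration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret'), ('alice', 'pw');
        CREATE TABLE userinfo (id INTEGER, email TEXT);
        INSERT INTO userinfo VALUES (1, 'admin@example.test'), (2, 'alice@example.test');
    """)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


# --- Incorrectly filtered escape characters ---------------------------------
def find_user_vulnerable(conn, user_name):
    # The concatenation from the text: userName is pasted between quotes.
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def find_user_safe(conn, user_name):
    # Bound parameter: the value travels separately from the SQL text, so a
    # quote inside it is just a character of the name being looked up.
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


# --- Incorrect type handling -------------------------------------------------
def find_info_vulnerable(conn, a_variable):
    # No quotes around the number, so the attacker needs no quote to break out.
    statement = "SELECT * FROM userinfo WHERE id = " + a_variable + ";"
    return conn.execute(statement).fetchall()


def find_info_safe(conn, a_variable):
    # Enforce the type before the value gets near SQL: int() raises ValueError
    # for "1 OR 1=1" and for "1;DROP TABLE users".
    return conn.execute("SELECT * FROM userinfo WHERE id = ?", (int(a_variable),)).fetchall()


# --- Stacked queries: single-statement API vs. batch API ---------------------
def run_single_statement(conn, statement):
    """One statement per call, as with PHP's mysql_query(). Returns the error text
    when the driver refuses a second statement, or None if the call succeeded."""
    try:
        conn.execute(statement)
        return None
    except (sqlite3.Error, sqlite3.Warning) as exc:  # older Pythons raise Warning here
        return str(exc)


def run_multi_statement(conn, statement):
    """A batch API: every statement in the string executes, DROP included."""
    conn.executescript(statement)


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "' or '1'='1"))   # every row in users
    print(find_user_safe(db, "' or '1'='1"))         # []
    print(find_info_vulnerable(db, "1 OR 1=1"))      # every row in userinfo
    stacked = ("SELECT * FROM users WHERE name = 'a';DROP TABLE users; "
               "SELECT * FROM userinfo WHERE 't' = 't';")
    print(run_single_statement(db, stacked), table_exists(db, "users"))
    run_multi_statement(db, stacked)
    print(table_exists(db, "users"))                 # False
```

Note that the numeric payload "1 OR 1=1" succeeds through the single-statement API: refusing stacked queries blocks the DROP, exactly as the text says, but does nothing against modification of the one query that is allowed. The fix is the same in both cases, bind the value as a parameter and, for numeric fields, convert it to the expected type first.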

LAB Testing with DVWA – [Installation]

DVWA is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to give web developers a better understanding of how to secure web applications, and to provide a web application security learning environment for newbies.

WARNING!! (from DVWA): Do not upload it to your hosting provider's public html folder or to any working web server, as it will be hacked!!

Step 1: [Installation] Guide from DVWA:

http://www.youtube.com/watch?v=GzIj07jt8rM

Default username = admin

Default password = password

  • If you do not have a web server set up, DVWA can be installed on top of 'XAMPP'.
  • XAMPP is an easy-to-install Apache distribution for Linux, Solaris, Windows and Mac OS X. The package includes the Apache web server, MySQL, PHP, Perl, an FTP server and phpMyAdmin.
  • XAMPP can be downloaded from: http://www.apachefriends.org/en/xampp.html
  • Simply unzip dvwa.zip, place the unzipped files in your public html folder, then point your browser to http://127.0.0.1/dvwa/index.php

Step 2: [Setup Database]

Click the Setup button in the main menu, then click the 'Create / Reset Database' button. This will create or reset the database for you, populated with some sample data.

After installation, DVWA is successfully hosted and running on a MySQL back-end database.

If there is an error while trying to create the database, make sure your database credentials are correct in /config/config.inc.php.

Cyberattacks January 2013 [Part I] – Fraudulent Digital Certificates Could Allow Spoofing

Fake Turkish digital certificates blocked by browser vendors (as reported by The Hacker News)


A fraudulent digital certificate was found that could be used for active phishing attacks against Google's web properties. Using the certificate, an attacker could spoof content in a classic phishing scheme or perform a man-in-the-middle attack, according to the Google Chrome Security Team and Microsoft. Microsoft immediately began updating its Certificate Trust List (CTL) across all versions of its operating systems to revoke the certificate, and also decided to revoke two other certificates for the same reason; it appears that some attacks using the first certificate had already been detected. The fraudulent certificate chained back to a subsidiary CA that a Turkish certificate authority had mistakenly issued.

“Microsoft is aware of active attacks using one fraudulent digital certificate issued by TURKTRUST Inc., which is a CA present in the Trusted Root Certification Authorities Store. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. This issue affects all supported releases of Microsoft Windows.

TURKTRUST Inc. incorrectly created two subsidiary CAs (*.EGO.GOV.TR and e-islem.kktcmerkezbankasi.org). The *.EGO.GOV.TR subsidiary CA was then used to issue a fraudulent digital certificate to *.google.com. This fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. To help protect customers from the fraudulent use of this digital certificate, Microsoft is updating the Certificate Trust list (CTL) and is providing an update for all supported releases of Microsoft Windows that removes the trust of certificates that are causing this issue.”

It is still unknown who the real target of the attack was, or what its geographic distribution is; the Microsoft advisory refers to the domain kktcmerkezbankasi.org, a web site that presents itself as the Central Bank of the Turkish Republic of Northern Cyprus (TRNC).

The Google Online Security Blog published a post reporting that on Dec. 24, 2012, its Chrome web browser detected and blocked an unauthorized digital certificate for the “*.google.com” domain. The security repercussions are very serious: any attacker able to sign with a CA certificate can sign certificates for any domain.

Advisories:

“Microsoft Security Advisory (2798897) -Fraudulent Digital Certificates Could Allow Spoofing”

Microsoft Security Advisory 2798897 Security TechCenter

Cyberattacks December 2012 – New Internet Explorer Zero-Day

IE zero-day in the wild: this vulnerability is tracked as CVE-2012-4792.


The zero-day was first disclosed by a US-based network security company on December 28, 2012, during an investigation of the compromise of the Council on Foreign Relations (CFR) website. In a security advisory released on December 29, Microsoft confirmed that Internet Explorer 6, 7 and 8 are vulnerable to this zero-day attack. The company expects to issue a fix within the next few days.

Internet-based sources revealed that this attack targets Internet Explorer configured for English (U.S.), Chinese (China), Chinese (Taiwan), Japanese, Korean or Russian. Moreover, it only targets Internet Explorer installations with Adobe Flash installed: in this attack, Adobe Flash is used to perform a heap spray against Internet Explorer. The consequence is arbitrary code execution in the context of the current user.

Zero-day exploit explanation graph by Trend Micro

How do attackers exploit this vulnerability?

Attackers make use of several components in order to successfully exploit IE: a malicious HTML file, a malicious .SWF file, and a malicious .EXE triggered as the final payload. When users connect to a compromised website, the malicious HTML file, exploit.html (HTML_EXPDROP.II), serves as the entry point of the attack. It creates multiple instances of the image element (an array) in the document, i.e. the current web page, all with their src value set to the string "a". These values are stored in heap memory. The heap is an area of reserved memory that a program can use to store a variable amount of data at run time.

What are other repercussions of unpatched systems?

Exploits generally allow attackers to drop or load malware that downloads other, more menacing malware onto vulnerable or unpatched systems. But even an up-to-date computer can be vulnerable to attacks through zero-day vulnerabilities. Zero-day exploits are more dangerous in nature as they target vulnerabilities that have yet to be resolved by the respective software vendors. Until the software vendor issues a workaround solution, i.e., a fix tool or the actual software update, users are left unprotected and vulnerable to threats.

Advisories:

  1. Upgrade Internet Explorer to version 9 or later. Microsoft confirmed that Internet Explorer 9 and 10 are not affected.
  2. If you have no choice but to use Internet Explorer 8 or lower, you can block the attack by disabling JavaScript and Flash.
  3. Install the Enhanced Mitigation Experience Toolkit (EMET) and enable it to protect Internet Explorer: http://support.microsoft.com/kb/2458544
  4. Be wary before clicking links received from known or unknown sources. An attacker has to convince the user to trigger this vulnerability, typically by getting them to click a malicious URL sent through email, instant message, social network, etc.