Category Archives: Various

ZATAZ WEBTV September 2012

If you understand french then you can watch our September 2012 Web TV show.

In this episode :

  • Defcon
  • pirateBox
  • Lock Picking
  • MegaUpload
  • Ethical Hacking learned in french university
  • Interview of a french military general specialized into cyber securit

Pwnie Awards 2012 nominees announced

The 6th edition of “The Pwnie Awards” will have its awards ceremony at the BlackHat USA conference in Las Vegas, the 25 July. Pwnie Awards celebrate the achievements and failures of security researchers and the security community.

In the 2012 edition they’re will be nine award categories:

  • Pwnie for Best Server-Side Bug
  • Pwnie for Best Client-Side Bug
  • Pwnie for Best Privilege Escalation Bug
  • Pwnie for Most Innovative Research
  • Pwnie for Lamest Vendor Response
  • Pwnie for Best Song
  • Pwnie for Most Epic FAIL
  • Pwnie for Epic Ownage

Nominees for these categories have been announced the 21 July. I will do a quick recap on the “Best Server-Side Bug“, “Best Client-Side Bug” and the “Best Privilege Escalation Bug“.

Pwnie for Best Server-Side Bug

Nominees for this category are listed here under. My vote will go to “WordPress Timthumb Plugin ‘timthumb’ Cache Directory Arbitrary File Upload Vulnerability” due to the impact of this vulnerability in term of number of botnets and owned servers.

TNS Poison Attack (CVE-2012-1675)

This vulnerability was discovered and reported to Oracle by Joxean Koret in 2008. Oracle had announce, in April CPU, that the vulnerability were fixed, but after releasing details of the vulnerability Joxean Koret had discover that the vulnerability were not fixed at all. Here under a video demonstration of the MITM attack.

ProFTPD Response Pool Use-after-Free (CVE-2011-4130)

This vulnerability was discovered and reported by an anonymous researcher in October 2011 and patched in November 2011. The vulnerability allows remote attackers to execute arbitrary code. Authentication is required to exploit this vulnerability in order to have access to the ftp command set.

“Are we there yet?” MySQL Authentication Bypass (CVE-2012-2122)

This vulnerability was discovered and reported to Oracle by Sergei Golubchik in April 2012. The vulnerability exploits a password bypass weakness in MySQL. Here under a video demonstration of the attack.

WordPress Timthumb Plugin ‘timthumb’ Cache Directory Arbitrary File Upload Vulnerability (CVE-2011-4106)

Since the discovery of the WordPress TimThumb vulnerability in August 2011 by Mark Maunder, the vulnerability has been used as botnet recruitment vector, and has now spread in multiple botnets. Hundreds of WordPress blogs have been hacked, allowing potential infection of the blogs visitors, diffusion of spam and phishing campaign, DDoS, hack of other web sites (such as About.us domain name registrar), etc, etc. Some of these infected WordPress were controlled by well-known C&C servers used and shared by black hats from around the world.

Pwnie for Best Server-Side Bug

Nominees for this category are listed here under. My vote will go to “MS11-087: Unspecified win32k.sys TrueType font parsing engine vulnerability” cause this vulnerability demonstrate clearly that bad guys are always in advance.

Pinkie Pie’s Pwnium Exploit

Pinkie Pie’s exploit took a chain of six different bugs in order to successfully break out of the Chrome sandbox.

Sergey Glazunov’s Pwnium Exploit (CVE-2011-3046)

Sergey Glazunov’s exploit took a chain of at least 14 bugs to successfully sidestep the browser’s sandbox.

MS11-087: Unspecified win32k.sys TrueType font parsing engine vulnerability (CVE 2011-3402)

CVE 2011-3402, patched by MS11-087 in December 2011 ,was found exploited in the wild by Duqu malware.

Flash BitmapData.histogram() Info Leak (CVE 2012-0769)

CVE 2012-0769 was discovered by Fermin J. Serna of the Google Security Team and corrected in APSB12-05.

iOS Code Signing Bypass (CVE 2011-3442)

This vulnerability was discovered by Charlie Miller of Accuvant Labs and corrected in iOS 5.0.1 release. This vulnerability is a code signing bypass that allows third-party apps to dynamically download and execute code and use this in his rogue app.

Pwnie for Best Privilege Escalation Bug

Nominees for this category are listed here under. My vote will go to “Xen Intel x64 SYSRET Privilege Escalation” cause this vulnerability has impacts tones of products and vendors.

Xen Intel x64 SYSRET Privilege Escalation (CVE-2012-0217)

This vulnerability was discovered and reported to vendor by Rafal Wojtczuk. Successful demonstration of this vulnerability was provided by fail0verflow the 2012-07-05. Here under a video demonstration of the attack.

iOS HFS Catalog File Integer Underflow (CVE-2012-0642)

This vulnerability was discovered by pod2g, used in Absinthe iOS 5.0/5.0.1.

MS11-098: Windows Kernel Exception Handler Vulnerability (CVE-2011-2018)

CVE-2011-2018, patched by MS11-098, was discovered and reported to the vendor by Mateusz “j00ru” Jurczyk.

VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation (CVE-2012-1515)

CVE-2012-1515, patched by MS12-042 and by VMSA-2012-0006.2, was discovered and reported to vendors by Derek Soeder.

WordPress TimThumb Botnets Spreads Status – second edition

Since the discovery of the WordPress TimThumb vulnerability in August 2011 by Mark Maunder, the vulnerability has been used as botnet recruitment vector, and has now spread in multiple botnets. Hundreds of WordPress blogs have been hacked, allowing potential infection of the blogs visitors, diffusion of spam and phishing campaign, DDoS, hack of other web sites (such as About.us domain name registrar), etc, etc. Some of these infected WordPress were controlled by well-known C&C servers used and shared by black hats from around the world.

Six month after the discovery of the vulnerability I had made a first status on the WordPress TimThumb spread with some nice visualizations and graphs representing the botnet activities.

We are soon one year after the discovery of the vulnerability and a second status on the WordPress TimThumb botnets could be done. Are the botnets still active, are less WordPress blogs vulnerable, is the pick of spread over ? We will try, through an analysis of all the WordPress TimThumb vulnerability exploitation attempts against our Honey Net, to answer these questions. The data’s collected through our Honey Net are representing only a small part of the real activity of the WordPress TimThumb botnets, but these data’s could also represent an extrapolation of the real activities.

List of all detected infected domains

You can find in the following table the complete list of all detected infected domains how were called during the WordPress TimThumb RFI attack, with the domain associated IP address, the country where the blog were hosted, the number of distinct source IPs how have call the related domain during the RFI attack and the live time of the domain name.

We have a total of 473 affected domains compared to the 202 six month before. This number demonstrates that 11 months after the vulnerability discovery the botnet is still in activity and that the number of infected domains are still important. “blogger.com.dollhousedelights.com“, hosted in Taiwan (IP has moved from Vietnam to Taiwan), was the affected domain how was called by the much more distinct source IPs (265), followed by “picasa.com.xpl.be” with 167 distinct source IPs, and at the third place “blogger.com.midislandrental.com” with 110 distinct source IPs.

picasa.com.xpl.be” has a live time of 238 days, followed by “upload.wikimedia.org.penguinet.co.ke” with a live time of 218 days, “blogger.com.sabrosaserver.com” with 211 days, “wordpress.com.airatrip.com” with 186 days and “flickr.com.bpmohio.com” with 179 days.

29 domains have a live time above 100 days and 86 domains have a live time between 30 days and 100 days.

Infected blogs countries repartition

You can find in the following graphs (Chart1Chart2) the geographically repartition of the infected blogs.

We have a total of 45 different countries for 473 affected domains. United States is in first position with 57% (284) of all infected blogs, followed by Canada with 5.2% (26), United Kingdom with each 4.4% (22) of all infected blogs. US is still in the first position (+155) of infected WordPress and we can see that the infected countries are quiet the same as six months ago.

Infected blogs countries repartition by number of source IPs

You can find in the following graphs (Chart3Chart4) the geographically repartition of the infected blogs by number of distinct source IPs how have call the infected blogs.

We have a total of 3340 distinct source IPs for 473 affected domains and 45 different hosting countries. United States is in first position with 44.3% (1480), followed by Vietnam with 8.4% (279), Chile with 4.3% (143), Romania with 4.3% (142) and Australia with 3.6% (119). US is in the first position (+639) of infected WordPress, Vietnam in second position but source IPs have drastically decrease compared to six months ago (only +36).

Timeline by day of infected blogs calls and source IPs

You can find in the following timeline (Chart5) a representation by day of the infected blogs number calls and source IPs.

From January 2012 to April 2012 the botnet spread has constantly decrease in term of number of affected hosts and source IPs, but in April 2012 the botnet has suddenly increase his activity. November 2011 was the most active month for the number of source IPs.

Geographic timeline by day of all source IPs

In this geographic time map we’re loading data’s from a Google Spreadsheet (published here). These data’s are coming from our HoneyNet and are representing the geographic WordPress TimThumb Botnet activities from 15-09-2011 to 01-07-2012.

Conclusion

WordPress TimThumb botnets, one year after the vulnerability discovery, is still continuing to infect new blogs, the pick of spread is over since November 2011. My personal opinion is that we will steal continue to hear about these botnets during second part of 2012.

PCI-DSS Requirement 6.2 Changes Impacts after 30 Jun 2012

PCI-DSS (Payment Card Industry Data Security Standard) version 2.0 is out since October 2010, but vulnerability ranking as defined in the 6.2.a testing procedure was considered as best practice until Jun 30, 2012, after which it becomes a requirement. The vulnerability ranking, how is now mandatory, will impact they way you classify your vulnerabilities, your change management process, your internal vulnerabilities assessment, your NTP monitoring, the way you document your hardening guides and your software development process.

Requirement 6.2

Just for recap, if you don’t know this requirement:

6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.
Notes: Risk rankings should be based on industry best practices. For example, criteria for ranking "High" risk vulnerabilities may include a CVSS base score of 4.0 or above, and/or a vendor-supplied patch classified by the vendor as "critical", and/or a vulnerability affecting a critical system component.
Testing procedure 6.2.a: Interview responsible personnel to verify that processes are implemented to identify new security vulnerabilities, and that a risk ranking is assigned to such vulnerabilities. (At minimum, the most critical, highest risk vulnerabilities should be ranked as "High".

As described above, PCI-DSS requirement 6.2 request that a formal vulnerability management process exist in order to rank the risk of the discovered vulnerabilities, before assets are put in production. Also the process should include outside sources for security vulnerability information (from vendors and/or vulnerability scanning tools and/or external sources). The vulnerabilities risk ranking could be “Low“, “Medium” and “High“, but at minimum the most critical vulnerabilities should be ranked as “High“. As described in the “Notes” of 6.2 requirement you could use CVSS scores for you risk ranking mapping.

Using CVSS v2 scoring

As described by Thierry Zoller in his “CVSS – Common Vulnerability Scoring System – a critique [ Part1 ]” blog post, CVSS v2 is not perfect and need some enhancements, maybe in v3. In order to explain the impacts of CVSS scores on the risk ranking we will use CVE-2012-1875 as example.

The base CVSS score, on National Vulnerability Database, for CVE-2012-1875, one of vulnerabilities patched in MS12-037, is 9.3 (HIGH). But by doing a Vulnerability Management process you could increase or decrease the risk ranking.

In CVSS v2 “Base Score Metric“, actual “Attack complexity” for CVE-2012-1875 is by default defined at “Medium“, but since an exploit is available through Metasploit we could consider that the “Attack complexity” should be set to “Low” (The attack can be performed manually and requires little skill or additional information gathering).

In “Temporal Score Metrics“, I would define “Exploitability” to “High” cause the Metasploit module is working for Internet Explorer 8 over Windows XP SP3 and Windows 7 SP1/SP2. For “Remediation Level” set to “Official fix” and for “Report Confidence” to “Confirmed“. In my opinion “Remediation Level” is the most disturbing in CVSS v2, cause if a patch exist, it does not imply that you have actually plan to deploy it or have actually deploy it.

In “Environmental Score Metrics“, “Collateral Damage Potential” and “Target Distribution” are related to your organization and on the number of potential vulnerable assets.

Example 1: If your vulnerable assets have a “Low” “Collateral Damage Potential” and they represent only “0 to 25%” of the total assets, the overall CVSS score will be 2.2.

Example 2: If your vulnerable assets have a “High” “Collateral Damage Potential” and they represent only “26 to 75%” of the total assets, the the overall CVSS score will be 7.

Example 3: If your vulnerable assets have a “Low” “Collateral Damage Potential” and you don’t known the number of potential vulnerable assets, the overall CVSS score will be 9.4. This score demonstrates you the importance to have a good inventory of your assets.

You can also play with the CVSS v2 “Security Requirements” metrics how will allow you to customize the CVSS score depending of the importance of the affected assets in terms of confidentiality, integrity and availability.

I would recommend to organizations, how don’t have the resources (updated CMDB, automatic vulnerability scanner, etc) to customize the CVSS score, and also because CVSS v2 is not perfect, to only take the base CVSS score as the default value to do vulnerability ranking.

Requirement 2.2

Requirement 2.2 is also impacted by requirement 6.2. Just for recap, if you don’t know this requirement:

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
2.2.b Verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.2

If a vulnerability is discovered or published, and one of your system component is vulnerable despite an industry-accepted hardening standard is configured, you will have to update, asap or before going in production, your configuration standard in order to avoid new vulnerabilities during installation of a new system component.

Requirement 6.5

Requirement 6.5 is also impacted by requirement 6.2. Just for recap, if you don’t know this requirement:

6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following:
6.5.6 All "High" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2).

As described in the requirement a formal software development process should exist and include references to the vulnerability ranking with associated resolution processes. If a “High” vulnerability is discovered or published, and one of your application is vulnerable, you will have to correct or mitigate the vulnerability, asap or before going in production.

Requirement 10.4

Requirement 10.4 is also impacted by requirement 6.2. Just for recap, if you don’t know this requirement:

10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
10.4.a Verify that time-synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2.

Accurate time synchronization is an important part of the security process, and most of time this requirement is under estimated and risks associated to time synchronization defect are under evaluated. Each reported time synchronization vulnerabilities should be carefully evaluated and associated with a risk ranking. For example, if a server has an offset of more than x seconds then the event could be considered as a “High” vulnerability ranking. Another examples could be that the NTP client could no more connect to the NTP server, or that a configuration change has be done on the NTP client or server, etc.

Before Jun 30, it wasn’t mandatory to resolve “High” vulnerabilities related to time synchronization vulnerabilities. Now it is mandatory and you should correct it asap and validate the correction.

Requirement 11.2.1

Requirement 11.2.1 is also impacted by requirement 6.2. Just for recap, if you don’t know this requirement:

11.2.1 Perform quarterly internal vulnerability scans.
11.2.1.b Review the scan reports and verify that the scan process includes rescans until passing results are obtained, or all "High" vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved.

As described in the requirement a formal quarterly scanning process should exist and include references to the vulnerability ranking with the requirement of a rescan until the vulnerability is resolved. Before Jun 30, it wasn’t mandatory to resolve “High” vulnerabilities after a quarterly internal vulnerability scan. Now it is mandatory and you should correct it asap and validate the correction by a rescan.

Requirement 11.2.3

Requirement 11.2.3 is also impacted by requirement 6.2. Just for recap, if you don’t know this requirement:

11.2.3 Perform internal and external scans after any significant change.
11.2.3.b Review scan reports and verify that the scan process includes rescans until: 
- For external scans, no vulnerabilities exist that are scored greater than a 4.0 by the CVSS, 
- For internal scans, a passing result is obtained or all "High" vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved.

As described in the requirement a formal scanning process, after any significant change, should exist and include references to the vulnerability ranking with the requirement of a rescan until the vulnerability is resolved. Significant changes are defined by examples in requirement 11.2 : new system component installations, changes in network topology, firewall rule modifications, product upgrades.

Before Jun 30, it wasn’t mandatory to resolve “High” vulnerabilities introduced by a significant change and discovered by an internal vulnerability scan. Now it is mandatory and you should correct it asap and validate the correction by a rescan.

Conclusion

As you can see, requirement 6.2 has introduce tonnes of new requirements and you should plan asap, if you are PCI-DSS compliant, all required actions in order to comply with them.