Category Archives: Various

update.microsoft.com SSL warnings due to certificate chain update

Flame malware, the buzz of June 2012, had an interesting replication method through the Microsoft Windows Update service. The SNACK (NBNS spoofing) and MUNCH (spoofing of proxy detection and Windows Update requests) Flame modules allowed man-in-the-middle (MITM) attacks, enabling the distribution of forged Windows updates to the targets.

The hostnames intercepted by the MITM were:

download.windowsupdate.com
download.microsoft.com
update.microsoft.com
www.update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com
www.download.windowsupdate.com
v5stats.windowsupdate.microsoft.com

The problem was that components of Flame were signed using a forged certificate that the attackers were able to create by exploiting a weakness in Microsoft Terminal Services, which allowed users to sign code with certificates chaining up to Microsoft.

Microsoft has issued a security advisory (MSA-2718704) and an update (KB-2718704) that removes the untrusted certificates.

But as of today, the “Microsoft Root Certificate Authority” root certificate and the “Microsoft Update Secure Server CA 1” intermediate certificate are no longer trusted by the majority of Internet browsers, such as Firefox, Chrome, Safari and Opera. The cause is that Microsoft has regenerated the Windows Update certificate chain. The chain of trust is broken (see Qualys SSL Labs and the SSL Shopper SSL Checker) for www.update.microsoft.com and update.microsoft.com.

SSL certificates for the following domain names are also no longer trusted, because the chain of trust is broken:

www.update.microsoft.com
update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com

The SSL certificates associated with the following domain names are also no longer trusted, because they point to a host whose certificate does not match the requested domain name (hosted on Akamai):

download.windowsupdate.com
download.microsoft.com
www.download.windowsupdate.com

With KB-2718704 installed on an up-to-date Windows XP SP3, only the “www.update.microsoft.com” domain can be considered trusted, and only if you use Internet Explorer.

But despite the installation of KB-2718704, the following domains are still invalid:

update.microsoft.com
v5.windowsupdate.microsoft.com
windowsupdate.microsoft.com
download.windowsupdate.com
download.microsoft.com

Screenshots of the error messages shown by different browsers: [image gallery]
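
The "chain of trust is broken" condition described above can be reproduced locally, which is a useful way to understand what the browsers are complaining about. The script below is an added example, not code from the original post: it uses the openssl command line to build a throw-away root CA, an intermediate CA and a leaf certificate (all names such as "Demo Root CA", "Demo Update Secure Server CA" and update.example.test are hypothetical), then verifies the leaf against the root alone, which is what a client sees when the server's chain stops at an intermediate the client has never seen, and again with the intermediate supplied.

```shell
#!/bin/sh
# Added example (not from the original post). Builds root -> intermediate -> leaf
# in a temporary directory and shows how verification fails when the presented
# chain cannot be linked to a trusted root. All names are hypothetical.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:update.example.test
EOF

# Generate the three certificates (hypothetical subjects).
gen_chain() {
  # Self-signed root: the anchor a client already trusts.
  openssl req -x509 -config "$WORK/demo.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Demo Root CA" -days 2 >/dev/null 2>&1
  # Intermediate CA signed by the root: the "regenerated" link in the chain.
  openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj "/CN=Demo Update Secure Server CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/demo.cnf" -extensions ca_ext \
    -out "$WORK/inter.pem" >/dev/null 2>&1
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=update.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -extfile "$WORK/demo.cnf" -extensions leaf_ext \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_chain MODE -> prints "ok" or "broken".
#   leaf-only         : client trusts the root, server sent only the leaf
#   with-intermediate : server sent the intermediate alongside the leaf
verify_chain() {
  case "$1" in
    leaf-only)
      openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1 \
        && echo ok || echo broken ;;
    with-intermediate)
      openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/leaf.pem" >/dev/null 2>&1 && echo ok || echo broken ;;
    *) echo "usage: verify_chain leaf-only|with-intermediate" >&2; return 2 ;;
  esac
}

# Print the subject/issuer links a client has to resolve up to the root.
chain_summary() {
  openssl x509 -in "$WORK/leaf.pem" -noout -subject -issuer
  openssl x509 -in "$WORK/inter.pem" -noout -subject -issuer
}

gen_chain
chain_summary
echo "leaf only:         $(verify_chain leaf-only)"
echo "with intermediate: $(verify_chain with-intermediate)"
```

The first verification fails with "unable to get local issuer certificate", the same class of error the browsers show when the new intermediate is neither sent by the server nor present in the client's store; the second succeeds because the intermediate is available as an untrusted link back to the trusted root. Against a live host, the equivalent check is `openssl s_client -connect host:443 -servername host -showcerts </dev/null`, reading the presented chain and the "Verify return code" line.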

Metasploit Digital Music Pad SEH overflow demo censored as copyright infringement

Yesterday I received an email from YouTube notifying me that the Metasploit video demonstration of the Digital Music Pad SEH overflow (EDB-ID-15134) had been removed for copyright infringement.

YouTube disabled the video as a result of a third-party notification from E-Soft.co.uk, the vendor of Digital Music Pad.

The video, which I recorded in February 2011, was a demonstration of the “exploit/windows/fileformat/digital_music_pad_pls” Metasploit exploitation module. This module was developed by Abhishek Lyall in October 2010.

When I recorded the vulnerability exploitation demonstration, the affected software was freely downloadable from the vendor's web site, and no sound or other copyrighted material was used in the video.

My videos, available on my YouTube channel, are made for educational purposes, helping security researchers understand how to use Metasploit modules or other exploits and warning consumers about product vulnerabilities. If you search “Digital Music Pad” on Google, you can find an uncensored copy of my video demonstration; the video is also available on SecurityTube.

Many legal cases exist regarding vulnerability disclosure; all of them are reported on Attrition.org's list of legal threats against security researchers.

I really don't understand why the Metasploit Digital Music Pad SEH overflow demo was removed, for what reason, and why E-Soft.co.uk asked YouTube to remove my video. So I will contact Attrition and submit this case to them, because it really seems to be an abuse of copyright.

This case could also set a dangerous precedent for other security researchers who publish demonstration videos on YouTube.

At the moment I'm no longer able to submit new videos to YouTube or modify any settings of my channel, because I'm considered a criminal and forced to watch a stupid “YouTube Copyright School” and to fill in a form with stupid questions about copyright.

Update 1: 18/05 at 12:47. First contact with Attrition.org in order to submit a new legal-threat case to them.

Update 2: 18/05 at 14:38. I have finally recovered my YouTube account after answering the YouTube Copyright School questions. Funny thing: the form submission wasn't compatible with Google Chrome, so I had to switch to Safari in order to submit my answers and recover my YouTube account. #fail

Update 3: 18/05 at 15:23. It seems that I can no longer select a Creative Commons license for my new videos on YouTube; I am forced to use the YouTube standard license. #fail

Update 4: 27/05 at 11:07. After some days in Hamburg, Germany, I sent an email to E-Soft.co.uk in order to learn the reason for the “copyright infringement”.

Update 5: 28/05 at 11:01. After some discussions with Attrition, we have discovered the reason submitted by E-Soft.co.uk to YouTube: “Software: “Digital Music Pad” *Software interface is shown *Enables illegal copying of the software”.

10 of 10 malwares detected by Mac Sophos Anti-Virus are false positives. Does yours?

On April 24, the Sophos Naked Security blog published a post regarding malware infections on Mac OS X. Sophos claimed that 20% of Mac computers were carrying one or more instances of Windows malware. All this malware was detected through their free Sophos Anti-Virus for Mac Home Edition.

Flashback malware was the big story of April for Mac consumers, and all anti-virus companies jumped on this opportunity to promote their products and to spread propaganda around Mac OS X security. I agree with them that Mac OS X is a product like any other product, and that Mac OS X also has to be protected against threats, but the proposed solutions are worse than doing nothing.

During my tests of Sophos Anti-Virus for Mac Home Edition, 10 of 10 malwares detected by the anti-virus were false positives, harassing me with constant alert pop-ups during regular operations, Spotlight indexing and Time Machine backups. Below is a sample of 10 infections detected by Sophos Anti-Virus for Mac.

Perl/FtpExp-A

False positives due to the binary format of the “affected” files.

/Users/xxxx/Library/Saved Application State/com.twitter.twitter-mac.savedState/window_1.data
/Users/xxxx/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/#s.ytimg.com/settings.sol

Troj/BredoZp-JO

Sophos itself is a trojan, and some iTunes applications and Chrome are backdoored and nobody knows about it.

/Library/Preferences/com.sophos.sav.plist
/Users/xxxx/Music/iTunes/iTunes Media/Mobile Applications/iSSH 5.3.1.ipa
/Users/xxxx/Library/Saved Application State/com.google.Chrome.savedState/windows.plist

Troj/BredoZp-JN

iTunes is a very well-known backdoored software, and one more time Sophos itself contains a trojan.

/Users/xxxx/Library/Caches/com.apple.iTunes/goog-phish-shavar.db
/Library/Preferences/com.sophos.sav.plist

Troj/Iframe-HY

One more time Sophos is a trojan, and now my Spotlight index files also contain a backdoor.

/Library/Preferences/com.sophos.sav.plist
/Volumes/xxxx/.Spotlight-V100/Store-V2/700BF07C-170F-482E-A2BB-45EF8501935C/0.indexPostings

Mal/IRCBot-O

VLC contains an IRC bot; gotcha, remote control of all VLC users.

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Troj/PhpShell-Z

One more time VLC, which contains a PHP trojan …

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Mal/PHPShell-A

Everybody knows that Sophos Anti-Virus products are developed in PHP.

/Library/Preferences/com.sophos.sav.plist

Troj/PDFJs-B

Help, my logs contain trojans, and Sophos one more time.

/private/var/log/DiagnosticMessages/2012.05.05.asl
/Library/Preferences/com.sophos.sav.plist

Mal/Badsrc-C

My Spotlight index has a dead malware…

/.Spotlight-V100/Store-V2/DeadFiles/orphan.ef786332/0000/0000/0151/22087716.txt

Troj/PhoexRef-A

Huh, my screenshots of Metasploit contain trojans (why not, lol) and Google Drive is backdoored.

/Users/xxxx/Desktop/screenshots/metasploit-vmware-modules-research.png
/Users/xxxx/Library/Application Support/Google/Drive/sync_config.db
/usr/share/zoneinfo/UTC
/Library/Preferences/com.sophos.sav.plist

In conclusion, Sophos is better at doing marketing and scaring consumers than at creating a good Mac anti-virus that really detects something.

Luxembourg Critical Remote Management Applications Attack Surface

The MS12-020 patch has now been out for a month, with associated DoS PoCs available for pen testers and other populations who don't share the same ethics. Lots of articles and blog posts have been written around CVE-2012-0002, a vulnerability discovered by Luigi Auriemma in May 2011, reported to ZDI in August 2011 and disclosed in a coordinated manner in March 2012.

One of these MS12-020 related articles was written by Dan Kaminsky, “RDP and the Critical Server Attack Surface”. This blog post reminds us that some applications are more critical than others due to their roles and their exposure to the Internet.

Dan scanned around 300 million IPs, representing around 8.3% of the Internet, and 415 thousand of them showed an open RDP port (3389/TCP), a ratio of 0.14%. By extrapolation, Dan arrived at around 5 million RDP endpoints on the Internet. Fortunately for the Internet community (should I say for the sysadmins?), despite the efforts of security researchers (mostly on freenode #ms12-020), MS12-020 has “only” led to a DoS exploit. Potentially 5 million BSoDs (Blue Screens of Death); is it a blessing in disguise?

In his article, Dan Kaminsky also reminds us that other critical server attack surfaces exist on the Internet, such as TCP/IP, HTTP, SSL, SSH, DNS or SMTP, and that all these applications play potentially essential roles for business.

I have done the same study for the Luxembourg landscape with around 550 000 IP addresses, but before giving my results I would like to explain what Luxembourg is 🙂

If you don't know, Luxembourg has the highest GDP in Europe and is classified in the top 3 of the list of countries by GDP per capita (Wikipedia source). Also, more than 90% of the population uses the Internet and 82% of the population connects to the Internet daily. Luxembourg became the geography with the highest ratio of malicious email activity in February 2012, according to the Symantec Intelligence Report.

Luxembourg also has a total balance sheet of EUR 776 billion in credit institutions, and the Luxembourg banking sector comprises 143 credit institutions from over 20 different countries (PwC Luxembourg source). All of these credit institutions are under the surveillance of the CSSF (Commission de Surveillance du Secteur Financier), and most of them delegate their IT management to PSFs (Professionals of the Financial Sector), also known as “Primary IT systems operators” and “Secondary IT systems and network operators”.

In conclusion, most of the IP addresses assigned to Luxembourg have a potentially high asset value for bad guys. Luxembourg IP address ranges assigned to Internet broadband access surely offer a bigger return on investment than those of other countries in the case of phishing or malware campaigns. Also, IP address ranges assigned to professionals of the financial sector surely host e-banking or fund transaction infrastructures, a prime target for cyber crime.

So, what are the results for Luxembourg, a country which should normally have a lower exposure ratio than others, given that one of its IP addresses has a higher asset value than one of 300 million arbitrarily scanned addresses? I have only focused on applications equivalent to RDP; these applications are known as “Remote Access Services” (RDP, SSH, telnet, VNC, PCAnywhere, Citrix, etc.).

In the “2012 Verizon Data Breach Report”, “Remote Access Services” are noted “as continuing their rise in prevalence, as hacking vector, accounting for 88% of all breaches leveraging hacking techniques – more than any other vector”. Remote services accessible from the entire Internet, combined with unpatched applications and default, weak, or stolen credentials, continue to plague organizations. Scripted attacks seeking victims with known remote access ports, followed by the issuance of known default vendor credentials, allow targets of opportunity to be discovered and compromised in an automated and efficient manner.

Remember, Dan Kaminsky found a ratio of 0.14% of open RDP on 300 million IPs. In Luxembourg, this ratio is 0.26%, twice Dan's ratio. For SSH the ratio of open ports is 0.79%, for telnet the ratio is 0.31% (still open telnet despite best practices?), for VNC the ratio is 0.06% and for PCAnywhere the ratio is 0.02% (still open PCAnywhere despite the leaked source code?).
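
The ratios above are all computed the same way: hosts with the service open, divided by the number of addresses scanned, and optionally scaled up to a larger population as Dan did for the whole Internet. The script below is an added example (not code from the original post) showing how a defender can produce those figures for their own address space from nmap "grepable" (-oG) output. The scan lines are constructed for the example, the port-to-service mapping is an assumption (default TCP ports), and only "open" entries count as exposure; "filtered" and "closed" are ignored.

```python
"""Exposure ratios for "Remote Access Services" from a port-scan result.

Added example, not code from the original post. Parses nmap -oG output, counts
the hosts exposing each remote-access service named in the post, and expresses
each count as a share of the scanned address space (open hosts / scanned IPs),
the ratio Dan Kaminsky's scan and the Luxembourg numbers use.
"""
import re
from collections import Counter

# Port-to-service mapping assumed by this example (default TCP ports).
REMOTE_ACCESS_PORTS = {
    3389: "RDP",
    22: "SSH",
    23: "telnet",
    5900: "VNC",
    5631: "PCAnywhere",
}

# Constructed nmap -oG sample for a 32-address range (192.0.2.0/27):
# 8 hosts answered; silent addresses produce no "Host:" line but still count
# in the denominator, as they do in a scan of a whole country's ranges.
SCANNED_TOTAL = 32
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///
Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///
Host: 192.0.2.12 ()\tPorts: 22/open/tcp//ssh///
Host: 192.0.2.13 ()\tPorts: 5900/open/tcp//vnc///, 22/filtered/tcp//ssh///
Host: 192.0.2.14 ()\tPorts: 443/open/tcp//https///
Host: 192.0.2.15 ()\tPorts: 3389/open/tcp//ms-wbt-server///
Host: 192.0.2.16 ()\tPorts: 22/closed/tcp//ssh///
Host: 192.0.2.17 ()\tPorts: 5631/open/tcp//pcanywheredata///
# Nmap done (constructed sample)
"""

# Only "open" counts as exposed; "filtered" and "closed" entries are ignored.
OPEN_TCP_RE = re.compile(r"(\d+)/open/tcp")


def parse_open_ports(scan_text):
    """Map each host IP in nmap -oG output to the set of its open TCP ports."""
    hosts = {}
    for line in scan_text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        open_ports = hosts.setdefault(ip, set())
        if "Ports:" in line:
            port_field = line.split("Ports:", 1)[1]
            open_ports.update(int(p) for p in OPEN_TCP_RE.findall(port_field))
    return hosts


def exposure_ratios(hosts, scanned_total):
    """Return {service: (exposed_host_count, ratio_of_scanned_space)}.

    A host is counted once per service, so one host exposing both RDP and
    SSH contributes to both ratios, as in the per-service figures above.
    """
    counts = Counter()
    for open_ports in hosts.values():
        for port, service in REMOTE_ACCESS_PORTS.items():
            if port in open_ports:
                counts[service] += 1
    return {
        service: (counts[service], counts[service] / scanned_total)
        for service in REMOTE_ACCESS_PORTS.values()
    }


def extrapolate(open_count, scanned, population):
    """Scale a sample count to a population (Dan's 415k on 300M -> ~5M).

    Assumes the sample is representative of the population; the post argues
    that an address space with higher asset value may not follow that.
    """
    return open_count / scanned * population


def report(scan_text, scanned_total):
    """One line per service: name, exposed hosts, ratio in percent."""
    hosts = parse_open_ports(scan_text)
    lines = []
    for service, (count, ratio) in exposure_ratios(hosts, scanned_total).items():
        lines.append(f"{service:<11} {count:>6} hosts  {ratio * 100:6.2f}%")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SCAN, SCANNED_TOTAL):
        print(line)
    # Dan's figures: 300M addresses were 8.3% of the Internet.
    whole_internet = 300_000_000 / 0.083
    print(f"Extrapolated RDP endpoints: {extrapolate(415_000, 300_000_000, whole_internet):,.0f}")
```

To reproduce a country-wide figure, run nmap over the assigned ranges with `-oG`, feed the file to `parse_open_ports`, and pass the total number of addresses in those ranges (not the number of responding hosts) as `scanned_total`; the denominator is what makes ratios from different scans comparable.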

Shouldn't Luxembourg have lower ratios of open ports for “Remote Access Services”? I think YES. But why are these ratios so high? Surely because Security has failed in its mission, surely because Security is still understood as a technical game and not as an insurance to protect the value of assets. Maybe the cause is also that the Internet is growing too fast and that this growth speed doesn't leave time to learn from errors. The Internet may distort reality, memory and time.

Just as a reminder, a small list of vulnerabilities or backdoors that have targeted these critical remote server surfaces:

2012:

  • SSH : cisco-sa-20120328-ssh – Cisco IOS Software Reverse SSH Denial of Service Vulnerability
  • RDP : CVE-2012-0002 – Microsoft Remote Desktop Protocol Remote Code Execution Vulnerability
  • PCAnywhere : OSVDB-79412 – PCAnywhere 12.5.0 build 463 Denial of Service

2011:

  • Telnet : CVE-2011-4862 – FreeBSD Telnet Service Encryption Key ID Buffer Overflow
  • FTP : OSVDB-73573 – vsftpd-2.3.4 backdoor
  • SSH : EDB-ID-17462 – OpenSSH 3.5p1 Remote Root Exploit for FreeBSD

2010:

  • SMTP : CVE-2010-4344 – Exim4 <= 4.69 string_format Function Heap Buffer Overflow
  • FTP : OSVDB-69562 – ProFTPD 1.3.3c compromised source remote root Trojan
  • FTP : CVE-2010-3867 – ProFTPD IAC Remote Root Exploit
  • FTP : OSVDB-62134 – Easy FTP Server v1.7.0.11 Multiple Commands Remote Buffer Overflow Exploit (Post Auth)

2009:

  • FTP : CVE-2009-3023 – Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)

2008:

  • DNS : CVE-2008-1447 – Remote DNS Cache Poisoning Flaw Exploit
  • SSH : CVE-2008-0166 – Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit

Etc. Etc.