Local File Inclusion attempts on the rise

Not a day goes by without a new Joomla Local File Inclusion (LFI) vulnerability. Just take a look at Exploit-DB, Inj3ct0r or Hack0wn and you will find thousands of Joomla components affected by this class of vulnerability.

For many years, security researchers have written studies on this vulnerability and described the different ways to exploit it. You can find some good papers about LFI exploitation on Exploit-DB. But since 2010, LFI has been coming back in force.

At first glance an LFI vulnerability does not look dangerous, so a quick recap of the potential impacts of being vulnerable is in order:

  • Exposure of sensitive information (clear-text or hashed passwords, source code, leaked documents, etc.)
  • Exposure of system information (system details, user lists, runtime information, etc.)
  • Security bypass (normally inaccessible information can be reached)
  • System access (malicious users could gain access to the system and compromise it)
  • Being enrolled in a botnet without knowing it
  • etc.

Why are Local File Inclusion (LFI) attempts on the rise? The answer is very simple: Remote File Inclusion (RFI) is stagnating or even declining. Just do a simple search on Exploit-DB for RFI and you will directly see the difference with the LFI search. RFI vulnerabilities are very simple to exploit, unlike LFI vulnerabilities. To back this up, I invite you to visit our one-year RFI HoneyNet statistics, where you will see the increasing activity of RFI botnets. But the number of RFI exploits has been decreasing continuously since the hype of 2006 and 2007. Hosts compromised through LFI are being integrated into RFI botnets.

Even though LFI exploitation fails in 90% of cases (thanks to OS, web server or PHP default hardening), if you scan 1000 hosts you can still compromise 100 of them. Hosts compromised through LFI are compensating for the decrease in hosts compromised through RFI exploits. Accordingly, since 2010 we have seen the appearance of dedicated Joomla LFI dork lists and the mutation of traditional RFI scanners into LFI/RFI scanners (LRFI). The 2010 mutation of all the traditional RFI scanners also integrates XML-RPC and SQL injection scanners, with nicely updated dork lists.

We provide a list of all unique LFI attempts seen on our HoneyNet during the last 24 hours. This list is updated daily and lets you follow the newly vulnerable web applications.

So, a final word: keep an eye on your /proc/self/environ, and a special dedication to Indonesia 🙂 If you are curious, take a look at the Indonesian scene.

SUC017 : WEB Proxy CONNECT Request

  • Use Case Reference : SUC017
  • Use Case Title : Web Proxy CONNECT Request
  • Use Case Detection : IDS / HTTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : No
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 80/TCP
Possible correlation(s):
  • Apache web open proxy scans

Source(s) :

We have detected an increasing number of Web Proxy CONNECT requests from Russia. The majority of the source IPs are from 95.24.0.0/13 (CORBINA-BROADBAND). As you can see in the yearly events graph, we have around 7 times more scan events than in previous months. The monthly TOP 10 source IPs graph also shows that all the IPs come from the same range, located in Russia.

 

Figure: 1 month SIG 2001675 IDS Events

Figure: 1 year SIG 2001675 IDS Events

Figure: 1 Month TOP 10 source IPs for SIG 2001675

Figure: TOP 20 source countries for SIG 2001675
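As an added detection example (not the HoneyNet's own code) serving both the LFI post above and this SUC017 post: the script below classifies Apache-style access log lines into LFI attempts (traversal and /proc/self/environ requests, matched after URL decoding so double-encoded `..%252F` is caught) and proxy CONNECT requests, then groups the CONNECT sources by /13 prefix, as done above for the CORBINA range. The log lines are constructed samples using documentation addresses plus hosts inside the 95.24.0.0/13 range quoted above.

```python
import re
import ipaddress
from collections import Counter
from urllib.parse import unquote

# Constructed Apache-style access log lines (sample data, not real HoneyNet captures).
SAMPLE_LOG = """\
95.24.17.3 - - [20/Jun/2010:10:01:02 +0200] "CONNECT mail.example.net:25 HTTP/1.1" 405 0
95.31.200.9 - - [20/Jun/2010:10:01:05 +0200] "CONNECT 10.0.0.1:443 HTTP/1.0" 405 0
198.51.100.7 - - [20/Jun/2010:10:02:11 +0200] "GET /index.php?option=com_demo&controller=../../../../../../proc/self/environ%00 HTTP/1.1" 200 512
198.51.100.7 - - [20/Jun/2010:10:02:12 +0200] "GET /index.php?option=com_demo&file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 0
203.0.113.5 - - [20/Jun/2010:10:03:00 +0200] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8192
"""

# Source IP, method and request target from a combined-log-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# Traversal, the files LFI scanners typically request, and the null byte seen in LFI payloads.
LFI_RE = re.compile(r'(\.\./|/proc/self/environ|/etc/passwd|\x00)')

def decode_uri(uri):
    """Decode twice so double-encoded traversal (..%252F -> ../) is exposed."""
    return unquote(unquote(uri))

def classify(line):
    """Return (src_ip, label) with label in {'lfi', 'connect', 'benign'}; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, target = m.groups()
    if method.upper() == "CONNECT":
        return src, "connect"
    if LFI_RE.search(decode_uri(target)):
        return src, "lfi"
    return src, "benign"

def summarize(log_text, prefixlen=13):
    """Count lines per label and group CONNECT sources by network prefix (default /13)."""
    labels, connect_nets = Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        src, label = hit
        labels[label] += 1
        if label == "connect":
            net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
            connect_nets[str(net)] += 1
    return labels, connect_nets
```

Running `summarize(SAMPLE_LOG)` on the sample gives two LFI hits, two CONNECT hits and one benign request, with both CONNECT sources collapsing into 95.24.0.0/13.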

Increasing SSH Brute Force Attempts

As mentioned in my Tweet on 16 Jun, our HoneyNet has revealed increasing SSH brute force attempts. These scans were confirmed by the Internet Storm Center (ISC) on 18 Jun from other sources. These scans reminded me of last year and the incredible SSH 0day rumor, and also the Zero For Owned "Summer of Hax", also known as ZF05. Maybe another try to own security experts' infrastructures before DefCon & BlackHat?

We see a clear difference from the ISC alert about the increasing SSH brute force attempts: on our HoneyNet all the source IP addresses focus only on the root user and really try to brute force the root account's password.

You can follow the SSH brute force attempts in our Use Case SUC015 with real-time live data.
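An added example (not the HoneyNet's own tooling) of the distinction drawn above: it parses sshd "Failed password" lines and separates sources that hammer only the root account from sources that spray several usernames, after applying a failure threshold. The auth log lines are constructed samples in OpenSSH's syslog format.

```python
import re
from collections import defaultdict

# Constructed sshd auth.log excerpts (sample data, not real HoneyNet captures).
SAMPLE_AUTH_LOG = """\
Jun 16 03:12:01 honey sshd[2211]: Failed password for root from 203.0.113.9 port 51122 ssh2
Jun 16 03:12:03 honey sshd[2213]: Failed password for root from 203.0.113.9 port 51124 ssh2
Jun 16 03:12:05 honey sshd[2215]: Failed password for root from 203.0.113.9 port 51126 ssh2
Jun 16 03:14:10 honey sshd[2301]: Failed password for invalid user admin from 198.51.100.4 port 40001 ssh2
Jun 16 03:14:12 honey sshd[2303]: Failed password for invalid user oracle from 198.51.100.4 port 40003 ssh2
Jun 16 03:14:14 honey sshd[2305]: Failed password for root from 198.51.100.4 port 40005 ssh2
Jun 16 03:20:00 honey sshd[2400]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
"""

# Username and source address of a failed password attempt; 'invalid user' is optional.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def failed_logins(log_text):
    """Map source IP -> {username: failure count} built from 'Failed password' lines."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            per_ip[src][user] += 1
    return per_ip

def root_only_sources(log_text, min_failures=3):
    """Split sources at or above the failure threshold into root-only brute forcers
    and sources that spray several usernames; returns (root_only, spraying) sorted."""
    root_only, spraying = [], []
    for src, users in failed_logins(log_text).items():
        if sum(users.values()) < min_failures:
            continue
        (root_only if set(users) == {"root"} else spraying).append(src)
    return sorted(root_only), sorted(spraying)
```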

CVE-2010-1297 : Adobe Flash Player newfunction Invalid Pointer Use

Since yesterday, the Rapid7 Metasploit team has released an exploit module for the Adobe Flash vulnerability described in advisory APSA10-01, aka CVE-2010-1297.

The vulnerability affects Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris, and also Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX. This vulnerability could cause a crash or allow an attacker to take control of the affected system.

So, as I understand it, all of the Internet could own all of the Internet; a big party in perspective. Who is not using Flash?

The actual attack vector is a crafted PDF file embedding a vulnerable Flash animation. So, if you download this kind of PDF from the Internet, or open emails with attached PDFs, and open them with Adobe Reader, you could be owned.

We have successfully tested the exploit with Adobe Reader 9.3.0 on Internet Explorer 8 and Safari 5.

No results with Google Chrome 5.0.375.70 and Firefox 3.5.9.

With Foxit Reader the PDF does not launch the Flash animation, so the exploit does not work.

Adobe has released updates for Flash Player, APSB10-14, so don't hesitate to update your browser add-ons.

Below is a video we have made to demonstrate how easy it is to exploit this vulnerability with Metasploit.

[youtube JW7B8aZsT88]
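An added triage example for the vector described above (not code from the original post, from Rapid7's module or from Adobe): it flags PDFs that embed Flash content by looking for RichMedia annotations and for SWF magic bytes inside stream objects, inflating FlateDecode streams so a compressed payload is not missed. The two PDF-like byte strings are constructed samples, not real documents.

```python
import re
import zlib

# Constructed, minimal PDF-like byte strings (not renderable PDFs): one carries a
# RichMedia annotation with a deflated SWF stream, the other has no Flash at all.
SWF_STREAM = zlib.compress(b"FWS\x0a" + b"\x00" * 32)   # 'FWS' is the uncompressed SWF magic
FLASH_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Annot /Subtype /RichMedia /RichMediaContent 2 0 R >> endobj\n"
    b"2 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length "
    + str(len(SWF_STREAM)).encode() + b" >>\nstream\n" + SWF_STREAM + b"\nendstream\nendobj\n"
    + b"%%EOF\n"
)
PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

# A stream dictionary followed by its body; re.S lets '.' span binary data and newlines.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib- and LZMA-compressed SWF

def stream_payloads(pdf):
    """Yield each stream body, inflating it when the dictionary names FlateDecode."""
    for dict_part, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_part:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # keep the raw bytes; a corrupt stream still deserves a look
        yield body

def flash_indicators(pdf):
    """Return the reasons a PDF looks like it carries Flash content (empty if none)."""
    reasons = []
    if re.search(rb"/Subtype\s*/RichMedia", pdf):
        reasons.append("RichMedia annotation")
    if re.search(rb"/Subtype\s*/Flash", pdf):
        reasons.append("Flash RichMedia instance")
    if any(body.startswith(SWF_MAGIC) for body in stream_payloads(pdf)):
        reasons.append("SWF magic in stream")
    return reasons
```

Real-world PDFs can also hide streams behind other filters or object streams, so this is a first-pass filter for mail gateways and honeypot captures, not a replacement for a full PDF parser.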