There have been reports of a new remote information disclosure vulnerability in Apache HTTP Server, when the HTTP "OPTIONS" method is enabled and a misconfiguration occurs. While the misconfiguration trigger seems rare in production environments, the Apache .htaccess file ability enables users of virtual hosting services to intentionally introduce the bug in a shared environment and thus be able to abuse the vulnerability condition.
The bug has been assigned CVE-2017-9798 and reportedly affects the latest Apache release. There is a proof of concept example available to trigger the fault, however after hours of testing at OSI Security we were unable to reproduce the information leak. Reportedly, it only occurs in high traffic Apache websites and the examples used were from the Alexa Top 400 Global Websites, where the author noticed HTTP responses that included abnormal returned bytes of system memory outside of expected use, or HTTP server content destined for other website visitors / cached in memory. Example request: OPTIONS /index.html HTTP/1.0 Example vulnerable response: HTTP/1.0 200 OK Allow: GET,HEAD,OPTIONS,,HEAD,,HEAD,,HEAD,, HEAD,,HEAD,,HEAD,,HEAD,POST,,HEAD,, HEAD,!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" It is clear from the disclosed example, that the Allow header should only include GET, HEAD and OPTIONS (or others such as PUT and DELETE) however the server leaks information from other memory locations. The vulnerability is reportedly triggered where the Apache server is used, with the OPTIONS request enabled, with a <Directory> definition (or a .htaccess file) which contains a e.g. <Limit GET> access control which contains an invalid method name. An example would be <Limit GETT>, as a system administrator introduced typo. At this stage the vulnerability appears to be impractical and of low risk, however we suggest checking your Apache server configuration for Limit directives which may contain errors. At the same time as this report, during a client penetration test we discovered a minimal risk/impact vulnerability in the latest release of Apache which we reported to the security team. The bug has since been patched in source code and should be included in the next stable release. The NSA ShadowBrokers exploit leak included a tool known as “BenignCertain” which triggers an information leak which may result in credential and private key disclosure to unauthenticated parties. Cisco IOS routers, PIX and ASA firewalls with VPN IKE IPSec enabled may be affected.
The NSA toolkit's bc-genpkt, bc-id and bc-parser binaries can be used to generate vulnerability triggering packets, send the packet and store the response, and parse the information leak to reveal VPN credentials such as username and password. Alternatively, the Metasploit Framework contains a module to scan for and trigger this vulnerability known as cisco_ike_benigncertain. Example: The device appears to leak RAM contents when the fault is triggered: 0000 00 00 00 00 00 00 00 02 00 00 00 00 00 00 2e e0 0010 00 00 2e e0 12 a1 fb 48 00 00 00 00 00 00 00 00 0020 00 00 09 ec 00 00 09 d0 00 00 00 01 01 00 00 0e 0030 00 00 09 c4 00 00 00 01 00 00 00 01 0b 83 d4 d4 ... [ snip ] ... 0470 0f ff ff ff 0f ff ff ff 00 00 00 00 00 00 00 00 0480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0490 00 00 00 00 00 00 00 06 A1 44 93 40 00 00 00 00 When conducting subsequent tests, the memory bytes disclosed appear to change which indicates that this is likely vulnerable. Non-Cisco IPSec devices to not dump excessive bytes when responding to the vulnerability trigger (e.g. 10 bytes vs 2500+ bytes for vulnerable devices device). However, it is important to note that the usable exploit only affects Cisco PIX devices. This device may be vulnerable but due to slightly different implementation may be leaking less valuable information to an attacker or requires tweaking using the NSA bc-genpkt tool. Recommendation: Ensure the latest patched IOS firmware is installed. If the firmware is confirmed as vulnerable, the preshared VPN keys should also be changed and private keys on the device should be regenerated. Risk: High. A frequent question commonly asked when working in Security is "Where do I begin?"
Talking about Information Security can easily turn into information overload, which is why communication skills are essential for working in the industry. So in order to answer this big question, I have come up with a Security Checklist, which is an overview of where to begin, without overlooking essential things. Patch everything, immediately: It doesn't matter if there is a business requirement for some software, if it’s vulnerable and there’s publicly available exploit code or an easy to use exploitation tool available then it is going to be compromised. Update default passwords: This in my opinion is common sense; however, funny thing about common sense is its quite hard to come across these days. Honestly if you want a one way path to being compromised and even being a part of a botnet, ignore this advice. This includes your firewall, servers and any IoT device that you buy and connect to your network. Don't Reuse Passwords: Reusing passwords means once one device is compromised, what else can be compromised? Use a password manager such as KeePass (KeePassX for Apple) to keep track of passwords, don't write them down or you open yourself to a different arsenal of problems. Network Segmentation: Devices should be segmented logically by type; set up choke points between device types and heavily filter based on port and protocol. Consider how an attacker moving from one segment to another can be restricted. Consider how you can prevent an end-user device compromised by a phishing attack from reaching the servers. What about the mobile devices too? What can they access? Manage in and out of band: If your management plane is separated either logically, or physically from your data plane, it makes the task of an attacker monitoring or modifying that traffic one step harder. Use Secure Protocols: Using good protocols is essential i.e. SSH not telnet, SMTP/S not SMTP etc. It compliments managing in and out of band. Disable What You Don't Need: Continuing off of the last note, disable any protocols you don't need. This can help mitigate against being attacked. For example: NetBIOS-NS and SMB. PSK for wireless is not good enough: PSK networks be cracked off-site (once a handshake has been captured, which can take seconds) but also there are key distribution and key management issues. Also consider administrator login details for each AP, this has to do with default passwords. You should look in to deploying 802.1X which utilises client-side digital certificates and active directory authentication. You should have a plan for protecting against stolen or infected end-user devices and you should have a plan for access revocation. Proper Mobile Device Management: Remote erase, a secure pin number and encryption-at-rest are essential. Your company policy will give you the specifics of whether fingerprint access is acceptable, but you should accept that devices will be lost and stolen. The data on the device should be protected as should the access the device has in to your internal network – such as VPNs. Encrypt the data on the device so that it cannot be accessed or modified; enable remote wipe which may help with damage limitation; have the ability to be able to revoke a devices access to the VPN. This is all part of proper MDM. Restrict User Input: If you’re writing a web application then contextually filter user input through a white-listing approach to match each expected input – e.g if you're asking for a postcode does the input look like a number? Does it limit the inout to 4 characters long? Restrict User Access: Network Access Control applies to both wireless and wired networks and should be rigorous. Don’t restrict access based on something public and easily forged such as MAC addresses but instead utilise something like client-side certificates or active directory integration to determine whether machines should be allowed access. For web applications and external infrastructure restrict access to administrative interfaces to administrative machines only. Weak Encryption will be Broken: There’s a lot more to cryptography that just what encryption algorithm you’re using. With implementation issues, algorithm issues, hashing issues, padding issues, PRNG issues. There’s a lot of complexity and a lot that can go wrong, on top of this clients seem to take ages to fix default support for weak encryption. Get rid of old and weak ciphers quickly and remove broken ciphers immediately. Try to keep a real world understanding of the risks of each attack and new weakness, and how bad the issues are. Some issues are minor, whereas attacks like RC4 NOMORE are a big deal. Trust but Verify: Test your systems. It doesn't matter how great you think the level of your security is, test your systems, and test them manually. We believe human driven testing far beats automated testing. Before attackers come, have a plan to response: If a company is not adequately prepared for the efficient handling of an incident then a time of tension becomes one of crisis. Having procedures, and plans for when an attack comes is essential. This is the same as going to war, it just happens to be with the use of computers. Would you go into a war unprepared? "Appear weak when you are strong, and strong when you are weak" - Sun Tzu, The Art of War With the constant threat of Cyber Attacks against businesses. Being a Business owner can make you fearful of being attacked when you are a technical person, let alone when you're not a technical person. Now let's say that business owner comes to a company like ours because they need security services, and is not a technical person, they always want to know what services are best for their business, and this can be confusing, especially to a non-technical person about what each service is, let alone how it will help their business. In this post we will talk about Small, Medium, and Large Businesses and which services we would generally recommend to each business type.
Small Business: Small Businesses we will assume as 1-10 employees that work in a fairly small office, with a single WiFi connection, and an externally hosted website, meaning not on a server owned, and maintained by the business. Although an attacker gaining access to the website would not pose a threat to a companies server (Because there is no server), the website could still contain sensitive information. Because of this we would always recommend having your companies website tested, no matter the size of your business. However if you have a small business like described, this is usually the extent of External Penetration Testing needed. The other testing Small Businesses mainly need is Internal Penetration Testing and a WiFi Auditing. The Internal Testing involves checking local machines for viruses, malware, checking for open ports that could pose a threat. Medium Businesses: Medium Businesses we will assume to be similar to Small Businesses except with more people, more internal threats, and now the business will more likely than not host their own website, and have their own server(s). Therefore the need for external Penetration Testing has increased, and we would recommend it for externally facing hosts. On top of this we would still recommend Internal Testing, and WiFi Auditing. Large Businesses: Of course Large Businesses can benefit from all of our services; however, for large businesses it is a matter of prioritising what services are needed, and where they are most needed. Your company might have hundreds of public IP addresses, and therefore, it is necessary to work out what is it that is posing the highest risk to your organisation. For example being a bank, your main website is going to be where you need to put the most amount of focus. As that is where clients are going to log in, to do any transactions they might want to do. On a side note, all businesses should also consider Social Engineering as a service, this can be a service that can affect all businesses small or large, and help people be alert, if anyone through either a phone call or an email, can extract important information from an organisation. In summary, small businesses should focus mainly on their internal systems and their website, medium businesses should do the same but prioritise their externally facing server(s), if they have them, and large businesses should work to secure their assets both internally and externally, focusing on their most vulnerable areas, and what is going to cause the biggest loss to the organisation in the event it is leaked to an attacker. Please be aware there is a Samba remote code execution vulnerability that has been published today in Metasploit and mass exploitation is likely to follow or be used to self-propagate in the form of a worm.
The vulnerability affects all versions of Samba over the past 7 years, the open source Unix/Linux implementation of the Microsoft File and Print Sharing service, and a patch was released yesterday. The vulnerability is triggered by connecting to a writeable file share (it can be abused as an anonymous user or with credentials) then uploading a Unix .so shared object file which is then executed on the server. Many Linux and Unix based operating systems are vulnerable, as are products like NAS (Network Attached Storage) file servers such as Synology, mediacentres and modems etc. CVE-2017-7494 has been assigned to this issue and reports indicate over 100,000 internet accessible systems are currently vulnerable. If you are unable to patch immediately, the vulnerable feature can be disabled by setting the 'nt pipe support = no' directive within the /etc/samba/smb.conf file and restarting the service. The words ‘Security’ and ‘Cheap’ often instantly arouse suspicion. It will quickly make people question if the product/service being advertised really will secure their assets, as needed. This article however, is not trying to necessarily sell any product, but more just to give advice on what companies can do to mitigate threats to their organisation no matter their financial state.
User Level Security: For years good practices have been talked about and encouraged in organisations; however, in reality people still don’t follow these recommendations. The best example of this is passwords. Passwords are difficult enough to remember when they’re just a passphrase with a 1 on the end, so when it comes to a random series of different numbers, letters, upper and lower-case characters, it becomes almost impossible to remember. So what is the next logical solution? To write the password down on a sticky note on your computer. All this has done is changed the threat from IT Security to Physical Security. The recommendation for this would be a password vault stored on the user’s computer such as LastPass or KeePass, so that you can store passwords without having to write them down. Be careful to keep an eye out for the latest threats to these programs, and keep them regularly updated, to minimise threats. Hire a Professional: This immediately sounds expensive, as industry rates can range from $2000 - $4000 per day. But keep an eye out as there are other companies around that offer competitive rates to this, and still offer a quality service. Using existing IT Staff to look for issues is not as ideal as hiring a Security Expert, but it is definitely not a bad idea. Asking IT Staff to keep systems updated, to shutdown unused ports, and to monitor traffic are all good methods of this. Software: Not all good software is expensive. In fact a lot of good open-source security tools can be found online, and installed on a variety of operating systems. If Linux is not an issue to use Kali Linux by Offensive Security, and the Security Onion are great Linux distributions, containing collections of useful open-source security software. Kali Linux comes with lots of software geared at testing security by attempting to break it, while the Security Onion comes with software geared at monitoring and detecting such behaviour. These are just some of the ways you can mitigate threats to your organisation, no matter the size or the budget. Security is not for the rich, it’s for whoever desires it, and is willing to take steps to improve the security for themselves, or for their organisation. Oracle / BEA WebLogic HTTP web servers will respond to client requests with a Server HTTP header which reveals the version running which may aid an attacker in using targeted exploits.
To hide the version number, modify the configuration XML file such as config.xml and set the directive ‘ServerSignature’ to ‘Off’. By default the Play! Framework web service will disclose the version number used which can aid an attacker in conducting targeted attacks using known vulnerabilities.
To hide the version number, modify the conf/application.conf file and set the directive http.exposePlayServer to equal ‘false’. The HTTP Strict-Transport-Security standard (HSTS) is a HTTP server header sent by SSL/TLS enabled websites to prevent communication over HTTP in order to protect content and authentication cookies from interception or alteration.
To enable this header on the nginx web server, modify the nginx.conf file. Within the server block, find and edit the location block and set the "add_header" directive with a value of e.g. Strict-Transport-Security "max-age=31536000"; (for 365 days). E.g: server { location / { add_header Strict-Transport-Security "max-age=31536000"; } } Dear clients,
This is a quick email to alert you about a newly disclosed vulnerability that affects all Microsoft operating systems from Windows 7 to Server 2016. The vulnerability is present within the Malware Protection engine that runs as the SYSTEM superuser. The detailed vulnerability report by the Google Security team is now public with proof of concept code. To summarise, the vulnerability results in remote code execution and can be triggered on any system which scans a vulnerability triggering text string or file. Exploitation scenarios include:
Ensure the Microsoft Malware Protection Engine is able to receive the latest updates and threat definitions to resolve this issue. It is also worth mentioning that another Microsoft vulnerability has been found by the Google Security team which has not yet been made public or patched. The issue is rumoured to affect all versions of Microsoft Windows and is remotely exploitable and wormable and may affect the TCP/IP implementation which would also bypass the Windows firewall. We will send another alert when details become public. Dear clients,
We trust you had a relaxing Easter long weekend. We wanted to let you know that over the break the NSA exploit toolkit for Microsoft was published online which included zero day remote code execution exploits for all modern Microsoft operating systems and popular products. You can read more about the response and Microsoft Security Updates here: https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/ Please note that some remote exploits are not patched by Microsoft, as they affect discontinued products and will remain vulnerable. An excerpt of the dump includes the following attacks:
Alternatively if you'd like to consider our Monthly Managed Penetration Testing Service, we can check vulnerable systems for you. Many of you would have seen our anti-malware solution test website known as WICAR (think EICAR AV Test File, but for web based attacks). This is just a quick email to let you know we now have SSL enabled for our test malware attacks, so not only can you test your firewall, IDS/IPS, proxies, content filtering and desktop antivirus, but you can also check if you are protected against payloads delivered over HTTP/S or verify your SSL-inspection products are working.
Simply open the Test Malware page and click the [SSL] hyperlink to conduct the test over SSL to ensure your organisation is adequately protected (most attacks today are delivered over SSL to get around proxy inspection). Juniper have just released a product security alert regarding their NetScreen / ScreenOS devices. During an audit, it was discovered that their source code was compromised and an unknown attacker planted a backdoor within the firewall code.
The backdoor permitted: 1. Unauthenticated remote administrative access over SSH or telnet. 2. IPSec VPN traffic decryption (possibly by leaking private keys to the attacker). Detailed information can be found in JSA10713. Am I vulnerable? The ScreenOS firmware was compromised in August 2012. Only ScreenOS versions 6.2.0r15 to 6.2.0r18, and 6.3.0r12 to 6.3.0r20 are known to contain the backdoor. If you are running a version number below this release, earlier than August 2012, then your network should be secure. Juniper recommends that anyone using these firmware versions should upgrade immediately. Fixes are included in: 6.3.0r12b, 6.3.0r13b, 6.3.0r14b, 6.3.0r15b, 6.3.0r16b, 6.3.0r17b, 6.3.0r18b, 6.3.0r19b CVE-2015-7755 has been assigned for this issue. This is a timely reminder to employ "defence in depth" techniques, such as installing layered firewalls from different vendors, to protect your internal assets in the event one is defeated. Have a safe and relaxing holiday season, To test a HTTP/S server for weak Diffie-Hellman (DH) SSL / TLS ciphers, you may use the following command (Linux):
$ openssl s_client -connect [target]:443 -cipher "EDH" EDH requires use of weak DH keys. If it connects, you may GET / HTTP/1.0 to confirm. A secure host should not connect, e.g. $ openssl s_client -connect www.gmail.com:443 -cipher "EDH" CONNECTED(00000003) 139671352862352:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770: https://weakdh.org/ This is a quick email to bring your attention to a recently publicised OpenSSL security vulnerability known as "Heartbleed". The Common Vulnerabilities and Exposures list has assigned CVE-2014-0160 for this issue.
The vulnerability is currently being exploited in the wild on a small scale. The vulnerability is a memory disclosure bug. That is, a malicious user can send a trigger packet to an HTTPS service with a vulnerable OpenSSL instance, and the server will respond with the raw memory contents of the HTTP server (such as Apache) or OpenSSL. Examples include:
Am I vulnerable? Only OpenSSL versions 1.0.1, 1.0.1a through to 1.0.1f are vulnerable. Version 1.0.1 was released March 2012. Version 1.0.1g was released today and is immune (many distributions have not yet released updates, but they should become available within 24 hours). Versions prior to 1.0.1, such as 1.0.0 and the 0.9.x variants do not include this specific vulnerability. You can check what version you have by running openssl with the version switch: # openssl version OpenSSL 1.0.1f 6 Jan 2014 (vulnerable) This bug is specific to OpenSSL only. Microsoft products may not be affected, however Windows products which utilise OpenSSL may be affected. Most Linux and unix variants utilise OpenSSL. It is worth determining what risks this presents to your organisation. As the private key can be compromised and traffic decrypted, consider whether a new private key should be issued and signed by CA (once the server has been patched). Introduction
Often you will find yourself in a situation where you can upload arbitrary content to a web server. If the webserver accepts dynamic content (e.g. ASP, PHP, EXE, PL, etc) then you may want to upload a "backdoor shell" to provide a web based GUI for the command line. Method Examples include;
Recommendation None - however keep in mind the following: 1) The backdoor shell may be trojaned. Read the code FIRST! 2) Don't leave it there for too long, as someone else may find it or worse - Google may index it! Introduction:
At some point you may be required to audit the configuration of a SonicWALL device. If you have physical/admin access to the management interface, then this is probably the easiest method - drill down every option and check for misconfiguration. If not, obtain a configuration export file (file name is generally 'sonicwall-name-date.exp') such as sonicwall-SydneyDC-20100607.exp. You will notice the file is a single line of Base64 encoding. Method: Either use software such as nipper (a tool to automatically decode multi-vendor firewall, router, switch etc.. configurations then analyse the settings and make recommendations in a pretty report) or Base64 decode it yourself and read the variables. Linux: 'base64 -d file' Windows (if you have ActiveState Perl): 'c:\bin\decode-base64.bat file' Recommendation: Often issues such as SSH v1 and SNMP will be present. Also check the firmware as SonicWALL is notorious for format string bugs. Over the past 6 months, a new rootkit known as Max++, ZeroAccess, Sirefef (and others) has been impacting a significant number of businesses and home users.
Recently, OSI Security responded to a client affected by this malware:
To fix this issue, the TCP/IP stack needs to be working (check Device Management, Hidden Devices and TCP/IP may have the yellow exclamation mark if the device is not working). In our situtation, TCP/IP would not start because a group dependency failed. The IPSEC Service wouldn't start, and a check of the system32\drivers directory showed ipsec.sys driver was missing. To fix, get the ipsec.sy_ (cab) file from the Windows CD-ROM in the i386 directory and extract it to C:\Windows\system32\drivers\ipsec.sys. For example, go to Start -> Run -> cmd.exe, then in the command prompt type (assuming D:\ is your Windows install CD). extract d:\i386\ipsec.sy_ c:\Windows\system32\drivers\ipsec.sys If the above command worked as expected, you should now be able to go to Services (services.msc) and start the IPSEC Service. If it started as hoped, you should now reboot and find that the issue with ipconfig / the network adapter not being able to obtain an IP address is now resolved. If not, consider doing the same extract for tcpip.sy_ and doing a 'netsh ip reset all' and 'netsh winsock reset catalog' then rebooting. Once we resolved this matter, we encountered another issue:
This occurs because the Microsoft Windows TCP/IP stack or Winsock API is corrupted. Specifically, the nslookup tool works because it is sending DNS lookup information directly across the wire, whereas everything else uses the Windows host operating system's Winsock gethostbyname() API which is broken. To fix, firstly reboot into the Microsoft Windows Recovery Console, then (where D:\ is the Windows install CD-ROM); expand D:\i386\dnsapi.dl_ C:\Windows\system32\dnsapi.dll expand D:\i386\dnsrslvr.dl_ C:\Windows\system32\dnsrslvr.dll Reboot and you should find that nslookup, ping, Internet Explorer etc is now functioning as expected. Note 1: Under normal Windows, the command is 'extract' to extract a CAB file (the .sy_ or .dl_ files). Under the Recovery Console, the command is 'expand'. Using either is fine for ipsec, tcpip, dnsapi, dnsrslvr files however you will likely find using 'extract' is denied as the destination file is in use by Windows and cannot be replaced - thus, you may wish to use the Recovery Console and 'expand' for all 4 files to avoid the file in use / access denied message. Note 2: We observed other users with similar issues i.e. nslookup works but ping does not. The above dnsapi.dll and dnsrslvr.dll replacement should in theory resolve the issue, irrespective of presence of any malware. Worth trying.. Good luck! Introduction
Visit www.openspf.org for more information on this technology. Method It is held within a TXT record for the domain. You can query this with the host command under Linux/POSIX. $ host -t txt [victim].com [victim].com descriptive text "v=spf1 a mx include:[victim].com" Recommendation Consider adding SPF records to allow MX records to send email. SPF helps prevent forging of the FROM address on the receiver end. Customer MTAs which support SPF will reject fraudulent emails because the SPF record will not match the spammers IP source addresses when forging @[victim].com FROM addresses. Maltego is an open source intelligence and forensics application. It will offer you timous mining and gathering of information as well as the representation of this information in a easy to understand format. Coupled with its graphing libraries, Maltego allows you to identify key relationships between information and identify previously unknown relationships between them.
It can be utilised in searching for the following (entities): * Autonomous System Number * DNS Name * Domain * Email Address * IP Address * Location * MX Record * NS Record * Netblock * Person * Phone Number * Phrase * URL * Website It is offered in 2 editions which are Commercial edition and Community edition. Community edition can be downloaded from the following link: http://www.paterva.com/web4/index.php/client/community-edition It is also available as a built in tool with the current backtrack editions. The following link describes in detail the process of finding information about people and organisations using Maltego in 2 parts. http://www.ethicalhacker.net/content/view/202/24/ Recently, a client of ours requested some information regarding security considerations should a corporation permit employees to use social media such as Facebook, YouTube, Twitter and other sites.
It is a common problem. There are a few issues here which need to be considered; 1) Yes there are cross-site scripting issues with the websites. But the vulnerabilities are in the websites themselves, so youtube.com, facebook.com and twitter.com are managed by internal staff - if they are vulnerable then everybody is. It is really out of your control. The worms use to propagate, such as the recent Facebook worm which was posting adult images, abuse the [zero-day] vulnerability in the website... eventually the sysadmins discover the worm and close the gap. 2) The web browsers also play a part in exploitability. Internet Explorer 8+ has some mitigations for XSS. Chrome and Firefox also have some anti-XSS measures, but still lack complete protection. NoScript add-ons can be used for Firefox and Chrome to further mitigate attacks. Earlier browsers such as IE6 and older releases of Firefox interpret HTML and JavaScript differently, as well as Content-Type / Content-Disposition which may make a user of IE6 vulnerable to a facebook worm but not say IE7. So up-to-date SOE browsers are a good idea depending on what your patching is like. 3) When using XSS attacks the attacker or worm often needs a location to store their malicious JavaScript. NoScript will deny external locations unless explicitly permitted. But regardless, attackers sometimes use what would be considered trusted websites... so it is possible for someone to obtain a Google Sites account, upload JavaScript, then the browser will fetch the content from *.google.com ... instead of a suspect .cn domain etc. 4) There is the crossdomain.xml policy - http://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html. This is dependent on the website. 5) Researchers occasionally uncover browser vulnerabilities which breach the internal browser cross-domain security policy... so the result may be a vulnerability despite proactive protections and hardened configuration. 6) Antivirus vendors such as TrendMicro provide browser add-ons which check and report all URLs accessed by clients world-wide. The Trend Micro Threat Intelligence cloud and other reputable AV companies will notice the worm after a handful of end-users report the malicious action of a site. In this case, a few users will be infected but after the cloud picks up on this, the URL will be blacklisted globally until the threat is eliminated, thus protecting end-users providing you're not the first few visitors to be infected. 7) Obviously if you have a HTTP AV / Content Filter proxy then this may detect some worms. So to summarise, there are many different preventative measures you can take to avoid infection. Implementing all of the above may significantly reduce your risk, but after all is said and done, if the youtube.com / facebook.com / twitter.com domains are vulnerable, you are waiting on them to provide a fix. If there is a known, unpatched worm spreading and the media has alerted users like the recent facebook adult photos and dead animals worm, you could temporarily ban access to those sites on the firewall until the worm is cleared to try and protect staff. Another matter worth considering is whether there is a risk of staff seeing objectionable material such as pornography from the worm and the staff going on stress leave, workers compensation or suing for psychological damages etc etc. Some organisations try to minimise law suits by implementing strict policies about what to do when someone sends you pornographic material and you unexpectedly open it. There is paper work to complete including who sent the email (they are permanently added to a blacklist), listing all who received the email, any 3rd parties that saw it on your screen, ensuring that email archive / data backup staff store the offending email if needed for court on tape, and email admin staff forcibly deleting copies from staff inboxes by conducting email audits. Hopefully this gives you some insight into corporate considerations prior to blanket access of social media websites for staff. Introduction
The web server has directory listings enabled, which may reveal folder contents that might otherwise be hidden from an attacker looking for sensitive information, Example URLs:
Recommendation: Modify the apache2.conf file and set the folder “Options” directive to -Indexes, so that directory indexing is disabled and restart the service. Risk: Low. Introduction
By default BIND DNS reveals the version number when queried for a certain TXT record. Command # dig chaos txt version.bind @ns.[target].com Result An example is below: ; <<>> DiG 9.7.1-P2 <<>> chaos txt version.bind @ns.[target].com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18628 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;version.bind. CH TXT ;; ANSWER SECTION: version.bind. 0 CH TXT "9.3.6-P1-RedHat-9.3.6-4.P1.el5" ;; AUTHORITY SECTION: version.bind. 0 CH NS version.bind. ;; Query time: 329 msec ;; SERVER: [ip]#53([ip]) ;; WHEN: Sat Aug 21 03:55:28 2010 ;; MSG SIZE rcvd: 87 Recommendation Using the 'version' directive in the 'options' section will block the 'version.bind' query - usually in /etc/named.conf. The server is running the PHP programming language which is configured to expose details about the target host. This information may be useful to an attacker in determining the software versions installed.
Example HTTP response header:
Recommendation: Modify the php.ini file and set the directive 'expose_php' to 'Off' and restart the service. Risk: Low. Introduction
WordPress versions equal or greater than v2.5 use a salted hash to prevent Rainbow Table attacks, based on the work by Solar Designer. Previous releases (v2.4 and below) use an MD5 unsalted hash. To verify a salted hash is used, you can check the contents of the wp-includes\class-phpass.php file. The hash is stored in the MySQL database, inside the wp_users table. If you're able to crack the hash, then you can simply log in to the /wp-admin/ page with the correct password and administer the website. Alternatively, it is common to discover that people re-use passwords in other locations, so the plain-text password may be used for the cPanel installation or the MySQL database root user. Technique There are a few tools out there which support PHPass salt and hash. One example is hashcat, which can be downloaded from http://hashcat.net/hashcat/. The software comes pre-compiled, with versions for both 32bit and amd64 architectures, and Windows and Linux binaries. There is also the optional GUI which can be downloaded from http://hashcat.net/hashcat-gui/ In our example, we are running a Linux operating system. So lets say you've managed to recover the admin hash from the wp_users table, which in our example is: $P$BNCFzhkOgblRnMahSc8aRW.2O2oCYZ0 Create an empty text file and paste the hash into the document and save the file as 'hash.txt'. Next, run hashcat with '-m 400' which is the PHPass / WordPress cipher mode and provide a suitable dictionary file. Note: the .bin extension is for Linux operating system. Use the .exe files for execution under Windows. $ ./hashcat-cli64.bin -m 400 hash.txt /usr/share/dict/cracklib-small Initializing hashcat v0.43 by atom with 8 threads and 32mb segment-size... Added hashes from file hash.txt: 1 (1 salts) Activating quick-digest mode for single-hash with salt NOTE: press enter for status-screen $P$BNCFzhkOgblRnMahSc8aRW.2O2oCYZ0:aaron All hashes have been recovered The example hash password is 'aaron' – we can then login to /wp-admin/ as 'admin' with password 'aaron' It is worth noting that hashcat supports dictionary, bruteforce, hybrid and other modes. Use the '--help' switch for further information. |
Archives
September 2017
Categories
All
|
|
|