Yara Rule For CVE-2010-0886 & CVE-2010-0887

Posted: April 21st, 2010 | Filed under: IT Related
rule JavaDeploymentToolkit
{
   meta:
      ref = "CVE-2010-0887"
      impact = 7
   strings:
      // CLSID of the Java Deployment Toolkit ActiveX control
      $cve20100887_1 = "CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA" nocase fullword
      // DOM calls typically used to create the control from script
      $cve20100887_2 = "document.createElement(\"OBJECT\")" nocase fullword
      // MIME types under which the toolkit plugin is registered
      $cve20100887_3 = "application/npruntime-scriptable-plugin;deploymenttoolkit" nocase fullword
      $cve20100887_4 = "application/java-deployment-toolkit" nocase fullword
      // No fullword here: the byte after "(" is normally the object name,
      // and fullword would reject "appendChild(obj" as not word-delimited
      $cve20100887_5 = "document.body.appendChild(" nocase
      // Call to the toolkit's launch() method (dot escaped so "xlaunch(" is not matched)
      $cve20100887_6 = /\.launch\(.*?\)/
      // -J switches passed through to the Java launcher
      $cve20100887_7 = "-J-jar -J" nocase fullword
   condition:
      3 of them
}

Java 0day

Posted: April 20th, 2010 | Filed under: IT Related

I played around with the Java Deployment Toolkit exploit last week and found that the exploit is damn easy to trigger, but mitigation is a bit tricky (for Firefox especially, if you have multiple versions of Java installed).

Anyway, the patch has been released and people don't have to worry much about this anymore.

I've written a short analysis of the exploit (sample taken from the wild), soon to be published on the Lebahnet Blog (pending review). I've also written a Yara rule to detect this exploit, and it can be used with Jsunpack for automated analysis 🙂 owh.. I'll publish the rule soon 😉

Many people are talking about this exploit, including this blog. By the time I read through the content, I found that they had published non-valid code (maybe due to improper de-obfuscation or an error during copy and paste for the entry). I left 2 comments correcting 2 lines of code in the entry. They made the changes but deleted my comments (poor me, no credit :P)

Insyaallah I'll publish the Yara rule by tomorrow 🙂


OWASP Top 10 for 2010

Posted: April 19th, 2010 | Filed under: IT Related

On April 19, 2010 we released the final version of the OWASP Top 10 for 2010. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009.

Click here to download the OWASP Top 10 – 2010

The OWASP Top 10 Web Application Security Risks for 2010 are:

* A1: Injection
* A2: Cross-Site Scripting (XSS)
* A3: Broken Authentication and Session Management
* A4: Insecure Direct Object References
* A5: Cross-Site Request Forgery (CSRF)
* A6: Security Misconfiguration
* A7: Insecure Cryptographic Storage
* A8: Failure to Restrict URL Access
* A9: Insufficient Transport Layer Protection
* A10: Unvalidated Redirects and Forwards

Please help us make sure every developer in the ENTIRE WORLD knows about the OWASP Top 10 by helping to spread the word!!!

[Source: OWASP]


Yara Rule For CVE-2010-0805

Posted: April 6th, 2010 | Filed under: IT Related

Internet Explorer Tabular Data Control ActiveX Memory Corruption (CVE-2010-0805) has been ported to Metasploit, so I decided to release the detection rule for Yara.

rule MSIETabularActivex
{
        meta:
                ref = "CVE-2010-0805"
                impact = 7
                hide = true
        strings:
                // CLSID of the Tabular Data Control (tdc.ocx)
                $cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
                // DataURL property of the control
                $cve20100805_2 = "DataURL" nocase fullword
                // Remote URL supplied as a parameter value
                $cve20100805_3 = /value="http:\/\/[^"]*"/ nocase fullword
        condition:
                // "all of them" already implies the first clause; it is kept so
                // that $cve20100805_2 stays referenced (YARA rejects unused strings)
                ($cve20100805_1 and $cve20100805_3) or (all of them)
}

Credit:

  1. ZSploit.com
  2. Metasploit
  3. @d3t0n4t0r
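As an added illustration that is not part of either post, the following Python models the `nocase` and `fullword` modifiers and the conditions of the CVE-2010-0887 and CVE-2010-0805 rules above and runs them over constructed fixtures; it shows that YARA's `fullword` also checks the byte after a match, so a string ending in `(` silently misses `appendChild(o)`. It is a teaching model, not a YARA implementation; test real rules with yara-python or the yara CLI.

```python
import re

def text_pattern(literal, nocase=False, fullword=False):
    """Regex equivalent of a YARA text string with nocase/fullword modifiers."""
    pat = re.escape(literal)
    if fullword:
        # YARA fullword: the bytes just before and after the match must not be
        # alphanumeric, regardless of what the pattern itself ends with.
        pat = r"(?<![0-9A-Za-z])" + pat + r"(?![0-9A-Za-z])"
    return re.compile(pat, re.IGNORECASE if nocase else 0)

def matched_strings(patterns, data):
    """Names of the strings (in rule order) that occur at least once in data."""
    return [name for name, rx in patterns.items() if rx.search(data)]

def jdt_strings(append_fullword=True):
    """Strings of the CVE-2010-0887 rule; $5 carries fullword as originally posted."""
    return {
        "clsid": text_pattern("CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA", True, True),
        "createobj": text_pattern('document.createElement("OBJECT")', True, True),
        "mime_npapi": text_pattern(
            "application/npruntime-scriptable-plugin;deploymenttoolkit", True, True),
        "mime_jdt": text_pattern("application/java-deployment-toolkit", True, True),
        "append": text_pattern("document.body.appendChild(", True, append_fullword),
        "launch": re.compile(r"\.launch\(.*?\)"),
        "jjar": text_pattern("-J-jar -J", True, True),
    }

def jdt_rule_matches(data, append_fullword=True):
    """Condition of the rule: 3 of them."""
    return len(matched_strings(jdt_strings(append_fullword), data)) >= 3

TDC = {  # strings of the CVE-2010-0805 rule
    "clsid": text_pattern("333C7BC4-460F-11D0-BC04-0080C7055A83", True, True),
    "dataurl": text_pattern("DataURL", True, True),
    "value": re.compile(r'(?<![0-9A-Za-z])value="http://[^"]*"', re.IGNORECASE),
}

def tdc_rule_matches(data):
    """Condition of the rule: the CLSID together with a remote value="http://..."."""
    hits = matched_strings(TDC, data)
    return "clsid" in hits and "value" in hits

# Constructed fixtures, not real samples. JDT_PAGE carries three of the Java rule's
# strings, but appendChild(o) is followed by a letter, so with fullword on $5 only two count.
JDT_PAGE = ('var o = document.createElement("OBJECT"); o.classid = '
            '"clsid:CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; document.body.appendChild(o);')
TDC_PAGE = ('<object classid="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83">'
            '<param name="DataURL" value="http://example.invalid/t.txt"></object>')
```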

Using AlienVault NVT Feed with Nessus 4 on Mac

Posted: March 21st, 2010 | Filed under: IT Related

Here is my simple howto and modified AlienVault NVT sync script, to be used with Nessus 4 on Mac OS.

First things first, you need to have Nessus and MacPorts installed.

Then install the md5sha1sum package (the script checks for md5sum, which MacPorts provides through this package):

sudo port install md5sha1sum

Use the following modified script and let it automagically fetch the NVT feed for you:

#!/bin/bash
#
# OpenVAS
# Description: Synchronize with the NVT feed.
# This shell script synchronizes the local set of
# OpenVAS Network Vulnerability Tests (NVTs) and
# associated include files with a given upstream
# feed of updated or new files.
#
# Authors:
# Lukas Grunwald <l.grunwald@dn-systems.de>
# Jan-Oliver Wagner <jan-oliver.wagner@intevation.de>
# xanda <adnanDOTshukorATgmailDOTcom>
#
# Copyright DN-Systems Enterprise Internet Solutions GmbH 2007
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Slight modifications, 2008/07 AlienVault VRT - code@alienvault.com
# Slight modifications, 2008/08 Vlatko Kosturjak Kost <kostATlinuxDOThr>
# Slight modifications, 2010/03 xanda - adnanDOTshukorATgmailDOTcom


SCANNER="$1"

# Only the Nessus plugin layout is supported by this version of the script
if [ "$SCANNER" != "nessus" ]
then
    echo "Usage: $0 nessus"
    exit 1
fi

# Plugin dir (can be overridden by setting NVT_DIR in the environment)
if [ -z "$NVT_DIR" ]; then
       if [ "$SCANNER" = "nessus" ]; then
               NVT_DIR="/Library/Nessus/run/lib/nessus/plugins"
       fi
fi

# The URL of the plugin feed
FEED=rsync://feed.alienvault.com:/nvt-feed

# Locate a command in the usual system, Fink (/sw) and MacPorts (/opt/local) paths
findcmd()
{
  CMD=$1

SRCH=/usr/bin:/usr/ucb:/usr/sbin:/sw/bin:/sbin:/usr/local/bin:/usr/local/sbin:/opt/local/bin:/opt/local/sbin
  SAVEIFS=$IFS
  IFS=:
  set $SRCH
  IFS=$SAVEIFS
  for dir
    do
      [ -x "$dir/$CMD" ] && {
                echo "$dir/$CMD"
                return
                }
   done
}

chk_system_tools(){
echo "Searching for required system tools ..."

RSYNC=`findcmd rsync`
MD5SUM=`findcmd md5sum`   # provided on Mac OS by the md5sha1sum MacPorts package

if [ -z "$RSYNC" ]; then
  echo "Error: RSYNC not found"
  exit 1
fi

if [ -z "$MD5SUM" ]; then
  echo "Error: MD5SUM not found"
  exit 1
fi
}

sync_nvts (){
  echo "Synchronizing NVTs via RSYNC ..."

  mkdir -p "$NVT_DIR"
  # Use the rsync binary located above and report failure instead of
  # claiming success when the transfer fails
  if ! "$RSYNC" -av --progress "$FEED" "$NVT_DIR"; then
    echo "Error: synchronization failed"
    exit 1
  fi

  echo "Synchronization successful."
}

echo "AlienVault NVT Feed Sync"
echo " "
echo "Configured Scanner: $SCANNER"
echo "Configured NVT Feed: $FEED"
echo "Synchronized into: $NVT_DIR"
echo " "
echo " "

chk_system_tools
sync_nvts

echo " "
echo " "
echo "Please restart your scanner daemon"

Save the script as alienvault-nvt-feed.sh and make it executable:

chmod +x alienvault-nvt-feed.sh

Make sure you stop the Nessus server first before running the script!

sudo ./alienvault-nvt-feed.sh nessus

Enjoy! 😉