VLC Media Player 0.8.6e is available and resolves multiple security vulnerabilities.
Security Advisory 0801
Summary : Format string vulnerability in the Web interface
Stack-based buffer overflow in the Subtitles demuxer
String buffer overflows in the Real RTSP demuxer
CVE references : CVE-2007-6681, CVE-2007-6682, CVE-2008-0295, CVE-2008-0296
Security Advisory 0802
Summary : Arbitrary memory overwrite in the MP4 demuxer
CVE reference : CVE-2008-0984
Security Advisory 0803
Summary : Arbitrary file overwrite and other abuses through the M3U parser and browser plugins
CVE reference :
I’ve seen VLC showing up in the vulnerability scans more at work. People install it because it supports a wide variety of multimedia formats. One more non-standard app to get patched.
Archive for February 2008
VLC Media Player Update
Hard Disk Encryption – Not Dead Yet
Last week, some Princeton researchers demonstrated a technique for recovering cryptographic keys from RAM.
The typical security hype cycle then followed: an article from SANS, “In Memory of Hard Disk Encryption?”, then the usual computer trade mags, and ultimately an AP story, “Blast of cold air can open computer to hackers.”
That latter article began “Want to break into a computer’s encrypted hard drive? Just blast the machine’s memory chip with a burst of cold air.” Gee that sounds really about as easy as opening a Kensington lock. I can just imagine the bulletins sent out by corporate security departments all over the country.
“If approached by Jack Frost, do not let him spray your computer with cold air. Flee and notify your IT Security Department as soon as possible.”
The truth is a little less dire. Yes, data remains in RAM longer than you’d expect: seconds to a minute or two at room temperature after power is removed. Yes, cold air slows the decay and stretches that window. But in practice this means an attacker has to get physical access to your computer while it is running or within moments of it being turned off, and then boot it (or the chilled memory modules) into their own imaging tool before the keys fade.
Here’s what I think is important:
1. Users should never use standby unless they are aware that their data is at risk. Personally I advised that before this came out. So this is nothing new.
2. The system is vulnerable when it’s online but screen locked. Again, I don’t think this is new.
3. When you turn your computer off, wait two minutes before you let someone plug in an unknown USB device or spray down the RAM with compressed air. Duh.
Non-technical people read these articles and they think the pain of full disk encryption wasn’t worth it. Anytime a bad guy has physical access to the computer, you’ve got a problem. It seems that this attack works best in the lab and can be defeated with a few steps that you should be following anyway.
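To make the “keys in RAM” part concrete, here is an added example (not the Princeton team’s code) of the key-finding step their attack relies on. AES implementations keep the expanded key schedule (176 bytes for AES-128) in memory next to the key, and every word of that schedule is a fixed function of the 16-byte key. So a scanner can treat each 16-byte window of a memory image as a candidate key, expand it, and check whether the next 160 bytes match, tolerating a few decayed bits. The memory image, the key offset and the flipped bits below are all constructed for the demo.

```python
"""Locate AES-128 key schedules in a memory image (added example, not the
Princeton team's tool).  The image, key placement and decayed bits are
constructed; the S-box and key expansion follow FIPS-197."""
import random


def _build_sbox():
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map)."""
    def rotl(v, n):
        return ((v << n) | (v >> (8 - n))) & 0xFF

    sbox = [0] * 256
    p = q = 1
    while True:
        # p walks the field as successive powers of 3; q tracks 1/p
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for AES-128: 16-byte key -> 176-byte schedule."""
    w = list(key)
    rcon = 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord followed by SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ 0x11B) & 0xFF if rcon & 0x80 else rcon << 1
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return bytes(w)


def _bit_errors(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image: bytes, max_bit_errors: int = 64):
    """Return (offset, key, bit_errors) for every 16-byte window whose expansion
    matches the 160 bytes after it, allowing up to max_bit_errors flipped bits
    (64 of 1280 is 5%; a random window mismatches in roughly 640 bits)."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        derived = expand_key(cand)[16:]
        errs = _bit_errors(derived, image[off + 16:off + 176])
        if errs <= max_bit_errors:
            hits.append((off, cand, errs))
    return hits


def demo_image(seed=1, key=bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"),
               offset=700, flips=(20, 310, 777, 1200)):
    """Constructed 2 KiB 'RAM' sample: random bytes with a key schedule at
    `offset`, then a few bits of the derived words flipped to mimic decay."""
    rng = random.Random(seed)
    img = bytearray(rng.getrandbits(8) for _ in range(2048))
    img[offset:offset + 176] = expand_key(key)
    for bit in flips:                      # bit index within the 160 derived bytes
        img[offset + 16 + bit // 8] ^= 1 << (bit % 8)
    return bytes(img)


if __name__ == "__main__":
    for off, key, errs in find_aes128_keys(demo_image()):
        print(f"key schedule at offset {off}: key={key.hex()} ({errs} decayed bits)")
```

This simplified scanner only tolerates decay in the derived words; if a bit inside the 16 key bytes themselves has flipped, the candidate expansion is wrong everywhere and the window is missed. The paper’s reconstruction handles that case by using the redundancy of the schedule to vote on each key byte, which is why their recovery still works at error rates where naive searching fails.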
Shmoocon Day 3
On the final day of Shmoocon I went to two talks. Here’s some notes.
I’m still fighting the cold that hit just after the conference. Three days of sick people on the metro and in a hotel ballroom seem to have taken their toll.
Dan Griffin, Hacking Windows Security
This talk presented four tools, three of them developed while he worked for Microsoft and available on MSDN.
Hacking smart cards was an interesting concept for fuzzing smart card middleware. I’m not sure if it was the early start to the day or not, but I didn’t understand whether this was a problem in the smart card driver software as it comes with Windows or in smart card software already written.
“Smart Cards have a vm and shouldn’t be treated as trustworthy.”
The other parts of the talk used “hack” in the older white hat sense of the word. He showed how to add a new algorithm such as Twofish to Windows.
PEAP: Pwned Extensible Authentication Protocol, Wright, Antoniewicz
If you’re up on wireless security you probably know this. Otherwise it’s a good presentation. Worth checking out when posted to shmoocon.org.
With 802.1X/EAP, your access point and RADIUS server are exposed to anyone in radio range, before any authentication has happened. Does it seem like a good idea for a RADIUS server to be that attackable?
To this point the supplicant and RADIUS server code have not been explored thoroughly. This is a great opportunity for research.
EAP-MD5
- Not RFC 4017 compliant
- No support for encryption key delivery (so it cannot hand the client per-session WPA keys)
- No native supplicant in Windows
- eapmd5pass: a tool that reads a pcap file (or sniffs live) and brute-forces the password from a captured challenge/response pair
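Why a captured EAP-MD5 exchange is enough for an offline attack, as an added example (this is not eapmd5pass itself). EAP-MD5 (RFC 3748) reuses the CHAP algorithm from RFC 1994: the response is MD5(Identifier || password || challenge), and both halves of the exchange cross the air in cleartext because EAP-MD5 delivers no keys. The packet layout (Code, Identifier, Length, Type 4, Value-Size, Value, Name) is the real one; the challenge, password and wordlist are constructed.

```python
"""EAP-MD5 challenge/response and offline dictionary attack (added example,
not eapmd5pass).  Packet layout per RFC 3748 section 5.4; response per
RFC 1994.  Challenge, credentials and wordlist are constructed."""
import hashlib

EAP_REQUEST = 1
EAP_RESPONSE = 2
EAP_TYPE_MD5 = 4


def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP/EAP-MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_eap_md5(code: int, identifier: int, value: bytes, name: bytes = b"") -> bytes:
    """Build an EAP MD5-Challenge packet: Code, Id, Length, Type=4, Value-Size, Value, Name."""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    length = 4 + len(body)
    return bytes([code, identifier]) + length.to_bytes(2, "big") + body


def parse_eap_md5(pkt: bytes):
    """Return (code, identifier, value, name) from an EAP MD5-Challenge packet."""
    code, identifier = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("not an EAP MD5-Challenge packet")
    vsize = pkt[5]
    return code, identifier, pkt[6:6 + vsize], pkt[6 + vsize:length]


def crack_eap_md5(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Offline attack: return the first candidate that reproduces the response."""
    for word in wordlist:
        if eap_md5_response(identifier, word, challenge) == response:
            return word
    return None


def demo():
    """Constructed exchange: authenticator challenges, supplicant answers with a
    weak password, and an eavesdropper holding only the two frames cracks it."""
    challenge = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed
    request = build_eap_md5(EAP_REQUEST, 7, challenge, b"corp-radius")
    _, ident, chal, _ = parse_eap_md5(request)
    response = build_eap_md5(EAP_RESPONSE, ident,
                             eap_md5_response(ident, b"Winter2008", chal), b"jdoe")
    # Eavesdropper's view: both frames were sent in the clear over the air.
    _, rid, resp_value, _ = parse_eap_md5(response)
    wordlist = [b"password", b"letmein", b"Summer2007", b"Winter2008", b"jdoe123"]
    return crack_eap_md5(rid, chal, resp_value, wordlist)


if __name__ == "__main__":
    print("recovered password:", demo())
```

Note that the attacker never talks to the RADIUS server: one passive capture gives an unlimited number of guesses, which is the difference between EAP-MD5 and the tunneled methods below.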
LEAP
- Security through obscurity: a proprietary protocol
- Built on MS-CHAPv1, attacked with the asleap tool

EAP-FAST
- Uses a PAC (Protected Access Credential)
- But by default the PAC is provisioned over an anonymous, unauthenticated tunnel (EAP-FAST Phase 0)
- If you use manual PAC provisioning you have a cumbersome process that must be repeated as the PAC expires
- A rogue AP could be used to get the client’s MS-CHAP credentials

EAP-TTLS
- Mutual authentication between client and server
- You can still screw things up by not verifying the server certificate. This lets anyone impersonate the RADIUS server.
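What “not verifying the server certificate” looks like in a supplicant, as an added example (not from the talk): two wpa_supplicant network blocks for the same PEAP/MSCHAPv2 network. The file paths, SSID, identity and server name are assumptions for the illustration.

```conf
# Weak: no ca_cert, so the supplicant accepts whatever certificate the
# RADIUS server (or a rogue AP's RADIUS server) presents, then hands over
# the MSCHAPv2 challenge/response inside that attacker-terminated tunnel.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="changeme"
    phase2="auth=MSCHAPV2"
}

# Hardened: pin the issuing CA and the server name, and keep the real
# username out of the cleartext outer identity.  The inner MSCHAPv2
# exchange now only happens with a server that has proven who it is.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous@example.com"
    password="changeme"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

The same two lines (a trusted CA plus a name check) are the fix for EAP-TTLS; a CA alone is not enough, because any certificate from a public CA would otherwise be accepted as “the” RADIUS server.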
Winamp 5.52 released
Winamp 5.52 has been released to correct an Ultravox streaming metadata stack overflow reported by Secunia. Users of Winamp are encouraged to upgrade immediately.
Shmoocon 2008 Day 2
Here are some notes from Shmoocon day 2. Today was a return to the traditional Build It, Break It, and Bring it on tracks. Here are some notes/summaries from the sessions I attended. It was another fun day.
Active 802.11 Fingerprinting, Bratus, Cornelius and Peebles
How can you identify if an access point is legitimate or rogue? Does two way RSA crypto solve the problem of a rogue AP? The speakers would argue that if you are communicating with a rogue AP, the use of certificates could actually cause more information to be given away to the rogue. You could certainly be exploited in your communication as well if your wireless drivers have vulnerabilities.
Just as with OS fingerprinting through TCP, the wireless protocol can be abused to send unexpected traffic to the AP and fingerprint how it responds. They built a tool called Baffle using Ruby to perform this test. They were able to verify that the access point was using the driver that is expected.
If you’re expecting a linksys AP and I set up a rogue linksys AP, this isn’t going to help you, at least from my understanding of the talk. An audience member asked if this could be used with adhoc (client-to-client) connections as well. It cannot be used for that because the APs are much more chatty and have more negotiation.
The remainder of the time was a presentation on access point hiding. I did not catch the presenter’s name. Basically anything that has some room inside and sufficient power could be refashioned to contain an AP. This assumes you need to be stealthy about placing a rogue AP in the first place. The take-home for me from this section of the talk was the question: “If an AP enabled itself at 2 am (either to let the hacker in, or to move some data out), would you catch that?”
Smarter Password Cracking; Weir, Glodek
Not a lot new here.
Password cracking is getting tougher. Sometimes users are forced to pick better passwords. Often developers are throwing in a salt or hashing multiple times. A salt makes a precomputed-table attack impractical. Multiple hash iterations raise the per-guess cost of an offline password attack. For example, while Word’s password protection was once trivial to break, Word 2007 runs 50,000 rounds of SHA-1 over a salted password.
In the last year or two several password troves have become available to all. Before that, researchers had no way to study real-world password selection. After the passwords collected by MySpace phishers leaked, researchers had a large set of genuine passwords to work with. Many of them were tremendously weak, though, so they are not necessarily comparable to enterprise passwords.
When setting out to crack passwords, it is helpful to figure out how the users select their passwords. This gives the cracker a better chance at success.
I was hoping to take from this lecture a script to analyze a list of passwords and display the tendencies found. I would like to be able to easily run a report that says: 30% of users’ passwords were revealed in testing. Of those, 90 percent were in the format Aaaaaa11 (A=upper, a=lower, 1=any number). I don’t see that script on his website; I’m going to check back later.
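An added example of the kind of report described above (this is not the speakers’ script): it maps each recovered password to a mask in the same notation (A = upper, a = lower, 1 = digit, ? = anything else), adds a run-length form so “Aaaaa11” and “Aaaaaaa11” count as the same habit, and reports coverage and the most common structures. The cracked list and account count are constructed.

```python
"""Password-structure report for pentest results (added example, not the
Shmoocon speakers' tool).  The sample passwords and totals are constructed."""
from collections import Counter
from itertools import groupby


def mask(pw: str) -> str:
    """Per-character class: A=upper, a=lower, 1=digit, ?=other."""
    out = []
    for ch in pw:
        if ch.isupper():
            out.append("A")
        elif ch.islower():
            out.append("a")
        elif ch.isdigit():
            out.append("1")
        else:
            out.append("?")
    return "".join(out)


def compressed_mask(pw: str) -> str:
    """Run-length form of the mask: 'Aaaaaa11' -> 'A a{5} 1{2}'."""
    parts = []
    for cls, run in groupby(mask(pw)):
        n = len(list(run))
        parts.append(f"{cls}{{{n}}}" if n > 1 else cls)
    return " ".join(parts)


def structure_report(cracked, total_accounts, top=3):
    """Coverage plus the most common exact and compressed masks (as percentages)."""
    n = len(cracked)
    exact = Counter(mask(p) for p in cracked)
    compressed = Counter(compressed_mask(p) for p in cracked)
    pct = lambda c: round(100.0 * c / n, 1) if n else 0.0
    return {
        "cracked_pct": round(100.0 * n / total_accounts, 1) if total_accounts else 0.0,
        "top_exact": [(m, pct(c)) for m, c in exact.most_common(top)],
        "top_compressed": [(m, pct(c)) for m, c in compressed.most_common(top)],
    }


# Constructed sample: 10 passwords recovered from 40 accounts.
SAMPLE_CRACKED = ["Winter08", "Summer08", "Monkey12", "Pa$$w0rd", "Baseball1",
                  "Jdoe2008", "Lakers24", "qwerty", "Welcome1", "Cowboys1"]
SAMPLE_ACCOUNTS = 40


if __name__ == "__main__":
    report = structure_report(SAMPLE_CRACKED, SAMPLE_ACCOUNTS)
    print(f"{report['cracked_pct']}% of accounts cracked")
    for m, p in report["top_exact"]:
        print(f"  {p:5.1f}%  {m}")
    print("by run-length structure:")
    for m, p in report["top_compressed"]:
        print(f"  {p:5.1f}%  {m}")
```

The compressed view is the one to feed back into the cracker: a mask like `A a{5} 1{2}` is a much smaller keyspace than “eight mixed characters”, and it is exactly the shape a complexity policy pushes users toward.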
They’re hacking Our Clients, Why are we focusing only on servers; Beale
This talk had two major sections. The need for patching clients, and a poor man’s way to find clients that need patching.
In the first section Beale said that in pentesting engagements they now attempt to get to the internal network through client-side attacks. Often they are limited by engagement rules to the computers belonging to IT staff or security folk. Even with this set of users they are consistently able to perform attacks on the browser, mail client, Office, Adobe Reader, etc. Core Impact and Metasploit are two tools mentioned.
The bad guys moved to client side attacks years ago. Their biggest problem is managing all their owned boxes.
The question is asked: isn’t this just social engineering? There are two responses. No: some attacks run without any user interaction. And yes, but the human firewall is imperfect; even the most educated users get fooled, so it’s still appropriate for a pentest.
Comment from the audience – Once it reaches the user, freakin game over.
The attackers only have to find one vulnerable human or one vulnerable software install.
Isn’t this a patch management problem, Beale asks rhetorically.
He says yes, but not every organization has patch management.
Also, patch management needs to know about every system in order to patch it. It needs an inventory, it needs rights on each box, and it often doesn’t cover every product. Most people don’t have that complete an inventory of what is on their network.
To address these issues, the speaker proposed using User-Agent strings to self identify vulnerable systems. That information could be collected in HTTP proxy logs, and email servers. Vulnerable clients could be denied further access.
While you could do further things such as implement something like the Master Reconnaissance Tool to gather browser plug-ins, there is still vulnerable software that you don’t address in this way.
Another idea is to look at the metadata for recently created files on your fileserver, sharepoint, in email. Apparently you can determine the version of the software used to create the document. A vulnerable version and a recently created document equal a problem that needs to be addressed.
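The User-Agent idea from the talk, as an added example (not the speaker’s tooling): a pass over proxy log lines that pulls product/version pairs out of the User-Agent field, compares them against a minimum-version table, and lists the client addresses that still run something older. The log format, the sample lines and the version baseline are all constructed for the demo; a Squid or IIS log would need only the field positions changed.

```python
"""Find out-of-date client software from User-Agent strings in proxy logs
(added example, not the speaker's tool).  Log format, sample lines and
the minimum-version table are constructed for the demo."""
import re

# Assumed baseline: anything older than this gets flagged.
MIN_VERSIONS = {
    "Firefox": (2, 0, 0, 12),
    "Java": (1, 6, 0, 4),
}

# Constructed log format: time method client_ip url status "user-agent"
UA_RE = re.compile(r'"([^"]*)"\s*$')
PRODUCT_RE = re.compile(r'(Firefox|Java)/(\d+(?:[._]\d+)*)')


def parse_version(text: str) -> tuple:
    """'1.6.0_03' -> (1, 6, 0, 3); tuples compare component by component."""
    return tuple(int(x) for x in re.split(r"[._]", text))


def outdated_clients(log_lines, minimums=MIN_VERSIONS):
    """Return sorted, de-duplicated (client_ip, product, version) for every
    client whose advertised version is below the minimum for that product."""
    findings = set()
    for line in log_lines:
        m = UA_RE.search(line)
        if not m:
            continue
        client_ip = line.split()[2]
        for product, version in PRODUCT_RE.findall(m.group(1)):
            if parse_version(version) < minimums[product]:
                findings.add((client_ip, product, version))
    return sorted(findings)


# Constructed sample lines (addresses, URLs and UA strings invented for the demo).
SAMPLE_LOG = [
    '2008-02-20T09:12:01 GET 10.1.4.20 http://www.example.com/ 200 '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"',
    '2008-02-20T09:12:05 GET 10.1.4.21 http://www.example.com/ 200 '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"',
    '2008-02-20T09:13:40 GET 10.1.4.22 http://updates.example.net/applet.jar 200 '
    '"Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03"',
    '2008-02-20T09:14:02 GET 10.1.4.20 http://www.example.com/news 200 '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"',
    '2008-02-20T09:15:11 GET 10.1.4.23 http://www.example.com/ 200 '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
]


if __name__ == "__main__":
    for ip, product, version in outdated_clients(SAMPLE_LOG):
        print(f"{ip}: {product} {version} is below {MIN_VERSIONS[product]}")
```

Two caveats the talk glossed over: a User-Agent is self-reported (a sandboxed or spoofed browser lies), and most client software that matters (Office, Adobe Reader) never announces itself in HTTP at all, which is why the file-metadata idea is the complement to this one.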
Since I do vuln scan all online systems, and I do have a patch management system, the second part of the talk wasn’t as interesting. It seemed like a lot of work just to catch a small number that missed the patch management and vuln scanning. I do see the usefulness in a University or other similar environment.
VOIP Hopper; Ostrom and Kindervas
This was a strong talk demonstrating the new version of their voiphopper program. Most people outside that room think that a VLAN is a security boundary. The talk showed how easy it is to get onto the voice VLAN. In IT there is also low awareness of VoIP threats. People think, “you can’t access corporate data from an IP phone.”
voiphopper now includes a Cisco Discovery Protocol generator making it really easy to pretend to be a VOIP phone.
Mitigation:
1. Use the phone CDP security feature Cisco provides in 12.2.36 SE. This requires the phone to draw power from the switch, or the port is shut down. (One wonders how that would work in my case, where a bad blade wasn’t providing power for some ports and I was given a power brick for my phone instead of using Power over Ethernet.)
2. MAC address filtering.
3. Disable the PC port on the phone (lobby phones, for instance, should never have a PC plugged into them).
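What item 2 usually means on a Cisco access switch, as an added example (not from the talk): port security capping the number of MAC addresses on a phone port at two (the phone and the PC behind it). Interface name, VLAN numbers and description are assumptions.

```text
interface FastEthernet0/7
 description user desk: PC daisy-chained behind an IP phone (assumed)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
```

This only limits how many addresses the port will learn. An attacker who unplugs the phone and clones its MAC along with its CDP announcements still fits inside the limit, which is why the talk lists MAC filtering alongside the other two measures rather than instead of them.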
Got Citrix? Hack it!; Gupta
One audience member correctly asked for fewer IE vulnerabilities and more about Citrix. I agree. The vulnerabilities presented all existed because Windows was not secured for the role the system was playing.
Gupta has a good point that people think putting something behind Citrix is equal to securely serving it.
We did not get to see a couple of demos because the wireless network was down during this session. I’d recommend either not relying on an unreliable medium for a presentation or having a video backup. We were left with a session cut short, and a feeling of disappointment.
Shmoocon 2008 Day 1
I’m down at Shmoocon this weekend. I’ve been to two of the four Shmoocons. Apparently I only go on even years.
Here are some notes. This is probably going to be even less coherent than usual as its getting late and I need to be back down there tomorrow.
David Hulton, “Intercepting GSM Traffic”
As I understood it, this talk described a known-plaintext attack on the session key between a GSM phone and the tower. It still requires massive computational power, although the hardware and time cost are much lower for this attack than for previous attacks. The solution will probably be more networks switching to 3G.
David Smith, Forensic Image Analysis to Recover Passwords
This talk described his attempt to recover passwords from coredumps, swap, memory dump, logs , deleted temp files, slack space and internal history.
He is currently working in perl to search for strings of a certain length and then gives them an entropy score.
An audience member suggested starting with a clean OS image to easily rule out the OS files from the gathered strings.
In terms of defenses, I would start with not saving passwords in easily reversible forms (browser saving passwords, for example). Next, I would consider wiping the free space. Full disk encryption would be the best defense, assuming you don’t get caught while the computer is booted.
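An added example of the string-plus-entropy approach the talk described (this is not the speaker’s Perl, and it is not a substitute for it): extract printable runs from a binary blob, score each with Shannon entropy, keep the ones that mix character classes, and drop anything that also appears in a string list taken from a clean OS image, as the audience member suggested. The blob and the clean-image list are constructed.

```python
"""Entropy-scored candidate passwords from a raw image (added example, not the
speaker's Perl).  The sample blob and the clean-image string list are
constructed for the demo."""
import math
import string
from collections import Counter

# Letters, digits and punctuation only: a space ends a run, so a password with
# spaces would be split (a deliberate trade-off to keep runs from merging).
PRINTABLE = set(bytes(string.ascii_letters + string.digits + string.punctuation, "ascii"))


def extract_strings(blob: bytes, min_len: int = 8, max_len: int = 64):
    """Return (offset, text) for every printable run of min_len..max_len bytes."""
    out, start = [], None
    for i, b in enumerate(blob + b"\x00"):          # sentinel flushes the last run
        if b in PRINTABLE and start is None:
            start = i
        elif b not in PRINTABLE and start is not None:
            if min_len <= i - start <= max_len:
                out.append((start, blob[start:i].decode("ascii")))
            start = None
    return out


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for a repeated character, log2(len(set)) at most."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def password_candidates(blob: bytes, known_strings=frozenset(), min_entropy: float = 3.0,
                        min_len: int = 8, max_len: int = 40):
    """Strings that look like credentials: high entropy, three or more character
    classes, and not present in the clean-image string list.  Sorted high to low."""
    cands = []
    for off, s in extract_strings(blob, min_len, max_len):
        if s in known_strings:
            continue
        classes = sum([any(ch.isupper() for ch in s), any(ch.islower() for ch in s),
                       any(ch.isdigit() for ch in s), any(ch in string.punctuation for ch in s)])
        ent = shannon_entropy(s)
        if ent >= min_entropy and classes >= 3:
            cands.append((off, s, round(ent, 2)))
    return sorted(cands, key=lambda t: -t[2])


# Constructed 'swap' sample: a UA fragment, a Windows path, a buffer fill, a credential.
SAMPLE_BLOB = (b"\x00\x17Mozilla/5.0\x00\x00\x00"
               b"C:\\WINDOWS\\system32\\\x00"
               b"AAAAAAAAAAAAAAAA\x00\x01\x02"
               b"pwd=Tr0ub4dor&3\x00\x00"
               b"hello\x00")

# Constructed stand-in for the strings harvested from a clean OS install.
CLEAN_IMAGE_STRINGS = frozenset({"Mozilla/5.0", "C:\\WINDOWS\\system32\\"})


if __name__ == "__main__":
    for off, s, ent in password_candidates(SAMPLE_BLOB, known_strings=CLEAN_IMAGE_STRINGS):
        print(f"offset {off:6d}  entropy {ent:4.2f}  {s}")
```

Without the clean-image list both the User-Agent fragment and the Windows path score well enough to be reported, which is the noise the audience member was pointing at; with it, only the credential survives.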
Syn Phishus, Unauthorized phishing exercise
This is the talk I was most looking forward to. Syn, as a security contractor, decided to phish the computer security department (consisting of 200 employees). He created a phishing campaign announcing the company’s ID theft insurance vendor signup. If users clicked on the link in the email, they were prompted to log in using domain credentials; if they hit submit or cancel they were counseled not to be so dang gullible.
The goals for this project were to raise security awareness, demonstrate that policies require enforcement and education, get corporate communications to sign their email and create a service the company could sell. He didn’t tell anyone before doing it. He didn’t want anyone else to take the risk. He tried to make it easy for IT security to respond to by putting information in the comments on the phishing site, and by using a computer connected to the corporate vpn for his phishing attack.
As you might expect this did not go over well with his company. Doing something like this is definitely a career limiting event. You should always have a get out of jail free card, that is something in writing authorizing you.
edited to remove incorrect assumption about Syn and another phishing venture. Sorry about that.
Deral Heiland, Web Portals
This talk was about a pentest facilitated by the company’s internet portal.
Portals provide easy access to corporate data. They can also be huge threats to the internal network.
The problem with this particular (unspecified) portal was twofold. One, it accepted unauthenticated traffic, and two, the portal had full access to the internal network. The portal accepted and processed GET requests carrying a URL, so you could craft a query that made the portal open a website on the internal network on your behalf. By trying common internal address space, you could find anything running a web server. This ranged from printers, Compaq Lights-Out boards and network equipment to the SAN administration interface. Bad news for the company if a hacker had uncovered this.
This is why they should have required strong authentication for everything on that server. The server should also have been filtered from internal access so that only required services could be accessed. A layer 7 firewall could have prevented the portal from being exploited as well.
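The application-level half of that fix, as an added example (not the portal’s code or Heiland’s): before the portal fetches anything on a user’s behalf, the target goes through a deny-by-default check. The host must be on an explicit allowlist, credentials embedded in the URL are refused, and whatever the name resolves to must not be a private, loopback or link-local address (so an allowlisted name that points inward, via split DNS or rebinding, is still refused). The allowlist, host names and addresses are assumptions; the resolver is injectable so the check can run offline.

```python
"""Target validation for a portal-style URL fetcher (added example, not the
portal's own code).  Allowlist, host names and addresses are assumptions."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"news.example.com", "weather.example.net"}   # assumed allowlist
ALLOWED_SCHEMES = {"http", "https"}


def resolve(host: str):
    """All addresses a host resolves to (kept separate so tests can stub it)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(addr: str) -> bool:
    """True for anything the portal must never proxy to."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def is_safe_target(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=resolve) -> bool:
    """Deny-by-default check for a URL the portal has been asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if parts.username or parts.password:
        return False        # 'http://news.example.com@10.0.0.5/' tricks naive host checks
    host = parts.hostname
    if not host or host.lower() not in allowed_hosts:
        return False        # allowlist, not a blocklist of internal ranges
    try:
        addrs = resolver(host)
    except (socket.gaierror, OSError):
        return False
    if not addrs:
        return False
    # Every address must be external: an allowlisted name resolving inward
    # (split-horizon DNS, rebinding) would otherwise reopen the hole.
    return not any(is_internal(a) for a in addrs)


def demo_resolver(host: str):
    """Constructed DNS: one external name, one that points inside."""
    table = {"news.example.com": {"8.8.8.8"}, "weather.example.net": {"10.0.0.5"}}
    if host not in table:
        raise socket.gaierror(host)
    return table[host]


if __name__ == "__main__":
    for u in ["http://news.example.com/today", "http://10.0.0.5/",
              "http://weather.example.net/", "http://news.example.com@10.0.0.5/"]:
        print(f"{u:45s} {'fetch' if is_safe_target(u, resolver=demo_resolver) else 'refuse'}")
```

Note that this belongs in addition to the network filtering and authentication mentioned above, not instead of them: a portal that can only reach the hosts it needs, and only after the caller has authenticated, is what limits the damage when the application-level check has a bug.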
Isaac Mathis, Hacking the Samauri Spirit
This was actually an interesting talk about how differences in culture influence security.
Deviant Ollam, Latest News on Bump Key Attacks
This was fairly routine for anyone who is up on bumpkeys.
Anti-bumping technology is starting to make its way into common consumer level locksets. Masterlock and Kwickset appear to be gearing up to sell consumers on this added protection.
Fred – CDW Commercials
These bring back some memories
Fred, I promised someone remote access. What is remote access…
I opened that virus, just like you told us not to…
I’m taking user error to a whole new level…
Adobe Reader/Acrobat 7 Support Sunset
I cannot find a statement on Adobe’s website saying they no longer support Reader/Acrobat versions earlier than 8, but actions speak louder than words.
The security bulletin for the vulnerability currently being exploited states:
Acrobat and Adobe Reader 7.0.9 and earlier versions are also affected by these vulnerabilities. Adobe will provide further information as to the nature of the vulnerabilities via the company’s Security Bulletins and Advisories page (http://www.adobe.com/support/security/) once updates are available for all affected versions of Acrobat and Adobe Reader.
That is not very reassuring because the last Adobe Reader/Acrobat security bulletin said the same thing.
Adobe will be providing an update to Adobe Reader 7.0.9 and Acrobat 7.0.9 at a later date.
That update hasn’t been released.
We have a large number of users still running 7.0.9 Standard or Professional. I don’t expect them to be all that excited about ponying up the dough for the upgrade to 8.x. Version 7 isn’t supported with Office 2007 or Vista so they’ll have to upgrade fairly soon anyway.
There has been growing talk (in general, not at work) about Adobe Reader and Acrobat alternatives. Adobe’s product has become more and more bloated. They then have security bulletins as a result of these extra features. FoxIt Reader doesn’t have any reported security vulnerabilities. I don’t have any experience with FoxIt, but it sure seems like time to investigate a change that doesn’t require multiple updates per year.
Update: Not so fast…
On February 20th, Adobe updated its security bulletin to say:
Acrobat and Adobe Reader 7.0.9 and earlier versions are also affected by these vulnerabilities.
Adobe is planning to release an update to Adobe Reader and Acrobat 7 by the end of May 2008 to resolve these security issues in those versions of the products
Secunia Personal Software Inspector 0.9.0.1
Secunia has released Personal Software Inspector (PSI) 0.9.0.1. As I’ve blogged about before, Secunia PSI is software for the home user that reports software that is vulnerable or no longer updated by the manufacturer.
The change log here lists a few interesting improvements.
- Improved intelligence to make it even easier for non-technical users to patch their applications. Special rules for Adobe Flash and Sun Java have been implemented.
- The Secunia PSI is now able to determine if the detected Adobe Flash versions are an ActiveX Control (IE), a Firefox plug-in, an Opera plug-in, or a general Operating System plug-in.
- The Secunia PSI is now able to determine if the detected Sun Java versions require an uninstall (the Sun Java installer does not automatically uninstall old versions when you upgrade to their latest version).
- When hovering your mouse over an application name the Secunia PSI will now always display the exact path to where the application is installed.
Keeping third-party applications patched is critical for computers used on the Internet.


