Roger's Information Security Blog

RockYou was hacked a couple of weeks ago and over 35 million passwords were stolen. RockYou may have your password if you’ve played any of their Social Networking Applications on sites like Facebook or MySpace. Their applications include

• Slideshow
• Uploadphoto
• Photofx
• Glittertext
• Funnotes
• Countdown
• Superhug
• Myspace layouts
• Stickers
• Superwall
• Pieces of flair
• Speedracing
• Likeness
• Hugme
• Birthday cards

Pieces of flair seems like one I’ve seen my friends using. Depending on the application, RockYou may have had your Facebook or Webmail password. RockYou recommends that you change passwords for any online service where you’ve used the same password disclosed to them.
In the last day, I’ve seen a massive spike in the number of friends who have had their Gmail account hacked and spam sent to contacts in the address book. Its not necessarily connected to the RockYou attack, but its worth mentioning. The hacker briefly posted the full database online for anyone to download. So its not surprising that people would get hit.

I logged into PowWeb (my web host)’s forums and found they were majorly owned last night. The powers that be aren’t saying anything at all, but other users are reporting malicious javascript (detected as Psyme) was added to many of their webpages, particularly index pages.
PowWeb reset all passwords used for Ops (their web control panel) and mailed one time passwords to users. They have now removed the viral code added to the user files. They have not reported how this occured.
My sites don’t seem to have been effected at all.

I read a couple of interesting blog posts today about sites getting hacked.
Sunbelt Blog had an example of a hacked site, where the site redirected you to malware if you got to the site through a link (such as from a search engine). Otherwise the site displayed normally.
The Kaspersky Analyst diary had more information. In a dark form of search engine optimization, the attackers would find search results for a search term, and then compromise the popular results that they could. Adding an iframe is so 2006, so they’d modify existing javascript on the page to run their code and redirect users to Antivirus 2009 websites.

The SANS Internet Storm Center diary has an entry a telnet authentication bypass vulnerability in Solaris 10 and 11. They don’t mention any useful details, but if you’re the type who prefers to see for yourself, you might check out a place that likes to fully disclose this type of thing.
I found we only have one Solaris 10 server running telnet. Its one of the Unix administrator’s desktops. You can only access root from the console, but I was able to get in using the ‘adm’ account. Good times, good times.

I hear that a government agency (which I wont name) is blocking all email file attachments with a .doc extension as a result of the announced zero day attack. The email that I saw adviced employees to stick to TXT files and PDF files.
Every company has its own level of risk aversion but I think this is kind of ridiculous. Word documents are essential to business. I’ve asked before in this blog, you people with untrustworthy antivirus who block by file type what are you going to do when viruses come in flavors other than easily blockable things like EXE and PIF. Well, we found soon that viruses come in image files. Viruses come in office files. I guess the answer for this agency will eventually be to enforce text only email.
The Federal agency will be blocking .doc files until a fix is available or they feel the threat level has changed. I did hear that renaming the extension before mailing does circumvent this filter. So they aren’t blocking using the file header, only by extension. If someone were truely targeting them specifically, and currently this attack is only used against one or two companies, the attacker might know enough to rename the file with instructions for the recipient to rename the .cod file back to .doc.
I’m a bit surprised that they are advising that PDF files are an acceptable alternative. Adobe Reader and Professional have all kinds of remote execution vulnerabilities. Adobe recommends that you upgrade to version 8 which was released this week.

Fantasy site Second Life was hacked according to Dark Reading. The second life website doesn’t provide any information other than that it was a zero day attack on unnamed web software. More info is available in their blog.

My rainbow tables for alphanumeric plus 32 symbols and a space are not working right with Sam Inside. I’m not sure if the problem is with SAMInside or with the files. My original file source is not available right now, so I cant download a new copy and compare hashes. I feel like my powers have been diminished, like superman with kryptonite.

Six Apart’s free support bulletin board for Movable Type has been offline for maintenance since this past weekend. I just saw why on Bugtraq. Looks like there is another SQL injection exploit in Invision Power Board that will grant an attacker admin access. This is a vulnerability in versions prior to 2.1.7. Hopefully they’ll get patched and back online soon.
Back in May, I wrote when that forum was exploited and modified to serve up WMF exploits. At that time I let the SANS ISC know about it. So it was pretty funny in June when a Circuit City IPB forum was hacked and it made the tech news. According to MSN search there are still a lot of boards running Invision Power Board 2.1.6. A lot of them are hobby websites that likely learn the hard way about keeping up with security patches.

The Cisco VPN Client for Windows has a privilege escalation vulnerability that allows a regular user to gain system right.
http://www.cisco.com/warp/public/707/cisco-sa-20060524-vpnclient.shtml
Makes you wonder, if you’ve “locked down” your user permissions, how many of the really dangerous ones haven’t already promoted themselves to admin through privilege escalation vulnerabilities like this.

I’m not sure if I’ve posted about this or not. During March and into April we had a pen-testing project as school. At the beginning of the semester we had a project to configure our server (Windows 2003, or Red Hat Enterprise AS 4). Next we had to perform reconnaissance on our classmates and a collection of cannon fodder servers set up by the instructor. This led into the pen testing assignment.
Going into the assignment, my main concern was not getting hacked and not embarrassing myself. It actually turned out better than that. I didn’t get hacked, and I was able to hack more servers than anyone else in the class.
What differentiated my results from those of my classmates were a series of application attacks. The foundation for these attacks were laid when Terminal Services was installed. You see Terminal Services has asks at install if you want high security or application compatibility. If you select application compatibility, then any terminal server user has modify rights to c:\program files\* and some important registry keys. The administrator of those servers should have looked at the terminal server settings and changed it to the high security, or looked at the file ACLs and removed unnecessary permissions.
Although my “guest” account only had user rights, because I was a terminal server user, I was able to modify some key files. Luall.exe is Symantec Liveupdate. When a scheduled liveupdate runs, it runs with SYSTEM permissions. By replacing luall.exe with my own version of the file, I was able to escalate my rights and own multiple servers.
This is another case of application compatibility mode causing security troubles. Of course this is not the preferred configuration for Terminal Services. So hopefully this isn’t an exposure that you have on your own servers. So if you have Terminal Services, even just for remote admin mode, make sure that you check your security level. Otherwise a Terminal Server User is just an admin who hasn’t promoted himself yet.