My Top 5 exploits of interest from the past weeks (July 29-Aug6)…

Here are my top five publicized exploits and vulnerabilities that have been in the news over the past week and a half.

1) SCADA and Windows Shortcut Vulnerability

I’ve already provided some insight on this. You can read more on my previous blogs “Analysis of the Siemens SCADA and Windows Shortcut Vulnerabilities” or “No patch for Microsoft Shortcut Vulnerability available for XP SP2 or any other end-of-life Windows release”.

Additionally, during the recent Black Hat conference, Red Tiger Security presented material showing that SCADA systems are far more insecure than Enterprise systems. They discovered 38,573 vulnerabilities exposed on 120 critical infrastructure facilities.

Some more highlights from this presentation:

  • There is a 331-day gap between vulnerabilities discovered in Enterprise systems and SCADA systems.
  • Most of the systems weren’t properly hardened and had unnecessary services and software running, including botnets and malware.
  • SCADA environments typically do not allow for planned outages to apply patches, such as ones that address critical vulnerabilities.

Please see the below article for more information:

  1. http://www.scmagazineus.com/black-hat-2010-scada-systems-far-more-insecure-than-enterprise-it-systems/article/175804/

2) Browsers are still susceptible to attacks even with SSL/TLS

Two presenters at the recent Black Hat conference in Las Vegas presented 24 vulnerabilities in the way browsers implement SSL/TLS for secure sessions. The message is that we shouldn’t trust that our web sessions are secure simply because we see the padlock.

All of these rely on man-in-the-middle (MITM) attacks, so an attacker has to gain access to your network in order to carry them out, and could most likely carry out more damaging attacks than the ones listed below.

Though most are low risk in nature, two are classified as critical. The most prevalent uses session fixation (a cookie-passing technique), which is a form of session hijacking. The way it works is that an attacker first picks or is assigned a valid session ID from the target website. When the victim wants to connect to the target website, the attacker tricks the victim into using this session ID by inserting it into the victim’s browser via a MITM attack. This could be done through XSS, a meta tag or an HTTP response. The victim is now fixed on a session ID determined by the attacker. When the victim logs on to the target website with his credentials, the attacker, using the session ID, can also gain access without having to validate the victim’s credentials. This is accomplished without having to predict or capture an existing session ID determined by the victim.
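The server-side fix for the fixation flow described above is to issue a new session ID at login. The following is an added example, not code from the presentation or from any product; the in-memory `SessionStore` class and the user name are constructed for illustration.

```python
import secrets


class SessionStore:
    """Minimal in-memory session table (constructed for illustration)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session ID -> authenticated user, None if anonymous

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, sid, user):
        """Authenticate `user` on the presented session; return the ID to set in the cookie."""
        if sid not in self.sessions:
            # Never adopt an ID the server did not issue itself.
            sid = self.new_session()
        if self.rotate_on_login:
            # Mitigation: discard the pre-login ID and issue a fresh one, so an
            # ID that was known to anyone before authentication is worthless.
            del self.sessions[sid]
            sid = self.new_session()
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def fixation_outcome(rotate_on_login):
    """Replay the flow from the text; report who each session ID maps to afterwards."""
    store = SessionStore(rotate_on_login)
    pre_login_sid = store.new_session()           # ID fixed before the victim logs in
    cookie = store.login(pre_login_sid, "alice")  # victim authenticates carrying that ID
    return store.whoami(pre_login_sid), store.whoami(cookie)
```

Without rotation the pre-login ID ends up authenticated as the victim; with rotation it maps to nobody, while the victim's new cookie still works.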

See the following links for more information:

  1. http://www.scmagazineus.com/black-hat-2010-even-with-ssltls-browsers-still-are-susceptible-to-attack/article/175911/
  2. http://www.thewhir.com/web-hosting-news/073010_Black_Hat_Conference_Presenters_Poke_Holes_in_SSL
  3. http://blogs.forbes.com/firewall/2010/07/29/twenty-four-more-reasons-not-to-trust-your-browsers-padlock/

3) Zeus Botnet steals 60GB of Data

Zeus, considered one of the largest botnets on the internet, is a trojan horse that primarily steals banking information by using keystroke logging mechanisms. It spreads through phishing techniques. It has infected millions of computers around the world and there are now several different variants of it out there, such as Mumba. Zeus is very difficult to detect, hence the high infection rate.

According to AVG, the Mumba botnet is a “mass production site for deploying phishing sites and crimeware”. Since April 2010, it has stolen 60GB of data from 55,000 sites under its control, including credentials from bank accounts, credit card information, email accounts and social media accounts. 33% of these attack victims reside in the U.S. while 5% reside here in Canada. It differs from past botnets in that most use bullet-proof hosting (hosts that ignore or are lenient about the content being hosted) or hijacked web servers to host the data, while Mumba uses a fast-flux network to host stolen data. Fast-flux works by assigning hundreds or thousands of IP addresses to an FQDN. These IP addresses are swapped frequently for any given DNS record, so an FQDN can have a different IP as often as every couple of minutes. This makes tracking these hosting servers more difficult.

I will provide a more in-depth look at the Zeus botnet in a subsequent blog.

The report from AVG is located here. I highly recommend reading it.
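The rotation behaviour described above (many addresses, short lifetimes) can be turned into a detection heuristic over passive DNS logs. This is an added example, not taken from the AVG report; the observations, the `.example` names and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address


def sample_observations():
    """Constructed passive-DNS rows: (epoch seconds, FQDN, A record, TTL)."""
    nets = ["192.0.2.", "198.51.100.", "203.0.113."]  # documentation ranges
    rows = []
    for i in range(12):  # one answer every 3 minutes
        rows.append((i * 180, "cdn.flux.example", f"{nets[i % 3]}{10 + i}", 120))
        rows.append((i * 180, "www.stable.example", "192.0.2.200", 3600))
    return rows


def flux_candidates(rows, window=3600, min_ips=8, min_networks=3, max_ttl=300):
    """Flag FQDNs that resolve to many addresses in several /24s with short TTLs."""
    newest = max(ts for ts, _, _, _ in rows)
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for ts, fqdn, ip, ttl in rows:
        if ts < newest - window:
            continue  # only judge recent behaviour
        s = stats[fqdn.lower().rstrip(".")]
        s["ips"].add(ip)
        s["nets"].add(int(ip_address(ip)) >> 8)  # /24 prefix of the IPv4 address
        s["ttls"].append(ttl)
    flagged = {}
    for fqdn, s in stats.items():
        median_ttl = sorted(s["ttls"])[len(s["ttls"]) // 2]
        if (len(s["ips"]) >= min_ips and len(s["nets"]) >= min_networks
                and median_ttl <= max_ttl):
            flagged[fqdn] = {"distinct_ips": len(s["ips"]),
                             "networks": len(s["nets"]),
                             "median_ttl": median_ttl}
    return flagged
```

Content delivery networks and round-robin pools can show a similar pattern, so flagged names are candidates for review before they go on a DNS blocklist.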

See also http://www.scmagazineus.com/new-zeus-botnet-steals-60-gb-of-sensitive-data/article/176225/

4) Buffer overflow in Adobe Acrobat

Another vulnerability that was presented at Black Hat (by Charlie Miller) was an integer overflow flaw in the way that Adobe Acrobat and Reader parse fonts. If this vulnerability is exploited correctly, it could allow an attacker to corrupt particular memory segments and insert arbitrary code on the impacted machine.

Adobe has acknowledged the vulnerability and will be pushing out an emergency out-of-band patch to fix this critical vulnerability.

More information here:

  1. http://www.scmagazineus.com/adobe-confirms-critical-flaw-in-reader-and-acrobat/article/176367/
  2. http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1517945,00.html

5) Two critical VxWorks Vulnerabilities discovered

Two critical vulnerabilities have been discovered in the VxWorks operating system, which is used in some 500 million devices such as telecom equipment, military devices and spacecraft. Both of these vulnerabilities have been reported by US-CERT:
http://www.kb.cert.org/vuls/id/362332
http://www.kb.cert.org/vuls/id/840249

HD Moore, the penetration tester and creator of Metasploit, presented material at DEFCON highlighting these vulnerabilities. He discussed his presentation with SCMagazine. Here are some of the highlights.

VxWorks Debugger

VxWorks is shipped with a debugger called WDB agent, which is used to debug issues and ensure quality code is developed. The service is enabled by default and is not secured, which exposes a vulnerability in a deployed system.

According to Moore, WDB agent could allow anyone to take control of the device. To demonstrate how widespread this vulnerability is, he scanned more than 3.1 billion IP addresses, and more than 250,000 devices were found with the WDB agent exposed. He also stated that it appears that some unknown hackers had spent 2006 scanning the same service, and it’s unknown how they exploited this vulnerability.

Default Hashing Algorithm can be broken by brute force attacks

There is a vulnerability in the default hashing algorithm provided by VxWorks, which is susceptible to collisions (where a hashing function generates the same output for different input strings) and could allow an attacker to use brute force techniques to discover the password. VxWorks is aware of the issue and will be providing a fix for it in VxWorks release 6.9. US-CERT recommends not using this default hashing algorithm and using only a trusted authentication algorithm.

Check out Moore’s blog for more info here.


About the author

jojo.maalouf -

3 Responses to "My Top 5 exploits of interest from the past weeks (July 29-Aug6)…"

  1. Just to add to the fast-flux comment, traditional IP blocking or IP-based ACLs will not work against a Botnet using this technique. More advanced domain name blocking will work unless the Bot uses many different FQDNs. I recommend using DNS blackholing to stop a Bot or malware from calling home to get one of these Flux addresses. If this Bot uses thousands of FQDNs, then this will become unmanageable.

  2. I wasn’t aware of the many ripples and depth to this story until I surfed here through Yahoo! Good job. With regards, Emily.

  3. Every time I read a good article I usually do three things: 1. Forward it to all the close contacts. 2. Save it in all of the favorite sharing websites. 3. Make sure to return to the same website where I read the article. After reading this article I’m seriously thinking of going ahead and doing all of the above!
