XSS Vulnerability in ZeusCart Shopping Cart [0day]

Folks,
SecPod Research Team member Sooraj K.S found an XSS flaw in the ZeusCart e-commerce shopping cart that can be used to obtain sensitive information and launch further attacks. The flaw lies in the search parameter: the ZeusCart web application processes the user-supplied input and renders the content back to the client's browser. The flaw can be exploited to inject arbitrary HTML and to steal cookies, among other things.

Aug 5th, 2010 | Filed under Advisories

Remote OpenVAS check for MS09-050

MS09-050 addresses the much-discussed SMB2 negotiation vulnerability. A crafted SMB packet can crash Windows Vista and Windows Server 2008 systems with a blue screen.

The OpenVAS plugin for checking the MS09-050 hotfix is now available in the SVN repository. It does not require any credentials. A patched system responds differently to a particular SMB negotiation request (one with a crafted PID low_id field) than an unpatched system does, and the response is checked to confirm whether the patch is installed. This has been tested on Windows Vista and Windows Server 2008.

Oct 15th, 2009 | Filed under Uncategorized

Microsoft Bulletins Plugins – Jul09

OpenVAS plugins for the Microsoft Security Bulletins of July 2009 are now available in the SVN repository. The plugins can also be synced with openvas-nvt-sync.

There were 6 bulletins in total, including the much-discussed Video ActiveX control bulletin (MS09-032).

Jul 15th, 2009 | Filed under Uncategorized

OpenVAS Crosses 10000 NVTs (plugins)

The news…

Passing the 10000th Network Vulnerability Test (NVT) is a perfect occasion to report about the progress of the OpenVAS project[1].

In October 2008 the systematic development of new NVTs started with a base of around 5800 tests. With the release of OpenVAS 2.0 in December 2008, development was boosted and has now reached an average of 10 code updates per day. The public OpenVAS NVT Feed Service delivers 3-10 new vulnerability tests every day.

Apr 17th, 2009 | Filed under Uncategorized

Microsoft Bulletins Plugins – Apr09

OpenVAS plugins for the Microsoft Bulletins of April 2009 are now available in OpenVAS. Update your OpenVAS plugins by running openvas-nvt-sync, or download them from the SVN repository directly.

Apr 17th, 2009 | Filed under Uncategorized

MS08-067 (Conficker worm) detection – OpenVAS plugin

Conficker worm variants A, B and C depend on a vulnerability in the Microsoft Server service. Microsoft released advisory MS08-067 in October 2008 to address this vulnerability. As was expected at the time, a number of attacks exploiting it are spreading, the major one being the Conficker worm.

We have plugins for OpenVAS:
900055 – secpod_ms08-067_900055.nasl
900056 – secpod_ms08-067_900056.nasl

Apr 1st, 2009 | Filed under Uncategorized

Exploit Shield

Introduction

In the world of computer security and exploitation, we come across many security tools. Some of them are quite useful, and some you plug in only to pull out again within a few days. The antivirus company F-Secure has now developed an application called Exploit Shield, whose main focus is dynamic protection against zero-day vulnerabilities. I won't go into a deep analysis of its internal mechanism, but I will give an overview of this tool and how it works in the next section.

Dec 30th, 2008 | Filed under SecDigest

SecDigest – MS08-067 Exploit

We earlier released the SecPod plugin for Nessus for the MS08-067 vulnerability. That plugin required SMB credentials in order to work.

We have now made the exploit code for this much-discussed vulnerability available here. It has been tested with Nessus and OpenVAS and works well on Microsoft Windows 2000, XP and 2003, and it does not require any credentials. Since it crashes the Server service on the target system (a Windows 2000 system restarts), you will have to restart the Server service afterwards. Exercise caution!

Oct 31st, 2008 | Filed under Uncategorized

SecDigest – MS08-067

The advisory released by Microsoft yesterday, MS08-067, calls for an immediate update. The vulnerability is being actively exploited. We have the SecPod plugin for Nessus and OpenVAS available here; scan your systems quickly and apply the missing update.

Oct 24th, 2008 | Filed under Uncategorized

SecDigest – 09-10-2008

Microsoft Bulletins – Sept08

Microsoft released 4 security bulletins addressing 8 security vulnerabilities, all rated Critical.

1. MS08-052 – GDI+ Remote Code Execution Vulnerability

2. MS08-053 – Windows Media Encoder 9 Remote Code Execution Vulnerability

3. MS08-054 – Windows Media Player Remote Code Execution Vulnerability

4. MS08-055 – Microsoft Office Remote Code Execution Vulnerability

More details can be found here. We have also released SecPod plugins for Nessus.

One critical vulnerability, MS08-052, requires considerable effort to deploy the patches. When we searched for gdiplus.dll (the vulnerable file) on one system, it was found in 23 different locations, all with different sizes and file versions. This indicates that each application has been bundled with its own version of the GDI+ library.

The first step towards applying the patch is to manually download the patches from the Microsoft bulletin and apply each one listed against its category of applications; Windows Automatic Update will not help here. Secondly, list all the applications that use GDI+ (search for gdiplus.dll) and see whether you can overwrite those files with the latest versions (this may not work for all applications, as each is bundled with a different version and size). Use those applications with care in the meantime. Hopefully each vendor will update their software separately, and soon.
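As an added example (not part of the original post), the following PowerShell script inventories every copy of gdiplus.dll on the local drives with its path, size and file version, so the bundled GDI+ copies can be tracked while each vendor ships its update. The drive list, output path and minimum version are assumptions; the version threshold is only a heuristic, since OS-shipped and redistributable GDI+ builds follow different version lines.

```powershell
# Added example, not from the original post: inventory gdiplus.dll copies for MS08-052 follow-up.
param(
    [string[]]$Roots = @('C:\'),                              # assumption: drives to walk
    [string]$MinimumVersion = '0.0.0.0',                      # placeholder: take the value from the MS08-052 bulletin
    [string]$OutCsv = "$env:TEMP\gdiplus-inventory.csv"       # assumption: where the report is written
)

$minimum = [version]$MinimumVersion

$found = foreach ($root in $Roots) {
    # Walk the drive; skip directories we cannot read instead of aborting the sweep.
    Get-ChildItem -Path $root -Filter 'gdiplus.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_.VersionInfo
            # Build the version from the numeric parts; the FileVersion string often carries
            # a branch suffix (e.g. "... (xpsp_sp3_gdr...)") that would not parse as [version].
            $ver = New-Object System.Version(
                $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
            [pscustomobject]@{
                Path         = $_.FullName
                SizeBytes    = $_.Length
                FileVersion  = $ver.ToString()
                ProductName  = $info.ProductName      # hints at which application bundled this copy
                BelowMinimum = ($ver -lt $minimum)    # heuristic only; see lead-in
            }
        }
}

# Persist the full list so it can be diffed after each vendor update.
$found | Sort-Object Path | Export-Csv -Path $OutCsv -NoTypeInformation

# Summary: how many distinct builds are on the box, and which copies still look old.
$found | Group-Object FileVersion | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

$old = @($found | Where-Object { $_.BelowMinimum })
"{0} copies of gdiplus.dll found; {1} below version {2}; report written to {3}" -f `
    @($found).Count, $old.Count, $MinimumVersion, $OutCsv
$old | Select-Object Path, FileVersion, ProductName | Format-Table -AutoSize
```

Re-run the script after each application update and diff the CSV files to confirm that the old builds are actually gone.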

Sep 10th, 2008 | Filed under Uncategorized