Showing posts from July, 2009

DEFCON preview: Netgear RP614 CSRF attack video

To give you a sense of what Mike Bailey and I will be covering at defcon 17 this Saturday at 11am, I thought I'd give you a little taste courtesy of a Netgear RP614v4 router that suffers from cross-site request forgery (CSRF) vulnerabilities, as well as persistent cross-site scripting (XSS) issues.
See OSVDB advisory 54885 for further specifics. BTW, please support OSVDB!

The short version:
The Netgear RP614v4 web-based administration interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform administrative actions or conduct script insertion attacks e.g. when a logged-in administrator visits a malicious web site.
The sad truth of the matter is this, while I don't have access to the whole Netgear product line, the reuse the same firmware codebase across multiple devices.
Thus, in all likelihood, there are numerous Netgear devices vulnerable to this issue, if not all.
The same ho…

steekR security steenkS

My RSS reader continues to provide me subject matter for analysis, and the recent F-Secure purchase of steekR, “Your Secured Online Space”, was no exception.
The purchase was described by El Reg as follows:

F-Secure grabs online storage firm in cloud security push
Steek's technology is designed to allow users to upload data from either PCs or mobile phones. Bordeaux-based Steek already partners with mobile telcos (including Virgin Media, SFR in France and SingTel), a factor which F-Secure hopes will increase its ability to sell Software as a Service (SaaS) technology packages through operators.

Oh boy, here we go again.
I want to create a new line of Bobbleheads for Cloud and SaaS. They’ll talk as well, bobbling and blathering the latest buzz words:
“We’ll give you the best ROI in the cloud!”
“Our SaaS offering relieves you of any responsibility, we’ll do it all!”
I digress.
I understand the business model, and F-Secure’s motives for the purchase; it’s hard to find fault there.
But as I…

Pick a toolsmith topic

I've decided to implement a new feature from time to time with regard to toolsmith, my monthly column in the ISSA Journal.
You, dear reader, are invited to propose topics. If I choose your topic, you will be mentioned in the column, and win an information security book of my choosing.
A few important guidelines.
1) It must be an information security tool I haven't already discussed. See the full list of those I have discussed here.
2) The tool must be information security related.
3) The tool must be free, and preferably open source.
4) Ideally, I prefer to try and focus on tools that aren't well known, with less exposure, in order to help them receive the attention they deserve.
Submit ideas at my contact page.
I look forward to hearing what might be of interest for you. | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Pete Hoekstra = ID Ten T

From a state that could definitely use congressional members with a bit more intellectual savvy comes Michigan's Pete Hoekstra.
Graham Cluley's blog states:
Hoekstra told The Washington Times' America's Morning News radio show that "it's time for America, South Korea, Japan and others to stand up to North Korea" by launching a retaliatory cyber attack or international sanctions.
Graham took Hoekstra to task for this moronic idea yesterday, before today's headlines quickly began to reveal the possibility that the attacks against S. Korea and the US may have actually originated in the UK. The simple reality is, maybe it did, maybe it didn't. The premise that one nation state should launch a cyber attack against another based on the presumise that they might be responsible for a DDoS attack is short-sighted to say the least.
Should we now cyber-bomb our British friends, Mr. Hoekstra? I believe, amongst other things, we and the Brits can agree that you a…

MIR-ROR updated, v1.1 now available

MIR-ROR 1.1 is available on the CodePlex MIR-ROR site. This is a minor update to the MIR-ROR script including a repaired path declaration. We also removed a pause statement to promote improve WMI scripting with MIR-ROR.
MIR-ROR is a specialized, command-line script for incident response that makes use of the Windows Sysinternals tools, as well as some other useful tools. Further, you can easily enhance the script to your liking with whatever command line tool you require for response.

Thanks to Bryan Casper, Mike Maonde, Alex Alborzfard, Gene Morganti, Andreas Bunten, Harlan Carvey, and Rick Wanner for feedback after the initial release. | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

ColdFusion, SaaS, and negligence

Recent headlines have described news pertinent to ColdFusion-related vulnerabilities and hacks specifically targeting the FCKEditor text editing tool, and the CKFinder file management tool. There have been further indications of attackers uploading a ColdFusion web shell as often seen on vulnerable PHP platforms.

These discussions reminded me of two significant pet peeves.
1) ColdFusion error verbosity and how useful it is to attackers.
2) Negligent vendors who do absolutely nothing about security vulnerabilities they've been advised of; worse still, when the vendor is a SaaS provider.

Case in point: WebPublish CMS

I communicated with these folks at multiple intervals via email and telephone from February 20, 2009 until April 23, 2009. It took multiple efforts just to get through as my messages were manually interpreted as "potential SPAM". Trust me, my security advisory language does not trip SPAM filters and is most often easily and well received. Yet, after finally making…

Malzilla: Exploring scareware and drive-by malware

Yesterday included a SANS ISC diary post regarding a tool list useful for de-obfuscation. Amongst the entries was Malzilla.
Fortuitous timing I say!
My toolsmith column for July's ISSA Journal is a complete analysis of Malzilla's capabilities.

Malzilla is best described as a useful program for use in exploring malicious pages, allowing you to choose your own User Agent and referrer and use proxies. While it downloads Web content, it does not render it, so it is not a browser. Think of it as WGET with a user interface and some very specific talents. In Using Malzilla, we’ll take a close look at rogue AV tactics and exploit sites in order to study the infection process utilized.

Lenny Zeltser contributed great feedback regarding Malzilla for this piece, thus furthering the tool's credibility.
Give the article a read and add Malzilla to your arsenal.
Cheers. | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)