The latest version of freebsd is found to be vulnerable. This vulnerability is found in run time link editor (rtld) which can be tricked to accept LD variables even on setugid binaries. You might see this flaw by analyzing this exploit.

With this leaked exploit, it’s more than 10 exploitable vulnerability leaked to public this year (2009)! So it’s that true if freebsd as secure as what people said?!

Thinking how to backdoor & keylog website in unusual way is something that fun to be implemented. Kiddies usually use public backdoor to come back to compromised server or website, dumping the database, and cracking hash of confidential information likes password and CC number. Public backdoor is somewhat easy to be detected by administrator while hash cracking sometimes gives no result.

Modifying source code of website to be a backdoor and keylogger is not kind of new technique, but just few kiddies know about this. By modifying the source code, we can make more invisible backdoor than using public ones. We also can record confidential information likes password and CC number in plaintext, so we don’t have to crack it. I have implemented this technique in phpbb3, modifying its source code become backdoor & keylogger. This concept can be used to modify ecommerce application so just try to imagine when your CC number being stolen.

Download my paper, presentation, and phpbb3 patch which has been presented in STIMIK Palcomtech Palembang.

Kami dari komite idsecconf 2009 memberi kesempatan pada rekan-rekan penggiat keamanan komputer di seluruh Indonesia untuk berpartisipasi lewat penyerahan paper. Topik yang kami cari adalah seperti di bawah ini:

* Web hacking
* Wireless hacking
* Metode Penetration testing
* Forensic dan Anti Forensic
* Kriptografi
* Fuzzing
* Exploit writing
* System hardening
* Lock Picking
* Open Hardware Implementation

Jika anda memiliki judul paper diluar cakupan topik diatas, kami masih terbuka untuk mempertimbangkannya selama masih berkaitan dengan security.

Format paper adalah file Open Office Writer dengan ukuran halaman “Letter” Gambar bisa langsung disisipkan ke dalam dokumen atau dibuat terpisah. Format gambar adalah PNG dengan ukuran dimensi maksimal (lebar x tinggi ) 640 x 480 pixel dengan resolusi 72 pixel per inch. Jika nama file dipisahkan, mohon nama file dirujuk dari naskah. Setiap gambar harap disertai keterangan secukupnya.

Naskah yang dikirimkan juga sudah harus mencakup:

# Nick, email dan nomer telepon yang bisa dihubungi
# Biografi singkat, afiliasi, dan achievement (Maksimal 250 Kata).
# Rangkuman dari Persentasi (Abstraksi)(Maksimal 1250 Kata)
# Peralatan Pendukung yang dibutuhkan (video, internet, wireless, audio, etc.)
# Durasi yang di butuhkan (60 menit, 90 menit, 120 menit)

Pengiriman naskah ditujukan ke e-mail address: submitHAPUSHURUFBESAR@idsecconf.org dan
diterima paling lambat Jumat, 18 September 2009.

Keputusan penerimaan atau penolakan paper adalah sepenuhnya wewenang komite idsecconf 2009 dan tidak bisa diganggu gugat. Bagi yang papernya diterima, akan menerima pemberitahuan tertulis lewat e-mail untuk persiapan presentasi on-stage pada acara idsecconf 2009.

Kami tunggu partisipasi anda semuanya!

salam,

komite idsecconf 2009

An independent security consultant publicized this week the details to a critical flaw in the server message block version 2 (SMB2) component of Microsoft’s Windows Vista, Windows Server 2008, and the release candidate for Windows 7.

The researcher, Laurent Gaffié, claimed in his advisory that the vulnerability causes a Blue Screen of Death, a pernicious crash on Windows system, but other researchers have subsequently concluded that the flaw is actually remotely exploitable, a more serious issue.

Microsoft acknowledged the flaw on Tuesday in an advisory. The flaw does not affect the latest version of Windows 7, Windows Server 2008 R2, nor Windows XP, the company stated. Microsoft took the researcher to task for disclosing the information before it fixed the security issue.

Yet, Gaffié argued that the disclosure was fair. The software company should have done more software quality assurance (SQA) on the networking components, he said in an e-mail interview with SecurityFocus. If they did, they would have easily found the issue — it took his fuzzer only 15 packets to crash the component, he said.

“So I personally think the one who has been irresponsible is Microsoft for shipping this driver on any Server 2008, Vista, and Windows 7 (system) without doing any SQA and security review,” he responded.

Gaffié said he notified the company, but had a typo in the e-mail address.

The flaw was disclosed on Monday, the day before Microsoft’s regularly scheduled patch day. The software giant issued five patches for eight vulnerabilities, including three flaws in the company’s TCP/IP networking stack. Other flaws affected Windows’ Javascript engine and its Windows Media components.

While Microsoft has not released a fix for the issue, the software giant recommended that administrators disable SMB version 2 or block the specific TCP ports (139 and 445) used by the file-sharing feature.

Source : http://www.securityfocus.com/brief/1009

Yupe, that’s true when sock_sendpage() is discovered to be vulnerable by Tavis Ormandy and Julien Tinnes. The function is vulnerable to NULL pointer dereference that can be exploited to escalate priviledge to be root. Most of linux kernel are reported to be vulnerable. Exploit to take advantage of this flaw has been developed and spreaded freely on internet. The exploit can be used to bypass security restriction like SElinux.

http://milw0rm.com/exploits/9435 - the first written exploit by spender of gresecurity
http://milw0rm.com/exploits/9436 - another exploit taken from www.frasunek.com
http://milw0rm.com/exploits/9479 - another exploit from p0c73n1
http://milw0rm.com/exploits/9545 - another exploit written by Ramon de Carvalho Valle of risesecurity

Download the exploit, compile and execute! BOOMMM It’s root! Finally, this post is a little bit late :D.

It just fun to try exploiting pulseaudio to gain root priviledge, well my Ubuntu Intrepid is indeed exploitable.

Searching more about linux, i find an exploit to attack RHEL family with SELinux enabled here. So, is that true linux more secure than windows?? The fact which makes linux more secure is the people behind the machine. So many linux administrators is much more skilled than windows ones.

DEFINITION
Anti-forensics has only recently been recognized as a legitimate field of study. Within this field of study, numerous definitions of anti-forensics abound. One of the more widely known and accepted definitions comes from Dr. Marc Rogers of Purdue University. Dr. Rogers uses a more traditional “crime scene” approach when defining anti-forensics. “Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct”.

A more abbreviated definition is given by Scott Berinato in his article entitled, The Rise of Anti-Forensics. “Anti-forensics is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.” Interestingly, neither author takes into account using anti-forensics methods to ensure the privacy of one’s personal data.

Sub-Categories
Anti-forensics methods are often broken down into several sub-categories to make classification of the various tools and techniques simpler. One of the more widely accepted subcategory breakdowns was developed by Dr. Marcus Rogers. He has proposed the following sub-categories, data hiding, artifact wiping, trail obfuscation and attacks against the CF (computer forensics) process/tools.

Read more »

This is my presentation in STIMIK Dipanegara Makasar. I try to describe Web and Wireless exploitation conceptually & technically. This presentation consist of:

• Web Hacking; I try to describe top 3 web exploitation, SQL Injection, File Inclussion, and Cross Site Scripting (XSS). My explanation are including SQL injection in login form, SQL injection in URI parameter, Local File Inclussion, Remote File Inclussion, DOM based XSS, Non-persistent XSS, and persistent XSS.
• Wireless hacking; I try to describe how to do war driving and how to exploit wireless network. Exploiting wireless network includes how to spoof MAC address, creating Rogue AP, Cracking WEP, Cracking WPA-PSK, and Denial of Service (DoS).

This presentation is not including how to defend that kind of attacking, but i’m sure this presentation is cool enough to start learning Web & Wireless Hacking. Download my presentation here.

Password cracking which uses some computers to accelerate password cracking process. It usually uses computer clusters and some software to support parallel computing. Some known software to do parallel computing in cluster computers are:

• John The Ripper and Condor, John works as password cracker while Condor works as scheduler which parallelizes cracking proccess and distributes it to clusters.
• John The Ripper and Djohn, John works as password cracker while Djohn works as client-servers application which parallelizes cracking proccess and distributes it to clusters.
• Medussa, password cracker which’s originally designed to do parallel password cracking. It contains client servers application to parallelize cracking proccess and distribute it to clusters.
• John The Ripper with MPI patch, john which’s developed using MPI programming. MPI is standard de facto for parallel programming which’s implemented on some softwares i.e : OpenMPI, MPICH, and LAM/MPI.

Our presentation describes how to do parallel cracking using John The Ripper with MPI patch. We use 15 dual core computers and LAM/MPI in distributing cracking proccess. Download our presentation here.

The complete title is “global trend attack in local network“, this is my presentation in Telkom RDC Bandung at last 2007. It’s old but still nice enough to know what threats may disturb your network. Download my presentation here.

This presentation explains top 6 flaws which’s commonly exploited in Local Network. They are:

• Spoofing; ARP Spoofing, IP Spoofing, DHCP Spoofing, DNS Spoofing are commonly exploited.
• Man In The Middle; Using some spoofing techniques to do Man In The Middle attack.
• Sniffing; Combining Man in The Middle with some tricks to passively intercept communication in Local Network.
• TCP/IP Hijacking; Doing active sniffing and modificating data traffic to take over active TCP/IP connection.
• Remote Code Execution; Using some software application flaws to exploit local network infrastructure. Buffer Overflow and Format String are the most common flaws to be exploited in Local Network.
• Denial of Service; Most powerful denial of service (DoS) comes from Local Network.

This presentation is completed with ways to defend this attacks and minimize security risks.

ISO/IEC 20000 is the first international standard for IT Service Management. It is based on and is intended to supersede the earlier British Standard, BS 15000.

Formally: ISO 20000-1 (’part 1′) “promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements”. It comprises ten sections:

• Scope
• Terms & Definitions
• Planning and Implementing Service Management
• Requirements for a Management System
• Planning & Implementing New or Changed Services
• Service Delivery Processes
• Relationship Processes
• Control Processes
• Resolution Processes
• Release Process.

ISO 20000-2 (’part 2′) is a ‘code of practice’, and describes the best practices for service management within the scope of ISO 20000-1. It comprises the same sections as ‘part 1′ but excludes the ‘Requirements for a Management system’ as no requirements are imposed by ‘part 2′.

ISO 20000, like its BS 15000 predecessor, was originally developed to reflect best practice guidance contained within the ITIL (Information Technology Infrastructure Library) framework, although it equally supports other IT Service Management frameworks and approaches including Microsoft Operations Framework and components of ISACA’s CobIT framework. It comprises two parts: a specification for IT Service Management and a code of practice for service management. The differentiation between ISO 20000 and BS 15000 has been addressed by Jenny Dugmore.

The standard was first published in December 2005.

Taken From : http://en.wikipedia.org/wiki/ISO_20000

Introduction

Grid computing is kind of new technology which has been known since 1990s. It idea was brought together by Ian Foster, Carl Kesselman, and Steve Tuecke, widely regardes as “Father of Grid”. Grid computing is defined as group of node computation which works together in distributed computing. You can find some grid project in wikipedia article here.

Each node in grid has computer cluster to perform high performance computing through parallel computation. A computer cluster consists of a headnode (master) and some computational nodes (slaves). Headnode is responsible in communicating with the other headnode in grid, managing computation resource, and scheduling computation jobs to slave. We don’t want to explain detail how computer cluster works. In this article, our interest is in grid computing and why it’s vulnerable to some hacking exploitation.

How Grid Works

Grid computing is really complex inside its technology, so the chance of being exploited is really big. Grid computing needs a good network connectivity, many TCP/IP services, encryption, parallel programming, and web service. A headnode of cluster trusts the other because valid Certificate Authority (CA) is installed on both of headnode. CA which installed on headnode is called as Host CA. TCP/IP services is needed in headnode to send or receive data or execute jobs between two or more headnodes. There is two services in headnode which need to communicate a headnode to other, 1st is GridFTP service which is responsible in data transfer between two or more headnodes and 2nd is Web Service Container which is responsible in receiving jobs from user. Both services can be activated by installing Globus Toolkit which is de facto standard open source software for grid.

Read more »

I just look arround on milw0rm today and searching for linux kernel exploit, luckily i find four new linux kernel exploits.

• First exploit is to attack linux kernel locally using exit_notify() function vulnerability. This flaw affects linux kernel less than 2.6.29 (most of linux kernel). Just take a look here for the proof of concept.

• Second exploit is to attack linux kernel locally using UDEV vulnerability. Udev less than 1.4.1 is reported that it doesn’t verify wheter a NETLINK message originates from kernel space, which allows local users to gain root priviledge by sending a NETLINK message from user space. Let take a look here and here for the proof of concept.

• Third exploit is to attack linux kernel remotely using SCTP FWD memory corruption. Some people say this bug isn’t exploitable untill sgrakkyu gives his explanation. Sgrakkyu explanation can be read here, take a look here for the proof of concept. This flaw affects most of linux kernel.

• Fourth exploit is to attack linux kernel locally using ptrace_attach() function vulnerability. This flaw affects linux kernel version 2.6.29. Just take a look here and here for the proof of concept.

Now i just think, which is more secure by default “linux or windows??“, even openbsd which’s claimed as the most secured operating system has a stupid bugs inside its code.

Computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage mediums. Computer forensics is also known as digital forensics.

The goal of computer forensics is to explain the current state of a digital artifact. The term digital artifact can include a computer system, a storage medium (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network. The explanation can be as straightforward as “what information is here?” and as detailed as “what is the sequence of events responsible for the present situation?”

The field of Computer Forensics also has sub branches within it such as Firewall Forensics, Database Forensics and Mobile Device Forensics.

There are many reasons to employ the techniques of computer forensics:

• In legal cases, computer forensic techniques are frequently used to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
• To recover data in the event of a hardware or software failure.
• To analyze a computer system after a break-in, for example, to determine how the attacker gained access and what the attacker did.
• To gather evidence against an employee that an organization wishes to terminate.
• To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.

  Read more »

  
  No Comments »  

Introduction

802.1x is an IEEE standard for port-based (well, we would rather say interface-based) enduser authentication on LANs. While it supports (and was initially designed for) Ethernet, the main current use of 802.1x is wireless users’ authentication as a part of the wireless security scheme provided by the 802.11i security standard. The 802.1x authentication chain consists of three elements:

• Supplicant An end-user station, often a laptop, that runs 802.1x client software.
• Authenticator A switch, a wireless gateway, or an access point to which the authenticating users connect. It must be configured to support 802.1x on the involved interfaces with commands like aaa authentication dot1x default group radius (global configuration) and dot1x port control auto (switch interface).
• Authentication server A RADIUS server to which authenticators forward end users’ authentication requests for verification and authentication decision.

EAP-LEAP Basics

The Extensible Authentication Protocol (EAP) is used by all three 802.1x component devices to communicate with each other. It is extensible since many different EAP types exist for all kinds of authentication plans—for example, employing SIM cards, tokens, certificates, and more traditional passwords. Here we are interested only in Cisco-related protocols and products, thus the security weaknesses of EAP-LEAP are the target of the discussion.

Read more »