Archive

Archive for March, 2006

Update – Delay

This project is still happening, in case anyone was wondering... Unfortunately I've run into problems... The host I'm using relies on cPanel which doesn't allow modification of the file privs on MySQL... They also won't do a custom mod for me... I now have two choices... write a script that will parse the update file as if it were the LOAD DATA command, or move to another host... I don't have time to contemplate the change at the moment, so I'm pushing back launching this project until most likely the end of April... hopefully I'll have it up before the calendar officially reads May.

Peace,
HT

Categories: CDVT - Version Tracker Tags:

In the News the last couple of days

Hey Hey,

I think the first thing that needs to be mentioned is Jerry Taylor and the city of Tuttle... those of you that haven't heard of this yet... check out http://www.centos.org/127_story.html?storyid=127, I can't believe this guy would actually threaten to call the FBI on CentOS because someone had installed their OS... Read it, laugh at him, understand why he's been making the news everywhere lately and then google him and the city and send him an email.

Other fun news includes the release of ophcrack 2.2, my favourite password cracking program... it's a handy little thing. They've also put the Ophcrack Live CD 1.0 up on their website.. I haven't played with it yet, but I'm always welcoming new things.. so let me know how it goes. - http://sourceforge.net/projects/ophcrack. In the FD thread regarding this topic... this also got a mention - http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/SSTIC04-2.7k.zip, a 1150MB set of rainbow tables from what I can tell... I have it downloading as we speak.

Next, we have FrSIRT, who has decided to start charging for exploits... I know this is a little old... but hey, I've been busy... read the article @ http://www.eweek.com/article2/0,1895,1938511,00.asp

After that we've got a whole slew of new software from iDefense being released free of charge

Codis - A Console Based Disassembler - http://labs.idefense.com/labs-software.php?show=18
COMRaider - A COM Object Interface Fuzzer - http://labs.idefense.com/labs-software.php?show=20
HookExplorer - A Utility to scan a target process and identify userland hooks - http://labs.idefense.com/labs-software.php?show=19

Lastly, we have the Kororaa project which has released an Xgl Live CD for people wishing to test it -- http://kororaa.org/

Peace,
HT

Categories: Daily Link List Tags:

New MS IE Vuln Published w/ PoC Exploit

So it looks like there's a new IE vuln floating around the past couple of days. Not much to say about it... other than it's effective.. definitely crashes IE... Wonder if anyone will find a way to also have it execute code..

The proof of concept that's out is available from - http://lcamtuf.coredump.cx/iedie.html. One important thing to note that followed the initial email is that this is most effective if run with only a single copy of IE open.
Here is the complete email for your reading pleasure:

----SNIP----
Good morning,

This might not come as a surprise, but there appears to be a *very* interesting and apparently very much exploitable overflow in Microsoft Internet Explorer (mshtml.dll).

This vulnerability can be triggered by specifying more than a couple thousand script action handlers (such as onLoad, onMouseMove, etc) for any single HTML tag. Due to a programming error, MSIE will then attempt to write to a memory array out of bounds, at an offset corresponding to the ID of the script action handler multiplied by 4 (due to 32-bit address clipping, the result is a small positive integer).

The list of IDs can be found on the Web, and is as follows (values in parentheses = resulting offsets):

onhelp = 0x8001177d (+0x45df4)
onclick = 0x80011778 (+0x45de0)
ondblclick = 0x80011779 (+0x45de4)
onkeyup = 0x80011776 (+0x45dd8)
onkeydown = 0x80011775 (+0x45dd4)
onkeypress = 0x80011777 (+0x45ddc)
onmouseup = 0x80011773 (+0x45dcc)
onmousedown = 0x80011772 (+0x45dc8)
onmousemove = 0x80011774 (+0x45dd0)
onmouseout = 0x80011771 (+0x45dc4)
onmouseover = 0x80011770 (+0x45dc0)
onreadystatechange = 0x80011789 (+0x45e24)
onafterupdate = 0x80011786 (+0x45e18)
onrowexit = 0x80011782 (+0x45e08)
onrowenter = 0x80011783 (+0x45e0c)
ondragstart = 0x80011793 (+0x45e4c)
onselectstart = 0x80011795 (+0x45e54)

What happens next depends on the structure of the page in which the malicious tag is embedded, as well as previously visited page and previously initialized extensions (all these factors can be controlled by the attacker).

When the offending page contains no additional elements, and the user is not redirected from elsewhere, the browser will typically crash immediately, because there is no allocated memory at the resulting offset.
In all other cases, crashes will typically occur later, due to attempted use of unrelated but corrupted in-memory buffers - for example, when the user attempts to leave or reload the page. Another good example is coming from a page that contains Macromedia Flash - this usually causes the Flash plugin itself to choke on corrupted memory on cleanup.

For non-believers, there's a short but fiery demonstration page available at http://lcamtuf.coredump.cx/iedie.html (yes, it will probably crash your browser).

Tested on MSIE 6.0.2900.2180.xpsp2.040806-1825 on Windows XP SP2. As far as I can tell, other browser makes (Firefox, Opera) are not susceptible to this attack.

I eagerly await due reprimand from Microsoft for not disclosing this vulnerability in a manner that benefits them most, not passing start, not collecting $200 (from iDefense?).

Regards,
/mz
http://lcamtuf.coredump.cx/silence/
----SNIP----
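The email states that each offset is the handler ID multiplied by 4 and clipped to 32 bits. The following added check (not part of the email or the blog post) reproduces that arithmetic over the table quoted above, so a reader can see why every result comes out as a small positive number: bit 31 of each ID is shifted past the 32-bit boundary and discarded.

```python
# Added example, not part of the quoted email: reproduce the offset arithmetic
# the email describes. Each entry is (handler ID, offset quoted in the email).
HANDLERS = {
    "onhelp":             (0x8001177d, 0x45df4),
    "onclick":            (0x80011778, 0x45de0),
    "ondblclick":         (0x80011779, 0x45de4),
    "onkeyup":            (0x80011776, 0x45dd8),
    "onkeydown":          (0x80011775, 0x45dd4),
    "onkeypress":         (0x80011777, 0x45ddc),
    "onmouseup":          (0x80011773, 0x45dcc),
    "onmousedown":        (0x80011772, 0x45dc8),
    "onmousemove":        (0x80011774, 0x45dd0),
    "onmouseout":         (0x80011771, 0x45dc4),
    "onmouseover":        (0x80011770, 0x45dc0),
    "onreadystatechange": (0x80011789, 0x45e24),
    "onafterupdate":      (0x80011786, 0x45e18),
    "onrowexit":          (0x80011782, 0x45e08),
    "onrowenter":         (0x80011783, 0x45e0c),
    "ondragstart":        (0x80011793, 0x45e4c),
    "onselectstart":      (0x80011795, 0x45e54),
}

MASK32 = 0xFFFFFFFF


def handler_offset(handler_id):
    """ID * 4 (an index scaled to 4-byte slots), truncated to 32 bits.

    Every ID has bit 31 set, so the product exceeds 2**33. Keeping only the
    low 32 bits, as a 32-bit address computation does, drops that high part
    and leaves the small positive offset the email lists.
    """
    return (handler_id * 4) & MASK32


def high_bits_discarded(handler_id):
    """The part of ID * 4 that does not fit in a 32-bit register."""
    return (handler_id * 4) >> 32


def verify_table():
    """Names whose computed offset disagrees with the email's table (expected: none)."""
    return [name for name, (hid, off) in HANDLERS.items() if handler_offset(hid) != off]


if __name__ == "__main__":
    for name, (hid, off) in HANDLERS.items():
        print(f"{name:20} 0x{hid:08x} -> +0x{handler_offset(hid):x} (email: +0x{off:x})")
    print("mismatches:", verify_table())
```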

Peace,
HT

Categories: IT, Security Tags:

Hacking Network Printers (HP JetDirect)

This is old news to those of you that follow AntiOnline.com and Irongeek.com that come here as well, and will be exciting for those of you that are attending Notacon, as Irongeek will be presenting this information there. Anyways... he has a really great tutorial on hacking network printers on his website @ http://www.irongeek.com/i.php?page=security/networkprinterhacking. Also he had a test example up using a PHP page @ http://tux.ius.edu/printer.php, however since being posted on digg.com he has had to take it offline because it was being hammered; check out the video to see how fast it was going.

Peace,
HT

Categories: IT, Tutorials Tags:

Unix History DVD

Looking for something to watch?

Check this out, Unix History -- http://bsdmall.com/historyofunix.html. I don't have it yet, but I've heard others speak of it. I plan on ordering it one of these days. Hopefully very soon... we'll see what happens though.

If you've seen it, let your fellow readers know if it's worth the $19.95.

Peace,
HT

Categories: IT Tags:

Little Endian vs Big Endian

So I do some programming... not a lot but enough to get by... I like networking, I like operating systems... I like getting my hands dirty... to me programming has always been something done by people that can't use a computer in its entirety... This belief is slowly starting to change... so I've decided to look further into the subject. To start... I looked into Little Endian and Big Endian numbers... It's really as simple as it sounds.. (unless someone replies and tells me I'm a moron). With little endian, the little number goes in the lowest address space.. so ones, then 10s, then hundreds (if you're talking decimal). With big endian, the big number goes in the lowest address space.. hundreds, then 10s, then ones... Little Endian = PC, Big Endian = Motorola (Pre-Intel Macs)... now I'm curious about the Intel Macs.. If anyone knows and wants to save me a simple google search.. feel free to contribute.. otherwise I'll do some googling..

Anyways.. I relied on this page which proved very interesting... Check it out http://www.cs.umass.edu/~verts/cs32/endian.html.
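To make the "ones, then tens, then hundreds" picture concrete, here is an added example (my own code, not from the post or the linked page) that lays one 32-bit value out in memory in both orders, reads it back, cross-checks against Python's struct module, and shows what you get when bytes written in one order are read in the other.

```python
# Added example, not from the post or the linked page: byte order in memory,
# with the decimal-digit analogy from the post. Assumes Python 3.
import struct
import sys


def to_bytes_little(value, width):
    """Least significant byte at the lowest address (the 'ones' go first)."""
    return [(value >> (8 * i)) & 0xFF for i in range(width)]


def to_bytes_big(value, width):
    """Most significant byte at the lowest address (the 'hundreds' go first)."""
    return list(reversed(to_bytes_little(value, width)))


def from_bytes(mem, little):
    """Rebuild the integer from a byte list, given which order it was written in."""
    ordered = mem if little else list(reversed(mem))
    return sum(b << (8 * i) for i, b in enumerate(ordered))


def decimal_digits(value, little):
    """Same idea in base 10: 345 -> [5, 4, 3] little-endian, [3, 4, 5] big-endian."""
    digits = [int(d) for d in str(value)]  # written form is big-endian
    return list(reversed(digits)) if little else digits


def misread(value, width):
    """Value obtained when little-endian bytes are read as if big-endian (a byte swap)."""
    return from_bytes(to_bytes_little(value, width), little=False)


def matches_struct(value):
    """Cross-check against struct: '<' packs little-endian, '>' packs big-endian."""
    return (to_bytes_little(value, 4) == list(struct.pack("<I", value))
            and to_bytes_big(value, 4) == list(struct.pack(">I", value)))


def host_order():
    """'little' on x86 PCs, matching the post's Little Endian = PC rule."""
    return sys.byteorder


if __name__ == "__main__":
    v = 0x01020304
    print("little-endian bytes:", [hex(b) for b in to_bytes_little(v, 4)])
    print("big-endian bytes:   ", [hex(b) for b in to_bytes_big(v, 4)])
    print("misread as big:     ", hex(misread(v, 4)))
    print("this host is", host_order(), "endian")
```

The misread case is the one that bites when parsing a file or packet format: the bytes are identical, only the interpretation differs.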

Peace,
HT

Categories: IT, Tutorials Tags:

Microsoft Spell Check

Apparently Microsoft doesn't spell check their error messages and output text... or if they do it's done manually..

Go to your command prompt (Verified on XP and 2k3) and type ipconfig ... Check out the MS spelling of recognize.

-----
D:\Program Files\Support Tools>ipconfig blahblah

Error: unrecongnized or incomplete command line.
-----

Just something I thought I'd share with you that I saw come across the mailing lists.

Peace,
HT

Categories: IT Tags:

SocksCap

So here's a cool little tool.... SocksCap... It allows any program that uses plain ol' TCP or UDP for its connections to tunnel over SOCKS.. regardless of whether the actual application supports it or not..

SocksCap™ is a non-commercial client for use with any SOCKSv5-compliant server. It is licensed for NON-COMMERCIAL HOME USE ONLY and should not be used by or in any governmental or commercial organization. SocksCap™ automatically enables Windows-based TCP and UDP networking client applications to traverse a SOCKS server. SocksCap intercepts the networking calls from WinSock applications and redirects them through the SOCKS server without modification to the original applications or to the operating system software or drivers.

Check it out @ http://www.socks.permeo.com/Download/SocksCapDownload/index.asp

Peace,
HT

Categories: IT, Tools Tags:

Perl Script Written

Hey Hey,

So I know everyone is anxious for this... the perl script is finally written.. only took a couple minutes but I'm lazy... Anyways, I'm going to implement it later tonight or tomorrow morning.. and try and co-ordinate with those who've expressed an interest on Sunday night... get a beta version live as early as Monday or Tuesday...

Stay Tuned.

Peace,
HT
Categories: CDVT - Version Tracker Tags:

Daily Link List – March 3rd

So it's been a while since there were one of these... but I've got a few things to share... Some have been passed to me, some I've found.. others are just cool...

First, let's cover Microsoft's free USB keys.... It's quite simple to get one... for those of you that don't follow Full Disclosure... check it out

----SNIP----

http://www.microsoft.com/mysterysolved/corp

Here are the answers to the four questions:
Q1. How many ways are there to obtain a full Microsoft® Windows® Desktop license?
Answer: 2

Q2: Volume License Agreements cover Windows Desktop operating system upgrades only.
Answer: True

Q3: OEM operating system licenses are non-transferable.
Answer: True

Q4: The most cost-effective way to acquire an initial, full underlying Windows Desktop license is preinstalled.
Answer: True

----SNIP----

I've got mine coming already... who knows maybe I'll get another sent to work or something.... anyways... let's see what else I have in my bag of goodies..

FreeNX -- http://freenx.berlios.de/  Think of this as being the same as RDP except from Windows, *nix or OS X to Linux and without the shitty speed and operation of VNC...  Best of all it's free... and very easy to implement... I may include screenshots in the near future... As I think this product deserves its own post..

RegShot -- This is handy for dealing with that pesky malware... Want to see what it actually changes in your registry... Set up a clean machine (virtual machine perhaps)... take a shot... install the malware... take another shot... compare the results.. You'll see every change that was made -- http://www.majorgeeks.com/download965.html -- It is definitely very cool...

F-Secure World Virus Map -- This is quite the new release... You can read the press release @ http://www.f-secure.com/news/items/news_2006030101.shtml. The English version of the map is found @ http://worldmap.f-secure.com/vwweb_1_2/en/previous_day. It lets you drill down and see virus distribution for the previous day... I was quite impressed... it's handy to have around..
That's all for now.. This weekend I'm going to catch myself up-to-date.

Peace,
HT

Categories: Daily Link List Tags: