Archive for December, 2006

Webfuzz — A series of basically useless Python Scripts

So a while ago I wrote a few small scripts, all based on the same imported helper script. They're nothing special, but I figure maybe someone, somewhere has a use for them... So I've done up a small readme (which I've included with the files) and put them into a package for everyone to enjoy (or laugh at :) ). Grab them, play with them and let me know what you think.

Webfuzz Scripts

Peace,
HT

From the Readme:
-------

headerfuzz.py: This script takes a host and a max string size
as its two arguments. It then iterates through
various Methods and Headers... The data for each
header will grow until max string size is reached.

mimefuzz.py: This script takes two headers (Accept and
Content-Type) and iterates through them.
Various mime types are appended to these
fields. The only input for this script is
a host.

randheader.py: This script takes host, max string size, headers
per send, and max times to run as its arguments.
Random headers are paired together (to the
supplied max) and each is populated with a
string of characters (to max string size).

randmime.py: This script takes a host, a number of iterations,
and a max mimetype count. It loops through each
iteration, appending random mimetypes.

webfuzz.py: My original intent was that this could be used
to fingerprint devices which speak HTTP. Certain
"allowed" values are populated for various
headers. This is iterated through.


Nmap vs SinFP

So I'd previously looked into the differences between Nmap and SinFP... I decided to do something a little more organized and readable. The results are available in two formats: XLS Results and HTML Results

Some of the results were expected, some were interesting... some were unexpected. I can't wait to see nmap 4.20 once its fingerprint database is as populated as the previous one, as it did have a lot of unknowns. I did manage to flood both Fyodor and Gomor with fingerprints though... Hopefully they'll have fun incorporating them into their products.

As a note, I also attempted to bring my Nintendo DS Lite online and scan it... While I manually assigned the IP, neither of the products was able to scan it; both returned nothing for results. I may play with it a bit more and see if I can come up with anything, but for now here are the results.

Peace,
HT

Update: I just spoke with Fyodor via email and he had a question that I realized I should have addressed... So here we go.

Options used for the various scans:

Nmap 4.03: nmap -O --osscan-guess
Nmap 4.20: nmap -O

SinFP: sinfp.pl -H -i <host> -p <port>

I had forgotten to enable --osscan-guess for 4.20 until about halfway through and then realized it... so I just left it out for the remaining tests. As for the port used with SinFP, it varied depending on host, however for the most part I stuck to ports 22, 80 and 445.


Microsoft is investigating a possible 0-day in Word

I just wanted to toss everyone a quick heads up... This just came across ISC and I wanted to inform my readers. It seems that Microsoft is investigating a possible 0-day in Word; they have issued an advisory on the subject. A user must actively open a document in order to be exploited.
Affected Software List:

  • Microsoft Word 2000
  • Microsoft Word 2002
  • Microsoft Office Word 2003
  • Microsoft Word Viewer 2003
  • Microsoft Word 2004 for Mac
  • Microsoft Word 2004 v. X for Mac
  • Microsoft Works 2004
  • Microsoft Works 2005
  • Microsoft Works 2006

This is a good time to remind your colleagues and friends... your users or your managers that they shouldn't open attachments from people they don't know... and even better advice would be to never open unsolicited attachments.

CVE-2006-5994

Peace,
HT


SinFP vs Nmap

About a month ago I posted a Daily Link List... In this list I mentioned that a new version of SinFP was available and that I had not been overly impressed with previous versions of the product. Shortly after, a comment was posted by Gomor (the author of SinFP) asking me to perform further testing with the new version and give it a try. I decided it was about time to give it a go. So last weekend, I downloaded the package on my Mac (PPC architecture) and started the install... About halfway through I received an error message that Big Endian systems were not supported and the install died. I decided to try again with a PC (Ubuntu 6.10). The install sailed through and I decided to give it a try.

I first tried as my regular user and received an error message:

user@host:/usr/local/sinfp/bin$ ./sinfp.pl -i 192.168.X.X
Must be EUID 0 to open a device for writing at /usr/local/sinfp/bin/../lib/Net/Packet/DescL3.pm line 86

OK, so you have to be root... nmap also requires root permissions to perform a -O (OS detection) scan.

su - to root and try again... this time the results were slightly better. The scan completed with the following results:

root@host:/usr/local/sinfp/bin# ./sinfp.pl -i 192.168.X.X
P1: B11113 F0x12 W65535 O0204ffff M1260
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1260
P3: B11021 F0x04 W0 O0 M0
IPv4: unknown

*** File [sinfp4-127.0.0.1.anon.pcap] generation done.
*** Please send it to sinfp@gomor.org if you think this is not
*** the good identification, or if it is a new signature.
*** In this last case, please specify `uname -a' (or equivalent)
*** from the target host.

Let's try the same scan on nmap (ver. 4.03) (only OS information displayed):

Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows 2003 Server or XP SP2

Now the machine is Windows XP SP2... However, Gomor suggested that I try the -H option, so we'll do that next. With -H the results are slightly better... nmap narrowed it down to 2K3 or XP with SP2, while SinFP returned these results:

root@host:/usr/local/sinfp/bin# ./sinfp.pl -i 192.168.X.X -H
P1: B11113 F0x12 W65535 O0204ffff M1260
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1260
P3: B11021 F0x04 W0 O0 M0
IPv4: BH0FH0WH1OH0MH2/P1P2P3: Windows: Windows: 2000
IPv4: BH0FH0WH1OH0MH2/P1P2P3: Windows: Windows: XP

*** File [sinfp4-127.0.0.1.anon.pcap] generation done.
*** Please send it to sinfp@gomor.org if you think this is not
*** the good identification, or if it is a new signature.
*** In this last case, please specify `uname -a' (or equivalent)
*** from the target host.

These results are nearly as specific or as accurate as nmap's results. Now this is a single host... I figure I'll give a few others a try. I decided to try my laptop (Ubuntu 6.10).

First attempt:

root@host:/usr/local/sinfp/bin# ./sinfp.pl -i 192.168.X.X
*** Cannot fingerprint a closed or filtered port

Oh yeah, I have to target a port (port 80 is the default open port, however you can specify another port using the -p flag). To simplify things, I'll use port 80 and simply turn on Apache.

root@tr-laptop:/usr/local/sinfp/bin# /etc/init.d/apache2 start
* Starting apache 2.0 web server... [Mon Dec 04 19:21:07 2006] [warn] module proxy_http_module is already loaded, skipping
[ ok ]

Let's also verify that it actually did start.

root@host:/usr/local/sinfp/bin# nc localhost 80
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Tue, 05 Dec 2006 00:21:32 GMT
Server: Apache/2.0.55 (Ubuntu) mod_python/3.2.8 Python/2.4.4c1 PHP/4.4.2-1.1 proxy_html/2.4 mod_perl/2.0.2 Perl/v5.8.8
Last-Modified: Thu, 20 Jul 2006 22:31:14 GMT
ETag: "5c80f8-12b-f003f080"
Accept-Ranges: bytes
Content-Length: 299
Connection: close
Content-Type: text/html; charset=UTF-8

So let's try SinFP again:

root@tr-laptop:/usr/local/sinfp/bin# ./sinfp.pl -i 192.168.X.X
*** Cannot fingerprint a closed or filtered port

It still can't find it... I'm going to say that maybe you can't scan the host you're on; however, if Gomor is reading this, I'd love his thoughts on why this didn't work. (I also tried ports 445 and 111; however, I didn't read the documentation, so maybe it states you can't scan localhost.) Moving on, let's test a few more hosts.

Here's another XP SP2 (fresh install) with only port 3389 open... Let's look at the results:

root@host:/usr/local/sinfp/bin# nmap -O 192.168.X.X
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-12-04 19:53 EST
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on (192.168.X.X):
(The 1673 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
3389/tcp open ms-term-serv
MAC Address: 00:0C:F1:DF:FD:F5 (Intel)
Device type: general purpose
Running: IBM AIX 4.X, Microsoft Windows 2003/.NET|NT/2K/XP
OS details: IBM AIX 4.3.2.0-4.3.3.0 on an IBM RS/*, Microsoft Windows 2003 Server or XP SP2, Microsoft Windows XP SP2
Nmap finished: 1 IP address (1 host up) scanned in 25.183 seconds
root@host:/usr/local/sinfp/bin# ./sinfp.pl -i 192.168.X.X -p 3389
P1: B11113 F0x12 W65535 O0204ffff M1460
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B11021 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: 2000
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: XP

*** File [sinfp4-127.0.0.1.anon.pcap] generation done.
*** Please send it to sinfp@gomor.org if you think this is not
*** the good identification, or if it is a new signature.
*** In this last case, please specify `uname -a' (or equivalent)
*** from the target host.

I'm still waiting to see it correctly and easily identify a Windows XP machine, so I've decided to continue my testing...

The output from three additional XP SP2 machines:

root@host:/usr/local/sinfp/bin# ./sinfp.pl -i 192.168.X.X -p 445
P1: B11113 F0x12 W65535 O0204ffff M1460
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B11021 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: 2000
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: XP
root@host:/usr/local/sinfp/bin# ./sinfp.pl -i 192.168.X.X -p 445
P1: B11113 F0x12 W65535 O0204ffff M1260
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1260
P3: B11021 F0x04 W0 O0 M0
IPv4: unknown
root@host:/usr/local/sinfp/bin# ./sinfp.pl -i 192.168.X.X -p 445
P1: B11113 F0x12 W65535 O0204ffff M1460
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B11021 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: 2000
IPv4: HEURISTIC0/P1P2P3: Windows: Windows: XP

I'm not overly impressed: it has yet to correctly identify a single XP host, it can't seem to distinguish between XP and 2000, and it doesn't identify service pack levels. I'm going to move on to FreeBSD.

First Host ( FreeBSD 4.8 ) :

root@host:/usr/local/sinfp/bin# ./sinfp.pl -i 192.168.X.X -p 139
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 4.10
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 4.11
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 4.7
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 4.9
root@host:/usr/local/sinfp/bin# nmap -O 192.168.X.X
Running: FreeBSD 4.X
OS details: FreeBSD 4.6.2-RELEASE - 4.8-RELEASE

Second Host ( FreeBSD 5.3 ) :

root@host:/usr/local/sinfp/bin# nmap -O 192.168.X.X
Running: FreeBSD 5.X
OS details: FreeBSD 5.3-STABLE
root@host:/usr/local/sinfp/bin# ./sinfp.pl -i 192.168.X.X -p 139
IPv4: BH0FH0WH0OH1MH0/P1P2P3: BSD: FreeBSD: 5.3
IPv4: BH0FH0WH0OH1MH0/P1P2P3: BSD: FreeBSD: 5.4
IPv4: BH0FH0WH0OH1MH0/P1P2P3: BSD: FreeBSD: 5.5
IPv4: BH0FH0WH0OH1MH0/P1P2P3: BSD: FreeBSD: 6.0
IPv4: BH0FH0WH0OH1MH0/P1P2P3: BSD: FreeBSD: 6.1
IPv4: BH0FH0WH0OH1MH0/P1P2P3: BSD: FreeBSD: 7.0

Third Host ( FreeBSD 5.4 ) :

root@host:/usr/local/sinfp/bin# ./sinfp.pl -i 192.168.X.X -p 139
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 5.3
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 5.4
IPv4: HEURISTIC0/P1P2P3: BSD: FreeBSD: 5.5
root@host:/usr/local/sinfp/bin# nmap -O 192.168.X.X
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

While SinFP was never completely accurate, it did outperform nmap on one of the hosts.

Now for some random hosts (No output data, just OS results)

SunOS 4.1.4
SinFP: IPv4: HEURISTIC0/P1P2: Stack: 4.3BSD: unknown
nmap: Unknown

SunOS 5.6
SinFP: Unknown
nmap: Unknown

Fedora Core 3 ( 2.6.9-1.667 )
SinFP: IPv4: BH0FH0WH0OH0MH1/P1P2: GNU/Linux: Linux: 2.6.x
nmap: Unknown

AIX 4.3
SinFP: Unknown
nmap: Unknown

The results are interesting overall... While nmap is able to give more accurate OS breakdowns (service pack level and actual OS), it seems that SinFP is accurate almost as often... and occasionally actually outperforms nmap. Overall, I'm not impressed, simply because of its inability to accurately detect Windows operating systems... but it is definitely better than it was when I originally tested the 1.x family.
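To make the P1/P2/P3 lines above readable, here is an added Python example (my own code, not SinFP's and not from the original post) that parses those probe lines and decodes the raw TCP option bytes in the O field. The meanings assumed for F (TCP flags), W (window), O (options as hex) and M (MSS) come from reading SinFP's output; the B field is kept verbatim and not decoded. One observation from the scans quoted above: every probe line with M1260 came back "unknown" until -H was used, while the M1460 hosts matched with HEURISTIC0, consistent with the MH2 marker in the -H result being a heuristic match on the MSS field.

```python
"""Parse SinFP probe lines (P1/P2/P3) and decode their TCP options."""
import re

# Sample lines copied from the XP SP2 scan quoted in the post.
SAMPLE = """\
P1: B11113 F0x12 W65535 O0204ffff M1260
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1260
P3: B11021 F0x04 W0 O0 M0
"""

LINE_RE = re.compile(r"^(P[123]): B(\S+) F(0x[0-9a-f]+) W(\d+) O([0-9a-f]+) M(\d+)$")
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
OPT_KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACKOK", 5: "SACK", 8: "TIMESTAMP"}


def decode_flags(value):
    """0x12 -> ['SYN', 'ACK'] (a SYN/ACK reply), 0x04 -> ['RST']."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if value & bit]


def decode_options(hexstr):
    """Walk TCP option bytes: EOL/NOP are one byte, everything else is kind, len, data.
    SinFP prints 'O0' when the reply carried no options (the P3 RST above), and
    masks the MSS option data as ffff while reporting the real MSS in the M field."""
    data = b"" if hexstr == "0" else bytes.fromhex(hexstr)
    out, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind in (0, 1):
            out.append((OPT_KINDS[kind], b""))
            i += 1
            continue
        # Refuse malformed input instead of reading past the buffer.
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("truncated or malformed TCP option at offset %d" % i)
        length = data[i + 1]
        out.append((OPT_KINDS.get(kind, "KIND%d" % kind), data[i + 2:i + length]))
        i += length
    return out


def parse_probe_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a SinFP probe line: %r" % line)
    probe, b, flags, win, opts, mss = m.groups()
    return {"probe": probe, "B": b, "flags": decode_flags(int(flags, 16)),
            "window": int(win), "options": decode_options(opts), "mss": int(mss)}


def parse_signature(text):
    """Return one dict per P-line; other SinFP output lines are ignored."""
    return [parse_probe_line(l) for l in text.splitlines() if l.startswith("P")]


if __name__ == "__main__":
    for probe in parse_signature(SAMPLE):
        print(probe["probe"], probe["flags"], probe["mss"],
              [kind for kind, _ in probe["options"]])
```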

Peace,
HT


Are We There Yet?

rpoppa, a colleague of mine at nCircle, has written a rather interesting blog post on The Successes and Failures of the Security Industry. I recommend that everyone go over and give it a read.

The post covers 15 "statements" about security and then uses a paragraph or two to delve more deeply into each of them. The statements are:

1) Today feels a lot like yesterday
2) The role of a Security Professional
3) There are too many so-called "Security Professionals"!
4) Security Breeds Apathy.
5) Security can be overwhelming
6) People are afraid of what they don't understand.
7) Security is not seamless.
8) End users are ignorant
9) Not all security is right for you.
10) The World is a War Zone
11) It is no longer about the Chase, it is about the Money!
12) Attacks are Polymorphic.
13) Vendors and Security don't match.
14) The industry is immature
15) 2+2=1

So go give it a read and then leave your feedback and comments.

Peace,
HT


Update on Blackberry PDF

So since my post mentioning the BlackBerry PDF, a lot of people have emailed me to ask if I've found the document yet. The answer is yes... However, I'm not going to post it here, simply because of bandwidth issues. Also, milw0rm has recently added it to its collection, so those of you interested in reading it can download it from there.

Peace,
HT


MS Windows spoolss GetPrinterData() 0day Memory Allocation Remote DoS Exploit

Let's call this attempt #2. I attempted to blog on this subject earlier this evening, but when I published the post, only half of it was there... I've learned to either save frequently... or use an outside text editor to compose my posts.

Anyways, a couple of blogs have been mentioning a new 0-day DoS which is available on milw0rm. FrSIRT has released an advisory on the subject. I spent some time earlier today looking into the exploit...

This is included in the comments of the exploit (which is written in python):

# Tested on Windows 2000 SP4 Polish + All Microsoft Security Bulletins
# Example:
#
# C:\>python spoolss_dos.py 192.168.0.2 512
#
# [*] MS Windows GetPrinterData() 0day Memory Allocation Remote DoS Exploit
# [*] Coded by h07
# [*] Connecting to 192.168.0.2:445
# [+] Connected
# [+] The NETBIOS connection with the remote host timed out.
# [+] 192.168.0.2: Out of memory
# [+] Done
#
# Exploit --> GetPrinterData(handle, value, 1024 * 1024 * 512) --> MS_Windows
# Spooler service(spoolsv.exe) memory usage: 512 MB

I tested the exploit against Windows XP SP2. Both machines that I tested it against returned the message "Return code: Access denied (0x00000005)". This same message was also received when attempting the exploit on a Windows XP SP1 machine.
I moved my testing on to 2K. In the end I ran the exploit about 10 times, using values from 128 to 1024. Every time I ran the DoS the amount of memory in use would increase. If I attempted a value higher than the remaining available memory, I would receive a "Memory Allocation Error". When I reached the end of the available memory, my virtual memory would grow until it finally hit the maximum allowed virtual memory. At this point I received an error message on the system informing me that my Virtual Memory Minimum was too low. I ran the exploit a couple more times after this happened (using 256 as my value) and eventually the UI became unresponsive. I could very slowly move the mouse, however the taskbar clock wasn't updating with the time, and I couldn't click on anything. I was essentially forced to reboot the system. Upon reboot, there was no indication of what had caused the problem, or that there had been a problem.

It is important to remember that this DoS requires the Print Spooler service to be enabled. For a previous Print Spooler vulnerability, Microsoft offered the following advice:

Option 1: Disable the Print Spooler service
(HT's Note: This solution was suggested on Donna's Security Flash as well as in the MS advisory MS05-043. I suggest option two, which is below and was also included in MS05-043.)

Disabling the Print Spooler service will help protect the affected system from attempts to exploit this vulnerability. To disable the Print Spooler service, follow these steps:

1. Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.

2. Double-click Administrative Tools.

3. Double-click Services.

4. Double-click Print Spooler.

5. In the Startup type list, click Disabled.

6. Click Stop, and then click OK.

You can also stop and disable the Print Spooler service by using the following command at the command prompt:

sc stop Spooler & sc config Spooler start= disabled

Impact of Workaround: If you disable the Print Spooler service, you cannot print locally or remotely. Therefore, we recommend this workaround only on systems that do not require printing.

------

Option 2: Remove Printer Spooler Service from NullSessionPipes.

On Windows 2000 Server Service Pack 4 remove the Print Spooler service from the NullSessionPipes registry key:

1. Click Start, click Run, type "regedt32" (without the quotation marks), and then click OK.

2. In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes

3. Edit the registry key and remove the SPOOLSS value.

4. Restart the affected system after performing these actions.

Impact of Workaround: Anonymous connections to the Print Spooler service will not be allowed. This is the default behavior of later operating system versions.

It is also important to note that, based on the output we see in the exploit, it would appear that access to port 445 is required. Firewalling this port should prevent remote DoS attempts.

Peace,
HT


Microsoft Releases an XP SP2 VPC Image

Microsoft has made a VPC image available for testing IE 6 to IE 7 web site transitions… but anyone can download the image (all it requires is Windows Genuine Validation)… The idea is that users will have the image with IE 6 and their computer with IE 7… The image has an expiry date of April 2007… but if you want to test Virtual PC without taking the time to install Windows on it, here’s an easy way to do it.

Download Link

Peace,
HT
