M32 Security » Corporate

Critical Flaw In RDP Exposes ALL Versions of Windows To Remote Code Execution Risk

Kyle — Tue, 13 Mar 2012 21:54:58 +0000

Image via Wikipedia

An EXTREMELY critical flaw in Microsoft’s RDP protocol (Remote Desktop) has been discovered and disclosed by Microsoft today. This vulnerability is about as critical as they get; especially for corporate customers. In short, any attacker who sends specially crafted code to any computer running Microsoft Windows that hat has Remote Desktop enabled can essentially take control of it. Microsoft has already released an article about it here (MS12-020).

All users are advised to update their machines as soon as possible, as this nasty exploit has the potential to become very nasty, very fast.

Microsoft to patch Windows bug called ‘Holy Grail’ by one researcher (networkworld.com)
KB 2671387 (support.microsoft.com)
March 2012 Microsoft Black Tuesday, (Tue, Mar 13th) (isc.sans.edu)
Microsoft Issues Urgent Patch for ‘Wormable’ RDP Vulnerability (pcworld.com)

Tags: attack, attacker, black tuesday, code, code execution, exploit, isc, microsoft, network, RDP, rdp protocol, release, remote desktop, risk, SANS, tw, vulnerability, Windows, worm, Wormable

LulzSec Hacks Sony…Again…And Scores PSN Source Code

Kyle — Tue, 07 Jun 2011 00:56:38 +0000

LulzSec, also known as Lulz Security, which has become infamous for their past and more recent hacks including PBS and Sony, has hacked Sony HQ…again. This time they scored around 54 megabytes of the developer’s source code to the PlayStation Network. What does it mean? Hold on to your butts. The group published a press release detailing the hack while simultaneously releasing all stolen code to the public through various channels. The implications of this are enormous, as Sony’s PSN is now wide-open to any exploits found in the previously obfuscated code. Expect Sony’s problems to continue for a while.

The targeting of Sony stems from their legal assault on George Hotz, otherwise known as GeoHotz, who had found and published a way to circumvent protection mechanisms on the PlayStation 3. This was a big deal after the company removed the “Other OS” feature through a firmware update that allowed the installation of Linux on the console to use the powerful IBM Cell processor that powers the machine. The PS3 has been known to be used by organizations like the US Air Force in supercomputer clusters due to the Cell processor’s vastly superior floating-point performance which is highly desired for processing large amounts of data for modeling.

Stay tuned…

Tags: ACHIEVEMENT, Cell, floating point, geohotz, George Hotz, IBM, ibm cell processor, legal assault, lulz, LulzSec, OtherOS, pbs, playstation 3, point performance, ps3, psn, release, sony hq, Source, supercomputer

LNK Zero-Day Exploit: Siemens WinCC SCADA systems targeted

Kyle — Mon, 26 Jul 2010 05:20:59 +0000

It turns out that the original targets for the highly-dangerous Windows Shell LNK Zero-Day Exploit were Siemens WinCC SCADA systems with hard-coded credentials used in large infrastructure systems like factories and power grids. Once the attacker had successfully executed the LNK exploit, they accessed the Siemens WinCC program and extracted sensitive data from the database the software uses. It is highly suspected that the exploit was explicitly used for espionage toward Iran and Indonesia at the very least, but by whom or what exact purpose is not clear. What is clear is that the Siemens WinCC software was targeted. The Siemens WinCC software has what is considered one of the top vulnerabilities in software according to CWE/SANS, which is the use of fixed-credentials. This type of vulnerability has been publicly disclosed for over two years and the password to this specific software (2WSXcder) has been publicly known since at least 2008. Siemens was made aware of the issue on July 14 and shortly started to asses the problem and notify customers.

In the meantime, a security researcher known as Ivanlef0u has posted a proof-of-concept of the exploit (site is in French), while Win32/TrojanDownloader.Chymine.A and Win32/Autorun.VB.RP are in the wild already actively actively using this exploit according to ESET. Expect to see this exploit to be a bit prolific due to its new and unique nature combined with the relative ineffectiveness of detection/removal systems thus far.

Wired Article on password’s public exposure

ESET Blog on new Zero-day exploit in the wild

Tags: 2WSXcder, Chymine, Ivanlef, july 14, LNK, SCADA, Siemens, siemens wincc, WinCC, zero day

Critical Microsoft Vista/2008/Windows 7 Zero-day Remote BSOD Found

Kyle — Wed, 09 Sep 2009 00:24:06 +0000

Remember back in the days of Windows 95 when someone could use the OOB attack to remotely BSOD a PC? Well now you can relive your youth with a classic throwback from Microsoft! Windows Vista, 2008, and 2007 of all variants all have a similar vulnerability that allows a remote attacker take your machine down with a simple ampersand. Leave it up to Microsoft to do it all again more than a decade later.

The SMB 2.0 driver in x86 and x64 versions of Windows Vista, Server 2008, and Windows 7 are all one in the same. When sent the “&” character in the “Process ID High” SMB header, the process pagefaults and brings us the beloved Blue Screen of Death we’ve all come to know and love.

Credit goes to Laurent Gaffié and you can find the Proof-of-Concept on his blog.

Tags: ampersand, attack, attacker, blue screen of death, BSOD, Laurent Gaffié, microsoft, microsoft vista, microsoft windows vista, OOB, process id, proof of concept, SMB, throwback, versions of windows vista, vulnerability, zero day

T-Mobile USA confirms massive data breach

Kyle — Thu, 11 Jun 2009 02:02:57 +0000

The network security guys at T-Mobile USA probably breached their underpants after some black hat or group of black hats named “Pwnmobile” posted on seclists.org a sizeable list of internal hostnames, OSes, partial descriptions, internal IP addresses, and facilities relating to the back-end of T-Mobile’s customer management and services network.

At first, T-Mobile tried to say it was just a list pulled from a corporate document; but now the company is admitting that it was, in fact a major security breach according to a USA Today Blog and are not disclosing how much data was taken. Odds are, if whoever managed to get this far, a very sizeable amount of data was captured. The person who made the posting mentioned that they had tried to sell the information to competitors, but they were not taken seriously.

On a slightly related note, the posting related the T-Mobile hack with Check Point. Does this mean a perimeter Check Point firewall was either hacked or exploited to gain access to this network? Only further elaboration from Pwnmobile, T-Mobile, or an insider can say. There have been several recently published high-visibility Check Point exploits and perhaps they were used in the hack.

Tags: attack, black hat, breach, check point, check point firewall, checkpoint, corporate document, cybersecurity, exploit, GSM, high visibility, internal ip addresses, massive data, mobile hack, network, network security, partial descriptions, Pwnmobile, Security, t-mobile, usa today, user data