Saturday, August 19, 2006

Secure Surfing at the Coffee Shop

From Kyle Haugsness, SANS Handler's Diary
This tip shows how to use SSH port forwarding to browse the web from your favorite coffee shop (or hacker conference) without handing your traffic to whoever else is on the local wireless network.

1) Set up a machine on your home network. If you don't have a static IP address, use dynamic DNS so you can always find it.

2) On this machine set up squid (http://www.squid-cache.org/) and bind it to localhost only, using the line "http_port 127.0.0.1:3128" in squid.conf. Bound this way, squid is reachable only through the SSH tunnel, so nobody on the Internet can use your home box as an open proxy.

Alternatively, you can use the SOCKS proxy built into the ssh client instead of squid (the dynamic forward, "-D"), with somewhat less anonymity. Run "ssh -p <port> -D 3128 <user>@<home-host>" and, in your web browser, set the SOCKS proxy to 127.0.0.1, port 3128. One caveat with the SOCKS option: the browser still resolves host names locally unless you tell it to send DNS through SOCKS5 as well (in Firefox, network.proxy.socks_remote_dns), so without that setting your DNS lookups still go out over the coffee shop's network.

3) Set up sshd on this machine. And do yourself a favor: require SSH key authentication (PasswordAuthentication no in sshd_config) and run sshd on a port that is NOT 22. This keeps all those brute-force SSH grinders from filling your log files.

4) At the coffee shop, run "ssh -p <port> -L 3128:127.0.0.1:3128 <user>@<home-host>", where <port> is the non-standard sshd port from step 3. This sets up the SSH tunnel: anything that connects to port 3128 on your laptop is carried inside the SSH session and delivered to 127.0.0.1:3128 on the home box, which is where squid is listening.

5) The most critical piece is to configure your web browser to use an HTTP proxy: host 127.0.0.1, port 3128. Skip this step and the tunnel sits idle while your browsing goes out in the clear over the coffee shop's network.

6) Surf away. All your web traffic is now encrypted between your laptop and your home box before it travels on to the Internet. Be clear about what that does and does not cover: the coffee shop sees only an SSH session to your home box, but from the home box onward the traffic is whatever the browser sent, so a site you use over plain HTTP is still plain HTTP on that leg.

You can forward almost any standard TCP application through an SSH tunnel in the same way.
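The whole procedure above, assembled as one sh script. This is an added example, not Kyle Haugsness's own code: it prints the squid.conf and sshd_config lines for the home box, builds the client command for the coffee shop, and checks the one thing that is easy to get wrong on the home box, namely that squid listens on loopback only. The host name home.example.net, the sshd port 2222, the login name me, and the `ss -ltn` listing the check parses are all assumptions, and the sample listing is constructed.

```shell
# Added example (not from the SANS diary). Assumed values: home.example.net,
# sshd on port 2222, login "me". Override them via the environment if you like.
HOME_HOST="${HOME_HOST:-home.example.net}"
SSH_PORT="${SSH_PORT:-2222}"
SSH_USER="${SSH_USER:-me}"
PROXY_PORT=3128

# squid.conf lines for the home box (step 2): bind to loopback only and
# accept requests only from loopback, so the proxy is reachable solely
# through the SSH tunnel.
squid_conf() {
    cat <<EOF
http_port 127.0.0.1:${PROXY_PORT}
acl tunnel src 127.0.0.1/32
http_access allow tunnel
http_access deny all
EOF
}

# sshd_config lines for the home box (step 3): non-default port, keys only.
sshd_conf() {
    cat <<EOF
Port ${SSH_PORT}
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# The client command for the coffee shop (step 4). -N opens no remote shell,
# just the forward; ExitOnForwardFailure makes ssh exit if local port 3128
# cannot be bound, instead of silently connecting without the tunnel.
tunnel_cmd() {
    printf 'ssh -N -p %s -o ExitOnForwardFailure=yes -L %s:127.0.0.1:%s %s@%s\n' \
        "$SSH_PORT" "$PROXY_PORT" "$PROXY_PORT" "$SSH_USER" "$HOME_HOST"
}

# Check on the home box that nothing listens on the proxy port except on
# loopback. Reads `ss -ltn` (or `netstat -ltn`) output from stdin; the local
# address is column 4 in both. Returns 0 if every listener on PROXY_PORT is
# on 127.0.0.1 or ::1, 1 if any is on a routable or wildcard address.
proxy_bound_to_loopback() {
    awk -v port="$PROXY_PORT" '
        {
            addr = $4
            n = split(addr, parts, ":")
            if (n < 2 || parts[n] != port) next   # header lines, other ports
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host != "127.0.0.1" && host != "[::1]" && host != "::1") bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample of `ss -ltn` output on a correctly configured home box.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:3128     0.0.0.0:*
LISTEN 0      128    0.0.0.0:2222       0.0.0.0:*'

if printf '%s\n' "$SAMPLE_SS" | proxy_bound_to_loopback; then
    echo "squid is loopback-only; at the coffee shop run:"
    tunnel_cmd
else
    echo "WARNING: something on port $PROXY_PORT listens on a routable address" >&2
fi
```

On the real home box, pipe the live listing in instead of the sample (`ss -ltn | proxy_bound_to_loopback`) after starting squid; a wildcard or routable address on 3128 means the http_port line did not take effect and the box is an open proxy.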

Hotmail/MSN Cross Site Scripting Vulnerability

Proof-of-concept code for exploiting an XSS vulnerability in Hotmail/MSN is available in a recent advisory published by Simo64 of the Morx Security Research Team.

More details on exploiting the XSS vulnerability are available here.

Linksys WRT54g router authentication bypass

From Ginsu Rabbit, bugtraq mailing list
An authentication bypass vulnerability has been reported in the Linksys WRT54g router, in an advisory published by Ginsu Rabbit on the bugtraq mailing list. The advisory is reproduced below.
--------------------------------------------------
I. DESCRIPTION

Tested product: Linksys WRT54g home router, firmware revision 1.00.9 (VxWorks based V5 router).

Problem #1: No password validation for configuration settings.

The WRT54g does not attempt to verify a username and password when configuration settings are being changed. If you wish to read configuration settings, you must provide the administrator ID and password via HTTP basic authentication. No similar check is done for configuration changes.

This request results in a user-id and password prompt:
GET /wireless.htm

This request disables wireless security on the router, with no password prompt:
POST /Security.tri
Content-Length: 24

SecurityMode=0&layout=en

Problem #2: Cross-site request forgery

The web administration console does not verify that the request to change the router configuration is being made with the consent of the administrator. Any web site can force a browser to send a request to the linksys router, and the router will accept the request.

II. Exploitation

The combination of these two bugs means that any internet web site can change the configuration of your router. Recently published techniques for port-scanning and web server fingerprinting via Java and JavaScript make this even easier.

The attack scenario is as follows:
- intranet user visits a malicious web site
- malicious web site returns specially crafted HTML page
- intranet user's browser automatically sends a request to the router that enables the remote administration interface
- the owner of the malicious web site now has complete access to your router

I'm not going to share the "specially crafted HTML page" at this time, but it isn't all that special.

III. DETECTION

If your router is vulnerable, the following curl command will disable wireless security on your router. Tests for other router models and firmware revisions may be different:

curl -d "SecurityMode=0&layout=en" http://192.168.0.1/Security.tri

IV. MITIGATION

1) Make sure you've disabled the remote administration feature of your router. If you have this "feature" enabled, anybody on the internet can take control of the router.

2) Change the IP address of the router to a random value, preferably in the range assigned to private networks. For example, change the IP address to 10.x.y.z, where x, y, and z are numbers between 0 and 255 inclusive. This makes it more difficult for an attacker to forge the request necessary to change the router configuration. This mitigation technique might not help much if you have a Java-enabled browser, because of recently published techniques for determining gateway addresses via Java applets.

3) Disable HTTP access to the administration interface of the router, allowing only HTTPS access. Under most circumstances, this will cause the browser to show a certificate warning before the configuration is changed.

V. VENDOR NOTIFICATION

Linksys customer support was notified on June 24, 2006.
Full disclosure on August 4, 2006.
--------------------------------------------------

Satori - Passive OS fingerprinting, revisited

From Thierry Zoller, Full-disclosure List
" ...
I started using this tool last year and it became immediately obvious to me that this is a great tool to have. Its name is Satori; if you never heard about it, that's not proof the tool is no good but rather that its author Eric Kollman does not really seem to care if you do (or at least doesn't scream it from the top of every house).

I found out about Satori while reading the paper "Chatter on the Wire" [pdf] (from the same author), which goes to great length about passive OS fingerprinting and its potential for improvement as done by several other tools. What is interesting is that the paper was not only theoretical but rather practical; its outcome was Satori, a beautiful plug-in based passive enumeration and fingerprinting tool.

Satori uses WinPcap and captures packets passively at the NDIS level; every packet flying by is scrutinised for information that might determine its OS. Nothing new here you might say, well, Satori does the fingerprinting on DHCP, BOOTP, ICMP, TCP, CDP, EIGRP, HPSP, HSRP, HTTP, IPX, SMB, SNMP, STP, UPNP precisely enough to either correlate the results with nmap or to rely on them. It makes spotting potentially vulnerable systems a breeze.
... "

Monday, August 07, 2006

VMware Ultimate Virtual Appliance Challenge

From vmware.com

The Ultimate Virtual Appliance Challenge, launched by VMware in February 2006 and offering $100,000 to the most creative virtual machine, is nearing its conclusion.

Participants in the challenge competed to create the industry's most innovative virtual appliances, using open source or freely distributable components and/or their own code. All submitted entries are available on the VMware website for everyone to download and use.

Voting for the best virtual appliance officially ended on July 31st. VMware plans to announce the challenge winners on Monday, August 14, 2006.

An expert judging panel will award prizes based on the appliance description in the entry, the ratings of the community, and their own expert opinion.

More Resources from VMware website,
- Free Virtualization Products
- VMware Academic Program Resources
- VMware Programming API

Friday, August 04, 2006

Phishing Research

The Internet Defence Phishtank is a repository of phishing emails. It enables security researchers, or simply anyone concerned about the validity of an email they have received, to check the status of that email.

It captures examples of phishing emails, analyses their contents in real time and stores them in the repository. A Realtime Fake Site Monitor provides a live display of the status of the currently known and active fake sites.

WiFi Device Driver Vulnerabilities

Security researchers David Maynor and Jon Ellch (better known as Johnny Cache) have found ways to seize control of laptop computers by manipulating buggy code in wireless device drivers. In a demonstration presented at the Black Hat conference, they remotely compromised a MacBook by exploiting one of the wireless device driver issues they discovered.

Wireless devices are designed to be constantly sniffing for new networks, and this can lead to security problems, especially if their driver software is buggy. Apple is not the only vendor with problems in its wireless drivers: by exploiting bugs in four different wireless cards, the researchers found ways to seize control of laptops running Windows and Linux as well.

Firewalls and operating system tools have traditionally been used to protect against hostile wireless users, but Ellch and Maynor point out that device drivers run at a much lower level, so an exploit in one bypasses all operating-system-level protection.

You do not have to be connected to a wireless network in order to be exposed; the card is listening for networks whenever it is powered on. The only defence is to physically turn the radio off when you don't need it and to limit its use to "somewhere safe".

More details and a video of the demonstration are available at Brian Krebs' Security Fix column.