Midnight Research Labs

SEAT included in Best IT Security and Auditing Softwares 2007
cybernmd posted in Uncategorized on December 31st, 2007
comments:1

Great news come from Security-Database.com, a popular security web portal. SEAT (Search Engine Assessment Tool) is listed as a recommended Information Gathering tool in annual listing of Best IT Security and Auditing Softwares 2007. To celebrate this event, we are releasing an updated version of SEAT to include updated signature database and a few bug fixes. Now go download SEAT 0.2 and start scanning.

OSX update service MITM attack
aaron posted in osx, vulns on December 17th, 2007
comments:9

It looks like there is a fairly serious security vulnerability/exploit/patch released for OSX. Among other things, arbitrary commands can be trivially run on any OSX client with a man in the middle attack to the update service. There is a patch, but exploit code is already publicly available for metasploit, so I’d suggest not patching over any insecure connections,

The security update also contains fixes for about a dozen other things within OSX as well. I’m pretty surprised that the OSX update service doesn’t (didn’t?) use any type of certificate or other methods for server authentication. Several other projects (firefox, debian, etc) have had issues with this in the past, but have been subsequently fixed. It does appear that Apple responded very quickly to the the notice (initial notice was on 12/6), but this seems like one of those “by design” vulnerabilities, so I’d have to guess they’ve known about it for a while.

If I wasn’t stuck writing reports tonight instead of hacking, I’d try to put together a quick script for AirPwn. It looks like you just need to intercept/inject a couple of http connections to swscan.apple.com. It makes a request to get a catalog file (“.sucatalog”), which is just an xml file that references a distribution xml that contains the packages (payload).

The 12 threats of Christmas
aaron posted in Uncategorized on December 17th, 2007
comments:5

Wow. The video says it all. It gets, uh, something around 30 seconds in.

Backtrack 3 beta!
aaron posted in Uncategorized on December 14th, 2007
comments:0

After a long wait, the backtrack3 beta is finally out. w00t. I saw the development version of it, and it looks pretty good (but haven’t played with the beta yet). It contains a few new tools, and lots of updates. Good work and congrats to Max, Muts and the offensive security team.

The latest release version of wicrawl is on there as well, but I do have a few subsequent fixes for it. I’ll try to get those in before the final release.

Update: It looks like the official announcement hasn’t gone out yet, but since this has already been posted elsewhere, I’m pretty sure I can link it here too:

• BT3 Beta .iso torrent
• BT3 Beta USB/DVD torrent

Hack in the box videos online
aaron posted in cons, hacking videos on December 6th, 2007
comments:0

Videos for the HITB conference in Malaysia are now available online for free. There’s around 26 different talks that cover both days of the conference covering a range of topics including SCADA, web/ajax/database hacking, bluetooth, biometrics, protocol fuzzing, CCTV hacking and anti-forensics along with several others. I do like this trend of making conference materials (especially video) available online, and I hope it continues. Happy torrenting.

We know what you typed last summer
cybernmd posted in exploits, hacking, hardware hacks, Uncategorized on December 1st, 2007
comments:14

An interesting advisory comes from guys at remote-exploit and dreamlab technologies dealing with (in)security of common non-bluetooth wireless keyboards sold by Microsoft (Wireless Optical Desktop 1000 and 2000). According to the white paper released on the subject (available here) only the actual key pressed is transmitted in encrypted form, all other communication such as keyboard identification, metakeys (Shift, Alt, etc.), and other data are all transmitted in clear text. Furthermore, the encryption scheme used for keystroke data consists of “a simple XOR mechanism with a single byte of random data generated during the association procedure”. What this means is that not only can you quickly brute force entire key space (256 combinations), but you can actually obtain the encryption key by intercepting the initial association of keyboard and receiver (as was demonstrated in this video ). Authors did not release the PoC tool to the public citing an ongoing research (meaning more goodies coming soon . As such we can only applaud at this effort and look forward to seeing this tool in the upcoming Backtrack 3.