November 23rd, 2014

We know what you typed last summer

An interesting advisory comes from guys at remote-exploit and dreamlab technologies dealing with (in)security of common non-bluetooth wireless keyboards sold by Microsoft (Wireless Optical Desktop 1000 and 2000). According to the white paper released on the subject (available here) only the actual key pressed is transmitted in encrypted form, all other communication such as keyboard identification, metakeys (Shift, Alt, etc.), and other data are all transmitted in clear text. Furthermore, the encryption scheme used for keystroke data consists of “a simple XOR mechanism with a single byte of random data generated during the association procedure”. What this means is that not only can you quickly brute force entire key space (256 combinations), but you can actually obtain the encryption key by intercepting the initial association of keyboard and receiver (as was demonstrated in this video ). Authors did not release the PoC tool to the public citing an ongoing research (meaning more goodies coming soon ;). As such we can only applaud at this effort and look forward to seeing this tool in the upcoming Backtrack 3.

Microsoft Optical Desktop 1000

Pretty Pretty Pwnies

The latest month of bugs trend has started again with the Month of Apple Bugs. The first bug is a buffer overflow in Apple Quicktime rtsp URL Handler. Here is the description from the bug information on the MOAB site:

A vulnerability exists in the handling of the rtsp:// URL handler. By supplying a specially crafted string (rtsp:// [random] + semicolon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, Javascript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition.

Note that this affects the OSX and the Windows versions of Quicktime. It doesn’t look like there is a patch for this yet, but apparently you can disable the rtsp handler within Quicktime.

Here is the official MOAB mascot:

OMG! Pwnies!

“Mac bugs come in pink.” ™

More wireless vulns

As expected, there are a couple more wireless driver vulnerabilities that have been released as part of the month of kernel bugs run. A good description and FAQ on the Broadcom vunlerability are available here. This exploit was written by Johnny Cache, and here is the ported (by HD) metasploit module for it.

The second vulnerability is for the D-Link DWL-G132. The ususal suspects were involved, and the metasploit module is here. The MOKB post has details and download links for the patched driver versions.

p.s. Sorry about the lack of posts this week — I’ve been travelling and haven’t had much extra time. Maybe this weekend as I go through my RSS backlog I’ll have a few new posts

More Visual Sploit

While I can only guess from the graphics that this is a bad April Fool’s joke, here is a link to a video of Immunity’s supposed Visual Sploit in action (Dave seemed serious when announcing it here). It’s still not quite the 3-d interactive hacker holo-sphere we all hoped for.

Fisher-price ® “my first sploit”

metasploit 2.6 released

A new version of metasploit is out today. Here is a previously linked metasploit blog post on doing metaspoit exploit development end to end.

Version 2.6 of the Metasploit Framework has been released. This release includes 43 more exploits, numerous bug fixes, improvements to the SMB/DCERPC layers, and a few cosmetic changes. If you are running version 2.5, you can seemlessly upgrade to 2.6 by running the msfupdate tool (twice). Please see the release notes for more information.

perl published advisory

Here is the actual advisory from Dyad on the perl format string exploit issue I posted about yesterday. A patch has been proposed, but isn’t official yet. They also mention that there are several other exploitable programs that they know about today. Hopefully anyone using webmin is smart enough to keep it firewalled off in the first place. Someone needs to audit SlashCode for this, =), they don’t look very active.

update: Here is a paper with more details, examples, and a few more vulnerable programs.

perl format strings and webmin

This could get nasty real fast. There is supposedly an advisory coming out for perl itself from dyadsecurity that could have far-reaching effects. While this was recently triggered from just a webmin advisory, if it turns out to be true, it could affect scads of other things written in perl. As alluded to in the Full-Disclosure list posts, this could be a “new” type of format-string exploit for perl. Beware.

Update: Looks like this has been confirmed by others

Imhotep theme designed by Chris Lin. Proudly powered by Wordpress.
XHTML | CSS | RSS | Comments RSS