HexEsec | a pentester's view » vulnerability

what should be considered a vulnerability?

jcran — Tue, 15 Dec 2009 10:53:20 +0000

…And now, a rant.

What should be considered (and reported) as a vulnerability when auditing a network?

Is weak network architecture? What if i can hit a critical server from an unprotected workstation? Isn’t that a vulnerability? Can we detect it?

What are today’s vulnerability scanners doing to detect bad management practices? Users w/ local administrator? Admins in the same segment as untrusted contractors? Windows servers / workstations with the same password?

Isn’t that a vulnerability? (hint – pass-the-hash)

What are scanners doing to detect insufficient technical controls? In the face of current (phishing, malware, etc) threats, should lack of egress filtering and lack of a proxy be considered a vulnerability? Should automated tools be picking this up and pointing it out?

New DOS attack technique: sockstress

jcran — Wed, 01 Oct 2008 23:46:05 +0000

The guys from outpost24 are releasing a new tool (sockstress) that exploits problems with TCP state tables. Apparently, you can disable most any windows/linux/firewall box with minimal attack bandwidth (read: cable modem).

According to the podcast, the tool does “some evil things” during the negotiation of the handshake. It’s definitely not a SYN flood or a SYN cookie.

The attack uses a concept called ‘reverse SYN cookies‘ to encode information about the client’s TCP session in the packets. This allows the attacker to attack without ever keeping track of state. The packets themselves keep track of state and what phase the attack is in.

Approximately 10 packets are needed to disable a single service. No system is known to withstand the attack.

The podcast is the best source of information at this point. (English starts after 5 mins)
More information here:

Google Calendar Search for Fun & Profit

jcran — Tue, 02 Sep 2008 04:24:40 +0000

In the same vein as the earlier post on searching for vulnerabilities with Google Code Search, I realized tonight that you can search for private calendars on Google Calendar Search by simply typing ‘private’ in the search box. You’ll be surprised by how many results you get (960 at time of writing).

With such nuggets as:

What

Presentation in Bern [work]

When

Mon Sep 1 12pm – Mon Sep 1 4pm
20080901T120000/20080901T160000
Where

Created By

Michel

It’s certainly not a great deal of work to trace other public details, and find out exactly who this might be. Interestingly, he’s also praying at 1AM today, and rowing at 2PM. He looks to be a bit worried about his skills.

This post ties closely to an observation made by stan over at n0where.org. What if a bank were able to access your calendar while you were planning to make a week-long trip to vegas? Do you think they’d still be eager to give you that home-loan? Food for thought, no?

UPDATE 09/02/08:
Google: John Gomez! Are you really sure you want to share this with the world?
John Gomez: *clicks yes*
Google: Are you sure??
John Gomez: just do it, it’s handy!
Google: Okay, but don’t say I didn–
John Gomez: DO IT!
Google: fine. idiot.
[Except this doesn't happen, and people have NO IDEA they're sharing this info most likely]

Delta Air Lines #616, 01:15 PM PDT

WhenFri, Sep 26, 4:15pm – 10:01pm

WhereSFO – JFK (map)

Description Record Locator: MXNYGI Flight: Delta Air Lines #616 Confirmation: CYT0L0 Departure Location: San Francisco International Airport (SFO) Departure Time: Friday, September 26 at 01:15 PM PDT Departure Terminal: 1 Arrival Location: John F. Kennedy International Airport (JFK) Arrival Time: Friday, September 26 at 10:01 PM EDT Arrival Terminal: 3

UPDATE (09/02/08) (2):

Looks like our boy John is in good company at least… 680 results for the term ‘Record Locator.’ Ouch.

So how do you take advantage of this?

- Impersonate them

- Break into their house / steal their car while they’re away

- Frame them for a crime happening in their vicinity

- Call the airport, impersonate an authority (you’ve got all the details, right?.. right.)

Out of curiosity, is anyone doing a taxonomy of real-world attacks? The final attack listed above is analogous to a DOS attack, but these are all straight-forward. I’d love to see a taxonomy of possible ways to exploit a piece of information (vulnerability).

Google Code Search for Fun & Profit

jcran — Mon, 01 Sep 2008 04:37:30 +0000

While toying around with Google code search to look for HTTP Response Splitting vulnerabilities, i discovered that code search is a treasure trove of vulnerabilities. For instance, simply try searching for “vulnerability”.

Looks like I’m about 2 years behind on this:

Chris Shiflett: http://shiflett.org/blog/2006/oct/google-code-search-for-security-vulnerabilities
Jose Nazario: http://monkey.org/~jose/blog/viewpage.php?page=google_code_search_stats
Dug Song: http://asert.arbornetworks.com/2006/10/static-code-analysis-using-google-code-search/
Cipher dot org dot uk: http://www.cipher.org.uk/bugle.php (Google Hacking with Code Search)

UPDATE (09/01/2008):

Regular expression search rocks. Why can’t you do this with regular search?