Oh Year 2015, your end is nigh. Let us pause for a moment and grab some information security highlights for these past weeks before we end this great year. This article will not tackle all of the information security highlights we have for the year 2015 but only recent news and updates.
Last Weekly Metasploit Wrap-up of the Year
James “egypt” Lee, a long time Metasploit Framework contributor and one of the most badass Rapid7 employees the world has ever known, posted his last Weekly Metasploit Wrapup for the year 2015 a few days ago. The wrap-up announced muts’ (Offensive Security Founder and Kali Linux Core Developer) voice as the official voice of the sounds plugin, which you enable with load sounds. You should be able to hear muts saying one of these phrases (it depends) when an exploit works and you get a session:
- “We’ve got a shell”
- “And our exploit worked”
If the exploit fails, you will hear the word “Try Harder”. Now your horror for the PWK class has been immortalized. LOL
Thanks to Wei “sinn3r” Chen for this awesome and cool update!
Aside from that, the framework has just been loaded with five exploit modules and three auxiliary and post modules. The exploit modules include:
- Jenkins CLI RMI Java Deserialization Vulnerability
- phpFileManager 0.9.8 Remote Code Execution
- Legend Perl IRC Bot Remote Code Execution
- Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
- ManageEngine Desktop Central 9 FileUploadServlet ConnectionId
The auxiliary and post modules include:
- UNIX Gather RSYNC Credentials
- Bitlocker Master Key (FVEK) Extraction
- Windows Antivirus Exclusions Enumeration
More information about the wrapup: https://community.rapid7.com/community/metasploit/blog/2015/12/17/weekly-metasploit-wrapup
The Hyped Juniper ScreenOS Authentication Backdoor for SSH and Telnet (CVE-2015-7755)
Juniper Networks released an advisory on December 18, 2015 which talks about their recent discovery of unauthorized code in the ScreenOS software that powers their Netscreen firewalls. The unauthorized code comes with an SSH and Telnet authentication backdoor password. The backdoor password is <<< %s(un=’%s’) = %u and it affects versions 6.2.0r15 to 6.2.0r18 and 6.3.0r12 to 6.3.0r20.
This issue, or should I say major problem, has been assigned CVE-2015-7755.
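The first thing a defender wants from this advisory is a quick way to tell which firewalls in an inventory run one of the affected ScreenOS releases. The following is an added example (not from the article or from Juniper) that parses ScreenOS version strings and checks them against the two affected ranges stated above; the inventory it runs on is a constructed sample.

```python
import re

# Affected ScreenOS releases as stated in the advisory for CVE-2015-7755:
# 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20.
AFFECTED_RANGES = [
    ((6, 2, 0), 15, 18),
    ((6, 3, 0), 12, 20),
]

# ScreenOS versions look like 6.3.0r19 or 6.3.0r19.0 (optional trailing build digit).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.(\d+))?$")


def parse_screenos_version(text):
    """Parse a ScreenOS version string into ((major, minor, patch), release).

    Raises ValueError for anything that does not look like a ScreenOS version,
    so a malformed inventory entry is reported rather than silently treated as safe.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised ScreenOS version: %r" % text)
    major, minor, patch, release = (int(x) for x in m.groups()[:4])
    return (major, minor, patch), release


def is_affected(version):
    """True when the version falls inside one of the affected release ranges."""
    base, release = parse_screenos_version(version)
    return any(base == b and lo <= release <= hi for b, lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """inventory: mapping of hostname -> ScreenOS version string.

    Returns the sorted list of hostnames running an affected release.
    """
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "fw-edge-01": "6.3.0r12.0",
    "fw-edge-02": "6.3.0r21",
    "fw-dc-01": "6.2.0r18",
    "fw-dc-02": "6.2.0r14",
    "fw-lab-01": "6.3.0r19",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("AFFECTED:", host, SAMPLE_INVENTORY[host])
```

The version check is deliberately strict: an unparsable string raises instead of returning False, because "unknown" should never be reported as "not affected" when you are deciding what to patch first.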
There is a theory that the U.S. National Security Agency might be indirectly responsible for the unauthorized ScreenOS. According to an article in Wired, “Ralf-Philipp Weinmann, founder and CEO of Comsecuris, a security consultancy in Germany, suggests that the Juniper culprits repurposed an encryption backdoor previously believed to have been engineered by the NSA, and tweaked it to use for their own spying purposes.”
And also according to Eduard Kovacs’ report from the Security Week:
“The theory that the U.S. National Security Agency might be responsible for the ScreenOS backdoor is partly based on older reports claiming that the agency had targeted Juniper products.”
“Furthermore, the vulnerable Dual EC standard is said to be an NSA effort to introduce a backdoored PRNG. The backdoor allows an attacker who possesses a secret key to predict future output.”
“The NSA reportedly paid RSA $10 million to get the company to use Dual EC by default in one of its toolkits.”
“CNN reported last week that U.S. officials are concerned that the Juniper backdoor could be the work of a foreign government, which has triggered an FBI investigation.”
More information and Additional Reading:
KDefend or KDLinux – a New ELF Threat or DDoS Unix Bot
Security crusaders and malware hunters of the #MalwareMustDie! Team discovered a new ELF malware or DDoS bot that runs on Unix or Linux boxes on December 03, 2015. The name of this new ELF threat is “KDefend” / “KDLinux” / “KDefend Firewall Stresser”. More details are posted on: http://blog.malwaremustdie.org/2015/12/mmd-0045-2015-kdefend-new-elf-threat.html
PS4 Kernel Exploit Finally Working!
A developer named CTurt has claimed that Sony’s PS4 can now be enjoyed with homebrew content because it has been jailbroken using a FreeBSD exploit, since the PS4’s operating system, “Orbis OS”, is actually based upon a customized FreeBSD 9.0.
CTurt has also opened an open source PlayStation 4 SDK repository on Github. Cool ayt!
I got this news from Twitter that points to Slashdot:
Google Project Zero Disclosed a Critical Remote 0-day for FireEye Appliances
The elites Tavis Ormandy and Natalie Silvanovich of Google Project Zero have responsibly disclosed a critical vulnerability in FireEye’s security and monitoring appliances. To avoid spoiling the fun about the said vulnerability, read more at http://googleprojectzero.blogspot.com/2015/12/fireeye-exploitation-project-zeros.html.
Rapid7’s ScanNow Tool Has Been Deprecated Because of a DLL Search Order Hijacking Vulnerability
On December 21, 2015, Rapid7 officially announced that it will be deprecating a security auditing toolkit called ScanNow and advised users to remove the software from any system that still has it. This is because of a vulnerability disclosed to Rapid7 by Stefan Kanthak: DLL Search Order Hijacking, which is also referred to as DLL side loading, DLL pre-loading, binary planting, binary carpet bombing, or similar names.
New Joomla Remote Code Execution Vulnerability (CVE-2015-8562)
On December 15, 2015, Exploit-DB has published a remote code execution exploit for Joomla versions 1.5 – 3.4.5 wherein a sample Proof of Concept exploit was reported by Gary of Sec-1 ltd. Gary’s PoC uses the “User-Agent” header while another exploit made by Andrew McNicol uses “X-Forwarded-For” header.
A Metasploit exploit module has been created by Christian Mehlmauer a.k.a. FireFart to make our lives easier. The module is patterned after Andrew McNicol’s Proof of Concept exploit code and uses the “X-Forwarded-For” header by default, so that the payload does not end up in the default access log, although you can configure it to use “User-Agent” instead.
An Infosec Institute article has also been published on how to exploit this vulnerability: http://resources.infosecinstitute.com/exploiting-cve-2015-8562-new-joomla-rce-2/
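Since the exploit rides in a request header, and the X-Forwarded-For variant is chosen precisely because default access logs do not record it, a defender who wants visibility has to inspect request headers before they reach Joomla (a WAF, a reverse proxy, or full-request logging). The block below is an added example, not from the article or any of the PoCs it cites, of that inspection. It assumes one fact about CVE-2015-8562 that the article does not spell out: the injected payload is a serialized PHP object, so the detector looks for PHP serialize() object syntax (O:<length>:"<class>":<count>:{) in the User-Agent and X-Forwarded-For headers. The requests it scans are constructed samples with a made-up class name.

```python
import re

# PHP serialize() output for an object: O:<len>:"<class>":<nprops>:{ ... }
# (C:... is the custom-serialization variant). Class names may carry namespaces
# with backslashes. Assumption from the lead-in: CVE-2015-8562 payloads use this syntax.
PHP_OBJECT_RE = re.compile(r'[OC]:\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')

# The two headers the article names as carriers for the exploit.
WATCHED_HEADERS = ("user-agent", "x-forwarded-for")


def parse_headers(raw_request):
    """Split a raw HTTP request into a dict of lowercase header name -> value."""
    headers = {}
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def find_php_object_injection(raw_request):
    """Return [(header_name, class_name), ...] for every watched header that carries
    a serialized PHP object. An empty list means nothing suspicious was seen."""
    hits = []
    headers = parse_headers(raw_request)
    for name in WATCHED_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        for m in PHP_OBJECT_RE.finditer(value):
            hits.append((name, m.group(1)))
    return hits


# Constructed sample requests (hostnames, agents and the class name are made up).
BENIGN_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/42.0\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n\r\n"
)
SUSPICIOUS_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    'X-Forwarded-For: }__probe|O:12:"ExampleClass":1:{s:3:"key";s:5:"value";}\r\n\r\n'
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, find_php_object_injection(req))
```

A legitimate User-Agent or X-Forwarded-For value never contains serialize() object syntax, so this check has a low false-positive rate; log the full header value on a hit, because that is exactly the data the default access log would have dropped.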
New Angler Exploit Kit Includes TeslaCrypt ransomware Spreader
One of Infosec Institute’s acclaimed contributors, Pierluigi Paganini, has reported that “the French security researcher “Kafeine” has discovered a new variant of the popular Angler exploit kit that includes the exploit code for a recently patched Adobe Flash Player vulnerability (CVE-2015-8446). Kafeine reported that new exploit code was added to the Angler exploit kit on December 14”.
With the inclusion of this new exploit, it can be used to spread the TeslaCrypt ransomware as verified by malware experts at Malwarebytes just last week. More information at http://securityaffairs.co/wordpress/42960/cyber-crime/angler-exploit-kit-new-flaw.html
HardenedBSD 2016 Roadmap Announced to the Public
HardenedBSD is one of the projects I have been watching lately because of its awesomeness and die-hard security enhancements. As an introduction, it is a project founded by Oliver Pinter and Shawn Webb which aims to promote a security-enhanced fork for FreeBSD.
How I wish PlayStation would use this, since the project has implemented many exploit mitigation and security technologies on top of FreeBSD. It took Address Space Layout Randomization (ASLR) as its initial focal point and is now implementing further exploit mitigation techniques.
On December 07, 2015, Shawn Webb published the project’s 2016 roadmap to gain more support from hardcore FreeBSD users. Here are the plans:
- First official release: 11.0-RELEASE
- Binary updates for base via pkg
- PaX NOEXEC finished
- UDEREF started
- syscall and sysctl hardening
- ugidfw integrated into secadm
- (Maybe) secadm in base
- hbsdcontrol finished
- Network-installable installation media
- Mirrors for both packages and installation media
- SEGVGUARD cleanup
- Focus on documentation
- All of base compiled as PIE
The project’s official Website: https://hardenedbsd.org/
Underhyped Vulnerability of 2015: Java Unserialize Vulnerability
A few weeks ago, Steve Breen of FoxGlove Security posted a blog entitled “What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability“. The article explains the most underrated, underhyped vulnerability of 2015, the Java unserialize vulnerability. It is underhyped because, despite a proof of concept for exploiting the said vulnerability having been released over nine months ago, no patch was available for the Java library containing the vulnerability.
The post includes several Proof of Concepts for exploiting Java unserialize vulnerabilities which can lead to remote code execution and total pwnage to the following applications:
- WebSphere Application Server – CVE-2015-7450
- Oracle WebLogic – CVE-2015-4852
- JBoss Application Server – CVE-2015-7501
- Jenkins CI – Continuous Integration and DevOps platform
- OpenNMS – Open Source Network Management software
Other applications may still be at risk, especially if the server receives Java serialized objects and uses the Apache Commons Collections library.
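The sentence above is the practical takeaway: any endpoint that accepts a Java serialized object from the network, on a classpath that includes Apache Commons Collections, is exposed. A defender triaging traffic or captured payloads can at least recognise serialized Java streams and see which classes they name. The following is an added example, not code from the FoxGlove post or from any of the projects listed, that does this in Python: it checks for the Java serialization stream magic (0xACED0005) and then heuristically pulls class names out of TC_CLASSDESC records, flagging any from the Commons Collections namespace. The sample stream is constructed by hand and is not a real gadget chain.

```python
import re
import struct

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
TC_OBJECT = 0x73                          # tag: new object
TC_CLASSDESC = 0x72                       # tag: class descriptor, followed by u2 length + name

# Namespace of the gadget library the article names; extend for your own environment.
GADGET_PREFIXES = ("org.apache.commons.collections.",)

# A plausible fully qualified Java class name (ASCII only; good enough for triage).
_CLASS_NAME_RE = re.compile(rb"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def looks_like_java_stream(data):
    """True when the bytes begin with the Java serialization stream header."""
    return data.startswith(JAVA_STREAM_MAGIC)


def extract_class_names(data):
    """Heuristically recover class names from a serialized Java stream.

    Each TC_CLASSDESC tag is followed by a 2-byte big-endian length and that many
    bytes of (modified UTF-8) class name. This does not walk the full stream grammar,
    so a 0x72 byte inside field data could in principle be misread; treat the output
    as candidates for triage, not as proof of structure.
    """
    names = []
    start = data.find(JAVA_STREAM_MAGIC)
    if start < 0:
        return names
    i = start + len(JAVA_STREAM_MAGIC)
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", data[i + 1:i + 3])
            name = data[i + 3:i + 3 + length]
            if 0 < length <= 255 and len(name) == length and _CLASS_NAME_RE.match(name):
                names.append(name.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def suspicious_classes(data):
    """Class names in the stream that fall under a known gadget-library namespace."""
    return [n for n in extract_class_names(data) if n.startswith(GADGET_PREFIXES)]


def _class_desc(name):
    """Build a minimal TC_CLASSDESC record (tag + length + name) for the constructed sample."""
    raw = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw


# Constructed sample: header, then two objects whose class descriptors are present but whose
# serialVersionUID, flags and field tables are replaced by filler. The second class name is
# made up (it is in the Commons Collections namespace but is not a real class).
SAMPLE_STREAM = (
    JAVA_STREAM_MAGIC
    + bytes([TC_OBJECT]) + _class_desc("java.util.HashMap") + b"\x00" * 12
    + bytes([TC_OBJECT]) + _class_desc("org.apache.commons.collections.functors.ExampleTransformer")
    + b"\x00" * 12
)

if __name__ == "__main__":
    print("java stream:", looks_like_java_stream(SAMPLE_STREAM))
    print("classes:", extract_class_names(SAMPLE_STREAM))
    print("suspicious:", suspicious_classes(SAMPLE_STREAM))
```

Seeing the stream magic on an endpoint that should never receive serialized objects is itself the finding; the class-name pass only helps prioritise, since an attacker can use a gadget library other than Commons Collections. The real fix is on the server side, where deserialization must be restricted to an allowlist of expected classes or removed from the network boundary altogether.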
Metasploit modules have been published too for some of the applications mentioned. In fact, in the last weekly Metasploit Wrapup, one of the new exploit modules targets the Java unserialize vulnerability in the Jenkins CLI RMI interface.