Predictions for 2013 in Infosec

Here are the predictions for the year 2013 for those of us in the security field.

  1. More pointless debates on full disclosure/non disclosure/selling 0day to governments or whatever. Our good friend @csoghoian will continue to demonize the 0day sellers such as VUPEN and @thegrugq who will continue not giving a flying monkeys.
  2. More “ERMAGHERD BLAME CHINA” nonsense, physician calling skript kiddie level phishing attacks involving poorly written remote admin tools and old exploits “Advanced Persistent Threats”. Some decent threat actors will pop up with some shiny 0days and cause a widespread pants-soiling as they 0day the hell out of some US defence contractors from .CN subnets and generally make AV firms a shedload of money.
  3. More passwords will be leaked as script kiddies with Havij and SQLmap pop large websites who still do not think SQL injection is a thing. Groups such as “Anonymous” and their offshoots will proliferate, purchase with several “wannabe lulzsec” scrublords making a bit of a mess.
  4. More holes in Java, Adobe, and IE. Lots of holes. AV firms will capitalize on these to sell “ENTERPRISE SECURITY” products to people.
  5. More SCADA vulnerabilities will be touted which will cause “OMG HACKERS CAN HIJACK POWER PLANTS” headlines.
  6. The good people at Attrition will expose a literal buttload of Charlatans and said charlatans will be laughed at.
  7. Kaspersky will find some more malware, probably in Iran, and make headlines about the mythical “Cyberwar” thing. Kaspersky will make more money and press.
  8. We will see more shitty XSS posted on Full Disclosure. ESPECIALLY by “Vulnerability Lab”.
  9. I am going to wake up on the first day of 2013 and post a pretty cool proof of concept exploit, as per tradition. I will possibly be laughed at for how simple it is, and someone, somewhere, will facepalm for not figuring it out first.
  10. I dropped my crystal future seeing ball, sorry.

And, those are our predictions. I am betting a pint on those, so they better bloody well be right.

-info

Exploit Demo – FreeFloatFTPd Remote SYSTEM. Oppa Stuxnet Style!

Ever since Kingcope released the “Stuxnet Style” MySQL exploit using .mof files to execute dropped binaries, illness there has been a rash of similar exploits cropping up – and I fully expect many more to come. This one is one of the interesting ones, as it demonstrates something extremely interesting. How improper FTP file access privileges can lead to trivial remote code execution.

This exploit works in an extraordinarily simple manner. The FreeFloat FTP Server is rife with security flaws. Not least the fact it has no authentication whatsoever, and drops one right into C: with privileges to write files as the SYSTEM user.

It uploads the binary (Meterpreter in the MSF exploit) to System32, then plants a .MOF file to execute it in the System32wbemmof directory, allowing Windoes Management Interface to execute it as SYSTEM – the same as the other exploits.

Essentially, you pop a SYSTEM shell within less than a minute.

I expect that future weeks will show us more and more “Stuxnet Style” exploits as this technique becomes more trendy, hence, “Oppa Stuxnet Style!”.

Without further ado, here is the video!

 

Exploit Demo – Windows MySQL Post Auth RCE using Stuxnet Technique

My previous post demonstrated the exploit @kingcope released, MySQLJackPot, that leveraged FILE privileges to take over a Windows MySQL server. That exploit worked by abusing the User Defined Function stuff.

This exploit goes a bit further, and is reliable on everything pre-Vista. It leverages the same technique used by Stuxnet’s MS-10-061 exploit, wherin arbritary file creation is turned into Remote Code Execution (under the context of the SYSTEM user) by dropping a binary and a .MOF file.

By using the INTO DUMPFILE method (assuming we have FILE privs on the remote server), we can create arbritary files with the permissions of the MySQL user, which just so happens to be NT AUTHORITY/SYSTEM.

So, we drop a binary (our payload) in System32 folder, and then drop a crafted .MOF file in System32\wbem\mof\. The Windows Task Scheduler (similar to CRON on Unix to my understanding) periodically scans this directory and executes any .MOF files in there. Our .MOF file executes our payload.

This is the same method that the MS-10-061 exploits use – by dropping a .MOF file in there along with a binary, the binary will be executed in short order, and et-viola: got shell.

Anyways, without further ado, here is the video of it in action. I ended up using the Metasploit module, as I did something nasty to my PERL installation while installing stuff from CPAN for another demo, and things started to “not work right”.