Shell-Shock aka BashBug

Posted: October 8, 2014 in Uncategorized

CVE-2014-7169 – Bash specially-crafted environment variables code injection attack

I wrote this a couple of weeks ago; however, due to a very busy schedule I had no access to the document, as it was on a different device. Anyway, here we go..

You don’t get CVSS v2 Base Score 10.0 vulnerabilities every day, and this is one of those moments when some badass ones show up. If you are running the following Bash version (please refer to the link), you might be vulnerable.

To check the running Bash version, do as follows:

root@ubuntu:~# bash --version
GNU bash, version 4.2.25(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later

If you need more information, go with /bin/bash -v.

Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these Bash functions into environment variables.
If you want to see whether your system is vulnerable to this bug, run the following commands. If it’s vulnerable, you know what to expect on the screen, right? 😉

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
env x='() { :;}; echo "Bagbash: " $(</etc/passwd)' bash -c "echo this is a test"
curl -v -A '() { :;}; echo "Bagbash: " $(</etc/passwd)' http://IP_or_FQDN/cgi-bin/status

If the injected command runs (you see “vulnerable” or the “Bagbash:” output instead of just the test string), go patch yourself! (Well, you have other alternatives too, but the easier one would be patching, I believe.) Go now, because there is already a Metasploit (msf) exploit for this. There are many ways to upgrade your systems; I’m not interested in how you choose to update, but you can try the following:

$ sudo apt-get update
$ sudo apt-get dist-upgrade

After you have patched your systems, or if they were not vulnerable in the first place, you should see the following error importing the function definition for `x' when you run the above test case.

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

Once again, Happy Patching!!
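For the CGI vector above (the curl request carrying the function definition in a header), a defender wants to know whether such requests have already hit the web server. The following script is an added example, not part of the original post: it scans access-log lines for the `() {` marker that the page’s test strings share. The log lines, IP addresses and paths are constructed sample data, not a real log.

```shell
#!/usr/bin/env bash
# Added example: spot Shellshock-style requests in a web-server access log.
# Constructed sample log (combined log format); not real traffic.
SAMPLE_LOG='192.0.2.10 - - [08/Oct/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo Bagbash"
192.0.2.11 - - [08/Oct/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.12 - - [08/Oct/2014:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "(){ :; }; /bin/true" "curl/7.35.0"'

# The marker Bash recognises as an exported function definition is "() {".
# Allow optional whitespace so "(){" is caught as well.
MARKER='\(\) *\{'

# Count log lines that carry the marker anywhere (UA, referer, any header).
# Prints the count; argument is the log text.
count_shellshock_hits() {
  printf '%s\n' "$1" | grep -Ec "$MARKER"
}

# Print the distinct client IPs (first field) that sent such requests.
shellshock_sources() {
  printf '%s\n' "$1" | grep -E "$MARKER" | awk '{print $1}' | sort -u
}

# Stand-alone run: summarise the constructed sample.
echo "Shellshock-style requests: $(count_shellshock_hits "$SAMPLE_LOG")"
echo "Sources:"
shellshock_sources "$SAMPLE_LOG"
```

Pipe a real log into the functions instead of the sample (for example `count_shellshock_hits "$(cat /var/log/apache2/access.log)"`), and treat any hit as a reason to check whether the targeted CGI scripts ran under an unpatched Bash.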


Microsoft has warned about a zero-day vulnerability in Microsoft Word that is being actively exploited in targeted attacks; it was discovered by the Google security team. At this time the limited, targeted attacks are directed at Microsoft Word 2010. According to Microsoft’s security advisory, Microsoft Word is affected by a remote code execution vulnerability (CVE-2014-1761) that can be exploited by a specially crafted Rich Text Format (RTF) file.

An attacker can infect the victim’s system with malware simply if the user opens a malicious Rich Text Format (RTF) file, or merely previews the message in Microsoft Outlook. The issue occurs when Microsoft Word parses specially crafted RTF-formatted data, corrupting system memory in such a way that an attacker could execute arbitrary code. Microsoft acknowledged that the remote code execution flaw also exists in Microsoft Word 2003, 2007, 2013, Word Viewer and Office for Mac 2011. Microsoft is working on an official patch, which will be released with the next Patch Tuesday security updates on April 8. In the meantime, Windows users can apply the temporary ‘Fix It’ tool to patch this vulnerability and can also install the Enhanced Mitigation Experience Toolkit (EMET), which can mitigate it.

Do not download .RTF files from the suspicious websites, and do not open or preview .RTF email attachments from strangers.

When considering a move to the cloud, there are a number of security questions that should be considered as you select a potential cloud provider. Almost all analyst and industry surveys list privacy and data security as a top concern for CIOs and CISOs. Through our years of moving SMBs and large enterprises to the cloud, we’ve compiled a list of questions to help you determine the level of security the provider offers.

1. What is your data encryption viewpoint, and how do you encrypt data? Do you encrypt data at rest or in transit? Is there an encryption offering and, if so, what level of encryption and what data protection certifications do you currently hold?
2. How do you manage the encryption keys?
3. Do you offer periodic reports confirming compliance with security requirements and SLAs?
4. What certifications for data protection have you achieved?
5. Who can see or have access to my information? How do you isolate and safeguard my data from other clients?
6. What are your disaster recovery processes?
7. What are your methods for backing up our data? What offerings are available to back up data?
8. Where is your data center, and what physical security measures are in place?
9. How do you screen your employees and contractors?
10. What actions do you have in place to prevent unauthorized viewing of customer information?
11. What actions do you take to destroy data after it is released by a customer?
12. What happens if you misplace some of my data?
13. What happens in the event of data corruption?
14. How is activity in my account monitored and documented? What auditing capabilities are provided: Admin/MGMT, Billing, System Information?
15. How much data replication is enough, and what level of data durability do you provide?
16. How much control do I retain over my data?
17. Can I leverage existing credentials and password policies? Do you offer SAML/SSO capabilities for authentication? What types of multifactor authentication are supported?
18. Can I disable access immediately to my data in the event of a breach?
19. Can you continue to provide protection as my workloads evolve? How scalable is the solution, including disaster recovery?
20. How often are backups made? How many copies of my data are stored, and where are they stored?
21. How reliable is your network infrastructure? What certifications do you currently hold for your data centers?
22. What is your current uptime and SLA option? What if SLA is not met?
23. Do you alert your customers of important changes like security practices and regulations or data center locations?
24. What country (or countries) is my data stored in – both on your infrastructure and for backups?
25. Will my needs be served by dedicated instances/infrastructure or shared instances/infrastructure?
26. Will my internal and external incident response resources be able to access your infrastructure in the event of an incident? If not, how will you perform the investigation on my behalf?
27. What third party security validation can you provide me with? How often do you have external assessments performed?
28. How do you dispose of end-of-life hardware?
29. How do you dispose of failed data storage devices?
30. What is your process for responding to a legal hold request?

Source : cloudsecurityalliance


Today almost all household and commercial environments are equipped with Wi-Fi networks. The heart of such a network is the wireless access point; in households and small commercial environments, wireless routers play a bigger role than dedicated wireless access points. The bootstrap programs and instructions of these devices live in a special type of memory known as “firmware”. Recently, researchers found malware in the wild that focuses on that firmware on Linksys wireless routers and can replicate to similar devices by itself. It does so by exploiting authentication-bypass and code-execution vulnerabilities in the Linksys wireless routers. The malware, named ‘THE MOON’, scans for other vulnerable devices to spread from router to router, and the researchers confirmed that the worm has already infected around 1,000 Linksys E1000, E1200, and E2400 routers.

In order to compromise the router, the malware remotely calls the Home Network Administration Protocol (HNAP), which allows identification, configuration and management of networking devices. The malware first requests the model and firmware version of the router via HNAP and, if the device is found to be vulnerable, it sends a CGI script exploit to gain local command execution on the device. Linksys’s parent company has confirmed that the HNAP implementation has a security flaw whose exploit code is publicly available on the Internet.

‘To what extent this worm can be dangerous’ is yet a question.

You can use the following command to verify whether your device is vulnerable or not.

echo -e "GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n" | nc routerip 8080

If you receive an XML HNAP reply, your device is likely exposed to the worm affecting Linksys devices, and preventive measures should be taken. Also keep an eye on the logs for ports 80 and 8080. Users are recommended to disable remote administration of their device, or to limit administration rights to a small number of trusted IP addresses.

Source : THN, SANS

Adobe released an emergency update today for its Flash Player to guard against a zero-day exploit, which could allow attackers to gain remote access to an affected machine. The security flaw has been elevated to “critical” status, which is Adobe’s highest threat level. Ars Technica reports the exploit can be triggered by “underlying code that could be exploited to execute arbitrary code” if a person navigates to a malicious site hosting an attack.

Windows and Mac users are affected by this zero-day exploit if running Adobe Flash Player and earlier versions. Linux users are also affected if running or earlier versions of Flash Player. Users running Google Chrome or Internet Explorer 10/11 will automatically be updated to the latest Adobe Flash Player version, which is bundled with the browser. Other users are advised to install the update as soon as possible.

Source: Adobe , softonic


1. Smart Appliances

Smart TVs, smart fridges and other internet-connected home appliances, ranging from medical equipment to security cameras, are widely expected to become a “magnet for hackers” says Kevin Haley, director of Symantec Security Response in a blog post.

Companies building internet-connected appliances such as smart TVs often don’t recognize potential security risks, says internet security firm Symantec. (Thomas Peter/Reuters)

“The companies building gadgets that connect to the internet don’t even realize they have an oncoming security problem,” Haley wrote.

“These systems are not only vulnerable to an attack — they also lack notification methods for consumers and businesses when vulnerabilities are discovered. Even worse, they don’t have a friendly end-user method to patch these new vulnerabilities.”

One of the concerns is that hackers logging into such appliances may be able to get information about who is home at a given time of day, noted Fortiguard, adding, “This is bound to give cybercriminals new and nefarious ideas around how and when to rob someone’s home.”

Fortiguard predicts we’ll see the first mass malware for home devices such as smart TVs and appliances later in 2014.

2. Social networks

Attacks by cybercriminals are becoming more targeted, and social networks are becoming a useful source of data for crafting these types of attacks.

Websense predicts that in 2014 hackers will increasingly make use of services such as LinkedIn to lure executives and other potentially lucrative targets.

“This highly targeted method will be used to gather intelligence and compromise networks.”

Haley of Symantec adds that cybercriminals won’t just be turning to big social networks.

“Scammers, data collectors and cybercriminals will not ignore any social network, no matter how “niche” or obscure,” he wrote. “Users who feel it’s just them and their friends on these new sites are in for a big (and unpleasant) surprise.”

3. The cloud

Businesses are increasingly storing their data in the cloud and on servers outside their own network, and Websense predicts that criminals will increasingly turn their attention to that data this year.

“Hackers will find that penetrating the data-rich cloud can be easier and more profitable than getting through the ‘castle walls’ of an on-premise enterprise network,” Websense says.

Sophos predicts that cybercriminals will target mobile devices and the credentials of individual employees to gain access to the cloud, perhaps employing blackmail via “ransomware” that threatens to go public with confidential data if the criminals aren’t given what they ask for.

4. Android

According to Sophos, malware aimed at Google’s Android grew exponentially in 2013, and is expected to keep growing in 2014 because of the operating system’s dominant share of the smartphone market.

Trend Micro predicts the number of malicious and high-risk apps for the Android operating system will hit three million in the coming year.

“While we expect that new security features in the Android platform will make a positive change in infection rates over time, their adoption will be slow, leaving most users exposed to simple social engineering attacks,” the company wrote.

It added that the mobile devices that run Android are “an attractive launching pad for attacks aimed at social networks and cloud platforms.”

Fortiguard expects Android malware to expand beyond mobile devices in 2014 to industrial control systems in devices such as smart home appliances.

5. Java

Plug-ins that allow browsers to run apps in the Java programming language – already responsible for some high-profile cyberattacks – will continue to be exploited in 2014, security experts say.

“In 2014, cybercriminals will devote more time to finding new uses for tried-and-true attacks and crafting other aspects of advanced, multi-stage attacks,” the company predicted.

Security patches for older versions of Java and Windows are no longer being issued, even when new exploits are found, despite the fact that there are many systems still using this software.

Trend Micro predicts that in the coming year, that “lack of support” will expose millions of PCs to attack.

Source :

Would NFC smartphones have helped at Target?

Posted: January 27, 2014 in Analysis

Recent massive data breaches at Target and Neiman Marcus have re-ignited a campaign by retailers to get U.S. consumers to carry “PIN and chip” credit and debit cards to replace the decades-old magnetic stripe cards used by 90% of Americans.

Such PIN and chip cards would do what dozens of newer-model smartphones with NFC chips are already doing while using payment apps like Google Wallet and Isis. So why isn’t the focus on promoting near-field communication smartphones instead of PIN and chip cards?

The answer is complicated and political, primarily because there are questions over who is liable for a data breach — the retailers or the financial institutions and their associated card processing companies such as Visa and MasterCard. It is also expensive to install point-of-sale (POS) terminals in millions of retail locations and at ATMs that can read chips on the newer contactless cards, as well an NFC signal from a smartphone.

Source : CSO Online