Social Engineering
Public Release Date: 4/01/2010
Vendor: Alienvault (www.alienvault.com)
============= Technical Details =============
The page /ossim/control_panel/alarm_console.php is vulnerable to a CSRF vulnerability. An attacker can send a malicious link to an authorized OSSIM user and, by social engineering, provoke the deletion of all the alarms:
/ossim/control_panel/alarm_console.php?delete_backlog=all
Nicolas Grandjean
When it comes to exploitative penetration testing, I rely on tactics
rather than exploits. I've already talked about how insecure Remote
Desktop service could be. In this post I will show you how easy it is
to compromise a well protected Windows Terminal or CITRIX server with
a simple social engineering attack and some knowledge about the
platform we are about to exploit.
The attack is rather simple. All the bad guys have to do is to compose
a malicious RDP (for Windows Terminal Services) or ICA (for CITRIX)
file and send it to the victim. The victim is persuaded to open the
located on Internet.
All a remote attacker has to do is plant a malicious DLL with a specific
name on a network share and get the user to open any file from this
network location with any Windows application - which should require
minimal social engineering. Since Windows systems by default have the Web
Client service running - which makes remote network shares accessible via
WebDAV -, the malicious DLL can also be deployed from an Internet-based
network share as long as the intermediate firewalls allow outbound HTTP
traffic to the Internet.
shares located on Internet.
All a remote attacker has to do is plant a malicious DLL with a specific
name on a network share and get the user to open a specially crafted file
from this network location - which should require minimal social
engineering. Since Windows systems by default have the Web Client service
running - which makes remote network shares accessible via WebDAV -, the
malicious DLL can also be deployed from an Internet-based network share as
long as the intermediate firewalls allow outbound HTTP traffic to the
Internet.
vulnerability is in the streaming component of Microsoft Windows,
attacks can be launched from a malicious website or any application
that delivers Web content. In Windows Explorer, if the Web View Content
is enabled, which is the default setting, a single click will open the
malicious file in the preview pane and trigger the vulnerability. An
attacker can host a malicious AVI file and use social engineering
techniques to trick a user into visiting the site or to deliver the
hostile code to a user via e-mail, for example.
IV. DETECTION
Topics could be anything from auto meter crooking and hacking cars to
hacking mobile networks, anything that would make people stand up and
take notice.
A subset of topics we would be interested in (but not
limited to): Application security, Web security, social engineering,
Mobile Networks GSM/CDMA/3G, Bluetooth, OS/Kernel, Virtualization,
cloud security/hacking, protocol vulnerabilities, hardware security,
cyber warfare, cyber forensics, cryptography, spam, malware, L2-L4
hacking.
CVE-2009-3076
Jesse Ruderman discovered that the user interface for installing/
removing PKCS #11 security modules wasn't informative enough, which
might allow social engineering attacks.
CVE-2009-3077
It was discovered that incorrect pointer handling in the XUL parser
could lead to the execution of arbitrary code.
trigger a heap based buffer overflow.
III. ANALYSIS
Successful exploitation allows an attacker to execute arbitrary code in
the context of the current user. Social engineering is required, as an
attacker must trick a user into viewing an image in the Web Browser,
viewing an e-mail with an embedded image, opening an office file with an
embedded image, or downloading an image file and opening it within a
graphics rendering program.
fix presented vulnerabilities and is more exploitable than 3.0-1.
An attacker can steal the UserID, Passcode, Domain code and Registration
code before they are sent back to the server itself, and can potentially
poison the user's navigation and steal other sensitive information
via social engineering (injecting additional fields into the form or
showing "additional functions" to the user), abusing the user's trust.
Remediation consists of properly escaping the user-controlled inputs.
provide the required security properties. Virtual organizations often
use the Internet to support collaboration. The Internet, operating
systems and distributed environments currently suffer from poor
security support and cannot resist common attacks (spamming, worms,
session hijacking, buffer overflow, denial of service, social
engineering, etc.). Collaborative organizations require better
security properties (strong authentication, efficient encryption,
Mandatory Access Control, integrity, non-repudiation and
availability). Nowadays, collaborative organizations use new
technologies such as mobile devices, smartcards, wireless networks,
high performance networks, grid computing, multi-agent systems,
>CourtTV (TruTV) has a new series starting Dec 25 called "Tiger
>Team". They will air the first two episodes back-to-back at 11 pm
>and 11:30 pm ET.
>
>It follows a group of penetration testers hired to test the
>security of organizations through social engineering,
>wired/wireless penetration testing, and physically defeating
>security mechanisms (lock picking, dumpster diving, going through
>air vents/windows). They attempt all of this while avoiding
>organizations' defenses (and local law enforcement). Think "To
>Catch a Thief", but better.
o Network scanning and analysis
o Cryptography
o Malware Analysis
o Reverse engineering
o Forensics and Anti-forensics
o Social engineering
o Web application security
o Database security
o Legal aspects of computer security and surrounding issues
o Law enforcement activities
o Telecommunications security (mobile, GSM, VOIP, etc)
From GFI's website:
"GFI WebMonitor offers web security features that allow you to control your
employees' Internet access by monitoring what files employees are downloading, to
block file types such as MP3s and to scan all files for viruses, spyware and malware
using multiple antivirus engines. GFI WebMonitor lowers the risk of social engineering
by blocking access to phishing websites through the use of an auto-updatable database
of phishing URLs. The web monitoring features also allow you to monitor and block
Live Messenger (MSN) chat sessions and file transfers."
GFI's Website can be found at http://www.gfi.com
located on Internet.
All a remote attacker has to do is plant a malicious DLL with a specific
name on a network share and get the user to open a media file from this
network location in iTunes - which should require minimal social
engineering. Since Windows systems by default have the Web Client service
running - which makes remote network shares accessible via WebDAV -, the
malicious DLL can also be deployed from an Internet-based network share as
long as the intermediate firewalls allow outbound HTTP traffic to the
Internet.
13:15 Invited Talk: Ahmad Sadeghi, TU Darmstadt
14:15 Session: Attacks
Reverse Social Engineering Attacks in Online Social Networks
Danesh Irani, Marco Balduzzi, Davide Balzarotti, Engin Kirda, Calton Pu
Timing attacks on VoIP PIN input (Short Paper)
Ge Zhang, Simone Fischer-Hübner
vulnerability on the event log page resulting from
displaying unsanitized user input received from an invalid
login attempt.
This can be exploited without valid credentials or social
engineering. Access to device administration IP address is
needed and an administrator has to view event log at some point,
however.
Successful attack requires that an administrator visits event
log page, thus enabling the attacker to control the chassis
EDLGraph is a social engineering tool that harvests email addresses in the
public domain and produces a graph linking FQDN domains in a single row based
on public user interaction records.
http://sourceforge.net/projects/edlgraph/
The source code can be obtained from the svn:
https://edlgraph.svn.sourceforge.net/svnroot/edlgraph
> computer completely from processing Group Policies.
And the exploit requires that a domain administrator have logged into
the target system at some point. If a domain administrator did that
once, it's probably not hard to make it happen again, with a little
social-engineering grease. And since the attacker is a local
administrator on that machine, it'd be easy to simply capture the domain
administrator's credentials (at least if password authentication is
being used).
Hell, I'd bet lots of domain administrators, when logging into a user's
located on Internet.
All a remote attacker has to do is plant a malicious DLL with a specific
name on a network share and get the user to open a specially crafted HTML
file from this network location - which should require minimal social
engineering. Since Windows systems by default have the Web Client service
running - which makes remote network shares accessible via WebDAV -, the
malicious DLL can also be deployed from an Internet-based network share as
long as the intermediate firewalls allow outbound HTTP traffic to the
Internet.
failed to react.
SecurityVulns issue: http://securityvulns.com/news/Planet/VC-200M/DoS.html
Original message (in Russian): http://securityvulns.ru/Rdocument847.html
2. MustLive reports a low-risk (requires social engineering) yet
interesting example of cross-site scripting in Internet Explorer. Local
zone scripting is possible on accessing a saved page with the original URL
in the form of
http://site/-->[script]alert("XSS")[/script]
* Cryptography
* System Weaknesses
* Infrastructure and Critical Systems
* Reverse Engineering
* Social Reverse Engineering
* Reversing Social Engineering
* Caipirinha and Feijoada Hacks
* and everything else information security related that our attendees
would enjoy; the coolest, most different and most creative submissions win,
keep that in mind!
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the current user. In order to exploit this
vulnerability, a user must load a web page containing a specially
crafted TIFF image. An attacker typically accomplishes this via social
engineering or injecting content into compromised, trusted sites.
Typical social engineering attacks will pass URLs as part of instant
messages or electronic mail.
IV. DETECTION
>
> > With all the proliferation of phone home for update systems in
> > even trivial software packages these days, neophyte users
> > can easily get confused about legitimate upgrades and imposters.
> > So someone is trying to take advantage of this with an
> > automated version of an old school social engineering
> > attack via Skype spam.
> >
> > Someone/something/.someone's-botnet on skype last night
> > contacted users who reported it to me. The messages were
> > formatted to resemble Microsoft update messages or an AV scan
Attack vectors:
///////////////
There are two main attack vector schemes:
- inducing a remote user to launch a WWW link after obtaining the names and locations of arbitrary file(s) on the remote system. After clicking the link, the files' contents are unrecoverably destroyed. This attack vector thus requires additional social engineering of the victim to acquire the exact name and location of the potential target files.
- inducing a remote user to launch a WWW link resulting in corruption of vital Operating System files, leaving the system unusable. This attack vector DOESN'T require any additional social engineering of the victim, because the system files are always placed in predictable locations.
During a penetration test, RedTeam Pentesting discovered that the emails
sent by the IceWarp WebMail Server when using the "Forgot Password"
function are generated on the client side. Furthermore, the server
expands certain keywords in these emails to users' full names, usernames
and passwords. This allows for advanced social engineering attacks and
the potential disclosure of usernames and passwords.
Details
=======
The schedule (which can be found at https://deepsec.net/schedule) covers a
range of topics including botnet analysis, web application security, malware
detection/analysis, legal and administrative issues, secure coding and code
review, hardware and firmware attacks, attacking/hardening databases, social
engineering, dealing with rich Internet applications (RIAs) and, of course,
the Digital Armageddon (coming soon to a server near you).
Key speakers include:
- Adam Laurie (http://rfidiot.org/)