Saturday, March 12, 2011

USB autorun attacks against Linux

Many people think that Linux is immune to the type of Autorun attacks that have plagued Windows systems with malware over the years. However, there have been many advances in the usability of Linux as a desktop OS - including the addition of features that can allow Autorun attacks.

This Shmoocon presentation by Jon Larimer from IBM X-Force starts off with a definition of autorun vulnerabilities and some examples from Windows, then jumps straight into the Linux side of things.

Larimer explains how attackers can abuse these features to gain access to a live system by using a USB flash drive. He also shows how USB as an exploitation platform can allow for easy bypass of protection mechanisms like ASLR and how these attacks can provide a level of access that other physical attack methods do not.

The talk concludes with steps that Linux vendors and end-users can take to protect systems from this threat to head off a wave of Linux Autorun malware.

Google Releases Chrome 10

Google has released Chrome 10.0.648.127 for Windows, Mac and Linux. The jump from 9 to 10 brings new features but also some important security fixes and improvements. This first stable version of Chrome 10 fixes 23 security related problems that were present in the latest stable version of Chrome 9. Under the Chromium Security Rewards program, 20 of the 23 vulnerabilities were eligible for cash payments from Google. The highest payment of $1500 was to Sergey Glazunov for finding a problem relating to a stale pointer within the SVG cursors code.
The details of these fixes aren’t yet available to the public as Google restricts the access to the fix details until “the majority of Chrome users have updated to the latest patched version.”
As well as the security related fixes, Chrome 10 adds new features to Chrome including:
  • New version of V8 – Crankshaft – which greatly improves JavaScript performance
  • New settings pages that open in a tab, rather than a dialog box
  • Improved security with malware reporting and disabling outdated plugins by default
  • Sandboxed Adobe Flash on Windows
  • Password sync as part of Chrome Sync now enabled by default
  • GPU Accelerated Video
  • Background WebApps
  • webNavigation extension API (experimental but ready for testing)
From a security point of view one of the most interesting features is the extension of Chrome’s sandbox to include the integrated version of Flash. Users of Windows Vista or Windows 7 now benefit from an additional layer of protection against malicious webpages.

Google have made this video to explain how it works:


Apple updates Java for OS X 10.5 and 10.6

Apple has released Java for Mac OS X 10.5 Update 9 and Java for Mac OS X 10.6 Update 4. The updates effectively upgrade J2SE 5.0 to update 28 (Java 1.5.0_28) and Java SE 6 to update 24 (Java 1.6.0_24).
Multiple vulnerabilities exist in J2SE 5.0 update 26 (Java 1.5.0_26) and Java SE 6 update 22 (Java 1.6.0_22), the most serious of which may allow an untrusted Java applet to execute arbitrary code outside of the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are fixed in Java version 1.5.0_28 and 1.6.0_24.
Oracle previously released these updates for Java in February and these Apple updates are a result of these fixes trickling down to the official OS X release.
Apple have officially deprecated the Apple port of Java to OS X and told developers to “not rely on the Apple-supplied Java runtime being present in future versions of Mac OS X”.

However they have (together with Oracle) announced the OpenJDK project for Mac OS X and that “Apple will contribute most of the key components, tools and technology required for a Java SE 7 implementation on Mac OS X, including a 32-bit and 64-bit HotSpot-based Java virtual machine, class libraries, a networking stack and the foundation for a new graphical client.”

Monday, March 7, 2011

bfcrypt - Crypto scanner for Linux

There are several existing crypto scanners, but they are all for Windows, and are closed source:

  • PEiD with the Krypto Analyzer (KANAL) plugin
  • IDA Pro with the Findcrypt plugin
  • OllyDbg with the SnD Crypto Scanner
  • x3chun's Crypto Searcher
  • Keygener Assistant
  • Hash & Crypto Detector (HCD)
  • Draft Crypto Analyzer (DRACA)
Download it here: available on GitHub under the GPLv2 license.

For now, it can detect Blowfish and MD5, but it will support more in the future.


    $ bfcrypt ShrekW.BIN
    Blowfish P-array  (0x243f6a88) found at 0x0008bc90
    Blowfish S-box[0] (0xd1310ba6) found at 0x0008bcd8
    Blowfish S-box[1] (0x4b7a70e9) found at 0x0008c0d8
    Blowfish S-box[2] (0xe93d5a68) found at 0x0008c4d8
    Blowfish S-box[3] (0x3a39ce37) found at 0x0008c8d8
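As an added illustration of what a scanner like this does (this is example code, not bfcrypt's own, whose matching method the post does not describe), the Python below searches a binary for runs of the Blowfish constants shown in the output above and for the standard MD5 constants, in both byte orders. It runs against a constructed sample image with the tables planted at known offsets, or against a file given on the command line.

```python
import struct

# Signatures: runs of consecutive 32-bit words from well-known tables.
# The Blowfish values are the ones bfcrypt prints above (plus the second
# P-array word); the MD5 values are the standard initial state and the
# first three sine-table entries. Longer runs give fewer false positives,
# so single-word signatures like the S-box ones are the weakest matches.
SIGNATURES = {
    "Blowfish P-array":  [0x243F6A88, 0x85A308D3],
    "Blowfish S-box[0]": [0xD1310BA6],
    "Blowfish S-box[1]": [0x4B7A70E9],
    "Blowfish S-box[2]": [0xE93D5A68],
    "Blowfish S-box[3]": [0x3A39CE37],
    # These four words are shared by MD5 and SHA-1, so label them jointly.
    "MD5/SHA-1 initial state": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "MD5 sine table T[1..3]":  [0xD76AA478, 0xE8C7B756, 0x242070DB],
}


def scan(data):
    """Return (name, endianness, offset) for every signature hit in data."""
    hits = []
    for name, words in SIGNATURES.items():
        for endian, fmt in (("LE", "<"), ("BE", ">")):
            needle = struct.pack(f"{fmt}{len(words)}I", *words)
            pos = data.find(needle)
            while pos != -1:
                hits.append((name, endian, pos))
                pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[2])


def build_sample():
    """Constructed test image: filler with a few tables planted at known offsets."""
    buf = bytearray(bytes(range(256)) * 4)  # 1 KiB of filler that matches nothing
    buf[0x100:0x108] = struct.pack("<2I", 0x243F6A88, 0x85A308D3)        # Blowfish P[0..1], LE
    buf[0x148:0x14C] = struct.pack("<I", 0xD1310BA6)                     # Blowfish S[0][0], LE
    buf[0x300:0x30C] = struct.pack(">3I", 0xD76AA478, 0xE8C7B756, 0x242070DB)  # MD5 T, BE
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, endian, off in scan(data):
        print(f"{name:24s} ({endian}) found at 0x{off:08x}")
```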

    source from