TechExams Blogs

Archive for October, 2007

Critical Update for a Visual Basic 6 Runtime DLL

Friday, October 26th, 2007

Back in August 2007, Microsoft released a critical update for a Visual Basic 6 Runtime file. The file, OLEAUT32.DLL, contains a vulnerability that can be exploited to give an attacker complete control of a computer if the logged-on user has Administrator privileges. The exploit may be performed by a COM component or an ActiveX control residing in a Windows application or a Web page.

The vulnerability itself is caused by the improper checking of input data, allowing specially crafted memory requests to be passed to the Windows OLE Automation service. The OLEAUT32.DLL library provides the API to COM and ActiveX components to access this service. The update released by Microsoft patches the vulnerability by adding validity checking to memory requests.
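As an added illustration (not Microsoft’s code, and not the actual OLEAUT32 defect, whose internals this post does not describe), here is the class of problem that “validity checking to memory requests” guards against: an allocator that trusts a caller-supplied element count and element size. The request limit, the constructed count and the function names are assumptions for the example.

```c
/* Illustrative example, not OLEAUT32 code: a COM/Automation-style
 * array allocator that takes a caller-controlled count and element
 * size. The unchecked path multiplies them in 32-bit arithmetic, so a
 * crafted count wraps to a tiny allocation that later code treats as
 * large. The checked path rejects zero sizes, wraparound and
 * oversized requests before any memory is touched. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Assumed policy: no single request may exceed this many bytes. */
#define MAX_REQUEST_BYTES (64u * 1024u * 1024u)

/* Unchecked: unsigned multiplication silently wraps (the bug pattern). */
uint32_t request_bytes_unchecked(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* Checked: returns 1 and writes *out_bytes only for a sane request. */
int request_bytes_checked(uint32_t count, uint32_t elem_size,
                          uint32_t *out_bytes)
{
    if (count == 0 || elem_size == 0)
        return 0;                              /* nothing sensible to allocate */
    if (count > UINT32_MAX / elem_size)
        return 0;                              /* count * elem_size would wrap */
    uint32_t total = count * elem_size;
    if (total > MAX_REQUEST_BYTES)
        return 0;                              /* exceeds assumed policy limit */
    *out_bytes = total;
    return 1;
}

/* Convenience wrapper: validated byte count, or 0 if rejected. */
uint32_t checked_or_zero(uint32_t count, uint32_t elem_size)
{
    uint32_t bytes = 0;
    return request_bytes_checked(count, elem_size, &bytes) ? bytes : 0;
}

/* Allocates a zeroed element array only after the request passes. */
void *alloc_elements_checked(uint32_t count, uint32_t elem_size)
{
    uint32_t bytes;
    if (!request_bytes_checked(count, elem_size, &bytes))
        return NULL;
    return calloc(1, bytes);
}

int main(void)
{
    /* Constructed sample: 0x40000001 elements of 4 bytes = 0x100000004,
     * which wraps to 4 in 32 bits. */
    uint32_t crafted = 0x40000001u;
    printf("unchecked: %u bytes\n", request_bytes_unchecked(crafted, 4));
    printf("checked:   %u bytes (0 = rejected)\n", checked_or_zero(crafted, 4));
    printf("normal:    %u bytes\n", checked_or_zero(1000, 4));
    return 0;
}
```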

So what’s to worry about? You faithfully run Microsoft Update on the second Tuesday of every month, right? Well, hang on to your mouse: not all critical updates released by Microsoft are distributed through Microsoft Update. This Visual Basic critical vulnerability is one that you’ll need to patch yourself.


iPhone Security Woes

Thursday, October 11th, 2007

With Apple iPhone sales continuing to soar, little attention has been paid to the mounting security woes. The only security issue I’ve seen getting serious press is the teenager who hacked the hardware and enabled his iPhone for usage on networks other than the AT&T network. I’ve witnessed several serious issues (at Blackhat), and read about more. Some of the less obvious ones are outlined below.

Got root?

Problem number one is the root factor. It has been discovered by H.D. Moore (Metasploit creator) that absolutely every application running on the iPhone runs with root privileges. Let me say that again: every application running on the iPhone runs with root privileges. For years as a security researcher, trainer, and consultant, I’ve carried the torch and sung the now familiar song titled “principle of least privilege”. However, Apple (whose employees I’ve had in class) seems to ignore this concept. What this means is that any application found to have a vulnerability essentially gives a malicious person COMPLETE control of the device. The fact is, just like the iPod, and just like Macs, the iPhone pretty much runs on a Unix kernel (or, as I’ve heard it more accurately described, an extremely Unix-like one). So we’re back to the same old security mistakes we’ve been trying to recover from for the last decade. Probably sounds hard and extremely technical to take advantage of these weaknesses, right? Well, read on.

Shell

The reason it’s not nearly as hard as it seems is because of two things. 1. The genius of H.D. Moore. 2. The “not so secure” thinking of the folks at Apple. H.D. has publicly released shell code that allows one to easily use the Metasploit framework to attack the iPhone just as we use it to attack PCs. Can somebody say rootkit-strapped iPhone? H.D. is convinced that because of these new discoveries, mobile device attacks are now primed to hit primetime. “A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list and phone hardware. Couple this with ‘always-on’ Internet access over EDGE and you have a perfect spying device,” Moore said. What he means by always-on Internet access over EDGE is the fact that when the iPhone doesn’t detect or isn’t connected to a wireless LAN, it automatically uses the EDGE data network (AT&T) for Internet access. It’s certainly not the fastest connection, but in the security research world we like very slow terminal screens when “researching” security holes. I’ve decided to go out and purchase an iPhone myself just for research purposes. I’m intimately familiar with the inner workings of Metasploit and am ecstatic about the possibilities. Hungry yet? It doesn’t stop there.

The iPhone mobile mail app, which enables the reading of MS Office documents (Word, Excel, etc.), was one feature that generated a lot of marketing buzz. It does this by an implementation of the OfficeImporter framework. Three words: file format fuzzing. To those who might be asking what the heck fuzzing is, here ya go. It is basically the process of seeing how an application behaves when it is forced to try and process data that is malformed or crafted in a format that the application is not designed to process. Take this process and automate it by crafting a script or program that dynamically sends different combinations of malformed data to an application, and you have a fuzzer. The results of doing this vary. Sometimes nothing happens, sometimes the application crashes, sometimes the OS crashes, and sometimes buffers are overflowed, which then allows the pushing of any code across to the host OS and the execution of that code with discrimination (remember the root privilege state of all iPhone apps). This is how many of the vulnerabilities we read about daily are actually discovered. There are many pre-packaged fuzzers floating around on the web; however, that’s beyond the scope of this blog topic. So again, considering that all apps on this thing run as root (including the mail app and the Officeconverter plugin), the possibilities are endless and I get all warm and “fuzzy” thinking about spending some nights and flight time “researching” this.
So imagine a person taking the time to fuzz every app that ships by default on the iPhone, finding several vulnerable apps, constructing shell code that will exploit that vulnerability, testing against his or her own iPhone, then heading to the local Starbucks to catch an unsuspecting victim showing off the coolness of the web browser on his iPhone, then running the aforementioned code against the phone with the aid of the Metasploit framework... 5 seconds pass... 5 more seconds... 10 seconds pass... he waits... then, like magic: root#. We do have to keep in mind that the master root password and other system utility passwords have already been cracked and are floating freely in the underbelly of the web.

The times are going to get real interesting real fast. As “myspace-like” social networks pop up for iPhones, look for a perfect stomping ground for new areas of ID theft, snooping, service theft, and a myriad of other sneaky things to surface.

Stay tuned.

KE

Hello TE community!

Thursday, October 11th, 2007

Welcome to the Keatron TechExams.net Blog!

Hello, everyone.

This is my first article for the blogs on TechExams.net. Some of you know me from moderating the security forums here on TE (along with JDMurray). My blogging will consist basically of infosec-related material:

* Information Security in general
* Tales from the trenches (penetration tests, forensic investigations, etc)
* Security breaches
* Cyber Law Developments
* Pentesting tools and techniques
* Vulnerability Research
* And other topics

I look forward to all your comments and suggestions in the near future.

Keatron

PayPal’s Security Key

Tuesday, October 2nd, 2007

PayPal is a great service for enabling both businesses and consumers to buy and sell goods and services online without exposing private financial information to the other parties in a transaction. As a consumer, you can safely purchase goods and services online without exposing your credit or debit card information, which could otherwise be recorded and possibly misused. As a business, you can be paid for your goods or services using the Web or email without the need to store your customers’ private financial information.

A big concern with PayPal is that anyone who knows the password of your PayPal account can access the financial services that you have authorized to be used with PayPal. For consumers, this means that unauthorized purchases or cash transfers may be performed from your credit cards and bank accounts. For a business, unauthorized PayPal access can be a source of fraudulent purchases. Password security is always the responsibility of the PayPal account holder, but now PayPal has a service that makes the disclosure of your PayPal password an almost insignificant threat.


2002-2008 TechExams.Net