RATS scanning tool provides a security analyst with a list of potential trouble spots on which to focus, along with describing the problem, and potentially suggest remedies. It also provides a relative assessment of the potential severity of each problem, to better help an auditor prioritize. This tool also performs some basic analysis to try to rule out conditions that are obviously not problems.

As its name implies, the tool performs only a rough analysis of source code. It will not find every error and will also find things that are not errors. Manual inspection of your code is still necessary, but greatly aided with this tool.

Requirements

RATS requires expat to be installed in order to build and run. Expat is often installed in /usr/local/lib and /usr/local/include. On some systems, you will need to specify –with-expat-lib and –with-expat-include options to configure so that it can find your installation of the library and header. Expat can be found here.

You can download RATS here:

Source Code: rats-2.3.tar.gz
Windows Binary: rats-2.3-win32.zip

Or read more here.

Goals

1. Identify the prevalence and probability of different vulnerability classes.
2. Compare testing methodologies against what types of vulnerabilities they are likely to identify.

The statistics was compiled from web application security assessment projects which were made by the following companies in 2008 (in alphabetic order):

• Blueinfy
• Cenzic with Hailstorm
• DNS with WebInspect
• Encription Limited
• HP Application Security Center with WebInspect
• Positive Technologies with MaxPatrol
• Veracode with Veracode Security Review
• WhiteHat Security with WhiteHat Sentinel

The statistics includes data about 12186 sites with 97554 detected vulnerabilities. The report contains Web application vulnerability statistics which was collected during penetration testing, security audits and other activities made by companies which were members of WASC in 2008. The statistics includes data about 12186 sites with 97554 detected vulnerabilities.

You can find the full study here:

Web Application Security Statistics

It’s a fair move by Mozilla though as the add-on can cause security vulnerabilities in Firefox outside of their control. They can’t fix the software, so the best thing they can do to ensure user safety is to block it.

Compounded with the fact it’s extremely hard for users to remove the add-on themselves the block is a good idea.

Mozilla late Friday blocked the Microsoft-made software that had put Firefox users at risk from attack.

The two-part Microsoft component — an add-on dubbed “.NET Framework Assistant” and a plug-in named “Windows Presentation Foundation” — have been blocked by Mozilla as a precautionary measure, said Mike Shaver, the company’s head of engineering.

“Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plug-in for all users via our blocklisting mechanism,” Shaver said in an announcement posted Friday night to the company’s security blog .

The annoying thing is these add-ons are installed in Firefox without any kind of prompt or permission given by the user.

Microsoft pushed them out with the .NET Framework 3.5 Service Pack 1 (SP1) update in February this year, so our browsers have been vulnerable since then.

The software was almost impossible to remove without some registry hacking, Microsoft did remedy this later – but still how many people would know?

Mozilla maintains an add-on/plug-in blocking list that automatically bars risky software from being used by Firefox. The open-source company first used the blocker in 2007. Mozilla has used the tool only nine times, including Friday’s blocking of the Microsoft add-on and plug-in. In May 2008, for example, Mozilla added a Vietnamese language pack for Firefox to the blocking list when the pack was found to contain a worm.

According to Shaver, Microsoft gave Mozilla the go-ahead to block the .Net Framework Assistant and the Windows Presentation Foundation.

Last week, Microsoft’s security team acknowledged that its software — which had been silently installed in Firefox as far back as February 2009 — contained a critical vulnerability that could be used by hackers to hijack Windows PCs. The same vulnerability also affected all versions of Internet Explorer (IE), including the newest version, IE8.

Thankfully Firefox has the blocklist functionality and they have been aggressively moving towards ensuring 3rd party additions are also secure and don’t comprise the integrity of the platform.

Last month they warned users with out of date Flash plugins to update.

Firefox 3.6 will be even more aggressive in this aspect warning users when they visit a site that relies on one or more outdated add-ons.

Source: Network World

The following links provide more information about the Naptha denial-of-service vulnerabilities:

• The original BindView advisory is archived here.
• The advisory that CERT/CC published for the Naptha vulnerabilities is here.

The Tool

To study and show the Naptha vulnerabilities, Bob Keyes wrote the Naptha tool. The tool was written in C and used libpcap to read packets from the network and libdnet to craft packets.

The Naptha tool actually consists of two programs: a program called synsend whose only function is to send TCP SYN packets to the target system, and a program called srvr whose function is to respond to specific traffic received from the target system with TCP packets with specific TCP flags set. Both what traffic to respond to and how to respond to it are specified by the user via command-line arguments.

You can download Naptha here:

naptha-1.1.tgz

Or read more here.

The exploit isn’t 100% reliable but it’s still fairly significant in my eyes as it is a critical vulnerability and can be used for code execution.

Vista isn’t the most popular OS still so perhaps Microsoft don’t the threat being that wide as the protocol this exploit focuses on (SMB 2) was only introducted in Vista.

A security researcher has downplayed the significance of publicly released attack code exploiting a critical vulnerability in newer versions of Windows, saying it isn’t reliable enough to force Microsoft to issue an emergency patch.

The exploit, which on Monday was folded into the open-source Metasploit penetration testing kit, is at best successful only 50 percent of the time, said Dave Aitel, CTO of security firm Immunity. Given the burden of releasing out-of-schedule patches, Microsoft is unlikely to do so in this case.

“To move something like Microsoft you’ve got to have something major and this isn’t quite it,” Aitel, whose company released its own attack code two weeks ago. “It’s going to be a lot of work to take the exploit where it is to something that works enough that they will do that.”

It seems like the exploit is more reliable with Windows on VMware, but honestly how commonly do you see that? With a real native Windows installation they are only seeing a 10% success rate.

Which really isn’t that serious is it?

Apparently Immunity have made it much more reliable, but they have poured a ton of resources into it.

The vulnerability, which surfaced three weeks ago, resides in file-sharing technology called SMB2, short for server message block version 2, which was first added to Windows Vista and later made its way into newer versions of the operating system. While the Metasploit exploit is sophisticated, it is frequently thwarted by a security measure known as ASLR. Short for address space layout randomization, it picks a different memory location to load system components each time the OS is started.

Without being able to predict where required code will be located, the Metasploit attack isn’t reliable enough to prompt Microsoft to take the drastic step of releasing a patch outside of the regularly scheduled update cycle. The software giant adopted the patch routine to make life easier on system administrators by allowing them to plan and test updates before installing them on huge numbers of business critical machines.

The Metasploit exploit in many cases is able to get around ASLR by targeting memory locations that are predictable when Windows is running on VMware. But when the exploit targets the OS running directly on a computer, the success rate can be as low as 10 percent.

Microsoft will patch this eventually, but I doubt it’ll be soon and they definitely won’t be rushing an out-of-schedule patch out just for this vulnerability.

The question is can the bad guys fashion this into a reliable exploit and get some major ownage going on?

Source: The Register

It’s a pretty serious flaw this time with root escalation, thankfully it’s only a local exploit though and not remotely exploitable.

Although a user could get user access on the system through an exploit in a web facing application, and use some kind of PHP/Python web shell to exploit and get root.

A security researcher has uncovered a security bug in the FreeBSD operating system that allows users with limited privileges to take full control of underlying systems.

The bug in FreeBSD’s kqueue notification interface makes it trivial for those with local access to a vulnerable system to gain full root privileges, Przemyslaw Frasunek, an independent security consultant in Poland, told The Register. It affects versions 6.0 through 6.4 of the operating system, the last two versions of which enjoy wide use and continue to be supported by the FreeBSD Foundation.

Versions 7.1 and and beyond are not vulnerable.

With a lot of people still using FreeBSD 6.3 and 6.4, amongst the FreeBSD community I’d say this could be quite a widespread problem.

A lot of BSD boxes are used for web hosting too, so I’d imagine a lot have SSH access enabled giving people local access and the capability of executing this exploit.

Those exploiting the bug must first have local access to a vulnerable system, either as a legitimate user or by exploiting some other flaw (say, a vulnerable PHP script) that gives an attacker a toe-hold in to the targeted system. Frasunek said the vulnerability is trivial to exploit, as a video he posted here suggests.

The bug is the result of a race condition in the FreeBSD kqueue that leads to a NULL pointer dereference in kernel mode. Attackers can cause vulnerable systems to run malware by putting the code in a memory page mapped to address 0×0.

Frasunek said he notified FreeBSD officials on August 29 and has yet to get a response. Robert Watson, a FreeBSD Core Team member, told El Reg that it appeared the email had gotten “lost in the slew” and he expected an advisory to be issued soon.

If you’re using the latest production release (at this time 7.2) you aren’t vulnerable to this problem, I hope to see them backport the patch to the previous versions as they still have a sizable following.

You should see an advisory hitting the mailing lists soon, and I’d expect it to be fixed pretty quickly too.

Beware if you are using FreeBSD and have users with local access you don’t trust.

Source: The Register

4f’s purpose is to find vulnerabilities in code that parses file formats including configuration files.

4f uses specialized modules for fuzzing code that interprets file formats. Several modules are included and more can be written to follow other file formats.

A module system is in place for fuzzing any file format you like as long as you know its specification

Custom debugger gathers crucial debugging information on crash, logs it, then continues fuzzing.

Usage

USAGE DETAILS

USAGE:   ./4f <-T /usr/bin/target> <-M #> [-N fuzz.conf]
         [-A ARGS] [-R /output] [-L log.txt] [-C] [-D]

INFO:    [-O Fuzzing Oracle] [-S Modules Available]

You can download 4f here:

4f.tar.gz

Or read more here.

So far Redhat has offered a workaround for the flaw and Juniper has responded that their equipment is not vulnerable.

It could be that Juniper doesn’t really understand the attack yet, if so that’s bad news as most of the Internet backbone (ISP Level) runs on Juniper equipment.

Microsoft and Cisco have issued updates that protect against a new class of attack that requires very little bandwidth and can leave servers and routers paralyzed even after a flood of malicious data has stopped.

The bug in the TCP, or transmission control protocol, was disclosed in October by security researchers Jack Louis and Robert E. Lee of Sweden-based Outpost24. It gave many security watchers pause because it provided attackers with a new way to launch potentially crippling attacks on a wide array of equipment used to route traffic over the internet.

“This is definitely momentum and other vendors, once they fully understand what has been talked about here, will come up with mitigation strategies of their own,” Lee told The Register. “This really is good progress from both Microsoft and Cisco.”

Microsoft rolled it out in their normal “Patch Tuesday” fashion and Cisco issued a bulletin about especially disruptive DoS attacks.

Good to see it being addressed finally, I guess it took Microsoft some time and money in R&D to come up with a satisfactory solution.

I wonder if any other vendors will be following suite shortly.

On Tuesday, Microsoft responded with MS09-048, a security advisory that fixes a variety of networking vulnerabilities in Windows operating systems, including those discovered by Louis and Lee. The update implements a new feature called memory pressure protection, which automatically drops existing TCP connections and SYN requests when attacks are detected.

The update from Microsoft came during the company’s Patch Tuesday, in which it fixed a total of eight security vulnerabilities in various versions of its Windows operating system. In all, Microsoft issued five patches, which change the way Windows processes javascript, MP3 audio files and wireless signals. As always, the Sans Institute provides a helpful overview here.

Cisco issued it’s own bulletin warning that multiple products are vulnerable to DoS, or denial-of-service attacks that can be especially disruptive.

It’s often hard to fix problems like this in core components because a band-aid solution could end up breaking some of the functionality, especially with something like the TCP stack which is relied on so heavily.

Even then, a patch is released but how many people actually apply it? Cisco equipment is well known for being hard to manage/patch so I’d imagine many network devices will remain unpatched.

Source: The Register

Apparently one the remote SSH keys was compromised allowed attacked to upload code, the scary part is they could upload a trojaned version of Apache, which over a few days could be downloaded by thousands of people.

Very little seems to be known about what damage was done and no-one is claiming responsibility for it.

The website of Apache was taken offline for several hours on Friday after the SSH remote administration key on one of its servers was compromised.

SSH is a widely used technology for remote administration, so in the worst scenario the compromise created a means for hackers to upload Trojanised code onto the download section of Apache’s website. Around 50 per cent of webservers run Apache, according to the latest stats from Netcraft, so any problem would be extremely widely felt.

It’s unclear at present whether any code on the Apache website was actually modified. Nor do we know how the attack was carried out or who was behind it.

According to the Apache Infrastructure Team, in their own words:

“To the best of our knowledge at this time, no end users were affected by this incident, and the attackers were not able to escalate their privileges on any machines.”

You can read their initial report here.

Apache’s web site was restored after DNS records were changed so that servers based in Europe rather than at the main US site were carrying the load.

Rik Ferguson, a security researcher at Trend Micro, notes that the same type of compromised SSH key problem led to attacks that attempted to install rootkits on Linux based systems in August 2008.

Screenshots of Apache’s statement on the incident, since removed, have been preserved for posterity in a blog posting by Trend Micro here and F-Secure here. ®

They have restored all the servers from back-up images and I hope they’ve changed all the SSH keys, we can keep an eye on the progress and see if any more details crop up.

It’d be interesting to know the motives behind the attack, was it political or for money?

Apache currently scores about 47% of all global web-servers, so we better hope there isn’t a backdoor slipped in.

Source: The Register (Thanks Droope)

Usage

Graudit supports several options and tries to follow good shell practices. For a list of the options you can run graudit -h or see below. The simplest way to use graudit is;

graudit /path/to/scan

You can download Graudit v1.1 here:

graudit-1.1.tar.bz2

Or read more here.