Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

03 August 2006 | 4,472 views

eEye Duster – Dead/Uninitialized Stack Eraser

Check For Vulnerabilities with Acunetix

Duster is the Dead/Uninitialized Stack Eraser, an injectable DLL that causes uninitialized stack and heap memory in its host process to be wiped over with a specific value. It is intended as a crude tool to assist in the run-time discovery of uninitialized memory usage problems by increasing the chances that the host process will raise an exception when a value in uninitialized memory is used. To use Duster, just inject it into the target process (using the DLLInject utility), or add it to AppInit_DLLs (possible but not recommended).

Duster is a quick and dirty implementation of its concept, and as such, it has a number of limitations:

Stack wiping is accomplished by overwriting all memory between the stack commit “ceiling” and ESP, whenever RtlAllocateHeap, RtlReAllocateHeap, or RtlFreeHeap is called, an exception occurs, or a system call is dispatched, which seriously limits the execution flow “granularity” with which stack wiping occurs. Additionally, system call dispatch hooking is accomplished by replacing specific “INT 2Eh” or “MOV EDX, 7FFE0300h” instructions, the first of which currently relies upon a two-byte privileged instruction which is handled specially by the exception handler hook, resulting in some overhead but mostly making it difficult to use a debugger in conjunction with Duster on Windows 2000.

Heap wiping, in addition to a limited amount of heap and argument validation, is performed whenever a heap block is allocated or freed. This is roughly a subset of the functionality provided by the Windows heap manager in debug mode, with the most significant deficiency on Duster’s part being that it does not wipe memory following a call to RtlReAllocateHeap.

You can download here:

Duster

Advertisements



02 August 2006 | 7,082 views

eEye Binary Diffing Suite (EBDS)

The eEye Binary Diffing Suite (EBDS) is a free and open source set of utilities for performing automated binary differential analysis. This becomes very useful for reverse engineering patches as well as program updates.

The first tool is BDS, the Binary Diffing Starter from Andre Derek Protas. This tool helps reverse engineers with batch-analysis of patches by dispatching IDA with its many powerful plugins against groups of binaries. This especially comes in useful for Update Rollups or Service Packs, where automation is necessary to be able to reverse engineer the updates in a reasonable amount of time.

The second tool is DarunGrim, a code-analysis tool to actually find the distinct code-changes between two binaries. In Korean, DarunGrim translates to “difference in picture”. DarunGrim performs multiple matching techniques against functions in order to find function pairs and analyze the differences/similarities between the functions.

This allows reverse engineers to pinpoint code changes between two binaries with a graphical interface, much more rapid than “side-by-side” disassembly instances. Much like most powerful disassembly tools, DarunGrim is also using the power of IDA Pro for analysis.

You can download it here:

EBDS v1.0.1

More info here, IDA.


02 August 2006 | 14,337 views

Firefox Extension Spyware – FormSpy

The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks.

It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process.

The file attached to the email consists of an executable Windows program, the AXM downloader. Once launched, it fetches the extension from the Internet and records itself directly into the Firefox configuration data, avoiding the regular installation process. Firefox extensions are normally distributed as XPI files, which ask the user for confirmation after forcing a pause of several seconds.

You should be extremely careful when installing unsigned Firefox extensions from unknown sources.

Websites were found to be linking to the FormSpy website hosted at IP address 81.95.xx.xx and installing FormSpy using an old VBS/Psyme exploit targeting Internet Explorer. These websites are believed to have been penetrated and modified by hackers

You can read the McAfee info on Formspy here.

Source: Heise Security


01 August 2006 | 12,001 views

Israeli Hackers Join the War Against Palestinian Sites

Israeli hackers have decided to ‘help’ and join the war against Palestine.

The hackers group that calls itself “IDF” (which also means Israeli Defence Force) has hacked dozens of sites, erased the site content and replaced it the index with a picture of the Lebanon destruction that is made by Israeli Defence Force as an answer for the Palestinian terror in the past few days.

Above the picture they left a text saying “You touch Israel, We touch you”

Israel Hack

All Your Middle East Are Belong To US?

Source: http://livewavecam.com/hackedsited.htm


01 August 2006 | 13,986 views

SpikeSource Spike PHP Security Audit Tool

Spike is an Open Source tool based on the popular RATS C based auditing tool implemented for PHP.

The tool Spike basically does static analysis of php code for security exploits, PHP5 and call-time pass-by-reference are currently required, but a PHP4 version is coming out this week.

This tool is especially welcomed by Darknet as there aren’t many static analysis tools out there that are free, and there are very few tools for auditing PHP code..which as we all known tends to be coded quite insecurely at times (just look at phpBB and PhpNUKE).

You can find the latest version here:

Spike PHP Audit Tool


31 July 2006 | 6,409 views

WordPress 2.0.4 Released – Fixes Security Issues

Just to let you all know, if you are using WordPress you can upgrade today.

The latest stable release of WordPress (Version 2.0.4) is available.

his release contains several important security fixes, so it’s highly recommended for all users. We’ve also rolled in a number of bug fixes (over 50!), so it’s a pretty solid release across the board.

Also fixes for the serious SQL vulnerabilities that led to several WordPress sites being hacked.

Upgrading is fairly simple, just overwrite your old files with the latest from the download. If you’d like more thorough instructions, the Codex is always the best spot.

Since this is a security release, if you have any friends with blogs make sure to remind them to upgrade and lend a hand if they’re not too savvy. We’re all in this together.

As we reported here at Darknet, there was some serious security issues in 2.0.3 and below so it’s recommended you upgrade immediately.


30 July 2006 | 5,920 views

Netscape.com HACKED With Cross Site Scripting (XSS) Vulnerability

Netscape.com has been hacked via a persistent Cross Site Scripting (XSS) vulnerability in their newly launched Digg-like news service.

It seems the attacker did report the flaw to them repeatedly but they didn’t heed and ignored it, so he performed the XSS all over the site.

eplawless stated the following:

It was me. I did it. C’est moi, etc. This was in response to my having reported the month and a half old vulnerability to Netscape over a week ago. They ignored me. I reported it again, multiple times; they continued to ignore. I posted a few stories on their site, which made it to the front page and were deleted. I made the decision, in response to the recent Rose/Calacanis debacle, to add a benign script to the site that everyone would see and recognize as a compromise of security because this vulnerability is serious and they were not taking it as such. They had this coming; this isn’t a juvenile prank, and is only marginally retaliation against Calacanis for being a twit. This is making sure their users don’t get hacked too.

The guy made use of a fairly simple XSS vulnerability to inject their own javascript code snippets into pages on the website, including the homepage. As of now, it has only been used to display javascript alerts with “comical” messages and to redirect visitors to Digg.com!

Luckily nothing malicious has been done and the users aren’t at risk, as far as we know anyhow..

You can see the screenshots of the hacked JavaScript alerts here:

Shot 1, Shot 2 & Shot 3

Source: F-Secure Blog


28 July 2006 | 6,518 views

BASE 1.2.6 Released (Basic Analysis & Security Engine)

We are happy to announce that the 1.2.6 (christine) release of the Basic Analysis and Security Engine (BASE) is available.

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

I used to LOVE ACID, and I have to say BASE has taken it one step further, it’s a superb project.

A number of bugs have been fixed including some that affected IE and the setup system for BASE. A couple of interface tweaks have also been done to make it more user friendly.

The developers are currently looking for more people willing to test the BASE releases as they work on them. If you are interested, feel free to contact base@secureideas.net

The BASE team have also started coding the 2.x code base. If you have any ideas or feedback regarding that rewrite, please forward them to the BASE developers list which is a public mailing list.

You can download the new version of BASE at:

http://sourceforge.net/projects/secureideas


27 July 2006 | 17,151 views

Serious WordPress Vulnerability/Exploit Verion 2.0.3 and Below

Yes that means all versions including the current version and before, 2.0.4 has not yet been released at the current time.

An exploit has been discovered in the current release of WordPress, affecting WordPress 2.0.3 and below (including 1.5.x) that allows these subscribed users to cause some serious damage.

It’s recommended at present if you are using WordPress to disable the “Anyone can Register” option in your ‘Options’ tab.

It’s also advised you delete any unknown subscribers that haven’t commented or that you don’t know personally.

WordPress developers are aware of this flaw and hopefully it will be fixed in the 2.0.4 release which is imminent.

Leaving it open and letting people sign-up for guest accounts on your WordPress blog could lead to incredibly nasty stuff happening if anybody so desired. And trust me I am not exaggerating this. So don’t wait a second to disable this option and please relay the message.

WordPress dev team has been notified a while back and I dare hope they will soon start acting on it, if only by relaying a similar announcement through the official channel (as well as, of course, releasing a proper patch).

Source: Dr Dave


26 July 2006 | 12,144 views

HOPE Speak Steven Rombom (Rambam) Charged

It turns out yesterday one of the planned speakers at HOPE Number 6 was arrested on Saturday and is being charged by the FBI.

Security Fix obtained a copy of the complaint against “Steven Rambam” the private investigator arrested Saturday at the Hope Number Six hacker conference in New York City. The government document says Rambam is an alias, and that his real name is Steven Rombom, so that is how he’ll be referred to here henceforth.

The complaint, available here as a PDF, charges Rombom with obstruction of justice and with witness tampering, alleging that in April 2006 Rombom impersonated a federal investigator at the request of a client who had hired him to locate a government informant who was central to the client’s money-laundering indictment in 2003.

Seems like it’s not unjust though, he is getting what he deserves. He was taking things a little bit too far.

The government claims that in April Rombom located and visited the California home of the informant’s in-laws, and introduced himself as an FBI agent, flashing what the informant’s mother-in-law described as “a laminated card with an official government gold seal or badge.”

The complaint says “ROMBOM told [the mother-in-law] that he was investigating the [informant], and that her son-in-law was a very bad and dangerous person, and that there were many things about the [informant] that the in-laws probably didn’t know,” such as that the informant had been in jail many times. Rombom also told the mother-in-law that her daughter was in danger because of the informant and that he was afraid for the safety of their daughter, the government says.

1 less speaker for HOPE next time then I guess?

Source: Security Fix