End-of-Shift report
Timeframe: Wednesday 24-06-2015 18:00 − Thursday 25-06-2015 18:00
Handler: Robert Waldner
Co-Handler: n/a
Paper: Using .NET GUIDs to help hunt for malware
Tool to extract identifiers incorporated into VirusTotal.
The large number of new malware samples found each day hasn't made malware analysis an easier task, and researchers could use anything that helps them automate this task. Today, we publish a paper by Cylance researcher Brian Wallace, who looks at two globally unique identifiers (GUIDs) found in malware created using .NET, which can help link multiple files to the same Visual Studio project.
http://www.virusbtn.com/blog/2015/06_24a.xml?rss
The Powershell Diaries - Finding Problem User Accounts in AD, (Wed, Jun 24th)
Powershell has gotten a lot of attention lately as a pentester's tool of choice, since it has access to pretty much every low-level system function in the Microsoft ecosystem, and the AV industry isn't dealing well with that yet (aside from ignoring Powershell completely, that is). But what about day-to-day system administration? Really, the possibilities for admins are just as limitless as for pentesters - that's what Powershell was invented for, after all!
https://isc.sans.edu/diary.html?storyid=19833&rss
Shibboleth authentication - Moderately critical - Cross Site Scripting (XSS) - SA-CONTRIB-2015-129
Advisory ID: DRUPAL-SA-CONTRIB-2015-129
Project: Shibboleth authentication (third-party module)
Version: 6.x, 7.x
Date: 2015-June-24
Security risk: 13/25 ( Moderately Critical)
AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description
Shibboleth authentication module allows users to log in and get permissions based on federated (SAML2) authentication. The module didn't filter the text that is displayed as a login link.
https://www.drupal.org/node/2511518
HybridAuth Social Login - Less Critical - Access bypass - SA-CONTRIB-2015-127
Advisory ID: DRUPAL-SA-CONTRIB-2015-127
Project: HybridAuth Social Login (third-party module)
Version: 7.x
Date: 2015-June-24
Security risk: 8/25 ( Less Critical)
AC:Basic/A:None/CI:None/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass
Description
The HybridAuth Social Login module enables you to allow visitors to authenticate or login to a Drupal site using their identities from social networks like Facebook or Twitter.
https://www.drupal.org/node/2511410
Web security subtleties and exploitation of combined vulnerabilities, (Thu, Jun 25th)
The goal of a penetration test is to report all identified vulnerabilities to the customer. Of course, every penetration tester puts most of his effort into finding critical security vulnerabilities: SQL injection, XSS and similar, which have the most impact for the tested web application (and, indeed, it does not hurt a penetration tester's ego when such a vulnerability is identified :)
However, I strongly push towards reporting of every single vulnerability, no matter how harmless it might appear ...
https://isc.sans.edu/diary.html?storyid=19837&rss
Samsung does not disable Windows security updates
A self-made PR disaster: Samsung publishes a tool named "disable_Windowsupdate.exe". But it does not do what the name suggests.
http://www.heise.de/newsticker/meldung/Samsung-deaktiviert-keine-Sicherheitsupdates-von-Windows-2724602.html?wt_mc=rss.ho.beitrag.rdf
So much for protection: NOD32 allows computers to be hijacked
Instead of protecting users, Eset's NOD32 allowed attackers to take over victims' computers completely. The update that closes the hole should be installed as soon as possible.
http://heise.de/-2728967
SSA-142512 (Last Update 2015-06-25): Cross-Site Scripting Vulnerability in Climatix BACnet/IP Communication Module
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-142512.pdf
Multiple vulnerabilities in Cisco products
Cisco Wireless LAN Controller Command Injection Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39517
Cisco IOS XR MPLS LDP Packet Processing Denial of Service Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39509
Cisco Unified Presence Server Cross-Site Scripting Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39504
Cisco IM and Presence Service Leaked Encrypted Passwords Privilege Escalation Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39505
Cisco IM and Presence Service SQL Injection Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=39506