February 14th Valentine's Day HackFest

Lisa Kachold lisakachold at obnosis.com
Wed Jan 28 21:09:38 MST 2009





  Catch the Patch Procrastinators Recovery Group

      PLUG February HackFest 

Various important security daemon patches have
only recently been released, including Bind9,
OpenSSL, CUPS and NTP for Ubuntu; Red Hat 5 Avahi (FC 10); and
SquirrelMail. So we will demonstrate the exploits available for these
issues:


1) OpenSSL: (Using Debian)
http://www.metasploit.com/users/hdm/tools/debian-openssl/

Brute Forcing Tools Include:
http://www.milw0rm.com/exploits/5622
http://metasploit.com/users/hdm/tools/debian-openssl/debian_openssh_key_...


OpenSSL: Examples will also apply to the recent issues with OpenSSL:
Several functions inside OpenSSL incorrectly checked the result after
calling the EVP_VerifyFinal function, allowing a malformed signature
to be treated as a good signature rather than as an error. The issue
affected the signature checks on DSA and ECDSA keys used with
SSL/TLS, and also various mail systems and DNS systems built upon
OpenSSL.
We will show an easy 'man in the middle' attack that presents a malformed
SSL/TLS signature from a certificate chain
to a vulnerable client, bypassing validation, and segue into a
discussion of the MD5 Verisign cert issues.


2) NTP Spoofing: (Using Debian) NTP spoofing has been a staple of DoS
and remote root exploits since the 1990s. Usually NTP is selectively
allowed to egress the DMZ via stateful packet inspection (which will catch
spoofed packets) by source and destination, or is served via internal NTP
daemons. It's common to spoof the NTP servers while sending exploitive
packets.
A new issue has been identified:
http://www.debian.org/security/2009/dsa-1702


A simple exploit using netcat will be demonstrated:
http://cybexin.blogspot.com/2009/01/introduction-to-netcat.html


3) Overview of BeEF:
http://www.bindshell.net/tools/beef

We will also look at a forensic image from the November Hackfest and discuss
ways to protect (ARP, VPN/VLAN, switches, SELinux) against the inevitable
pwnership of a production or user's desktop system.


We will not dissect SquirrelMail, since it's only an XSS issue (similar
to 9 out of 10 running versions of Apache httpd in consumerland). We will not dissect
Bind9 because it also relates to the OpenSSL malformed signature issue. Other
PRNG-type entropy issues with SSL exist, just waiting to be
popularized, so we will wait for the industry to continue to ignore
this and other issues inherent in various protocols.


It's going to be a fun-filled 3 hours of presentations.

www.Obnosis.com |  http://wiki.obnosis.com | http://hackfest.obnosis.com | http://nuke.obnosis.com (503)754-4452
PLUG HACKFESTS - http://uat.edu Second Saturday of Each Month Noon - 3PM
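The OpenSSL, Bind9 and NTP items above all come down to the same caller
bug: EVP_VerifyFinal returns 1 for a verified signature, 0 for a signature
that does not verify, and -1 when the signature blob cannot even be decoded,
and callers that wrote "if (!EVP_VerifyFinal(...)) fail;" let -1 through as
success. The following is an added example, not code from the post, from
OpenSSL or from any of the patched daemons. It models that tri-state
contract in Python: the verification primitive is an HMAC-SHA256 stand-in
(an assumption; the algorithm is irrelevant to the bug), the tag is wrapped
in a DER OCTET STRING so that "malformed" means a genuine decode failure,
and the function and key names are made up for the demonstration.

```python
"""
EVP_VerifyFinal return-code misuse, modelled in Python (added example).

Contract being mirrored (OpenSSL):  1 = verified, 0 = bad signature,
-1 = error, e.g. the signature could not be decoded.
Pre-fix callers:  if (!EVP_VerifyFinal(...)) goto err;   -> accepts -1
Post-fix callers: if (EVP_VerifyFinal(...) <= 0) goto err;
"""
import hashlib
import hmac

KEY = b"constructed-demo-key"          # constructed for the example, not a real key
VERIFIED, BAD_SIGNATURE, ERROR = 1, 0, -1


def der_octet_string(payload: bytes) -> bytes:
    """Encode payload as a short-form DER OCTET STRING (length < 128)."""
    assert len(payload) < 128
    return b"\x04" + bytes([len(payload)]) + payload


def decode_der_octet_string(blob: bytes):
    """Return the OCTET STRING contents, or None if the blob is malformed."""
    if len(blob) < 2 or blob[0] != 0x04:
        return None
    length = blob[1]
    if length >= 128 or len(blob) != 2 + length:
        return None
    return blob[2:]


def sign(key: bytes, data: bytes) -> bytes:
    """Stand-in signer: HMAC-SHA256 tag wrapped in DER (assumption, see lead-in)."""
    return der_octet_string(hmac.new(key, data, hashlib.sha256).digest())


def verify_final(key: bytes, data: bytes, sig: bytes) -> int:
    """Mirror EVP_VerifyFinal's tri-state return value."""
    tag = decode_der_octet_string(sig)
    if tag is None or len(tag) != hashlib.sha256().digest_size:
        return ERROR                       # -1: signature could not be decoded
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return VERIFIED if hmac.compare_digest(tag, expected) else BAD_SIGNATURE


def vulnerable_accepts(key: bytes, data: bytes, sig: bytes) -> bool:
    """Pre-fix pattern: only a return of 0 is treated as failure."""
    ret = verify_final(key, data, sig)
    if not ret:                            # same truth test as `if (!ret)` in C
        return False
    return True                            # -1 lands here: malformed == "good"


def fixed_accepts(key: bytes, data: bytes, sig: bytes) -> bool:
    """Post-fix pattern: anything other than 1 is failure."""
    return verify_final(key, data, sig) > 0


def demo() -> dict:
    """Run good, wrong-key and malformed signatures through both callers."""
    data = b"ServerKeyExchange params"     # constructed message
    cases = {
        "good": sign(KEY, data),
        "wrong_key": sign(b"attacker-key", data),
        "malformed": b"\x04\x7f",          # claims 127 bytes of payload, carries none
    }
    return {name: (verify_final(KEY, data, sig),
                   vulnerable_accepts(KEY, data, sig),
                   fixed_accepts(KEY, data, sig))
            for name, sig in cases.items()}


if __name__ == "__main__":
    for name, (ret, vuln, fixed) in demo().items():
        print(f"{name:10s} ret={ret:2d} vulnerable_accepts={vuln} fixed_accepts={fixed}")
```

The "malformed" case is the one the advisory describes: the blob never
reaches the comparison, verify_final returns -1, and the pre-fix caller
accepts it. When auditing callers of any verify routine with this contract,
grep for `== 0` and `!` tests on the return value and change them to `<= 0`.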
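On the NTP spoofing point: a firewall that permits NTP by source and
destination address does not authenticate the reply, so anyone who can
spoof the permitted server's address gets to set the client's clock. The
following is an added example, not code from the post or from any NTP
implementation. It packs the 48-byte NTP header by hand from the RFC 1305 /
RFC 5905 layout, builds a client request and a forged server reply, and
shows the one check a plain unauthenticated client has (the reply's origin
timestamp must echo the request's transmit timestamp), which an on-path
attacker trivially satisfies and a blind one has to guess. Timestamps are
constructed constants and the function names are made up for the example.

```python
"""
Forging an unauthenticated NTP reply (added example).

Header layout (RFC 1305 / RFC 5905), 48 bytes, network byte order:
  LI|VN|Mode (1) stratum (1) poll (1) precision (1)
  root delay (4) root dispersion (4) reference id (4)
  reference ts (8) origin ts (8) receive ts (8) transmit ts (8)
"""
import struct

NTP_DELTA = 2208988800             # seconds from 1900-01-01 to the Unix epoch
NTP_FMT = "!BBBb11I"               # 3 x uint8, int8, then 11 x uint32
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp(unix_seconds: float) -> tuple:
    """Unix time -> (seconds, fraction) NTP 32.32 fixed-point timestamp."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * 2**32))
    return (whole + NTP_DELTA) & 0xFFFFFFFF, frac & 0xFFFFFFFF


def from_ntp(ts: tuple) -> float:
    return ts[0] - NTP_DELTA + ts[1] / 2**32


def build_packet(mode, stratum, origin, receive, transmit, version=3) -> bytes:
    li_vn_mode = (0 << 6) | (version << 3) | mode
    poll, precision = 6, -20
    root_delay = root_disp = ref_id = 0
    ref_ts = (0, 0)
    return struct.pack(NTP_FMT, li_vn_mode, stratum, poll, precision,
                       root_delay, root_disp, ref_id,
                       *ref_ts, *origin, *receive, *transmit)


def parse_packet(pkt: bytes) -> dict:
    f = struct.unpack(NTP_FMT, pkt)
    return {"version": (f[0] >> 3) & 7, "mode": f[0] & 7, "stratum": f[1],
            "origin": (f[9], f[10]), "receive": (f[11], f[12]),
            "transmit": (f[13], f[14])}


def client_request(t1: float) -> bytes:
    """Mode 3 request; the client stamps only the transmit field."""
    return build_packet(MODE_CLIENT, 0, (0, 0), (0, 0), to_ntp(t1))


def forged_reply(request: bytes, fake_time: float, seen_request=True) -> bytes:
    """Attacker's mode 4 reply with the server's (spoofed) source address.
    On-path: echo the client's transmit timestamp as origin. Blind: guess (zero)."""
    origin = parse_packet(request)["transmit"] if seen_request else (0, 0)
    fake = to_ntp(fake_time)
    return build_packet(MODE_SERVER, 1, origin, fake, fake)


def client_accepts(request: bytes, reply: bytes) -> bool:
    """Sanity checks of a plain SNTP client: no key, no signature, just fields."""
    req, rep = parse_packet(request), parse_packet(reply)
    return (rep["mode"] == MODE_SERVER
            and 1 <= rep["stratum"] <= 15
            and rep["origin"] == req["transmit"]   # reply must match our request
            and rep["transmit"] != (0, 0))


def clock_offset(request: bytes, reply: bytes, t4: float) -> float:
    """RFC 5905 offset ((t2 - t1) + (t3 - t4)) / 2: what the client would apply."""
    t1 = from_ntp(parse_packet(request)["transmit"])
    rep = parse_packet(reply)
    t2, t3 = from_ntp(rep["receive"]), from_ntp(rep["transmit"])
    return ((t2 - t1) + (t3 - t4)) / 2


def demo() -> tuple:
    t1 = 1233176978.0                      # constructed: client send time, Jan 2009
    fake_time = t1 + 365 * 86400           # attacker pushes the clock a year ahead
    req = client_request(t1)
    onpath = forged_reply(req, fake_time)
    blind = forged_reply(req, fake_time, seen_request=False)
    t4 = t1 + 0.05                         # constructed client receive time (50 ms RTT)
    return (client_accepts(req, onpath), client_accepts(req, blind),
            clock_offset(req, onpath, t4))


if __name__ == "__main__":
    accepted_onpath, accepted_blind, offset = demo()
    print(f"on-path forgery accepted: {accepted_onpath}")
    print(f"blind forgery accepted:   {accepted_blind}")
    print(f"offset the client would apply: {offset:.3f} s")
```

The origin-timestamp match is the only thing standing between a blind
spoofer and the client's clock, and it is a 64-bit value the attacker
either sees on the wire or can race; it is not authentication. The fix the
protocol offers is the symmetric-key (MD5-keyed) or Autokey authentication
in ntpd, which is exactly the code path the DSA-1702 signature-check bug
lives in, so patching and enabling authentication go together.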




> Date: Wed, 28 Jan 2009 14:21:23 -0700
> From: tuna at supertunaman.com
> To: plug-discuss at lists.plug.phoenix.az.us
> Subject: Re: [Article] Cox ready to throttle P2P, non "time sensitive" traffic
> 
> Anthony Boynes wrote:
> > On Wed, Jan 28, 2009 at 2:06 PM, Stephen P Rufle
> > <stephen.p.rufle at cox.net> wrote:
> >> http://arstechnica.com/tech-policy/news/2009/01/cox-opens-up-throttle-for-p2p-non-time-sensitive-traffic.ars
> >> ---------------------------------------------------
> >> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> >> To subscribe, unsubscribe, or to change your mail settings:
> >> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >>
> > 
> > Hrmm.  Here are the types of traffic that will be delayed at the
> > beginning of the trial.
> > 
> >     * File Access (Bulk transfers of data such as FTP)
> >     * Network Storage (Bulk transfers of data for storage)
> >     * P2P (Peer to peer protocols)
> >     * Software Updates (Managed updates such as operating system updates)
> >     * Usenet (Newsgroup related)
> > 
> > 
> > Why the heck would they want to delay OS updates? That seems rather silly to me.
> > 
> 
> Majority of Windows users don't even care about those. In fact, I'm 
> pretty sure nobody does.
> 
> Either people don't know what they are or they avoid them on purpose, it 
> seems.


