
whereisjustice

whereisjustice's Journal
September 26, 2014

Everything you need to know about the Shellshock Bash bug

Source: http://www.troyhunt.com/

What are the potential ramifications?

The potential is enormous – “getting shell” on a box has always been a major win for an attacker because of the control it offers them over the target environment. Access to internal data, reconfiguration of environments, publication of their own malicious code etc. It’s almost limitless and it’s also readily automatable. There are many, many examples of exploits out there already that could easily be fired off against a large volume of machines.

Unfortunately when it comes to arbitrary code execution in a shell on up to half the websites on the internet, the potential is pretty broad. One of the obvious (and particularly nasty) ones is dumping internal files for public retrieval. Password files and configuration files with credentials are the obvious ones, but could conceivably extend to any other files on the system.

Likewise, the same approach could be applied to write files to the system. This is potentially the easiest website defacement vector we’ve ever seen, not to mention a very easy way of distributing malware.

Read more: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html



Haven't seen anything posted on this. While most home users are not affected, the internet services you use are going to be affected. What is alarming is the simplicity of the exploit and its broad nature.

Vulnerability Summary for CVE-2014-6271
Original release date: 09/24/2014
Last revised: 09/24/2014
Source: US-CERT/NIST
Overview

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
Impact
CVSS Severity (version 2.0):
CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Official CVE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Concerns about patches here:
http://www.theregister.co.uk/2014/09/25/shellshock_bash_worm_type_fears/
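
An added example, not part of the original post or the NVD entry: a defensive filter for the condition the overview describes, a function definition in an environment value with text after it. It assumes the `() {` prefix that affected Bash versions used to recognise exported functions and the CGI convention of passing request headers as `HTTP_*` variables; the function names and the sample environment are constructed for illustration.

```python
import re

# Affected Bash versions treat an environment value starting with "() {" as
# an exported function; CVE-2014-6271 concerns text after the closing brace.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

def trailing_after_function(value):
    """None if value is not a function definition, else the text after the
    brace closing the body ('' if none). Brace matching ignores quoting."""
    m = FUNC_PREFIX.match(value)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(value)):
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].strip()
    return value[m.end():].strip()  # unbalanced: treat the rest as trailing

def audit_environment(env):
    """Classify each variable: 'ok', 'function' or 'function+trailing'."""
    report = {}
    for name, value in env.items():
        tail = trailing_after_function(value)
        if tail is None:
            report[name] = "ok"
        elif tail in ("", ";"):
            report[name] = "function"
        else:
            report[name] = "function+trailing"
    return report

def sanitize_cgi_environment(env):
    """Drop request-derived (HTTP_*) variables that look like function
    definitions; no HTTP header has a legitimate reason to carry one."""
    return {k: v for k, v in env.items()
            if not (k.startswith("HTTP_") and FUNC_PREFIX.match(v))}

# Constructed sample: environment a CGI gateway might build from one request.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)",
    "HTTP_REFERER": "() { :; }; echo CONSTRUCTED-TRAILING-TEXT",
    "HTTP_COOKIE": "() { return 0; }",
}
```

Filtering of this kind is a stopgap in front of an unpatched Bash; it does not replace updating Bash itself.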
September 11, 2014

In the name of profit Target and Home Depot refused to protect customers

This is criminal negligence. To anyone believing our salvation rests with the benevolence of corporations, go sit in the corner.

In the name of profit Target and Home Depot refused to protect customers; now customers' credit cards are stolen

In the wake of a stunning data breach at America's largest home improvement retail chain, The Home Depot, Inc. (HD), a stunning picture of negligence is slowly emerging. Both Home Depot and Target Corp. (TGT) -- whose registers were compromised last December -- appear to have fallen victim to a decade-old exploit of Windows XPe.

What's more, these losses -- which may total as many as 100 million customer credit and debit card numbers -- could have likely been prevented by simply paying to upgrade to a more modern Microsoft Corp. (MSFT) operating system, such as Windows 7 for Embedded Systems. But since Target, Home Depot, and others have refused to protect customers, customers are now paying the price. Banks are scrambling to try to control the damage of these massive intrusions perpetrated by hackers in Russia and Ukraine. But much damage is already done and will yet be done due to retailers' appalling technical negligence.

I. Windows XPe -- The OS Behind Retail's Credit Card Breaches

This week Brian Krebs, a top security researcher affiliated with The Washington Post, wrote in his blog Krebs on Security fresh details of a hack that potentially compromised millions of Americans' credit cards. Mr. Krebs had broken word of the hack last Tuesday, writing that it appeared to be the work of Russian hackers. Now he's offered up fresh details on the malware they used to siphon credit card numbers (CCNs) from checkouts of Home Depot.

The hack was first noticed sometime in the last month or two after bank fraud prevention specialists began to notice a reoccurring pattern of fraud, abuse that was correlated with customers who shopped at the retail giant.

Home Depot
In need of repairs: outdated software at America's largest home improvement retailer led to yet another loss of millions of customers' credit card numbers. [Image Source: Reuters]

The new report reveals that Home Depot's registers -- most of which are believed to still be running the aging point-of-sale versions of Windows XP or a derivative -- were infected with a kind of malware which was also installed on registers during the massive Dec. 2013 hack of Target.

To understand this malware, it's crucial to first understand its host -- a badly aging Microsoft operating system, that's behind the times security-wise, but still broadly used in the world of retail. The OS in question is a derivative of Windows XP, one of the most popular consumer OSes in history.

The version used by retailers is known as Windows XP Embedded (aka Windows XPe). It launched a month after the consumer version of the 14-year-old OS, in Nov. 2001.

According to Wikipedia, Home Depot was indeed using the original Windows XPe Service Pack 3 (SP3) on its point-of-sale (POS) devices (aka, registers in layman's terms). An article on Wikipedia reports that the chain uses the "Zune" theme, which was released in Nov. 2006 by Microsoft. The theme features dark grey windows tops and an orange Start Button, a departure from the standard green start button in Windows XP/XPe.

Target was also believed to be running the same aging OS -- Windows XPe SP3 -- on its PoS hardware. A Jan. 2003 press release from Microsoft rather ironically mentions both retailers in the same paragraph, indicating they adopted the OS late in 2002. It writes:

Retailers taking advantage of Microsoft .NET-enabled solutions include Rite Aid Corp. and Metro Cash & Carry, which are equipping retail stores with point-of-sale (POS) systems based on the Windows® XP Embedded operating system; Target Corp., which plans to deploy Windows XP Embedded in its Target and Mervyn's Stores; Best Buy Co. Inc. and 7-Eleven Inc., which are using Windows XP Tablet PC Edition in their corporate and store operations; and, most recently, Home Depot Inc., which has chosen to update its store point-of-sale terminals with Microsoft technologies because of their high degree of flexibility.

That sentence is painfully ironic today, as it ultimately reveals the root of one of the biggest successful cybercrime campaigns in recent history.


http://www.dailytech.com/Appalling+Negligence+DecadeOld+Windows+XPe+Holes+Led+to+Home+Depot+Hack/article36517.htm

h/t to PuppyBismark
September 9, 2014

NPR says "this election is about nothing, really..."

NPR, which has become nothing more than a smarmy salve for the fragile egos of the rich, has proclaimed coming elections about nothing, really. An election without issues, they called it.

Think about it, NPR just could not find any real issues to talk about this election. None. Nada. Zip. Even called in experts who agreed with them.

Hey NPR, here's a few fucking things to talk about:

- Poverty near or at record levels

- Real wages and savings continuing in decline for the middle class

- Health care costs delivering 2nd world health care outcomes

- Education inflation at 20% or more, creating a massive debt load for students

- R&D funding and grants for science and engineering at record low levels of investment.

- Highway, electrical, water, sewer infrastructure failing, municipalities unable to fund repairs.

- Militarized police, out of control racist cops

- Spying, torture and "free speech zones"

- An unregulated Wall Street with booming market that most Americans cannot benefit from

- Millions of over educated, underemployed or unemployed workers

- What the fuck? Do I need to continue?

Has it really come to this, our public broadcasting system just as disaffected and oblivious as our millionaire politicians to the forces tearing at the nation?

NPR, what a fucking waste. Maybe it is time to shut them down. "Fair and balanced", worthless goddamn news readers, no problem sending reporters around the world looking for stories that are sitting right under their own asses here in the USA.

Is NPR so goddamn lazy they can't see with their own eyes what is happening around these issues?

Our political leadership is doing their best to ignore the facts crippling the economy for a majority of Americans. So why the hell do we need to waste money on another politically correct media outlet unwilling to challenge the fairy tale narratives of our ruling class?








Profile Information

Member since: Tue Jul 8, 2014, 09:43 PM
Number of posts: 2,941