Cyber threats landscape and defense workshop

The Cyber threats landscape and defense workshop was held April 14th at ISIS “C. Facchinetti” Institute.
The two-hour workshop was intended to illustrate and explain the evolution of cyber threats over the last years and the current scenario.

About 50 participants attended the event and followed the topics explained: from the first virus created in 1971 (Creeper, the first self-replicating program, was created by Bob Thomas and targeted the TENEX operating system, although many people believe that Brain, coded in 1986, was the first virus) up to modern APT (Advanced Persistent Threat) attacks, supported by interactive sessions, a live demo and a great movie produced by TrendMicro (you can watch the entire movie in HD on YouTube).

Today we can all be victims of cyber criminals, but we can be a little safer if we pay attention to our digital behavior and know the threats coming from the technologies we use every day. Security awareness and user behavior represent one of the most effective defenses against cyber crime, probably more than the most advanced security technology. We must protect our data starting from Layer 8, in a top-down approach :)

All the slides displayed during the workshop are now available on SlideShare.

Feel free to contact me if you have any questions, suggestions or requests.

MySQL Remote Root Authentication Bypass (CVE-2012-2122)

A new vulnerability discovered in MySQL Server allows an attacker to gain remote root privileges. According to the original article posted on SC Magazine: “Security experts have identified some 879,046 servers vulnerable to a brute force flaw that undermines password controls in MySQL and MariaDB systems.”

This critical vulnerability, CVE-2012-2122, has already been patched, so you should update your MySQL server as soon as possible.

The Python script is still available on Exploit-DB and can be converted into a one-line Bash script:
$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
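A loop like the one above leaves a dense burst of failed root logins in the server's error log. The Python below is an added detection example (not code from the post or from Exploit-DB): it assumes the MySQL 5.5 error-log line layout written when log_warnings=2, uses a constructed sample log rather than real data, and treats 50 failures for one user@host inside 10 seconds as an assumed alert threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout of a MySQL 5.5 error-log warning (needs log_warnings=2):
#   120611 10:15:01 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
LINE_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def parse_failures(lines):
    """Yield (timestamp, user, host) for every 'Access denied' warning."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%y%m%d %H:%M:%S")
            yield ts, m["user"], m["host"]

def find_bursts(lines, threshold=50, window=timedelta(seconds=10)):
    """Sliding-window count of failures per (user, host); lines are assumed to be
    in time order, as the error log is. Returns each pair's peak count in a window."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, user, host in parse_failures(lines):
        q = recent[(user, host)]
        q.append(ts)
        while ts - q[0] > window:      # drop attempts older than the window
            q.popleft()
        peak[(user, host)] = max(peak[(user, host)], len(q))
    return {k: v for k, v in peak.items() if v >= threshold}

def constructed_sample():
    """Constructed log, not real data: 300 failed root logins from one host
    in three seconds (the shape of the 1000-attempt loop) plus stray noise."""
    base = datetime(2012, 6, 11, 10, 15, 1)
    lines = []
    for i in range(300):
        ts = (base + timedelta(seconds=i // 100)).strftime("%y%m%d %H:%M:%S")
        lines.append(f"{ts} [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)")
    lines.append("120611 10:15:03 [Warning] Access denied for user 'backup'@'10.0.0.7' (using password: YES)")
    lines.append("120611 10:20:03 [Warning] Access denied for user 'backup'@'10.0.0.7' (using password: YES)")
    lines.append("120611 10:20:04 [Note] /usr/sbin/mysqld: ready for connections.")
    return lines

if __name__ == "__main__":
    for (user, host), n in find_bursts(constructed_sample()).items():
        print(f"ALERT: {n} failed logins for {user}@{host} within 10 s")
```

On a real server, feed it the error log with `find_bursts(open("/var/log/mysql/error.log"))`; the two isolated `backup` failures in the sample stay below the threshold and are not reported.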

Patch your MySQL ! :)


Remote Desktop DoS POC for MS12-20

The RDP protocol gives remote users interactive access to systems, and it is often exposed directly to the Internet so that mobile users can connect to them.
A recently discovered vulnerability allows unauthenticated users to execute malicious code; Microsoft patched it in MS12-20 and classified it as critical.

The vulnerability applies to most versions of Microsoft Windows.

  • The vulnerability allows remote code execution from an unauthenticated attacker.
  • Often, RDP is permitted in from the Internet on the default port to manage various systems.
  • Once an exploit becomes available, attackers can easily exploit the vulnerability on exposed and unpatched systems. Automated attacks are possible.
  • It’s not all about attacks from the Internet; internally exposed RDP servers can be targeted by malicious internal users or by malware if an internal machine becomes infected.

Please refer to http://aluigi.org/adv/termdd_1-adv.txt to read exploit details.

If you want to test the Proof of Concept you can follow this How-To:

  1. Start a virtual machine running a Windows operating system
  2. If not already enabled, enable Remote Desktop on the virtual machine
  3. Make sure you can reach the virtual machine from your host system (e.g. ping 10.10.10.1)
  4. Download the POC file from here (termdd_1.dat)
  5. Use netcat to connect to the virtual machine and send the exploit packet:
    nc 10.10.10.1 3389 < termdd_1.dat
  6. Repeat several times until you get a Blue Screen of Death.

There are also several POCs written in Ruby available on pastebin.com: just copy and paste the code into a text file called rdpexploit.rb and set the Ruby path (the first line of the code must match your Ruby binary path). You need Ruby installed on the system to use it! :)

Read the Microsoft Security Bulletin for MS12-20