What? IE 0day again?

Yes, in the latest Security Advisory (2887505), published on September 17, 2013, Microsoft said it is investigating a new vulnerability that affects all supported versions of Internet Explorer. The vulnerability is a remote code execution vulnerability tracked as CVE-2013-3893. So far we have not seen any PoC or exploit code available. However, Qualys reported that “The exploit depends on a Microsoft Office DLL which has been compiled without Address Space Layout Randomization (ASLR) to locate the right memory segment to attack, but this DLL is extremely common and most likely will not lower the affected population by much.” “The attack is very much targeted and geographically limited to Japan”, Wolfgang Kandek of Qualys added.

Still, it is time to apply the Fix It solution “CVE-2013-3893 MSHTML Shim Workaround” to prevent exploitation of this remote code execution bug.

As usual, there are a few rules from Emerging Threats for detection purposes.
2017477 – ET WEB_CLIENT CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass (web_client.rules)
2017478 – ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability (web_client.rules)
2017479 – ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability (web_client.rules)
2017480 – ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability (web_client.rules)

These rules are available for download here.

September 17, 2013 somehow reminded me of another IE zero-day shared by Eric Romang back on September 16, 2012.

Is IE 0day part of the IT life?

Update:
September 30, 2013: Metasploit released an exploit module for CVE-2013-3893 (IE SetMouseCapture Use-After-Free).

Output only ASCII from Hex dump with Python

Here is a simple Python script which outputs only the American Standard Code for Information Interchange (ASCII) from a hex dump (a hexadecimal view of computer data). It also includes a URL decode function. Personally, this script is very useful for me when performing analysis, e.g. identifying SQL injection parameters in payloads captured by Snort.
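
An added example, not the author's script: one way to do what the post describes in Python 3, recovering the payload bytes from a hex dump, keeping only printable ASCII, and URL-decoding the result. The dump layout (optional offset, hex bytes separated by single spaces, ASCII column after two or more spaces), the sample request and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: payload dump laid out as offset, hex bytes, ASCII column.
SAMPLE_DUMP = """\
0x0000: 47 45 54 20 2F 69 74 65 6D 2E 70 68 70 3F 69 64  GET /item.php?id
0x0010: 3D 31 25 32 37 25 32 30 4F 52 25 32 30 25 32 37  =1%27%20OR%20%27
0x0020: 31 25 32 37 25 33 44 25 32 37 31 20 48 54 54 50  1%27%3D%271 HTTP
0x0030: 2F 31 2E 31 0D 0A                                /1.1..
"""

# Optional leading offset such as "0x0010:" or "00000010:".
_OFFSET = re.compile(r"^\s*(?:0x)?[0-9A-Fa-f]+\s*:\s*")


def dump_to_bytes(dump):
    """Recover the raw payload bytes from a textual hex dump."""
    payload = bytearray()
    for line in dump.splitlines():
        line = _OFFSET.sub("", line.rstrip())
        # The hex column ends at the first run of two or more spaces; what
        # follows is the dump's own ASCII rendering and is ignored.
        hex_part = re.split(r"\s{2,}", line, maxsplit=1)[0]
        # bytes.fromhex raises ValueError on anything that is not hex pairs.
        payload += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(payload)


def printable_ascii(data):
    """Keep printable ASCII (0x20-0x7E) and drop every other byte."""
    return "".join(chr(b) for b in data if 0x20 <= b <= 0x7E)


def decode_payload(dump):
    """Return (ascii_text, url_decoded_text) for a hex dump."""
    raw = printable_ascii(dump_to_bytes(dump))
    # unquote_plus also turns "+" into a space, as in query strings.
    decoded = unquote_plus(raw).encode("ascii", "replace")
    # Filter again: %00, %0d%0a and similar must not reach the terminal.
    return raw, printable_ascii(decoded)


if __name__ == "__main__":
    raw, decoded = decode_payload(SAMPLE_DUMP)
    print("ASCII      :", raw)
    print("URL-decoded:", decoded)
```

Filtering a second time after URL decoding matters when reviewing captured payloads, because encoded control characters would otherwise be written straight to the analyst's terminal or log.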

How to Install Python – Hello World!

Today we will learn how to install Python on Windows, starting with the installation itself and ending with running “Hello, World” in Python.

Download the latest version of Python from the official website. To install it, just double click the .msi file (Microsoft Windows Installer). By default, Python installs to a directory with the version number embedded, e.g. C:\Python27\. To ensure we are able to run Python regardless of the working directory, we need to modify the PATH environment variable by adding the directories for our default Python version. You can look at my earlier post to learn how to set the PATH environment variable. We can also achieve this by selecting the “Add python.exe to Path” feature during the installation.

PATH environment variable

So, we are now done with the installation. Let’s try to write our first simple program – “Hello, World”. Create a text file, and add the line print "Hello, World"

Save the text file with the file extension .py. In my case, I named my file “HelloWorld.py”. Execute the program by keying in “python HelloWorld.py”.

Python Hello World

If you get “Syntax Error” when you try to run the program, please check the version of Python you are running.
For version 2.x – print "Hello, World"
For version 3.x – print("Hello, World")

For a newbie like me, I prefer to use Python 2.x first, as it is easier for me to get the tutorials.

Cheers!

How to set the PATH environment variable in Windows 7

According to Wikipedia:
“The %PATH% variable is specified as a list of one or more directory names separated by semicolon (;) characters. The Windows system directory (typically C:\WINDOWS\system32) is typically the first directory in the path, followed by many (but not all) of the directories for installed software packages. Many programs do not appear in the path as they are not designed to be executed from a command window, but rather from a Graphical User Interface. Some programs may add their directory to the front of the PATH variable’s content during installation, to speed up the search process and/or override OS commands.”

To set the PATH environment variable in Windows 7, you can follow the steps below (refer here):
(1) From the Desktop, right click Computer and click Properties.
(2) Go to Advanced System Settings and click on Environment Variables.

For instance, if your Python installation is in C:\Python27\, add C:\Python27\; to your PATH. Don’t forget to reboot your computer for the changes to take effect.

Environment Variables

Exploiting GitHub New Search Infrastructure

On January 23, GitHub revealed its new search infrastructure, which is powered by ElasticSearch. GitHub Inc. was founded in 2008 and it was the most popular open source code repository site as of May 2011.

Unfortunately, the new feature was misused for malicious purposes. According to Help Net Security, a few individuals managed to obtain several private encryption keys and passwords via GitHub using this new search infrastructure. As highlighted by Sean Michael Kerner via InternetNews.com, it is NOT a GitHub security issue, as the search infrastructure only exposes what is already there.

I have tried the new search infrastructure on my own with the keyword “BEGIN RSA PRIVATE KEY”, and an interesting search result was returned. Unfortunately, due to some “additional maintenance” by GitHub after they discovered this issue, I got a message “Nothing to see here yet. Move along.” when I wished to look further into the code.

Those who upload their code to GitHub are advised to read the instructions provided by GitHub on removing sensitive data.

GitHub "BEGIN RSA PRIVATE KEY"

Yahoo! Mail Now Supports HTTPS

According to the latest update by Yahoo! Help on January 1, 2013, Yahoo! Mail finally supports Hypertext Transfer Protocol Secure (HTTPS), but it is not enabled by default. Please ensure that you enable it for your account right now!

How to Enable HTTPS for your Yahoo! Mail account?
(1) Once you sign in, click the gear icon in the upper right corner and select Mail Options.
(2) By default, you will be in the General menu. Scroll down and, under Advanced Settings, check the box next to Turn on SSL.

Mail Options

Turn On SSL

According to Venkat, currently the browsers that support SSL for Yahoo Mail for Windows are:

  • Internet Explorer 7.0 - 10.0 and newer
  • Chrome 5.0 and higher
  • Firefox 3.5 and higher
  • Safari 4.0 and newer

Till then, be safe on the Internet!