On March 14, 2013 I released the white paper “Practical Exploitation Using Malicious SSIDs” at Black Europe in Amsterdam. This paper discuses the concept of leveraging SSIDs to inject various attacks into Wireless devices, and management consoles. The type of injection attacks discussed include XSS, CSRF, and format strings attacks. A copy of the whitepaper can be downloaded from HERE.
Its been almost a year since this firmware process hack was first discussed at CarolinaCon by percX. PercX has finally finished up his tutorial/white paper on the subject. In this paper he discusses the hack in-depth. Covering the step by step process around how to gain root level access to high end Xerox MFP devices, how the firmware signing process works, and how to protect yourself from this attack. The paper can be downloaded by clicking here.
PercX will be presenting his recent research on injection attacks using malicious SSIDs “Practical Exploitation Using A Malicious Service Set Identifier (SSID)” at Blackhat Europe in Amsterdam on March 14-15 2013.
I just published an advisory, click here to enjoy it.
We are foofus.net. We are Humoctopus. Many of us will be at Defcon, where The Danger Is Real.
I got a very interesting note from Ryan Reynolds and Jonathan Claudius, who will be presenting at BlackHat and Defcon 20 in a few weeks. They discovered that, in certain circumstances, the hashes returned by tools like fgdump3 (which is a very limited “ask-and-you-shall-receive” research version I unveiled at ToorCon 2011) as well as HashDump are wrong. They have a proposed patch to HashDump, and I will be incorporating it into the fgdump3 branch as well.
So does this affect fgdump2/2.1?
No – this only affects versions pulling their values right from the registry (which version 3 is doing).
Where is fgdump3 anyway?
I unofficially/quietly released version 3 at ToorCon last year. However, speed issues continued to plague me (changing permissions on the keys is SLOW), and I started looking for a new solution. Right now, the NEW fgdump3 is about 80% done, and combines the old injection method, the registry method, and a new “super s3kr1t” method that looks to work well, and quickly I might add. I have yet to finish the new version (about 80% complete), but I’m going to see if I can pound this out before DC 20 in time for their presentation. It will be ultra-beta, but something to play with.
How can I get a copy to play with?
I can send you the old fgdump3 if you want to play with the registry method – email me at firstname.lastname@example.org if you like. It’s unsupported and may cause nausea, but feel free to give it a shot.
Medusa 2.1.1 is now available for public download.
This release contains several bug fixes and should also now compile with gcc 4.7.
The Micro Technology Services Inc. “Lynx Message Server 220.127.116.11″ and/or “LynxTCPService version 1.1.62″ web interface is vulnerable to SQL Injection, Cross-Site Scripting, and other security problems.
- Bede 5/3/12
Medusa 2.1 is now available for public download.
What is Medusa? Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at Foofus.net. It currently has modules for the following services: AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), NNTP, PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (AUTH/VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC. It also includes a basic web form module and a generic wrapper module for external scripts.
While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. For a brief comparison, see:
This release does not introduce any major changes to the core of the application, however, it does include two years worth of bug-fixes throughout the code base and numerous incremental improvements.
Updated release of Praeda 0.02.0b can be downloaded from GITHUB HERE . This release contains a few new modules and an update to the dispatcher, allowing NMAP .gnmap as target input.