June 26, 2008

Yazd University seminar slides

Yesterday I gave a one-day seminar at Yazd University, covering some topics about discovery, attack and defense techniques in software, followed by a quick coverage of common attacks against web applications and password/authentication mechanisms.
As I had guessed before the event, 6 hours of speaking was not enough to cover all topics in an acceptable amount of detail. But after all it wasn't that bad :)

Download the presented PowerPoint slides from here.
[Updated:] And in case you are looking for the PDF version, it's here.

June 12, 2008

Another nasty BYPASS thingy .

Authentication bypass vulnerabilities in important services or components appear rarely. They are rarer in critical services, and rarer still when exploiting the flaw is as short as modifying a single byte!
Before today, you may remember the MySQL authentication bypass, and the script-kiddie-friendly VNC auth. bypass vulnerability. These are not the only ones in recent years, but they are the best known. Today I saw another crazy bypass!

This time, the affected service is SNMP v3. And no, it's not limited to a rarely used or less-known vendor. MULTIPLE vendors, including but not limited to Cisco, are affected. I bet CVE-2008-0960 will make a lot of noise for various reasons:

First, wherever you read a best-practice guide on hardening your SNMP-based infrastructure, it's always advised to use the secure version of SNMP, by which they mean v3.
Second, SNMP is the favorite monitoring protocol used in almost any big enterprise network.
Third and worst: we all use it on the core elements of the network, which means routers, switches, firewalls, ...

To make it clearer, here's the list of affected products, borrowed from Cisco's related advisory:

* Cisco IOS
* Cisco IOS-XR
* Cisco Catalyst Operating System (CatOS)
* Cisco NX-OS
* Cisco Application Control Engine (ACE) Module
* Cisco ACE Appliance
* Cisco ACE XML Gateway
* Cisco MDS 9000 Series Multilayer Fabric Switches

Since many vendors may be affected by this vulnerability, they have all been informed about the subject and should be in the process of verifying their products. Keep watching the US-CERT vulnerability note and wait for all listed vendors to update their status. Let's just hope not many of the listed "unknown" items change to "vulnerable".

So, how hard is it to exploit this vulnerability?
As I had previous experience with this class of vulnerabilities, my first guess was right. By modifying a few lines of code in your favorite SNMP client, you're ready to bypass. Am I the only one who thinks about net-snmp? ;)
inode has generously done this for you and provided a patch for net-snmp. Since I'm not the kind of guy who spreads sploits, I leave you with Google to catch the patch.
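As an added illustration (not code from this post, from net-snmp, or from any vendor), here is the defect class behind this advisory in miniature, written from the receiver's side. RFC 3414's HMAC-MD5-96 and HMAC-SHA-96 both put a 12-byte tag in msgAuthenticationParameters; the defect is a receiver that compares only as many tag bytes as the peer supplied instead of insisting on all 12, so a shortened field needs far fewer bytes to match. The key, the message bytes and the capture records below are constructed, and the HMAC is taken straight over the constructed payload rather than over a real SNMPv3 PDU with its auth field zeroed; the comparison logic is the point.

```python
"""Constructed illustration of the SNMPv3 auth-check defect class (CVE-2008-0960).

Not code from the original post, from net-snmp, or from any vendor. Shows a receiver
that trusts the peer-supplied field length beside one that requires all 12 bytes,
plus a small detection helper for captures.
"""
import hashlib
import hmac

AUTH_TAG_LEN = 12  # HMAC-MD5-96 / HMAC-SHA-96: full digest truncated to 96 bits (RFC 3414)

# Constructed values standing in for a localized authKey and a serialized SNMPv3 message.
# A real receiver hashes the whole wire message with msgAuthenticationParameters zeroed.
AUTH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
WIRE_MESSAGE = b"constructed SNMPv3 message bytes (auth params field zeroed)"


def auth_tag(auth_key: bytes, wire_message: bytes) -> bytes:
    """Return the 12-byte HMAC-MD5-96 tag the sender places in msgAuthenticationParameters."""
    return hmac.new(auth_key, wire_message, hashlib.md5).digest()[:AUTH_TAG_LEN]


def verify_vulnerable(auth_key: bytes, wire_message: bytes, received: bytes) -> bool:
    """Defective check: the peer-supplied field length decides how many bytes are compared.

    A 1-byte field therefore needs only that single byte to match, and an empty field
    matches unconditionally. Shown only so the difference from the hardened check is visible.
    """
    expected = auth_tag(auth_key, wire_message)
    return expected[: len(received)] == received


def verify_hardened(auth_key: bytes, wire_message: bytes, received: bytes) -> bool:
    """Correct check: the field must be exactly 12 bytes and is compared in constant time."""
    if len(received) != AUTH_TAG_LEN:
        return False
    return hmac.compare_digest(auth_tag(auth_key, wire_message), received)


def audit_auth_param_lengths(records):
    """Detection helper: flag authenticated SNMPv3 messages whose auth field is not 12 bytes.

    Each record is (src, auth_flag_set, auth_params_len), as a capture parser might emit it.
    A noAuthNoPriv message (flag clear) legitimately carries a zero-length field, so only
    messages with the auth flag set are checked.
    """
    return [src for src, auth_flag, length in records
            if auth_flag and length != AUTH_TAG_LEN]


# Constructed records: normal authenticated traffic, one noAuthNoPriv message, two malformed ones.
SAMPLE_RECORDS = [
    ("10.0.0.5", True, 12),
    ("10.0.0.9", False, 0),
    ("10.0.0.7", True, 1),
    ("10.0.0.5", True, 12),
    ("10.0.0.8", True, 0),
]


def demo():
    """Run both verifiers over a genuine, a truncated and a tampered tag; return the outcomes."""
    genuine = auth_tag(AUTH_KEY, WIRE_MESSAGE)
    truncated = genuine[:1]                              # first byte of the real tag only
    tampered = bytes([genuine[0] ^ 0x01]) + genuine[1:]  # one bit flipped in a full-length tag
    return {
        "vulnerable_accepts_genuine": verify_vulnerable(AUTH_KEY, WIRE_MESSAGE, genuine),
        "vulnerable_accepts_truncated": verify_vulnerable(AUTH_KEY, WIRE_MESSAGE, truncated),
        "vulnerable_accepts_empty": verify_vulnerable(AUTH_KEY, WIRE_MESSAGE, b""),
        "hardened_accepts_genuine": verify_hardened(AUTH_KEY, WIRE_MESSAGE, genuine),
        "hardened_accepts_truncated": verify_hardened(AUTH_KEY, WIRE_MESSAGE, truncated),
        "hardened_accepts_tampered": verify_hardened(AUTH_KEY, WIRE_MESSAGE, tampered),
        "flagged_sources": audit_auth_param_lengths(SAMPLE_RECORDS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hardened check is what a patched agent should do: reject any authenticated message whose field is not exactly 12 bytes before comparing anything, then compare the whole tag with a constant-time function. The audit helper is the corresponding detection angle: while vendors are still updating their status, authenticated SNMPv3 messages with a short or empty msgAuthenticationParameters field in a capture are malformed by the RFC and worth an alert.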

Keep your core network elements tight.