Information Security all in one place!

Posts tagged “FAQs Help and Tutorials”

php5 Security Update: Recent PHP security update is flawed


Debian Security Advisory DSA-2403-1

php5 remote code execution, after problems were patched.


Stefan Esser discovered that the implementation of the max_input_vars configuration variable in a recent PHP security update was flawed such that it allows remote attackers to crash PHP or potentially execute code.

  • For the oldstable distribution (lenny), no fix is available at this time.
  • For the stable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze7.
  • The testing distribution (wheezy) and unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories can be found at: http://www.debian.org/security/


American Express (AMEX) fixes critical security vulnerability


Charge card company American Express has fixed a security vulnerability on its web site that allowed SQL injection and, therefore, direct access to its server’s database. The company acted after The H’s associates at heise Security forwarded a tip-off from one of its readers.


Student Nils Kenneweg had discovered that the pages of the American Express web site did not adequately filter data passed to a search function, thereby allowing direct access to the database server. He sent a message about this SQL injection problem to the heise Security team, who were able to reproduce it; the information was then passed on to American Express.

The company reacted quickly and fixed the vulnerability within a few days. It stated that the vulnerability had not been used and no customer data had been compromised. Some doubt exists about this statement, however, since SQL injection frequently allows access to all of an affected system’s data, and tables with names like “Accounts” often show up in SQL statements.

Read More: http://tinyurl.com/7vsjoup
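The root cause described above, a search function that splices user input into the SQL text, is easiest to see side by side with the parameterised form. The following is an added example and is not code from American Express or from The H: it builds an in-memory SQLite table with constructed rows, implements the search both ways, and adds a plausibility check on the term as a second layer. Table and column names (`accounts`, `holder`) and the sample data are assumptions for the demonstration.

```python
import sqlite3

# Added example, not code from American Express or The H: the same search
# written in its injectable and parameterised forms, over constructed data.


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, holder TEXT)")
    conn.executemany(
        "INSERT INTO accounts (holder) VALUES (?)",
        [("Alice Example",), ("Bob Example",), ("Carol Example",)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # The input is spliced into the SQL text, so a quote character in the input
    # ends the string literal and the rest is interpreted as SQL syntax.
    sql = "SELECT holder FROM accounts WHERE holder LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # A bound parameter travels separately from the SQL text: whatever the
    # input contains, the engine only ever sees it as the LIKE pattern value.
    return [row[0] for row in conn.execute(
        "SELECT holder FROM accounts WHERE holder LIKE ?", ("%" + term + "%",))]


def is_plausible_term(term: str) -> bool:
    """Allow-list check for a name search: length-bounded, letters, digits,
    spaces and a few punctuation characters that occur in names."""
    return 0 < len(term) <= 40 and all(ch.isalnum() or ch in " .-'" for ch in term)


def search_safe_and_checked(conn: sqlite3.Connection, term: str) -> list:
    # Defence in depth: parameterisation stops injection on its own; the
    # allow-list additionally keeps implausible input out of logs and errors.
    if not is_plausible_term(term):
        raise ValueError("rejected search term")
    return search_safe(conn, term)


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "Bob"), search_safe(db, "Bob"))
```

The difference that matters is not the query text but where the input ends up: in `search_vulnerable` it becomes part of the statement, in `search_safe` it can only ever be a value. Input filtering, which is what the article says was missing, belongs on top of parameterisation, not instead of it.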


Question for Hacker or InfoSec Pro….Evading the IDS: UPDATED!


Intrusion Detection System Evasion.

I am in the middle of my CEH training and the topic of IDS (Intrusion Detection Systems) bypassing is on the agenda. Currently I am covering the topic of “Evasion” when it comes to bypassing an IDS.

Evasion is defined as such: You can use evasion methods to bypass IDSs by submitting a packet to the IDS, which will be denied. The packet, however, is accepted by the host. However, because the IDS denied the packet, it didn’t verify its contents, enabling the illegal packet to obtain access to the host.

This confuses me on two levels.

One, what type of IDS would be used in this case? Allowing a denied packet to go through is a bit of an oxymoron, no? And two, how can the IDS deny a packet it does not verify? Doesn’t the verification come after inspection?

I throw these questions out to you, please be kind and respond. Looking for a detailed example of how the illegal packet makes it to the host if it is denied.

My previous post above (posted 4 days ago) and the mystery packet that can defy evil? Well, it has been demystified and the answer is below. Thanks to a mentor!

An example of one of the potential evasion techniques would be using packets that do not adhere to protocol standards. It is possible for a packet to be crafted in such a way that it will be handled differently by an IDS than by a host, resulting in the packet being dropped by the IDS but processed by the client.

Regarding your question, “Allowing a denied packet to go through is a bit of an oxy moron, no?”; an IDS is a passive device that is used to monitor traffic. It will inspect a copy of a packet that is traversing a network, but the IDS is not positioned in the traffic stream and therefore it cannot prevent a packet from reaching its destination. It is an Intrusion Prevention System (IPS) that is an active device positioned in line of the traffic flow and can take active steps to stop an attack, not an Intrusion Detection System (IDS).

Regarding your question, “And two, how can the IDS deny a packet it does not verify?”; a packet that is denied by an IDS would be discarded. Whether the IDS logs the packet activity would depend on how the IDS is configured, and the type of packet that was received. For example, if a packet is deemed to be corrupt or malformed by the IDS it could be simply dropped without logging the event. Since the packet was deemed to be corrupt, the contents would not be inspected by the IDS, but the client may process the packet differently.
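The mentor's answer rests on one mechanism: the IDS and the host parse the same bytes with different strictness, and an IDS configured to drop what it cannot parse, without logging, inspects nothing. The toy below is an added example, not from the post or its mentor: it defines a made-up packet format (length field, 8-bit checksum, payload), a strict parser standing in for the IDS sensor and a lenient one standing in for the host, and then contrasts the two IDS configurations the answer mentions, silent drop versus logging malformed traffic. The signature string and packet format are constructed for the demonstration and correspond to no real protocol or product.

```python
import struct

# Added example, not from the post or its mentor: a constructed packet format,
# one strict parser (the IDS) and one lenient parser (the host), used to show
# the blind spot of an IDS that silently drops malformed packets and the
# configuration change that makes the blind spot visible.

HEADER = struct.Struct("!HB")      # toy format: payload length, 8-bit checksum
SIGNATURE = b"EVIL-MARKER"         # constructed content signature the IDS looks for


def checksum(data: bytes) -> int:
    return sum(data) & 0xFF


def build_packet(payload: bytes, corrupt: bool = False) -> bytes:
    """Build a packet; with corrupt=True the checksum field is deliberately wrong."""
    c = checksum(payload)
    if corrupt:
        c ^= 0x01
    return HEADER.pack(len(payload), c) + payload


def parse_strict(pkt: bytes):
    """IDS-style parser: any deviation from the format means the packet is
    treated as corrupt and its contents are never examined."""
    if len(pkt) < HEADER.size:
        return None, "truncated header"
    length, c = HEADER.unpack_from(pkt)
    payload = pkt[HEADER.size:]
    if len(payload) != length:
        return None, "length mismatch"
    if checksum(payload) != c:
        return None, "checksum mismatch"
    return payload, "ok"


def parse_lenient(pkt: bytes):
    """Host-style parser: ignores the checksum and delivers the data anyway."""
    if len(pkt) < HEADER.size:
        return None
    length, _ = HEADER.unpack_from(pkt)
    return pkt[HEADER.size:HEADER.size + length]


def ids_silent_drop(pkt: bytes) -> list:
    """IDS configured to discard malformed packets without raising an event."""
    payload, _ = parse_strict(pkt)
    if payload is None:
        return []                  # nothing logged, nothing inspected
    return ["signature match"] if SIGNATURE in payload else []


def ids_log_malformed(pkt: bytes) -> list:
    """Same sensor, configured to raise an event for anything it cannot parse."""
    payload, reason = parse_strict(pkt)
    if payload is None:
        return [f"malformed packet: {reason}"]
    return ["signature match"] if SIGNATURE in payload else []


def host_delivers_signature(pkt: bytes) -> bool:
    """Whether the lenient host-side parser hands the signature to the application."""
    payload = parse_lenient(pkt)
    return payload is not None and SIGNATURE in payload


if __name__ == "__main__":
    bad = build_packet(b"hello " + SIGNATURE, corrupt=True)
    print("silent IDS:", ids_silent_drop(bad))
    print("logging IDS:", ids_log_malformed(bad))
    print("host processes payload:", host_delivers_signature(bad))
```

The lesson for the defender is in the last two functions: because a passive IDS cannot stop the packet anyway, the only thing the silent-drop configuration buys is the loss of the event. Alerting on malformed traffic does not recover the contents, but it turns an invisible evasion into a logged anomaly that can be correlated with host-side evidence.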
