“MIFARE Classic” report released
quine posted in security news, SeverelyBroken, vulns on October 8th, 2008
comments:0
Researchers from the Institute for Computing and Information Sciences at Radboud University in The Netherlands have, at long last, published their report (PDF) on the security posture of the MIFARE Classic system. The report, simply and appropriately entitled “Dismantling MIFARE Classic”, was presented as part of the 13th European Symposium on Research in Computer Security (ESORICS 2008).
At a mere 18 pages, the report still provides good detail about the team’s findings, including hardware setup, crypto used by MIFARE Classic (including the oft ridiculed 48-bit CRYPTO1 cipher), and exploits that can be launched against the system. Additional information can be found at the homepage of Flavio D. Garcia, one of the researchers involved.
Hat tip to Security4all for the notification on this paper.
Clickjacking details released
aaron posted in vulns on October 8th, 2008
comments:0
It looks like some of the details on clickjacking have been finally released. There are tons of different variants of it that have different impact, and varying levels of remediation. Here’s a quote from RSnake on this:
First of all let me start by saying there are multiple variants of clickjacking. Some of it requires cross domain access, some doesn’t. Some overlays entire pages over a page, some uses brs to get you to click on one spot. Some requires JavaScript, some doesn’t. Some variants use CSRF to pre-load data in forms, some don’t.
There’s a proof of concept for camera hijacking along with a video of it. There’s also PoC of hijacking your microphone from RSnake. There’s supposed to be some clickjacking code released here, but I wasn’t able to download it when I tried last. (edited: code link should work now)
Here’s a couple of the bad ones:
Issue #2a STATUS: To be fixed in Flash 10 release. All prior versions of Flash on Firefox on MacOS are particularly vulnerable to camera and video monitoring due to security issues allowing the object to be turned opaque or covered up. This fix relies on all users upgrading, and since Flash users are notoriously slow at upgrading, this exploit is expected to persist. Turning off microphone access in the bios and unplugging/removing controls to the camera are an alternative. Here is the information directly from Adobe.
and
Issue #2b STATUS: Resolved. Flash security settings manager is also particularly vulnerable, allowing the attacker to turn off the security of Flash completely. This includes camera/microphone access as well as cross domain access.
RSnake is going to be releasing a full paper in the next day or two, and hopefully more patches will be rolling in. In the meantime maybe it’s time for an internet vacation, 
.
Update: Here’s a more informative video from Jeremiah Grossman on the webcam hijacking
Update 2: The link to the clickjacking code was fixed on the ha.ckers.org site.
OSX update service MITM attack
aaron posted in osx, vulns on December 17th, 2007
comments:1
It looks like there is a fairly serious security vulnerability/exploit/patch released for OSX. Among other things, arbitrary commands can be trivially run on any OSX client with a man in the middle attack to the update service. There is a patch, but exploit code is already publicly available for metasploit, so I’d suggest not patching over any insecure connections,
The security update also contains fixes for about a dozen other things within OSX as well. I’m pretty surprised that the OSX update service doesn’t (didn’t?) use any type of certificate or other methods for server authentication. Several other projects (firefox, debian, etc) have had issues with this in the past, but have been subsequently fixed. It does appear that Apple responded very quickly to the the notice (initial notice was on 12/6), but this seems like one of those “by design” vulnerabilities, so I’d have to guess they’ve known about it for a while.
If I wasn’t stuck writing reports tonight instead of hacking, I’d try to put together a quick script for AirPwn. It looks like you just need to intercept/inject a couple of http connections to swscan.apple.com. It makes a request to get a catalog file (“.sucatalog”), which is just an xml file that references a distribution xml that contains the packages (payload).