Posts Tagged ‘Windows’

My take on MS10-070 – A tricky patch

September 29th, 2010 7 comments

Last night I attended the Microsoft Security Response Team webcast regarding the Out Of Band patch for the ASP.NET padding oracle vulnerability discovered by Juliano Rizzo and Thai Duong 11 days before.

My main objective in watching the webcast (which is not my usual habit) was to find out if systems that have the described workaround applied still need the patch. The webcast did not give a definitive answer, but this YouTube video, the Netifera website and Thai Duong's Twitter account do provide the answer: yes, you should apply the patch a.s.a.p.!


However, the Q&A section of the talk did give me, as a security operations guy, quite some food for thought. I made some notes in my own Twitter feed, which I have summarized here.

Q: Why did Microsoft release an OOB update for a vulnerability rated “only” as Important?
A: The vulnerability itself is rated as Important because it is not a vulnerability that directly leads to remote code execution on the vulnerable system, however exploitation of the vulnerability will lead to disclosure of all information in the webroot including web.config. This information can be used for session hijacking, compromising backend databases and to attack associations between websites, e.g. the association of a website with PayPal. Hence an out of band patch was warranted.

Q: Why only release to the download center and not to WSUS etc?
A: We felt we needed to get this update out quickly, the people that need to apply this patch quickly are mainly enterprises who are capable of applying patches without the aid of WSUS. Developing the WSUS capabilities would add another few days of delay to the deployment of this patch.

Q: Is the attack actively used?


Remove Vista/W7 hardware profiles

March 18th, 2010 No comments

For whatever reason Microsoft removed the accessible way of removing hardware profiles in Vista and Windows 7. To help out a colleague with a corrupt profile I made a tiny PowerShell script to perform this action. It’s easily done by hand in the registry; the downside is that you won’t see the profile descriptions, which is a tad error-prone. Also, feel free to use this, but I will take no responsibility whatsoever if you use this and break your Windows install :-)

# 20091218 - v0.01 - PZO - Initial hack to delete hardware profiles in Windows Vista/7
#
#------------------------------------------------------------------------------
# Let's see which profiles exist..
#------------------------------------------------------------------------------
$idConfigDb = "HKLM:\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware Profiles"
Write-Host ""
Write-Host "The following hardware profiles have been found on this computer:" -ForegroundColor White
foreach ($key in (Get-ChildItem -Path $idConfigDb)) {
    # Use the real key name (0000, 0001, ...) rather than a counter, so a gap left by an
    # earlier deletion does not shift the numbering and show the wrong FriendlyName
    $name     = $key.PSChildName
    $friendly = (Get-ItemProperty -Path "$idConfigDb\$name").FriendlyName
    Write-Host "$name - $friendly"
}
#------------------------------------------------------------------------------
# Now we can ask which to remove..
#------------------------------------------------------------------------------
Write-Host ""
Write-Host "You are strongly advised not to remove profile 0000 - New Hardware Profile" -ForegroundColor Red
Write-Host ""
# $input is an automatic variable in PowerShell, so the answer gets its own name
$choice = Read-Host "Which profile is causing you headaches and should be removed?"
$target = "HKLM:\SYSTEM\CurrentControlSet\Hardware Profiles\$choice"
if (-not (Test-Path -Path $target)) {
    Write-Host "No such profile key: $target" -ForegroundColor Red
    return
}
Write-Host "Deleting $target"
# -Recurse is needed because the profile key contains subkeys; without it Remove-Item prompts
Remove-Item -Path $target -Recurse

Finally: do _not_ remove profile 0000 unless you know what you are doing. YMMV!

[BBG]

Infamous McAfee 8.7 Error 1920, service McShield failed to start

September 25th, 2009 1 comment

I could not install McAfee 8.7 on all servers in several high-security environments. I got the infamous McAfee 8.7 Error 1920, service McShield failed to start. I also got the 5004 error from McLogEvent when I did a custom install and did not start McShield during install. I had already tried all options from McAfee Support (especially changing the ImagePath for mfeapfk.sys, mfeavfk.sys and mfebopk.sys in the registry looked promising, since I already had the latest version of the patch). After that didn’t work out, I logged an incident at McAfee. I went up to 3rd level support, and in the end it turned out that if I disabled all policies it worked. That made support think the issue was solved. That’s not true of course. Therefore I did some further investigation to find out which setting it was (I cannot afford to switch off all security settings of course). It turned out I had to change the following setting:
Client computers can trust the following certificate stores
change from:
Enterprise Root Certification Authorities
to:
Third-Party Root Certification Authorities and Enterprise Root Certification Authorities

With the first option, only a very small list of certificates is available in the “Trusted Root Certification Authorities” certificate store. After I changed the policy there are plenty of certificates in the list.

McAfee has added new drivers (to see them in Device Manager, select “Show hidden devices” and look under “Non-Plug and Play Drivers”). One of these, the McAfee Validation Trust Protection Service (mfevtps), needs one of the root certificates in the extended list shown above.

WSUS 3.0 SP2 gone awry

September 11th, 2009 No comments

Full credit for this goes to Elianne van de Kamp, who has been busy with the investigation for quite a while. What happened?

On the 9th of September, together with the regular MS updates, an update for WSUS 3.0 came in: Service Pack 2. The first issue we encountered was the fact that it was announced as an upgrade. It performs a re-install though. This means you have to reconfigure the basic setup of WSUS. The computer list and grouping definitions are safe in the database. Things like which updates and which languages to download will have to be configured again though. Being prepared here by making a note of the current settings will help.

We ran into a new issue the next morning. The upgrade of WSUS also upgrades the Windows Update Agent on all clients. This runs flawlessly on 32-bit Windows clients. It causes an issue on 64-bit Windows however: two files, NT5IIS.CAT and IASNT4.CAT, are replaced, probably by 32-bit versions. When you connect to the console of the server it will tell you about this in the form of a Windows File Protection error. The choice is yours to cancel this warning and ignore it, like we did, because it concerns a database server and the files will never be used (NT5IIS for the web server, IASNT4 for Internet Authentication Service). You could also cancel and replace the files manually from the CD or service pack. Fact is that the files copied by this update are dated 25-05-2005, so very old, and will most likely cause problems when you ever need them.

I thought I’d share this information as I’m sure other people will run into this problem as well. It would be a shame if they had to go through the same cycle!

Microsoft more vague than usual…

September 8th, 2009 No comments

[Figure: Overview of Microsoft patches due today by Microsoft]

Microsoft is even more vague than usual about the patches it plans to release today.

In this patch announcement Microsoft only states that it plans to release 5 patches.

This is the data currently known:


Blackhat talk: Rapid Enterprise Triaging by Aaron Le Master & Michael Murphy

July 30th, 2009 No comments

The talk focused on a methodology for restoration after a massive compromise while keeping the users on the network and somewhat productive.

Four phases for RETRI

  1. Preparation
  2. Assessment
  3. Segmentation and restoration
  4. Investigation and recovery


PowerShell: Finding the next available drive letter

June 30th, 2009 2 comments

Finding the next available drive letter on a system, excluding reserved drive letters, can be done using the following PowerShell one-liner.

[char[]]"DEFGJKLMNOPQRTUVWXY" | ?{!(gdr $_ -ea 'SilentlyContinue')} | select -f 1

The character array containing only valid drive letters (in this example A, B, C, H, I, S and Z are not to be used) is piped to the Where-Object cmdlet, which uses Get-PSDrive to keep only the letters that are not currently in use. These are then passed to the Select-Object cmdlet, which only displays the first match.

Beware: the line above returns only the bare drive letter; no colon is appended.
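The same lookup wrapped in a function, as an added example that is not part of the original post: the reserved letters become a parameter (the default set below is an assumed example), the colon can be appended on request, and running out of letters raises an error instead of silently returning nothing.

```powershell
function Get-NextFreeDriveLetter {
    param(
        [string]$Reserved = 'ABCHISZ',   # letters never handed out; an assumed example set
        [switch]$WithColon               # append ':' for callers that need "X:" rather than "X"
    )
    $blocked    = [char[]]$Reserved.ToUpper()
    $candidates = [char[]]'DEFGHIJKLMNOPQRSTUVWXYZ' | Where-Object { $blocked -notcontains $_ }
    # Letters in use right now according to the FileSystem provider (local and mapped drives)
    $used = (Get-PSDrive -PSProvider FileSystem).Name
    $free = $candidates | Where-Object { $used -notcontains [string]$_ } | Select-Object -First 1
    if (-not $free) { throw "No free drive letter left (reserved: $Reserved)" }
    # ${free}: is needed because "$free:" would be parsed as a drive-qualified variable name
    if ($WithColon) { "${free}:" } else { [string]$free }
}
Get-NextFreeDriveLetter
Get-NextFreeDriveLetter -WithColon -Reserved 'ABCDEFG'
```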

OpenSSH Authentication using Kerberos

June 30th, 2009 No comments

An interesting paper on how to authenticate against Active Directory using Kerberos and OpenSSH. This will enable SSO capabilities between Linux and Windows if used in combination with a Kerberos-enabled SSH client. And maybe even 2-factor authentication if combined with smartcards; I haven’t tested this, but it should work in theory if you use an SSH client from Windows at least.

Components used:

On Linux:

  • openssh
  • openssh-server
  • samba-common
  • samba-client
  • krb5-workstation
  • krb5-libs

On Windows:

  • Windows Support Tools

OpenSSH on Linux using Windows/Kerberos for Authentication

Putty With Kerberos

PowerShell: Comparing version numbers

June 24th, 2009 2 comments

Comparing version numbers can be tricky from time to time; before you know it you end up in auto-casting issues comparing strings to integers etc. The most common format of a version number in Windows is “Major.Minor.Build.Revision”, where each individual item is a number, but because of the separating dots PowerShell will treat the whole thing as a string.

The .NET System.Version class offers a CompareTo method which can do the trick, as shown in the figure below.

[Figure: versions]

The CompareTo method returns 1, 0 or -1 depending on whether the version it is called on is higher than, equal to or lower than the version passed to it.

Thanks to Shay Levy (see the comment) I now know a better/faster method for comparing version numbers (thanks Shay). PowerShell has its own [version] type. This removes the need to load the assembly and use New-Object. It still allows using the CompareTo method as well as direct comparison via -ge, -gt, etc.

[Figure: versions-2]

The CompareTo method distinguishes between the three possibilities (>, < or =), but direct comparison might be sufficient in a script.
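Since the two figures are not reproduced here, the following added example (not from the original post) shows the string-comparison pitfall next to the [version] comparison, and then uses it for a typical patch check: is a file's version at least a required minimum? The file path and minimum version in the last call are assumed placeholders.

```powershell
$a = '10.0.1.0'
$b = '9.5.2.100'
# As strings the comparison is character by character, so "1" < "9" and 10.x sorts below 9.x
$a -gt $b                              # wrong answer: False
# As [version] the four fields are compared numerically
[version]$a -gt [version]$b            # True
([version]$a).CompareTo([version]$b)   # 1: the version CompareTo is called on is the higher one
([version]$b).CompareTo([version]$a)   # -1
# Sorting needs the typed values too; as strings '1.10' would land between '1.1' and '1.2'
'1.10', '1.2', '1.1', '1.2.0.5' | ForEach-Object { [version]$_ } | Sort-Object

function Test-FileVersionAtLeast {
    param([string]$Path, [version]$Minimum)
    # FileVersion is free text and may carry a build tag after the digits,
    # e.g. "6.1.7600.16385 (win7_rtm.090713-1255)", so only the leading digits are parsed
    $raw = (Get-Item $Path).VersionInfo.FileVersion
    if ($raw -notmatch '^\s*(\d+(\.\d+){1,3})') { throw "Cannot parse version '$raw' of $Path" }
    [version]$matches[1] -ge $Minimum
}
# Placeholder values: substitute the binary and the minimum version your baseline requires
Test-FileVersionAtLeast -Path "$env:SystemRoot\System32\ntdll.dll" -Minimum '6.1.0.0'
```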

PowerShell: Controlling cmdlet parameters

June 22nd, 2009 No comments

PowerShell allows inline parameter control for some of its cmdlet parameters. Based upon command-line and/or input-file content you might want to turn some of the cmdlet parameters on or off.

For example: scripts manipulating files will often use the Get-ChildItem cmdlet in combination with the -recurse parameter, but the files in subfolders are not always required. Instead of having multiple Get-ChildItem command lines (each with their own set of parameters), a single line might be possible.

The following examples use the Get-ChildItem cmdlet to show what I mean.

The command in the figure below will display all *.tmp files in the current folder and its subfolders.

[Figure: Get-ChildItem without parameter control]

By appending :$false to -recurse, recursive lookup is turned off.

[Figure: Get-ChildItem with recursive lookup turned off]

On the other hand, replacing $false with $true will turn recursive lookup on again.

So using a boolean variable we can turn recursive lookup on or off from within the script (-recurse:$RecurseOnOff). And of course this method also works for other parameters.

[Figure: Get-ChildItem with multiple controls]

And it gets stranger: on some occasions you can also reverse the default action of a parameter. Hence the following figure.

[Figure: Reverse parameter action]

The first command will show all files with the exception of the *.tmp files. By appending :$false to -exclude, we turn -exclude into -include, as demonstrated by the second command.

This form of parameter manipulation offers a whole range of possibilities. Using script parameters to control cmdlet behaviour can decrease both script size and complexity.
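A small cleanup script that puts the -parameter:$value form to work, as an added example that is not part of the original post: the script's own switches are passed straight through to Get-ChildItem and Remove-Item, so a single line serves the recursive and non-recursive cases, and the same trick turns the deletion into a dry run via -WhatIf. The default file pattern and folder are assumed placeholders.

```powershell
# Save as e.g. Remove-TempFiles.ps1 and call with -Recurse and/or -DryRun as needed
param(
    [string]$Path   = '.',       # assumed placeholder: folder to clean
    [string]$Filter = '*.tmp',   # assumed placeholder: file pattern to remove
    [switch]$Recurse,            # the script's -Recurse toggles -Recurse on Get-ChildItem
    [switch]$DryRun              # the script's -DryRun toggles -WhatIf on Remove-Item
)

# Subfolders are only searched when the caller asked for it; the $Recurse switch is
# forwarded with the colon syntax instead of maintaining two Get-ChildItem lines
$files = Get-ChildItem -Path $Path -Filter $Filter -Recurse:$Recurse |
         Where-Object { -not $_.PSIsContainer }

# With -DryRun the deletion becomes a rehearsal: -WhatIf:$true only reports what would go
$files | Remove-Item -WhatIf:$DryRun

# @() guards against $files being a single object or $null, which have no Count property
$verb = if ($DryRun) { 'would have been removed' } else { 'removed' }
"{0} file(s) {1} from {2}" -f @($files).Count, $verb, (Resolve-Path $Path)
```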

Have fun experimenting with this little trick.