IIS6 secure?

Richard Monson-Haefel: Is Microsoft IIS 6.0 more secure than Apache HTTP Server 2.0?
Interesting posting on the relative security of IIS 6 and Apache 2.0. I'd agree that IIS 6 seems to have a MUCH better record than previous versions in terms both of vulnerability counts and initial configuration.
The only caveat I've got on it is my usual one about MS security, which is that with their products you have to look at the vulnerability of the whole stack as installed because it's so darn difficult to separate out the bits you don't want, unlike the situation with Apache running on something like Linux or BSD...
but I've done that rant before so I shan't do it again...

Cool Windows XP Info. site

The Elder Geek on Windows XP

Very Nasty Unpatched Windows vuln.

File Selection May Lead to Command Execution
This vulnerability doesn't look too bad at first. If you can persuade someone to highlight a file in Windows Explorer then it executes some arbitrary code, which it seems can do most things. However you'd have to get people to download the file anyway for it to work as a virus/worm, which isn't too likely (you'd hope, after years of that kind of thing doing the rounds on the 'net).
Then I got to thinking, what about a completely different attack scenario... Joe the disgruntled employee could go through the corporate file store adding malicious author fields to Word files or the like, then as soon as one of his co-workers clicks the file, the JavaScript runs and actions are taken looking like the person clicking the file has carried them out (and if Joe's got any sense the first one would be to change the author field, removing any evidence of his modification...).
Hard to catch: unless things like A-V scanners get a signature for this (which might be tough), changes to document metadata don't usually show up in things like security logs, and in many companies people have access to a lot of docs, so it might not be discovered for a long time...
Another interesting point in relation to this vuln. and the unpatched Jet engine one is how long it will take Microsoft to get a patch out, and whether they'll release it outside the monthly schedule they usually use...

cachedump

CacheDump: recovering cached password hashes on Windows
Handy pen testing tool. Can be used to dump the hashes for cached passwords, which Windows holds so that you can log on to your local machine if the domain controller's not available or you're not on the network (e.g. laptops).
One attack using this I've seen suggested is to persuade a network admin to log onto a machine you control, then you can use this to get their password (of course you could just use something like this instead).

Interesting examples of XSS attacks

Where's the Beef - xss / bankofamerica.com.html /
There's an interesting list at this site of XSS vulnerabilities that the authors found...

sql injection resources

OK, recently I've been using SQL injection in some penetration testing work I've been doing, so I thought it would be worth getting together all the links/white papers I've been using/found useful.
Start off with two papers, which are more advanced but which have been the most useful ones I've found in the sense of having techniques I've used...
Advanced SQL Injection and More Advanced SQL Injection from NGS. Both good papers, and in the first there's a really handy methodology that you can follow through to iterate over the columns in a database table and then insert data into that table, amongst other things.
There's a good introduction to SQL injection here at securiteam and another one here at unixwiz.
Some points I've noticed from the testing I've done:
- If you get SQL error messages out of the database you're halfway there. Without them you're stuck trying to guess whether the data you've chucked at the system has caused it to barf in the right way or not... (There are some techniques for this in the papers above, but I've not had much joy with them so far.)
- If the web application you're looking at does intelligent escaping of quotes, you're probably only going to be able to attack numeric fields ('cause they don't typically put quotes round the input, so there's no need to close one to inject your own SQL statements).
- Understanding what the likely accounts and system tables are for a given DBMS is darned handy for expanding on the vulnerability.
Other papers I've found handy:
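To illustrate the second point above (quote escaping protects string fields but not bare numeric ones), here is an added example that is not from the original post or the papers it links: a lookup written against an in-memory SQLite table with constructed sample rows, in its vulnerable form beside a hardened form that validates the numeric field and binds both values as parameters. The table, column names and data are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
ROWS = [(1, "alice", "accounts"), (2, "bob", "sales"), (3, "carol", "admin")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, dept TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return con

def escape_quotes(s):
    """The 'intelligent escaping' of quotes the post describes: doubles single quotes."""
    return s.replace("'", "''")

def lookup_unsafe(con, user_id, name):
    # Vulnerable: the string field is quoted and escaped, but the numeric field
    # is concatenated bare, so a value such as "1 OR 1=1" rewrites the WHERE clause.
    sql = ("SELECT id, name, dept FROM users WHERE name = '%s' AND id = %s"
           % (escape_quotes(name), user_id))
    return con.execute(sql).fetchall()

def lookup_safe(con, user_id, name):
    # Hardened: the numeric field must actually be an integer (ValueError otherwise),
    # and both values are bound as parameters rather than pasted into the SQL text.
    uid = int(user_id)
    return con.execute(
        "SELECT id, name, dept FROM users WHERE name = ? AND id = ?", (name, uid)
    ).fetchall()

def is_rejected(con, user_id, name):
    """True when the hardened lookup refuses the input instead of running it."""
    try:
        lookup_safe(con, user_id, name)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    con = make_db()
    # Escaping stops the quote-based payload in the string field...
    print(lookup_unsafe(con, "1", "alice' OR '1'='1"))   # []
    # ...but the bare numeric field still leaks every row.
    print(lookup_unsafe(con, "1 OR 1=1", "alice"))        # all three rows
    print(is_rejected(con, "1 OR 1=1", "alice"))          # True
```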
SQL Injection Signatures Evasion
Blind SQL Injection

Real Interesting Post: Microsoft in trouble?

christopher baus dot net
This is a really interesting post covering why the author thinks Microsoft is in trouble. There's a lot in it I agree with. Definitely Microsoft's current attitude to parts of the developer community (VB6 in particular) seems likely to drive people to the competition...
However, as I see Microsoft's problem from a security standpoint, one of their major problems is having to maintain backwards compatibility. For example, Windows Server 2003 has many improvements to security, which are partially neutralised if you have to run it in backwards compatibility mode (e.g. using LM/NTLM for NT4 compatibility).
That said, Microsoft don't always help themselves from a security point of view... as is mentioned in the article, they deploy a MEDIA PLAYER and a POP3 Client by default on their SERVER OS!!! That's just crazy, especially when those components start having critical vulnerabilities. Can you imagine a large enterprise having to deploy a patch to thousands of servers because the media player, which will probably never run on any of them, needs a patch!
OK, this is turning into a bit of a rant, but that is a pet hate of mine... onto one other thought I have about this, which is how Microsoft may intend to save themselves (not saying I have some prescient knowledge of their strategy, but this does seem to fit current facts).
It's easy: force people to run your products because all your documents, songs, movies etc. will only play on those products, and use DRM technology so that the content is encrypted such that there's no way for competitors to, legally, access it... Simple, and if Microsoft pulls it off, I'm not actually sure how you'd stop them. If the majority of the media out there gets into encrypted, DRM-protected, Microsoft proprietary formats, it will really stuff the competition...

More Pen Test Resources

Professional Security Testers resources warehouse
More info on pen testing. This site in particular has a good links section.

Handy list of Security Whitepapers

White Papers - Web Application Security Consortium

Gmail File System

Gmail Filesystem
Not that I'd ever want to rely on this for any data I cared about, but it's a really interesting idea, and at current rates, with the ~150 invites I've got access to, I could create a 300GB filesystem all stored in Gmail...