You are viewing the archive for March, 2010

A Look at the Latest HBGary Responder 2.0 REcon Malware Analysis Tool

Let me first say that I have no relationship with HBGary. I think HBGary, Memoryze, and Volatility each have their own strengths and weaknesses, and each has a place in the Windows RAM dump analyst’s toolbox. After having some stability issues with earlier editions of HBGary REcon, I tried the latest REcon version available with HBGary Responder 2.0.0.0354 on a piece of malware that I needed to analyze, and it worked like a champ for me. This piece of malware was found spreading via USB media. There was nothing unusual about this malware sample other than that it was over 30MB in size … Continue Reading

Interesting Article on Recent US Offensive Cyber Op

If there is any truth to this Washington Post article about the US military taking down a joint CIA-Saudi terrorist intelligence gathering website, it sounds like some serious policy and protocol work needs to be done to help guide our well-intentioned military and intelligence service decision makers when similar situations arise in the future. If unintended collateral damage like what allegedly happened in this instance spread to another nation’s SCADA systems or systems at sensitive facilities, the blowback could be much worse.

From the Washington Post article: “By early 2008, top U.S. military officials had … Continue Reading

New Apache mod_isapi Vuln Affects IBM HTTP Server 6.1 and Earlier

Apparently the vulnerability in Apache mod_isapi described here affects certain versions of the IBM HTTP Server – which is included in IBM’s WebSphere Application Server in some cases. I haven’t verified yet whether the existing Metasploit exploit (www.metasploit.com/modules/auxiliary/dos/http/apache_mod_isapi) works on vulnerable versions of IBM HTTP Server. According to IBM, the mod_isapi module is provided only on Windows and only on IBM HTTP Server 6.1 and earlier. It is not enabled or configured by default and is not available in IBM HTTP Server 7.0 and later.

References:
http://secunia.com/advisories/38978/
http://secunia.com/advisories/38776/
http://www-01.ibm.com/support/docview.wss?uid=swg1PM09447

email: … Continue Reading

Apache Server 2.2.15 Released

Apache has released version 2.2.15 of the Apache web server. 2.2.15 contains vulnerability fixes that you need to consider, since at least one of the vulnerabilities patched has a known working exploit available publicly. Proof of concept code for CVE-2010-0425 (mod_isapi) has already been released on the explo.it site (http://www.exploit-db.com/exploits/11650). The OpenSSL library has also been updated in this release to version 0.9.8m to address CVE-2009-3555.

The Apache download site is: http://httpd.apache.org/download.cgi
Metasploit module: www.metasploit.com/modules/auxiliary/dos/http/apache_mod_isapi

email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Good Practical Advice from Hacked Rage3D Site

Unfortunately, it appears that the popular Rage3D site was hacked recently. I point this out not to embarrass them, but instead to applaud them for taking the time to give the following great advice as they work to address the problem.

From http://www.rage3d.com/ as of 14 March 2010: “We recommend those of you registered in the Rage3D Forums change the password for the email address that you used to register in the Rage3D Forum. If you use the same password anywhere else in your online life, you should change it there as well.”

As the Internet becomes increasingly hostile, … Continue Reading

Is Microsoft MS10-015 Detection Tool Mpsyschk.exe Effective?

Has anyone seen Microsoft’s MS10-015 mpsyschk.exe tool (http://support.microsoft.com/kb/980966) find a copy of Alureon/Tidserv? If so, please ping me at david @ sharpesecurity.com. I ran mpsyschk across a large population of machines last week and found nothing. Based on what I had observed in AV reporting, I had expected at least a couple of hits.

I took a look at the pass/fail logic in mpsyschk.exe. The pseudocode for the function that makes the PASS or FAIL decision is below. It looks like the decision point is whether or not two 4-byte values at offsets 0x7FFE0308 and 0x7FFE030C in the … Continue Reading

Serious Usability Bug in TCG’s Opal Hard Drive Encryption Standard

There is, in my opinion, a serious usability problem with encrypted drives conforming to the Trusted Computing Group Opal standard (i.e. the Opal Security Subsystem Class (SSC)). If an Opal-compatible drive thinks power has gone away as part of moving to the S3 standby power state, the drive deauthenticates or locks. If an Opal drive is locked, only the shadow MBR and data log areas are reachable on the drive. As a result, the machine cannot see the file system, which means it cannot boot out of the S3 state or hibernate. Microsoft Windows will typically bugcheck … Continue Reading