BackTrack 5 “Revolution” Released
The most popular security and penetration testing Linux distribution has been updated once again, this time built from scratch! BackTrack 5, codenamed “Revolution”, is based on Ubuntu Lucid LTS with kernel 2.6.38, and brings with it full 32 and 64-bit support, an ARM-compatible image, forensics and stealth modes, KDE (4.6) and Gnome (2.6) desktop environments, and (allegedly) over 350 updated security tools including Metasploit 3.7.0. Best of all it’s “aligned with industry methodologies”! Whatever that means ;)
It appears BackTrack 5 will only be available via torrents for the time being. The torrents are available in the following flavours: Gnome ISO (32bit, 64bit, ARM img), Gnome 32-bit VMware Image, KDE ISO (32bit, 64bit). Here’s the BackTrack downloads page. For those of you wondering whether to get Gnome or KDE, it’s largely a matter of taste, but the BackTrack guys appear to be favouring Gnome (which was the default Ubuntu desktop environment). If you have no idea what to get, then grab the Gnome 32-bit ISO (or VMware image) using the links above. I recommend Transmission (Mac) or uTorrent (Mac/PC) as BitTorrent clients. For anyone who hasn’t used BT before, the default username and password is root/toor.
BackTrack is a great tool for network security specialists and penetration testers, but it’s an even more valuable resource for people looking at learning more about application and network security (and Linux). Although I do have an Ubuntu install, I tend to use BackTrack more often due to the convenience (when I’m not using OSX that is ;).
It’s not possible to upgrade from BT4r2 to BT5, so those of you with installations of BackTrack 4 will need to reinstall (or download the new VM).
Check out their shiny promotional video below!
[Updated] BackTrack 5 R2 is now available, and brings a new kernel and 42 new tools. You can update your existing BT5 (R1) installation by running:
echo "deb http://updates.repository.backtrack-linux.org revolution main microverse non-free testing" >> /etc/apt/sources.list
apt-get update
apt-get dist-upgrade
ProFTPD 1.3.3c Briefly Backdoored by Hackers
Servers of the widely popular FTP server, ProFTPD, were compromised (probably with a 0day) on the 28th of November 2010. During the attack, some source code was modified to insert a backdoor. The source files affected were for ProFTPD version 1.3.3c, between 28/11/2010 and 02/12/2010.
The backdoor introduced by the attackers allows unauthenticated users remote root access to systems which run the maliciously modified version of the ProFTPD daemon.
If you installed or updated ProFTPD from one of the official mirrors during that time, it is recommended that you recompile from a known good version of the code. The source modification was spotted and rectified on 01/12/2010. MD5 sums for the valid source tarballs:
8571bd78874b557e98480ed48e2df1d2 proftpd-1.3.3c.tar.bz2
4f2c554d6273b8145095837913ba9e5d proftpd-1.3.3c.tar.gz
Hit the jump for details on how the backdoor is triggered. A Metasploit module is available to automate the exploit.
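The recommended check above (compare a downloaded 1.3.3c tarball against the published sums before building it) as a small POSIX sh helper; this is an added example, not code from the post or the ProFTPD project, and it assumes GNU coreutils md5sum is installed:

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded ProFTPD
# 1.3.3c tarball against the MD5 sums published after the backdoor incident.
# Assumes GNU coreutils md5sum, basename and cut are available.

# Known-good sums as published for the clean 1.3.3c tarballs.
PROFTPD_MD5_BZ2="8571bd78874b557e98480ed48e2df1d2"
PROFTPD_MD5_GZ="4f2c554d6273b8145095837913ba9e5d"

# expected_md5 <path>: print the published sum for that tarball name,
# or fail (rc 1) if the name is not one we have a sum for.
expected_md5() {
    case "$(basename "$1")" in
        proftpd-1.3.3c.tar.bz2) printf '%s\n' "$PROFTPD_MD5_BZ2" ;;
        proftpd-1.3.3c.tar.gz)  printf '%s\n' "$PROFTPD_MD5_GZ" ;;
        *) return 1 ;;
    esac
}

# check_md5 <file> <expected>: rc 0 if the file's MD5 matches,
# rc 1 on mismatch, rc 2 if the file does not exist.
check_md5() {
    [ -f "$1" ] || return 2
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_proftpd_tarball <path>: rc 0 = matches the published sum and is
# safe to build; rc 1 = mismatch, treat as possibly backdoored and do not
# build it; rc 2 = unknown tarball name or missing file.
verify_proftpd_tarball() {
    want=$(expected_md5 "$1") || return 2
    check_md5 "$1" "$want"
}
```

MD5 is collision-prone, so where the project also publishes a PGP signature for the tarball, verify that as well rather than relying on the sum alone.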
Armitage: Metasploit Attack Management GUI
Armitage, by Raphael Mudge, is a great little user interface for Metasploit which allows you to easily discover targets, deliver exploits, and manage your attacks to do things like pivots without any hassles.
Getting started with Armitage in Backtrack 4 R2 is easy. First, start the MySQL DB with /etc/init.d/mysql start (root/toor), and then start the Metasploit RPC daemon:
cd /pentest/exploits/framework3
./msfrpcd -f -U msf -P test -t Basic
Once msfrpcd is running, simply launch Armitage using the script provided and click Connect (you may need to check the Use SSL checkbox).
Armitage is written in Java, and works in Linux, Windows and Mac OS X. Download it here.
[Update] Armitage has been added to the Backtrack repos. Here’s a short tutorial, and check out the video tutorial below.
[Updated 21/01/2011] Hak5 episode 882 features a tutorial with mubix and Mudge (Hak5).
Apple QuickTime 7.6.7 “_Marshaled_pUnk” Code Execution Vulnerability and Metasploit Exploit
A new (read: yet another) 0day QuickTime vulnerability has been discovered by researcher Ruben Santamarta which leads to arbitrary client-side code execution. The vulnerability, which affects QuickTime <= 7.6.7 on Windows XP, Vista and 7 and defeats DEP and ASLR, is due to a flaw in the way the QuickTime ActiveX control handles a supplied parameter and treats it as a trusted pointer.
This vulnerability can be exploited by luring the victim to a malicious web page. A heap-spraying Metasploit module has already been published which exploits this issue.
QuickTime Player SMIL Buffer Overflow and Metasploit Exploit
On the 26th July 2010, Krystian Kloskowski discovered a vulnerability in QuickTime Player 7.6.6 for Windows caused by a buffer overflow in the application’s error logging.
The original advisory states:
The vulnerability is caused due to a boundary error in QuickTimeStreaming.qtx when constructing a string to write to a debug log file. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a specially crafted web page that references a SMIL file containing an overly long URL.
Successful exploitation of this vulnerability allows arbitrary code to be executed on the victim’s computer.
A couple of days ago, Joshua Drake (aka jduck) submitted a working exploit module to the Metasploit Framework.
As QuickTime is installed on many Windows systems these days (it’s included as part of iTunes), this vulnerability poses a real threat. As always users should beware of clicking on unknown links, but ultimately if someone wants to get you to visit a malicious page, they can.
In this case users should update QuickTime asap. Apple has released QuickTime 7.6.7 which fixes this issue.
[Update] Check out the video below for a demo of the Metasploit module in action: