<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Jock Today</title>
	<atom:link href="http://www.jocktoday.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.jocktoday.com</link>
	<description>Latest security protection and open source development tools</description>
	<lastBuildDate>Fri, 21 May 2010 00:09:03 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Windows 7 Security Issues Beginning to &#8216;Trend&#8217;</title>
		<link>http://www.jocktoday.com/2010/05/20/windows-7-security-issues-beginning-to-trend/</link>
		<comments>http://www.jocktoday.com/2010/05/20/windows-7-security-issues-beginning-to-trend/#comments</comments>
		<pubDate>Thu, 20 May 2010 23:47:09 +0000</pubDate>
		<dc:creator>jpereira</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.jocktoday.com/?p=244</guid>
		<description><![CDATA[Windows 7, security issue]]></description>
			<content:encoded><![CDATA[<p>Just this week another serious security vulnerability in Microsoft&#8217;s newest operating systems was reported. The flaw could expose users to code execution (CE) and denial-of-service (DoS) attacks, and it was disclosed in a &#8216;low splash&#8217; advisory earlier this week.</p>
<p>It only affects Windows 7 and the new R2 release of Windows Server 2008.</p>
<p>The flaw was found in the Canonical Display Driver (cdd.dll), which is used by desktop composition to blend the Windows Graphics Device Interface (GDI) and DirectX drawing.</p>
<p>Microsoft reports that it has activated its security response process and will provide a patch once investigations are complete.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jocktoday.com/2010/05/20/windows-7-security-issues-beginning-to-trend/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>F1 Key Lets The Bad Guys In</title>
		<link>http://www.jocktoday.com/2010/03/01/f1-key-lets-the-bad-guys-in/</link>
		<comments>http://www.jocktoday.com/2010/03/01/f1-key-lets-the-bad-guys-in/#comments</comments>
		<pubDate>Mon, 01 Mar 2010 19:55:41 +0000</pubDate>
		<dc:creator>jpereira</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.jocktoday.com/?p=239</guid>
		<description><![CDATA[Microsoft warns of new IE code execution flaw]]></description>
			<content:encoded><![CDATA[<p>Microsoft&#8217;s security response team is investigating reports of a potentially dangerous code execution vulnerability in its flagship Internet Explorer browser. The company warned that an attacker could host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop-up dialog box.</p>
<p>From the <a href="http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx">MSRC blog</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jocktoday.com/2010/03/01/f1-key-lets-the-bad-guys-in/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Kevin Mitnick</title>
		<link>http://www.jocktoday.com/2010/02/16/kevin-mitnick/</link>
		<comments>http://www.jocktoday.com/2010/02/16/kevin-mitnick/#comments</comments>
		<pubDate>Tue, 16 Feb 2010 21:04:15 +0000</pubDate>
		<dc:creator>jpereira</dc:creator>
				<category><![CDATA[Asides]]></category>

		<guid isPermaLink="false">http://www.jocktoday.com/?p=217</guid>
		<description><![CDATA[&#8220;As a young boy, I was taught in high school that hacking was cool.&#8221; &#8211; Kevin Mitnick
]]></description>
			<content:encoded><![CDATA[<p>&#8220;As a young boy, I was taught in high school that hacking was cool.&#8221; &#8211; Kevin Mitnick</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jocktoday.com/2010/02/16/kevin-mitnick/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Henry David Thoreau</title>
		<link>http://www.jocktoday.com/2010/02/16/henry-david-thoreau/</link>
		<comments>http://www.jocktoday.com/2010/02/16/henry-david-thoreau/#comments</comments>
		<pubDate>Tue, 16 Feb 2010 21:03:20 +0000</pubDate>
		<dc:creator>jpereira</dc:creator>
				<category><![CDATA[Asides]]></category>

		<guid isPermaLink="false">http://www.jocktoday.com/?p=215</guid>
		<description><![CDATA[&#8220;There are a thousand hacking at the branches of evil to one who is striking at the root.&#8221; &#8211; Henry David Thoreau 
]]></description>
			<content:encoded><![CDATA[<p>&#8220;There are a thousand hacking at the branches of evil to one who is striking at the root.&#8221; &#8211; Henry David Thoreau </p>
]]></content:encoded>
			<wfw:commentRss>http://www.jocktoday.com/2010/02/16/henry-david-thoreau/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>SQL Injection: Lazy Man&#8217;s Method</title>
		<link>http://www.jocktoday.com/2010/02/16/sql-injection-lazy-mans-method/</link>
		<comments>http://www.jocktoday.com/2010/02/16/sql-injection-lazy-mans-method/#comments</comments>
		<pubDate>Tue, 16 Feb 2010 20:19:08 +0000</pubDate>
		<dc:creator>jpereira</dc:creator>
				<category><![CDATA[How To...]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[pen-test]]></category>
		<category><![CDATA[penetration testing]]></category>
		<category><![CDATA[pentest]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security testing]]></category>
		<category><![CDATA[SQL Injection]]></category>
		<category><![CDATA[sql injection protection]]></category>
		<category><![CDATA[sqli]]></category>
		<category><![CDATA[sqlmap]]></category>

		<guid isPermaLink="false">http://www.jocktoday.com/?p=186</guid>
		<description><![CDATA[This lazy man&#8217;s method is probably for you. It requires: (1) very little thought, (2) a vulnerable site and (3) a few skills at working your command prompt.]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s a Friday afternoon and you, Mr. Diligent, Security Expert, are looking for just one more great &#8216;find&#8217; before calling it a week. This lazy man&#8217;s method is probably for you. It requires: (1) very little thought, (2) a vulnerable site and (3) a few skills at working your command prompt.</p>
<p>5 minute setup:</p>
<p>1. Download the latest version of sqlmap.<br />
2. Download and install ActiveState Perl.<br />
3. Scan through the thorough documentation of sqlmap at install_path/doc.</p>
<p><a href="http://www.jocktoday.com/wp-content/uploads/2010/02/lazy.jpg"><img src="http://www.jocktoday.com/wp-content/uploads/2010/02/lazy-300x239.jpg" alt="" title="lazy" width="300" height="239" class="alignnone size-medium wp-image-201" /></a>Now we are ready to go. We are going to send sqlmap a list of URLs within the vulnerable site based on which ones are indexed by Google and contain GET (?var=value) parameters. There is no need to scan through the site using this method. No need to parse through forms, tamper with URLs, etc. In fact this is a great numero uno method of testing any new site that comes your way as a security professional&#8230;</p>
<p>All you need to do is feed sqlmap a Google dork command; it is that simple. From the command prompt, within the sqlmap directory, execute this command:</p>
<p>perl sqlmap.pl -g &#8220;site:yourdomain.com&#8221;</p>
<p>sqlmap will hit Google up for any URLs within this domain that contain parameters and then attempt to tamper with each URL that Google returns.</p>
<p>You still have a lot of control here. You can choose to try to exploit each URL that sqlmap finds on Google or to ignore it. If a URL can be tampered with you can choose to enact this tampering. If a vulnerability can be exploited you control how it is exploited.</p>
<p>Using the many command line parameters you can take a vulnerable URL and run it through many paces per the documentation (stacked tests, time tests, union tests, fingerprinting, etc).</p>
<p>In protecting the organizations that I work for, I have found this tool to be a great way to find vulnerabilities on target sites that are indexed by Google.</p>
<p>Note that this should not replace exhaustive testing where all URL activity back and forth between the browser and web server is logged and examined. There is obviously a large disparity between what Google finds or is allowed to find and what a site and its protected pieces may contain.</p>
<p>If you are looking for a way to find the lazy man&#8217;s entry into exploitable areas of your web servers then look no further than sqlmap.</p>
<p>Now go report your SQL injection vulnerabilities and enjoy your weekend!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jocktoday.com/2010/02/16/sql-injection-lazy-mans-method/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Black Market Vulnerability Detection</title>
		<link>http://www.jocktoday.com/2010/02/13/black-market-vulnerability-detection/</link>
		<comments>http://www.jocktoday.com/2010/02/13/black-market-vulnerability-detection/#comments</comments>
		<pubDate>Sat, 13 Feb 2010 18:31:34 +0000</pubDate>
		<dc:creator>jpereira</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[exploits]]></category>
		<category><![CDATA[security testing]]></category>
		<category><![CDATA[vulnerability lists]]></category>

		<guid isPermaLink="false">http://www.jocktoday.com/?p=179</guid>
		<description><![CDATA[For most security professionals, subscribing to security alerts is a must. These are often subscription services or bulletins that are posted by the makers of commercial security software. 
A second way to ensure that you are completely up to date with the latest vulnerabilities and exploits is to monitor the web sites of what I [...]]]></description>
			<content:encoded><![CDATA[<p>For most security professionals, subscribing to security alerts is a must. These are often subscription services or bulletins that are posted by the makers of commercial security software. </p>
<p>A second way to ensure that you are completely up to date with the latest vulnerabilities and exploits is to monitor the web sites of what I will call &#8216;black market&#8217; organizations who post these vulnerabilities (and oftentimes the corresponding exploit[s]). Sometimes the mission of these web sites is a little unclear; are they trying to help or trying to hurt&#8230;</p>
<p>Here is a list of web sites that may prove beneficial to you in learning about the latest goings-on of the cyber-criminal collective mind:</p>
<p><strong>http://milw0rm.com</strong></p>
<p>Run by a group of &#8220;hacktivists&#8221; best known for penetrating the computers of the Bhabha Atomic Research Center in Mumbai (the primary nuclear research facility of India).</p>
<p>This site is an excellent source for the latest vulnerabilities, complete with corresponding exploits from their 0day exploit database, videos, papers and even shellcode.</p>
<p>Note: the site does have a bit of a habit of disappearing and reappearing.</p>
<p><strong>http://threatpost.com/en_us/category/topics/vulnerabilities</strong></p>
<p>Threatpost (Kaspersky) has a great running list of vulnerabilities.</p>
<p><strong>http://www.securityfocus.com/vulnerabilities</strong></p>
<p>A great list of current vulnerabilities, sponsored by SecurityFocus. The details page for each vulnerability provides excellent info including which versions of what software are vulnerable and CVE tags.</p>
<p><strong>http://web.nvd.nist.gov/view/vuln/search</strong></p>
<p>The National Vulnerability Database, sponsored by the DHS National Cyber Security Division. Another great source of vulnerabilities in database/search form.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jocktoday.com/2010/02/13/black-market-vulnerability-detection/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>How To: Enumerate Directories and Files</title>
		<link>http://www.jocktoday.com/2010/02/12/enumerate-directories-and-files/</link>
		<comments>http://www.jocktoday.com/2010/02/12/enumerate-directories-and-files/#comments</comments>
		<pubDate>Fri, 12 Feb 2010 17:27:21 +0000</pubDate>
		<dc:creator>jpereira</dc:creator>
				<category><![CDATA[How To...]]></category>
		<category><![CDATA[dirbuster]]></category>
		<category><![CDATA[directory]]></category>
		<category><![CDATA[directory enumeration]]></category>
		<category><![CDATA[enumeration]]></category>
		<category><![CDATA[file]]></category>
		<category><![CDATA[google dork]]></category>
		<category><![CDATA[intellitamper]]></category>
		<category><![CDATA[traversal]]></category>
		<category><![CDATA[web archive]]></category>
		<category><![CDATA[web site scanner]]></category>
		<category><![CDATA[webarchive]]></category>

		<guid isPermaLink="false">http://www.jocktoday.com/?p=154</guid>
		<description><![CDATA[How can a pen-tester identify directories and files that are hidden from the public? This is where it gets easy.]]></description>
			<content:encoded><![CDATA[<p>Information gathering is a key component to web application penetration testing. In fact it should be the first phase in any security assessment: cull as much information as possible about your target before you start any specific pen-testing.</p>
<p>One key area of information gathering is understanding the directory structure of a server and enumerating each directory&#8217;s files. This is commonly called &#8220;directory enumeration&#8221; or &#8220;web site scanner&#8221; or sometimes &#8220;directory traversal&#8221;.</p>
<p>One easy way to do this is by viewing a web server&#8217;s directory listing/index. Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file (e.g. index.php) is not present. If a web server has automatic directory listing/indexing turned on then there is a high probability that its administrator[s] are not security conscious. Typically this is turned off.</p>
<p>So then, how can a pen-tester identify directories and files that are hidden from the public? This is where it gets easy. Typically web administrators run on the assumption that if directory listing is turned off and a particular directory is not indexed by search engines that the data will remain hidden. This is not the case.</p>
<p>The following tools are what I consider to be best-of-class for identifying directories and files. Some of the tools are actually methods that can be executed manually and should be used in conjunction with the tools. I have listed these in the order in which I recommend their use. And I recommend using all of them &#8211; as is almost always the case with security testing there is no one single golden tool &#8211; multiple tools must be used for each phase of your security testing. They will produce duplicate results but they will also return their own unique results. To be thorough use each tool described in this list in the order in which they are listed:</p>
<p><strong>1. Google Dork. </strong></p>
<p><strong>Description</strong>: Google has an almost magical way of finding directories, even those that are hidden. You will be surprised by some of the data that Google stores&#8230; you will be at a loss to explain how Google finds your web application&#8217;s hidden directories.</p>
<p><strong>Usage</strong>: Use the simple Google Dork search string: site:yoursite.com and hit enter. The resulting links are specific files and directories that Google has indexed within the yoursite.com domain.</p>
<p>Open a blank spreadsheet and start recording the results. Remember, this is just the information gathering phase of your testing. Do not be tempted to dig in and start testing what you find or you&#8217;ll never complete this all too important phase.</p>
<p><strong>2. The Web Archive (web.archive.org)</strong></p>
<p><strong>Description</strong>: The Internet Archive is a non-profit that was founded to build an Internet library. You can find snapshots of a web site stored monthly going back to (possibly) the month it was launched. What makes the Web Archive useful? Searching through it can help you find directories and files that were indexed in the past but are hidden today.</p>
<p><strong>Usage</strong>: http://web.archive.org/web/*/http://yoursite.com/*</p>
<p>This will return a list of all directories and files that the Web Archive has stored.</p>
<p>Record each new directory/file that is currently active (click the links to ensure the files exist today) in your spreadsheet.</p>
<p><strong>3. The robots.txt file</strong></p>
<p><strong>Description</strong>: Web site administrators use the /robots.txt file to give instructions about their site to web robots such as Microsoft Bing and Google. It works like this: a robot wants to visit a web site URL, say http://www.yoursite.com/welcome.html. Before it does so, it first checks for the existence of /robots.txt to ensure that it should visit that page. In many cases this file will contain specific directories that web robots should not crawl. In essence this file is a double-edged sword; it prevents indexing of directories that should remain hidden but it gives away the names of these directories.</p>
<p><strong>Usage</strong>: Browse to http://www.yoursite.com/robots.txt. Look for specific directories that are disallowed. The format will look like this:</p>
<p>User-agent: *<br />
Disallow: /cgi-bin/</p>
<p>In the example above the web site is telling the web robots to ignore the cgi-bin directory but potentially telling you that this directory exists. There is a caveat here &#8211; some web site administrators will use this file to create a sort of trap door. Knowing that only hackers will attempt to visit such directories they may put in a &#8216;fake&#8217; directory, capture your IP address when you visit it and, perhaps, ban you from the site.</p>
<p><strong>4. OWASP DirBuster</strong></p>
<p><strong>Description</strong>: This is, hands down, my current favorite file/directory enumeration tool. It is light-years beyond any other I have tested. It&#8217;s powerful, highly customizable and blazingly fast. There is a warning here &#8211; it is possible to bring a web server to its knees with DirBuster by bumping up the number of concurrent threads; it supports up to 100.</p>
<p>DirBuster works in a number of different ways. It comes with many default dictionary files (small, medium, large and upper/lowercase) that can be used to perform &#8216;list based brute force&#8217;. However it can also be used in &#8216;pure brute force&#8217; mode where it scans for files and directories using a character set (a-z, A-Z, 0-9, %20-_) with settings for minimum and maximum length.</p>
<p><strong>Usage</strong>: Enter a target URL, select the number of threads, choose the type of scan and click start. DirBuster even gives you an estimated number of hours or days left for each running scan.</p>
<p><strong>5. Intellitamper</strong></p>
<p><strong>Description</strong>: This tool has been kicking around for a while but has not been updated in years. An initial warning: versions of it that include malware/spyware masquerade around on the Internet, so be sure you find yourself a legitimate copy. That being said, Intellitamper should definitely be a part of your enumeration arsenal. Intellitamper uses a dictionary file (like DirBuster) to try to find hidden directories and files.</p>
<p>With some web servers it will return false positives and you will see an enormous list of directories that do not actually exist.</p>
<p>Intellitamper does not perform pure brute force, just list based brute force.</p>
<p><strong>Usage</strong>: Enter the URL and you are good to go.</p>
<p><strong>6. Wikto</strong></p>
<p><strong>Description</strong>: Wikto is a web server assessment tool and it contains a module called back-end miner which is used to enumerate directories and files. Typically this tool does not return a lot of directories but it will surprise you once in a while; it is definitely worth using on a regular basis.</p>
<p><strong>Usage</strong>: Enter a URL and you are off and running.</p>
<p><strong>7. Nikto</strong></p>
<p><strong>Description</strong>: Nikto is the Unix environment cousin to Wikto. If you are running Windows you can use Nikto by installing ActiveState Perl.</p>
<p><strong>Usage</strong>: &#8220;perl nikto.pl -h http://yoursite.com&#8221;</p>
<p><strong>8. Tenable Nessus</strong></p>
<p><strong>Description</strong>: Tenable Nessus is commercial software and it includes a module for directory enumeration. It typically returns far fewer directories than IntelliTamper or DirBuster but it is still worth running this tool each time you want a comprehensive list of directories/files on a web server.</p>
<p><strong>Usage</strong>: Launch, start the Nessus Server and enter the URL.</p>
<p><strong>9. Paros Proxy</strong></p>
<p><strong>Description</strong>: Paros Proxy is a web application security assessment tool. This tool includes a nice spider function that crawls through a web site and creates a pretty comprehensive list of files and directories. This is based on following links and cannot be considered a brute force tool. The tool itself has not been updated since November of 2004.</p>
<p>That being said Paros Proxy should definitely be in your enumeration toolbelt. It is effective and will surprise you with the things it can find.</p>
<p><strong>Usage</strong>: Launch Paros Proxy. Open IE/Firefox and configure a proxy to access the internet. By default the HTTP proxy should be 127.0.0.1 on port 81. Next, browse to the URL. When the URL appears in Paros Proxy select it and choose Analyze/Spider.</p>
<p><strong>10. http-dir-enum</strong></p>
<p><strong>Description</strong>: Last but not least is the Perl script http-dir-enum. This program guesses directory names within a website using a wordlist of potential directory names. It supports Basic Authentication, HTTP Keep-Alive, proxies and cookies, and can save the results in XML format.</p>
<p><strong>Usage</strong>: Install ActiveState Perl. Run this from the command line: &#8220;perl http-dir-enum.pl -f directory-names.txt http://yoursite.com&#8221;</p>
<p>The ten tools described above, when used in conjunction with one another, provide what I believe to be the most comprehensive method of enumerating directories and files.</p>
<p>Do you know of a tool that should have made this list? Let me know!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jocktoday.com/2010/02/12/enumerate-directories-and-files/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
		<item>
		<title>How I Will Hack You &#8211; Part III: &#8216;You&#8217;ll Do What You Do Best&#8217;</title>
		<link>http://www.jocktoday.com/2010/02/08/how-i-will-hack-you-part-iii-youll-do-what-you-do-best/</link>
		<comments>http://www.jocktoday.com/2010/02/08/how-i-will-hack-you-part-iii-youll-do-what-you-do-best/#comments</comments>
		<pubDate>Mon, 08 Feb 2010 17:17:57 +0000</pubDate>
		<dc:creator>jpereira</dc:creator>
				<category><![CDATA[How I will Hack You]]></category>

		<guid isPermaLink="false">http://jocktoday.com/?p=130</guid>
		<description><![CDATA[I have now taken the guess work out of my confidence scheme. I can now deal with you using actual facts.]]></description>
			<content:encoded><![CDATA[<p>I call this next part ‘You’ll Do What You Do Best’. </p>
<p>I have now taken the guesswork out of my confidence scheme. I can now deal with you using actual facts. And I will mask and cover these facts with a thick layer of emotion. You, yes you will give me the keys to Old Gorman’s kingdom.</p>
<p><a href="http://www.jocktoday.com/wp-content/uploads/2010/02/chalkboard.jpg"><img src="http://www.jocktoday.com/wp-content/uploads/2010/02/chalkboard-300x195.jpg" alt="" title="chalkboard" width="300" height="195" class="alignnone size-medium wp-image-150" /></a>The next series of events are easy. And they only take, I would say, a few to several minutes. I call your company, Acme Lead Management Software. ‘How can we help you?’ I’ll let you know and you’ll buy it. Hook. Line. Sinker. </p>
<p>You have a decent PBX system for your customer support which integrates caller-id with your support software. </p>
<p>I utilize a quick and dirty software application that obfuscates and misrepresents my caller-id as coming from Old Gorman’s 800 number. Your customer support application automatically pulls up Gorman Industry &#038; Futures’ customer record.</p>
<p>“Look this is Kent at Gorman Industries, glad to get you on the phone – I have a situation and I need some help, quick.”</p>
<p>You may reply: “Ok Kent, give me a second while I review your account. How are you today?”</p>
<p>While you type away I set the stage: “Not good at all. My boss, Mr. Gorman, needs two reports out of your system and he needs them before 9:00am or I am in some real trouble. And.. I have called like 5 times this morning and kept getting put on hold. What is wrong with your phone system!!!”</p>
<p>&#8220;Wow, my apologies Kent, I will notify my manager as soon as we end this call. So&#8230; now.. let me help you get what you need&#8221;.</p>
<p>I respond, &#8220;much appreciated &#8211; if you can help me here I will be your company&#8217;s number one fan again&#8221;.</p>
<p>I call this next part &#8216;Endgame: DEFCON 5 for you my friend.&#8217; (coming soon)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jocktoday.com/2010/02/08/how-i-will-hack-you-part-iii-youll-do-what-you-do-best/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How I Will Hack You &#8211; Part II: &#8216;Thanks For The Info&#8217;</title>
		<link>http://www.jocktoday.com/2010/02/08/how-i-will-hack-you-part-ii-thanks-for-the-info/</link>
		<comments>http://www.jocktoday.com/2010/02/08/how-i-will-hack-you-part-ii-thanks-for-the-info/#comments</comments>
		<pubDate>Mon, 08 Feb 2010 17:15:25 +0000</pubDate>
		<dc:creator>jpereira</dc:creator>
				<category><![CDATA[How I will Hack You]]></category>

		<guid isPermaLink="false">http://jocktoday.com/?p=128</guid>
		<description><![CDATA[I know Old Gorman, his employee kitchen, his financials, his employees, his products, his vendors. To be blunt I own Old Gorman.]]></description>
			<content:encoded><![CDATA[<p>I call this next part ‘Thanks For The Info’.</p>
<p>I know Old Gorman, his employee kitchen, his financials, his employees, his products, his vendors. To be blunt I own Old Gorman. And I didn’t have to leave my expensive leather chair and the view overlooking the Oslo central train station, Oslo Sentralstasjon. Most would not consider the view to be much but to me it might as well be a panorama of the Greek Isles. Anyhow, back on point.</p>
<p>I need to be able to convince you (read: con) into thinking I work for Old Gorman. Therefore I need to learn about your business and your employees in order to sound believable. Within minutes I fingerprint your business using tools such as Paterva Maltego, culling, cross-referencing and learning about many of your employees, job titles, personal email addresses. Heh, Kent Richardson has a profile on LinkedIn that gives away his Yahoo email address. There is a good chance that this is his login name since your login page states that the username is your email address. Either that or it’s kent.richardson@&#8230;<br />
Among many other finds, I locate a short 30 second commercial on Old Gorman’s website showcasing his winter specials. I download this. I think it could be useful.</p>
<p>I call this next part ‘You’ll Do What You Do Best’. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.jocktoday.com/2010/02/08/how-i-will-hack-you-part-ii-thanks-for-the-info/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How I Will Hack You &#8211; Part I: &#8216;The Disturbed Customer&#8217;</title>
		<link>http://www.jocktoday.com/2010/02/08/how-i-will-hack-you-part-i-the-disturbed-customer/</link>
		<comments>http://www.jocktoday.com/2010/02/08/how-i-will-hack-you-part-i-the-disturbed-customer/#comments</comments>
		<pubDate>Mon, 08 Feb 2010 17:05:27 +0000</pubDate>
		<dc:creator>jpereira</dc:creator>
				<category><![CDATA[How I will Hack You]]></category>

		<guid isPermaLink="false">http://jocktoday.com/?p=122</guid>
		<description><![CDATA[I am in the trust business. Gaining it dishonestly that is. Sort of a conundrum, gaining trust dishonestly, huh?]]></description>
			<content:encoded><![CDATA[<p>I am upset. </p>
<p>Not terribly &#8211; not yet, that is. </p>
<p>But I pay a large sum each month to your business, Acme Lead Management Software; I usually enjoy using your product but today I think I will be frustrated. </p>
<p>See, the problem is that I, Kent Richardson, normally arrive to my office, Gorman Industry &#038; Futures, by 7:45am, throw my coat across my seat and go to turn on that new jamocha maker we recently bought. Old Gorman is, to be sure, a grumpy boss but he listens to his employees when they complain sufficiently.</p>
<p><a href="http://jocktoday.com/wp-content/uploads/2010/02/coff.png"><img src="http://jocktoday.com/wp-content/uploads/2010/02/coff-171x300.png" alt="" title="coff" width="171" height="300" class="alignnone size-medium wp-image-124" /></a>I quickly ensconce to my office to enjoy the thirty or so minutes of quiet before the harum-scarum atmosphere swallows my peaceful morning. I have work to get done. Having worked here for 15 years I am second or third in command. This depends upon the day, sometimes the hour. Gorman is past retirement age but shows no signs of slowing down. That being said he plans to retire in three months. Yesterday Gorman himself asked me to personally handle a few special matters for the company.</p>
<p>The first involves hopping on the internet and logging into your web application. I need to generate two reports, download them and produce a singular sales projection for the next quarter.</p>
<p>From memory I enter my username and password and click ‘Submit’. Strange, the application does not load. Instead, an error message appears, ‘Your Username or Password is Incorrect, please try again’. I try again with the same result. This is a problem.</p>
<p>But there is a bigger problem.</p>
<p>I am not Kent Richardson and I am only warming up. I have done my research. Old Gorman exists. His son-in-law is second or third in command. He married Old Gorman’s daughter 10 years ago after working at the company five years. There is a jamocha maker. I know they bought one but I have never seen it. So this is my own interpretation of what it should look like. I like the metal spikes on it. That’s just me. There is no peaceful morning, especially for you. There are no reports that require immediate attention. There is no ‘next quarter’ projection to work up.</p>
<p>I am in the trust business.</p>
<p>Gaining it dishonestly that is. Sort of a conundrum, gaining trust dishonestly, huh? But don’t think about that too long or else you will miss the confidence scheme I am about to pull off. </p>
<p>Flawlessly I might add.</p>
<p>I call this next part ‘Thanks For The Info’.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.jocktoday.com/2010/02/08/how-i-will-hack-you-part-i-the-disturbed-customer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
