Forensic Challenge 2010

Challenge 1 - pcap attack trace - (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack. Send submissions (please use the MS Word submission template or the OpenOffice submission template) to forensicchallenge2010@honeynet.org no later than 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.

Skill Level: Intermediate

The Challenge:
A network trace with attack data is provided. (Note that the IP address of the victim has been changed to hide the true location.) Analyze and answer the following questions:

1. Which systems (i.e. IP addresses) are involved? (2pts)
2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
3. How many TCP sessions are contained in the dump file? (2pts)
4. How long did it take to perform the attack? (2pts)
5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
7. What specific vulnerability was attacked? (2pts)
8. What actions does the shellcode perform? Please list the shellcode. (8pts)
9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
10. Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
11. Do you think this is a manual or an automated attack? Why? (2pts)

Download:
attack-trace.pcap_.gz SHA1: 0f5ddab19034b2656ec316875b527d9bff1f035f

- In your thoughts I make out a valley of tears that disappears yet exists
- Touch my face and listen to me seated, listen to my pain.
- Pain?
- I prefer to feel safe listening to the hint of a sound that makes me live
- Do you mean the terrible, so empty sound of the breeze, or of the moments when the shadows awaken?
- The final silence, the silence of pain
- If you are mistaken, you are confused

http://bit.ly/8bshsn

miguel | music, lyrics | 13 December 09 | Comment on this

You have all wept once more... why? I would never ask for such. Go. I have realized for once in my existence my true happiness. This is a first time for me... I feel innocent, caring, and non-threatening.

Reincarnation for a better life... becoming one with true harmony. No gods have caressed or burned me, only nature is willing to comfort me. Salvation is dead and all of you have passed away with me today. I will never have to entertain or please any of you ever again. I am alive.

My memory is the only thing keeping the old tears in my eyes.

I still know that all of you are taking for the sake of not leaving. You are killing the innocent for your so-called nutrition. You are infecting our lands with your filth. You are killing for the sake of your promotions in life.

One day we will all be in this soil... with no gods to slave to, and no heroes to kill for.

miguel | general, music | 25 November 09 | Comment on this

There is a flaw in the content handling of the Opera and Google Chrome browsers. A remote attacker could exploit it to execute arbitrary JavaScript through a link that returns a MIME type of "text/xml", "text/atom-xml" or "text/rss-xml" with JavaScript embedded in the document: instead of treating such a response as inert data, these browsers process it (through their built-in Atom/RSS reader, per the proof of concept linked below) and the embedded script runs in the browser.

A browser's content handler should check what kind of data it is about to display and enable or disable functionality depending on that type; for example, it would make no sense for a browser to execute JavaScript when it fetches a file whose server-declared MIME type is "image/jpeg", since in theory no JavaScript should exist in a file of that format. The same rule applies to feed documents: the declared type decides how the response is handled, and anything inside the feed is untrusted content, not code to run.

Google has already fixed this vulnerability and released a patch for version 3, which is applied through Chrome's own update mechanism.

At the time of writing Opera has neither released an update nor officially acknowledged the vulnerability on its site, but its development and security teams are reportedly working on a fix.
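An added example, not code from the original post or from Hispasec, Google or Opera, showing the check the paragraphs above call for on the reader's side: a feed preview that decides from the declared Content-Type alone whether to treat a response as a feed (never by sniffing the body) and escapes every entry field before rendering, with a naive renderer alongside that injects decoded entry content as markup and so lets an embedded script through. The sample feed, the MIME type list and every function name are this example's own constructions.

```javascript
// Added example (not the original post's code, nor Hispasec's, Google's or
// Opera's). A dependency-free Atom/RSS preview renderer that:
//  1. trusts only the declared Content-Type to decide whether a response is
//     a feed (no body sniffing), and
//  2. treats every entry field as untrusted text, so markup carried inside a
//     feed entry is displayed, never parsed or executed.
// All names below are this example's own; the feed at the bottom is constructed.

// Media types this reader is willing to treat as a feed (example list).
const FEED_MIME_TYPES = new Set([
  "application/atom+xml",
  "application/rss+xml",
  "application/xml",
  "text/xml",
  "text/atom-xml",
  "text/rss-xml",
]);

// Return the normalised media type if the header declares a feed type,
// otherwise null. Parameters such as "; charset=utf-8" are ignored.
function feedMediaType(contentTypeHeader) {
  const mime = String(contentTypeHeader || "").split(";")[0].trim().toLowerCase();
  return FEED_MIME_TYPES.has(mime) ? mime : null;
}

// Undo the CDATA wrappers and XML entities a feed uses to carry markup, so we
// see the payload exactly as a feed reader would after parsing the XML.
function decodeXmlText(raw) {
  const unwrapped = raw.replace(/<!\[CDATA\[([\s\S]*?)\]\]>/g, "$1");
  return unwrapped
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&apos;/g, "'")
    .replace(/&amp;/g, "&"); // last, so "&amp;lt;" decodes to "&lt;" only once
}

// Escape text for insertion into HTML so it is shown, never interpreted.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Extract <entry> (Atom) or <item> (RSS) elements with their title and body.
function extractEntries(feedXml) {
  const entries = [];
  const entryRe = /<(entry|item)\b[^>]*>([\s\S]*?)<\/\1>/g;
  let m;
  while ((m = entryRe.exec(feedXml)) !== null) {
    const body = m[2];
    const field = (name) => {
      const r = new RegExp(`<${name}\\b[^>]*>([\\s\\S]*?)<\\/${name}>`).exec(body);
      return r ? decodeXmlText(r[1]) : "";
    };
    entries.push({
      title: field("title"),
      content: field("content") || field("description") || field("summary"),
    });
  }
  return entries;
}

// The mistake the advisory describes, reduced to its essence: decoded entry
// content is concatenated into the page as live markup.
function renderFeedPreviewNaive(contentTypeHeader, body) {
  if (!feedMediaType(contentTypeHeader)) return null;
  const items = extractEntries(body).map((e) => `<li><b>${e.title}</b><p>${e.content}</p></li>`);
  return `<ul>${items.join("")}</ul>`;
}

// Hardened version: returns null for anything not declared as a feed (the
// caller falls through to its normal handling rather than guessing), and
// every field passes through escapeHtml, so a <script> element inside an
// entry becomes visible text instead of executing.
function renderFeedPreview(contentTypeHeader, body) {
  if (!feedMediaType(contentTypeHeader)) return null;
  const items = extractEntries(body).map(
    (e) => `<li><b>${escapeHtml(e.title)}</b><p>${escapeHtml(e.content)}</p></li>`
  );
  return `<ul>${items.join("")}</ul>`;
}

// Constructed sample feed: one entry carries script as entity-escaped HTML,
// the other as CDATA, the two ways a feed can smuggle markup into a reader.
const SAMPLE_FEED = `<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>constructed feed</title>
  <entry>
    <title>entity-escaped</title>
    <content type="html">&lt;script&gt;alert(1)&lt;/script&gt;hello</content>
  </entry>
  <entry>
    <title>cdata</title>
    <content type="html"><![CDATA[<img src=x onerror="alert(2)">bye]]></content>
  </entry>
</feed>`;

console.log("naive   :", renderFeedPreviewNaive("text/atom-xml", SAMPLE_FEED));
console.log("hardened:", renderFeedPreview("text/atom-xml", SAMPLE_FEED));
console.log("not a feed:", renderFeedPreview("text/html", SAMPLE_FEED));
```

Run it with `node` and compare the two outputs: the naive preview contains a literal `<script>` and an `<img onerror=...>` tag that a page would execute, while the hardened one contains only `&lt;script&gt;` text. Note that the hardened renderer gives up all formatting in feed content; a reader that wants to keep safe HTML (paragraphs, links) needs a real HTML parser with an allow-list, not regexes.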

Proof of concept: http://securethoughts.com/2009/09/exploiting-chrome-and-operas-inbuilt-atomrss-reader-with-script-execution-and-more/

Chrome advisory: http://googlechromereleases.blogspot.com/2009/09/stable-channel-update.html

Opera advisories site: http://www.opera.com/support/kb/advisory/page1/

Source: Hispasec

miguel | music | 19 August 09 | Comment on this
