Burp Suite has been my favorite web app testing tool for a while and seems like it keeps getting better with age & updates. Typically, I have avoided using other tools to parse the Burp output (xml) because most of what we report comes from manual testing. Somewhat recently, I started using extensions to add the manual testing results to Burp and thus it made sense to write a script to parse Burp xml output. Say hello to “breathmint”.
Having a vulnerability management tool like Tenable Security Center is great. They offer a lot of functionality to analyze, track, and report on the current and past state of systems in the environment. But sometimes that’s overkill. Sometimes you want something quick and easy. Hence we wrote a quick little python script that parses one or more .nessus files and produces a spreadsheet (Excel format). There are five worksheets in the workbook output file:
For a period of time, it was possible to read snippets of memory on a screen-locked mac OS system from the USB port.
A while back we noticed some interesting files created by macOS when inserting a USB drive. These files were related to Spotlight, macOS’s built-in search functionality which indexes and enables searching of files on the system, among other things. The presence of the files is fairly standard, as an invisible /Volumes/<Volume Name>/.Spotlight-V100/ directory are added to every USB drive inserted into a macOS system when Spotlight indexes the files on that drive. However, while analyzing some of the file contents, it appeared that content from several emails (subject lines, email addresses, snippets of message contents) was stored among this data, specifically in the .store.db file which serves as Spotlight’s metadata store. This was alarming as this email data had never been purposely stored on that USB drive. The implications were obviously pretty big. Sensitive data from a macOS system could be inadvertently leaked to a removable USB drive by the OS and potentially exposed without a user’s knowledge.
In addition to the previously mentioned Nmap script, GuestStealer has now made its way into a [Nessus plugin] (http://www.nessus.org/plugins/index.php?view=single&id=44646) and a Metasploit module. Nessus Plugin 44646 was released by Tenable a few weeks ago and the Metasploit module was pushed up to the trunk last week.
GuestStealer has been mentioned in several articles and blog posts recently, including [DarkReading – Tech Insight: Securing The Virtualized Server Environment] (https://www.darkreading.com/tech-insight-securing-the-virtualized-server-environment/d/d-id/1132946) and The Hacker News Network. While most have been accurate, several early blogs stated that GuestStealer used a cross site scripting attack to steal the guests. So to clarify and avoid any confusion, GuestStealer exploits the directory traversal vulnerability described in [CVE-2009-3733] (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3733). For further information, check out the [presentation slides] (https://www.slideshare.net/mascasa/shmoocon-2010-stealing-guests-the-vmware-way).
Justin and I will be on the [Security Weekly] (https://wiki.securityweekly.com/Episode187) podcast tonight to discuss the latest developments with GuestStealer and the Smart Grid book. For more information, check out tonight’s episode guide and join the live discussion tonight.
Also, GuestStealer v1.1 is now available for download. This is a bug fix release that improves the error handling and prevention of downloading the same vmdk file twice (when that vmdk self-references itself). Thanks to the efforts by Ron at [Skull Security] (https://blog.skullsecurity.org/), the new version is available on the [tools page] (https://www.fyrmassociates.com/tools/).
I will be giving a presentation on XAB (Cross Site Scripting Anonymous Browser) at the University of South Florida’s Whitehatters Computer Security Club’s next meeting on January 29th at 5:00PM. If you are a student at USF interested in learning about computer security, I highly encourage you to get involved with the club. See you there!
A new release of XAB, the framework that allows one to browse the web via XSS has been updated. This release will now accommodate all content-types, thus allowing any file format to be transferred through the framework. The latest release can be found at sourceforge: [xab.sourceforge.net] (https://sourceforge.net/projects/xab/).
We’re seeking volunteers to help out with development. We’d like to take this from a small research project to a community driven effort to expand the possibilities of what can be done with XSS.
I will be giving an update on XAB (Cross Site Scripting Anonymous Browser) with Jeff Yestrumskas at the OWASP DC Chapter’s next meeting on September 2 at 6:30PM. More details can be found [here] (http://www.owasp.org/index.php/Washington_DC). See you there!
