Matcha's Security Blog

HDRI photos are get into the news in geek in japan.

2008-04-06T11:20:00.000-07:00

@takesako who is popular engineer in japan.
he start HDRI photosHigh dynamic range imaging few days ago.

HDRI photos are composite photograph with changing 2-4 leaves of photos iris.
you can see HDRI detail at wikipedia.

I create few leaves of HDRI photos.
SAKURA with blue sky.

SAKURA

and SAKURA SAKURA SAKURA :-)

Spring has come to kyoto and cherry blossomed!!!

2008-04-06T10:57:00.000-07:00

Spring has come! every spring Japanese love to see cherry blossomed.
cherry blossomed flower are very short life like 1week.
and gone like flower shower.

these cherry blossomed compared to human life.

Anyway this year's Cherry is so beautiful.
Blue sky and pink flower and white flower shower.
We love SAKURA!

SAKURA with Blue sky

Dandelion and Cherry Blossom

Trendmicro Virus Infomation pages are Hacked(falsificated).

2008-03-12T00:31:00.001-07:00

Trendmicro Virus information page was modified by hacker.
And they insert <iframe> tags to download malware.

JS_DLOADER.TZE is the malware which download from falsificated pages.
Anti virus vendor spread malware...really?!

Virus infomation on these are falsificated virus infomation pages.

Trendmicro US does not release News anything.
There is Japanese release News page(see google translated page Below )
http://translate.google.com/translate?u=http%3A%2F%2Fjp.trendmicro.com%2Fjp%2Fabout%2Fnotice%2F0312%2Findex.html&langpair=ja%7Cen&hl=ja&ie=UTF8

English virus infomation pages.

ADWARE_BHO_WEBDIR
ADWARE_BHO_WSTART
HKTL_MDBEXP.A
POSSIBLE_OTORUN3
SPYWARE_TRAK_RADMIN
TROJ_ARTIEF-1
TROJ_CLAGGER.D
TSPY_BANKER-2.002
TSPY_BANKRYPT.N
TSPY_GAMANIA.CI
TSPY_GOLDUN.GEN
TSPY_LINEAGE
TSPY_ONLINEG.DAU
TSPY_ONLINEG.OAX
TSPY_ONLINEG.OAX
TSPY_QQPASS
TSPY_SDBOT.BTI
W97M_DLOADER.BKV
WORM_IRCBOT.JK
WORM_NYXEM.E
WORM_SOBER.AG

Japanese virus infomation pages.

ADW_BRUNME.A
ADW_ZANGO.A
ADWARE_ADBLASTER
ADWARE_EXACTADVERTISING
ADWARE_EZULA.ILOOKUP
TSPY_AGENT.HS
TSPY_ANICMOO
TSPY_GOLDUN.GEN
TSPY_HUPIGON.ZY
TSPY_Lmir TSPY_Tiny

Cross Site Scripting(XSS) Challenges by yamagata21h

2008-01-31T22:49:00.000-08:00

Japanese IT Security technical expert yamagata21h has made Cross Site Scripting(XSS) challenging site.
-> http://xss-quiz.int21h.jp/

Yamagata21h is Japanese famous technical Security expert.
Yamagata21h was impressed by "XSS Workshop" http://blogged-on.de/xss/.

This page was written by yamagata21, inspired by http://blogged-on.de/xss/.

but "XSS Workshop" is not so covering various of type of XSS he said.
so yamagata21h makes "XSS Challenges" him self.

Please Challenge it!!!
if you interesting on Development Security.
and feed back yamagata21h more XSS question if you have.
http://xss-quiz.int21h.jp/

[security] Microsoft Security Advisory (945713) can open arbitrary pages.

2007-12-28T13:09:00.000-08:00

In Microsoft Security Advisory (945713): Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure.
They said that "man-in-the-middle attacks" is threat. but is this vulnerability is realy only man-in-the-middle???

What causes this threat?
A malicious user could host a WPAD server, potentially establishing it as a proxy server to conduct man-in-the-middle attacks against customers whose domains are registered as a subdomain to a second-level domain (SLD). For customers with a primary DNS suffix configured, the DNS resolver in Windows will attempt to resolve an unqualified “wpad” hostname using each sub-domain in the DNS suffix until a second-level domain is reached. For example, if the DNS suffix is corp.contoso.co.us and an attempt is made to resolve an unqualified hostname of wpad, the DNS resolver will try wpad.corp.contoso.co.us. If that is not found, it will try, via DNS devolution, to resolve wpad.contoso.co.us. If that is not found, it will try to resolve wpad.co.us, which is outside of the contoso.co.us domain.

I verify using malicious proxy.pac(wpad.dat) to open arbitrary malicious pages as real pages.

For Example put proxy.pac as below.

function FindProxyForURL(url,host)
{
return "PROXY www.yahoo.co.jp:80";
}

By setting in Internet Explorer 6.
sorry for Japanese version of IE.
The setting file is located in local disk for convenience.
(but no matter for putting in wpad.consolto.co.us.)

And then browse "http://www.microsoft.com/".
but shown "http://www.yahoo.co.jp/".
(Look at the URL of browser.)

Next how about FireFox2.
sorry for Japanese version of FireFox.
The setting file is located in local disk for convenience.
(but no matter for putting in wpad.consolto.co.us.)

And then browse "http://www.microsoft.com/".
Again but shown "http://www.yahoo.co.jp/".
(Look at the URL of browser.)

This is "by design" of proxy.pac. And hijacking of wpad(or proxy.pac) can open arbitrary malicious pages.
Not only man-in-the-middle attack.
take care your self! :-)

Cross site scripting in year 2007.(Blog by Hasegawa Yosuke)

2007-12-25T12:09:00.000-08:00

Hasegawa yosuke wrote about Cross site scripting in Year 2007.
ripjyr translate this post to English.
Original post is http://d.hatena.ne.jp/hasegawayosuke/20071226/p1 (Japanese)
-----
I wrote about XSS(Cross site scripting) I found in year 2007.
someone wrote "hasegawa cut to write Blog :-)" someplace.
I didn't cut to write blog ,but noting to write.....
so I force look back XSS in year 2007 :-)

below are XSS found on a famous site I found.

XSS in National Institute of Advanced Industrial Science and Technology (AIST)

UTF-7 XSS was enabled because charset was not set in 404 response page.
Session Cookie can stolen if already logined
Reported:2007/04/16
Fixed:2007/05/16

XSS in sourceforge.jp

UTF-7 XSS was enabled because charset was not set in 404 response page.
Session Cookie can stolen if already logined
Reported:2007/04/16
Fixed:2007/05/16

XSS in IBM search page.

UTF-7 XSS was enabled because HTML character encoding as MS932 can use if specify like "&cs=MS932" in the query on IBM search page.
Reported:2007/04/19
Fixed:2007/08/30

XSS in MizuhoBank

UTF-7 XSS was enabled because HTML character encoding as jis can use if specify like "&oe=jis" in the query on MizuhoBank search page.
Reported:2007/04/26
Fixed:2007/12/25

XSS in F5 Networks search page

XSS was enabled Search page in F5 Networks.
Query like below.
http://www.f5networks.co.jp/cgi-bin/search/search.pl?query=abcd%22onload=%22alert(document.location)%22%20
Reported:2007/07/31
Fixed:2007/10/29

XSS in Oracle search page

"%22" was not escaped so XSS was enabled in search page at oracle.co.jp.
Reported:2007/08/28
Fixed:2007/09/21

XSS in METI Ministry of Economy, Trade and Industry

UTF-7 XSS was enabled because charset was not set in www.meti.go.jp pages.
Reported:2007/10/10
Fixed:2007/12/05

XSS in MIAU(Movements for Internet Active Users)

XSS was enabled at Subscription in MIAU Mail magazines page, Query like below.
http://miau.jp/miaumailmagsubmit.phtml?miaumgreg=test%40example.com%22%20style=%22xss%3aexpression(alert(1))&userevent=mag-reg
Reported:2007/10/24
Fixed:2007/10/31

Shown fake information considerable threat by XSS was already easily found in co.jp(like .com) or go.jp(like .gov).
So take care of yourself(who take cares and what cares :-)

Especially XSS in Image file , I contact IPA(INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN) and Microsoft contacts I knew for three years...
Though a considerable communication was done but every time finally said "by specification"....;-<
I wish to be fixed XSSed(not still fixed) pages here and there in 2008 :-)
Then, everybody have a good holidays.

[SECURITY]Hospital biohazard! (Computer) virus spread in hospital.

2007-09-25T18:01:00.000-07:00

FUJAX virus kills hospital of Chiba national university network. (http://www.ho.chiba-u.ac.jp/)
http://mytown.asahi.com/chiba/news.php?k_id=12000000709130001
Asahi newspaper said that Sep 5 virus spread into network.
And then confusion occurs in hospital.
Can't see last examination record.
Can't account the examination.

Hospital of Chiba University decides shutdown Web browsing and E-mail.
And so on still shutting down web browsing and E-mail until today (September 26).
Virus was Newly discovered virus and not detected by anti-virus software.

Discovered virus was newly appeared in china in February.
Perhaps, it is thought as newly appeared type of FUJAX.
Infected route was web browsing.
Hospital staff searching Internet for chart of human body, they infected at site in china.

Hospital will recover network on end of September. But not recover yet (September 26).
Is this incident one of bio? (Non-bio?) Hazard??? YES!!!
Computer virus spread in hospital and shut hospital system down…

Finally F-Secure Blog to be Weblog2.0 :-p

2007-09-16T14:26:00.000-07:00

F-Secure Blog to be Weblog2.0!!! they are changing!!!

Here is F-Secure Weblog2.0
-> http://www.f-secure.com/weblog/archives/00001276.html

and this is still Weblog1.0
-> http://www.f-secure.com/weblog/archives/archive-092007.html#00001276

What is deference between Weblog2.0 and Weblog1.0???
Only Permanent link ware made?

We'll update the indexes next week. In the meantime, please provide your feedback.

I thought only two things about F-Secure Weblog2.0.

Please set indivisual Page title to posted title.
this became weblog or bookmark seen very easily.
Please set category or label of posts.
this became post seen clearly.

please Hold out, We will expecting you!

(18 Sep 2007 update post)
F-Secure recieve my feedbacks!!!
1 - We will be adjusting the individual Page Titles soon.
2 - We'll investigate the option.

I went to eat the French cuisine after a long time.

2007-07-23T01:45:00.000-07:00

Ordovl

Potage of season

meat cookery

dessert

[Security] Is it now the time to talk about UTF-7? by yosuke.hasegawa in webappsec.jp

2007-07-22T21:31:00.000-07:00

This story is wrtten by hasegawa.yosuke in webappsec.jp(Japanese only blog).

It is thought that XSS using UTF-7 is occurs when charset is not specified. However, this is a biggest mistake in Internet Explorer.
Accurately, XSS occurs when not specified charset,Internet Explorer can recognized charset. Even if charset has been added, XSS is occurs when a character encoding name cannot be recognized by Internet Explorer.

For example,IE cannot correctly recognize the character encoding name to following HTML. Therefore, it is interpreted from the content of HTML as UTF-7 and the script runs. The string "utf8" in charset is not correct charset(hyphen comes off) but used commonly as "UTF-8".

<html>
<head>
<meta http-equiv="Content-Type"
content="text/html;
charset=utf8">
</head>
<body>
+ADw-script+AD4-alert(document.location)+ADsAPA-/script+AD4-
</body>
</html>

The list of the character encoding name to be able to distinguish IE correctly is being defined in registry at "HKCR\MIME\Database\charset".The attecker could occur XSS by combining with CVE-2007-1114 if Web Application send these character encoding name.

In the character encoding names tend to be,at the Web application in Japan,other than "utf8" example above, and the character encoding name to which IE cannot be recognized is as follows.

jis
Expression of ISO-2022-JP used commonly
MS932 / CP932 /
CP942C
Similar encoding of Shift_JIS in
Java
Windows-31J
IANA formal registration name of code page
932 used with Windows.

I think this cannot be recognized IE is bad no matter how
it thinks.
Sometimes it seen the character encoding is not only hard-coded on the Web application but the character encoding can be specified from the outside according to the parameter like below.

http://example.com/?q=abcd&charset=euc-jp

It is like converting it's character encoding according to the parameter not only is interpreted according to the specified character encoding but also the output is parameter character encoding specified.When the character encoding name such as CP932 ,above-mentioned , is allowed, XSS will be occured in such kind of Web application.

http://example.com/?q=%2BADw-script%2BAD4-alert%28document.location%29ADsAPA-/script%2BAD4-&charset=CP932

Use character encoding name without the problem such as "Shift_jis" or "UTF-8" in error pages or all pages, let's bear it in mind.

Good News.

When I(hasegawa) have submitted Microsoft as a demand of the improvement of the specification of Internet Explorer (*1), the answer was wanting i(hasegawa) to report as a vulnerability report again. Then, when reported again as a c, I got the following answers (excerpt summary).

This phenomenon is same as the content that is already public, and our
company(Microsoft) judges it is vulnerability of Internet Explorer. Our company
recognizes that the modify of this phenomenon is necessary, and is examining the
modification now.

The future, IE will be corrected to the direction to decrease.where the situation of XSS generation like the above-mentioned. It was indeed unexpected.because i(hasegawa) had not been thought that Microsoft judged such behavior of IE as a vulnerability.

*1:I(hasegawa) was thought that it did not apply to the definition of "Security vulnerability" that Microsoft meant, and assumed the demand of the specification improvement.

[Security] APOP for POP3 Mail receives protocol is now vulnerabile.

2007-04-19T09:29:00.000-07:00

JPCERT/CC and IPA(INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN) reports APOP encrypted password decrypted vulnerability.

APOP is a protocol for authentication for POP3.
APOP uses md5 hash to check password.
hash protocol MD5 has collision for his hash.
If APOP hash tapped and stolen hashes, a malicious person might decipher it.

This problem causes from MD5 collision not only APOP.
but also If system uses MD5 same problem occurs.

------
http://d.hatena.ne.jp/shikap/20070419#p1)shikap said that

Almost everyone is uses POP, and APOP are only encrypting only password.
But receiving mail is still plaintext in POP protcol.

On this occasion, you might be shift to "POP over SSL".

Link
Practical Password Recovery on an MD5 Challenge-Response such as APOP (pdf) (FSE2007 )
Extended APOP Password Recovery Attack (pdf) (FSE2007 )

Ichitaro Zero-Day Exploit and Targeted Attack was Available.

2007-04-10T08:07:00.000-07:00

Japanese famous word processing software Ichitaro’s Zero-Day Targeted Attack is now in wild.
10 Apr Justsystems has released Ichitaropatch of Zero-Day Vulnerabilities.

What is Ichitaro?
In Japan Ichitaro is most famous word processing software from 1985 to 1995.
18 million Ichitaro was shipped. (from Justsystems Page)
In 1990’s Ichitaro was famous software according to called as word processor.
A lot of government office uses Ichitaro in there office.
Recently, Ichitaro is replacing Microsoft Word. But Ichitaro is still using in government.
And there official documents.

Why Zero-Day Targeted Attack.
According to most famous word processor in government in Japan Ichitaro is a target of Targeted attack.

And more Ichitaro does not have automatic update for them.
You should download security patch and fix it one by one.
If patch has released but most all of Ichitaro does not patched for long time.
Like Blaster worm in Aug 2003 and Microsoft.
After Blaster worm Microsoft has released automatic update (Windows Update).

I think Justsytem must have be release automatic update to there software.

A similar weakness of Ichitaro and targeted attack was in wild at Aug 2006.
This is second time to Justsystem.

Cherry 100% blossomed in Kyoto!

2007-04-08T20:22:00.000-07:00

Cherrey blossoms in Kyoto!!!
A lot of travelers in kyoto. for seeing cherry blossom.

Kissho-in Tenman-gu

Near Kamo-River

Cherry blossomed but yesterday was rainy day.

2007-04-07T15:29:00.000-07:00

Oh...rainy day...cherry flower falls.

This photo was taken 05 April.

Windows 2003 Server Service Pack2 Japanese Edition probrem on using icacls.exe.

2007-04-04T17:30:00.000-07:00

On post in hotfix.jp, Windows 2003 Server SP2 Japanese Edition has little problem...
http://bbs.hotfix.jp/ShowPost.aspx?PostID=6624 (Japanese Only)

Uchikoshi as Hotfix.jp Staff said that

"icacls.exe" can't run in Windows 2003 Server SP2 Japanese edition.
(Both Windows Server 2003 Standard Edition+SP2 and Windows Server 2003 Enterprise Edition＋SP2)
Running icacls.exe ,some unknown word output on cmd.exe.
But nothing happen...
---
C:\>icacls.exe
ICACLS <
C:\>
---
Windows 2003 Server SP2 English Edition of icacls.exe done well.
Running English “icacls.exe” on Windows 2003 Server SP2 Japanese Edition done
well.
(Of course help messages or display messages are English)

gentoo post below

Add “_tsetlocale( LC_ALL, _T( ".OCP" ) ); “ to Japanese “icacls.exe” binary
code will shown pretty good.
Thus maybe “icacls.exe” file forgotten LOCALE setting…

Maybe Windows 2003 Server 2003 SP2 Japanese Edition will Re release again...

I also post at here
http://www.dozleng.com/updates/index.php?showtopic=13856

Cherry Blossomed!!! at kyoto Japan,

2007-04-01T14:38:00.000-07:00

Cherry Blossomed!!! a little...

20% - 50% of flower has blossomed.
these are picture of cherry.

You can't filter .ANI by URLs. Microsoft Animated Cursor vulnerability.

2007-03-30T14:27:00.000-07:00

There are Windows Animated Cursor exploit(Microsoft Security Advisory 935423) is now wild.
In some japanese security proffessionals has some hypothesis...

http://bakera.jp/hatomaru.aspx/ebi/topic/2833 (Japanese Only)
http://d.hatena.ne.jp/hasegawayosuke/20070330/p2 (Japanese Only)

Exploit with CSS(Cascading Style Sheets) Animated Cursor properties.

************************************************
THIS IS NOT PROOFED VERIFICATED. BUT POSSIBILITY IDEA.
************************************************
In "cursor properties" in CSS can use .ani file from anywhare .
Like this

<body style="cursor: url('http://example.com/cursor.ani')">

Internet Explorer shows contents NOT filename extention but file's contents.
Microsoft said "This is by design of Internet Explorer".

If .ANI file with faked filename extention URL, but IE shows .ani contents.

cursor: url(http://example.com/virus.txt);

In this case URL is virus.txt not xxx.ani or xxx.cur, so you can't filter by URL.

So only SANS detection rule can detect this exploit.
Use this to detect Animated Cursor's Exploit....

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:”BLEEDING-EDGE CURRENT EVENTS MS ANI exploit”; flow:established,from_server; content:”|54 53 49 4C 03 00 00 00 00 00 00 00 54 53 49 4C 04 00 00 00 02 02 02 02 61 6E 69 68 52|”; classtype:attempted-admin; reference:url,http://isc.sans.org/diary.html?storyid=2534; reference:url,http://www.avertlabs.com/research/blog/?p=233; reference:url,doc.bleedingthreats.net/2003519; sid:2003519; rev:1;)

Cherry blossomed a little....

2007-03-29T18:28:00.000-07:00

Tokyo cherry blossomed.but kyoto is not.
it blossomed next weekend.

it like cherry blossoms on Potomac river in washingon DC.

Japanese SOBA noodle(Not security blog)

2007-03-28T13:27:00.000-07:00

I love Japanese Soba noodle!

Tofu from soba.

Spring has soon comes....(Not Security Blog)

2007-03-28T13:19:00.000-07:00

Spring soon come to Japan. but not yet!

picture Below is Cherry NOT Blossom :-)

Picture Below is Kamo-River at Kyoto.

soon soon soon be a spring.
Cherry blossom in kyoto are japanese very famous to travelers .
after cherry blossomed i post beautiful cherry blossom. see you next post!

NoScript for FireFox can stop another site Javascript XSS

2007-03-21T13:37:00.000-07:00

ha.ckers.org web application security lab - Archive ≫ NoScript Plugin Beta Attempts To Stop XSS

Beta version of NoScript(Noscript 1.1.4.6.070318) for FireFox can stops Cross site Scripting(XSS) from other site(like importing js file).
We are waiting for NoScript for Internet Explorer!!! :-)

Giorgio Maone, the author of the NoScript Firefox plugin has recently been posting to the boards about a new experimental version of the plugin that intends to protect against XSS. The concept of the tool change is to detect when one site is attempting to send you to another site with XSS within the query string. Obviously there are more ways to XSS sites than the query string, so this mostly relates to certain forms of reflected XSS.

[Trendmicro] I've joined Calender of Updates!

2007-02-22T00:43:00.000-08:00

In Caleder of Updates post Trendmicro pattern file updates.

Trendmicro does not open past OPR(Official pattern Release) infomation detail to the public.
(only newest one)
http://www.trendmicro.com/ftp/products/pattern/whatsnew.txt

System administrator have to know what was changed in OPR.
so i made it :-)
http://matcha139.hiemalis.org/~isamik/ptn/PATTERN#.txt
ex) http://matcha139.hiemalis.org/~isamik/ptn/4.287.00.txt

have fun!

[workshop] 10th Matcha 139 workshop will held in 17 Feb in Kyoto.

2007-01-17T22:26:00.000-08:00

Our community workshop with IT security will held in 17 Feb.
In this time "SQL injection" on Web application is thema of workshop.

Panel discussion with defending of Web application and Attaker.we discuss about HOW TO DEFEND web application from cracker.

Detail are below.(Japanese Only)
http://d.hatena.ne.jp/ripjyr/20070217

[Microsot] MS07-002 Excel patch has probrem at Chinese,Korean and Japanese version of Excel 2000.

2007-01-17T20:58:00.000-08:00

MS07-002 and Japanese edition of Microsoft Excel 2000 has probrem.
If apply MS07-002 with Japanese edition of Excel,
sometime (not always) can't open Excel file.
Probrem is occured Excel files create with Korean ,Chinese or Japanese version of Excel 2000.
and open with Excel 2000 in these langages.

this probrem occurs in the phonetic information at
Excel 2000 file create.
Excel 2000
does not open some files after you install security update 925524 that is
documented in security bulletin MS07-002

Excel 2000 is not supported in WSUS(Windows Software Update Service) or Microsoft Update.
this reson not so big influence in Japan.So people who patch by hand or Office Updated has occurs this probrem.(but supported in Office Update)

Microsoft has *NOT* release patch,but they still open trouble patch in public.Microsoft need to stop providing Office2000 patch! right now and release patch.

Microsoft Re-Released MS07-002. After 6hour i post this blog. :-)
Detail are in Microsoft Security Research Center Blog.
Shown like this.

[Security] Hijacked community at SNS.

2007-01-05T10:20:00.000-08:00

Mixi the most populer SNS(Social Network Service) in japan.(Like Orkut by Google)
in this SNS some community was hijacked.(community whith huge number of menber joined)
hijacker's technique are Social engineering.

Three Techniques are below...
1.hijack community with no owner(owner has leaved SNS)

2.Send message directly to Owner "I want to be owner"
(these community are not Active)

3.Two or more malices members ruins the community.
Malicious members blame owner because owner is not steady.
The person who runs for a new owner goes out , saying that "I become a owner while it is getting ruin".
A tired owner is cheated and transfers the management right.

After hijacked they modify content of community.and delete Bulletin board messages...they renew community.

they enjoys the reaction of the member who is from the origin.
or
It enjoys counting the seceding number of people.

Real Example is...

"Mos Burger" (hamburger shop's community) was hijacked and community contents has been changed to tavern community.

And now Mixi created sub-owner function to defend community to hijack.
A sub-owner might be able to obstruct the hijack.

infomation from
Mixi community Hijacker's infomation site.(Japanese)

[Security] NISSAN leaks 5.3Million customers personal infomation...

2006-12-21T07:41:00.000-08:00

NISSAN leaks 5.3Million customers Personal infomation.

about 5.3Million data was leaked.
Nissan send apologized Letters to 5.3Million people.
Letter fee: 0.5$ x 5.3Million = $2,650,000

I was surprised to Nissan collect 5.3 million information in one year.
5.3Millon / 365Day = about 15000 People / Day
Nissan collect 15000People data per day!

The following is a summary of the key findings:
Based on the limited information supplied by the magazine, Nissan has been unable to match that database with one that exists inside the company.
Although the alleged outside database does not match with our own internal database, our investigation has identified certain matching items that could have only been sourced from inside the company.
Based on our extensive research, Nissan has been able to identify that certain internal data may have been sourced from an old customer database. These findings are supported through vehicle model codes (model type, base, class etc.) that are exclusively used inside the company.
From the data investigations, we have concluded that the most likely timing for the leak to have occurred was between May 2003 and February 2004.

[Security] Do that with Unicode!!

2006-12-19T22:02:00.000-08:00

In Dec 9 2006 at hiroshima 10 TEXT HACK was Presentation by Yosuke Hasegawa who also Microsoft MVP for Windows-Security.

He Presented in Security-Momiji(IT Security Workshop in Hiroshima) .
document are below(Japanese Only)
-> http://openmya.hacker.jp/hasegawa/public/20061209/momiji.html

---

TEXT HACKS,Useless 10 technique after another.

HACK #1 XSS it! (UTF-7)

Script with UTF-7
Ex) script with UTF-7
+ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-+AC8-SCRIPT+AD4-
Internet Explorer can't set Encoding .And Internet Explorer is UTF-7 LIKELY Character automatic distinction to UTF-7.
Ex) Google Search replies "404 not found". (2005.12)
IIS error page XSS in MS06-053 (2006.10)
Specify encoding from outside.
Ex) Google Appliance XSS (2006.11)

HACK #2 more XSS it!(US-ASCII)

Internet Explorer Disregard first bits in 7bit character set(ex.US-ASCII or ISO-2022-JP...)
Ex) both 0x73 and 0xF3 are same "s" in IE on using US-ASCII.
s : 0x73 01110011
0xF3 11110011
Both 0x3C and 0xBC are same "<" in IE on using US-ASCII. < : 0x3C 00111100 0xBC 10111100
above can bypass META characters detection.
Ex) ｼscr iptｾalert(｢XSS｢)ｼ/scriptｾ

ｼ : 0xBC(7bit) -> 0x3C(first bit on) -> same as <
ｾ : 0xBE(7bit) -> 0x3E(first bit on) -> same as >
｢ : 0xA2(7bit) -> 0x22(first bit on) -> same as '

These mean "<sctipt>alert('XSS')</script>" on US-ASCII.

HACK #3 XSS by Japanese(Multi Byte Characters)

"first byte" of Shift_jis or EUC-JP Can destroy HTML.
Use 0x82(first byte of Shift_JIS) to next " (double quote) as force 2nd byte of Shift_JIS to Intenet Blowser.
---
<input type=text value="(0x82)"><br>
<input type=text value=" onmuseover=alert('xss');(0x82)"><br>
---
(Source from http://www.atmarkit.co.jp/fsecurity/rensai/hoshino10/hoshino02.html (Only Japanese))

Ex2) Yahoo Mail (2005.11)
---
Content-Type: text/html; charset=GB2312
Subject: example

<span
style='width:expr/*[0x81]*/*/ession(alert())'>
exploited</span>
---

Ex2) Hotmail (2006.8)
---
Content-Type: text/html; charset=SHIFT_JIS
Subject: example

<font ></font><font face="
onmouseover=alert() s=[0x81]">exploited</font>
---

HACK #4 More more XSS (Do that with expression!)

Internet Explorer can use UNICODE or Double Byte to write "expression( )" or "url()"
---
Ex) Double Byte
<div style="{left:expression(alert('xss'))}">
<div style="{left:ｅｘｐｒｅｓｓｉｏｎ(alert('xss'))}">
<div style="{background:ＵＲＬ(javascript:alert('xss'))}">

Ex) Unicode
You can use Character to write expression or url.
R - U+0280 ()
N - U+0274(t)、U+207F( )
L - U+029F(・)

Hatena Diary (2005.12)
Hotmail、Windows Live Mail (2006.11)
SquirrelMail (2006.12)

HACK #5 more and more XSS (Do that with unvisible charactors)

Internet Explorer all Disregard Null Charactor in HTML.
<s(0x00)cript>
Internet Explorer 0x0B or 0x0C treated as SPACE in HTML.
<script(0x0B)>
<s (0x0C)onmouseover="...">
Mozilla FireFox 1.5.0.4 and Prior version disregard BOM (U+FEFF; ZERO WIDTH NO-BREAK SPACE).
<s(BOM)cript>

MFSA 2006-42: Web site XSS using BOM on UTF-8 pages

HACK #6 bypass mail contents filter.

Outlook Express is also Disregard first bit of 7bit charactor such US-ASCII or ISO-2022-JP.

MIME-Version: 1.0

Content-Type: text/plain; charset=US-ASCII

Content-Transfer-Encoding: 7bit

 

This is test mail



begin 644 eicar.com

ﾍｶ#5/(5`E0$%06S1<4%i8-30h4%xi-t-#*3=])

$5)0T%2+5-404Y$05)$+4%.

75$E625)54RU415-4+49)3$4A)$@K2"I#

`

end



uuencode eicar.com(virus test file) and first bit on.

HACK #7 Create same file name(do that with ZERO WIDTH Charactors)

by using ZERO WIDTH or Control Charactors a part of file name can make looks like same file name.

Unvisible Charactors.
- U+200B ( ZERO WIDTH SPACE )
- U+200C ( ZERO WIDTH NON-JOINER )
- U+200D ( ZERO WIDTH JOINER )
- U+FEFF ( ZERO WIDTH NO-BREAK SPACE )
- U+202A ( LEFT-TO-RIGHT EMBEDDING )

HACK #8 Directory Traversal (do that with Yen mark)

Unicode has backslash (U+005C) and Yen mark(U+00A5).
Yen mark(U+00A5) can use for file name.
Yen mark(U+00A5) convert to Shift-JIS and be backslash(0x5C)

Therefore, in the application not to treat the file name with Unicode Directory Traversal might be happen.
Ex) DoS might be generated.if application that recurrently enumerates the file .
and If the folder like "..\".
Ex)
- Namazu 2.0.15 (for Windows) prior
- Hyper Estraier Version 1.0.2 (for Windows) prior
- Becky! Ver.2.22 prior

HACK #9 registry key that doesn't pretend exist but exist(Do that with ZERO WIDTH Charactor)

Registry entry can use UNICODE,so you can use ZERO WIDTH Charactors to camouflaged by using ZERO WIDTH Charactors ,same as file name HACK #7.

HACK #10 camouflage the file extension (do that with Bidi)

Unicode has "bidirectional algorithm" function.
show charactors to right directional to left directional.
U+202E(RIGHT-TO-LEFT OVERRIDE; RLO) into file name,file name after RLO,charactors are left side right.

Ex) RLO with file name
Real file name: this-(U+202E)txt.exe
File name shown:this-exe.txt

Summary

permitted characters are the MANAGED white list.
Character string is inspection are after regularized.
Don't change after regularized.
Dont cheated by Unicode that looks like.
The behavior of difference between a Browser and MUA.(if possible)

Reference

[Securiry] Backup product and Vulnerability

2006-12-19T01:04:00.000-08:00

Recently a lot of vulnerability was found in Backup product.
such as Arcserve and Netbackup.

Arcserve

http://isc.sans.org/diary.php?storyid=1876

Backup Exec

http://www.symantec.com/avcenter/security/Content/2006.12.13a.html
http://seer.support.veritas.com/docs/285984.htm

Backup product have to use system privileged user for backup system files.
I think only backup (file copy process) have to use system privileged role, and other
process unnecessary to hold system privileged.

Backup vender Should design with secure default!

[Security]128 bit WEP Key cracked in 81Minitues.so about Nintendo DS Lite.

2006-12-18T00:46:00.000-08:00

kikuz0u post that WEP key in Wifi Connection is cracked in 81Minutes.

He uses airsnort, aircrack-ng for crack WEP Key.

How about Nintendo DS Lite Wifi Connection.
this product *CAN ONLY* use WEP key.....
AES or TKIP can't use......I can't Believe it.

many many Nintendo DS Lite owner set weak setting of Wifi to use
Nintendo DS Lite.
however other Wifi product's Default setting are weak too.

[BLOG] Security Blog open!

2006-12-18T00:06:00.000-08:00

In this blog. I'll post security topics , news and someting like that I interested.

in my main blog is here.(Sorry only Japanese)

----
Q.Who am i?
A.I'm matcha daifuku.
I'am system administrator and security administrator at a company in japan(osaka)
and I operate security community for ITpro in japan.(matcha139).
---Microsoft MVP Windows-Security 2005/10-2007/09---

Q.what is matcha139?
A.matcha139 is security community. we hold workshop(meeting) 4times a year at kyoto.

Q.what ripjyr stand for.
A.Nothing (:-D) ripjyr was created by password maker.