Archive for April, 2005

New Tool: hcraft – HTTP Vuln Request Crafter

April 18, 2005

hcraft is a HTTP systems penetration testing tool designed to make exploitation of known vulnerabilities in HTTP systems a dynamic, simple process. hcraft is intended to help take the details out of executing HTTP- based attacks that require you to specially craft an HTTP request. By defining a modeline for a given vulnerability in the modes file you can instruct hcraft in how the HTTP request should be constructed, then use the tool to select the appropriate mode and include the dynamic parts of the attack such as target host, port, and the filename to retrieve or the command to execute.

hcraft was originally designed to be primarily used for arbitrary file disclosure or command execution vulnerabilities, however it can also be used for cross-site-scripting and sql-injection attacks if the modeline for the vulnerability is carefully designed.

You can find the debut version of hcraft at the following URL:

http://druid.caughq.org/projects/hcraft/

CAUNewswire – CAU Enters the Information Security Certifications market

April 14, 2005
                       ,pP""Yq,  ,pP""Yq,  ,d    b,
                      i$l    l$i $l    l$ i$l    l$i
                      $$     !$$ ,gP""Yp$$$$      $$
                      $$        i$l    l$$$$      $$
              `$$$$$  $$     !$$$$      $$$$      $$  $$$$$'
               `$$$$  i$l    l$ii$l    l$$i$l    l$i  $$$$'
                `$$$$  Y$,  ,$P  Y$,  ,$$ $Y$,  ,$P  $$$$'
                 `$$$$  `""""`    `""""`""  `""""`  $$$$'
                  `$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$'
                      computer academic underground
                               ..newswire..

DALLAS, Texas, April 14 2005 /CAUNewswire/ —

CAU announced today it’s first offerings into the Information Security Certifications market, providing an overly generalized certification, the CAU Certified Information Systems Security Practitioner (C²ISSP), as well as it’s first specialized certification, the Hacker and Xtreme 0day Researcher (HAX0R) certification. “The white-hat community has so many damn certs, it’s hard to tell many of them apart.” ventured I)ruid, CAU’s Founder and CHO, “It’s time for the black- and grey-hat community to get a piece of the action.” CAU has also implied that it intends to one-up the white-hat community by making all of it’s certification processes FREE, as in “free beer,” not as in “free speech.”

The C²ISSP is a certification targeted for mid- and senior-level hackers who are working toward or have already attained unemployment or covert positions as janitors, secure document disposal personnel, surveillance system technicians, or Senior Security Engineers. Essentially, it’s meant to be the inverse of the white-hat CISSP certification. intropy, CAU’s Lead Vulnerability & Exploit Researcher had this to say about the new certification: “They only got one ‘C’, WE GOT TWO!!!”

The C²ISSP is an overly generalized certification spanning a breadth of hacker underground subjects conveniently categorized into ten manageable domains, called the Common Body of Information (CBI), which consist of the following:

  • Hacking
  • Phreaking
  • Anarchy
  • Viruses
  • Cracking
  • Software Development
  • Radio & Wireless
  • Hardware & Electronics
  • Intelligence / Counter-Intelligence
  • History, Community, & Culture

The HAX0R certification, CAU’s first specialized skill certification, is targeted toward all hackers who specialize in vulnerability and 0day exploit development.

More information on CAU’s Information Security Certifications can be found at the organization’s website, under the Certifications area:

http://www.caughq.org/certs/

Or via email to the CAU Certifications Review Board, at crb@caughq.org

CAU-2005-0001: Chat Service Users – “Oops! Wrong Window” Information Disclosure

April 1, 2005

A potential information disclosure vulnerability exists with all users
of chat services. When users do not adequately pay attention to which
window or application has focus on their workstation, they may
inadvertently type sensitive information like passwords or personal
information into the chat service.

http://www.caughq.org/advisories/CAU-2005-0001.txt