George Chetcuti

The whoami command-line tool

Most of us have at one time or another had to troubleshoot an end user permission problem and wanted to quickly verify the user's group memberships and rights in the domain. Say you are at the end user's workstation and have limited or no access to remote admin tools. Then reach for the command-line tool whoami, a quick and easy way to display user, group, and privilege information for the user who is currently logged on to the local computer. The tool is built into Windows Vista, Windows 7, Windows Server 2008 and later.

Used without parameters, whoami displays the current domain and user name; the /all option shows the whole of the current access token, including the user name, security identifiers (SIDs), the groups the user belongs to and the privileges held. Note that whoami reports the token of the session you run it in: it reflects group membership as it was at logon (a user added to a group since then must log off and on again before the change shows up), and in an elevated command prompt under UAC it shows the full administrator token rather than the filtered one the user's desktop is actually running with.

A typical case is a user reporting that they cannot reach a specific shared resource in the domain. The following lists the groups the logged-on user is a member of, in list format:

whoami /groups /fo list

To get just the information you need and drop the extra detail, pipe the output to the find command as shown below. Use plain double quotes: the typographic quotes a word processor produces are passed to find literally and the search fails.

whoami /groups /fo list | find "Group Name"
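When the question is "is this user really in the group the share grants access to?", it helps to parse whoami's CSV output rather than eyeball it. The PowerShell script below is an added example, not code from the original post: it reads the token with whoami /groups /fo csv and /priv /fo csv, and flags the two cases that catch people out, a group that is missing because the user was added after logon, and a group that is present but marked "Group used for deny only" (what you see for Administrators in a non-elevated UAC session). The group name 'CONTOSO\Share Users' is a placeholder to be replaced with the group named in the share's permissions.

```powershell
# Added example, not from the original post. Parses whoami's CSV output to
# answer "is this user actually in the group the share grants access to?"
# 'CONTOSO\Share Users' is a placeholder; put the group from the share's
# permissions here.
$wanted = 'CONTOSO\Share Users'

# /fo csv emits a header row, so ConvertFrom-Csv produces objects with the
# properties 'Group Name', 'Type', 'SID' and 'Attributes'.
$groups = whoami /groups /fo csv | ConvertFrom-Csv

# Show every group in the token and whether it is actually effective. A group
# marked "Group used for deny only" is in the token but grants nothing.
$groups |
    Select-Object 'Group Name', 'SID',
        @{ Name = 'Effective'; Expression = { $_.Attributes -notmatch 'deny only' } } |
    Format-Table -AutoSize

# -eq is case-insensitive in PowerShell, which suits Windows group names.
$hit = $groups | Where-Object { $_.'Group Name' -eq $wanted }
if (-not $hit) {
    "Token does not contain $wanted. If the user was added recently, log off and on again: the token is built at logon."
} elseif ($hit.Attributes -match 'deny only') {
    "$wanted is in the token but marked 'deny only', so it grants nothing in this session (typical for Administrators under UAC)."
} else {
    "$wanted is present and enabled in the token."
}

# Privileges live in the same token; only the Enabled ones count.
whoami /priv /fo csv | ConvertFrom-Csv |
    Where-Object { $_.State -eq 'Enabled' } |
    Select-Object 'Privilege Name', 'Description' |
    Format-Table -AutoSize
```

Run it in the user's own (non-elevated) session, since that is the token the share is being accessed with; running it from an elevated prompt answers a different question.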

ISC DHCP server 4.2 vulnerability

ISC DHCP is open source software that implements the Dynamic Host Configuration Protocol for local networks. It is available for free download under the terms of the ISC License, a BSD-style license.

On a server configured for failover, an attacker who can reach the TCP port used for communication with the failover peer can hang the server simply by opening a TCP connection to it. The server then stops responding to all normal DHCP traffic and ceases to serve clients, so this is a denial of service rather than code execution, and it only affects deployments that use failover. Restarting the server restores service, but the attacker can repeat the connection at will; ISC recommends upgrading to 4.2.0-P2 or later, where the vulnerability is addressed. Until then, restricting the failover port with a firewall so that only the peer can reach it removes the exposure.

Visit the ISC advisory "DHCP: Server Hangs with TCP to Failover Peer Port" for more details.

MS releases a workaround for IE CSS vulnerability

The vulnerability allows an attacker to execute arbitrary code through memory corruption that occurs when Internet Explorer processes a style sheet that recursively imports itself. The workaround Microsoft has issued adds a check that rejects recursive loads of a style sheet with the same URL.

Microsoft recommends installing the workaround until a security update is available. Note that you must have the latest security updates in place before applying the fix. Since the fix is delivered as an msi package, follow Microsoft's release notes for a complete and successful installation. Being a workaround, it blocks the known trigger rather than correcting the underlying code, so treat it as a stop-gap and still apply the real update when it ships.

Google Chrome vulnerabilities

Multiple memory corruption vulnerabilities were found in Chrome that could allow a remote attacker to crash the browser and execute arbitrary code. If your version of Chrome is earlier than 8.0.552.237, update it to pick up the security fixes. Chrome on Windows normally updates itself, but it is worth checking the version you are actually running: click the wrench icon and select About Google Chrome.

An update is waiting if the wrench icon on the browser toolbar shows a small orange dot. Click the wrench icon, select Update Google Chrome and restart the browser; the fix is not in effect until the browser has been restarted.

For more information see Google's Chrome release notes.

The HTML Object Memory Corruption Vulnerability (IE 0day vulnerability)

This is an Internet Explorer memory corruption issue, a use-after-free: JavaScript takes a copy of a reference to a specific Document Object Model (DOM) element, the element is released, and the stale reference is used afterwards. If the attacker can first fill memory with attack code, the dereference of the freed memory lands on attacker-controlled data and results in execution of the attacker's code.

The vulnerability is present in Internet Explorer 6, 7 and 8. All versions may crash when they open the attack code, but there are several ways to limit the impact to a crash and prevent execution of the attacker's code; memory protections such as Data Execution Prevention (DEP), which IE8 enables by default on recent Windows versions, and Microsoft's EMET toolkit are the usual candidates.

Additional information can be found at Microsoft’s Security Research & Defense web site.

Cybercrime hit more firms!

Cyber criminals hacked the website of the cosmetics firm Lush and compromised customers' credit card details. Although the company has not released the fraud amount, it is estimated to be significant, since the intrusion may have gone on for four months. The firm took the site down after discovering the breach on Christmas Day and began investigating the incident.

Another breach hit Trapster, a firm that provides road safety services and alerts about police speed traps. Attackers broke into the website and retrieved millions of users' email addresses and passwords. Beyond spam, stolen credentials like these are routinely tried against other sites, because many people reuse passwords. Trapster immediately warned its customers, instructing them to change their passwords and to stop using the disclosed credentials on any other site.

Internet Explorer CSS vulnerability

This vulnerability affects all versions of Internet Explorer and lets an attacker execute code with the rights of the logged-on user, so running as a standard user rather than an administrator limits the damage. It is the same issue that the Fix it workaround described above addresses. The attack vector is a web page with specially crafted content; users may be steered to such a page through malicious links in e-mail or instant messages.

Until a patch is available, Microsoft notes that anti-virus and IDS/IPS products have been effective at detecting and blocking the attacks seen so far, so make sure yours are up to date; keep in mind that signatures catch known exploits, not the vulnerability itself.

For more information on mitigating this risk, see Microsoft Security Advisory 2458511.

Install the latest Messenger security update email!

If you have received an email message from [email protected] instructing you to download the latest security updates for Windows Live Messenger and it did not raise your eyebrows, you need to be more security-conscious. Whether this email is a scam or not is hard to tell for sure, but I would like to attempt a quick check of its validity. One thing is certain: do not click any links in this message before you have done your checks!

Firstly, I would assume that microsoft.windowslive.com is a genuine domain owned by Microsoft, although I would have trusted windowslive.microsoft.com more. Trying this domain in my browser gives an error, while windowslive.com loads the Windows Live home page, so I am still without a clue. Even the username part of the email address seems slightly exaggerated, but that happens with big organizations. Bear in mind, too, that the From address of an email is trivially forged, so even proving that the domain belongs to Microsoft would not prove that the message came from Microsoft; where the links actually point is the better tell.

Secondly, I would invoke a couple of tools hoping that one of them would give me a definite answer. Online whois query tools would confirm windowslive.com as a Microsoft-registered domain; a subdomain such as microsoft.windowslive.com has no registration of its own, but it can only exist if whoever controls the DNS for windowslive.com created it. I can also check the domain against a couple of the malware domain lists available on the net. Tools like network-tools.com resolve the full domain name to an IP address and then test that address against publicly available blacklists; mxtoolbox.com is another, with useful utilities for reverse lookups, port scans and so on. Eventually, the results of these tests do not incriminate the domain o

Microsoft IIS FTP service vulnerability

A denial of service vulnerability has been reported in the IIS FTP 7.5 service that ships with Windows 7 and Windows Server 2008 R2. An attacker can abuse the way the service builds FTP responses to cause a heap buffer overrun. Microsoft's assessment is that the flaw cannot be used to execute malicious code, so exploiting it yields a denial of service against the FTP service; the IIS web services are not affected.

If you do not intend to use the FTP service, stop and disable it. Note that the FTP service is not installed by default, so many servers are not exposed at all; check before you assume either way. Microsoft will be releasing a security update or further guidance to help customers protect themselves against this vulnerability.
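The check and the stop/disable step, as an added PowerShell example that is not part of the original post or of Microsoft's guidance. It looks for the FTP Publishing Service (ftpsvc, the service name of the IIS FTP service), reports its state and startup type, confirms whether anything is really listening on the FTP control port, and only changes anything if you set the $DisableIfFound switch variable, which is an assumption of this script, to $true.

```powershell
# Added example, not from the original post. Checks whether the IIS FTP
# service (ftpsvc) is installed and listening, and optionally stops and
# disables it. $DisableIfFound is this script's own switch: leave it $false
# to only report, set it $true to make the change.
$DisableIfFound = $false

$ftp = Get-Service -Name ftpsvc -ErrorAction SilentlyContinue
if (-not $ftp) {
    'FTP Publishing Service (ftpsvc) is not installed on this host; nothing to do.'
    return
}

$startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='ftpsvc'").StartMode
"ftpsvc is installed: status $($ftp.Status), startup type $startMode"

# Confirm whether the FTP control port is actually open. The pattern matches
# IPv4 and IPv6 listeners, e.g. '0.0.0.0:21' and '[::]:21'.
$listeners = netstat -ano | Select-String '^\s*TCP\s+\S+:21\s+\S+\s+LISTENING'
if ($listeners) {
    'Listeners on the FTP control port (local address, remote, state, PID):'
    $listeners | ForEach-Object { $_.Line.Trim() }
} else {
    'Nothing is listening on TCP port 21 right now.'
}

if ($DisableIfFound) {
    # Stop it now and keep it from coming back at the next reboot.
    Stop-Service -Name ftpsvc -Force
    Set-Service -Name ftpsvc -StartupType Disabled
    'ftpsvc stopped and set to Disabled.'
}
```

Run it from an elevated PowerShell prompt; querying the service works as a standard user, but stopping it and changing its startup type do not. If the FTP server has been given a non-standard control port, adjust the ':21' in the pattern accordingly.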

For more information visit Microsoft's Security Research & Defense blog.
