Channel: BOT24

[KIS-2014-12] TestLink

----------------------------------------------------------------
TestLink <= 1.9.12 (database.class.php) Path Disclosure Weakness
----------------------------------------------------------------


[-] Software Link:

http://testlink.org/


[-] Affected Versions:

Version 1.9.12 and prior versions.


[-] Weakness Description:

The vulnerable code is located in the /lib/functions/database.class.php script:

if(defined('DBUG_ON') && DBUG_ON == 1)
{
  echo "<pre>"; debug_print_backtrace(); echo "</pre>";
}
else
{
  echo "<pre>"; debug_print_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS); echo "</pre>";
}

The weakness exists because this script reveals debug information generated by the "debug_print_backtrace()" function.
This can be exploited to gain knowledge of the web root directory by sending direct requests to certain scripts.
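As an added illustration (not TestLink's code or its hotfix), a handler that keeps the backtrace out of HTTP responses unless DBUG_ON is explicitly enabled; report_db_error() is a hypothetical name, and the only change from the pattern above is where the non-debug backtrace goes.

```php
<?php
// Added example, not TestLink's code: report_db_error() is a hypothetical replacement for
// the echo/debug_print_backtrace() pattern above. The backtrace (which contains absolute
// file system paths) reaches the browser only when DBUG_ON is explicitly enabled.
function report_db_error(string $message): void
{
    if (defined('DBUG_ON') && DBUG_ON == 1) {
        // Developer mode: a full backtrace on the page is intended.
        echo "<pre>";
        debug_print_backtrace();
        echo "</pre>";
        return;
    }

    // Production mode: capture the backtrace into a string instead of echoing it,
    // and send it to the web server's error log, which only administrators read.
    ob_start();
    debug_print_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
    $trace = ob_get_clean();
    error_log("TestLink database error: {$message}\n{$trace}");

    // The HTTP response carries no file paths, class names or query text.
    echo "<p>A database error occurred. Please contact the administrator.</p>";
}

// Constructed call for illustration; in the original this runs from database.class.php.
report_db_error('connection failed');
```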


[-] Solution:

Update to version 1.9.13 when it is released, or apply these hotfixes: http://mantis.testlink.org/view.php?id=6609


[-] Disclosure Timeline:

[06/10/2014] - Issue reported to http://mantis.testlink.org/view.php?id=6651
[07/10/2014] - Issue fixed in the Git repository: http://goo.gl/AnOAi6
[08/10/2014] - CVE number requested
[11/10/2014] - CVE number assigned
[23/10/2014] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-8082 to this weakness.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2014-12

[KIS-2014-11] TestLink

--------------------------------------------------------------------------
TestLink <= 1.9.12 (execSetResults.php) PHP Object Injection Vulnerability
--------------------------------------------------------------------------


[-] Software Link:

http://testlink.org/


[-] Affected Versions:

Version 1.9.12 and prior versions.


[-] Weakness Description:

The vulnerable code is located in the /lib/execute/execSetResults.php script:

428.        if(is_string($args->filter_status) && strlen($args->filter_status) > 1)
429.        {
430.          $args->filter_status = unserialize($args->filter_status);
431.        }

User input passed through the “filter_result_result” request parameter is not properly sanitized before being used in
a call to the “unserialize()” function at line 430. This can be exploited to inject arbitrary PHP objects into the
application scope, and could allow an attacker to delete arbitrary files, carry out Server-Side Request Forgery (SSRF),
SQL Injection, or Local/Remote File Inclusion attacks via specially crafted serialized objects.
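As an added example (not TestLink's code or its hotfix), the pattern from line 430 beside one hardened form; filter_status_vulnerable() and filter_status_hardened() are hypothetical names, and the assumption that a legitimate value is an array of single-letter status codes is mine, not the project's.

```php
<?php
// Added example, not TestLink's code or its hotfix. filter_status_vulnerable() mirrors the
// pattern at execSetResults.php line 430; filter_status_hardened() is one way to accept the
// same serialized value without letting the request instantiate application classes.
// Assumption: a legitimate value is an array of single-letter status codes (e.g. 'p', 'f').

function filter_status_vulnerable($raw)
{
    // Any class reachable via autoload can be instantiated here, running its
    // __wakeup()/__destruct() with request-controlled properties.
    if (is_string($raw) && strlen($raw) > 1) {
        $raw = unserialize($raw);
    }
    return $raw;
}

function filter_status_hardened($raw)
{
    if (!is_string($raw) || strlen($raw) <= 1) {
        return $raw;
    }
    // PHP >= 7.0: allowed_classes => false turns every object in the payload into
    // __PHP_Incomplete_Class, so no application constructor or magic method runs.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return null; // malformed input: discard it rather than trust it
    }
    // Enforce the shape we expect instead of whatever the payload claims to be.
    if (!is_array($value)) {
        return null;
    }
    foreach ($value as $status) {
        if (!is_string($status) || !preg_match('/^[a-z]$/', $status)) {
            return null;
        }
    }
    return array_values($value);
}

// Constructed inputs: a legitimate filter, and a benign stdClass standing in for
// whatever class a crafted request would name. Only the hardened form rejects it.
var_dump(filter_status_hardened(serialize(['p', 'f'])));
var_dump(filter_status_hardened('O:8:"stdClass":0:{}'));
var_dump(filter_status_vulnerable('O:8:"stdClass":0:{}'));
```

Where the value does not need PHP's native serialization at all, json_decode($raw, true) with the same shape check avoids unserialize() entirely and also works on PHP 5.x, where the allowed_classes option is not available.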


[-] Solution:

Update to version 1.9.13 when it is released, or apply these hotfixes: http://mantis.testlink.org/view.php?id=6609


[-] Disclosure Timeline:

[06/10/2014] - Issue reported to http://mantis.testlink.org/view.php?id=6651
[07/10/2014] - Issue fixed in the Git repository: http://goo.gl/ptQaqZ
[08/10/2014] - CVE number requested
[11/10/2014] - CVE number assigned
[23/10/2014] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-8081 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2014-11

Anatomy of a code tracer

A few years back I found myself reverse-engineering a vendor lock-in handshake in a proprietary application. It was clear to me: I needed a code tracer.

In my mind the ultimate code tracer should be able to trace code with minimal slowdown, it should provide high granularity and not require me to trace the entire process, and it should be able to cope with anti-debug trickery.

More here: https://medium.com/@oleavr/anatomy-of-a-code-tracer-b081aadb0df8

Top 5 Scariest Zombie Botnets

An army of the undead, wreaking havoc on the Internet – it’s a nightmare scenario that has played out time and again as the world’s online population has exploded. But time and again protectors of the worldwide web have come together to stop these malicious hordes, yet it has not been easy. There are some zombie botnet plagues that have been particularly troubling, and we will take a look at the worst of the worst.

More here: http://www.welivesecurity.com/2014/10/23/top-5-scariest-zombie-botnets/

POS malware - a look at Dexter and Decebal

Point of Sale (POS) systems consist of the hardware and software used in processing a retail purchase of goods or services. The information stored on the magnetic stripe of the card is collected and processed by the attached computer or device for the purchase. The data stored on the magnetic stripe is what is referred to as Track 1 and Track 2 data. Track 1 data is the information associated with the account number and cardholder’s name and Track 2 data contains information such as the credit card number and expiration date.

Dexter
Dexter POS mainly targets credit and debit card data. It steals Track 1 / Track 2 magnetic card data through memory scraping or parsing of some specific processes. It then relays this information back to the command and control (C&C) systems for the malware.

More here: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/POS-malware-a-look-at-Dexter-and-Decebal/ba-p/6654398#.VEmr6vnF-Sp

Ventir Trojan Intercepts Keystrokes from Mac OS X Computers

Intego has seen an eyebrow-raising upward trend in the number of malicious files discovered targeting Mac OS X in the past few years, and it has many security experts concerned. Virus hunters have unveiled yet another modular malware for Mac OS X, called the Ventir Trojan.

More here: http://www.intego.com/mac-security-blog/ventir-trojan-intercepts-keystrokes-from-mac-os-x-computers/

THE CASE OF THE MODIFIED BINARIES OVER TOR

After creating and using a new exitmap module, I found downloaded binaries being patched through a Tor exit node in Russia.  Tor is a wonderful tool for protecting the identity of journalists, their sources, and even regular users around the world; however, anonymity does not guarantee security.

More here: http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/

Incorrect implementation of NAT-PMP in multiple devices

Many NAT-PMP devices are incorrectly configured, allowing them to field requests received on external network interfaces or map forwarding routes to addresses other than that of the requesting host, making them potentially vulnerable to information disclosure and malicious port mapping requests.

More here: http://www.kb.cert.org/vuls/id/184540

Hack.lu 2014 CTF Write Up: At Gunpoint

Hack.lu's 2014 CTF took place on October 21-23. The event was organized by fluxfingers, and this year's challenges were really enjoyable, huge props to them. I played with my friends from TheGoonies - after winning the Brazilian CTF Pwn2Win we are now getting better organized to become more competitive. There are quite a few write-ups around, and I decided to post about a few tasks for which we had a different solution from other teams.

Task: At Gunpoint (Reversing - 200)

More here: http://w00tsec.blogspot.com/2014/10/hacklu-2014-ctf-write-up-at-gunpoint.html

CVE-2014-4113 Detailed Vulnerability and Patch Analysis

As you might have heard, Microsoft recently patched some vulnerabilities related to Sandworm: CVE-2014-4114 (PowerPoint exploit) and a font parsing vulnerability (CVE-2014-4148). But in this article, I'm more interested in talking about CVE-2014-4113, a local kernel vulnerability whose successful exploitation would give you SYSTEM access. So I started analyzing Microsoft's patch (KB3000061), and during the analysis I found a PoC for this vulnerability in the wild. So I combined my patch analysis and reverse engineering of this PoC binary to deeply understand this vulnerability and exploitation technique. I'll share it step by step, with all details, so you'll know everything about CVE-2014-4113.

More here: https://www.codeandsec.com/CVE-2014-4113-Detailed-Vulnerability-and-Patch-Analysis

Vuln Hunt: Find the Security Vulnerability Challenge # 3

This particular type of vulnerability is used to attack data-driven applications found across the web.  It has been around for over a decade and is one of the top threats today.  Do you know what it is?  Here’s another hint: it executes malicious queries in situations where user supplied inputs are not properly sanitized and validated before submitting to a database.

More here: http://blogs.microsoft.com/cybertrust/2014/10/23/vuln-hunt-find-the-security-vulnerability-challenge-3/

LeoUncia and OrcaRat

The PWC-named malware OrcaRat is presented as a new piece of malware but looking at the URI used for C&C communication, it could be an updated version of a well-known and kind of old piece of malware: LeoUncia.

More here: http://blog.airbuscybersecurity.com/post/2014/10/LeoUncia-and-OrcaRat

[ TECHNICAL TEARDOWN: HONGKONG PROTEST MALWARE ]

[ How it starts ]
It all started when we saw Tsui Lokman mention an executable that they had received and that could be malware.
This particular piece of malware could potentially be used to target Hongkongers participating in #OccupyCentral & #UmbrellaMovement.
Being the curious cat(s), we started asking for a copy of it to analyse.


More here: http://www.vxsecurity.sg/2014/10/25/technical-teardown-hongkong-protest-malware/

PSA: don't run 'strings' on untrusted files

Many shell users, and certainly most of the people working in computer forensics or other fields of information security, have a habit of running /usr/bin/strings on binary files originating from the Internet. Their understanding is that the tool simply scans the file for runs of printable characters and dumps them to stdout - something that is very unlikely to put you at any risk.

More here: http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html

OWNCLOUD UBUNTU PACKAGE AFFECTED BY MULTIPLE CRITICAL SECURITY ISSUES, NOBODY TO FIX IT

ownCloud developer Lukas Reschke has sent an email to the Ubuntu Devel mailing list, requesting that ownCloud (server) is removed from the Ubuntu repositories because the package is old and there are multiple critical security bugs for which no fixes have been backported.

More here: http://www.webupd8.org/2014/10/owncloud-ubuntu-package-affected-by.html

Unbreakable filter

I was bored so I thought I’d take a look at Ashar’s filters. I noticed he’d done a talk about it at Blackhat Europe which I was quite surprised at.

More here: http://www.thespanner.co.uk/2014/10/24/unbreakable-filter/

ELF obfuscation: let analysis tools show wrong external symbol calls

Now that the hack.lu 2014 CTF is over, I can finally publish a small ELF analysis tool fuck up that I found some months ago. I used this ELF analysis tool fuck up in a challenge of the CTF ("the union") because I did not find anything about it on the internet (you can almost say it was a kind of "0 day" to obfuscate stuff in analysis tools).

So, a short back story on how I came to it. I gave a little talk about ELF basics and some obfuscation with the help of ELF sections at a colloquium. I discussed some ELF stuff with guys there and an idea was raised: "What would happen if you put two dynamic string tables in there, one manipulated in the section table and the original in the dynamic segment?". And this is what this post is all about.

More here: http://h4des.org/blog/index.php?/archives/346-ELF-obfuscation-let-analysis-tools-show-wrong-external-symbol-calls.html

Google Blacklists Bit.ly

If you ever shortened a URL using bit.ly, or if you use it anywhere, be aware that Google recently blacklisted all bit.ly pages through its Safe Browsing program. It means that anyone using Chrome, Firefox or Safari will get a nasty "The site ahead contains malware" warning when visiting a bit.ly link.

More here: http://blog.sucuri.net/2014/10/bit-ly-blacklisted-by-google-safe-browsing.html

Shellshock via SMTP

I've received several reports of what appears to be shellshock exploit attempts via SMTP. The sources so far have all been webhosting providers, so I'm assuming these are compromised systems.

More here: https://isc.sans.edu/diary/Shellshock+via+SMTP/18879

(PDF) akamai’s [state of the internet]

Akamai’s globally-distributed Intelligent Platform allows us to gather massive amounts of data on many metrics, including connection speeds, attack traffic, network connectivity/availability issues, and IPv6 adoption progress, as well as traffic patterns across leading Web properties and digital media providers.

More here: http://www.stateoftheinternet.com/downloads/pdfs/2014-state-of-the-internet-connectivity-report-2014-q2.pdf