Observing the Havex RAT

November 12, 2014, 1:50 pm

≫ Next: Evolution of Upatre Trojan Downloader

≪ Previous: Taming a Wild Nanomite-protected MIPS Binary With Symbolic Execution: No Such Crackme

It has, so far, been publicly reported that three ICS vendors have spread the Havex Remote-Access-Tool (RAT) as part of their official downloads. We've covered the six pieces of software from these three vendors in our blog post ”Full Disclosure of Havex Trojans”. In this blog post we proceed by analyzing network traffic generated by Havex.

more here........http://www.netresec.com/?page=Blog&month=2014-11&post=Observing-the-Havex-RAT

↧

Evolution of Upatre Trojan Downloader

November 12, 2014, 1:52 pm

≫ Next: Oil Droplets and Your Banking Credentials

≪ Previous: Observing the Havex RAT

Upatre is a Trojan Downloader family that once installed, is responsible for stealing information and downloading additional malware on the victim machine. It typically arrives via spammed e-mail messages from the Cutwail Botnet, either as an attachment, or via a URL pointing to a remote hosting site. We are also seeing Exploit Kits being used as a vector for Upatre infections in the wild.

more here......http://research.zscaler.com/2014/11/evolution-of-upatre-trojan-downloader.html

↧

Oil Droplets and Your Banking Credentials

November 12, 2014, 1:53 pm

≫ Next: Cloud Key Management vs. Hardware-Based Key Managers (HSMs)

≪ Previous: Evolution of Upatre Trojan Downloader

What does a droplet of oil have in common with the security of your banking credentials? Very little, you might think. However, there is research that came out a few months back, that confirms a theory made (and then dismissed) over 80 years ago about quantum effects. Bear with me.

more here........http://blog.whitehatsec.com/oil-droplets-and-your-banking-credentials/

↧

Cloud Key Management vs. Hardware-Based Key Managers (HSMs)

November 12, 2014, 8:18 pm

≫ Next: Automating Man-in-the-Middle SSHv2 attacks

≪ Previous: Oil Droplets and Your Banking Credentials

Cloud security is a top concern for any organization migrating to the cloud. The threats are many.
For example, the fact your data resides in a shared, multi-tenant environment is a threat that has become a reality with the latest Xen virtualization bug, which allowed a malicious fully virtualized server to read data about other virtualized systems running on the same physical hardware or the hypervisor).
Other threats to cloud security include internal employees and even governments.

more here............http://www.porticor.com/2014/11/cloud-key-management-vs-hardware-based-key-managers-hsms/

↧

Automating Man-in-the-Middle SSHv2 attacks

November 13, 2014, 4:16 am

≫ Next: Paper: Measuring the Leakage of Onion at the Root

≪ Previous: Cloud Key Management vs. Hardware-Based Key Managers (HSMs)

Recently during an internal penetration test, I was performing ARP spoofing and i discovered a SSH connection from the administrator computer to another box.

That sounds like the correct way to access remote hosts securely. However, the problem was that the company was using a network switch that was vulnerable to ARP spoofing.

more here.........http://milo2012.wordpress.com/2014/11/12/automating-man-in-the-middle-sshv2-attacks/

↧

Paper: Measuring the Leakage of Onion at the Root

November 13, 2014, 8:27 pm

≫ Next: OnionDuke: APT Attacks Via the Tor Network

≪ Previous: Automating Man-in-the-Middle SSHv2 attacks

“A measurement of Tor’s .onion pseudo-TLD in the global domain name system”
The Tor project provides individuals with a mechanism of communicating anonymously on the Internet. Furthermore, Tor is capable of providing anonymity to servers, which are configured to receive inbound connections only through Tor---more commonly called hidden services. In order to route requests to these hidden services, a namespace is used to identify the resolution requests to such services. A namespace under a non-delegated (pseudo) top-level-domain (TLD) of .onion was elected. Although the Tor system was designed to prevent .onion requests from leaking into the global DNS resolution process, numerous requests are still observed in the global DNS. In this paper we will present the state of .onion requests received at the global public DNS A and J root nodes over a longitudinal period of time, a synthesis of Day In The Life of the Internet (DITL) data repository, and potential explanations of the leakage, and highlights of trends associated with global censorship events. By sharing this preliminary work, we wish to trigger further discussions on the matter in the community.

more here...........http://delivery.acm.org/10.1145/2670000/2665951/p173-thomas.pdf?ip=74.65.254.23&id=2665951&acc=OPEN&key=4D4702B0C3E38B35%2E4D4702B0C3E38B35%2E4D4702B0C3E38B35%2E6D218144511F3437&CFID=598741558&CFTOKEN=56195266&__acm__=1415901012_29baab4a3cea21984f145fb5587bc92a

↧

OnionDuke: APT Attacks Via the Tor Network

November 14, 2014, 2:09 am

≫ Next: Simple guest to host VM escape for Parallels Desktop

≪ Previous: Paper: Measuring the Leakage of Onion at the Root

Recently, research was published identifying a Tor exit node, located in Russia, that was consistently and maliciously modifying any uncompressed Windows executables downloaded through it. Naturally this piqued our interest, so we decided to peer down the rabbit hole. Suffice to say, the hole was a lot deeper than we expected!

more here..........http://www.f-secure.com/weblog/archives/00002764.html

↧

Simple guest to host VM escape for Parallels Desktop

November 14, 2014, 2:12 am

≫ Next: Google DoubleClick.net(Advertising) System URL Redirection Vulnerabilities Can be Used by Spammers

≪ Previous: OnionDuke: APT Attacks Via the Tor Network

This is a little story about exploiting guest to host VM escape not-a-vulnerability in Parallels Desktop 10 for Mac. Discovered attack is not about some serious hardcore stuff like hypervisor bugs or low-level vulnerabilities in guest-host communication interfaces, it can be easily performed even by very lame Windows malware if your virtual machine has insecure settings.

more here......http://blog.cr4.sh/2014/11/simple-guest-to-host-vm-escape-for.html

↧

Google DoubleClick.net(Advertising) System URL Redirection Vulnerabilities Can be Used by Spammers

November 14, 2014, 11:28 am

≫ Next: Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

≪ Previous: Simple guest to host VM escape for Parallels Desktop

↧

Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

November 14, 2014, 11:29 am

≫ Next: CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability

≪ Previous: Google DoubleClick.net(Advertising) System URL Redirection Vulnerabilities Can be Used by Spammers

↧

CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability

November 14, 2014, 11:32 am

≫ Next: CVE-2014-8683 XSS in Gogs Markdown Renderer

≪ Previous: Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability

Exploit Title: Atlas Systems Aeon XSS Vulnerability
Product: Aeon
Vendor: Atlas Systems
Vulnerable Versions: 3.6 3.5
Tested Version: 3.6
Advisory Publication: Nov 12, 2014
Latest Update: Nov 12, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7290
Solution Status: Fixed by Vendor
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]

Advisory Details:

(1) Aeon

Aeon is special collections circulation and workflow automation software
for your special collections library designed by special collections
librarians.

Aeon improves customer service and staff efficiency while providing
unparalleled item tracking, security and statistics.

(2) However, it is vulnerable to XSS Attacks.

(2.1) The first vulnerability occurs at "aeon.dll?" page, with "&Action"
parameter.
(2.2) The second vulnerability occurs at "aeon.dll?" page, with "&Form"
parameter.

Solutions:
2014-09-01: Report vulnerability to Vendor
2014-10-05: Vendor replied with thanks and vendor will change the source
code

References:
http://tetraph.com/security/xss-vulnerability/cve-2014-7290-atlas-systems-aeon-xss-cross-site-scripting-vulnerability/
https://prometheus.atlas-sys.com/display/aeon/Aeon+3.6+Release+Notes
http://cwe.mitre.org
http://cve.mitre.org/

↧

CVE-2014-8683 XSS in Gogs Markdown Renderer

November 14, 2014, 12:00 pm

≫ Next: CVE-2014-8682 Multiple Unauthenticated SQL Injections in Gogs

≪ Previous: CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability

XSS in Gogs Markdown Renderer
=============================
Researcher: Timo Schmid <tschmid@ernw.de>

Description
===========
Gogs(Go Git Service) is a painless self-hosted Git Service written in
Go. (taken
from [1])

It is very similiar to the github hosting plattform. Multiple users can
create
multiple repositories and share code with others with the git version
control
system. Repositories can be marked as public or private to prevent
access from
unauthorized users.

Gogs provides two api views to transform markdown into HTML at the urls
/api/v1/markdown and /api/v1/markdown/raw

The transformation is vulnerable to XSS.

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

CVSS Base Score
===============
4.3 (AV:N / AC:M / Au:N / C:P / I:N / A:N)

CVE-ID
======
CVE-2014-8683

Impact
======
The vulnerability could be used together with social engineering attacks
to gain
access to restricted resources by extracting authentication tokens from
cookies
or by executing commands in the context of the logged in victim.

Status
======
Not fixed

Vulnerable Code Section
=======================
models/issue.go:
[...]
func RenderMarkdown(rawBytes []byte, urlPrefix string) []byte {
body := RenderSpecialLink(rawBytes, urlPrefix)
body = RenderRawMarkdown(body, urlPrefix)
return body
}

func RenderMarkdownString(raw, urlPrefix string) string {
return string(RenderMarkdown([]byte(raw), urlPrefix))
}
[...]

Proof of Concept
================
Form to trigger XSS:
<form action="http://example.com/api/v1/markdown" method="post">
<input name="text" value="<img
onerror="alert(&quot;XSS&quot;)
" src="x">">
<input type="submit">
</form>

Response:
<p><img onerror="alert("XSS")" src="x"></p>

Solution
========
The markdown processing should reject or filter any HTML input and
process only
markdown content.

Affected Versions
=================
>= v0.3.1-9-g49dc57e

Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-11-03: Contacted developer
2014-11-14: CVE-ID assigned

Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>

References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[4] https://www.ernw.de/download/BC-1404.txt

Advisory-ID
===========
BC-1404

Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO
warranties, implied or otherwise, with regard to this information or its
use.
Any use of this information is at the user's risk. In no event shall the
author/
distributor be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

- --
Timo Schmid

ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

==============================================================
|| Blog: www.insinuator.net | | Conference: www.troopers.de ||
==============================================================
================== TROOPERS15 ==================
* International IT Security Conference & Workshops
* 16th - 20st March 2015 / Heidelberg, Germany
* www.troopers.de
====================================================

↧

CVE-2014-8682 Multiple Unauthenticated SQL Injections in Gogs

November 14, 2014, 12:00 pm

≫ Next: CVE-2014-8681 Blind SQL Injection in Gogs label search

≪ Previous: CVE-2014-8683 XSS in Gogs Markdown Renderer

Unauthenticated SQL Injection in Gogs repository search
=======================================================
Researcher: Timo Schmid <tschmid@ernw.de>

Description
===========
Gogs(Go Git Service) is a painless self-hosted Git Service written in
Go. (taken
from [1])

It is very similiar to the github hosting plattform. Multiple users can
create
multiple repositories and share code with others with the git version
control
system. Repositories can be marked as public or private to prevent
access from
unauthorized users.

Gogs provides an api view to give javascript code the possibility to
search for
existing repositories in the system. This view is accessible at
/api/v1/repos/search?q=<search query>.

The q Parameter of this view is vulnerable to SQL injection.

Exploitation Technique
======================
Remote

Severity Level
==============
Critical

CVSS Base Score
===============
8.3 (AV:N / AC:M / Au:N / C:C / I:P / A:P)

CVE-ID
======
CVE-2014-8682

Impact
======
The vulnerability results at least in a complete compromise of the database.
Depending on the particular database configuration a compromise of the
system
is also possible.

Status
======
Fixed by Vendor

Vulnerable Code Section
=======================
models/repo.go:
[...]
// SearchRepositoryByName returns given number of repositories whose name
contains keyword.
func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err
error) {
// Prevent SQL inject.
opt.Keyword = FilterSQLInject(opt.Keyword)
if len(opt.Keyword) == 0 {
return repos, nil
}
opt.Keyword = strings.ToLower(opt.Keyword)

repos = make([]*Repository, 0, opt.Limit)

// Append conditions.
sess := x.Limit(opt.Limit)
if opt.Uid > 0 {
sess.Where("owner_id=?", opt.Uid)
}
if !opt.Private {
sess.And("is_private=false")
}
sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos)
return repos, err
}
[...]

The vulnerability exists because of a string concatination in the SQL
query with
user supplied data. Because of the SQL filter at the method entry, attackers
can't use spaces (0x20) and since v0.5.6.1025-g83283b commas are also
filtered.

Proof of Concept
================
Request:
http://www.example.com/api/v1/repos/search?q=%27)%09UNION%09SELECT%09*%09FROM%09
(SELECT%09null)%09AS%09a1%09%09JOIN%09(SELECT%091)%09as%09u%09JOIN%09(SELECT%09
user())%09AS%09b1%09JOIN%09(SELECT%09user())%09AS%09b2%09JOIN%09(SELECT%09null)
%09as%09a3%09%09JOIN%09(SELECT%09null)%09as%09a4%09%09JOIN%09(SELECT%09null)%09
as%09a5%09%09JOIN%09(SELECT%09null)%09as%09a6%09%09JOIN%09(SELECT%09null)%09as
%09a7%09%09JOIN%09(SELECT%09null)%09as%09a8%09%09JOIN%09(SELECT%09null)%09as%09
a9%09JOIN%09(SELECT%09null)%09as%09a10%09JOIN%09(SELECT%09null)%09as%09a11%09
JOIN%09(SELECT%09null)%09as%09a12%09JOIN%09(SELECT%09null)%09as%09a13%09%09JOIN
%09(SELECT%09null)%09as%09a14%09%09JOIN%09(SELECT%09null)%09as%09a15%09%09JOIN
%09(SELECT%09null)%09as%09a16%09%09JOIN%09(SELECT%09null)%09as%09a17%09%09JOIN
%09(SELECT%09null)%09as%09a18%09%09JOIN%09(SELECT%09null)%09as%09a19%09%09JOIN
%09(SELECT%09null)%09as%09a20%09%09JOIN%09(SELECT%09null)%09as%09a21%09%09JOIN
%09(SELECT%09null)%09as%09a22%09where%09(%27%25%27=%27

Response:
{"data":[{"repolink":"bluec0re/test"},{"repolink":"bluec0re/secret"},{"repolink"
:"bluec0re/root@localhost"}],"ok":true}

Solution
========
This vulnerability could easily be fixed by using prepared statements:

sess.And("lower_name like ?", "%" + opt.Keyword + "%").Find(&repos)

Update to version 0.5.6.1105.

Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1104-g0c5ba45

Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-11-03: Contacted developer
2014-11-04: Fixed in master branch
2014-11-14: CVE-ID assigned

Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>

References
==========Update to version 0.5.6.1105.
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5]
http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1402.txt

Advisory-ID
===========
BC-1402

Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO
warranties, implied or otherwise, with regard to this information or its
use.
Any use of this information is at the user's risk. In no event shall the
author/
distributor be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

Unauthenticated SQL Injection in Gogs user search
=================================================
Researcher: Timo Schmid <tschmid@ernw.de>

Description
===========
Gogs(Go Git Service) is a painless self-hosted Git Service written in
Go. (taken
from [1])

It is very similiar to the github hosting plattform. Multiple users can
create
multiple repositories and share code with others with the git version
control
system. Repositories can be marked as public or private to prevent
access from
unauthorized users.

Gogs provides an api view to give javascript code the possibility to
search for
existing users in the system. This view is accessible at
/api/v1/users/search?q=<search query>.

The q Parameter of this view is vulnerable to SQL injection.

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

CVSS Base Score
===============
8.3 (AV:N / AC:M / Au:N / C:C / I:P / A:P)

CVE-ID
======
CVE-2014-8682

Impact
======
The vulnerability results at least in a complete compromise of the database.
Depending on the particular database configuration a compromise of the
system
is also possible.

Status
======
Fixed by Vendor

Vulnerable Code Section
=======================
models/user.go:
[...]
// SearchUserByName returns given number of users whose name contains
keyword.
func SearchUserByName(opt SearchOption) (us []*User, err error) {
opt.Keyword = FilterSQLInject(opt.Keyword)
if len(opt.Keyword) == 0 {
return us, nil
}
opt.Keyword = strings.ToLower(opt.Keyword)

us = make([]*User, 0, opt.Limit)
err = x.Limit(opt.Limit).Where("type=0").And("lower_name like '%" +
opt.Keyword + "%'").Find(&us)
return us, err
}
[...]

The vulnerability exists because of a string concatination in the SQL
query with
user supplied data. Because of the SQL filter at the method entry, attackers
can't use spaces (0x20) and since v0.5.6.1025-g83283b commas are also
filtered.

Proof of Concept
================
Request:
http://www.example.com/api/v1/users/search?q='/**/and/**/false)/**/union/**/
select/**/null,null,@@version,null,null,null,null,null,null,null,null,null,null,
null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/from
/**/mysql.db/**/where/**/('%25'%3D'

Response:
{"data":[{"username":"5.5.40-0ubuntu0.14.04.1","avatar":
"//1.gravatar.com/avatar/"}],"ok":true}

Solution
========
This vulnerability could easily be fixed by using prepared statements:

err = x.Limit(opt.Limit).Where("type=0").And("lower_name like ?", "%" +
opt.Keyword + "%").Find(&us)

Update to version 0.5.6.1105.

Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1104-g0c5ba45

Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-11-03: Contacted developer
2014-11-04: Fixed in master branch
2014-11-14: CVE-ID assigned

Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>

References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5]
http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1403.txt

Advisory-ID
===========
BC-1403

Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO
warranties, implied or otherwise, with regard to this information or its
use.
Any use of this information is at the user's risk. In no event shall the
author/
distributor be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

- --
Timo Schmid

ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

==============================================================
|| Blog: www.insinuator.net | | Conference: www.troopers.de ||
==============================================================
================== TROOPERS15 ==================
* International IT Security Conference & Workshops
* 16th - 20st March 2015 / Heidelberg, Germany
* www.troopers.de
====================================================

↧

CVE-2014-8681 Blind SQL Injection in Gogs label search

November 14, 2014, 12:01 pm

≫ Next: XSS Reflected in Page visualization agents in Pandora FMS v5.1SP1 - Revisión PC141031 (CVE-2014-8629)

≪ Previous: CVE-2014-8682 Multiple Unauthenticated SQL Injections in Gogs

Blind SQL Injection in Gogs label search
========================================
Researcher: Timo Schmid <tschmid@ernw.de>

Description
===========
Gogs(Go Git Service) is a painless self-hosted Git Service written in
Go. (taken
from [1])

It is very similiar to the github hosting plattform. Multiple users can
create
multiple repositories and share code with others with the git version
control
system. Repositories can be marked as public or private to prevent
access from
unauthorized users.

Gogs provides a view to filter issues by labels. This view is accessible at
/<username>/<repository>/issues?labels=&type=&state=

The labels Parameter of this view is vulnerable to a blind SQL injection.

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

CVSS Base Score
===============
6.6 (AV:N / AC:H / Au:N / C:C / I:P / A:P)

CVE-ID
======
CVE-2014-8681

Impact
======
The vulnerability results at least in a complete compromise of the database.
Depending on the particular database configuration a compromise of the
system
is also possible.

Status
======
Fixed by Vendor

Vulnerable Code Section
=======================
models/issue.go:
[...]
// GetIssues returns a list of issues by given conditions.
func GetIssues(uid, rid, pid, mid int64, page int, isClosed bool, labelIds,
sortType string) ([]Issue, error) {
sess := x.Limit(20, (page-1)*20)

if rid > 0 {
sess.Where("repo_id=?", rid).And("is_closed=?", isClosed)
} else {
sess.Where("is_closed=?", isClosed)
}

if uid > 0 {
sess.And("assignee_id=?", uid)
} else if pid > 0 {
sess.And("poster_id=?", pid)
}

if mid > 0 {
sess.And("milestone_id=?", mid)
}

if len(labelIds) > 0 {
for _, label := range strings.Split(labelIds, ",") {
sess.And("label_ids like '%$" + label + "|%'")
}
}
[...]

The vulnerability exists because of a string concatination in the SQL
query with
user supplied data. A attacker is restricted to not use commas in the
injection
string as the program splits input at commas.

Proof of Concept
================
Test of version string contains at least 10 characters:
http://www.example.com/user/repos/issues?label=' or
char_length(@@version) > 10
and '|%'='&type=all&state=

Returns all issues if true, non if false.

This could be used to extract data with a binary search.

Solution
========
This vulnerability could easily be fixed by using prepared statements:

sess.And("label_ids like ?", "%$" + label + "|%")

Update to Version 0.5.6.1025.

Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1024-gf1d8746

Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-10-25: Fixed by ensuring datatype of user input
2014-11-14: CVE-ID assigned

Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>

References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4]
http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5]
http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1401.txt

Advisory-ID
===========
BC-1401

Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO
warranties, implied or otherwise, with regard to this information or its
use.
Any use of this information is at the user's risk. In no event shall the
author/
distributor be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

- --
Timo Schmid

ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

==============================================================
|| Blog: www.insinuator.net | | Conference: www.troopers.de ||
==============================================================
================== TROOPERS15 ==================
* International IT Security Conference & Workshops
* 16th - 20st March 2015 / Heidelberg, Germany
* www.troopers.de
====================================================

↧

XSS Reflected in Page visualization agents in Pandora FMS v5.1SP1 - Revisión PC141031 (CVE-2014-8629)

November 14, 2014, 8:48 pm

≫ Next: 81% of Tor users can be de-anonymised by analysing router information, research indicates

≪ Previous: CVE-2014-8681 Blind SQL Injection in Gogs label search

I. VULNERABILITY

-------------------------

XSS Reflected in Page visualization agents in Pandora FMS v5.1SP1 -
Revisión PC141031

II. BACKGROUND
Pandora FMS is the monitoring software chosen by several companies all
around the world for managing their IT infrastructure. Besides ensuring
high performance and maximum flexibility, it has aIII.

DESCRIPTION
-------------------------
Has been detected a Reflected XSS vulnerability in Pandora FMS in page
visualization agents, that allows the execution of arbitrary HTML/script
code to be executed in the context of the victim user's browser.

The code injection is done through the parameter "refr" in the page
“/index.php?sec=estado&sec2=operation/agentes/estado_agente&refr=”

IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “refr”.

Malicious Request ("refr")

Vulnerable:

http://firefly.artica.es/pandora_demo/index.php?sec=estado&sec2=operat
ion/agentes/estado_agente&refr=</script><script>alert(document.cookie)
</script>0&group_id=0

V. BUSINESS IMPACT
-------------------------
An attacker can send link and choice text write in page.

VI. SYSTEMS AFFECTED

-------------------------

Pandora FMS v5.1SP1 - Revisión PC141031

VII. SOLUTION
-------------------------
All data received by the application and can be modified by the user,
before making any kind of transaction with them must be validated

By William Costa

william.costa@gmail.com

↧

81% of Tor users can be de-anonymised by analysing router information, research indicates

November 15, 2014, 6:05 am

≫ Next: Cisco-SNMP-Slap

≪ Previous: XSS Reflected in Page visualization agents in Pandora FMS v5.1SP1 - Revisión PC141031 (CVE-2014-8629)

Research undertaken between 2008 and 2014 suggests that more than 81% of Tor clients can be ‘de-anonymised’ – their originating IP addresses revealed – by exploiting the ‘Netflow’ technology that Cisco has built into its router protocols, and similar traffic analysis software running by default in the hardware of other manufacturers.

more here.........http://thestack.com/chakravarty-tor-traffic-analysis-141114

↧

Cisco-SNMP-Slap

November 15, 2014, 6:08 am

≫ Next: Vita native hack: vitasploit released by Hykem

≪ Previous: 81% of Tor users can be de-anonymised by analysing router information, research indicates

cisco-snmp-slap utilises IP address spoofing in order to bypass an ACL
protecting an SNMP service on a Cisco IOS device.

Typically IP spoofing has limited use during real attacks outside DoS. Any TCP
service cannot complete the inital handshake. UDP packets are easier to spoof
but the return packet is often sent to the wrong address, which makes it
difficult to collect any information returned.

However if an attacker can guess the snmp rw community string and a valid source
address an attacker can set SNMP MiBs. One of the more obvious uses for this
is to have a Cisco SNMP service send its IOS configuration file to another
device.

This tool allows you to try one or more community strings against a Cisco device
from one or more IP addresses.

more here.........https://github.com/nccgroup/Cisco-SNMP-Slap

↧

Vita native hack: vitasploit released by Hykem

November 15, 2014, 6:10 am

≫ Next: Exploitation of Philips Smart TV

≪ Previous: Cisco-SNMP-Slap

Native vita hack news keep coming for those of you who managed to keep their Vita in firmware 3.18 or under.

Yesterday, developer Hykem released his own set of tools to leverage the Webkit exploit on the PS Vita .

more here........http://wololo.net/2014/11/14/vita-native-hack-vitasploit-released-by-hykem/

↧

Exploitation of Philips Smart TV

November 15, 2014, 6:14 am

≫ Next: DigimarcPIN

≪ Previous: Vita native hack: vitasploit released by Hykem

My Philips Smart TV is a Linux box standing there in my living room : that's a sufficient reason to try to get root.

more here........http://www.fredericb.info/2014/11/exploitation-of-philips-smart-tv.html

↧

DigimarcPIN

November 15, 2014, 9:14 pm

≫ Next: Malware spreading via Steam chat

≪ Previous: Exploitation of Philips Smart TV

You may be familiar with Digimarc for Images. It's a tool for watermarking photos to prove you own the copyright, in a way that doesn't ruin the photo like a traditional watermark. When you try to embed a watermark, you must enter your six-digit Digimarc ID, which identifies a specific copyright owner who registered with Digimarc, as well as a two-digit PIN. Without the PIN, Digimarc won't apply the watermark. However, as the correct PIN is calculated locally, I was able to figure out how it was generated, and create this tool which will help if you ever lose your PIN. Just enter your Digimarc ID, and it will instantly tell you your PIN.

more here........https://github.com/flarn2006/DigimarcPIN

↧