Channel: BOT24

AT&T U-Verse VAP2500: The Passwords, They Do Nothing!

You may have heard by now that AT&T has a “wireless” cable box offering for its U-Verse customers, which is pretty sweet. But what I wasn’t aware of is that, in order for this cable box to connect to your network, you need to put their special wireless access point on your network as well. Basically, this means that a device you have no control over is now sitting there on your network waiting for wifi connections. Never one to put an unknown like that in my environment, I decided to dig a little deeper, and what I found did not exactly inspire confidence.

more here........http://goto.fail/blog/2014/11/25/at-and-t-u-verse-vap2500-the-passwords-they-do-nothing/

All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (cross site scripting) Attacks

*Domain Description:*

http://www.indiatimes.com


"According to the Indian Readership Survey (IRS) 2012, the Times of India is the most widely read English newspaper in India with a readership of 7.643 million. This ranks the Times of India as the top English daily in India by readership." (en.wikipedia.org)







*Vulnerability description:*


The vulnerability occurs in Indiatimes's URL links. Indiatimes only filters part of the filenames on its website. All URLs under Indiatimes's "photogallery" and "top-lists" topics are affected.


Indiatimes uses part of the links under the "photogallery" and "top-lists" topics to construct its website content without any checking of those links at all. This mistake is very common in today's websites; developers are not security experts.



The vulnerability can be attacked without user login. Tests were performed
on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.





*POC Codes:*

http://www.indiatimes.com/photogallery/"><img src=x onerror=prompt('justqdjing')>

http://www.indiatimes.com/top-lists/"><img src=x onerror=prompt('justqdjing')>

http://www.indiatimes.com/photogallery/lifestyle/"><img src=x onerror=prompt('justqdjing')>

http://www.indiatimes.com/top-lists/technology/"><img src=x onerror=prompt('justqdjing')>





*POC Video:*

https://www.youtube.com/watch?v=EeJWu8_5BKU&feature=youtu.be


*Blog Details:*

http://securityrelated.blogspot.sg/2014/11/two-topics-of-indiatimes-indiatimescom.html






The vulnerabilities were reported to Indiatimes in early September, 2014.
However they are still unpatched.









Reported by:

Wang Jing, School of Physical and Mathematical Sciences, Nanyang
Technological University, Singapore.

http://www.tetraph.com/wangjing/

CVE-2014-8754 WordPress “Ad-Manager Plugin” Dest Redirect Privilege Escalation






Exploit Title: WordPress Ad-Manager Plugin Dest Redirect Privilege
Escalation Vulnerability

Product: WordPress Ad-Manager Plugin

Vendor: CodeCanyon

Vulnerable Versions: 1.1.2

Tested Version: 1.1.2

Advisory Publication: Nov 25, 2014

Latest Update: Nov 25, 2014

Vulnerability Type: URL Redirection to Untrusted Site  [CWE-601]

CVE Reference: CVE-2014-8754

CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]







*Advisory Details*



*(1) Product:*

“WordPress Ad-Manager offers users a simple solution to implement
advertising into their posts, their blog or any other WordPress page. Users
can use pictures and images or HTML snippets like Google AdSense to
incorporate advertising in an easy way.”



*(2) Vulnerability Details:*

The Dest Redirect Privilege Escalation vulnerability occurs at
“track-click.php” page with “&out” parameter.






*References:*

http://tetraph.com/security/cves/cve-2014-8754-wordpress-ad-manager-plugin-dest-redirect-privilege-escalation/

http://codecanyon.net/item/wordpress-admanager/544421

https://wordpress.org/plugins/ad-manager-for-wp/

http://cwe.mitre.org

http://cve.mitre.org/
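How a click-tracking endpoint such as the plugin's track-click.php should validate its "out" parameter before redirecting, as an added example that is not the Ad-Manager plugin's code; the allow-listed advertiser hosts and the fallback path are assumptions:

```python
# Added example, not the Ad-Manager plugin's code: validating a redirect
# parameter such as track-click.php's "out" before using it as a Location
# header (CWE-601). The allow-list of advertiser hosts is a constructed assumption.
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"ads.example", "cdn.ads.example"}   # constructed


def vulnerable_target(out: str) -> str:
    """The weak pattern: the attacker-controlled value becomes the destination."""
    return out


def safe_target(out: str, allowed_hosts=ALLOWED_HOSTS, fallback: str = "/") -> str:
    """Return `out` only if it is an absolute http(s) URL to an allow-listed host
    on its default port; anything else goes to a known-safe local path.

    Rejected on purpose: other schemes (javascript:, data:), protocol-relative
    '//host', embedded credentials ('trusted@evil'), non-default ports, and
    backslashes or whitespace that browsers and parsers disagree about.
    """
    if not out or any(ch in out for ch in "\\\r\n\t "):
        return fallback
    parts = urlsplit(out)
    if parts.scheme not in ("http", "https"):
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback
    try:
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return fallback
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts or port not in (None, 80, 443):
        return fallback
    # Rebuild from the parsed pieces so only normalised, checked parts are used.
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))
```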

CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Vulnerability

*Exploit Title: Springshare LibCal XSS (Cross-Site Scripting) Vulnerability*

Product: LibCal

Vendor: Springshare

Vulnerable Versions: 2.0

Tested Version: 2.0

Advisory Publication: Nov 25, 2014

Latest Update: Nov 25, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-7291

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Solution Status: Fixed by Vendor

Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]







*Advisory Details*



*(1) Product:*

"Springshare LibCal is an easy to use calendaring and event management
platform for libraries. Used by 1,600+ libraries worldwide."



*(2) Vulnerability Details:*

The XSS vulnerabilities occur at "/api_events.php?" page, with "&m" and
"&cid" parameters.



*(3) Solutions:*

2014-10-01: Reported vulnerability to vendor

2014-10-15: Vendor replied with thanks and changed the source code









*References:*

http://tetraph.com/security/cves/cve-2014-7291-springshare-libcal-xss-cross-site-scripting-vulnerability/

http://www.springshare.com/libcal/

http://cwe.mitre.org

http://cve.mitre.org/

The Weather Channel weather.com Almost All Links Vulnerable to XSS Attacks






Domain Description:

http://www.weather.com/


"The Weather Channel is an American basic cable and satellite television
channel which broadcasts weather forecasts and weather-related news and
analyses, along with documentaries and entertainment programming related to
weather."


"As of August 2013, The Weather Channel was received by approximately
99,926,000 American households that subscribe to a pay television service
(87.50% of U.S. households with television), making it the most common
cable channel in the country." (Wikipedia)






*Vulnerability description:*


Almost all links under the domain weather.com are vulnerable to XSS attacks. Attackers just need to append script to the end of The Weather Channel's URLs, and the script will be executed.


Ten thousand links were tested with a self-written tool. During the tests, 76.3% of the weather.com links tested were vulnerable to XSS attacks.


The reason for this vulnerability is that The Weather Channel uses URLs to construct its tags without filtering malicious script code.


The vulnerability can be attacked without user login. Tests were performed
on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.





*POC Codes, e.g.*

http://www.weather.com/slideshows/main/"--/>"><img src=x onerror=prompt('justqdjing')>

http://www.weather.com/home-garden/home/white-house-lawns-20140316%22--/"--/>"><img src=x onerror=prompt('justqdjing')>t%28%27justqdjing%27%29%3E

http://www.weather.com/news/main/"><img src=x onerror=prompt('justqdjing')>






*POC Video:*

https://www.youtube.com/watch?v=Ij78WnzKB4M&feature=youtu.be


*Blog Details:*

http://securityrelated.blogspot.sg/2014/11/the-weather-channel-weather.html





The Weather Channel patched this vulnerability in late November 2014 (last week).









Reported by:

Wang Jing, School of Physical and Mathematical Sciences, Nanyang
Technological University, Singapore.

http://www.tetraph.com/wangjing/
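The reflection pattern behind both the Indiatimes and The Weather Channel advisories above (a tag built from the request URL without encoding it), shown as an added example that is not either site's code: the vulnerable form, the partial filtering the Indiatimes advisory hints at, and context-aware encoding that closes the hole. The canonical-link template and the site name are constructed; the payload is one of the advisories' own PoC paths.

```python
# Added example, not Indiatimes' or weather.com's code: a page that builds a
# tag from the request URL without encoding it, next to a partial filter and a
# hardened version. The template and the site name are constructed.
from html import escape
from urllib.parse import quote, urlsplit

TEMPLATE = '<link rel="canonical" href="https://www.example.test%s">'

# One of the advisory's own PoC payloads, as it arrives in the request path.
POC_PATH = '/photogallery/"><img src=x onerror=prompt(\'justqdjing\')>'


def canonical_tag_vulnerable(path: str) -> str:
    """Reflects the raw path into an attribute: the '">' in the payload closes
    the href and everything after it is parsed as live markup."""
    return TEMPLATE % path


def canonical_tag_blacklist(path: str) -> str:
    """A partial filter of the kind the advisory hints at: stripping '<script'
    does nothing against an event handler on an <img> tag."""
    return TEMPLATE % path.replace("<script", "")


def canonical_tag_safe(path: str) -> str:
    """Encode for each context the value passes through: percent-encode the
    path as a URL component, then HTML-escape before placing it in an attribute.
    '"', '<' and '>' become %22, %3C and %3E and can no longer close the tag."""
    clean = urlsplit(path).path               # drop any query/fragment part
    return TEMPLATE % escape(quote(clean, safe="/"), quote=True)


def injects_markup(rendered: str) -> bool:
    """Used by the tests: did the payload's <img> survive as a real tag?"""
    return "<img" in rendered
```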

Writing meaningful and professional penetration testing reports

Take a raw report from a £199 per year security scanner, pack it into your "methodology template" and sell it as a "consulting service" on a £1000 per day basis, 5 days minimum. Sounds like a recipe for commercial success, but it's going to be a short-term one.

more here.......http://ipsec.pl/penetration-testing/2014/writing-meaningful-and-professional-penetration-testing-reports.html

CVE-2014-5439 - Root shell on Sniffit [with exploit]

CVE-2014-5439 - Root shell on Sniffit

Sniffit is a packet sniffer and monitoring tool.

The attacker can create a specially-crafted sniffit configuration file, which is able
to bypass all three protection mechanisms:

  -  Non-eXecutable bit NX
  -  Stack Smashing Protector SSP
  -  Address Space Layout Randomisation ASLR

And execute arbitrary code with root privileges.

Exploit, fix and discussion in:

http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html


Regards,
Hector Marco.
http://hmarco.org

Cybersecurity researcher at:
http://cybersecurity.upv.es/

Defaced websites leading to Dokta Chef Exploit Kit and CVE-2014-6332

Defacing websites has been the mainstay for hacktivist groups to spread their message. During recent research, we found multiple compromised websites containing a malicious link to a "lulz.htm" page, which in turn leads the user to a Dokta Chef Exploit Kit (EK) hosting site. This appears to be a new tactic whereby a hacktivist group has escalated its activities by attacking users who visit defaced sites.

more here....http://research.zscaler.com/2014/11/defaced-websites-leading-to-dokta-chef.html

Agafi/ROP

Agafi/ROP is a Win32 command line tool chain useful to find gadgets and build ROP-Chains used by x86 binary exploits.

more here..........https://github.com/CoreSecurity/Agafi

CoinVault Ransomware Jumps on Freemium Model

We have continuously monitored crypto-ransomware's modifications and evolution since its discovery in late 2013. Though crypto-ransomware is still relatively "new" to the threat landscape, it has already established itself as a formidable threat to unsuspecting users. By definition, crypto-ransomware shares similar routines with cryptolocker, a refinement of ransomware with file-encryption capabilities.

We recently came across two variants of crypto-ransomware, each with a routine or feature not found in other variants. The discovery of these two variants proves that crypto-ransomware is still continuing its evolution—all to victimize users.

more here.........http://blog.trendmicro.com/trendlabs-security-intelligence/coinvault-ransomware-jumps-on-freemium-model/

How Cross-Site WebSocket Hijacking could lead to full Session Compromise

WebSockets is an HTML5 feature providing a full-duplex communication channel over a single TCP connection. This enables building real-time applications by creating a persistent connection between the browser and the server.

more here.........https://www.notsosecure.com/blog/2014/11/27/how-cross-site-websocket-hijacking-could-lead-to-full-session-compromise/

New PoS Malware Kicks off Holiday Shopping Weekend

We are currently looking into a new point-of-sale (PoS) malware family detected as TSPY_POSLOGR.K, which is making the rounds just in time for this year’s holiday shopping weekend.

more here..........http://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/

AGbot DDoS Attacks Internet VNC Servers

Last week, our FortiGuard Labs Threat Intelligence system was able to capture a DDoS attack targeting internet VNC servers. The attack was raised by a brand new IrcBot, which we are detecting as W32/AGbot.AB!tr.

Let’s now dig into the details of this attack here..........http://blog.fortinet.com/post/agbot-ddos-attacks-internet-vnc-servers

Crackq Client

Distributed GPU-accelerated online password cracker
more here.........http://www.reddit.com/r/netsec/comments/2nmyri/crackq_distributed_gpuaccelerated_online_password/

HeapInspector

HeapInspector is an iOS debug tool that monitors the memory heap in your app. You can discover memory leaks, no longer needed living objects and more issues directly on your device without ever starting Instruments.

more here..........https://github.com/tapwork/HeapInspector-for-iOS

Zero Knowledge Proofs: An illustrated primer

One of the best things about modern cryptography is the beautiful terminology. You could start any number of punk bands (or Tumblrs) named after cryptography terms like 'hard-core predicate', 'trapdoor function', or 'impossible differential cryptanalysis'. And of course, I haven't even mentioned the one term that surpasses all of these. That term is 'zero knowledge'.

more here........http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html

Using PowerShell for Client Side Attacks

When I started working on this, I just thought of using PowerShell scripts and payloads for client side attacks and not of the generator scripts. There are many awesome Social Engineering tools out there, then why PowerShell? There are many reasons, first and foremost, coding a tool not only helps in understanding the attacks but also improves the grasp over that language. Other reasons, like the tremendous power with PowerShell, easy availability on Windows targets, no or low detection rate, easy post exploitation also motivated me.

With this blog post, a newer version of Nishang with "Client" category of attacks is also being released.
Let's have a look at the scripts one-by-one here...........http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html

Responder v2.1.3

Responder is an Active Directory/Windows environment takeover tool suite
that can stealthily take over any default Active Directory environment
(including Windows 2012R2).
Most of the attacks in this tool are hard to detect and are highly
successful.

This version includes several enhancements:

- Analyze Mode: Figure out what kind of network you're dealing with before doing anything:
   - Map all workstations, domain forests and SQL servers within a maximum of 12 minutes, with no user interaction. The Lanman module will query any hosts that sent a Domain Master Browser announcement on the subnet to extract that domain's computer list and additional forests (https://support.microsoft.com/KB/188001 -> "Only the PDC can be a domain master browser").
   - Figure out right away if you can use ICMP Redirect on that subnet, automatically.
   - Figure out what's going on on this network; is there a NAC/IPS/etc. trying to detect NBT-NS/LLMNR poisoning by sending random nonexistent names?
   - Allows a client/sysadmin to see if remediation was done properly.

- WPAD module: Choose if you want to intercept/inject traffic, get NTLMv1/2 hashes transparently or get plaintext sets of credentials. This module is highly effective and will gather any workstation's set of credentials on a default environment with no user interaction (unless you're using -b for plaintext credentials).

- Kerberos server. Grab Kerberos AS-REQ Pre-Auth type 23 hashes (hashcat -m 7500).

- In-scope names or IPs to respond to (LLMNR/NBT-NS).

- Names or IPs (LLMNR/NBT-NS) you don't want to respond to (detected NAC/IPS, out of scope multicast LLMNR, etc.).

- Find MSSQL servers with the MSSQL Browser Service, one packet.

- Rogue servers included:
    - SMB NTLMv1/2, clear text passwords for NT4, and LM hashing downgrade when the --lm option is set.
    - MSSQL Auth server supports NTLMv1, LMv2 hashes and MSSQL plaintext auth.
    - HTTP Auth server NTLMv1/2 and basic.
    - HTTPS NTLMv1/2 and basic auth.
    - LDAP NTLMv1/2 and plaintext auth.
    - FTP clear text credentials.
    - POP3 clear text credentials.
    - SMTP clear text credentials.
    - IMAP clear text credentials.

Usage example:

./Responder.py -i YourIP -A
  --> -A Analyze Mode, be a ninja; Port scanning is for losers.

./Responder.py -i YourIP -rFv
  --> -r use workstation redirector for NBT-NS
  --> -F force auth on wpad.dat files retrieval (highly efficient)
  --> -v be verbose, print all queries.

./Responder.py -i YourIP -rw
  -->  -w enable WPAD server, grab requests and try to inject a custom html payload into the HTML page sent to the victim. Default HTML is:
"<html><head></head><body><img src='file:\\\\\RespProxySrv\ssed\seyad.ico' alt='Loading' height='1' width='2'></body></html>". If nothing is specified in Responder.conf under "HTMLToServe" then nothing will be injected.

./FindSQLSrv.py
  --> Map MSSQL servers on your subnet, one packet.

./DHCP.py -I eth0 -i 10.20.30.40 -d pwned.com -p 10.20.30.40 -s 10.20.30.1 -r 10.20.40.1
  ##DHCP INFORM##
  --> -i Your IP
  --> -d Domain to inject
  --> -p Primary domain to inject
  --> -s Secondary domain to inject
  --> -r Gateway/Router to inject
  ##/DHCP INFORM##
  --> (Optional -R) Respond to DHCP Requests, inject Linux/Windows clients usually faster than the actual DHCP server.
  Use this in conjunction with Responder's DNS server or Pcredz (https://github.com/lgandx/PCredz)

Github: https://github.com/Spiderlabs/Responder
Twitter for the latest updates: https://twitter.com/PythonResponder
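The release notes above mention NAC/IPS products that detect NBT-NS/LLMNR poisoning by querying random nonexistent names. The check below is an added example of that defensive technique, not Responder's code: it builds an LLMNR query for a canary name that no real host can have, parses any answers, and reports every host that answered for it. The packets are constructed and parsed offline; sending the query to 224.0.0.252:5355 and collecting replies is left to the caller.

```python
# Added example, not Responder's code: the LLMNR "canary name" check its Analyze
# Mode mentions. A random name that cannot exist is queried; any answer is a poisoner.
import secrets
import struct


def read_name(pkt, pos):
    """Decode a DNS-style name, following a compression pointer if one appears."""
    labels = []
    while True:
        ln = pkt[pos]
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", pkt[pos:pos + 2])[0] & 0x3FFF
            labels.append(read_name(pkt, ptr)[0])
            return ".".join(labels), pos + 2
        pos += 1
        if ln == 0:
            return ".".join(labels), pos
        labels.append(pkt[pos:pos + ln].decode())
        pos += ln


def build_query(name=None, txid=None):
    """LLMNR query (RFC 4795, DNS message format): one A question for `name`,
    which defaults to a random canary that no real host can have."""
    name = name or "canary-" + secrets.token_hex(6)
    txid = secrets.randbelow(0x10000) if txid is None else txid
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def parse_answers(pkt):
    """Return (txid, [(name, ipv4), ...]) for the A records in a response."""
    txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    pos = 12
    for _ in range(qd):                             # skip the echoed question(s)
        pos = read_name(pkt, pos)[1] + 4
    found = []
    for _ in range(an):
        name, pos = read_name(pkt, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            found.append((name, ".".join(str(b) for b in pkt[pos:pos + 4])))
        pos += rdlen
    return txid, found


def poisoner_hits(query, responses):
    """(name, ip) for every response that answers the canary with a matching txid."""
    txid, canary = struct.unpack("!H", query[:2])[0], read_name(query, 12)[0].lower()
    parsed = [parse_answers(pkt) for pkt in responses]
    return [(n, ip) for rt, ans in parsed if rt == txid for n, ip in ans if n.lower() == canary]


def build_fake_response(query, ip):
    """Constructed for the test: a poisoner's answer (QR set, question echoed, A record via 0xC00C)."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8000, 1, 1, 0, 0) + query[12:] + rr
```

An empty result for a fresh canary is the expected, healthy outcome; a non-empty one names the responding IP, which is what the "remediation was done properly" check in Analyze Mode is looking for.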

Exploiting MS14-066 / CVE-2014-6321 (aka “Winshock”)

I think enough time has passed now to provide a little more detail on how to exploit MS14-066 schannel vulnerability (aka “Winshock”). In this post I won’t be providing a complete PoC exploit, but I will delve into the details on exactly how to trigger the heap overflow along with some example modifications to OpenSSL so you can replicate the issue yourself.

more here...........http://www.securitysift.com/exploiting-ms14-066-cve-2014-6321-aka-winshock/

Hacking Facebook.com/thanks Posting on behalf of your friends!

Facebook recently introduced "Say Thanks", an experience that lets Facebook users create personalized video cards for their Facebook friends.

To create a Thanks video, a user needs to visit facebook.com/thanks and choose a friend. A user can select a different theme and edit photos and posts that represent their friendship.
Once you are ready, you click on the "Share" button and your video will be shared on your timeline with the friend tagged. It will show up on yours as well as the friend's timeline.

So, I started digging up as soon as "Say Thanks" was launched.


more here..........http://www.anandprakash.pw/2014/11/hacking-facebookcomthanks-posting-on.html