Channel: BOT24

Deobfuscation: recovering an OLLVM-protected program

We recently looked at the Obfuscator-LLVM project in order to test its different protections. Here are our results, and explanations on how we deal with obfuscation.

more here.......http://blog.quarkslab.com/deobfuscation-recovering-an-ollvm-protected-program.html

NASA Orion - Bypass, Persistent Issue & Embed Code Execution Vulnerability

Document Title:
===============
NASA Orion - Bypass, Persistent Issue & Embed Code Execution Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1339

[VU#666988] US CERT

Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2014/12/05/nasa-mars-orion-program-researcher-reveals-vulnerability-boarding-pass

Reference Article: http://www.securityweek.com/exploit-payload-possibly-made-it-nasas-orion-spacecraft


Release Date:
=============
2014-12-05


Vulnerability Laboratory ID (VL-ID):
====================================
1339


Common Vulnerability Scoring System:
====================================
6


Product & Service Introduction:
===============================
People are being invited to sign up for a free `boarding pass` for trips into space. The plan is to start small with orbital flights
but will later involve flights to Mars. The US National Aeronautics and Space Administration is behind the scheme, which is linked to
its new Orion spacecraft. It is expected to bring humans back into space for travel to far-flung destinations including the Red Planet.

And NASA wants us all along for the ride. Sort of. It is inviting people to send in their names for inclusion on a penny-sized microchip
that will be carried on Orion's first flight, planned for December 4th. At time of publishing just over 114,000 people have signed up for
their "boarding pass" that will bring their name into space for a two-orbit flight and a splash-down in the Pacific Ocean. The names will
also fly on future NASA exploration flights including missions to Mars. "When we set foot on the Red Planet, we'll be exploring for all of
humanity," says Mark Geyer, Orion programme manager. "Flying these names will enable people to be part of our journey."

NASA is using the web to collect names and social media to help promote it (#JourneyToMars). Sending your name isn't quite like flying
yourself, but then there will be no question of space flight sickness and you don't have to worry about getting your feet wet in cold
Pacific waters. Don't delay, as the closing date to add your name is October 31st. Submit your name to fly on Orion's test flight by
visiting go.usa.gov/vcpz and learn more about Orion at nasa.gov/orion.

(Copy of the Homepage: http://mars.nasa.gov/participate/send-your-name/orion-first-flight/ & http://www.cnet.com/news/nasa-you-cant-fly-to-mars-but-your-name-can/)


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side (persistent) vulnerability and a filter bypass issue in the official NASA Orion (Mars) web application.


Vulnerability Disclosure Timeline:
==================================
2014-10-09:     Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-10-10:     Vendor Notification (US CERT Team)
2014-10-15:     Vendor Response/Feedback (US CERT Team - Nasa Security Team)
2014-11-13:     Vendor Fix/Patch Notification (Nasa JPL Developer Team)
2014-12-05:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
NASA (US) [GOV]
Product: Orion Mars - Boarding Pass 2014 Q4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A filter bypass and persistent input validation web vulnerability (embed code execution) has been discovered in the official NASA Mars Program web application.
The vulnerability allows remote attackers to inject their own script code on the application side of the affected NASA online service website.

The issue is located in the firstname and lastname input fields of the NASA Orion mission boarding pass module. Remote attackers can submit script code
as first name and last name to compromise the embeddable boarding pass module of the NASA website. The request method for the injection is POST and the
attack vector is on the application side (persistent) of the vulnerable online service module. Once the malicious content is saved to a boarding pass, the
attacker can use the embed module to deliver the stored code through the boarding pass application of the NASA Mars Program website.

In the tested scenario the goal was to be the first to "fly" and to inject script code that is stored in NASA's database. In a comparable earlier pentest the
user list was processed until an error occurred; here the boarding pass list is processed until the injected code executes, so the crafted entry becomes the
last entry that counts. As a result, the user with the specially crafted entry could end up first for a ticket.

The web filter of the service encodes, for example, frame and script tags. Image tags with onload handlers pass both the application filter and the
second-stage filter of the CDN in front of the site (named as CloudFlare in the original advisory; the captured response headers below show CloudFront) and
trigger script execution in the embedded NASA boarding pass module. The dime-sized microchip carries 1.3 million names that fly aboard Orion. Engineers
wrote the 1.3 million names onto a tiny 0.8 cm (8 mm) square silicon wafer microchip using an electron-beam lithography tool. After the input is accepted,
the payload is written to a NASA chip that is configured to be sent into space with the Orion mission.

After the report, US CERT informed NASA about the issue and NASA closed the researcher's active ticket. To confirm that the ticket was closed, NASA
included an image showing the researcher on the official NASA `NO FLY List`. The researcher had injected three payloads: two IDs were caught by the
NASA team and one passed through the verification and validation procedure with ID 344***.

In a statement NASA wrote back that the chip itself is not at risk because nothing interacts with it and no code runs on it. In the researcher's case the
code was blocked before it was written to the silicon microchip. The content written to the chip is handled manually for about 1.3 million users. In a later
conversation with another security team they acknowledged that it would be impossible to check 1.3 million user accounts. The researcher's last ID, included
as a reference, shows that the name value of an accepted ticket is not securely validated: he used the word Payload1 as first name and Payload2 as last name
to confirm that the validation can be passed.

The security risk of the embed code execution vulnerability in the boarding pass is estimated as high with a CVSS (common vulnerability scoring system)
score of 6.0. Exploitation of the persistent remote web vulnerability requires no privileged application user account and only low user interaction.
Successful exploitation results in session hijacking, persistent phishing, persistent external redirects through NASA domains and persistent manipulation
of affected or connected module content.

Request Method(s):
                                [+] POST

Vulnerable Module(s):
                                [+] NASA Mars > Boarding Pass > Registration

Vulnerable Parameter(s):
                                [+] firstname
                                [+] lastname

Affected Module(s):
                                [+] NASA Mars - Boarding Pass (Embed Boarding Pass)


Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers without a privileged application user account and
with low user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and
steps below.

Manual steps to reproduce the remote vulnerability ...

1. Open the mars.nasa.gov web portal
2. Register a new boarding pass for the Orion program
3. Enter your own script code as first name and last name to inject it and provoke execution
Note: After saving the input, the payload is delivered to the boarding pass index invite and also to the embed boarding pass module
4. The code executes in the boarding pass page that displays the saved embed content of the NASA customer/client
5. Successful reproduction of the security vulnerability!


PoC: Embed Exploitcode (Mars BoardingCard)
<iframe src="http://mars.nasa.gov/participate/send-your-name/orion-first-flight/?action=getcert&e=1&cn=334902" width="750" height="307" scrolling="no" frameborder="0"></iframe>


PoC: J2M1000000158467 (send-your-name/orion-first-flight/?s=confirm&cn=334902)

<div class="boarding">
<img src="/images/general/layout/hexAccentImage.png" class="graphic-right">
<div class="certificate-id">J2M1000000158467</div>
        <div class="name">
            <div style="font-size:1.5em;">"><"<[PERSISTENT INJECTED SCRIPT CODE VIA FIRSTNAME VALUES!]"></div>
            <div>"><"<[PERSISTENT INJECTED SCRIPT CODE VIA LASTNAME VALUES!]"></div></div>
        <img src="/images/mep/send-name-to-mars/Boarding-Pass.png" class="image-boarding" alt="boarding pass">
        <div style="bottom:0;left:0;position:absolute;z-index:100;background-color: rgba(85, 85, 85, 0.5);width:100%;">
          <div style="position:relative;z-index:101;float:right;margin-right:0%;margin-top:2px;margin-bottom:2px;">
              <a target="_blank" style="color:#eee;text-decoration:none;font-weight:normal !important;border:none;display:inline-block;padding-right:8px;padding-right:10px;line-height:16px; font-family: 'Helvetica Neue',Arial,sans-serif;font-size: 12px;" href="http://mars.nasa.gov/participate/send-your-name/orion-first-flight/"><div style="font-size:16px;margin-left:6px;float:right;font-weight:bold;">+</div><div style="float:left;">Image Credit: mars.nasa.gov</div></a>
          </div>
        <br clear="all">
        </div>
    </div>


--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://mars.nasa.gov/participate/send-your-name/orion-first-flight/ Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content size[144] Mime Type[text/html]
   Request Header:
      Host[mars.nasa.gov]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://mars.nasa.gov/participate/send-your-name/orion-first-flight/]
      Cookie[s_cc=true; s_vnum=1415451392569%26vn%3D3; s_sq=%5B%5BB%5D%5D; __utma=36124604.1688619800.1412859393.1412866915.1412869134.3;
__utmc=36124604; __utmz=36124604.1412859393.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2A1B4302851D2BE0-40000107A00688CE[CE];
fsr.s=%7B%22v2%22%3A1%2C%22v1%22%3A1%2C%22rid%22%3A%22d036702-53567014-5eea-b60c-7e184%22%2C%22ru%22%3A%22http%3A%2F%2F
mars.nasa.gov%2Fparticipate%2Fsend-your-name%2Forion-first-flight%2F%3Fcn%3D161115%22%2C%22r%22%3A%22mars.nasa.gov%22%2C%22st%22%3A%22%22%2C%22cp%22%3A%7B%22
delivery_src%22%3A%22none%22%7D%2C%22to%22%3A3%2C%22mid%22%3A%22d036702-53567258-d212-8c96-20007%22%2C%22rt%22%3Afalse%2C%22rc%22%3Afalse%2C%22c%22%3A%22
http%3A%2F%2Fwww.nasa.gov%2F%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A3%2C%22meta%22%3A%7B%22rtp
%22%3A%22a%22%2C%22rta%22%3A3%2C%22rts%22%3A3%7D%7D; __utma=259910805.435627752.1412859567.1412859567.1412859567.1; __utmc=259910805;
__utmz=259910805.1412859567.1.1.utmcsr=mars.nasa.gov|utmccn=(referral)|utmcmd=referral|utmcct=/participate/send-your-name/orion-first-flight/;
gpv_pe5=MEP%20-%20Send%20Your%20Name%20on%20NASA%27s%20Journey%20to%20Mars%2C%20Starting%20with%20Orion%27s%20First%20Flight;
s_invisit=true; __utmb=36124604.0.10.1412869134]
      Connection[keep-alive]
   POST data:
      action[submit]
      pid[2]
      FirstName[[PERSISTENT INJECTED SCRIPT CODE!]]
      LastName[[PERSISTENT INJECTED SCRIPT CODE!]]
      CountryCode[DE]
      ZipCode[34128]
      Email[research%40vulnerability-lab.com]
      rp[]
      recaptcha_challenge_field[03AHJ_VutiAgzfSZseCHPF92TfRrOZIIX-E6X078M8JwT-meq1bJthIybgz2TGRb_fl0QJdopcWTcJLSp2vy-DirSlgF370p4a4xnMI1D-
oypqwieb2Q5ckPquDsbrDV4Gp4u3B2jRORQn4KW4VEont0UfwogAMQgKBpqEjer1MrSEimu9LxVJRD3v-Jz40RRNTcR2FvsQqCL3hGPl27ca9RjTd7KrzM56-
xZRWdnXHfHmFNyLNSNzOrcCEvcv3ZW9oZVBoV0IQzL19g_zMXEOt61sAKOZbVDI0cT0DGUt2EGDlBJ81uj8dp0]
      recaptcha_response_field[619]
      Submit[SEND+MY+NAME]
   Response Header:
      Content-Type[text/html;charset=UTF-8]
      Content-Length[144]
      Connection[keep-alive]
      Access-Control-Allow-Origin[http://marsdev.jpl.nasa.gov]
      Cache-Control[max-age=600]
      Date[Thu, 09 Oct 2014 15:46:04 GMT]
      Location[./?s=confirm&cn=344616]
      Server[nginx/1.1.19]
      X-Cache[Miss from cloudfront]
      Via[1.1 641720e73fe93af037f911457c12ae1e.cloudfront.net (CloudFront)]
      X-Amz-Cf-Id[Ol1wi0YiljsLjsNOdJjXmYAjmvQgVMvLCh9WnjvbTFF0a4GKSVHifw==]
-
Status: 200[OK]
GET http://mars.nasa.gov/participate/send-your-name/orion-first-flight/?s=confirm&cn=344616
Load Flags[LOAD_DOCUMENT_URI  LOAD_REPLACE  LOAD_INITIAL_DOCUMENT_URI  ] Content size[7642] Mime Type[text/html]
   Request Header:
      Host[mars.nasa.gov]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://mars.nasa.gov/participate/send-your-name/orion-first-flight/]
      Cookie[s_cc=true; s_vnum=1415451392569%26vn%3D3; s_sq=%5B%5BB%5D%5D; __utma=36124604.1688619800.1412859393.1412866915.1412869134.3;
__utmc=36124604; __utmz=36124604.1412859393.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_vi=[CS]v1|2A1B4302851D2BE0-40000107A00688CE[CE];
fsr.s=%7B%22v2%22%3A1%2C%22v1%22%3A1%2C%22rid%22%3A%22d036702-53567014-5eea-b60c-7e184%22%2C%22ru%22%3A%22http%3A%2F%2Fmars.nasa.gov%2Fparticipate
%2Fsend-your-name%2Forion-first-flight%2F%3Fcn%3D161115%22%2C%22r%22%3A%22mars.nasa.gov%22%2C%22st%22%3A%22%22%2C%22cp%22%3A%7B%22delivery_src%22%3A
%22none%22%7D%2C%22to%22%3A3%2C%22mid%22%3A%22d036702-53567258-d212-8c96-20007%22%2C%22rt%22%3Afalse%2C%22rc%22%3Afalse%2C%22c%22%3A%22http%3A%2F%2F
www.nasa.gov%2F%22%2C%22pv%22%3A1%2C%22lc%22%3A%7B%22d3%22%3A%7B%22v%22%3A1%2C%22s%22%3Afalse%7D%7D%2C%22cd%22%3A3%2C%22meta%22%3A%7B%22rtp%22%3A%22
a%22%2C%22rta%22%3A3%2C%22rts%22%3A3%7D%7D; __utma=259910805.435627752.1412859567.1412859567.1412859567.1; __utmc=259910805;
__utmz=259910805.1412859567.1.1.utmcsr=mars.nasa.gov|utmccn=(referral)|utmcmd=referral|utmcct=/participate/send-your-name/orion-first-flight/;
gpv_pe5=MEP%20-%20Send%20Your%20Name%20on%20NASA%27s%20Journey%20to%20Mars%2C%20Starting%20with%20Orion%27s%20First%20Flight; s_invisit=true; __utmb=36124604.0.10.1412869134]
      Connection[keep-alive]
   Response Header:
      Content-Type[text/html;charset=UTF-8]
      Content-Length[7642]
      Connection[keep-alive]
      Access-Control-Allow-Origin[http://marsdev.jpl.nasa.gov]
      Cache-Control[max-age=600]
      Content-Encoding[gzip]
      Date[Thu, 09 Oct 2014 15:46:05 GMT]
      Server[nginx/1.1.19]
      Vary[Accept-Encoding]
      X-Cache[Miss from cloudfront]
      Via[1.1 641720e73fe93af037f911457c12ae1e.cloudfront.net (CloudFront)]
      X-Amz-Cf-Id[fcCNBQ3RNkRMQ_9nK-1v_ConkoOko6ttxX2F0IDcwKGyovh3SJSAZg==]


Reference(s):
http://mars.nasa.gov/
http://mars.nasa.gov/participate/
http://mars.nasa.gov/participate/send-your-name/
http://mars.nasa.gov/participate/send-your-name/orion-first-flight/
http://mars.nasa.gov/participate/send-your-name/orion-first-flight/?s=confirm&cn=334902
http://mars.nasa.gov/participate/send-your-name/orion-first-flight/?s=confirm&cn=344616


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable firstname and lastname input fields.
Restrict and filter the input to prevent persistent script code execution in the boarding pass service.
Encode the boarding pass output values in the embed code module to block application-side script code execution.
Upgrade the filter to catch image onload handlers and image-based cookie requests.
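The following PHP is an added illustration and not NASA/JPL code: the advisory does not disclose the server-side language or the real filter, so the blocklist below is an assumption modelled on the behaviour described above (frame and script tags are neutralised, an image tag with an event handler is not). It contrasts that tag-blocklist approach with contextual output encoding of the first and last name at render time, which is the fix recommended above. The surrounding markup mirrors the `div.name` structure of the boarding pass shown in the PoC.

```php
<?php
// Added example, not NASA/JPL code. Assumption: the original filter is a tag blocklist
// that strips <script>/<iframe>/<frame> and passes everything else through unchanged.
function blocklistFilter(string $name): string
{
    return preg_replace('#</?(script|iframe|frame)\b[^>]*>#i', '', $name);
}

// Vulnerable pattern: the filtered value is concatenated into the HTML of the boarding pass.
function renderNameVulnerable(string $first, string $last): string
{
    return '<div class="name"><div>' . blocklistFilter($first) . '</div>'
         . '<div>' . blocklistFilter($last) . '</div></div>';
}

// Fixed pattern: encode for the HTML text context at output time, independent of any
// input filtering. ENT_QUOTES also covers the attribute context; the charset is explicit
// and ENT_SUBSTITUTE keeps malformed byte sequences from being silently passed through.
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderNameFixed(string $first, string $last): string
{
    return '<div class="name"><div>' . encodeHtml($first) . '</div>'
         . '<div>' . encodeHtml($last) . '</div></div>';
}

// Constructed inputs: the first is what a tag blocklist is written for, the second is the
// class of payload the advisory reports passing the filter (an <img> with an event handler;
// onerror is used here because it fires on a broken src, the advisory names onload).
$first = '<script>alert(1)</script>';
$last  = '<img src=x onerror=alert(1)>';

// The blocklist removes the <script> tags but leaves the <img> tag and its handler intact,
// so the handler runs wherever this fragment is rendered (confirmation page or embed).
echo renderNameVulnerable($first, $last), PHP_EOL;

// With output encoding both names are rendered as literal text in the page.
echo renderNameFixed($first, $last), PHP_EOL;
```

The point of the second function is that it does not depend on what the filter knew about: every `<`, `>`, `"`, `'` and `&` is encoded for the context it lands in, so a new tag or attribute vector does not need a filter update. Input restriction (length, character class) remains useful as defence in depth, which is what the first and second remediation lines above ask for.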


Security Risk:
==============
The security risk of the filter bypass and persistent script code injection vulnerability in the NASA boarding pass application is estimated as high. (CVSS 6.0)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    dev.vulnerability-db.com            - forum.vulnerability-db.com                            - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

The Mystery of sqlmap’s Empty Files

Recently I was working with a basic SQLi flaw, and wanted to get OS-level access. Naturally, I turned to sqlmap’s “–os-shell” feature

more here.........http://www.willhackforsushi.com/?p=581

Reading local files from Facebook's server (fixed)

Recently I found a vulnerability in Facebook which allowed me to read local files from Facebook's servers. The vulnerable part of Facebook was their Careers resume uploader, located at every job offer

more here........http://josipfranjkovic.blogspot.ro/2014/12/reading-local-files-from-facebooks.html

Google App Engine Java security sandbox bypasses (project pending completion / action from Google)

We discovered multiple security issues in Google App Engine that allow
for a complete Java VM security sandbox escape.

There are more issues pending verification - we estimate them to be in
the range of 30+ in total.

Quick summary of our developments so far:
- we bypassed GAE whitelisting of JRE classes / achieved complete Java VM
security sandbox escape (17 full sandbox bypass PoC codes exploiting 22
issues in total),
- we achieved native code execution (ability to issue arbitrary library
/ system calls),
- we gained access to the files (binary / classes) comprising the JRE
sandbox, that includes the monster libjavaruntime.so binary (468416808
bytes in total),
- we extracted DWARF info from binary files (type information and such),
- we extracted PROTOBUF definitions from Java classes (description of 57
services in 542 .proto files),
- we extracted PROTOBUF definition from binary files (description of 8
services in 68 .proto files),
- we analyzed the above stuff and learned a lot about the GAE environment
for Java sandbox (among others).

Unfortunately, we cannot complete our work due to the suspension of the
"test" GAE account that took place today.

Without any doubt this is an opsec failure on our end (this week we did
poke a little bit more aggressively around the underlying OS sandbox /
issued various system calls in order to learn more about the nature of
the error code 202, the sandbox itself, etc.).

Taking into account the educational nature of the security issues found
in the GAE Java security sandbox and what seems to be an appreciation Google
has for arbitrary security research / all sorts of sandbox escapes [1],
we hope the company makes it possible for us to complete our work and
re-enables our GAE account, so that we could in particular:
- verify the remaining potential vulnerabilities spotted,
- verify some attack ideas,
- prepare a short report containing the description of the issues found
(the results of the evaluation) and deliver it to Google (in a form
similar to the SE-2013-01 project report [2]),
- share the results of our research with the security community.

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
---------------------------------------------

References:
[1] Google Security Research
http://code.google.com/p/google-security-research/
[2] Security vulnerabilities in Oracle Java Cloud Service
http://www.security-explorations.com/en/SE-2013-01.html

IIS, Compromised GoDaddy Servers, and Cyber Monday Spam

While doing an analysis of one black-hat SEO doorway on a hacked site, I noticed that it linked to many similar doorways on other websites, and all those websites were on IIS servers. When I see these patterns, I try to dig deeper and figure out what else those websites have in common. This time I revealed quite a few GoDaddy Windows servers have been pwned by “replica spam” hackers.

more here.........http://blog.sucuri.net/2014/12/iis-compromised-godaddy-servers-and-cyber-monday-spam.html

The POODLE bites again

October's POODLE attack affected CBC-mode cipher suites in SSLv3 due to SSLv3's under-specification of the contents of the CBC padding bytes. Since SSLv3 didn't say what the padding bytes should be, implementations couldn't check them and that opened SSLv3 up to an oracle attack.

more here.........https://www.imperialviolet.org/2014/12/08/poodleagain.html

Bypassing Windows and OSX Logins with NetHunter & Kon-Boot

The Kali Linux NetHunter platform has many hidden features which we still haven’t brought to light. One of them is the DriveDroid application and patch set, which have been implemented in NetHunter since v1.0.2.

more here.......http://www.offensive-security.com/kali-linux/bypassing-windows-and-osx-logins-with-nethunter-kon-boot/

Hacking SQL Server Stored Procedures – Part 2: User Impersonation

Application developers often use SQL Server stored procedures to make their code more modular, and help apply the principle of least privilege. Occasionally those stored procedures need to access resources external to their application’s database. In order to satisfy that requirement sometimes developers use the IMPERSONATE privilege and the EXECUTE AS function to allow the impersonation of other logins on demand.  Although this isn’t really a vulnerability, this type of weak configuration often leads to privilege escalation. This blog provides a lab guide and attack walk-through that can be used to gain a better understanding of how the IMPERSONATE privilege can lead to privilege escalation in SQL Server.

more here..........https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/

Magnitude Exploit Kit Backend Infrastructure Insight - Part III

Welcome to our third and final post in this series about the Magnitude exploit kit. If you haven't already read them, you may want to start with the first and second posts. This post will continue where the second post left off discussing the infection flow and cybercriminals redirecting victims to the gateway servers.

more here........http://blog.spiderlabs.com/2014/12/magnitude-exploit-kit-backend-infrastructure-insight-part-iii.html

Code Execution In Spite Of BitLocker

Disk Encryption is “a litany of difficult tradeoffs and messy compromises” as our good friend and mentor Tom Ptacek put it in his blog post. That sounds depressing, but it’s pretty accurate - trying to encrypt an entire hard drive is riddled with constraints

more here........https://cryptoservices.github.io/fde/2014/12/08/code-execution-in-spite-of-bitlocker.html

CVE-2014-0195: Adventures in OpenSSL’s DTLS Fragmented Land

Earlier this year, details of a remote code execution bug in OpenSSL's DTLS implementation were published. The following is a look at the bug, its process and the different ways attackers might leverage it for exploitation.

more here........http://securityintelligence.com/cve-2014-0195-adventures-in-openssls-dtls-fragmented-land/#.VIYQETHF-So

Humhub SQL injection and multiple persistent XSS vulnerabilities

[+] Humhub [1] SQL injection vulnerability
[+] Discovered by: Jos Wetzels, Emiel Florijn
[+] Affects: Humhub <= 0.10.0-rc.1

The Humhub social networking kit versions 0.10.0-rc.1 and prior suffer
from an SQL injection vulnerability, which has now been resolved in
cooperation with the vendor [2], in its notification listing
functionality allowing an attacker to obtain backend database access.
In the actionIndex() function located in
"/protected/modules_core/notification/controllers/ListController.php"
[3] a check is performed on the unsanitized $lastEntryId variable
(which is fetched from the 'from' GET parameter) to see if it is
greater than 0. However, since PHP's comparison operators are loosely
typed and $lastEntryId is not guaranteed to be an integer, an attacker
can prefix a string of their choice with one or more digits (so that
$lastEntryId is treated as an integer during the comparison) such that
the comparison evaluates to true, after which the otherwise unsanitized
$lastEntryId is concatenated into $criteria->condition, giving
arbitrary SQL injection.

Proof of Concept: Performing the following request

index.php?r=notification/list/index&from=999) AND (CASE WHEN
0x30<(SELECT substring(password,1,1) FROM user_password WHERE id = 1)
THEN 1 ELSE 0 END) AND (1=1

Allows an attacker to perform a boolean-based blind SQL injection
(a binary search on each character of the selected value). In
addition, the SQL error handling of the function in question allows
the attacker to perform a reflected Cross-Site Scripting attack.

Proof of Concept: Directing any user to the following link

index.php/?r=notification/list/index&from=999) AND ("<iframe src =
'index.php/?r=user/auth/logout'>"=""

Will perform a CSRF attack against the target user.

It should be noted that the attack requires regular user-level
authentication to the humhub system.
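As an added example (not Humhub's code), the following PHP models the check described above: a string taken from the `from` parameter is compared against 0 with the loose `>` operator and, when the check passes, concatenated into the query condition. The condition string and column names are assumptions for illustration only; the hardened variant validates that the parameter is an integer and passes it as a bound parameter instead of concatenating it.

```php
<?php
// Added example, not Humhub's code. The condition shape and column names are assumed.

// Vulnerable pattern: loose comparison followed by string concatenation into SQL.
function buildConditionVulnerable(string $from): string
{
    $lastEntryId = $from;              // as fetched from $_GET['from'], unsanitized
    $condition = 'user_id = 1';
    // "999) AND (1=1" > 0 is true on every PHP version: PHP 5/7 cast the leading-numeric
    // string to 999, PHP 8 compares the non-numeric string with "0" as strings ("9" > "0").
    if ($lastEntryId > 0) {
        $condition .= ' AND (id < ' . $lastEntryId . ')';
    }
    return $condition;
}

// Hardened pattern: strict integer validation, and the value travels as a bound parameter.
// Returns [conditionString, params] for PDO/Yii-style named placeholders.
function buildConditionHardened(string $from): array
{
    $condition = 'user_id = :uid';
    $params = [':uid' => 1];
    // FILTER_VALIDATE_INT returns false for "999) AND ...", "1e3", "0x1A" and "12abc";
    // min_range replaces the "> 0" check with one that cannot be satisfied by a string.
    $lastEntryId = filter_var($from, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($lastEntryId !== false) {
        $condition .= ' AND (id < :from)';
        $params[':from'] = $lastEntryId;
    }
    return [$condition, $params];
}

// Constructed input: the boolean-based payload from the proof of concept above.
$payload = '999) AND (CASE WHEN 0x30<(SELECT substring(password,1,1) FROM user_password WHERE id = 1) THEN 1 ELSE 0 END) AND (1=1';

// The payload passes the loose check and lands verbatim inside the condition.
echo buildConditionVulnerable($payload), PHP_EOL;

// The payload fails integer validation, so the condition is left unchanged.
[$cond, $params] = buildConditionHardened($payload);
echo $cond, PHP_EOL;

// A legitimate value is accepted and bound as :from rather than concatenated.
[$cond, $params] = buildConditionHardened('42');
echo $cond, ' ', json_encode($params), PHP_EOL;
```

The comparison is the subtle part: a check such as `$x > 0` looks like a type guard but is not one, because PHP compares a string operand by converting it (or, on PHP 8, by converting the integer). A cast with `(int)$from` before concatenation would also close the injection, but binding the validated integer keeps the query text constant, which is the property the fix in the vendor commit [2] aims for.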

[*] References:
1. http://humhub.org
2. https://github.com/humhub/humhub/commit/febb89ab823d0bd6246c6cf460addabb6d7a01d4
3.https://github.com/humhub/humhub/blob/e406538ac44f992774e1abd3748ee0a65469829d/protected/modules_core/notification/controllers/ListController.php#L46
------------------------------------------------------------------------------------------------------------------------
[+] Humhub [1] multiple persistent XSS vulnerabilities
[+] Discovered by: Jos Wetzels, Emiel Florijn
[+] Affects: Humhub <= 0.10.0-rc.1

The Humhub social networking kit versions 0.10.0-rc.1 and prior suffer
from multiple persistent Cross-Site Scripting vulnerabilities, which
have now been resolved in cooperation with the vendor [2], in various
parts of the codebase.

1. Post/comment persistent XSS vulnerability

In the function actionPost() in
"/protected/modules_core/post/controllers/PostController.php" [3], the
$_POST variable is cleaned using a now-outdated version of the Yii
framework's CmsInput extension stripClean() function [4], which
improperly sanitizes user-input for XSS [5]. This situation also
applies to actionPost() in
"/protected/modules_core/comment/controllers/CommentController.php"
[6]

Proof of Concept: making a post or comment with the URL-encoded form of either:

<a href = "data:text/html,test">test</a>
<img src = "index.php?r=user/auth/logout">

Will insert the corresponding HTML elements into the post/comment body.

2. Humhub-modules-mail [7] persistent XSS vulnerability

Humhub-modules-mail versions 0.5.9 and prior (when used in conjunction
with Humhub 0.10.0-rc.1 or prior) is affected by the same
vulnerability as described above. The vulnerable code is located in
the function actionCreate() in "/controllers/MailController.php" [8].
Since every private message sent to a humhub user is also sent to the
user's e-mail in the form of a HTML-enabled notification e-mail, an
attacker can insert custom HTML elements in the body of the e-mail
with grave consequences. It should be noted that the displayed
in-system private messages are not susceptible to this attack vector.

3. Admin error logging persistent XSS vulnerability

In addition to the above, the admin error logging codebase is
vulnerable to a persistent XSS vulnerability (with an even less
restrictive set of injectable elements) as well. In most modules'
error logging functionality, there is no XSS sanitation on the error
message before passing it to the database and since there is no XSS
sanitation before displaying error messages in the admin error logging
interface, causing an error with a URL-encoded XSS string (different
modules' error logging allow for different XSS vectors) in the
parameter will cause the XSS to be persistently logged in the admin
error logging interface, potentially allowing an attacker, among other
attack vectors, to hijack the admin's session.

Proof of Concept: performing any of the following requests:

index.php?r=post/post/post%3Csvg%20onload%3Dalert(1)%3E
index.php?r=mail/mail/indexdf%3Cimg%20src=%22x%22%20onerror=%22alert(1)%22%3E
index.php?r=notification/list/index&from=999)%3Cscript%3Ealert(1)%3C/script%3E

Will insert the corresponding script elements into the admin error
logging interface.

It should be noted that all XSS attack vectors require at least
regular user-level access to the humhub system.

[*] References:
1. http://humhub.org
2. https://github.com/humhub/humhub/commit/febb89ab823d0bd6246c6cf460addabb6d7a01d4
3. https://github.com/humhub/humhub/blob/22d4cc040b56ed72c7bdc17a14af087b06a2cf18/protected/modules_core/post/controllers/PostController.php#L41
4. https://github.com/humhub/humhub/blob/9274a701b316cf8da0d05862066a90a3585fff01/protected/extensions/CmsInput.php#L165
5. http://packetstormsecurity.com/files/129373/yiicmsinput-xss.txt
6. https://github.com/humhub/humhub/blob/22d4cc040b56ed72c7bdc17a14af087b06a2cf18/protected/modules_core/comment/controllers/CommentController.php#L139
7. https://github.com/humhub/humhub-modules-mail
8. https://github.com/humhub/humhub-modules-mail/blob/04e4f2dad17ed0e4aec0d5a61a5ef979f416e98b/controllers/MailController.php#L300

Reading Outlook using Metasploit

In penetration tests, it sometimes can be hard to escalate privileges on a (Windows) target system. In this situation it can be useful to gain access to resources with sensitive information, such as passwords.

Metasploit does not have any module to read email messages from a local Outlook installation. Outlook can however contain a lot of sensitive and useful information in a penetration test, such as network credentials. I decided to create a Metasploit module which can read and/or search the local Outlook email messages.

more here........https://forsec.nl/2014/12/reading-outlook-using-metasploit/

Save Your Cloud: XSS in OpenStack Dashboard

Maximizing the effectiveness of compute power using an Infrastructure-as-a-Service (IaaS) cloud service is a common technique nowadays. Private (IaaS) clouds are often advertised as being more secure than public ones, simply because they are "provisioned for exclusive use by a single organization" (source). However, private and public clouds share the same technology; there is no fundamental difference in the techniques employed.

Differences between private and public clouds must therefore be defined through properties of the setup itself.

more here............http://web-in-security.blogspot.com/2014/12/save-your-cloud-xss-in-openstack.html?spref=tw

Unpatched Atlassian products still reign over a critical security flaw

Atlassian released a security advisory nearly 8 months ago, along with patches for a very critical vulnerability contained in nearly all of its web-based products.

The description of the vulnerability was not sufficient for potential black hats, but the patches, once released, leaked all the details they need. Any average-level attacker would understand the components of the issue once the patches were downloaded and compared with previous releases. Some advanced capabilities are still required, though, to figure out how and where to attack.

more here.........http://sceptive.com/p/unpatched-atlassian-products-still-reign-over-a-critical-security-flaw

PuttyRider

Hijack Putty sessions in order to sniff conversation and inject Linux commands.

more here.......https://github.com/seastorm/PuttyRider

Sony's hack GOP statement … ( torrent files also included there )

We are the GOP working all over the world.
We know nothing about the threatening email received by Sony staffers, but you should wisely judge by yourself why such things are happening and who is responsible for it

more here.........https://gist.github.com/anonymous/7b9a0a0ac94065ccfc5b

InsideReCaptcha

A few days ago, Google introduced a new version of ReCaptcha, theoretically allowing most users to complete it by only ticking a checkbox. If the user isn't deemed human by Google, the old version with distorted text appears. Although I used a normal Firefox version, I still had to fill in the text captcha after clicking, so it didn't really work for me. My curiosity induced me to look at the JavaScript in order to know how all this really works...

more here........https://github.com/ReCaptchaReverser/InsideReCaptcha#readme

Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution

This security update resolves a privately reported vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

more here.............https://technet.microsoft.com/en-us/library/security/MS14-084