Channel: BOT24

Lynis - Security auditing and hardening tool for Unix/Linux based systems

Lynis is a security auditing and hardening tool for Unix derivatives like Linux, BSD and Solaris. It performs an in-depth security scan on the system to detect software and security issues. Besides information related to security, it will also scan for general system information, installed packages, and possible configuration mistakes.

The software is aimed at assisting with automated auditing, configuration management, software patch management, penetration testing, vulnerability management, and malware scanning of Unix-based systems.

Lynis is a great addition to the toolkit of security officers, auditors, system administrators and security professionals.

more here........https://github.com/CISOfy/Lynis

Malware Cleanup to Arbitrary File Upload in Gravity Forms

During our regular cleanup process we came across a reinfection case that caught our attention.

This particular environment didn’t have anything special or fancy, it was an updated WordPress installation and had 3 out-of-date plugins; that’s pretty reasonable.

After running through our processes and cleaning the environment we kept coming back to a reinfection; the attacker kept uploading nefarious files on the server.

more here.......http://blog.sucuri.net/2015/02/malware-cleanup-to-arbitrary-file-upload-in-gravity-forms.html

The FBI's request for single-warrant, remote computer searches: Examining the technical issues

With little fanfare, zero congressional review or debate, and barely any public awareness, the FBI is requesting a rule change to gain broad powers to remotely search multiple computers, no matter location, on a single warrant. The implications are far-reaching and apt to affect not only suspected criminals but the innocent as well, including victims of hackers and botnets. Setting aside the Fourth Amendment, privacy concerns, and potential diplomatic consequences, there are technical reasons to oppose the rule change as proposed. Remote searches require the installation of software, or malware, which often causes unintended computer problems. What provisions prevent damage to files or programs? How will computer owners be notified? These and other technical questions are contained in a comments document by Steven M. Bellovin, Matt Blaze (University of Pennsylvania), and Susan Landau (Worcester Polytechnic Institute) and summarized here.

more here.........http://www.cs.columbia.edu/2015/bellovin-rule41-comments/

Deceiving cPanel ‘Account Suspended’ page serves exploits

cPanel is one of the most popular web hosting control panels out there. It allows administrators to manage their website(s) using a graphical front end, perform maintenance and review important logs among other things.

cPanel also has a user interface for CGI (short for Common Gateway Interface) typically used to run scripts and generate dynamic content.

One such script populates a fairly well-known (and somewhat dreaded) page known as the “Account Suspended” page. Visitors to a site are redirected to this screen for one of many reasons, ranging from the site owner’s failure to pay for hosting to violating the Terms and Conditions or exceeding the allocated bandwidth.

The script that loads this page is located here:
/usr/local/cpanel/cgi-sys/suspendedpage.cgi

The page itself is made of HTML code, and can be edited by an administrator, often via a Web Host Manager (WHM). Many sites that were once used to distribute malware and have been suspended will sport that kind of page. One would assume that the site would now be harmless, since the hosting provider has already taken action.

more here........https://blog.malwarebytes.org/exploits-2/2015/02/deceiving-cpanel-account-suspended-page-serves-exploits/

SEC Consult SA-20150227-0 :: Multiple vulnerabilities in Loxone Smart Home

SEC Consult Vulnerability Lab Security Advisory < 20150227-0 >
=======================================================================
              title: Multiple vulnerabilities
            product: Loxone Smart Home
 vulnerable version: Firmware: 5.49; Android-App: 3.4.1
      fixed version: 6.3
             impact: High
           homepage: http://www.loxone.com
              found: 2014-07-02
                 by: Daniel Schwarz (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

                     Manuel Deticek, Alexander Inführ, Robert Pölzelbauer
                     FH-St.Pölten - Institut für IT Sicherheitsforschung
                     http://www.fhstp.ac.at

 =======================================================================

Vendor & product description:
-----------------------------
"Loxone Electronics was founded in 2008. Our focus is the development and
production of control solutions for all homes. Our aim is to make home
automation interesting, affordable and accessible for everyone."

URL: http://www.loxone.com/enus/company/about-us.html

"The Loxone Smart Home gives the owner full control of every device or
task using a wall switch, phone or smart tablet. Control and automate
areas such as: Lighting, Climate, Security, Audio/Video, Shading, and
even Pool and irrigation systems. Your system will adapt all areas of
your home providing complete smart home automation."

URL: http://www.loxone.com/enus/smart-home/overview.html


Business recommendation:
------------------------
The Loxone Smart Home has multiple design and implementation
flaws which could be used by an attacker to:
    1) cause a denial of service,
    2) steal the user's credentials,
    3) execute JavaScript code in the user's browser or
    4) control arbitrary devices connected to the system.

It is recommended by SEC Consult not to use this system until a thorough
security review has been performed by security professionals and all identified
issues have been resolved.



Vulnerability overview/description:
-----------------------------------
1) Unencrypted data-transmission
All available communication is unencrypted and could therefore get intercepted
and manipulated by a man-in-the-middle attacker. This enables an attacker to
control every device within the smart home system. Furthermore a plaintext
authentication mechanism is supported which enables an attacker to steal
user-credentials.

2) Missing state-of-the-art http-header
The http-headers set doesn't comply with the current state-of-the-art.
Therefore it is possible to embed the webinterface within an iframe and misuse
it for phishing attacks. Furthermore no CSP-Headers are set in order to prevent
cross-site scripting attacks.

3) Cross-site request-forgery (XSRF)
The system is vulnerable to XSRF attacks. If an attacker is able to lure a user
into clicking a crafted link, or embeds such a link within web pages (e.g.
discussion forums), he could control arbitrary devices within the smart home
system.

4) HTTP Response Splitting
The backend of the smart home system is vulnerable to HTTP response splitting
attacks. If an attacker is able to lure a user into clicking a crafted link he
could arbitrarily manipulate the server's response (e.g. injection of
JavaScript code).

5) Multiple reflected cross-site scripting (XSS) vulnerabilities
The admin webinterface of Loxone Smart Home is vulnerable to multiple reflected
cross-site scripting attacks. If an attacker is able to lure a user into
clicking a crafted link he could execute arbitrary JavaScript code in the
user's browser. Thereby he could steal the user's credentials or control
arbitrary devices within the smart home system. To exploit this vulnerability
it isn't mandatory for the user to be authenticated: unauthenticated XSS
vulnerabilities (reachable via the HTTP Response Splitting vulnerability
described in 4) exist as well as authenticated ones.

6) Stored cross-site scripting vulnerability
Besides the already mentioned reflected XSS vulnerabilities the Loxone Smart
Home System also contains a stored XSS vulnerability. An authenticated attacker
is able to persistently inject JavaScript code in the user webinterface. This
code gets executed in the context of other users at every login as well as by
calling a certain functionality of the webinterface. The injection of the code
itself could either be done via the webinterface or could also be conducted
through the already mentioned XSRF vulnerability. Therefore it is not necessary
for the attacker to login explicitly. After circumventing some
filtering obstacles an attacker could, for example, automatically
disable a connected alarm system every day at midnight.

7) Insecure storage of credentials by the remember-me function
The user webinterface contains a remember-me functionality which stores the
user credentials in an insecure way. Basically they get stored encrypted, but
the key can be requested by anyone without authentication. In combination with
one of the already mentioned XSS vulnerabilities it is possible to steal the
user credentials without the user's notice.

8) Credentials stored in cleartext on Android devices
The user credentials get stored in cleartext after the first login via the
Loxone Android app. On a rooted device the credentials could get stolen (e.g.
by malware). The user has to manually "Logout" or clear the configuration to
delete the credentials from the app storage.

9) Denial of service
An attacker could perform a denial of service attack with simple measures (e.g.
synflood, etc.). During and after such an attack the system isn't accessible
via the network interface and can no longer be controlled. Furthermore the
system doesn't recover after the attack and has to be manually restarted in
order to work properly.


Proof of concept:
-----------------
1) Unencrypted data-transmission

The proof of concept code has been removed since no fix is available to
mitigate this issue.


2) Missing state-of-the-art http-header

The proof of concept code has been removed since no fix is available to
mitigate this issue.


3) Cross-site request-forgery (XSRF)

Basically all devices are controlled by websocket-requests.
E.g. turn on the alarm-system:
    jdev/sps/io/32a4981e-f5af-11e1-8d4ac9ef1f112e83/on

In addition all devices could be controlled by http-basic authenticated
GET-requests. An attacker just has to lure a user who is authenticated against
the admin interface into clicking the following link in order to disable the
device with the id '32a4981e-f5af-11e1-8d4ac9ef1f112e83':

http://<server-ip>/dev/sps/io/32a4981e-f5af-11e1-8d4ac9ef1f112e83/off

Within the official democase, this device is the alarm system.
According to the vendor this vulnerability is basically fixed in version
6.3. It is still possible to alter the IP address of the Smart Home System via
this technique, but it should no longer be possible to control attached devices.


4) HTTP Response Splitting

Some parts of a request's URL get returned unescaped within the response's
authentication-realm. It is possible to cut off the current response-header by
injecting the string "%0D%0A%0D%0A". Afterwards a new arbitrary response body
could be appended (e.g. some JavaScript code). To reproduce this behaviour it
is sufficient to open the following URL as an unauthenticated user:

http://<server-ip>/dev/cfg/version%0D%0A%0D%0A%3Chtml%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E%3C/html%3E

The server answers with the following response and the injected JavaScript
code gets executed:

    HTTP/1.1 401 Unauthorized
    Server: Loxone 5.49.3.4
    WWW-Authenticate: Basic realm="dev/cfg/version
    <html><script>alert('XSS')</script><"
    Content-Type: text/html
    Content-Length: 93
    Connection: close
    <html><head><title>Loxone Miniserver
    error</title></head><body>401 Unauthorized</body></html>

According to the vendor this issue is basically fixed in version 6.3.
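The following Python, added here and not taken from the advisory or the Loxone firmware, reproduces the header concatenation that lets the crafted path above split the response, next to a builder that validates the realm value the way RFC 7230 requires (no control characters, quotes escaped). The response layout is an assumption modelled on the reply shown above.

```python
from typing import Tuple
from urllib.parse import unquote

# The advisory's crafted request path, percent-decoded as the server sees it.
CRAFTED_PATH = unquote(
    "dev/cfg/version%0D%0A%0D%0A%3Chtml%3E%3Cscri"
    "pt%3Ealert%28%27XSS%27%29%3C/script%3E%3C/html%3E"
)
ERROR_BODY = ("<html><head><title>Loxone Miniserver error</title></head>"
              "<body>401 Unauthorized</body></html>")


class HeaderInjection(ValueError):
    """Raised when a value would corrupt the HTTP header block."""


def vulnerable_401(path: str) -> bytes:
    """Reflects the raw request path into the realm, as firmware 5.49 did.
    CR/LF inside `path` terminates the header block early, so the attacker's
    text becomes the response body the browser renders."""
    return (
        "HTTP/1.1 401 Unauthorized\r\n"
        f'WWW-Authenticate: Basic realm="{path}"\r\n'
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(ERROR_BODY)}\r\n"
        "\r\n"
        f"{ERROR_BODY}"
    ).encode()


def safe_header_value(value: str) -> str:
    """Header field values may not contain control characters (RFC 7230);
    a quoted-string realm must also escape backslash and double quote."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise HeaderInjection("control character in header value")
    return value.replace("\\", "\\\\").replace('"', '\\"')


def hardened_401(path: str) -> bytes:
    """Same response, but the realm is validated before it is emitted.
    (Not reflecting the request path at all would be simpler still.)"""
    realm = safe_header_value(path)
    return (
        "HTTP/1.1 401 Unauthorized\r\n"
        f'WWW-Authenticate: Basic realm="{realm}"\r\n'
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(ERROR_BODY)}\r\n"
        "\r\n"
        f"{ERROR_BODY}"
    ).encode()


def split_response(response: bytes) -> Tuple[str, str]:
    """Split at the first blank line, exactly as an HTTP client does."""
    head, _, body = response.partition(b"\r\n\r\n")
    return head.decode(), body.decode()


if __name__ == "__main__":
    _, body = split_response(vulnerable_401(CRAFTED_PATH))
    print("vulnerable body starts with:", body[:32])
    try:
        hardened_401(CRAFTED_PATH)
    except HeaderInjection as exc:
        print("hardened builder rejected the path:", exc)
```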


5) Multiple reflected cross-site scripting (XSS) vulnerabilities

To reproduce this behavior it is sufficient to open the following URL as an
http-authenticated admin user (or enter the credentials when prompted); it
shows a popup message and turns on the LED lights of the Loxone democase:

    http://<server-ip>/dev/sps/io/%22%3E%3Cscript%20xmlns=%27http:%
    26%23x2f%3B%26%23x2f%3Bwww.w3.org/1999/xhtml%27%3Ealert%28%27
    you%20got%20p0wned%20again%27%29%3b%20r=new%20XMLHttpRequest
    %28%29;%20r.open%28%27GET%27,%27/dev/sps/io/c447fcde-f5aa-11e1-
    b157c9ef1f112e83/AI1/on%27,true%29;%20r.send%28%29;%3C/script%3E

The server answers with the following response:
    HTTP/1.1 200 OK
    Server: Loxone 5.49.3.4
    Content-Type: text/xml
    Content-Length: 301
    Keep-Alive: timeout=10, max=1000
    Connection: Keep-Alive
    <?xml version="1.0" encoding="utf-8"?>
    <LL control="dev/sps/io/"><script
    xmlns='http:&#x2f;&#x2f;alert'>alert'>www.w3.org/1999/xhtml'>alert('you
    got p0wned again'); r=new XMLHttpRequest();
    r.open('GET','/dev/sps/io/c447fcde-f5aa-11e1-
    b157c9ef1f112e83/AI1/on',true); r.send();</script>" value=""
    Code="500"/>

According to the vendor this issue is basically fixed in version 6.3.


6) Stored cross-site scripting vulnerability

It is possible to permanently store JavaScript code within the backend of the
smart home system. This could be achieved by injecting the code in the
description field of a new task, created in the webinterface.
In combination with the XSRF vulnerability described in 3, this could also be
done by sending the following request:

    http://<server-ip>/dev/sps/addcmd/2015-12-
    24%2023:59:00/innocent_testtask%20%3Csvg%20onload=alert%281%29%3
    E/32a4981e-f5af-11e1-8d4ac9ef1f112e83/off

This payload creates a task which switches off the alarm system at 2015-12-24
23:59. Additionally the description field contains the injected JavaScript
payload. This payload gets executed every time a user logs in to the
webinterface or explicitly opens the task list.

According to the vendor this issue is basically fixed in version 6.3.
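As an added example (not part of the advisory), the following Python scans constructed web-server log lines for the request shapes shown in proofs of concept 3 to 6: percent-encoded CRLF in the path (response splitting), script or event-handler markup in the path (reflected and stored XSS), and state-changing /dev/sps/ GET requests arriving with a foreign Referer (XSRF). The combined log format, the trusted origin and the sample lines are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines in combined log format; the Miniserver's real log
# format is not documented in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - admin [27/Feb/2015:10:00:01 +0100] "GET /dev/sps/io/32a4981e-f5af-11e1-8d4ac9ef1f112e83/on HTTP/1.1" 200 301 "http://10.0.0.2/" "Mozilla/5.0"
10.0.0.5 - admin [27/Feb/2015:10:00:07 +0100] "GET /dev/sps/io/32a4981e-f5af-11e1-8d4ac9ef1f112e83/off HTTP/1.1" 200 301 "http://forum.example/thread/42" "Mozilla/5.0"
203.0.113.9 - - [27/Feb/2015:10:01:15 +0100] "GET /dev/cfg/version%0D%0A%0D%0A%3Chtml%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 401 93 "-" "curl/7.35"
10.0.0.5 - admin [27/Feb/2015:10:02:30 +0100] "GET /dev/sps/addcmd/2015-12-24%2023:59:00/task%20%3Csvg%20onload=alert(1)%3E/32a4981e-f5af-11e1-8d4ac9ef1f112e83/off HTTP/1.1" 200 120 "http://forum.example/thread/42" "Mozilla/5.0"
10.0.0.7 - - [27/Feb/2015:10:03:00 +0100] "GET /dev/cfg/version HTTP/1.1" 401 93 "-" "LoxoneApp/3.4.1"
"""

# Assumed: the Miniserver's own web UI is served from this origin, so Referer
# values from it are expected on control requests; any other Referer is suspect.
TRUSTED_REFERER_PREFIXES = ("http://10.0.0.2/",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Device control (PoC 3) and task creation (PoC 6) endpoints from the advisory.
STATE_CHANGE_RE = re.compile(r"^/dev/sps/(io/.+/(on|off)$|addcmd/)")
# Markup that has no business in a Miniserver request path (PoCs 5 and 6).
XSS_RE = re.compile(r"<\s*(script|svg|img|iframe)\b|\bon\w+\s*=", re.I)


def classify_path(method: str, raw_path: str, referer: str) -> List[str]:
    """Return the advisory-derived findings for one request, in fixed order."""
    decoded = unquote(raw_path)
    findings = []
    if "\r" in decoded or "\n" in decoded:
        findings.append("response-splitting")   # PoC 4
    if XSS_RE.search(decoded):
        findings.append("xss")                  # PoCs 5 and 6
    if (method == "GET" and STATE_CHANGE_RE.match(decoded)
            and referer != "-"                  # no Referer: app/API client, can't tell
            and not referer.startswith(TRUSTED_REFERER_PREFIXES)):
        findings.append("xsrf")                 # PoC 3: foreign page drove the request
    return findings


def scan(log_text: str) -> List[Dict[str, object]]:
    """Parse each line and keep only the requests with findings."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_path(m["method"], m["path"], m["referer"])
        if findings:
            hits.append({"ip": m["ip"], "path": unquote(m["path"]),
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["findings"], hit["path"][:60])
```

A request without a Referer is deliberately not flagged as XSRF, since the Android app and scripted clients send none; the Referer heuristic only catches browser-driven cross-site requests.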


7) Insecure storage of credentials by the remember-me function

The proof of concept code has been removed since no fix is available to
mitigate this issue.


8) Credentials stored in cleartext on android-devices

The proof of concept code has been removed since no fix is available to
mitigate this issue.


9) Denial of service

The primary denial of service attack was conducted by simply running the
metasploit-module "synflood".

Furthermore it was possible to cause a denial of service in various other ways,
e.g. by running an Nmap scan or by sending malformed http-requests (e.g. if
"HTTP/1.1" is missing in several requests, the following correct requests don't
get processed correctly).

According to the vendor these issues are basically fixed in version 6.3.


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Loxone Smart Home,
Firmware-Version 5.49 (official Democase) and Loxone Android App 3.4.1 which
were the most recent versions at the time of discovery.

Older versions or versions between 5.49 and the current fixed version 6.3 have
not been tested and may be affected as well.



Vendor contact timeline:
------------------------
The initial vendor contact was performed by the cooperation partner polytechnic
university St. Pölten, Austria [FH STP].

2014-08-11: Contacting vendor through email [FH STP]
2014-09:    Release of updated firmware version 6.0
2014-12-19: Coordination between vendor and SEC Consult regarding planned advisory
            and current state of vulnerabilities by phone and email
2015-01-16: Coordination between vendor and SEC Consult regarding planned advisory
            and current state of vulnerabilities by phone
2015-02-03: Coordination between vendor and SEC Consult regarding planned advisory
            and current state of vulnerabilities by email
2015-02-25: Release of updated firmware version 6.3
2015-02-27: Release of security advisory


Solution:
---------
Update to the latest available firmware version (6.3):
http://www.loxone.com/enus/service/downloads.html

The vendor claimed that most of the vulnerabilities have been fixed since
version 6.3.
The following vulnerabilities haven't been fixed yet:
   1) Unencrypted data-transmission
   2) Missing state-of-the-art http-header
   7) Insecure storage of credentials by the remember-me function (will be
      fixed in version 6.4)
   8) Credentials stored in cleartext on android-devices

These statements were not verified by SEC Consult.


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Daniel Schwarz / @2015

Windows: AppInfo AiCheckSecureApplicationDirectory Bypass

The AppInfo service handles requests for UAC elevation. There's an issue with the checking of secure directories which allows a user to install a UIAccess application without requiring full access to a secure directory, leading to the potential for EoP.

more here.........https://code.google.com/p/google-security-research/issues/detail?id=220

Some statistics about onions

We are starting a project to study and quantify hidden services traffic. As part of this project, we are collecting data from just a few volunteer relays which only allow us to see a small portion of hidden service activity (between 2% and 5%). Extrapolating from such a small sample is difficult, and our data are preliminary.
We've been working on methods to improve our calculations, but with our current methodology, we estimate that about 30,000 hidden services announce themselves to the Tor network every day, using about 5 terabytes of data daily. We also found that hidden service traffic is about 3.4% of total Tor traffic, which means that, at least according to our early calculations, 96.6% of Tor traffic is *not* hidden services. We invite people to join us in working to research methodologies and develop systems for better understanding Tor hidden services.

more here.......https://blog.torproject.org/blog/some-statistics-about-onions

Vulnerability found in Sourceforge

Attacker can get shell and modify the homepage
Disclosed here........http://wooyun.org/bugs/wooyun-2015-098566

FlashHacker

FlashHacker is an ActionScript Bytecode instrumentation framework. The RABCDasm tool is used for disassembling and assembling of ActionScript Bytecode. The tool uses Bytecode disassembly to inject various instrumentation instructions.

The tool is very useful when you work with malicious Flash files.

more here.........https://github.com/ohjeongwook/FlashHacker

Adventures in Xen exploitation

This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217).

This issue was patched in June 2012 and was disclosed in Xen Security Advisory 7 [1]. The bug was found by Rafal Wojtczuk and Jan Beulich. Rafal gave a talk about it at BlackHat USA 2012, [2][3].

Unpatched Xen 4.1.2 and earlier releases are affected. In short, we won, learnt a lot and came up with some novel techniques along the way.

more here..........https://www.nccgroup.com/en/blog/2015/02/adventures-in-xen-exploitation/

dnsdist

dnsdist is a highly DNS-, DoS- and abuse-aware load balancer. Its goal in life is to route traffic to the best server, delivering top performance to legitimate users while shunting or blocking abusive traffic.

more here...........https://github.com/ahupowerdns/pdns/blob/dnsname/pdns/README-dnsdist.md

Caphaw - the advanced persistent pluginer

Caphaw (also known as Shylock) is a bit of a rarity among today's botnets: its source code hasn't been leaked and the malware has never been offered for sale on underground forums, suggesting that the same group of people wrote the code and maintained the botnet.

Other than that, the banking trojan shows many similarities with other modern malware families.

more here.........https://www.virusbtn.com/blog/2015/02_27a.xml

The Anthem Hack: All Roads Lead to China

When news of the Anthem breach was reported on February 4th, 2015, the security industry quite understandably went wild. A breach of this magnitude was certainly unprecedented.  Naturally, many industry professionals were keenly interested in digging into this incident to see what could be uncovered, and the research team at ThreatConnect was no exception.  Thanks to our powerful API and third-party partner integrations, we were able to use ThreatConnect to quickly uncover a wealth of intelligence even when initially hindered by a relative lack of investigative lead information and context, a key requirement of any Threat Intelligence Platform (TIP). However, before we delve into what we were able to uncover, let’s briefly review the facts as they stood in the wake of the initial discovery announcement.

more here...........http://www.threatconnect.com/news/the-anthem-hack-all-roads-lead-to-china/

Analysis of Windows USB Descriptor Vulnerability – MS13-081 (CVE-2013-3200)

Occasionally we receive requests to develop Core Impact modules for specific vulnerabilities. Here, I’d like to dive into what that process looked like for CVE-2013-3200, the Windows USB vulnerability included in the MS13-081 bulletin, a.k.a. the Windows USB Descriptor Vulnerability. The vulnerability allows physically proximate attackers to execute arbitrary code by connecting a crafted USB device. Crafty, eh?

You may be wondering why someone would look to exploit this vulnerability when other options (like the Arduino-based attack) are available. Well, in this case, the target machine doesn’t have to be unlocked for the attack to be successful.

- See more at: http://blog.coresecurity.com/2015/02/27/analysis-of-windows-usb-descriptor-vulnerability-ms13-081-cve-2013-3200/

Abusing Blu-ray Players Pt. 1 – Sandbox Escapes

In today’s (28 February) closing keynote talk at the Abertay Ethical Hacking Society’s Securi-Tay conference I discussed how it was possible to build a malicious Blu-ray disc.

By combining different vulnerabilities in Blu-ray players we have built a single disc which will detect the type of player it’s being played on and launch a platform specific executable from the disc before continuing on to play the disc’s video to avoid raising suspicion. These executables could be used by an attacker to provide a tunnel into the target network or to exfiltrate sensitive files, for example.

more here.......https://www.nccgroup.com/en/blog/2015/02/abusing-blu-ray-players-pt-1-sandbox-escapes/

Damn Vulnerable iOS App (DVIA)

Damn Vulnerable iOS App (DVIA) is an iOS application that is damn vulnerable. Its main goal is to provide a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment. This application covers all the common vulnerabilities found in iOS applications (following OWASP top 10

more here..........https://github.com/prateek147/DVIA

Awesome Penetration Testing

A collection of awesome penetration testing resources, tools, books, confs, magazines and other shiny things

more here...........https://github.com/enaqx/awesome-pentest#ddos-tools

Uber security breach may have affected up to 50,000 drivers

Thousands of Uber driver names and driver's license numbers may be in the hands of an unauthorized third party due to a data breach that occurred last year, the ride-hailing company announced today.

more here.........http://www.latimes.com/business/technology/la-fi-tn-uber-data-breach-20150227-story.html

(0Day) Microsoft Word Heap Corruption Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Word. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the line formatting functionality. By providing a malformed .docx file, an attacker can cause heap corruption. An attacker could use this to execute arbitrary code in the context of the current user.

more here......http://www.zerodayinitiative.com/advisories/ZDI-15-052/

dnstest – Monitor Your DNS for Hijacking

In light of the latest round of attacks against and/or hijacking of DNS, it occurred to me that most people really don’t know what to do about it. More importantly, many companies don’t even notice they’ve been attacked until a customer complains. Especially for smaller companies who may not have as many customers, or only accept comments through a website, they may never know unless they randomly check, or the attacker releases the site and the flood of complaints comes rolling in after the fact.

So I wrote a little tool called “dnstest.pl” (yes a Perl script) that can be run out of cron and can monitor one or more hostname-to-IP-address pairs of sites that are critical to you.

more here.........http://blog.whitehatsec.com/dnstest-monitor-your-dns-for-hijacking/