CVE-2015-0250:
Apache Batik information disclosure vulnerability
Severity:
Medium
Vendor:
The Apache Software Foundation
Versions Affected:
Batik 1.0 - 1.7
Description:
Batik 1.0 through 1.7 resolves XML external entities (XXE) while parsing SVG
documents. Files lying on the filesystem of the server which uses Batik can
therefore be revealed to arbitrary users who submit maliciously formed SVG
files. Which files can be read depends on the user context in which the
exploitable application runs; if that user is root, a full compromise of
the server, including confidential or sensitive files, would be possible.
XXE can also be used to attack the availability of the server: entity
references within an XML document can trivially trigger an entity-expansion
amplification attack, i.e. a denial of service.
Mitigation:
Users should upgrade to Batik 1.8+
Credit:
This issue was independently reported by Nicolas Gregoire of AGARRI
(www.agarri.fr) and Kevin Schaller of ERNW (www.ernw.de).
References:
http://xmlgraphics.apache.org/security.html
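An added illustration of the file-disclosure path the description names (this is not code from the advisory or from Batik, which is Java): the same attacker-supplied SVG is parsed once with external general entities resolved, as an XXE-vulnerable SVG parser does, and once with them refused. It uses Python's xml.sax/expat and a constructed secret file in a temporary directory; the file name, entity name and secret value are invented for the demo, and the entity-expansion denial of service is not shown.

```python
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data, as a renderer would collect <text> content."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def extract_svg_text(svg_bytes, resolve_external_entities):
    """Parse an SVG document and return its character data.

    resolve_external_entities=True reproduces the behaviour the advisory
    describes: SYSTEM entities are fetched and inlined, so the file named in
    the attacker's DTD ends up in the document text. False is the hardened
    setting: external general entities are skipped, not fetched.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(svg_bytes))
    return "".join(handler.parts)


def xxe_svg(target_path):
    """Constructed attacker payload: an SVG whose internal DTD subset declares
    an external entity pointing at a file on the server and references it
    inside a <text> element."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE svg [\n'
        '  <!ENTITY xxe SYSTEM "file://%s">\n'
        ']>\n'
        '<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>\n'
        % target_path
    ).encode()


def demo():
    """Return (text seen by the vulnerable parser, text seen by the hardened one)."""
    with tempfile.TemporaryDirectory() as d:
        # constructed stand-in for a server-side secret the attacker wants
        secret = os.path.join(d, "db.conf")
        with open(secret, "w") as f:
            f.write("db_password=hunter2\n")
        payload = xxe_svg(secret)
        leaked = extract_svg_text(payload, resolve_external_entities=True)
        safe = extract_svg_text(payload, resolve_external_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser saw:", repr(leaked))
    print("hardened parser saw:  ", repr(safe))
```

The hardened branch is the whole fix in spirit: a server that renders untrusted SVG must not let the document's DTD name files or URLs for the parser to fetch. Python's xml.sax only stopped resolving external entities by default in 3.7.1; the feature is set explicitly here so the two runs differ regardless of interpreter version.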
Luis Bernardo
NAXSI
NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
NAXSI means Nginx Anti Xss & Sql Injection.
Technically, it is a third-party nginx module, available as a package for many UNIX-like platforms. By default the module reads a small set of simple rules (naxsi_core.rules) covering 99% of the known patterns involved in website vulnerabilities; for example, '<', '|' or 'drop' are not supposed to be part of a URI.
Because those patterns are so simple, they may also match legitimate queries, and it is the Naxsi administrator's job to add specific rules that whitelist those legitimate behaviours. The administrator can either add whitelists manually by analysing nginx's error log, or (recommended) start the project with an intensive auto-learning phase that generates the whitelisting rules from the website's actual behaviour.
In short, Naxsi behaves like a DROP-by-default firewall, the only job needed is to add required ACCEPT rules for the target website to work properly.
more here.........https://github.com/nbs-system/naxsi
and additional pre-release info here with Libinjection now integrated as internal rules.....https://github.com/nbs-system/naxsi/releases/tag/0.54rc0
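NAXSI ships its own learning tools for turning the error log into whitelists; the following is an added, simplified stand-in (not code from the NAXSI project) that shows what the manual step described above amounts to: parse the NAXSI_FMT lines nginx writes, collect the distinct (rule id, zone, variable, URL) combinations that fired, and emit one narrowly scoped BasicRule whitelist for each. The log lines, hostnames, IPs and rule ids are constructed for the example; check any id against your own copy of naxsi_core.rules before trusting a whitelist built from it.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of the NAXSI_FMT lines nginx writes to error.log when a
# request trips the core rules (learning=1, so nothing was actually blocked).
SAMPLE_ERROR_LOG = """\
2015/03/17 09:12:41 [error] 2231#0: *7 NAXSI_FMT: ip=10.0.0.5&server=www.example.com&uri=/search&learning=1&vers=0.53&total_processed=12&total_blocked=1&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=q, client: 10.0.0.5, server: www.example.com, request: "GET /search?q=select+a+wine HTTP/1.1", host: "www.example.com"
2015/03/17 09:12:45 [error] 2231#0: *8 NAXSI_FMT: ip=10.0.0.5&server=www.example.com&uri=/search&learning=1&vers=0.53&total_processed=13&total_blocked=2&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=q, client: 10.0.0.5, server: www.example.com, request: "GET /search?q=drop+shipping HTTP/1.1", host: "www.example.com"
2015/03/17 09:13:02 [error] 2231#0: *9 NAXSI_FMT: ip=10.0.0.9&server=www.example.com&uri=/post/comment&learning=1&vers=0.53&total_processed=14&total_blocked=3&block=1&cscore0=$XSS&score0=8&zone0=BODY&id0=1302&var_name0=text&cscore1=$SQL&score1=4&zone1=BODY&id1=1010&var_name1=text, client: 10.0.0.9, server: www.example.com, request: "POST /post/comment HTTP/1.1", host: "www.example.com"
"""

# The event is a query-string-like blob between "NAXSI_FMT: " and the first comma.
NAXSI_FMT_RE = re.compile(r"NAXSI_FMT: (?P<kv>[^,]+)")
# One request can carry several matches, numbered zone0/id0/var_name0, zone1/...
HIT_FIELD_RE = re.compile(r"^(zone|id|var_name)(\d+)$")


def parse_naxsi_line(line):
    """Return {'uri': ..., 'hits': [{'zone', 'id', 'var_name'}, ...]} for one
    NAXSI_FMT line, or None if the line is not a NAXSI event."""
    m = NAXSI_FMT_RE.search(line)
    if not m:
        return None
    fields = {k: v[0] for k, v in parse_qs(m.group("kv"), keep_blank_values=True).items()}
    hits = {}
    for key, value in fields.items():
        fm = HIT_FIELD_RE.match(key)
        if fm:
            name, index = fm.groups()
            hits.setdefault(int(index), {})[name] = value
    return {"uri": fields.get("uri", ""), "hits": [hits[i] for i in sorted(hits)]}


def whitelist_rules(log_text):
    """Collapse the matches into one BasicRule per (rule id, zone, variable, URL),
    so each whitelist is exactly as wide as the traffic that needed it and no
    rule id is ever disabled globally."""
    seen = set()
    for line in log_text.splitlines():
        event = parse_naxsi_line(line)
        if not event:
            continue
        for hit in event["hits"]:
            seen.add((hit["id"], hit["zone"], hit.get("var_name", ""), event["uri"]))
    rules = []
    for rule_id, zone, var_name, uri in sorted(seen):
        if zone == "URL" or not var_name:
            match_zone = "$URL:%s" % uri
        else:
            match_zone = "$%s_VAR:%s|$URL:%s" % (zone, var_name, uri)
        rules.append('BasicRule wl:%s "mz:%s";' % (rule_id, match_zone))
    return rules


if __name__ == "__main__":
    for rule in whitelist_rules(SAMPLE_ERROR_LOG):
        print(rule)
```

The output lines go into the location block that has SecRulesEnabled. Before pasting them, read the request fields the script ignores: two hits on the same (id, variable, URL) are not proof the traffic was benign, only that it was repeated.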
chisel
Chisel is an HTTP client and server which acts as a TCP proxy, written in Go (Golang). Chisel is useful in situations where you only have access to HTTP, for example behind a corporate firewall.
more here..............https://github.com/jpillora/chisel
WinNT/Pitou (MBR bootkit, alias Backboot)
The Pitou author seems to be pretty creative when it comes to droppers. This one is coded in PureBasic and drops a slightly older variant of the version described by EP_X0FF.
Behaviour on Windows XP and prior (x86)
more here..........http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3667#p25470
CTF write-ups 2015- Wiki-like CTF write-ups repository, maintained by the community.
There are some problems with CTF write-ups in general:
they’re scattered across the interwebs
they don’t usually include the original files needed to solve the challenge
some of them are incomplete or skip ‘obvious’ parts of the explanation, and are therefore not as helpful for newcomers
often they disappear when the owner forgets to renew their domain or shuts down their blog
This repository aims to solve those problems.
more here.........https://github.com/ctfs/write-ups-2015
Safe Rowhammer Privilege Escalation
Problem description: the Rowhammer attack exploits a physical property of DRAM chips: repeatedly activating one row (with cache flushes so that every access really reaches memory) may trigger bit flips in adjacent rows. One problem is that each row holds many pages belonging to various processes or to the operating system, so hammering might also flip bits in any of those and cause system instability.
The following article demonstrates an approach to pin a memory page from a SUID binary, or from ld-linux itself, to a suitable physical memory location and then hammer only that page, without that collateral risk, here.....http://www.halfdog.net/Security/2015/SafeRowhammerPrivilegeEscalation/
Writing a web application scanner
I’ve started out to build a web application scanner. The first usable iteration is ‘wascan’ (sorry, I’m bad at naming things, if you have a better idea, let me know). The current version can crawl a target url and then by performing a brute-forcing step, it can discover further resources. The goal is to create a scanner which can automatically perform authentication, find and fuzz parameters, detect CSRF tokens, recognize session cookies and discover most of the OWASP top 10 vulnerabilities.
more here..........http://itinsight.hu/en/posts/articles/2015-03-17-wascan/
X.Org Security Advisory: More BDF file parsing issues in libXfont
X.Org Security Advisory: March 17, 2015
More BDF file parsing issues in libXfont
========================================
Description:
============
Ilja van Sprundel, a security researcher with IOActive, has discovered an
issue in the parsing of BDF font files by libXfont. Additional testing by
Alan Coopersmith and William Robinet with the American Fuzzy Lop (afl) tool
uncovered two more issues in the parsing of BDF font files.
As libXfont is used by the X server to read font files, and an unprivileged
user with access to the X server can tell the X server to read a given font
file from a path of their choosing, these vulnerabilities have the potential
to allow unprivileged users to run code with the privileges of the X server
(often root access).
The vulnerabilities are:
- CVE-2015-1802: bdfReadProperties: property count needs range check
The bdf parser reads a count for the number of properties defined in
a font from the font file, and allocates arrays with entries for each
property based on that count. It never checked to see if that count
was negative, or large enough to overflow when multiplied by the size
of the structures being allocated, and could thus allocate the wrong
buffer size, leading to out of bounds writes.
- CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read
If the bdf parser failed to parse the data for the bitmap for any
character, it would proceed with an invalid pointer to the bitmap
data and later crash when trying to read the bitmap from that pointer.
- CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct
The bdf parser read metrics values as 32-bit integers, but stored
them into 16-bit integers. Overflows could occur in various operations
leading to out-of-bounds memory access.
Affected Versions
=================
X.Org believes all prior versions of this library contain these flaws,
dating back to its introduction in X11R5.
Fixes
=====
Fixes are available in the patches for these libXfont git commits:
2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e
78c2e3d70d29698244f70164428bd2868c0ab34c
2351c83a77a478b49cba6beb2ad386835e264744
Which are now available from:
git://anongit.freedesktop.org/git/xorg/lib/libXfont
http://cgit.freedesktop.org/xorg/lib/libXfont/
Fixes will also be included in the libXfont 1.5.1 & 1.4.9 module releases
from X.Org.
Thanks
======
X.Org thanks Ilja van Sprundel of IOActive, Alan Coopersmith of Oracle, and
William Robinet of Conostix for reporting these issues to our security team
and helping evaluate and test the fixes; and thanks Michal Zalewski and the
American Fuzzy Lop community for providing their fuzz testing tool as an open
source project we can all benefit from at http://lcamtuf.coredump.cx/afl/ .
--
-Alan Coopersmith- alan.coopersmith () oracle com
X.Org Security Response Team - xorg-security () lists x org
esc_sql Doh! WordPress SQL Injection Vulnerability
Update: This is not about a specific vulnerability, but a series of vulnerabilities due to trusting the use of a sanitizing function in a situation where it should not be used.
WordPress has a number of data-sanitizing functions. esc_sql is one of them and it is frequently used; when used the way it was intended, it performs perfectly. Unfortunately some of us developers assumed that esc_sql was magic and would sanitize anything related to SQL queries.
more here........http://www.pritect.net/blog/esc_sql-doh-wordpress-sql-injection-vulnerability
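An added illustration, in Python with SQLite rather than WordPress PHP and MySQL, of the general pitfall the post describes: a quote-escaping helper is sound when its output lands inside a quoted string literal and does nothing at all in an unquoted position such as ORDER BY. The esc_sql below is a stand-in that doubles quotes the SQLite way (the real one wraps MySQL's backslash escaping); the schema, rows and probe expression are constructed for the demo, not taken from any WordPress plugin.

```python
import sqlite3


def esc_sql(value):
    """Stand-in for a quote-escaping helper. WordPress's esc_sql wraps MySQL's
    escaping (backslashes); SQLite doubles the quote instead. Either way the
    function only neutralises string delimiters and nothing else."""
    return str(value).replace("'", "''")


def make_db():
    """Constructed schema and rows for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT);
        INSERT INTO posts (id, title) VALUES (1, 'Hello world'), (2, 'Draft');
        INSERT INTO users (id, login, pass_hash) VALUES (1, 'admin', '$P$constructedhash');
    """)
    return conn


def search_intended(conn, title):
    """Intended use: the escaped value sits between quotes, so a quote in the
    input cannot terminate the literal and the classic payload finds nothing."""
    sql = "SELECT title FROM posts WHERE title = '%s'" % esc_sql(title)
    return [row[0] for row in conn.execute(sql)]


def list_posts_vulnerable(conn, order_by):
    """Misuse: an unquoted context. There is no delimiter to escape, so any
    expression that avoids quote characters is pasted into the query intact."""
    sql = "SELECT title FROM posts ORDER BY %s" % esc_sql(order_by)
    return [row[0] for row in conn.execute(sql)]


# A quote-free ORDER BY expression: the sort direction flips depending on
# whether the admin hash starts with '$' (code point 36). One bit of the hash
# leaks per request and esc_sql never sees anything to escape.
PROBE = ("(CASE WHEN (SELECT unicode(substr(pass_hash, 1, 1)) FROM users WHERE id = 1) = 36"
         " THEN id ELSE -id END)")

ALLOWED_ORDER_COLUMNS = {"id", "title"}


def list_posts_fixed(conn, order_by):
    """Unquoted contexts need an allow-list of identifiers, not escaping."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unexpected ORDER BY column: %r" % order_by)
    return [row[0] for row in conn.execute("SELECT title FROM posts ORDER BY %s" % order_by)]


def fixed_rejects(order_by):
    """True if the hardened version refuses the given ORDER BY input."""
    try:
        list_posts_fixed(make_db(), order_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(search_intended(db, "Hello' OR 1=1 --"))   # []: escaping did its job
    print(list_posts_vulnerable(db, PROBE))          # ascending order, so the hash starts with '$'
    print(fixed_rejects(PROBE))                      # True
```

The same reasoning applies to LIMIT, table and column names, and any numeric context: escaping protects a string literal, and nothing else. Where a driver offers parameter binding, use it for values; for identifiers, compare against a fixed list as above.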
Would Rust have prevented Heartbleed? Another look
In case you haven’t heard, another serious OpenSSL vulnerability will be announced this Thursday. It reminded me of about a year ago, when Heartbleed was announced.
more here...........http://tonyarcieri.com/would-rust-have-prevented-heartbleed-another-look
Codegate CTF 2015 Dodocrackme2 Write Up
Description
You are given an apk file that looks like some kind of CrackMe application:
Solution
Trying to input some characters, it turns out a toast says “Invalid code”. It seems that we should reverse this apk to find the correct input.
more here.........http://loccs.sjtu.edu.cn/~evermars/blog/2015/03/17/dodocrackme2_writeup/
Paper: Factoring 512-bit RSA Moduli for Fun (and a Profit of $9,000)
Abstract. The recent FREAK attack highlighted widespread support
for export-grade RSA keys in TLS servers. We present the results of
an IPv4-wide survey of TLS servers performed roughly one week after
FREAK was announced. We found that only 9.7% of servers now support
such export-grade RSA keys. However, we also found that some keys
are repeated with high frequency, making each of them an attractive
target for a direct factoring attack; one key in particular was repeated
28,394 times. We also computed the pairwise gcds of all the export-grade
RSA moduli that we found, leading to 90 factorisations. These moduli
correspond to 294 different hosts. The computation took less than 3
minutes on an 8-core system, saving the $9,000 that a cloud computation
would have cost if each modulus had been attacked directly. We consider
this to be a good return on investment for a Friday afternoon’s work.
more here........https://martinralbrecht.files.wordpress.com/2015/03/freak-scan1.pdf
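An added example (not the paper's code) of the pairwise-gcd step the abstract describes, run on constructed toy moduli built from small primes so it finishes instantly; 512-bit moduli behave the same way, only the numbers are bigger. It also handles the other observation in the abstract: a modulus that is repeated verbatim across hosts yields gcd(N, N) = N, which says nothing about N's factors, so duplicates are collapsed before the gcd pass and mapped back to hosts afterwards.

```python
from itertools import combinations
from math import gcd

# Constructed toy moduli. P1..P4 are small primes; the products stand in for
# export-grade RSA keys collected from four hosts.
P1, P2, P3, P4 = 1000003, 1000033, 1000037, 1000039
MODULI = [
    P1 * P2,  # host A
    P3 * P4,  # host B: no prime in common with A, gcd is 1
    P1 * P3,  # host C: one prime shared with A, the other with B
    P1 * P2,  # host D: the very same key as A (the paper saw one key 28,394 times)
]


def pairwise_gcd_factor(moduli):
    """Return {modulus: (p, q)} for every modulus that shares a prime with
    another distinct modulus in the set.

    Duplicate moduli are collapsed first: gcd(N, N) = N reveals nothing, and a
    key repeated across many hosts is a target for direct factoring, not for
    this step. The loop is the literal pairwise computation from the abstract,
    quadratic in the number of distinct moduli."""
    unique = sorted(set(moduli))
    factors = {}
    for a, b in combinations(unique, 2):
        g = gcd(a, b)
        if 1 < g < a:
            factors[a] = tuple(sorted((g, a // g)))
        if 1 < g < b:
            factors[b] = tuple(sorted((g, b // g)))
    return factors


def affected_hosts(moduli, factors):
    """Map each factorisation back to every host that presented that modulus,
    which is how 90 factorisations can cover 294 hosts."""
    return [host for host, n in enumerate(moduli) if n in factors]


if __name__ == "__main__":
    found = pairwise_gcd_factor(MODULI)
    for n, (p, q) in sorted(found.items()):
        print("N=%d = %d * %d" % (n, p, q))
    print("hosts with a factored modulus:", affected_hosts(MODULI, found))
```

One shared prime is enough to break both keys that contain it, which is why a single weak random-number generator on one device family poisons every modulus it produced. For scans of hundreds of thousands of keys the quadratic loop is replaced by a product-tree batch gcd; the result is the same, only faster.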
Tool Release – CANBus Protector: a (very simple) CANBus IPS built on two separate pieces of hardware that use one-way communication to get information out of the "trusted" vehicle network.
Continuing in the line of CANBus research and tools release I’d like to announce some quick work on a proof-of-concept CANBus IPS called, unoriginally, the CANBus Protector. I took some time to work on defense of CAN after conducting a lot of vulnerability research in recent weeks.
more here.......http://www.digitalbond.com/blog/2015/03/17/tool-release-canbus-protector/
GHOST Remote Code Execution Exploit
A demonstration of remote code execution of the GHOST vulnerability, delivered as a standalone Metasploit module, is now available. The module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based buffer overflow in the GNU C Library's gethostbyname functions) on x86 and x86_64 GNU/Linux systems that run the Exim mail server.
more here.........https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/03/17/ghost-remote-code-execution-exploit
Door Skimmer + Hidden Camera = Profit
If an ATM you’d like to use is enclosed in a vestibule that requires a card swipe at the door, it might be a good idea to go find another machine, or at least use something other than a payment card to gain entry. Thieves frequently add skimmers to these key card locks and then hide cameras above or beside such ATMs, allowing them to steal your PIN and card data without ever actually tampering with the cash machine itself.
more here........http://krebsonsecurity.com/2015/03/door-skimmer-hidden-camera-profit/
A ready to use Intel PIN Visual Studio project
Intel PIN is a great tool, but configuring a Visual Studio project is not very straightforward from its documentation. I know a couple of people who have heard of it, but have given up after not being able to set up a working project easily.
more here........http://chaplja.blogspot.com/2015/03/a-ready-to-use-intel-pin-visual-studio.html
B-Sides Vancouver CTF 2015 - garbage file
Your buddy Joey left a USB key with some data he needs your help with. He pulled it from the firewall logs at a 'secure file format'-as-a-Service provider, so he's pretty sure it might be protected or obfuscated somehow.
more here...........http://www.sinfocol.org/2015/03/b-sides-vancouver-ctf-2015-garbage-file/
VMDE
Virtual Machines Detection Enhanced, sourced from paper, adapted to 2015 here....https://github.com/hfiref0x/VMDE
Research Spotlight: Exploiting Use-After-Free Vulnerabilities
Talos is constantly researching the ways in which threat actors take advantage of security weaknesses to exploit systems. Yves Younan of Talos will be presenting at CanSecWest on Friday March 20th. The topic of his talk will be FreeSentry, a software-based mitigation technique developed by Talos to protect against exploitation of use-after-free vulnerabilities. Use-after-free vulnerabilities have become an important class of security problems due to the existence of mitigations that protect against other types of vulnerabilities, such as buffer overflows.
more here.......http://blogs.cisco.com/security/talos/exploiting-use-after-free
Teslacrypt Joins Ransomware Field
A newly crafted ransomware, Teslacrypt, has arrived; it encrypts user files with AES and demands money to decrypt them. This ransomware infects systems via a compromised website that redirects victims to a site running the Angler exploit kit. (For more on Angler, read the McAfee Labs Threats Report, February 2015.) Like many others, it encrypts document files, including text, PDF, etc., to force victims to pay a ransom to have their files restored.
more here...........https://blogs.mcafee.com/mcafee-labs/teslacrypt-joins-ransomware-field