Channel: BOT24

Google Analytics by Yoast stored XSS

*Overview*

Google Analytics by Yoast is a WordPress plug-in for monitoring website
traffic. With approximately seven million downloads it’s one of the most
popular WordPress plug-ins.

A security vulnerability in the plug-in allows an unauthenticated attacker
to store arbitrary HTML, including JavaScript, in the WordPress
administrator’s Dashboard on the target system. The JavaScript will be
triggered when an administrator views the plug-in’s settings panel. No
further user interaction is required.

Typically this can be used for arbitrary server-side code execution via the
plugin or theme editors. Alternatively the attacker could change the
administrator’s password, create new administrator accounts, or do whatever
else the currently logged-in administrator can do on the target site.



*Details*

The impact is a combination of two underlying problems. Firstly, missing
access control allows an unauthenticated user to modify some of the
settings associated with the plug-in. It’s possible to overwrite the existing
OAuth2 credentials which the plug-in uses for retrieving data from Google
Analytics, and thereby connect the plug-in with the attacker’s own Google
Analytics account.

Secondly, the plug-in renders an HTML dropdown menu based on the data
downloaded from Google Analytics. This data is not sanitized or
HTML-escaped. If the attacker enters HTML code such as <script> tags
in the properties in their Google Analytics account settings, it will
appear in the WordPress administrative Dashboard of the targeted system and
get executed whenever someone views the settings.
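The two underlying problems map onto two standard WordPress controls: a capability and nonce check on the admin-post handler, and context-aware escaping of data fetched from the remote API before it is rendered. The PHP below is an added illustration written for this page, not code from the plug-in or from Yoast; the hook, function and option names (ga_save_code, ga_handle_auth_code, ga_render_property_dropdown, ga_auth_code) are assumed.

```php
<?php
// Added illustration; not the plug-in's own code. All hook, function and
// option names below are assumed for the example.

// Problem 1: the save-credentials action was reachable without authentication.
// WordPress fires admin_post_nopriv_{action} for visitors who are NOT logged in,
// so registering the handler there is the weak setting:
//   add_action( 'admin_post_nopriv_ga_save_code', 'ga_handle_auth_code' );
// Hardened: register only the logged-in variant and check capability + nonce.
add_action( 'admin_post_ga_save_code', 'ga_handle_auth_code' );

function ga_handle_auth_code() {
    // Only an administrator-level user may change the OAuth credentials.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // The settings form must emit wp_nonce_field( 'ga_save_code' ); this rejects
    // requests that do not carry that nonce (including cross-site submissions).
    check_admin_referer( 'ga_save_code' );

    $code = sanitize_text_field( wp_unslash( $_POST['google_auth_code'] ?? '' ) );
    update_option( 'ga_auth_code', $code );

    wp_safe_redirect( admin_url( 'admin.php?page=ga-settings' ) );
    exit;
}

// Problem 2: property names downloaded from the connected account are
// attacker-influenced data and must be escaped for the HTML context they land in.
function ga_render_property_dropdown( array $properties ) {
    $html = '<select name="ga_property">';
    foreach ( $properties as $id => $name ) {
        // Vulnerable form (what the advisory describes): raw concatenation.
        //   $html .= '<option value="' . $id . '">' . $name . '</option>';
        // Hardened: esc_attr() for the attribute value, esc_html() for the text node.
        $html .= '<option value="' . esc_attr( $id ) . '">'
               . esc_html( $name ) . '</option>';
    }
    return $html . '</select>';
}
```

With esc_html() applied, a property name such as the advisory's `test"><script>...` is rendered as literal text in the dropdown rather than parsed as markup.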



*Proof of Concept*

The following HTML snippet could be used to hijack the Google Analytics
account of a website running a vulnerable version of the plug-in:

    <a href="http://YOUR.BLOG/wp-admin/admin-post.php?reauth=1">reauth</a>
    <br><br>
    <form method=POST action="http://YOUR.BLOG/wp-admin/admin-post.php">
    <input type=text size=100 name="google_auth_code">
    <input type=submit>
    </form>


First, the attacker would click the reauth link. The action doesn't require
any kind of authentication. It will reset some of the plugin settings and
redirect the attacker to a google.com OAuth dialog, where they'd get an
authentication code.

Next the attacker would copy-paste the code in the above form and submit.
This would update the code in the plugin settings - again without requiring
authentication. The plugin would now retrieve its data from the attacker's
Google Analytics account.

The actual payload script would be entered at the attacker's own Google
Analytics account settings at

https://www.google.com/analytics/web/?hl=en#management/Settings/

An example of a property name:

    test"><script>alert('stored XSS')</script>

This would fire an alert box whenever an administrator views the Analytics
settings page in the Dashboard of the target WordPress site.

A real-world attack would probably use a src attribute to load a more
sophisticated script from an external site. It could make chained ajax
calls to load and submit administrative forms, including those of the
plugin editor to write server-side PHP code, and finally execute it.




*Solution*

Yoast was notified on March 18, 2015. A new version of the plug-in (5.3.3)
was released the next day.



*Credits*

The vulnerability was found by Jouko Pynnönen of Klikki Oy, Finland.

An up-to-date version of this document is available at
http://klikki.fi/adv/yoast_analytics.html

Flood Shield

Flood Shield is a very fast http flood blocker
Please be aware! It's the first beta release of the tool!

We sniff and parse all incoming http requests. If any IP made more than XX requests per second (with same host, method and URI) we will trigger ipset ban immediately.

more here...........https://github.com/FastVPSEestiOu/flood_shield

Transcript/Slides: DLL Hijacking on OS X Presentation CanSecWest

An outline: history of DLL hijacking; dylib hijacking attacks & defenses; finding ‘hijackables’; loader/linker features.

more here......http://www.slideshare.net/Synack/can-secw?=

Taming the wild copy: Parallel Thread Corruption

Back in 2002, a very interesting vulnerability was found and fixed in the Apache web server. Relating to a bug in chunked encoding handling, the vulnerability caused a memcpy() call with a negative length with the destination on the stack. Of course, many parties were quick to proclaim the vulnerability unexploitable beyond a denial of service. After all, a negative length to memcpy() represents a huge copy which is surely guaranteed to hit an unmapped page and terminate the process. So it was a surprise when a working remote code execution exploit turned up for FreeBSD and other BSD variants, due to a quirk in their memcpy() implementations!

more here......http://googleprojectzero.blogspot.ca/2015/03/taming-wild-copy-parallel-thread.html

Face Recognition Security, Even With A "Blink Test," Is Easy To Trick

Jack Ma, CEO of the Chinese retail giant Alibaba--that country's answer to Amazon--announced at the CeBit conference in Germany this week that the site would soon let you purchase goods and authorize payment using facial recognition.


Which made me wonder: how hard would it be to trick?

more here.........http://www.popsci.com.au/tech/face-recognition-security-even-with-a-blink-test-is-easy-to-trick,401860

Paper: Rearing its Seven Ugly Heads: the DLL-Preload Attack

Abstract
In computer science and fashion alike, comebacks are often unavoidable, yet not always desirable
(think “mullet”). But while the vagaries of fashion are impenetrable, trends in computer security
follow logical rules. For instance, the implementation of mitigation technologies in modern OS
(such as DEP and ASLR on Windows) has made leveraging a memory corruption bug into a
working exploit a tremendously difficult task today. As a consequence, ancient exploitation
techniques that don’t rely on memory corruption seem to become popular again. The
DLL-Preload Attack is one such technique.
This attack relies on a MS Windows system feature, which, in certain circumstances (read: when
an application developer lacked caution or knowledge. But who never does?) can be abused to
achieve escalation of privilege. Combined with either another exploit or simply a pinch of social
engineering, it can even perfectly lead to execution of arbitrary code on the system by a remote
attacker.
This paper’s aim is twofold: raise awareness on the issue - although this attack is not new, many
applications, including very high profile ones, are subject (i.e. “vulnerable”) to it - and foster best
practice for developers and testers.
Both aims are addressed by highlighting 7 typical mistakes in the development/QA process of
applications that lead them to be vulnerable, identified via the analysis of 7 previously
unreleased instances of the vulnerability, in the following applications/OS: [pending disclosure],
[pending disclosure], [pending disclosure], [pending disclosure], [pending disclosure], [pending
disclosure], and [pending disclosure].
The paper concludes on the responsibility of application vendors in future instances of the
vulnerability, as a system-wide solution that would not break backward compatibility is unlikely
to exist.

more here......http://www.fortiguard.com/files/DLL-Preload_Attack.pdf

PACKAGER SHELL OBJECT BEING USED AS INFECTION VECTOR

Today, something interesting came across my desk. A user forwarded me an email that claimed to be an invoice and attached to it was a word document. At first, I was excited to take a look at another malicious office macro. When I opened the document, I was kind of let down. All I saw was an embedded Excel file

more here...........https://enigma0x3.wordpress.com/2015/03/19/packager-shell-object-being-used-as-infection-vector/

GoDaddy accounts vulnerable to social engineering and Photoshop

GoDaddy's layered verification protections defeated by a phone call and four hours in Photoshop

more here.........http://www.csoonline.com/article/2898128/disaster-recovery/godaddy-accounts-vulnerable-to-social-engineering-and-photoshop.html

BadXNU, a rotten apple! – CodeBlue 2014, SyScan 2015 slides and source code

The last SyScan is almost here so it’s time to get again into a plane and travel to Singapore.
This means that the slides and source code can finally be released. Below you can find the archive with both presentations slides (they are slightly different, SyScan fixes/upgrades a few things) and full source code for both rootkit/kext loaders.

more here..........https://reverse.put.as/2015/03/19/badxnu-a-rotten-apple-codeblue-2014-syscan-2015-slides-and-source-code/

CVE-2015-0336 (Flash up to 16.0.0.305) and Exploit Kits

As reported by Malwarebytes and FireEye, Nuclear Pack is now taking advantage of a vulnerability patched with the last version of Flash Player ( 17.0.0.134 )

more here..........http://malware.dontneedcoffee.com/2015/03/cve-2015-0336-flash-up-to-1600305-and.html

Paper: Poisoning Network Visibility in Software-Defined Networks: New Attacks and Countermeasures

Abstract—Software-Defined Networking (SDN) is a new networking
paradigm that grants a controller and its applications
an omnipotent power to have holistic network visibility and
flexible network programmability, thus enabling new innovations
in network protocols and applications. One of the core advantages
of SDN is its logically centralized control plane to provide the
entire network visibility, on which many SDN applications rely.
For the first time in the literature, we propose new attack vectors
unique to SDN that seriously challenge this foundation. Our new
attacks are somewhat similar in spirit to spoofing attacks in legacy
networks (e.g., ARP poisoning attack), however with significant
differences in exploiting unique vulnerabilities in how current SDN
operates differently from legacy networks. The successful attacks
can effectively poison the network topology information,
a fundamental building block for core SDN components and
topology-aware SDN applications. With the poisoned network
visibility, the upper-layer OpenFlow controller services/apps may
be totally misled, leading to serious hijacking, denial of service
or man-in-the-middle attacks. According to our study, all current
major SDN controllers we find in the market (e.g., Floodlight,
OpenDaylight, Beacon, and POX) are affected, i.e., they are
subject to the Network Topology Poisoning Attacks. We then
investigate the mitigation methods against the Network Topology
Poisoning Attacks and present TopoGuard, a new security extension
to SDN controllers, which provides automatic and real-time
detection of Network Topology Poisoning Attacks. Our evaluation
on a prototype implementation of TopoGuard in the Floodlight
controller shows that the defense solution can effectively secure
network topology while introducing only a minor impact on
normal operations of OpenFlow controllers.

more here.........http://www.internetsociety.org/sites/default/files/10_4_2.pdf

Xerces-C Security Advisory [CVE-2015-0252]

CVE-2015-0252: Apache Xerces-C XML Parser Crashes on Malformed Input

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions
prior to V3.1.2

Description: The Xerces-C XML parser mishandles certain kinds of
malformed input documents, resulting in a segmentation fault during
a parse operation. The bug does not appear to allow for remote code
execution, but is a denial of service attack that in many applications
may allow for an unauthenticated attacker to supply malformed input
and cause a crash.

Mitigation: Applications that are using library versions older than
V3.1.2 should upgrade as soon as possible. Distributors of older versions
should apply the patches from this Subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=1667870

Credit: This issue was reported independently by Anton Rager and Jonathan
Brossard from the Salesforce.com Product Security Team and by Ben Laurie
of Google.

References:
http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt

PoC||GTFO 0x07 is out

Neighbors, please join me in reading this eighth release of the International Journal of Proof of Concept or Get the F Out, a friendly little collection of articles for ladies and gentlemen of distinguished ability and taste in the field of software exploitation and the worship of weird machines.

more here.......https://www.alchemistowl.org/pocorgtfo/pocorgtfo07.pdf

python-oletools - python tools to analyze OLE files

python-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on my olefile parser.

more here.........http://www.decalage.info/python/oletools

DRIVE IT YOURSELF: USB CAR

EVER WONDERED HOW DEVICE DRIVERS ARE REVERSE ENGINEERED? WE’LL SHOW YOU WITH A SIMPLE YET COMPLETE EXAMPLE HERE.......http://www.linuxvoice.com/drive-it-yourself-usb-car-6/

GitLab User Enumeration

MWR InfoSecurity discovered a username enumeration vulnerability in GitLab v5.0.0 to v7.5.0, which provides a Ruby on Rails web interface to manage git repositories. MWR have worked with the GitLab team to ensure that future versions of GitLab are no longer vulnerable to this issue.

more here........https://labs.mwrinfosecurity.com/blog/2015/03/20/gitlab-user-enumeration/

mimikatz 2.0 alpha 20150320 (oe.eo) edition just released

A little tool to play with Windows security
Includes Windows 10 support/Domain and SID from hives here https://github.com/gentilkiwi/mimikatz/releases/tag/2.0.0-alpha-20150320


Buffer-Overflows

An introduction to buffer overflow vulnerabilities exploitation here.......https://github.com/JasonPap/Buffer-Overflows

rfishell

Provide a shell-like interface for exploiting Remote File Inclusion vulnerabilities here........https://github.com/superkojiman/rfishell

findsploit

Findsploit is a simple bash script to quickly and easily search both local and online exploit databases.
more here........https://github.com/1N3/findsploit