DarkComet, adWind, CyberGate and more here......http://malwareconfig.com/
↧
Malware Database
↧
The email that's watching you (includes a video demonstrating exploitation of IBM iNotes with BeEF using CVE-2014-0913)
Cross-site Scripting (XSS) is probably the most common security vulnerability in web applications. Nevertheless, the impact of XSS is still seriously underestimated by many people and even major companies. The CVE-scores given for Cross-Site Scripting issues are low on average. But an adversary doesn't care about scores if Cross-site Scripting vulnerabilities will make his dreams come true.
The impact of Cross-site Scripting in webmail applications does not differ from those in regular web applications. However, mail infrastructure is a top-notch target for a Cross-Site Scripting (XSS) attack.
We released a paper that explains why Cross-Site Scripting in webmail applications is a serious issue.
more here.......http://blog.beefproject.com/2015/04/the-email-thats-watching-you.html
↧
ScratchABit Incremental Disassembler
ScratchABit is an interactive incremental disassembler with data/control
flow analysis capabilities. ScratchABit is dedicated to the efforts of
the OpenSource reverse engineering community (reverse engineering to
produce OpenSource drivers/firmware for hardware not properly supported
by vendors).
more here.........https://github.com/pfalcon/ScratchABit
↧
A Million Lines of Bad Code
This is the story of some bad code I wrote here......http://varianceexplained.org/programming/bad-code/
↧
Operation RussianDoll: Adobe & Windows Zero-Day Exploits Likely Leveraged by Russia’s APT28 in Highly-Targeted Attack
FireEye Labs recently detected a limited APT campaign exploiting zero-day vulnerabilities in Adobe Flash and a brand-new one in Microsoft Windows. Using the Dynamic Threat Intelligence Cloud (DTI), FireEye researchers detected a pattern of attacks beginning on April 13th, 2015. Adobe independently patched the vulnerability (CVE-2015-3043) in APSB15-06. Through correlation of technical indicators and command and control infrastructure, FireEye assesses that APT28 is probably responsible for this activity.
Microsoft is aware of the outstanding local privilege escalation vulnerability in Windows (CVE-2015-1701). While there is not yet a patch available for the Windows vulnerability, updating Adobe Flash to the latest version will render this in-the-wild exploit innocuous. We have only seen CVE-2015-1701 in use in conjunction with the Adobe Flash exploit for CVE-2015-3043. The Microsoft Security Team is working on a fix for CVE-2015-1701.
Exploit overview here..........https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
↧
VolDiff: Malware Memory Footprint Analysis
VolDiff is a bash script that runs Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes.
VolDiff is a simple yet powerful malware analysis tool that enables malware analysts to quickly identify IOCs and understand advanced malware behaviour.
more here........https://github.com/houcem/VolDiff
↧
Mimosa-Framework
Mimosa Framework to abuse EPC functionality on CISCO Routers here.........https://github.com/rfdslabs/Mimosa-Framework
↧
jQuery considered harmful
Heh, I always wanted to do one of those “X considered harmful” posts.
Before I start, let me say that I think jQuery has helped tremendously to move the Web forward. It gave developers power to do things that were previously unthinkable, and pushed the browser manufacturers to implement these things natively (without jQuery we probably wouldn’t have document.querySelectorAll now). And jQuery is still needed for those that cannot depend on the goodies we have today and have to support relics of the past like IE8 or worse.
However, as much as I feel for these poor souls, they are the minority. There are tons of developers that don’t need to support old browsers with a tiny market share. And let’s not forget those who aren’t even Web professionals: Students and researchers not only don’t need to support old browsers, but can often get by just supporting a single browser! You would expect that everyone in academia would be having tons of fun using all the modern goodies of the Open Web Platform, right? And yet, I haven’t seen jQuery being so prominent anywhere else as much as it is in academia. Why? Because this is what they know, and they really don’t have the time or interest to follow the news on the Open Web Platform. They don’t know what they need jQuery for, so they just use jQuery anyway. However, being able to do these things natively now is not the only reason I’d rather avoid jQuery.
more here.......http://lea.verou.me/2015/04/jquery-considered-harmful/
↧
afl-fuzz fixup shim, pdflex (Minimal and hacky PDF lexer), Crashwalk, Francis, Terry and Gootool
afl-fuzz fixup shim is a skeleton to fix up tests for afl-fuzz >= 1.52. I've used a Go fixer, but it should work for any language. more here......https://github.com/bnagy/aflfix
pdflex here.......https://github.com/bnagy/pdflex
Crashwalk: bucket and triage on-disk crashes (OSX and Linux) here....https://github.com/bnagy/crashwalk
Francis: LLDB engine based tool to instrument OSX apps and triage crashes here....https://github.com/bnagy/francis
Terry: wrap radamsa on OSX, add instrumentation / triage here.....https://github.com/bnagy/terry
and Gootool: silly PoC of a limited otool clone based on the capstone disassembly lib here.....https://github.com/bnagy/gootool
↧
Slides: An overview of PDF potential leaks
Awareness about preventing information leaks via PDFs, with PoCs, here.....https://speakerdeck.com/ange/an-overview-of-pdf-potential-leaks
↧
libxml2 issue found in Shopify: out-of-bounds memory access when parsing an unclosed HTML comment
This is an out-of-bounds memory access in libxml2. By entering an unclosed HTML comment such as <!-- the libxml2 parser didn't stop parsing at the end of the buffer, causing random memory to be included in the parsed comment that was returned to Ruby. In Shopify, this caused Ruby objects from previous HTTP requests to be disclosed in the rendered page.
more here.........https://hackerone.com/reports/57125#activity-384861
↧
gr-nacl - GNU Radio module for data encryption using NaCl library
The gr-nacl module for GNU Radio provides functionality from the NaCl crypto library implemented with the fork libsodium (see section 'Dependency' for more information). This contains public-key and secret-key encryption. The difference is explained, e.g., on Wikipedia [0]. The implementation is based on encryption of messages, which are passed in GNU Radio via the message system. Check out the GNU Radio documentation for further information [1]. Furthermore, a byte stream encryption method via tagged streams is implemented.
The functionality can be tested with the example flowgraphs for GNU Radio Companion at the subfolder examples/ or directly with the provided test-cases for ctest.
more here........https://github.com/stwunsch/gr-nacl
↧
Pharaoh - PHAR Comparison Tool
A tool to compare executable PHP Archives (.phar files) here.....https://github.com/paragonie/pharaoh
Previously, there wasn't a tool available that specifically worked with
.phar files, which differ from just a .zip or .tar in that they have an
executable stub which allows you to do something like this:
<?php
include "vendor/acme/deliverable.phar";   // the stub executes, then the archive's classes are loadable
$foo = new \Acme\Deliverable\Foo();       // 'new' was missing in the original snippet
$bar->process($foo);                      // $bar stands for whatever consumer object uses Foo
Pharaoh is useful for open source projects that distribute a .phar
(phpunit, composer, etc.). Since many of these projects do not sign their
.phar, if their server gets hacked it would be trivial to slip in a bit of
extra code in the stub (add a public key to ~/.ssh/authorized_keys, etc).
The idea is that someone can download the .phar from their website, build
the same one from source, then use Pharaoh to compare them and detect this
malicious tampering. (And then, hopefully, blow the whistle to disrupt the
campaign.)
Authored by Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
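As an added illustration of the comparison Pharaoh automates (example code written here, not the Pharaoh project's own), the Python below splits a .phar into its stub, manifest and file data and reports which region differs between a downloaded archive and one rebuilt from source; build_phar is a constructed minimal writer that exists only to feed the demo.

```python
import struct
import zlib

HALT = b"__HALT_COMPILER();"

def split_phar(blob: bytes):
    """Split a .phar image into (stub, manifest, file_data). The stub ends with
    __HALT_COMPILER(); plus an optional ' ?>' and newline; the manifest follows,
    prefixed by its 4-byte little-endian length; the rest is file contents and
    any signature block, which is enough for a byte-level comparison."""
    pos = blob.find(HALT)
    if pos < 0:
        raise ValueError("not a phar: __HALT_COMPILER(); marker missing")
    end = pos + len(HALT)
    for tail in (b" ?>\r\n", b" ?>\n", b" ?>", b"\r\n", b"\n"):
        if blob.startswith(tail, end):
            end += len(tail)
            break
    (manifest_len,) = struct.unpack_from("<I", blob, end)
    manifest = blob[end + 4:end + 4 + manifest_len]
    return blob[:end], manifest, blob[end + 4 + manifest_len:]

def compare_phars(downloaded: bytes, rebuilt: bytes) -> dict:
    """Report which regions differ. A changed stub over identical file data is
    the pattern of code slipped into the loader rather than a new release."""
    s1, m1, f1 = split_phar(downloaded)
    s2, m2, f2 = split_phar(rebuilt)
    return {"stub": s1 != s2, "manifest": m1 != m2, "files": f1 != f2}

def build_phar(stub: bytes, files: dict) -> bytes:
    """Constructed minimal unsigned phar writer used only to feed the demo; it
    follows the documented manifest layout but is not PHP's Phar extension."""
    entries = b""
    data = b""
    for name, content in files.items():
        # filename length, filename, then uncompressed size, timestamp,
        # compressed size, CRC32, per-file flags, per-file metadata length
        entries += struct.pack("<I", len(name)) + name
        entries += struct.pack("<6I", len(content), 0, len(content),
                               zlib.crc32(content), 0, 0)
        data += content
    # number of files, API version, global flags, alias length (none),
    # metadata length (none), then the file entries
    body = struct.pack("<IHIII", len(files), 0x1100, 0, 0, 0) + entries
    return stub + struct.pack("<I", len(body)) + body + data

if __name__ == "__main__":
    files = {b"src/Foo.php": b"<?php class Foo {}\n"}
    clean = build_phar(b"<?php " + HALT + b" ?>\r\n", files)
    tampered = build_phar(b"<?php /* extra code */ " + HALT + b" ?>\r\n", files)
    print(compare_phars(tampered, clean))  # {'stub': True, 'manifest': False, 'files': False}
```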
↧
Playing with Content-Type – XXE on JSON Endpoints
Many web and mobile applications rely on web services communication for client-server interaction. Most common data formats for web services are XML, whether SOAP or RESTful, and JSON. While a web service may be programmed to use just one of them, the server may accept data formats that the developers did not anticipate. This may result in JSON endpoints being vulnerable to XML External Entity attacks (XXE), an attack that exploits weakly configured XML parser settings on the server.
XXE is a well-known attack against XML endpoints. To exploit it, external entity declarations are included in the XML payload, and the server expands the entities, potentially resulting in read access to the web server’s file system, remote file system access via UNC paths, or connections to arbitrary hosts over HTTP/HTTPS.
more here..........https://blog.netspi.com/playing-content-type-xxe-json-endpoints/
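Added example, not from the NetSPI post: a JSON-only endpoint that picks its parser by sniffing the body (the unanticipated-format behaviour the post describes) beside one that gates on the declared Content-Type and, for endpoints that must parse XML, refuses any DTD; the requests are constructed and the SYSTEM target in the sample XML is a placeholder.

```python
import json
import re

# Constructed sample requests to a JSON-only endpoint. The XML body carries the
# external entity declaration the technique relies on; the target is a placeholder.
XML_BODY = (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE data [<!ENTITY ext SYSTEM "file:///placeholder">]>\n'
            b'<data>&ext;</data>')
REQUESTS = [
    ("application/json", b'{"data": "hello"}'),
    ("application/xml", XML_BODY),                 # XML sent to a JSON endpoint
    ("application/json", XML_BODY),                # XML mislabelled as JSON
    ("application/json; charset=utf-8", b'{"data": 1}'),
]
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

def media_type(content_type: str) -> str:
    """'Application/JSON; charset=utf-8' -> 'application/json'."""
    return content_type.split(";", 1)[0].strip().lower()

def sniffing_dispatch(content_type: str, body: bytes) -> str:
    """The unanticipated-format trap: choose the parser from the body, so an
    XML document reaches the XML parser no matter what the endpoint expects."""
    return "xml" if body.lstrip().startswith(b"<") else "json"

def strict_dispatch(content_type: str, body: bytes) -> str:
    """Hardened: only the declared JSON media type is accepted and the body must
    actually parse as JSON; nothing else ever reaches a parser."""
    if media_type(content_type) != "application/json":
        return "reject:content-type"
    try:
        json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return "reject:not-json"
    return "json"

def xml_allowed(body: bytes) -> bool:
    """Defence in depth for endpoints that must parse XML: refuse documents that
    carry a DTD, since that is where entities are declared. This is a byte-level
    check: decode non-UTF-8 bodies first, and still disable entity loading in
    the parser itself."""
    return DOCTYPE_RE.search(body) is None

if __name__ == "__main__":
    for ctype, body in REQUESTS:
        print(ctype, "| sniffing ->", sniffing_dispatch(ctype, body),
              "| strict ->", strict_dispatch(ctype, body))
```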
↧
The power of DNS rebinding: stealing WiFi passwords with a website
DNS rebinding attacks have been known for a long time as useful tools in the hands of attackers for subverting the browser Same-origin policy. The attack abuses DNS, changing the IP address of a website after serving the page contents, usually with some ad-hoc JavaScript payload, tricking the browser into waiting some time for the DNS cache to invalidate and then performing other requests, still believing it is connecting to the same host, while in reality it is now communicating with a new IP chosen by the attacker. As a result, the attacker can access internal services, exfiltrate information and do other nasty stuff.
Ready-made proof of concept tools exist and mitigations are hard to deploy and not always effective (for example, DNS pinning is not a panacea and dnswall only filters out private IP addresses in DNS response, protecting from just some attacks).
read more here........https://miki.it/blog/2015/4/20/the-power-of-dns-rebinding-stealing-wifi-passwords-with-a-website/
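The rebound request still arrives with the attacker's hostname in the HTTP Host header, which is the one thing the internal service can check. As an added example (not from the post or its PoC), assuming an internal device legitimately reached as router.local at constructed addresses, a Host-header allow-list check:

```python
import ipaddress

# Constructed allow-list (example values): the name and addresses the service
# is legitimately reached by. A rebound request carries none of them in Host.
ALLOWED_NAMES = {"router.local"}
ALLOWED_ADDRS = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("fe80::1")}

def host_from_header(host_header: str) -> str:
    """Return the host part of a Host header, lower-cased, without the port.
    Handles 'name', 'name:port', 'a.b.c.d:port', '[v6]' and '[v6]:port';
    a malformed bracketed literal yields '' and is rejected downstream."""
    h = host_header.strip().lower()
    if h.startswith("["):
        return h[1:h.index("]")] if "]" in h else ""
    if h.count(":") == 1:          # exactly one colon: hostname or IPv4 with a port
        h = h.rsplit(":", 1)[0]
    return h.rstrip(".")           # 'router.local.' is the same name

def host_is_allowed(host_header: str) -> bool:
    """Accept only if the browser believes it is talking to one of our own
    names or addresses; an IP literal is compared as an address, so
    '192.168.1.1.attacker.example' does not pass as 192.168.1.1."""
    host = host_from_header(host_header)
    if not host:
        return False
    try:
        return ipaddress.ip_address(host) in ALLOWED_ADDRS
    except ValueError:
        return host in ALLOWED_NAMES

if __name__ == "__main__":
    # Constructed sample Host headers: legitimate access vs. a rebound origin.
    for hdr in ("192.168.1.1", "Router.Local:8080", "[fe80::1]:443",
                "attacker.example", "192.168.1.1.attacker.example"):
        print(f"{hdr!r:40} allowed={host_is_allowed(hdr)}")
```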
↧
TCP load balancing code
TCP load balancing code from Nginx Plus is now available publicly here......http://hg.nginx.org/nginx/rev/61d7ae76647d
↧
Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins
Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.
The official WordPress documentation (Codex) for these functions was not very clear and misled many plugin developers into using them in an insecure way. The developers assumed that these functions would escape the user input for them, when they do not. This simple detail caused many of the most popular plugins to be vulnerable to XSS.
more here.....https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
↧
Introducing a cross-platform debugger for Go
This tool was introduced on the 4th of this month but here is an additional article published today.....http://blog.mailgun.com/introducing-a-new-cross-platform-debugger-for-go/
↧
Experimental Use of 64-bit Dump of 32-bit .NET Process in WinDbg
A .NET dmp file is typically best captured as 32-bit for a 32-bit process. On an x64 system this could be done using the 32-bit task manager (C:\windows\syswow64\taskmgr.exe), WinDbg (x86), or a tool like ProcDump (http://live.sysinternals.com/ProcDump.exe)
However, what if a 32-bit .NET process has already been captured in a 64-bit dmp file, and the issue is really hard to reproduce?
more here.........https://chentiangemalc.wordpress.com/2015/04/17/experimental-use-of-64-bit-dump-of-32-bit-net-process-in-windbg/
↧
Patching a Null Pointer Access Violation
An application was crashing about 5 times a day, so crash dumps were enabled via the registry https://msdn.microsoft.com/en-us/library/windows/desktop/bb787181(v=vs.85).aspx
Looking at the dmp files, the program always crashed at the same point in the program. more here......https://chentiangemalc.wordpress.com/2015/04/17/patching-a-null-pointer-access-violation/
↧