Quantcast
Channel: BOT24
Viewing all 8064 articles
Browse latest View live

Paper: I Know Where You’ve Been: Geo-Inference Attacks via the Browser Cache & Video Attack Demo

April 24, 2015, 9:35 am
$
0
0
Abstract—Many websites customize their services according
to different geo-locations of users, to provide
more relevant content and better responsiveness, including
Google, Craigslist, etc. Recently, mobile devices further
allow web applications to directly read users’ geo-location
information from GPS sensors. However, if such websites
leave location-sensitive content in the browser cache, other
sites can sniff users’ geo-locations by utilizing timing sidechannels.
In this paper, we demonstrate that such geolocation
leakage channels are widely open in popular
web applications today, including 62% of Alexa Top 100
websites. With geo-inference attacks that measure the
timing of browser cache queries, we can locate users’
countries, cities and neighborhoods in our case studies.
We also discuss whether existing defenses can effectively
prevent such attacks and additional support required for
a better defense deployment.




Search

Cisco releases first transparency report, showing literally nothing to hide

April 24, 2015, 9:38 am

3rd German PowerShell Conference Materials & Impressions

April 24, 2015, 9:41 am

TRACE A CHAIN OF DNS SERVERS BACK TO THE SOURCE

April 24, 2015, 12:38 pm

Pre-authentication XXE vulnerability in the Services Drupal module

April 24, 2015, 12:41 pm
$
0
0
From the Drupal website (https://www.drupal.org/project/services), the
Services module is:
“A standardized solution of integrating external applications with Drupal.
Service callbacks may be used with multipleinterfaces like REST, XMLRPC,
JSON, JSON-RPC, SOAP, AMF, etc. This allows a Drupal site to provide
web services viamultiple interfaces while using the same callback code."
The Services module can be configured to enable REST endpoints. The
REST handler can deals with JSON messages, PHP serialized objects and
also XML messages.

1.2. The issue
We discovered that the function handling XML REST requests does not
disable external entity loading when parsing XML messages sent by remote
users. If a user sends crafted XML messages referencing external resources
such as local files,the XML parser will load them during the message processing.
Using several tricks, the remote user can read local files.

In addition, we discovered that authentication and user rights are checked after
processing the message. Consequently, the vulnerability can be triggered without
being authenticated. A successful exploitation could allow anyone to read
arbitrary files on the remote file system, including the Drupal settings.php file.

more here..........http://synacktiv.ninja/ressources/synacktiv_drupal_xxe_services.pdf

Announcing ShadowOS

April 24, 2015, 3:46 pm

phpMyBackupPro Multiple Vulnerabilities

April 24, 2015, 5:39 pm
$
0
0 
* Affected software: phpMyBackupPro
* Website: http://www.phpmybackuppro.net/

* Changelog: File doc/HISTORY.txt in the release zip file states
"03/26/2015: v.2.5:  security fixes in mutli user mode, minor bug
fixes"

* Reported by: Matthew Daley
* Timeline:
2015-03-26: Private disclosure to vendor
2015-03-27: Vendor response
2015-03-31: v2.5 released
2015-04-04: Private note to vendor that some issues (#2, #3, #4 below)
remain unfixed
2015-04-25: Public disclosure


--- Issue #1: SQL injection in multi-user mode

* Affected versions: ? -> 2.4
* Fixed version: 2.5
* Bug entry: https://sourceforge.net/p/phpmybackup/bugs/35/ (still private)

* Description:
In multi-user mode, the username and password given when a user logs
in is not escaped before interpolation into the SQL query that is used
to look up users in the database. Hence, it is vulnerable to a simple
SQL injection attack.

The injection occurs at line 70 of login.php:
$res=mysql_query("select * from user where
(User='".$_POST['username']."' or User='') and
password=password('".$_POST['password']."')");

The documentation given in documentation/MULTI_USER_MODE.txt states:
You will have to provide the MySQL root account data which are used by phpMyBackupPro to determine all available 
MySQL users.
Hence, it's highly likely that unauthenticated attackers are able to
enumerate all database entries and complete database configuration
information, such as user password hashes, using this vulnerability. A
tool such as sqlmap can be (and has been) used to do this.

It's also possible to exploit this vulnerability in order to log in as
any user given a victim's username. To do so, an attacker logs in with
the victim's username and the string "') OR 1=1-- " as password.

It's also possible to "log in" without a known username. To do so, an
attacker logs in with a username such as "../../../../../../../../tmp"
(which gets injected into the per-user configuration file path) and
the password string given above. This allows phpMyBackupPro to create
a multi-user config file in the /tmp directory regardless of how the
per-user configuration file path been configured.

In v2.5, this issue is fixed.


--- Issue #2: Arbitrary code execution through user configuration variables

* Affected versions: ? -> 2.5
* Fixed version: none
* Bug entry: https://sourceforge.net/p/phpmybackup/bugs/36/ (still private)

* Description:
It's possible, once logged in to phpMyBackupPro, to execute arbitrary
PHP code. This is done by injecting it into a configuration variable
using a PHP variable variable or by breaking out of the string literal
in which the variable's value is stored in the user's configuration
file.

For example, setting a user's "delete local backups after x days"
configuration variable to the following value causes the file /tmp/xyz
to be created:
${`touch /tmp/xyz`}

The value is stored unchanged in the user's configuration file
(phpMyBackupPro_conf.php) as follows:
$CONF['del_time']=htmlspecialchars_decode("${`touch /tmp/xyz`}");

As the value is not escaped before being interpolated into the
configuration file's content, the embedded PHP code (in this case, a
single backticked shell statement) will be executed when the
configuration file is include_once'd. This includes the next loading
of any phpMyBackupPro page by that user.

(Note: Upon setting the value, the message "delete local backups after
x days' is not correct!" will be displayed; however, the setting is
still written to the user's configuration file.)

In v2.5, it is no longer possible to use PHP variable variables to
gain RCE in this way. However, it is still possible to break out of
the configuration variable's value string literal and achieve RCE in
other ways (e.g. \');`touch /tmp/xyz`;// ).


--- Issue #3: Information disclosure through get_file.php functionality

* Affected versions: ? -> 2.5
* Fixed version: none
* Bug entry: https://sourceforge.net/p/phpmybackup/bugs/37/ (still private)

* Description:
It's possible, once logged in to phpMyBackupPro, to view (among other
filetypes) the content of any .php file using the functionality
provided by the get_file.php file. This includes the content of
phpMyBackupPro's own configuration files, which contain sensitive
information such as root database credentials.

For example, after logging in, a request to get_file.php can be made
to retrieve the content of definitions.php by using the following URL:
http://[host]/phpMyBackupPro/get_file.php?view=definitions.php

This will output the content of definitions.php, including the
location of the global configuration file (as the value of the
_PMBP_GLOBAL_CONF variable). Using this information, another request
can be made, this time for this global configuration file:
http://[host]/phpMyBackupPro/get_file.php?view=/[path]/global_conf.php

This will disclose the content of the global configuration file,
including root database credentials.

In v2.5, it is no longer possible to disclose the content of
phpMyBackupPro's configuration files by using get_file.php with a
direct path reference to the configuration file in question. However,
it is still possible by using indirect path references (e.g. replacing
"../../files/global_conf.php" with
"../../files/../files/global_conf.php").


--- Issue #4: Arbitrary code execution through scheduled backup scripts

* Affected versions: ? -> 2.5
* Fixed version: none
* Bug entry: https://sourceforge.net/p/phpmybackup/bugs/38/ (still private)

* Description:
It's possible, once logged in to phpMyBackupPro, to execute arbitrary
PHP code. This is done by injecting it into an automatically-generated
scheduled backup script.

Many of the user-specified parameters used when generating a scheduled
backup script are not correctly escaped before being interpolated into
the script; for example, the "period" parameter.

This can be exploited by eg. using curl:
curl -b 'PHPSESSID=[session cookie]' -d 'man_dirs=x&path=[writeable
path]/&filename=rce.php&period=;echo+"<h1>RCE</h1>"'
'http://[host]/phpMyBackupPro/scheduled.php&apos;

This will lead scheduled.php to create a scheduled backup script named
"rce.php" in the attacker-specified writable path with the following
content:
<?php
// This script was created by phpMyBackupPro v.2.4
(http://www.phpMyBackupPro.net)
// In order to work probably, it must be saved in the directory writable/.
$_POST['man_dirs']="x";
$period=(3600*24);echo "<h1>RCE</h1>";
$security_key="d06378763f9369ceea61663c33e0e8ca";
// switch to the phpMyBackupPro v.2.4 directory
@chdir("/var/www");
@include("backup.php");
// switch back to the directory containing this script
@chdir("writable/");
?>

Note that the "period" value is interpolated into the content without
being escaped. The attacker can then execute the newly-created
"rce.php", along with the injected PHP code, by making a normal HTTP
request for the file.

This obviously requires the attacker to know a web-accessible and
web-writeable directory to pass in as the "path" parameter to
scheduled.php.

In v2.5, it is no longer possible to split the "period" PHP statement
with a semicolon. However, it is possible to still inject code using
many other methods (e.g. .print("RCE") ). There are also other
injectable parameters, e.g. dirs[]=".print("RCE2")."' .

Sans Report on Iranian Cyber Attacks as reported by Norse and the American Enterprise Institute

April 24, 2015, 5:48 pm
$
0
0
On April 15, 2015 the New York Times released an article titled “Iran is Raising
Sophistication and Frequency of Cyberattacks, Study Says.”1 The article focuses
on the Iranian cyber threat as a whole but a significant portion of the article
highlighted a report by Norse, a cybersecurity intelligence company, and the
American Enterprise Institute (AEI). The article highlighted findings in an
upcoming Norse and AEI report. The report stated there were significant
increases in attacks on critical infrastructure and industrial control systems (ICS)
by the Iranian government. The report released by AEI and Norse, titled “The
Growing Cyberthreat from Iran”2 revealed claims of hundreds of thousands of
cyber attacks on worldwide infrastructure by Iran.

The purpose of this Defense Use Case (DUC) is to evaluate what can be learned
from the Norse report while also taking the opportunity to educate on what the
cyber security community would typically deem to be a cyber attack on ICS. After
reviewing the data provided in the report we agree that the data could be
interesting if put into proper context or analyzed along with additional data.
However, the data and events described in the report do not conclusively meet
the threshold of what the authors of this DUC would deem as ICS cyber attacks.

more here..........http://ics.sans.org/media/SANSICS-DUC3-Norse-Iran-Report.pdf
Search

Google: A Javascript-based DDoS Attack as seen by Safe Browsing

April 24, 2015, 5:51 pm
$
0
0
To protect users from malicious content, Safe Browsing’s infrastructure analyzes web pages with web browsers running in virtual machines. This allows us to determine if a page contains malicious content, such as Javascript meant to exploit user machines. While machine learning algorithms select which web pages to inspect, we analyze millions of web pages every day and achieve good coverage of the web in general.

In the middle of March, several sources reported a large Distributed Denial-of-Service attack against the censorship monitoring organization GreatFire. Researchers have extensively analyzed this DoS attack and found it novel because it was conducted by a network operator that intercepted benign web content to inject malicious Javascript. In this particular case, Javascript and HTML resources hosted on baidu.com were replaced with Javascript that would repeatedly request resources from the attacked domains.

While Safe Browsing does not observe traffic at the network level, it affords good visibility at the HTTP protocol level. As such our infrastructure picked up this attack, too. Using Safe Browsing data, we can provide a more complete timeline of the attack and shed light on what injections occurred when.

more here......http://googleonlinesecurity.blogspot.com/2015/04/a-javascript-based-ddos-attack-as-seen.html

The Pmem Memory acquisition suite

April 25, 2015, 1:13 am
$
0
0
The Rekall project has maintained a set of open source memory acquisition tools for a while now. After all, Memory acquisition is the first step in memory analysis. Before any analysis can be done, we need to acquire the memory in the first place. There are a number of commercial solutions to acquire memory, but sadly open source solutions have been abandoned or not maintained (For example win32dd has been a popular solution many years ago but has now been commercialized and is no longer open source).
We believe in open source forensic tools to make testing and transparency easier. We also believe that the availability of open source solutions spurs further development in the field and enables choices.
That is the reason we feel an open source, well tested and capable forensic memory acquisition tool is essential - we call it the Pmem suite of tools. The pmem acquisition tool aims to provide a complete imaging solution for Windows, Linux and OSX (OSXPmem is the only memory acquisition tool we are aware of, which works on the latest version of OSX - 10.10.x - commercial or open source).

more here.........http://rekall-forensic.blogspot.com/2015/04/the-pmem-memory-acquisition-suite.html

Building an Evil-AP with TL-MR3020 – Part 1 – Setup

April 25, 2015, 3:26 am
$
0
0
So, recently I got my hands on a cheap TP-Link TL-MR3020 and figured I could create an Evil-AP as a project.

Flashing OpenWRT
It ships with a firmware which makes it really easy to upgrade/flash OpenWRT to it. Check this for instructions how to do this. Once it is flashed you should login to the web-page and set a root password, once that is done you’ll be able to SSH to the device as well.

more here...........http://0xdeadcode.se/archives/407

VulnPryer- Pries more context into your vulnerability data

April 25, 2015, 3:37 am
$
0
0
VulnPryer is the code behind a vulnerability reprioritization project. Using a vulnerability data feed (VulnPryer uses the VulnDB commercial project by default), VulnPryer will download that feed on an incremental basis, load the feed into MongoDB for storage, extract a mapping of features, and provide a remapping of vulnerabilities to custom severities for importing into your analysis product of choice (VulnPryer targets the RedSeal platform by default).

more here..........https://github.com/SCH-CISM/VulnPryer/blob/master/README.md


Also related, here are slides from the presentation titled "Vulnerability Management Nirvana:
A Study in Predicting Exploitability" from RSA 2015.....https://www.rsaconference.com/writable/presentations/file_upload/tech-f01_vulnerability-management-nirvana-a-study-in-predicting-exploitability.pdf

More on Threatbutt, the new threat intelligence firm emerging out of RSA 2015- Hunt for Advanced APT with Threatbutt integration for Maltego

April 25, 2015, 7:16 am

Consideration and evaluation of using fuzzy hashing

April 25, 2015, 7:20 am

Opportunity Knows No Boundary: A Case Study of Acquisition

April 25, 2015, 7:32 am
$
0
0
On Monday, April 20, Raytheon and Websense announced a new venture, outlining the defense industry contractor’s planned acquisition of 80% of the internet security firm. By Thursday, April 23, an ambitious attack was unleashed and directed at Websense employees in the guise of a welcoming, if grammatically questionable, message. Emails with the subject “Welcome to join Raytheon!” were seen, containing a malicious file slyly tucked away inside a fake Kaspersky installation program.

more here.........http://community.websense.com/blogs/securitylabs/archive/2015/04/24/opportunity-knows-no-boundary-a-case-study-of-acquisition.aspx
Search

OpenSSL Vs HSM Performance

April 25, 2015, 9:22 am
$
0
0
Hardware Security Modules(HSMs) are basically dedicated cryptography devices, and are often one of the first links in the chain of trust in so much of what we do with technology today.  They allow you to offload sometimes computationally expensive, cryptographic functions like signing or encryption and are often required in industries whose regulations require tight control of private key material(e.g. banking, certificate authorities).  They also allow you to have reliable auditing capabilities and are designed to be extremely difficult to tamper with.  This article does not try to sway you one way or the other in terms of using an HSM, whether or not you need an HSM is usually determined by regulation or security requirements and not performance reasons. If you want are not interested how I arrived at the numbers, click here to see the results.
Having said that, I think there are more than a few people out there that think that dedicated hardware equals better performance.  This article attempts to explore this assumption of whether or not HSMs provide any performance benefit over using software, in this case OpenSSL, on commodity hardware.

Malware Seen In The Middle East Region

April 25, 2015, 11:19 am
$
0
0
This attack is from the same attack group as Cyber Attack 1. The attack comes as an email containing a malicious Google Docs link. It was seen around Mon 2/16/2015.



The email looks like below:


The subject translates as "Video: The Egyptian Army Conducts An Air Strike Against ISIL" and body translates as "On the dawn of Monday, the armed forces conducted a strike against some ISIL centers. The strike has met its target precisely, where ISIL camps and training places were targeted. In the video are ISIL casualities and the havoc left by the Egyptian Air Strike. Watch The Video".


more here including additional malware samples.........http://middleeastmalware.blogspot.com/2015/04/cyber-attack-10.html

An HTTP Status Code to Report Legal Obstacles

April 25, 2015, 2:06 pm

Insufficient TLS Protection in Composer (PHP)

April 25, 2015, 2:17 pm
$
0
0
Composer helps you declare, manage and install dependencies of PHP projects,
ensuring you have the right stack everywhere.

Pádraic Brady exclaims "this is a publicly disclosed unpatched vulnerability
on Composer's issue tracker since 2012.

The specific issue is a failure to perform TLS peer verification on remote
requests when making any API request or retrieving any file, i.e. there is a
singular client class.

more here.....https://github.com/composer/composer/issues/1074

Quagga BGP and exabgp: work together for BGP blackhole (dropoing undersirable traffic) implementation

April 25, 2015, 2:23 pm
Viewing all 8064 articles
Browse latest View live
Search