Channel: BOT24
Viewing all 8064 articles

Paper: Compositional Decompilation using LLVM IR

Abstract
Decompilation or reverse compilation is the process of translating low-level
machine-readable code into high-level human-readable code. The problem is nontrivial
due to the amount of information lost during compilation, but it can be
divided into several smaller problems which may be solved independently. This
report explores the feasibility of composing a decompilation pipeline from independent
components, and the potential of exposing those components to the end-user.
The components of the decompilation pipeline are conceptually grouped into three
modules. Firstly, the front-end translates a source language (e.g. x86 assembly)
into LLVM IR; a platform-independent low-level intermediate representation. Secondly,
the middle-end structures the LLVM IR by identifying high-level control flow
primitives (e.g. pre-test loops, 2-way conditionals). Lastly, the back-end translates
the structured LLVM IR into a high-level target programming language (e.g. Go).
The control flow analysis stage of the middle-end uses subgraph isomorphism search
algorithms to locate control flow primitives in CFGs, both of which are described
using Graphviz DOT files.

Poster: Compositional Decompilation

more here........https://github.com/mewpaper/decompilation

Unpacking CCTV Firmware

I’ve been increasingly interested in firmware and have also stated in my previous articles that I would write an article on unpacking and hacking firmware. I thought this would be a good start. This isn’t some old firmware: the build date is February 2015 and it has some interesting features. I see a lot of people writing articles on routers and thought I’d change things up a little and look at CCTV.

Hackers temporarily take control of Tesla’s website, Elon Musk's Twitter account

Earlier today, Tesla's Twitter account and website were taken over by some nefarious jokesters. Around 5 PM ET, a strange tweet popped up on the company's official Twitter account, suggesting the company was no longer in control of what was being posted. The tweets largely suggested this was just an unsophisticated prank.

more here.......http://www.theverge.com/2015/4/25/8497545/teslas-twitter-hacked

Patator, a multi-purpose brute-forcer, with a modular design and a flexible usage.

Patator was written out of frustration from using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks. I opted for a different approach in order to not create yet another brute-forcing tool and avoid repeating the same shortcomings. Patator is a multi-threaded tool written in Python that strives to be more reliable and flexible than its predecessors.

more here........https://github.com/lanjelot/patator

GleeBug

Timeline Analysis Process

Betty- Open source Google Voice with Receptionist abilities, built on top of Twilio

Betty (or Ben, for those who prefer a male receptionist) is your own customizable receptionist, forwarding calls and messages to your team anywhere in the world. It's particularly useful if your organization is operating in the US but based in another country.

Betty is easy to set up and is built on top of Twilio and Node.js; it doesn't require a database (stateless). It can be deployed to Heroku or any Unix server.

more here........https://github.com/SamyPesse/betty

ENUMERATE DNS HOSTNAMES USING NMAP

A Malicious Word Document Inside a PDF Document

anti-virus vendors in trouble with testers?

Newly Obtained Records Reveal Extensive Monitoring of E-ZPass Tags Throughout New York

Sucuri WordPress Website Firewall Bypass

A few weeks back I wrote a piece about WordPress website firewalls, or, as they are better known in the security industry, web application firewalls (WAFs). In the article I explained all you need to know about WordPress website firewalls: how they work and what their limitations and shortcomings are. Fast forward to today: Rafay Baloch, one of Pakistan’s leading security professionals, published a blog post about a Sucuri website firewall cross-site scripting filter bypass; he was able to exploit a cross-site scripting attack against a website protected with the Sucuri website firewall, i.e. the firewall did not block it.

read more here.......http://www.wpwhitesecurity.com/wordpress-security-news-updates/sucuri-wordpress-website-firewall-bypass/

Sneaker- A tool for securely storing secrets on S3 using Amazon KMS

Sneaker is a utility for storing sensitive information on AWS using S3 and the Key Management Service (KMS) to provide durability, confidentiality, and integrity.

Secrets are stored on S3, encrypted with AES-256-GCM and single-use, KMS-generated data keys.

more here........https://github.com/codahale/sneaker

Dovecot remote DoS on TLS connections

The current Dovecot (2.2.16) imap/pop3 server has an issue where
handshake failures lead to a crash of the login process.

An example where this is triggered is if the server is configured to
not allow SSLv3 connections and a client tries to connect with SSLv3
only.

The reason is that the error handling routine will try to finish the
handshake and that will crash. Details here:
http://dovecot.org/pipermail/dovecot/2015-April/100618.html

I had created a patch; one of the Dovecot devs created a more thorough
patch that will probably catch more error states properly:
http://dovecot.org/tmp/diff
(url likely not stable)
Nothing is applied yet I think.

There is a related issue in openssl: It will crash instead of throwing
an error if one tries to use a connection context that already failed.
One could argue that this is not an openssl issue, because apps need to
properly check errors. Matt Caswell has created a patch to let openssl
handle these situations more gracefully:
https://rt.openssl.org/Ticket/Display.html?id=3818&user=guest&pass=guest

Authored by Hanno Böck
http://hboeck.de/

Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win

A lot of network defense goes wrong before any contact with an adversary, starting with how defenders conceive of the battlefield. Most defenders focus on protecting their assets, prioritizing them, and sorting them by workload and business function. Defenders are awash in lists of assets—in system management services, in asset inventory databases, in BCDR spreadsheets. There's one problem with all of this. Defenders don't have a list of assets. They have a graph. Assets are connected to each other by security relationships. Attackers breach a network by landing somewhere in the graph using a technique such as spearphishing and they hack, finding vulnerable systems by navigating the graph. Who creates this graph? You do.

more here........http://blogs.technet.com/b/johnla/archive/2015/04/26/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win.aspx

WordPress 4.2 stored XSS

*Overview*
Current versions of WordPress are vulnerable to a stored XSS. An
unauthenticated attacker can inject JavaScript in WordPress comments. The
script is triggered when the comment is viewed.

If triggered by a logged-in administrator, under default settings the
attacker can leverage the vulnerability to execute arbitrary code on the
server via the plugin and theme editors.

Alternatively the attacker could change the administrator’s password,
create new administrator accounts, or do whatever else the currently
logged-in administrator can do on the target system.


*Details*
If the comment text is long enough, it will be truncated when inserted in
the database. The MySQL TEXT type size limit is 64 kilobytes so the comment
has to be quite long.

The truncation results in malformed HTML generated on the page. The
attacker can supply any attributes in the allowed HTML tags, in the same
way as the previous stored XSS vulnerabilities affecting WordPress.

The vulnerability bears a similarity to the one reported by Cedric Van
Bockhaven in 2014 (patched this week, after 14 months). Instead of using an
invalid UTF-8 character to truncate the comment, this time an excessively
long comment text is used for the same effect.

In these two cases the injected JavaScript apparently can't be triggered in
the administrative Dashboard, so these exploits require getting around
comment moderation e.g. by posting one harmless comment first.


*Proof of Concept*
Enter the following as a comment:

<a title='x onmouseover=alert(unescape(/hello%20world/.source))
style=position:absolute;left:0;top:0;width:5000px;height:5000px
 AAAAAAAAAAAA [64 kb] ...'></a>

This was tested on WordPress 4.2, 4.1.2, and 4.1.1, MySQL versions 5.1.53
and 5.5.41.


*Solution*
Disable comments (Dashboard, Settings/Discussion, select as restrictive
options as possible). Do not approve any comments.


*Credits*
The vulnerability was discovered by Jouko Pynnönen of Klikki Oy.

An up-to-date version of this document: http://klikki.fi/adv/wordpress2.html
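The truncation mechanism from the Details section, as an added illustration that is not part of the advisory: a toy attribute-quoting check passes the comment as submitted, a model of MySQL silently cutting the value to the TEXT column size leaves an unclosed attribute in what is actually stored, and the ordering fix bounds the length before validation so the stored value is exactly what the filter approved. TEXT_COLUMN_LIMIT, quotes_balanced, store_unsafe, store_safe and the padded sample comment are constructed for this example.

```python
# Column size from the advisory: a MySQL TEXT column holds at most 65535 bytes
# (the sample is ASCII, so bytes and characters coincide).
TEXT_COLUMN_LIMIT = 65535


def quotes_balanced(fragment: str) -> bool:
    """Toy well-formedness check standing in for a real HTML filter: every tag
    opened with '<' is closed with '>', and every single-quoted attribute value
    inside a tag is closed. Deliberately minimal; the point is the ordering of
    validation and storage, not the quality of the filter."""
    in_tag = in_quote = False
    for ch in fragment:
        if not in_tag:
            in_tag = ch == "<"
        elif in_quote:
            in_quote = ch != "'"
        elif ch == "'":
            in_quote = True
        elif ch == ">":
            in_tag = False
    return not (in_tag or in_quote)


def db_truncate(value: str, limit: int = TEXT_COLUMN_LIMIT) -> str:
    """Model MySQL silently cutting an over-long value to fit a TEXT column."""
    return value[:limit]


def store_unsafe(comment: str) -> str:
    """Validate, then insert: the column may alter what was validated."""
    if not quotes_balanced(comment):
        raise ValueError("rejected by filter")
    return db_truncate(comment)


def store_safe(comment: str) -> str:
    """Bound the length before validation so the stored value is byte-for-byte
    what the filter approved; anything the column would cut is refused."""
    if len(comment.encode("utf-8")) > TEXT_COLUMN_LIMIT:
        raise ValueError("comment too long")
    if not quotes_balanced(comment):
        raise ValueError("rejected by filter")
    return comment


def rejects(comment: str) -> bool:
    """True if store_safe refuses the comment (helper for checking the fix)."""
    try:
        store_safe(comment)
    except ValueError:
        return True
    return False


# Constructed sample: well formed as submitted, but the title value is padded so
# that the closing quote and tag sit beyond the column limit.
PADDED_COMMENT = "<a title='" + "A" * TEXT_COLUMN_LIMIT + "'></a>"
```

Running store_unsafe on PADDED_COMMENT returns a fragment that quotes_balanced rejects, while store_safe refuses it before anything reaches the column.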

Surveillance system used for censorship in Europe - Censorship attack combines packet injection and Heartbleed

From https://goodcrypto.com/news/2015/03/26/surveillance-system-used-for-censorship-in-europe/

Published here to resist censorship.

Surveillance system used for censorship in Europe

Censorship attack combines packet injection and Heartbleed

We all know there is censorship online. It happens in China. It happens
to "terrorists". But we don't believe it will happen to us.

As Eben Moglen[1] and Kaspersky[2] have pointed out, companies developing
crypto are prime targets no matter where they are. So you don't have
to be a bad guy for the NSA to attack you. You just have to protect
people from the NSA. Even protecting yourself is often enough. NSA
prefers their victims to be defenseless.

Detection in the wild

In early 2015 people were still downloading our ISO file for GoodCrypto.
But suddenly installations stopped.

After a lot of checking we noticed that the downloads got HTTP 200
result codes, but the lengths were all too short. This isn't supposed
to happen. A 200 result means success. These weren't successful
downloads, but the web logs said they were. Ordinary log checks didn't
show the bug.

Finding the vuln

Downloads from goodcrypto.com to goodcrypto.com worked. Downloads from
another site at a different datacenter in the same country worked. A
little further away in the network, downloads failed but the server
logged a "Success" status code.

The obvious answer was a server misconfiguration. We couldn't find one.
A server side packet dump showed the client just dropped the
connection in the middle of the download.

We couldn't get a browser to download the whole ISO file. The browser
thought it came in fine, but the file was incomplete.

So was it a browser bug? We tried other browsers. They couldn't
download either.

The wget program often helps debug downloads. It doesn't have the same
malware issues as browsers, because wget doesn't support malware
vectors such as javascript, java, and css. It also retries failed
downloads, and often tells you why it failed.

When we tried wget, it detected errors, retried, and finally succeeded.
It said the error was a bad length field in a TLS packet. That didn't
make sense at first because we thought TLS packets were error corrected
by TCP.

We searched for other bug reports like this. They were all during
session initiation, not in the middle of a long download.

But our searching led to Heartbleed. Modifying SSL/TLS length fields
is exactly how it works.

Wasn't Heartbleed fixed in 2014?

In 2014 when we all heard about Heartbleed many servers were
vulnerable. But OS providers fixed it fast. Our own servers get regular
security updates.

How were we seeing it now?

Servers around the world were fixed fast, but clients were vulnerable
too. The Heartbleed news coverage was all about servers. Servers got
fixed. Many clients didn't. A client side Heartbleed attack is
sometimes called Reverse Heartbleed.

Packet evidence shows MITM

Was our server cracked? We're pretty careful, so that doesn't happen
often. But we checked, and checked again. Even though we don't usually
have any packet logs, we ran download tests with simultaneous packet
logs on both the server and client.

The server packet logs showed an ordinary number of bad packets, all
error corrected. During the download the client dropped the connection.

The client packet logs were very different. There was a surprising
number of bad incoming packets. Almost none of these bad packets
showed in the server logs for the same session. These packets appeared
to be injected into the packet stream. This is an MITM/MOTS attack,
specifically a packet injection attack.

Finally wget reported that a TLS packet with a bad length field got
through and caused the TLS connection to break. Now we knew this was a
MITM variant of Reverse Heartbleed.

Working around the censorship

We added simple instructions to our Download[3] page:

    Somebody (Hi NSA!) is trying to censor GoodCrypto downloads.

    But don't worry. The workaround for their super duper advanced
    network attack is: Just use wget.

    If you're on windows you need wget.exe[4].

    At a command prompt:

             wget --no-check-certificate (URL appeared here)

    Because you will verify the file hash, "--no-check-certificate" is
    ok in this rare case, and Windows needs it.

We also strengthened the encouragement to verify the file, and asked
visitors to let us know[5] when the attackers change tactics.

False Flag

The attacker injected packets by forging our site's IP address. If a
site visitor notices the packets, they will think that the attack is
from us. The attacker didn't just shift blame away from themselves.
They framed someone they don't like. Faking the evidence to blame an
attack on someone else, especially someone the attacker doesn't like,
is a classic False Flag operation.

An MITM attack like this requires impersonation, so the benefits to the
attacker of a False Flag are built right in.

One way to censor anyone is to attack their reputation.

Censorship by a nation state

Even though the download broke, the browser didn't complain. It looked
like a successful download. The server showed an HTTP 200 result code.
Neither the client nor server detected the attack.

Server packet logs didn't show anything unusual except the abrupt
client disconnection. The attack didn't show at all during downloads
from a client that was close to the server in network space, such as
another nearby datacenter. It wasn't an attack on the server or the
hosting provider.

We set up another server in a different country and the attack
continued. It wasn't an attack by the hosting country. We were nowhere
near our transfer limits for either server, so it was not traffic
shaping by hosting providers.

The clients were all over the world. It wasn't separate attacks
launched from close to individual clients.

The attack appears to be from someone sitting on the net pipes and
injecting packets. This requires huge resources. The U.S., U.K.,
Canadian, and Chinese spooks do this. Ordinary criminals don't have
the ability.

Because the goodcrypto.com servers are in Europe, China is an unlikely
suspect. GCHQ and CSE are dependent on the U.S. for their QUANTUM
capability. That means it was likely an NSA attack, either directly or
by proxy.

But which nation really doesn't matter. There is no known way to
protect against specific nations. You have to protect against all or
none.

Who is vulnerable

Anyone who publishes on the web is vulnerable to this form of
censorship. Even if you just use HTTP, the Chinese censorship method of
a simple RST works.

Update: The attack is now intermittent. Exposing them often helps. When
it's paused they may be avoiding forensics, or just changing tactics.
Let us know.[5]

    [1] http://www.theguardian.com/technology/2014/may/27/-sp-privacy-under-attack-nsa-files-revealed-new-threats-democracy
    [2] http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage
    [3] https://goodcrypto.com/server/download/
    [4] https://goodcrypto.com/redirect-offsite/https://eternallybored.org/misc/wget/wget.exe
    [5] https://goodcrypto.com/contacts/


Authored by Doug
Email: doug@goodcrypto.com
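The server-side check described under "Detection in the wild" above, as an added example that is not part of the original article: it parses combined-format web server log lines and flags full GETs that were logged with a 200 status but sent fewer bytes than the file holds, the symptom the article says ordinary log checks missed. The log regex, the file path and size, and the sample log lines are constructed for this example.

```python
import re

# Combined log format as written by Apache/nginx (regex constructed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# On-disk sizes of the files whose downloads we care about (constructed values).
EXPECTED_SIZES = {"/server/download/goodcrypto.iso": 734003200}


def parse(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    sent = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],
            "status": int(m.group("status")), "bytes": sent}


def full_gets(lines, expected):
    """Yield (record, expected size) for 200 GETs of files we know the size of.
    206 range requests (resumed wget downloads) and HEADs are legitimately short."""
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        size = expected.get(rec["path"])
        if size is not None:
            yield rec, size


def short_200s(lines, expected=EXPECTED_SIZES):
    """Downloads logged as successful that sent less than the whole file."""
    return [(rec["ip"], rec["path"], rec["bytes"], size)
            for rec, size in full_gets(lines, expected) if rec["bytes"] < size]


def short_rate(lines, expected=EXPECTED_SIZES):
    """Per file: (full GET 200s, how many were short). Near zero for nearby
    clients and high for distant ones is the pattern the article describes."""
    totals = {}
    for rec, size in full_gets(lines, expected):
        full, short = totals.get(rec["path"], (0, 0))
        totals[rec["path"]] = (full + 1, short + int(rec["bytes"] < size))
    return totals


# Constructed sample log: one complete download, one the client dropped part way,
# a resumed range request, a HEAD, and an unrelated page.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Apr/2015:10:01:12 +0000] "GET /server/download/goodcrypto.iso HTTP/1.1" 200 734003200 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [26/Apr/2015:10:04:55 +0000] "GET /server/download/goodcrypto.iso HTTP/1.1" 200 104857600 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [26/Apr/2015:10:05:30 +0000] "GET /server/download/goodcrypto.iso HTTP/1.1" 206 629145600 "-" "Wget/1.16"',
    '192.0.2.9 - - [26/Apr/2015:10:06:02 +0000] "HEAD /server/download/goodcrypto.iso HTTP/1.1" 200 - "-" "curl/7.38"',
    '192.0.2.9 - - [26/Apr/2015:10:06:10 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "curl/7.38"',
]
```

On the sample, short_200s reports only the dropped download from 198.51.100.23, and short_rate gives one short transfer out of two full GETs for the ISO.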

Security execs call on companies to improve ‘cyber hygiene’

Cyber security chiefs have called on companies to conduct better “cyber hygiene” focusing on preventing basic attacks, rather than obsessing over the threat of nation state-backed hackers.
The industry has begun to think of cyber crime as akin to a public health issue, whereby companies and individuals must be encouraged to do the online equivalents of washing hands and getting vaccines.

Powersploit Function: Invoke-Shellcode is fixed with a couple other updates

.DESCRIPTION
Portions of this project were based upon syringe.c v1.2 written by Spencer McIntyre.
PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX. To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk):
msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-
Make sure to specify 'thread' for your exit process. Also, don't bother encoding your shellcode. It's entirely unnecessary.

more here........https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke--Shellcode.ps1

How Kaspersky makes you vulnerable to the FREAK attack and other ways Antivirus software lowers your HTTPS security

Lately a lot of attention has been paid to software like Superfish and Privdog that intercepts TLS connections to be able to manipulate HTTPS traffic. These programs had severe (technically different) vulnerabilities that allowed attacks on HTTPS connections.

What these tools do is a widespread method. They install a root certificate into the user's browser and then they perform a so-called Man in the Middle attack. They present the user a certificate generated on the fly and manage the connection to HTTPS servers themselves. Superfish and Privdog did this in an obviously wrong way, Superfish by using the same root certificate on all installations and Privdog by just accepting every invalid certificate from web pages. What about other software that also does MitM interception of HTTPS traffic?

Antivirus software intercepts your HTTPS traffic

Many Antivirus applications and other security products use similar techniques to intercept HTTPS traffic. I had a closer look at three of them: Avast, Kaspersky and ESET.

more here........https://blog.hboeck.de/archives/869-How-Kaspersky-makes-you-vulnerable-to-the-FREAK-attack-and-other-ways-Antivirus-software-lowers-your-HTTPS-security.html