
Matt
Active Members
Posts: 1773
Days Won: 6

Everything posted by Matt

  1. Fun stuff
  2. Passwords and PMs.

     What role would the "Trusted" group have?
  3. And then what benefit do you get? If you say it's risky, in your place I'd build it properly and then try to sell it (after popularizing it).
  4. The site looks good. What do you risk by running a site like this? What does whoever uploads the serials risk? All from a legal point of view, of course.
  5. The European Commission (EC) has responded in no uncertain terms to the allegations of NSA surveillance taking place at its premises, demanding full clarification and transparency from the US government over its activities.

     Documents seen by the German newspaper Spiegel suggest that not only were bugs installed by US surveillance in the EU's offices in Washington, but also that the building's computer network was infiltrated. Through this, surveillance teams had the capability to listen to discussions in several offices belonging to the EU, as well as being able to access emails and documents on computers.

     The EC said it took immediate action to raise the matter with the European External Action Service, which will liaise with US authorities. A statement from the EC said: "These are disturbing news [sic] if proven true. They demand full clarification."

     The newspaper also alleges that offices in New York and Brussels came under the watch of US surveillance teams, with EU security officials apparently noticing suspicious telephone calls targeting a remote maintenance system of a building in Brussels, where the EU Council of Ministers and the European Council are based. The calls are said to have been traced back to a NATO headquarters in Brussels, from a building used by NSA employees.

     The EC asked for openness over the allegations, putting the ball firmly in the US authorities' court. "The EU is now expecting to hear from the US authorities. Clarity and transparency is what we expect from partners and allies, and this is what we expect from the US," the EC noted.

     On Sunday, Spiegel also revealed that the NSA typically taps half a billion phone calls, emails and text messages per year in Germany alone. The paper also indicated that surveillance in the country was stronger than in any other EU country. Last week, shadow home secretary David Davis told the House of Commons that UK laws to protect citizens from surveillance were "completely useless".

     Founder of the web Tim Berners-Lee also weighed in last week, urging further advances in web freedom. This follows allegations that security organisations such as the NSA and GCHQ were monitoring personal emails of people across the world, and accessing data from companies such as Facebook, Microsoft and Google.

     The former NSA contractor Edward Snowden's location is still unknown after he failed to take a flight to Ecuador he had been booked onto last week, although it is believed he is in Russia and is seeking asylum there. The US government has issued a warrant for his arrest, with WikiLeaks founder Julian Assange expressing his allegiance to Snowden.

     Source: v3.co.uk
  6. Last year at Automatica the last admitted average was somewhere around 8.60.
  7. The best solution. But admission should be a real admission exam, not an interview. If I were in the Government I'd scrap the baccalaureate, since it's useless anyway. You finish 12 grades nicely, then whoever wants to go to university takes the admission exam. Whoever doesn't want to doesn't take it. Anyway the baccalaureate has gone to shit and turned into plain thievery. // At Politehnica this year they still admit by interview.
  8. Congratulations
  9. They weren't going to discount a router that costs 99 lei... only the ones at 200+.
  10. 10. Apple iOS 6.1.3 fix contains another lock screen bypass flaw: An Apple iOS software fix was designed to repair a nasty bug that let unauthorized users bypass the lock screen for iPhones and iPads and access user data. Good idea, except it contained yet another major flaw.

     9. Mega users: If you're hacked once, you're hacked for life: Pessimists, or perhaps realists, in the security industry say that being hacked is a matter of when, not if. But if you're a user of Kim Dotcom's Mega site, do whatever you can to make sure you're never hacked, because you can't change your password and you can't delete your account.

     8. Hacker, activist Aaron Swartz commits suicide: Aaron Swartz, Reddit co-founder, was dedicated to sharing data and information online. He worked tirelessly to develop and popularize standards for free and open information sharing.

     7. The real story in the NSA scandal is the collapse of journalism: If the NSA scandal, which exposed the US government for spying on its citizens, wasn't enough, media sources trying to pin down the big scoop couldn't get the story straight. Details, details.

     6. CISPA passes U.S. House: Death of the Fourth Amendment? The Cyber Intelligence Sharing and Protection Act would allow private-sector firms to search personal and sensitive user data of ordinary U.S. residents to identify "threat information", which can then be shared with other opt-in firms and the U.S. government, without the need for a court-ordered warrant. Described as "misguided" and "fatally flawed" by the two largest US privacy groups, CISPA is considered a threat to the online privacy of ordinary US residents.

     5. Homeland Security warns to disable Java amid zero-day flaw: The US Department of Homeland Security was the latest body to warn users to disable Java software amid escalating concerns over a serious, exploitable vulnerability.

     4. Anonymous posts over 4,000 U.S. bank executive credentials: Anonymous appears to have published login and private information from over 4,000 American bank executive credentials in its Operation Last Resort, demanding US computer crime law reform.

     3. How to disable Java in your browser on Windows, Mac: Amid a serious security flaw in the latest version of Java 7, there's one way to make sure it doesn't affect you. Disable it. Oracle released an emergency fix for Java over the weekend. However, security professionals say that this measure doesn't go far enough.

     2. Anger mounts after Facebook's 'shadow profiles' leak in bug: Facebook said it fixed a bug that exposed contact info for over 6 million accounts. The admission revealed its "shadow profile" data collection activities, and users are furious.

     1. Feds stumbling after Anonymous launches 'Operation Last Resort': Hacktivist group Anonymous took control of the U.S. Sentencing Commission website Friday, January 25, in a new campaign called "Operation Last Resort".

     Source: ZDNet.com
  11. Bitcoin - Wikipedia
  12. Google continues its expansion strategy and at the same time drops services like Reader, which cannot be easily monetized. Google could launch a social service that threatens the existence of eBay and any other auction site. The IT giant is preparing the Google Mine service, which will allow users of the social network to create an online catalog of their physical possessions. At first glance it looks like a perfect service for thieves, but combined with Google Wallet it could turn into an impressive online commerce tool. If the Google Mine functionality reaches Google+ and is accompanied by online money transactions, eBay has the most to lose, especially since the company needs constant growth to stay profitable. Once Google Mine becomes reality, Google will be able to collect even more information about its users, and could even surpass Facebook in the volume of data gathered about users and more.

     Source: Hit.ro
  13. Microsoft's monthly patch release for July will cover seven security issues, six of which can be exploited remotely by an attacker. The company published an advisory ahead of the patch release, on the second Tuesday of the month, so that administrators know which products will be affected. Microsoft has not, however, described the vulnerabilities, and will not until the security fixes are released. The critical vulnerabilities are in the Windows OS, .NET Framework, Silverlight, Office, Visual Studio, Lync and Internet Explorer. A seventh security bulletin, rated "important", affects the Windows Defender security software.

     The most important security bulletin addresses IE, wrote Wolfgang Kandek, CTO at Qualys. It affects IE versions 6 through 10 on Windows XP, Vista, 7, 8, Server 2003, Server 2008 and RT. Microsoft will also fix a zero-day vulnerability disclosed by security researcher Tavis Ormandy, Kandek added. The company described the vulnerability, CVE-2013-3660, as "a publicly known issue in the Windows kernel-mode driver component". The security bulletins will be released on Tuesday.

     Source: Computerworld
  14. The number of spam emails containing links to fraudulent sites is rising, driven by the growth in theft of Apple IDs and credit card information, Kaspersky Lab warns. According to Kaspersky Lab, the number of phishing attempts involving copies of Apple's official site, apple.com, grew from 1,000 a day in 2011 to an average of 200,000 a day in 2013. Researchers observed large daily fluctuations, with phishing attempts launched to coincide with Apple's marketing campaigns. On 6 December 2012, immediately after the opening of iTunes stores in India, Turkey, Russia, South Africa and 52 other countries, Kaspersky Lab detected a record of over 900,000 phishing attempts aimed at Apple users in a single day.

     Cybercriminals use proven methods to get at Apple users' data, including emails claiming to come from service@apple.com or Apple Consumer Support. These emails are generally professionally written, carry the Apple logo and may even include links to "Frequently Asked Questions" to convince more sceptical users. The emails also contain links to fake Apple sites where users are asked to enter their Apple ID and/or password. This information is then stolen and used by the cybercriminals. In another variant, Apple customers have their credit card details stolen directly: they are sent an email asking them to verify the credit card information attached to their Apple ID, and are then asked to give the card type and number, the expiry date, the card verification code, their date of birth and other identifying details.

     One way to tell real sites from counterfeit ones built for phishing is to look at the address bar, Kaspersky Lab said. While most counterfeit sites contain the string "apple.com" in the address (URL), experienced users should be able to spot the fakes by examining the full address. This becomes harder, however, when the address bar cannot be seen, for example when the Safari browser is used on mobile devices such as the iPhone and iPad. Attackers can also build sites so that the address is embedded in the page as an image displayed at the top of the screen.

     According to Kaspersky Lab, users should first of all check that emails asking for information really do come from Apple. To protect against fraud attempts, Apple also offers two-factor authentication for Apple IDs. This process involves sending a four-digit code to one or more of the user's chosen devices. Kaspersky Lab recommends that users do not follow the links in such emails to reach sites. Instead, they should type site addresses manually into the browser window. Users who still want to use such links should carefully check their content and the address of the website the links lead to, and install a security software package.

     Source: ComputerWeekly.com
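The report's advice to "examine the full address" can be turned into a check that runs over the links in a suspicious message. The following is an added example, not code from Kaspersky Lab or from the post above; the brand domains in BRAND_DOMAINS, the function names and the sample e-mail body are assumptions constructed for illustration. It goes a little beyond the article by also flagging hosts with non-ASCII characters (homoglyph look-alikes) and brand hosts reached over plain HTTP.

```python
"""Added example (not code from Kaspersky Lab or from this forum post): apply the
report's advice of "examining the full address" to the links in a suspicious
e-mail. The brand domains and the sample message are assumptions for illustration."""
import re
from urllib.parse import urlsplit

# Assumption: the domains a legitimate Apple ID e-mail would actually link to.
BRAND_DOMAINS = ("apple.com", "icloud.com")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_link(url):
    """Return ("ok", host) or ("suspicious", reason) for one URL.

    The checks mirror what a careful reader does with the address bar:
    look at the real host (not text that merely contains 'apple.com'),
    reject non-ASCII hosts (homoglyph look-alikes) and require HTTPS."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("suspicious", "no host in URL")
    if any(ord(c) > 127 for c in host):
        return ("suspicious", "non-ASCII characters in host (possible homoglyph): " + host)
    # Genuine only if the host IS the brand domain or a subdomain of it.
    on_brand = any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)
    if not on_brand:
        if any(d in host for d in BRAND_DOMAINS):
            # e.g. apple.com.account-verify.example or secure-apple.com
            return ("suspicious", "brand name embedded in another domain: " + host)
        return ("suspicious", "unrelated host: " + host)
    if parts.scheme.lower() != "https":
        return ("suspicious", "brand host but not https: " + url.strip())
    return ("ok", host)


def suspicious_links(text):
    """Extract every http(s) URL from a message body and return the ones
    classify_link() flags, as (url, reason) pairs, in order of appearance."""
    flagged = []
    for url in URL_RE.findall(text):
        verdict, detail = classify_link(url)
        if verdict == "suspicious":
            flagged.append((url, detail))
    return flagged


# Constructed sample e-mail in the style the report describes (not a real message).
SAMPLE_EMAIL = """From: Apple Consumer Support <service@apple.com>
Subject: Verify the payment card attached to your Apple ID

Please confirm your details at https://apple.com.id-verify.example/login
Frequently Asked Questions: https://www.apple.com/support/
"""

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS", url, "-", reason)
```

Note that the check deliberately trusts only the parsed hostname: a URL like https://apple.com@evil.example/ puts the brand in the userinfo part and the real host is evil.example, which is exactly the trick a glance at "apple.com" somewhere in the address misses.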
  15. That was exactly the idea. You shouldn't do that, because nobody will use your program anymore.
  16. The European Parliament has voted in a new directive designed to increase the maximum sentences hackers can receive. The legislation focuses on attacks designed to harm areas of critical national infrastructure or hijack company computer systems. Under the draft reform, attacks on areas of critical infrastructure can now carry a maximum sentence of five years, while attempts to illegally access information systems can accrue a two-year sentence in all European Union member states.

     The directive also addresses Europe's growing botnet problem. "When a significant number of information systems have been affected through the use of a tool (eg botnets) there is a maximum penalty of at least three years," reads the Commission's report on the legislation. Botnets have been a massive issue across the world for many years now. The operations enslave computers using various malware, letting hackers take control of them and use them for a variety of nefarious schemes, including denial of service attacks and phishing scams. Numerous technology firms, including Microsoft, have mounted joint operations with law enforcement to take down the zombie networks' command-and-control servers. Most recently Microsoft teamed up with the FBI to take down the Citadel botnet. At its peak the botnet is believed to have controlled millions of infected PCs and stolen more than $500m in bank fraud.

     Interestingly, the move will allow nation states to take action against businesses selling botnet and hacking tools as well as those using them. It will also grant law enforcement the power to punish firms paying hackers to use the tools to steal information for them.

     The Parliament in Strasbourg approved the legislation with a final vote count of 541 to 91 with nine abstentions on the proposal by the European Commission. Only Denmark has chosen to opt out of the rules, preferring to keep its current cyber legislation. Other participating governments will now have two years to translate the decision into national law.

     The news has been welcomed by the European Commission, with Commissioner for Home Affairs Cecilia Malmström saying the move is a key step in the European Commission and Parliament's ongoing efforts to bolster the region's cyber defences. "This is an important step to boost Europe's defences against cyber-attacks [...] The perpetrators of increasingly sophisticated attacks and the producers of related and malicious software can now be prosecuted, and will face heavier criminal sanctions. Member States will also have to quickly respond to urgent requests for help in the case of cyber-attacks, hence improving European justice and police cooperation," she said.

     However, in the private sector many security companies have been less positive. AlienVault research team engineer Conrad Constantine said the legislation will cause more harm than good, as the people creating it do not understand cyber threats. "Cybercrime is an oxymoron - we already have a word for it - 'Crime' - the reason 'cyber crimes' are criminal acts, is because they were criminal acts before computers were involved. Every time law tries to encode some particular use of technology into law, the result inevitably fares poorly for civilians," he said. "This is not to say that there are not edge cases that require some extension - determining how to prosecute a botnet operator may be difficult under current law, but not impossible, since whatever (existing) crimes the botnet is being used for, the botnet operator is complicit in. Having said that, more laws do not capture more criminals, they only turn more people into criminals."
  17. Malware is common nowadays. Each day, machines get infected with viruses, spyware, Trojans, keyloggers, rogueware, ransomware, rootkits, ... The list continues with more advanced malware like Conficker, Duqu, Stuxnet, Flame, ... The malware scenario in itself has also changed drastically. Where in the past malware was created to show off your skills or gain your 15 minutes of fame (remember LoveLetter?), it is now used almost solely for the purpose of making money. If you are reading this article, you have already helped someone get rid of a malware infestation, or you at least have an interest in the basics of how to clean malware from an infected machine.

     Basic Malware Cleaning.pdf
  18. Description: Ubuntu Security Notice 1900-1 - Dmitry Monakhov reported a race condition flaw in the Linux ext4 filesystem that can expose stale data. An unprivileged user could exploit this flaw to cause an information leak. An information leak was discovered in the Linux kernel's tkill and tgkill system calls when used from compat processes. A local user could exploit this flaw to examine potentially sensitive kernel memory. A format string vulnerability was discovered in the Broadcom B43 wireless driver for the Linux kernel. A local user could exploit this flaw to gain administrative privileges. Various other issues were also addressed.
     Author: Ubuntu
     Source: Ubuntu Security Notice USN-1900-1 - Packet Storm
     Code:

     ============================================================================
     Ubuntu Security Notice USN-1900-1
     July 04, 2013

     linux-ec2 vulnerabilities
     ============================================================================

     A security issue affects these releases of Ubuntu and its derivatives:

     - Ubuntu 10.04 LTS

     Summary:

     Several security issues were fixed in the kernel.

     Software Description:
     - linux-ec2: Linux kernel for EC2

     Details:

     Dmitry Monakhov reported a race condition flaw in the Linux ext4 filesystem that can expose stale data. An unprivileged user could exploit this flaw to cause an information leak. (CVE-2012-4508)

     An information leak was discovered in the Linux kernel's tkill and tgkill system calls when used from compat processes. A local user could exploit this flaw to examine potentially sensitive kernel memory. (CVE-2013-2141)

     A format string vulnerability was discovered in the Broadcom B43 wireless driver for the Linux kernel. A local user could exploit this flaw to gain administrative privileges. (CVE-2013-2852)

     Update instructions:

     The problem can be corrected by updating your system to the following package versions:

     Ubuntu 10.04 LTS:
       linux-image-2.6.32-354-ec2      2.6.32-354.67

     After a standard system update you need to reboot your computer to make all the necessary changes.

     ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. If you use linux-restricted-modules, you have to update that package as well to get modules which work with the new kernel version. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-server, linux-powerpc), a standard system upgrade will automatically perform this as well.

     References:
       http://www.ubuntu.com/usn/usn-1900-1
       CVE-2012-4508, CVE-2013-2141, CVE-2013-2852

     Package Information:
       https://launchpad.net/ubuntu/+source/linux-ec2/2.6.32-354.67
  19. Description: AVAST Internet Security Suite version 8.0.1489 suffers from multiple persistent local code injection vulnerabilities.
     Author: Ateeq Khan
     Source: AVAST Internet Security Suite 8.0.1489 Local Code Injection - Packet Storm
     Code:

     Title:
     ======
     AVAST Internet Security Suite - Persistent Vulnerabilities

     Date:
     =====
     2013-06-27

     References:
     ===========
     http://www.vulnerability-lab.com/get_content.php?id=969

     VL-ID:
     =====
     969

     Common Vulnerability Scoring System:
     ====================================
     3.4

     Introduction:
     =============
     AVAST Software (www.avast.com), maker of the world's most popular antivirus, protects over 184 million computers and mobile devices with our security applications. In business for over 25 years, AVAST is one of the oldest companies in the computer security business, with a portfolio covering everything from free antivirus for PC, Mac, and Android, to premium suites and services for business. In addition to being top-ranked by consumers on popular download portals worldwide, AVAST performance is certified by, among others, VB100, AV-Comparatives, AV-Test, OPSWAT, ICSA Labs, and West Coast Labs.

     Vendor Homepage: http://www.avast.com/
     Product website: http://www.avast.com/internet-security

     Abstract:
     =========
     The Vulnerability Labs Team has discovered a persistent code injection & local command path injection vulnerability in the AVAST Internet Security Suite.

     Report-Timeline:
     ================
     2013-06-09: Researcher Notification & Coordination (Ateeq Khan)
     2013-06-11: Vendor Notification (AVAST - Security Incident Team)
     2013-06-15: Vendor Response/Feedback (AVAST - Security Incident Team)
     2013-**-**: Vendor Fix/Patch (AVAST - Developer Team)
     2013-06-27: Public Disclosure (Vulnerability Laboratory)

     Status:
     ========
     Published

     Affected Products:
     ==================
     AVAST!
     Product: Internet Security Suite Software 8.0.1489

     Exploitation-Technique:
     =======================
     Local

     Severity:
     =========
     Medium

     Details:
     ========
     It has been discovered that the avast Internet Security Suite is vulnerable to a persistent code injection and local command path injection vulnerability. During the testing, I was able to successfully read/load and execute any file/application from the local system with local admin privileges. Initially the bug was an HTML code injection flaw only; however, with deeper analysis, it was revealed that the severity of this vulnerability is far different. A simple <a href> tag bypasses the AVAST Sandbox and drops a local CMD shell on the system where AVAST is installed. You can technically access any file / application and execute it. It seems like we can control explorer.exe and through that we are even able to browse local folders and access any file; we can even browse external websites.

     The bug exists in the Firewall Module under the Network Utilities Section. Since proper input sanitization is not being performed, a user can insert any HTML code, which then gets executed successfully. For a POC I used the <img> and <a href> tags to read/load and execute files from my local system. I believe there may be possibilities of multiple attack vectors keeping in mind the scope of this vulnerability. During the POC, I was able to successfully bypass the AVAST sandbox and I was able to run local system level commands using the AVAST Interface. Proper user input sanitization of the source code should be performed, because these sorts of basic security controls should always be intact to meet all regulatory and compliance standards.

     Vulnerable Product(s):
     [+] Avast Internet Security Suite Installer - Latest Release

     Vulnerable Module(s):
     [+] Firewall

     Vulnerable Section(s):
     [+] Network Utilities

     Vulnerable Field(s):
     [+] IP Address Details
     [+] Graphical Traceroute

     Proof of Concept:
     =================
     Proof of Concept #1
     For reproducing the bug, please follow the steps mentioned below:
     a) Open the avast Internet Security Suite, go to Firewall and click on Network Utilities
     b) Enter the following payload under IP ADDRESS DETAILS: <h1>Vulnerable</h1> or <iframe src=test.de>
     c) Click on "Get Details" and you should be able to see a popup within a few seconds proving the existence of this vulnerability.
     d) To spawn a command shell on the local system, use the payload "><a href="cmd">CLICKME
     e) On the next avast information popup box that appears, click anywhere and you should be able to spawn a local CMD shell.

     Proof of Concept #2
     For reproducing the bug, please follow the steps mentioned below:
     a) Open the avast Internet Security Suite, go to Firewall and click on Network Utilities
     b) Enter the following payload under the "Graphical Trace-Route" section: <h1>Vulnerable</h1> or <iframe src=test.de>
     c) Click on "Get Details" and you should be able to see a popup within a few seconds proving the existence of this vulnerability.
     d) To spawn a command shell on the local system, use the payload "><a href="cmd">CLICKME
     e) On the next avast information popup box that appears, click anywhere and you should be able to spawn a local CMD shell.

     POC Technical Description & Fix:
     Here, we used common HTML tags as our payload. The fact that user-injected HTML code is being executed successfully raises concerns for this core application's security. Then, the fact that using just the <a href> tag we can easily bypass the AVAST Sandbox and gain a local system shell with the privileges of the user that installed the application initially, which in most cases will be administrator, is very critical. I believe this bug can be further escalated to gain more interesting results.

     Solution:
     =========
     By default, no user should be allowed to inject HTML code into the application. This can be mitigated by performing proper input sanitization of the vulnerable fields. All illegal characters should also be escaped and the application source code should be hardened overall. Proper input sanitization in the source code will fix this issue.

     Risk:
     =====
     The security risk of these kinds of vulnerabilities is estimated as medium.

     Credits:
     ========
     Vulnerability Laboratory [Research Team] - Ateeq Khan (khan@vulnerability-lab.com)

     Disclaimer:
     ===========
     The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

     Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
     Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
     Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
     Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
     Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

     Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
  20. Description: AVAST Universal Core Installer suffers from multiple local code injection vulnerabilities.
     Author: Ateeq Khan
     Source: AVAST Universal Core Installer Local Code Injection - Packet Storm
     Code:

     Title:
     ======
     AVAST Universal Core Installer - Multiple Vulnerabilities

     Date:
     =====
     2013-06-28

     References:
     ===========
     http://www.vulnerability-lab.com/get_content.php?id=966

     VL-ID:
     =====
     965

     Common Vulnerability Scoring System:
     ====================================
     4.2

     Introduction:
     =============
     Avast! (styled avast!) is - both freeware and payable - an antivirus computer program with a user interface that includes 41 languages, available to Microsoft Windows, Mac OS X and Linux users. The name Avast is an acronym of `Anti-Virus – Advanced Set`. The official, and current logo of Avast! is a white orb with the letter `a` on it and an orange circle around it, sticking out in four directions. Its developer, AVAST Software a.s. (formerly known as ALWIL Software a.s.), is headquartered in Prague, Czech Republic, with offices in Linz, Austria; Friedrichshafen, Germany; and San Mateo, California. It has been awarded the VB100 Award by Virus Bulletin multiple times for 100% detection of `in-the-wild` viruses, and also won the Secure Computing Readers' Trust Award. The central scanning engine has been certified by ICSA Labs and West Coast Labs' Checkmark process. Avast! competes in the antivirus industry against Avira, AVG Technologies, Bitdefender, F-Secure, Frisk, Kaspersky, McAfee, Symantec and Trend Micro among others.

     (Copy of the Homepage: http://en.wikipedia.org/wiki/Avast! )

     Abstract:
     =========
     The Vulnerability Laboratory Research Team discovered a persistent code injection and local command path injection vulnerability in the AVAST Universal Core Installer application software.

     Report-Timeline:
     ================
     2013-06-06: Researcher Notification & Coordination (Ateeq Khan)
     2013-06-07: Vendor Notification (AVAST! - Security Incident Team)
     2013-06-09: Vendor Response/Feedback (AVAST! - Security Incident Team)
     2013-**-**: Vendor Fix/Patch (AVAST! - Developer Team)
     2013-06-28: Public Disclosure (Vulnerability Laboratory)

     Status:
     ========
     Published

     Exploitation-Technique:
     =======================
     Local

     Severity:
     =========
     Medium

     Details:
     ========
     It has been discovered that the core avast installer application is vulnerable to a persistent code injection and local command path injection vulnerability. During the testing, I was able to successfully read/load and execute any file/application from the local system with local admin privileges, which makes this bug a lot more interesting. Initially the bug was an HTML code injection flaw only; however, with more in-depth analysis, it was revealed that the severity of this vulnerability is far different. A simple <a href> tag bypasses the AVAST Sandbox and drops a local CMD shell on the system where AVAST is installed. You can technically access any file / application and execute it. It seems like we can control explorer.exe and through that we are even able to browse local folders and access any file; we can even browse external websites.

     The bug exists in the Custom Install Section under the Destination Field. Since proper input sanitization is not being performed, a user can insert any HTML code, which then gets executed successfully. For a POC I used the <img> and <a href> tags to read/load and execute files from my local system. I believe there may be possibilities of multiple attack vectors keeping in mind the scope of this vulnerability. During the POC, I was able to successfully bypass the AVAST sandbox and I was able to run local system level commands using the AVAST Interface. These sorts of vulnerabilities can result in multiple attack vectors on the client's end, which may eventually result in complete compromise of the end user system.

     Exploitation of this vulnerability requires low or medium user interaction. Successful exploitation of the vulnerability may result in malicious script code being executed, resulting in local command/shell injection, persistent phishing, client side redirects and similar dangerous attacks.

     Vulnerable Product(s):
     [+] avast Premier Antivirus Installer - Latest Release
     [+] avast Antivirus Pro Installer - Latest Release
     [+] avast Free Antivirus Installer Version 8 - Latest Release
     [+] avast Internet Security Suite Installer - Latest Release

     Vulnerable Module(s):
     [+] Custom Install

     Vulnerable Field(s):
     [+] Enter the Destination Directory

     Proof of Concept:
     =================
     The vulnerabilities can be exploited by local attackers with a low system privilege account and low user interaction. For demonstration or reproduce ...
     a) Run the avast Premier Installer binary file (avast_premier_antivirus_setup.exe)
     b) Click on Custom Install
     c) Under the field "Enter the Destination directory" enter the following payload: C:\Program Files\AVAST Software\Avast<h1>Vulnerable<a href="cmd">ClickME
     d) Click Next twice until you reach the "Installation Information" window
     e) Scroll down and you should be able to see our injected payload.
     f) If you click on "ClickME" you should get a CMD shell spawned on the local system, hence proving the existence of this vulnerability.
     g) If you proceed with the installation and continue, the installation will eventually fail, and once again in the final install log you will see the executed payload.

     Note: All tests were performed on a system running the latest version of the Microsoft Windows 7 OS.

     Solution:
     =========
     By default, no user should be allowed to inject HTML code into the application. This can be mitigated by performing proper input sanitization of the vulnerable fields. All illegal characters should also be escaped and the application source code should be hardened overall. Proper input encoding and format parsing in the source code will fix this issue.

     Risk:
     =====
     The security risk of these kinds of vulnerabilities is estimated as medium(+).

     Credits:
     ========
     Vulnerability Laboratory [Research Team] - Ateeq Khan [ateeq@evolution-sec.com]
21. Description : OpenVZ kernel version 2.6.32 suffers from multiple memory leaks.
Author : Jonathan Salwan
Source : OpenVZ Kernel 2.6.32 Memory Leaks ≈ Packet Storm
Code :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2013-2239 - Multiple memory leaks in OpenVZ kernel 2.6.32 (042stab080.1)

Description
===========
Two memory leaks (kernel stack information disclosures) were discovered in the versions before vzkernel patch 042stab080.2.

One memory leak in ploop:
The ploop_getdevice_ioc function in drivers/block/ploop/dev.c in the vzkernel patch before 042stab080.2 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory.

One memory leak in quota:
The compat_quotactl function in fs/quota/quota.c in the vzkernel patch before 042stab080.2 does not initialize a certain length variable, which allows local users to obtain sensitive information from kernel stack memory.

Fixed in 042stab080.2:
- [security/ploop] memory info leak fixed (PSBM-20690)
- [security/quota] memory info leak fixed (PSBM-20690)

Classification
==============
Location : Local Access Required
Attack Type : Information Disclosure, Input Manipulation
Version : vzkernel 2.6.32 (Patch 042stab080.1)
Impact : Loss of Confidentiality
Solution : Patch / RCS
Disclosure : Vendor Verified

References
==========
CVE ID : CVE-2013-2239
Changelog : http://wiki.openvz.org/Download/kernel/rhel6-testing/042stab080.2
Credit : Jonathan Salwan (Sysdream Security Lab)

Timeline
========
2013-06-16 : Bugs found
2013-06-19 : Bugs reported
2013-06-28 : Bugs fixed
2013-06-29 : CVE request
2013-07-04 : CVE assigned

Thanks,
- -- Jonathan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)

iQEcBAEBAgAGBQJR1a2+AAoJEH9bXKkQj2JzGQkIAKgsP6wJLdbIicezwy8wd57V
gdtaqfBxq3PwRP47C0Yw0TVe+KMuYgq7vxjyMo5L1vrVoBd39NkHqmdo105d3s7z
gxBkhARCS53wiuQ09AIIjFVHAhXzzxLYPrJ3HlzBH0pF/UouIusvI1t+fgOufGsU
SO28DshO+xZWMJiP3ao1Ce8gtkFK9QIdPjoyr67jMndLuv6MTFYPN/Kv33CN0cOQ
6W0ULtxrBVDVuudZMhGon8cEifyisF/WVvG4MuEla9ZyryF2NUJvE05hpfpFqjYf
mYrAKpdEjBGvVHEXn27paXUBJDyWZa2Z2X934TgrCfwx4ysU9UCQ7jK4IDmw8xs=
=BfIK
-----END PGP SIGNATURE-----
22. Description : AVAST Universal Core Installer suffers from multiple local code injection vulnerabilities.
Author : Ateeq Khan
Source : AVAST Universal Core Installer Local Code Injection ≈ Packet Storm
Code :

Title:
======
AVAST Universal Core Installer - Multiple Vulnerabilities

Date:
=====
2013-06-28

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=966

VL-ID:
=====
965

Common Vulnerability Scoring System:
====================================
4.2

Introduction:
=============
Avast! (styled avast!) is an antivirus program, available both as freeware and in paid editions, with a user interface that includes 41 languages, available to Microsoft Windows, Mac OS X and Linux users. The name Avast is an acronym of `Anti-Virus – Advanced Set`. The official, current logo of Avast! is a white orb with the letter `a` on it and an orange circle around it, sticking out in four directions. Its developer, AVAST Software a.s. (formerly known as ALWIL Software a.s.), is headquartered in Prague, Czech Republic, with offices in Linz, Austria; Friedrichshafen, Germany; and San Mateo, California. It has been awarded the VB100 Award by Virus Bulletin multiple times for 100% detection of `in-the-wild` viruses, and also won the Secure Computing Readers` Trust Award. The central scanning engine has been certified by ICSA Labs and West Coast Labs` Checkmark process. Avast! competes in the antivirus industry against Avira, AVG Technologies, Bitdefender, F-Secure, Frisk, Kaspersky, McAfee, Symantec and Trend Micro among others.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Avast! )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a persistent code injection and local command path injection vulnerability in the AVAST Universal Core Installer application software.

Report-Timeline:
================
2013-06-06: Researcher Notification & Coordination (Ateeq Khan)
2013-06-07: Vendor Notification (AVAST! - Security Incident Team)
2013-06-09: Vendor Response/Feedback (AVAST! - Security Incident Team)
2013-**-**: Vendor Fix/Patch (AVAST! - Developer Team)
2013-06-28: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Exploitation-Technique:
=======================
Local

Severity:
=========
Medium

Details:
========
It has been discovered that the core avast installer application is vulnerable to a persistent code injection and local command path injection vulnerability. During the testing, I was able to successfully read/load and execute any file/application from the local system with local admin privileges, which makes this bug a lot more interesting. Initially the bug was an HTML code injection flaw only; however, with more in-depth analysis, it was revealed that the severity of this vulnerability is far greater. A simple <a href> tag bypasses the AVAST Sandbox and drops a local CMD shell on the system where AVAST is installed. You can technically access any file/application and execute it. It seems like we can control explorer.exe and through that we are even able to browse local folders and access any file; we can even browse external websites.

The bug exists in the Custom Install section under the Destination field. Since proper input sanitization is not being performed, a user can insert any HTML code, which then gets rendered and executed successfully. For a POC I used the <img> and <a href> tags to read/load and execute files from my local system. I believe there may be multiple attack vectors, keeping in mind the scope of this vulnerability. During the POC, I was able to successfully bypass the AVAST sandbox and run local system level commands using the AVAST interface.

These sorts of vulnerabilities can result in multiple attack vectors on the client's end which may eventually result in complete compromise of the end user system. Exploitation of this vulnerability requires low or medium user interaction. Successful exploitation of the vulnerability may result in malicious script code being executed, resulting in local command/shell injection, persistent phishing, client side redirects and similar dangerous attacks.

A practical note: the injected string is stored and rendered again in the final install log, and the spawned process inherits the privileges of the user running the installer, which is normally an administrator. The attacker therefore needs a way to get the payload into the destination field that the installing user later clicks on.

Vulnerable Product(s):
[+] avast Premier Antivirus Installer - Latest Release
[+] avast Antivirus Pro Installer - Latest Release
[+] avast Free Antivirus Installer Version 8 - Latest Release
[+] avast Internet Security Suite Installer - Latest Release

Vulnerable Module(s):
[+] Custom Install

Vulnerable Field(s):
[+] Enter the Destination Directory

Proof of Concept:
=================
The vulnerabilities can be exploited by local attackers with a low system privilege account and low user interaction. For demonstration or reproduction ...

a) Run the avast Premier Installer binary file (avast_premier_antivirus_setup.exe)
b) Click on Custom Install
c) Under the field "Enter the Destination directory" enter the following payload:
   C:\Program Files\AVAST Software\Avast<h1>Vulnerable<a href="cmd">ClickME
d) Click Next twice until you reach the "Installation Information" window
e) Scroll down and you should be able to see our injected payload.
f) If you click on "ClickME" you should get a CMD shell spawned on the local system, proving the existence of this vulnerability.
g) If you proceed with the installation and continue, the installation will eventually fail, and once again in the final install log you will see the executed payload.

Note: All tests were performed on a system running the latest version of the Microsoft Windows 7 OS.

Solution:
=========
By default, no user should be allowed to inject HTML code into the application. This can be mitigated by performing proper input sanitization of the vulnerable fields. All illegal characters should also be escaped and the application source code should be hardened overall. Proper input encoding and format parsing in the source code will fix this issue. In practice that means HTML-encoding the destination path wherever it is rendered into the installer's HTML views (the Installation Information window and the install log), so that user input cannot form tags or attributes, and not handing link targets from those views that are not http(s) URLs to the shell.

Risk:
=====
The security risk of these kinds of vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ateeq Khan [ateeq@evolution-sec.com]

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
23. Description : PayPal QR Labs service web application suffers from an authentication bypass vulnerability.
Author : Cernica Ionut Cosmin from Romanian Security Center (Congratulations!) mah_one
Source : PayPal QR Labs Authentication Bypass ≈ Packet Storm
Code :

Title:
======
Paypal Bug Bounty #102 QR Dev Labs - Auth Bypass Vulnerability

Date:
=====
2013-07-05

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=995
PayPal Security UID: ZVf25kC

VL-ID:
=====
995

Common Vulnerability Scoring System:
====================================
7.1

Introduction:
=============
Shopping made easy with PayPal QR enabled on your mobile device. You can scan for deals using the QR Code displayed in shops, train stations, bus stops & banners and purchase items in just a few taps. Make the shopping experience easy for your customer.

(Copy of the Vendor Homepage: https://qr.paypal-labs.com )

Abstract:
=========
An independent Vulnerability Laboratory researcher discovered an auth bypass web session vulnerability in the PayPal QR Labs Service Web Application.

Report-Timeline:
================
2012-05-11: Researcher Notification & Coordination (Cernica Ionut)
2013-05-14: Vendor Notification (PayPal Inc Security Incident Team - Bug Bounty Program)
2013-06-20: Vendor Fix/Patch (PayPal Inc Developer Team)
2013-07-05: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
PayPal Inc
Product: QR Labs Online Service - Web Application 2013 Q2

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
An auth bypass session web vulnerability was detected in the official PayPal QR Labs Service Web Application. The vulnerability allows remote attackers to bypass the web or system user authentication of the affected system and compromise PayPal QR Labs accounts.

The bug is located in the account login module, in the processing of the j_password parameter sent via GET. The value of j_password is derived from the account name: it is the SHA-1 hash of the j_username value. Attackers can therefore compute the expected value for any known user name and substitute it into the live request with a tampering proxy to take over other accounts. In the end the vulnerability allows remote attackers to enter any PayPal QR Labs account of the web application.

Exploitation of the vulnerability does not require user interaction, only a low-privileged PayPal QR Labs application user account. Successful exploitation results in account theft or compromise and stable user session manipulation with different effects.

Vulnerable Service(s):
[+] PayPal Inc – qr.paypal-labs.com

Vulnerable Module(s):
[+] Account - Login

Vulnerable Parameter(s):
[+] j_password

Affected Module(s):
[+] Account System

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with a low-privileged PayPal QR Labs application user account and without user interaction. For demonstration or reproduction ...

Note: After some security checks to authenticate in the qr.paypal-labs.com web application, the last request for being authenticated in this web application is not securely implemented.

Affected Link:
https://qr.paypal-labs.com/j_security_check?j_username=loger177@gmail.com&j_password=96301aa9f02b5d12278b0e902dc5434ed9477d19

Note: If we look at the request, which is a GET request, we will soon see that if we hash the j_username parameter value with SHA-1, the result is the value of the j_password parameter.

Note: PoC Video
The username loger177@gmail.com hashed with SHA-1 equals 96301aa9f02b5d12278b0e902dc5434ed9477d19. In the demonstration above the "password" of the user is therefore nothing more than the SHA-1 hash of the username, which anyone who knows the e-mail address can compute. Because the credentials also travel in the query string of a GET request, they end up in browser history, proxy and server logs and Referer headers, which is a second reason this login request is not securely implemented.

Solution:
=========
2013-06-20: Vendor Fix/Patch (PayPal Inc Developer Team)

Risk:
=====
The security risk of the auth bypass web session vulnerability is estimated as high(+).

Credits:
========
Independent Security Researcher – Cernica Ionut Cosmin (ionut.cernica@whit3hat.com)
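The flaw above is a credential that is derived from a public identifier, so it is not a secret at all. The following is an added example, not PayPal code and not part of the advisory: a toy model of a j_security_check endpoint with the weak scheme (j_password = SHA-1 of j_username) next to a hardened check (random per-user salt, slow KDF, constant-time comparison), plus a small review helper that flags credentials carried in a GET query string. The account store, e-mail addresses and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlsplit

# Constructed account store of the toy login endpoint (not real data).
WEAK_USERS = {"alice@example.com", "bob@example.com"}


def derived_password(username: str) -> str:
    """The weak scheme described in the advisory: the 'password' the client
    sends is just SHA-1 of the public username, so it is not a secret."""
    return hashlib.sha1(username.encode("utf-8")).hexdigest()


def weak_security_check(j_username: str, j_password: str) -> bool:
    """Vulnerable server side: accepts any request whose j_password matches
    the value derivable from j_username alone."""
    return j_username in WEAK_USERS and j_password == derived_password(j_username)


def forge_login(victim_email: str) -> dict:
    """Attacker side: knowing only the victim's e-mail is enough to build a
    request that the weak check accepts."""
    return {"j_username": victim_email, "j_password": derived_password(victim_email)}


# Hardened replacement: per-user random salt and a slow KDF over a secret the
# server never derives from public data; verification is constant-time.
KDF_ITERATIONS = 100_000


def make_record(password: str) -> tuple:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    return salt, digest


def strong_security_check(records: dict, j_username: str, j_password: str) -> bool:
    rec = records.get(j_username)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", j_password.encode("utf-8"), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def credential_params_in_url(url: str) -> list:
    """Review helper: credential fields carried in a GET query string, where
    they are written to proxy/server logs, browser history and Referer headers."""
    query = parse_qs(urlsplit(url).query)
    return sorted(name for name in query if name in ("j_username", "j_password"))


if __name__ == "__main__":
    forged = forge_login("alice@example.com")
    print("weak check accepts forged login:", weak_security_check(**forged))
    records = {"alice@example.com": make_record("correct horse battery staple")}
    print("strong check accepts forged login:", strong_security_check(records, **forged))
    print("credentials in URL:", credential_params_in_url(
        "https://qr.paypal-labs.com/j_security_check?j_username=a%40b.c&j_password=deadbeef"))
```

The weak check is defeated by `forge_login` with no knowledge beyond the e-mail address; the hardened check rejects the same forged request because nothing in the request can be computed from the user name. Logins should additionally be submitted with POST so the parameters never appear in a URL.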
24. Description : AVAST Antivirus version 8.0.1489 suffers from persistent code execution and local command path injection vulnerabilities.
Author : Ateeq Khan
Source : AVAST Antivirus 8.0.1489 Code Execution ≈ Packet Storm
Code :

Title:
======
AVAST Antivirus v8.0.1489 - Multiple Core Vulnerabilities

Date:
=====
2013-06-30

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=963

VL-ID:
=====
963

Common Vulnerability Scoring System:
====================================
4.1

Introduction:
=============
(Same product introduction as in the AVAST Universal Core Installer advisory above. Copy of the Homepage: http://en.wikipedia.org/wiki/Avast! )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a persistent code execution and local command path injection vulnerability in the free AVAST Antivirus v8.0.1489 software.

Report-Timeline:
================
2013-06-06: Researcher Notification & Coordination (Ateeq Khan)
2013-06-07: Vendor Notification (AVAST! - Security Incident Team)
2013-06-09: Vendor Response/Feedback (AVAST! - Security Incident Team)
2013-**-**: Vendor Fix/Patch (AVAST! - Developer Team)
2013-06-30: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
AVAST!
Product: Antivirus 8.0.1489

Exploitation-Technique:
=======================
Local

Severity:
=========
Medium

Details:
========
It has been discovered that the latest build of Avast Free Antivirus Version 8 is vulnerable to HTML code injection which eventually leads to local command/shell execution. During the testing, I was able to successfully bypass the AVAST Sandbox and read/load and execute any file/application from the local system with local admin privileges, which makes this bug a lot more critical. Initially the bug was an HTML code injection flaw only; however, with more in-depth analysis, it was revealed that the severity of this vulnerability is far more critical. A simple <a href> tag bypasses the AVAST Sandbox and drops a local CMD shell on the system where AVAST is installed. You can technically access any file/application and execute it. It seems like we can control explorer.exe and through that we are even able to browse local folders and access any file; we can even browse external websites.

The bug exists in the Maintenance / Registration module, under the Offline Registration section, in the `Insert the License Key` field. Since proper input sanitization is not being performed, a user can insert any HTML code, which then gets rendered and executed successfully. For a POC I used the <img> and <a href> tags to read/load and execute files from my local system. I believe there may be multiple attack vectors, keeping in mind the scope of this vulnerability. During the POC, I was able to successfully bypass the AVAST sandbox and run local system level commands using the AVAST interface.

These sorts of vulnerabilities can result in multiple attack vectors on the client's end which may eventually result in complete compromise of the end user system. This code injection vulnerability exists in the main core AVAST Antivirus application. Exploitation of this vulnerability requires low or medium user interaction. Successful exploitation of the vulnerability may result in malicious script code being executed, resulting in local command/shell injection, persistent phishing, client side redirects and similar dangerous attacks.

Vulnerable Product(s):
[+] Avast Free Antivirus Version 8 - Latest Release

Vulnerable Section(s):
[+] Offline Registration

Vulnerable Module(s):
[+] Registration Information (Maintenance)

Vulnerable Input Field(s):
[+] License Key

Proof of Concept:
=================
Proof of Concept #1 - HTML Code Injection

For reproducing the HTML code injection bug successfully, please follow the steps below:

a) Download / install the latest version of Avast Free Antivirus 8
b) After installation, right click on the Avast tray icon and click on "Registration Information"
c) Scroll down to the `Offline Registration` section and click on "Enter the License Key"
d) Enter the following payload and click OK:
   <h1>Vulnerable</h1>
e) You should now see the entered string `Vulnerable` in Heading 1 format, proving the existence of this vulnerability.

Proof of Concept #2 - Local Image File Include

For reproducing the local file include through the <img> tag successfully, please follow the steps below:

a) Right click on the Avast tray icon and click on "Registration Information"
b) Scroll down to the `Offline Registration` section and click on "Enter the License Key"
c) Enter the following payload and click OK:
   <img src="file:///YOURFILE"></img>
d) You should now see the local image file loaded successfully from your system, proving the existence of this vulnerability.

Note: For POC #2 I copied a file called logo.png to my C:/ folder and used the following payload to produce the bug:
   <img src="file:///C:/logo.png"></img>

Proof of Concept #3 - Command Shell on Local System (cmd.exe)

For reproducing the bug, please follow the steps below:

a) Right click on the Avast tray icon and click on "Registration Information"
b) Scroll down to the `Offline Registration` section and click on "Enter the License Key"
c) Enter the following payload and click OK:
   <a href="cmd">
d) You should now see cmd.exe loaded successfully from your system, proving the existence of this vulnerability.
e) You can also use the payloads mentioned in the next section for some interesting results.

Interesting Payloads:
<a href="test.com">
<a href="explorer.exe">
<a href="">
<a href="shell:System">
<a href="calc">
<a href="mspaint.exe">
<a href="notepad.exe">

Please note: All tests were performed on a system running the latest version of the Microsoft Windows 7 OS.

POC Technical Description

Here, we used common HTML tags as our payload. The fact that user-injected HTML code is rendered and executed successfully raises concerns for this core application's security. Then, the fact that using just the <a href> tag we can easily bypass the AVAST Sandbox and gain a local system shell with the privileges of the user that installed the application initially, which in most cases will be an administrator, is very critical. I believe this bug can be further escalated to gain more interesting results. I also wanted to test the license file for input validation but I haven't been able to perform that test yet due to not having access to a proper license file. I intend to test that feature because I believe it might also be vulnerable.

Solution:
=========
By default, no user should be allowed to inject HTML code into the application. This can be mitigated by performing proper input sanitization of the vulnerable fields. All illegal characters should also be escaped and the application source code should be hardened overall. Proper input sanitization in the source code will fix this issue.

Risk:
=====
The security risk of the detected software vulnerabilities is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ateeq Khan [ateek@vulnerability-lab.com]
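Both AVAST advisories in this listing (the Universal Core Installer destination field and the v8.0.1489 offline registration license key field) describe the same pattern: a free-text field is concatenated into markup that an embedded HTML view later renders, and a link target such as `cmd` or `shell:System` clicked in that view is resolved locally rather than as a web navigation. The following is an added example, not avast code and not part of either advisory: stand-in render functions for such a view, the unsafe one beside the HTML-encoded fix, and an audit that parses the rendered markup and reports every a/href and img/src that would resolve locally. The payload string is constructed from the installer PoC (the default install path given there plus the injected tags); the render functions and their names are assumptions for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed payload, same shape as the installer PoC in the advisory:
# the product's default install directory followed by injected tags.
PAYLOAD = 'C:\\Program Files\\AVAST Software\\Avast<h1>Vulnerable<a href="cmd">ClickME'


def render_unsafe(field_value: str) -> str:
    """Failure mode (stand-in for the real view): the field is concatenated
    into markup verbatim, so '<' and '"' typed by the user become tags."""
    return f"<p>Destination: {field_value}</p>"


def render_safe(field_value: str) -> str:
    """Fix: HTML-encode the value for the context it is rendered in. The
    visible text is unchanged; the markup produced from it is inert."""
    return f"<p>Destination: {html.escape(field_value, quote=True)}</p>"


class _RefCollector(HTMLParser):
    """Collects every a/href and img/src a rendered view would act on."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = {"a": "href", "img": "src"}.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted:
                # A bare <a href> with no value is recorded as "" (the empty
                # payload in the advisory's list).
                self.refs.append((tag, value or ""))


def extract_refs(markup: str) -> list:
    parser = _RefCollector()
    parser.feed(markup)
    parser.close()
    return parser.refs


WEB_SCHEMES = {"http", "https"}


def resolves_locally(ref: str) -> bool:
    """A target with no scheme ("cmd", "notepad.exe", "test.com", "") or a local
    scheme ("file:", "shell:") is handed to the shell or filesystem rather than
    to a web navigation; these are exactly the payloads in the PoC lists."""
    return urlsplit(ref).scheme.lower() not in WEB_SCHEMES


def audit(render, field_value: str) -> list:
    """References in the rendered view that would resolve locally on click/load."""
    return [(tag, ref) for tag, ref in extract_refs(render(field_value))
            if resolves_locally(ref)]


if __name__ == "__main__":
    print("unsafe render:", audit(render_unsafe, PAYLOAD))
    print("safe render:  ", audit(render_safe, PAYLOAD))
    for p in ['<img src="file:///C:/logo.png"></img>', '<a href="shell:System">', '<a href="">']:
        print(repr(p), "->", audit(render_unsafe, p))
```

`render_safe` does not strip anything from the user's input, which is what an installer needs for a directory name; it only guarantees the value is text in the HTML context. The audit is the check a reviewer can run against any markup the application emits: an empty result for attacker-controlled input is the pass condition.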